Practical Privacy Practices


Voices For Privacy Blog

Privacy News and Views for October 20

Posted on October 20, 2017 in News and Updates

Featured

The KRACK Attacks and Libraries | Choose Privacy Week

ALA files comments to Department of Homeland Security to protest plans to monitor and collect immigrants’ social media information | District Dispatch

Government Surveillance

Senate Intelligence Committee to debate in secret a bill that would renew a powerful spy tool | Washington Post

Justices to Decide on Forcing Technology Firms to Provide Data Held Abroad | New York Times

Should Federal Prosecutors Be Able to Search Americans’ Emails Overseas? | The Atlantic

There’s No Good Decision in the Next Big Data Privacy Case | New York Times

Surveillance “Reform”: The Fourth Amendment’s Long, Slow, Goodbye | Just Security

Corporate Surveillance

It takes just $1,000 to track someone’s location with mobile ads | Wired

Libraries and Privacy

Protecting Your Online Privacy: Risks And Strategies – November 9 | Infopeople Webinar (FREE!)

Privacy Literacy Training for Librarians | Data Privacy Project, New York City

How these librarians are changing how we think about digital privacy | Christian Science Monitor

Students’ and Minors’ Privacy

U.S. Department of Education launches new student privacy website | Lexology

Commentary

How “Big Data” Went Bust | Slate

Encryption

Senior U.S. legal official meeting UK leaders to tackle online security issues | Reuters

Decrypting the Going Dark Debate | Lawfare

Apple removed several privacy apps in China — now two senators are demanding answers | CNBC

Cybersecurity

Facebook is struggling to meet the burden of securing itself, security chief says | Ars Technica

DHS To Order Agencies Implement Email, Website Encryption Tools | NextGov

Broadband Privacy

Internet giants contest proposed privacy laws | Bucks County Courier Times (PA)

Biometric Privacy

Apple answers Sen. Al Franken’s privacy concerns over Face ID | CNET

Law and Regulation

Equifax Hack Drives GOP Bill to Overhaul Credit Bureaus | Wall Street Journal
Legislation from Patrick McHenry would require big three credit-reporting firms to phase out use of Social Security numbers by 2020

Replacing Social Security Numbers won’t be easy, but it’s worth it | Wired

EU-U.S. data transfer pact passes first annual review | Reuters

Biometric barriers in Illinois: Developments with the Biometric Information Privacy Act | Lexology

This Week in Data Breaches

Pizza Hut Warns Customers That Hackers May Have Accessed Their Data | Fortune

Hyatt suffers second data breach in two years | Hotel Management

The KRACK Attacks and Libraries

Posted on October 19, 2017 in Broadband privacy, cybersecurity, libraries, News and Updates, Privacy and Security

By Galen Charlton

Earlier this week Mathy Vanhoef of the imec-DistriNet research group at the Katholieke Universiteit Leuven announced his discovery of a set of related vulnerabilities in WPA2, a protocol used to encrypt communications over wireless networks. KRACK, as Vanhoef dubbed the vulnerability, expands to Key Reinstallation Attacks.

The vulnerability exploited by KRACK lies in how Wi-Fi devices set up keys for encrypted communications when connecting to a wireless access point. Under certain circumstances, an attacker who is physically in range of the wireless network can interfere with the process of installing a session key during the initial handshake. In particular, it is possible to force a Wi-Fi client to reinstall the session key with previously-used cryptographic nonces. When that happens, depending on the particular WPA2 protocol options in effect, the attacker can then go on to decrypt or forge wireless frames. In turn, this can enable further attacks; for example, if the Wi-Fi device then (say) connects to a website over plain HTTP, the attacker could snoop on the traffic or potentially inject extra content.
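Why reusing a nonce under the same key matters can be shown with a toy model. The following is an added example, not code from the original post or from any Wi-Fi implementation: the `Client` class, the SHA-256-based keystream (a stand-in for the real WPA2 cipher), the key and the sample frames are all constructed assumptions. It compares a client that resets its nonce counter whenever the key is installed with one that ignores a repeat installation of the key already in use.

```python
import hashlib

# Constructed sample frames (not captured traffic).
P1 = b"GET /catalog?q=history HTTP/1.1"
P2 = b"GET /account/holds.php HTTP/1.1"

def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Toy keystream from SHA-256(key || nonce || counter); a stand-in, not CCMP."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical model of a client's transmit state, not a real supplicant."""
    def __init__(self, hardened: bool):
        self.hardened, self.key, self.nonce = hardened, None, 0
        self.history = []  # every (key, nonce) pair ever used to encrypt

    def install_key(self, key: bytes) -> None:
        # Hardened: ignore a repeat installation of the key already in use,
        # so the nonce counter keeps counting up.
        if self.hardened and key == self.key:
            return
        self.key, self.nonce = key, 0  # vulnerable path resets the nonce

    def send(self, plaintext: bytes) -> bytes:
        self.nonce += 1
        self.history.append((self.key, self.nonce))
        return xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

def run(hardened: bool):
    """Return (nonce_reused, xor_of_ciphertexts_equals_xor_of_plaintexts)."""
    client = Client(hardened)
    key = b"constructed-session-key"
    client.install_key(key)
    c1 = client.send(P1)
    client.install_key(key)  # key installation step repeated
    c2 = client.send(P2)
    reused = len(set(client.history)) < len(client.history)
    return reused, xor(c1, c2) == xor(P1, P2)

if __name__ == "__main__":
    print("vulnerable:", run(False))
    print("hardened:  ", run(True))
```

In the vulnerable case both frames are encrypted with the same keystream, so combining the two ciphertexts cancels the key entirely and leaves only the two plaintexts combined; in the hardened case the nonce keeps advancing and no such relation holds.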

The KRACK attack primarily affects Wi-Fi clients, but can also affect access points and routers, particularly if the 802.11r protocol for fast roaming is in use.

Linux and Android are particularly vulnerable to KRACK attacks, but Windows, macOS, and iOS are also affected. As of this writing, patches are available for all major Linux distributions and supported versions of Windows. Apple has issued patches for beta versions of macOS and iOS that should make their way into general release soon, and Google is reported to be working on patches for Android.  Manufacturers of access points and wireless routers have also started releasing patches.

Since attackers need to be in the same physical area as the network they wish to attack, many organizations can mitigate potential (external) KRACK attacks simply by attending to physical security and keeping visitors out.

Of course, many libraries operate public Wi-Fi services that use WPA-PSK, or must necessarily allow patrons to be in range of protected networks used by library staff. To avoid the potential for interference with library networks or snooping on patrons’ online activity, libraries can take the following steps to mitigate the risk.

  • Apply patches to library computers and network equipment as they become available.
  • Switch devices such as patron and circulation workstations over to wired Ethernet where possible.
  • If you use 802.11r (fast roaming) on your wireless networks, consider turning it off until you have an opportunity to patch your access points.
  • Promote the use of HTTPS Everywhere.
  • If your library offers technology training for patrons, consider offering sessions about managing software updates.

Several aspects of KRACK and the way it was announced highlight general issues of concern for staff responsible for securing library networks and resources:

  1. Library skills regarding the evaluation of sources of information apply to security announcements, too.

Going by the headlines, the KRACK attack “destroys nearly all Wi-Fi security” (Ars Technica), is something not to worry about (Lawfare), or in any event is not worth burning the house down (Kevin Beaumont). A more nuanced take is offered by Bruce Schneier.

Who benefits from exaggerating the impact of a vulnerability — or downplaying it? Who has demonstrated expertise in network security — and who is just speculating or even posing? It can be hard to evaluate claims about computer security, and even more so when cryptography is discussed.

KRACK, since it involves a vulnerability in most implementations of a widely-used protocol, is serious, but the degree of your library’s exposure to it heavily depends on the specifics of which WPA2 protocol options you use and the devices that connect to them. When evaluating your potential risk, first, don’t panic — but pay attention to security news, particularly bulletins from the manufacturers of your wireless network equipment.

  2. When in doubt, patch.

Regardless of the specific impact on your library, KRACK is certainly worth patching against. Patches can be expected for most supported devices and should be applied as they become available. CERT maintains a list of vendors and operating system providers that may have patches available.

  3. We do not live in the Platonic realm where mathematical proofs of the security of protocols can ignore implementation details.

Vanhoef’s KRACK paper cites a formal proof (Changhua He et al. 2005) of the correctness of various aspects of the IEEE 802.11i standard underlying WPA2 — then points out that while the proof remains correct, it was not complete as it failed to model the installation (and reinstallation) of keys.

The deficiencies in the model can presumably be corrected — but, of course, there’s no guarantee that every implementation will fully and correctly match the model that was formally validated.

For the library IT worker who is not in a position to personally verify formal proofs, those proofs amount to a useful data point for selecting protocols to require, but the proofs cannot replace testing and monitoring the implementations that are actually deployed.

  4. Defense in depth matters.

Depending on the specific WPA2 protocol options in effect, a successful KRACK attacker may be able to decrypt or forge packets between a wireless device and the access point. However, that doesn’t give the attacker any special way to decrypt HTTPS traffic as TLS encryption occurs at a higher protocol layer — although as demonstrated in Vanhoef’s video, an attacker may be able to force a client’s web browser to downgrade connections to HTTP if the secure website is not configured properly.

The lesson for libraries: efforts to promote the adoption of mandatory HTTPS across the board should continue, and can help mitigate weaknesses in other protocols.

  5. The Internet of Things (IoT) is going to remain a headache for library IT staff.

As Brian Barrett points out in Wired, while many computers, mobile devices, and routers will get patched against KRACK sooner or later, many will never be, including IoT devices.  A lightbulb that acts as a Wi-Fi range extender may have been made by a manufacturer that no longer exists or no longer supplies software updates — or never did. If updates are available, it may not be easy to apply them.

The potential impact of a compromised IoT device can vary widely. If an attacker manages to convince an IoT garage door opener to keep the library’s loading dock door closed, it can be a nuisance. If the door is instead induced to open up, the nuisance could turn into loss. Alternatively, a compromised device could become an entry point into the library’s network for snooping or bulk downloading of sensitive information — as apparently was the case for a casino operating an Internet-enabled fish tank.

What should a library do? For starters, keep track of all devices purchased by the library that can connect to networks. Bear in mind one lesson of the Wi-Fi light bulb: IoT devices can slip in through budget lines other than that of the systems department. Prefer manufacturers that credibly claim to provide software updates and a way for them to be applied automatically — but also budget for when those updates stop and it may be better to replace the devices.

To sum up, KRACK as a vulnerability in Wi-Fi encryption does represent a risk to patron privacy and the security of library networks, so patch early and often… but don’t panic.

Galen Charlton is Infrastructure Manager at the Equinox Open Library Initiative and a contributor to the Evergreen and Koha open source ILS projects. He can be found on Twitter as @gmcharlt.

Privacy News and Views for October 13

Posted on October 13, 2017 in News and Updates

Featured:  Encryption.  Again.

The Justice Department Just Reignited Its Fight With Apple Over iPhone Encryption | Slate

Deputy Attorney General Rod J. Rosenstein Delivers Remarks on Encryption at the United States Naval Academy | Dept. of Justice

GOP rep on responsible encryption: ‘You can call it whatever you want’ | The Hill

DOJ grows frustrated with tech firms over encryption | CNN

iOS 11 May Complicate Border Searches | Lawfare

Government Surveillance

The one change we need to surveillance law | The Washington Post

Over 40 Groups Say Bill Leaves Open Too Many Loopholes, Leaving Americans Vulnerable To Warrantless Spying | ACLU

  • ALA is a signatory to the letter sent to Congress saying that the groups cannot support the current version of the surveillance reform bill

Court significantly reins in what data anti-Trump website must give to feds | Ars Technica

Opposition mounts against bill to renew surveillance program | The Hill

The new DHS plan to gather social media information has privacy advocates up in arms | Public Radio International

Russia Has Turned Kaspersky Software Into Tool for Spying | Wall Street Journal

Corporate Surveillance

Google admits its new smart speaker was eavesdropping on users | CNN

On monetizing personal information | IAPP

Biometrics

Legal, privacy concerns to consider before implementing iris-scanning technology | PoliceOne

Law and Regulation

Internet privacy laws we need to be aware of in 2017 | The National Law Review

Open Data and Privacy

How to Open Data While Protecting Privacy | GovTech

  • San Francisco’s Open Data Release Toolkit offers detailed guidance on how departments can evaluate whether, and how, sensitive data sets should be made public.

This Week in Data Breaches

Data Breach Exposed Medical Records, Including Blood Test Results, of Over 100 Thousand Patients | Gizmodo

Study: Millions still unaware of Equifax data breach | NBC Nebraska