The real culprit is actually ChoicePoint itself and the three bureaus. By creating what is supposedly a superior solution than the old-fashioned way of granting credit (knowing your customer, personal references, bank references, like they do it in most of the rest of the world) they have created a system that is prone to identity theft and over-extended borrowers.
He's right. The players at the heart of identity theft in the U.S. are the credit bureaus. But what they've done is more than just create a system which is prone to identity theft. Let's review how the credit bureaus work. They serve businesses by selling information about creditworthiness. Their customers (businesses extending credit) are happy to charge higher rates to people with poor credit, so there is little incentive for the business or the bureau to eliminate errors from the credit data. Worse, as the problem of identity theft becomes more widespread, the credit agencies can sell “credit monitoring” services to consumers and “enhanced authentication” to businesses and make even more money.
The credit agencies now run TV commercials touting credit monitoring, threatening people with identity theft. They don't quite say "nice credit score you've got there. Shame if we were to do something to it," but they come close.
Small wonder it’s hard to address the problem.
Rich closes:
I suggest that the FTC, various Attorneys General, and the trial lawyers, target the credit reporting industry for reform. Maybe we can starve the cyber criminals out by making identities less valuable goods.
I think it would be simpler to remove their exemption from libel law. The credit agencies share default data just fine. They should have to share remedial data as well, or be accountable for the costs which they impose by their negligence.
Yesterday Hoff blogged about McGovern's "Ten Mistakes That CIOs Consistently Make That Weaken Enterprise Security" and added ten more of his own. I'm particularly annoyed at him for #4:
Awareness initiatives are good for sexual harassment and copier training, not security.
Why? Because, damn, that really sums it up. I wish that I had thought of this one myself. As I've said in the past, I think that awareness training is way underappreciated in security, and Chris just had to go and be far more eloquent in one sentence than I was in several paragraphs. Hey Chris, mind if I steal this?
Chris Hoofnagle has completed a paper which ranks US financial institutions according to their relative incidence of ID theft, based on reports to the FTC by consumers who named an institution.
Chris (like another Chris I know) would like to see more complete information on ID theft available to consumers, so they can make informed decisions about with whom to do business. In an earlier paper, he argued that banks should publicly disclose identity theft statistics.
From the current paper's abstract:
There is no reliable way for consumers, regulators, and businesses to assess the relative incidence of identity fraud at major financial institutions. This lack of information prevents more vigorous competition among institutions to protect accountholders from identity theft. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events, but a metric is lacking to compare this industry with the financial institutions.
This is an area fraught with methodological challenges, many of which are due to data being sparse or (as I have intimated with regard to ID Analytics, for example) proprietary. Chris' paper simultaneously shows what can be done with what we have, and why we'd be better off if we had more.
[Update: If you want to see all the threat modeling posts, they're at Threat Modeling SDL blog posts. They're displayed latest to oldest, which we're looking into.]
Kim Cameron not only admits what Ben Laurie has said here, here, and here, but he says it succinctly:
OpenID provides convenience and power but suffers the problem of all the Single Sign On technologies - the more it succeeds, the more dramatically phishable it will become.
There you have it.
It has long been a joke about crusty states such as Idaho, Oregon, New Hampshire, or New Jersey that they have signs at the border that read, "Welcome to <insert-name-here>, now go home."
As a Mac user, I'm often asked whether someone should switch to a Mac because it's more secure. My response is that the only reason a Mac is more secure than a PC is that it's only people like me who use them. As soon as hordes of people start using them, they will no longer be as secure. I like not knowing the details of anti-virus programs. I like not bothering even to run the built-in firewall. So, no, I don't think you should switch to a Mac because it's more secure. I think you should just update your virus files every week. Besides, Macs are much more expensive than you can afford. Really. Have you heard about Ubuntu? It's Open Source! (Cue sounds of angels singing.) People tell me it's really nice. And I hate Leopard.
Despite all of these being true statements, this technique does not work as well as I would like. I think I need to take a presentation skills class.
OpenID is similar in that it's a safe neighborhood because people like me don't go there. Once enough people like me start going there, it's not going to be secure. I am reminded of comments by each of Groucho Marx and Yogi Berra.
I am happy to help keep OpenID secure by not using it. I've already written about what I think is better.
What I find amusing about Cameron's epiphany is his solution for the problem. He thinks that OpenID should become part of InfoCardSpace, and thus shipped with Windows.
There's a joke that begs to be made here, oh, how it begs. It is rim-shot worthy, so I'll not make it. I'll merely point out that if you want to get CardSpace, you have to get Vista. Ba-dum-dump.
I am again using the photo "Trunk 'n Branches" by slightly-less-random because it is the only image in Flickr that comes back from the search of "cardspace phishing" and one of two for "openid phishing".
Dan Solove has an interesting article up, "Coming Back from the Dead." It's about people who are marked dead by the Social Security Administration and the living hell their lives become:
Dan starts with quotes from the WSMV News story, "Government Still Declares Living Woman Dead":
According to government paperwork, Laura Todd has been dead off and on for eight years, and Todd said there's no end to the complications the situation creates.
...
According to a government audit, Social Security had to resurrect more than 23,000 people in a period of less than two years. The number is the approximate equivalent to the population of Brentwood.
...
Illinois resident Jay Liebenow was also declared dead. He said Todd is now more vulnerable to identity theft because after someone dies, Social Security releases that person’s personal information on computer discs. He said the information is sold to anyone who wants it, like the Web site Ancestry.com.
Dan's proposal:
Responsibility should be placed on every entity that maintains records to ensure that information is correct and that errors are promptly fixed. Moreover, when information is shared with others, the one sharing the information should have duties to inform the others of the error; and those receiving the data should have a duty to check for corrections in the data from the source....
I'd propose a different solution: libel law. These organizations are making false and defamatory statements about people. They should be held accountable, under existing law.
I've been discussing libel and the credit agencies for years, in posts like "Because That's Where The Money is: Ethan Leib's ID Theft" or "Government Issued Data and Privacy Law." I've yet to hear why libel law isn't a reasonable and easy approach to the problem. As Nick Szabo comments in "The Discovery of Law," "common law is a painstaking way of discovering and making better law, case by case, dispute by dispute, piece of evidence by piece of evidence." I'm not calling for a broad overhaul. I think that a common law approach to libel law would likely address many of our issues with the way data flows between organizations.
"Let's play 'airport security'," says Foreign Policy. It's like playing Doctor, only with latex gloves and inappropriate touching.
In an effort to help children understand and be comfortable and confident in the need and process of higher security protocols we've developed a new play and learning toy and resource web site to promote and educate security procedures.
It's not really clear who "we" refers to here. The site, operationcheckpoint.com, also refers to "SampleRewards.com." That sounds like the sort of pliable marketing channel that'll sell anything for a buck, so maybe it's not them who's really behind this thing. OperationCheckpoint has four different names on a single landing page (OperationCheckpoint, SampleRewards.com, Wizard Industries and Product Exposure Services). If only we had ID for the forces of evil. Maybe these guys could carry sample National ID cards, and kids' tattoo guns, too.
Previously, "From the mouths of toymakers:"
Dubai, as Adam pointed out, is in something of a branding quandary. A hard line - some would say a retrograde and counterproductive line - on victimless crime doesn't mix well with an image as a fun spot for the well-heeled.
Meanwhile, there's this (from Emirates Business 24-7, retrieved 2/21/2008):
Dubai-based banks are recruiting former hackers to shore up their information security systems, said an information technology expert. (emphasis mine)
Addel Wahab Ahmed Mostafa, an IT consultant and chief of the technical committee at information company UAE Data Warehouse PM, said banks were hiring hackers in a bid to stay one step ahead of potential breaches.
Most of the big organisations are employing ex-hackers.
In Dubai banks are hiring hackers to protect themselves because how else do you protect yourself from hackers?
You must figure out the measures they use and use them yourself.
He said 60 per cent of hacking originated inside organisations or was carried out by former employees.
I see a mixed message being sent here. And by the way, from the tone of the article it is clear that "ex-hacker" doesn't mean "broke the law ten years ago", so let's not start that flame war.
Explanation and more pictures here.
Cat Le-Huy is a friend of friends who has been "detained" entering Dubai. I put detained in quotes, because he's been thrown into prison, where he's now spent a few weeks.
He claims he was carrying melatonin, which is legal in Dubai, and the authorities have charged that there was .001 gram (1 milligram) of hashish, which is basically some specks of dust. The law firm representing him wants a £25,000 retainer.
It used to be that the United States, the United Kingdom (where Cat lives), and Germany had a certain moral high ground with regards to the arbitrary detention of their citizens. Unfortunately, the executives of our countries have tossed away that high ground with our own arbitrary detentions. In the US, we detain not only foreigners, but our own citizens.
So, what does this mean to you?
First, please donate to Cat's legal defense fund.
Second, don't go to Dubai. They're competing to be the next "Disneyland with the Death Penalty," and that should hurt their businesses and that should hurt their bizarre attempts to bring in tourists.
It might mean other things, but we'll leave that for future blog posts.
[Updated: fixed donation link.]
As we love to say, if you have physical access to a machine, then you have access to all the data on it. Today Ed Felten et al. proved that yet again when they released a paper describing cold boot attacks on encryption keys. In it, they show that DRAM can be stripped (even after a full shutdown) of passwords and encryption keys. It turns out that DRAM doesn't lose its contents immediately after losing power. As a result, they have been able to successfully extract keys for BitLocker (Vista), TrueCrypt (multiplatform open source) and FileVault (OS X). They can even take the DIMMs out of the target computer, move them to another machine, and then find the keys without interference from the original host OS. How cool is that? I imagine it won't be long before this gets implemented in forensics software and/or hacking tools.
[Via Boing Boing]
Via Kable's Government Computing, comes news that the British House of Lords "Science and Technology Committee has announced a follow-up inquiry to its 'Personal Internet Security' report".
Chair of the committee Lord Sutherland said: "The committee was disappointed with the government's response to its report. We felt they had failed to address some of our key concerns about people's security on the internet.
"The House of Lords is likely to be debating the report in the summer and to ensure that the debate is as well informed as possible we have decided to seek key stakeholders' views on the government's response." (Kable's Government Computing, 2008-02-21)
I speak American English, so I may not be up on the nuances, but I think Lord Sutherland is saying that they're going to line up a bunch of experts to say what absolute dolts the government were in ignoring the recommendations put forth by the Committee last year.
Excellent.
Experian sues Lifelock.
I think I can hear the champagne corks popping at ID Analytics from here. They, arguably, provide a service which is similar enough (a detective control against new account fraud, rather than a preventative control), but theirs operates through a different mechanism.
I'd like to see some numbers showing the efficacy of these approaches. I am pretty sure Lifelock or Debix can produce them for the 'automated fraud alert' approach. I don't know what ID Analytics has.
Last week, Siva Vaidhyanathan, of Sivacracy, released a new column in the Chronicle of Higher Education, Naked in the 'Nonopticon', which has some refreshing thoughts on privacy and surveillance that I wish more of us on the security side understood better. His main themes are (in his own words):
1) Anyone who claims "young people don't care about privacy" doesn't understand that privacy is about control, not about whether we choose to reveal our sexual or consumer details in public forums.
2) We have at least four "privacy interfaces" and try to govern our details and reputations differently in each one. For instance, we regulate information about ourselves one way among friends and family, and a different way with Amazon or Google.
3) The "Panopticon" model of surveillance is stale and inapplicable to the current situation. We don't suffer from knowing we are being watched. We suffer more from the surveillance we are not supposed to see or understand -- such as the illegal domestic wiretapping in the United States.
Additionally, his reviews of Daniel Solove's and James Rule's new books make me wish I had more time to read in the next few weeks.
[Image from hawkinspi.com]
EBay has been struggling for some time with growing discontent among its members, and it has rolled out a series of new controls and regulations to try to stem the erosion of trust in its market. At the end of last month, it announced sweeping changes to its feedback system, setting up more "non-public" communication channels and, most dramatically, curtailing the ability of sellers to leave negative feedback on buyers. It turns out that feedback ratings were being used as weapons to deter buyers from leaving negative feedback about sellers.
He goes on to rail against the usefulness of feedback loops:
As these sites grow, keeping them in line requires more rules and regulations, greater exercise of central control. The digital world, it seems, is not so different from the real world.
However, he doesn't question EBay's central decision. If the goal is to control retaliatory feedback, then require that all feedback be given within N days (N might vary for transaction types, international shipping, etc.), and don't reveal the feedback until both buyer and seller have finalized what they want to say.
(Personally, I think that some structure in the feedback--was the item as described? was it shipped quickly and as requested? was the interaction business-like, chatty, or rude?--could enhance things a lot, as would displaying the value of the transactions. But that's an aside.)
What's important is that EBay is replacing a transparent and manipulated system with one that's going to be worse for their customers, and more expensive to operate. It will be interesting to see what emerges from this. Will a worse feedback system be enough to overcome the network effects and allow a strong competitor to emerge?
Thanks to Nicko van Someren for the pointer.
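The sealed-feedback mechanism proposed above, as an added illustration that is not part of the original post and not EBay's code: each side gets one final submission inside an N-day window, and nothing is shown to anyone until both have filed or the window closes, so a seller cannot read a buyer's rating and answer it with a retaliatory one. The class, function and user names, dates and 14-day window are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple

@dataclass(frozen=True)
class Feedback:
    score: int        # -1 negative, 0 neutral, +1 positive
    comment: str
    submitted_at: datetime

class BlindFeedback:
    """One transaction's feedback, sealed until both sides have filed or the
    N-day window closes, so neither side can read the other's rating first."""
    def __init__(self, buyer: str, seller: str, completed_at: datetime, window_days: int):
        self.parties = {buyer: "buyer", seller: "seller"}
        self.deadline = completed_at + timedelta(days=window_days)
        self._sealed = {"buyer": None, "seller": None}  # one final slot per side

    def submit(self, user: str, score: int, comment: str, now: datetime) -> None:
        if score not in (-1, 0, 1):
            raise ValueError("score must be -1, 0 or +1")
        if now > self.deadline:
            raise ValueError("window closed: nothing more can be filed")
        role = self.parties[user]          # KeyError for anyone not party to the sale
        if self._sealed[role] is not None:
            raise ValueError(f"{role} already filed; submissions are final")
        self._sealed[role] = Feedback(score, comment, now)

    def is_revealed(self, now: datetime) -> bool:
        both_filed = all(fb is not None for fb in self._sealed.values())
        return both_filed or now > self.deadline

    def view(self, now: datetime) -> Tuple[Optional[Feedback], Optional[Feedback]]:
        # Public view: (buyer's, seller's) once revealed, otherwise nothing at all
        if not self.is_revealed(now):
            return (None, None)
        return (self._sealed["buyer"], self._sealed["seller"])

def _attempt(tx: BlindFeedback, *args) -> bool:
    try:                                   # True if accepted, False if refused
        tx.submit(*args)
        return True
    except ValueError:
        return False

def retaliation_scenario():
    """Constructed case: seller rates first; the buyer's honest negative is safe."""
    t0 = datetime(2008, 2, 1)
    tx = BlindFeedback("alice", "bob", t0, window_days=14)
    tx.submit("bob", +1, "prompt payment", t0 + timedelta(days=1))
    hidden = tx.view(t0 + timedelta(days=2))       # bob's rating still sealed
    tx.submit("alice", -1, "item not as described", t0 + timedelta(days=3))
    shown = tx.view(t0 + timedelta(days=3))        # both filed: revealed together
    revised = _attempt(tx, "bob", -1, "revenge", t0 + timedelta(days=4))
    return hidden, shown, revised                  # revised is False

def deadline_scenario():
    """Constructed case: only the buyer files; the closing window reveals it and locks the seller out."""
    t0 = datetime(2008, 2, 1)
    tx = BlindFeedback("carol", "dave", t0, window_days=14)
    tx.submit("carol", -1, "never shipped", t0 + timedelta(days=5))
    before = tx.view(t0 + timedelta(days=13))
    after = tx.view(t0 + timedelta(days=15))
    late_ok = _attempt(tx, "dave", -1, "late retaliation", t0 + timedelta(days=15))
    return before, after, late_ok                  # late_ok is False
```

The deadline does double duty: it forces "finalization" for a side that never files, and it also closes the door on a late retaliatory rating once the other side's feedback becomes visible.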
We've been really astonished by how some of the most high-profile situations actually resulted in increased consumer confidence, because sometimes high-profile issues give us an opportunity to talk about what we do, and that has actually encouraged consumers.
No, it's not a TJX spokesperson, but Janet Riley, a spokesperson for the American Meat Institute, discussing the recall of 143 million pounds of beef, some of which was shipped as long as two years ago, and has likely been eaten.
What's interesting to me is that despite there being no immediate tie to risk, the Agriculture department pushed for the largest beef recall in US history. There was no word about consumer notice fatigue, or that the cows were protected by a password.
Read Today's lunch special: recalled beef at Marketplace.
We've made frequent calls here at EC for improved breach reporting. In particular, we've said that governments (be they state, provincial, national, whatever) should provide standardized reporting forms, should collect a basic set of facts in each report, should require precision in reporting rather than accepting weasel-words, and should mandate centralized reporting, so that legislators and the public can see (without commissioning a study) what the facts are. Additionally, we've mentioned research discussing notification fatigue, and the artful construction of notification letters seemingly designed to discourage both comprehension and action. Finally, we've praised efforts to increase transparency -- in particular New Hampshire's posting of notification letters on a government-administered web site.
In recent days, I was elated to learn of legislative efforts in California and Indiana that together substantially advanced each of these points. In California, Senate Bill 364 was recently voted out of the state senate. This bill requires that breach notification letters be written in plain language, and that they contain:
It also requires that breaches be reported to California's Office of Information Security and Privacy Protection (where they would be subject to Freedom of Information requests).
In Indiana, House Bill 1197 would require the attorney general to publish notice of a breach of the security of a system on the attorney general's Internet web site, and closes a loophole in Indiana's existing breach law, which currently allows password protection to be sufficient to exempt an incident from disclosure. The new law would only exempt completely encrypted portable devices, with unexposed keys.
Each of these bills is a great thing, and each shows that (despite what cynics like me might say), smart people who are motivated can make a big difference. In California, the smart, motivated people are at the Samuelson Law, Technology & Public Policy Clinic, whose recent research supplied part of the bill's foundation. In Indiana, infosec researcher Chris Soghoian was instrumental in educating his own local legislator, and making several suggestions which found their way into Indiana's bill.
But the story gets more interesting. As Chris documents, the centralized notification portion of the Indiana bill is vigorously opposed by telecom giants AT&T and Verizon, as well as by Microsoft. The last, writes Soghoian, even argued that availability of actual breach letters would make phishers' work easier. Funny that the letters already posted by New Hampshire and others haven't done this. I guess phishers are too busy to write a FOIA letter, too. Note to Microsoft: this information is not secret from bad guys, it is merely hidden from the vast majority of good guys. Thanks for arguing that it should stay that way. Maybe Microsoft's lobbyists should learn about threat modeling.
Lest it be thought that tech industry opposition to democratic transparency is a purely domestic thing, the Information Technology Association of Canada testified in opposition to a Canadian breach law, as reported by Canadian privacy law expert Michael Geist.
Meanwhile, in California, a portion of the bill requiring breach notices to be placed on the web, thereby allowing the interested public to avoid the hassles of writing FOIA letters, has been stricken from the bill, this time for cost reasons.
I'm happy that California takes this issue seriously, and turned to some folks who obviously know their stuff. I guess they are strapped for cash. As for Indiana, and for Canada, it's disheartening to see tech firms argue that technology should not be used to bring relevant information closer to those who want it.