“It used to be you were labeled with your diagnosis and that was it; you were marginalized,” said Molly Sprengelmeyer, an organizer for the Asheville Radical Mental Health Collective, a mad pride group in North Carolina. “If people found out, it was a death sentence, professionally and socially.”
She added, “We are hoping to change all that by talking."
...
Participants write and distribute publications, stage community talks, trade strategies for staying well and often share duties like cooking or shopping....
Many psychiatrists now recognize that patients’ candid discussions of their experiences can help their recoveries. “Problems are created when people don’t talk to each other,” said Dr. Robert W. Buchanan, the chief of the Outpatient Research Program at the Maryland Psychiatric Research Center. “It’s critical to have an open conversation.”
Call me crazy, but I think these folks might be onto something. Learning about coping strategies from one another? Testing what works and what doesn't, and reporting on it? Maybe "we were broken into" isn't the most embarrassing thing you can say in public.
How much do you make? How surprised would you be to learn that your magic number had been posted on the Internet by the government? And that it was not by mistake, as in other recent breaches of privacy.
"How Much Do You Make? The Nation Already Knows." The data has already been removed from easy web access at the official site. Bloomberg's report indicates that it wasn't simply posted to the web, but offered up as spreadsheets:
A ministry Web site was bombarded by Italians curious to see what their neighbors or favorite actors declared as income, making it often impossible later in the day to download spreadsheets with the name, date of birth, total income and amount each taxpayer paid.
If anyone knows where the mirrors are, please share.
I ask not out of prurient interest, but because it's not as easy as just taking the data off the website.
In a blog post entitled "Lending Tree A Little Late In Cutting Off Network Access?", I read that in the recent Lending Tree breach:
several former employees may have helped a handful of mortgage lenders gain access to Lending Tree's customer information by sharing confidential passwords with the lenders.
Later, the author describes "an obvious chink in Lending Tree's information security armor" (reprinting a U.S. News quotation from Brian Cleary):
These are former employees—how can those user accounts to critical customer data still be active? Those should be shut down. So, their access to all of the information and resources should be revoked on the day of their termination.
USNews.com
Finally, he observes that
If you're going to rely primarily on human beings to implement the policies, then you'd better make sure that those human beings are either themselves subject to checks and reviews to make certain that they're following the policies.
All of this is nothing new to EC readers. What surprised me, and what I think is noteworthy here, is that the guy writing this is not some CISSP, CISA, or even CISO. He's the voice behind the Bank Lawyer's Blog, an attorney with banking and other corporate clients.
Not to read too much into this, but when the legal profession starts commenting knowledgeably about access termination policies, there's something interesting afoot.
The other 2.1 million people, apparently, should be reassured: yes, their personal medical data was stolen, but the University feels it would be hard to read, and, well, there's no financial identity theft risk associated with it. That is, if you believe the sorts of people who notify 1.9% of the victims of a breach. Sorry, ChoicePoint. Unfair comparison. You notified about 18% of the victims*, nearly ten-fold as many.
There's some analysis of how hard it would be to read the tapes. I'm skeptical: why does someone steal tapes from an Iron Mountain van if not to read them?
The Breach Blog feels differently. In "University of Miami reports stolen tapes affecting patients," he digs into the likelihood of the data being accessed.
Now, the University claims that the tapes are in a "complex and proprietary format," which seems to be "Tivoli Storage Management" from IBM. Tivoli Storage Manager has encryption capabilities (page 3 of this PDF). I'm curious why that wasn't in use.
Also, looking around, I found this quote at an IBM partner site:
Much is made of the inbred security of the TSM system since the backed up data is so closely linked with the TSM database. While, to the layman this is true, and it is almost impossible to reconstruct TSM data without the database, it is possible in the right scenario, with the right skills at your disposal.
Until I hear more, I'm skeptical of the University's claims. I don't believe, and I have not believed for a long time, that breach notices are about identity theft. They're about the performance of a promise to protect information.
(*Footnote: 18% being 30/160, approximate numbers for the ChoicePoint incident.)
This volume of the SIR focuses on the second half of the 2007 calendar year (from July through December) and builds upon the data published in the previously released volumes of the SIR. Using data derived from several hundred million Windows users, and some of the busiest online services on the Internet, this report provides an in-depth perspective on trends in software vulnerability disclosures as well as trends in the malicious and potentially unwanted software landscape, and an update on trends in software vulnerability exploits. The scope of this fourth volume of the report has been expanded to include a focus on privacy and breach notifications, and a look at Microsoft’s work supporting law enforcement agencies worldwide in the fight against cyber criminals. [Emphasis added.]
Emergent Chaos readers are unlikely to learn new details in the analysis. What's important to me is that this helps to establish a new normal baseline around the way we're using information that's disclosed and gathered by folks like Attrition.
[...] an individual or entity that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system following discovery or notification of the breach of the security of the system to the Office of the Attorney General and any affected resident of the Commonwealth without unreasonable delay.
Virginia's new breach law
Emphasis added.
Virginia, West Virginia, and South Carolina are the latest states to pass data breach notification laws, bringing to 42 the total number of states with such laws on the books (including the one state with a law that applies only to public entities, Oklahoma)
See "More Breach Notification Laws -- 42 States and Counting" at the law blog of Proskauer Rose.
One of the great things about having the full report is that we don't need to rely on Brian to interpret it for us. I love having data, and hate how rare it is for people who work in information security to have anything but summaries.
I found a couple of things interesting. At first they seem unrelated:
An example is the "zippy" memo, where JPMorgan Chase employees traded information about how to fool the computer into approving loans. (See "How to Get an "Iffy" loan approved at JPM Chase," or "Chase mortgage memo pushes 'Cheats & Tricks.'" Chase fired at least one person for distributing it.)
The advice included:
As long as (as Martin Wolff says) "no industry has a comparable talent for privatising gains and socialising losses," we should expect to be unpleasantly surprised by reading about bank fraud. (A bit more context on the Wolff quote can be found in this excerpt.)
MANILA, Philippines -- Local organizations want the breach of information systems and theft of personal information reported, a survey conducted by the Cyberspace Policy Center for Asia Pacific (CPCAP) showed.
"A surprising 94 percent favored the imposition by law of [an] obligation upon businesses to report [a] breach of security of information systems or theft of personal information," Claro Parlade, executive director of CPCAP, said in a summary of its survey that was presented to a technical working group created by the Commission on Information and Communications Technology to help Congress draft a data privacy bill.
The survey had a small sample size, but even so. 94%. It's like a sea change in just three years. How are you using breach data?
...straining upon the start. The game's afoot!
Follow your spirit; and upon this charge
Cry 'God for Harry, England, and Saint George!'
So closes the speech before battle which Shakespeare wrote for Henry V. You know, the one which opens, "“Once more into the breach:” (Thoughts on the cumulative effects of notification letters)." I seem to recall Henry talking about the proper ownership of the French Crown and Harfleur, and not breaches. Only because the French crown is long settled, I'd like to follow Dissent and talk about breaches. She's responding to an article by Scott Berinato, "The United States of TMI." Both are worth reading. Quoting Dissent:
While their comments are thought-provoking, I don’t agree that learned helplessness is the appropriate paradigm to apply here, although I agree what the individual tells himself or herself upon reading a disclosure is key to how they respond.
Henry spoke to fire his men up for real battle. I think that we, like Henry's men, are fired up and straining at the start. We're aware of the danger in front of us, and the power which we have. We have today the ability to follow our spirit. We can agree that "in peace there's nothing so becomes a man, as modest stillness and humility." We can also see that our security measures are not working as well as we'd like, and actively engage with the problem.
There are two greyhounds straining. The first is the truth about the state of affairs, and the second is those of us at the start of sifting through the data, trying to make sense of it.
I don't believe we must learn helplessness. To the contrary, I believe that we must not. The landscape has changed dramatically since ChoicePoint. Talking about breaches has transformed the landscape, and will do so further. There's more embarrassment over coverups than over the breaches. Companies have emerged to address consumer and business concerns. We will see more.
So indeed. Once more into the breach, dear friends.
“I gave a talk to a group of nonprofit executives a few weeks ago, and every single one of them had a fraud story to tell,” said one of the report’s authors, Janet S. Greenlee, an associate professor of accounting at the University of Dayton. “This has been going on for years, but there’s a feeling that it shouldn’t be discussed,” because of the effect it might have on donations.
...
But it will now be harder for charities to hide fraud, because beginning with tax forms they must file for 2008, the Internal Revenue Service has added a question requiring them to disclose whether they have experienced theft, embezzlement or other fraud during the year.
This resonated pretty strongly with points we make in the New School. It's about how problems fester when we don't talk about them. There's a principal-agent problem here, where charities, acting as agents for their donors, are actively concealing problems. And it shows yet another example of diverse perspectives helping to solve problems.
The report is available at "An Investigation of Fraud in Nonprofit Organizations."
Is the recent wave of reporting on British data breaches similar to what we've been seeing in the US? A couple of things seem true: the US has way more reported breaches per capita, but both locations have seen greatly accelerated reporting.
Here's a plot of all US (Country = 'US') and British (Country = 'GB') breaches in Attrition's DLDOS, as of March 13, 2008.
The incident count has been normalized by dividing each series by the total number of incidents in that series. The US had 840 reported incidents, Great Britain had 33.

Update: Added vertical lines to graphic, in response to Lyger's comment. Left one is Choicepoint 2/15/05. Right is HMRC 11/20/2007.
One of the reasons that airline passengers sit on the tarmac for hours before takeoff is how the FAA Department of Transportation measures "on time departures." The on time departure is measured by push-back from the gate, not wheels leaving the tarmac. (Airlines argue that the former is in their control.) If you measure the wrong things, you create incentives for bizarre behavior.
Which is why I was fascinated to read the new GAO report, "Information Security: Although Progress Reported, Federal Agencies Need to Resolve Significant Deficiencies."
While progress may be reported, PogoWasRight calls out:
The number of security breaches on government computers has quadrupled in the last 2 years – from just over 3,500 in fiscal 2005 to just over 13,000 in fiscal 2007.
If that's progress, maybe we need some regression?
More seriously, I think it's great progress that we are talking about the failure rates. Now we need to start to question the things being measured that allow the GAO to summarize that state of affairs as progress.
I wonder, where else are we measuring the wrong things?
[Update: I was measuring the wrong agency.]
Today was a NIGHTMARE-DAY! Globat.com just emerged from a major outage - the worst in company history and everybody - customers and staff alike - still feel extremely beaten up. Here's what happened:
At approximately 5:00am Pacific Time on Thursday, February 21, 2008 we suffered a major network outage, which affected nearly all Globat.com customers, our own Web sites and service infrastructure as well as our phone systems.
He goes on to explain what went wrong, and what he's doing to prevent it from happening again.
This sort of thing is fairly common in computer operations. People talk about what's gone wrong. And their customers, while annoyed, prefer this to the bravado and bull they get about security incidents.
In fact, it's common in a lot of industries to have failures discussed. And while it leads to some Monday-morning quarterbacking, it also leads to operational improvement.
The trouble is, consumer behavior seems unimpacted.
Also in the looking at Javelin department, Chris Hoofnagle writes about "Making the Known Unknowns Known," which gets some additional thoughts from Dan Solove, in "Requiring Banks to Disclose Identity Theft Statistics." It's a very good and reasonably short article that makes the argument that the fraudsters have figured out weaknesses in the US banking system that aren't getting analyzed in a systemic way.
If this data thing were organized, it would be like a movement.
The report, Educational Security Incidents (ESI) Year in Review, spotlights institutions worldwide, and Penn State was included in the report with one data breach last year.
"Security of data analyzed in study," The Daily Collegian at Penn State....
"My goal with ESI is to, hopefully, increase awareness within higher education that not only is information security a concern, but that the threats to college and university information is not as simple as network and/or computer attacks," Adam Dodge, ESI creator, wrote in an e-mail....
The report also shows the majority of information breaches at colleges came from unintentional leaks, rather than hackers. But Penn State Information Technology Vice Provost Kevin Morooney said he isn't sure how deeply anyone should read into the report.
"I'm ignoring the report," he said. "Hackers are a constant and daily threat at the university, and we have many things put in place to mitigate the risk." (Emphasis added.)
Adam Dodge runs the "Educational Security Incidents" blog, and his "Year In Review" is worth a look.
I hope that Vice Provost Morooney had other things to say about a comprehensive approach to security. Because otherwise, he's made up his mind, and don't wanna be bothered with no facts. A sad position for anyone at a University to take.
Chris Hoofnagle has completed a paper which ranks US financial institutions according to their relative incidence of ID theft, based on reports to the FTC by consumers who named an institution.
Chris (like another Chris I know) would like to see more complete information on ID theft available to consumers, so they can make informed decisions about with whom to do business. In an earlier paper, he argued that banks should publicly disclose identity theft statistics.
From the current paper's abstract:
There is no reliable way for consumers, regulators, and businesses to assess the relative incidence of identity fraud at major financial institutions. This lack of information prevents more vigorous competition among institutions to protect accountholders from identity theft. As part of a multiple strategy approach to obtaining more actionable data on identity theft, the Freedom of Information Act was used to obtain complaint data submitted by victims in 2006 to the Federal Trade Commission. This complaint data identifies the institution where impostors established fraudulent accounts or affected existing accounts in the name of the victim. The data show that some institutions have a far greater incidence of identity theft than others. The data further show that the major telecommunications companies had numerous identity theft events, but a metric is lacking to compare this industry with the financial institutions.
This is an area fraught with methodological challenges, many of which are due to sparse (or, as I have intimated with regard to ID Analytics, for example, proprietary) data. Chris' paper simultaneously shows what can be done with what we have, and why we'd be better off if we had more.