Breach Tidbit

One of the things people would like to find out is how likely it is that improperly-revealed personal information will be used to commit real fraud.
ID Analytics has done some research which they interpret as suggesting that even with focused attacks, where the bad guy is going after SSN and account information, the probability of illicitly-gained PII being used for actual fraud is less than 1 in 1000.
In looking over some information I received from New York, I noticed a case in which branded credit card applications (including the assigned CC#) were targeted, and 150 stolen. Now, I don’t know if the case I’m talking about is like those in the “targeted” group studied by ID Analytics, but if it is, I’d expect maybe one fraud attempt, and that’s being extremely generous.
The number actually observed: 11, all fraudulent purchases.
There is a lot of work left to be done on this topic, that’s all I’m saying.
Updated: Link to press release, and characterization of observed fraud.

Darn kids! Get off my lawn!!

“Until Solaris became open, students were only interested in Solaris for the same reason they were interested in NextStep Unix — because it was this arcane, old-fashioned thing,” said Asheesh Laroia, a graduate student in computer science at Johns Hopkins University.

Via NetworkWorld.

The Future’s So Bright, Let’s Not Wear Blinders

I started this week asking “Is It Time To End the Breaches Category” and “What’s Next In Breach Analysis?” I talked about “Emergent Breach Research,” Chris talked about the theme of the “19th Annual FIRST Conference” including data being out of control. Arthur followed that up with “CSO Breach SOP == FUD?” and pointed out that real world data allows us to call people who are making bogus assumptions. Chris added some real world data which is interesting–the nature of breaches reported is changing.

Now, some people don’t like this brave new world of ours. Perhaps they’ve made a living selling FUD. Perhaps they fear that a breach will cost them their job (highly unlikely) or their company substantial money (possibly) or their shareholders will suffer (unlikely). Many people who like the world the way it is have been pushing for new data protection laws that protect those who lose control of data they collect. They focus on the negative, and ignore the positive impacts of disclosure. Or, if they’re really clever, they’ve picked up on Schwartz and Janger’s Model 4 (as mentioned in “Notification of Data Security Breaches.”

While I understand the motivators here, I am deeply encouraged by the emergent breach research that’s already come out, and I believe that research to be a harbinger of quite a bit more. Any central agency which collects and controls access to data will slow our ability to learn from and analyze data. A national “ceiling” on breach disclosure, in any form, does far more harm than good.

In computer security, we have too little data as is. The costs are surprisingly low when you look at the data. The benefits are high: we can look at data. We should drive the costs lower by accepting the normalcy of failure, and fixing its causes.

10-second MBA, por favor?

I have read repeatedly, most recently at Bejtlich’s blog, that with the IBM-ISS and now Secureworks/LURHQ deals, Counterpane “must” be looking to get bought out. Why? As with management consultancies, could there not be room for a boutique that does one thing really well? Help me out, here.

Breach Data

I just received a response to my second Freedom of Information request to the state of New York. I’ll report on this more deeply soon, but in the spirit of breach analytics week, I wanted to throw out a couple of things, based on an extremely superficial examination of the approximately 285 pages I received, representing approximately 45 breaches.
First, only maybe 2-3 of these were educational institutions. The vast preponderance were financial and/or insurance firms. Computer theft, primarily of laptops, was by far and away the leading breach mechanism — I’m talking over half of the reports, maybe even two-thirds (I’ll tally it up and post about this soon). After theft, I’d say it was a toss-up between web site coding/config screw-ups and dumb procedures like mailing out SSNs to the wrong people.
OK, so what does this have to do with data and research? Well, first off I would say that these 45 or so cases differ noticeably from those I got from the same source in NY only four months earlier. Far more laptop thefts reported now, and a much heavier financial services/insurance weight.
Does this reflect a different reality as far as how PII gets revealed, and from whom? Does it reflect an increasing awareness of the need to report? An increased focus on equipment theft as a regulatory compliance issue? I have no idea, and I don’t think anyone else who follows this stuff does, either. At least not any idea for which we have appropriate data to conduct an empirical test.
That, I would say, is our challenge. The analytical tools we have. The theoretically-informed hypotheses we pretty much have. We need better data.
More on this later.

HP: The Kind of Security Theater We Like To Watch

This story just keeps getting more entertaining. “HP targeted reporters before they published.” They tried to install spyware on target’s computers, as CNET reported in “HP Spying More Elaborate Than Reported.” They engaged in physical surveillance of targets, as reported by the Washington Post in “Extensive Spying Found At HP.” And the Post reports that the CEO knew and approved: “HP CEO Allowed Sting of Reporter,” and Ryan Singel points out that “the Chief Ethics Officer was heavily involved.” Where do you go from there? I hear TSA needs a new privacy officer.

Bruce Schneier writes:

I’m amazed there isn’t more outcry. Pretexting, planting Trojans…this is the sort of thing that would get a “hacker” immediately arrested. But if the chairman of the HP board does it, suddenly it’s a gray area.

Speaking of the Chairman of the HP board, she took the irony cake last night:

“All I will say about the maelstrom is that I look forward eagerly, in the near future, to the time when I can set the record straight and go back to leading my life as discreetly as possible,” Dunn said during her after-dinner speech.

And the title? I stole it from Dave Weinstein.

CSO Breach SOP == FUD?

Last month, CSO Magazine ran an article “Avoid a Meltdown: Reacting to a Security Breach.” The article had some great advice on breach handling, however as usual, the magazine resorts to scare tactics in order to get its point across. It is articles like this that give CSOs a bad reputation for not understanding business needs or risks. CSO says:

Looking further into the business impact of the post-breach processes, we quickly see that the way an organization reacts to the security breach can make the difference between a minor financial impact and a complete corporate meltdown.

and also:

The real costs in any security breach are in the long-term financial impact and productivity reduction, not the immediate remediation costs

Except, they don’t actually ever support the claim. They don’t provide a single example of a company being significantly hurt by a disclosure. I personally, can think of one, and that is CardSystems. In fact, from the Alessandro Acquisito et al paper, that Adam linked to earlier today, we learn the following which completely contradicts CSO Magazine:

Our event study shows that there exists an impact for privacy violations. This impact is significant and negative, although it is short-lived.

This supports the anecdotal evidence, such as the fact that Choicepoint is now trading at prices that are more or less the same as before all of its disclosure issues.
And while I’m complaining, enough with citing the 1982 Tylenol issues as a business case. There is a big difference between dealing with a privacy or data leak and people dying because your drugs have been poisoned. Surely, the editors could find a more recent example where a management team has handled a major issue well, such as the one at Facebook?

CfP: 19th Annual FIRST Conference

The Forum of Incident Response and Security Teams (FIRST) has put out a call for papers for its nineteenth annual conference.  The theme for 2007 is “Private Lives and Corporate Risk: Digital Privacy – Hazards and Responsibilities”.

Full details at:

FIRST 19th Annual Conference, June 17 - 22, 2007,
Melia Seville hotel, Seville, Spain
Private Lives and Corporate Risk:
Digital Privacy - Hazards and Responsibilities.
Call for Papers
All submissions must reflect original work and must adequately
document any overlap with previously published or simultaneously
submitted papers from any of the authors. If authors have any doubts
regarding whether such overlap exists, they should contact the
program chairs prior to submission.
Papers will be scheduled as part of the Main Conference.
Timeslots are available in three lengths:
a) 50 Minutes, with 10 minutes question time
b) 40 minutes, with 10 minutes question time
c) 25 Minutes, with 5 minutes question time.
The program committee is also looking for contributions to the 'Geek
Zone', where presentations last for three hours and which are aimed
at a smaller more technical audience of up to 30 people. These
presentations are intended to include live demos and involve their
audiences in active participation.
It is important that your presentation/class is:
. Topical
. Unique
You should not present with the aim of gaining the audience's
interest in any commercial application or product, in other words:

Emergent Breach Research

I talk about research and next steps, but what do I mean? We’re starting to see academics taking a serious look at the data sets we’ve accumulated here and at Attrition, and that’s awesome. I want to see more papers like:

The unfettered ability to do research based on shared data is exceptionally powerful, and cool things will emerge.

All of these papers, by the way, are well worth reading.

What’s Next In Breach Analysis?

I asked recently “Is It Time To End the Breaches Category?” I think we, amongst others, have driven real change in expectations. Organizations outside the US, not compelled by any law, have chosen to notify customers. (Examples include a Bank of Montreal latop, the Government of British Columbia, KDDI, a Japanese phone company, the Bank of Bermuda, the Grand Hotel, Brighton, UK, and others.

When I started on this, I didn’t have a deep analysis. I found it interesting, and I’ve done well by following my instincts in the past. I now know that California’s SB 1386 is one of the most important developments in recent information security history. The opportunities that it creates for empiricists are tremendously important. Similarly, the opportunity to overcome the military-derived anti-disclosure approach to information security is tremendous, rare, and not to be squandered.

As most honest practitioners are willing to admit, security work is tremendously challenging because there are a great many things we don’t know. Metrics are hard to gather, and hard to share, in part, because we have a fear of talking about what’s going on. But over hundreds of breaches, there are few lost jobs. Only one company has sold their assets at a fire sale (CardSystems Solutions. There’s 30+ mentions in our breach category archive.) It seems the stock market doesn’t care. I’ve argued these points in more detail in “Transparency is good for the soul (of our profession)” and more generally in the breach analysis category.

So where do we go from here?

Is It Time To End the Breaches Category?

working-dam.jpgLooking back to February of 2005, that companies routinely lose control of data entrusted to them was known mostly to security professionals and enthusiasts. Breaches were swept under the rug, and the scope and breadth of the problem was unknown. Thanks to Choicepoint’s dedication to bringing about public debate on the issue, the outstanding reporting of Bob Sullivan and others, and my unholy fascination with it, and Chris’s dedication in finding data, things have changed. This blog became an important source of information and analysis, and I’m very pleased to have contributed to the changes. The stories are now mainstream, and more broad. Things like “Payroll Giant [ADP] Gives Scammer Personal Data of Hundreds of Thousands of Investors” make ABC news. (Names and addresses, not SSNs.)

Academic researchers, not to mention the AARP, are using the breaches archive to get data for studies, and that’s both really cool and really scary. (For the AARP story, see Brian Krebs, “Study Analyzes 16 Months of Data Breaches.”) Chris and I should not be amongst the best data sources on a major emerging category of crimes. The FBI should be accumulating this, along with the National Crime Victimization Survey, and, you know, the guys at Attrition, and anyone else who wants to collect, and ideally, share their data.

It seems to me that the Dataloss list and database are now my primary source for breach data, and that causes me to ask, is it still worth having the roundups of breaches? I’d love reader feedback before I make a final decision.

Lastly, when it comes to pithy analysis, Anton Chuvakin pointed to “Hacking Still can’t outdo stupidity for data leaks.” Good to know!

Photo by Andres Colmenares.