Wednesday, October 6, 2010

The Professional

An interesting narrative, trapped unfortunately behind a pay wall, comes from the Chronicle of Higher Education - "Chapel Hill Researcher Fights Demotion After Security Breach"

A cancer researcher's database of gets potentially pwnd (two years from incident to discovery), spurring the usual breach notification process.  Her bosses cut the researcher's pay and reduced her status to associate from full professor.  The justification was that she, as principal investigator, was responsible for the security of the personal data entrusted her by the subjects of the study.

The meat from the article (emphasis added):

The provost also accused her of assigning server-security duties to an inexperienced staff member, who failed to install important patches and upgrades, and of not providing the staff member with the training needed. Ms. Yankaskas countered that the staff member, who has since left, had worked for the university's technology office and that the employee never submitted a formal request for additional training.
"I had an employee who I trusted who told me things were OK," she added. "I would have no way to get on the computer and tell if it was secure. Unless I assumed my employee was lying to me, I don't know what I could have done."
Working in the Public Interest
I believe that there is a another option.  Some folks are in charge of security but are not liars, but are incompetent.    And, yes, it is hard to tell them apart.

If it was money that was stolen, and someone said "I have no way of telling if the books were correct.  I trusted the accountant.  He was an experienced bank teller" what would be the response.  Why didn't you hire a forkin' CPA?  CPAs have professional knowledge, and ethical obligations, and if they fail to meet them, you can have their license pulled.  

No so with security folks.  Why is it acceptable to treat for others to manhandle your personal, private data more cavalierly then your  accounting records?  

I'm tempted to start my rant on certification, psuedo-science and "computer forensic professionals" but I'll save it for the next post.   

Wednesday, September 22, 2010

Risk a Harm?

Interesting post and comments on privacy risk from Solove at Concurring Opinions.  Despite being raised by a pack of feral solicitors, I can't claim to understand all the legal theories involved.  I'm attracted to the liquidated damages idea for a number of reasons, including the ability to build a reserve or get underwriting to mitigate potential incidents.  

Harms at Risk

On the other hand, this is where the disclosure rules suck.   For example, an organization loses track of a hunk of physical media that contains a couple hundred thousand records that contain personally identifiable information (but not financial information - no bank or credit card account number).   In this example, there is a very high probability that the media was subsequently destroyed.  Are the individuals identified on the media well served by being notified?  

Imagine there was a method to calculate the likelihood of financial damage to the individual due to the loss of the media.  Lets imagine that there is less than 1% chance that the information will be used in a crime in the next 2 years, and it decreases by half every year that follows.  However, if it is used in a crime, it is likely that the crime will be of a significant impact - a genuine fraud involving a false credentials that would take more than $100,000 for the victim to unravel.   Is notifying the victim of the risk, and making him feel uneasy (since humans perceive risk differently than equations) responsible?  

Or is this just an excuse for me to illustrate a post with a picture of Harms at risk?  

Friday, August 6, 2010

DBR600RR - The Verizoning

I admit I genuinely enjoyed the latest Data Breach Report courtesy the stalwart boffins at Verizon Business.   My personal benchmark of genuineness is derived from my ability to almost immediately put it to use in my job.    Nonetheless, I'd like to see the data hashed up one more way. 

The following quotes from page 14 -

"Though we do not assert that the full impact of a breach is limited to the number of records compromised, it is a measurable indicator of it."

“There is not a linear relationship between frequency and impact; harm done by external agents far outweighs that done by insiders and partners. This is true for Verizon and for the USSS and true for this year and in years past  … We could provide commentary to Figure 9, but what could it possibly add? If a chart in this report speaks with more clarity and finality we aren’t sure what it is.”
I’ll tell you what you can add, cause I’m that way.  And the suggestion comes from the assumption that records=impact. I'm groovy with the assumption that number of records compromised is a measurable indicator for the top three categories of records listed on Fig. 31 on page 41 (regulated data that requires breach disclosure).   However, it seems that an incident that involves the theft of proprietary source code, non-public financial statements, or trade secrets, or whatever else comes under the umbrella of "data breach," is it counted as a single record just as one credit card transaction record counts as one record.  

I'd like to see the PCI DSS and PII/PHI database breaches broken out from the other (information property, trade secret, national security) breaches.  Looking at the data where they are detailed (p 41), there are not a whole lot of them.  Based on the statement on page 18, viz:
”It is worth noting that while executives and upper management were not responsible for many breaches, IP and other sensitive corporate information was usually the intended target when they were.”  
NPI/PII/PHI mandatory disclosure type breaches may be characterized by a different set of threats, impacts, frequencies, and require a differing set corresponding controls than the breaches associated with occupational fraud.   Yeah, I said "fraud" not "insider."  And I'd like to keep on saying "fraud" until I'm comfortable that the internal controls over non-regulated data are targeted at management override rather than external organized crime.  Is organized crime recruiting from the sysadmins and call centers?  Or is the insider a fraud (corruption/breach of fiduciary duty) issue?  Little help and we'll all be safer. 

(I personally believe in Solove's assertion that management should have a fiduciary duty to the privacy of data, but from what I've seen, we ain't there yet, and it is still all about compliance.)

On a side note, the other category of data - authentication credentials - interests me.  Do bad guys just stop at root?  Or do they start at root?  Do the executives/upper management types rely on their organizational credentials, or do they use their authority to con an underling to hand them over?  I've got the anecdotes, but I'd like the data.

Some other comments:
Figure 27 (p38) – People?  A person is a compromised asset and contains records?  I’m not sure I follow the taxonomy (or is it  taxidermy?) here.
P 40 and 41 – Thanks!  These charts help quite a bit in understanding the data.
Fig. 35 (p46) Is not only hard on my eyes, but my brain.   Why is the scale broken into non-proportional time units?  Does the data naturally break down this way? A continuous timeline would give me more confidence how stuff happens.  It tapers off dramatically since each “timespan” is considerably bigger than the previous.  My brain could handle a logarithmic scale, but 60 / 12 / 7 / 4 / 12 / (sideways eight) is kinda hard.  I’m a simple country auditor, dadgummit.   The accompanying text 
“In over 60% of breaches investigated in 2009, it took days or longer for the attacker to successfully compromise data.”  
is not fully illustrated in the graph (to my humble eyes).   Also, it could be more informative.  (e. to the extreme g., my kitchen remodel is taking "days or longer" and yet, three months later, the fridge is in living room.  But my bourbon is appropriately iced!  (This is a footnote, really, rather than a parenthetical, so there you go.))

Good thing it the follow up on page 50 struck me like a diamond, a diamond bullet right through my forehead:
Internal audit methods—both financial and technical—are the bright spot in all of this.
Yeah! Give the auditor some!  

 (Image of Roger Lee Hayden's Moto2 Moriwaki Amerigasm courtesy Motorcycle News, American Honda and USA! USA! USA! because a) it is not wholly unlike a CRB600RR and CBR sounds like DBR, b) all information security can be seen as a metaphor for motorcycle roadracing (technology, engineering, empiricism, piloted by moody irrational egomaniacs who are only in it for the birds & booze) and c) it looks totally awesome!  Porkchop better clean the clock of some euro trash come Indy what with big ol' #34 plastered on the faring)

Wednesday, February 24, 2010

Live Twice

Chandler at the New School made me collect, collate and sort my thoughts on the whole recall issue.  Although what follows is more like bend, fold and mutilate.

The greatest risk Toyotas pose to me is that I get drowsy rolling down the highway with nothing more interesting to divert me than continual rivulet of pale metallic four door boredom. 
Not incongruent to their exterior aesthetics, my personal reaction to the Toyotathon of Death falls in two barrels.
  1. Risk of correctly engineered and manufactured product v. risk of incorrectly engineered and faulty product.   A base assumption in driving a recently produced auto is that, not only will it advance the spark automatically and not require a crank to start, but also that the accelerator will not get stuck open.   If Toyota had labeled one of their transportation appliances with the label “May very rarely yet randomly accelerate,” prudent drivers would familiarize themselves with the emergency stopping procedures.   However, Toyota did not disclose this information until much later, so the information was not available for calculation into a driving risk scenario.  Drivers were operating under a “Toyota quality” assumption.   Would the driver of a Trabant exercise the same risk equation as a Prius or Highlander driver?
  2. The Mediation of the Road.  The current Toyota passenger car philosophy appears to be a closer cousin to Kitchen Aid than TF109.  This transportation appliance paradigm isolates the user (no longer a driver) from the grit, grime and smells of the road, substituting an ego coddling display of eco-righteousness and pretty maps.  How could the impolite fangs of risk driven adrenaline ever intrude into the quiet gentle rocking motions of hybrid power in a sarcophagus of LED illuminated soft plastics? The white knuckling pilot of the beater Pinto or the hyper vigilant  motorcyclist know no such peace. They know the road is a dangerous place, and that they are engaged in high risk behavior.  Unintended acceleration is one of myriad annihilation scenarios coursing ten thousand times a second through their oxygen deprived neurons.  Driving for them is like conducting transactions of the internet.   
Tangentially, yet incongruously, I once had a notion (but with a bit of backing...) that the ultimate design for a website used to conduct high dollar Internet transactions would be modeled after a mid-90s "adult" entertainment website – HTTP Auth pop-up, sloppy HotDog generated HTML, broken icon indicating missing plug-ins, probably registered at .biz, .info, .ru or .cx.  The customers would perceive the risk and exercise due caution, such as verifying the SSL certificate, maybe out-of-band telephone call to the institution, and routine changes of password for every session.  The site could be state of the art secure (y’know, SSL + firewall ), but the appearance of danger and perception of risk would make it Yet Still Even More So.   Of course, the crappiness would have to have a periodic refresh just to keep the users’ adrenaline up.

Toyota photo courtesy Wikimedia Commons.

Thursday, January 21, 2010


Read this bit of oddness from the Statesman this morning - "Pflugerville man posed as model online to elicit cash." A young man with "very effeminate voice" managed to spend four years shaking down lonely men for cash while posing as model Bree Condon, who (according to a quick Google image search) poses mostly whilst bikini'd.

I appreciate the opportunity seized by the falsettoed Pfugervillian. And, of course, Ms. Condon should have checked her credit reports and shredded her bank statements to prevent this identity theft.

Wait, that wouldn't have worked. More from the article:

Her reputation also has taken an online beating.

A commenter — the person used the name Justin Brown — on the Web site said Condon was "really sweet at first, then it's $5,000 a month just to be one of her boyfriends."

Another wrote, "She scams men for money and she is extremely psychotic."

Gracious. It's reputation theft. But only among a slightly deluded public who can "date" a 24 year old man in Pflugerville and think he's a female model.