Showing posts with label breach notification. Show all posts

Wednesday, October 6, 2010

The Professional

An interesting narrative, unfortunately trapped behind a paywall, comes from the Chronicle of Higher Education - "Chapel Hill Researcher Fights Demotion After Security Breach"

A cancer researcher's database potentially gets pwnd (two years from incident to discovery), spurring the usual breach notification process.  Her bosses cut the researcher's pay and reduced her status from full professor to associate.  The justification was that she, as principal investigator, was responsible for the security of the personal data entrusted to her by the subjects of the study.

The meat from the article (emphasis added):

The provost also accused her of assigning server-security duties to an inexperienced staff member, who failed to install important patches and upgrades, and of not providing the staff member with the training needed. Ms. Yankaskas countered that the staff member, who has since left, had worked for the university's technology office and that the employee never submitted a formal request for additional training.
"I had an employee who I trusted who told me things were OK," she added. "I would have no way to get on the computer and tell if it was secure. Unless I assumed my employee was lying to me, I don't know what I could have done."
I believe that there is another option.  Some folks in charge of security are not liars, but are incompetent.  And, yes, it is hard to tell them apart.

If it were money that was stolen, and someone said "I have no way of telling if the books were correct.  I trusted the accountant.  He was an experienced bank teller," what would the response be?  Why didn't you hire a forkin' CPA?  CPAs have professional knowledge and ethical obligations, and if they fail to meet them, you can have their license pulled.  

Not so with security folks.  Why is it acceptable for others to manhandle your personal, private data more cavalierly than your accounting records?  

I'm tempted to start my rant on certification, pseudo-science and "computer forensic professionals" but I'll save it for the next post.   


Monday, September 14, 2009

Intent

There’s a whole bunch of the IDC/RSA white paper on insider risk management that puzzles me on one level or another.
“Whether the threats are accidental or deliberate, the costs are still the same.”
I didn’t see much data in the report regarding costs. I'm not sure if they are talking about dollars. Regardless, the controls to prevent either accidental or deliberate data loss probably overlap in most scenarios, so that cost may be similar. It’s the cost of response and recovery that could be wildly different. I would rather pay to have a document restored from backup than pay the costs of data falling into the hands of someone who would steal it. Intent is material in incident response cost. (I'm not married to this idea yet, but I've taken it out to dinner a couple of times.)
“Malware and spyware attacks are another example of the risk of good employees doing bad things.”
I don’t think good employees are doing the bad things in malware and spyware attacks. I think it's bad people doing bad things. I’d categorize the real threat as the operator of the malware or spyware. The employee's behavior is a control, but given the sophistication of much of the malware around, it is not surprising that this control occasionally fails (Is visiting NYTimes.com a “bad thing”?) If the security of data is breached due to malware on a desktop, it has gone to bad people. I think this sort of incident belongs in a different category from an error, omission or mistake. There is an intelligent actor intending harm behind the action. Not so with a lost laptop.
Under “Key Findings”
"14.4 incidents of unintentional data loss through employee negligence in the past 12 months"
So, what does “unintentional data loss” mean? Dropping the wrong table? Hitting “Save” rather than “Save As”? Losing a laptop? That number is not as exciting to me as the 11 incidents of internal fraud a year cited a couple of rows down. Response to "unintentional data loss” could be as simple as pulling a back-up, but fraud incidents are going to burn more organizational cycles and have a demonstrated loss.


Tuesday, August 21, 2007

Market Fresh


A curious discussion of terror risk, and of a terror prediction futures market, from some GMU economist types and at the Chronicle's Footnoted blog.

I don't know enough about econ to assess the value of such a market, but I do wish that someone would set up a Privacy Breach Futures Market so we could make the security analystas put their magic quadrants where their mouths are. (Or vice versa: whichever would be more unpleasant.) Viz, the TJX OMG!!1! MILLIONS IN PWNAGE!! NO!!BILLIONS! analysis found on Computerworld. Maybe something more along the lines of buying squares in a football pool would offer as much predictive value as the collective voices of these cats.


Photo courtesy The Prodigal Son.


And yes, this is the second consecutive post with a Broken Social Scene related title. Because Broken Social Scene are one of my top five most favorite things that are Canadian.

Monday, August 20, 2007

I Feel That It's Almost Crime


Imagine Monster put a click-through license on the malware, adjusted the privacy policy a tad (include an opt-out for additional "services"), and voila! It's not a privacy breach, it's an additional revenue stream! The 1.6M bits of Monster job hunter data is at least as hot as the Glengarry leads.

Imagine that the Certegy/Fidelity records were not sent on a wild cascading romp through the land of data brokery by the actions of a rogue database administrator, but through a perfectly legal contract. (As Mr. Certegy assures us, the data was sold to legitimate data brokers.) So the whole thing is just a crossed "T" or dotted "I" away from being 110% on the up and up. Instead of class action, we'd be talking steak knives and Eldorados!

It's just semantics. "Data broker" = "Identity Thief." "Lead Generation" = "Privacy Breach."
It's all the same. But the Yukon keeps me up all night, and it feels like it's almost crime.

Wednesday, July 18, 2007

Half Baked


What follows are annoying thoughts that have been ground to meaningless gravel in my head for the past month or so. As soon as I think them through, and dismiss them, my brain belches them back up. Committing them to the ether seems the only way to purge them, but I've been wrong before:

Proximity and Privacy: Privacy breaches due to negligence occur when there is a distant relationship between the identity custodian and the individual. Malicious breaches occur when there is a close relationship between the two. (Half baked corollary: Web applications proxy a close relationship with distant actors.)

Metrics Will Be Juked: The compiling of stats is the prelude to the inevitable juking of stats. Observing, recording and reporting the data underlying a performance metric corrodes its value. The reason data that is difficult to access and compile is compelling is because it is difficult to access and compile. Once people realize that their behavior, or the results of their behavior are being observed and measured, their behavior will change, not necessarily to impact the desired results, but to change the metric. This change will be multiplied if the measure is tied to compensation or perceived to be tied to compensation.

Lone Gunmen Theory of Privacy Risk: Measuring a corporation's loss due to a breach of privacy is futile and meaningless. This loss is not related to the harm to individuals whose privacy was violated. It makes no difference if the data is lost, stolen, or sold, or if it occurred within or without the bounds of the law. I don't see any equation that will match corporate postage, legal fees, data broker accounts receivables, or public relations consulting with personal financial trials, embarrassment, loss of employment, prohibition of travel, or physical detention. Privacy risk is borne by individuals, not corporations. Which is why I was a bit distressed when I read this:

If you are not suffering any damage due to these breaches, then why are you even trying to deter, detect, and respond to them in the first place?
In privacy, it's always the other guy that suffers the real damage.


Now I can concentrate on the important things: sorting out my emotions regarding the preemption of TV coverage of the German GP by live broadcast of Lady Bird's burial and Laguna Seca.




Tuesday, May 8, 2007

SSNS ON THE LOOSE! (Legacy Edition)


I'm trying to understand the newsworthiness of the latest episode of "SSNS On The L0OzE. OMG!!1!!"

Some dude in the mail room puts a bunch of computer tapes in the wrong slot, according to the AP report in the Houston Chronicle. State agency looks for 'em. Contractor looks for 'em. Then they find 'em, in the wrong slot. A problem as old as the mainframe.

My guess: the missing tape was a quarterly report (WITH SSNS!!), there was some turnover in the computer room, and the folkloric control vanished with the last operator who performed it. The article doesn't state the format of the tapes, but I'm guessing it's EBCDIC flavored, with a chewy center of either DB2, Adabas or Model204. (The New Russian mob has standardized on Unicode, leaving behind Blofeld and his "legacy" villainy.)

Solution? Document the process, develop a tracking spreadsheet. People have been exchanging tapes for decades, and there are simple ways to track it. You could even buy some bar code software, or something. (As it says on the wall in the illustration: "If In Doubt, ASK".)

What is the solution proposed by the contractor?

The company is now exploring transferring the data electronically to improve security, [contractor spokesman] Lightfoot said.
I think my way is cheaper. And safer. And easier to track. I only know what I read in the papers, though.
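What "document the process and track it" looks like in practice, as an added example that is not part of the original post: a chain-of-custody reconciliation for backup media. It compares where each tape is supposed to be (the inventory), where the hand-off log last says it went, and where a physical scan of the library actually found it. The inventory, custody log, scan and field names below are all constructed for illustration; the one thing worth noticing is that a tape found in the wrong slot is a process failure to fix, while a tape with personal data that the paper trail loses is the thing that should start the breach assessment.

```python
"""Added example (not from the original post): minimal chain-of-custody
reconciliation for backup tapes. All data below is constructed sample data;
the field names and locations are assumptions for illustration."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Tape:
    tape_id: str
    expected_slot: str   # home slot in the tape library
    contains_pii: bool   # does the tape carry personal data (SSNs etc.)?


# Constructed inventory: where each tape is supposed to live.
INVENTORY = [
    Tape("Q1-2007-PAYROLL", "A-07", True),
    Tape("Q1-2007-AUDIT", "A-08", False),
    Tape("Q2-2007-PAYROLL", "A-09", True),
    Tape("Q1-2007-MEDICAL", "A-10", True),
]

# Constructed custody log: every hand-off recorded as
# (tape_id, from_location, to_location, handler).
CUSTODY_LOG = [
    ("Q1-2007-PAYROLL", "A-07", "VAULT", "operator1"),
    ("Q1-2007-PAYROLL", "VAULT", "A-07", "operator1"),
    ("Q2-2007-PAYROLL", "A-09", "MAILROOM", "clerk"),
    # No entry returning Q2-2007-PAYROLL to a slot: the paper trail ends here.
    ("Q1-2007-MEDICAL", "A-10", "COURIER", "clerk"),
    # Nothing after hand-off to the courier either.
]

# Constructed physical scan of the library: slot -> tape found in it.
PHYSICAL_SCAN = {
    "A-07": "Q1-2007-PAYROLL",
    "A-08": "Q1-2007-AUDIT",
    "B-03": "Q2-2007-PAYROLL",   # the "wrong slot" from the news story
}


def last_known_location(tape_id, log):
    """Walk the custody log in order; the final 'to' field is where the
    paperwork says the tape is. None means the tape was never moved."""
    loc = None
    for tid, _src, dst, _who in log:
        if tid == tape_id:
            loc = dst
    return loc


def reconcile(inventory, log, scan):
    """Return findings as (tape_id, kind, detail) tuples.
    kind is one of MISSING, WRONG_SLOT, UNTRACKED."""
    found_at = {tid: slot for slot, tid in scan.items()}
    findings = []
    for tape in inventory:
        paper = last_known_location(tape.tape_id, log) or tape.expected_slot
        physical = found_at.get(tape.tape_id)
        if physical is None:
            findings.append((tape.tape_id, "MISSING",
                             f"not on shelf; paper trail ends at {paper}"))
        elif physical != tape.expected_slot:
            findings.append((tape.tape_id, "WRONG_SLOT",
                             f"found in {physical}, expected {tape.expected_slot}, "
                             f"paper says {paper}"))
    # Media on the shelf that no inventory record claims is its own problem.
    known = {t.tape_id for t in inventory}
    for slot, tid in scan.items():
        if tid not in known:
            findings.append((tid, "UNTRACKED", f"found in {slot}"))
    return findings


def notification_candidates(inventory, findings):
    """Only unaccounted-for media holding personal data should start the
    breach assessment; a mis-shelved tape that was found is a process
    failure, not a loss."""
    pii = {t.tape_id for t in inventory if t.contains_pii}
    return sorted(tid for tid, kind, _ in findings
                  if kind == "MISSING" and tid in pii)


if __name__ == "__main__":
    results = reconcile(INVENTORY, CUSTODY_LOG, PHYSICAL_SCAN)
    for finding in results:
        print(finding)
    print("breach assessment needed for:",
          notification_candidates(INVENTORY, results))
```

Run as-is, it reports the payroll tape as WRONG_SLOT (found, so no notification) and the medical tape as MISSING with the paper trail ending at the courier, which is the one that warrants the assessment. The scan is the control the contractor's "transfer it electronically" answer does not replace: moving the data over a wire changes the custody log's vocabulary, not the need to reconcile it.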



Diamonds Are Forever image courtesy Xeni.

Wednesday, March 14, 2007

Repost Redux: Special SXSW Edition

Having read a few additional commentaries, I began to think some more on two issues I posted about earlier.

Greg Abbott vs. The County Clerks
Mordaxus at Emergent Chaos says we need to chill, which made me wonder if there was less to this issue than I previously thought. The more I think of it, though, the less appealing the whole mess appears. The clerks routinely sell the data in their charge to data brokers. The Open Records Act (Texas' FOIA) allows the clerks to charge for the records. By redacting the confidential parts, the data would be less attractive to the brokers, and the clerks' revenue stream might dry up.
The clerks are digitizing and distributing information on the Internet beyond the scope of its original purpose, and counter to Texas law. I don't have a problem holding these folks accountable to the law and their duty as custodians of the data. I will be having a beer or three at SXSW, though, probably at the Yard Dog and at Woody's.

The Hacker vs. The Corporation
Both Emergent Chaos and ArsTechnica have things to say about the study I posted about yesterday. EC posted a link to the study, but after reading it, I don't think I've changed my mind. I am, in fact, more confused about the purpose of the study than before. The distinction between "hacker" and "corporate malfeasance" does not strike me as being as interesting as the distinction between "stolen" and "lost." The question for me as a consumer remains a question of risk. Am I more likely to suffer damage to my reputation or finances if my personal data is "lost" or if it is "hacked"? No doubt frequency is part of the equation, but so are the capabilities and intention of the threat.

Photo of the Casting Couch in action by me.

Tuesday, March 13, 2007

Charts 'n Graphs

From Pogo, this article from Physorg on the classic Evil Hacker v. Evil Suit dilemma. From the article:


If Phil Howard’s calculations prove true, by year’s end the 2 billionth personal record – some American’s social-security or credit-card number, academic grades or medical history – will become compromised, and it’s corporate America, not rogue hackers, who are primarily to blame. By his reckoning, electronic records in the United States are bleeding at the rate of 6 million a month in 2007, up some 200,000 a month from last year.


Goodness. This article seems to do more damage than good in increasing awareness of the privacy issue. The key bit of data that seems to be missing is the damage. More from the article:
Malicious intrusions by hackers make up a minority (31 percent) of 550 confirmed incidents between 1980 and 2006; 60 percent were attributable to organizational mismanagement such as missing or stolen hardware; the balance of 9 percent was due to unspecified breaches
So, how many fraudulent charges were made, fake IDs manufactured or reputations horribly disfigured by each category? The author of the study adds:

"And the surprising part is how much of those violations are organizationally prompted – they’re not about lone wolf hackers doing their thing with malicious intent."

So, would you rather Big Nameless Credit Card Company notify you:

A. that your name/credit card/SSN/date of birth were lost at an airport while stored on an encrypted laptop hard drive

OR

B. that Lone Wolf Hacker sniped your digits off their server (running unpatched IIS 2.0 on unpatched Win98)

Of course I can't prove that either scenario is inherently more dangerous for the consumer. I can just shake my angry fist at the data.

Monday, February 26, 2007

Impacted Molars: Misguided Ninja Dudes and PCI Awareness



MESIAL
Dark Reading continues its obsession with physical security:
Network dude rassels potential bad guy, followed by a stern warning on what a scary world it is out there, cause physical attacks hurt.
Forgive me if I'm out of line, but why would I hire a network security guy to dress up as a maintenance dude to steal a laptop out from under an executive? Especially since there are skilled investigators who could get a signed confession and all his passwords from just talking to the accused. I wouldn't hire an investigator to secure my network, and I shouldn't ask a network security guy to conduct fraud investigations. I'm not going to hire the network guy to run my HR department either.

LINGUAL
The Bank Lawyer celebrates PCI Awareness Month early, with his take on the TJX Incident. Nice run down of all the parties involved. His characterization of the consumer is incomplete:

The consumers' concern for nuance extends only to the following extent: "I see a sturdy live oak right over yonder. Let's get us a rope and hang him."
The consumer is likely to be distracted by a shiny object on the way to the noose dealership, since he or she has no loss. Credit card numbers are becoming more a disposable commodity, unlike SSNs, HDL levels or Sudafed consumption. Coming this summer: Retailers v. Credit Cards v. Banks Smackdown at the Legislative Arenadome.

Photo from Henrier.

Thursday, February 22, 2007

Friday, February 9, 2007

I don't give a damn about my bad reputation


No. No. Not me.

I was meditating on reputation risk the other day, and behold, the Daily Dave belches forth the documents I sought. (I remembered something on Emergent Chaos on this topic, but hadn't dug deep enough into their archives.)
The study I remembered and cited by Adam Shostack was "Is There a Cost to Privacy Breaches? An Event Study."


The salient quote:

"[Privacy breach] impact is statistically significant and negative, although it is short-lived."
Which is supported by anecdote (check out the TJX stock price).

So how do you convince your management to follow privacy principles? Appeal to the better angels of their nature? Start eavesdropping and pretexting them and see how they like it? (HP probably did as much good as the CDT, EFF or ACLU as far as advancing the privacy agenda in Congress).

I'm guessing the shift, as a result of the "privacy fatigue" and the "identity theft fatigue" should be to the high risk transactions, that expose the data's subject to verifiable risks, not just the lost computer tape or missing laptop. But I need data to support that, dagnabit. Else:

An' everyone can say what they wanna say, it never gets better anyway.

Monday, January 15, 2007

Canadian Breach Notification

From Emergent Chaos, a link to the paper "Approaches to Breach Notification" from the Canadian Internet Policy and Public Interest Clinic. I've been spending this frosty MLK Day afternoon looking it over. I really dig this approach:

Generally, the affected organization is in the best position to calculate the associated risks of a breach of its information security and should be entrusted with this determination. However, there should be a requirement that every breach involving defined personal information be reported to the Privacy Commissioner, with full information about the nature and extent, the anticipated risks, mitigation measures, steps taken to notify affected individuals or, where notification is not considered warranted, the justification for not taking this step.
This seems to be a reasonable approach to prevent blanketing of potential victims with notices of low-risk data loss events. The Commissioner can evaluate the organization's risk assessment to filter for the Excessive Butt Coverage Risk Assessment Methodology. *

The recommended contents of the notice would help, notably the time and method of the disclosure. I've seen notices with the vague "may have been accessed by unauthorized individuals" which offer the potential victim no real way to assess the damage.


*EBC-RAM is a Full-Custom Chrome-Plated Methodology with a burled walnut finish (optional). Patent pending, R. Dutcher Stiles, 2007

Edit to add that Educated Guesswork has a very cogent analysis of the article.