Wednesday, November 10, 2010

Crooks have moved from carpet bombing to smart bombs.

Why data breach costs are really going down

A new study by Telus Corp. reveals that while Canadian organizations reported 29 per cent more data breaches in 2010 versus the previous year, the annual cost of these security issues has dropped substantially.

The telecom giant’s report, which polled 500 business and IT professionals, was part of a joint study with the University of Toronto’s Rotman School of Management. The report found that breaches were up almost 30 per cent year-over-year, largely because of a doubling in reported incidents at government agencies.

Yogen Appalraju, vice-president of Telus’ security solutions division, said better detection and protection technologies have not only led to more reporting across the board, but also to better containment techniques. This, he said, starts to explain why reported breaches have jumped 30 per cent in 2010, while breach costs dropped from an average of $834,000 in 2009 to $179,508 in 2010.

Appalraju added, however, that targeted attacks have been on the rise during the same period, which might be contributing to the underreporting of data breach losses at some firms.

“In a lot of cases, organizations might not know that they’ve been breached for a long time,” he said.

For Walid Hejazi, professor of business economics at Rotman, the massive 78 per cent decrease in breach costs underscores a drastic change in the way hackers and cyber criminals are going about their trade.

“They’re not trying to bring down the network anymore,” he said.

Increasingly, criminals are targeting organizations and employees that can give them sensitive data that can be sold or repurposed for financial gain.

Unfortunately, we need articles like this...

5 Ways You Can Block A Facebook Stalker

It's all part of the surveillance service!

A New Way to Compare Merchants recently released a free service called Mint Data that presents a snapshot of how much people in cities around the country are spending at individual vendors like restaurants, stores and gyms. It also lists which merchants are most popular.

… users, meanwhile, can’t opt out of having their data shared, though it is anonymous. [Want to bet? Bob] Plus, the data is skewed in the sense that it only reflects the spending habits of users.

“Gee, it's not like we're going to staple an RFID tag to the babies!”

Plan to tag new babies causes outcry

November 9, 2010 by Dissent

Laure Belot reports:

A French company, Lyberta, has just dropped plans to fit children in several nurseries in Paris with electronic tags, after a newspaper revealed the scheme. Trade unions, councils and civil liberties groups were indignant at the invasion of privacy. But the response to the idea in online forums was much more divided: “I have been longing for this ever since my first child was born,” a woman wrote. “My three-year-old daughter walked out of her infant school and the teachers found her in the next street … I would rather put a tag on my child than sign up for a kidnap warning scheme.”

“Portugal and Brazil have even passed laws to make individual security devices compulsory in maternity hospitals, to combat kidnapping and swaps,” Levasseur says. In 2009, some 300,000 infants were tagged around the world.

In France, 50,000 babies were tagged in 2009. “About 30 hospitals use our wristbands, but the subject is still something of a taboo,” Levasseur says. “Last year there were two attempted kidnappings in French maternity units, with one in our area,” says Philippe Cruette, deputy head of the Bordeaux-Nord clinic. “We were keen to respond to the concerns of mothers who had heard about these in the media.” RFID wristbands have been available since January. Cruette adds: “Roughly half the mothers ask for a tag, mainly young women having their first baby.”

Read more in the Guardian.

For my Ethical Hackers. The “Internet of Things” includes your car. If you go to court, you need to produce the car's computer files “proving” that you were NOT going 85 in a school zone.

How a Savvy Coder Hacked His Tesla

November 9, 2010 by Dissent

Justin Hyde writes:

A software engineer asked by a Tesla Roadster owner to see what information the car was collecting on its performance managed to crack Tesla’s data format. He found it records every second of its use.

Last month, after getting the request from another Tesla owner, the software engineer went to work, finding a 12Mb data file stored in the vehicle:

The binary file contains two sections, the first is a long term data logging section with 1 entry per day since the vehicle was made along with firmware update information and other vehicle data. The second section is an 8M wrapped block for data on driving and charging of the vehicle. Data while driving is saved once per second, minute and 10 minutes. Data from charging is once per minute as well as other unknown entries.

The previous parses found that in addition to basic data like speed and charging times, the Tesla also collects GPS data about where the vehicle was charged.

Ubiquitous surveillance.

Welcome to Skynet, the CCTV Surveillance Society

… The next time someone calls you paranoid or asks about your tin foil hat, point them toward the ACLU's website, You Are Being Watched. The site asks "Do we want a society where we live under an ever-watchful video eye?" Along with highlighting surveillance hot spots, the You Are Being Watched website reveals the high costs of camera surveillance systems, "both in terms of money and civil liberties." The site mentions true "horror stories" such as when CCTV surveillance has been misused for racial profiling and voyeurism.

The government wants to appear like it is doing something productive to cut crime and terrorism. In regard to CCTV, it has been reported that one crime is solved for every 1,000 cameras. New York University published a statistical study showing that surveillance cameras do not deter crime much, "if at all, based on five years of evidence." Furthermore, criminologists and others studying cameras found that violent crime levels showed "no statistically significant change in the level of crime anywhere in the 500 foot range around the cameras." On the other hand, all that CCTV footage may be successful after a crime has been committed by improving conviction rates and by decreasing the frequency of false convictions. New Orleans recently scrapped its crime camera program. In seven years, its CCTV program produced only six indictments; three were for crimes and three were for bribes.

Fixing HIPAA

World Privacy Forum files two sets of regulatory comments on HIPAA

By Dissent, November 9, 2010

The World Privacy Forum filed two sets of detailed regulatory comments on recently proposed changes to HIPAA. The first comments focused on proposed changes to HIPAA in the area of marketing patient information. The proposed changes would be harmful to patient privacy, and are contrary to the law. WPF was joined in the marketing comments by the Center for Digital Democracy, Consumer Action, Consumer Federation of America, the Electronic Frontier Foundation, Privacy Activism, Privacy Rights Clearinghouse, and Privacy Times. The second set of comments WPF filed included the comments on marketing as well as on additional provisions that would be problematic if enacted.

Read the joint marketing comments on HIPAA (8 pages)
Read the long comments on HIPAA (15 pages)

Identity Theft Reported By 33% Of Healthcare Organizations

By Dissent, November 9, 2010

Nicole Lewis reports:

A Healthcare Information and Management Systems Society (HIMSS) survey has revealed that 33% of respondents said their organization has had at least one known case of medical identity theft, and that some cases may never be reported.

In addition, only 17% of respondents working for medical practices said they were likely to report an instance of medical identity theft, compared to 38% of those working for a hospital. These results come from the 2010 HIMSS Security Survey, a report sponsored by Intel and supported by the Medical Group Management Association.

Read more on InformationWeek.

Well, that's one approach.

Worker Rights Extend To Facebook, Says NLRB

Posted by timothy on Wednesday November 10, @07:14AM

"American Medical Response of Connecticut had a policy that barred employees from depicting the company 'in any way' on Facebook or other social media. The National Labor Relations Board has ruled that this policy runs afoul of the National Labor Relations Act, which gives employees the right to form unions and prohibits employers from punishing workers for discussing working conditions."

A simple “solution” to the “Free WiFi” question?

Dear Starbucks: The skinny on how you can be a security hero

The recent hubbub around Firesheep has provided me with a golden opportunity to Venti my views on public WiFi hotspots and present my Grande Plan.

All of the attention (as intended) resulting from the release of Firesheep has been focused on the service providers and how they should be using SSL/TLS to protect users' sessions. That's great, even if I would have preferred a more delicate approach to proving the point.

But I think it's the right answer to the wrong question.

The right question is this: why is "public WiFi" always synonymous with "unencrypted WiFi?" Encryption has been a basic component of WiFi technology since the first versions of 802.11 were approved. I wouldn't suggest we go back to using WEP like we did in the early days, but even WEP is an improvement over nothing.

While Facebook and other companies should be providing us secure methods of connecting to their services, those companies kind enough to provide us with free internet access at cafes, airports and other public places are also part of the problem.

I propose standard adoption of WPA2 and a default password of "free". Whenever you wish to connect to complimentary WiFi, you select "Courtyard Marriott" or "Starbucks" like you always have, but you are then prompted for a password.

… What is the value of a password if it is a "well-known secret?" WPA2 negotiates unique encryption keys with every computer that connects to it. This means you and I cannot spy on one another's traffic even when sharing access on the same access point. This is not true for WEP, but nearly all 802.11g access points (the most common) support WPA2 and can provide safe, convenient, free internet access.
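The proposal above, written out as two hostapd access-point configurations (an added example, not from the original article): the open hotspot most cafés run today, followed by the same hotspot with WPA2 and a public passphrase. The interface name, SSID and channel are placeholders; note that WPA2-PSK requires a passphrase of 8 to 63 characters, so the literal "free" would be rejected and a constructed "freewifi" is used instead.

```ini
# --- hostapd.conf, variant 1: the typical open hotspot (no encryption) ---
interface=wlan0          # placeholder interface name
ssid=Starbucks           # placeholder SSID
hw_mode=g                # 802.11g, the common access points the article refers to
channel=6
wpa=0                    # open network: every client's frames are readable by every other client

# --- hostapd.conf, variant 2: the proposed WPA2 hotspot with a well-known passphrase ---
# Even with a public passphrase, each client derives its own pairwise key (PTK)
# in the WPA2 4-way handshake, so clients do not share a single traffic key as in WEP.
interface=wlan0
ssid=Starbucks
hw_mode=g
channel=6
wpa=2                    # WPA2 (RSN) only; do not offer WPA1/TKIP
wpa_key_mgmt=WPA-PSK     # pre-shared key, no RADIUS server needed
rsn_pairwise=CCMP        # AES-CCMP for the per-client pairwise key
wpa_passphrase=freewifi  # constructed 8-char placeholder; WPA2-PSK rejects passphrases shorter than 8
```

Put each variant in its own file; hostapd does not accept duplicate keys in one configuration.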

Tools & Techniques for my Ethical Hackers

Nevercookie Eats Evercookies

Posted by CmdrTaco on Wednesday November 10, @09:04AM

"Anonymizer, Inc. has developed Anonymizer Nevercookie, a free Firefox plugin that protects against the Evercookie, a JavaScript API built and made available by Samy Kamkar (same guy who brought you the Samy Worm and XSS Hacking to Determine Physical Location) who set out to prove that the more you store and the more places you store it, the harder it is for users to control a Web site's ability to uniquely identify their computer. The plugin extends Firefox's private browsing mode by preventing Evercookies from identifying and tracking users."

I hadn't thought of myself as a node, but clearly I am.

November 09, 2010

Pew: How libraries can serve Networked Individuals

"Pew Internet Director Lee Rainie spoke at the annual meeting of the Tampa Bay Library Consortium. His speech is entitled, How libraries can serve Networked Individuals. In it he discusses the latest research of the Project and previews the themes of his forthcoming book, “Networking: The New Social Operating System.” He also describes how the social world of “networked individuals” is different from previous generations and how libraries can plug into the information needs and habits of this new tribe of media users."

Probably, since it's as hard to find a clear definition of “Cloud Computing” as it is to summarize the contents of the Library of Congress in 25 words or less.

Are IT vendors missing the point of cloud?

There were two conferences in the San Francisco Bay Area last week with content targeted at cloud-computing consumers. These two conferences, Cloud Expo and QCon, helped me to articulate a trend I've been noticing for some time: the cloud market may be sending very different messages to IT operations audiences than it is to software developers.

… What was striking to me last week was how many vendors were pitching "here's how to replicate in the cloud what you do in your existing data center environment today".

… Don't get me wrong, there were exceptions. Some vendors have discovered that their technologies can bridge the gap from infrastructure operations to service or even application operations. So they were positioning their products as useful in strengthening a cloud service offering, or providing a valuable service to an application system. There were also some professional services companies that clearly understood how cloud changes software development and deployment.

(Related) If we can't agree on a definition, how do we agree which “services” need “levels?”

Amazon adds SLA to cloud-based content delivery service

The SLA specifies that if the availability of a user's content drops below 99.9% in any given month, it can apply for a credit equal to 10% of the monthly bill, according to a blog post. And if the availability drops below 99%, users can apply for a 25% discount, it said.

(Related) Another “bundling” attempt at Microsoft? Just a rumor, but logical. (Also a great way to look over the shoulders of end users)

Windows 8 To Include Cloud Backup?

Windows 8 will be released in 2012 but news is already swirling about the operating system backing up to Microsoft's cloud storage service.

For my fellow SciFi junkies... Suitable for framing?

This Is the Blueprint to the Millennium Falcon

… you can download the full-size image (jpg).
