Friday, December 03, 2010

For my Computer Security students. Long suspected, but this is the first true measurement of the cost.

Lost Laptops Cost Billions

December 2, 2010 by admin

Thomas Claburn reports:

Businesses are losing billions of dollars annually as a result of lost and stolen laptop computers, a new study shows.

Representatives from Intel, which sponsored “The Billion Dollar Laptop Study,” and the Ponemon Institute, which conducted the study, announced their findings at a media event in San Francisco on Thursday.

The 329 organizations surveyed lost more than 86,000 laptops over the course of a year, the study found.

Read more on InformationWeek.

[From the Study:

It is important to point out that the smallest cost component is the replacement cost of the laptop. There are seven cost components used to arrive at the average value. These are: replacement costs, detection, forensics, data breach, lost intellectual property costs, lost productivity and legal, consulting and regulatory expenses.

2.3 percent of all laptops assigned to employees, temporary employees or contractors become missing each year. The average loss ratio over the laptop’s useful life is 7.12 percent. Hence, more than seven percent of all assigned laptops in benchmarked companies will be lost or stolen sometime during their useful life.

As we've seen repeatedly, the 'record count' tends to grow as victim organizations look more carefully at the breach.

(Update) ALDI breach affected 17,000 New York residents

December 2, 2010 by admin

Back in October, I noted that the ALDI breach had affected 8,000 Maryland residents. New York State’s breach logs for October, posted online, indicate that ALDI had reported on October 1 that 17,000 NYS residents were affected.

Given that the breach affected customers in 11 states and there are 25,000 affected in just two of those states, it seems that the total number affected for this breach may be much higher than what ALDI’s statement of October 1 suggested (emphasis added by me):

ALDI Inc. recently learned that, from approximately June 1, 2010 to August 31, 2010, tampered payment card terminals were illegally placed in some ALDI stores, enabling unauthorized individuals to fraudulently obtain payment card information from a limited number of our customers.

What do they consider a “limited number of customers?”

ALDI’s notice on their web site has not been updated since the last update on October 1.

Backup, backup, backup! And then make certain that the backups are not accessible via the Internet!

Ransomware Making a Comeback

"Ransomware is back. After a hiatus of more than two years, a variant of the GpCode program has again been released, kidnapping victims' data and demanding $120 for its return, InfoWorld reports. 'Like the ransomware programs before it, GpCode encrypts a victim's files and then demands payment for the decryption key. The new version of GpCode — labeled GpCode.AX by security firm Kaspersky — comes with a bit more nastiness than previous attempts. The program overwrites files with the encrypted data, causing total loss of the original data, and uses stronger crypto algorithms — RSA-1024 and AES-256 — to scramble the information.'"

Avast! Will this doom “Speak like a Pirate Day?” What else will it suppress? I think the lawyers will start finding this interesting.

Google To Block Piracy-Related Terms From Autocomplete

"Google is making changes in the way it presents web search results to try to exclude links that may be tied to pirated content. In a move enthusiastically praised by the RIAA, Google says it will prevent terms closely associated with piracy from appearing via autocomplete. The company acknowledged that it can be hard to know what terms are being used to find infringing content, but 'we'll do our best to prevent Autocomplete from displaying the terms most frequently used for that purpose.'" [How would you do this? If “pirated copy” is banned, would “not a pirated copy” survive? Bob]
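As an added illustration of the question in the brackets (this is not from the Slashdot summary or from Google, whose real filter is not public): two ways a blocklist can be applied to autocomplete suggestions, run over a constructed banned-phrase list and constructed suggestions. Exact matching lets "not a pirated copy" through; phrase containment catches it but also suppresses legitimate queries that merely contain the phrase.

```python
import re

# Constructed blocklist; Google's actual list is not published.
BANNED = {"pirated copy", "torrent download"}

# Constructed autocomplete candidates for the prefix "pirat".
SUGGESTIONS = [
    "pirated copy",
    "not a pirated copy",
    "Pirated-Copy of windows",
    "pirate ship museum",
    "how to report a pirated copy",
]


def normalize(text):
    """Lower-case, turn punctuation into spaces, and split into tokens,
    so that 'Pirated-Copy' and 'pirated copy' compare equal."""
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split()


def contains_phrase(tokens, phrase):
    """True if the banned phrase occurs as a contiguous token run."""
    p = normalize(phrase)
    return any(tokens[i:i + len(p)] == p for i in range(len(tokens) - len(p) + 1))


def filter_exact(suggestions, banned=BANNED):
    """Naive policy: drop a suggestion only if it IS a banned phrase."""
    banned_norm = {" ".join(normalize(b)) for b in banned}
    return [s for s in suggestions if " ".join(normalize(s)) not in banned_norm]


def filter_phrase(suggestions, banned=BANNED):
    """Stricter policy: drop any suggestion that CONTAINS a banned phrase.
    Higher recall, but 'how to report a pirated copy' is collateral damage."""
    return [s for s in suggestions
            if not any(contains_phrase(normalize(s), b) for b in banned)]


if __name__ == "__main__":
    print("exact :", filter_exact(SUGGESTIONS))
    print("phrase:", filter_phrase(SUGGESTIONS))
```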

Google Algorithm Discriminates Against Bad Reviews

"According to the official Google blog, Google has altered their PageRank algorithm to not give back linking points to bad reviews of websites belonging to online retailers, following the publication of a recent article in the New York Times describing one woman's experiences in being harassed by an online retailer she found via Google. The specific changes to the algorithm are of course a guarded secret. So considering that these changes are already live, how do we know how the algorithm determines a bad review from a good one, and whether or not innocent online retailers will be wrongly punished by having their rankings downgraded?"

[From the Google Blog:

But if we demoted web pages that have negative comments against them, you might not be able to find information about many elected officials, not to mention a lot of important but controversial concepts. So far we have not found an effective way to significantly improve search using sentiment analysis.

… Instead, in the last few days we developed an algorithmic solution which detects the merchant from the Times article along with hundreds of other merchants that, in our opinion, provide an extremely poor user experience.

A guide for law enforcement. How to identify card types by account number and how to find the issuing bank.

DOJ’s “hotwatch” real-time surveillance of credit card transactions

December 2, 2010 by Dissent

Chris Soghoian writes:

A 10 page Powerpoint presentation (pdf) that I recently obtained through a Freedom of Information Act Request to the Department of Justice, reveals that law enforcement agencies routinely seek and obtain real-time surveillance of credit card transactions. The government’s guidelines reveal that this surveillance often occurs with a simple subpoena, thus sidestepping any Fourth Amendment protections.

While Congress has required that the courts compile and publish detailed statistical reports on the degree to which law enforcement agencies engage in wiretapping, we currently have no idea how often law enforcement agencies engage in real-time surveillance of financial transactions.

Read more on slight paranoia.

Maybe DOJ shouldn’t spend as much time worrying about Julian Assange and should spend more time worrying about Chris Soghoian, who does an outstanding job of exposing some of what our government would clearly prefer we not know.
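An added example of the first thing the DOJ guide mentioned above covers, identifying the card type from the account number (this is my own code, not the presentation's material): the brand is read from the public IIN prefix and a mistyped or random digit string is rejected by the Luhn check digit, which is also how a DLP scanner decides whether a string in a log is a card number at all. Finding the issuing bank needs a BIN database and is not reproduced; the numbers below are constructed test values, not real accounts.

```python
import re

# Public IIN prefixes and PAN lengths as of 2010 (brand, prefix regex, lengths).
IIN_RANGES = [
    ("American Express", r"3[47]",    (15,)),
    ("Visa",             r"4",        (13, 16)),
    ("MasterCard",       r"5[1-5]",   (16,)),
    ("Discover",         r"6011|65",  (16,)),
]

# Constructed log lines with well-known public test numbers, not real cards.
SAMPLE_LOG = (
    "order=1842 card=4111 1111 1111 1111 status=ok\n"
    "order=1843 card=378282246310005 status=ok\n"
    "order=1844 card=5555-5555-5555-4444 status=declined\n"
    "order=1845 card=4111111111111112 status=error\n"   # bad check digit
    "ticket=20101203000000 phone=3035550123\n"          # looks numeric, not a PAN
)


def luhn_valid(digits):
    """Luhn mod-10: double every second digit from the right, subtract 9 if > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(candidate):
    """Return (brand, luhn_ok), or None if the string cannot be a PAN."""
    digits = re.sub(r"[ -]", "", candidate)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return None
    for brand, prefix, lengths in IIN_RANGES:
        if len(digits) in lengths and re.match(rf"(?:{prefix})", digits):
            return brand, luhn_valid(digits)
    return "unknown issuer", luhn_valid(digits)


def scan_text(text):
    """Find PAN-like tokens (13-19 digits, optional single spaces/dashes)."""
    return [(tok, *classify(tok))
            for tok in re.findall(r"\b\d(?:[ -]?\d){12,18}\b", text)]


if __name__ == "__main__":
    for tok, brand, ok in scan_text(SAMPLE_LOG):
        print(f"{tok:22} {brand:17} luhn={'ok' if ok else 'FAIL'}")
```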

The US will need to do some similar thinking.

Ie: Protecting People’s Private Health Information: HIQA Guidelines Published

By Dissent, December 2, 2010

This press release from Ireland’s Health Information and Quality Authority is of note:

A new guide on how to protect people’s privacy within healthcare services has been published by the Health Information and Quality Authority.

Professor Jane Grimson, Director of Health Information at HIQA said: “With so much information being collected, used and shared in the provision of health and social care, it is important that appropriate steps are taken to protect the privacy of each person to ensure that personal information is handled legally, securely and efficiently.”

… It has been estimated internationally that up to 30% of a country’s total health budget is spent on health information – collecting, storing, managing and searching for it. It is therefore essential that it is managed as efficiently and effectively as possible in order to ensure value for money.

… “The public has the right to expect that their private information will be safeguarded and protected when it is given to those who deliver health services,” Professor Grimson said.

… “We have developed the Guidance on Privacy Impact Assessment in Health and Social Care as a resource to show service providers how to ensure that they protect the privacy rights of the people using their services and to assist them in strengthening their own governance arrangements around health information,” said Professor Grimson.

Hat-tip, Irish Medical Times

This has implications for Cloud Computing too. Where is your data? Will Oklahoma be able to enforce its laws in India or China or Russia?

Social Media Accounts Part of Deceased Oklahomans' Estates

"Estate executors or administrators in Oklahoma have the power to access, administer or terminate the online social media accounts of the deceased, according to a new state law. '"The number of people who use Facebook today is almost equal to the population of the United States. When a person dies, someone needs to have legal access to their accounts to wrap up any unfinished business, close out the account if necessary or carry out specific instructions the deceased left in their will," Kiesel said.'"

[From the article:

The bill, which became a state law on Nov. 1, assumes a Facebook page or other social network account is the property of the person who creates and uses it. However, most websites claim the information as their own in service agreements when users sign up.

You could see this coming... But was this a case of “we forgot to tell the Defense” or was it “we need to make up some evidence?” Sounds like the latter...

Xbox Modding Trial Dismissed

It seems the harsh words from District Court Judge Philip Gutierrez on Wednesday had their intended effect; prosecutors in Matthew Crippen's Xbox modding case have now dismissed the indictment. Quoting Wired:

"Witness No. 1, Tony Rosario, was an undercover agent with the Entertainment Software Association. He told jurors Wednesday that he paid Crippen $60 in 2008 to modify an Xbox, and secretly videotaped the operation. Rosario had responded to Crippen’s advertisement on the internet and met Crippen at his Anaheim house. All of that had been laid out in pretrial motions. But during his testimony, Rosario also said Crippen inserted a pirated video game into the console to verify that the hack worked. That was a new detail that helped the government meet an obligation imposed by the judge that very morning, when Gutierrez ruled that the government had to prove Crippen knew he was breaking the law by modding Xboxes. But nowhere in Rosario’s reports or sworn declarations was it mentioned that Crippen put a pirated game into the console. ... [Prosecutor Allen Chiu] conceded he never forwarded that information to the defense."

Both Google and Microsoft (the other bidder) promised that GSA's data would be hosted in the USA only.

December 02, 2010

GSA First Fed to Choose Google Hosted E-Mail Service

Follow up to Google Files Bid Protest Against Dept. of Interior Over Hosted Email and Collaboration Services news that "the U.S. General Services Administration will become the first federal agency to use a hosted e-mail service, choosing Google, Unisys and others to offer the service."

[From the GSA Press Release:

GSA announced today an award for cloud-based email and collaboration tools that will reduce inefficiencies and lower costs by 50 percent over the next five years.

Think of it as pre-packaged PowerPoint slides...

December 02, 2010

Federal Reserve announces new interactive graphics feature of Data Download Program

"The Federal Reserve Board on Thursday announced a new feature of its Data Download Program that allows users to create custom charts. Users will now be able to create and view interactive graphics of data packages from the program before downloading the underlying data and charts. The charting feature allows users to view multiple data series on a single chart as well as to display individual data points. The charts can be saved as PDFs or in a standard image file format (PNG) for publication and redistribution. The Data Download Program allows users to create customized data sets or download preformatted packages in multiple formats, including XML. Additional information about how to use the program is available at:"

For my Ethical Hackers: This is actually a bit scary. I was looking for something to confirm that my students were actually reading my emails and this allows me to do much more.

Track Who Reads Your Emails

Point Of Mail is a new online application that you can use in order to know exactly who is reading the emails you are sending out. Using this browser-based tool you will be able to track not only who has opened any email that you have sent, but also what has happened to the attachments that were sent along with the message.

Moreover, Point Of Mail will let you modify emails after they have been sent. That is a great option and no mistaking. If you have to send a report to your boss and you realize you have forgotten to attach it the minute you send the email out, then there is no need to panic. This application will let you undo the wrong, and avoid looking completely unprofessional.

Point Of Mail works with all email addresses, and it also supports virtually any email client that you could think of. And while you are not required to download anything in order to begin using it, a set of optional add-ins is featured. Again - all the main email clients and browsers on the market today are fully supported.

[From the website:

  • Trace Email Reading Chain - Full History of Email Reads and Forwards

  • Detailed Information About Recipient

  • Totally Invisible To Recipient, Unless You Decide Otherwise

  • Change Email's Content

  • Add or Remove Attachments

  • Add or Remove Links

  • Recall or Erase Sent Email

  • Real-Time Self-Destructing Email

  • Disallow Email Forwarding

  • Disable Print or Save of Your Email
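An added example, not code from Point Of Mail, whose mechanism the page does not describe: read tracking that is "invisible to the recipient" is commonly done with a remote image beacon carrying a per-recipient token, fetched when the mail is rendered, so the defender's check is to flag such images before the client loads them (or to keep remote image loading off). The HTML message below is constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message: an inline logo, a beacon, and an ordinary remote photo.
SAMPLE_MAIL = """<html><body><p>Hi, please review the attached report.</p>
<img src="cid:logo@corp.example" width="120" height="40">
<img src="https://tracker.example/open.gif?id=7f3a" width="1" height="1">
<img src="https://cdn.example/photo.jpg" width="300" height="200">
<img src="https://tracker.example/p.png" style="display: none">
</body></html>"""


class BeaconFinder(HTMLParser):
    """Collects <img> tags that look like read-receipt beacons."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            return  # cid:/data: images are delivered with the mail, no phone-home
        reasons = []
        if a.get("width", "").strip() in ("0", "1") or a.get("height", "").strip() in ("0", "1"):
            reasons.append("1x1 or zero size")
        if "display:none" in a.get("style", "").replace(" ", "").lower():
            reasons.append("hidden by style")
        if url.query:
            reasons.append("per-recipient token in URL")
        if reasons:
            self.findings.append((src, reasons))


def find_beacons(html):
    """Return [(src, [reasons]), ...] for every suspicious remote image."""
    p = BeaconFinder()
    p.feed(html)
    return p.findings


if __name__ == "__main__":
    for src, why in find_beacons(SAMPLE_MAIL):
        print(src, "->", ", ".join(why))
```

A plain remote image with normal dimensions and no query string is not flagged, which is the usual trade-off: a beacon can hide as a full-size hosted picture, so the only complete defence is a client that does not fetch remote content at all.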

A handy USB backup tool (Also a great way to steal data?)

USBFlashCopy: Automatically Copy A Flash Drive To Your Hard Drive

Many flash drive owners take their flash drives to work and save data on it. They then bring it back home, plug it into their computer, and copy all the contents to their computer’s hard drive. To copy, they have to go through a few steps after plugging in the drive. But USB Flash Copy ensures that the contents get automatically copied once you plug in the flash drive.

Something every computer user should know

How Much Is A Petabyte? [Graphic]
