Tuesday, January 04, 2011

Towards mandatory breach reporting?


ITRC 2010 Breach Report

January 3, 2011 by admin

The Identity Theft Resource Center has issued its end of year press release. It includes some of the organization’s key findings and stresses the need for more information and mandated disclosures. Breach reports by sector can be found on their site as well as their chronology of the breaches they recorded for 2010:

The Identity Theft Resource Center recorded 662 breaches on its 2010 ITRC Breach List. It is apparent, with few exceptions, that there is no transparency when it comes to reporting breaches. Other than breaches reported by the media and a few progressive state websites, there is little or no information available on many data breach events. It is clear that without a mandatory national reporting requirement, many data breaches will continue to be unreported, or under-reported.

Mandatory reporting has had a positive impact on the reported number of medical data breaches. First published this year, the Department of Health and Human Services (HHS) Breach List has identified 214 breaches to date. Unfortunately, the HHS database provides insufficient information for the public to know what types of records were placed at risk. The HHS breach report does not detail whether names, x-rays or Social Security Numbers (SSN) were included in the exposed data. The public has no way of knowing just how minor or serious the data exposure was for any given incident. Media has helped by reporting more details for some breach events.

In addition, state-mandated reporting of all breaches – by several state Attorneys General – increased public reporting, but only applies if an individual in that state might be affected. In 2010, New Hampshire listed 96 breaches and Maryland reported 160. Wisconsin and Vermont have small lists of reported breach events.

Approximately 200 breaches, 29% of the 662 total reported by the ITRC, were credited to information provided by these “mandatory reporting” states. This is a clear argument for mandatory reporting to achieve transparency for the public.

Highlights of the ITRC Breach List analysis include:

  • Paper breaches account for nearly 20% (1/5th) of known breaches and typically go unnoticed until a consumer reports the problem to local media. There is generally no mandatory reporting requirement for paper breaches.

  • Malicious attacks still account for more breaches than human error, with hacking at 17.1% and insider theft at 15.4%.

  • 38.5% (255) of listed breaches did not identify the manner in which the information was exposed. This indicates a clear lack of transparency and full reporting to the public.

  • 51% of publicly reported breaches indicated the number of records exposed, totaling 16.1 million records. Note: records can mean credit cards, bank accounts or other information. It is not representative of the number of people involved.

  • However, nearly half of all breaches (49%) did not list the number of potentially exposed records. This ingrained inaccuracy in reporting is another argument for mandatory reporting.

  • 412 breaches (62%) reported exposure of Social Security Numbers, representing 76% of known records.

  • 170 breaches (26%) involved credit or debit cards, representing about 29% of known records.

The nation needs a centralized, publicly available, data breach reporting site. It should be comprehensive enough to allow readers to find out what happened, what information was compromised, and why the breach happened. This would also allow law enforcement to better address this type of crime.

Breaches happen. Consumers, government and the business community need to stop acting like ostriches with their heads in the sand. Second, the concept of “risk of harm” is not acceptable for determining notification. This is true especially if the company involved is allowed to define “risk of harm.” Only a federal IT forensic specialist should have that authority. Breached information has been used months after the original exposure.

Are breached entities going to like the future? ITRC hopes they will embrace the change as productive and valuable. Mandatory reporting is on the horizon. It will be demanded either by consumer lobbying or legislation.

For the reports and statistics used for this release, go to www.idtheftcenter.org

About the ITRC

The Identity Theft Resource Center® (ITRC) is a nationally recognized non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft. Visit www.idtheftcenter.org.

Victims may contact the ITRC at 888-400-5530.

“You can fool all of the people some of the time...”


Espionage Via Spoofed White House eCard

When many people were caught up in the warm fuzzy feeling of peace on earth and goodwill toward man, it may have felt rewarding to receive a Christmas eCard from The White House. The bad news is that the spoofed whitehouse.gov seasons greetings contained malware aimed at espionage and sucked up several gigabytes of sensitive government documents. Some of the victims worked on cybersecurity as government employees and contractors.

… Regarding this Zeus banking Trojan variant, security blogger Mila Parkour wrote, it "appears to be designed for stealing documents as opposed to stealing passwords and banking information. This places this particular trojan in the category of malware designed for data theft and political/corporate espionage."

Any recipient who clicked on the links and opened the card.zip file was then infected with a Zeus Trojan variant that snatched documents and passwords and then uploaded the stolen data to a server in Belarus.

No need for concern. Everything is under control. These are not the droids you are looking for... I would imagine there are some Hotmail users who actually depend on this service. Perhaps now they will consider 'e-mail redundancy.'


Microsoft 'sorry' as Hotmail bug hits 17,000

Microsoft has apologized, but not explained why nearly 20,000 Hotmail accounts were mysteriously emptied of their contents during the Christmas holiday.

Corporate vice president for Windows Live Chris Jones blogged on Monday that 17,355 Windows Live Hotmail accounts had lost all their email messages during the course of what he called "mailbox load balancing between servers."

Inboxes and folders started emptying on December 30, with accounts appearing to be new and people receiving a "Welcome to Hotmail" email from Microsoft. Some affected accounts went back 10 years.

Users took to Hotmail forums pleading for Microsoft to restore their cherished accounts while others took to Facebook, launching a group to share their anguish and frustration with world+dog.

Jones responded on Monday to say that Microsoft had identified the problem by the evening of January 2 and that it had restored accounts – two days after messages went AWOL. He continued that Microsoft was sorry for the inconvenience to customers and partners.

… Further, Microsoft has been PR-ing people hard, trying to convince us that Hotmail is just one of a suite of services that the company can competently and reliably deliver in – where else? – the cloud.

In California you can probably be arrested for “failure to appreciate Avocados”


California Supreme Court: No right to data privacy if you’re arrested

January 3, 2011 by Dissent

A significant ruling by the California Supreme Court is reported in the Central Valley Business Times today. The news story begins:

If you’re arrested in California, even for a traffic stop, police can rifle through the old text messages, photos, video and voice mail on your cell phone without a warrant, the state Supreme Court says.

It contends that a U.S. Supreme Court decision can be interpreted that there’s no violation of the Fourth Amendment if police comb through text messages without a warrant, if they’ve lawfully arrested you.

Read more on CVBT.

Related: Opinion in The People v. Gregory Diaz.

Green as in 'not ripe' or green as in 'moldy?'


January 03, 2011

Green Paper: Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework

The commercial data privacy issues discussed in the Department’s green paper, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework, provide a clear lens through which to assess current policy. Throughout the history of the Internet as a commercial medium, the Department of Commerce has been a key avenue of government engagement. Today, the Department continues this role, primarily through the Internet Policy Task Force, established by Secretary Locke. This Task Force is examining policy approaches that reduce barriers to digital commerce while strengthening protections for commercial data privacy, cybersecurity, intellectual property, and the global free flow of information.

Something for my Ethical Hackers – the ethics of Computer Security...


MS Asks Google To Delay Fuzzer Tool

"Polish Google security white hat Michal Zalewski has announced concerns that one of a hundred vulnerabilities his fuzzer tool found in IE is well known to third party hackers in China. His simple explanation provides an interesting counter argument to Microsoft's usual request that security problems not be released until they can slowly investigate them. From the article, 'Microsoft asked Zalewski to delay cross_fuzz's release, but he declined, in part because of his fear the IE vulnerability was already being explored by Chinese hackers, but also because the company's security experts had not responded to information he provided.' You can read about and download cross_fuzz for your own use."

One of those “Heroes” who need a new strategy when the battle is won. What should we recommend?


Groklaw — Don't Go Home, Go Big

"You may have caught PJ's Christmas Day post on Groklaw, expressing her anger and frustration that, after she helped save Novell's Unix patents from SCO's clutches, Novell turned around and sold many of those patents to an open source-unfriendly coalition. She's feeling at a crossroads and wondering what Groklaw should become. Brian Proffitt has a suggestion: a bigger, more community-oriented site."

Another Ethical Quandary. Beware the “We can, therefore we must” arguments...


Using Technology To Enforce Good Behavior

"With the new year upon us and resolutions being made to change unwanted behavior, many tools are now available to help people stay in line, such as a GPS-enabled app that locks down texting once a car gets rolling and a program that cuts off credit-card spending. Another device monitors your workout and offers real-time voice feedback. Have we entered an era in which electronics serve as mother, cop and coach because we can't manage our own desires?" [What role should governments play? Bob]

(Related) Sounds like a useful tool, but does it also report/record where you parked and for how long?


French Use Space Tech To Find Parking Spots

"Using technology developed by French space agency CNES (Centre National d'Études Spatiales) to explore the planet Venus, drivers in the city of Toulouse are discovering something much more down-to-earth: vacant parking spots. The system is based on 3,000 sensors buried just under the pavement that detect changes in the electromagnetic environment around them and communicate the results via coaxial cable to a server, which makes the information available in real time to drivers' smartphones."

Democracy, what a concept!


January 03, 2011

Justice Scalia's Comments on equal protection clause of the 14th Amendment to the U.S. Constitution

California Lawyer, January 2011 - Legally Speaking, The Originalist - Question: 'In 1868, when the 39th Congress was debating and ultimately proposing the 14th Amendment, I don't think anybody would have thought that equal protection applied to sex discrimination, or certainly not to sexual orientation. So does that mean that we've gone off in error by applying the 14th Amendment to both?'

  • Answer: "Yes, yes. Sorry, to tell you that. ... But, you know, if indeed the current society has come to different views, that's fine. You do not need the Constitution to reflect the wishes of the current society. Certainly the Constitution does not require discrimination on the basis of sex. The only issue is whether it prohibits it. It doesn't. Nobody ever thought that that's what it meant. Nobody ever voted for that. If the current society wants to outlaw discrimination by sex, hey we have things called legislatures, and they enact things called laws. You don't need a constitution to keep things up-to-date. All you need is a legislature and a ballot box. You don't like the death penalty anymore, that's fine. You want a right to abortion? There's nothing in the Constitution about that. But that doesn't mean you cannot prohibit it. Persuade your fellow citizens it's a good idea and pass a law. That's what democracy is all about. It's not about nine superannuated judges who have been there too long, imposing these demands on society."

Clever idea for big (over $10 million) investors...


A "Private IPO" for Facebook?

Some have suggested that the deal could increase the pressure for Facebook to take the company public. The New York Times's Dealbook writes:

The new investment comes as the Securities and Exchange Commission has begun an inquiry into the increasingly hot private market for shares in Internet companies, including Facebook, Twitter, the gaming site Zynga and LinkedIn, an online professional networking site. Some experts suggest the inquiry is focused on whether certain companies are improperly using the private market to get around public disclosure requirements.

The deal could add pressure on Facebook to go public even as its executives have resisted. The popularity of shares of Microsoft and Google in the private market ultimately pressured them to pursue initial public offerings.

Indeed, there's already been some criticism of the way Goldman Sachs' investment is reportedly set up. According to Henry Blodget at Silicon Alley Insider:

One of the reasons Goldman just invested in Facebook was to create the ability for its clients to invest in Facebook--through a "special purpose vehicle". Specifically, Goldman has bought the right to buy $1.5 billion of Facebook stock for its clients via a single private investment entity. Goldman's clients who want to invest in Facebook will be given shares in the investment entity. And if the value of those shares rises, they'll cash in.

Voila! The private Facebook IPO. Just for Goldman clients.

For the Swiss Army folder...


7 Totally Awesome Tools For CD/DVD Tasks On Windows