Failure to encrypt portable devices inexcusable, say analysts
March 31, 2011 by admin
Following the report earlier this week that a laptop containing 13,000 BP claimants’ personal data was missing, Jaikumar Vijayan reports that data breaches involving unencrypted laptops and portable drives continues at inexcusably high rates:
The company is only the latest in a long list of organizations that have made similar announcements over the past several years. In fact, data compromises involving lost or stolen laptops, unencrypted storage disks, and other mobile devices account for a substantial portion of breaches these days…. a distressingly large number of companies have continued to ignore the advice — some because they are unwilling to spend the money and others because of the perceived complexity involved with encryption.
“There really is no excuse for not encrypting laptops,” said Avivah Litan, an analyst with Gartner.
Read more on Network World.
Clearly, as my occasionally snarky comments on this blog and phiprivacy.net suggest, I agree with the analysts quoted in the news story. For how many years will we continue to read that entities were “in the process of encrypting” at the time of a breach, or now that they’ve had a breach, the entity is “speeding up” its efforts to harden their security and to use encryption. Encryption meeting NIST standards offers safe harbor for HIPAA-covered entities and can save time and money in terms of the costs of a breach. Would entities really rather spend $10-$15 per person offering free credit monitoring after a breach, or should they invest much less in preventing the breach? And how much is brand harm or bad press worth? Isn’t it worth the cost of encrypting your laptops and thumb drives?
Entities that collect information need to protect it. Anything else is just playing fast and loose with our information and our privacy and should incur fines or penalties. The “grace period” should be over.
[From the article:
"Enterprises that are not putting in laptop encryption are just being lazy," she said.
The growing cost of data breaches in particular should be pushing companies to adopt portable encryption more aggressively, say analysts. The Ponemon Group released a report last month showing how companies that experience data breaches these days can end up paying close to $214 per compromised record on average .
"I think laptop encryption is one of the few slam-dunks in security for any company of reasonable size because the risks are fairly well known and the solutions are mature," said Pete Lindstrom, an analyst with Spire Security.
… That lack of adoption is a problem not just in the private sector, but also within the federal government.
In 2006, when an employee at the U.S. Department of Veterans Affairs lost a laptop and several storage disks containing personal data on over 26 million veterans, the Office of Management (OMB) issued a memorandum requiring all agencies to encrypt sensitive data (PDF document) on portable devices.
Close to five years later, several federal agencies are not even close to compliance, according to an OMB report to Congress released earlier this month.
What is “insider information” worth?
U.S. Spy Agency Is Said to Investigate Nasdaq Hacker Attack
The National Security Agency, the top U.S. electronic intelligence service, has joined a probe of the October cyber attack on Nasdaq OMX Group Inc. amid evidence the intrusion by hackers was more severe than first disclosed, according to people familiar with the investigation.
The involvement of the NSA, which uses some of the world’s most powerful computers for electronic surveillance and decryption, may help the initial investigators -- Nasdaq and the FBI -- determine more easily who attacked and what was taken. It may also show the attack endangered the security of the nation’s financial infrastructure.
“By bringing in the NSA, that means they think they’re either dealing with a state-sponsored attack or it’s an extraordinarily capable criminal organization,” said Joel Brenner, former head of U.S. counterintelligence in the Bush and Obama administrations, now at the Washington offices of the law firm Cooley LLP.
… Investigators have yet to determine which Nasdaq systems were breached and why, and it may take months for them to finish their work, two of the people familiar with the matter said.
Czech court bans telephone data retention
March 31, 2011 by Dissent
Associated Press reports:
The Czech Republic’s Constitutional Court has overturned parts of a law that force telephone operators to retain data on telephone calls and Internet traffic.
The court said Thursday the practice is unconstitutional. It says the provisions ordering data on all calls, faxes, text messages and e-mail exchanges to be retained for six months enabled a “massive” invasion into citizens’ rights and were not in line with the rule of law.
Read more on SeattlePI.
AdChoices? Compliance with Online Behavioral Advertising Notice and Choice Requirements
March 30, 2011 by Dissent
A new research report from CMU’s CyLab:
Online behavioral advertisers track users across websites, often without users’ knowledge. Over the last twelve years, the online behavioral advertising industry has responded to the resulting privacy concerns and pressure from the FTC by creating private self-regulatory bodies. These include the Network Advertising Initiative (NAI) and an umbrella organization known as the Digital Advertising Alliance (DAA). In this paper, we enumerate the notice and choice requirements the DAA and NAI place on their members and check for compliance with those requirements by examining members’ privacy policies and reviewing ads on the top 100 websites. We also test DAA and NAI opt-out mechanisms and categorize how their members define opting out. Our results show that most members are in compliance with some of the notice and choice requirements, but there are numerous instances of non-compliance. Most examples of non-compliance are related to the “enhanced notice” requirement, which requires advertisers to mark behavioral ads with a link to further information and a means of opting out.
Read the full report by Saranga Komanduri, Richard Shay, Greg Norcie, and Lorrie Faith Cranor on CyLab (pdf).
A lab experiment for my Computer Forensics students: recover all the data, determine who was alerted. Extra credit: Activate this app remotely.
U.S. Gov't to thank for panic button app to wipe phones
There's a new app being developed by the U.S. Government and it seems like everyone should want to add it to their phone for all kinds of different reasons. If a cell phone is confiscated by police or government agency, the panic button app will wipe the cell phone's address book, history, text messages and broadcast the arrest as an emergency alert to fellow activists.
If we don't like an article, do we have a responsibility to “correct” it?
Wikipedia Wants More Contributions From Academics
"University professors don't feel their role as intellectuals working for the public good extends to contributing to the world's largest encyclopedia, the Guardian reports. Wikimedia foundation is currently surveying academics as part of a search for ways to encourage them to pitch in alongside anonymous civilians and raise quality. The main problem seems to be the academic ego: papers, talks and grant proposals build reputation but Wikipedia edits do not."
For my geeky friends...
FCC Giving Away Wi-fi Routers For Broadband Tests
"The Federal Communications Commission (FCC) will be giving away 10,000 Wireless-N routers as part of their program to perform a number of broadband tests, for the benefit of a better connection in the future. They are striving to work on improving a number of issues including latency, packet loss, connection speeds and much more."
[From the article:
They have extended their research efforts to the public, but there are some minor requirements which need to be met. For example, your connection must be consistent (suffer very few disconnections), users must be considered average Internet browsers and not heavy downloaders, and that you currently use a standalone device to connect to the web.
Most users may be eligible for one of 10,000 Netgear WNR3500L wireless routers, for use during the trial, and they will get to keep it one the test period is over, obviously for the time and effort invested.
You can find out more about the offer at the FCC Test My ISP website.
[You will also need to know your Service Tier (advertised connection speeds) You can measure you actual speeds at: http://speedtest.cfl.rr.com/ Bob]
Because not all my students have subscriptions...
5 Ways To Get Around The New York Times Paywall
Did you know that the New York Times spent an incredible $40 million on their recent paywall solution? Did you also know that it can be circumvented with all but a few clicks? There are in fact a surprising number of methods that currently allow you to browse the NY Times for free, despite the small fortune involved in protecting this content. As newspapers take slow, unsure steps in a bid to generate revenue online, clearly there are still lessons to be learned.
If you’re interested in how the Internet has rendered $40 million worth of effort redundant, then read on.