Thursday, September 08, 2011


Distressing...
Breaches: Study Shows Over 806.2 Million Records Disclosed, Estimated Cost of $156.7 Billion
September 8, 2011 by admin
I’m still playing catch-up with everything I missed thanks to NatGrid’s profound incompetence in restoring power after a tropical storm knocked us offline. Here’s a press release I had missed:
The Digital Forensics Association announces the release of their second annual data breach report. “The Leaking Vault 2011- Six Years of Data Breaches” analyzes 3,765 data loss incidents, with a known disclosure of 806.2 million records.
Organizations seem to be in the news on a daily basis for disclosing data inappropriately. Hundreds of millions of people’s personal private information has been lost, stolen or otherwise shared with unauthorized parties. The problem of data breaches is one that potentially impacts the economic health of the victim organizations, upstream or downstream partners, and the data subjects who face direct financial consequences.
Key findings include:
The Leaking Vault 2011 presents data gathered from studying 3,765 publicly disclosed data breach incidents, and is the largest study of its kind to date. Information was gleaned from the organizations that track these events, as well as government sources. Data breaches from 33 countries were included, as well as those from the United States.
This study covers incidents from 2005 through 2010, and includes over 806.2 million known records disclosed. On average, these organizations lost over 388,000 people’s records per day/15,000 records per hour every single day for the past six years.
The estimated cost for these breaches comes to more than $156 billion to the organizations experiencing these incidents. This figure does not include the costs that the organizations downstream or upstream may incur, nor that of the data subject victims. Further, it is a low estimate of the cost, due to the fact that 35% of the incidents did not name a figure for records lost.
The Laptop vector remains the leader in incidents, but the Documents vector (printed material) is fast growing and demonstrates the need to manage both electronic data assets as well as printed documents. This vector has been trending upward for several years and is a potential contender for the incident leader if it continues.
The Hacking vector remains the records loss leader, responsible for 48% of the records disclosed in the study. The Drive/Media vector is in second place with the Web vector in third.
Outsiders continue to pose the largest risk in terms of both incidents and records disclosed. When the threat actor is an insider, the incident is significantly more likely to be accidental in nature. While accidental incidents are more prevalent, they also cause the most harm of the insider incidents in terms of records disclosed.
In 65% of the cases, the data disclosed included the data subject’s name, address and Social Security Number. In contrast, only 15% of the incidents disclosed Credit Card Numbers, and 16% disclosed medical information. Medical disclosures saw a significant increase with the addition of the 2010 data. This is more likely due to the reporting requirement of existing regulations going into effect than any actual increase of incidents. The incidents where criminal use of the data was confirmed increased by 58% from the prior report. The two vectors most likely to show criminal use were the Fraud-SE and Hack vectors.
A complete copy of “The Leaking Vault 2011- Six Years of Data Breaches” is available at: http://dfa.squarespace.com/storage/The_Leaking_Vault_2011-Six_Years_of_Data_Breaches.pdf
A quick perusal of the report indicates that its analyses are based on data collected by the Open Security Foundation DataLossDB.org project, the Privacy Rights Clearinghouse, and the Identity Theft Resource Center. This blog, my companion blog for healthcare sector breaches (phiprivacy.net) and I fuel all three of those sources – PRC and ITRC rely heavily on my blogs and I’m a moderator/curator for DLDB. If you’d like to conduct your own analyses of the more than 4,500 breaches in DLDB, contact OSF for licensing arrangements and use.
In the meantime, if you know of a breach I’ve missed – which becomes increasingly likely these days given all the hacks and leaks – please do let me know by email to breaches[at]databreaches.net or tweet it to @pogowasright. Thanks!


When all Health Care systems are linked, the number (and scope) of the breaches will likely skyrocket.
By Dissent, September 7, 2011
The U.S. Department of Health and Human Services Office of Civil Rights has submitted its mandated report to Congress on breach reports it has received. The report covers incidents reported between September 23, 2009 (the date the breach notification requirements became effective), and December 31, 2010. Here are some of the highlights of the report:
Major causes of breaches, as reported to and by HHS:
The breach reports submitted to the Secretary in 2009 described four general causes of incidents: (1) theft; (2) intentional unauthorized access to, use, or disclosure of protected health information; (3) human error; and (4) loss of electronic media or paper records containing protected health information.
[...]
The breach reports submitted to the Secretary in 2010 described five general causes of incidents, four of which were also reported in 2009: (1) theft; (2) loss of electronic media or paper records containing protected health information; (3) unauthorized access to, use, or disclosure of protected health information; (4) human error; and (5) improper disposal. In comparison to 2009, in 2010, the number of individuals affected by the loss of electronic media or paper records was greater than those affected by unauthorized access or human error. Moreover, the reports received in 2010 contained incidents involving an additional category, improper disposal of paper records by the covered entity or business associate… Theft was once again the most common reported cause of large breaches. Among the 207 breaches that affected 500 or more individuals, 99 incidents involved theft of paper records or electronic media, together affecting approximately 2,979,121 individuals.
A more refined analysis is contained in the report.
With respect to the smaller breaches (i.e., those affecting less than 500 individuals):
HHS received approximately 5,521 reports of smaller breaches that occurred between September 23, 2009, and December 31, 2009. These smaller breaches affected approximately 12,000 individuals. HHS received more than 25,000 reports of smaller breaches that occurred between January 1, 2010, and December 31, 2010. These smaller breaches affected more than 50,000 individuals.
The majority of small breach reports in 2009 and 2010 involved misdirected communications and affected just one individual each. Often, a clinical or claims record of one individual was mistakenly mailed or faxed to another individual. In other instances, test results were sent to the wrong patient, files were attached to the wrong patient record, emails were sent to the wrong addresses, and member ID cards were mailed to the wrong individuals.


Useful resources?
Future of Privacy Forum Releases “Privacy Papers for Policy Makers”
September 8, 2011 by Dissent
From FPF:
Future of Privacy Forum is pleased to share the second annual “Privacy Papers for Policy Makers,” showcasing leading analytical thinking about current and emerging privacy issues.
Leading Papers:
  1. Against Notice Skepticism (Forthcoming, 87 Notre Dame Law Review – 2012) *Draft
    Ryan Calo
  2. The Case for Online Obscurity
    Woodrow Hartzog and Frederic Stutzman
  3. Dispelling the Myths Surrounding De-identification: Anonymization Remains a Strong Tool for Protecting Privacy (Seen in the Canadian Law Review, vol. 8, no. 9, August 2011)
    Dr. Ann Cavoukian and Khaled El Emam
  4. The Failure of Online Social Network Privacy Settings
    Michelle Madejski, Maritza Johnson and Steven Bellovin
Notable Mentions:
  1. Flash Cookies and Privacy II: Now with HTML5 and ETag Respawning
    Chris Hoofnagle, Mika Ayenson, Deitrich James Wambach, Ashkan Soltani and Nathan Good
  2. Regulating Privacy by Design
    Ira S. Rubinstein
Download the 2011 Privacy Papers for Policy Makers to read executive summaries and view full papers below.
View the 2010 papers here.


Since it is easier to beg forgiveness than to request permission, I'd bet they are already doing this and now want to acknowledge a small portion of the scope of their monitoring – perhaps to legitimize evidence shared with law enforcement?
The Spy Who Tweeted Me: Intelligence Community Wants to Monitor Social Media
A research arm of the intelligence community wants to sweep up public data on everything from Twitter to public webcams in the hopes of predicting the future.
The project is the brainchild of the Intelligence Advanced Research Projects Activity, or Iarpa, a relatively new part of the spy community that’s supposed to help investigate breakthrough technologies. While other projects exist for predicting political events, the Open Source Indicators program would be perhaps the first that mines data from social media websites.
… The science underlying the project is the notion that early indicators of major social upheavals might be hidden in plain, socially-networked sight. “Some of these changes may be indirectly observable from publicly available data, such as web search queries, blogs, micro-blogs, internet traffic, financial markets, traffic webcams, Wikipedia edits, and many others,” the announcement, published August 25, says. “Published research has found that some of these data sources are individually useful in the early detection of events such as disease outbreaks, political crises, and macroeconomic trends.”
… For those who fear the all-seeing surveillance state, Iarpa says there are some things the program won’t do. It won’t be used to predict events in the United States, for instance. Nor will it be used to track specific individuals. [“We've already got plenty of tools for that.” Bob]

(Related) Amusing, but it also makes clear that “public” areas of Social Networks can easily be monitored.
Robbery suspect's Facebook name: 'Willie Sutton Jr'
… The way the Smoking Gun has fired it up, Hippolite, a 23-year-old New Yorker, came under the suspicion of the police after bank employees gave them the partial license plate of a getaway car after a bank heist.
Being servants of the social interest, the police began monitoring Hippolite's Facebook page. Hippolite had, presumably, found Facebook's privacy settings of little interest. Those things are still tough to find anyway.
In their regular readings of Hippolite's Facebook musings, police reportedly found such thought bubbles as "I Gotta Get That $$$$$ Man!!!!" and the perhaps unfortunate "Crime pays my bills!"
It was on July 29, however, that Hippolite decided his Facebook profile needed a little undercover identity. So he reportedly changed his Facebook name to "Willie Sutton Jr."
Some might admire his enthusiasm for his apparent hero, a man who enjoyed a 40-year career of bank robbery but did, sadly, spend half of his life in jail.
… But he has been arrested for robberies at three Brooklyn branches of Chase and is a suspect in another 16 bank heists that all had a similar modus operandi--in this case, allegedly handing a note to the cashier that read: "GIVE ME ALL THE MONEY OR ELSE EVERYBODY DIES!!! $100s $50s $20s ONLY."
It may not have helped Hippolite's ultimate cause that his profile picture shows him holding what seems like a plethora of $100 bills.

(Related) Doesn't seem to help much with Guidelines...
Labor Board: Fired-For-Facebooking Employees Must Be Rehired
It’s no secret that an employer can, and probably should, do a little check-up on your internet presence before hiring you, and possibly afterwards. But as several unhappy people have found out, sometimes they look pretty hard, and have access to information you thought private. It can result in foot-in-mouth moments and occasionally punitive action. That was certainly the case when five workers were fired for their conduct on Facebook.
The post in question was a complaint about someone else’s complaint, and other employees joined in, including the person being complained about. A few days later, they were sacked; their employer said that the posts constituted harassment.
The workers felt their rights had been violated, and took it to the National Labor Relations Board. And incredibly, an NLRB judge has just ruled that all five must be hired back. I say “incredibly” because judicial comprehension of tech issues is a serious problem. Judge Arthur J. Amchan seems to have a head on his shoulders, though. He stated that the employees had not forfeited the protection of the law in their speech, which was well within the bounds of normal discussion of workplace conditions for which one can’t easily be fired.
The size of the precedent being set isn’t clear. It’s certainly a victory, but to blow it out of proportion would be a mistake. This was a one-time offense with some coffee-break jabbering — a fairly easy thing for the judge to see. But questions abound. What if it was systemic? What if it was in private messages? What if it had been going on for weeks? Months? What if the person being harassed has left the company?
It’s entirely possible that a company could institute a contract policy in which employees essentially do forfeit their right to private communication. And the line past which behavior becomes not just undesirable but a fireable offense isn’t clear at all. Like many other areas where communication is moving to new platforms, the boundaries have to be tested, and this ruling extends the safe zone by a little bit.


“Throw the book at them, Danno” Is there an International Organized Crime treaty?
"The Obama administration wants hackers to be prosecuted under the same laws used to target organized crime syndicates, according to two officials appearing in front of the Senate Judiciary Committee on Wednesday morning. From the article: 'Associate Deputy Attorney General James Baker and Secret Service Deputy Special Agent in Charge Pablo Martinez said the maximum sentences for cyber crimes have failed to keep pace with the severity of the threats. Martinez said hackers are often members of sophisticated criminal networks. "Secret Service investigations have shown that complex and sophisticated electronic crimes are rarely perpetrated by a lone individual," Martinez said.'"


Boys and their toys.
Lawyers and security experts share concerns over app security – ABA Journal
An article in the ABA Journal highlights the concerns that law professionals find with popular apps.
Chicago, September 7, 2011 – A recent article posted on the ABA Journal news site, “App-solutely Perilous? Security of Mobile Apps Spurs Concern” by Richard Acello, points to findings by viaForensics as a cause for concern over the security of many mobile apps. The article states “lawyers may be especially vulnerable because of the varying levels of technical savvy in the profession, and because the apps in question provide services attractive to them.”
viaForensics provides a free appWatchdog service aimed at providing the public with information about potential insecurity of popular mobile applications. The hope is that developers will be motivated to take all appropriate measures to secure their apps.
In addition to checking out appWatchdog findings, viaForensics recommends other tips that mobile users can do to protect their data on a mobile device.
Read the full ABA Journal article here.

(Related) Does this suggest why Lawyers like the BlackBerry?
South Africa joins the call for BlackBerry messaging keys
September 7, 2011 by Dissent
Bill Ray reports:
South Africa has joined the call for access to the BlackBerry Messaging service, quoting the usual security concerns and pointing out that the UK plans much the same thing.
BBM, the BlackBerry messaging service, has become the medium of choice for the discerning ne’er-do-well, which is strange considering it is a good deal less secure than the email offered by the same handset. But the instant nature of messaging appeals to everyone, prompting the new action from the South Africans:
“There is evidence that criminals are now using BBM to plan and execute crime,” the deputy comms minister told his audience at a London conference on African telecommunications: “We want to review BBM like in the UK and Saudi Arabia.”
Read more on The Register.


A list of free and useful stuff.
"InfoWorld's Peter Wayner provides an in-depth look at the state of open source software and an overview of the best open source software of the year. 'It's easy to find hundreds of other positive signs of open source domination. If the mere existence of a tar file filled with code from the nether regions of a beeping device that's buried deep inside someone's pocket is all you need to feel warm and fuzzy about "open source," you might conclude that open source development is the most dominant form in the increasingly dominant platform of the future,' Wayner writes. 'But anyone who digs a bit deeper will find it's not so simple. Although the open source label is more and more ubiquitous, society is still a long way from Richard Stallman's vision of a world where anyone could reprogram anything at any time. Patents, copyrights, and corporate intrigue are bigger issues than ever for the community, and more and more people are finding that the words "open source" are no guarantee of the freedom to tinker and improve. Some cynics even suggest that the bright, open future is receding as Linux and other open source tools grow more dominant.' Included in the writeup are the best open source applications, best open source desktop and mobile offerings, best open source development tools, and best open source software for datacenters and the cloud."


This could be handy... I did a search on “Privacy” and the first entry in “Find privacy nearby” was the Sturm College of Law at DU.
WDYL: Search All Google Products On A Single Webpage
Google users often find themselves clicking on the “Images”, “Video”, and similar links at the top of the search results page when they use Google. This is done to get search results from different Google products. Fortunately you will no longer have to spend an extra click to get those additional results, all thanks to WDYL “What Do You Love”.
What Do You Love is a new page launched by Google that presents the search results of a query from all Google products. The search results are displayed in individual boxes placed next to one another. Each box has an arrow to browse over to the next result. A box on the far left lets you easily navigate the page.


Another handy tool
Google Takeout: Download All Your Google Data
Facebook is not the only online place you store valuable data; you also have important information stored in your Google account. Buzz, Contacts, and Picasa jointly hold a lot of your important information. Realizing that users might want a backup of their online information, Google has now launched a new web service entitled Takeout.
Takeout is a new web service by Google that lets its users download all their data stored in Google accounts. In addition to your Google Profile information, data is downloaded from Picasa, Contacts and Circles, and Google Buzz. The data is compressed into a ZIP archive and made available for download.
Google will gradually be adding more products to Takeout so you can create a backup of all your Google services.


I love technology projects my students can enthusiastically participate in... Now if we can only get past Step One: Empty the can
Boost Your WiFi Signal Using Only a Beer Can