Category Archives: Information risk

Class Action Coming for Identity Theft?

It wouldn’t be a moment too soon:
I painfully predicted a few years back that phishing and related identity theft would result in class action suits. I lost my bet as it didn’t happen fast enough, but a significant step has been taken (reported by Lynn) with the publication of a book that apparently blames the banks and the software manufacturers for identity theft.

Signs of Liability: ‘Zero Day Threat’ blames IT and Security industry, Ian Grigg, Financial Cryptography, April 14, 2008

The book review iang quotes gets it about online crime not being amateur anymore: it’s organized. And it gets it about perhaps a more important point:

Auditing Georgia Government Security

Georgia’s governor wants to standardize information security reporting across the entire state government:
The Executive Order calls for a single set of information security reporting standards for all agencies to follow. Currently, state agencies use a variety of reporting standards, making it difficult to measure information security across state government or to track progress from year to year.

Governor Perdue has directed the Georgia Technology Authority (GTA) to work with the Georgia Department of Audits and Accounts and the Governor’s Office of Planning and Budget to develop a reporting format and required content for agency information security reports. Each agency will be responsible for reporting to GTA at the end of the fiscal year. GTA will compile agency reports into a single Enterprise Information Security Report, available by October 31 of each year.

Gov. Perdue Signs Executive Order Strengthening Georgia’s Information Technology Security, News Report, Government Technology, Mar 20, 2008

I think this is a good move. Now how about monthly reporting on a publicly visible web page?

-jsq

New School: New Book by Adam Shostack

Adam Shostack, whose group blog Emergent Chaos I quote frequently in this blog, has a new book coming out with co-author Andrew Stewart: New School of Information Security.
We think there’s an emerging way of approaching the world, which we call the New School.

We start with a look at some persistent issues like spam and identity theft. From there, we look at why the information security industry hasn’t just fixed them, and some of the data sources which we rely on and how poor they are. We then look at some new sources of data, and new ways of interpreting them, and close with some very practical steps that any individual or organization can take to make things better.

The New School of Information Security, Adam Shostack, Emergent Chaos, 10 March 2008

I haven’t read the book yet, since it’s not published yet, but if it’s like the material he posts in his blog, it’s a good thing.

One of his commenters doesn’t get it:

Availability Is Not Security If an Abandoned Sea Anchor Cut the Cable?

I see in some fora people are still arguing that security involves countering malicious actors, and availability alone is not security, even if people are depending on availability.

Were all those recent cable cuts in the Med. and the Persian Gulf not security issues, even though some of the affected companies are now planning to spend $300-400m on physical security to fix the problem?

If the culprit had been a Russian mobster or Al Qaeda or the CIA rather than (in one case) an abandoned ship anchor, then it would have been security, but now it’s not?

-jsq

Publicity about Internal Fraud: Still an Issue after 30 Years

Adam quotes a 30 year old book about computer security and notes that the IRS then and now doesn’t adequately protect taxpayers’ information and promises to do better. His quote that I like best, though, is:
Top management people in large corporations fear that publicity about internal fraud could well affect their companies’ trading positions on the stock market, hold the corporation up to public ridicule, and cause all sorts of turmoil… (Computer Capers, page 72)

Computer Capers: Tales of electronic thievery, embezzlement, and fraud, by Thomas Whiteside, Ty Crowell Co., 1978

That’s why corporations fear a breach reporting reputation system. That’s also why we need one.

-jsq

Canadian Breach Reporting

Michael Geist’s top tech law issue for Canada for 2008 is:

Security Breach Reporting Rules Are Introduced. Scarcely a week went by last year without a report of a security breach that placed the personal data of thousands of Canadians at risk. Last spring, a House of Commons committee acknowledged that the country needs mandatory security breach disclosure legislation that would require organizations to advise Canadians when they have been victimized by a breach. A public consultation on the issue concludes next week and new regulations will be introduced before the summer.

Eight Tech Law Issues To Watch in 2008, Michael Geist, Tuesday January 08, 2008

That would be a good thing.

-jsq

Traffic Control Viewed as ISP Risk

Certain ISPs plan to spend a lot of money throttling, stifling, policing copyrights, campaigning and lobbying to control content of information flow through their networks. They might want to look at what’s happening in China:
Beijing has recently added a new weapon to its arsenal of surveillance technologies, a system it believes to be a modern marvel: the Golden Shield. It took eight years and $700 million to build, and its mission is to “purify” the Internet — an apparently urgent task. “Whether we can cope with the Internet is a matter that affects the development of socialist culture, the security of information, and the stability of the state,” President Hu Jintao said in January.

The Golden Shield — the latest addition to what is widely referred to as the Great Firewall of China — was supposed to monitor, filter, and block sensitive online content. But only a year after completion, it already looks doomed to fail. True, surveillance remains widespread, and outspoken dissidents are punished harshly. But my experience as a correspondent in China for seven years suggests that the country’s stranglehold on the communications of its citizens is slipping: Bloggers and other Web sources are rapidly supplanting Communist-controlled news outlets. Cyberprotests have managed to bring about an important constitutional change. And ordinary Chinese citizens can circumvent the Great Firewall and evade other forms of police observation with surprising ease. If they know how.

The Great Firewall: China’s Misguided — and Futile — Attempt to Control What Happens Online, By Oliver August, WIRED MAGAZINE: ISSUE 15.11, 10.23.07 | 12:00 AM

And if they don’t know how, that article provides tips.

Breached Party: Labour Loses Confidence Due to Lack of Breach Security

The U.K. Revenue ministry has been leaking massive amounts of personal information, and now it’s affected the ruling party:
The Government will face fresh questions over the loss of millions of voters’ personal data amid evidence the debacle has helped fuel a massive slump in public confidence.

One poll showed those backing Labour’s ability to handle economic problems had been more than halved to 28%, with just a quarter deeming Gordon Brown’s administration “competent and capable”.

And another gave the Tories a nine-point overall lead, its strongest position for 15 years, just weeks after Labour enjoyed an 11-point advantage in the same poll.

Confidence in Labour ‘plummets’, Press Association, Guardian Unlimited, Friday November 23, 2007 7:03 AM

A government at risk of falling due to lack of breach security and perceived lack of technical confidence might be what it takes to get governments and industry to take breach security seriously, for example by requiring breach reporting.

-jsq

Egerstad Arrested: Uses Tor to Snoop Snoopers; Is This a Crime?

So this fellow was just arrested and some of his computers confiscated:
Dan Egerstad, a security consultant, intercepted data carried over a global communications network used by embassies around the world in August and gained access to 1000 sensitive email accounts. They contained confidential diplomatic memos and other sensitive government emails.

After informing the governments involved of their security failings and receiving no response, Egerstad published 100 of the email accounts, including login details and passwords, on his website for anyone curious enough to have a look. The site, derangedsecurity.com, has since been taken offline.

Swedish Police Swoop on Dan Egerstad – UPDATE by Fergie, Fergie’s Tech Blog, 14 Nov 2007

He got this information by installing Tor, which people use to hide their IP addresses, and looking to see what passed over it. What he saw, he thinks, was people who had already broken into embassy accounts and were using them illicitly. He tried to inform governments, who (except for Iran) were uninterested. Then he posted his information online, thus probably stopping the snoopers.

So Egerstad gets arrested, yet this man, who says “Privacy no longer can mean anonymity”, walks around free.

-jsq