Category Archives: Information risk

Privacy and Breach Reporting

Why do corporations and the government think we should trust them with everything, yet they shouldn’t even have to report security breaches?

Adam notes that the Commission on Cyber Security is currently meeting “to provide advice about cyber-security policy to the next presidential administration.” Adam has a recommendation:

Many of our fears about what happens after a company is breached have turned out to be false. This is the first key lesson. We have feared that companies will go out of business, people will lose their jobs, and customers will flee. Generally, these things happen only in extreme outliers, if at all. (Two companies have gone out of business; average customer churn is about 2%.)

The second lesson comes from studying the data. The dataloss list contains less selection bias about a broader set of incidents than any other public data I’ve ever seen.

So my goal for the 44th Presidency would be to overcome the fear that has held us back from having national cybercrime statistics, in the form of good law requiring breach disclosure.

How Government Can Improve Cyber-Security, by Adam Shostack, Emergent Chaos, 12 Nov 2007

This would be a big improvement.

-jsq

Fraud: Fake Zep Tickets on Ebay

Now this is chutzpah:
Although our reporter was not the winning bidder, the seller contacted us and claimed the winner had failed to pay. She then quoted a price of £2,400 and said she would post the tickets to our reporter.

But we had already contacted the winning bidder via Ebay; he told us that he had already transferred £2,414 to the seller’s bank account.

Fraudsters hijack Led Zeppelin concert: Promoter blames Ebay for failing to take down auctions for non-existent tickets, Dinah Greek, Computeract!ve, 30 Oct 2007

Not only are these invalid tickets, but the seller was selling them twice!

-jsq

Fingerprint False Positives

Not all that glitters is gold:
“Fingerprints, before DNA, were always considered the gold standard of forensic science, and it’s turning out that there’s a lot more tin in that field than gold,” he said. “The public needs to understand that. This judge is declaring, not to mix my metaphors, that the emperor has no clothes.”

Judge bars use of partial prints in murder trial, By Jennifer McMenamin, Sun Reporter, October 23, 2007

The judge did this because of the partial-fingerprint false positive that linked an Oregon lawyer to the Madrid bombings. Apparently his print was only one of twenty false matches in that case. So the judge in this homicide case has ruled that partial fingerprint matches can’t be used as evidence.
At a pretrial hearing in May, prosecutors argued that fingerprint evidence has been accepted by the courts and relied upon for nearly 100 years. Defense attorneys countered that there is no similar history of subjecting the evidence to scientific review.

“The state is correct that fingerprint evidence has been used in criminal cases for almost a century,” Souder, the judge, wrote in her decision. “While that fact is worthy of consideration, it does not prove reliability. For many centuries, perhaps for millennia, humans thought that the earth was flat.”

So if a hundred-year-old “gold” standard of evidence turns out to be tin, what about all the wide-scan wiretap dragnet evidence that certain governments seem intent on compiling these days? The Madrid case is the base-rate problem in miniature: a matching method that is wrong only rarely, run against a large enough database, still produces many more false hits than true ones.
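The arithmetic behind that worry, as an added example that is not part of the original post: a detector with even a tiny per-record false-positive rate, run against a whole population, flags far more innocents than targets, and the share of flagged people who are real targets (the precision) collapses. The database sizes, target counts and error rates below are constructed assumptions for illustration, not figures from the Madrid case or from any real surveillance program.

```python
"""Base-rate arithmetic for a detector run over a whole population.

All numbers passed in by the demo at the bottom are constructed assumptions;
the functions themselves are plain probability.
"""


def flagged_breakdown(population, true_targets, sensitivity, false_positive_rate):
    """Expected true and false hits when a detector is run over everyone.

    population          number of records or people searched
    true_targets        how many of them really are what the detector looks for
    sensitivity         P(flag | target), the detector's hit rate
    false_positive_rate P(flag | not target), the per-record error rate

    Returns (expected_true_hits, expected_false_hits, precision), where
    precision is the probability that a flagged record is a real target.
    """
    if not 0.0 <= sensitivity <= 1.0 or not 0.0 <= false_positive_rate <= 1.0:
        raise ValueError("rates must lie in [0, 1]")
    if true_targets > population or true_targets < 0:
        raise ValueError("true_targets must be between 0 and population")
    true_hits = sensitivity * true_targets
    false_hits = false_positive_rate * (population - true_targets)
    flagged = true_hits + false_hits
    precision = true_hits / flagged if flagged else 0.0
    return true_hits, false_hits, precision


def max_false_positive_rate(population, true_targets, sensitivity, wanted_precision):
    """Largest per-record false-positive rate that still reaches wanted_precision.

    Solves precision = s*T / (s*T + f*(N-T)) for f.  This is the number a
    dragnet's designer would have to promise, and it shrinks as the haystack
    grows.
    """
    if not 0.0 < wanted_precision < 1.0:
        raise ValueError("wanted_precision must be strictly between 0 and 1")
    true_hits = sensitivity * true_targets
    non_targets = population - true_targets
    if non_targets <= 0 or true_hits <= 0:
        raise ValueError("need at least one target and one non-target")
    return true_hits * (1.0 - wanted_precision) / (wanted_precision * non_targets)


if __name__ == "__main__":
    # Constructed stand-in for a partial-print search: one true source in a
    # 50-million-print database, a matcher that never misses, and a per-print
    # false-match rate of 4e-7.  Roughly twenty false candidates come back.
    hits, misses, prec = flagged_breakdown(50_000_000, 1, 1.0, 4e-7)
    print(f"print search: {hits:.0f} true, {misses:.0f} false, precision {prec:.3f}")

    # Constructed dragnet: 300 million people, 1,000 real targets, a very good
    # classifier (99% sensitivity, 0.1% false-positive rate).
    hits, misses, prec = flagged_breakdown(300_000_000, 1_000, 0.99, 0.001)
    print(f"dragnet: {hits:.0f} true, {misses:.0f} false, precision {prec:.4f}")

    # What error rate would the dragnet need for a coin-flip precision?
    f = max_false_positive_rate(300_000_000, 1_000, 0.99, 0.5)
    print(f"false-positive rate needed for 50% precision: {f:.2e}")
```

The second scenario is the one to keep in mind when reading the Madrid story: a classifier that is right 99.9% of the time per person still hands investigators roughly three hundred false leads for every real one, because the innocent population is so much larger than the target population.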

-jsq

PS: Seen on Bruce Schneier’s blog.

eCrime Papers Posted

The APWG eCrime Researchers Summit has released its papers by linking them to its agenda. Lots of interesting stuff there about phishing and website takedown, capture and recapture, password reuse, behavioral reaction, etc.

There were also sessions on getting technology solutions adopted and user education, but those appeared to be panels, and don’t have papers posted.

-jsq

APWG in Pittsburgh and Fraud in Japan

The Anti-Phishing Working Group is having one of its periodic member meetings, this time in Pittsburgh. Probably I shouldn’t report too much detail, but I’ll say that interesting things are going on worldwide that may spread to other countries. For example, in Japan it seems that fake programming sites are more popular than phishing. Also, if I heard correctly, most phishing in the Japanese language originates from phishers in Japan. This would make sense, since it’s very hard for foreigners to write well enough to pretend to be Japanese. So that one probably won’t spread too widely, but the fake programming scam could.

My favorite is the history attack. World War II ended on 15 August 1945 in Japan, so a timeline of that war can get a lot of hits on a war’s end link in August of any year. Who would have known history could be so popular?

Meanwhile, during Carnival in Brazil, nobody reports malware, so there’s a dip in measurements…. Then, and for the rest of the year, sophisticated personalized social engineering attacks seem to be popular in Brazil.

-jsq

DRM: The Secret that Can’t be Kept

Cory Doctorow on why DRM can never work:
It’s great for email, but it can never work for movies, TV shows or music, because in the case of “copy protection” the receiver is also the person that the system is meant to guard itself against.

Say I sell you an encrypted DVD: the encryption on the DVD is supposed to stop you (the DVD’s owner) from copying it. In order to do that, it tries to stop you from decrypting the DVD.

Except it has to let you decrypt the DVD some of the time. If you can’t decrypt the DVD, you can’t watch it. If you can’t watch it, you won’t buy it. So your DVD player is entrusted with the keys necessary to decrypt the DVD, and the film’s creator must trust that your DVD player is so well-designed that no one will ever be able to work out the key.

Pushing the impossible, by Cory Doctorow, Guardian Unlimited, Tuesday September 4 2007

So as long as you can keep a secret from yourself, DRM will work….

-jsq

Quantitative >= Qualitative

See Pete Lindstrom’s Spire Security Viewpoint for empirical evidence that mechanical quantitative diagnosis is almost always at least as good as clinical qualitative diagnosis.

There is still plenty of room for qualitative decision-making in arenas where there aren’t enough facts, or the facts haven’t been quantified, or there’s no baseline, or there’s no mechanical method yet. But where those things are available, it’s better to use them. You’ll still need qualitative judgement for cases where the algorithm is right but didn’t take into account unfortunate side effects, for instance. Even then, you’ve got a better chance of knowing what you’re doing.

-jsq

To Insure or Not to Insure?

Iang reminds me that it was on his blog, Financial Cryptography, that I saw the rough estimate of how much an identity theft costs, that is, about $1,000.

He follows up on my post of yesterday about LifeLock, discussing a company called Integrity which insures identities in Second Life. Or, actually, insures any lawsuits resulting from "inappropriate content", whatever that is.

Then he gets to the real question:

How viable is this model? The first thing would be to ask: can’t we fix the underlying problem? For identity theft, apparently not, Americans want their identity system because it gives them their credit system, and there aren’t too many Americans out there that would give up the right to drive their latest SUV out of the forecourt.

On the other hand, a potential liability issue within a game would seem to be something that could be solved. After all, the game operator has all the control, and all the players are within their reach. Tonight’s pop-quiz: Any suggestions on how to solve the potential for large/class-action suits circling around dodgy characters and identity?

If Insurance is the Answer to Identity, what’s the Question?, Iang, Financial Cryptography, September 11, 2007

This wraps right around to the original reaction of the person from whom I heard it (hi, Anne Marie) on a list that is silent.

I have several thoughts about this:

Continue reading

Brass Leaks

We already observed that military information security is a bit of an oxymoron, and over in Peerflow that the U.S. military thinks its soldiers in Iraq are likely leaks.

Well, it turns out that:

For years, members of the military brass have been warning that soldiers’ blogs could pose a security threat by leaking sensitive wartime information. But a series of online audits, conducted by the Army, suggests that official Defense Department websites post far more potentially-harmful than blogs do.

Army Audits: Official Sites, Not Blogs, Breach Security, By Noah Shachtman, Danger Room, August 17, 2007, 12:29:00 PM

Is there a psychologist in the house? Is the military’s blaming of its own incompetent leaks on the troops projection, or is it just plain old CYA?

I’m pretty sure hiding this report until the EFF filed a FOIA lawsuit to get it is CYA.

I don’t think it’s good risk management for the troops, or the Iraqis, or even for the brass.

-jsq

Click Fraud Network

Here’s another company detecting effects of botnets:
The Click Fraud Index™ monitors and reports on data gathered from the Click Fraud Network™, which more than 4,000 online advertisers and their agencies have joined. The Network provides statistically significant pay-per-click data collected from online advertising campaigns for both large and small companies.

“We’re not surprised to see the industry average click fraud rate climb this quarter as a result of botnet activity,” said Robert Hansen, CEO of SecTheory and one of the industry’s leading experts in online security threats. “Our clients are well aware that botnet activity is on the rise and that botnets are being used for a variety of online fraud activities, including click fraud.”

Click Fraud Network, accessed 16 August 2007

They claim the country originating the most click fraud is France, followed by China. However, it would be more useful to show which ISPs are originating the most click fraud, i.e., which ones are most infested by botnets. Countries are too big and too slow to have much of a chance of doing something about this. ISPs can: they know which customers those addresses belong to, and they can contact them, filter them, or cut them off.
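What that re-aggregation looks like in practice, as an added example that is not part of the original post or of the Click Fraud Network’s own reporting: take fraud-flagged click records, map each source address to its originating network with a longest-prefix match against a prefix-to-ASN table, and count by network as well as by country. The prefix table, AS numbers, operator names and click records below are all constructed for illustration (the address blocks are the RFC 5737 documentation ranges); a real deployment would load the table from routing data or an RIR whois feed.

```python
"""Aggregate fraud-flagged clicks by originating network (ASN), not by country.

The prefix table and the click records are constructed test data; the AS
numbers are from the private-use range and the operator names are invented.
"""
import ipaddress
from collections import Counter

# Constructed prefix table: (CIDR, ASN, operator).  The two /25s sit inside a
# /24 that is also listed, so the lookup must prefer the more specific prefix.
PREFIX_TABLE = [
    ("203.0.113.0/24", 64496, "ExampleNet FR"),
    ("198.51.100.0/24", 64500, "SampleISP FR (aggregate)"),
    ("198.51.100.0/25", 64497, "SampleISP FR"),
    ("198.51.100.128/25", 64498, "DemoCable FR"),
    ("192.0.2.0/24", 64499, "TestTelecom CN"),
]

# Constructed fraud-flagged click records: "timestamp source_ip geo_country".
# The country column is what a country-level report would be built from.
FLAGGED_CLICKS = """\
# timestamp           source_ip       geo
2007-08-16T10:00:01 203.0.113.5 FR
2007-08-16T10:00:03 203.0.113.77 FR
2007-08-16T10:00:04 203.0.113.78 FR
2007-08-16T10:00:09 203.0.113.140 FR
2007-08-16T10:00:12 203.0.113.201 FR
2007-08-16T10:00:15 198.51.100.10 FR
2007-08-16T10:00:20 198.51.100.200 FR
2007-08-16T10:01:02 192.0.2.33 CN
2007-08-16T10:01:05 192.0.2.34 CN
2007-08-16T10:01:30 192.0.2.99 CN
2007-08-16T10:02:00 100.64.0.1 US
"""


def build_table(entries):
    """Parse (cidr, asn, name) rows and order them longest prefix first."""
    nets = [(ipaddress.ip_network(cidr), asn, name) for cidr, asn, name in entries]
    nets.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return nets


def lookup_asn(ip, table):
    """Longest-prefix match; returns (asn, name) or (None, "unknown")."""
    addr = ipaddress.ip_address(ip)
    for net, asn, name in table:
        if addr in net:
            return asn, name
    return None, "unknown"


def summarize(log_text, table):
    """Count flagged clicks per country and per originating network."""
    by_country = Counter()
    by_asn = Counter()
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _timestamp, ip, country = line.split()
        by_country[country] += 1
        by_asn[lookup_asn(ip, table)] += 1
    return by_country, by_asn


def top_networks(by_asn, n):
    """The n networks with the most flagged clicks, as ((asn, name), count)."""
    return by_asn.most_common(n)


if __name__ == "__main__":
    table = build_table(PREFIX_TABLE)
    by_country, by_asn = summarize(FLAGGED_CLICKS, table)
    print("by country:", dict(by_country))
    for (asn, name), count in top_networks(by_asn, 3):
        print(f"AS{asn} {name}: {count} flagged clicks")
```

On the constructed data the country view just says “France, then China”. The network view says that five of the seven French clicks came from one operator, which is the party that can actually find the infected customers; the address that matched no prefix is kept as “unknown” rather than silently dropped, since an unmapped source is itself something to look into.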

-jsq