To Insure or Not to Insure?

Iang reminds me that it was on his blog, Financial Cryptography, that I saw the rough estimate of how much an identity theft costs, that is, about $1,000.

He follows up on my post of yesterday about LifeLock, discussing a company called Integrity which insures identities in Second Life. Or, actually, insures any lawsuits resulting from "inappropriate content", whatever that is.

Then he gets to the real question:

How viable is this model? The first thing would be to ask: can’t we fix the underlying problem? For identity theft, apparently not, Americans want their identity system because it gives them their credit system, and there aren’t too many Americans out there that would give up the right to drive their latest SUV out of the forecourt.

On the other hand, a potential liability issue within a game would seem to be something that could be solved. After all, the game operator has all the control, and all the players are within their reach. Tonight’s pop-quiz: Any suggestions on how to solve the potential for large/class-action suits circling around dodgy characters and identity?

If Insurance is the Answer to Identity, what’s the Question?, Iang, Financial Cryptography, September 11, 2007

This wraps right around to the original reaction of the person from whom I heard it (hi, Anne Marie) on a list that is silent.

I have several thoughts about this:


Identity Theft as Marketing Opportunity

Since identity thieves are making many people worried about losing control of their identities, of course somebody has found a way to cash in on all that free publicity:
By now you’ve heard the stories about Americans whose identities have been stolen. They’re not pretty…people working for hundreds of hours over many years to get their lives back in order, kids not getting student loans because someone has already ruined their credit, people losing homes because thieves placed mortgages they never knew existed, even innocent individuals ending up in jail.

LifeLock can keep this from happening to you and we guarantee our service up to $1,000,000.

LifeLock

I seem to recall reading that the typical identity theft is only worth $1,000, but never mind that.

Look who recommends it:

You’ve heard Rush Limbaugh, Paul Harvey, Dr. Laura, Sean Hannity, Howard Stern, Dr. Joy and others endorse us.
Well! None of those people would ever sell pure fear, would they?

I have to give them credit for honesty, though: LifeLock admits right out that the four main preventive things they do, you could do for yourself. Beyond that, the main substance they seem to offer is essentially an insurance package:

If your Identity is stolen while you are our client, we’re going to do whatever it takes to recover your good name. If you need lawyers, we’re going to hire the best we can find. If you need investigators, accountants, case managers, whatever, they’re yours. If you lose money as a result of the theft, we’re going to give it back to you.
For $110/year or $10/month, is such an insurance policy overpriced, underpriced, or what?

-jsq

Are You Ready for Some Football Storm?

What do you do with the world’s fastest supercomputer? Use it to follow football, of course!
Today we started seeing new Storm mails and the web pages changed layouts completely. Now the theme is National Football League (NFL) which is timely considering the 2007 NFL season started on the 6th of September. The website even has the correct score, statistics, and schedule information.

Storm and NFL, by Patrik, F-Secure Weblog, Sunday, September 9, 2007

It’s sort of like gambling on the game; gambling that some suckers will think the site is legit.

-jsq

PS: Seen on Fergie’s Tech Blog.

APEC, Schmapeck

Yesterday, a TV comedy team succeeded in driving a fake motorcade with Canadian flags right through all the security barriers and weren’t stopped until right outside President Bush’s hotel. Inside their motorcade was someone dressed up as Osama Bin Laden.

APEC Conference in Sydney Social Engineered, Bruce Schneier, Schneier on Security, September 07, 2007

It gets better.

Phishing by Rogers?

Is it phishing if an ISP does it?
We do apologize but we are unable to locate your account with the information provided. To answer your question more precisely please reply to this e-mail with your account/wireless number, date of birth and full billing address including the postal code. Please note if there is a password on your account you will need to provide it or we will not be able to access your account. Once we are able to locate and access your account and provide you with the information requested. We will reply within 24 hours.

Early morning kvetch, Paul Madsen, ConnectID, Thursday, September 06, 2007

Even if it’s not, it’s just asking for somebody to intercept it.

-jsq

How to Overdo Outrage

How to overdo outrage:
“How can you overreact when it’s your children?” she said.
Like this:
…seven Iraqi men who were passengers on a plane scheduled to fly from San Diego to Chicago on Tuesday night. Robbins was also on the plane but was so terrified the men might be terrorists that she demanded to get off, causing a delay that prompted the airline to postpone the flight until the next morning.
When you interfere with other people’s travel and basic rights on the basis of nothing more than fear and prejudice:
“He looked so mean, the way he was looking at everyone,” Robbins said. “It was very frightening, like something out of a movie.”
And no, “all I could think of was 9/11” is not an excuse. (I suppose it could have been worse. She could have said “like something out of ’24’.”)

And like this:

Citizens who have done no more than criticize the president are being banned from airline flights, harassed at airports, strip searched, roughed up and even imprisoned…

BUSH RESTRICTING TRAVEL RIGHTS OF OVER 100,000 U.S. CITIZENS, by davidswanson, AfterDowningStreet.org, Mon, 2007-09-03 15:35

Wherever Osama bin Laden is, he must be chortling at how individuals and the U.S. government are doing more to harm Americans than he ever could have.

-jsq

Aged Old Code

Old wine or whisky can become more complex and interesting. Old code becomes insecure:
Or at least become more vulnerable. I’ve recently been helping a client with their secure coding initiative and as a result I’ve been reading Mike Howard and Dave LeBlanc’s Writing Secure Code which reminded me of an important aspect of maintaining a secure code base which often gets overlooked: That is that as code ages it becomes insecure.

Evolve or Die, by arthur, Emergent Chaos, August 29, 2007 at 7:47 AM

The state of the art in discovering vulnerabilities advances. I remember when nobody worried much about buffer overflows. Related to that, programs get used in environments they weren’t written for: who really cared about buffer overflows on the early Internet, when just getting it working for a few researchers was the goal? Also related, the number of people motivated to break code keeps increasing, especially those with monetary motivation. “With enough eyes, all bugs are shallow” also means that with enough eyes all vulnerabilities become easy to find. Or, in this postmodern world, even computer programs are largely what people perceive them to be, and those perceptions change.

For example, Jeff Pulver perceives Facebook’s video messages as videophone. How long before somebody perceives it as a phishing method? Where there’s humans there’s humint.

-jsq

Outrage at Outrage Management


So we were discussing Peter Sandman’s recommendations for outrage management, which mostly have to do with how to deal with management not doing something that you’ve given them rational reasons to do, because of some emotional resistance or other. The opposite problem also occurs: they believe you; they just don’t care. Then you could use some outrage.

Alex brings up two good points in the previous comments:

I’m afraid that outside of usefulness in those communications channels, I just would hesitate to use the term "Outrage". For example, creating "Outrage" metrics sounds like you’re working in Hollywood publicity for Paris Hilton, not protecting business assets. 🙂

Yes, exactly, it’s usefulness in these communications channels, that is, with management, that emotion, up to and including outrage, has to be used and managed.


Non-Asymmetric Malware


Most exploits through the Internet have been relatively small guys (individuals, gangs, etc.) against big companies and governments. Yet they’re already using botnets to leverage their activity. What happens when botnets start connecting with other botnets via wireless?

Consider the following scenarios:

  • malware infected PCs actually opening a WiFi connection in a port-knocking nature to the wireless botnet master only
  • no need for wardriving, as malware authors would quickly map the entire WiFi vulnerable population around a given region in the age of malware geolocating IPs using commercial services
  • once a PC gets infected inside an organization, it can automatically turn into a wardriving zombie exposing vulnerable WiFi connections within
  • Bluetooth scanning plugins expose even more vulnerable Bluetooth-enabled devices in the range of the infected host

Distributed WiFi Scanning Through Malware, by Dancho Danchev, @ Friday, August 24, 2007

It already wasn’t clear which side the asymmetry favored, since the bad guys use the full leverage of the Internet and the defenders mostly don’t. Now the bad guys can leverage the leverage of the Internet by also using local wireless connections to further interconnect.

Did we need more proof that there’s no such thing as a perimeter to fortify anymore?

-jsq

Outrage: Less and More

We’ve been discussing Outrage Considered Useful. Alex remarked in a comment:

The term "Outrage" suggests that risk cannot or should not be discussed in a rational manner.

What I think Sandman is getting at is that often risk isn’t discussed in a rational manner, because managers’ (and security people’s) egos, fears, ambitions, etc. get in the way. In a perfect Platonic world perhaps things wouldn’t be that way, but in this one, people don’t operate by reason alone, even when they think they are doing so.

Outrage x Hazard may be a means to express risk within the context of the organization, but I like probability of loss event x probable magnitude of loss better for quantitative analysis.

Indeed, quantitative analysis is good. However, once you’ve got that analysis, you still have to sell it to management. And there’s the rub: that last part is going to require dealing with emotion.
