Tuesday, January 05, 2010

Secure software development

In connection with this month's NoticeBored awareness materials on the security aspects of software development, I've been listening to a podcast by Ralph Hood and Kim Howell (two Microsofties) about how both privacy and wider information security issues are integrated into Microsoft's development practices.

From a non-US perspective, the very idea that privacy and security are "opposite sides of the same coin" seems a little weird. For most of the rest of the world, privacy has long been acknowledged as a subset of information security, being essentially the confidentiality of information about specific individuals. But, as host Julia Allen mentions in the podcast, the US is still shifting from the idea that it's perfectly OK to collect all sorts of personal information from people and use it as you wish.

One of the interesting approaches discussed in the podcast is that personal information needed purely for aggregation or statistical purposes should be collected and held only temporarily, then deleted as soon as possible. Personal information in server logs, for example, may be parsed out, analyzed and deleted by a regular process. While this would make post-hoc validation of the data difficult, this slight drawback is outweighed by the privacy advantages for those who supply their information.
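As an added example that is not from the podcast or from this post, here is a minimal version in Python of the "regular process" described above: it pulls the statistics that are actually needed out of some constructed access-log lines, keeps only the aggregates, and rewrites the lines with the client address and user identifier stripped out. The Common Log Format layout and the field names are my assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - alice [05/Jan/2010:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
203.0.113.7 - alice [05/Jan/2010:10:00:05 +0000] "GET /prices HTTP/1.1" 200 2048
198.51.100.23 - - [05/Jan/2010:10:01:12 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.23 - bob [05/Jan/2010:10:01:20 +0000] "GET /index.html HTTP/1.1" 200 512
not a log line at all
"""

# Fields: client IP, identd, authenticated user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Only IP addresses and user names are treated as personal data here;
# the timestamp, path and status are kept because they are the statistics
# the process exists to produce.
PERSONAL_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b|alice|bob')


@dataclass
class Aggregates:
    requests_by_path: Counter
    requests_by_status: Counter
    distinct_visitors: int  # a count only; the addresses themselves are discarded
    unparsed: int


def aggregate_and_scrub(text):
    """Return (aggregates, scrubbed_lines) for a block of log text.

    Personal fields are held in memory only for as long as the aggregation
    runs; what is written back out contains none of them.
    """
    by_path = Counter()
    by_status = Counter()
    visitors = set()
    unparsed = 0
    scrubbed = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            # Lines we cannot parse are not retained either: we cannot
            # prove they are free of personal data.
            unparsed += 1
            continue
        by_path[m['path']] += 1
        by_status[m['status']] += 1
        visitors.add(m['ip'])
        # Client address and user name replaced with '-' (the CLF "absent" marker).
        scrubbed.append(
            f"- - - [{m['ts']}] \"{m['method']} {m['path']} {m['proto']}\" "
            f"{m['status']} {m['size']}"
        )
    return Aggregates(by_path, by_status, len(visitors), unparsed), scrubbed


def scrub_is_clean(scrubbed_lines):
    """Post-hoc check that no personal field survived the rewrite."""
    return not any(PERSONAL_RE.search(line) for line in scrubbed_lines)


if __name__ == "__main__":
    agg, kept = aggregate_and_scrub(SAMPLE_LOG)
    print(agg)
    print("\n".join(kept))
    print("clean:", scrub_is_clean(kept))
```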

The podcast is one of the excellent Security for business leaders series by CERT at Carnegie Mellon University. An impressive range of podcasts is available to download.


Wednesday, September 02, 2009

Locational privacy

The Electronic Freedom Foundation's paper on locational privacy explores the privacy issues relating to automatic road toll devices and similar systems that check the locations of users. Such systems can be designed to incorporate locational privacy controls but this increases their complexity and cost - the question is whether that's justified by the privacy benefits.

It's also a moot point given that most of us already carry cellphones which can be tracked to a few city blocks or a few miles in open country.


Tuesday, September 01, 2009

HSBC fined for not protecting customer confidentiality

Info4security published news about HSBC's privacy lapses:

"The Financial Services Authority (FSA) has fined three HSBC firms over £3 million for not having adequate systems and controls in place to protect their customers' confidential details from being lost or stolen ... During its investigation into the firms' data security systems and controls, the Financial Services Authority (FSA) found that large amounts of unencrypted customer details had been sent via post or courier to third parties. Confidential information about customers was also left on open shelves or in unlocked cabinets, and could easily have been lost or stolen. In addition, it was noted that members of staff had not been given sufficient training on how to identify and manage risks such as identity theft."

Read the whole item here.


New security awareness module on privacy

Privacy is both a narrow, intensely personal issue relating to the individual, and a broad democratic principle relating to society at large. It’s one of those things in life that perhaps we don’t truly appreciate until it’s gone – ask anyone who has suffered intrusive media coverage for instance, lost their identity to an identity thief, or had their medical, personnel or credit card data records “lost presumed stolen”.

A lay person might define personal information as “Details about someone that they would consider private.” That definition may make perfect sense to you and me but is probably too subjective for the courts. Personal information is defined more narrowly in the legislation, but annoyingly the definitions vary between countries.

Read more about what’s in September’s NoticeBored module and the free security awareness newsletter, or follow along with us on Twitter or our blog as we continue gathering links to interesting privacy news.


Friday, July 03, 2009

Forensic examination of secondhand disks

Used hard disks bought on an online auction site were found to contain personal and proprietary data. Some of the drives that had supposedly been erased yielded their secrets to forensic examination techniques. Others still had the original undeleted data and could have been read easily by any purchaser. The Irish newspaper article notes that homeworkers were probably the source of at least some of the security lapses, having used their own PCs for work projects, "forgotten" about the sensitive work data they contained, and sold the disks or whole systems privately. This kind of breach would fall outside the remit of most organizations I have worked for, except those few who insist that staff only use company systems for work activities, typically providing laptops for the purpose. That said, whether the laptop hard disks were properly erased at the end of their life, or the extent to which employees complied with the company policies on not working on personal IT equipment, is anyone's guess.


Friday, December 26, 2008

Will your cellphone spill your secrets

As the title suggests, Will your cellphone spill your secrets focuses on privacy exposures from lost cellphones but the same considerations apply to other gizmos of course.

The loss of a gizmo is more than just a privacy issue: we become very attached to, if not dependent on them. Speaking personally, I'm terrible at remembering names let alone phone numbers, email addresses, passwords and so forth, so I rely heavily on the technology to do the remembering for me. Naturally, being a security freak, I use encryption and other controls to protect such sensitive information so the privacy side is less of a concern than me simply losing access to all that valuable information ... so don't forget backups. Decent backups. Off-line backups with the backup media stored securely. It's a bit of a pain to take them but it's far worse to lose a gizmo (whether by leaving it on the back seat of a cab or on the roof of a car, having it stolen, dropping it in a puddle or some other accident or hardware failure ... actually, thinking about it, there are quite a few ways!) and not to be able to recover the data.

Here are some simple tips to reduce the risk:
- Transfer new phone numbers from your cellphone to a diary/contacts database such as Outlook every so often, and while you're at it, look through the contacts for any that should be put on your phone. Try to make this a routine activity, perhaps once a month or two;
- Make a separate database of important contacts, for example to feed a form letter notifying them of change-of-address details. Keep a copy of this with you when you travel;
- Use encryption and other available access controls such as a PIN code to unlock your phone/SIM card, PDA etc.;
- Avoid taking all your gizmos with you when traveling - just the ones you need - and try to keep them physically about your person (e.g. not in checked-in hold baggage);
- Make an inventory of your gizmos with models, serial numbers, distinguishing marks etc. so that if you lose any, you can at least describe them properly to the Police or the Lost And Found office;
- Use those 'distinguishing marks' proactively to identify your gizmos e.g. mark the case with your name, phone number, email address or whatever, trying not to make the privacy exposure even worse but making it easier for finders to return them to you;
- Don't forget to erase personal data properly from gizmos when disposing of them. A simple 'delete' is unlikely to be sufficient. See NIST's SP800-88 for the full nine yards.


Friday, December 19, 2008

HMG loses two gizmos a week

In the past year, the British Government admits to having lost:
  • 53 computers
  • 36 BlackBerrys
  • 30 mobile phones
  • 4 memory sticks; and
  • 4 disc drives.
If we assume that the devices had just 1 Gb of data storage each (a low estimate for some I'm sure), that's 127 Gb of data gone walkies. Some of them were hopefully strongly encrypted - let's be generous and say half, bringing the exposure down to 63.5 Gb of unencrypted data. By my calculation, that's equivalent to a pile of printed papers more than 50 feet high.

The reported number of lost devices is certainly an underestimate, since (a) it's self-reported by government officials; (b) it excludes the Ministry of Defense and Home Office, who did not respond to the request for information; (c) government employees probably use, and lose, personal devices for official work; and (d) it excludes other formats, e.g. lost CD/DVD ROMs and actual papers.

As to whether it is acceptable for Her Majesty's Government to lose at least 50 feet of printed papers per year, that depends on whether your privacy was compromised I guess.


Tuesday, December 16, 2008

Gizmo security cluelessness

Looks like McCain's team need to read the latest NoticeBored module on security for gizmos ... oh wait, it's too late. They sold at least one information-packed Blackberry to a reporter ...


Wednesday, September 03, 2008

Ice hockey coach emails himself to prison

The BBC reports that a father, concerned about his under-age daughter's relationship with an adult ice hockey coach, installed spy software on the family PC to monitor her online liaisons. It soon became apparent from the emails and Messenger chat the pair were exchanging that they were having unlawful sexual intercourse. The coach was arrested, charged and convicted of five counts of sexual activity with a child and jailed for 4½ years.

In a corporate setting, it is not entirely obvious to many IT, HR and information security professionals whether an employer has the legal right to monitor its employees' use of email and other IT facilities in the same way, even if those facilities clearly belong to the organization and are provided to employees for work purposes. In some countries, privacy laws constrain what employee monitoring employers can reasonably do, but there are often exceptions to permit more intrusive monitoring in order to investigate suspected illegal activities - not random interception, perhaps, but targeted monitoring of specific individuals whom the organization has good reason to believe are doing something illegal. There may be further exceptions in relation to serious crimes such as pedophilia, allowing organizations and law enforcement to present pertinent information obtained by chance as evidence in court, even though they had no prior knowledge of the crime. [NB: this is not legal advice! I am not a lawyer! Consult a competent lawyer familiar with the laws in your country to find out what you can and cannot do.]


Saturday, August 23, 2008

Facebook fairy

This is just too funny to resist.

I might open up a little on this blog from time to time but you won't find a picture of me in a fairy costume, clutching a beer, when I'm supposed to be at work. Oh the joys of Facebook.


Friday, August 22, 2008

PCI DSS update

An update to the Payment Card Industry Data Security Standard (PCI DSS) has been announced with a preview/summary of the changes due for release in version 1.2 on 1st October.

Most of the changes are classified as clarifications of existing requirements, but controls for wireless networks caught my beady eye. On the one hand, PCI DSS seemingly acknowledges that WEP is no longer adequate (about time!), but on the other it allows WEP to continue until July 2010. 2010! That's like saying "Wardrivers, take your time, you have 2 years to find and exploit vulnerable stores". Given recent high-profile incidents of that nature, I'm puzzled as to why WEP is tolerated at all. PCI DSS 1.2 is an opportunity to drive up security standards and in many respects it is incrementally improving things, but in this one respect, they're letting the chance slip by.

Examples of "critical employee-facing technologies" that ought to be covered by security policies will be expanded to include "remote access technologies, wireless technologies, removable electronic media, email usage, internet usage, laptops, and Personal Data Assistants (PDAs)". I'm pleased to say that we have been covering those issues for years in the NoticeBored security awareness service, and will be covering them all before the end of this year [RATs were mentioned in the malware module in March. We're currently finalizing next month's module on email security right now, and researching for a forthcoming module on 'securing portable IT devices' for release in December.]

Employees will be required to acknowledge that they have read and understood the company’s security policy and procedures “at least annually”. Note the wording: employees will have to acknowledge the policies and procedures. Management's focus will be on getting bits of paper signed or learning management systems ticked once a year, rather than confirming that employees actually understand and recall the policies or pushing for more frequent awareness and training. That's another opportunity missed. Ho hum.

Against this background, I'll be just a touch more cynical next time someone complains about the 'PCI DSS compliance overhead', and even more careful about giving anyone my payment card details.

[Thanks to the Security Warrior, Anton Chuvakin, for alerting me to this. Anton's home turf is security logging but like many infosec pros, he has fingers in many pies.]


Wednesday, June 25, 2008

Information cards

The Information Card Foundation is a trade body representing "a group of thoughtful designers, architects, and companies who want to make the digital world easier for you by building better products that help you get control of your personal information", and promoting the concept of "Information Cards". There are some big- and not-so-big-name backers.

Billed as "the digital version of the cards in your wallet" and "the new way to control your personal data and identity on the web", Information Cards (also known as InfoCards or I-Cards) are stored in an identity selector ("selector" or "digital wallet") on your desktop, browser or mobile device. Websites that accept Information Cards access the stored card, retrieving user identity and authentication information automatically without the user having to log in the conventional way. Other information such as your shipping address can also be retrieved automagically.

So far, this sounds reminiscent of cookies (oh no!) but presumably those 'thoughtful designers and architects' have been beavering away on the security and privacy aspects. The Information Cards Forum website doesn't actually say much about the technology, unfortunately. Perhaps they've thought through the use of powerful encryption algorithms, long keys and solid protocols. Maybe they've considered shared and public PCs, cross-site issues and more. Perhaps this time they'll get it right.

If you change your address, you only have to update it in your personal data store, and all the relationships you have established with your Information Card will be updated automatically.


OR

'If a hacker changes your address, they only need to update it in your personal data store and all the sites that use your I-Card will use the hacked version'. I wonder if the automation will be such that the user never even notices that his bank statements and goods ordered online are now being delivered to a strange PO box address half way across the country?

Use "I-Cards" to:

- login to websites with a single click

- create relationships with those you want to do business with

- manage your personal data in one place that only you and those you allow have access.

- wield the claims that other people and institutions say about you.

- prove that you are who you say you are without revealing details using trusted identity providers.


The first bullet - single click website logins - and several others on the list can be achieved already with all manner of browser-integrated password vaults.

I have no idea what bullet 4 means by "wielding claims". I understand you can wield an ax but not a claim.

The last bullet presumably implies the use of digital certificates and PKI. So that's alright then. No issues there.

I'll be interested to see how this initiative pans out. So far, it looks suspiciously like a vendor-backed "solution" looking for a market demand. Claims to the effect that the ICF will develop vendor-independent standards (for interoperability among, presumably, the ICF members) hint at the real objective here. Get something to market (or rather, 'launch the concept') and start building the I-Card brand before some idiot has the temerity to point out the flaws.


Monday, June 23, 2008

Password protected =/= Encrypted

At last! Indiana has seen the light!

A new Indiana state law comes into effect on July 1st mandating disclosure of breaches involving loss or theft of laptops containing personal data, even if the data are 'protected by a simple password' (such as a normal Windows or Linux login password, presumably).

"Public Law 136 (House Enrolled Act 1197) requires businesses to notify consumers when any of their personal information is contained on a laptop that has been lost or stolen unless that information is encrypted," Pierce said. Current law does not require consumers to be notified about a lost or stolen laptop if personal information about them on the laptop is protected by a simple password.


The article goes on to explain that 'a simple password' can be compromised by brute force attack, which is often true but is not really the point. A hacker with unrestrained physical access to a laptop could remove the unencrypted hard drive, install it on another system and access all the data. Or they could run one of the 'retrieve lost admin password' utilities, typically booting the laptop from an external boot drive or compromising the system's Firewire connection etc.

Unfortunately, the article doesn't make it clear that brute force attacks might also work against the password/passphrase commonly used to secure encryption keys. Multifactor authentication, for example using a biometric or a token in addition to the usual user password/passphrase, would make a significant difference, along with tamper-resistant hardware protection for the keys themselves (e.g. the "Trusted Platform Module" or a cryptographic smart card). And even then, there are potential attacks if the attacker has sufficient resources, skills and experience.

I haven't read the statute but I'm curious about how it defines 'encrypted'. For example, does it mandate AES with a 256 bit key or would DES with a 56 bit key, or even a Caesar cypher with key of 5, be considered good enough? Defining such things in law would be tricky since the state of the art is moving along constantly. Caesar's cypher was considered good enough 2 millennia ago.

Continuing this line of thinking leads to the inevitable conclusion that personal data cannot be totally secured on a laptop or other device to which an attacker has unrestrained physical access. So, perhaps businesses that lose encrypted laptops containing personal data should come clean anyway since they can still rightfully state that the data were protected by encryption.

Previous posts on this topic: Password protected =/= hacker proof and "Password protected" again


Tuesday, March 25, 2008

Desperate for data on 25m Brits FINAL UPDATE?

The BBC reports that a substantial reward is on offer for the return of two CD-ROMs that went missing in the post en route between two Government offices. They have searched numerous offices (including TNT, a well-known courier company) and at least one rubbish tip, and have completed some forensic analysis (presumably looking to see if individuals implicated in the incident might have something to hide), but these all came up blank. Having forlornly scaled down the search, a cash reward is now on offer and the British populace is warned to keep an eye out for identity theft or similar incidents.

The report notes several other personal information breaches at the Department concerned, and low staff morale as a result of the latest one. Given the sorry history of incidents, heads should roll. If public servants cannot be trusted to protect sensitive information provided to them by the public they serve, the public have every right to withhold information - but the civil disruption this would cause has far-reaching consequences.

UPDATE 19th Jan: more stories of improper disclosure of personal information by officials are adding to the Government's woes, and more importantly increase the risk of identity theft of British residents. Today we read that (1) a Ministry of Defence laptop, stolen from a car (doh!), contained personal details on 600,000 applicants to join the forces, some of whom will have provided the full nine yards necessary to undergo security clearance; and (2) papers containing personal data on benefits claimants were found strewn across a West Country roundabout, for at least the second time in two months. The man who discovered the latest batch of papers found and reported a similar load at the same place in November. We don't know if any more papers might have been lost or abandoned there and discovered by criminals during the last two months, or indeed previously or subsequently. ['Strewn across a roundabout' is a rather extreme example of "unstructured data". An article in December 2007's ISSA Journal on managing unstructured data patiently explains how to get a grip on unstructured data in ten steps, most of which are virtually impossible to do in any Real World organization and all of which ignore paper records. Data Leakage or Loss Protection (DLP), another security industry buzzword, likewise deals with a small part of the problem, and not very well at that. \rant]

Who will be held accountable for these security screwups? Will anyone lose their job, be fined or end up in prison as a result? Somehow I doubt it. It is the British Government after all. A press release on AccountingWeb says:
"The Information Commissioner, whose office was established to protect personal information and take appropriate action where the law is broken, described the scale of the loss as “unprecedented” and stated that data protection laws have almost certainly been breached. This loss of information serves as a timely reminder to businesses and organisations that they are legally obliged to ensure the safety of personal information relating to individuals."


UPDATED Jan 20th: a USB stick lost by a hospital worker had personal details of thousands of patients but apparently it's OK because "The loss was an accident rather than any systematic failing in management and governance". I assume from the BBC item that the data on the memory stick were not encrypted. What's more, "diaries containing patients' names and addresses were stolen from staff cars in two separate incidents in June." There are two good examples of "a systematic failure of management and governance", and here's a third: local management evidently decided not to inform the patients about the loss of their personal data because, in their estimation, the data could not be used for identity theft. I hope the patients concerned will complain and the Privacy Commissioner will prosecute the hospital under the Data Protection Act.

UPDATE 22nd Jan: the MoD (that's Ministry of Defence, yes, Defence, Her Majesty's Government department charged with, and paid vast amounts of taxpayers' money to protect the Realm and maintaining the freedom of her people) has now revealed that it has lost laptops with sensitive personal data on potential recruits at least twice before. With typical British understatement, shadow defence secretary Liam Fox called it a "dreadful mess". He really is awfully, awfully sorry.

"Data on the laptop stolen in Edgbaston on 9 January included passport, National Insurance and driver's licence numbers, family details and NHS numbers for about 153,000 people who applied to join the armed forces. Banking details were also included for around 3,700 people ... It is clear that the database files were not encrypted, in breach of MoD procedures ... Some 68 MoD laptops had been stolen in 2007, 66 in 2006, 40 in 2005 and 173 in 2004."


The same BBC news story reports that:
"The new rule on laptops comes in an e-mail from the Civil Service chief, Cabinet Secretary Sir Gus O'Donnell, to all government departments. It said: 'From now on, no unencrypted laptops or drives containing personal data should be taken outside secured office premises. Please ensure that this is communicated throughout your organisation and delivery bodies and implemented immediately, and that steps are taken to monitor compliance.'"


New rule? NEW RULE! From now on!! Someone has evidently been asleep at the wheel. The situation is completely out of hand in the UK. Government departments cannot ignore the law and have a clear duty to protect the personal information entrusted to them by citizens. They need to be held to account. If not, citizens will, quite justifiably, withhold their information from public bodies, like for example the tax office and social security department ... and there lies the route to anarchy.

UPDATE Jan 26th: The BBC reports that:
"Marks and Spencer has been found in breach of data protection rules after the theft of a laptop containing the personal details of 26,000 employees. The Information Commissioner's Office (ICO) said the data on the laptop, which was stolen from the home of an M&S contractor, was unencrypted. The ICO has ordered M&S to make sure all laptop hard drives are fully encrypted by April 2008."

So it would appear that laptop encryption is now mandatory in the UK for any organization handling personal data!

UPDATE 5 Feb 15th: 5,000 patients of a Dudley hospital face anxiety over possible identity theft thanks to the theft of a laptop. We're told the laptop was "password protected" which, as we all know, is spin on "not encrypted".

"A spokesman for the trust said the laptop and database were protected with two separate passwords, making it very difficult to access. He added: 'We would like to apologise for any concern this matter has caused those patients affected and would like to reassure them that the information on the database is unlikely to be recoverable.'"


Yeah, right.

UPDATE #6 22 Feb 08: personal medical records on 3,000 patients in Bolton were dumped in landfill. Eee, it's grim up North.


UPDATE #7 Leapday: some good news at last! A laptop and CD which appear to have belonged to the Home Office have been recovered by Police after they were purchased on eBay and sent to a repair shop. Even better news is that the CD and laptop were encrypted. Police are investigating how they ended up there. The repairman should be congratulated for reporting it. As to whether Al Qaida is now moving into the laptop repair business, we can only speculate.

UPDATE #8 - the final update? With no end in sight, I'm getting bored of this blog item, so it's time to close with perhaps just a little hope for the future. I've just chanced across a Liberal Democrat's blog listing several security/privacy incidents that I've mentioned here and a few more for good measure. The blogger, Frank Little, describes himself as a semi-retired hack computer programmer. I'm not entirely sure if that's hack as in journo or hack as in hacker, but at least he has an obvious interest in the UK's data protection mess. Vote wisely at the next election!


Wednesday, December 19, 2007

UK insurance firm fined for pretexting incidents

The UK's Financial Services Authority has fined insurer Norwich Union £1.26m as a result of inadequate protection of customers' personal data:

"The City watchdog says Norwich Union's life assurance unit did not have effective systems and controls in place to protect customers' confidential information and manage financial crime risks. These failings resulted in a number of actual and attempted frauds against policyholders. Slack call centre security allowed fraudsters to use publicly available information - including names and dates of birth - to impersonate customers and obtain sensitive customer data, says the FSA. In some cases criminals were able to ask for confidential customer records, such as addresses and bank account details, to be altered. The fraudsters then used the information gleaned to request the surrender of 74 customers' policies totalling £3.3 million in 2006. The FSA says its investigation found that Norwich Union Life failed to properly assess the risks posed by financial crime and as a result, its customers were more likely to fall victim to identity theft."

The official FSA report makes interesting reading, disclosing for instance that fraudsters were using information obtained legitimately from public records held at Companies House to respond to authentication questions.

The company has since smartened up its act with better policies, procedures and (hopefully) compliance activities but I doubt that even it would claim to be immune to social engineering risks. Pretexting is a relatively cheap and easy form of attack and the juicy personal data in such databases is clearly luring fraudsters.


Wednesday, December 12, 2007

Carelessness threatens privacy

Three stories from the BBC today demonstrate, as if demonstration were necessary, that carelessness with IT storage media can easily expose the personal data of thousands of individuals to the potential of identity theft:

1. The Driver and Vehicle Agency in Northern Ireland lost 2 disks containing details of 6,000 people en route to its headquarters in Swansea.

2. Leeds Building Society mislaid personal details of 1,000 employees while moving the HR department from one floor to another.

3. A Merseyside health care trust "accidentally" sent out personal details on thousands of staff to four medical organisations bidding to supply the trust.

If the data involved had been printed out, I suspect those involved would have taken more care with the filing cabinets or boxes of paper but CD-ROMs or DVDs seem so insignificant.

Security policies, procedures and guidelines, coupled with effective security awareness activities and staff training, are obvious controls for such situations, along with encryption of anything confidential and care over the encryption keys.


Friday, December 07, 2007

Breach disclosure net widens

California State Bill 1386 was the first US bill to insist that organizations disclose to Californian citizens details of privacy breaches affecting their financial data, an idea since extended to around 40 US states.

SB1386 opened the flood gates when privacy breaches affecting millions of data subjects were disclosed. Prior to SB1386, even huge privacy incidents were successfully hushed up or downplayed by embarrassed (borderline unethical) organizations' spin doctors. SB1386 woke up an ignorant or complacent public.

The Californian law is now being extended to include privacy breaches involving medical and health insurance information under AB1298:
"AB 1298 adds two new breach-triggering data categories to the law of “health insurance information” defined as a health insurance policy or subscriber number(s), any information in an individual’s application and claims history, including any appeals records; and “medical information” including any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional."

Wednesday, November 21, 2007

One in two Brits at risk of identity theft, admits HM Government

After two CD-ROMs containing personal data on 25 million Brits from Her Majesty's Revenue and Customs office failed to arrive at the National Audit Office, questions were asked in Parliament. Yes, AFTER the event.

Both the BBC and the Grauniad report on the "gasps of astonishment" from MPs when told of the incident. Given the British tendency for understatement, this is about as close as you'll get to a public expression of outrage.

The officials who posted the CD-ROMs evidently did not "follow procedures". If the data hadn't been going to the auditors, there is a very good chance we would never have heard about this incident ... but I can't help asking whether the NAO would have created a stink if the CDs had simply turned up in the ordinary post, instead of being sent by a secure courier. I'd be willing to bet that all sorts of juicy stuff turns up in their mail and email every day, but I can't recall seeing them jumping up and down about the risk.

Whether Chancellor Alistair Darling swings for this is presumably in Her Majesty's hands. I believe the death sentence is still on the cards for treason in the UK. Now that's what I call accountability.

Thursday, October 04, 2007

Information Asset Protection guideline

ASIS International has released a guideline on protecting information assets.

"This guideline is organized into three primary sections. The first section offers a general framework and some guiding principles for developing an effective Information Assets Protection (IAP) policy within any organizational setting. The second section proposes recommended practices that may be applied in the implementation of a high-quality IAP program. The third section consists of two appendices that provide useful tools for any size organization. Appendix A consists of a Sample Policy on IAP. Appendix B is a Quick Reference Guide, a sample flow chart for assessing information protection needs that can be modified and customized to meet an organization’s needs."


The guideline recommends categorizing, classifying and valuing (or rather "valuating"!) the organization's information, such as:
● Proprietary information - customer lists, marketing plans, pricing strategies, test results etc.
● Trade secrets
● Patent information
● Copyright information
● Physical products - prototypes, models, molds, dyes and manufacturing equipment etc.
● Trademarks and service marks
● Privacy information - personal data, evaluations, credit info etc.
● Regulated information - health information, financial data, government classified etc.

It recommends technical/logical, procedural/manual and physical security controls, although technical controls such as firewalls are merely noted and not explained. Information security awareness and training however merits a specific mention in section 12.7:

"Almost invariably, security awareness and training is one of the most cost effective measures that can be employed to protect corporate and organizational information assets. This is largely due to the fact that protecting information, generally more so than any other asset, is best achieved through routine business practices that permeate every element of an organization. Therefore, where each individual entrusted with sensitive information takes prudent measures and personal responsibility for protecting those assets, a robust security environment should occur naturally."


The sample organizational policy on information asset protection in Appendix A is a decent model for a high level/overarching information security policy such as that recommended by ISO/IEC 27002 section 5.

Wednesday, September 26, 2007

Credit card numbers posted on eBay forum

Someone appears to have posted a load of personal data including credit card numbers on an eBay discussion forum, paradoxically one on trust and safety. Around 1,200 eBay users' details may have been compromised.

Why anyone would do this remains a mystery. Is it just some sort of publicity stunt, or a hacker's brag?

eBay shut down the forum and pulled the pages about an hour after being informed of the incident. There's more about the incident on an eBay blog.

"eBay spokesperson Nichola Sharpe said Tuesday afternoon that posts made on the Trust & Safety board early this morning contained name and contact information for 1,200 eBay members and called the person posting the information a "malicious fraudster." She said the incident was not the result of a security breach from eBay and could have been obtained as part of an account takeover."

It's possible that a merchant's account may have been compromised, I guess.

Tuesday, September 04, 2007

Privacy in the 21st Century

This week is the third annual Global Security Week. This year's topic is Privacy in the 21st Century. For information on GSW events, free awareness materials to download and links to further privacy resources, visit the GSW website.

There's also a GSW blog: I've just posted the following item to the GSW blog and there are contributions from supporters of GSW.

Does your organization have a policy on promptly informing those affected by privacy incidents and, where necessary, disclosing breaches to the proper authorities? If not, a privacy incident at Johns Hopkins Hospital might make you think again:
"A desktop computer containing the personal information of 5,783 patients was stolen from Johns Hopkins Hospital in mid-July, and the hospital waited more than five weeks to inform the patients or their families of the theft. The computer, taken from an "administrative work area" in a building on Johns Hopkins' main campus the night of July 15, contained patients' names, Social Security numbers, birth dates, medical histories and other personal information, according to Hopkins officials. Another computer and a projector were also stolen."

Another suggestion is to make sure your organization's contingency plans cover privacy and security incidents, giving management a blueprint to help them deal with a crisis in the most efficient and professional manner possible under the circumstances.

Thursday, July 12, 2007

The business case to protect PII

I'm impressed by a Ponemon Institute study into the business costs incurred through US data breaches involving disclosure of Personally Identifiable Information (PII). Ponemon investigated around 80 reported breaches, analyzing costs that are often hard to quantify such as customer defections. The results are fascinating: an average breach costs over $4m or ~$180 per record lost. Customer defections (and presumably a reduction in the number of new customers) are the main impact.

Incident costs within IT are negligible - the costs fall primarily on the rest of the business. In extremis, it could be said that IT doesn't care about privacy breaches. Therefore, the onus is very firmly on the rest of the business, not IT, to cost-benefit justify investment in better privacy controls. If the budget is forthcoming, I'm sure IT will happily evaluate, select and implement better privacy controls: if not, they won't. It's that easy.

This clearly demonstrates the distinction between IT security, a function sitting within IT and working on behalf of IT to secure the IT infrastructure and services, and information security, a function with responsibilities across the entire organization to protect information assets, not just technology.

Best of all, the Ponemon report provides useful data to build the business case for control improvements. Let's say we anticipate one notifiable serious data breach involving PII every 5 years, at $40m per incident that makes an average cost of $8m per year. So, controls costing up to $8m per year are justified. $8m would buy a lot - it's probably more than enough to implement whole disk encryption for laptops, for example. It's WAY more than enough to implement a security awareness program focusing on protection of PII.

Wednesday, June 27, 2007

Identity cards and all that

Thanks to Paulo, an Italian blogger talking about his attendance at The European e-Identity Conference held in Paris earlier this month, I've been browsing the conference presentations. Many concern ID cards, massive PKI systems plus the national and international interoperability issues arising.

A case study [PowerPoint presentation and PDF paper] on the national ID card scheme in Estonia ("E-stonia") has several lessons for other nations currently planning their own schemes. It is surely one of the most advanced pilots with live applications in banking, eGovernment (including online voting) and of course routine personal authentication. Mind you, I do hope that Mari-Liis Mannik is happy to see her ID card (complete with mugshot, signature, date of birth and personal code number) displayed for all to see on the WWW.

A fascinating paper (for those with an interest in ePassports and PKI anyway) reveals the authentication schemes being implemented in today's electronic passports. I particularly enjoyed the author's description of Terminal Authentication - no, that's not the final check before execution but the mechanism by which an immigration official's system "convinces" the passport to release sensitive biometric data.

Finally, there's a Carnegie Mellon University study into the privacy implications of social networking sites such as FaceBook. The study team successfully downloaded 4½ thousand FaceBook profiles from the CMU community before being locked out by the site administrators, and then proceeded to analyze the profiles. They correlated information posted on the site with that obtainable from other public sources, and interviewed members to reconcile what people say about privacy to what they actually publish. It is clear that a large proportion of individuals are uniquely identifiable through voluntarily disclosing their real names, email addresses, photographs, birthdays, home towns, schools, interests and even phone numbers. Why people choose to disclose so much in this way is not nearly so clear, though.

Saturday, June 23, 2007

Data Protection Act requires personal user IDs

DISCLAIMER: I am not a lawyer. This blog piece is based on incomplete information and hence speculation on various assumptions that may or may not be true. Still, it's an interesting case ...

The UK's Information Commissioner (IC) has released details of an undertaking affecting British mobile phone company, Orange (Orange Personal Communications Services). The issue specifically concerns Orange's practice whereby existing employees share their user IDs and passwords with new employees, presumably before their own have been set up, in contravention of principle 7 of the Data Protection Act.

Principle 7, the security principle, reads as follows:
"7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

The seventh principle is interpreted further in Part II of the Act:
"9. Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to -
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.

10. The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

11. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle -
(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
(b) take reasonable steps to ensure compliance with those measures.

12. Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless -
(a) the processing is carried out under a contract -
(i) which is made or evidenced in writing, and
(ii) under which the data processor is to act only on instructions from the data controller, and
(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle."


Possibly the IC was unable to determine which of the several people sharing an ID had infringed the Data Protection Act in some way, perhaps in a privacy incident? Equally, this action may have been taken to forestall such a situation in future.

It seems strange to me that the IC would be concerned about the internal operations of a data processor in this level of detail, especially given that neither the principle nor the explanatory notes explicitly ban the sharing of user IDs.

Sharing of user IDs is not uncommon in practice but is normally covered by a corporate policy stating that the legitimate owner of an ID must keep their ID and password private, and is personally accountable for whatever happens under their ID. In that way, even if someone shares their ID with someone else who creates a problem, the original person is held to account both for disclosing the password and for the incident that ensued. Perhaps Orange did not have such a policy in place, or perhaps it (in effect) forced employees to share their IDs with others? I can only guess. Anyway, Orange has undertaken to cease the practice and is probably busy slickening-up its security admin processes to get personal user IDs and passwords quickly to new employees.

In addition to that made by Orange, undertakings have been made by the following organizations: Littlewoods, Alliance and Leicester, Barclays Bank, Clydesdale Bank, Co-operative Bank plc, Dipesh Limited, HBOS plc, HFC Bank Limited, National Westminster Bank plc, Nationwide Building Society, Phones4U, Post Office Limited, Scarborough Building Society, The Royal Bank of Scotland plc and United National Bank Limited (and presumably others not currently listed on the IC's website).

[The preponderance of banks and financial services companies in this list arises largely from a mass enforcement action in March resulting from the disclosure of bank customers' personal details in the trash.]

Wednesday, June 20, 2007

US email searches require a search warrant

A ruling by the 6th US Circuit Court of Appeals has confirmed that email users have the same 'reasonable expectation of privacy' as they do in respect of their phone calls. A search warrant is therefore required before the Government (or indeed anyone I guess) can legitimately access and search emails stored by Internet Service Providers. Furthermore, I understand the owner of the emails must be notified and given the right to object.

"In considering the factors for a preliminary injunction, the district court reasoned that e-mails held by an ISP were roughly analogous to sealed letters, in which the sender maintains an expectation of privacy. This privacy interest requires that law enforcement officials obtain a warrant, based on a showing of probable cause, as a prerequisite to a search of the e-mails."


But remember folks, IANAL. I have no idea whether this ruling is also relevant to companies accessing employees' emails, for example.

Thumbs down for security

A professor on holiday in Madagascar lost a USB drive containing personal data on ~8,000 students, and another one stolen from a Michigan university contained info on ~3,000 students. Both incidents exposed students' names and Social Security Numbers, and could potentially lead to identity theft.

We hear about these kinds of incident because the organizations have to inform the data subjects, and word either leaks out to the media and public or they come clean through press releases.

We don't often hear about such incidents:
- in places where there is no compulsion to inform data subjects about them
- where the loss is unnoticed or goes unreported
- involving loss/disclosure of proprietary or military as opposed to personal information
- on a smaller scale, where it is not considered so newsworthy

... in other words, it's even worse than it seems. USB flash memory drives should be routinely encrypted.

Friday, June 15, 2007

Microsoft beats Google in privacy stakes

Privacy International, a pressure group on privacy issues, recently rated Google as the worst performer in a ranking of major web services companies, worse even than Microsoft. The summary report notes a catalogue of privacy concerns with the way Google operates (some of which have landed it in court facing EU action), and contrasts that with Microsoft's moves to improve its privacy stance in recent years.

The report's conclusion notes that none of the surveyed companies came out smelling of roses.
"Overall, the privacy standard of the key Internet players is appalling, with some companies demonstrating either wilful or a mindless disregard for the privacy rights of their customers. Even the better performing companies create lapses of privacy that are avoidable. With minimal effort most organizations can improve their privacy performance by at least one grade."

Thursday, June 14, 2007

Pfizer privacy breached by P2P

Compromise of a laptop PC belonging to Pfizer Inc. has exposed personal data belonging to over 15,000 employees. The breach involved unauthorized peer-to-peer software.

Two more privacy resources

Thanks to a reply to a question on the IIA's IT Audit discussion board, I have discovered two useful privacy resources.

Firstly, the IIA's Global Technology Audit Guide (GTAG) number 5 covers Managing and Auditing Privacy Risks which
"is intended to provide the chief audit executive (CAE), internal auditors, and management with insight into privacy risks that the organization should address when it collects, uses, retains, or discloses personal information. This guide provides an overview of key privacy frameworks which help to understand the basic concepts and aid in finding the right sources for more guidance regarding expectations and what works well in a variety of environments. It also covers the details on how internal auditors complete privacy assessments."

Secondly, the American Institute of Certified Public Accountants (AICPA)'s Generally Accepted Privacy Principles (GAPP) cover the following ten key privacy issues:

1. Management: the organization must define, document, communicate and assign accountability for its privacy policies and procedures.

2. Notice: the organization must provide notice about its privacy policies and procedures and identify the purpose for which personal information is collected, used, retained and disclosed.

3. Choice and consent: the organization must describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

4. Collection: the organization must collect personal information only for the purposes identified in the notice.

5. Use and retention: the organization must limit the use of personal information to the purpose identified in the notice and for which the individual has provided implicit or explicit consent.

6. Access: the organization must provide individuals with access to their personal information for review and update.

7. Disclosure to third parties: the organization must disclose personal information to third parties only for the purposes identified in the notice and only with the implicit or explicit consent of the individual.

8. Security for privacy: the organization must protect personal information against unauthorized access (both physical and logical).

9. Quality: the organization must maintain accurate, complete and relevant personal information for the purposes identified in the notice.

10. Monitoring and enforcement: the organization must monitor compliance with its privacy policies and procedures and have procedures to address privacy-related inquiries and disputes.

Anyone familiar with the EU's data protection principles will probably recognize the commonality with GAPP.

Wednesday, June 13, 2007

New privacy book

A draft of a new book on privacy (Engaging Privacy and Information Technology in a Digital Age) is available for free download from the publisher. Its 400+ pages cover everything from conceptual frameworks to privacy and related laws in the US and elsewhere. If privacy is a core topic for your organization, I'd recommend making time to go through this in depth.

Saturday, June 09, 2007

Privacy and insider threats collide in databases

A Ponemon Institute survey into database security found that:
"- Trusted insiders remain a significant, and largely unmonitored risk
- A majority of organizations do not have the technology or processes required to effectively manage against insider threat
- Due to perceived business value, many large organizations assign lower priority to the protection of customer and employee data versus intellectual property
- The vast majority of data exposed in the past two years has been confidential customer and employee information.
The survey found that “trusted” insiders’ ability to compromise critical data is the most serious concern for respondent organizations. Despite this concern, fifty-seven percent of those surveyed do not believe that their organizations have taken adequate measures to protect against malicious insiders and fifty-five percent do not believe that they have taken adequate measures to protect against “data loss.”
The survey also found that despite being aware of these threats, inadequate protection of corporate databases is the norm rather than the exception. Forty percent of those surveyed do not have the mechanisms in place, or are unaware of whether databases are monitored for suspicious activity. This shortfall can be attributed to the massive scale of corporate data stores and the lack of IT resources. Eighty-eight percent of those surveyed manage greater than one hundred databases and a majority of respondents manage in excess of 500 databases."

Although the survey was sponsored by a company with a vested interest in database security, the survey sample was large enough for the results to be statistically significant. The Ponemon Institute is a respected survey institution, for instance including notes in the report about possible biases in the respondents and responses. To a non-scientist, it may seem perverse that pointing out possible weaknesses in the method actually makes it stronger, but better that than to ignore or gloss over them.

As to what needs to be done about database security, the survey commentary merely suggests a few hints e.g.:
"Among core security and IT professionals, operational efficiencies and system optimization are consistently higher priorities than efforts related to Sarbanes-Oxley, PCI, NIST 800-53 or other similar compliance initiatives ... our results show that intellectual property and business confidential information in databases is not generally protected. Even in the face of frequent, expensive, and highly publicized breaches, respondents have not made protecting customer and employee information a high priority."

... so priorities need to be adjusted (but how?).

Perhaps Lloyds TSB has (part of) the answer?

Thursday, June 07, 2007

Privacy breach affects 100k Texan police

The personal information of "every police officer in Texas" (nearly 100,000 people) has been compromised by the theft of a laptop from a Houston company that stores sensitive records for the Texas Commission on Law Enforcement.

Well that's one way to raise police awareness about identity theft, I suppose.

Wednesday, June 06, 2007

VA privacy breach leads to significant security improvements

A decidedly up-beat Computerworld article identifies 5 significant security improvements that were spurred on, if not triggered, by the theft of a U.S. Department of Veterans Affairs laptop and external hard drive containing personal data on 26.5 million vets and active-duty military personnel:

1. A greater focus on data encryption within government
2. Stronger breach notification guidelines within agencies
3. More attention to data retention, classification and minimization
4. Stronger remote access policies
5. More authority for agency CIOs

The piece is so positive in style, it almost smacks of wishful thinking or marketing spin but even if only partly true, these are all indeed worthwhile changes, especially if they are as widespread in US Government circles as the journalist says.

It is a shame, of course, that it took a massive security breach (ex facto rather than a priori risk analysis) to prompt the changes but nevertheless this is a good example of closing the circle on an incident.

Tuesday, June 05, 2007

An everyday privacy incident (averted)

Today I was fortunate enough (lucky me! How exciting!) to be invited to participate in an online Technology Management survey, "an opportunity for IT Executives to share their opinions on the evolving role and influence of the CIO in today's corporate enterprise" being conducted by CIO Magazine, apparently. I say apparently because the survey URL in the email took me first to a page on the CXOmedia.com website (which is presumably CIO Mag's publisher) and then auto-redirected me here. That final destination is a third party, and looks like a typical market survey site. Unfortunately, that page also looks a lot like a typical phisher site, complete with CIO logo (but not other elements of the CIO mag website's standard design) and typo i.e. "The drawing is open to legal U.S. and Canadian (expect Puerto Rico and Quebec) residents".

But it's OK because, according to the email, "Your responses are completely confidential and will be used only in combination with other survey responses." So, let's find out what CIO Mag means by 'completely confidential'. One of the links on the survey page points me at CIO's privacy policy which makes fascinating reading for those who take the trouble, like for starters the unfinished sentence at the end of section 1 part 4:
"For more information about our ad-serving company or for your choices about not having this anonymous information used, please visit" [sic]

And wait, it gets worse. I quote for a bit further down section 1:
"Postal addresses, and other personally identifying information and data will be used to promote CIO and other IDG companies ‘ products and services, and may be rented and/or licensed to selected outside firms for promotional purposes. Offers for which the personally identifying information and data are rented and/or licensed for use and the users are required to target their offers carefully.

Telephone numbers of CIO print subscribers are used by CIO to collect re-qualification data and may be used by CIO, IDG and other IDG companies, affiliates and it's advertisers for promotional purposes. CIO may rent and/or license for use phone numbers to selected outside firms for promotional purposes. Offers for which the numbers are rented and/or licensed for use are required to target their offers carefully."

So, by participating in this "survey", I am opening myself up to 'carefully targeted offers' (read spam and junk mail) from third parties. Yippee. Just what I need.

Of course, I need not actually enter the survey to participate in the prize draw. According to the full rules, I can simply ...
"legibly print your name, street address, city, state, zip code, telephone number, complete e-mail address, and your full entry code URL on a 8.5” x 11” piece of paper, and fax to Claudette Sears at IDG Research Services Group, fax # 508-370-0020. Please reference “Sweepstakes Drawing – CIO Technology Management Survey” in your fax."

You know, it hardly seems worth it for the infinitesimal chance of winning a pair of headphones, not least because as an NZ resident I am not even eligible to win them. So much for their oh-so 'carefully targeted' email!

Another Google privacy concern erupts

Users of Street View, Google's new facility to get ground-level views of selected city streets, have noticed that some of the images may not be entirely appropriate for public viewing. Examples quoted in a NY Times piece include bikini-clad women, a man scaling a gate, a man entering a porn shop and readable vehicle number plates. The images were captured by cameras mounted on a car, in other words anyone who happened to be there at the time would have seen whatever was on show. The privacy issues arise from (a) not asking permission of those photographed to publish their pictures; (b) publishing the captured images on the World Wide Web; and (c) adding Google's legendary search capabilities into the mix.

For its part, Google claims to have considered the privacy implications and evidently made the decision to go ahead with the Street View project, so far at least.

This is just one of many privacy concerns raised by Google's services, and another interesting 'unintended consequence' of modern high tech. Google is at the same time both a wonderful search tool with an impressive lineup of innovative services, and a threat to those who accidentally publish sensitive things on the WWW or now step out in public in selected city streets. Google's desktop search utility was previously slammed for disclosing details of the contents of users' C: drives on the Web and the European Community is currently deeply concerned about Google's privacy policies.

Other search engines raise privacy concerns too, of course, but Google is the biggest and hence is bound to be in the firing line.

More security awareness materials on privacy in this month's NoticeBored module.

Sunday, June 03, 2007

Privacy breach for BoS mortgage customers

The Bank of Scotland has admitted that a computer disk containing personal information (names, addresses, dates of birth and mortgage account numbers) for 62,000 customers has gone missing en route by post to a credit reference agency.

BoS said that "no customer would be left out of pocket in the 'unlikely event of fraudulent activity'." Ah, so that's OK then.

Read about our latest awareness module on privacy and data protection

Friday, June 01, 2007

Student SSNs exposed at University of Colorado

In yet another SSN-related privacy breach last month, a worm exploited an unpatched bug in Symantec's antivirus software to infect a University of Colorado server, potentially exposing SSNs and other personal information on ~45,000 students.

Privacy breach affects 25,000 DOT employees

A security breach on a server at the end of May created a privacy incident, exposing the names and Social Security Numbers of ~25,000 North Carolina Department of Transportation employees and contractors. Based on information in the press, I presume the server was used to record employee ID badges - most likely a database system used by physical security people I guess.

People who used their employee identification number instead of their Social Security number are not at risk.

Social Security Numbers are convenient personal identifiers for American citizens since they are more nearly unique than full names. However, SSNs are supposedly secret numbers (like credit card numbers), so systems and processes should avoid using them unless it is essential (i.e. for social security-related purposes). Systems that have to use SSNs for some reason need appropriate security measures, including strong system and data access controls with encryption.

US public bodies have been known to post official documents containing SSNs online.

It seems to me the real problem with SSNs is their use for authentication as well as identification of individuals. Biometrics would make much better authenticators, and we'll be covering biometrics in next month's NoticeBored security awareness module. Watch this space.
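The two preceding points, that systems such as a badge database should not hold SSNs unless essential and that an SSN is a poor authenticator, can be illustrated in code. The following is an added example, not code from NoticeBored, the NC DOT or any real badge system: it derives a keyed pseudonym from the SSN so that a registry can still match a person by SSN without storing the number, keeps only a masked form for display, and contrasts this with an unkeyed hash, which an attacker holding the table can reverse by enumeration. The key, the employee-ID scheme and the sample records are constructed for the example.

```python
"""Keeping SSNs out of systems that only need an identifier (added example)."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Per-deployment secret held in a key store, never alongside the pseudonyms.
# Constructed here so the example runs stand-alone.
PSEUDONYM_KEY = secrets.token_bytes(32)

# NNN-NN-NNNN, excluding area/group/serial values that are never issued.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}$")


def is_plausible_ssn(ssn: str) -> bool:
    """Syntactic check only; it says nothing about whether the SSN exists."""
    return bool(SSN_RE.match(ssn))


def pseudonymize(ssn: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way identifier for an SSN.

    An unkeyed SHA-256 of an SSN is no protection: there are fewer than a
    billion possible SSNs, so anyone holding the hash table can hash every
    candidate and recover the originals. HMAC with a separately stored key
    makes the table useless on its own.
    """
    if not is_plausible_ssn(ssn):
        raise ValueError("not an SSN-shaped value")
    digits = ssn.replace("-", "").encode()
    return hmac.new(key, digits, hashlib.sha256).hexdigest()


def mask(ssn: str) -> str:
    """Display form for screens, reports and logs: last four digits only."""
    if not is_plausible_ssn(ssn):
        raise ValueError("not an SSN-shaped value")
    return "***-**-" + ssn[-4:]


@dataclass(frozen=True)
class BadgeRecord:
    employee_id: str
    name: str
    ssn_display: str  # masked; the raw SSN is never stored in the registry


class BadgeRegistry:
    """Badge database that can match a person by SSN without holding SSNs."""

    def __init__(self, key: bytes = PSEUDONYM_KEY) -> None:
        self._key = key
        self._by_pseudonym: Dict[str, BadgeRecord] = {}

    def register(self, ssn: str, name: str) -> BadgeRecord:
        # Constructed employee-ID scheme: the ID, not the SSN, goes on the badge.
        employee_id = f"EMP{len(self._by_pseudonym) + 1:05d}"
        record = BadgeRecord(employee_id, name, mask(ssn))
        self._by_pseudonym[pseudonymize(ssn, self._key)] = record
        return record

    def find_by_ssn(self, ssn: str) -> Optional[BadgeRecord]:
        """Match by SSN at enrolment or reconciliation time; the SSN itself
        is discarded as soon as the pseudonym has been computed."""
        return self._by_pseudonym.get(pseudonymize(ssn, self._key))


def unkeyed_hash(ssn: str) -> str:
    """The weak alternative, shown for contrast only."""
    return hashlib.sha256(ssn.replace("-", "").encode()).hexdigest()


def recover_from_unkeyed(target_hex: str, known_area_group: str) -> Optional[str]:
    """Why the unkeyed scheme fails: once the area and group digits are
    known, only 10**4 serial numbers remain to try. Even the full space is
    under 10**9 hashes, which is a few minutes of work on ordinary hardware."""
    for serial in range(10_000):
        candidate = f"{known_area_group}-{serial:04d}"
        if unkeyed_hash(candidate) == target_hex:
            return candidate
    return None


if __name__ == "__main__":
    registry = BadgeRegistry()
    rec = registry.register("123-45-6789", "A. Example")  # constructed record
    print(rec)                                  # shows EMP00001 and ***-**-6789
    print(registry.find_by_ssn("123-45-6789"))  # same record, no SSN stored
    print(recover_from_unkeyed(unkeyed_hash("123-45-6789"), "123-45"))
```

The registry answers the physical-security team's only real question (which badge holder is this?) while holding nothing an identity thief could use, and losing the HMAC key merely means re-enrolling people, not a breach. Using the SSN as a password, as the post criticises, would defeat all of this, since the "secret" is the very value every other system already holds.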

Privacy and data protection awareness

The latest NoticeBored security awareness module is out, covering privacy risks and data protection controls. This is a topic that concerns us all as individuals and affects all organizations, making it a good security awareness topic.

Read all about the latest module on the NoticeBored website.

Friday, March 23, 2007

Pop it in the post

How does Torbay Council in sleepy Devonshire, England, send confidential information about council workers (names, addresses, salary, banking details - that sort of thing) to the auditors? Why, they simply cut a CD and pop it in an envelope ... and when the first one goes missing in the post, they do it again, and that one also goes missing in action.

More links on keeping secrets

Tuesday, March 13, 2007

Don't worry, the government is in charge

The Daily Mail is reporting that the British government is cooking up a cunning plan to sell personal data from the national identity card scheme to 'banks and other businesses' at 60p a pop. Please form an orderly queue. The idea is to offset the ID card scheme costs with some income. How very entrepreneurial of them. How very New Labour.

I assume the government has taken the privacy and legal implications fully into account. Presumably the system is perfectly secure. Presumably it has an opt-out field for those crazy Brits who are less than enamoured of the idea. Presumably the Data Protection Registrar is right behind the government on this one. Presumably there's no conflict with the Data Protection Act and Human Rights Act. Presumably squadrons of pigs are flying over parliament ...

More privacy/data protection and identity theft links

Wednesday, February 07, 2007

Personal data stolen by the database-load

Here are just two of this week's stories about the theft of IT systems holding unencrypted databases of personal data.

Firstly, the US Department of Veterans Affairs ("the VA") has reported that a portable hard drive containing personal data on vets is lost, presumed stolen. A laptop computer containing the social security numbers of 26.5 million veterans was stolen from a VA official's home last May and another computer containing personal information on up to 38,000 veterans went missing last August. The VA is belatedly installing encryption software on its laptops at least, if not also its portable drives and desktops.

Secondly, a US accountant's stolen PC contained details of 800 clients for whom she had prepared tax returns. The thieves appear to have targeted the PC specifically, since they left behind cash and checks.

More database security links

Friday, February 02, 2007

Background checks using online databases

"More and more government agencies post public records online, making a startling amount of information available. With a little amateur sleuthing, you can peek into the backgrounds of the people you let into your life -- a nanny or housekeeper, an online acquaintance, a potential business partner -- and be reasonably satisfied they're not predators or crooks." The Seattle Times piece It's never been easier to be your own detective goes on to explain how easy it is to conduct background checks online, whether using do-it-yourself web search techniques or paying a few dollars for others to check on your behalf. While most database records are legitimately placed in the public domain in this fashion, it is equally possible that supposedly private databases could be hacked and end up on underground websites somewhere. The article also makes the point that you cannot necessarily trust everything you read online. Quite apart from the possibility of finding information about someone else with similar details to the person you are checking, the information available online is only as good as that stored in the database.

More database security and privacy links

Thursday, January 04, 2007

Outsourcing in India

We all know about the off-shore call centres in places like India and Indonesia, but there's more to outsourcing than call-centre operations. A fascinating article in Bank Technology News paints a beautifully clear picture of IT outsourcing in India, particularly the islands of investment awash in a sea of poverty.

It's easy for us Westerners to overlook the cultural differences and make false assumptions about India, especially if we have never visited that part of the world. Outsourcing may be a massive earner for India and is still growing strongly but the local infrastructure is creaking under enormous strain. The caste system survives, meaning inherent inequalities. India has over a billion citizens, half of them under 25, and an average wage of just US$3,300 per year. Whereas two thirds of the population survives on less than a dollar a day, highly-trained IT specialists earn well and are in short supply. High IT staff turnover creates its own security issues.

The article specifically calls out the information security and privacy concerns in India. "... background checks of personnel remains a nagging concern. No central criminal databases exist and credit agencies remain relatively new, so any background checks must be done in person, which is often invasive. "Sometimes they'll just ride around the [potential employee's] neighborhood and talk to the constable," says Crosby. "None of this stuff is documented."

"... the Indian Information Technology Act of 2002 makes cyber crimes a federal offense, enforceable by India's Central Bureau of Investigation. The CBI established the Cyber Crime Investigation Cell in March 2002 to patrol such crimes, including a crime lab to train investigators. Parliament is now debating an amendment to the act, already approved by the Cabinet, that would make fines and jail time more stringent for those convicted of IT privacy crimes."

Indian data centers are reasonably secure according to those who have inspected the facilities. "... most outsourcers are compliant and certified for BS779 and ISO17799 controls, the two U.S. best-practice controls for information security, which have now become internationally recognized." [Some artistic license there by the journalist: British Standard BS 7799 became ISO standard ISO/IEC 17799, neither of which is American!]

More privacy and information security management links

Wednesday, December 06, 2006

The dangers of social networking

Here’s a short security awareness video (low or high resolution) and article from the University of Delaware about the dangers of revealing too much information on ‘social networking’ sites such as MySpace, Friendster or FaceBook.
More social engineering and privacy links

Tuesday, November 28, 2006

Data protection in Japan

In Japan, "More than 71 percent of people worry their personal information will be leaked as a result of inadequate security measures, according to a recent government survey." The article summarizes an opinion survey regarding awareness of and support for Japan's data protection laws introduced last year. Judging by the large number of Japanese companies already certified against ISO 27001, Japan is taking information security very seriously but the Japanese populace is not yet comfortable.
More links on ISO 27001 and data protection

Wednesday, October 11, 2006

Litany of privacy breach incidents

In similar fashion to the chronology of privacy breaches maintained by the Privacy Rights Clearinghouse, a table of privacy breaches in 2006 tells several stories. For a start, it's already 19 pages long after three quarters of a year. Secondly, the breaches reflect a variety of security threats (e.g. accidental disclosure, hacks, Trojans, theft of equipment/media from offices/homes/cars or in transit), vulnerabilities (e.g. no encryption, inadequate logical or physical access controls, careless disposal of information) and impacts (e.g. public disclosure of the breaches, thefts, around 50 million victims' personal details compromised/exposed to fraud) at all sorts of organizations. Thirdly, virtually all of the incidents have had to be publicly disclosed under California State Bill 1386 (presumably a similar level of privacy incidents occurs elsewhere, outside the remit of SB1386). Finally, the authors of the table have identified the ISO 27001 controls that appear to have been missing or inadequate in each case (sections 7 through 11 feature prominently).
More incident management and privacy links

Friday, August 25, 2006

Australian privacy breach

Around 100 staff have resigned, 19 have been sacked and around 350 have been disciplined as a result of a two-year investigation into their unauthorized use of database facilities at Centrelink, the Australian federal government's social security and welfare agency. Centrelink staff therefore have access to a wide range of personal information. Five cases were serious enough to be referred to the federal police. It is reported that spyware was used to track staff use of the systems. A Centrelink general manager said "It was done for a whole range of reasons - from just sticky-beaking, through to at the more serious end of records actually being changed ... What this shows is that we have zero tolerance for any people who have surfed the details of the family and friends or peeked at records of their neighbours in our system." This statement fails to acknowledge the potential for abusing such wide-ranging access to personal data in order to commit identity theft.
More identity theft resources

Wednesday, April 12, 2006

Safe browsing at Internet cafes

Microsoft's advice on Strong passwords: How to create and use them recommends "Do not type passwords on computers that you do not control. Computers such as those in Internet cafes, computer labs, shared systems, kiosk systems, conferences, and airport lounges should be considered unsafe for any personal use other than anonymous Internet browsing. Do not use these computers to check online e-mail, chat rooms, bank balances, business mail, or any other account that requires a user name and password. Criminals can purchase keystroke logging devices for very little money and they take only a few moments to install. These devices let malicious users harvest all the information typed on a computer from across the Internet - your passwords and pass phrases are worth as much as the information that they protect."
Sound advice. You need to balance the convenience of web access whilst waiting for your coffee, plane or train, against the inconvenience of having your identity stolen and your bank accounts cleaned out.
More links on keeping secrets

Monday, April 10, 2006

54m Americans' privacy breached

A paper from the Privacy Rights Clearinghouse giving A Chronology of Data Breaches Since the ChoicePoint Incident identifies that the privacy of well over 54 million Americans has been compromised since February 2005. The list of more than 150 reported incidents (meaning an average of around three per week) is an eye opener for anyone who thinks this is not a risk.
More confidentiality and privacy resources

Sunday, April 02, 2006

Keeping secrets

It's no secret that the latest NoticeBored awareness module covers confidentiality, privacy and related matters. NoticeBored customers receive posters, briefing papers, presentations, mind maps, awareness surveys, puzzles, checklists and newsletters on this important topic: the newsletter is also available separately as a PDF free of charge to anyone who cares about information security.
Sign up for the newsletter.

Monday, September 12, 2005

Microsoft antiphishing proposal raises privacy concerns

Microsoft is reportedly on the verge of releasing an optional utility to track the websites users visit and compare them against a blacklist of phisher sites. Maybe this would work if the blacklist is reliable (no false positives and few false negatives), but the downside is that (for some reason I can’t quite fathom) Microsoft plans to gather details of users’ surfing habits, raising privacy concerns.
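The privacy downside described above is not inherent in blacklist checking: a client can test a site against a remote list without telling the list operator which sites it visits. The following is an added example, not Microsoft's design and not code from the original post. It contrasts a naive lookup, where the client sends the visited URL, with a hash-prefix lookup, where the client sends only the first few bytes of a hash of the host name, receives every full hash sharing that prefix, and decides the match locally. The hostnames in BLACKLIST and the PREFIX_BYTES setting are constructed assumptions.

```python
"""Blacklist lookup with and without revealing browsing habits (added example)."""
import hashlib
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Constructed blacklist of reserved .test names; a real list holds millions.
BLACKLIST: Set[str] = {
    "phish-example.test",
    "login-bank-example.test",
    "update-account-example.test",
}
PREFIX_BYTES = 2  # assumed tuning: how much of the 32-byte hash the client reveals


def canonical_host(url: str) -> str:
    """Reduce a URL to the lower-case host name the list is keyed on.
    Path and query string never leave the client in the private design."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def host_hash(host: str) -> bytes:
    return hashlib.sha256(host.encode()).digest()


class BlacklistServer:
    """The list operator. It records what each query reveals (`seen`) so the
    two client designs below can be compared on exactly that point."""

    def __init__(self, hosts: Set[str]) -> None:
        self._hosts = set(hosts)
        self._buckets: Dict[bytes, List[bytes]] = {}
        for h in hosts:
            full = host_hash(h)
            self._buckets.setdefault(full[:PREFIX_BYTES], []).append(full)
        self.seen: List[str] = []

    def lookup_full_url(self, url: str) -> bool:
        """Naive design: the operator learns the whole URL, hence the user's
        surfing habits, whether or not the site is on the list."""
        self.seen.append(url)
        return canonical_host(url) in self._hosts

    def lookup_prefix(self, prefix: bytes) -> List[bytes]:
        """Privacy-preserving design: the operator learns only a short hash
        prefix shared by many unrelated hosts, and returns the bucket."""
        self.seen.append(prefix.hex())
        return list(self._buckets.get(prefix, []))


def is_blocked_naive(server: BlacklistServer, url: str) -> bool:
    return server.lookup_full_url(url)


def is_blocked_private(server: BlacklistServer, url: str) -> bool:
    """Client side of the hash-prefix scheme: send the prefix, match locally."""
    full = host_hash(canonical_host(url))
    return full in server.lookup_prefix(full[:PREFIX_BYTES])


if __name__ == "__main__":
    server = BlacklistServer(BLACKLIST)
    for url in ("http://Phish-Example.test/login?user=me", "https://example.test/"):
        print(url, "blocked" if is_blocked_private(server, url) else "ok")
    print("operator saw only:", server.seen)  # two 4-hex-digit prefixes
```

With a two-byte prefix there are only 65,536 buckets, so each query tells the operator nothing more than that the user visited one of the very many hosts hashing to that prefix; the false-positive and false-negative properties of the list itself are unchanged, because the client still compares full hashes. The residual leak can be reduced further by caching the list locally and querying only on cache misses.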
More authentication resources

Tuesday, July 26, 2005

An upside to privacy breaches?

An editorial in Chief Marketing Officer Magazine hints at a possible upside to recent privacy breaches splattered across the press. "Privacy activists are up in arms over ChoicePoint and other high-profile security breaches at institutions such as Bank of America, DSW and CardSystems, where 40 million credit card accounts from Visa, MasterCard and other card issuers may have been compromised. Legislation to tackle growing worries over credit report information, data breach disclosures and spyware is in the political pipeline. Wary consumers are increasingly reluctant to share personal information with marketers." Well OK, maybe calling it an 'upside' is a bit cynical, but if the general public are more security aware, we're happy :-)
More anti-hacking resources

Monday, May 30, 2005

Trojan used for industrial espionage

A handful of well known companies are caught up in a scandal over the use of a Trojan horse program for industrial espionage against selected targets. The story is rather sketchy at present, but it appears that police discovered the plot following a lead from an Israeli author whose London-based former son-in-law is accused of disclosing parts of a book he was writing. The existence of the Trojan is evidently not in dispute, along with the fact that it was distributed on a 'promotional CD'. The Trojan's author, however, claims that it is legal and that it is 'not his fault' if it was misused for illegal/unethical purposes.
More malware and privacy links

Thursday, May 05, 2005

More backup tapes missing

There seems to have been a rash of security incidents involving the loss of backup tapes lately. Computerworld is now reporting that Time Warner lost an entire shipment of data backups en route to its off-site storage. The Register outlined a handful of similar incidents, pointing out that identity thieves would love to get their hands on backup tapes containing credit card numbers and other personal details, especially as so few are encrypted.
More risk management, physical security, privacy and confidentiality links

Thursday, April 28, 2005

Benefits and risks of free email services

US-CERT Cyber Security Tip ST05-009 outlines the pros and cons of free web-based email accounts such as Yahoo, Hotmail and gmail. Three primary risks are identified: "security" (meaning confidentiality through SSL), privacy (confidentiality of personal and commercial information) and reliability (service availability).
More email security resources

Thursday, April 14, 2005

Privacy when browsing the Web

US-CERT's latest cyber security tip discusses privacy concerns as we browse the Web. Most browsers disclose information about the systems they run on simply by visiting websites. The tip concludes with three straightforward actions to limit our exposure. It is well worthwhile signing up for the cyber security tips and related materials from CERT, whether you are simply a computer user or run a security awareness program. Author Mindi McDowell and colleagues are doing a great job.
More confidentiality and privacy resources

Wednesday, March 30, 2005

Distributed brute-force attacks

The US Secret Service uses a network of 4,000 computers for brute-force attacks on encrypted forensic evidence obtained from target systems, using plaintext snippets and information from the user's browsed websites as cribs or clues to possible passwords. The system is reminiscent of the DES cracker built in 1999 by the Electronic Frontier Foundation, but uses spare cycles on desktop PCs like the SETI@home project.
More confidentiality links here

Monday, March 28, 2005

NIST guide to HIPAA security

NIST Special Publication 800-66 is "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule". 'Nuff said.
More privacy/data protection and confidentiality resources
