I read with interest the story about stealing data easily using iPods with a tool a security guy created. I received a 60 GB iPod for Christmas; I can certainly see how an organization’s most valuable and sensitive data could be slurped out without any knowledge of the company. I did an information check of a few of my security practitioner buddies at some very large multinational organizations. One thought all the USB ports on the desktop computers had been removed, but she did a quick check…of the desktops being used by the contracted staff…and found they ALL had active USB ports on them. Supposedly the tool the security guy created is not designed to download actual files, only report how many it found. However, how trivial would it be for an IT dude to write a simple script to find and download the files? I’ve accidentally copied files into my iTunes before, and it recognized them with the extensions renamed to look like MPEG files. Hmm…
Archive for February, 2006
In this podcast I explain the purpose and goals for making this a valuable, independent site to allow information security, privacy and compliance professionals in all sectors to share and communicate about the issues and news that impact our efforts.
Are those of you with offices in the EU aware that there is now a new data retention directive to follow? It adds on top of all the other data retention requirements that already exist. The huge challenge I’ve found many organizations struggling with is how to deal with conflicting retention requirements.
I urge you to read this regulation if you have any customers or offices within any of the EU countries. You’ll need to read the entire document to get the full effect, but the following excerpt is of particular interest:
Categories of data to be retained
1. Member States shall ensure that the following categories of data are retained under this
(a) data necessary to trace and identify the source of a communication:
(1) concerning fixed network telephony and mobile telephony:
(i) the calling telephone number;
(ii) the name and address of the subscriber or registered user;
(2) concerning Internet access, Internet e-mail and Internet telephony:
(i) the user ID(s) allocated;
(ii) the user ID and telephone number allocated to any communication entering the public telephone network;
(iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication;
(b) data necessary to identify the destination of a communication:
(1) concerning fixed network telephony and mobile telephony:
(i) the number(s) dialled (the telephone number(s) called), and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed;
(ii) the name(s) and address(es) of the subscriber(s) or registered user(s);
(2) concerning Internet e-mail and Internet telephony:
(i) the user ID or telephone number of the intended recipient(s) of an Internet telephony call;
(ii) the name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication;
(c) data necessary to identify the date, time and duration of a communication:
(1) concerning fixed network telephony and mobile telephony, the date and time of the start and end of the communication;
(2) concerning Internet access, Internet e-mail and Internet telephony:
(i) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;
(ii) the date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone;
(d) data necessary to identify the type of communication:
(1) concerning fixed network telephony and mobile telephony: the telephone service used;
(2) concerning Internet e-mail and Internet telephony: the Internet service used;
(e) data necessary to identify users’ communication equipment or what purports to be their equipment:
(1) concerning fixed network telephony, the calling and called telephone numbers;
(2) concerning mobile telephony:
(i) the calling and called telephone numbers;
(ii) the International Mobile Subscriber Identity (IMSI) of the calling party;
(iii) the International Mobile Equipment Identity (IMEI) of the calling party;
(iv) the IMSI of the called party;
(v) the IMEI of the called party;
(vi) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the location label (Cell ID) from which the service was activated;
(3) concerning Internet access, Internet e-mail and Internet telephony:
(i) the calling telephone number for dial-up access;
(ii) the digital subscriber line (DSL) or other end point of the originator of the communication;
(f) data necessary to identify the location of mobile communication equipment:
(1) the location label (Cell ID) at the start of the communication;
(2) data identifying the geographic location of cells by reference to their location labels (Cell ID) during the period for which communications data are retained.
2. No data revealing the content of the communication may be retained pursuant to this Directive.
Periods of retention
Member States shall ensure that the categories of data specified in Article 5 are retained for periods of not less than six months and not more than two years from the date of the communication.
And the directive continues on with the data protection, data security, and other requirements.
Folks, what are you doing to get your arms around data retention issues? I see this as a sleeping giant that will emerge sometime soon to surprise and bonk on the head a great many compliance, info sec and privacy officers. A few forward-looking organizations have established well-defined and effective data retention teams. Be sure if you have one that you let them know about this new regulation…just in case they have not kept up with the international laws. If you don’t have a dedicated data retention function, then start planning for how you will address the multitude of data retention requirements!
I’m really glad to see Google standing their ground on refusing to submit the details of two months of search data to the DOJ. I certainly support efforts to crack down on child porn…of course! I want those scumbags put away for life somewhere even half as hideous as their twisted, demented, sordid actions. However, is this the best way to do it? Will it even yield any leads? Aren’t other methods available for the DOJ to pursue? Don’t other methods make more sense? This type of activity, considering everyone within the wide net which is cast around all types of Internet searches, reminds me of a similar type of effort in Iowa a few years ago; law enforcement attempted to solve the incredibly sad, shocking and deplorable discovery of a newborn infant’s body by requiring all hospitals and clinics within a certain area to turn over records of all women who had been pregnant within a certain range of time so they could question all these women to determine which of them had committed the horrendous crime. The intent is noble in both cases, but the probability that these invasive measures will find the targeted perpetrators is very remote, and these actions completely dismiss the associated privacy impacts, and potential and likely damages, to those whose information is being sifted through en masse. Remember, when you cast a wide net, a great many other fish get caught and get thrown away that weren’t the target of the expedition; however, those unintended catches certainly pay the ultimate price for what may have been a noble effort by others.
And what will the DOJ do with all this search information? Decide, perhaps, that while they have it they might as well see what everyone else is Googling for…and then flag people making what they determine as questionable searches? It will be interesting to see how the Google case progresses.
I found it very interesting that one of my alma maters, the University of Northern Iowa, reported potential identity theft because, from what the news reported, a "virus" was discovered on one of their laptops containing personal information about 6,000 of their employees. When discussing privacy breaches it seems that there is a very wide range of definitions for what constitutes a privacy breach. This is the first time I’ve seen a virus infecting a laptop being considered a privacy breach. Perhaps there is something I’m missing…so I checked other sources. The Des Moines NBC television station reported that the laptop computer was "illegally accessed." The ABC affiliate in Cedar Falls reported even fewer details. Radio Iowa reported a few more details, indicating "…a fire in November in the Cedar Falls school’s business building contributed to the breach in computer security…the laptop computer was purchased the day before the fire and since the fire, the business office has been moved twice…" It also indicated a "bot" was discovered on the computer, which is why they reported the incident as a privacy breach. It would be interesting to do a little digging to see what types of information these bots have already collected, and what the potential is for them.
Email retention…is it easier to delete important information and pay fines than it is to figure out how to control the content people put within email messages?
Tuesday, February 14th, 2006
There continues to be more news made about businesses and their email retention practices. Today it was reported that Morgan Stanley proposed paying a $15 million fine as a result of the firm not appropriately or adequately retaining emails. Other fines have been in the news as well. Considering the hugely expanding amount of email messages being sent and used each day for business…do we all really need a darned Blackberry with us 24/7?…companies really do need to re-examine their policies regarding the use of email for business. If it is not properly addressed, it could result in huge fines or even jail time, depending upon the information personnel put within the messages.
I have been interested for several years in the impact of security incidents and privacy breaches on business. The Ponemon Institute has done quite a bit of research on privacy, and last year did one study specific to business impact. Over the years I’ve created my own business impact tool based upon my research and work with several different companies who have experienced breaches; it contains even more types of costs that the companies experienced than the Ponemon research identified. It would be interesting for the insurance companies that businesses use for their own liability and E&O insurance to keep track of these numbers. Such information would not only provide a good basis for keeping track of incidents more accurately than the current hit-or-miss subjective surveys and guessing, but it could also form the basis for some nice actuarial tables to apply within cybersecurity insurance.
I’ve been hearing a lot over the past year about trusted insiders…or formerly trusted insiders…doing bad things to their employers, ex-employers, the customers, and so on. The latest I’ve heard about is the Honeywell ex-employee who the company says posted sensitive information about 19,000 of the company’s U.S. employees. When I read about these types of incidents, I wonder, why did one person have access to all the information on all these people? If the person truly needed it, why weren’t there compensating controls to monitor what a person with such trust and access did with this data? The story reported, "In the court filings, Honeywell claimed that Nugent ‘intentionally exceeded authorized access to a Honeywell computer,’ but the integrity of Honeywell’s computer systems was not compromised, Ferris said." So, was this employee a systems administrator?
Companies must realize, after hundreds of frauds and incidents over the years, that information is most vulnerable to those in trust. Just look at the yearly CERT/Secret Service Study. Why does it always seem that most companies do not want to appropriately or adequately safeguard information until something bad happens? Why are business leaders so willing to gamble that something bad will not happen within their organization? Surely they do not take the same gambles with the other parts of their business…or do they?
Today it was widely reported that the Boston Globe and Worcester Telegram & Gazette inadvertently distributed credit and bank card numbers of as many as 240,000 subscribers with bundles of T&G newspapers on Sunday. (See http://www.boston.com/business/articles/2006/02/01/subscriber_credit_data_distributed_by_mistake/ for one story on this.)
I don’t know much about the mechanics of a newspaper printing press, but when I went on a tour of one (admittedly more years ago than I’m going to admit) the way the paper was printed was completely separate from the computer systems and customer databases. Yes, I’m probably living in the dark ages, and probably modern news publication advancements now allow for direct printing of the paper with just a press of a computer keyboard button, but I’m still trying to figure out how what sounds like a subscriber database listing got printed with the Sunday funnies! Is it as simple as a lack of access controls? Lack of separation of duties?
It reinforces in my mind the need to encrypt personally identifiable information (PII) in storage. If the database *HAD* been encrypted, then would just some hieroglyphic-looking pages have been bundled with the Sunday news?