Archive for September, 2006

More on Airport Security and Computer Insecurities

Monday, September 4th, 2006

Today Silicon.com reported some interesting statistics about the increased number of computers being found in  the UK now that those airports do not allow for electronics basically of any kind to be taken onboard.

Heathrow reportedly obtains an average of 120 laptops monthly from travellers who misplaced them, and around 15 go unclaimed, ending up at auction.

The story makes a good point about how it seems travellers just assume that their laptop was stolen, so they don’t even check with the airport’s or airlines’ lost and found to see if their computer is indeed within the custody of the airline management.

From the report, "Research out last week suggested 40 per cent of all electronic devices lost at UK airports go unclaimed, with mobile phones more likely to be left unclaimed than laptops and PDAs."

A good lesson for travellers in and through countries with the onboard electronics restriction:  If your computer, cell phone, PDA, etc. goes missing, check with the airport security or lost and found department.  If you’re lucky it may be there.  If you’re even luckier none of the data on it will have been compromised.

Just one more reason to encrypt sensitive and personally identifiable information (PII) on mobile computing devices, to use boot and login passwords, and to use tracking labels and services, such as StuffBak, 4found, IMFound, STOP, Huzizit, or Yellowtag.

Technorati Tags








More on Airport Security and Computer Insecurities

Monday, September 4th, 2006

Today Silicon.com reported some interesting statistics about the increased number of computers being found in  the UK now that those airports do not allow for electronics basically of any kind to be taken onboard.

Heathrow reportedly obtains an average of 120 laptops monthly from travellers who misplaced them, and around 15 go unclaimed, ending up at auction.

The story makes a good point about how it seems travellers just assume that their laptop was stolen, so they don’t even check with the airport’s or airlines’ lost and found to see if their computer is indeed within the custody of the airline management.

From the report, "Research out last week suggested 40 per cent of all electronic devices lost at UK airports go unclaimed, with mobile phones more likely to be left unclaimed than laptops and PDAs."

A good lesson for travellers in and through countries with the onboard electronics restriction:  If your computer, cell phone, PDA, etc. goes missing, check with the airport security or lost and found department.  If you’re lucky it may be there.  If you’re even luckier none of the data on it will have been compromised.

Just one more reason to encrypt sensitive and personally identifiable information (PII) on mobile computing devices, to use boot and login passwords, and to use tracking labels and services, such as StuffBak, 4found, IMFound, STOP, Huzizit, or Yellowtag.

Technorati Tags








Identity Fraud Study From the AARP: Use It for Your Awareness Efforts

Saturday, September 2nd, 2006

Yesterday (9/1) the AARP announced a new report they commissioned, "Into the Breach: Security Breaches and Identity Theft."  They provided links to the full report, but unfortunately they do not work!

The press release sounds interesting, though.  A few of the excerpts:

"A new report from the AARP Public Policy Institute (PPI) states that from January of 2005 through May of 2006, 89.8 million Americans were potentially exposed to identity theft as a result of security breaches involving sensitive personal information. As security breaches at high profile institutions have made the public aware of the seriousness of this problem and more concerned about the safety of their personal information, PPI has analyzed the kinds of institutions most often experienced by security breaches and also the most common ways used to gain sensitive personal information.

The report, "Into the Breach: Security Breaches and Identity Theft," closely examined 244 publicly disclosed security breaches that took place from January 1, 2005 through May 26, 2006. It found that educational institutions were more than twice as likely to report a breach as healthcare organizations, financial services companies, corporations, and government agencies.

The report found that 40 percent of the publicly disclosed security breach incidents were caused by hackers or insider access specifically targeting sensitive personal information. Breaches caused by hackers or insider access put the personal information of 50 million individuals (making up 56 percent of all breach victims) at risk of identity theft."

"The report notes that of all the ways used to improperly gain or display personal information, 30% are the result of breaches from the inside."

I wish I could see the full report!  I always like to see what they pick out of the full report to put into the press release.

Something interesting is the finding of the tendency for educational institutions to be more likely to report a breach as opposed to other types of industries.  Considering all the other industry specific data protection laws for such industries as the financial and healthcare, and even more considering that there are at least 33 state level breach notification laws, many of which apply to all types of organizations.  Of course, the study looked back from January 1, 2005, and most of the state level notification laws have gone into effect after that date by several months or even over a year later.

I found one of the statements a little confusing though; 40% of incidents were "caused by hackers or insider access specifically targeting sensitive personal information."  Insiders with authorized access are a very different type of threat than hackers from the outside.  It would have been good to break those two demographics apart.  However, probably the gist of this statement is that the personal information was specifically targetted.  A June 2005 New York Times article reports criminals can get paid $100 for each individual’s personal information.  When you look at how many thousands, and even millions, of individuals’ data are often on stolen computers and within compromised databases that amount of crime profit is quite significant.  Certainly motivation to target such information.

30% of the incidents occurring from the inside is not surprising; actually a little low from what I’d expect.  However, even though the inside threat is nothing new, these types of studies and help to validate the insider threat to business leaders and demonstrate the need for strong information security controls and procedures not only just for preventing access into the network, but also within the network perimeter and for everyone using the network.

The AARP report is timely considering the theme of Global Security Week is identity theft; this is a report you can use and reference within your awareness messages.  In fact, one of the activities going on next week in Texas is a series of presentations to customers at different locations of a grocery store chain by Melissa Guenther .  This particular chain reportedly has a very large percentage of retired folks who are customers, so using this study should resonate with them.

Technorati Tags








Interesting University Paper: “Privacy as an Operating System Service”

Friday, September 1st, 2006

Periodically I check for research papers posted on university sites about information security, privacy and compliance.  They often contain great ideas, are a wonderful source of research references, stimulate further thinking, and often contain some interesting and forward-thinking proposals that you do not hear about from vendors or practitioners.

Today I ran across a paper posted on the Columbia University site in July of this year, "Privacy as an Operating System Service" by Sotiris Ioannidis, Stelios Sidiroglou, and Angelos D. Keromytis.  There were some intriguing ideas within discussing how to implement pervasive privacy services into the personal computer operating systems typically the majority of non-technical folks use.

I think it is interesting to think of "privacy," what I view as a goal, state or right in some situations, as part of a technical operating system service.  Certainly there are many technical privacy services out there right now, such as with P3P.  Viewing privacy from the strictly technical aspect, then, privacy baked into the operating system is a wonderful goal.  I’ve written often about the need to incorporate privacy and information security into applications and systems, so this is a nice demonstation of a discussion about how to do that within a personal computer OS.  Okay…now to look at a few of the points within the paper and provide a few thoughts…

The concept of removing personally identifiable information (PII) through the OS is quite interesting.  There are a growing number of vendor products out there right now that are attempting this, and most (if not all) have some very big challenges in thoroughly accomplishing this task.

They provide a good list of challenges with implementing privacy within the OS, as follows:

  • "Protocol Spanning: The operating system must have knowledge of the data and meta-data representation of applications. It needs to use this information to
    sanitize private information for each application in the system, or at least for those applications that the user has specified. For example, in order to scrub user name information in Microsoft Word and Open Office documents, the scrubbing module will have to be able to parse and according to policy remove user name references in both formats.
  • Single Point-of-Failure: Adopting a centralized operating system approach introduces the risk of global failure. If the operating system has a fault in the way it sanitizes private information, all applications will be affected.
  • Performance: It is possible that due to the centralized nature of an OS-center solution, that we might cause a performance bottleneck when executing privacy operations."

Yes, protocol spanning would be a huge challenge.  Think about all the possible applications that individual computers users could have, the diversity of all the vendors, and the likelihood that they would all cooporate to allow the type of collaboration and integration that would be necessary.  Most home computer users use a vast variety of software packages that are very unlike business software, and most of them collect and/or use PII in one way or another.  I’m thinking now about all the software packages (educational, interactive, etc.) that my sons use, and I’m not sure how the PII could be scrubbed from those accompanying data storage repositories.  The first thought is, well maybe that is not necessary, since those types of files would not be sent out of the computer anyway.  However, if that computer is also sometimes attached to the Internet, and an incoming probe or spyware makes it way through the personal firewall, then that data would be put at risk.  On the other hand, that is a risk today, so having the privacy in the OS to work with SOME applications would be better than nothing as long as the computer user does not get a false sense of complete privacy by using the OS privacy capabilities.

The paper gives a concise discussion of the challenges of scrubbing PII from meta data, para data and raw data.  However, it doesn’t suggest possible resolutions to these challenges, or even how to go about trying to resolve them.  I would have liked to have seen more about that.

Of course, the primary problem is the definition of what exactly constitutes PII, and then having a common format or look to those PII items.  PII is not universally defined.  Just within the U.S. federal laws, PII is defined in many different ways.  Looking globally you find even more definitions.  Throughout around 90 global laws I’ve found around 50 different specific types of information that are within these legal definitions.  Trying to integrate all would be an insurmountable task, it would seem.  However, if you would pick, let’s just say, the 10 most common or critical types of PII (perhaps those used most commonly for identity theft and fraud) to define globally, that would certainly be a very good start.

Also key is the ease with which the computer user would actually be able to set their own chosen privacy settings.  The goal of having it very easy for a non-technical computer user is certainly a challenge in and of itself even after a usable solution has been found and implemented into the OS.

I would also want such a solution to be customizeable so that you do not have it being TOO aggressive with removing everything it determines as PII from your outbound traffic…there may be instances where you need to send out what at least appears to be valid PII.

Overall this paper was a good high-level look at the concept of implementing privacy within the OS.  While it wandered here and there from the main idea at times, it was thought-provoking (at least it generated all kinds of questions for me as I read it) and is a good discussion centerpiece for this topic.

Technorati Tags