Journalists obtaining phone data

Interesting article on a phone “hacking” scandal. From what I can tell this was a case of widespread insider attacks and no “hacking” was involved.

http://www.guardian.co.uk/media/2011/jul/21/phone-hacking-operation-motorman-files

Intersting quotes:

Research by the lobbyists Big Brother Watch shows that between 2007 and 2010, 904 police officers and staff across Britain were subject to internal disciplinary offences for breaches of the Data Protection Act, which governs access to personal information. Of these cases, only 98 led to the dismissal of the person involved.

….

The offences include incidents where staff accessed sensitive information with the intent of passing it to third parties, as well as staff browsing material for personal interest. The records include 137 gross violations, defined as “serious breach of contractual terms … which makes any further working relationship and trust impossible”. Only 27 staff lost their jobs.

Who is responsible for securing confidential information?

Interesting article

The University of North Carolina at Chapel Hill found out last year that, in 2007, someone had hacked into a server holding personal information of 180,000 mammography patients from around the state. . . . . The university tried to fire — and is still trying to punish — the researcher who was in charge of the information.

Basically the school is trying to punish the researcher for failing to keep the data secure and the researcher is claiming that security isn’t her expertise. She did everything she knew to do but the university could have done a better job of providing her with support for keeping confidential information secure.

Update:
A resolution has been reached. The Professor in question is being reinstated as a full professor provided that she voluntarily retires.

Google employee fired for looking at private data

Another incident of an employee being fired for looking at customer’s private data, this time at Google.

ITRC data theft report

The Identity Theft Resource Center (ITRC) released their Data Breaches report for 2009. They analyzed 498 breaches which resulted in approximately 222 million compromised records.

The main highlights are:

  • paper breaches account for nearly 26% of known breaches (an increase of 46% over 2008)
  • business sector climbed from 21% to 41% between 2006 to 2009, the worst sector performance by far
  • malicious attacks have surpassed human error for the first time in three years
  • Out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data

. . . .

The ITRC Breach Report also monitors how breaches occur. ITRC Breach Report – By Attribute. This task is made more difficult by the scarcity of information provided (publicly) for approximately 1/3 of the recorded breaches. For the remainder, those events that do state how the breach occurred, malicious attacks (Hacking + Insider Theft) have taken the lead (36.4%) over human error (Data on the Move + Accidental Exposure = 27.5%) in 2009. This was a change from all previous years, where human error was higher than malicious attacks. One theory for this change is that the organization and sophistication of crime rings has impacted the theft of information. For example, while the Heartland breach was only a single breach, it demonstrated how skilled technology-based thieves can access 130 million records from over 600 different entities.

Some additional interesting facts from the report:

  • In 2009 insider thefts account for 16.9% of breaches. In 2007 insider thefts accounted for 6.1% of breaches.
  • Insider thefts may have accounted for 16.9% of breaches but it only accounted for 0.1% of compromised records. The majority of those records came from Business and Government/Military sectors.
  • Paper (physical pieces of paper) breaches accounted for 26% of all breaches in 2009. However, paper breaches only accounted for just under 200,000 compromised records vs. 222 million electronic records compromised.

Yahoo! Key Scientific Challenges Program

Yahoo! is running their Key Scientific Challenges Program again this year. Their website has lists of ideas for projects that they consider to be major scientific challenges.

Under Security challenges they list this challenge which I found interesting:

Scalable and Integrated access control for users
Users share data with a variety of applications within and outside Yahoo. Each of these applications has their own Terms of Service forcing users to specify separate access control rules for each application. This frustrates users and users feel like they have relinquished all control of where their data ends up. The challenge here is to design an integrated access control language and mechanism that can be used across applications from different organizations. At the very least, this would allow users to identify which information they have disclosed and to whom across different applications. Another challenge is to design a scalable “access control broker” that brokers access to user information to applications that satisfies user defined permissions.

They also have a section for privacy challenges where I found this:

Tracking user locations privately
Mobile phones these days are capable of being tracked with very high resolution. Many applications provide fine grained location services, like finding your friends, nearby attractions, coupons, ads, and even location aware dating. However, there is a huge privacy risk for the individuals who opt-in. Moreover, current access control mechanisms are either opt-in (in which case you usually don’t have too much control of who can access your data and who can’t) or opt-out (in which case you miss out on the location services). Problems in this space are:

  • Can individuals be tracked in such a way that the individual cannot be uniquely identified from the logs?
  • Can an application which tracks an individual share this information with a third party vendor/application, while preserving the individual’s privacy?
  • What is the right access control language for location tracking?

Social networking data taxonomy

On his blog Schneier proposed a taxonomy of social networking data.  I’ve copied the taxonomy below.

1. Service data. Service data is the data you need to give to a social networking site in order to use it. It might include your legal name, your age, and your credit card number.

2. Disclosed data. This is what you post on your own pages: blog entries, photographs, messages, comments, and so on.

3. Entrusted data. This is what you post on other people’s pages. It’s basically the same stuff as disclosed data, but the difference is that you don’t have control over the data — someone else does.

4. Incidental data. Incidental data is data the other people post about you. Again, it’s basically same same stuff as disclosed data, but the difference is that 1) you don’t have control over it, and 2) you didn’t create it in the first place.

5. Behavioral data. This is data that the site collects about your habits by recording what you do and who you do it with.

Schneier’s taxonomy is interesting as it focuses on data transfer and ownership. In the United States data ownership is a continuously debated issue. When I give my medical records to my doctor does my doctor now own those records such that he can give them to anyone he chooses as long as he complies with HIPPA? When I give my data to Facebook who now owns that data? When I allow a third party Facebook application to access my data who now has control of that data?

In his taxonomy Schneier seems to be implying that we should group social networking data based on the context under which it was collected and who controls it. I like this idea. I think this taxonomy well models how people perceive the flow of ownership of data. If I put data in my space then I should control it. If I give you data then you control it. If you ask me for data through a form then you control it.

Walmart servers hacked

Wired has a story about a hacker breaking into Walmart’s point of sales computer. Amazingly Walmart claims that the attacker didn’t get any costumer’s personal information or credit cards. While I’m a bit dubious of their ability to know this, I did find the description of how the attacker got in to be interesting.

Investigators found that the tool had been installed remotely by someone using a generic network administrator account. The intruder had reached the machine through a VPN account assigned to a former Wal-Mart worker in Canada, which administrators had failed to close after the worker left the company.

InfoSec Personnel Management

I found an article on Personnel Management and INFOSEC by M. E. Kabay which I like.  Its basically a paper discussing managerial techniques for managing employees in an organization from an InfoSec perspective.  I particularly like this analogy for how employees

What would you do if you discovered that an employee who used to occupy your current office still had the key? You would politely ask them to give it up. No one would question the reasonableness of such a request. However, when you remove access to the network server room from a system analyst who has no reason to enter that area, you may be treated to resentment, sulking and abuse. People learn about keys when they’re children; they don’t extend the principles to information security. People sometimes treat access controls as status symbols; why else would a CEO who has no technical training demand that his access code include the tape library and the wiring closet?