Google employee fired for looking at private data

Another incident of an employee being fired for looking at a customer’s private data, this time at Google.

Online shopping, privacy, tracking and me on tv

KDKA news, in Pittsburgh, did an article on the FTC’s new ‘Do Not Track’ List proposal.

The exciting news is that I have a silent role in the video as a “shopper” and I’m using Ghostery.

Architecture Is Policy: The Legal and Social Impact of Technical Design Decisions

Over on the CUPS blog I wrote up a summary of the EFF board panel on the legal and social impact of technical design decisions.

Abstract:

Technology design can maximize or decimate our basic rights to free speech, privacy, property ownership, and creative thought. Board members of the Electronic Frontier Foundation (EFF) discuss some good and bad design decisions through the years and the societal impact of those decisions.

Book: Applied Security Visualization

I just ordered a book entitled “Applied Security Visualization” written by Raffael Marty. The author previously wrote a chapter in “Security Data Visualization: Graphical Techniques for Network Analysis”, another book on how to bring visualization techniques and tools to the aid of the security community. I was somewhat disappointed with the Security Data Visualization book as I felt that it was just throwing eye candy at what I consider to be a serious problem. Many of the tools put forward by the Security Data Visualization book fail to follow the principles put forward by Edward Tufte on how to create useful and effective data visualizations. I have not yet had a chance to review “Applied Security Visualization” but based on the author’s other work I am hopeful for a clearer and more useful application of visualizations to the security domain.

DHS: A roadmap for cybersecurity research

DHS has released a report entitled “A Roadmap for Cybersecurity Research” in which they outline what they consider to be the major research challenges in cybersecurity. Both “Privacy-Aware Security” and “Usable Security” made the list. Each research direction has several pages worth of discussion about the topic and the current interesting research challenges in that area. Both Lorrie Cranor’s book, “Security and Usability: Designing Secure Systems That People Can Use”, and SOUPS are cited under resources in the Usable Security section.

– Kami

ITRC data theft report

The Identity Theft Resource Center (ITRC) released their Data Breaches report for 2009. They analyzed 498 breaches which resulted in approximately 222 million compromised records.

The main highlights are:

  • Paper breaches account for nearly 26% of known breaches (an increase of 46% over 2008)
  • The business sector climbed from 21% to 41% between 2006 and 2009, the worst sector performance by far
  • Malicious attacks have surpassed human error for the first time in three years
  • Out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data

. . . .

The ITRC Breach Report also monitors how breaches occur. ITRC Breach Report – By Attribute. This task is made more difficult by the scarcity of information provided (publicly) for approximately 1/3 of the recorded breaches. For the remainder, those events that do state how the breach occurred, malicious attacks (Hacking + Insider Theft) have taken the lead (36.4%) over human error (Data on the Move + Accidental Exposure = 27.5%) in 2009. This was a change from all previous years, where human error was higher than malicious attacks. One theory for this change is that the organization and sophistication of crime rings has impacted the theft of information. For example, while the Heartland breach was only a single breach, it demonstrated how skilled technology-based thieves can access 130 million records from over 600 different entities.

Some additional interesting facts from the report:

  • In 2009 insider thefts account for 16.9% of breaches. In 2007 insider thefts accounted for 6.1% of breaches.
  • Insider thefts may have accounted for 16.9% of breaches but it only accounted for 0.1% of compromised records. The majority of those records came from Business and Government/Military sectors.
  • Paper (physical pieces of paper) breaches accounted for 26% of all breaches in 2009. However, paper breaches only accounted for just under 200,000 compromised records vs. 222 million electronic records compromised.

Yahoo! Key Scientific Challenges Program

Yahoo! is running their Key Scientific Challenges Program again this year. Their website has lists of ideas for projects that they consider to be major scientific challenges.

Under Security challenges they list this challenge which I found interesting:

Scalable and Integrated access control for users
Users share data with a variety of applications within and outside Yahoo. Each of these applications has their own Terms of Service forcing users to specify separate access control rules for each application. This frustrates users and users feel like they have relinquished all control of where their data ends up. The challenge here is to design an integrated access control language and mechanism that can be used across applications from different organizations. At the very least, this would allow users to identify which information they have disclosed and to whom across different applications. Another challenge is to design a scalable “access control broker” that brokers access to user information to applications that satisfies user defined permissions.

They also have a section for privacy challenges where I found this:

Tracking user locations privately
Mobile phones these days are capable of being tracked with very high resolution. Many applications provide fine grained location services, like finding your friends, nearby attractions, coupons, ads, and even location aware dating. However, there is a huge privacy risk for the individuals who opt-in. Moreover, current access control mechanisms are either opt-in (in which case you usually don’t have too much control of who can access your data and who can’t) or opt-out (in which case you miss out on the location services). Problems in this space are:

  • Can individuals be tracked in such a way that the individual cannot be uniquely identified from the logs?
  • Can an application which tracks an individual share this information with a third party vendor/application, while preserving the individual’s privacy?
  • What is the right access control language for location tracking?

Social networking data taxonomy

On his blog Schneier proposed a taxonomy of social networking data.  I’ve copied the taxonomy below.

1. Service data. Service data is the data you need to give to a social networking site in order to use it. It might include your legal name, your age, and your credit card number.

2. Disclosed data. This is what you post on your own pages: blog entries, photographs, messages, comments, and so on.

3. Entrusted data. This is what you post on other people’s pages. It’s basically the same stuff as disclosed data, but the difference is that you don’t have control over the data — someone else does.

4. Incidental data. Incidental data is data the other people post about you. Again, it’s basically the same stuff as disclosed data, but the difference is that 1) you don’t have control over it, and 2) you didn’t create it in the first place.

5. Behavioral data. This is data that the site collects about your habits by recording what you do and who you do it with.

Schneier’s taxonomy is interesting as it focuses on data transfer and ownership. In the United States data ownership is a continuously debated issue. When I give my medical records to my doctor, does my doctor now own those records such that he can give them to anyone he chooses as long as he complies with HIPAA? When I give my data to Facebook, who now owns that data? When I allow a third-party Facebook application to access my data, who now has control of that data?

In his taxonomy Schneier seems to be implying that we should group social networking data based on the context under which it was collected and who controls it. I like this idea. I think this taxonomy models well how people perceive the flow of ownership of data. If I put data in my space then I should control it. If I give you data then you control it. If you ask me for data through a form then you control it.

Walmart servers hacked

Wired has a story about a hacker breaking into Walmart’s point-of-sale computer. Amazingly, Walmart claims that the attacker didn’t get any customer’s personal information or credit cards. While I’m a bit dubious of their ability to know this, I did find the description of how the attacker got in to be interesting.

Investigators found that the tool had been installed remotely by someone using a generic network administrator account. The intruder had reached the machine through a VPN account assigned to a former Wal-Mart worker in Canada, which administrators had failed to close after the worker left the company.

Psychology and Security resources

Ross Anderson put together a web page which contains many resources in the intersection of psychology and security. The site includes papers, books, conferences and people.