Report on data breaches

Verizon Business has published its Data Breach Investigations Report, which looks at 500 data breaches worldwide over four years. The report has several interesting findings.

  • 18% of breaches were caused by insiders.
  • Insider breaches were far less frequent than other types but they compromised more records.
  • 66% of breaches involved data the victim didn’t know was on their system.
  • 19% of breaches involved malicious misuse of access or privileges.
  • 70% of breaches were discovered by third parties.

For more information I recommend reading the report which is free for download.

Societe Generale and controlling access

Societe Generale, a European bank, reported in January 2008 a trading loss of nearly 7.2 billion dollars, one of the largest trading losses in banking history. How did they lose so much? Apparently an employee changed roles within the company, moving from compliance to trading. He was given the permissions that came with his new role, but the permissions from his old role were never removed. Using those extra access rights and his knowledge of how compliance was managed, the employee was able to make high-risk trades in amounts far exceeding what he should have been allowed. The result: 7.2 billion in losses.

Slow resolution of user names in Windows XP

I recently had some trouble with a Windows XP machine that was very slow at resolving security identifiers (SIDs) to user and group names. The machine was a stand-alone system with over 500 user accounts on it, a fresh install whose accounts had been created for a research project and were empty. Every time you opened the properties for a file and looked at its permissions you were presented with a list of SIDs instead of user names. Given enough time it would slowly resolve them, but it took forever to do so.

It turned out the machine was trying to query a remote server to do the SID-to-name resolution, and with 500 accounts that lookup took a very long time. To fix it I turned off the Workstation service: right-click My Computer -> Manage, expand Services and Applications, click Services and find the Workstation service. Right-click it and select Properties. Under General, click Stop, which stops it until the next restart, or select Disabled under Startup type, which keeps it off until you expressly re-enable it. (The Workstation service is also the SMB client, so with it stopped the machine cannot reach network shares; on a stand-alone box that costs nothing.)

Backing up files

The following script takes a file and appends the current date to its name. It is very useful for backing up files regularly from crontab. I’m posting it here because it is both very useful and much harder to find online than one would think.


#!/usr/local/bin/bash
# Rename the current data file with today's date (YYYYMMDD) appended,
# e.g. bob.dat -> bob-20080115.dat. Run from cron for a daily rotation.
set -eu
TIMESTAMP=$(date +%Y%m%d)
mv -- /home/bob/bob.dat "/home/bob/bob-$TIMESTAMP.dat"
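As an added example (not the post's own script), here is a bash function that generalizes the one above: it copies instead of renaming, so the live file stays in place; it keeps the extension after the date (bob.dat becomes bob-20080115.dat); and it never overwrites an earlier backup made the same day, which plain mv would silently do if the cron job fires twice. The paths are whatever you pass in; nothing here assumes /home/bob.

```bash
#!/bin/bash
# Added example, not the script from the post: timestamped backup of a file
# with collision handling. Assumes only POSIX utilities plus cp -p.
set -eu

# backup_file SRC [YYYYMMDD]
# Copies SRC to <name>-<date><ext> in the same directory, e.g.
# /home/bob/bob.dat -> /home/bob/bob-20080115.dat.  If that name already
# exists (the job ran twice today) it appends .1, .2, ... instead of
# overwriting, so no earlier backup is ever lost.  Prints the path written.
backup_file() {
    local src=$1 stamp=${2:-$(date +%Y%m%d)} dir base name ext dest n
    [ -f "$src" ] || { echo "backup_file: $src is not a regular file" >&2; return 1; }
    dir=$(dirname "$src")
    base=$(basename "$src")
    case $base in
        *?.*) name=${base%.*}; ext=.${base##*.} ;;   # keep the extension last
        *)    name=$base;      ext= ;;               # no extension (or a dotfile)
    esac
    dest="$dir/$name-$stamp$ext"
    n=0
    while [ -e "$dest" ]; do
        n=$((n + 1))
        dest="$dir/$name-$stamp$ext.$n"
    done
    # cp -p keeps mode and mtime; unlike mv, the live file stays in place.
    cp -p -- "$src" "$dest"
    printf '%s\n' "$dest"
}

# Usage: backup-file.sh /home/bob/bob.dat
if [ $# -gt 0 ]; then
    backup_file "$@"
fi
```

Pass a second argument to override the date; that is what makes the same-day collision case easy to exercise by hand.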

SOUPS 2008 conference

If you don’t know about the Symposium on Usable Privacy and Security (SOUPS) you probably should. It’s a symposium dedicated to research on usable solutions to privacy and security problems. Attendees come to discuss topics ranging from graphical passwords to physical security management systems. I’ve included a description of the conference below. This year SOUPS will feature two workshops: Usable IT Security Management (USM ‘08) and the Symposium on Accessible Privacy and Security (SOAPS).

SOUPS 2008

Symposium On Usable Privacy and Security

July 23-25, 2008

Carnegie Mellon University, Pittsburgh, PA USA

http://cups.cs.cmu.edu/SOUPS/

The 2008 Symposium on Usable Privacy and Security (SOUPS) will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program will feature technical papers, a poster session, panels and invited talks, discussion sessions, and in-depth sessions (workshops and tutorials). Detailed information about technical paper submissions appears below. For information about other submissions please see the SOUPS web site http://cups.cs.cmu.edu/soups/2008/cfp.html.

Datadvantages and the MOMA

I just ran across this data management application from Varonis called Datadvantages. They appear to be doing some very interesting things with file control management interfaces. Their application not only gives administrators the ability to see who can access what at a very fine-grained level, it also provides a recommendation service. The recommendations suggest access rights that should be granted or removed based on the system’s heuristics. From their marketing documentation it looks like the recommendations are based primarily on frequency of use and the relations between people. If anyone has a better understanding of what the recommendation capabilities of this interface are I would be interested to hear about it.

The Museum of Modern Art (MOMA) in New York had some very interesting, though common, access control issues with its data. In addition to the general problem of a large number of users accessing a large number of files, the MOMA also has business relations with many other organizations, and it needs to archive all data that isn’t being used. For their access issues they ended up turning to Datadvantages, which seems to be working well for them.

A Computerworld article had this to say about the MOMA’s installation of Datadvantages:

Granting or revoking permissions for data access is challenging because the user repository and data file server information are in constant flux. Moreover, once permissions are granted, they are rarely revoked because doing so may have unpredictable consequences on authorized use. This often results in overly permissive access rights for most data users.
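The two situations on this page that such a recommendation engine is meant to catch are the Societe Generale case above (a permission left over from a previous role, and still actively used) and the Computerworld observation just quoted (grants that are never revoked because nobody dares). As an added example, not the page's code and not Varonis's algorithm, the bash script below runs a review over a constructed grants table and flags both: a grant outside the user's current role, and a grant unused since a cutoff date. The users, rights, file formats and names are all made up for the illustration.

```bash
#!/bin/bash
# Added example, not the page's code and not Varonis's algorithm: a permission
# review over a constructed grants table.  Flags grants that fall outside the
# user's current role and grants not exercised since a cutoff date.
set -eu

# write_sample_data DIR: constructed sample input (invented users and rights).
#   roles.txt   "role permission" per line: what each role is supposed to carry
#   grants.txt  "user current_role permission last_used", last_used as YYYYMMDD
#               or the word never; lines starting with # are ignored
write_sample_data() {
    cat > "$1/roles.txt" <<'EOF'
trading    book_trade
trading    view_positions
compliance view_positions
compliance approve_limits
compliance audit_logs
EOF
    cat > "$1/grants.txt" <<'EOF'
# dave moved from compliance to trading; nobody removed the compliance rights
alice trading    book_trade     20080228
alice trading    view_positions 20080228
dave  trading    book_trade     20080229
dave  trading    view_positions 20080229
dave  trading    approve_limits 20080227
dave  trading    audit_logs     never
erin  compliance view_positions 20071001
erin  compliance approve_limits 20080220
erin  compliance audit_logs     20080225
EOF
}

# review_grants ROLES GRANTS CUTOFF
# Prints one finding per line, "user permission reason", sorted.  A grant can
# appear twice (wrong role and unused); both reasons are worth acting on.
review_grants() {
    awk -v cutoff="$3" '
        /^#/ || NF == 0 { next }
        NR == FNR { allowed[$1, $2] = 1; next }   # first file: role -> permission
        {
            user = $1; role = $2; perm = $3; last = $4
            if (!((role, perm) in allowed))
                print user, perm, "not-in-role:" role
            if (last == "never")
                print user, perm, "never-used"
            else if (last + 0 < cutoff + 0)
                print user, perm, "last-used:" last
        }' "$1" "$2" | LC_ALL=C sort
}

# Stand-alone run; 90 days before the review date 2008-03-01 is 2007-12-02.
demo=$(mktemp -d)
write_sample_data "$demo"
review_grants "$demo/roles.txt" "$demo/grants.txt" 20071202
rm -rf "$demo"
```

Note that a usage-frequency heuristic on its own would keep dave's approve_limits, since he exercised it three days before the review; it is the role check that flags it. On GNU systems the cutoff for a 90-day window is `date -d '90 days ago' +%Y%m%d`.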

Privacy & data protection survey

Deloitte and the Ponemon Institute published a survey on privacy and security in the enterprise environment.

I saw a talk given by Deloitte today on the survey and here are some of the highlights I found interesting:

  • Over 85% of respondents reported at least one breach where user notification was required and 63% reported multiple breaches.
  • The most implemented (59.9%) technology solution to privacy and security issues was segregation of duties tools. (Note: this sounds like companies are making use of the RBAC model)
  • Data classification was also high (57.7%) on the list of technology solutions. (Note: This may also be part of RBAC, classifying data into roles as well as people)
  • Encryption is being implemented (55%) but the encryption isn’t being applied to everything and a significant number of companies fail to adequately protect data both in storage and while in transit.
  • Both privacy and security professionals spend most of their time on incident response which includes notifying affected users.
  • Female and male security professionals make approximately the same salary.

Subversion on Ubuntu

Why is it always so hard to set up applications in Linux? Don’t get me wrong, I much prefer setting up complex applications in Linux to setting them up in Windows, but still, there must be an easier way. I just spent several hours setting up Subversion on my Ubuntu machine, which involved some time on help pages, some time debugging and some time figuring out how I wanted my setup to work vs. other people’s setups. So I’m documenting some of my problems and solutions here just in case some other poor soul has a similar issue.

Basic Subversion setup

To begin with, the following URL was an excellent help guide to start from. The guide described everything except how to set up SSL encryption, and I had some issues with authentication, which are detailed below.

https://help.ubuntu.com/community/Subversion

Authentication issues

Once I got everything installed and working I tried doing a checkout from another machine. Much to my surprise the checkout worked but asked for no username or password: the server was requiring a username and password to write to the repository but not to read from it. That is how Apache behaves when the Require directive sits inside a <LimitExcept GET PROPFIND OPTIONS REPORT> block, which exempts the read-only WebDAV methods from authentication. Since I wanted my files kept private I had to look up some documentation on how to change the authentication. I recommend this site; it is fairly cryptic but has some good examples. I ended up changing /etc/apache2/mods-available/dav_svn.conf so that only bob and I could read or commit:


# /etc/apache2/mods-available/dav_svn.conf
<Location /svn/compilers>
    DAV svn
    SVNPath /home/svn/compilers
    # No LimitExcept block around the auth directives, so every request,
    # reads included, must authenticate, and only these two users get in.
    AuthType Basic
    AuthName "compilers subversion repository"
    AuthUserFile /etc/subversion/passwd
    Require user kami bob
</Location>

SSL Encryption

With the basic setup SVN sends all passwords and other data in the clear (Basic auth merely base64-encodes the password), so I wanted to enable SSL encryption. There is a nice Ubuntu documentation page on how to do this. The only problem is that a default install of apache2 on Ubuntu doesn’t come with the apache2-ssl-certificate application. I found a discussion forum that talks about the issue and proposes several solutions. I’ve quoted the solution I used below:

* apache2-ssl.tar.gz (964 bytes, application/x-tar)

You can grab ssleay.cnf and apache2-ssl-certificate from Edgy’s apache2 version.

I hope this workaround works for people who are bothered by this issue. Extract the package and put ssleay.cnf in /usr/share/apache2/ and apache2-ssl-certificate in /usr/sbin.

Create the /etc/apache2/ssl directory. Then the apache2-ssl-certificate script should work.
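As an added example, and neither the post's steps nor the apache2-ssl-certificate script quoted above, the bash script below does the same job with plain openssl and writes the two Apache fragments that put the repository behind HTTPS. It assumes the key pair lives in /etc/apache2/ssl and reuses the /svn/compilers location and /etc/subversion/passwd file from the earlier section; the hostname is whatever you pass in.

```bash
#!/bin/bash
# Added example; not the original post's steps and not Ubuntu's
# apache2-ssl-certificate script.  Makes a self-signed key pair with plain
# openssl and writes the Apache fragments that serve the repository only
# over HTTPS.  Assumed paths: /etc/apache2/ssl for the key pair,
# /svn/compilers and /etc/subversion/passwd as on the page.
set -eu

# make_self_signed_cert DIR HOSTNAME [DAYS]
# Writes DIR/apache.key (mode 600, unencrypted so Apache can start unattended)
# and DIR/apache.crt, self-signed for HOSTNAME.
make_self_signed_cert() {
    local dir=$1 host=$2 days=${3:-365}
    mkdir -p "$dir"
    # umask in a subshell: the key is born unreadable to anyone but root/owner
    ( umask 077; openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
          -subj "/CN=$host" -keyout "$dir/apache.key" -out "$dir/apache.crt" 2>/dev/null )
    chmod 644 "$dir/apache.crt"
}

# cert_fingerprint DIR [ALGO]
# Prints the certificate fingerprint.  Hand this to users out of band: svn asks
# whether to trust an unknown server certificate on first connection and shows
# a fingerprint, which should be accepted only if it matches this value
# (pass sha1 if your client prints a SHA-1 fingerprint).
cert_fingerprint() {
    openssl x509 -noout -fingerprint "-${2:-sha256}" -in "$1/apache.crt"
}

# write_apache_conf OUTDIR SSLDIR
# OUTDIR/ssl-vhost.conf: an HTTPS vhost using the key pair in SSLDIR.
# OUTDIR/dav_svn.conf: the repository location with SSLRequireSSL, so a
# request arriving over plain HTTP (port 80 is still open) is refused in
# Apache's access phase, before the client is ever challenged for its
# Basic-auth password.
write_apache_conf() {
    local out=$1 ssl=$2
    cat > "$out/ssl-vhost.conf" <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    $ssl/apache.crt
    SSLCertificateKeyFile $ssl/apache.key
</VirtualHost>
EOF
    cat > "$out/dav_svn.conf" <<'EOF'
<Location /svn/compilers>
    DAV svn
    SVNPath /home/svn/compilers
    SSLRequireSSL
    AuthType Basic
    AuthName "compilers subversion repository"
    AuthUserFile /etc/subversion/passwd
    Require user kami bob
</Location>
EOF
}

# Stand-alone run (as root): make_self_signed_cert /etc/apache2/ssl "$(hostname -f)"
#                            write_apache_conf /etc/apache2/sites-available /etc/apache2/ssl
```

After writing the fragments, enable mod_ssl (a2enmod ssl), check that something carries a Listen 443 (older Ubuntu releases needed it added to ports.conf), enable the vhost site, and restart Apache. Then verify both halves: `curl -k https://host/svn/compilers/` should answer 401 and ask for a password, while `curl http://host/svn/compilers/` should answer 403, with no authentication challenge at all. Because the certificate is self-signed, svn clients get a trust prompt on first use; the fingerprint function prints the value they should compare against.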

How to use color in information visualization

NASA has a nice page on using color in information visualizations.

http://colorusage.arc.nasa.gov/