Enabling Secure Business Operations

In your matrix. Stealing your dots.

Researchers have developed a method (pdf) that records the sound of a dot matrix printer in operation and reconstructs the printed text from the audio alone. Data leakage from electronic devices isn't new (TEMPEST comes to mind). However, the higher-profile methods tend to exploit electromagnetic emanations rather than mechanical ones; this one is an acoustic side channel.

The other theme at the 2010 RSA Conference

Chances are, if you read 10 articles or blog posts about the 2010 RSA conference, you will hear the term “cloud computing” ten times. The cloud was clearly the dominant theme of most of the presentations, product demonstrations, and discussions which took place at the Moscone Center in the first week of March 2010. However, another theme was nearly equally present in presentations and discussions: Cybercrime.

Obscurity Still Isn’t Security

Today Slashdot carried a story about an Australian transportation plan that a newspaper reported on before its official release. The transport minister said that accessing the information was akin to the newspaper trying to "pick the lock off a secure office and take highly confidential documents". What was the brilliant security plan that was supposed to be protecting this information? The documents were stored at an unpublished URL with no access control or authentication in place.

We in the security industry call this "security by obscurity". And it is not security at all. An unpublished URL is not a secret: it turns up in browser history, proxy and web server logs, Referer headers and search engine indexes, and anyone who learns it gets the document.
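As an added illustration (example code, not anything from the original post or from the Australian system), here is the "unpublished URL" pattern written as a request handler, beside a handler that actually authenticates the session and checks an access-control list. The document paths, sessions, roles and the proxy log lines are all constructed for the example; the log shows how the "secret" path becomes known to anyone who can read a proxy log, after which only the access check stands between them and the file.

```python
"""Added example (not code from the original post): what "security by obscurity"
looks like as a request handler, next to a handler that actually checks
authentication and authorization.  Paths, users, sessions and the proxy log
below are all constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed document store: the "unpublished" draft sits beside a public file.
DOCUMENTS = {
    "/reports/2010/transport-plan-draft-v3.pdf": b"%PDF confidential transport plan",
    "/reports/2010/press-release.pdf": b"%PDF public press release",
}

# Constructed authorization data: roles allowed to read each document ("*" = public).
ACL = {
    "/reports/2010/transport-plan-draft-v3.pdf": {"minister", "planning-staff"},
    "/reports/2010/press-release.pdf": {"*"},
}
SESSIONS = {"tok-minister": "minister", "tok-reporter": "reporter"}  # token -> user
ROLES = {"minister": {"minister"}, "reporter": {"press"}}            # user -> roles


@dataclass
class Response:
    status: int
    body: bytes = b""


def serve_by_obscurity(path):
    """The page's scenario: whoever knows the path gets the file, no checks at all."""
    doc = DOCUMENTS.get(path)
    return Response(200, doc) if doc is not None else Response(404)


def serve_checked(path, session_token):
    """Authenticate the session, then require a role listed in the ACL.
    Unknown and forbidden paths both return 404 so the response does not
    reveal whether a guessed URL exists."""
    user = SESSIONS.get(session_token)
    if user is None:
        return Response(401)
    allowed = ACL.get(path)
    if allowed is None:
        return Response(404)
    if "*" not in allowed and not (ROLES.get(user, set()) & allowed):
        return Response(404)
    return Response(200, DOCUMENTS[path])


# Constructed proxy log: the draft was fetched once, so every proxy, browser
# history and Referer header along the way now holds the "unpublished" path.
PROXY_LOG = """\
10.1.2.3 - - [12/Mar/2010:09:14:02 +1000] "GET /reports/2010/press-release.pdf HTTP/1.1" 200 5120
10.1.2.9 - - [12/Mar/2010:09:15:40 +1000] "GET /reports/2010/transport-plan-draft-v3.pdf HTTP/1.1" 200 88210
"""
REQUEST_LINE = re.compile(r'"(?:GET|HEAD) (?P<path>\S+) HTTP/')


def paths_in_log(log_text):
    """Every path someone with log access (or a search index) would learn."""
    return [m.group("path") for m in REQUEST_LINE.finditer(log_text)]


def harvest_by_obscurity(log_text):
    """Replay each logged path against the unprotected handler and return the
    ones that come back 200: everything the log leaked is now readable."""
    return [p for p in paths_in_log(log_text) if serve_by_obscurity(p).status == 200]


if __name__ == "__main__":
    secret = "/reports/2010/transport-plan-draft-v3.pdf"
    print("obscurity, anyone:", serve_by_obscurity(secret).status)
    print("checked, no session:", serve_checked(secret, None).status)
    print("checked, reporter:", serve_checked(secret, "tok-reporter").status)
    print("checked, minister:", serve_checked(secret, "tok-minister").status)
    print("leaked via proxy log:", harvest_by_obscurity(PROXY_LOG))
```

The point of returning 404 rather than 403 for a document the caller is not entitled to is that the checked handler gives a guesser no confirmation that the path exists; the obscurity handler gives them the whole file.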

Don’t Disregard the Insider

When companies create security policies designed to keep their information secure, they are often most focused on the threat of an outsider.  Certain measures, like using secure protocols such as TLS (or its predecessor SSL) or S/MIME-encrypted email, help keep your information from being viewed by third parties when it is sent over untrusted networks.  Other measures, like full-disk encryption on laptops, help keep your information secure when a laptop is lost or stolen or a hard drive is sold on eBay.  None of these measures will help when a trusted insider gets access to over 1300 documents that they have no business having.

According to the complaint, Jhaveri admitted being employed by Bristol-Myers-Squibb as a Technical Operations Associate from November of 2007 until his termination on February 2, 2010. The complaint further alleges that during his employment, Jhaveri stole numerous trade secrets as part of a plan to establish a pharmaceutical firm in his native India which would compete with Bristol-Myers-Squibb in various markets around the world.

How do you protect against the insider threat?  It is one of the more complicated issues in information security, and there are a lot of opinions on how to deal with it.  Certainly it has to start with understanding what information you have that needs to be protected and how damaging it would be if it were lost or stolen, and then making cost/benefit decisions on the best ways to protect it.  Everything from a rights management solution (so documents stay encrypted and usable only by the people entitled to them) to a strong security information and event management (SIEM) system that watches who accesses what could be useful in preventing and detecting insider threats.
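To make the detection side concrete, here is an added example (not code from the original post, and not from any product) of the kind of rule a SIEM would run over document-repository access logs: it flags a user whose download volume for a day jumps well above that user's own baseline, or whose documents that day mostly belong to other departments. The log format, the users, the departments and the thresholds are all constructed for the example.

```python
"""Added example (not code from the original post): a detection rule of the
kind a SIEM would run over document-repository access logs, catching a user
who suddenly pulls far more documents than usual, including ones outside
their own department.  Log format, users, departments and thresholds are
all constructed for the example.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed log format: one line per document access.
LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T(?P<time>\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) dept=(?P<dept>\S+) action=(?P<action>\S+) "
    r"doc=(?P<doc>\S+) doc_dept=(?P<doc_dept>\S+)$"
)


def parse(lines):
    """Parse the lines that match; a malformed line is skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_insiders(lines, min_docs=20, spike_factor=5, cross_dept_ratio=0.5):
    """One finding per (user, day) where the user's download/export count is
    above an absolute floor AND more than spike_factor times that user's median
    count on other days, or where more than cross_dept_ratio of the day's
    documents belong to departments other than the user's own.
    The thresholds are constructed defaults; tune them to the real baseline."""
    per_day = defaultdict(lambda: defaultdict(list))   # user -> date -> [events]
    for ev in parse(lines):
        if ev["action"] in ("download", "export"):      # views are noise here
            per_day[ev["user"]][ev["date"]].append(ev)

    findings = []
    for user, days in per_day.items():
        counts = {d: len(evs) for d, evs in days.items()}
        for date, evs in days.items():
            others = [c for d, c in counts.items() if d != date]
            baseline = median(others) if others else 0
            n = len(evs)
            cross = sum(1 for e in evs if e["doc_dept"] != e["dept"])
            reasons = []
            if n >= min_docs and n > spike_factor * baseline:
                reasons.append(f"volume {n} vs baseline {baseline}")
            if n and cross / n > cross_dept_ratio:
                reasons.append(f"{cross}/{n} documents outside own department")
            if reasons:
                findings.append({"user": user, "date": date, "docs": n,
                                 "cross_dept": cross, "reasons": reasons})
    return findings


def sample_log():
    """Constructed log: alice's normal days, bob's normal days, then bob's
    late-night bulk export of R&D documents he has no business having."""
    lines = []
    for day in ("2010-02-01", "2010-02-02", "2010-02-03"):
        for i in range(3):
            lines.append(f"{day}T10:0{i}:00 user=alice dept=rnd action=download "
                         f"doc=RND-{day[-2:]}{i} doc_dept=rnd")
            lines.append(f"{day}T11:0{i}:00 user=bob dept=qa action=view "
                         f"doc=QA-{day[-2:]}{i} doc_dept=qa")
        lines.append(f"{day}T12:00:00 user=bob dept=qa action=download "
                     f"doc=QA-{day[-2:]}9 doc_dept=qa")
    for i in range(40):
        lines.append(f"2010-02-04T22:{i:02d}:00 user=bob dept=qa action=export "
                     f"doc=RND-SECRET-{i} doc_dept=rnd")
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for f in detect_insiders(sample_log()):
        print(f["user"], f["date"], "; ".join(f["reasons"]))
```

A rule like this only works if the repository logs every read and the log is shipped somewhere the insider cannot edit; it also produces false positives around legitimate events (a product launch, an audit), which is why the baseline is per user rather than a single global number.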

On Password Breaches and Trends

Recently, Imperva released a study (pdf) of the passwords extracted from the December 2009 RockYou security breach that resulted in the compromise of over 32 million user accounts. This study examined some statistics of the passwords retrieved, including the number and variety of characters used to construct them. The results were pretty bad. Here are the highlights:

-30% of users had passwords of 6 characters or less. Passwords that short fall quickly to brute force.

-Over 50% of passwords were all lowercase or all numbers. This is bad because it shrinks the keyspace: even a password longer than 6 characters is weakened if it draws from a small character set.

On the surface, these two statistics aren’t a good look at all, especially considering the ease with which an attacker could successfully guess simple passwords.
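The two statistics above are easy to reproduce on any password list, and the keyspace point is easier to see in numbers. The following is an added example (my code, not the Imperva study's and not the original post's) that computes the share of passwords of 6 characters or fewer, the share drawn from a single character class, and the keyspace each password's length and composition actually give a brute-forcer. The corpus is constructed for the example, not RockYou data, and the character-class sizes are the usual US-keyboard ones (26/26/10/32).

```python
"""Added example (not code from the original post or the Imperva study): the
two measurements the study reports, plus the keyspace each password's length
and character classes give an attacker.  The corpus is constructed, not
breach data.
"""
import math
import string
from statistics import median

# Assumed character classes and sizes (US keyboard): 26 + 26 + 10 + 32.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
KNOWN = set().union(*CLASSES.values())


def classes_used(pw):
    """Names of the character classes that appear in pw.  Characters outside
    the four classes (space, non-ASCII) are counted as 'symbol' as a
    conservative approximation."""
    used = {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}
    if any(c not in KNOWN for c in pw):
        used.add("symbol")
    return used


def alphabet_size(pw):
    """Size of the union of the classes pw draws from: what a brute-forcer who
    knows the composition must cover per position."""
    return sum(len(CLASSES[name]) for name in classes_used(pw))


def keyspace_bits(pw):
    """log2 of the number of candidates with the same length and composition."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(alphabet_size(pw))


def worst_case_seconds(pw, guesses_per_second):
    """Time to exhaust the keyspace at a given guess rate.  An offline attack on a
    leaked hash list runs many orders of magnitude faster than online guessing."""
    return 2 ** keyspace_bits(pw) / guesses_per_second


def summarize(passwords):
    """The two Imperva-style statistics plus the median keyspace in bits."""
    if not passwords:
        raise ValueError("empty corpus")
    short = sum(1 for p in passwords if len(p) <= 6)
    single_class = sum(1 for p in passwords if len(classes_used(p)) == 1)
    bits = [keyspace_bits(p) for p in passwords]
    return {
        "count": len(passwords),
        "short_fraction": short / len(passwords),
        "single_class_fraction": single_class / len(passwords),
        "median_bits": median(bits),
    }


# Constructed corpus (not breach data), chosen to show both weaknesses.
CORPUS = ["123456", "12345", "password", "iloveyou", "princess", "rockyou",
          "abc123", "Nicole1!", "P@ssw0rd2010", "qwerty12345678"]

if __name__ == "__main__":
    print(summarize(CORPUS))
    for pw in ("123456", "password", "abc123", "Nicole1!"):
        print(f"{pw:16s} {alphabet_size(pw):3d}-char alphabet, "
              f"{keyspace_bits(pw):5.1f} bits, "
              f"{worst_case_seconds(pw, 1e9):.3g} s at 1e9 guesses/s")
```

Two passwords of the same length can differ by tens of bits of keyspace purely on composition, which is what the "all lowercase or all numbers" statistic is really measuring: at a billion guesses per second, a six-digit password is exhausted in about a millisecond.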

Also, in many cases, a password breach may not just make a user’s account vulnerable on the breached site, but can also lead to their account being compromised on other sites as well (plenty of people use the same password on multiple sites).

However, there is an alternative way to interpret this data. Although there is no way to verify this, it could be the case that users are starting to give value to the importance of some accounts AND the security of the website associated with it. And those accounts that are of low significance (like a site they just sign up on to play a game) get simple, easy-to-remember passwords, while accounts of greater personal significance (banks, primary email, etc.) get the more robust passwords. Similarly, it could be the case that users think sites like RockYou are sketchy anyway, and thus more likely to get hacked than other more-serious sites.

So, in a way, the user could be protecting themselves from a site breach. I know I wouldn’t care if I had a RockYou account and the site got breached since I wouldn’t really use that same password anywhere else important. It may be annoying, but it is much better than knowing that my super-secret 28-character password is sitting on some stranger’s computer simply because somebody left the door open.

So if you think of this report from the perspective of users managing risks reasonably instead of users being victimized, it almost makes sense that 29,000 people had '123456' as a password.

The cost of a compromised record

According to a new article on TechTarget, a study by the Ponemon Institute has revealed the cost of a data breach has increased once again, to $204 per compromised record. The study is available for download at http://www.encryptionreports.com/ after giving away some personal details.

The “Fifth Annual U.S. Cost of Data Breach Study,” funded in part by encryption vendor PGP Corp., determines the annual cost of the breach by establishing a company’s cost of lost business as a result of an incident; expenses incurred by notifying individuals and authorities of a breach; costs associated with legal fees and consulting firms and new investments made in technology and employee education.

In our down economy, it is interesting that the cost of data breaches has been rising for five years running.  If I were cynical, I might suggest that one of the reasons for the constantly increasing costs in this study is the partnership with PGP, which sells products designed to protect you in the case of a lost laptop or storage device.

That said, I’m not even sure that those items above can accurately represent the cost of data breaches, especially in certain environments.  The loss or damage of reputation caused by a data breach can be so devastating that the monetary cost can’t even be calculated.  If you don’t know what I’m talking about, what is the first thing that comes to your mind when I mention Heartland Payment Systems, TJX, or the Department of Veterans Affairs?  These organizations have suffered tremendously because of wide (and widely publicized) data breaches.  Imagine the firestorm of criticism if some of the most trusted companies were to suffer data breaches along the lines of Heartland’s breach?

In addition to the loss of reputation, what are other costs of data breaches that the Ponemon study doesn’t reveal? Let us know in the comments.

Gmail now HTTPS by default

Google has just announced that HTTPS access will be "on by default" starting immediately. This is in response to the recently publicized attacks against Google and Gmail, which are also causing Google to reconsider its approach to China.

While I’m happy that Google will now be encrypting Gmail-related communication by default, I’m a little surprised and disheartened that it took an attack to cause this to be implemented. Sure, https has been an option since July of 2008, but Google had previously warned of a security / usability tradeoff with turning it on:

Because the downside is that https can make your mail slower. Your computer has to do extra work to decrypt all that data, and encrypted data doesn’t travel across the internet as efficiently as unencrypted data. That’s why we leave the choice up to you.

Today’s computers are fast enough to handle https without concern, thank you very much. And I think they meant to say your encrypted email “can’t be cached by proxy servers” instead of “doesn’t travel across the internet as efficiently” – which is a good thing, right? The use of always-on-HTTPS is an infrastructure problem – establishing and maintaining all those different secure sessions with different keys certainly takes time and processing power. It is unfair to solve your infrastructure problem by suggesting that the user might not want comprehensive security.

Are you aware of any other services that allow the user to make a poor security decision in the (perhaps unjustified) name of speedier access? Let us know in the comments!

Laptop Losses By The Numbers

A recent study on lost laptops by Dell and the Ponemon Institute shows how important data protection and encryption are, especially for portable devices. Here are some of the findings.

  • 12,000 laptops are lost in US airports each week.
  • 65-70% are never reclaimed.
  • 53% carried sensitive corporate information.

Guess how many of those machines were protected with encryption.

You can read the entire report [pdf] and find out on page 7.

The Demise of Clear

Overnight, the Clear Registered Traveler Program ceased operation.  I do travel by air 5-10 times per year, and had considered the program to speed my visits through airports.  There were three main reasons why I didn’t, and I wonder if they are reasons why they have had to cease operation.

  1. There weren’t Clear lanes at every airport I travel to; the only way this system could be cost effective for me would be if it worked everywhere.
  2. As mentioned at the Consumerist, the Clear lanes just provided shorter lines; you were still subject to all the security checkpoint hassles.
  3. My home airport, Dulles International, opened the Black Diamond lanes: basically the same as Clear without the fee.

In addition to the $199/year charge, enrolling in Clear required presentation of two IDs, your social security number, and the capture of your fingerprints and retinal scan. Clear lost (and found) a laptop last year, and although their privacy policy (pdf) indicates that all personal information is always stored and transmitted encrypted, it doesn’t indicate what algorithm is used or how key management is performed. (Remember, ROT13 is an encryption algorithm…)  Biometrics are the only identification factor that you can’t have revoked and reissued, so giving mine up to both a private company and the Transportation Security Administration to save perhaps 15 minutes didn’t seem like a good idea.

The privacy policy also indicates that personal information is removed from their system automatically 90 days after you are no longer a Clear member. It is not yet clear whether the overnight cessation of operations will trigger this data removal. It is also not clear whether the TSA ever discards the data Clear shares with it.  All told, if I had been a Clear member, I would seriously examine tools for detecting and preventing identity theft for a while.

285 Million Compromised Records

Verizon Business has released their 2009 Data Breach Investigations Report [pdf] and an accompanying blog post.

2008 was a crazy year in the world of data breaches… The percentage of breaches in our caseload involving financial service organizations, targeted attacks, and customized malware all doubled in 2008. It’s sure to win me the “Captain Obvious Award” from the Securitymetrics list, but organized crime activity increased and was responsible for over 90% of the 285 million records compromised.

The report is sure to be a good read. We linked last year's report, and this year's has some improvements: it is based on more data, collected more often, and goes into a lot more detail than the previous report. 285 million is a lot of compromised records. I wonder if mine was one of them.