Most of the BlackHat 2010 talks aren’t off the ground yet and already this week has been busy for news and announcements. We already noted the DMCA updates earlier this week (which have been grossly over-hyped – see why that is here). Now on to the bigger story. No, it’s not Apple’s mouse-killer, nor is it the plethora of next-gen batteries that are now available (Apple, Toshiba (for cars), etc.). Nor is it the BlackHat talk about intercepting GSM-based mobile communication, nor is it the availability of cloud-based WPA/WPA2 cracking services, nor is it the publication of a 2.8GB database of information collected from public Facebook pages (see Joey’s commentary for more).

In my mind, the biggest, most important news this week is the release of the 2010 Verizon Business Data Breach Investigations Report (DBIR), which includes data from Secret Service investigations. It’s too lengthy to provide a reasonable summary here and now, but I wanted to bring this to your attention. If you read only one data breach report this year, then it should be the Verizon DBIR 2010.

Incidentally, if you’re looking for another data breach report to read, check out the one also released recently from the Digital Forensics Association “The Leaking Vault – Five Years of Data Breaches.” It does not present any new data, but it rather provides a fresh and interesting analysis of a compilation of existing data breach repositories (primarily DatalossDB.org).

Recently, Imperva released a study (pdf) of the passwords extracted from the December 2009 RockYou security breach that resulted in the compromise of over 32 million user accounts. This study examined some statistics of the passwords retrieved, including the number and variation of characters use to construct them. The results were pretty bad. Here are the highlights:

-30% of users had passwords made up of 6 characters or less. Most brute force attempts are moderately successful against short passwords.

-Over 50% of passwords were all lowercase, or all numbers. This is bad because the keyspace is reduced. Even a password that is longer than 6 characters is weakened if it has a small character set distribution.

On the surface, these two statistics aren’t a good look at all, especially considering the ease with which an attacker could successfully guess simple passwords.

Also, in many cases, a password breach may not just make a user’s account vulnerable on the breached site, but can also lead to their account being compromised on other sites as well (plenty of people use the same password on multiple sites).

However, there is an alternative way to interpret this data. Although there is no way to verify this, it could be the case that users are starting to give value to the importance of some accounts AND the security of the website associated with it. And those accounts that are of low significance (like a site they just sign up on to play a game) get simple, easy-to-remember passwords, while accounts of greater personal significance (banks, primary email, etc.) get the more robust passwords. Similarly, it could be the case that users think sites like RockYou are sketchy anyway, and thus more likely to get hacked than other more-serious sites.

So, in a way, the user could be protecting themselves from a site breach. I know I wouldn’t care if I had a RockYou account and the site got breached since I wouldn’t really use that same password anywhere else important. It may be annoying, but it is much better than knowing that my super-secret 28-character password is sitting on some stranger’s computer simply because somebody left the door open.

So if you think of this report from the perspective of users managing risks reasonably instead of users being victimized, it almost makes sense that 29,000 people had ‘123456′ as a password.

According to a new article on TechTarget, a study by the Ponemon Institute has revealed the cost of a data breach has increased once again, to $204 per compromised record. The study is available for download at http://www.encryptionreports.com/ after giving away some personal details.

The “Fifth Annual U.S. Cost of Data Breach Study,” funded in part by encryption vendor PGP Corp., determines the annual cost of the breach by establishing a company’s cost of lost business as a result of an incident; expenses incurred by notifying individuals and authorities of a breach; costs associated with legal fees and consulting firms and new investments made in technology and employee education.

In our down economy, it is interesting that the cost of data breaches have been rising for five years running.  If I were cynical, I might suggest that one of the reasons for the constantly increasing costs in this study is the partnership with PGP, who sells products designed to protect you in the case of a lost laptop or storage device.

That said, I’m not even sure that those items above can accurately represent the cost of data breaches, especially in certain environments.  The loss or damage of reputation caused by a data breach can be so devastating that the monetary cost can’t even be calculated.  If you don’t know what I’m talking about, what is the first thing that comes to your mind when I mention Heartland Payment Systems, TJX, or the Department of Veterans Affairs?  These organizations have suffered tremendously because of wide (and widely publicized) data breaches.  Imagine the firestorm of criticism if some of the most trusted companies were to suffer data breaches along the lines of Heartland’s breach?

In addition to the loss of reputation, what are other costs of data breaches that the Ponemon study doesn’t reveal? Let us know in the comments.

Verizon Business has released their 2009 Data Breach Investigations Report [pdf] and an accompanying blog post.

2008 was a crazy year in the world of data breaches… The percentage of breaches in our caseload involving financial service organizations, targeted attacks, and customized malware all doubled in 2008. It’s sure to win me the “Captain Obvious Award” from the Securitymetrics list, but organized crime activity increased and was responsible for over 90% of the 285 million records compromised.

The report is sure to be a good read. We linked last year’s report, and this year’s report has some improvements–it is based on more data was collected more often, and goes into a lot more detail than the previous report. 285 million is a lot of compromised records. Wonder if mine was one of them.