Shostack + Friends Blog Archive

 

Beat To The Punch

Yesterday, Sammy Migues talked about the risk of too much risk management. The only problem is that he completely misused the term Risk Management. I was all set to post a rant about that here, and in fact spent far too much time last night writing up a response. In the meantime, the Hoff and […]

 

Breach reporting rates

Adam’s comment to my previous post prompted me to think about breach reporting rates again. Above, there’s a slide (click for a larger image) from the presentation I delivered at FIRST 2007. It shows the breach reporting rate for different time periods, from different sources. I think the results are pretty interesting when combined with […]

 

Disaster Preparedness by Conair

Mini-me guest posting on The Guerilla CISO tells us all some hard learned lessons in Data Centers and Hair Driers. In it we learn (yet again!) that Disaster Recovery/Emergency Response/Business Continuity rely heavily on documentation, process being followed and above all regular testing. Regular testing is more than just practicing via drills or table top […]

 

15-30 dataloss incidents daily, sez top Fed cyber-beancounter

The Office of Management and Budget issued a memo in July 2006 requiring agencies to report security incidents that expose personally identifiable information to the U.S. Computer Emergency Readiness Team within one hour of the incident. By June 2007, 40 agencies reported almost 4,000 incidents, an average of about 14 per day. As of this […]

 

Emergent Breach Analysis

When I started blogging about breaches and breach notices way back in early 2005, a number of friends wrote to say I was sounding like a broken record. They were right, and at the same time, I felt there was something really big going on, and I wanted to push it and shape it. Over […]

 

Beer For a Laptop

A New Zealand company is offering a lifetime supply of beer if someone gives them their lost laptop. See the BBC, “NZ brewery offers beer for laptop.” Thanks to Phillip Hallam-Baker for the pointer. We are indeed happy, and would analyze the clever marketing, ROI on investment, and emergent chaos of the barter system, but […]

 

FEMA’s Fake News Conference

In light of FEMA using our tax dollars to stage a fake news conference, I’d like to take a moment to assure you that none of the Emergent Chaos combo works for the Burton Group, and any softball questions in our interviews are just because we like them. Photo: FEMA news conference, AP. [Update: We […]

 
 

What Would One Actually Do With A Persona?

I asked Bob Blakley and Mike Neuenschwander some questions about Limited Liability Personae. Rather than focusing on the implementation, I wanted to talk about the high level purposes, as well as concerns that most people have with the idea of a persona. Whenever I discuss personae, there are issues that frequently come up, for example: […]

 

Should Email Address Breaches Be Notification-Worthy?

Brian Krebs raises the issue in his column in the Washington Post, “Should E-Mail Addresses Be Considered Private Data?” The question raises some fascinating economics questions and a possibly unique opportunity for interesting information security signals: A database of e-mail addresses and other contact information stolen from business software provider Salesforce.com is being used in […]

 

Visa says TJX Impacted 94 million accounts, $68MM+ in fraud

“Although TJX suggests that the breach only affected approximately 45.7 million accounts, in fact the breach during a period of 17 months affected more than 94 million separate accounts. To date, Visa has calculated the fraud losses experienced by issuers as a result of the breach to be between $68 million and $83 million on […]

 

Ceremony Design and Analysis

Carl Ellison has been doing some really interesting work on what he calls Ceremonies: The concept of ceremony is introduced as an extension of the concept of network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band […]

 
 

With p=.7, Breach Costs Will Fall by 2009

There’s an article over on Tekrati, “Cost of a sensitive data breach will increase 20 percent per year through 2009, says Gartner.” Near as I can tell, this is the sort of half-thought through analysis which Gartner sometimes spews, to the great detriment of their reputation. (To be fair, I can only see what other […]

 
 

The Pogues Show

What an amazing show. Shane MacGowan slurred a lot, but I just couldn’t care when he sang ‘Brown Eyes’ or ‘The Greenland’ or ‘The Sick Bed Of Cuchulainn.’ They’re touring the western states. Photo: “The Pogues in Seattle on October 17, 2007 – first show of US tour” by Dan10Things.

 

Laboratories of Security?

There’s a story in USA Today, “Most fake bombs missed by screeners.” It describes how screeners at LAX find only 25% of bombs, at ORD, they find 40%, and at SFO, 80%: At Chicago O’Hare International Airport, screeners missed about 60% of hidden bomb materials that were packed in everyday carry-ons — including toiletry kits, […]

 

Breaches: Coverup & Disclosure

There’s an interesting case of breach non-disclosure documented in the Edmonton Sun, “Privacy breach at MacEwan.” It’s interesting for a few reasons. First, the breach wasn’t disclosed: MacEwan College was cited in the auditor general’s report this week after a tipster told the AG’s office about the security breach in 2006. It mirrored access problems […]

 

What's an Identity Oracle (LLPersonas)

Adam: So you say “my oracle.” Who is that? Is it an entity which I control? To be cynical, how does ‘my identity oracle’ differ from Choicepoint? Bob Blakley: My oracle most assuredly does not belong to me. It’s a commercial enterprise. It differs from Choicepoint in that it has contracts with its data subjects which […]

 

How to Better Cite Blogs

Via BoingBoing, we learn that the NIH has a guide to citing blogs. Cool! Respectworthy! And a little lacking as a citation format. Here’s their first sample: Bernstein M. Bioethics Discussion Blog [Internet]. Los Angeles: Maurice Bernstein. 2004 Jul – [cited 2007 May 16]. Available from: http://bioethicsdiscussion.blogspot.com/. There are at least two major problems with […]

 

Egggsellennt!

I, for one, salute our entropy-increasing overlords….but I must confess to being mystified by this press release.

 

More on LLPersonae, Identity Oracles, and RCSL

Adam: But applying for a job is exactly what you describe, “organizations with whom you don’t have a lot of history and interaction.” For an awful lot of people, they apply for jobs broadly. One cashiership is as good as another. And there are a lot of places where I’d like to protect my privacy. […]

 

TSA Violates Your Privacy, Ties themselves in Little Knot of Lies

There’s a story in InformationWeek about the latest TSA privacy violation, “TSA Promises Privacy For Subjects Of Clothing-Penetrating Scans:” “We are committed to testing technologies that improve security while protecting passenger privacy,” said TSA administrator Kip Hawley in a statement. “Privacy is ensured through the anonymity of the image: It will never be stored, transmitted, […]

 

Limits of Limited Liability Personas?

Adam: I have some cost questions, but I think more importantly, this can limit my exposure to, say, a credit card, but I can get most of this without paying Delaware a couple of hundred bucks. I get a PO box, a limited credit card, and a voice mail service. What’s the advantage that’s worth […]

 

Bob Blakely on the LLP

Adam: The LLP is a great analogy because that’s exactly what the Limited Liability Partnership was, and is, for: controlling liability in transactions. The growth of the limited liability corporation allows me, as an investor, to invest a set amount of money, and know the limits of my exposure to management errors. But I can’t do […]

 

Mike Neuenschwander on Limited Liability Personas: Intro

I was deeply intrigued when I read an article in the New York Times, “Securing Very Important Data: Your Own.” Mike Neuenschwander of the Burton Group proposed an idea of “limited liability personas.” I thought this was so cool that I emailed him, proposing we interview him for the blog. He’s agreed, and here’s part […]

 

Breach Laws Charts

At The Privacy Symposium that Harvard Law just held, I had a fascinating conversation with Julie Machal-Fulks of the law firm of Scott & Scott. Scott and Scott have published a one page breach laws chart, with just five variables. Julie Brill of the Vermont Attorney General’s office also mentioned that she maintains a chart. […]

 

Bank Note of the Year

Who knew there’s an International Bank Note Society? Or that they have a prize for best bank note of the year? This year’s winner is the “1,000-franc note issued by the Banque Centrale des Comores, the central bank of the Comoros, an archipelago located between Madagascar and the east coast of southern Africa.” Don’t miss […]

 

Emergent Breasts Handled By Ohio’s Finest

Yesterday CNN reported that while Ohio State Representative Matthew Barrett was giving a presentation to a group of high school students, a photo of a naked woman appeared instead of the expected graphic. The State Highway Patrol seized the USB drive containing the presentation and in less than 24 hours determined that the image had been […]

 

EWeek on The Gap Breach

Lisa Vaas has a great article in eWeek, “Let’s Demand Names in Data Fumbles” That unnamed vendor should indeed be taken to task. The Gap is now in the process of contacting an enormous number of people in the United States and Canada whose information may have been compromised, and it’s providing credit reporting services […]

 

Sammer at Officer Candidate School

Those of you who don’t know Sameer Parekh can ignore this message. For those of you who do, he’s joined the Marines and is attending Officer Candidate School, and would appreciate your letters: He does not have access to email or phone. Please send him snail mail (US mail) as often as you can. He […]

 

Looking for a challenge? Life dull?

If you need a change in your life, consider this job posting: Title: IT Security Architecture Manager Needed Company: TJX Companies Location: Framingham, MA Skills: Very strong technical security background in both the mainframe and distributed environments. Term: Full Time Pay: DOE Length: Full Time Detail: TJX Companies is seeking an IT Security Architecture Manager […]

 

Blogging @ Work: Blue Hat and Threat Modeling

BlueHat 6 was a great event. I had a really good time listening and talking with the attendees and speakers. The team is also looking to share a lot more about what’s happening, and one way they’ve done that is to open up their blog to speakers. There are posts from Rain Forest Puppy, Halvar […]

 

Connecticut Sues Accenture over Ohio Breach

As reported in the Scott and Scott Business and Technology law blog: Connecticut hired Accenture to develop network systems that would allow it to consolidate payroll, accounting, personnel and other functions. Information related to Connecticut’s employees was contained on a data tape stolen from the car of an Accenture intern working on an unrelated, though […]

 

Best Comment in a Long Time

Ian Rae comments “I think Apple demonstrated quite convincingly their inability to compete with their own proprietary hardware and software platforms.”

 

Apple’s Update Strategy is Risky

On Saturday I was going to a party at an apartment building. The buzzer wasn’t working, and I took out my shiny new iPhone to call and get in. As I was dialing, a few young teenagers were coming out. They wanted to see the iPhone, and so I demo’d it in exchange for entry […]