Data Thefts Triple This Year?

So says USA Today, in “Theft of personal data more than triples this year.” A few small quibbles:

  • I’d prefer if Byron Acohido had said “reported” thefts
  • It’s not clear if thefts or reports tripled. I suspect the reports, but proving that would be tough.

Both of those things said, it’s a good article, and helps get the word to a much wider audience.

Congratulations to the folks at attrition whose data is quoted. I think they do great work.

One other quick comment, I expect someone will do some simple math, and note that 162 is more than half of 300, and jump to the conclusion that “more than half of all Americans had their data stolen.” This would ignore that 25mm of those records were in the UK. Even if that were not the case, odds are some people have had their data stolen repeatedly, and are thus multiply represented.

The Emergent Chaos of the US Presidential Campaign

This New York Times really is interesting. It’s all about how candidates are losing control of their campaigns, and they’re in a new relationship with emergent phenomenon on the internet.

Now, as we come to the end of a tumultuous political year, it seems clear that the candidates and their advisers absorbed the wrong lessons from Dean’s moment, or at least they failed to grasp an essential truth of it, which is that these things can’t really be orchestrated. Dean’s campaign didn’t explode online because he somehow figured out a way to channel online politics; he managed this feat because his campaign, almost by accident, became channeled by people he had never met.

Meanwhile, those candidates who have amassed roomfuls of well-paid online experts have frequently found themselves buffeted or embarrassed (or sometimes both at once) by mysterious forces outside their grasp. (“The Web Users’ Campaign,” The New York Times.)

Stupid Safety Feature Of The Week

I love my Prius. It’s fun to drive, eco-friendly and even has lots of geek appeal. However it has one incredibly moronic safety feature which I was reminded of while driving through the snow the other day. Now I have the base model which means I don’t have fancy features like the automatic skid prevention. Instead, what I have is a flashing light. When the wheels lose traction, a little icon starts flashing on the dashboard. Now that’s what’s useful, a distraction as the car starts to slide. More of a danger than anything else. Maybe next time, they can add an audible alarm as well. Then the car will feel even more like an airplane cockpit….

CA1386 meet AB1298

Life is about to get a lot more complicated for companies that do business in California. I completely missed this getting signed back in October, but on 10/14, the Governator signed AB1298 which updates CA1386 to mandate that medical and health insurance policy information also are to be treated as PII. To say that this is a huge quantity of information that now needs to be encrypted is an understatement. To make things even more challenging for companies that handle this sort of data, AB1298 goes into effect on January 1, 2008, lots of folks are going to be scrambling to implement encryption or be crossing a lot of fingers and hoping they don’t have a breach before they can come into compliance. It will definitely be interesting to see who publishes a breach first and if these new breaches follow the trends of the breaches we’ve already been seeing with financially oriented PII. It should also be interesting to see if any of the other 39 states (and Washington DC) follow suit and if so, how long it takes for them to do so.
[via the IAPP and Rebecca Herold]

Working on the Traveling Band

traveling-band.jpgIf you travel a lot, you’re used to dealing with many network difficulties. For a while now, I’ve been traveling with an Airport Express, which has made life a lot easier. I set it up to use DHCP, plug it into the hotel Ethernet, and go. At the very least, it means I can work from the bed, rather than from a desk that is inevitably at the wrong height.

Even more so, I now travel with at least three devices that have WiFi — my laptop, my phone, and my iPod. I travel about half the time with my SO, who also has a laptop and an iPod with a network. I said “at least” because I also have a Nokia slate, which is a specialized device (I lug it along when I don’t want to lug a laptop, for example).

Also, for some reason the better the hotel you stay in, the more they charge you for Internet access. Sleep in a cheap hotel, and the network is free. Stay in an expensive one, and they charge you $10 to $15 a night. Stay in the UK, and you can face £18 a day for your net.

This is changing. Ramada and Radisson, are doing a lot of free Internet. Fairmont gives free Internet to their President’s Club members (no better reason to join, for me). However, this still means that you have to figure out how to share your one obscenely expensive net connection with the coalition of devices in your room.

However, another way that this is changing is that there’s more and more wireless going into hotel rooms, and less wired. For us, wired is good, because you just plug a basestation into the net and you go. But with wireless, you need a basestation that listens on a wireless connection while re-broadcasting another.

For quite some time, I’ve been complaining that the appropriate router doesn’t exist. A few weeks ago, however, a friend told me about the D-Link DWL-G730AP, which purports to do what I want. I also found on my own research the Linksys WTR54-GS. They appear on the surface to be mostly equivalent. The Linksys comes in a compact package that has an AC plug bundled into the unit. The D-Link has a separate transformer, but can also be powered from USB.
I ended up getting the Linksys. The deciding factor was that both units have manuals on the web, and the D-Link manual is a high-level installation guide that describes several possible configurations, but the one I want is missing. The Linksys has a detailed manual that tells how to set it up from its internal web server, do MAC address spoofing, port mapping and redirection, and so on. A manual that told how to set up what I want was the clincher. I bought it right before a trip to the UK, and wanted to avoid buying wireless access.
There are a couple of annoying things about the Linksys. It cannot be a client onto a secured network, which meant that I didn’t set it up before I left. I would have taken time I didn’t have to pull the “security” off of my my G network to experiment. (It’s just WEP, hence the quotes around “security.” I consider it a no-tresspassing sign.) Once in a hotel, I have not yet figured out how to put a password on the network it broadcasts. Each of my attempts resulted in having to hard-reset the device. It has a nice, convenient hard-reset button. On the other hand, I’ve been busy and in various stages of sleep-deprived brain damage, so I don’t know that it’s their fault that I haven’t figured it out. I settled for hiding the SSID. I don’t actually care if someone mooches on my hotel wireless, if they leave enough bandwidth for me.
If the D-Link will work as a wireless-to-wireless router, it has an advantage over the Linksys in being USB-powered. That means you can easily plug it in to your laptop while using paid wireless, and rebroadcast for your phone or iPod or SO. I just don’t know that you can. If someone has a definitive answer, place a comment below. If you’re from D-Link and reading this, make a note that you lost a sale solely because your manual confused me.

Thoughts on "Internet Miscreants"

I’ve been thinking about Franklin, Perrig, Paxson, and Savage’s “An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants” for about three weeks now.
This is a very good paper. For the infosec empiricist, the dataset itself is noteworthy. It consists of 13 million public IRC messages (that is, in-channel stuff, not PRIVMSGs) obtained from several networks and channels, collected over a 7 month period. These messages contain sensitive information (such as PII) and offers to sell various illicit goods. The authors provide no information concerning the process by which the IRC networks and channels were selected for monitoring, a matter which may be relevant for those seeking to replicate their findings. For the CS crowd, they use a nifty machine-learning technique to identify and categorize messages which are advertisements.
The authors are able to present a number of fascinating descriptive statistics about the market they study, including the number and activity level of market participants, price history, measures of flow of goods into the market, statistics on which goods are offered for sale most often, etc.
This paper has gotten some attention in the trade press because it discusses methods which could potentially be used to disrupt this IRC-based underground economy. In a nutshell, the key is to make it impossible to tell good sellers from bad, thereby deliberately creating a market for lemons and driving out customers.
Ultimately, there are way more questions than answers. This has nothing to do with the paper, which is excellent. It has to do with disciplinary maturity, which we in information security lack, and with quality data, which we lack even more.
But dwelling on the positive for a moment, it is interesting to consider what we might be able to investigate using a dataset like this. At a macro level, we might be able to observe the price reaction given a sudden increase in supply. For example, if we have independent confirmation that at a particular time 100 million credit card numbers became available for sale, it would be interesting to see if this was followed by a drop in the asking price, and if so, how large a drop.
Even more interesting: if we already have an idea about the elasticity of price with respect to supply, we can estimate the size of the market based on observed price movements given a supply shock of known size. If, similarly, we observe an unexplained drop in price, we may presume that an unreported supply shock has taken place. This is an indirect estimator of the amount of the personal information iceberg existing below the waterline. Cool!
There’s also a certain practical value. Consider the recent UK data breach. Already, there are reports that personal information from this incident are appearing on the underground market. Franklin, et. al. have provided us with an estimate of how much traffic in UK PII existed prior to this breach. The same surveillance techniques which informed their analysis are undoubtedly still under way today. Perhaps three, six, or twelve months from now a second analysis will show a dramatic increase in the amount of UK PII flowing through the market. The policy ramifications of knowing how great the lag is between PII being pilfered and its appearance on the market are significant. What use is a twelve month credit freeze, for example, if the lag is 24 months?
A final question that data like this can help answer concerns the relationship between breaches and identity theft. Since British banks reportedly are balking at monitoring all the accounts involved for fraud, this opportunity may be squandered. I commented on the important role banks could play back in June:

One way to estimate the extent to which having your PII exposed in a breach increases the probability of your becoming an identity theft victim is to watch for the exposed data elements using a fraud detection network
Other than using banks as a focal point and having them report on fraud using these stolen elements, I cannot think of another way.
I suppose one could try to determine whether the stolen elements were in the inventory of any black-market sellers, but I do not see how one can gain access to their inventory information. It’s clear that the illicit trade in this stuff is non-trivial, but I honestly do not know that we have anything approaching a comprehensive picture of the landscape.

(emphasis added)
I now see that I was overly pessimistic in my last two sentences, and I am thankful for that.
Let me close with a quotation about price data which reflects my current mood:

Certainly they tell us a great deal, some but not all of
which is reflected in policy debates.
At the same time much remains unknown. Given the number of instances in which deductive
arguments have been promulgated with great confidence only to be refuted by empirical
evidence, it seems wise to be somewhat cautious in drawing conclusions that go beyond the
scope of the data.
Although some of what is not known is probably unknowable–at least in the medium term–there
are considerable opportunities for expanding the range of questions that have been addressed
empirically. Price data are much more accessible than data pertaining to prevalence or quantity.
A relatively modest investment of resources could substantially increase both the quantity and the quality of the price data available for analysis.

This observation is from “What price data tell us about drug markets”, a 1998 paper. I fervently hope its applicability to the information security world is demonstrated by a stream of papers stimulated by Franklin, et. al.

Toasting Repeal Day

Today marks the 64th 74th anniversary of the repeal of Prohibition in the United States.

For 14 years, Americans were unable to legally have a drink. This led to a dramatic growth in the acceptance of organized crime and violence. Al Capone made his money in the demon rum, and was willing to fight for income and market share. It led millions of otherwise law abiding Americans to speakeasys. The imposition of controls made the problem worse.

Back then, Congress had the wisdom and backbone to recognize a broken policy when they saw it, and passed the 21st Amendment to repeal prohibition.

An awful lot of chaos emerged from that day. People can now buy a staggering variety of vodkas, all perfectly identical in taste. There are thousands of wineries, all around the country, some internationally famous, and others providing great value wines. There’s a movement for the quality brewing of beer, ranging from stores providing everything you need to brew at home to Michelob trying to redefine their industrial process as craft brewing.

So raise a toast to the fact that you can buy booze from a wide variety of producers, and forget, for a moment, the worries of the day.* Enjoy the blessings of liberty which the Constitution aspires to, and hope that they’ll be expanded one day to the entire United States, to our youth, and to a wider variety of intoxicants.

Image: Enoteca, by Conmani, via

* Void where prohibited by law. Advice not intended for people under 21. Emergent Chaos encourages you to enjoy our products responsibly.

[Update: I can’t subtract. Thanks, Puck!]

Book on Boyd

osinga-boyd.jpgFrans Osinga’s book on Boyd, “Science, Strategy and War: The Strategic Theory of John Boyd” has been issued in paperback. Previously, it was $90 for a copy. The new paperback edition is $35.95, and is easily worthwhile at that price.

Science, Strategy and War is an academic analysis of the John Boyd’s thinking and its origin. It may not be as good an introduction as Coram’s book but it goes into far more detail about the theories he put forth, challenges narrow views of them, and provides a degree of academic respectability the work hasn’t previously had.

Via Global Gureillas.