Corporate Information as Reverse Spam


From the NYT – Firms Fret as Office E-Mail Jumps Security Walls.

A growing number of Internet-literate workers are forwarding their office e-mail to free Web-accessible personal accounts offered by Google, Yahoo and other companies. Their employers, who envision corporate secrets leaking through the back door of otherwise well-protected computer networks, are not pleased.

And it goes on about how the suspender-snapping punch-card set is all wound up because the people they hired are trying to work. And that their remote access solution probably sucks and doesn’t meet their needs. You can go out and buy some sort of reverse spam filter that will process all the outbound e-mail for your corporate sensitive words. Once the offender is identified, you can then go mete out punishment. Of course you’ll have to be watching for false positives. It’s hard enough to create an accurate spam filter with the huge sample of spam processed through it, can you correctly identify all the corporate Type 1 and Type 2 errors?
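To make the Type 1 / Type 2 point concrete, here is an added toy version of that outbound "reverse spam filter" (not from the article or any product), scored against a constructed, hand-labelled sample of outbound mail so both error rates are visible:

```python
import re

# Constructed, hand-labelled sample of outbound mail (not from the post).
# Second field: True if the message really carries corporate-sensitive data.
OUTBOUND = [
    ("Attached: Q3 revenue projections. Internal only.", True),
    ("Merger memo attached, confidential until the board meets.", True),
    ("Sending the comp spreadsheet to my gmail so I can finish it tonight.", True),
    ("Keep it confidential: the surprise party for Dana is Friday.", False),
    ("Lunch on Congress Ave at noon?", False),
    ("Can you resend the link to the all-hands recording?", False),
]

# The "reverse spam filter" reduced to its essence: a list of
# corporate-sensitive words matched against every outbound message.
SENSITIVE_TERMS = [r"\bconfidential\b", r"\bprojections?\b", r"\bmerger\b", r"\binternal only\b"]
SENSITIVE_RE = re.compile("|".join(SENSITIVE_TERMS), re.IGNORECASE)


def flag_message(text):
    """Return True if the filter would hold this message for review."""
    return SENSITIVE_RE.search(text) is not None


def evaluate(messages, flag=flag_message):
    """Score the filter. Type 1 = harmless mail wrongly held (false positive);
    Type 2 = sensitive mail that slipped through (false negative)."""
    tp = fp = fn = tn = 0
    for text, sensitive in messages:
        flagged = flag(text)
        if flagged and sensitive:
            tp += 1
        elif flagged and not sensitive:
            fp += 1
        elif not flagged and sensitive:
            fn += 1
        else:
            tn += 1
    harmless, sensitive_total = fp + tn, tp + fn
    return {
        "true_positive": tp, "false_positive": fp,
        "false_negative": fn, "true_negative": tn,
        "type1_rate": fp / harmless if harmless else 0.0,
        "type2_rate": fn / sensitive_total if sensitive_total else 0.0,
    }


if __name__ == "__main__":
    for text, sensitive in OUTBOUND:
        print("HELD" if flag_message(text) else "SENT", "[sensitive]" if sensitive else "[harmless]", text)
    print(evaluate(OUTBOUND))
```

The comp spreadsheet headed for a personal account contains none of the listed words and sails through, while the surprise-party note is held; the word list catches vocabulary, not data.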

The real answer is in the comment in last paragraph of the article:

“We have as high a security standard as any company,” said Ms. Bargero of Sendmail, “and sometimes it is just too difficult to access our e-mail.”

Bingo. If you design a system that is usable, you might not have this problem.


Canadian Breach Notification

From Emergent Chaos, a link to the paper “Approaches to Breach Notification” from the Canadian Internet Policy and Public Interest Clinic. I’ve been spending this frosty MLK Day afternoon looking it over. I really dig this approach:

Generally, the affected organization is in the best position to calculate the associated risks of a breach of its information security and should be entrusted with this determination. However, there should be a requirement that every breach involving defined personal information be reported to the Privacy Commissioner, with full information about the nature and extent, the anticipated risks, mitigation measures, steps taken to notify affected individuals or, where notification is not considered warranted, the justification for not taking this step.

This seems to be a reasonable approach to prevent blanketing of potential victims with notices of low-risk data loss events. The Commissioner can evaluate the organization’s risk assessment to filter for the Excessive Butt Coverage Risk Assessment Methodology. *

The recommended contents of the notice would help, notably the time and method of the disclosure. I’ve seen notices with the vague “may have been accessed by unauthorized individuals” which offer the potential victim no real way to assess the damage.

*EBC-RAM is a Full-Custom Chrome-Plated Methodology with a burled walnut finish (optional). Patent pending, R. Dutcher Stiles, 2007

Edit to add that Educated Guesswork has a very cogent analysis of the article.


Finders Keepers

Corporations lose data in a variety of ways, with impacts to the organization and to the privacy of individuals.

The view from the vantage of the threat actors becomes a bit clearer when the lost data is identified simply as contraband. Once the information has sloughed off the bonds of the corporation, it has no legitimate purpose*. Analogies to the illicit drug trade are both illustrative and fun.

Misplacing Your Assets
The Pawn Shop Lost Laptop with Millions of SSNs = Second Hand Escalade with G Pack of Yellow Tops in Door Panels
In this instance, the possessor of the item is not aware of its contraband contents. If he does discover the contraband, and he is a good citizen, he destroys it. No one would believe the innocent way he came to possess the contraband, and since he is not in the game, there is no easy way to convert it to cash. The contraband is useless, and the prior owner (Escalade gangster / VA administration) need not be concerned with dilution or market / rampant identity theft. Is there a countermeasure for absent-mindedness?

Theft
Hijacked Ground Stash = 0day Exploit on Corporate Server
The skilled threat actor knows where the contraband is, steals it, and converts it to cash. Outmoded models of the hacker as the intellectually curious, yet socially maladjusted prankster are fading even from CISSP training manuals. See Krebs and Omar Little for examples. What’s the countermeasure? Awareness and solid operational security.

Insider Fraud
Shorting the Count = Podslurping**
With means and opportunity, the insider can palm a few bills, snake a couple vials or pop a portable hard drive into a workstation. The countermeasure is the same: a well enforced security policy. “The count is right” is a street version of a completed GLB questionnaire. Corporations have some advantage over the corner, since the insider motive is dependent on the ability to turn the contraband into cash.

*Focussed on NPI and trade secrets. Could be that digital entertainment could serve a social purpose, but that would require more twists in my already contorted argument.
** I hate this unfashionable term so much, I am compelled to use it.


Now That’s What I Call Fraud By Impersonation! COED EDITION!


NY Post story on mysterious fraudster coed.

“All she took was her cat, her toothbrush and her brushes and combs – anything with DNA on it,” he said.

Man, I try to keep my DNA away from my cat.

From the Chronicle of Higher Ed’s news blog.

(photo courtesy Fritz & Julie Beth)


Provably Private?

From the Guardian, I read this curious article on privacy and contextual integrity.
“Linear temporal logic,” eh? I wish I could groove to what that means. So I read Wikipedia, then I started researching the folks mentioned in the article, finding the paper mentioned in the Guardian article: Privacy and Contextual Integrity: Framework and Applications.

Two things I liked, from what I’ve been able to digest so far (but I’m a lover, not a logician, so I am likely indigesting as well).
First:

“Unlike a number of prominent normative accounts of privacy, the approach taken here rejects the idea that a simple dichotomy-usually between public and private (sensitive, intimate) information-is sufficient for adjudicating privacy claims. Instead, there is potentially an indefinite variety of types of information that could feature in the informational norms of a given context.”

That sounds right to me, but I’m going to have to read more to make sure I fully understand whether the words mean what I think. I also really like the idea of time as a factor to enter into the privacy question.
I also found figure 4 irresistible and disturbing:
Irresistible? Because I like the idea of the fistful of regulations and laws boiled down to a set of numbers, letters, (and especially) symbols.

Disturbing? Because it looks too much like compliance. Wrestling the GLB down to a series of equations is noble and mostly cool. However, if it falls into the wrong hands, it could launch a raft of ill-advised applications that get the auditor’s seal of approval, are “provably compliant” and yet don’t do much in the way of privacy. (This is a knee-jerk reaction.)

The paper covers the US privacy law hit parade (COPA, HIPAA, GLBA), but wait! What about everybody’s favorite – SB 1386?

“Finally, our current language faces a limitation common to many policy languages. Consider SB 1386, a California law requiring businesses that inappropriately disclose personal information to notify the subjects of the information. This provision cannot be expressed properly in the language because it takes effect only when an agent violates norms. In our model, agents never violate norms and thus would never be required to notify individuals. However, such notifications are common in California. To express such “defense in depth” provisions, we plan to extend our model to account for agents who occasionally (perhaps unintentionally) violate the norms. We expect this to require modifications to the current logic.”

Hmmm.


Grackles in a Pancake Mine!


This morning, city officials decided to shut down a significant portion of Austin’s central business district due to the discovery of a covey of dead birds.

Meanwhile, Gotham panics when confronted with a strange pancake smell.

I’m not going to second guess the response to the pile of avian rats on Congress Ave. Nor will I try to determine which eldritch spell summoned from the Permian Basin was used to extinguish these fowl lives.

I will however, try to figure out under what circumstances a bunch of dead birds would require the closing of a central business district. What sort of risk assessment process went on here?

1. PANDEMIC! O.k., the birds may have had a virulent version of avian cedar fever. Some of the carcasses have been sent to our Aggie brethren to be tested for bird flu. We’ll get the results in a week or so. Then we will close Congress Ave. again? If the folks in the hazmat outfits scooped up the carcasses, pureed them, placed them in 3 oz bottles and placed them in one quart zip top bags, what is the risk?

2. NERVE GAS ATTACK! Then these truly were the grackles in the coalmine, who gave their lives for us. Only the bad guys released the gas at 3:00 am on a Monday morning. They should at least wait until the Lege is in session, so as to terminate some Bees as well as birds.

3. A DISTURBING MESSAGE IS BEING SENT! – Homeland Security necromancers find an ancient passage in the code of federal regulations that speaks ominously of the scents of phantom flapjacks aligning with the mass suicide of capital city trash birds. Maple Alert!

4. JUST ANOTHER GRACKLE MUNDY – My just-don’t-have-to-work day.

5. YUPPIE TERROR – Rich fella or fellette from out-of-state, encountering the foul stench of grackle fecal splatter, sets out a Williams-Sonoma bowl of hand-tooled Vermont pigeon poison. Problem solved. (A real Austinite, or any grad of University of Texas would use a shotgun, just like the pros.)

So what did we learn? I’ll have to think on that some more.

photo courtesy of Ikayama


Hostage as Asset


Reading Two Wheels Through Terror by Glen Heggstad. A cracking adventure story of the author’s attempt to ride his KLR 650 from his home in Palm Springs to Tierra Del Fuego and back. I’m not yet finished, but have completed the chapters that relate his trip from Bogota to Medellin with a side excursion through the countryside courtesy of the Ejercito Liberacion Nacional, a notorious and merciless Colombian guerilla outfit.

Heggstad has to make some tough risk assessment decisions during the course of the ordeal. Maybe there’s a lesson here, maybe not.

The Risk of Riding from Bogota to Medellin
Heggstad mentions his inability to get any reliable information on the condition of the roads despite talking to locals and reading the papers. He saddles up his Kawasaki, and presses on. After the pavement ends, he is pulled over at an ELN roadblock and taken hostage.
The risk issue? Heggstad, by nature of the fact he’s riding a motorcycle through Colombia, has a healthy appetite for risk. These risks he largely mitigates through his personal toughness, experience and cunning. He is aware that he is riding into an area of high frequency, high impact risk. So he gets pulled over by a couple dozen men dressed in black carrying rifles.
Hostage as Asset
The more interesting dynamic is between hostage-takers and hostage. To the hostage taker, the hostage is the primary asset. It decreases in worth if damaged beyond repair, or if destroyed. At the same time, the hostage is also your principal threat actor. Hostages will make every effort to escape your control.
As a hostage, your primary asset is the same as your adversary’s – your own health and well-being. However, you are primarily focussed on changing your situation, i.e., no longer being a hostage. Heggstad attempts to escape, gain information, and persevere until the opportunity arises for his escape. The turning point comes when he realizes that the primary asset the ELN is willing to protect is in his control: he sabotages his own health and effects his deliverance from his captors.

There’s a privacy corollary here somewhere, where corporations, information brokers, and credit bureaus are information kidnappers, and your personal information is the hostage. You are the asset, and the healthier you are the happier the kidnappers. These institutions are not always working in your best interest. However, there isn’t the “sticking a key in your nose until you bleed and enter a hunger strike and you get a mule ride to the Red Cross” sort of way out for the private individual.

I probably need to think on this more.


The Lost Wallet vs. The Mugging

According to the new round of disclosure laws that sprouted up out of state houses in the past couple years, if an outfit loses your data, they ought to let you know. The notice is familiar to just about anyone who has either attended an institution of higher education, applied for credit or been issued a Social Security card.

“Dude –
We lost your information in a way we may or may not describe to you.
Sorry.
Love,
The Man”

The Dude reads the letter, cusses, and hopes for the best.
Of course this doesn’t work in the real world. Consider the alternative:
Dude loans his ATM card to his buddy to grab a sixer and pack of butts at the Sunshine Mart. Bud comes back with neither the card nor the highly taxable products. The Dude has some key risk assessment questions to ask, primarily, “Did you lose it, or were you mugged?”

This question is key, and when extrapolated to the Man’s letter, exposes why disclosure laws generally suck in protecting the Dude. The Man isn’t required to fess up as to the how and who of the incident, so the Dude can’t make an informed decision. Does he call up the bank, cancel the card, bum butts and distill moonshine until the bank gets it all figured out? Or does he ask Bud to go crawl back into the Chevette and dig around between the seats?

SB1386 and its cousins don’t require the Man to give the Dude enough information to make an informed decision. There’s a difference between privacy and compliance. Compliance can really suck.


Initial Post

The initial post for this blog. A place where I plan on documenting my thoughts on privacy, security, and the world in general.
