Archive for the ‘Stealing Stuff’ Category
Salvation Army: leaking data and giving people crabs
The trouble with buying stuff used is that you never know what the last person who had owned the thing was up to. Sometimes you win out and the preowned factor works in your favor – like when we bought our “preowned” Wii the other week.
But on the other hand, sometimes you lose out big time – like when my neighbor back in NJ got the crabs (ewwww) from a pair of pants he bought at a thrift store. That’s no good… Seems to me like probably the least fun way to get crabs is the “used pants” route.
But then there’s this, which is a whole different category of pre-owned crazy. Turns out that this fellow (a kiwi) bought an MP3 player from a thrift store, and it turned out that it had all kinds of military data on the thing – personal data on soldiers, troop and equipment deployment information, and generally all kinds of crazy stuff. Not bad for 9 bucks.
Of course, this kind of thing happens all the time. For example, in college I bought a used Compaq “portable” (think laptop but in the form factor of a 25 pound suitcase) from my father’s work. At the time, he happened to work for a government agency (unfortunately not one of the cool ones) and of course there was all kinds of crazy data on the thing that you wouldn’t want the average citizenry to have.
But what’s interesting to me is not so much that this MP3 player is “da bomb” from a data leakage perspective, but moreso that the data was missing since 2005 and nobody knew it was out there. The scary part, in my opinion, is that the data had a good four years of floating around in the ether before anybody realized it was missing.
Scary.
TJX: Everything must go (even your data)
That’s right, you guessed it – TJX is currently holding their “we lost your data, now give us your money” sale. They’re calling it their customer appreciation sale and it’s going on right now.
Originally, the 15% off sale was supposed to be part of the settlement over the loss of all that credit card data. Turns out they didn’t have to do it, but they decided to anyway. And why not? Free publicity for their sale, and they still make money at that rate anyway. Don’t think of it as them losing your data – think of it more as them selling it in order to hold a second presidents’ day sale.
I wonder if Heartland will discount their services now too?
External Attacks – Bigger than we Thought?
For years risk and security professionals have been trying to escalate awareness about the frequency of insider attacks. We’ve been working to combat the perception that many “non-riskers” have that external pen test scans of firewalls and web applications are “cool” (heck, Harrison Ford did a whole movie on firewalls), while the responsible assessment approach – interviewing employees, reviewing policies and procedures, performing scans on internal assets, and creating risk/benefit analyses – is yawn inducing. How many times have you heard something like this: “The inside is safe, I trust my employees”?
But we know internal matters! And we’ve been pressing this point for so long that when an IBM executive mentioned that “90-95% of attacks” initiate from inside at this week’s Security Summit – no one raised an eyebrow. Yeah, yeah – we’re security people, we *know* that.
Or do we? Dark Reading just published a thoughtful piece on “Why Risk Management Doesn’t Work” and in it references both the RSA report that Ed discussed earlier this week and a Verizon report on data breaches. The Verizon report is an analysis of hundreds of actual breaches across multiple verticals.
The entire report is worth reading, but the finding that really got me checking my assumptions was this: “data compromises are considerably more likely to result from external attacks than from any other source. Nearly three out of four cases yielded evidence pointing outside the victim organization. . . . Internal sources accounted for the fewest number of incidents (18 percent), trailing those of external origin by a ratio of four to one.”
Four to one? Hmmm…that’s definitely something to think about.
Security, Economy, and Les Mis
So interestingly, we’ve been reading some articles over the past few days that are speculating heavily about what the current economic meltdown will mean to us guys over here in IT security and risk. The net consensus appears to be – with budgets shrinking and credit freezing up, spending on IT risk is going to be hard hit.
Really? We’re not so sure about that. Historically, security spending goes up when perceived risk goes up. Look at DHS in the post 9/11 era. Or your own house after a break-in. Or your company’s spending after a worm took down the mail server.
Also – what about the way spending soared after key regulations and bills were passed? While it might have been hard to sell the CEO on file/disk encryption before SB1386, et al came into effect, it became a “get it done” spend for many afterward. Couldn’t get the budget for wireless intrusion detection or application scanning before PCI? After high-profile breaches like TJX, Forever21, and Hannaford, executives freed funds and started demanding why purchases weren’t being completed and implemented fast enough. And the big Daddy of ‘em all – SOX. Implemented to, ostensibly, prevent another Enron, but in reality a huge spend in IT governance, risk, and audit.
So, sure, we agree that budgets are going to shrink overall. And that many companies will not withstand the credit freeze and financial turmoil. But for those who do – we suspect there’s going to be increased oversight (The Financial Stability Oversight Board and congressional oversight panel in the current “bailout” for example) and that’s going to translate into IT security and risk spending. Not because it’s right necessarily, but because it’s going to be mandated by overseers, auditors, and examiners. We’re in for a bumpy night.
Now this is a bit more speculative, but we could even see a direct increase in overall electronic fraud and crime given the new economic outlook. Studies show that struggling economic conditions tie directly to increased crime rates – lower wages, worse economy, more crime. So, even assuming those folks who foresee less spending are right, it could lead to higher spending once the initial hit is over. It’s like the dude from Les Mis – he was a decent guy, but needed to steal bread to feed his family. And some percentage of that crime will be electronic crime – meaning more need for risk, risk managers, and infosec.
Audit’s going up, perceived need will go up, and fraud is likely to go up. Sounds to us like business could actually boom in these conditions.
Best Western: Failboat? or just Fail-Canoe?
So, you heard about Best Western, right? The Sunday Herald originally ran the story saying that up to 8,000,000 records were impacted. Best Western says that wasn’t the case. So which is it? I’m not sure we’ll ever know. We can speculate, or dig around to try to get more data, but at the end of the day, it’s going to be hard to figure out.
Not that it matters for where I’m going with this, but my personal take is that Best Western must have some kind of leg to stand on since they put out a press release refuting the Sunday Herald story. Say, hypothetically, that the original story as reported was accurate – can you imagine the world of pain and suffering that Best Western would experience in terms of bad PR? We know from Hannaford and TJX that not much happens to you when you lose a lot of data – but if you say you didn’t lose the data and then it turns out you did? That’s like a PR bunker-bomb. So it seems to me like the stakes of the press release being false are so high that – in my opinion – it’s likely to be almost retentively accurate.
Stolen Laptops, Redux
I’ve got a question for you. What percentage of corporate laptops do you think have some sort of personally identifiable data on them? Take a second to mull that over while we go over something else.
Now, you may not remember this, but I’ve suspected for a long time that things are not what they seem in the disclosure space. I.e., do we really think that everybody who actually has a breach is disclosing the way they should?
Now, back in the day, I speculated that at least 10 percent of breaches were going unreported. Where are we now? Let’s use the same method as last time and see if the situation has gotten any better in the year or so since I last posted that.
Now, we know that the “stolen laptop” number was up to about 624,000 for 2007 (for airports alone, but let’s use that since we don’t have any better data). Now, while we don’t know whether any of those laptops had PII on them, we *do* know the total universe of publicized breaches for 2007: 446. If we assume that every stolen laptop with PII led to a breach disclosure (which it should), then we can accept that – at the very least – the total (446) represents some superset of all the lost laptops.
So, let’s churn some logic to see what we can conclude about how many of these laptops have “disclosure-requiring” data on them:
We’ll start with the (spurious, but useful for making the point) assumption that every breach was a result of a stolen laptop. Realistically, the number of breaches will include other things as well, but assuming that they’re all a result of laptops gives us a “best case” upper bound for how many are responsible for breaches.
To get to where we need to be, we figure out what percentage of the total laptops stolen were reported via breach disclosure. That number is .07% – 7 in 10,000. Which means, 7 in 10,000 laptops have PII on them.
If that’s true, it’s more likely for Joe Average to pull a full house in his next game of 6 card stud than it is for him to have PII on his laptop. Bullshiz. 7 in 10k? Not likely. In reality, it’s gotta be higher. Maybe, if you really want to get all optimistic, you might say that 1 in 100 have PII on them. Which is still an order of magnitude lower than what’s being reported.
So, really… where are we now? The only conclusion I can possibly draw is that breaches are under-reported by at least an order of magnitude – for airport laptop thefts alone. And unless I’m totally off base, it’s a common enough occurrence that it’s only a matter of time before someone gets caught failing to report. As to whether anyone will care or not – well, that’s a different question.
Strange Things are Afoot with Breach Disclosure
(Today’s topic has been brought to you by Dave N.) So, strange things are afoot at the Circle K – provided that by “Circle K” you mean “Breach Disclosure” and by “strange things” you mean “corporate irresponsibility”. Specifically, have you seen the recent statistics for how often laptops are lost? Now, while I haven’t seen an “authoritative” source for this statistic, I see 1,600 per day cited fairly often, as is 2,000 per day. Now, whether it’s 1,600 or 2,000 is irrelevant… the point is that it’s a lot.
File that number (1,600 per day) away for a minute. Now consider the number of breach disclosures reported this year. According to the ID Theft Center, the number was 138 as of the end of August. Using our figure from before (1,600 laptops stolen per day), let’s solve for how many laptops have been stolen in the same timeframe (we can assume 30 days per month here – no need to be a stickler). We get: 1600*(30*8) or 384,000 laptops stolen as of the end of August. See any kind of disparity there? Even if we assume that every breach disclosure stemmed from a stolen laptop (not the case, by the way), the percentage of stolen laptops leading to a breach disclosure is: (138/384000)*100… or .036 percent.
Now, how could it be that this number is so low? Could it be that firms aren’t disclosing when they should? Is it possible that the corporate custodians of our data are running afoul of the law – either intentionally or unintentionally? Maybe so, maybe not. First of all, not every state has a breach disclosure law – so, we wouldn’t expect that every case of exposed data would lead to notification, right? Last count I saw, it was only 23 states that had a law – just about half. So, adjusting for half of states not having breach disclosure laws – we would expect that if everybody’s reporting when they should, .07 percent of laptops contain unencrypted personally identifiable data, right? Now, I don’t have any numbers on what the actual number of laptops containing personally identifiable data is, but 7 in 10,000 seems small to me – it just doesn’t jibe with personal experience.
So, without having an estimate of how many laptops contain PII, we can’t really point an accusatory finger – other than to just say that the numbers seem “fishy”. Going by personal experience, I would think that maybe one in five or one in 10 would be more realistic… If that’s the case – if one in 10 laptops contain PII, we would expect to see 38,000 breach-disclosure incidents. Too high for you? How about 1 in 100? If only one laptop in a hundred has PII on it, we would expect 3,800 reports – meaning that over 95 percent of breaches still are unreported. But maybe I’m just being cynical…
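The back-of-the-envelope model both laptop posts above walk through (stolen laptops, disclosures, and an assumed PII rate), written out as an added example that is not part of the original posts. It generalizes slightly: the fraction of states with a disclosure law is a parameter, so the "half the states" adjustment can be applied or left off, and the 2007 and Jan-Aug 2008 figures from the posts are plugged in as sample inputs.

```python
# Added example: the under-reporting estimate from the posts, parameterized.
# Figures used below (624,000 thefts / 446 breaches for 2007; 1,600 thefts
# per day and 138 disclosures through August 2008) are the posts' own numbers.


def implied_pii_rate(laptops_stolen: int, disclosures: int,
                     law_coverage: float = 1.0) -> float:
    """Fraction of stolen laptops that must carry PII if every theft of a
    PII-bearing laptop (in a state with a disclosure law) was disclosed.
    law_coverage is the fraction of states that have a disclosure law."""
    if laptops_stolen <= 0 or not 0 < law_coverage <= 1:
        raise ValueError("need a positive theft count and law_coverage in (0, 1]")
    return disclosures / (laptops_stolen * law_coverage)


def expected_disclosures(laptops_stolen: int, pii_rate: float,
                         law_coverage: float = 1.0) -> int:
    """Disclosures we should see if pii_rate of stolen laptops hold PII."""
    if not 0 <= pii_rate <= 1 or not 0 < law_coverage <= 1:
        raise ValueError("rates must be fractions")
    return round(laptops_stolen * pii_rate * law_coverage)


def unreported_fraction(disclosures: int, expected: int) -> float:
    """Share of expected disclosures that never appeared (floored at 0)."""
    if expected <= 0:
        raise ValueError("expected disclosures must be positive")
    return max(0.0, 1.0 - disclosures / expected)


if __name__ == "__main__":
    # 2007: airport laptop thefts vs. all publicized breaches
    print(f"2007 implied PII rate: {implied_pii_rate(624_000, 446):.4%}")

    # Jan-Aug 2008: 1,600/day * 30 days * 8 months, 138 disclosures
    stolen = 1_600 * 30 * 8
    print(f"2008 implied PII rate, all states: "
          f"{implied_pii_rate(stolen, 138):.4%}")
    print(f"2008 implied PII rate, half the states with laws: "
          f"{implied_pii_rate(stolen, 138, law_coverage=0.5):.4%}")

    # What the posts' guessed PII rates would imply for under-reporting
    for rate in (0.1, 0.01):
        expected = expected_disclosures(stolen, rate)
        print(f"PII rate {rate:.0%}: expect {expected:,} disclosures, "
              f"{unreported_fraction(138, expected):.1%} unreported")
```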
Your data. Always had it, always will…
Everybody’s fired up about thumb-drives. ComputerWorld warns us about the dangers of thumb-drives in their article “Thumb-Sized Leaks in Corporate Security” and Hummingbird’s recent study about how departing corporate executives steal data hand-over-fist has been getting all kinds of play in the Register and on VNUNet. According to some, it’s quite a huge issue:
Think about compliance issues if an insurance company employee downloads a couple of thousand customer records onto a flash drive and then loses the device… And often, the company won’t even know the employee has done it. The result can be lawsuits and, if federal medical or financial privacy rules have been violated, multimillion-dollar fines.
Yowsa. Sounds serious. Clearly, all of these things could happen. But when you stop and think about it, the threat of the thumb-drive is not categorically different from what has been present in corporations since corporations have existed. Why do I say that? Because folks have always carried knowledge (and the media used to carry that knowledge) with them from job to job and from task to task. Look, what’s the difference between putting proprietary data on a thumb-drive vs. putting confidential documents in your briefcase? Before the briefcase, the knapsack was the “data stealing” vector of choice. Isn’t it the case that CEOs, directors, managers, and – yes – even humble flunkies could have walked out the door with proprietary information in the fifties, before the PC as we know it even existed? I think human nature is such that we can guarantee an unbroken chain of data theft spanning back to the before time of Solomon; ancient Greeks hiding stone tablets labelled “proprietary and confidential” under their togas and ancient Egyptians smuggling papyrus under their armbands.
OK, granted that you can fit a lot more information on a thumb-drive than you could fit in a briefcase, but doesn’t that mean that folks using the “hardcopy data stealing method” have to select what they steal a little more carefully? In fact, although I haven’t studied the matter carefully, I would bet that percentage-wise employees are pocketing about the same percentage of data as they always have – it’s just that now there’s more of it to steal.
So what’s the answer? Clearly, employees are going to steal data. They want to steal it, so they’ll find a way. They feel (as we all probably do) that what they do today can be useful to them tomorrow in the next endeavor that they undertake; given that incentive, folks will go to fairly great lengths to get their hands on this stuff. Mark my words: take away thumb-drives (or implement some measure to make thumb drives hard to use) and employees will steal floppies – get rid of the floppies and they’ll send information out via email – filter the email and they’ll walk out with hardcopy – implement airport-style security to prevent walking off with documents and guess what – they’ll take it home anyway (as much of it as they can) in their heads.
Look, I don’t want to be a doomsayer, but it seems to me that this is the kind of battle that won’t be solved with technology – it’ll be solved by making employees not want to steal the data – either via legislation, litigation, or because your employees are so darned satisfied that they don’t want to leave in the first place. But then again, I could be wrong.