North Carolina is in the club

From North Carolina’s breach notification law, which took effect on December 1, 2005:

(f) In the event a business provides notice to more than 1,000 persons at one time pursuant to this section, the business shall notify, without unreasonable delay, the Consumer Protection Division of the Attorney General’s Office and all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in 15 U.S.C. § 1681a(p), of the timing, distribution, and content of the notice.

Emphasis added
I have repeatedly said that this sort of central notice is a good idea. I have also repeatedly said that only New York (and later, Maine) required it. I am very happy to stand corrected.
The way I learned of my error illustrates the cooperation among folks interested in this stuff — Beth Givens of privacyrights.org alerted the dataloss folks to a breach that they hadn’t recorded. This was reported to the dataloss mailing list, where I read it. In the referenced article was information about the reporting requirement.

Choicepoint Spins off 3 Businesses

From their press release:

ALPHARETTA, Ga., July 10 /PRNewswire-FirstCall/ — ChoicePoint (NYSE: CPS – News) today announced its intent to divest various businesses resulting from its company-wide strategic review. The previously disclosed review process resulted in the company adopting a new strategic focus on helping customers manage economic or physical risks, as well as the decision to divest businesses that either do not fit within the new strategic direction or are unlikely to gain critical mass in the marketplace under ChoicePoint’s ownership. This process is ongoing and is expected to continue throughout 2006. Included in the announced divestiture plan are ChoicePoint’s direct marketing, forensic DNA and shareholder services businesses.

I’m glad to discover that amassing a DNA database and selling the contents to the government is something even Choicepoint doesn’t expect will become profitable. I’m also glad that they’re owning up to mistakes. Now lets see if we can see some fair information practices around the rest of their services.

See other analysis in Direct Marketing News or the Boston Globe.

gcc -Wall -WeReallyMeanIt

Following up on a problem I mentioned long ago, (“Ranum on the Root of the Problem“) that gcc’s -Wall doesn’t actually run all the analysis it could. Apple has a great page “Improving Your Software With Xcode and Static Analysis Techniques” (I believe that this is a mirror of that page, see section 5) that lists all of the things that gcc’s -Wall, -Wextra and -Wmost don’t catch. A great resource. Via Red Sweater Links.

A Few More Thoughts on Disclosure

some-dam-lost-the-original-url-damnit.jpgReading Arthur’s “What Me Data Share?” and Chris’ “CSI/FBI Survey considered harmful,” I realized that what they’re discussing may not be common knowledge. I also realized that my posts about how valuable disclosure laws are assumed that everyone knows what Chris and Arthur said, and that ain’t so. The lack of information sharing that plagues our industry is, itself, a well kept secret. (Arthur, I’ve heard from people whom I respect that ISAC is much like FIRST, in that there’s no data sharing.)

When I say it plagues us, I mean that in an almost literal sense. We are sick. Information security professionals often carry and communicate a contagious contempt towards information sharing which has prevented us from learning from each others mistakes. Buffer overflows were first documented in 1972 [1], and until after exploit techniques were clearly described by Aleph1, no systemic defenses were built.

The lack of good information leaves us powerless at the hands of auditors who come in threatening to fail companies on Sarbox rules if they don’t require password changes monthly. It leaves us with any idiot able to declare their personal ideas of how to improve security as “best practices.”

Laws such as California’s SB 1386 and the 31 laws it has inspired give us a stream of anecdotes which may, at some point, start to resemble data.

This is why 1386 is good for us, despite being bitter to swallow today.

[1] Cite after the break.

Continue reading

What Me Data Share?

I completely have to support Chris in his analysis of the latest CSI/FBI Survey. He sums it up nicely with: “there is no reason to give this survey any credence.”
The survey, does an excellent job of highlighting a general problem within the security industry, the sharing of data. If we’re to make real progress in managing risk, we need real information about what the risks actually are.
Unfortunately, this lack of data sharing is not limited to just the CSI/FBI survey, bur rather an endemic problem with our industry. At this year’s RSA show, I sat in a session with approximately 100 CSO/CISOs and the topic of data sharing came up. Someone asked “Who here would be willing to say what brand of firewall they are running at their site?”. Less than ten percent of people in the room raised their hands!
In the past, I’ve been a member of FIRST(Forum of Incident Response and Security Teams). One of the goals of FIRST is to “develop and share technical information, tools, methodologies, processes and best practices”. I am very fond of FIRST and it is a great organization for developing contacts and intend to be a member again in the future, however, I can’t remember the last time I actually saw real information being shared on the mailing list. And this is an organization that attempts to do some level of trust verification of members.
I’ve heard mixed things about the Information Sharing and Analysis Centers and rumor has it that mostly there is no data sharing going on there either. Can anyone who is a member of one of the ISACs shed more light on this for me?
There is however, a potential ray of sunshine, the Deloitte 2006 Global Security Survey. This survey focuses specifically on the financial services industry and goes into a lot more detail of how the data was collected, including the fact that they used in-person interviews. Can any of our readers who have more experience with statistics chime in here with a better analysis of this report?

[Updated to fix html errors]

CSI/FBI Survey considered harmful

The latest 2006 CSI-FBI Computer Crime and Security Survey has been released.
Already, it is making waves, as it does each year.
I want to simply state that there is no reason to give this survey any credence.
The survey instrument is sent only to CSI members. This time, it was sent to 5,000 of them. There is no reason AT ALL to think that these people are a representative sample of infosec practitioners, or that their employers are representative of employers generally. Think of every infosec practitioner you know. Now think of that person’s boss…and that person’s. When you reach the C-suite, stop. Is any of those people a CSI member? I didn’t think so.
The overall response rate for this survey was just over 12% (616 of 5000). Were the 12% who did answer different in any other way from the 88% who did not? We do not know, because the report doesn’t tell us.
Of course, professionals, notably physicians, are difficult to survey effectively. Despite this, real survey research is actually done. As an example drawn from the link above, one survey of US physicians which (like CSI’s) was done through the mail, got a response rate of 62%. That isn’t perfect, but the survey concerned “physicians’ attitudes and behavior concerning physician-assisted suicide and voluntary active euthanasia”.
That’s right — it asked doctors if they had killed any patients on purpose — and they got a 62% response rate. CSI, surveying its own membership — 12%.
Enough, already.
A computer scientist, an economist, and a survey researcher need to gang up on this. The economist and CS guy can get the NSF money, and the survey researcher can spend it the right way: on a statistically valid sample and techniques proven to increase response rate. They all can put together a decent instrument, the survey researcher can quantify the extent to which their conclusions might be tainted by non-response bias or sampling error, and later the economist can have some fun with Stata and grab some headlines for the group. They could even make the data available for the rest of us to work with.
[stupid math error — 616/5000 != .3 — corrected]

In every dream home, a heartache

Barry Ritholz, an NYC hedge fund manager, blogs about a WSJ story. The gist:

On Sept. 21, 2001, rescuers dug through the smoldering remains of the World Trade Center. Across town, families buried two firefighters found a week earlier. At Fort Drum, on the edge of New York’s Adirondacks, soldiers readied for deployment halfway across the world.
Boards of directors of scores of American companies were also busy that day. They handed out millions of bargain-priced stock options to their top executives.
[…]
A review of Standard & Poor’s ExecuComp data for 1,800 leading companies indicates that from Sept. 17, 2001, through the end of the month, 511 top executives at 186 of these companies got stock-option grants. The number who received grants was 2.6 times as many as in the same stretch of September in 2000, and more than twice as many as in the like period in any other year between 1999 and 2003.

WSJ, 7/15/2006
I find myself surprised at the instinctive greed this story reveals to us. As Mr. Ritholz says:

What makes this so pathetic is that corporate executives could have stepped up AND BOUGHT STOCKS IN THE OPEN MARKET if they believed they were so cheap. It would have been reassuring to a nation to see the leaders of industry voting with their own dollars.
[…]
In 1929, when the stock market crashed, JP Morgan (and others) stepped in. They bought stock with their own dollars, they saved Wall Street. Oh, and they were rewarded for it — both monetarily, and in the history books.

Amen.
As an aside, Ritholz’s two blogs are worth a few minutes.

With the Advice and Consent of The Blogosphere?

town-meeting.jpgSo I’ve been too busy to blog the Spector bill, but the astounding quality of analysis that’s been applied to Spector’s “”Judical Review” for Spying On Americans” bill has been really astounding.

Early reports in (say) the Washington Post were really positive, saying that the bill was quite a positive development. Then legal bloggers got the text of the bill. See, for example, Jack Balkin’s “Specter Gives Up the Game– The Sham NSA Bill:”

Although the judicial review provision is worrisome, it is by no means the most troubling thing about this bill. Specter’s proposed legislation, if passed in its present form, would give President Bush everything he wants. And then some. At first glance, Specter’s bill looks like a moderate and wise compromise that expands the President’s authority to engage in electronic surveillance under a variety of Congressional and judicial oversight procedures. But read more closely, it actually turns out to be a virtual blank check to the Executive, because under section 801 of the bill the President can route around every single one of them.

(After writing this, I got to Dan Solove’s “The NSA Bill in the Mainstream Media vs. the Blogosphere,” which gives a lot more examples.)

What’s interesting is not just Prof. Balkin (and others) analyses, but that they’re widely available within days, and far better than what the press did. The quality of analysis in the blogosphere now regularly surpasses that available in the mainstream press. The trick is to find it.

One of the things that’s interesting to me, in re-reading the American Declaration of Independence and the US Constitution, is the realities of place which enter into the thinking of the authors of those documents.

“He has called together legislative bodies at places unusual, uncomfortable, and distant from the depository of their public Records…”

While being in place is helpful, and I have paper records, would this be such a problem today? What would the founders do in the emerging world, with fast, high quality analysis available from flash mobs of experts? It was clear during the Harriet Miers nomination that Senate staffers were reading blawgs. When letters could take a week to go from Boston to Washington, the idea that the Senate could operate quickly while consulting with widespread experts was inconceivable. The experts coordinating and building on each others work? Likewise. When you consider the founders’ clear respect for vigorous debate and what has become technologically possible…hmm.

I don’t want to be techno-utopian here. There’s clearly a lot of crap in the blogosphere. My blogosphere exclude filters are still maybe a third as powerful as the ones I had in tools to read Usenet News. (The include filters are as good as the ones Kibo had, and more generally available, in Technorati and probably other blog search tools.) For anyone to read everything posted on popular topics might be impossible.

Interesting times. They’re not just a curse.

(Photo is “Huntington, VT Town meeting” by Redjar.)

The “Box Switching” Game

boxes.jpg

I have two boxes. Each has some positive amount of money in it, but I will give you no information about the possible dollar amounts other than the fact that one box has exactly twice the amount of money in it as the other. You randomly select one of the two boxes, open it, and find $100 inside. I now give you the option of keeping the $100 or switching boxes with me and keeping whatever’s inside the other box. Which should you choose?

This reminds me a lot of ‘The Wallet Game.’ I’m not yet sure if the analysis is the same? From Kevan Choset at Volokh. Read the excellent comments over there.

MatrixAll boxes by KellyBeth7.

ThreatChaos Podcast Featuring Emergent Chaos

This week marks the first installment of a series of podcasts I am producing called “Meet The Security Bloggers”. I asked Adam Shostack and Chris Walsh to be the guinea pigs for the first one and it turned out really well. These guys write for EmergentChaos, a blog that Adam started. When he got it to a certain point of maturity he decided to open it up to a few other bloggers and it became “The Emergent Chaos Jazz Combo of the Blogosphere”. Adam is now a security guru for Microsoft which we will try not to hold against him, after all it is a good sign that Microsoft is bringing on such great talent. Chris is a security practitioner in Chicago.

Thanks to Richard Stiennon for having us as the first installment of his podcast, “Meet the Security Bloggers.”

If we were really hip, we’d mash up our blogs and have EmergingThreatChaos^2.0 with a sexy rounded sans serif logo, and a place for you to sign up for our exclusive beta.

Hmmm…Hey Rich! Wanna come guest blog for a bit?

New rules, you say?

Vystar Credit Union was hit by “hackers”, who obtained personal info on 10% or so of their 334,000 customers. The information included “names, addresses, social security numbers, birth dates, mothers’ maiden names and e-mail addresses”, according to Jacksonville.com.
Credit union CEO Terry West took a rather old school approach:

West said the company noticed the invaded information “a few weeks ago,” before turning to Jacksonville-based IT consulting firm Idea Integration, who confirmed the breach.
West insisted that the stolen information consisted of “things you can get from a variety of sources anyway.”

Adam, did you forget to send Terry a copy of the New Rules memo? He obviously isn’t familiar with it.
Florida’s breach law took effect well before this event. That law requires notice to be sent “without unreasonable delay”.
Hat tip to the Identity Theft Resource Center, who maintain a pretty decent breach list. Too bad they overwrote the 2005 version with a file of the same name.

Well, He Had Valid ID (Houston Edition)

Houston police and the federal Transportation Security Administration disagree over who is responsible for allowing a man with what appeared to be bomb components board an aircraft at Hobby Airport last week.

Although the FBI eventually cleared the man of wrongdoing, police officials have transferred the officer involved and are investigating the incident while insisting that the TSA, not police, has the authority to keep a suspicious person from boarding a flight.

No explosive material was detected, the report states. A police officer was summoned and questioned the man, examined his identification, shoes and the clock, then cleared him for travel, according to the report. (Emphasis added.)

Houston Chronicle, “HPD, airport security at odds over incident,” via BoingBoing. Previously in the ID checking department, “Well, umm, He Had Valid ID.”

More seriously, the outstanding coordination between agencies was (ahem) singled out in the 9/11 Commission report. Its good to see that nearly 5 years later, that lesson has been internalized, and overcomes bureaucratic squabbles.