Visa says TJX Impacted 94 million accounts, $68MM+ in fraud

“Although TJX suggests that the breach only affected approximately 45.7 million accounts, in fact the breach during a period of 17 months affected more than 94 million separate accounts. To date, Visa has calculated the fraud losses experienced by issuers as a result of the breach to be between $68 million and $83 million on Visa accounts alone.”

Evan Schuman, quoting Visa’s Joseph Majka, in “TJX Breach More Than Twice As Bad As Had Been Reported.”

Would someone please page Willy Sutton?

Ceremony Design and Analysis

Carl Ellison has been doing some really interesting work on what he calls Ceremonies:

The concept of ceremony is introduced as an extension of the concept of network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony, and therefore subject to design and analysis using variants of the same mature techniques used for the design and analysis of protocols. Ceremonies include all protocols, as well as all applications with a user interface, all workflow and all provisioning scenarios. A secure ceremony is secure against both normal attacks and social engineering. However, some secure protocols imply ceremonies that cannot be made secure.

He’s talked about it in public a little before, and now has a paper available from the IACR eprint service, “Ceremony Design and Analysis.”

If you design network protocols, or think about the intersection of security and usability, this is very much worth reading.

With p=.7, Breach Costs Will Fall by 2009

There’s an article over on Tekrati, “Cost of a sensitive data breach will increase 20 percent per year through 2009, says Gartner.”

Near as I can tell, this is the sort of half-thought-through analysis which Gartner sometimes spews, to the great detriment of their reputation. (To be fair, I can only see what other people report in the news, not the original Gartner slide deck.)

Gartner analysts estimate that the cost of a sensitive data breach will increase 20 percent per year through 2009. While mass attacks such as worms and viruses have continued, the investments that enterprises have made in intrusion prevention, vulnerability management and network access control have paid off, as those simple mass attacks have succeeded much less often. However, the attackers are now more financially motivated and have launched new waves of attacks that, when successful, cause enormous damage to the bottom line, but that often go unreported.

There’s some fascinating juxtapositioning in that last sentence. It “cleverly” mixes new motives for attacks with attacks succeeding, and then implies that there are these secret attacks happening, causing “enormous damage to the bottom line,” but that somehow these material events aren’t being reported. What might the SEC think about that? What might Milberg Weiss say about such allegations? How about Sarbanes and Oxley?

I simply don’t believe that there are real events happening at public companies with real bottom line impacts being covered up. I believe that there are events whose costs are exaggerated. I believe there are events that are reported and not widely publicized. A company which is knowingly not reporting something which has caused “enormous damage to the bottom line” is committing a felony for which their executives can be jailed.

If you’re an information security professional, making claims like this damages your credibility and your career. Similarly, claiming that breaches often drive companies out of business simply isn’t supported by the facts.

However, I made a different assertion, which is that breach costs will fall, and I need to support that or risk damaging my own credibility. Breach cost will fall as the market responds and a growing number of credible organizations offer breach response services. Competition will drive costs down as everyone tries to get in on this new space.

I’d rate the chances as .9 five years out. If I’m wrong, I’ll refund 90% of the money I made on this post.

Laboratories of Security?

There’s a story in USA Today, “Most fake bombs missed by screeners.” It describes how screeners at LAX find only 25% of bombs, at ORD, they find 40%, and at SFO, 80%:

At Chicago O’Hare International Airport, screeners missed about 60% of hidden bomb materials that were packed in everyday carry-ons — including toiletry kits, briefcases and CD players. San Francisco International Airport screeners, who work for a private company instead of the TSA, missed about 20% of the bombs, the report shows. The TSA ran about 70 tests at Los Angeles, 75 at Chicago and 145 at San Francisco.

I could go on at length about how bad air travel has gotten, and how security theatre is crushing the travel and tourism industries in the US. Rather I’d like to focus on the emergent chaos aspects of this story: the reality that even TSA bureaucracy can’t impose standards on airports, and why that would be a good thing, if they could accept it.

Before I do, I want to comment that missing 75% of the bombs is probably ok. There are very few airliners bombed in the US. I think it’s less than 10 in history. So the issue is not really false negatives, where the screener misses a real fake bomb, but false positives, where the screener shuts down either someone’s day or the airport. Given that every single bomb smuggled past security last year at US airports was fake, fake bombs are far more likely than real ones.

Now, there’s an opportunity for dramatic improvement in the way we run airport security. “Just run them all like they run SFO!” Orin Kerr makes this point, “I would think the real story is the dramatic gap between the performance of TSA employees and private sector employees.”

More importantly, what comes out of this study for me is the emergent chaos of running a large mission like airport security, and the value of that variation for learning.

If all airports were run exactly the same, we’d have missed this opportunity for learning.

So ask yourself, what do I standardize on too much? Where is there too much structure, inhibiting learning? How can we harness chaos, and what emerges? (I talk in more detail about a very similar point in the latest post in my threat modeling series on the SDL blog, “Making Threat Modeling Work Better.”)

Photo: Frisk, by Tim Whyers. (Machine by Tim Hunkin, we’ve mentioned it previously.)

Breaches: Coverup & Disclosure

There’s an interesting case of breach non-disclosure documented in the Edmonton Sun, “Privacy breach at MacEwan.” It’s interesting for a few reasons. First, the breach wasn’t disclosed:

MacEwan College was cited in the auditor general’s report this week after a tipster told the AG’s office about the security breach in 2006. It mirrored access problems in 2002-2003, the AG’s report confirmed.

The college chose not to tell those whose personal information was included in the accessible journal entries based on an assessment of risk by its Freedom of Information and Protection of Privacy office, said MacEwan spokesman Gordon Turtle.

You’ll note that I’m writing about it anyway.

Secondly, people are upset:

Public institutions engender trust, and that’s just one of several reasons why students should have been told, even if the college was confident the breach was minor, said MacEwan Student Union president Justin Benko.

“Based on what the auditor report says, if bank account information and credit card numbers and signatures were readily available and obvious, there should’ve been something said,” he said.

Benko’s opinion is interesting. There’s no Canadian law explicitly requiring breach disclosure, but there’s an expectation of disclosure. (There are also interpretations by Privacy Commissioners that read disclosure into existing laws.)

It also seems that the risk assessment was wrong. If you’re covering up a breach because of a risk assessment, you might want to have another, and include crisis communication in the assessment.

What’s an Identity Oracle (LLPersonas)

Adam: So you say “my oracle.” Who is that? Is it an entity which I control? To be cynical, how does ‘my identity oracle’ differ from Choicepoint?

Bob Blakely: My oracle most assuredly does not belong to me. It’s a commercial enterprise. It differs from Choicepoint in that it has contracts with its data subjects which require it to protect their privacy and other

Adam: So the Oracle is making money on both sides of the deal? From me and from an employer?

Bob Blakely: The oracle is making money by providing a service to the individual. Like broadcast TV, Google, or a real estate buyer’s agent, it doesn’t necessarily have to charge the individual for that service; the cost could be borne by the relying parties.

Adam: If the Oracle doesn’t charge me, do we have a meeting of the mind and an exchange of value? As I’m sure you know, those are the core elements of a contract.

On a related note, what’s to prevent a rogue oracle organization? I think that there’s both value in me paying, and all sorts of risks, such as oracle capture by customers or the moral issues of me having to pay to get data about me validated.

Bob Blakely: The oracle might make money on you but more likely is charging your transaction partners, in the same way that your real estate buyer’s agent gets paid by the seller. But unlike today’s identity providers, it has obligations to you.

You could ask the same question about the relationship between you and a pro-bono lawyer, or a realtor (if you’re buying a house), or any one of a number of other professionals and businesses who work on your behalf but charge others for the privilege. American Express works this way – you pay a (small) yearly fee, but most of their money comes from charging retailers.

What prevents a rogue oracle organization is lawsuits (based on contract law) and the inability to continue in business due to bad publicity.

The difference between an oracle and other identity providers is that the other providers don’t offer you the contract which would let you take action against them; instead you have to rely on someone like the FTC taking action on your behalf, without the possibility of personal recovery for loss.

How to Better Cite Blogs

Via BoingBoing, we learn that the NIH has a guide to citing blogs. Cool! Respectworthy! And a little lacking as a citation format. Here’s their first sample:

Bernstein M. Bioethics Discussion Blog [Internet]. Los Angeles: Maurice Bernstein. 2004 Jul – [cited 2007 May 16]. Available from:

There are at least two major problems with this citation format.

Firstly, the URL to the post itself is missing. I might want to cite ““How to Cite Blogs” by the NIH / National Library of Medicine” on Kidney Notes. In which case, I should print the URL “” It strikes me as rare to want to cite a blog in general, rather than in particulars. We get to example 29 before we see this.

Secondly, I should include a real, full date. When I cited is uninteresting. When I visited might be. When the post was posted certainly is. Only a small fraction of the citations include a date of publication, and those refer to (say) June, 2006.