2007 a year of Data Breaches

In Wired:

Foley’s group lists more than 79 million records reported compromised in the United States through Dec. 18. That’s a nearly fourfold increase from the nearly 20 million records reported in all of 2006.

Another group, Attrition.org, estimates more than 162 million records compromised through Dec. 21 – both in the U.S. and overseas, unlike the other group’s U.S.-only list. Attrition reported 49 million last year.

“It’s just the nature of business, that moving forward, more companies are going to have more records, so there will be more records compromised each year,” said Attrition’s Brian Martin. “I imagine the total records compromised will steadily climb.”

Netflix anonymous data de-anonymization

Wow! This is a different kind of data breach.

In October last year, Netflix released over 100 million movie ratings made by 500,000 subscribers to their online DVD rental service. The company then offered a prize of $1 million to anyone who could better the company’s system of DVD recommendation by 10 per cent or more.

Of course, Netflix assured everybody that the data had been anonymized by removing any personal details.

That turns out to have been a tad optimistic. Arvind Narayanan and Vitaly Shmatikov at the University of Texas at Austin have just de-anonymized it.

They go on to explain how they did it.

As one of the comments highlights, the part they gloss over is that they can only find out who you are if you had an account on both Netflix and IMDb.

From Slashdot: Most Scary to Least Scary

FBI data mining for more than just terrorists:
“Computerworld reports that the FBI is using data mining programs to track more than just terrorists. The program’s original focus was to identify potential terrorists, but additional patterns have been developed for identity theft rings, fraudulent housing transactions, Internet pharmacy fraud, automobile insurance fraud, and health-care-related fraud. From the article: ‘In a statement, Sen. Patrick Leahy (D-Vt.), chairman of the Senate Judiciary Committee, said the report [on the data mining] was four months late and raised more questions than it answered. The report “demonstrates just how dramatically the Bush administration has expanded the use of [data mining] technology, often in secret, to collect and sift through Americans’ most sensitive personal information,” he said. At the same time, the report provides an “important and all-too-rare ray of sunshine on the department’s data mining activities,” Leahy said. It would give Congress a way to conduct “meaningful oversight” he said.'”

from the just-forward-your-mail-to-homeland-security dept:
“You probably already knew that the FBI was data mining Americans in the “search” for potential terrorists, but did you know that they’re also supposed to be looking for people in the U.S. engaged in criminal activity that is not really supposed to be the province of the federal government? Now the feds are alleged to be data mining for insurance fraudsters, identity thieves, and questionable online pharmacists. That’s what they’re telling us now. What else could they be looking for that they are not telling us about?”

From the is-that-anything-like-the-lime-in-the-coconut dept:
“The kernel meets The Colonel in a just-published Microsoft patent application for an Advertising Services Architecture, which delivers targeted advertising as ‘part of the OS.’ Microsoft, who once teamed with law enforcement to protect consumers from unwanted advertising, goes on to boast that the invention can ‘take steps to verify ad consumption,’ be used to block ads from competitors, and even sneak a peek at ‘user document files, user e-mail files, user music files, downloaded podcasts, computer settings, [and] computer status messages’ to deliver more tightly targeted ads.”

From the how much can you remember department:

The research reveals that the average citizen has to remember five passwords, five pin numbers, two number plates, three security ID numbers and three bank account numbers just to get through day to day life.

Six out of ten people claimed that they suffer from “information overload,” stating that they need to write these numbers down in order to remember them.

However, more than half of the 3000 people surveyed admitted to using the same password across all accounts, leaving them at risk of potentially severe security breaches.

Professor Ian Robertson, a neuropsychology expert based at Trinity College Dublin who carried out the study, said: “People have more to remember these days, and they are relying on technology for their memory.

“But the less you use of your memory, the poorer it becomes. This may be reflected in the survey findings which show that the over 50s who grew up committing more to memory report better performance in many areas than those under 30 who are heavily reliant on technology to act as their day to day aide-memoire.”

Who owns that copy?:

“Copyfraud is everywhere. False copyright notices appear on modern reprints of Shakespeare’s plays, Beethoven’s piano scores, greeting card versions of Monet’s Water Lilies, and even the US Constitution. Archives claim blanket copyright in everything in their collections. Vendors of microfilmed versions of historical newspapers assert copyright ownership. These false copyright claims, which are often accompanied by threatened litigation for reproducing a work without the owner’s permission, result in users seeking licenses and paying fees to reproduce works that are free for everyone to use…”

Second Life – the real picture emerges:

The LA Times is running a story today saying that marketers are pulling out of Second Life, primarily because — surprise, surprise — the ‘more than 8 million residents’ figure on the game’s Web site is grossly inflated. Also, as it turns out, the virtual world’s regular visitors — at most 40,000 of them online at any time — are not only disinterested in in-world marketing, but actively hostile to it, staging attacks on corporate presences such as the Reebok and American Apparel stores.

RunBot Robot Walks:
“The basic walking steps of Runbot, which has been built by scientists co-operating across Europe, are controlled by reflex information received by peripheral sensors on the joints and feet of the robot, as well as an accelerometer which monitors the pitch of the machine. These sensors pass data on to local neural loops – the equivalent of local circuits – which analyse the information and make adjustments to the gait of the robot in real time.”

from the free-at-last dept:
“IBM is making it easier to utilize its patented intellectual property to implement nearly 200 standards in the SOA, Web services, security and other spaces. Under a pledge issued by the company Wednesday, IBM is granting universal and perpetual access to intellectual property that might be necessary to implement standards designed to make software interoperable. IBM will not assert any patent rights to its technologies featured in these standards. The company believes its move in this space is the largest of its kind.”

German Data Retention, NSA doesn’t Trust itself & FBI and “spying student” profiles

From Slashdot:

“Google is threatening to shut down the German version of its Gmail service if the German Bundestag passes its new Internet surveillance law. Peter Fleischer, Google’s German privacy representative, says the new law would be a severe blow against privacy and would go against Google’s practice of also offering anonymous e-mail accounts. If the law is passed then starting 2008, any connection data concerning the internet, phone calls (with position data when cell phones are used), SMS etc. of any German citizen will be saved for 6 months, and anonymizing services like Tor will be made illegal.”

Well, if they can’t collaborate, maybe they can’t spy on us all that well?
Linked to the Baltimore Sun from Slashdot:

NSA employees also do not trust one another, which has left the agency fragmented and in search of a “unity of purpose,” according to a task force report released to employees late last month. “What we need is fundamental change in the way we manage NSA and what we expect of management and ourselves,” concluded the study, which was led by George “Dennis” Bartko, the NSA’s deputy chief of cryptanalysis. The Sun obtained unclassified portions of the report and eight related documents.

From Presssec:

US university students will not be able to work late at the campus, travel abroad, show interest in their colleagues’ work, have friends outside the United States, engage in independent research, or make extra money without the prior consent of the authorities, according to a set of guidelines given to administrators by the FBI.

linked to from Slashdot:

“FBI is offering to brief faculty, students and staff on what it calls ‘espionage indicators’ aimed at identifying foreign agents. Unexplained affluence, failing to report overseas travel, showing unusual interest in information outside the job scope, keeping unusual work hours, unreported contacts with foreign nationals, unreported contact with foreign government, military, or intelligence officials, attempting to gain new accesses without the need to know, and unexplained absences are all considered potential espionage indicators.”

Sex offender mixup on MySpace and AmeriTrade Spam

Last week there were some interesting identity developments.

Summary: Ms. Jessica Davis had her MySpace profile eliminated because it matched a name in a sex offender database. She tried to resolve it with MySpace, but they were very unhelpful. She went to the press after learning about a new information sharing agreement between MySpace and state attorneys general. She is planning to go into law and public service and did not want to be in a position for the rest of her life of defending her innocence because they put her in some database.

AmeriTrade Spam: “On April 14, 2007, I signed up for an AmeriTrade account using an e-mail address consisting of 16 random alphanumeric characters, which I never gave to anyone else. On May 15, I started receiving pump-and-dump stock spams sent to that e-mail address. I was hardly the first person to discover that this happens. Almost all of the top hits in a Google search for “ameritrade spam” are from people with the same story: they used a unique address for each service that they sign up with, so they could tell if any company ever leaked their address to a spammer, and the address they gave to AmeriTrade started getting stock spam. “

More Slashdot Stories of interest.

So it seems slashdot is full of interesting identity related stories this week.

We have the ‘spying into laptops when you cross the border’ story from the NYTimes. (Any container is searchable; this means the hard disk in your laptop too. [I suppose avoiding this search is one of the advantages of storing information in the cloud.]) It also speaks to the need for technology folks to get more involved in shaping the law.

You can blog in China with a pseudonym but only if you register using your ‘real name’

How we organize ourselves to do work together – are worker owned co-ops an alternative to the corporate form for successful open source development.

Ponderings on the Metaverse as the next big thing. It is an area that I think we in the identity community need to become more literate in because some of the legal, social and economic issues they are tackling are the same ones we are.

Election Mashups on google Earth.

Regaining one’s voice after losing it: the story of Scott Adams, Dilbert’s writer.

Identity Confirmation on Myspace

This is really quite bizarre. Boing Boing reported:

Confirm your identity with “MySpace salute”
MySpace says that if someone is pretending to be you on their site, you can confirm your identity by sending in a picture of yourself giving a “MySpace salute” (“holding a handwritten sign with the word ‘MySpace.com’ and your Friend ID”). As Waxy notes, “it’s a good thing there’s no way to fake photographs on a computer.” Pictured here: an Iraqi child confirming his identity as Rupert Murdoch. (via Waxy)

That seems so easy: send in a picture with your name on it. It really begs the question of what identity verification is anyway.

e-passports cloned…

This was on Wired yesterday (posted on Slashdot). I think it highlights the importance of thinking deeply about how these proposed identity systems work. The other security flaw is the ‘integrity’ of the databases that the passport system is built on.

A German computer security consultant has shown that he can clone the electronic passports that the United States and other countries are beginning to distribute this year.

The controversial e-passports contain radio frequency ID, or RFID, chips that the U.S. State Department and others say will help thwart document forgery.

“The whole passport design is totally brain damaged,” Grunwald says. “From my point of view all of these RFID passports are a huge waste of money. They’re not increasing security at all.”

Grunwald plans to demonstrate the cloning technique Thursday at the Black Hat security conference in Las Vegas.

The United States has led the charge for global e-passports because authorities say the chip, which is digitally signed by the issuing country, will help them distinguish between official documents and forged ones. The United States plans to begin issuing e-passports to U.S. citizens beginning in October.

Although countries have talked about encrypting data that’s stored on passport chips, this would require that a complicated infrastructure be built first, so currently the data is not encrypted.

“And of course if you can read the data, you can clone the data and put it in a new tag,” Grunwald says.

The cloning news is confirmation for many e-passport critics that RFID chips won’t make the documents more secure.

“Either this guy is incredible or this technology is unbelievably stupid,” says Gus Hosein, a visiting fellow in information systems at the London School of Economics and Political Science and senior fellow at Privacy International, a U.K.-based group that opposes the use of RFID chips in passports.

Open Standards have interesting consequences…anyone can use them… it also highlights the need to have ‘social’ fabric underlying any identifier system/network.

Grunwald says it took him only two weeks to figure out how to clone the passport chip. Most of that time he spent reading the standards for e-passports that are posted on a website for the International Civil Aviation Organization, a United Nations body that developed the standard. He tested the attack on a new European Union German passport, but the method would work on any country’s e-passport, since all of them will be adhering to the same ICAO standard.

How did he do it?

  1. Grunwald then prepared a sample blank passport page embedded with an RFID tag by placing it on the reader — which can also act as a writer — and burning in the ICAO layout, so that the basic structure of the chip matched that of an official passport.
  2. As the final step, he used a program that he and a partner designed two years ago, called RFDump, to program the new chip with the copied information.
  3. The result was a blank document that looks, to electronic passport readers, like the original passport. He obtained the reader by ordering it from the maker — Walluf, Germany-based ACG Identification Technologies — but says someone could easily make their own for about $200 just by adding an antenna to a standard RFID reader.

Why it is a security failure…

The demonstration means a terrorist whose name is on a watch list could carry a passport with his real name and photo printed on the pages, but with an RFID chip that contains different information cloned from someone else’s passport. Any border-screening computers that rely on the electronic information — instead of what’s printed on the passport — would wind up checking the wrong name.

Identity theft…continued

So apparently, to some in the identity community, having someone use your debit/credit card number is not “really” identity theft.

This is how I see it. The Bank ‘issues’ me an identifier – or an identity.
It is the card that I get from them – when I present it and enter my PIN, they know I am me. This is my identity in relationship to them. (Every time I go see a teller I must swipe my card and enter my PIN.)

So when someone takes that identity given to me by my bank (and uses it fraudulently) THIS IS IDENTITY THEFT.

It turns out the bank had me fill out the wrong forms and today I had to fill out different ones (another 30 min later). Apparently with debit card fraud I will get a response within 10 days about the situation.

I am off to Portland tomorrow for Recent Changes Camp with a giant wad of travelers cheques to get by sans a card that works in a machine.

Web Wariness is real

Web Users Increasingly Wary. This article articulates the challenge we face.

THE PROSPECT OF IDENTITY THEFT has led the majority of online users–53 percent–to stop giving out personal information online, according to a study released Wednesday by Consumer Reports WebWatch. Additionally, 30 percent of consumers report reducing their overall use of the Web, while 25 percent say they no longer make online purchases, according to WebWatch. The report, “Leap of Faith: Using the Internet Despite the Dangers,” was based on a survey of 1,501 online adults, conducted earlier this year.

The insecure keys to our castles SSNs

This was on Slashdot today and highlighted again the main problem: the SSN is used both as the identifier and as the password to access accounts and other critical information in our lives, so the identifier and the secret are THE SAME. This is a structural problem created by our ubiquitous use of the SSN. It needs to be addressed by government, employers and the commercial sector.

“Many of us that work in the financial sector are bombarded with daily security threats. One of the biggest these days is Identity Theft. My fellow comrades and I have been really grilling each other on differing scenarios on what could be done with what information. However, it all seems to come back to the Social Security Number. Financial companies have other controls in place (customer service verification checking, account passwords, etc.) to ensure identification. But in order to be of any use, a bad guy would really need someone’s SSN. Absent that, other information would be useless. Right? That’s what I would like to ask Slashdot folks. What could be realistically done with customer information without a SSN? Account numbers, address, maybe a phone or payment amount. Is that really dangerous to the customer if only those get compromised?”