Thursday, June 7, 2007

Stolen Laptops and data breaches - something doesn't add up

If it seemed to you like a new data breach was making the news every single day last year, you weren't far off from the truth. According to the numbers released by the Privacy Rights Clearinghouse, there were 327 reported data breach incidents in 2006. So it wasn't quite every day - maybe the bad guys took the occasional Sunday off.

If you take a closer look at the numbers, you'll see that 37% (or 119) of the incidents involved laptops. While it is difficult to determine precisely how many individuals' records were potentially compromised by these 119 breaches, it is most likely in the hundreds of thousands, if not the millions (the statistics on the page linked above seem to include the Department of Veterans Affairs incident, in which the laptop was later recovered). So thousands and thousands of records potentially compromised by only 119 breaches? Well, at least there were only 119 breaches, right? Maybe not.

If you gave truth serum to the Chief Information Security Officers of all the Fortune 500 companies, and asked them if their companies had lost a laptop due to theft during 2006, I think you'd find that 100% of them had lost at least one laptop. In fact, I'd bet if you asked whether they had lost more than 100 laptops, more than one would answer yes to that as well. I know of one Fortune 500 company that averages a stolen laptop every other day!

It gets worse if you do a bit of research into just how many laptops are stolen annually. Again, the numbers are difficult to pin down, but some believable numbers I've heard fall in the range of 500,000 to 1 million. Even on the low end, that's a lot!

So if I'm right and 500 of the largest companies have had at least one laptop stolen, and total laptops stolen is at least in the hundreds of thousands if not the millions, why have we only heard about 119 data breaches due to stolen laptops?

Even if we assume that a good number of those stolen laptops were owned by individuals rather than corporations, I'd be willing to bet that the majority were owned by corporations. Why? Because most are stolen out of vehicles, hotel rooms, at airports, etc. In other words, people traveling or on their way home from work, which means a good number of these are most likely corporate machines.

If only 119 of the hundreds of thousands of stolen corporate machines were holding personally identifiable information, what were the rest of those people using their laptops for? It hardly seems to me like you'd spend all that money equipping your staff with laptops if they aren't doing anything important with them.

If you allowed the CISOs to defend themselves, I'm sure they would spout some garbage about how their policies prohibit storing sensitive data on laptops. Even if I believe that all of their employees follow policy (which I don't), how can they be so sure there is no personal info on those laptops? In most cases they can't.

If you ask any expert who does forensic analysis of disk drives, I'm sure he or she could tell you stories where some individual has attempted to hide his nefarious activities by deleting files to cover his tracks. I'm sure the expert can also tell you that quite often he or she can still recover some (or all) of those tracks by looking at temporary files, swap files, etc. And these are cases where the data was intentionally wiped from the disk!

Any time you work with data, your operating system is potentially leaving pieces of that data on various parts of the drive. It isn't doing this maliciously or unintentionally; it is just the way software works. In order to work with more applications and data than your computer has memory to handle, operating systems and other software applications temporarily store parts of that data on disk until it is needed again. Usually that data is cleaned up when a program closes, but not always. So even if you aren't intentionally storing personally identifiable information on your corporate laptops, if you work with that data on a corporate laptop some of the remnants might be left behind.
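The check a CISO would actually need before claiming "there was no personal info on that laptop" is a remnant scan of the places the two paragraphs above describe: swap files, temporary files, and unallocated space. The script below is an added example, not code from this post. It scans a raw byte buffer for US SSN-shaped strings and for card-number-shaped strings that pass the Luhn check, looking at both plain ASCII and UTF-16LE (the encoding Windows applications commonly use in memory, and therefore in pagefiles and temp files). The byte buffer it scans is constructed here to stand in for a fragment of a swap file; the regexes, the filler bytes and the `Finding` record are assumptions of the example, and a real run would point `scan_for_pii` at a carved pagefile, hiberfil or unallocated-cluster dump instead.

```python
import re
from dataclasses import dataclass

# Patterns are anchored so a longer digit run is not mistaken for an SSN or card.
# re.ASCII keeps \d from matching fullwidth or other Unicode digits in the UTF-16 view.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)", re.ASCII)
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)", re.ASCII)  # 13-19 digits, optional separators


@dataclass
class Finding:
    kind: str       # "ssn" or "card"
    value: str      # SSN as written; card as normalized digits
    offset: int     # byte offset in the scanned buffer
    encoding: str   # view the hit came from: "ascii" or "utf-16le"


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _utf16le_view(blob: bytes, align: int) -> str:
    """Render 16-bit units starting at byte `align` as one char each, so that
    str index i maps back to byte offset align + 2*i. Only printable ASCII
    code units are kept; anything else becomes U+FFFD so it cannot match."""
    units = blob[align:]
    out = []
    for i in range(0, len(units) - 1, 2):
        lo, hi = units[i], units[i + 1]
        out.append(chr(lo) if hi == 0 and 0x20 <= lo < 0x7F else "\ufffd")
    return "".join(out)


def scan_for_pii(blob: bytes) -> list[Finding]:
    """Scan a raw buffer (swap, temp file, unallocated space) for PII remnants."""
    views = [
        ("ascii", blob.decode("latin-1"), 0, 1),        # latin-1 maps 1 byte -> 1 char
        ("utf-16le", _utf16le_view(blob, 0), 0, 2),     # even-aligned UTF-16LE
        ("utf-16le", _utf16le_view(blob, 1), 1, 2),     # odd-aligned UTF-16LE
    ]
    findings = []
    for enc, text, base, width in views:
        for m in SSN_RE.finditer(text):
            findings.append(Finding("ssn", m.group(), base + width * m.start(), enc))
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):  # drop order numbers, phone numbers and the like
                findings.append(Finding("card", digits, base + width * m.start(), enc))
    return sorted(findings, key=lambda f: f.offset)


def build_sample_image() -> bytes:
    """Constructed stand-in for a swap-file fragment: non-digit filler around
    an ASCII document remnant, a UTF-16LE spreadsheet remnant, and a decoy
    digit run that fails Luhn. Every value here is made up for the example."""
    pattern = b"\x00\xea\x7a\x03\xff\x10\xc2\x8d"

    def filler(n: int) -> bytes:
        return (pattern * (n // len(pattern) + 1))[:n]

    doc = b"Patient: J. Doe  SSN: 123-45-6789  DOB: 1970-01-01"
    sheet = "Card on file: 4111 1111 1111 1111, exp 01/09".encode("utf-16-le")
    decoy = b"Order #4111 1111 1111 1112 shipped"  # looks like a card, fails Luhn
    return filler(64) + doc + filler(32) + sheet + filler(17) + decoy + filler(40)


if __name__ == "__main__":
    for f in scan_for_pii(build_sample_image()):
        print(f"{f.kind:4} at byte {f.offset:6} ({f.encoding}): {f.value}")
```

The two encodings matter in practice: an ASCII-only grep over a pagefile misses every string a Windows application held as UTF-16, which is exactly the kind of gap that lets someone assert a drive was "clean". The Luhn filter is what keeps the scan usable on a real image, where 16-digit runs that are not card numbers are common.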

And that is why the numbers don't add up. The majority of US states have data breach laws, and hundreds of thousands of laptops are being stolen annually. As I've explained, it is difficult to prove that a computer absolutely positively contained no personally identifiable information, so why were only 119 laptop incidents reported last year? A good question, isn't it?


Wednesday, June 6, 2007

Julie Amero's conviction set aside

Julie Amero is the Connecticut substitute teacher who was tried and convicted for allegedly exposing a class of middle school students to Internet pornography. She was facing 40 years in prison this morning in spite of the fact that a number of information security professionals believed that malware on the computer was quite likely the true cause - rather than any action taken by Ms. Amero.

At the sentencing hearing this morning, the judge presiding over the case set aside the jury's verdict and ordered a new trial. This long awaited move followed a fresh analysis of the evidence by both the state crime lab and a team of malware experts on behalf of the defense.

As an information security professional with a background in criminal justice, I found the original trial to be a travesty of justice. Quite clearly the police, prosecutor, and jurors had no understanding of the information security issues at the heart of the case.

Not having examined the computer system in question, I can't say with certainty that Ms. Amero is innocent, but I can say with certainty that the facts presented in the case (as recorded in the transcript) were enough to raise reasonable doubt in my mind, as they did in the minds of nearly every single information security professional who had heard of the case.

The information security professionals outraged by the original verdict were not taking a stand on this case because they were supporters of pornography or enemies of law enforcement - quite the opposite. Many deal with cases like this on a regular basis and often work with law enforcement and against illicit websites.

They took a stand on this case because the 'expert' testimony presented by a law enforcement officer was anything but expert. They took a stand because they have seen what an adware/spyware/malware infested machine can do (pretty much exactly what the machine in this case did). They took a stand because there are plenty of people who deserve to go to prison for endangering minors, and it seems highly unlikely (based on the testimony and evidence presented) that Ms. Amero was one of them.

For those who want to condemn someone for this incident, condemn the school district for placing outdated operating systems, web browsers, and anti-virus, as well as non-functional web filtering, on computers accessible by students. Condemn the police department for not providing sufficient technical training to officers charged with investigating and testifying on cases involving computers.

Ms. Amero has lost her job, reputation, and a pregnancy (due to miscarriage) for something she most likely didn't do, something that should have been prevented by her employer (the school district). That's the real crime here.

At least it seems like justice may finally be prevailing in this case. Technically Ms. Amero could be retried, but with the new evidence and the judge's decision on the first verdict, it seems unlikely that the prosecution would bother.


Introduction and welcome

Let me introduce myself. I am The Merrier Psycho. Why so mysterious? Simple, really. This is a blog about information security, and one of the three tenets of the profession is confidentiality. In other words - secrecy. I have secrets to share, but as they say, the names have been changed to protect the guilty. If I revealed my secret identity, it would be a trivial matter to figure out the parties involved in some of the stories I plan to share.

In my years in this field, I've done a bit of everything. Policy, auditing, architecture, vulnerability management, threat analysis, research, engineering... you name it, I've done it. So hopefully I can keep you entertained with my stories and opinions.

I have a lot of plans for this blog, so drop back in whenever you need a dose of information security insanity. Welcome to my asylum.