The Data Security Experts' Blog

LinkedIn going the way of Facebook and others?

As many readers of this blog are likely LinkedIn users as well, I wanted to pass along this latest privacy tidbit courtesy of Martin Kuppinger.

Last Friday, I received two identical emails from LinkedIn contacts informing me about changes in the privacy conditions of LinkedIn. Without user consent, LinkedIn is now allowed to use names and pictures of the users in advertisements. Users can revoke the permission in a simple way (see below). However, what LinkedIn has done raises the question of whether the providers of today’s social networks will never learn their privacy lessons.

LinkedIn once again has shown the fundamental misunderstanding of social network providers, that all data therein is their data. However, it is the data of the users, not of the social network. There are some upcoming approaches like personal.com which change that paradigm and give users control over their data. Changing privacy policies in the way LinkedIn did just shows that they probably never will understand this.

Martin correctly identifies that the problem is one of who owns your data, and it is a dilemma that I foresee sticking around for many years to come.  Social networking sites like LinkedIn, Facebook, Twitter, etc. provide great ways for us to connect with other individuals in ways that are meaningful.  The catch is that in order to make those connections meaningful, these sites must collect a great deal of information about each of us – and therein lies the problem.

That data is worth a lot of money and, as the collection agent, social networking sites like LinkedIn feel entitled to use the data that we provide them in any way that they see fit – they view it as their data.  Here comes the ‘chicken or the egg’ part, though…we only provide them with the amount of data that we do because of a trust relationship wherein we assume that they understand that it is our data and that they cannot do whatever they want with it.

It’s a tricky subject, no matter which side you’re on.  Companies like LinkedIn wouldn’t be in the business that they’re in if there wasn’t money to be made, and then we wouldn’t have these cool ways to connect with other people.  And round and round  we go.

No matter how it all shakes out in the end – the message to the end user is easy: be vigilant with your personal data.  You need to understand the privacy policies of the sites that you belong to and make sure that you’re comfortable with what they plan to do with your data.

Also, as cases like this one with LinkedIn prove, remember that these policies are not written in stone.  They can and do change – in many cases frequently.  Stay on top of the changes and make sure that you’re taking full advantage of privacy controls.

Posted in Cybersecurity, Privacy, Staying Safe

The Megaupload take down and what it means for cloud computing

If you have followed the recent developments of the government shutdown of Megaupload, you may be under the impression that the site was merely a pirate’s playground used exclusively for infringing on copyright. Whether or not this is true, and whatever your opinion of copyright in the digital age, the shutdown does raise one of those perhaps unthought-of questions: what happens to my data in the cloud?

Along with any infringing material, Megaupload servers contained user created data. Family pictures, documents, recipes, and perhaps small business documents were also stored on Megaupload’s servers. It was cloud storage pure and simple.

As the story unfolds, at least some of the storage space was on servers not directly under the control of Megaupload. It resided on third-party servers whose owners leased the storage space and bandwidth to Megaupload. And now those bills are coming due. The government has frozen the assets of Megaupload and its principals, the URLs to the data no longer work, and no one is paying the bills for this leased capacity.

The migration of critical corporate documents to the cloud hopefully includes a thorough due diligence study. Things like security controls, data center locations and redundancy, and backup and restore terms are often included. Hopefully there is a plan in the event the cloud storage provider goes out of business. But what about a situation where the government pulls the plug? What about individuals or small businesses who may not have thought to look far enough forward?

It is going to be interesting to see if the government intervenes to allow legitimate users access to the data they had stored on Megaupload’s servers, or at least to ensure that data is protected. In the meantime there are probably lots of family vacation photos that could end up as collateral damage.

I don’t know that there is an easy answer to this particular situation, but it does give food for thought in planning out your cloud storage strategy and underlines again the need for GOOD backup and restore practices. If your data is in any way important to you, there should be multiple copies in multiple locations. Allowing the only copy of important information to exist on systems under the control of others is a recipe for disaster.

Posted in Cloud Computing, Privacy

New study gives advice for breach aftermath

Being the victim of a data breach is one of every company’s worst nightmares (at least it should be, if you’re paying any attention to what’s happening in the world today).  When the unthinkable happens and you are the victim of a breach, emotions will run high, decisions will be made, and plans will be followed (you have a plan, right?).

A new study from the Ponemon Institute gives some great guidance from industry professionals who have been victims of a breach that significantly impacted their organization.

Just half of the respondents said their organizations had done all they could to shield customer data, and 56 percent said retaining legal counsel is a priority, followed by analyzing the harm to user data (50 percent). Nearly 65 percent of organizations offered credit monitoring services to their customers affected by the breach, and 73 percent don’t offer credit monitoring or other identity theft tools.

We can also extrapolate some great suggestions for preventing a breach in the first place.  For example, sixty percent of the organizations surveyed did not encrypt customer data…so maybe it’s time to start encrypting yours.

The important point is that the more we are able to study the aftermath of data breaches and take lessons learned from others, the more we are able to prepare for the inevitable breach that is going to impact our own organization.

Read the full Ponemon Institute report here.

Posted in Breach Notification, data breach

The first step in proper breach notification

Dark Reading has a very informative article up regarding the rules surrounding breach notification.  While all of their points are essential ones (and there is much more to the subject), the first step is, as usual, the most important: know whose data you have, and where it is.

The first step in ensuring compliance with breach notification laws is knowing whose data you have. That means keeping accurate records of whose data you store, where they live, and where the data resides. Once you understand that, you can identify the laws that apply. Next, you can identify the particular pieces of information that you need to protect and understand the kind of breaches that would require you to notify the victims as well as state authorities.

Posted in Breach Notification

How are you disposing of your data?

Are you enjoying all of those shiny new gadgets that you got for Christmas?  Ready to get rid of the old stuff that you’re not using anymore?  Don’t just throw it in the trash, particularly if it has any form of data storage.

What you should do with your old computer equipment is actually a very serious question, and it’s something that, unfortunately, many of us don’t spend enough time thinking about.  You can’t just throw that old laptop in the dumpster because you got a fancy new one from your Aunt Sally (if your Aunt Sally actually got you a laptop for Christmas, ask her to adopt me – my aunts buy me socks).

First off, there are environmental concerns.  More importantly, though, there are data security concerns, particularly if you’re talking about replacing your primary computing device.  These devices likely have gigabytes of intimate data about you (and no, I’m not just talking about the web history that shows you spending hours looking for fake nudes of celebrities), and in the wrong hands, this data can be recovered and used against you.

These concerns only become more critical (and complicated) when you extrapolate them out over the enterprise.  It is imperative that businesses implement and follow policies for proper, secure disposal of e-waste – specifically data storage.

Also remember, folks, that not all companies offering data disposal services are created equal.  Make sure that the company that you use has the skills, certifications, and reputation to guarantee secure destruction of your data.  If they don’t guarantee it – they’re not destroying it.

In this day and age, your data is your life.  Make sure that you’re taking care of it properly.

Posted in E-Waste

Don’t be so emotional

Ransomware, or malware that holds your computer hostage until you pay a “ransom” (hence the name – clever, huh?), has been around for a while.  Today we became aware of a particularly crafty new strain that is now posing as law enforcement.

The software informs the user that he or she has all sorts of illicit material on their computer, and that the software is locking the computer down until a “fine” is paid.  If the fine is not paid – the hard drive will supposedly be erased.

Granted, this attack will only be successful on people that are technologically-ignorant enough to believe that child pornography somehow accidentally snuck onto their system, and that law enforcement would send a pop-up instead of showing up at your house and kicking your door in (hint for those that don’t know: it’s the latter).  However, it’s a nice reminder that you can never be too sure when it comes to clicking stuff.

The bad guys on the Internet aren’t dumb – they know that human beings are emotional creatures.  Just as advertisers and politicians do everything possible to elicit an emotional response that will cause you to buy their product or candidate, malware writers are fully aware that the best way to get you to click stuff is to generate an emotional response.

“Click here to save the kitties.”

“Click this or go to jail.”

“Click here to see Britney Spears naked.”

Each of these appeals is designed to generate an emotional response that will cause you to click on something.  It’s one of the basics of the sort of ‘hacking’ that is really dangerous – social engineering.  As any security professional will tell you, the biggest threat to your data is probably you.  Install lots of firewalls, anti-virus, intrusion prevention and detection systems, etc.  These are all well and good.  They can also all be subverted with a simple mouse click from a user that just wants to save the planet, save themselves, or save Britney Spears from those constricting clothes.

Stop being so emotional, and you’ll start being a lot safer on the Internet.

Posted in General, Malware

Encryption is easy

Encryption, once a topic thought reserved for math geeks who were incapable of carrying on normal conversations around the water cooler, is now something that every organization should be using to secure its data.  And it’s easy to use.

This has actually been a soapbox of mine for quite a while now.  To this day, it amazes me how many infosec professionals don’t have a GPG or PGP key to encrypt emails or don’t take the five minutes necessary to encrypt their USB thumb drives.  These are people in the industry who should know better – just imagine how few people are using encryption in their everyday lives to secure their data.  From your resume to your pictures of your kids’ birthday party, the vast majority of the data on your computer is likely stuff that you don’t want some “bad guy” seeing and using against you.

The vast majority of us understand what SSL is, or are at least vaguely aware that when we see ‘https’ instead of ‘http’ in the address bar of our browser, our data is more secure.  If we’re savvy enough to demand that sites like Google and Facebook encrypt our data, we should take the same care ourselves.  It’s easy to do, and with the large amount of risk to our data out there today, there really isn’t any excuse not to.  Software like GnuPG and TrueCrypt make it easy (did I mention that they’re free?), and the article linked above provides some great tips and pointers on using encryption.  Take a few minutes to check it out, and please start taking care of your data.

Posted in Data Security

Top Seven Emerging Threats from 2011

It’s always important to stay on top of what is threatening your data, and the end of the year is a great time for lists like this.  Not every threat is relevant to every organization, so it is important to understand not only what these threats are, but also to look at them in the context of your organization and your critical data.  Gain a picture of your overall attack surface, including any mitigating controls that you have in place, and then you can figure out where best to spend your information security dollars.  The first step is always assessment.

Posted in Cybersecurity

Five biggest breaches for the second half of 2011

Dark Reading has a list of the five biggest data breaches to occur in the second half of 2011.  These lists are useful, if for nothing else, to give us a gentle reminder that the risks to our data are very real, and that we need to continue vigilantly protecting our critical assets.

Posted in Cybersecurity, General

New report says health care data in trouble

A new report out has some interesting findings related to the safety of health care data in America. The findings show that, for a variety of reasons, data breaches in the health care industry are on the rise.

The new Ponemon Institute “2011 Benchmark Study on Patient Privacy and Data Security,” commissioned by IDExperts, found that employee error is one of the main reasons for data breaches in hospitals and healthcare providers. Hospitals and healthcare providers suffered an average of four data breaches in the past year, according to the report.

But the jump in breaches is in part due to better detection capabilities by healthcare organizations, says Larry Ponemon, chairman and founder of the Ponemon Institute. “It was not too surprising that the rate of data loss increased … [But] we think that finding may not be as negative as it appears, and could be a discovery-rate increase with more control and governance practices and use of enabling technologies.”

Another big factor in data loss, however, is the explosion in mobile devices in the healthcare field. Some 80 percent employ these devices for gathering, transmitting, and storing patient information, but half are not securing them. While these devices help patient care, they also pose a major risk of exposure for the patient’s health and other personal information, Ponemon says.

Posted in Data Security, General, Healthcare