Monday, April 30, 2007

Don't Click that Ad

Apparently, Google technology is good enough that it's being taken advantage of even by people seeking to install malware on your computer. According to this article from CNET, there has been a coordinated effort to purchase ads which link to the web site (no link for obvious reasons). When people clicked on the ads, the smarttrack web site would attempt to install software which would capture passwords from their systems.

The interesting question this raises though, is what responsibility Google has for placing the ads. The Google brand is based on a reputation for providing people with content that they actually want (e.g., good search results, or targeted ads). If what Google provides is not only not what people want, but is actually harmful that could, at very least, damage the brand which is the basis for Google's incredible market capitalization. At this point, Google has stated that they are "are also evaluating...[their] systems to ensure that the appropriate measures are in place to block future attempts." Whether those measures will be successful (and what will happen if they aren't) is another question entirely, which is important not just for Google, but potentially for anyone who places targeted internet content.

Monday, April 23, 2007

The Federal Government in the News

Recently, members of the U.S. House of Representatives Cybersecurity subcommittee recently held a hearing during which serious concerns were raised regarding the security of computers within the State and Commerce departments. The bottom line, from this article from CNET is that
21 of 24 major federal agencies had weak or deficient information security controls in place during the last fiscal year, according to audit reports, said Gregory Wilshusen, director of information security issues for the Government Accountability Office.

troublingly, many of the vulnerabilities can only be described as the result of bad IT practices, such as
failing to replace well-known vendor-supplied passwords on systems to not encrypting sensitive information to not creating adequate audit logs to track activity on their systems.
Of course, it's not at all clear how much the security flaws identified at the hearing even matter, given the federal government's exceptionally lax stance toward data privacy. For example, according to this article, which describes how, until recently, the Agriculture Department and Census Bureau were maintaining a publicly accessible database filled with private information, including social security numbers, of people who received loans from the Department of Agriculture. Thus, while threats from cyberterrorists on State Department servers might be significant, they almost seem redundant, given the amount of information which the government makes publicly available, but shoudln't.

Tuesday, April 17, 2007

Google's Purchase of Doubleclick: Privacy Disaster or Positive Step? has an interesting article up about possible implications of Google's recent purchase of Doubleclick (a company famous for its almost ubiquitous multimedia ads). The Center for Digital Democracy says that this deal raises huge privacy concerns, by allowing Google to more easily create comprehensive profiles of individuals' web usage. On the other hand, Google says that the acquisition will actually increase internet users' privacy, because Google will impose its own data retention policies on a company which had been a poster child for threats to on-line privacy. Who's right? At this point it's impossible to say. However, it's worth noting that Google has in the past been willing to go to court to protect the privacy of its users (e.g., in its fight against the US government, described here). Thus, this could be one case where the expansion of a giant organization with omnipresent data collection abilities could actually be a good thing for individual privacy.

Wednesday, April 11, 2007

State Enforcement Actions

While federal laws such as Gramm-Leach-Bliley and HIPAA are often the focus of concern for organizations seeking to maintain regulatory compliance, it is important to remember that many states have put in place requirements which must be observed as well. Case in point: Texas, where the attorney general took action against Radio Shack for violating that state's 2005 Identity Theft Enforcement and Protection Act and section 35.581 of Chapter 35 of Texas' Business and Commerce Code. According to the attorney general's press release Radio Shack had failed to properly protect and dispose of their customers' by simply dumping bulk records in a garbage receptacle behind a store. The dumped records included, ironically, a receipt from a woman who purchased a shredder from Radio Shack to protect herself from identity theft - just the kind of potential victim the media loves to focus on. Thus, the Radio Shack prosecution should serve as a reminder to businesses everywhere that Federal Law isn't the only source of data privacy and information security law, and it is necessary to be mindful of state statutes as well.

Saturday, April 7, 2007

Possible Security Breach ot UCSF

Last week, UCSF (University of California, San Francisco) issued a statement that there had been a possible compromise in the security of a computer server, and about 46,000 records may have been accessed by an unauthorized party. This event, while not unusual in and of itself (about 150 million records have been exposed in breaches in the last two years, according to this list from the Privacy Rights Clearinghouse) raises an interesting question about the effectiveness of current models of data breach and information security legislation. California has one of the toughest, if not the toughest, security breach notification laws in the country, SB 1386, yet that state's own public university system is still plagued by data security problems. While this doesn't mean that California's law (and others which use it as a model) should be scrapped, it does mean that people trying to design legislation to protect individual information should be constantly looking for new ideas, as the strategies currently being used clearly have room for improvement.

Wednesday, April 4, 2007

And we have a new champion...

According to this article from cnet there is a new record holder for the unwelcome honor of worst breach of security for consumer data. The not-so-lucky entity who's security was breached was TJX, which operates discount stores such as T.J. Maxx, and Marshalls. The size of the breach: 45.7 million accounts compromised over a two year period, which beats the previous record (held by Cardsystems, a third party processor of payment data) by almost 6 million records.

The question though, is how much this is going to hurt. Previous studies (such as the one described here) have pegged the cost of security breaches at around $180/record, which puts the total estimated damages for TJX at more than 8 billion dollars. Of course, the biggest breach of all is, by definition, outside the normal run of data on which these estimates are based. The previous titleholder, Cardsystems, took a tremendous hit to its business when Visa an American Express revoked its status as an approved transaction processor (details available here) and was eventually forced into an asset sale (details available here). Does that mean that TJX will suffer a similar catastrophic collapse? Not at all. However, it does illustrate that, when it comes to security breaches, there are real risks associated with being number 1.