Security week in review
Week of November 26, 2004

CIBC fax debacle

The recent CIBC fax debacle that made front page news in the Globe & Mail is, alas, far from unique. The Globe and Mail and CTV reported that confidential data for hundreds of CIBC customers had been faxed for more than three years to a scrapyard operator in West Virginia. The faxed documents contained names, social insurance numbers, phone numbers, bank account details and, in some instances, signatures of CIBC customers.

A lawsuit has been filed by the US operator against CIBC. It would appear that customers were first notified of the security and privacy breaches by the media.

With up to 15 per cent of US consumers affected by ID theft, and one-third knowing of a friend or family member who has had their identity stolen, such examples of human error have the potential to have extremely significant consequences for affected individuals.

In February 2002, there was a story in the Irish Times indicating that for several years AIB documents containing sensitive customer information had been repeatedly faxed to a local businessman with a similar fax number. Apparently, the local businessman repeatedly advised the bank of the error, but it continued over an eight-year period. The incidents were only resolved by the bank when Mr. O’Leary, the recipient of the erroneous transmissions, took legal action against AIB.

The current legal situation - namely that there is no obligation whatsoever on the part of companies to report security breaches (for which they are responsible) to affected customers - is simply reprehensible. I have written extensively about this gap in consumer protection laws, and while the US banking regulators are expected to produce some type of guidelines on the issue of mandatory reporting in the near future, there is no such initiative in Canada - and seemingly little interest in the topic.

At least in the US, there are statewide identity theft laws and a federal act - not so in Canada. Canadians are left out in the cold. And, with the exception of their brethren in California (where mandatory reporting laws do exist), most consumers are dependent upon the largesse of individual companies as to whether they ever find out that their identities are in danger of being stolen, or worse - that they in fact have been stolen.

The banks are very quick (in copious fine print) to pass on to consumers the obligation to report suspicious transactions on their accounts, but bear little or no responsibility to do likewise when the shoe is on the other, well-shod foot.

Don’t count Gates out

A number of the UK's top IT bosses have ridiculed Microsoft chairman Bill Gates’s prediction that the password is a dying breed, and that smart cards and biometrics will replace it. The uber-techies apparently pointed to his oft-cited, and undoubtedly much regretted, prediction that “640KB would be enough for any desktop computer” as proof that he is somewhat less than a visionary.

Alas, I have to agree with Gates for once. Passwords may not be dead in the near future, but their demise is inevitable. Users hate them - they are sick of them - they subvert them on purpose. I think it is the UK IT chiefs who are out of touch. Amazing, though, how most of them invariably run, not walk, when MS offers them a job. No offence, lads and gals.

Let’s face it, Gates is the man who built MS from scratch: the geeky, bespectacled kid who outsmarted IBM and stole DOS from under their noses. He is also well known to play hardball to catch up when proven wrong, and he learns from his mistakes. It is a very foolish person indeed who writes the 48-year-old off.

I also believe his true legacy is likely to be his philanthropic efforts. His Foundation does more to try to cure AIDS, malaria, etc, than national governments. Hats off to him there.

And unlike other Net zillionaires (who will remain nameless) he is not focused on egomaniacal self-aggrandizement, wifely upgrades, or Charvet shirts - his lack of sartorial elegance being legendary. Indeed, many of those who cry foul vis-à-vis MS are doing little for humanity with their own tech-gotten wealth.

Let the pot call the kettle black.   

CEOs - beware the wrath of outsourced IT workers

Michael Soden, ex-CEO of the Bank of Ireland, was forced to resign last summer after being caught viewing porn sites by the less than contented staff he had outsourced to HP when he first came into the top job. Staff took industrial action over the move, as they lost various lucrative banking perks with it. Insiders tell us they markedly did not let bygones be bygones, and instead plotted their revenge.

Ironically, Soden was responsible for putting in place the bank's first acceptable use policy, and was promptly hung by it.

Sauce for the goose…..

Now there is a fight over who pays his departure costs: HP or the bank.

When you think you have seen and heard it all…

Richard Clarke, former counter terrorism advisor to the US National Security Council, has stated that before invading Iraq, the U.S. government used the Internet to intimidate Iraqi soldiers by sending them personalised messages saying:

"We're about to invade. We're going to overwhelm you and if you resist us we're going to kill you. But we don’t want to do that. So really the best thing for you to do when we invade is to go home."

He says many took them at their word, and not surprisingly headed for the hills.

Not that such tactics are anything new, but it is a low-cost, highly effective strategy worth bearing in mind.

Some years back, I recall reading a survey about how merely telling employees that you had recently installed the most complex employee 'aberrant behaviour' analysis tool known to mankind, and developed by NASA, was enough to vastly decrease undesirable behaviour in the workplace.


Of course, this was entirely a ruse. But perception being nine-tenths of reality, it is a useful ploy. And fighting fire with fire has a certain Machiavellian appeal.

Speak to your lawyers before you try this though.

There is invariably some nitty-gritty, pesky law to worry about. Rarely something that can't 'be sorted' - but best to hash it out first with the legal eagles, and HR.


Week of Oct 11, 04


Don't be too brash

ISPs, telcos and sundry service providers are understandably anxious to shore up revenues and devise new service offerings that differentiate them from the competition, but occasionally they allow blind enthusiasm to trump common sense.

Lycos Europe (the search engine people) threw down the gauntlet to spammers with a new offering, the 'makelovenotspam' campaign: a free screensaver that would outwit spammers by deluging them with data, essentially launching what could only be considered a denial of service attack. Now it appears, despite heated Lycos denials, that they have been hacked back. Oh, quelle surprise.

My first thought about this marketing innovation was: are the Lycos lawyers on vacation with staff from RBC? Since when was running the appreciable risk that such action could expose them to criminal liability for breaching global cybercrime laws considered a sound corporate strategy?

Perhaps the marketing department has staged a coup and killed all the Lycos lawyers, who lie bloodied and defeated as we speak? I always wonder at managers who pay lawyers good money to ignore their advice - or worse, don't even seek it. In any event, one can only speculate as to what went on.

Playing chicken with bad guys

Legal exposure aside, it is almost never a good idea, unless you are John Woo. Don't say you are super secure, or make some other naive representation - or threaten to 'strike back'. Why actively try to attract the attention of the bad guys? As the Irish would say, "don't be a daft idgit".

Lie low - that is what everyone else is trying to do. Hire new strategy advisors with a smidgen of sense, and a keen self preservation radar....

When you say 'bring it on', don't be dazzled when taken at your word. Work off the aggression some other way: take a self-defense course, go skydiving, go home.

Lobbying works a dream

The huge $388bn spending bill that US Congress approved last weekend contains a provision that provides $2 million for a federal copyright enforcement czar.

There has been a plethora of bills recently that favour the Justice Department acting as policeman for Hollywood's interests, including attempts to allow the DoJ to file civil lawsuits on their behalf. The taxpayer pays. You would think they could at least get the security details right in their movies, with all their resources. See Security in the Movies.

In a ZDNet report, Gigi Sohn, president of the non-profit fair-use advocacy group Public Knowledge was quoted as saying, with commendable insight: "I think the taxpayers would be surprised that there's money being spent for copyright enforcement when terrorists and criminals still roam the streets...When every dollar is being counted for education, health care and homeland security, it seems like a strange priority."

Not so strange when you have top-notch lobbyists at your beck and call, and millions to spend to get the job done. Note the lack of progress (see the archives) in getting a US Cybersecurity Czar in place - someone with access straight to the top, and with real power. And yet there are frightful sums of money set aside for biometrics, that holy grail of security.

Cybersecurity laws unlikely

A panel of senior US cybersecurity officials recently agreed that cybersecurity mandates (read: laws) were not required to 'encourage' companies to adopt cybersecurity best practices. It was stated that Congress should instead develop "carrot" incentives for industry - to reward them for trying to improve their cybersecurity efforts.

In late 2003, legislation was proposed that would have required companies to fill out a cybersecurity checklist in their filings with the U.S. Securities and Exchange Commission. This useful suggestion seems to have died a death.

'Incentives' under discussion include an investment tax credit and a limit on liability for companies adopting cybersecurity best practices, although one of the reasons given for not mandating better security practices was apparently a lack of standards and of consensus on what constitutes best practice. Details, details...

In light of strong indications that the banking regulators will soon release massively watered-down 'guidelines' for member banks on the much-feared proposal for mandated reporting of security breaches to customers, it appears that the battle for more consumer protection is being lost, and that the lobbyists are winning the high-stakes (but eminently shortsighted) game, hand over fist.