
Archive for the ‘Economics’ Category

On 15 January 2014, George Osborne stated at the Open Europe Conference, “Europe accounts for just over 7% of the world’s population, 25% of its economy, and 50% of global social welfare spending.” The Right Honourable George Osborne, MP, is the current Chancellor of the Exchequer of the United Kingdom, the equivalent of the Treasury Secretary in the United States. On the surface, this seems like a typical politician’s claim and subject to doubt. But it is likely true.

According to Eurostat, the 27 nations that make up the European Union account for around 7.2% of the world’s population. If you include European nations that are not part of the EU, then it rises to 10.5%. Also according to Eurostat, the EU nations make up 25.8% of the world GDP (about 30% if you include all European nations). So if Mr. Osborne really meant the EU, he is spot on for the first two claims. The last number is a lot harder to pin down. Mr. Osborne credits German Chancellor Angela Merkel for the claim, but fullfact.org has not yet received an answer from the Chancellor’s office. In 2012 the World Bank published a report that Europe accounted for 58% of the world’s social welfare spending. This number included 36 countries as “European,” which includes the 27 EU members. So maybe the 50% number is reasonable for the EU.

Is it any wonder that the millions fleeing from Syria, Afghanistan, Iraq, Kosovo, Albania, Pakistan, Eritrea, Nigeria, Iran and Ukraine head to Europe? They are certainly not heading for Africa or Russia, even though Russia has a lot of empty space to house hundreds of thousands of refugees. Just as for many of the people who cross into the US from Mexico and further south, many of these people streaming into Europe are really economic refugees. On average in 2015, each EU country had 260 applicants for each 100,000 in local population, but of course it was not evenly spread among the EU countries. Hungary had 1,799 applicants for each 100,000 in population, while Spain had 32.

Clearly the majority of these immigrants are fleeing terrible conditions where their lives are at great risk. In my view, these people are refugees that the receiving countries have some responsibility to deal with. But we see in the daily pictures from Europe, many able-bodied 18-35 year old men and women with no accompanying children. These people have no pride in their own land; they are not willing to stay and fight for their country and their culture. How much investment will they have in their new country?

This war-fed migration pales when compared with the fleeing masses during and after World War II. Some estimates put the European component of fleeing refugees at 60 million, with over a million of them still trying to find a place to settle five years after the conflict ended.

Perhaps the biggest difference between then and now is that this war still goes on. ISIS and other organizations still want to take over the world by any means. This migration provides the perfect opportunity for ISIS to infiltrate hundreds of fighters and organizers into Europe, and no way for the European countries to verify the identity and background of any of these people.

Another important difference between now and just after World War II is the ability of these migrants to communicate. In some cases, and for really good reasons, these migrants are being given smart phones. They are an easy way for the authorities to provide information on where to get help and what options are available, and for the migrants to communicate with family members already in Europe. It also provides a way for the few invaders to communicate among themselves and with any sleeper agents or groups already in place.

The last word:

The US government created the Transportation Security Administration, with an annual budget of more than US$7 billion. The main result of this expense is to inconvenience the more than 800 million passengers in the US each year, adding hours of waiting for every passenger just to get on the plane. Based on the absence of any “we stopped this attack” information from TSA, it seems that actual attacks are stopped by passengers or crew, not TSA. TSA does publish a weekly report that, on average, reads like this: found six “artfully concealed prohibited items,” about a dozen weapons (mostly small pen knives), and arrested about a passenger a day for “suspicious behavior” or fraudulent travel documents. There is no indication that any of these incidents actually posed a threat to passengers. Rather, the long queues at checkpoints create clusters of people that are prime targets for those wishing to do us harm.

Comments solicited.

Keep your sense of humor.

Walt.


The US Internal Revenue Service (IRS) is having a bad year. On top of a serious breach in 2015 that affected at least 330,000 taxpayers and led to a class action lawsuit against the IRS, 2016 may turn out to be an even worse year for the agency. The lawsuit claims that the IRS knew its website was vulnerable to security breaches but did nothing to mitigate the problem. This is important, because the same systems are responsible for at least some of the 2016 breaches.

So far in 2016:

  • In January cybercriminals used malware and 464,000 stolen Social Security Numbers to generate over 100,000 e-file personal identification numbers. An e-file PIN together with your Social Security Number is enough for a cybercriminal to file a fraudulent tax return and collect a refund.
  • In early February, the IRS could not accept electronic filings (e-file) tax forms for at least one day. The IRS claims this failure was not related to the January attack.
  • In early March, the IRS revealed yet another problem: the system the IRS put in to protect those who were victims of the 2015 hack was itself hacked. What would be funny if this were a movie is that the same IRS online identity verification mechanism that was exploited in 2015 was used to verify the online identity of those who were supposedly protected by the new system. The IRS knew that this verification mechanism was the cause of the 2015 breach, and the pending class action suit alleges that the IRS knew of the problem even earlier. Yet, somehow, the IT security people at the IRS thought it would be a good idea to use it again. As of this writing, the IRS claims that this latest attack has resulted in fewer than 200 fraudulent filings.

If you are a victim of any of these cyber attacks do not expect a lot of help from the IRS. You should receive a letter in the mail indicating that you were potentially a victim. You might first find out when the IRS tells you that you have already filed your return. In any case, expect that it will delay any refund by weeks and will involve several phone calls with the IRS. It may even require that you go to an IRS office and file in person. If a fraudulent refund has already been sent out, the IRS is likely to claim they have already paid you.

The last word:

In fiscal year 2014 the IRS collected $3.1 trillion in revenue and processed 240 million tax returns. You should expect the IRS to be very careful with the information they keep on every taxpaying individual and corporation in the US. You will be very disappointed. The IRS used to take pride in its ability to protect taxpayer information, but that is clearly not even on their priority list. The 2015 hack enabled cybercriminals to steal $50 million of your tax dollars by using identity theft to file for bogus tax refunds. While $50 million is a very small percentage of $3.1 trillion, each fraudulent tax filing has a serious impact on an individual or company. Also, the stolen information can and has been used in other identity theft exploits.

Even if the IRS has not yet told you it has exposed your information, check your free credit reports periodically looking for new accounts or other fraudulent activity. You can check each of the three agencies (Equifax, Experian, and TransUnion) once a year for free. I recommend that you spread them out over the year, checking one every four months.

Comments solicited.

Keep your sense of humor.

Walt.


If you want the full financial and operational value of Cloud Computing, then you want to use a public cloud. The advantages over private clouds include:

  • Low upfront costs.
  • Clear relationship between cost and benefit with pay-for-use model.
  • Easy to try new projects, easy to make change.
  • Flexible.
  • A wide choice of Service Level Agreements (SLAs).
  • Easy to provide a world-wide presence.

Of course, there are some public cloud disadvantages, the most critical being security, performance and availability. At this point in time, you can easily meet most performance and availability requirements from a variety of cloud service providers (CSPs); security is more difficult. In a public cloud environment, you do not control physical access, and you have no control over who is sharing common infrastructure including networks, server hardware, and storage systems. But there is a way to secure your data both between your facility and your public cloud CSP and within the CSP’s infrastructure: combine Unisys Stealth with Amazon Web Services (AWS).

The basic principle behind Stealth is to only allow a device to communicate with another device if they share a Community of Interest, a COI. A COI is nothing more than a named group of people and servers. Data can be shared freely within a COI, but must not be shared with any person or server not in the COI. In the usual Stealth installation, a user’s COI or set of COIs is specified in the site’s identity management system, the same system that authenticates the user at sign-on, so membership follows the identity rather than the network address.

If you are responsible for protecting your company’s proprietary information, your customers’ private information, or concerned with compliance you should at least look at Unisys Stealth. If you are responsible for a government database involving individuals’ information or classified data, you should also be looking at Unisys Stealth.

I have talked about Unisys Stealth before, Amazon Simple Storage Service (Amazon S3), and the combination in “Secure Public Cloud” back in 2013. What has changed are some significant “under the covers” enhancements to Unisys Stealth, the incorporation of Stealth into the AWS Marketplace, and additional operational facilities to enable you to easily extend your datacenter into the AWS cloud to handle expected, or unexpected, sudden increases in resource demand.

The combination protects communication between your AWS virtual servers even within the same physical server, encrypts all communication among the servers in your data center and the servers in the AWS cloud, and controls access based on roles. You control the security access policies that define who and what can communicate, allowing you to isolate applications within your environment for business or compliance reasons.

Stealth subscriptions are sold through the AWS Marketplace; you get one bill from Amazon for everything including Stealth. It is available in every AWS region. Suddenly you can open a presence anywhere quickly and inexpensively, and react to unexpected growth from anywhere.

One of the most important characteristics of Unisys Stealth on AWS is that there is no back door. Unisys, Amazon, and any network component in between do not have your encryption keys. Your government cannot force Unisys or Amazon to provide access to your data; they have no way to break in. That property depends on the keys being generated and held on your side; if you let key material live with the provider, you have rebuilt the back door yourself. Even if you are OK with your government gaining access to your information at any time without notice to you, you should be very concerned: if your government can get in, then so can any other government, cybercriminal or cyberterrorist using the same back door. Another important benefit of Stealth is that even if a cybercriminal was able to insert malware on one of your servers in the AWS cloud, that server would not be able to transmit anything back to the cybercriminals, because Stealth prevents your server from communicating with any device that is not part of a community of interest that you have defined. It can still reach every other member of its own COIs, so keep each COI as small as the application allows.
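The COI rule described above can be made concrete with a small policy model. This is an added example, not Unisys Stealth code and not how the product enforces the rule internally (the product does it in the network path with encryption; this model only evaluates the policy decision). It encodes the stated rule, that two endpoints may talk only if they share at least one COI and everything else is denied, and runs it over a handful of constructed endpoints and flows, including the compromised-server call-home case and two VMs on the same physical host that share no COI. The COI names, hostnames and addresses are invented, and `blast_radius` is a check added here to show what a compromised member can still reach.

```python
"""Toy model of a Community-of-Interest (COI) communication policy.

Added example, not Unisys code. Two endpoints may communicate only if
they share at least one COI; anything else, including a peer nobody has
defined, is denied. Names, COIs, hosts and addresses are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    cois: frozenset          # COIs this user or server belongs to
    host: str = ""           # physical host, to show same-host isolation


# Constructed identity store. In a real deployment the identity
# management system hands out the COI set at sign-on.
ENDPOINTS = {
    "web-1":      Endpoint("web-1",      frozenset({"WEB", "PAYMENTS"}), host="aws-host-A"),
    "db-1":       Endpoint("db-1",       frozenset({"PAYMENTS"}),        host="aws-host-A"),
    "analytics":  Endpoint("analytics",  frozenset({"ANALYTICS"}),       host="aws-host-A"),
    "alice":      Endpoint("alice",      frozenset({"WEB", "ANALYTICS"})),
    "onprem-erp": Endpoint("onprem-erp", frozenset({"PAYMENTS"}),        host="datacenter"),
}


def decide(src: str, dst: str) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for one flow.

    Unknown peers are denied outright; that is what stops a compromised
    server from calling home, since the attacker's host is not a member
    of any COI you defined.
    """
    s = ENDPOINTS.get(src)
    d = ENDPOINTS.get(dst)
    if s is None or d is None:
        return "deny", "peer is not a known COI member"
    shared = s.cois & d.cois
    if not shared:
        return "deny", f"no common COI ({sorted(s.cois)} vs {sorted(d.cois)})"
    return "allow", f"shared COI {sorted(shared)}"


def evaluate(flows):
    """Evaluate (src, dst) pairs; returns (src, dst, verdict, reason) rows."""
    return [(src, dst) + decide(src, dst) for src, dst in flows]


def blast_radius(name: str) -> set:
    """Everything a compromised endpoint could still reach under the policy."""
    return {other for other in ENDPOINTS
            if other != name and decide(name, other)[0] == "allow"}


# Constructed flows, including the malware call-home case from the post.
FLOWS = [
    ("web-1", "db-1"),            # same host, shared PAYMENTS      -> allow
    ("analytics", "db-1"),        # same host, no shared COI        -> deny
    ("onprem-erp", "db-1"),       # datacenter -> AWS, PAYMENTS     -> allow
    ("alice", "db-1"),            # user is not in PAYMENTS         -> deny
    ("web-1", "203.0.113.7"),     # compromised web-1 calling home  -> deny
]

if __name__ == "__main__":
    for src, dst, verdict, reason in evaluate(FLOWS):
        print(f"{src:>10} -> {dst:<12} {verdict:5} {reason}")
    print("web-1 could still reach:", sorted(blast_radius("web-1")))
```

The interesting line is the last one: `web-1` sits in two COIs, so a compromise there exposes the payments database, the on-premises ERP and one user. That is the argument for narrow COIs rather than one broad "everything in AWS" group.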

The last word:

Unisys has been around since 1886, and is one of the few survivors of the initial computer revolution designing and building commercial and government computers since the 1940s, computer systems that continue to perform “bet the business” functions. Support is a key element of that environment, and no matter how big or small your company is, you still get that enterprise level support from Unisys. Sure, Unisys has the on-line self-help site with all of the technical documentation and discussion you might want, but you can always pick up the phone and talk to a real person who is knowledgeable on the product, and is probably located within one or two time zones of you.

Curious? Check it out with a Unisys AWS test drive.

Comments solicited.

Keep your sense of humor.

Walt.


Ransomware is like the elementary school bully who steals your lunch and won’t give it back until you give him a quarter. Except in this case, it is all or most of the files on your computer’s hard drive, and the cost to restore your data is hundreds of dollars.

The first known ransomware attack was back in 1989. Widespread ransomware attacks started in Russia in 2005. By 2012 the attacks had spread outside of Russia, especially to Europe and North America. They work by either encrypting your files or locking access to your system via a variety of means, from constantly putting pornographic pictures over everything on your screen to running a fake version of Windows that won’t do anything until you pay.

There are ransomware attacks for Windows, Mac OS, iOS, and Android systems.

Payment is almost always through some form of electronic currency like Bitcoin. These virtual monetary systems are anonymous and it is very difficult for authorities to track the destination of the payments. However, some ransom notes have you call a “toll-free” number to get a key to release your files or system, except the phone number is routed through a country with very high long-distance rates, and the operator “needs” to put you on hold for several minutes before giving you the code. You could end up with a several hundred dollar item on your next phone bill.

Sometimes the pop-up on your screen looks like it came from a law enforcement agency like the FBI in the US, Scotland Yard in the UK, or your local police agency. The notification page claims the agency locked your computer because they detected illegal files on your computer: usually porn or terrorism-related material. Once you get over the official looking notification with all the correct logos and badges and can read it calmly, it looks like a scam. Often the wording is awkward, and, really, is the FBI going to ignore your alleged terrorism-related activities if you Bitcoin them a few hundred dollars?

By the end of 2013, security vendor Symantec was reporting 600,000 ransomware attacks a month, and it expects these attacks to increase substantially in 2016 across all platforms.

If you get a ransomware notification on your business or personal computer, tablet or smart phone, do not pay the ransom. They may give you the key, or they may not. These are cybercriminals, not necessarily known for their ethics. Once the malware is loaded, they can bully you again as often as they want until you clean it off of your system. Have a five-minute rant, calm down, reload a fresh copy of the OS and then restore your files from your latest backup.

The solution, of course, is not to be attacked by ransomware. While you can never be completely protected, here are four things that you should already be doing.

  1. Practice safe clicking. Always check the link in an email or on a website that you are not positive is friendly. Check out my last post for how to do that. Most ransomware comes in through a standard malware attack.
  2. Keep your software up-to-date. Cybercriminals and cyberterrorists are always looking for new vulnerabilities, and they are very good at it. Once they find one, they pass the information on to other cyber attackers. Fortunately, the good guys are also looking for vulnerabilities and updating their software to close them as they are found. But if you do not have the latest software, you still have those vulnerabilities.
  3. Use a good security software package that is more than just anti-virus.
  4. Back up. Often. No, even more often than that. Periodically, ask yourself when you or your automated backup mechanism made your last backup. Then ask how much grief it would be to redo everything you had done since then. Macintosh Time Machine and Windows 10 File History back up changed files every hour, but only if you have an external hard drive attached and the option turned on.

In one recent example, Hollywood Presbyterian Medical Center paid cyber-terrorists 40 bitcoins (about $17,000) to get the key to release the hospital’s data. I call this a cyber-terrorist attack because it put every patient in the hospital at risk of death or serious injury once doctors and nurses could no longer access patient records or get diagnostic information from monitoring or diagnostic equipment. Hollywood Presbyterian Medical Center is a private hospital in Los Angeles with 434 beds. The hospital CEO, Allen Stefanek, said that paying the terrorists was the “quickest and most efficient way” to regain control of their data systems. The malware attack was first noticed on February 5, and the systems were not fully functioning again until 10 days later. Clearly, this hospital IT department was not prepared for any kind of a disaster. I expect they will be attacked again, probably by the same terrorists.

The FBI is investigating, but I would not expect them to catch anybody.

The last word:

Packages like Time Machine and File History are great for automatically backing up in the background while you are working, meaning in general that you never have more than one hour’s worth of work to recover. They also make recovery easy, and can give you the file as it was yesterday or last week in case you really messed it up and want to throw away the last round of changes.

However, they are not very effective in two cases:

  1. If you have a building failure, they are likely to also get destroyed. A building failure is a case where you cannot get back into the building, perhaps because of a fire, earthquake, biological contamination, police or military action, or terrorist act.
  2. Some ransomware not only makes the files on your computer’s hard drive inaccessible, but will also destroy or encrypt the files on any attached hard drives, like your Time Machine or File History drive.

If you are paranoid, like me, you should also have an offsite backup. It is now fairly easy and inexpensive to do this with packages like Microsoft OneDrive, Apple iCloud, Carbonite, and a host of others. Make sure whichever you pick keeps older versions of each file: a sync service will faithfully upload the encrypted copies too, and without versioning it would simply replace your good copies with the bad ones.
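Both failure cases above argue for checking a backup before you need it, and the second case (ransomware reaching the attached backup drive) is easy to catch early. The following is an added example, not from the post and not part of Time Machine, File History or any backup product. It builds a constructed backup tree in a temporary directory, records a manifest of SHA-256 digests, then simulates ransomware rewriting one file and dropping a ransom note, and re-verifies. The manifest catches any changed, missing or new file; a Shannon entropy test on the changed files separates "edited document" from "replaced with ciphertext", since encrypted data sits close to 8 bits per byte. The 7.5-bit threshold and 256-byte minimum are assumptions to tune for your own data.

```python
"""Verify a backup set has not been silently encrypted or replaced.

Added example, not from the post or any backup product. A digest
manifest taken when the backup was made is re-checked later; files that
changed are also entropy-tested, because ciphertext is close to
8 bits/byte while ordinary documents are well below that.
Everything below runs on constructed files in a temporary directory.
"""
import hashlib
import json
import math
import os
import tempfile
from pathlib import Path

ENTROPY_ALERT = 7.5   # bits per byte; assumed threshold
MIN_SIZE = 256        # too few bytes for a meaningful entropy estimate


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 digest for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the backup tree against its manifest.

    Reports files that were modified, disappeared or appeared, plus any
    modified/new file whose content now looks like ciphertext.
    """
    current = build_manifest(root)
    report = {
        "modified": sorted(f for f in manifest
                           if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "new": sorted(f for f in current if f not in manifest),
        "high_entropy": [],
    }
    for rel in report["modified"] + report["new"]:
        data = (root / rel).read_bytes()
        if len(data) >= MIN_SIZE and shannon_entropy(data) >= ENTROPY_ALERT:
            report["high_entropy"].append(rel)
    return report


def demo() -> dict:
    """Constructed backup: snapshot it, simulate ransomware, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("quarterly numbers\n" * 200)
        (root / "docs" / "notes.txt").write_text("todo: rotate keys\n" * 100)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        assert not any(clean.values()), "fresh backup must verify clean"
        # Simulated ransomware: one file overwritten with random bytes
        # (standing in for ciphertext) and a ransom note dropped.
        (root / "docs" / "report.txt").write_bytes(os.urandom(4096))
        (root / "docs" / "README_DECRYPT.txt").write_text("pay 2 BTC\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run this against the real backup drive on a schedule and alert on any non-empty `high_entropy` list; a burst of modified files that all test as ciphertext is the signature you want to see minutes, not weeks, after the fact.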

Comments solicited.

Keep your sense of humor.

Walt.


In addition to being a huge source of interest, amusement, annoying commercials, robo-calls, and anguish to all of us in the US, the 2016 election cycle is likely to drive cybercriminal and hacktivist activity. The Forcepoint 2016 Cybersecurity Predictions Report describes some interesting possibilities.

As an individual, expect to be targeted. By the 2012 election cycle, social media was an important method of getting a candidate’s message out, gauging voter interest, collecting donations, and promoting engagement that hopefully leads to a vote. For some candidates, social media is at least as important as the traditional news media. Attackers will use the intense interest in this election cycle to create highly effective email lures and misdirects to push malware to the unsuspecting public.

Some of these attacks will be advanced cyber attacks against specific organizations unrelated to the election, potentially including your company. The cybercriminals will target individuals pursuing election-related information, with the expectation that the cybercriminals can gain access to personal or company information for financial gain or negative business impact unrelated to the election.

The candidates themselves, as well as the news media, will become vulnerable to attacks on their social media sites. These attacks may be by opponents, foreign governments, or hacktivists with a specific political agenda. Expect to see these attacks used to spread inaccurate messages and information. Even if a candidate can quickly correct the information, the false information lives forever and may impact the outcome of an election. In the US political circus, the message is critical.

These attacks on a candidate’s social media could also impact the data the candidate is collecting on probable voters and donations. Corrupting that data could have a huge negative impact on a candidate’s ability to run or fund a campaign.

InfoSec Institute published “Which Top 5 Presidential Candidate is Most Likely to Be Hacked?” back in October, 2015. The only candidate with an “A” rating was Ben Carson (remember him?), largely because he outsources donation and volunteer services and does not have an on-line store; he has a very small attack surface. Hillary Clinton and Donald Trump got a “B,” Bernie Sanders and Jeb Bush got a “C.” Several of these candidates are using unsecured or only partially secured WordPress sites that may leak internal usernames and other information, making them relatively easy targets. While she did get a “B,” Hillary has the largest attack surface, based on a quickly built custom application. Her development team’s motto is “ship early and often; done is always better than perfect.” Security may not be high on the team’s priority list, and security testing is likely to be a low priority task.

As the Forcepoint report points out, “Technology decisions made by candidates during their tenure can expose them to data theft attacks (as seen by Clinton’s use of a private email server).” It is also likely true that technology decisions made during a campaign give a hint as to how that candidate will behave relative to data security when elected. If you see a candidate reacting to incorrect information on their web site or social media, then expect that their concern about data security is very low. Put that on your scorecard as one factor as you decide how you will vote.

It will not be just the candidates’ web sites and social media sites, but also those of the hundreds of issue-related websites that represent PACs and other special interest groups.

The bottom line is that you need to be very careful. Before you click on a link in an email or on a website, carefully look at it. Even if you know the sender of an email, if all it says is something like “check this out” or some other short message, be careful: the email may only appear to be from a friend or co-worker. The safest way is to copy the link (right-click on the link and select “Copy Link Location”) and then paste that into your browser’s URL line and make sure you recognize the web site.
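The copy-and-inspect advice above can be automated for a whole message. This is an added example, not from the post or from any mail client: it extracts every anchor from an HTML e-mail body, compares the visible text with the real `href`, and flags the tricks that make a bad link look familiar, such as a user name before `@` that hides the real host, a punycode (IDN) host, a host that merely contains a trusted name, and display text naming a different site than the link target. The sample HTML, the hostnames and the `TRUSTED` allowlist are constructed for illustration, and the "registrable domain" helper is a crude last-two-labels approximation rather than a public-suffix lookup.

```python
"""Check whether links in an e-mail really go where they appear to go.

Added example; not from the post or any product. Parses anchors out of
an HTML body and reports the common disguises. Sample HTML, hostnames and
the trusted list are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"example.com", "mybank.example"}   # assumed allowlist of your own sites


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def link_findings(href: str, text: str) -> list:
    """Return a list of human-readable reasons to distrust this link."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https"):
        findings.append(f"non-web scheme {parts.scheme!r}")
    if parts.username is not None:
        findings.append("userinfo before '@' hides the real host")
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode (IDN) host, check for look-alike characters")
    if registrable(host) not in TRUSTED:
        findings.append(f"host {host!r} is not on the trusted list")
        if any(t.split(".")[0] in host for t in TRUSTED):
            findings.append("host merely contains a trusted name (look-alike)")
    # Visible text that looks like a URL but names a different site.
    m = re.search(r"https?://([^/\s]+)", text)
    if m and registrable(m.group(1)) != registrable(host):
        findings.append(f"text shows {m.group(1)!r} but link goes to {host!r}")
    return findings


def scan(html: str) -> dict:
    """href -> findings for every anchor in the HTML body."""
    p = AnchorCollector()
    p.feed(html)
    return {href: link_findings(href, text) for href, text in p.anchors}


# Constructed e-mail body: one honest link and three disguised ones.
SAMPLE = """
<p>Hi, <a href="https://example.com/news">check this out</a></p>
<p><a href="http://mybank.example@203.0.113.9/login">https://mybank.example/login</a></p>
<p><a href="https://mybank-example.co/secure">https://mybank.example/secure</a></p>
<p><a href="https://xn--mybnk-bsa.example/">mybank.example</a></p>
"""

if __name__ == "__main__":
    for href, findings in scan(SAMPLE).items():
        print(href)
        for f in findings or ["looks fine"]:
            print("   -", f)
```

The second sample link is the one the post's manual check catches: pasting it into the address bar shows the browser is about to talk to 203.0.113.9, not to the bank. The other two only look right when read quickly, which is exactly when people click.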

The last word:

If you think it unlikely that a foreign government would attack a candidate, consider the Syrian Electronic Army (SEA), a group of attackers supporting Syrian President Bashar al-Assad. Beginning in 2011, the SEA targeted political opposition groups within Syria, western news organizations (including the BBC, Associated Press, and The Washington Post) and human rights groups. The SEA has managed to send false tweets from Twitter accounts for 60 Minutes, Reuters, Associated Press, ITV News London, and many others. It has defaced the web sites of Forbes, NBC, CBC News, and hundreds of other sites including the National Hockey League.

Of course, the SEA is only one potential government sponsored hacktivist organization, and in my view, not the most dangerous by far. There is a reason why the US and China agreed to a pact to not use cyberattacks to steal company records for financial gain. Of course, China does not admit to ever having done anything like that. A careful reading of the pact indicates that the pact does not bar cyberattacks for other reasons such as political.

Comments solicited.

Keep your sense of humor.

Walt.


I got hold of a sample ballot for our November 2015 General Election, and noted that there was no candidate for the position of “Auditor.” Sounds like an important and necessary job, so I launched a massive write-in campaign and began my run: I asked my wife to also write in my name. A couple of weeks later I received a call from the County Board of Elections that I had tied with another candidate, and there would be a drawing to see who won. I could come myself, send someone in my place, or ask one of the election board staff to draw for me. Since I would be traveling that day, I asked that someone there draw for me. On a picturesque fall day just before Thanksgiving, we were driving across I-70 in Ohio when my phone rang again. I had won!

When I got back home, I decided that I had better find out what I had won, and what the duties and responsibilities of the position entailed. I figured that there was not much power to the position, since neither party had bothered to propose a candidate. After some research, I determined that I had won a six-year term on the three-person Board of Auditors for the township where we live. A quick visit to the township office revealed two things: they did not yet know that I had won, and, since there was no candidate on the ballot, they were not actually expecting that anyone had won. But most importantly, I found out that I should attend the Township Supervisors Organizational meeting in early January, and a separate Board of Auditors meeting the next evening.

There are relatively few required duties for this board. For example, if the township hires a Supervisor as an employee, it is the Board of Auditors that officially sets the salary. But the Board of Auditors can actually do the annual audit. For at least the past few years, the Township has hired a private firm to do the audit. We’ll see if that changes.

The last word:

The township covers 18.2 square miles, with a population of 21,219 people according to the 2010 census, up 38% from the 2000 census.

One thing this exercise shows, probably not to your surprise, is the lack of interest in local elections. There are 13,810 registered voters, probably a very high percentage of the eligible citizens. Only 28% actually voted in this election, with a little less than 1% by absentee ballot. For this auditor position, there were only 26 votes, and I won with 2 of them. Three votes would have won the position without the risk of a run-off drawing. The open Supervisor position was won by less than 160 votes, about 4% of the votes, but only a little over 1% of the registered voters. Township and County supervisors have a strong influence over our daily lives. If you want to take over a local government, all you may need to do is get a hundred or so people who do not normally vote to go out and vote the way you want.

All politics is local.

Comments solicited.

Keep your sense of humor.

Walt.


I like statistics. When properly used, they can tell you what has actually happened in the past. Statistics can provide valuable information to help you run your company or for the government to run the country. Statistics can tell you how closely two sets of data are related, their correlation. You might notice, for example, that since you introduced pastel colored widgets, your sales to teenage girls have significantly increased. You might jump to the conclusion that teenage girls prefer pastel colored widgets, and you might be right. On the other hand, the increase in sales to teenage girls could be due to your increased marketing of widgets in women-only high schools and colleges.

When statistics tell you that two quantities vary together, most people will believe that they are related in some way. You should always beware of jumping to conclusions. Correlation does not equal causation. Tyler Vigen’s book Spurious Correlations collects examples of extremely high correlations between pairs of quantities that, I suspect, have no relationship to each other at all.

Even if there is an actual cause and effect relationship, it may not be in the direction you think.

Your company collects more and more data about its operation, products and customers. Additionally, thousands of data sets are available from public and private sources about behavior, health, poverty rates, driving accidents and just about anything you can think of. Given enough processor power, you can search for correlations among these data sets. Sometimes these “strange” correlations can prove valuable. A dozen years ago, an almost random check found that the rate of auto accidents involving personal injury or death across the counties of one state had a very high correlation with the number of people over 55 who were taking a specific medicine. The resulting investigation by the pharmaceutical company that manufactured the drug led to increased warnings to doctors and patients about a previously unsuspected age-dependent side effect.

When someone brings you one of these correlations, pay attention, but apply reason. Correlation is not causality.
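The "given enough processor power" point has a quantitative side worth seeing once: search enough unrelated data sets and a strong correlation turns up by chance alone. This is an added example, not from the post or from Tyler Vigen's book. It computes Pearson's r from scratch and then searches a growing pile of completely random, unrelated series for the best-correlated pair. All series are synthetic (seeded random numbers), so the only thing driving the rising top score is the number of pairs examined.

```python
"""Why 'search enough data sets and you will find a correlation' is a trap.

Added example, not from the post. Pearson's r is computed from scratch,
then a pile of unrelated random series is searched for the strongest
pair. The best |r| climbs with the number of candidates even though
nothing is related: the multiple-comparisons effect.
"""
import math
import random


def pearson(x, y) -> float:
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    vx = sum((a - mx) ** 2 for a in x)
    vy = sum((b - my) ** 2 for b in y)
    return cov / math.sqrt(vx * vy)


def random_series(n_series: int, n_points: int, seed: int = 1):
    """n_series independent series of n_points standard-normal draws."""
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(n_points)]
            for _ in range(n_series)]


def best_spurious_pair(series):
    """Exhaustive pairwise search; returns (|r|, i, j) for the strongest pair."""
    best = (0.0, -1, -1)
    for i in range(len(series)):
        for j in range(i + 1, len(series)):
            r = abs(pearson(series[i], series[j]))
            if r > best[0]:
                best = (r, i, j)
    return best


def max_r_vs_candidates(n_points: int = 20, sizes=(2, 10, 50, 200), seed: int = 1) -> dict:
    """Largest |r| found as the number of unrelated series grows.

    The same seed is reused, so each larger pool contains the smaller one
    and the best score can only go up.
    """
    return {k: best_spurious_pair(random_series(k, n_points, seed))[0]
            for k in sizes}


if __name__ == "__main__":
    for k, r in max_r_vs_candidates().items():
        print(f"{k:4d} random series -> best |r| = {r:.2f}")
```

With 200 series of 20 points there are 19,900 pairs to try, and the winning pair typically correlates above 0.8; a chart of those two series would look every bit as convincing as the ones in the book. The fix is the one the post gives: treat a searched-for correlation as a hypothesis to test on fresh data, not as a finding.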

The last word:

President Obama and many other politicians on the left want to make it illegal for law-abiding citizens to own a gun. In their view, only the government should have any weapons. They want to eliminate the Second Amendment to the US Constitution. The primary reason the first session of the US Congress included that amendment in the Bill of Rights was the recent experience with their prior government. The British Government severely limited gun possession in towns and cities; they could not police the rest of the colonies. They feared, rightly it turned out, that the colonists could use those weapons against the British government. The US Founding Fathers wanted to make sure that a future government could not take away citizens’ rights without the citizens having a last resort to deal with a government run amok.

President Obama will tell you that eliminating all legal guns is the solution to these tragic mass-shooting events. But we know that is a false argument. Almost every one of the mass shooting events in the past two decades has been in a “gun-free zone.” We have been steadily increasing the number of these zones, so they now include virtually every school, sporting event, shopping area, government facility, and even most portions of our military bases. We actually put up signs indicating to potential terrorists where they will have five to thirty minutes of undisturbed time to kill as many unarmed victims as they can.

Consider the recent Oregon tragedy. Chris Mintz is a student at Umpqua Community College. A decorated Army veteran, he tried to stop the gunman before the gunman entered the classroom where he killed nine students. Mr. Mintz was shot seven times for his bravery. If Mr. Mintz had had a weapon with him, the results could have been vastly different.

Oregon state law actually requires that colleges allow guns on campus in some circumstances. At a minimum, a college must allow a visitor with a carry permit to bring a gun on campus, but not necessarily a student. Until police arrived, the gunman was the only person with a weapon on the campus.

Gun control laws do not keep guns out of the hands of criminals and terrorists; they only keep them out of the hands of law-abiding citizens. Chicago, with restrictive gun control laws, had over 400 murders in 2014. That is the equivalent of an Umpqua Community College event every 8 days.

We are painting a target on the back of our children.

Comments solicited.

Keep your sense of humor.

Walt.

A “Half-Life” is the amount of time required for the amount of something to decline to half its initial value. Those of us of a certain age remember that from the discussions of how long the fallout from a nuclear explosion would be dangerous, and the rest of you get periodic reminders of that from events like Fukushima. When we were in Norway this summer, there were radioactive reindeer; it seems they were eating moss still radioactive from clouds that had drifted over from the 1986 Chernobyl accident.

Secrets have half-lives also: how long does it take for half of your secrets to become known to others? Countries have millions of secrets, companies thousands of secrets, and people maybe dozens of secrets. Each secret represents a fact that, if revealed to the wrong entity, could cause harm. Countries “classify” documents or even individual facts, and establish large organizations and complex processes to protect those secrets. Countries usually also have large organizations whose sole purpose is to steal the secrets of others. Companies have trade secrets, often about exactly how their products or services are created or delivered, but also about their internal financial processes and contracts with partners and customers. People have secrets about things they have done, or didn’t do, that they would rather their spouse, employer, doctor, or tax collector never found out.

Patents are not secrets. Patents are published by the patent office of one or more countries and are freely accessible. International law protects, to some extent, the owner of the patent. In order for the patent owner to reap the financial benefits of the patent, the patent must be shared.

Secrets also have time limits. The foreign travel plans of high-ranking government officials are often classified to enhance the safety of the individual but often so as not to reveal where or why the individual is traveling. Consider the case of National Security Advisor Henry Kissinger’s visit to Beijing in 1972. These kinds of secrets are only secrets for a specific period of time, often measured in days or weeks.

But many secrets need to be kept secret for years or decades. One such trade secret is the formula for Lena Blackburne’s Rubbing Mud that is used to fix the feel of baseballs for major league play. That formula, and the location of the mud hole, have remained a secret for over 75 years.

The half-life of secrets used to be measured in decades. A person could designate that their boxes of papers would not be opened until their death or longer. That worked for Mark Twain and his autobiography, which was not published until 100 years after his death. That did not work for Harper Lee. She kept her first novel locked up saying she did not want it published. Go Set a Watchman was published this year while she is still alive.

With today’s cybercriminals, including government- and organization-sponsored cyberterrorism, the half-life for secrets on computer networks is measured in months.

Almost always, secrets must be shared. Lena Blackburne is not the only person making that NBA Rubbing Mud, especially since he died in 1968. Every trade secret is shared with those in the company that need to know the secret in order to actually build the product. The trick to keeping a secret is to minimize those who know the secret and pay attention to each of those people.

One of the biggest dangers to a secret is sharing-creep, the phenomenon that occurs when you add just one more person to the “need to know” list, or someone who knows tells someone else. At the highest levels of government classified documents, security agencies try to keep track of every individual who has the right to know the secret and the places where the secret is stored at all times. This is why, for example, one of the Department of Homeland Security’s jobs is to know where every computer system containing government classified information is physically located, determine what secrets are on the system, check that the system is protected by appropriate physical and network security mechanisms, and check that everybody who has access to that system is also cleared for the information on the system. Companies with critical trade secrets have similar processes. One of the key activities for a government or commercial organization after an identified data breach is to determine exactly what information was compromised.
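The register described above can be reduced to a few mechanical checks: is every system with a secret on it at a known location, is everyone who can read a system cleared for what is on it, has the set of people who can actually reach a secret grown beyond its need-to-know list, and which secrets are exposed when a given system is compromised. The following is an added example, not code from the post and not any agency's actual process; the people, clearance levels, systems and secrets are constructed for illustration.

```python
"""Need-to-know register with four checks: unlocated systems, clearance
gaps, sharing-creep and breach scope.

Added example; all names, levels and systems below are constructed.
"""
from dataclasses import dataclass

# Ordinal classification levels (constructed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Secret:
    name: str
    level: str
    need_to_know: frozenset  # approved holders, nothing more


@dataclass(frozen=True)
class System:
    name: str
    location: str        # where it physically sits ("unknown" if unverified)
    secrets: frozenset   # secrets stored on it
    users: frozenset     # accounts that can read it


# Constructed register: dee is cleared SECRET but is NOT on either
# need-to-know list; cy can read a SECRET system with only a CONFIDENTIAL clearance.
CLEARANCE = {"ana": "TOP SECRET", "bo": "SECRET", "cy": "CONFIDENTIAL", "dee": "SECRET"}
SECRETS = {
    "mud-formula": Secret("mud-formula", "SECRET", frozenset({"ana", "bo"})),
    "travel-plan": Secret("travel-plan", "CONFIDENTIAL", frozenset({"ana"})),
}
SYSTEMS = [
    System("fileserver-1", "HQ basement",
           frozenset({"mud-formula"}), frozenset({"ana", "bo", "cy"})),
    System("laptop-dee", "unknown",
           frozenset({"mud-formula", "travel-plan"}), frozenset({"dee"})),
]


def unlocated(systems):
    """Systems holding secrets whose physical location is not known."""
    return sorted(s.name for s in systems if s.secrets and s.location == "unknown")


def clearance_gaps(systems, secrets, clearance):
    """(system, user, secret) for each user whose clearance is below a
    secret stored on a system that user can read."""
    gaps = []
    for sys_ in systems:
        for sname in sorted(sys_.secrets):
            need = LEVELS[secrets[sname].level]
            for user in sorted(sys_.users):
                have = LEVELS.get(clearance.get(user, "UNCLASSIFIED"), 0)
                if have < need:
                    gaps.append((sys_.name, user, sname))
    return gaps


def effective_holders(systems):
    """secret -> everyone who can actually reach it through any system."""
    holders = {}
    for sys_ in systems:
        for sname in sys_.secrets:
            holders.setdefault(sname, set()).update(sys_.users)
    return holders


def sharing_creep(systems, secrets):
    """secret -> users who can reach it but are not on its need-to-know list.
    Clearance alone is not enough: a cleared but unapproved user still counts."""
    creep = {}
    for sname, users in effective_holders(systems).items():
        extra = users - secrets[sname].need_to_know
        if extra:
            creep[sname] = extra
    return creep


def breach_scope(systems, compromised):
    """Secrets that must be treated as exposed when the named systems are compromised."""
    exposed = set()
    for sys_ in systems:
        if sys_.name in compromised:
            exposed |= sys_.secrets
    return exposed


if __name__ == "__main__":
    print("unlocated systems:", unlocated(SYSTEMS))
    print("clearance gaps:", clearance_gaps(SYSTEMS, SECRETS, CLEARANCE))
    print("sharing creep:", sharing_creep(SYSTEMS, SECRETS))
    print("breach scope of laptop-dee:", breach_scope(SYSTEMS, {"laptop-dee"}))
```

The point of keeping `need_to_know` separate from `CLEARANCE` is that the two checks catch different failures: a clearance gap is a policy violation, while sharing-creep is the quiet growth of the holder list that this post is about, and it happens even when every holder is cleared.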

A related issue for secret loss is the velocity of the loss. In 1750, a secret could not move more than about 20 miles in a day – the speed a man or a horse could walk. If you discovered that a secret was stolen, you could often literally run down the culprit in a day or two, and severely limit the damage. With the Internet and the Cloud, it takes your secret less than a second to get anywhere in the world, and to dozens or millions of individuals. A single misdirected email or text message, or a single disgruntled employee or contractor (e.g., Edward Snowden), or an employee or contractor not following your security policy (e.g., Hillary Clinton), can put a significant number of secrets at great risk.

Figure out what your company’s critical secrets are, and pay attention to whom those secrets have been given. Remember that any meeting, whether in a conference room or virtual, that has a smart phone or tablet present is a potential leak. You cannot tell what is being recorded and what will be done with the recording.

The same is true in your personal life. Any stupid thing you do can be on YouTube in seconds, and the more stupid the more likely. Of course, the same is true if you do something great, like the passengers who subdued the Islamist terrorist on the train in Belgium. Video of the attack was on YouTube before it appeared on breaking news announcements.

The last word:

The biggest example of sharing-creep is your Social Security Number. Originally implemented in 1935 as part of the New Deal, it was solely used to track individuals’ accounts with the Social Security Program. In the original law it was illegal to use the SSN for any other purpose. In the late 1970s, Virginia was using your SSN as your Driver’s License number, and that use was struck down as illegal in Federal Court.

In addition, the IRS was prevented from sharing information with other agencies. Decades ago I worked with someone whose father was a Bookie (i.e., worked in the numbers game for organized crime). He always indicated on his Federal Income Tax form that his occupation was Bookie, and reported every cent he illegally earned. He did not want to get in trouble with the IRS over his taxes, and knew that the IRS could not pass that information on to law enforcement at any level.

But now, thousands of individuals have access to your SSN; it is your key identifier for almost all financial relationships, and, thanks to Obama Care, all health care related activities. The United States uses the Social Security Number as the identification number for every member of the Armed Forces. All of this information is stored on the Internet, with varying degrees of vulnerability.

Comments solicited.

Keep your sense of humor.

Walt.

Earlier this year I posted about the cyber attack in which Target allowed at least 40 million credit cards to be compromised, and watched as cyber criminals stole the personal information from about 110 million people. This breach occurred during the year’s biggest shopping season, between Thanksgiving and Christmas in 2013.

Last month, Target agreed to a settlement: a maximum of $10 million, or $0.25 per compromised credit card. Individual victims may get up to $10,000 in damages.

This settlement requires final federal court approval, but is, in my view, a settlement favorable only to Target.

In order to claim any damages from Target, victims must prove:

  • That unauthorized charges were made to their credit card.
  • That they invested time in addressing the fraudulent charges.
  • That they incurred actual costs from correcting their credit report, paying higher interest or fees because of the impact to their credit rating, paying fees to replace identification cards, or hiring identity protection companies or lawyers.
  • That the Target breach was responsible for their loss.

Matthew Esworthy, a litigation partner at Shapiro Sher Guinot and Sandler, said that many victims would have trouble proving that they lost money because of a specific data breach.

A friend had her purse stolen in a museum. She discovered the theft within a couple of minutes of its occurrence. By the time she got to a phone and called her debit card company, the thief had drained over $5,000 from her bank account, and that money was gone. That debit card was just one of the items in her purse. A maximum benefit of $10,000 may not cover an individual’s loss.

One reason that it took so long to get to this ridiculous settlement is that Target argued in court that consumers lacked standing to sue because they could not establish any injury.

If you have a problem, report it as soon as possible at the web site Target sent you.

Fortunately, this is not the only cost to Target. By the end of January, Target estimated that it had already accrued $252 million in expenses related to the breach, including this settlement. That will be partially offset by up to $90 million in insurance payments to Target. Target also faces claims from three of the four major credit card companies, and probably also from the fourth, as those companies try to recoup their losses due to this data breach. In addition, the Federal Trade Commission, the Securities and Exchange Commission, and several state attorneys general are also investigating and may impose fines.

Target was instrumental in this data breach. Target’s computer security systems alerted IT to suspicious activity after cybercriminals had infiltrated its networks, but Target decided to ignore the alert. The settlement also revealed that Target had no written information security program and no chief information security officer.

They also had a 46% drop in year-over-year profits for the quarter when the breach occurred.

Don’t let this happen to your company.

The last word:

How did the cybercriminals do? Pretty well, probably. Krebs on Security estimated that between one and three million credit cards stolen from Target were sold on the black market and successfully used for fraudulent purchases before the credit card companies managed to cancel the rest. That likely generated over $53 million of income to the cyber-criminals. That number is interestingly close to the $55 million that the ousted CEO Gregg Steinhafel will get in executive compensation and severance benefits from Target.

So the cybercriminals, lawyers, and the shamed CEO win. Meanwhile, Target as a company and millions of its customers lose.

Comments solicited.

Keep your sense of humor.

Walt.

Once again a company that we trust with our health and personal information has betrayed that trust. Cybercriminals were able to hack into an Anthem database that contained up to 80 million records of current and former customers and company employees. The information now in the hands of criminals includes names, Social Security numbers, birthdays, postal and email addresses, and employment information including income data.

Anthem stated that no credit card or medical information was compromised, but the information that was stolen is sufficient to launch successful identity theft attacks against every one of the tens of millions of compromised individuals.

Anthem noted the intrusion on January 29, but analysis of the cybercriminal infrastructure likely used suggests that the attackers first gained a foothold into Anthem’s servers in April 2014, nine months before Anthem noticed the attack. One link in the chain of establishing the malware at Anthem went through China. Whether that is a significant fact is unknown at this time. Anthem immediately notified the FBI.

Since admitting the attack, Anthem has been sharing information about the attack including IOCs (indicators of compromise) with HITRUST, the Health Information Trust Alliance, and NH-ISAC, the National Health Information Sharing and Analysis Center. These groups disseminate information about cyber threats to the healthcare industry. So far, these IOCs have not been discovered by other health care organizations. It appears that this attack was focused against Anthem.
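What a receiving organization does with IOCs shared through a group like HITRUST or NH-ISAC is run them against its own logs. The following is an added example, not Anthem's, HITRUST's or NH-ISAC's tooling; it takes a constructed IOC set in the three shapes such feeds usually carry (domains, IP networks, file hashes) and checks constructed proxy, DNS and endpoint log lines against it. The domain, address range and hash values are placeholders chosen from reserved documentation space, not real indicators.

```python
"""Match shared indicators of compromise (IOCs) against local log lines.

Added example; the IOC values and the log lines are constructed.
"""
import ipaddress
import re

# Constructed IOC set. Domains match themselves and any subdomain;
# networks are CIDR blocks (a single host is a /32); hashes are SHA-256 hex.
IOCS = {
    "domain": {"example-c2.test"},
    "network": {ipaddress.ip_network("203.0.113.0/24")},
    "sha256": {"aa" * 32},
}

# Constructed log lines in a few formats a health-care IT shop might hold.
LOG_LINES = [
    "2015-02-01T03:14:07Z proxy src=10.0.0.12 dst=203.0.113.45 host=update.example-c2.test status=200",
    "2015-02-01T03:15:22Z dns query=mail.corp.example type=A",
    "2015-02-01T03:16:01Z edr host=ws-041 exe=C:\\Users\\Public\\svc.exe sha256=" + "aa" * 32,
    "2015-02-01T03:17:45Z proxy src=10.0.0.19 dst=198.51.100.7 host=cdn.legit.example status=304",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def parent_domains(host):
    """Yield host and each parent suffix: a.b.c -> a.b.c, b.c, c."""
    labels = host.split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def match_line(line, iocs):
    """Return a list of (ioc_type, ioc_value, matched_token) for one line."""
    hits = []
    lower = line.lower()
    # IP addresses: test membership in every IOC network, skip unparsable tokens.
    for tok in IPV4_RE.findall(lower):
        try:
            addr = ipaddress.ip_address(tok)
        except ValueError:
            continue
        for net in iocs["network"]:
            if addr in net:
                hits.append(("network", str(net), tok))
    # Host names: a subdomain of an IOC domain is a hit too.
    for tok in HOST_RE.findall(lower):
        for cand in parent_domains(tok):
            if cand in iocs["domain"]:
                hits.append(("domain", cand, tok))
                break
    # File hashes: exact match on lower-case hex.
    for tok in SHA256_RE.findall(lower):
        if tok in iocs["sha256"]:
            hits.append(("sha256", tok, tok))
    return hits


def scan(lines, iocs):
    """Return [(line_number, hits)] for every line with at least one hit."""
    results = []
    for n, line in enumerate(lines, start=1):
        hits = match_line(line, iocs)
        if hits:
            results.append((n, hits))
    return results


if __name__ == "__main__":
    for n, hits in scan(LOG_LINES, IOCS):
        for kind, value, token in hits:
            print(f"line {n}: {kind} IOC {value} matched {token!r}")
```

Running this against the constructed lines flags line 1 twice (destination address inside the IOC network and a subdomain of the IOC domain) and line 3 once (hash), while the two benign lines produce nothing. The subdomain walk in `parent_domains` matters in practice: feeds usually list a parent domain, and the traffic you see uses hosts beneath it.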

Clearly, Anthem is not paying attention to the security of their customers’ data. None of this data was encrypted. Anthem has contracted with Mandiant, a cybersecurity firm, to evaluate their security systems and identify solutions. Seems to me they are a year late with this kind of analysis.

The brands impacted by this breach: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, and Healthlink. It can also impact anyone holding a BlueCard. A BlueCard enables members of one Blue Cross / Blue Shield plan to obtain healthcare services while traveling or living in another service area. Blue Cross / Blue Shield Federal Employee Programs are also impacted. This information is linked through a single electronic network throughout the US and 200 other countries and territories.

What should you as an individual do if you think you were impacted?

  • You may receive an email apparently from Anthem. These emails are not from Anthem and are scams attempting to get your personal information. Do not click on any link in such an email.
  • You may also receive a phone call apparently from Anthem about the attack. These calls are also not from Anthem. As always, do not give out credit card or Social Security numbers over the phone on any call you did not initiate. Hang up.
  • According to Anthem you should receive a letter in the mail “in the coming weeks.” That letter will advise you of the protection(s) being offered.
  • Take whatever identity theft services they offer.
  • Continue to monitor all of your financial accounts, including mortgage, investment, and loan accounts.
  • Consider putting a security freeze on your credit reports at each of the three reporting companies, Equifax, Experian, and TransUnion. Since most businesses will not open a new account without first checking your credit history, if they can’t access your credit history they are quite likely to deny someone getting credit in your name. It may cost you a few dollars, but it really does stop most identity theft. Availability and cost vary by state. If you want to request credit, you can lift the freeze enough to let a specific request be accepted.

If you are responsible for the personal information of your customers, employees or contractors, how vulnerable are you? You should not guess the answer. Find out, before you become the next Anthem.

Anthem will have some very stiff fines as a result of this breach. Between 2009 and 2013, HIPAA has levied fines of more than $25 million for data breaches. But this attack impacts more than twice as many people as all of the 2009-2013 breaches involving fines combined.

In 2014, Columbia Medical Center was fined $4.8 million for a data breach involving fewer than 10,000 people.

The last word:

Sometimes personal data is “released” on paper. Hundreds of documents from the Philadelphia Adult Probation and Parole Department were found in early February strewn across several streets in part of Philadelphia. These documents contained names, addresses, birthdates, Social Security numbers and signatures. The best guess as of this writing is that one or more boxes of information fell off a truck on the way to a nearby recycling center. The documents were not shredded.

Comments solicited.

Keep your sense of humor.

Walt.
