Month: February 2014

Report Shows How Employees Transfer Data Without Due Regard to Security

I have just reviewed a report on data security which provides empirical support for the obvious fact that unprotected file sharing practices take place within business environments with alarming frequency, and with seeming insensitivity to security, putting valuable and confidential corporate data at risk. The report is by GlobalSCAPE Inc., a Texas company that describes itself as ensuring “the reliability of mission-critical operations by securing sensitive data and intellectual property.” It is available for download here. GlobalSCAPE surveyed more than 500 corporate employees to find out how they transfer sensitive corporate data. Among the findings of the survey, in the last 12 months:

• 63 percent of employees have used personal email to send sensitive work documents, and 74 percent of those employees believe that their companies approve of this type of file-sharing behavior.
• 63 percent of employees have used remote storage devices like USB drives and mobile phones to transfer confidential work files.
• 45 percent of employees have leveraged consumer sites like DropBox and to send sensitive work information.
• 30 percent of employees use cloud storage services to move work-related files.
• 80 percent of employees that use personal email to transfer sensitive work files do it at least once a month, and of that group, nearly a third have had their personal email hacked at least once.
• 48 percent of employees said that their companies have policies...


Users Can Now Opt-Out Of Location Tracking

The Future of Privacy Forum, a Washington, DC-based think tank that seeks to advance responsible data practices, has launched a web site which gives users the opportunity to opt out of location tracking when in malls, airports and other venues. According to the FPF, new technologies which rely on the fact that most people carry a mobile device now allow venues such as airports, stores, and hotels to receive signals from devices that are in or near them. If a mobile device has Wi-Fi or Bluetooth turned on, it broadcasts a unique number – called a MAC address – that can be logged by Wi-Fi equipment or Bluetooth sensors. A MAC address is a 12-character string of letters and numbers. It does not contain personal information such as a user’s name, email address, or phone number. However, since each device has its own unique MAC address, analytics software can be used to generate reports about customer traffic based on the MAC addresses that are detected at any given time. A venue can tell how many people are walking around, where they walk, when they stop, and where they go from there. This can have benefits, such as ensuring that a store has properly placed employees or displays. However, if combined with other analytical tools, the software can potentially identify a specific individual and learn and disclose his location and...


Presentation on Privacy Law and Data Security

This past Tuesday I participated in a panel discussion on privacy law and data security sponsored by the Westchester County Bar Association. The focus of my discussion was the origin of the concept of privacy law in the U.S. and current laws relating to requirements of notification of data breaches. Specific focus was given to the requirements of Massachusetts law, that “every person that owns or licenses personal information about a resident of the Commonwealth shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards.” It behooves companies in every state, not just Massachusetts, to develop and maintain written information security programs which detail the methods used to safeguard the personal information of clients and employees. A pdf copy of my presentation is available here. Privacy Law and Data Security Breaches –...


TrueCrypt Add-On – Is It Worth Adding On?

On Tuesday I participated in a panel discussion on privacy and data security sponsored by the Westchester Bar Association. My part of the discussion focused on the principles of privacy law and data breach notification statutes, but the really interesting presentation was by Paul Mazzucco of Xand, who spoke on data security. Paul spoke at length about the security risks caused by laptop theft and advised that everyone with a laptop running Windows load TrueCrypt to provide a layer of encryption which is virtually impossible to break through. According to the web site TechTarget, “Security is about controlling data. Gone are the days when administrators could build walls around their data. Mobility has broken down those walls. With your data mobile, your best method of protection is through encryption.” TrueCrypt 4.1 is a free and open source encryption tool, for both Windows and Linux, that lets the user create a password-protected encrypted disk — either in a standalone file, or on an entire physical partition or volume on a device — which is then mounted, read and written to just like a regular drive. Interestingly, in 2012 the United States Court of Appeals for the 11th Circuit, in a case entitled USA v. John Doe, ruled that a “John Doe” using TrueCrypt could not be compelled to decrypt his hard drives. The court’s ruling noted that FBI...


Target Breach a Result of Our World of Connected Networks

Krebs on Security has reported that the Target vendor whose network credentials were stolen was a refrigeration, heating and air conditioning subcontractor, Fazio Mechanical Services, that has worked at a number of Target locations and for other top retailers. According to Krebs, it is not immediately clear why Target would have given an HVAC company external network access, or why that access would not be cordoned off from Target’s payment system network. Apparently it is not uncommon for large retail operations to have a team that routinely monitors energy consumption and temperatures in stores to save on costs (particularly at night) and to alert store managers if temperatures in the stores fluctuate outside of an acceptable range that could deter customers from shopping at the store. To support this solution, vendors need to be able to remote into the system in order to do maintenance (updates, patches, etc.) or to troubleshoot glitches and connectivity issues with the software. This is another confirmation that our world today is a network of interconnected networks. Even in my home, even before I wake up, I am in the connected world. My alarm clock in my iPhone, the cable TV box on my dresser, my Nest thermostat, and as a result my furnace, are all entries, albeit password protected, into my home from third...
