Monday, April 20, 2015

INTERNET - Ransomware

"The hack attack that takes your computer hostage till you pay" PBS NewsHour 4/18/2015

Excerpt

SUMMARY:  Ransomware, a type of software that computer hackers use to hold individuals' data hostage by blocking access to files unless they agree to pay a ransom, is on the rise.  And because anyone with an internet connection is vulnerable, the problem highlights a growing threat that consumers face on both their personal computers and mobile devices.

WILLIAM BRANGHAM (NewsHour):  Inna Simone is retired, a mother and grandmother from Russia who now lives outside of Boston.  Last November, her home computer started acting strangely.

INNA SIMONE:  My computer was working terribly.  It was not working, I mean, it was so slow.

WILLIAM BRANGHAM:  A few days later, while searching through her computer files, Inna saw dozens of these messages — they were all the same.   They read:  “Your files are encrypted.  To get the key to decrypt them, you have to pay $500 dollars.”  Her exact deadline — December 2nd at 12:48 pm – was just a few days away.

All her files were locked — tax returns, financial papers, letters — even the precious photos of her granddaughter Zoe.   Inna couldn’t open any of them.

INNA SIMONE:   It says, “If you won’t pay, within one week or whatever, your fine will double.  If you won’t pay by then, all your files will be deleted and you will lose them forever and never will get back."

Thursday, April 16, 2015

CYBERSECURITY - Big Business, No Incentive For Greater Security

"Data breaches may cost less than the security to prevent them" by Michael Kassner, TechRepublic 4/9/2015

Companies have little incentive to invest in cybersecurity, says Benjamin Dean.  The security expert says the reason why may be moral hazard.

When it comes to data breaches, 2014 was a banner year.  However, if Benjamin Dean, Fellow for Internet Governance and Cyber-security, School of International and Public Affairs at Columbia University, did his math right, 2015 will be more of the same.

In a March 2015 column on The Conversation, Dean provided a hard to disagree with defense of why things security-wise "ain't gonna change" soon.  "When we examine the evidence, though, the actual expenses from the recent breaches at Sony, Target and Home Depot amount to less than 1% of each company's annual revenues," wrote Dean.  "After reimbursement from insurance and minus tax deductions, the losses are even less."

Dean then administered the knockout punch:  "This indicates that the financial incentives for companies to invest in greater information security are low and suggests that government intervention might be needed."

The costs of the Target, Home Depot, and Sony data breaches

Target's data breach in late 2013 involving 40 million credit- and debit-card records, plus 70 million customer records (including addresses and phone numbers), came under Dean's microscope.  A Target financial statement revealed the data breach cost Target $252 million.  "When we subtract insurance reimbursement, the losses fall to $162 million," explained Dean.  "If we subtract tax deductions (yes, breach-related expenses are deductible), the net losses tally $105 million."

Dean pointed out that this sum equaled 0.1% of Target's 2014 sales.

Home Depot suffered a data breach in 2014 where attackers stole 56 million credit- and debit-card numbers plus 53 million email addresses.  According to Dean after an insurance reimbursement of $15 million, the data breach cost Home Depot $28 million or .01% of its sales in 2014.

Dean also looked at Sony's data breach that occurred near the end of 2014.  Sony at first suggested losses exceeded $100 million.  However, Dean found some equally-interesting numbers in Sony's third-quarter financial statement, "$15 million in 'investigation and remediation costs' and that it [Sony] doesn't expect to suffer any long-term consequences."

A senior general manager at Sony later said the figure would be closer to $35 million for the fiscal year ending March 31.  Dean offered some perspective about the losses:  "To give some scale to these losses, they represent from 0.9% to 2% of Sony's total projected sales for 2014 and a fraction of the initial estimates."

As to the question of Sony's reputation, Dean provided the following numbers on the movie "The Interview":

  • It cost $44 million to make the film; and
  • it has grossed $46.7 million in online sales and cinemas worldwide.

"If anything, the free publicity for a new movie on cable news, across social networks and daily newspapers, at Christmas to boot, represents a net financial benefit to Sony," mentioned Dean.  "There's no such thing as bad press, after all."

The moral hazard response

Dean then introduced a concept I had not heard of: moral hazard.  There are several versions of the definition, but this one from Wikipedia is relevant to this discussion:

"In economics, moral hazard occurs when one person takes more risks because someone else bears the burden of those risks."

Dean applied the concept of moral hazard to Target, Home Depot, and Sony.  "These companies are able to invest less in information security," said Dean in an email exchange with me.  "Because, in the event of a breach, other parties (banks, customers, etc) bear the lion's share of the costs of the breach."

In the case of Home Depot, Dean said credit- and debit-card providers plus Home Depot customers caught the brunt of the fallout.  "Credit unions claim to have spent $60 million in September 2014 alone replacing compromised cards," Dean added.  "Each customer whose card had to be replaced also incurred a cost in terms of inconvenience."

Dean then concluded it does not make economic sense for companies like Target, Home Depot, and Sony to invest heavily in information security, especially when insurance payments and tax deductions cut the financial outlay to where it is less than what it would cost to improve information security.

What is the answer?

Removing the moral hazard seems to be the logical answer.  But how would that come about -- government intervention?  "It's important to make sure the intervention doesn't make the problem of moral hazard worse," cautioned Dean.  "This is a huge problem because as we plough billions of dollars into intelligence agencies, supposedly to keep us all safe from 'cyber-attacks', it has the effect of further weakening the already low incentives for companies to invest in information security themselves."

"Unintended consequences of policies, even in instances where the case for government intervention is strong, can be worse than the consequences of doing nothing at all," further cautions Dean.  "I'm not saying that we do nothing at all -- just that we need verifiable and reliable data on which to begin making these complex policy decisions."

Monday, April 13, 2015

SOCIAL MEDIA - Book on the Privacy Issue

"How can we return privacy control to social media users?" PBS NewsHour 4/7/2015

Excerpt

SUMMARY:  What’s the cost of being constantly connected through social media?  A new book, “Terms of Service” examines the erosion of privacy in the digital era.  Author Jacob Silverman sits down with Jeffrey Brown to discuss what data is being tracked, stored and sold.

GWEN IFILL (NewsHour):  Now the latest addition to the NewsHour bookshelf, “Terms of Service.”  It’s a look at the erosion of privacy in the age of social media.

Jeffrey Brown recently talked to author Jacob Silverman at Busboys and Poets, a restaurant and bookstore chain in and around Washington.

JEFFREY BROWN (NewsHour):  Welcome to you.

JACOB SILVERMAN, Author, “Terms of Service”:  Thanks for having me.

JEFFREY BROWN:  The case you’re making — and it’s a strong case — we don’t know or we don’t seem to care enough about what we’re giving away in our digital lives.

JACOB SILVERMAN:  Right.

Well, the same systems that make it so easy to communicate with one another and live these lives where we’re essentially all public figures now also make it very easy to sort of spy on us, to collect personal information, whether you’re companies or governments or other bad actors.

And I think that a lot of people don’t really realize how much is being collected on each and every one of us, that there are big data brokers out there forming dossiers on hundreds of millions of people.

JEFFREY BROWN:  There’s been a lot of emphasis on government surveillance.   Here, you’re really pointing to what we perhaps don’t know as much about, corporate surveillance.

JACOB SILVERMAN:  Right.

Well, actually, corporations have really led the way turning the Internet into what is really a remarkable surveillance machine.  Ever since the introduction of the cookie about 15 years ago, we have sort of shifted paths to make the Internet all about monitoring what users do, so that we can direct ads toward them.