PII | Bach Seat

Tag Archive for PII

RB | September 10, 2013

Comments Off

Is Connected Car Data Worth $1,400 Annually?

Michael Strong at TheDetroitBureau.com reports that Continental AG and Cisco (CSCO) recently demoed a highly connected car using the internet to improve vehicle safety and infotainment options at the recent Center for Automotive Research Management Briefing Seminars in Traverse City, MI.

The firms believe they’ve produced a connected car that provides a balance between giving consumers a safe, connected driving experience while providing companies with a chance to offer services that enhance the driving experience: for a price.

According to the article, the companies involved in bringing the Internet to cars collect an enormous amount of information about drivers. This presents a variety of challenges when it comes to privacy, who owns the information, how can or should it be used and what’s it worth?

While privacy and data ownership issues are still up in the air thanks to the U.S. government. Andreas Mai, director of product management at Cisco, believes data generated by a connected car is worth about $1,400 a year. He breaks it down this way:

Drivers can save $550 through better fuel economy, less time stuck in traffic, lower insurance rates, etc.
Society can save $420 by employing car platoons to speed up traffic and increase a road’s capacity.
Service providers can earn $150 by providing traffic guidance, navigation, parking, emergency services, etc.
Automakers can save $300 in lower warranty costs, profitable apps, etc.

The key, according to the article, is to maximize the information that can be collected (and re-sold) is convincing drivers that they get a tangible benefit from releasing the data, such as shorter commutes or lower insurance rates (thanks Flo). According to a survey by Cisco, 74% of drivers were willing to share vehicle information. However, who or what owns that information still needs to be sorted out, he said. They must balance all of those things against the driver’s wants and needs: connectivity, infotainment, and cutting-edge safety features.

Continental and Cisco teamed up to keep the bits flying. As a vehicle moves it needs to prioritize the critical needs of drivers and passengers for network connectivity, according to the article. Digital Trends explains that Continental will supply the hardware and Cisco will provide the software. The car can switch between 3G, 4G, WiFi, and Dedicated Short Range Communication (DSRC) on the go, depending on service quality and cost to the customer. DSRC system is part of the emerging vehicle-to-vehicle (V2V) technology system that allows cars to communicate with each other directly – and autonomously.

A Cisco software router loaded in Continental hardware performs the network switching. The router sends signals first to a Cisco-managed “Connected Car Cloud,” which then relays information to whatever network appears optimal at the moment.

The Cisco on-board software system can seamlessly switch between available 3G, 4G, and other wireless networks based on cost and quality of service preferences. “Connected vehicles are opening up a vast field of opportunities for services to make driving safer, more efficient, and more comfortable,” said Ralf Lenninger, head of innovation and strategy, Continental’s Interior Division. “This is why we are looking at ways to connect the moving vehicle in a highly secure, fast, and reliable way.

The Cisco and Continental proof-of-concept connected car show how auto manufactures can provide the same amount of network security that is available at home (oh NO!) or in the office. Cisco provides one highly secure software gateway that delivers Cisco’s core networking capabilities and optimizes multiple communication links and mobility services to and from the vehicle. Security against cyber attacks will become more important as more vehicles include connected functions.

rb-

I recently covered Ford’s efforts to understand connected cars by studying the commlinks of space-based robots here.

The savings claims seem suspicious to me. The “lower insurance costs” are just cash savings. ~~Oh, yeah Walmart is still in business.~~ What is going to be the costs to the drivers after the insurance companies get their Hadoop big data analytics on the data from the magic boxes they are installing? Will they use the data you provided them to change the rules on your policy to raise your rates? It only takes a small leap to think about what the NSA could do with the data.

Just in case someone at Cisco or Ford or anybody else is reading this, here are some suggestions from Veracode to secure connected cars..

Infographic by Veracode Application Security

Cisco’s remedy for connected car security: Treat the car like an enterprise (gigaom.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Cars | Tags: 2013, Automobile, Cisco, Cloud, CSCO, Insurance, IOT, M2M, Michigan, PII, Privacy

RB | May 14, 2013

Comments Off

Did You Wipe Your Tablet?

Techno prognostication firm IDC says (I think they are right on this one) that worldwide sales of tablets will surpass desktop PCs and laptops by the end of 2014. This will result in a boomlet in the second-hand tablet market and a recent article on Infosecurity says that in response, firms will need to start data wipe their old tablets just as thoroughly as old hard disks to protect their data.

The company is responsible for any company data held on the mobile device; no matter the flavor of BYOD practiced so it is the company that must take responsibility for removing data from the device before disposal. The Infosecurity article says that ensuring that mobile device solid-state memory is completely clean is technically difficult.

Solid-state memory

The article highlights BlackBelt, which has just enhanced its data wiping product to include Apple (AAPL) and Google (GOOG) Android tablets explained the difficulty to the author. “Solid-state memory uses a technique called wear leveling to maximize the life expectancy of the memory chips.” BlackBelt’s business development manager Ken Garner told Infosecurity, “It works by spreading the binary information (0s and 1s) randomly across all the memory cells in the chip. This means that unlike on spinning disk memory, the location of the data on the user interface bears no relation to where it is stored on the drive, making traditional forms of deletion ineffective.”

BlackBelt says end-users can’t data wipe their phones, “it isn’t possible for an individual to perform a full removal of personal data from any smartphone or tablet using a device’s in-built factory reset or by re-flashing the operating system.” the vendor explains to Help Desk Security that wear leveling will, “over-rule instructions to permanently overwrite old data.”

Solid-state memory wear leveling

Because of ‘wear leveling, neither remote wipes nor factory resets are guaranteed to remove all the data from solid-state memory. The blog points out that a low-cost product called Wondershare, can recover data from solid-state memory. Mr. Garner claims the software, “recovers just about everything after either a factory reset or a local (phone operating system) delete.”

When a tablet is retired it is incumbent on the company to make sure that all data held on the device is adequately deleted. One problem, says Garner, is that “Many data wiping solutions, more often than not, have been “…re-purposed from data wiping solutions for traditional hard disk drives,” and that simply doesn’t work on solid-state memory.

Three-stage process to wipe SSM

DataWipe, uses a three-stage process: first writing 0s in every memory cell, secondly writing 1s in every cell, and thirdly writing random 0s and 1s across every memory cell. The result, he claims, is guaranteed data erasure that can also provide audit, compliance, and reporting data in an industry-standard XML format that is easily exchanged with all the major DLP, SIEM, policy management, and mobile device management solutions solving both the technical difficulties around tablet recycling.

Wiping data from a PC or a first-generation Apple iPad that is being retired is important because of the enormous amount of data they can store. This makes the proper destruction of that data on the device essential before it leaves the organization. Unfortunately, IT asset disposition firm Retire-IT sees that many firms simply swap the devices with new ones or merely format the drives without securely wiping the data. The Columbus, OH-based firm says this leaves organizations vulnerable. Kyle Marks, CEO of Retire-IT told Help Net Security that:

99% of problems happen before a disposal vendor touches equipment. No vendor can destroy data if they don’t receive an asset, which is why we strongly encourage clients to destroy data before any move. Better safe than sorry. Of course, disposal vendors should destroy data (again) regardless

Retire-IT looked at tracking data from 1,072 corporate disposal projects encompassing 233 different companies and reported some shocking figures:

4 out of 5 projects (81.5%) had at least one missing asset.
1 out of 8 (11.6%) had a negative variance. The devil is in the details, but nobody looks very closely.
Only 79% of the serial numbers were matched with subjective matching.
Without subjective matching, only 58% of serial numbers were matched.

Sanitize IT equipment

Help Net Security offers some suggestions to help sanitize IT equipment:

Computers – Derik Boot and Nuke Linux Live CD for full disk wiping. It supports many types of wiping, including the DoD 5220.2 2-M method with 3 passes.

Starting with Windows Vista (and Windows 2008 Server), the Microsoft OS overwrites the contents of each sector when you do a Slow Format on your media. They recommend Microsoft’s SDelete for wiping files on Windows.

For Apple OS X there’s the Disk Utility.

On Linux use the “wipe”, “srm” or “shred” commands to securely sanitize files on most distributions.

Printers and copiers – Consult the manual to find out how to clear the memory or use third-party software to wipe the hard drive. Which I covered here

Mobile devices – Wired recommends a hammer and don’t forget to remove the SIM card.

BYOD: Preventing Breaches Can Be A Challenge (healthsecuritysolutions.com)

Category: Uncategorized | Tags: 2013, AAPL, Apple, Blackbelt, Computer, Data, Erasure, Hard disk drive, PII, Security, Server 2008, Solid-state memory, Wear leveling, Windows

RB | February 19, 2013

Comments Off

School Kids’ Data at Risk – Part 2

In the Huffington Post article, “In Push For Data, Schools Expose Students To Identity Theft” author Gerry Smith writes about the growing risk of school kids data being stolen across the country.

Read Part One here:

Data Quality Campaign, an organization that encourages states to build student databases argues that students’ Social Security numbers are useful for education policy by creating “enhanced analytical opportunities” for evaluating school curriculum. “The more important conversation is not whether states are collecting Social Security numbers, but how they are ensuring the privacy, security, and confidentiality of all personally identifiable information,” Laird said in a statement to the Huff Post. “We can’t speak to how Social Security numbers are collected and stored at the local level,” she added.

The article cites one survey that concludes student PII is not stored very securely. Only half of K-12 schools use data encryption, according to a survey of IT employees at K-12 schools nationwide. 72% cited budget constraints as the primary barrier to improving their IT security, according to the survey by Panda Security (PDF). Collecting PII in central databases with lackluster security is asking or trouble, “This is making a much bigger honey pot for people with malevolent purposes to gain access to children’s information,” Joel Reidenberg, a professor at Fordham University School of Law. He told The ID Channel, “It’s a meltdown waiting to happen.”

School districts in 26 states now ask for students’ Social Security numbers. The Michigan Department of Education states (PDF), “A school district cannot mandate that parents disclose the social security number of their children.” Huff Post states that Texas is one of those states where education officials use PII to connect K-12 records to higher education and workforce data, according to Debbie Ratcliffe, a spokeswoman for the Texas Education Agency.

Last year, the Texas agency asked eight school districts to send PII, including Social Security numbers, through the mail on unencrypted CDs for research purposes. The article reports that Laredo Independent School District learned the CD it sent got lost in the mail, exposing nearly 25,000 current and former high school students to identity theft, according to the Texas Tribune. Ratcliffe told The Huffington Post that the request came from an agency employee who operated “way outside” normal protocol.

It was not the only school data breach in Texas.

Beaumont school officials told parents that Social Security numbers belonging to an estimated 15,000 students were accidentally exposed online for nearly a year.
The San Antonio Independent School District told parents that names and Social Security numbers of up to 360 students were mistakenly made visible through a Google search.

Still, the Texas Education Agency has no plans to stop asking school districts for students’ Social Security numbers, Ratcliffe told the author. “We have so many databases that use them that it would require quite a bit of change to make that happen,” she said.

Yet concerns over child identity theft have prompted at least five states — Nebraska, North Dakota, Washington, Maine and Wyoming. to create policies that restrict the collection and use of Social Security numbers in K-12 schools.

Jerry Coleman, director of school finance at the North Dakota Department of Public Instruction Coleman said in an interview, “To protect those Social Security numbers would be a hassle we don’t need,”

Parents can refuse to disclose their child’s Social Security number, and the student would be assigned a different identifying number. Ratcliffe, of the Texas Education Agency, said most parents disclose their child’s number anyway.

But privacy experts say, in most cases, parents should keep that information to themselves. “When someone asks for your child’s Social Security number, say no,” said Aaron Titus, chief privacy officer for Identity Finder, which helps organizations protect sensitive data. “I have found about 90 percent of the time when I push back a little bit, I get my way.”

Data breaches leave people six times more likely to become victims of identity theft, according to a survey by Javelin Research. Schools warn parents to monitor their children’s credit after a data breach. The Huff Post says credit reports only turn up 1 percent of fraud on children’s credit histories because thieves pair children’s Social Security numbers with new names and birth dates, a study by Debix found.

More than 18,000 child identity theft complaints were reported to the Federal Trade Commission. But experts tell Huff Post that figures on child identity theft are likely much higher because the crime often goes undetected for years. ID Analytics estimates more than 140,000 children are victims of identity theft each year, based on a one-year study of those enrolled in the firm’s identity protection service. When child identity theft victims turn 18, they find their credit has been destroyed, preventing them from taking out loans or renting apartments.

rb-

Consumers Unions points out that Michigan law restricts how Social Security numbers can be used. In Michigan, SSNs cannot be printed on ID cards, intentionally communicated to the public, and/or publicly displayed or mailed within an envelope.

- Child Identity Theft: Warning Signs and Action (lexingtonlaw.com)

Category: Uncategorized | Tags: 2013, Breach, Data, Identity Theft, K12, PII, Security, Social Security number

RB | February 14, 2013

Comments Off

School Kids’ Data at Risk

Gerry Smith writes about the growing amount of school kids’ data being stolen across the country. In the Huffington Post article, “In Push For Data, Schools Expose Students To Identity Theft” the author explains why. Data thieves want this information to commit identity theft. The author cites several recent cases:

Hackers broke into the computer network of an El Paso, TX school district, They stole a database of about 63,000 students’ Social Security numbers.
School officials mailed out 5,000 postcards with students’ Social Security numbers printed on the front in Wake County, NC.
Social Security numbers of 8,000 Palatine, IL special education students were lost when laptops belonging to a state contractor were stolen.
A former Broward County, FL high school teacher was sentenced to six months of house arrest for stealing the identities of students.
A police officer for the Palm Beach County School District was sentenced to eight years in prison for stealing the identities of former students and teachers.

Child identity theft The article says these incidents highlight the growing risk of school kids’ vulnerability to identity theft. Across the country, schools have become conduits for children’s pristine Social Security numbers. The students’ numbers are increasingly falling into the hands of credit-hungry identity thieves. The frequent data breaches have prompted calls for schools to stop collecting sensitive student data. The breaches have angered parents like Art Staehling, whose 14-year-old daughter was among 18,000 Nashville students who had their Social Security numbers accidentally exposed online for three months in 2009.

They left the gate wide open for data theft

“They left the gate wide open,” Mr. Staehling told The Huffington Post. “It’s clumsiness. There’s no excuse for it. If schools want that information, there should be some sort of penalty paid if they don’t guard it with their lives. I haven’t found a reason why they honestly need it.”

Schools collect students’ Social Security numbers as part of a campaign to more precisely track their progress. But privacy experts told Huff Post there are less risky ways to identify students. The privacy experts accuse schools of needlessly exposing children to identity theft by gathering their Social Security numbers. Mn then not securing them.

The push for collecting student data began under the federal No Child Left Behind Act. Financial incentives in the 2009 stimulus package, including Race to the Top‘s $250 million in competitive grants drove schools to collect student social security numbers, according to Reidenberg.

The U.S. Department of Education has warned schools not to use students’ Social Security numbers in their databases. The Huff Post says the Feds urge schools to create other unique identifiers. The National Center for Education Statistics warned schools last fall that. They told educators that Social Security numbers are “the single most misused piece of information by criminals perpetrating identity thefts.”

School abuses student’s Social Security numbers

Despite the warnings, the collection and use of student’s Social Security numbers in K-12 schools remain “widespread.” An audit last year by Patrick O’Carroll, the Social Security Administration‘s inspector general. The IG found students’ Social Security numbers printed on transcripts, tests, and athletic education forms. According to the article, the audit concluded that schools were using the numbers “as a matter of convenience.” Mr. O’Carroll found there have been at least 40 data breaches of confidential student information at K-12 schools since 2005.

In his report, O’Carroll wrote.”We believe the unnecessary collection and use of Social Security numbers is a significant vulnerability for this young population. Each time a student provides his or her Social Security number, the potential for a dishonest individual to unlawfully gain access to, and misuse, the number increases.”

Read Part 2 here.

rb-

Young children can be identity-theft targets (goerie.com)

Category: Uncategorized | Tags: 2013, Breach, Cybersecurity, Data, Hack, Identity Theft, K12, Michigan, No Child Left Behind Act, PII, School Data Breach, Security

RB | December 20, 2012

Comments Off

Detroit Leader in Identity Fraud Rings

Motown has a new not-so-good title. ID Analytics‘ ID:A Labs has identified the metro Detroit area as one of the top areas for identity fraud. According to their research, there are over 10,000 identity fraud rings in the U.S., and the three-digit ZIP codes with the most fraud rings are around Washington DC; Tampa, FL.; Greenville, MS; Macon, GA; Detroit; and Montgomery, AL.

Detroit The credit rating bureau says an identity fraud ring is a group of people actively collaborating to commit identity fraud. Help Net Security reports this study is the first to investigate the interconnections of identity manipulators and fraudsters to identify rings of criminals working in collaboration.

While many of these fraud rings involve two or more career criminals, surprisingly, others are family members or groups of friends. The article says that ring members operate by either stealing victims’ identities or improperly sharing and manipulating personal identifying information such as dates-of-birth (DOB) and Social Security numbers (SSNs) on applications for credit and services.

Other findings of the study include:

States with the highest numbers of fraud rings include Alabama, the Carolinas, Delaware, Georgia, Mississippi, and Texas.
While many fraud rings occur in cities, a surprisingly high number were also found in rural areas of the country.
A large number of families are working together in fraud rings, even using each other’s SSNs and DOBs. However, rings made up of friends are more common, with the majority of fraud rings made up of members with different last names.

“In this latest research, we have taken a broader approach, looking at connections among bad people rather than studying individual activity,” Dr. Stephen Coggeshall, chief technology officer of ID Analytics said in the post. “This information enables us to build new variables into our fraud models so we can help our customers to make better decisions and improve protection for consumers.”

ID:A Labs looked at about 1.7 billion identity risk events including applications for credit cards, wireless phones, payday loans, utilities, and other financial services credit products. It also examined changes in personal identifying information among accounts such as changes in name, address, DOB, and SSN to identity over 10,000 fraud rings in the United States.

10,000 ID fraud gangs active in US, especially the Southeast, study finds

ID Analytics chart The dots show concentrations of identity theft crime rings.

How Common is Identity Theft? (pubcit.typepad.com)

Category: Uncategorized | Tags: 2012, Detroit, ID Analytics, Identity, Michigan, PII, Security, SSN, Theft

« Older Entries Recent Entries »

Bach Seat

Tag Archive for PII

Did You Wipe Your Tablet?

Solid-state memory

Solid-state memory wear leveling

Three-stage process to wipe SSM

Sanitize IT equipment

Related articles

School Kids’ Data at Risk

They left the gate wide open for data theft

School abuses student’s Social Security numbers

Related articles

Detroit Leader in Identity Fraud Rings

Related articles

Meta