Archive for the year 2011
New book chapter: Harm mitigation from the release of personal identity information
A new book chapter by Jean Camp and myself is now available. It appears in a new collection edited by George Yee titled Privacy Protection Measures and Technologies in Business Organizations: Aspects and Standards. Here is the abstract, citation information, and link to the book.
In August 2007 approximately 445,000 letters were sent to retirees who belonged to the California Public Employees’ Retirement System (CalPERS). This was a routine mailing, but all or a portion of each pensioner’s Social Security Number (SSN) was printed on the address panel of the envelopes, making this event anything but ordinary. This massive breach of sensitive SSNs, along with names and addresses, exposed these people to potential identity theft and fraud. What are the harms associated with a data breach of this nature? How can those harms be mitigated? What are, or should be, the costs and consequences to the organization releasing the data? While it is very difficult to predict the specific consequences of a data breach of this nature, a statistical model can be used to estimate the likely financial repercussions for individuals and organizations, and the recent settlement in the TJX case provides a good model of harm mitigation that could be applied in this case and similar cases.
Patrick, A. S., & Camp, L. J. (2012). Harm mitigation from the release of personal identity information. In Yee, G. O. (Ed.), Privacy Protection Measures and Technologies in Business Organizations: Aspects and Standards. (pp. 309-330).
Posted: December 8th, 2011 under Security & privacy.
Upcoming events of interest
Here are some upcoming events that you might be interested in.
- Presenter: Privacy & Information Security Congress 2011, November 28-29, 2011, Ottawa. I will be presenting about privacy and location-based services.
- Attending: Financial Cryptography and Data Security 2012. February 27 – March 2, 2012, Bonaire.
Financial Cryptography and Data Security is a major international forum for research, advanced development, education, exploration, and debate regarding information assurance, with a specific focus on commercial contexts. The conference covers all aspects of securing transactions and systems. Original works focusing on both fundamental and applied real-world deployments on all aspects surrounding commerce security are solicited.
- Program Committee: Workshop on Usable Security. March 2, 2012. Part of Financial Cryptography and Data Security 2012, Bonaire.
- Of Interest: Workshop on Ethics in Computer Security Research. March 2, 2012. Part of Financial Cryptography and Data Security 2012, Bonaire.
- Program Committee: Symposium on Usable Privacy and Security (SOUPS 2012). July 11-13, 2012, Washington, DC. This symposium will bring together an interdisciplinary group of researchers and practitioners in human computer interaction, security, and privacy. The program features technical papers, workshops and tutorials, a poster session, panels and invited talks, and discussion sessions.
Posted: October 17th, 2011 under Events, Security & privacy.
Authentication options
An interesting article from Dark Reading on authentication options you might want to consider.
Posted: September 19th, 2011 under Uncategorized.
Funding available for privacy research and education in Canada
The Office of the Privacy Commissioner of Canada is calling for proposals for cutting-edge privacy research and public education projects in Canada. The application deadline is March 14, 2011.
The Office is interested in receiving research proposals focusing on four priority areas:
1) identity integrity and protection,
2) information technology,
3) genetic privacy, and
4) public safety.
However, the Office will continue to accept research proposals on issues that fall outside these areas.
As well, the Office invites proposals to fund public education and regional outreach initiatives that aim to inform Canadians about their privacy rights and how they may better protect their personal information.
All proposals will be evaluated on the basis of merit by OPC officials, and the maximum amount that can be awarded for each research or public education project is $50,000. (A maximum of $100,000 can be awarded per organization.)
Not-for-profit organizations, including education institutions and industry and trade associations, are eligible, and this includes consumer, voluntary and advocacy organizations.
Posted: February 17th, 2011 under Security & privacy.
Anatomy of a successful online attack
Ars Technica has an interesting article describing in detail how the group Anonymous was able to penetrate and embarrass the security firm HBGary and the rootkit.com site.
This was not a particularly advanced attack, but rather one that focused on known weaknesses, bad practices, and social engineering of people who should know better.
Most frustrating for HBGary must be that they knew what they did wrong and were perfectly aware of best practices; they just didn’t actually follow them. Everybody knows you don’t use easy-to-crack passwords, but some employees did. Everybody knows you don’t re-use passwords, but some of them did. Everybody knows that you should patch servers to keep them free of known security flaws, but they didn’t.
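To make the first two failures concrete, here is an added example (my own illustration, not code from the post or from the Ars Technica article) of how little effort "easy-to-crack" and "re-used" actually require from an attacker. It assumes the stolen credential store holds unsalted, fast hashes (MD5 is an assumption here; the post does not say what HBGary used) and uses a constructed set of accounts. A short wordlist with a few mangling rules recovers the weak passwords in a fraction of a second, and because the hashes are unsalted, identical hashes also expose which passwords are shared across services, so one cracked password opens several accounts.

```python
import hashlib

# Assumption: the store uses unsalted MD5, a fast hash with no per-user salt.
def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Constructed sample data: (service, user) -> stored hash.
ACCOUNTS = {
    ("cms", "alice"): md5_hex("password1"),
    ("cms", "bob"): md5_hex("Summer2010"),
    ("email", "alice"): md5_hex("password1"),      # same password reused on email
    ("ssh", "carol"): md5_hex("T9#vL2!qZp8w@"),    # strong; should survive the attack
}

# A tiny wordlist; real crackers use millions of entries and many more rules.
BASE_WORDS = ["password", "summer", "welcome", "letmein", "admin"]
SUFFIXES = ["1", "123", "!", "2010", "2011"]


def mangle(word: str):
    """Yield the cheap variants attackers try first: case changes and common suffixes."""
    for w in (word, word.capitalize(), word.upper()):
        yield w
        for suffix in SUFFIXES:
            yield w + suffix


def crack(hashes: set, words) -> dict:
    """Dictionary attack: hash every candidate and look it up in the stolen set.

    With an unsalted fast hash each candidate costs one hash computation and
    is checked against every account at once, which is why this is cheap.
    """
    found = {}
    for word in words:
        for candidate in mangle(word):
            h = md5_hex(candidate)
            if h in hashes and h not in found:
                found[h] = candidate
    return found


def crack_accounts(accounts: dict, words) -> dict:
    """Return {(service, user): recovered_password} for every account that fell."""
    recovered = crack(set(accounts.values()), words)
    return {acct: recovered[h] for acct, h in accounts.items() if h in recovered}


def find_reuse(accounts: dict) -> dict:
    """Without salts, equal hashes mean equal passwords: list users who reuse one
    password across services, even before any password is cracked."""
    services_by_user_hash = {}
    for (service, user), h in accounts.items():
        services_by_user_hash.setdefault((user, h), []).append(service)
    return {
        user: services
        for (user, h), services in services_by_user_hash.items()
        if len(services) > 1
    }


if __name__ == "__main__":
    for acct, pw in crack_accounts(ACCOUNTS, BASE_WORDS).items():
        print(f"cracked {acct}: {pw}")
    for user, services in find_reuse(ACCOUNTS).items():
        print(f"{user} reuses one password on: {', '.join(services)}")
```

The two defensive points follow directly from the code: a per-user salt removes the shared lookup in `crack` (each account costs its own pass over the wordlist) and makes `find_reuse` impossible for an attacker, and a deliberately slow hash such as bcrypt or scrypt makes each candidate expensive, so a wordlist of millions of entries stops being a sub-second job. Neither helps against reuse if the same password is handed to another site that stores it badly, which is the argument for unique passwords per service.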
Posted: February 17th, 2011 under Security & privacy.
The psychology of political assassins
Wired has an interesting article on the psychology of political assassins. The US Secret Service has done a study of 83 people who killed, or attempted to kill, political figures. They found that the motivations for the killings were often mundane and obvious. And there was often a slow deterioration in the social and mental life of the assassin prior to the event, leading the service to develop early intervention methods.
Contrary to popular assumptions about public killings, the attackers didn’t conform to any particular demographic profile. But when Fein reconstructed their patterns of thinking, he was able to distill them into a handful of recurring motives for killing a public person — motives that seemed consistent regardless of whether a given individual was delusional or not (and three quarters of those who pulled the trigger were not).
Some hoped to achieve notoriety by killing a well-known person. Others wanted to end their pain by being killed by Secret Service. Still others hoped to avenge a perceived, idiosyncratic grievance unrelated to mainstream politics. Some hoped, unrealistically, to save the country or call attention to a cause. And some hoped to achieve a special relationship with the person they were killing.
Posted: January 13th, 2011 under Human nature.
