
Archive for April, 2008

NJ Supreme Court Defends Internet Privacy

The Supreme Court of New Jersey has ruled that people have a reasonable expectation of privacy in the subscriber information they give their Internet service providers, so law enforcement officials need a grand jury subpoena to obtain it. While the ruling applies only under New Jersey state law, it gives New Jersey residents stronger protection than the federal court decisions holding that there is no such expectation of privacy online.

The court ruled in the case of Shirley Reid of Lower Township, Cape May County, who was charged with second-degree computer theft for hacking into her employer’s computer system from her home computer. Township police obtained her identity from Comcast by using a municipal court subpoena. The Supreme Court held that law enforcement had the right to investigate her but should have used a grand jury subpoena.

The unanimous seven-member court held that police do have the right to seek a user’s private information when investigating a crime involving a computer, but must follow legal procedures. The court said authorities do not have to warn a suspect that they have a grand jury subpoena to obtain the information.

Writing for the court, Chief Justice Stuart Rabner said: “We now hold that citizens have a reasonable expectation of privacy protected by Article I … of the New Jersey Constitution, in the subscriber information they provide to Internet service providers — just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies.”

The case has significant implications for how courts may interpret online privacy in e-mail and other forms of electronic communication. Federal courts have been reluctant to offer stronger protections for online privacy except where there is a clear violation by the government under complicated statutes like the Electronic Communications Privacy Act. This is the first ruling in the country that seeks to raise the bar on privacy standards for online activities. It may influence other state decisions and could eventually reach the U.S. Supreme Court.

Posted in Information Protection

Thanks, Lincoln - and now, Talladega

Sorry for the lack of posting. We drove hard this weekend and have enjoyed two days in Lincoln, NE. I was honored to provide two keynote sessions today — and was made an Admiral in the Nebraska Navy!

I just looked at the travel plan for the next 24 hours - and I am making my way to southern Tennessee by nightfall tomorrow. It’s about 12 hours of driving, and brings me through Kansas City, St. Louis, Paducah (just love the name) and Nashville. After Talladega, we will swing to Nashville again…

Meantime - if you are in one of these cities and want to catch up - drop me a note and if I can, we’ll coordinate.

Michael

Posted in Information Protection, Professional Speaking

How Office Pranks Can Make Your Job Suck Less

Special Segment by Brad Montgomery

Brad is a friend of mine who has worked to improve my ability to use humor. He’s witty, funny and nice. As a “corporate comedian” he always cracks me up - so I asked him for some advice on how to use what he knows to ease some stress and improve the workplace, and he agreed. Here is what he shared! — Michael

I love harmless, victimless office pranks. Before I give you a couple of cool pranks you can do today, let me tell you why I love them.

Practical jokes are fun, create fun, and inspire fun. When I talk to my clients about boosting humor in their workplace (which increases productivity, improves morale, and aids with employee recruitment and retention), one of the main points I teach is that humor doesn’t start spontaneously. It’s not like a lightning strike. It has to be created, nurtured, and fed.

If your goal is to LEAD the way to humor, the single best way to create an environment conducive to fun is to demonstrate an appreciation for humor yourself. In other words, if you want to have more fun at work, you don’t have to be able to tell jokes, wear clown shoes, or crack wise during meetings. (Though if those things float your boat, go for it!) Instead, show appreciation for a good joke or prank, and laugh at other people’s wise cracks.

Guess what happens when you demonstrate this appreciation of humor? You’ll hear more jokes, you’ll see (and fall victim to) more pranks, and you’ll be entertained by wise cracks. See the brilliance? In order to lead the way to more humor at work, you don’t have to be funny at all. All you have to do is DEMONSTRATE that you like it when other people are funny.

Ok… this is where pranks come in. When you pull a prank, you’re shouting to the world, “Take me on! I love to laugh! Go for it!” And lucky you … your people will listen.

So, how ’bout a couple of easy, victimless, won’t-get-you-sent-to-HR pranks you can execute today? Easy. Here are three:

• Use tape loops to tape your workmate’s telephone receiver to their phone. (So when they try to answer the phone they can’t “pick up.”)
• Put a small piece of tape over the laser on the bottom of somebody’s mouse. It will simulate a broken mouse.
• Change the height of a workmate’s desk chair. Do this one time and it’s funny. Do this twelve times over the course of two weeks, and it’s hilarious.

Now all you have to do is to laugh. Smile. And wait for the joy — and pranks — to come back to you. And they will.

Good for you… now you’re doing your part to Lead the Way to Laughter.

==
Brad Montgomery is a motivational humorist speaker, author, and facilitator. He works with groups who want to laugh-out-loud while learning how to make their workplaces more fun. You can reach Brad at BradMontgomery.com and read his latest rants and ideas at his blog: Bradlaughs.com

Posted in Information Protection, Professional Speaking, Security Awareness Training

Expanding Government Liability for Data Breach

An interesting decision came down last week from the U.S. District Court for the District of Columbia that could change the financial liability of government agencies, and eventually private corporations, for data breaches. For the first time, the district court held that government employees who claimed that a data breach by the Transportation Security Administration (TSA) caused them harm have a valid cause of action against the government. Recent rulings in state courts have dismissed similar claims for lack of merit, based on insufficient proof of emotional harm or financial damage.

In May of 2007, the TSA lost a hard drive containing the personal information of 100,000 of its employees. After the breach was disclosed, the TSA offered free credit-monitoring services to its employees and advised them to alert their financial institutions of potential cases of identity theft.

Since there is no federal law dealing with compensation for data breaches, employees of the TSA brought a civil action against the government under the Privacy Act of 1974. This piece of legislation governs how personal information is to be protected by federal government agencies. The act lays out requirements that the government must meet in order to establish appropriate safeguards in order to ensure the confidentiality of personnel records. It regulates the collection, maintenance, use, and dissemination of personal information by the government.

Employees of the TSA believed that the agency had violated provisions of the Privacy Act and had been negligent in protecting their personal information. The TSA argued that the lawsuit lacked merit because the employees had failed to demonstrate damages and that their “concerns about future harm are too speculative and dependent upon criminal actions of third parties.” The Supreme Court and other courts have left open the question of what constitutes damages, and this continues to be a point of contention in litigation. In this instance, however, the court held that concern about identity theft, damage to financial suitability, and mental distress are not too speculative or dependent on future events to warrant dismissal.

The court treated these non-pecuniary injuries as capable of qualifying as actual damages, a question the federal courts have not settled. Even though the employees did not show current or actual financial loss resulting from disclosure of their personal information, the court let their claim proceed against the TSA.

While this is only a district court’s interpretation and will likely be appealed by the TSA, it does show that courts are beginning to recognize the costs data breaches impose on the public. Even though the TSA employees demonstrated no immediate financial injury, the court defined more broadly what it considers actual damages. Hopefully, allowing the lawsuit to move forward will pressure other government agencies to adopt better security standards for the information in their possession. If this ruling is affirmed, it could affect not only government agencies but corporations as well. If federal courts begin to redefine damages, it might not be long before state courts hold companies liable for their data breaches too.

Posted in Information Protection

quick note: RSA Security Catalyst Community Breakfast

Come join the security catalyst community members, meet each other in person:

Mel’s at 801 Mission St.
7 am

PS: The last few days have been excellent. Over the next few days I’ll be updating on the meetings I liked, some trends I’m paying attention to, and where I think the successful companies will be heading.

Posted in Information Protection

The Honey Stick Project Part 3 - Results and Future Possibilities

This is the third and final (for now) installment of the honey stick project that Scott Wright is working on. Those of you at RSA - I know Scott welcomes the contribution of USB drives and such for this project. If you are at RSA, you can give them to me and I will get them to Scott when I see him in May. Until then, happy reading — Michael

The First Drop
Having designed a simple mechanism for tracking the use of “found” Mobile Storage Devices, and an experimental framework with which to apply some scientific analysis, it was time to put out the bait. I was actually nervous the first time I left a Honey Stick in a public place. I felt like everyone was watching me, suspicious of what I was doing. I was in a fairly busy coffee shop attached to a book store. It had a table where people could do work, so after ordering my coffee and biscotti (this could get to be a much more expensive experiment than I had planned!), I clumsily reached and dropped the first USB stick on the table as I swept my garbage into a pile and stood up to wander off…

If I had time, I had planned to find a vantage point and watch to see what would happen as people discovered the orphaned device. However, this was not a good time. So, I decided to return the next day and see if anyone had turned it in. Believe it or not, they had. So, I decided to adjust my experiment to attempt recovery at the nearest logical point where one might turn in things to a lost and found. I would give them 24 hours before returning, in case the staff were curious at the end of their shift. However, the next few drop-points did not have the same results, and it was sometimes too far out of my way to return the next day, so I decided to just leave the sticks where they were for the long term. Besides, if they ended up in the lost and found, a month may pass, but it might still be possible for somebody to find it and give it a try.

There was one other initial device that I did discover had been turned in to the establishment’s proprietor. This was at a diner.

The amusing downside of recovering turned-in devices was that I could no longer trust them! According to my own preaching, they may have been loaded with a virus. So, in order to re-use them, I would have to carefully sanitize them on an isolated computer with non-sensitive information on it. Not really worth it at this point.

Stream 0 Results
You can track the current results at any time on the Honey Stick website Stream 0 Results page at:

http://honeystickproject.com/blog/results/stream-0-results/

But, to summarize here, after having dropped 19 Honey Sticks, 37% of them were clearly inserted by the finders into their computers. Is this a surprise? I don’t know. It’s not as high as the 75% of the employees who picked up and inserted similar devices during the penetration test reported in the 2006 Dark Reading story. But, one thing I’ve discovered is that there are many variables that can influence the results. Clearly, just dropping the devices in a location that has a convenient authority figure makes it easy for a finder to be a “good samaritan” and get on with their day.

Another subtle factor is the amount of privacy in the finder’s situation. If there are 10 people within view of you when you pick up the device off a chair, shelf or floor, you risk them watching you to see if you will keep it or turn it in. As far as you know the owner might be sitting nearby, and just realizing that they’ve lost the device. It’s very risky. On the other hand, a phone booth, elevator or washroom can provide enough privacy that nobody else will see you pick it up (except for the security cameras, right?). I think these types of locations are working better to allow people to follow their curiosity when they see one.

And what of the “return to owner” feature I mentioned in Part 2 (a file entitled “owner_contact_info.txt”)? Not counting the two devices that I physically recovered from proprietors’ lost and founds, 2 of the other 17 devices dropped resulted in the finders calling me to let me know they had found it. One found it in an office building elevator, and another found it in a city bus transit station. Interestingly, when I spoke to them, I found out one of the finders had inserted the device, run a virus scanner, then explored the device to find the owner information. As far as I can tell, they did not open any other files on the device. It’s nice to know we have some honest, smart people in Ottawa! I don’t know how harshly I should rate them for inserting the device just to find the owner information. They may have known how to disable auto-run features in Windows (holding the Shift key during insertion, I believe, prevents it).

Where to go From Here?
I now have a sponsor who is willing to purchase and donate another 30 devices to the project. I would like to thank Mike Sues, president of Rigel Kent Security, an ethical hacking and penetration testing company here in Ottawa, for this donation, allowing me to carry on the study. Mike has some good ideas on how we might be able to target other experiments to measure security awareness in the general public.

It would be nice to see what kind of responses I can get from other cities. A few colleagues have indicated that they would be willing to drop devices as they travel on road trips to various cities. In addition to Ottawa, I’ve left a few at the Mont Tremblant ski resort near Montreal, and in Toronto. In the next month, I hope to have some finding their way to San Francisco, Las Vegas, and a few other towns across North America. I can ship the devices pre-configured, or send a zipped archive (the file sizes are very small) to people willing to supply their own devices.

It would also be exciting to have others contributing their efforts and/or funding to grow the project. The only thing I may ask is that, for the integrity of the project, people make a commitment not to alter the files on the devices, and not to try to hack the site where I gather the stats. Remember, the idea is to raise the public’s awareness of the risks that come with some of the most powerful and simple new technologies that are becoming a routine part of our lives.

So far, I’ve been pleasantly surprised by the response I’m getting from people. I encourage bloggers to write about the project and link to the site once in a while (that URL again, is http://www.honeystickproject.com). A big thanks to Michael, the Security Catalyst, for giving me space to blather on here. So, be careful the next time you pick up a seemingly abandoned USB stick. You may become part of the experiment! Let’s hope we don’t detect you opening a file called “naughty-things.html”.

Posted in Information Protection
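The tracking framework in Scott’s Honey Stick post above (a small file on each stick whose opening the project site can “detect”, and a results page that reduces those detections to “dropped” versus “inserted” counts) is the part most readers will want to see concretely. The block below is an added example and is not the Honey Stick Project’s own code, nor a reproduction of its mechanism from Part 2. It assumes a beacon design: an HTML file on the stick loads a one-pixel image from a collection server (placeholder host stats.example.net), so opening the file while online leaves a hit in that server’s access log, which is then reduced to Stream 0 style numbers. The device IDs, the readme.html filename, and every log line are constructed for the demo; only naughty-things.html and owner_contact_info.txt come from the post.

```python
"""Honey-stick experiment tooling: beacon page generator and log reducer.

Added example for this post; it is not the Honey Stick Project's own code
and does not reproduce its tracking mechanism.  Assumed design: each device
carries a small HTML file that loads a 1x1 image from a collection server
(placeholder host stats.example.net), so opening the file while online
leaves a hit in that server's access log.  Log lines are in Common Log
Format, and the sample below is constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime

BEACON_BASE = "http://stats.example.net/b"   # placeholder, not the project's site


def make_honey_page(device_id: str, filename: str) -> str:
    """HTML to write to one device.  Opening it in a browser fetches the
    beacon image, which records device_id and filename on the server.
    Nothing runs on the finder's machine; it is a plain <img> fetch."""
    return (
        "<html><body>\n"
        "<p>This USB stick belongs to someone.  Owner details are in "
        "owner_contact_info.txt on this device.</p>\n"
        f'<img src="{BEACON_BASE}?d={device_id}&amp;f={filename}" width="1" height="1">\n'
        "</body></html>\n"
    )


# Common Log Format line carrying a beacon request, e.g.
# 198.51.100.7 - - [10/Apr/2008:14:22:07 -0400] "GET /b?d=hs-003&f=readme.html HTTP/1.1" 200 43
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /b\?d=(?P<dev>[^&"\s]+)&f=(?P<file>[^&"\s]+)[^"]*" (?P<status>\d{3})'
)


def parse_log(lines):
    """Yield (device_id, filename, timestamp) for every successful beacon hit;
    other requests (robots, probes, error responses) are ignored."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("dev"), m.group("file"), ts


def summarize(lines, dropped):
    """Reduce a log to Stream 0 style numbers.

    A device counts as inserted once, however many times it is plugged in or
    how many files are opened; the per-device file set is kept so that a
    finder who opened one page can be told apart from one who browsed."""
    opened = defaultdict(set)
    first_seen = {}
    for dev, fname, ts in parse_log(lines):
        opened[dev].add(fname)
        first_seen[dev] = min(first_seen.get(dev, ts), ts)
    inserted = len(opened)
    return {
        "dropped": dropped,
        "inserted": inserted,
        "inserted_pct": round(100 * inserted / dropped),
        "opened_naughty": sum(1 for f in opened.values() if "naughty-things.html" in f),
        "files_by_device": {d: sorted(f) for d, f in opened.items()},
        "first_seen": {d: t.isoformat() for d, t in first_seen.items()},
    }


# Constructed sample: 19 devices dropped, hits from 7 distinct devices
# (one device inserted twice, one with two files opened, two non-beacon lines).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Apr/2008:14:22:07 -0400] "GET /b?d=hs-003&f=naughty-things.html HTTP/1.1" 200 43
198.51.100.7 - - [10/Apr/2008:14:23:40 -0400] "GET /b?d=hs-003&f=readme.html HTTP/1.1" 200 43
203.0.113.21 - - [11/Apr/2008:09:01:12 -0400] "GET /b?d=hs-005&f=readme.html HTTP/1.1" 200 43
203.0.113.44 - - [11/Apr/2008:18:40:55 -0400] "GET /b?d=hs-007&f=readme.html HTTP/1.1" 200 43
203.0.113.44 - - [12/Apr/2008:08:02:31 -0400] "GET /b?d=hs-007&f=readme.html HTTP/1.1" 200 43
198.51.100.90 - - [12/Apr/2008:12:15:03 -0400] "GET /b?d=hs-009&f=naughty-things.html HTTP/1.1" 200 43
192.0.2.18 - - [13/Apr/2008:20:30:19 -0400] "GET /b?d=hs-011&f=readme.html HTTP/1.1" 200 43
192.0.2.55 - - [14/Apr/2008:07:45:00 -0400] "GET /b?d=hs-014&f=readme.html HTTP/1.1" 200 43
198.51.100.12 - - [15/Apr/2008:16:10:48 -0400] "GET /b?d=hs-017&f=readme.html HTTP/1.1" 200 43
192.0.2.200 - - [15/Apr/2008:16:11:02 -0400] "GET /robots.txt HTTP/1.1" 404 0
192.0.2.200 - - [15/Apr/2008:16:11:05 -0400] "GET /b?d=hs-999&f=x HTTP/1.1" 404 0
""".splitlines()


if __name__ == "__main__":
    print(make_honey_page("hs-003", "readme.html"))
    print(summarize(SAMPLE_LOG, dropped=19))
```

Two caveats follow from this design. A beacon only fires if the finder is online when the file is opened, so the inserted count is a floor rather than a count of every insertion; and counting a device once regardless of how many hits it generates is what keeps a figure like 7 of 19 comparable with the post’s 37%. Separately, the Shift-key trick mentioned above suppresses AutoPlay for that one insertion only; a finder who relies on it has still mounted an untrusted filesystem, which is why the post’s point about not trusting a recovered stick stands.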

The road to RSA: Laramie, WY to Reno…

It is sunny and cold in Laramie, WY. I didn’t make it nearly as far yesterday (leaving Omaha, NE) as hoped (not planned). Part of the adventure, for me, is the ability to have a flexible schedule. We’ll be heading out shortly, attempting to make Reno, NV by the time we stop. That means we are aiming to cover 900 miles today, including tackling the mountains. I realize as I write this, it is not going to happen.

What I want to see at RSA
I have enjoyed seeing America (from Rt 80); it has helped me clear some thoughts and focus on what I would like to get out of RSA. I am interested in companies that either:
1. change the way people protect information, or
2. make it easier for people to do their jobs while protecting information.

I want to see solutions where technology has been matched to people… not where people have to learn to adapt. I’m certain there are some excellent technology-only solutions available, but I’ll leave those for others who are passionate about technology the way I believe in people and the power of the individual.

My schedule is a bit hectic, and I have over 100 requests for time and meetings. I have replied to some, and the others I will reply to this weekend. If you are looking to meet with me, please let me know if/how you fit into the criteria above.

Carrying the Message
We are on the April Expedition of the Campaign Across America. In the next few weeks, I’ll update the book website, establish a blog for updates and will continue to use twitter (http://twitter.com/catalyst) to share the journey. We view the campaign as a grass-roots approach to carrying the message that protecting information is the responsibility of the individual - while working with corporations, governments and families to explain how easy this is. This is the celebration of nearly three years of work that led to the book, the security salon and now the ability to inspire people to change the way they protect information.

We are working to plan out the official launch of the campaign - shortly after the Ironman Triathlon in July — and after the book hardcover edition is in print (June/July). We’ll publish the route, and I’ll publish frequent updates; if you are en route, we’ll try to make time to stop and say hello. More details will be coming… and you can always call or send me an email.

Use me for RSA
I’m going to be at RSA. I’m going to be traveling the country. What do you need from RSA? What companies would you go see if you were me? What challenges are you facing that you think I could help lend some insights on? Shoot me a note and let me know.

Speaking Engagements
While in San Francisco/San Jose, I have a few private speaking engagements; but I also have some public events, too. I’ll post a listing this weekend - but if you’re in the area, I’ll make sure we get a chance to catch up and share some passion. We’ll be in the region until April 17th — when we leave to head to Lincoln, NE to speak at the Nebraska Cyber Security Conference.

Drive safe - and reach out and let me know what you want…

Posted in Information Protection

The Campaign Across America - April Expedition - Has Begun

So I missed my Monday column. Didn’t post our guest article for yesterday and I’m really delayed on the podcast for today. Actually, I’m sitting on 3-4 podcasts right now… why, you ask?

We have started the Campaign Across America.
Well, not the whole thing, mind you, but the April Expedition. Five weeks, 7,000 miles and a whole lotta states! Stay tuned for map, updates and ways we can meet up and share some ideas. Or just a meal.

We are currently in Omaha, NE.
I am about to run out to a meeting and to have dinner with friends. As soon as I can, I’ll update our schedule (so we can meet along the way), the speaking engagements we have currently setup (though some are private) and some ideas and insights along the way. Turns out 20 hours of windshield and really _seeing_ America is rich with experience to teach us all.

Quick updates:
• The book edits (3rd round) are done; the book is nearly done (I’ve learned a lot about writing and publishing in this last year)
• The Security Salon has launched - and we have started helping businesses around the country change the way they protect information

Follow Along (and guide us)
If you want to follow the action, I’m now on twitter - http://twitter.com/catalyst - and trying to learn how to use it. I’m also figuring out how to post the photos I am taking along the way, with some regular updates. Ideas, questions, feedback and opportunities to meet — send me an email (securitycatalyst at gmail dot com).

Posted in Information Protection