Visible Employee Blog
By Jeff Stanton on 7/7/2006 3:13 PM

Last week (7/1/06), the Red Cross reported that a laptop containing thousands of records of blood donors' personal data had been stolen from a locked closet in one of their local offices. They reported that there was no sign of forced entry into the closet. Obviously this implicates someone with a key to the closet. An employee? Janitorial staff?

Bizarrely, the Red Cross spokesman, Darren Irby, said, "We haven't viewed this as a security breach at this point." I guess he is resting comfortably with the idea that because the donor data were "encrypted," that they are safe even on a stolen laptop. Let's just take a moment to remember that there are lots of different types of encryption, some more secure than others, and that all forms of encryption are subject to attack. Further, for the most common kind of file encryption (symmetric key encryption), the security of the data also depends on keeping the "key" (like a p ... Read More »

By Jeff Stanton on 7/6/2006 4:23 PM

Partly as a public service and partly as a marketing technique, antivirus vendor Sophos (http://www.sophos.com) publishes an update on the state of computer security every six months or so. The latest report just came out (July 2006) and it highlights an ever-increasing array of security threats that affect business and home users.

Among other problems, Sophos has documented the increased use of subtle social attacks that encourage users to perform dangerous behaviors such as clicking on attachments. While these attacks used to entice victims with the possibility of seeing Britney Spears or some other celebrity "lightly clad," new enticements to click on evil attachments include political scandals, crime descriptions, and other newsworthy headlines. These threats are considered social attacks because they prey on natural human curiosity (or other common motivations) as a method of encouraging u ... Read More »

By Jeff Stanton on 7/5/2006 5:00 PM

Well, the day has finally arrived. Next Tuesday (7/11/06), Microsoft will officially discontinue support for Windows 98 and Windows ME. No more security updates, no more operating system patches. Good riddance, you may say! These operating systems were never very stable, and were not well suited for the thorny security environment that is the modern Internet.

The only problem is that there are tens of thousands of schools, non-profit companies, and small businesses across the country and the world that still have a substantial number of working computers that are running Windows 98 and Windows ME. I hate to admit it, but I have one of each myself! (Strictly for non-critical applications, you understand - think gaming and mp3 playback.)

I've visited a number of these smaller organizations in the course of my research and I've found that they are struggling with enough IT problems already and are under enough budgetary pressure that there is no w ... Read More »

By Jeff Stanton on 6/30/2006 1:43 PM

This is really cool! Researchers at Newcastle University in the UK conducted an experiment which showed that people are more honest when they feel they are being watched - even if they are not actually being watched. In the experiment, a large black and white poster depicting a person's eyes, when placed in front of an "honor system" contribution box (for the purchase of a drink), caused people to put two and a half times more money in the box than when the poster depicted flowers.

The human brain is programmed at a deep level to care about what others think of our behavior. If cues in our environment make us think we are being watched by other people, we generally will behave more "prosocially."

This is a major issue that we documented in The Visible Employee when discussing employee monitoring. We argued that for monitoring to be effective in its mission of improving informa ... Read More »

By Jeff Stanton on 6/19/2006 11:58 AM

If Microsoft were chasing me I would be scared too. Today's news reports that McAfee - maker of individual and corporate antivirus solutions - has released a beta of their new product, code named "Falcon."

Falcon purports to be a security "platform" not just a tool or application. As a platform it appears to be a one stop shop for security protection for computers. In addition to traditional anti-virus functions, the platform provides anti-phishing protection, detects and eliminates rootkits, and a Site Advisor that provides information about contaminated or dangerous websites.

McAfee is developing these welcome innovations in response to the fact that Microsoft has been edging their way into the security product business little by little over the past few years. The great news for small business is that the competition between the antivirus giants like McAfee and Microsoft will drive prices down and create a wider range of features and capa ... Read More »

By Jeff Stanton on 6/14/2006 11:40 AM

OK, now the Department of Energy is having "difficulties" with data security. A "red team" (a security testing group, sometimes called penetration testers or pen testers) was testing DOE security last fall when they discovered a previous hack in which employee records of 1502 contract employees of the DOE were stolen by a hacker from an unclassified computer system.

This one sounds, at least in part, like a technical security problem, though there are certainly organizational issues here as well. It is strange that the DOE knew about the breach for some months but did not undertake an effort to notify all the affected employees until recently. Neither the DOE Secretary nor his deputy was informed about the breach until recently. A little communication problem, perhaps?

In our research we found that IT departments and IT security groups often had difficulty getting and holding the attention of upper management because the ... Read More »

By Jeff Stanton on 6/13/2006 2:14 PM

At latest count over 26 million veterans had their data leaked by an employee who downloaded data onto a laptop, brought the laptop home, and was the unfortunate victim of a burglary in which the laptop was stolen. The records contained a variety of sensitive information including social security numbers.

As a result of this data theft there has been an expected outcry in industry and government circles about the need for greater security. Unfortunately, most of this hubbub focuses on the wrong issues. Polls show that U.S. citizens are concerned about privacy and identity theft, but primarily in the context of online transactions such as eCommerce purchases.

The VA case is a classic failure of behavioral policy within large organizations and has little to do with Internet security or eCommerce security per se. One of several root causes is important here:

  1. The VA did not have a policy ... Read More »

Copyright 2006 Jeffrey Stanton and Kathryn Stam