Security: Cyber Gangs Target Small US Firms

Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States, setting off a multimillion-dollar online crime wave that has begun to worry the nation’s largest financial institutions.

Washington Post


How long does it take to wipe a drive?

Arguably there are a variety of factors in this: the type of drive (IDE, S-ATA, SCSI, USB drive), the wiping method (e.g. all “00” or a random pattern), the efficiency of the wiping tool, etc., but most of this is relatively small beer.

The real deciding factors in the time scales are:

1) The size of the drive

2) The number of wipes

Despite all of the myths, rumours and lies, a drive only needs to be successfully wiped once to delete all of the data, so point (2) is moot.

Therefore the only factor of concern is the size. All things being equal, a 1 TB drive will take four times longer to wipe than a 250 GB drive. But for those in operations the actual time to wipe a drive probably is not important; the time taken to start the drive wiping is, because once it's started it can be left to wipe without any supervision.

It should take around 5 minutes to set a drive wiping, and it doesn't matter if it's an 80 GB IDE or a 1 TB S-ATA (as long as you have the right connections): setting a drive wiping will not take long at all.
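The single-pass wipe the post describes, together with the verification step a practitioner would want afterwards, as an added example that is not part of the original post. It uses dd for the zero-fill pass and runs against a constructed 4 MiB image file rather than a real disk; the image size, the marker string and the function names are assumptions made for the example. On real hardware the same dd invocation takes the unmounted device path in place of the file, and the elapsed time scales with the device size exactly as the post says.

```shell
#!/bin/sh
# Added example, not code from the original post: a single zero-fill pass over a
# disk image followed by a verification pass. It works on a constructed 4 MiB image
# file so it runs anywhere; on real hardware the same dd invocation takes the device
# path (a disk that is not mounted or otherwise in use) instead of the file.

IMAGE_BYTES=4194304   # constructed 4 MiB image, a whole multiple of the 1 MiB block size

# Build the constructed image: random contents plus a recognisable marker string,
# so the "before" and "after" states can be told apart.
make_image() {
    img="$1"
    dd if=/dev/urandom of="$img" bs=1024 count=$((IMAGE_BYTES / 1024)) 2>/dev/null
    printf 'SECRET-MARKER-CONSTRUCTED' |
        dd of="$img" bs=1 seek=1000000 conv=notrunc 2>/dev/null
}

# Returns 0 if the marker string is still readable from the image.
marker_present() {
    grep -q 'SECRET-MARKER-CONSTRUCTED' "$1"
}

# One pass of zeros over the whole image. conv=notrunc keeps the file size fixed, and
# count bounds the write because, unlike a block device, a file does not stop dd by
# itself. The time this pass takes is proportional to the size being wiped.
wipe_image() {
    img="$1"
    size=$(wc -c < "$img" | tr -d ' ')
    dd if=/dev/zero of="$img" bs=1048576 count=$((size / 1048576)) conv=notrunc 2>/dev/null
}

# Verification pass: strip every NUL byte and check that nothing is left.
# Returns 0 only if the image is entirely zeros.
verify_wiped() {
    remaining=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$remaining" -eq 0 ]
}

# Stand-alone demonstration on a temporary image file.
demo=$(mktemp)
make_image "$demo"
marker_present "$demo" && echo "before wipe: marker readable"
wipe_image "$demo"
verify_wiped "$demo" && echo "after wipe: image is all zeros"
marker_present "$demo" || echo "after wipe: marker gone"
rm -f "$demo"
```

The verification pass is the part worth keeping: a single pass is enough, but only a read-back confirms that the pass actually covered the whole device and did not stop early on an I/O error that dd's silenced output would otherwise hide.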

MIT: Data and Privacy Conference

The highly regarded Massachusetts Institute of Technology, MIT, is holding a conference on data and privacy in October 2009, entitled Engaging Data.

Below is their call for papers.

Engaging Data: First International Forum on the Application and Management of Personal Electronic Information.

Hosted by SENSEable City Lab, Massachusetts Institute of Technology – Oct. 12-13, 2009

Call for Papers

Over the past decade, the development and use of digital networks has produced an increasing wealth of new data. Handheld electronics, locative media, telecommunications networks, and a wide assortment of tags and sensors are constantly collecting a rich stream of real-time information on various components of our lives and the environment we inhabit, including our movements, purchases, social interactions, Internet activities, and many more.
These data afford a wide range of research opportunities in the social and natural sciences that will create a multitude of beneficial information and services. Affected areas range widely and include, among others, workplace efficiency, traffic management, tourism, marketing, logistics, e-commerce, entertainment, urban and architectural planning, disaster response, security, environmental sustainability, and social interaction.

Advances in this field are progressing cautiously, however, as the public, commercial and social entities, and the government are only just beginning to understand this new condition of pervasive sensing and data mining as well as the associated framework required to manage it. Conflicting standards on privacy and fear of entering upon uncharted territories hinder companies, researchers, and others from engaging in activities that make responsible use of potentially sensitive data. Moreover, regulation has not kept pace with the changing digital infrastructure, and as a result different stakeholders currently face different restrictions on data usage. In short, we still lack a complete understanding of the societal value in this data and the influence on society by its use, and much still remains unexplored.
It is becoming imperative to develop a new framework of standards and best practices for collecting, storing, analyzing, reporting, sharing, and protecting valuable electronic data created by new technologies and services. The Engaging Data: First International Forum on the Application and Management of Personal Electronic Information is the launching event of the Engaging Data Initiative, which will include a series of discussion panels and conferences at MIT. This initiative seeks to address the above issues by bringing together the main stakeholders from multiple disciplines, including social scientists, engineers, manufacturers, telecommunications service providers, Internet companies, credit companies and banks, privacy officers, lawyers, and watchdogs, and government officials.

The goal of this forum is to explore the novel applications for electronic data and address the risks, concerns, and consumer opinions associated with the use of this data. In addition, it will include discussions on techniques and standards for both protecting and extracting value from this information from several points of view: what techniques and standards currently exist, and what are their strengths and limitations? What holistic approaches to protecting and extracting value from data would we take if we were given a blank slate?
These issues and questions will be addressed through invited talks, paper presentations, and panel discussions. The forum will serve as a platform to exchange ideas, discuss the latest developments in this field, address significant issues, and create visions for the future.
The forum is seeking original contributions in the form of both position papers and technical papers. Of particular interest are papers that open new paths for research, express a creative vision for the future, and contribute to a lively debate.

Papers are solicited that propose principles and approaches to building a viable social ecosystem for using information mined from human interactions with digital networks. Each paper must touch on the technical, security, social, legal/political, and financial aspects of the issue, although it is expected that papers will concentrate more on some aspects than on others.
Topics of interest within these aspects include, but are not limited to, the following:
Uses and concerns associated with data collection and mining:
1. Information mined by an endpoint party to a communication, including:
• Types of information mined from consumer devices by endpoint parties (e.g. VoIP routers and radio
• Accuracy and use of location analyses based on IP addresses, Internet traceroutes, etc.
• Sharing of mined data with third parties
• Methodologies to analyze and visualize this data
2. Collection, storage, and use of information gathered from wireless networks, including:
• Location-based tracking and other forms of mobile sensing
• Mobile phones, cordless phones, walkie-talkies, wireless microphones
• Femtocells
• RFID systems
• Wi-Fi Networks
• Implications for “white spaces” signal-sensing devices
• Increased personalization of communications (i.e. device is commonly unique to a particular individual)
• Sharing of data with third parties
3. Collection of information on traffic flow patterns in fixed networks, including:
• How uses and concerns vary based on whether flows are segregated by endpoint, time-of-day, bandwidth usage level, application type, etc.
• Optical and non-optical networks
• Broadband networks
• Personal area networks (PAN), Local-area networks (LAN), Wide-area networks (WAN), etc.
4. Information collection inside the network
• Packet inspection, e.g. collection of IP addresses, HTTP cookies, etc.
• Significance of IPv6 in providing static IP addresses that may be specific to particular devices and/or their
5. Soundness of data
• Veracity, completeness, etc. of data collected from multiple perspectives, e.g. multiple sensors and/or points inside the network
• Algorithms and other tools to deal with incomplete, contradictory, and incorrect data
6. Data protection
• Effectiveness and adequacy of encryption, anonymization, aggregation, hashing algorithms, and level of accuracy of information at ensuring customer privacy
• Metadata standards and preservation formats
1. Business and incentive models/structures
Social issues associated with data collection and mining:
1. Consumers and Privacy
• Privacy concerns and countervailing interests concerning the authentication of electronic identities and
• Consumer awareness, e.g. how common it is for people to read privacy policies
• Consumer access to, control of, and awareness of information collected about them
• Ethical considerations and implications of data mining for both individuals and society
• Social norms and expectations of privacy
Legal and political issues associated with data collection and mining:
1. Standards for protecting and extracting value from data
• Strengths and limitations of existing standards
• “Blank slate,” holistic approaches to protecting and extracting value from data
• Applicability of set standards, e.g. EC Data Protection Directive, to the US, developed vs. developing countries, globally
2. E-government services
• Appropriateness of permitting private entities preferential rights of access or redistribution of such data
• Conformity with citizen expectations and assurances of the privacy of such data
3. Legal and regulatory concerns
• Requirements, if any, for prior review and approval of proposed collection and use of data (IRB, etc.)
• Acceptable methods of obtaining consent for the use of various types of information
• Requirements of consent from parties related to the information, e.g. from only one party related to the information or from all parties related to the information
• Responsibilities to disclose mining of information (who must disclose such activities and to whom must disclosure be made, e.g. direct customer of service, correspondents of direct customer, etc.)
• Role of regulation in the exposure of information collected on network activities
4. Risk and Mitigation
• Evaluation and mitigation of risks of research, government, and commercial activities involving data collection and mining
• Methods of risk avoidance
Author Guidelines
Position papers must be 4-6 pages in length, technical papers 6-8 pages in length. Papers must be written in English and follow the standard IEEE format (two-column, single-spaced, 10-point font, on US Letter size paper). Please submit papers in PDF format. Templates can be found here

Each submitted paper will be peer-reviewed in a double-blind fashion. Please remove any mention of author names and affiliations in the entire submission, and if referencing previous work of the authors, use the third person. Papers will be evaluated according to originality, relevance, technical soundness, significance, and clarity. At least one author must register for the conference to have the paper published in the proceedings. The most exceptional papers in each category will be presented at the conference and published in the conference proceedings. All papers will be handled electronically and should be submitted online. An electronic submissions system will be available shortly.
Important Dates
Deadline for submission of full papers: July 13, 2009
Notification of acceptance: August 10, 2009
Camera-ready papers due: August 31, 2009
Early registration: August 31, 2009
Conference dates: October 12-13, 2009
General Chairs and Program Committee

General Chairs:
Carlo Ratti, Massachusetts Institute of Technology
Assaf Biderman, Massachusetts Institute of Technology

Technical Contributions Co-Chairs:
Alex (Sandy) Pentland, Massachusetts Institute of Technology
David Lazer, Harvard University

Program Committee:
Ben Adida, Harvard University
Albert-László Barabási, Northeastern University
Dirk Brockmann, Northwestern University
John Clippinger, Harvard University
Alissa Cooper, Center for Democracy and Technology
Simon Davies, Privacy International
Laura DeNardis, Yale University
William Dutton, University of Oxford
Deborah Estrin, UCLA
Marcus Foth, Queensland University of Technology
Dean Gallant, Harvard University
Myron Gutmann, University of Michigan
Gary King, Harvard University
John Krumm, Microsoft Research
William Lehr, MIT
Marc Rotenberg, EPIC
Karen Sollins, MIT
Rebecca Wright, Rutgers University
Jonathan Zittrain, Harvard University

For questions regarding paper submissions, please contact Caitlin Zacharias, email address  czachar at mit dot edu.
SENSEable City Laboratory
Massachusetts Institute of Technology
Suite 10-400
77 Massachusetts Avenue
Cambridge, MA 02139 USA
T ++1-617-2537926
F ++1-617-2588081

Data Loss: Bob Quick Follow Up

Following on from the story of Bob Quick accidentally revealing information, it seems that the “immediate” and very “real” threat of terrorists was not quite as immediate, or real, as originally stated.

The raids, some of which did not even require firearms officers, produced the square root of nothing (not the first time crazed terrorists have been found to be regular people), with all those arrested being released without charge.

So, the net result is that a well regarded, long serving officer, was forced to resign following the inadvertent exposure of largely irrelevant material relating to a totally irrelevant operation.

Data Theft: China and the F35

This week there have been renewed reports that the Chinese have been attacking US military networks, this time to gain information on the F-35.

Later the US Aerospace industry clarified their statement by saying that:

“Representation of successful cyber attacks on the F-35 program [are] incorrect,” … then the following caveat was added: “to our knowledge there has never been any classified information breach [despite] attacks on our systems continually”

The risk of a “cyber war” between China and the US seems to be increasing, with incursions by China reported more and more frequently, from the NASA incident to the FBI report into the risk of cyber attacks from China and Russia.

In addition, the US Congress has previously stated that China has been heavily involved in data theft of DoD information, stating that:

Page 162:“U.S. computer security authorities detected a series of cyber intrusions in 2002 into unclassified U.S. military, government, and government contractor Web sites and computer systems. This large-scale operation, code named Titan Rain by the U.S. government, was attributed to China.”

Page 164:“China has an active cyber espionage program” and “Many individuals are being trained in cyber operations at Chinese military academies”


Page 166: “China’s strategists believe the United States is dependent on information technology and that this dependency constitutes an exploitable weakness.”

It should be noted that some of these incidents, though reported relatively close together, occurred over quite a range of times, many years in fact.

Also, US incursions into Chinese cyber space are less likely to be reported in the Western papers than the Chinese attacks on the West are.

In case we forget, the biggest attack the US got caught for, back in 2001, involved physical access to China as well as electronic intrusion. In this incident the US had been using Chinese airspace to gain electronic information/signals from China.

How would that incident be reported in the Western press if it was the other way around?


Massive Chinese Hack

Apparently there has been a massive hack into thousands of different government computers around the world, coming from a Chinese network.

It is reported that the network had infiltrated 1,295 computers in 103 countries. The report comes after a 10-month investigation by the Information Warfare Monitor (IWM).

While China has denied involvement, and there is no proof that the Chinese government is responsible for this activity, the West is increasingly publishing reports about cyber incursions by the Chinese.

Data Theft: Wyndham Hotels

It has just been revealed, in February 2009, that hotel chain Wyndham Hotels and Resorts was hacked into and credit card details stolen on or before August 2008, which is when customer credit card details were uploaded to a website (presumably by the hackers to allow them to sell them). Despite this upload occurring in July and August 2008, it has only been reported now.

It appears that Wyndham was aware of the problem for some time, and had been investigating the issue for 8 weeks prior to contacting the Secret Service, who are involved in these types of investigation. Furthermore, customers were only updated after the Secret Service was contacted, in December 2008, possibly 8 to 12 weeks after Wyndham became aware of the issue.

The exact number of details stolen has not been revealed, but it is believed that around 41 hotels were hacked and 21,000 details were obtained.