HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Why we can’t count (data loss)

Numbers lie

Recently California made headlines after more than 800 data breach disclosures were filed in the first five months of 2009. On closer inspection, the large number does not represent a rise in actual incidents, only a change in mandated reporting practices due to California's new medical data breach law, which went into effect on January 1, 2009.

Unfortunately, in practice we have no idea how much private information is lost to data breaches every year, because disclosure laws do not entice businesses to report data breach incidents accurately. While the number of reported incidents appears to be growing, that is a poor reflection of reality, owed in large part to changes in compliance laws. Although we are getting a better estimate of the number of "reported" incidents, the number of "actual" incidents is still unknown.

Data breaches will not decrease

While it seems fairly compelling to believe that increased legislation and financial penalty would motivate all sectors of industry to beef up data security, pragmatism dictates otherwise.

Digital data is like uranium: dense, with a high yield. Almost all data breaches are of digital records. In contrast, old-fashioned paper records are fairly secure: stealing several thousand paper records is physically risky, and combing through them for valuable information is prohibitively time consuming.

Computers make breaches easier and more attractive. Roughly 50% of all incidents are of the non-accidental, malicious variety, such as malware, hacking, and laptop theft, yet these incidents yield 83% of the total number of stolen records reported. A large amount of valuable personal information available for minimal risk is a very attractive value proposition, so attractive that it creates incentive where none existed before. Of reported financial data breach incidents, 24% are caused by insiders, such as executives, IT administrators and employees, and 55% are attributed to outside hacking.

Lack of Incentive

Although data breaches are expensive (on average costing $6.6 million per incident), companies are very slow to take preventative action. Despite compliance laws, many companies still lack sufficient pragmatic (read: monetary) incentive to change their security practices. The guidelines currently in place suffer from a number of issues:

Laws are vague: Compliance laws vary from state to state, and often exempt a breach from disclosure requirements if the stolen private data is "encrypted" – even if the encryption keys were stolen too, in which case the data is, for practical purposes, plaintext. Any data that is publicly available from federal, state, or local government sources is also exempt.

Companies can plead ignorance: Of those reported data breaches, 24% do not know or do not specify how much information was compromised. To avoid negative media attention, many victims of large data breaches simply claim "zero" in the "number of records stolen" column.

Notification timelines are usually vague: Loose wording such as "the most expedient time possible" and "without unreasonable delay" lets companies choose when to disclose their incidents (except in Florida and Ohio, which set a fixed deadline).

Most incidents are unreported: According to a survey conducted at the RSA conference in 2007, a full 89% of companies that experienced a data breach did not publicly disclose the incident. Assuming that incident disclosure is still largely a voluntary exercise without oversight, we have no reason to suspect that it has changed much for 2008 or 2009.


The interest in personal data is not a fad, and related data breaches will not magically disappear. While private data is lost from many sources, web applications figure prominently in the security equation.

Changes in policy will highlight the enormous number of incidents, and attitudes will have to change from a reactionary “defense” to a proactive security “offense”.

Preventative security is the best and most cost-effective policy. For the IT manager, the decision to spend several thousand dollars on current security tools should be an easy one: the cost of prevention pales in comparison to the cost of cleaning up the mess after a breach.

Your online persona – trouble for you?

I keep reading in articles (which are generally meant to scare “regular people”) about how you should limit the personal information you reveal to websites like Facebook, LinkedIn, etc. A friend of mine, when job hunting, even password protected his website and requested cached pages be removed from various engines.


Coupling this with some recent posts I've seen about people search engines (which love to say they search the "deep web") getting better at aggregating this information, I decided it was time to see what was out there about me.


So armed with my name, an email address, and the name of the town I live in (none of which is too hard to track down), I decided to see what I could find out about myself out there on the tubes. The results surprised me.


My first stop was pipl.com, which can search by email, name (with city/state), username or phone. Pipl searches various social networking sites, as well as common web resources. From MySpace, it claimed that I live in Cranston, RI (not true—and I told it so in my search) and that I am a serious Goth who is a Guitar Hero fanboy (not true. OK, I do enjoy a little Guitar Hero). It pulled up my LinkedIn profile accurately enough, and some other true info.


When I searched Pipl by email address, oddly, I got back an error that said “No results found for <redacted>@comcast.net.” The interesting thing is that the comcast.net address isn’t remotely close to what I typed in. So I tried it again, and this time it found no results for “Masongeary.”  Apparently, this is what others are searching on (I contacted Pipl and within the hour they responded that the issue was resolved). The third time, it actually pulled up some old mail list posts that were mine. They can’t even keep your search query straight, let alone the info about you.


Next up, I tried 123people.com. This one pulls back pictures of “me”… interesting:

Pictures of Chris Sullo?

Think I’m in there? Think again (though one of those faces looks oddly familiar…hmmm...).  They also got some info correct, but added to my online persona that I’m an indoor track runner (nope, sorry) and a soccer player (nope, sorry again). Apparently, I like to upload videos to YouTube (which I’ve never done).


Next up was Spokeo. This site has a special section for HR Recruiters… interesting. It claims I have three social networks, and I can tell that one of them is correct—but the other two I’m not sure about. It wants greenbacks to tell me for sure, so there’s where my experiment ends with this site.


I tried several others. Zoominfo.com says I worked at “Massachusetts Maritime.” Isearch.com thinks I may live in Nashville, Los Angeles, or perhaps my name is actually “Lil Chris.” Spock.com suggests I own a spa or maybe a law firm.


And The Google?  Well, it makes some of those same mistakes… and the image search is no better than 123people.com’s (it pulled up a bunch of other guys, including a high-jumper—yeah right!).


So what’s the point of all this? Good question. Some of the information I found out about me is true, and some of it I never knew—I’m actually beginning to feel a little like Ed Norton in Fight Club. Armed with my email address and/or name, what would a recruiter or hiring manager think they found out about me?  It’s not news to me that there is a high concentration of the “Sullo” surname in New England (where I am also from), so confusion seems highly likely. As a matter of fact, I once unexpectedly found myself on a conference call with another Chris Sullo (from NY) who also works in security, if you can believe it. Could some other “Chris Sullo” have an impact on a future job prospect? Could I have a negative impact on him (this seems more likely)? 


What about identity theft? Sure, some breaches only have a tiny bit of info, but… how much more do they need when your address is out there, your mom's maiden name is on Geni, and your date of birth and the names of your kid/dog are proudly displayed on Facebook?


The privacy advocate in me (which generally rules the roost) is thrilled there is a bunch of confusion. However, as the web gets “deeper” and more information moves online (President Obama’s digital healthcare initiative, anyone?), this is going to be a larger and larger problem.  If we’re not careful about the data we give out to public sources, it will be relatively easy for someone to gather enough information to commit fraud or, at the least, impact decisions on jobs and security clearances.


Maybe it’s time I start using a different email address for each web site? A service to do this sort of thing (with less pain than doing it manually) and aggregate my mail would be nifty.


For now, I’m just going to change my bio to read: Chris Sullo, the high-jumping, soccer playing, track running, spa and law firm owning, Guitar Hero loving Goth who goes by “Lil Chris” and may or may not live in Los Angeles, Cranston or Nashville, and could work at either Massachusetts Maritime or Hewlett-Packard.

Xbox Live: The "Roach Motel" of Personal Information

Now I know I'm a bit behind the curve, but I finally got around to purchasing an Xbox Live Gold membership so I could see how bad I really am at Gears of War. For a brief moment, I felt like Private Pyle from "Full Metal Jacket" cleaning my rifle - "Everything is clean...smooth." Registration was a snap; just enter my credit card number, verification code, name, and current address - and in no time I'm online getting fragged to death and spending more time as a spectator than I'm actually fighting.

Well, once I got tired of watching everyone else have fun, I decided to revisit my account settings so I could remove my credit card information (as I commonly do with any online account that stores my personal information). Much to my surprise, there's no "Delete" ability from the console menu. I can add all the credit cards I want or update any existing information, but I can't delete ANYTHING. Thinking that it's just getting late and I'm missing something obvious, I decided to let it go for the night and look into it the next morning.

Since being an information security professional is accompanied by a healthy amount of paranoia, the first thing I did the next morning is start Googling terms such as "delete|remove Credit Card Xbox Live" to see if anyone else has encountered this problem. Much to my dismay, it is indeed impossible to remove. Yes, I used the word "impossible." Some people "think" they have the solution - but none of them are successful. This is truly a case of "You can put your personal information in, but it won't come out." Getting a bit more concerned, I decided to take my chances and call support.

Here's a short list of responses I received from calling 1.800.4MY.XBOX:

  • Yes, canceling your subscription will remove your billing information from your account.
  • Well, the only way to remove your billing information from your Xbox console is to completely wipe out your HDD drive and start anew.
  • Sir, I don't understand what you're concerned about. Only you can see your personal information.
  • Ok, I've entered a bogus name and address - so your billing information is now useless and you're all set.
  • I'm sorry sir, you'll have to call Microsoft for that.

Except for the second response (which is just asinine and, in theory, would probably work - but it's just a bit "bull in a china shop-ish"), all proved false, incorrect, inaccurate or just plain wrong. As for the last one, well...you got me there. I'm still trying to figure that one out. But customer support isn't the problem - they're just doing their job and getting frustrated with them gets you nowhere - there seems to be something much more sinister at work here.

Next thing I decided to do was closely re-read the privacy statement, conveniently located right on the Xbox 360 console. Sure enough, it explicitly states I have the ability to "update" or "add" items for billing - but conveniently leaves out the "delete" ability. I even found a KB article that eerily ignores "removing" your personal information.

Not only am I at a dead end with customer support, now I'm suspicious and have only one burning question - Why? What benefit do I, the consumer, get by not being able to delete my personal information and why all the barriers and misinformation? Unfortunately, I don't know - but rest assured I'm looking into it.

If you've read this far, I'm sure you're probably wondering what I did to relieve my all-consuming paranoia. Unfortunately, there's not much you can do, short of canceling your current credit card, that will be effective.

Although I was once fired up about joining the Xbox Live community and the prepaid membership cards will indeed satisfy my privacy issue, I still have a bad taste in my mouth from this experience and will have to let this issue rest before I attempt another subscription request.

Apparently, it's more important for me to ensure that I'm absolutely, positively certain that I want to close a Microsoft Word document without saving changes than it is to alert the user that their personal information just checked in to the Xbox Live Roach Motel and can't check out.

Labels: Privacy

IE's Bookmarklet limits create privacy risk

Bookmarklets are awesome! They are similar to regular bookmarks, but instead of having a normal URL like http:// they use javascript:. This means that when you click on the bookmarklet, JavaScript code runs in the context of the page you are viewing. Some common examples of bookmarklets include:

  • Take any word that was highlighted on a webpage and open a new window with the Wikipedia entry for that word

  • Strip all the HTML out of a webpage and only render the images

  • Submit the current URL to a bookmarking site like del.icio.us

The popular Firefox extension Greasemonkey is built on the same idea, user-supplied JavaScript run against someone else's page, though its scripts run automatically on page load rather than on a click. You can read more about bookmarklets and see examples on Wikipedia.

Since a bookmarklet is just a javascript: URL with some JavaScript code, its size is limited by how long a URL can be. Browsers differ on this limit, with most allowing several kilobytes. IE, however, takes the unusual step of specifically capping a javascript: URL at 508 characters. This makes it impossible to have complex bookmarklets without resorting to a trick: the bookmarklet has to bootstrap a larger JavaScript file by dynamically creating a SCRIPT tag whose src attribute points at a file containing the rest of the code. That means IE sends an HTTP request to fetch the rest of the script, and that request is a privacy problem: the request for the larger JavaScript file carries an HTTP Referer header (the misspelling is the protocol's own) containing the URL of the page the person invoked the bookmarklet on, query string included. Whether every click produces a request depends on caching: a script the browser has cached is not re-fetched, but a host that forbids caching, or a loader that appends a cache-busting parameter to the URL, turns every click into a fresh request. In that setup the user is telling the bookmarklet's author each and every time they use the bookmark, and on which page.

The bottom line is that bookmarklets are a very cool and powerful feature. Any security benefit gained by limiting their length is far outweighed by the privacy violation the workaround creates.
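The loader trick and the Referer leak, as an added example (not code from the original post): a Node script that measures a realistic "images only" bookmarklet against the 508-character limit, builds the short bootstrap loader that does fit, and runs that loader against a small fake document to show what the script host receives. The host name (bookmarklets.example) and the page URL are assumptions. The fake document models only the Referer behaviour of browsers of the time, plus the modern referrerpolicy attribute on SCRIPT as a mitigation that did not exist in 2009.

```javascript
'use strict';

// javascript: URL limit for IE quoted in the post.
const IE_JAVASCRIPT_URL_LIMIT = 508;

// Wrap a JavaScript body as a bookmarklet URL. The IIFE keeps the bookmarklet's
// variables off the page's global scope; the trailing "void 0" stops the browser
// replacing the page with the expression's return value.
function toBookmarklet(body) {
  return 'javascript:(function(){' + body + '})();void 0';
}

function fitsIE(bookmarkletUrl) {
  return bookmarkletUrl.length <= IE_JAVASCRIPT_URL_LIMIT;
}

// A realistic "render only the images" bookmarklet, one of the post's examples.
// Measured here, not executed: it is far over IE's limit.
const IMAGES_BODY = [
  "var d=document,imgs=d.getElementsByTagName('img'),out=[],i;",
  "for(i=0;i<imgs.length;i++){if(imgs[i].src&&imgs[i].width>50&&imgs[i].height>50){",
  "out.push('<div style=\"margin:8px\"><a href=\"'+imgs[i].src+'\" target=\"_blank\">",
  "<img src=\"'+imgs[i].src+'\" style=\"max-width:100%\"></a><br><small>'+imgs[i].alt+",
  "' ('+imgs[i].width+'x'+imgs[i].height+')</small></div>');}}",
  "if(!out.length){alert('No images larger than 50x50 on this page.');return;}",
  "var w=window.open('','_blank');w.document.write('<!DOCTYPE html><html><head><title>Images: '",
  "+d.title+'</title></head><body style=\"font-family:sans-serif;background:#222;color:#eee\">'",
  "+out.join('')+'</body></html>');w.document.close();",
].join('');

// The IE workaround: a short loader that creates a SCRIPT tag pointing at the rest
// of the code. Each time the browser actually fetches that file (every click, if
// the host forbids caching or the loader adds a cache-busting parameter), the
// request carries a Referer header naming the page the user clicked on.
// noReferrer adds the modern referrerpolicy attribute; it did not exist in 2009.
function loaderBookmarklet(scriptUrl, { noReferrer = false } = {}) {
  return toBookmarklet(
    "var s=document.createElement('script');" +
    (noReferrer ? "s.referrerPolicy='no-referrer';" : '') +
    "s.src='" + scriptUrl + "';" +
    "document.getElementsByTagName('head')[0].appendChild(s);"
  );
}

// Minimal stand-in for a browser so the loader can run under Node. Appending a
// SCRIPT element "fetches" its src and records the request a 2009-era browser
// would send: the full page URL, query string included, in Referer.
function makeFakeBrowser(pageUrl) {
  const requests = [];
  const head = {
    appendChild(el) {
      if (el.tagName === 'SCRIPT' && el.src) {
        const headers = { Host: new URL(el.src).host };
        if (el.referrerPolicy !== 'no-referrer') headers.Referer = pageUrl;
        requests.push({ url: el.src, headers });
      }
      return el;
    },
  };
  const document = {
    location: { href: pageUrl },
    createElement(tag) {
      return { tagName: tag.toUpperCase(), src: '', referrerPolicy: '' };
    },
    getElementsByTagName(tag) {
      return tag.toLowerCase() === 'head' ? [head] : [];
    },
  };
  return { document, requests };
}

// Run a bookmarklet URL against a document, the way clicking it runs the code
// against the current page. Real bookmarklets are often percent-encoded.
function runBookmarklet(bookmarkletUrl, document) {
  const prefix = 'javascript:';
  if (!bookmarkletUrl.startsWith(prefix)) throw new Error('not a bookmarklet');
  let code = bookmarkletUrl.slice(prefix.length);
  try { code = decodeURIComponent(code); } catch (e) { /* not encoded; use as-is */ }
  new Function('document', code)(document);
}

// Requests the script host receives from one click on the loader while on pageUrl.
function whatTheHostLearns(scriptUrl, pageUrl, opts) {
  const { document, requests } = makeFakeBrowser(pageUrl);
  runBookmarklet(loaderBookmarklet(scriptUrl, opts), document);
  return requests;
}

if (typeof require !== 'undefined' && require.main === module) {
  const scriptUrl = 'https://bookmarklets.example/images.js';           // assumed host
  const pageUrl = 'https://intranet.example/hr/review?employee=1234';  // assumed page
  console.log('full bookmarklet fits IE:', fitsIE(toBookmarklet(IMAGES_BODY)));
  console.log('loader fits IE:', fitsIE(loaderBookmarklet(scriptUrl)));
  console.log('host sees:', JSON.stringify(whatTheHostLearns(scriptUrl, pageUrl)));
  console.log('with no-referrer:', JSON.stringify(whatTheHostLearns(scriptUrl, pageUrl, { noReferrer: true })));
}
```

Run it with node. The loader itself is short and innocent-looking, yet every fetch of images.js tells bookmarklets.example which page, including the query string, the user was on at that moment. Current browsers default to a strict-origin-when-cross-origin referrer policy, which trims the Referer to the page's origin but still announces each use; setting referrerPolicy to no-referrer on the injected SCRIPT suppresses it entirely, and IE never supported that attribute. The loader also hands the remote file the full privileges of whatever page the user clicked on, so the host, or anyone who compromises it, can read or change that page.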


Labels: Bookmark| IE| Privacy
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.