Friday, December 24, 2010

The Invisible Line Between "Error" and "Data Breach" ...

Just catching up on a quick story that's circulating (if you read the news like I do) about what is being called a data breach ...but is it?

The headline is "Santander Leaks 22,600 Account Details [source:]" - but at what point does an accidental disclosure (an "error") cross the line into a data breach?

I think the discussion needs to be had, and while Santander is doing the responsible thing here, when it comes to data breach laws in the US, how do we treat this?  Where is the line drawn between an "accidental disclosure", which is just that, accidental, and a data breach that is the result of negligence?

It would seem the entire discussion comes down to cause, and whether the cause was "an accident in spite of due diligence" or rather "a result of a lack of appropriate measures" ...what concerns me is this text from the article:

The ICO confirmed that it will be investigating the breach.
"We have recently been informed of a data breach involving Santander. We will be making enquiries into the circumstances of the apparent breach of the Data Protection Act before deciding what action, if any, needs to be taken," said an ICO spokesperson.
"Under the Data Protection Act, organisations that process personal information have an obligation to keep it secure; therefore, it is a matter of concern if information such as account details have been incorrectly provided to the wrong recipient," they added.

So we are left trying to figure out how to draw a line based on intent ...and that's a very difficult thing.

Friday, December 10, 2010

DDoS'ing into Oblivion

I don't know if you've noticed, but Distributed Denial of Service (DDoS) has taken the spotlight on center stage of this 3-ring circus we call the Internet.

If you don't know what a DDoS is, I suggest you go give Wikipedia a quick read, and maybe get WiFi in the cave.

What used to be a nuisance, and let's face it DDoS started out as a nuisance, has turned into an interesting and powerful weapon.  Tools like LOIC, popularised by "Anonymous", and the OWASP tool that does a similar job against web servers by holding connections open with slow, never-completed HTTP headers are brutal.  These can cause serious outages and take down web servers, entire sites, or even web farms.
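To make the "slow header" point concrete, here is an added example (my own code, not from the post and not from any of the tools named in it). It runs a toy HTTP server with a fixed pool of worker threads on localhost, pins every worker with a few Slowloris-style clients that trickle header lines and never send the blank line that ends the request, and then checks whether a normal client still gets a response. It goes one step beyond the post by also showing the fix: a total time budget for reading the header block, rather than a per-read idle timeout, which an attacker defeats by sending one byte just before the idle timer fires. The server, client behaviour, ports and timings are all constructed for the demo.

```python
# Added example: worker-pool HTTP server vs. a slow-header attack, plus the
# total-header-deadline fix. Everything here (addresses, timings, the toy
# server itself) is made up for the demo and is not from the original post.
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

OK_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"


def serve_connection(conn, header_deadline):
    """Read one request's header block, then answer 200.

    header_deadline=None is the vulnerable behaviour: recv() blocks for as long
    as the client keeps dribbling bytes. A number is the fix: a TOTAL budget
    (seconds) for the whole header block, so trickling one line every few
    hundred ms cannot keep resetting it the way a per-recv idle timeout can.
    """
    start = time.monotonic()
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            if header_deadline is not None:
                remaining = header_deadline - (time.monotonic() - start)
                if remaining <= 0:
                    raise socket.timeout("header deadline exceeded")
                conn.settimeout(remaining)
            chunk = conn.recv(1024)
            if not chunk:  # peer closed before finishing the headers
                return "closed"
            buf += chunk
        conn.sendall(OK_RESPONSE)
        return "served"
    except socket.timeout:
        try:
            conn.sendall(b"HTTP/1.1 408 Request Timeout\r\n\r\n")
        except OSError:
            pass
        return "timeout"
    except OSError:
        return "error"
    finally:
        conn.close()


class ToyHttpServer:
    """Accepts on 127.0.0.1 and hands each connection to a small worker pool."""

    def __init__(self, workers, header_deadline):
        self.header_deadline = header_deadline
        self.pool = ThreadPoolExecutor(max_workers=workers)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port, localhost only
        self.sock.listen(64)
        self.sock.settimeout(0.1)  # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.stop = threading.Event()
        self.thread = threading.Thread(target=self._accept_loop, daemon=True)
        self.thread.start()

    def _accept_loop(self):
        while not self.stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            # Once every worker is busy, new connections queue here unserved.
            self.pool.submit(serve_connection, conn, self.header_deadline)

    def close(self):
        self.stop.set()
        self.thread.join()
        self.sock.close()
        self.pool.shutdown(wait=True)


def slow_client(port, stop):
    """Slowloris-style client: valid request start, then one header line every
    250 ms, never the blank line that would let the server finish reading."""
    s = socket.create_connection(("127.0.0.1", port))
    try:
        s.sendall(b"GET / HTTP/1.1\r\nHost: target\r\n")
        n = 0
        while not stop.is_set():
            try:
                s.sendall(f"X-Pad-{n}: 1\r\n".encode())
            except OSError:  # server cut us off (the hardened case)
                break
            n += 1
            stop.wait(0.25)
    finally:
        s.close()


def legit_client(port, timeout):
    """Send a complete request; True if a 200 arrives within `timeout` seconds."""
    s = socket.create_connection(("127.0.0.1", port))
    s.settimeout(timeout)
    try:
        s.sendall(b"GET / HTTP/1.1\r\nHost: target\r\n\r\n")
        return s.recv(1024).startswith(b"HTTP/1.1 200")
    except socket.timeout:
        return False
    finally:
        s.close()


def run_demo(header_deadline, workers=4, attackers=4):
    """Pin every worker with a slow client, then ask whether a normal client
    is still served. Returns True (served) or False (starved)."""
    server = ToyHttpServer(workers, header_deadline)
    stop = threading.Event()
    threads = [threading.Thread(target=slow_client, args=(server.port, stop), daemon=True)
               for _ in range(attackers)]
    for t in threads:
        t.start()
    time.sleep(0.5)  # let each worker get stuck on a slow connection
    try:
        return legit_client(server.port, timeout=3.0)
    finally:
        stop.set()
        for t in threads:
            t.join()
        server.close()


if __name__ == "__main__":
    print("no header deadline, legit client served:", run_demo(None))
    print("1s total header deadline, legit client served:", run_demo(1.0))
```

Four slow connections are enough to starve a four-worker server indefinitely because the vulnerable server has no bound on how long a header block may take to arrive. Real servers apply the same idea as the hardened path here (a header timeout in the HTTP server config, plus per-source connection caps), and the bandwidth cost to the attacker is almost nothing, which is exactly why these tools are so effective.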

Let's talk impact

  • Full pipe - a DDoS can fill your network pipe with junk traffic and effectively cut you off from the rest of the Internet
  • Overloaded hardware - a DDoS can completely overwhelm a piece of hardware and cause the machine to die
  • Overloaded software - a DDoS can also overwhelm poorly (actually even not-so-poorly) written software until it stops responding entirely
  • Software zombie - an interesting condition recently uncovered where a server is still completely responsive to other requests, except that legitimate requests for the targeted sites return nothing at all
  • Huge bill - That's right, imagine paying for your Internet pipe by the megabyte... then you get a 100Mbit/sec flood for 12 straight hours ... you could go broke trying to pay that bill!
  • Bad PR - Imagine you're launching a super-cool online game, some kid gets mad at it and takes down your servers ...ouch!
Perfect example: Al-Akhbar's website has been decimated (and is still down) for a while now... an interesting use of Internet bandwidth.

So DDoS is a very versatile tool - and with literally millions and millions of zombie machines out there - maybe even YOURS - the attacker agents are plentiful.  I wonder what the horizon holds for DDoS attacks; it could be interesting.