Archive for the 'breaches' Category

Failure to Notify Leads to Liability in Germany

Published by adam on April 21, 2010 in breaches. 0 Comments

…a Bad Homburg business man won millions in damages in a suit against the [Liechtenstein] bank for failing to reveal that his information was stolen along with hundreds of other account holders and sold to German authorities for a criminal investigation. He argued that if the bank had informed those on the list that their data had been sold, they could have turned themselves in, receiving temporary amnesty and much lower fines. (“Taxman rakes in hundreds of millions thanks to stolen bank data“, TheLocal.de)

The decision was by the Liechtenstein high court. If anyone knows the details of the case (what duty was violated), I’d appreciate knowing more. Was it a violation of Liechtenstein bank secrecy law, or a general duty to disclose?


Via the web hacking incident database and “German Government Pays Hacker For Stolen Bank Account Data” at TacticalWebAppSec.

‘Don’t Ask, Don’t Tell in Davos’ — Act 3 in the Google-China affair

Published by Russell on February 1, 2010 in Amusements, breaches and government. 2 Comments

Taboos are willful ignorance, socially-enforced.  They are so not New School.  We have to deal with them, but we don’t have to be happy about it.

The Great Family Shame of incest between Oedipus and Jocasta

The public display of taboo is one of the more interesting aspects of Operation Aurora, a.k.a. the Google-China affair (summary and analysis is here, more details here.).  It’s unfolding almost like a like a Greek tragedy. 

Act 1 in the play was Google’s strategic decision to go public and recruit other breached companies to join them (without success).  Google went public anyway, violating the InfoSec disclosure taboo, and also the taboo against corporations speaking out against China.

Act 2 was the public and institutional reaction to Google’s announcement, the political posturing between US and China, and even the tempest of chatter in the InfoSec community about “Advanced Persistent Threats“  (or “Advanced Persistent Adversaries“, a term I prefer).

Act 3 is now under way at that great annual public meeting of Big Thinkers, the World Economic Forum in Davos, Switzerland.  While they discussed almost every other topic and idea, they avoided the Operation Aurora as if it was the Great Family Shame, as highlighted here:

“BusinessWeek reports that the cyber attack on Google was the elephant-in-the-room at the annual meeting of world leaders in Davos. ‘China didn’t want to discuss Google,’ Josef Ackermann, CEO of Deutsche Bank AG and a co-chair of this year’s World Economic Forum, said in an interview. China’s Vice Premier Li Keqiang made that clear, he added. Even Google CEO Eric Schmidt didn’t bring up China, and Bill Gates was mum on the topic in an interview. The reluctance of companies to talk about China illustrates the pressure on them to protect their business in the country, while the U.S. government doesn’t want to upset Chinese investors, said Andy Mok of Red Pagoda Concepts LLC. ‘People have their commercial interests,’ explained Deutsche Bank’s Ackermann.” [emphasis added]

The Business Week article is here.  (Funny: here is a great Saturday Night Live skit that satirizes the power of China over the US in matters like this.)

While the Operation Aurora taboo is rooted in international politics, similar taboos exist within both the public and private sectors and no international politics are involved.   While we must deal productively with these taboos, we also can’t let them block meaningful progress toward the goal of data-driven information security and collective learning.

The Dog That Didn’t Bark at Google

Published by adam on January 18, 2010 in breaches. 2 Comments

So it’s been all over everywhere that “uber-sophisticated” hackers walked all over Google’s internal network. Took their source, looked at email interception tools, etc.

What’s most fascinating to me is that:

  • Google’s customers don’t seem to be fleeing
  • Google stock fell approximately 4% on the news they were hacked, while the market was down 2% and threatening to pull out of the largest market on Earth. Baidu’s stock was up over 10%.
  • No one I know or know of in Google infosec has lost their job
  • Google didn’t go under because of the security issue

In fact, Google is getting all sorts of props for how they handled the announcement.

Something for the “sweep it under the rug” crowd to ponder.