[SecurityRatty] tag: remark

Heads up SFO travelers

Tue, 05 Aug 2008 14:06:16 +0000

Jeez, I dont even want to remark on this one.
Unencrypted? Why not?

“Clear” Air-Travel Pass Data Stolen From SFO

“A laptop containing the unencrypted security data for 33,000 travelers using the Clear system was stolen at San Francisco International Airport on July 26, according to CBS5 Television. The Clear system allows travelers who register and pay a $100.00 annual fee to speed through airport security by using a smart card at special kiosks in some airports. TSA has suspended new registrations in the system, which is run by a private contractor, Verified Identity Pass, Inc., a subsidiary of GE. The laptop was apparently stolen from a locked office at SFO. The company has now decided that it might be a good idea to encrypt the data in their systems. They are in the process of notifying customers that all of their personal data, including name, address, SSi number, passport number, date of birth, etc. has been compromised.”

Laptop is stolen from the car of a First Calgary Savings employee

Tue, 20 May 2008 06:47:48 +0000

Technorati Tag: Security Breach

Date Reported:
5/14/08

Organization:
First Calgary Savings

Contractor/Consultant/Branch:
None

Victims:
Customers

Number Affected:
"hundreds", Calgary Sun
"a few hundred", First Calgary Savings

Types of Data:
"clients' confidential information" in a database stored on the laptop

Breach Description:
"The theft of a laptop computer containing hundreds of clients' confidential information from a Calgary bank employee's vehicle has raised concerns for Alberta's privacy commissioner.

In a letter sent yesterday to its customers, First Calgary Savings said a vehicle parked in a secured underground parkade was vandalized and the bank employee's laptop and cellphone stolen last month. "

Reference URL:
Calgary Sun
First Calgary Savings

Report Credit:
Bill Kaufmann, Sun Media (Calgary Sun)

Response:
From the online sources cited above:

The theft of a laptop computer containing hundreds of clients' confidential information from a Calgary bank employee's vehicle has raised concerns for Alberta's privacy commissioner.

In a letter sent yesterday to its customers, First Calgary Savings said a vehicle parked in a secured underground parkade was vandalized and the bank employee's laptop and cellphone stolen last month.

If a complaint is lodged with the province's privacy commissioner, officials there would launch an investigation

"We're very concerned when we hear about these kinds of things," Wayne Wood, Privacy Commissioner spokesman

Soon after the theft occurred, police were notified

potentially vulnerable accounts numbering "in the hundreds, not thousands" had been red-flagged to prevent abuse and there's been no unusual activity detected, said First Calgary privacy officer Rod Banman.

As part of this employee's specialized role at First Calgary Savings, it was determined that a database had been saved onto the password protected laptop.
[Evan] Password protection doesn't mean squat on a laptop. There are numerous better (more secure) methods for an employee to work with this information while mobile. How about keeping the database on the server (where most databases belong) and enabling remote VPN access?

And while he said the data was protected by a password, it doesn't appear to have been encrypted and could be vulnerable to a determined computer hacker
[Evan] It DOES NOT take a "determined computer hacker" to access a password protected laptop. It takes no more than 30 seconds to create a bootable CD, turn the laptop on and run through a few menu prompts. Done. Total time: 5 minutes. Experience level: Novice to Intermediate.

"It is information somebody would love to get their hands on for identity theft purposes," said Banman.
[Evan] This is not reassuring. Mr. Banman is the First Calgary privacy officer.

"We're doing the best we can to ensure the information is not going to impact them."

He said it's not improper for employees to carry information in such a fashion.
[Evan] It SHOULD BE!

"It's information needed for our employees to do their jobs -- this is a theft and there is nothing the fault of our employees," said Banman.
[Evan] It is the fault of poor information security management and governance. The person or persons responsible for information security management and governance appear(s) to have failed in his/her responsibilities.

We have contacted all affected member-owners, totalling a few hundred, by telephone and personal letter.

First Calgary Savings is taking all prudent steps possible to protect the privacy and security of affected member-owners.

We have undertaken several additional monitoring approaches to provide an enhanced level of protection to the affected member-owners.
[Evan] Additional monitoring is good. Steps to prevent a similar occurrence would be good to, eh?

First Calgary Savings places the highest importance on your privacy and the security of confidential information.
[Evan] It is so easy to make remarks like this. The actions that led to this breach and the comments afterwards do not support the remark though. Sorry, but they don't.

We take this event very seriously and I apologize for the understandable concerns this has caused our member-owners, especially the member-owners that were directly impacted.

I can assure all member-owners that your personal and financial information is safe and secure within our well constructed, monitored banking system.

If you have further questions or concerns please contact your branch, phone the Contact Centre at (403) 520-8000 or email info@1stcalgary.com.

Member Reaction:
A recipient of the letter, 14-year First Calgary client Doug Gablehaus, said he was "livid" to hear personal information would have been left in a vehicle.

"It's unacceptable ... that's the way identity theft goes," said Gablehaus, adding he might now take his business elsewhere.
[Evan] When a company sees a correlation between an incident and the bottom line is often times when it decides to take action. It's a poor strategy (or no strategy). Customers leaving equates to less revenue, and less revenue gets the attention of upper management. Sad but true.

"In today's society, I don't think confidential information should be on someone's laptop and kept in their car."

Commentary:
I strongly encourage people to read the letter from First Calgary Savings. Tell me if you read this the same way I do. Sometimes I need a sanity check. In my opinion the letter is one of the best attempts to minimize an information security breach that I have read in some time. The sense that the bank sees nothing wrong with storing confidential customer information on a "password protected" laptop is very troubling. Out of touch with best practices, current news and general risk management.

NOTE: Throughout this posting I am assuming that the stolen laptop was not encrypted. There was no mention of encryption, and the Calgary Sun reports "it doesn't appear to have been encrypted".

Past Breaches:
Unknown

Testing Signature-based Antivirus Products Contest

Fri, 02 May 2008 02:31:36 +0000

This is both interesting, yet irrelevant and outdated as well :

"The Race to Zero contest is being held during Defcon 16 at the Riviera Hotel in Las Vegas, 8-10 August 2008. The event involves contestants being given a sample set of viruses and malcode to modify and upload through the contest portal. The portal passes the modified samples through a number of antivirus engines and determines if the sample is a known threat. The first team or individual to pass their sample past all antivirus engines undetected wins that round. Each round increases in complexity as the contest progresses."

What are the reactions of security vendors, AVs in particular? The best remark - "Security vendors began panning it immediately, saying it will simply help the bad guys learn some new tricks."

The bad guys will learn new tricks from the good guys modifying binaries to prove that anti virus signature scanning isn't working? There's no shortage of creativity and innovation on behalf of malware authors, and in reality,the good guys are supposed to learn from the bad guys in the sense of the techniques, tools and tactics they use to achieve such a high-level degree of now automated polymorphism. Moreover, the only thing the bad guys can learn from the good guys are the techniques the good guys use to make the bad guys' living a pain, in fact obtain the tools and see their malware through the eyes of a good guy.

Moreover, as I've already pointed out in a previous post, undetected malware or malware with the lowest possible detection rate is no longer created, it's being generated thanks to :

"DIY nature of malware building, the managed undetected binaries as a service coming with the purchase of proprietary malware tools, the fact that malware is tested against all the anti virus vendors and the most popular personal firewalls before it starts participating in a campaign, and is also getting benchmarked and optimized against the objectives set for its lifecycle."

Nowadays, even a script kiddies' favorite Remote Administration Tool is empowered with such advanced point'n'click DIY type of features such as anti-sandboxing and anti-reverse engineering, either through the use of built-in such features, or outsourcing the process to someone who's excelling at the process. Undetected malware isn't just coming as a product these days, it's also getting pitched as a managed service on a per obfuscated binary basis.

Thankfully, signature based malware scanning is slowly becoming just one of the many other alternative malware and behaviour detection approaches available within antivirus solutions these days, given the possibilities for artificially messing up the industry's count for malware variants.

Just a reminder the free ride is coming to a end.

Sat, 19 Apr 2008 11:43:12 +0000

I posted a remark previously about this.
You are responsible for your actions.
Banks are refusing to pay up if you dont take steps to protect yourself.

clipped from www.techconsumer.com

Web Safety and Crime on the Internet

The latest news from United Kingdom’s major retail bankers says that if your online bank account has been compromised and you didn’t use any Internet computer security software such as antivirus and antispyware (e.g. Norton 360), you solely bear the responsibility for the loss, and they won’t compensate you a dime. A clause has been added to the newly updated Banking Code to make this very clear.

Elliot Health System reports a breach involving health information

Wed, 16 Apr 2008 07:00:28 +0000

Technorati Tag: Security Breach

Date Reported:
3/3/08

Organization:
The Elliot Health System (EHS)

Contractor/Consultant/Branch:
Advanced Medical Partners, Inc.

Victims:
Patients

Number Affected:
Unknown

Types of Data:
"electronic protected health information" "name, procedural dates of service at EHS, name of your insurance company and your date of birth"

Breach Description:
"A business associate of The Elliot Health System (EHS), Advanced Medical Partners, Inc. (AMPI), has recently informed us that on the evening of February 22, 2008, a thief/thieves broke into corporate headquarters, and stole ten computers. The computers contained electronic protected health information and could potentially include your name, procedural dates of service at EHS, name of your insurance company and your date of birth"

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

A business associate of The Elliot Health System (EHS), Advanced Medical Partners, Inc. (AMPI), has recently informed us that on the evening of February 22, 2008, a thief/thieves broke into corporate headquarters, and stole ten computers.
[Evan] Is this the same Advance Medical Partners that was recently acquired HealthTronics?

The computers contained electronic protected health information and could potentially include your name, procedural dates of service at EHS, name of your insurance company and your date of birth

AMPI has told us that these computers have safeguards in place, including password protection, to guard against access to this information.
[Evan] Really? I have two primary problems with this statement. First, is the "AMPI has told us" remark. EHS should know how their vendors/contractors secure confidential information. Contractor information security must be dictated by policy and/or contract language, then audited on a regular basis. Secondly, does EHS and/or AMPI want people to believe that password protection is adequate?

As with any such occurrence, we have reviewed this situation as an opportunity to evaluate current practices, policies and procedures.
[Evan] You don't need a breach to open an opportunity for improvement. Constant improvement should be built into the information security program from the beginning.

If EHS is informed of any new information related to this security incident by AMPI, EHS will contact you and update you.

Please accept my apologies for any inconvenience this may have caused you.

If you require any additional information or assistance, please feel free to contact me.
Katherine St. Jean RN, CPC, CMAS
Director of Compliance/Corporate Compliance Officer
Elliot Health System
Compliance Dcparttnent
4 Elliot Way
Suite 303
Manchester, NH 03103
603.663.2932-phone

Commentary:
This is just a short and quick breach notification without much detail. Feel free to comment.

Past Breaches:
Unknown

Confidential Texas A & M personnel file exposed on the Internet

Mon, 18 Feb 2008 20:51:43 +0000

Technorati Tag: Security Breach

Date Reported:
2/16/08

Organization:
Texas A&M University

Contractor/Consultant/Branch:
None

Victims:
Current and former employees of the Texas AgriLife Extension and Texas AgriLife Research -- formerly Texas Cooperative Extension and Texas Agricultural Experiment Station, respectively -- and the College of Agriculture and Life Sciences

Number Affected:
3,000

Types of Data:
Names and Social Security numbers

Breach Description:
A file containing sensitive personal information belonging to current and former employees of three Texas A&M organizations was inadvertently uploaded to a server that was publicly accessible over the Internet. The file was available on the server for up to three weeks before it was detected during a routine examination.

Reference URL:
The AgriLIFE RESEARCH news release
The Bryan/College Station Eagle online story

Report Credit:
Dave Hayes, Texas A&M University

Response:
From the online sources cited above:

Computer records containing names and Social Security numbers of 3,000 current and former employees of two Texas A&M System agricultural agencies and the College of Agriculture and Life Sciences were inadvertently made accessible over the Internet

Texas A&M administrators said the personal information could not be directly viewed on Web pages, but was obtainable through sophisticated software designed to search databases and hijack such information.
[Evan] Huh? Like what? I seriously doubt that anything more than a browser and good text editor would have been necessary.

The file, which was accessible from a Web site for 21 days, was removed within a half hour of its discovery on Tuesday by information security personnel doing routine system checks

“We are not currently aware of any unauthorized use of this information,” Hussey said “But we are taking all steps necessary to notify the affected individuals, and offering to help them protect their personal information.
[Evan] How is the university offering to help protect the affected persons? Are they referring to the notification and helpful tips?

“We sincerely regret this inadvertent disclosure occurred, and we are taking steps to ensure this doesn’t happen again.”

The file apparently contained an 8-year-old record of employees of the Texas AgriLife Extension Service, formerly known as Texas Cooperative Extension; Texas AgriLife Research, formerly known as the Texas Agricultural Experiment Station, and the College of Agriculture and Life Sciences. An initial analysis of the records suggests the file did not include any employee hired after about May 1, 1999, Hussey said, but that review is not yet complete.

All employees were sent an e-mail Wednesday evening advising them of the possible exposure of these records, Hussey explained. Those whose names were in the files are being contacted individually by e-mails and letters and offered assistance.

"The prudent course then was to take action that essentially assumed the data was made available to somebody who shouldn't have had it."
[Evan] Absolutely. This remark is right on.

(Dave Mayes, a spokesman for Texas A&M) said it appears the personal information was accidentally uploaded to the Internet during a recent computer server update. Only certain items were to be updated, but for some reason the eight-year-old, dormant file that contained the information was linked to the Web server during the update, he said.

It remains unclear why or how the file was updated. The original purpose of the file -- which Mayes described as a "data dump" -- also was unclear, though he noted the file had been created intentionally.
[Evan] This is the result of poor data management. Nobody knows where the file came from, why it was there, or who is responsible. Confidential information needs more control than this.

Current or former employees who think they might be affected are encouraged to call Texas A&M AgriLife Human Resources at 979-845-2423. A Web site providing information on how to prevent identity theft is also available at: fcs.tamu.edu/money/your_money/fraud.php.

Commentary:
Texas A&M information security personnel deserve some credit for conducting regular security audits on servers (and I assume networks, processes, workstations, etc.). The risk of compromise is proportionate to the amount of time the information was exposed.

This breach could be the result of a simple employee mistake, or it could be indicative of greater information management problems at the school. The fact that nine-year-old sensitive information exists and nobody knows why or how is an obvious problem. What is the school planning to do to prevent similar breaches in the future?

Past Breaches:
September, 2007 - Former Student Charged in Texas A&M Breach that Affected 130,000

Donor personal information was on Lifeblood stolen laptop

Thu, 14 Feb 2008 07:17:22 +0000

Technorati Tag: Security Breach

Date Reported:
2/13/08

Organization:
Lifeblood

Contractor/Consultant/Branch:
None

Victims:
Blood donors

Number Affected:
320,000

Types of Data:
"names, contact information, blood type, gender, ethnicity, and, in some cases, Social Security numbers"

Breach Description:
Two laptop computers are lost and presumed stolen from a storage room at the Lifeblood office building. The laptops contained sensitive and personal information belonging to blood donors.

Reference URL:
Lifeblood Press Release
Commercialappeal.com story
WREG Memphis Channel 3 News

Report Credit:
Lifeblood

Response:
From the online sources cited above:

Two laptop computers are missing from Lifeblood’s possession and presumed to be stolen.

Someone got inside a storage room at the Lifeblood building on Madison and took the computers.

The dual-password protected laptops were used on mobile blood collection drives, and each included information about Lifeblood’s blood donors, including names, contact information, blood type, gender, ethnicity, and, in some cases, Social Security numbers.
[Evan] I have to say, "dual-password protected" sounds very impressive and very secure, but the I should follow-up and say IT'S NOT. I am guessing that one password is for the operating system, which takes less than five minutes to bypass/change and I am also guessing that there is (was) a password to access the database or the program that opens the database. The second password probably isn't that hard to crack/bypass either.

The organization is notifying all of the approximately 320,000 affected individuals about the situation and encouraging them to place fraud alerts on their credit reports in the unlikely event that an unauthorized person gained access to the data on the computers.
[Evan] What a hassle for 320,000 people.

Lifeblood started sending out letters to donors this week, notifying them about what happened.

Based on the level of password security and the intricacies of the database structure, Lifeblood believes that is extremely unlikely that an individual who is not specifically trained to use the laptop and who does not have a valid Lifeblood ID and password could access the information contained on it.
[Evan] If this statement weren't so sad, it would be funny. I could stretch and maybe agree with "unlikely", but I would certainly not go as far as to say "extremely unlikely". It really is easier than most people think.

"Our hope was we'd be able to locate the devices and with that we'd be able to find whether the database had been accessed or not," said Dr. Edward Scott of Lifeblood.

Since the discovery Lifeblood has implemented additional security measures to protect against future theft of property or donor information. These measures include more restrictive access to and continuous closed circuit monitoring of the areas housing the laptops, installation of software to allow remote tracking and erasure of the hard drives on laptops used on mobile drives, and additional programming to prevent full Social Security numbers from being downloaded to mobile laptops.
[Evan] WHERE IS ENCRYPTION? Remote tracking and erasure provides some protection, but it isn't very hard to disable/bypass either to anyone with skill. Nobody breaks strong encryption with sound key management, no matter how skilled they may be. Why does a donor have to supply a Social Security number to donate blood in the first place? What does my blood have to do with my Social Security benefits?

He says a private investigator's been working this case. But with no solid leads, they've now teamed up with Memphis Police.

"We're concerned it may be a former employee. Or someone else who had access to building at the time," said Dr. Scott.
[Evan] Someone did have access or the laptops wouldn't be stolen.

The worry now though is that this breach will discourage people from donating.

"Blood is always going to be needed in the community, there's no substitute for that," said Dr. Scott.
[Evan] This is by far the most intelligent remark of any I have read about this breach. PEOPLE NEED BLOOD AND BLOOD SAVES LIVES. At the end of the day, I would trade my Social Security number to save someone's life.

Commentary:
We have now reported two blood centers that each stored confidential personal information on laptops (without encryption) and had them stolen. The other was Memorial Blood Centers in Minnesota. I don't understand why blood centers need my Social Security number in order for them to take my blood. I assume they use it as a personal identifier. I would much prefer that they create an identifier for me that cannot be used against me later.

I really appreciate all the work that blood centers do for the communities they serve, but they really don't serve the victims well when they don't take the time to properly secure the information they collect.

I cannot think of a good alternative to laptop encryption. Why won't Lifeblood encrypt confidential data at rest?

Past Breaches:
Unknown

Stolen Salesforce.com unencrypted external storage device

Tue, 12 Feb 2008 10:32:40 +0000

Technorati Tag: Security Breach

Date Reported:
2/7/08

Organization:
Salesforce.com

Contractor/Consultant/Branch:
None

Victims:
Current and former Salesforce.com employees

Number Affected:
Unknown*

*"Approximately 6 employees affected reside in New Hampshire." Salesforce.com is headquartered in San Francisco, California

Types of Data:
Names, Social Security numbers, and dates of birth

Breach Description:
An "unencrypted external storage device" was stolen from a vehicle that contained sensitive personal information belonging to current and former Salesforce.com employees.

Reference URL:
The New Hampshire State Attorney General breach notification

Report Credit:
The New Hampshire State Attorney General

Response:
From the online source cited above:

We recently became aware of a theft of an unencrypted external storage device that may have resulted in the compromise of personal information of some current and former salesforce.com employees.
[Evan] An "unencrypted external storage device"? Wonderful! Is this whole encryption thing just a waste of time?

The potentially compromised personal information includes your name, Social Security number, and date of birth.

We are working with law enforcement authorities to recover the stolen device.
[Evan] I suppose recovery could happen, but I'm not holding my breath.

We take our obligation to safeguard your personal information very seriously, and are working to further enhance our data security practices to prevent this type of event from reoccurring.
[Evan] I see this same (or very similar) remark in almost all breach notifications. IF a company or organization REALLY does take their obligation seriously, then why don't they take the precautions necessary to demonstrate this obligation. In this case, prohibit the use of mobile media for confidential data storage. If the business case for mobile storage media is too great, then encrypt the information. Seems simple.

The personal information was not taken from the salesforce.com application, and no customer data was stored on the stolen device. This theft did not compromise our data centers or our customer security infrastructure in any way.
[Evan] I suppose this needed to be mentioned in order to save face and protect revenue, even though this is a notification letter to affected employees. If I were a victim, would I care?

The storage device was stolen from a vehicle along with several other items.

We believe this was a random criminal act, and we have no evidence that the information has been used to commit identity fraud. Nevertheless, to protect yourself, we encourage you to remain vigilant and take the precautions

To further assist you, we recommend that you register for credit monitoring, which we have arranged to provide you at no charge for twelve months.

I hope this information is useful to you. If you would like to speak with us, please email us at response@salesforce.com with your question and the best way to reach you.

We deeply regret any inconvenience that this event may cause you, and we will continue to monitor this situation closely.
[Evan] Does the inconvenience thrust upon the victims outweigh the inconvenience of protection?

Commentary:
How does this happen at a well-respected public software company like Salesforce.com? They had to have known that there are umpteen breaches reported monthly that involved similar circumstances. There is no mention of existing policy or procedure, so we can only assume. Sometimes what we assume is worse than reality.

Past Breaches:
Unknown

Fraud on the Target Visa call center

Fri, 08 Feb 2008 12:32:45 +0000

Technorati Tag: Security Breach

Date Reported:
1/22/08

Organization:
Target Corporation

Contractor/Consultant/Branch:
Target Financial Services
Target National Bank
Unknown contract company

Victims:
Target Visa customers

Number Affected:
Unknown*

*Target estimates that there were three (3) affected New Hampshire residents. It is assumed that the nationwide number is larger.

Types of Data:
Target Visa account information, including name, address, account number, social security number and telephone number.

Breach Description:
The Target Fraud Prevention team discovered that three employees of a company that provides call center assistance for Target National Bank used the privileges granted as part of their job to commit fraud. The suspected employees used Target Visa card account information to place fraudulent charges on Target Visa accounts.

Reference URL:
The New Hampshire State Attorney General breach notification which accidentally included the letter sent to Mass. residents.
The New Hampshire State Attorney General breach notification which includes the correct letter sent to New Hampshire residents.

Report Credit:
The New Hampshire State Attorney General

Response:
From the online sources cited above:

We value the relationship we have with you and the trust you have in us. Unfortunately, I am writing to let you know about an incident that may have involved tne compromise of some of your Target Visa account information, including name, address, account number, social security number and telephone number.

Recently, the Target Fraud Prevention team became aware of suspicious activity
on some Target Visa accounts.

The suspicious activity was tied back to employees of a company that provides call center support services to Target National Bank, the issuer of the Target Visa credit card.
[Evan] If you read the breach notification too fast you may miss the "employees of a company" remark. To me this means that these were employees of a contractor.

To assist account holders with their questions, employees of the call center have access to information about Target Visa accounts in the course of their normal job duties.
[Evan] I would think that there is a pretty easy way to limit the amount of information that call center employees have to account information. Maybe it would still work if portions of sensitive information were masked.

Based on Target's investigation into the incident, we have determined that three employees of the call center accessed information about certain Target Visa accounts.

Subsequently, these employees used some of the account information to place fraudulent charges on Target Visa accounts.

The three employees involved in this incident have been terminated by the call center.
[Evan] I would hope so!

Target National Bank has renumbered all Target Visa accounts that appear to have experienced fraudulent activity as a result of this incident. Fraudulent charges identified on these accounts have been removed.

As a precaution, Target also is renumbering those accounts that have experienced the same pattern of access even though no fraudulent activity has been identified.
[Evan] Better safe than sorry. Good.

If yours is one of these accounts, we will be renumbering your account and issuing new card(s) for every card holder on your account. Your old card(s) will be turned off, so it's important that you activate your new card(s) right away.

we are also making a credit monitoring product available to you, free of charge. This product is a one year paid subscription to ConsumerInfo.com, Inc.'s Triple Advantage SM Premium Credit Monitoring.

We are very sorry this incident occurred, and we deeply regret any inconvenience or worry this may cause you. If you have any questions, please call us at 1.866.225.7040. Representatives will be available seven days a week from 6.00am to 10:00pm (CST) to respond to your questions
[Evan] This time you will not get a criminal!

Commentary:
I can only imagine that this type of fraud happens more often that we think. There is no mention of how the Target Fraud Prevention Team "became aware" of the suspect activity that led to the investigation. If I were a betting man, I would say that a customer called.

I like the response by Target. They run a well-respected information security team over there, or so I hear. I was a little disappointed to hear that call center employees have what appears to be too much access to account information. No disrespect to call center employees, but they are typically not high-paid, high-skilled, or appreciated enough.

Past Breaches:
Unknown

SmartWater Works

Mon, 21 Jan 2008 09:17:39 +0000

Almost three years ago I blogged about SmartWater: liquid imbued with a uniquely identifiable DNA-style code. In my post I made the snarky comment:

The idea is for me to paint this stuff on my valuables as proof of ownership. I think a better idea would be for me to paint it on your valuables, and then call the police.

That remark aside, a new university study concludes that it works:

The study of over 100 criminals revealed that simply displaying signs that goods and premises were protected by SmartWater was sufficient to put off most of the criminals the team interviewed.
Professor Gill said: "According to our sample, SmartWater provided a strong projected deterrent value in that 74 per cent of the offenders interviewed reported that they would in the future be put off from breaking into a building with a SmartWater poster/sign displayed.

"Overall, the findings indicate that crime reduction strategies using SmartWater products have a strong deterrent effect. In particular, one notable finding of the study was that whilst 'property marking' in general acts as a reasonable deterrent, the combination of forensic products which SmartWater uses in its holistic approach increases the deterrent factor substantially."

When scored out of ten by respondents in regard to deterrent value, SmartWater was awarded the highest average score (8.3 out of a score of 10) compared to a range of other crime deterrents. CCTV scored 6.2, Burglar Alarms scored 6.0 and security guards scored 4.9.

Of course, we don't know if the study was sponsored by SmartWater the company, and we don't know the methodology -- interviewing criminals about what deters them is fraught with potential biases -- but it's still interesting.

Also note that SmartWater is not only sprayed on valuables, but also sprayed on burglars and criminals -- tying them to the crime scene.