The Creep Factor Continues

Twice last week, my wife and I had conversations in our living room on new topics. Within two days, my wife’s YouTube feed had suggestions for videos on those new topics. She had never viewed videos on those topics before, and probably would not have chosen to view any.

We have no voice assistants in our home, and no devices in our home are configured to respond to “Hey Google / Siri / Alexa / Whatever.”

I am aware that many of you experience this from time to time. Nothing new here. But sometimes it is more noticeable.

Cybersecurity New Years’ Resolutions

New Years is a great time to reboot your life habits, including diet, exercise, relationships, and more. To keep your systems safe and your personal information private, consider adopting one or more of the following News Years’ resolutions:

• Use strong passwords – On each website and service you use, construct strong passwords, consisting of lower case and upper case letters, numbers, and one or more special characters.
• Use unique passwords – Use a different password for each service you use. This will help prevent a compromise of one service (where cybercriminals are able to obtain its users’ login credentials) from spreading to others.
• Use a password manager – If you use strong, unique passwords, you’ll need a password manager such as Password Safe or KeePass to store them. I recommend you NOT use your browser to store passwords.
• Use multi-factor authentication – when available, select multi-factor authentication, whether by a text message (SMS), or an authenticator app such as Google Authenticator. Doing so will make it more difficult for criminals to break into your accounts.
• Install OS security patches – Configure your operating system (Windows, macOS, ChromeOS, iOS, Android, etc.) to automatically download and install security patches. This helps prevent criminals from compromising your device. When security patches are no longer available, you’ll need to upgrade your OS to keep your system safe.
• Keep applications up to date – Configure your system to update all of the applications you use. This helps keep your system and your data safer by fixing security flaws that criminals can exploit.
• Be wary of spam and phishing – Be wary of all incoming email, so that you can better spot scams and fraud. If someone you know has sent you a strange looking email, confirm by calling them (but not by replying, as the reply could go back to the fraudster who is trying to con you). Resist the temptation to click on “too good to be true” links and attachments.
• Use a VPN – If you frequently go online at hotels, restaurants, airports, and other public places, install a VPN software package to help protect your network traffic from prying eyes. It can be surprisingly easy for cybercriminals to see your network traffic while on a public Wi-Fi network. Avoid free VPN services as they likely eavesdrop on your traffic.
• Upgrade your home Wi-Fi router – If your home Wi-Fi router is more than four years old, chances are good that it has exploitable vulnerabilities that the manufacturer will not fix. These vulnerabilities can make it easy for criminals to take over control of your router, resulting in eavesdropping and routing your traffic through their systems to help them steal your data.
• Move your home’s smart devices to your guest Wi-Fi – Often, smart devices are vulnerable to attack by cybercriminals. Some smart devices do more than they advertise, looking around on your network for other targets. Moving your smart devices to your guest network prevents them from accessing your computers and smartphones.
• Check your credit report – Cybercriminals are exceedingly good at identity theft. The best way to stay on top of this is to periodically check your credit report, and even to put a freeze on your credit to make it more difficult for criminals to open credit accounts in your name. Freezing your credit may be a minor inconvenience when you try to open a new account, but this is minor when compared to the inconvenience of having your identity stolen.
• Place transaction alerts on all your credit and debit cards – Log in to your online banking and set up alerts (texting, email, or both) to notify you of every transaction. If any of your cards have been compromised, you’ll know it when you see transactions that you did not authorize.
• Learn more about these and other kinds of risks – Visit the National Cybersecurity Alliance at www.staysafeonline.org to learn about more steps to protect your network, systems, and identity.

Beware Language Translation Browser Extensions

While I’ve been a privacy nerd since the early 2000s, lately I’ve found a few of my long-time practices have been defeating my attempts to fly under the radar. I have little to hide, but I don’t care to reveal to big tech everything that I do online. For this reason, I stopped using the Google Chrome browser many years ago, nor do I use Google Search. But something else escaped my scrutiny until lately.

I’ve been using the Google Translate browser extension for years, as it’s handy for – you know – translating websites in other languages into my native language. I reconsidered the T’s & C’s for Google Translate, and find that I’m revealing far too much of my personal business to Google. Depending upon the settings you select, Google Translate will send your entire browsing history to Google, and all of the content of websites you visit. If you are privacy-conscious like me and have switched to other browsers and search engines but continue to use the Google Translate extension, your privacy efforts may have been wasted.

Google Translate can access all browsing history and website content

Clean out your contact lists

I recently watched Rob Braxman on the security of encrypted messaging apps like Signal and WhatsApp. In his video, Rob pointed out that many apps access our contact lists and build webs of associations. Even though the cryptography protecting message contents is generally effective, it may be possible for law enforcement and intelligence agencies to know the identity of a person’s connections.

Let’s dig deeper.

If a law enforcement agency considers you a person of interest, they may discover that you use encrypted messaging apps like Signal. While law enforcement will not be able to easily view the contents of your conversations, they will be able to see with whom you are conversing.

Image courtesy Aussie Broadband

Also, the appearance of using an encrypted messaging app could suggest that you have something to hide.

Let’s look at this from a different perspective. Consider an active law enforcement investigation focusing on a particular person. If you are in the person’s contact list, and if that person is known to be communicating with you on an encrypted service, then you may become another person of interest in the investigation.

I watched Rob’s video twice, and then I recalled something I see in Signal often: when someone in my contact list installs Signal, I get a notification from Signal that the contact is using the app. I recently noticed that I frequently do not recognize the contact’s name, and I dismiss the notification. I’ve had this occur dozens of times this year.

Then it hit me: I have been collecting contacts for decades, and they’re stored in multiple services (primarily, Yahoo and Google). In previous jobs, I’ve had associations with numerous clients, partners, vendors, co-workers, and other associates, resulting in an accumulation of thousands of contacts, most of whom I barely know.

Last week, I found it difficult to rationalize keeping all of these contacts and purged them. In Google alone, I had well over one-thousand contacts. After spending time last weekend deleting extraneous contacts, I’m down to about three hundred, and I might go back through them and remove many more.

Encrypted apps and your association with contacts are not the only risks related to maintaining a long contact list. Another issue is this: if someone breaks into any of my services where I keep many contacts, I don’t want people getting Joe Job and other attacks made possible through contact harvesting.

Until recently, I didn’t consider my accumulated contacts a liability, but I do now.

In my day job, one of my responsibilities includes leading numerous programs, including data governance, which includes data classification and data retention. And, having been a QSA for many years, the concept of data-as-asset and data-as-liability are clear to me. For instance, retaining credit card data after a transaction has been completed may provide value to an organization. Still, it also presents itself as a liability: if that stored card data is compromised, the consequences may significantly outweigh its benefit.  Somehow, I didn’t apply this concept to personal contact data. Thanks again to Rob Braxman for nudging me to realize that contact data can be just as toxic as other forms of sensitive information.

Postscript: think about this in another way: would you want others you worked with in the past to remove you from their contact lists?

Trust, But Verify

Doveryay, no proveryay is the Russian pronunciation of “Trust, But Verify.” I often heard this (in English) spoken by, and about, President Ronald Reagan in the 1980s, referring to U.S. and Russian nuclear disarmament treaties. That Ronald Reagan turned this rhyming phrase back on the Russians was probably lost on most Americans. It certainly was on me.

In the cybersecurity, privacy, and information systems audit industries, we use this phrase often to depict the need for quality.

I say “quality” here for a reason. Security and privacy are really business quality issues. Security and privacy related defects in business processes and information systems are really quality issues.

Trust, but verify, appears in the opening paragraph in Chapter 3 of CIPM Certified Information Privacy Manager All-In-One Exam Guide that is to be published in May 2021. The draft manuscript is complete; my colleague, J Clark, has completed his technical review. What’s left is copy editing (about half done), page layout (not started), and proofing (not started). Lots of steps. The excerpt:

“Trust but verify is a Russian proverb that is commonly used by privacy and cybersecurity industry professionals. The complexity of information processing and management, which includes layers of underlying business processes and information systems, invites seemingly minor changes that can bring disastrous consequences.”

Protect your Black Friday and Cyber Monday shopping with a quick PC tune-up

Before embarking on online shopping trips, it’s worth the few minutes required to make sure your computer does not enable the theft of your identity.

Tens of thousands will have their identities stolen in the next few weeks, because malware was able to help steal valuable information from you such as credit card numbers, online userids and passwords. A few minutes work will go a long way towards preventing this.

That, or you can do nothing, and potentially have to take days off of work to cancel credit cards, write letters, get credit monitoring, and get back to where you are right now with perhaps forty hours’ work.

It’s up to you.

Ready?

1. On your PC, connect to http://update.microsoft.com/ .  Go through the steps required to check that all necessary security patches are installed.

Note: If you are able to connect to Internet sites but are unable to successfully install updates at update.microsoft.com, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

2. To eliminate the need to periodically visit update.microsoft.com, confirm that Automatic Updates are properly set. Use one of the following links for detailed instructions (all are Microsoft articles that open in a new window):

Windows XP | Windows Vista | Windows 7 | Windows 8 (automatic updates are turned on by default)

Note: If you are unable to successfully turn on Automatic Updates, your PC may already be compromised. If so, it is important that you seek professional help immediately to rid your computer of malware. Delays may be very costly in the long run.

3. Ensure that your PC has working anti-virus software. If you know how to find it, make sure that it has downloaded updates in the last few days. Try doing an update now – your anti-virus software should be able to successfully connect and check for new updates. If your Internet connection is working but your anti-virus software is unable to check for updates, it is likely that your PC is already compromised.

Note: if any of the following conditions are true, it is important that you seek professional help immediately to make sure your computer is protected from malware.

a. You cannot find your anti-virus program

b. Your anti-virus program cannot successfully check for updates

c. Your anti-virus program does not seem to be working properly

Several free anti-virus programs are worthy of consideration: AVG, Avast, Zone Alarm Free Antivirus + Firewall, Panda Cloud Anti-Virus. I cannot stress enough the need for every PC user to have a healthy, working, properly configured anti-virus program on their computer at all times.

LinkedIn’s “Intro” So Toxic It Could Dramatically Change BYOD

LinkedIn’s new “Intro” iOS app directs all e-mail sent or received on an iOS device through LinkedIn’s servers.

Yes, you’ve got that right.

Even so-called “secure” e-mail.

Even corporate e-mail.

Has LinkedIn been acquired by the NSA?  Sorry, bad joke, poor taste – but I couldn’t resist. It crossed my mind.

BYOD implications

So what’s this to do with BYOD?

Many organizations are still sitting on the sidelines with regards to BYOD. They are passively permitting their employees to use iOS devices (and Androids, Windows phones too) to send and receive corporate e-mail, mostly on unmanaged, personally owned devices. This means that organizations that presently permit their employees to send and receive e-mail using personally owned iOS devices are at risk of all of that e-mail to be read (and retained) by LinkedIn, by every employee that downloads and installs the LinkedIn “Intro” app.

LinkedIn talks about this as “doing the impossible.”  I’d prefer to call it “doing the unthinkable.”

Organizations without MDM (mobile device management) are powerless in preventing this, for the most part.

Every cloud has a silver lining.

This move by LinkedIn may finally get a lot of organizations off the fence in terms of BYOD, but employees might not be happy.  Organizations’ legal departments are going to be having aneurisms right and left when they learn about this, and they may insist that corporate IT establish immediate control over personally owned mobile devices to block the LinkedIn Intro app.

Corporate legal departments usually get their way on important legal matters. This is one of those situations. When Legal realizes that LinkedIn Intro could destroy attorney-client privilege, Legal may march straight to the CIO and demand immediate cessation. That is, once you peel the Legal team off the ceiling.

Nothing like a crisis and reckless abandon by a formerly trusted service provider to get people moving.

This article does a good job of explaining the evils of LinkedIn Intro.

My respect for LinkedIn could not be at a lower point if they publicly admitted that they were sending your content to the government.

Prism, XKeyscore, and International Business

Disclaimer: I do not, nor ever had, any level of secret clearance for any government. I have no connections to Snowden, the NSA, or any person or organization linked to them.

From 2006 through 2012, I was the information security officer for a global financial services company, selling subscription based services to the largest companies in the world in every industry sector.  Understandably, many of the larger corporate customers expressed a lot of concern over the confidentiality of their financial data when stored in our systems. Despite having numerous external audits and penetration tests (with reports available to these customers), many of the larger customers won additional concessions in the form of additional security controls, in exchange for their business.

The U.S. PATRIOT Act was a tremendous stumbling block for many potential non-U.S. customers. They were concerned about the ability for law enforcement to serve secret subpoenas and obtain business records without their knowledge or consent.  Our only argument was that we were not the source for original data, and that federal law enforcement would more likely go after original records, such as banking and telecommunications. Still, many non-U.S. companies elected not to do business with our U.S. based company because of PATRIOT.

Revelations of Prism and XKeyscore represent U.S. law enforcement and spy agencies taking a gigantic leap beyond PATRIOT. With PATRIOT (as I understand it — my former employer was never, to my knowledge, served with a National Security Letter), a judge was required to sign or approve the national security letter on behalf of the federal law enforcement agency that wished to obtain information.  But with Prism and XKeyscore, U.S. federal law enforcement and other agencies have unilaterally obtained – and apparently continuously obtain – many forms of electronic records, without the consent of anyone.

Prism and XKeyscore, in my belief, will prove to be extremely harmful to U.S. based electronic services providers at every level: Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and virtually all other forms of electronic services that store, transmit, or process electronic information.  With PATRIOT, the mere prospect of law enforcement obtaining information in special, limited circumstances was enough to scare away many potential customers. With XKeyScore and Prism, law enforcement continuously obtains much of this same information.  Thus, the probability of law enforcement (and other agencies) obtaining sensitive information increases from longshot to near absolute certainty.

This has got to be bad for U.S. based businesses in nearly every sector that provides services to customers worldwide.

————-

Aug 5 update: headline article in Puget Sound Business Journal echos my sentiments. http://www.bizjournals.com/seattle/news/news-wire/2013/08/05/nsa-revelations-could-cost-us-lead.html

How to opt out from advertising tracking cookies

The truth is, I’ve been irritated about tracking cookies for over ten years. Ever since I was an advisor on a corporate privacy project, I learned just how extensively our Internet browsing habits and patterns are being recorded. I don’t appreciate that kind of “over your shoulder” scrutiny and personally consider it an invasion of my privacy. The ad agencies defend their position of tracking cookies as their way of enriching my browsing experience. Whatever. I turn a blind eye to most ads anyway, but the idea of tracking where I go puts us on a slippery slope of Internet usage tracking that is not unlike what I believe occurs in communist China today.

Don’t misunderstand me. I don’t surf to sites I don’t want anyone to know about. While I am at work I am implicitly accountable to my employer for all of my usage of corporate owned assets – Internet access and personal computer included. And when I’m at home or on the road with my MacBook, I use OpenDNS that records where I go and blocks access to unwanted sites. My accountability partner is free to see those records on request.

Anyway, back to my main point – those tracking cookies. There is a way to opt out from nearly all of them. Before you spring into action, however, you will want to read this article all the way through, as there are several notes at the end.

If you have time to visit a lot of sites to opt out, go here to the World Privacy Forum and click on each link to opt out of each of the sites (there are, at least count, 46 of these):

http://www.worldprivacyforum.org/cookieoptout.html

I went through each link and opted out of each site. It took me about 15 minutes (I’m a fast typer and clicker). You’ll also want to go to Google to opt out from their advertising (I don’t know whey they are not listed on the World Privacy Forum opt out page) cookies as well:

http://www.google.com/privacy_ads.html

If you want to do this the quick way, go here to the Network Advertising Initiative to opt out from many ad agencies in one single action:

http://www.networkadvertising.org/managing/opt_out.asp

Notes

Whichever option above you choose, know this: you will need to perform this on each browser (that is, Internet Explorer, Firefox, Safari, and so on) on your computer. Your computer’s cookies are managed separately by each browser, so you’ll have to go through the above procedures for each one you use. I use primarily Firefox on my Mac systems, and I’ve opted out of all of the sites I could find. I’ll have to do this later with Safari (which I use only occasionally).

You will need to do this on each computer you use.

Turning off cookies?

You may be thinking, why not just turn off all cookies (or at least all tracking cookies) on your browser. Certainly that would block all tracking cookies, present and future. Sure. But you would also certainly hamper the functionality of many of the websites you visit, particularly those you log in to in order to use the site’s services. But if you are into extreme measures and a little experimentation, I invite you to turn off cookies and see how things go. I will bet, however, that you will soon be turning them back on so that the important sites you use will keep working the way you want.

References

World Privacy Forum (http://www.worldprivacyforum.org/)

Electronic Privacy Information Center (http://www.epic.org)

E-mail security problems and the Canadian ISPs that are ignoring them

Over one year ago, days apart, I began to receive e-mail messages addressed to others. For weeks I worked diligently to try and put a stop to it. My requests fell on deaf ears. I receive regular reminders that it is happening still.

I began to receive many (or all) e-mail messages addressed to someone named Sandy, who lives in Ontario Province, Canada. The domain name is Eastlink.ca, a broadband access provider.  It didn’t take long to figure out that I was receiving all of Sandy’s e-mail. I wrote to Sandy, suggesting she complain to her ISP. And of course I also received a copy of the message in my own inbox. I wrote to Sandy a couple of times and never heard from her. I guess she doesn’t care – or maybe she did not receive them.  I also complained to Eastlink.ca, and heard nothing from them.

I also receive all of Brian’s e-mail, and his ISP is ica.net, another broadband access provider in eastern Canada.  I complianed to ica.net, several times, and never received a response.  I wrote to Brian also, and he responded and suggested I change my e-mail address. As if!

I also receive messages to someone at charter.net, but this user’s e-mail address does not indicate their name. I wrote to them and to Charter.net – you guessed it: no response.

Soon after this began, I wrote inbox rules to immediately delete all e-mail messages addressed *to* these user accounts that ended up in my inbox.  Now and then I look in my Trash Bin (where deleted e-mails go), and sure enough, there are still scores of e-mail messages: thank you’s for online merchant orders, FaceBook invites, e-cards, and personal correspondence.  I don’t read these messages.

Some of these messages still come to my inbox – this includes messages where the recipient is in the BCC (blind carbon copy) list. My inbox rules don’t know how to respond to these.

I wish this would stop. I’m going to write to ica.net, Charter.net, and eastlink.ca again, but I’m not expecting any response, not to mention action.

I cannot imagine that this is happening only to me. If some malevolent (or even accidental) action is behind this, then chances are that hundreds or thousands of other users’ e-mail messages are also being forwarded without their permission.

This also makes me wonder if this is happening to MY incoming e-mail: could some other user out there be receiving messages sent to me?  I sure don’t relish that idea: sometimes I receive “reset your password by clicking on this URL” messages. What if someone else receives these and decides to click the one-time link before I do? Some online account of mine could be compromised as a result.

I’m also worried about my own liability in this matter.  I’m receiving e-mail messages that are supposed to be sent to others. I don’t want them, I don’t read them, and I delete them when I see them. But what if I receive messages containing personal medical information, for instance?

There are several possible causes for this inadvertent e-mail forwarding:

• Malware, tampering, or compromise of ISP e-mail server.
• Compromise of individual users’ e-mail accounts, where attacker inserts rules to forward mail to me (and maybe others).
• Malare or compromise on individual users’ computers; this may be true if users use workstation-based e-mail software such as Outlook, Outlook Express, or Thunderbird.

There may be other potential causes, but I cannot think of any more.

If malware or a human intruder were behind this, what is their gain? What is the benefit for an intruder if someone’s e-mail is forwarded to someone who lives 3,000 miles away?  If the intent is to harm someone, who does it harm? If the intent is to harm the individuals whose e-mail messages are being forwarded to me, then I can think of several more malicious ways to harm them.  If the intent is to harm me, I don’t see how this harms me.

Security question: being watched while watching videos

A reader asks: I have a friend who heard that we can be “watched” while we watch online videos. Any truth to it that you know of?

Answer: Theoretically yes, but only if you have a webcam (if you literally mean “watching”). I’ve heard of it being done.

If you mean “knowing what you are watching” (some kind of tracking), that is certain. Youtube remembers what you have seen (it can be embarrassing), and other vid sites do too. Sites do this with tracking cookies and other means to remember what videos you view, what pages you see, and the sites you visit.

India to issue 1.2 billion biometric ID cards

Biometrics for Dummies available immediately to fill the knowledge void

Biometrics for Dummies

India has decided to issue biometric ID cards to each of its 1.2 billion citizens. Delhi recently established the Unique Identification Authority that will assign unique ID numbers to each citizen.

This will create a demand for knowledge about how biometrics works. Biometrics For Dummies, published in 2007, meets that need. “This is a huge deal in the world of biometrics,” writes Mike Simon, co-author of Biometrics For Dummies.

“Like many populations, people may not embrace biometrics right away,” cites Peter Gregory, co-author. “Most people do not know how biometrics works, and whether biometrics can be used to pry into someone’s personal details.”

Biometrics for Dummies is available in many forms and from several sources, including:

Amazon.com

Kindle (electronic) edition

Online bookstores serving India:

Infibeam

Rediff

You may view the Table of Contents here (PDF)

Times Online article

Are more federal cybersecurity laws needed?

Someone I know recently sent me a Washington Post article about some proposed U.S. federal regulations on cybersecurity. The article was an attempt at fear-mongering over privacy concerns. As a cybersecurity professional and author on twenty books on cybersecurity and the technology of data communications, I’m qualified to comment on this article.

Federal regulation on cybersecurity is LONG overdue. Today, almost all of the 50 states have enacted cybersecurity laws, each different, most designed to protect the privacy of citizen data, and none of these state laws go nearly far enough to deal with the blatant irresponsibility on the part of many private corporations on protecting citizens’ data. The scourge of security breaches (such as the recent Heartland heist of ONE HUNDRED MILLION credit card numbers) are, in part, still occurring because private corporations are not doing enough to protect OUR DATA.

My most recent book on cybersecurity, which is to be published in May, opens in this way:

“If the Internet were a city street, I would not travel it in daylight,” laments a chief information security officer for a prestigious university.

The Internet is critical infrastructure for the world’s commerce. Cybercrime is escalating; once the domain of hackers and script kiddies, cyber-gangs and organized criminal organizations have discovered the business opportunities for extortion, embezzlement, and fraud that now surpasses income from illegal drug trafficking. Criminals are going for the gold, the information held in information systems that are often easily accessed anonymously from the Internet.

The information security industry is barely able to keep up. Cybercriminals and hackers always seem to be one step ahead, and new threats and vulnerabilities crop up at a rate that often exceeds our ability to continue protecting our most vital information and systems. Like other sectors in IT, security planners, analysts, engineers, and operators are expected to do more with less. Cybercriminals have never had it so good.

There are not enough good security professionals to go around. As a profession, information security in all its forms is relatively new. Fifty years ago there were perhaps a dozen information security professionals, and their jobs consisted primarily of making sure the doors were locked and that keys were issued only to personnel who had an established need for access. Today, whole sectors of commerce are doing virtually all of their business online, and other critical infrastructures such as public utilities are controlled online via the Internet. It’s hard to find something that’s not online these days. The rate of growth in the information security profession is falling way behind the rate of growth of critical information and infrastructures going online. This is making it all the more critical for today’s and tomorrow’s information security professionals to have a good understanding of the vast array of principles, practices, technologies, and tactics that are required to protect an organization’s assets.

What I have not mentioned in the book’s opening pages is that cybersecurity laws are inadequate. The security incidents of the recent past (and short-term future, I fear) are so severe that they may pose a far greater threat on our economy than the worldwide recession.

Case in point: considerable intelligence suggests that the likely culprit for the great Northeast Blackout of 2003 was not electric power system malfunctions, but computer hackers who are sponsored by the People’s Republic of China.  I have read some of the intelligence reports myself and they are highly credible. You can read a lengthy article in the National Journal about the outage here. A few years ago, I attended a confidential briefing by the U.S. Office of Naval Intelligence on state-sponsored Chinese hackers. The briefing described many cyberterrorism activities in details that I cannot describe here. I believe that the capabilities by those groups are probably far greater today than they were at the time of the briefing. The fact that these groups’ efforts have been so successful is because U.S. private companies are not required to adequately security their networks; they are not even required to disclose whether security incidents have occurred (except as required by a patchwork of U.S. state laws).

I do not know whether the specific legislation discussed in the Washington Post article is an attempt to federalize the laws present in many U.S. states, or whether this legislation has a different purpose.

Security standards that are enforceable by the rule of law are badly needed. No, they will not solve all of our cybersecurity problems overnight, but if crafted correctly they can be an important first step. Today we have good standards, but no private company is required to follow them. The result is lax security that leads to the epidemic of cybersecurity incidents, many of which you never hear about.

Browsers are compromising our privacy

…and it’s not just Google.  IE8 also has features that are misleading, in terms of privacy.

I’ll talk about Google first.  What’s going on: text you type in the search or URL field are sent to Google, even if you don’t press Send. In other words, if you type in the word “breasts”, and then later decide that you should not be searching on that at work (or wherever you are), it’ll be sent to Google anyway.  It’s practically a key logger.

Article here (Seattle Times)

Now back to IE8.  This new version of the browser has an InPrivate browsing mode that supposedly does not record where you’ve been.  However, according to forensic experts, the feature doesn’t work and it’s still trivially easy to see what sites a user has visited even in InPrivate mode.

Article here (Network World)

Sept Scientific American on security and privacy

The entire September 2008 issue of Scientific American magazine is devoted to security and privacy.  I’m going to run out and pick up a hardcopy, and suggest that other security professionals do the same.

It’s also available online at http://www.sciam.com/sciammag/

Apparent misdeeds result in free credit monitoring for millions

A class action lawsuit against credit reporting bureau TransUnion has resulted in a settlement that will result in millions of U.S. citizens getting free credit monitoring for as long as nine months.

If you had a credit card or even a student loan between 1987 and 2008, you may be eligible.

This development could be enough to get millions more citizens signing up for credit monitoring, which could result in a small reduction in identity theft.  I say “small”, because despite the rate of fraud and identity theft, many will just be too busy to go to the trouble of signing up for credit monitoring, or they’ll have initial zeal but will lose interest after a short time.

But don’t take *my* word for it – here are some independent news stories:

KOMO TV Seattle

WSMV TV Nashville

Baltimore Sun

Kiplinger Magazine

Yahoo Answers

…and when you are convinced that this is real, go here to sign up and make your claim:

https://www.listclassaction.com/

In the settlement, Transunion has admitted no guilt.  And whether there is any actual wrongdoing or not is not my point.

Shortage of qualified security professionals continues

Security is a topic of great interest to IT professionals, business management, and the general public.  The wide proliferation of private information among organizations in the 1980s led to public outcry and the passage of privacy laws.  The explosion of e-commerce in the 1990s resulted in the theft of hundreds of millions of credit card numbers in thousands of security incidents that continue to this day.  Identity theft has also skyrocketed, largely because many organizations collect and store personal information and do not adequately protect it.  Many countries have passed additional data security laws intended to tighten up security and also require the disclosure of security breaches.  Things have only marginally improved since then.

These developments have led to a severe shortage of qualified information and business security professionals who are able to properly apply security controls required by applicable laws and regulations.  These professionals also need to be able to seek, identify, and mitigate other risks that could negatively affect organizations that collect and use sensitive information.

Introduction to an upcoming academic textbook on business and computer security

New severe home/small business router vulnerability requires attention

A severe UPnP flaw allows router hijacking. Experts believe that 99% of home routers are vulnerable. This is a potentially alarming development.

An attacker will most likely use the vulnerability to alter a home (or small business) router’s DNS settings, which will effectively direct every computer in the network to visit sites of the attacker’s choosing.

How the attack will work: attackers will place malicious code on web sites in SWF (Flash) or other active content that will contain UPnP commands that the router will intercept.

Things you can do:

1. Disable UPnP on your router. Most people don’t use it anyway. I use it but will probably deactivate it this week.

2. Implement OpenDNS or ScrubIT DNS on your internal systems. This will effectively bypass your router’s DNS, making a DNS attack on your router irrelevant.

3. Find someone who knows about home/SMB Internet router configuration who can tell you if your router has been compromised. Know your router’s configuration.

4. Change (or establish) the administrator password on your router. This is just a good idea anyway.

5. Contact your Internet service provider and ask for information about updates to counter this vulnerability.

6. Implement firewalls on individual systems in your network. If an attacker decides to deactivate the firewall function on your router, PC based firewalls will continue protecting them.

Links to information:

CERT Warning

Information Week story

Computerworld story

SANS Internet Storm Center article

Older story on home router vulnerability

Sears admits to loading spyware on computers

Sears Holding Corporation, owner of Sears, Roebuck and Co. and Kmart, makes the pitch in an email sent to people shortly after they provide their address at Sears.com. Clicking the “Join” button invokes a dialog that requests the person’s name, address and household size before installing ComScore spyware that monitors every site visited on the computer.

Sears’ privacy statement does disclose this.  Their privacy statement is 54 pages long, and the disclosure is on page 10.

Wow.

Link to full story:

http://www.theregister.co.uk/2008/01/03/sears_snoopware_disclosure/

Sears/Kmart loading spyware on computers?

Update: Sears admits to installing spyware, claims it is disclosed in its 54 page privacy statement

A report published yesterday by Ben Edelman, an assistant professor at Harvard Business School, indicates that the retail giant is violating Federal Trade Commission policies in its distribution of ComScore, an application that tracks Web browsing activity. If the allegation is true, this could erupt into another privacy scandal, such as Sony’s loading rootkits on music CDs (story).

Is this another case of technologists doing what they want and not following company policy or the law? Too often, technologists design and build systems to their own specifications without having informed outsiders review those specifications. This could also be a case of poor product data management, if a low-level person sneaked the spyware into the final system image without getting anyone’s approval.

Or was this a brazen and deliberate violation of the law? Time will tell.

News story here.