Category Archives: Privacy

Are more federal cybersecurity laws needed?

Someone I know recently sent me a Washington Post article about some proposed U.S. federal regulations on cybersecurity. The article was an attempt at fear-mongering over privacy concerns. As a cybersecurity professional and author of twenty books on cybersecurity and the technology of data communications, I’m qualified to comment on this article.

Federal regulation on cybersecurity is LONG overdue. Today, almost all of the 50 states have enacted cybersecurity laws, each different, most designed to protect the privacy of citizen data, and none of these state laws goes nearly far enough to deal with the blatant irresponsibility of many private corporations in protecting citizens’ data. The scourge of security breaches (such as the recent Heartland heist of ONE HUNDRED MILLION credit card numbers) is, in part, still occurring because private corporations are not doing enough to protect OUR DATA.

My most recent book on cybersecurity, which is to be published in May, opens in this way:

“If the Internet were a city street, I would not travel it in daylight,” laments a chief information security officer for a prestigious university.

The Internet is critical infrastructure for the world’s commerce. Cybercrime is escalating: once the domain of hackers and script kiddies, it has been taken up by cyber-gangs and organized criminal organizations, which have discovered the business opportunities in extortion, embezzlement, and fraud, whose proceeds now surpass income from illegal drug trafficking. Criminals are going for the gold: the information held in information systems that are often easily accessed anonymously from the Internet.

The information security industry is barely able to keep up. Cybercriminals and hackers always seem to be one step ahead, and new threats and vulnerabilities crop up at a rate that often exceeds our ability to continue protecting our most vital information and systems. Like other sectors in IT, security planners, analysts, engineers, and operators are expected to do more with less. Cybercriminals have never had it so good.

There are not enough good security professionals to go around. As a profession, information security in all its forms is relatively new. Fifty years ago there were perhaps a dozen information security professionals, and their jobs consisted primarily of making sure the doors were locked and that keys were issued only to personnel who had an established need for access. Today, whole sectors of commerce are doing virtually all of their business online, and other critical infrastructures such as public utilities are controlled online via the Internet. It’s hard to find something that’s not online these days. The rate of growth in the information security profession is falling way behind the rate of growth of critical information and infrastructures going online. This is making it all the more critical for today’s and tomorrow’s information security professionals to have a good understanding of the vast array of principles, practices, technologies, and tactics that are required to protect an organization’s assets.

What I have not mentioned in the book’s opening pages is that cybersecurity laws are inadequate. The security incidents of the recent past (and short-term future, I fear) are so severe that they may pose a far greater threat to our economy than the worldwide recession.

Case in point: considerable intelligence suggests that the likely culprit for the great Northeast Blackout of 2003 was not electric power system malfunctions, but computer hackers sponsored by the People’s Republic of China. I have read some of the intelligence reports myself and they are highly credible. You can read a lengthy article in the National Journal about the outage here. A few years ago, I attended a confidential briefing by the U.S. Office of Naval Intelligence on state-sponsored Chinese hackers. The briefing described many cyberterrorism activities in detail that I cannot repeat here. I believe that the capabilities of those groups are probably far greater today than they were at the time of the briefing. These groups’ efforts have been so successful because U.S. private companies are not required to adequately secure their networks; they are not even required to disclose whether security incidents have occurred (except as required by a patchwork of U.S. state laws).

I do not know whether the specific legislation discussed in the Washington Post article is an attempt to federalize the laws present in many U.S. states, or whether this legislation has a different purpose.

Security standards that are enforceable by the rule of law are badly needed. No, they will not solve all of our cybersecurity problems overnight, but if crafted correctly they can be an important first step. Today we have good standards, but no private company is required to follow them. The result is lax security that leads to the epidemic of cybersecurity incidents, many of which you never hear about.

Browsers are compromising our privacy

…and it’s not just Google. IE8 also has features that are misleading in terms of privacy.

I’ll talk about Google first. What’s going on: text you type in the search or URL field is sent to Google as you type, even if you never press Enter. In other words, if you type in the word “breasts”, and then later decide that you should not be searching on that at work (or wherever you are), it will have been sent to Google anyway. It’s practically a key logger.

Article here (Seattle Times)

Now back to IE8. This new version of the browser has an InPrivate browsing mode that supposedly does not record where you’ve been. However, according to forensic experts, the feature doesn’t work as advertised: it is still trivially easy to see what sites a user has visited, even in InPrivate mode.

Article here (Network World)

Sept Scientific American on security and privacy

The entire September 2008 issue of Scientific American magazine is devoted to security and privacy. I’m going to run out and pick up a hard copy, and suggest that other security professionals do the same.

It’s also available online at http://www.sciam.com/sciammag/

Apparent misdeeds result in free credit monitoring for millions

A class action lawsuit against credit reporting bureau TransUnion has produced a settlement under which millions of U.S. citizens will get free credit monitoring for as long as nine months.

If you had a credit card or even a student loan between 1987 and 2008, you may be eligible.

This development could be enough to get millions more citizens signing up for credit monitoring, which could result in a small reduction in identity theft. I say “small” because, despite the rate of fraud and identity theft, many will just be too busy to go to the trouble of signing up for credit monitoring, or they’ll have initial zeal but lose interest after a short time.

But don’t take *my* word for it – here are some independent news stories:

KOMO TV Seattle

WSMV TV Nashville

Baltimore Sun

Kiplinger Magazine

Yahoo Answers

…and when you are convinced that this is real, go here to sign up and make your claim:

https://www.listclassaction.com/

In the settlement, TransUnion has admitted no guilt. And whether there was any actual wrongdoing or not is not my point.

Shortage of qualified security professionals continues

Security is a topic of great interest to IT professionals, business management, and the general public. The wide proliferation of private information among organizations in the 1980s led to public outcry and the passage of privacy laws. The explosion of e-commerce in the 1990s resulted in the theft of hundreds of millions of credit card numbers in thousands of security incidents that continue to this day. Identity theft has also skyrocketed, largely because many organizations collect and store personal information and do not adequately protect it. Many countries have passed additional data security laws intended to tighten up security and to require the disclosure of security breaches. Things have improved only marginally since then.

These developments have led to a severe shortage of qualified information and business security professionals who are able to properly apply security controls required by applicable laws and regulations.  These professionals also need to be able to seek, identify, and mitigate other risks that could negatively affect organizations that collect and use sensitive information.

Introduction to an upcoming academic textbook on business and computer security

New severe home/small business router vulnerability requires attention

A severe UPnP flaw allows router hijacking. Experts believe that 99% of home routers are vulnerable. This is a potentially alarming development.

An attacker will most likely use the vulnerability to alter a home (or small business) router’s DNS settings, which effectively directs every computer on the network to sites of the attacker’s choosing whenever it resolves a name.

How the attack works: an attacker places malicious active content (a SWF Flash object, for example) on a web site. When a browser on the internal network loads it, the content sends UPnP control requests to the router’s internal address. Because the requests originate from inside the network, and UPnP performs no authentication, the router carries them out, changing settings such as the DNS servers it hands to every host.

Things you can do:

1. Disable UPnP on your router. Most people don’t use it anyway. I use it but will probably deactivate it this week.

2. Configure OpenDNS or ScrubIT DNS servers directly on your internal systems, as static settings rather than the DNS servers the router hands out via DHCP. This effectively bypasses your router’s DNS, making a DNS attack on your router irrelevant for those hosts. The caveat: a host that still takes its DNS settings from the router’s DHCP gets whatever a compromised router tells it, so check each machine.

3. Find someone who knows about home/SMB Internet router configuration who can tell you if your router has been compromised. Know your router’s configuration.

4. Change (or establish) the administrator password on your router. This is just a good idea anyway.

5. Contact your Internet service provider and ask for information about updates to counter this vulnerability.

6. Implement firewalls on the individual systems in your network. If an attacker deactivates the firewall function on your router, PC-based firewalls will keep protecting those systems.
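For steps 2 and 3, here is a small audit script I am adding to this post as an example (it is not from the CERT advisory or any of the linked stories). It does two things: it parses a router’s UPnP device description (the XML a router serves at the LOCATION URL it announces over SSDP) and flags the standard IGD services whose actions can change LAN-wide settings, and it checks a host’s resolv.conf-style resolver list against the servers you intended to use. The device description and resolver file below are constructed samples, the trusted-resolver list assumes OpenDNS’s two anycast addresses, and the 203.0.113.53 entry is a documentation-range address standing in for an attacker’s resolver.

```python
"""Audit checks for the UPnP router DNS-hijack scenario (example code).

risky_services():      which exposed UPnP services can change LAN-wide settings
unexpected_resolvers(): whether a host really uses the resolvers you chose
"""
import ipaddress
import xml.etree.ElementTree as ET

UPNP_NS = "{urn:schemas-upnp-org:device-1-0}"

# Standard UPnP IGD services whose actions change settings for the whole LAN.
# LANHostConfigManagement defines SetDNSServer; the WAN*Connection services
# define AddPortMapping.  Whether a given router honours these without any
# authentication is exactly what the audit needs to establish.
RISKY_SERVICES = {
    "LANHostConfigManagement": "sets the DNS/DHCP settings handed to every LAN host",
    "WANIPConnection": "adds port mappings that expose internal hosts to the Internet",
    "WANPPPConnection": "adds port mappings that expose internal hosts to the Internet",
}

# Assumed trusted resolvers: the two OpenDNS anycast addresses.
TRUSTED_RESOLVERS = ["208.67.222.222/32", "208.67.220.220/32"]


def list_upnp_services(description_xml):
    """Return (serviceType, controlURL) for every service in the description,
    including services of embedded devices (IGDs nest LAN/WAN devices)."""
    root = ET.fromstring(description_xml)
    return [
        (svc.findtext(UPNP_NS + "serviceType", default=""),
         svc.findtext(UPNP_NS + "controlURL", default=""))
        for svc in root.iter(UPNP_NS + "service")
    ]


def risky_services(description_xml):
    """Return (serviceName, controlURL, why) for each exposed risky service."""
    flagged = []
    for stype, curl in list_upnp_services(description_xml):
        # serviceType has the form urn:schemas-upnp-org:service:<Name>:<version>
        parts = stype.split(":")
        name = parts[3] if len(parts) >= 5 else stype
        if name in RISKY_SERVICES:
            flagged.append((name, curl, RISKY_SERVICES[name]))
    return flagged


def unexpected_resolvers(resolv_conf_text, trusted=TRUSTED_RESOLVERS):
    """Return nameserver entries that fall outside every trusted network.
    A router address or an unknown public address here means the host is
    still trusting whatever DNS the router supplies."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    bad = []
    for raw in resolv_conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenise
        if len(fields) < 2 or fields[0] != "nameserver":
            continue
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            bad.append(fields[1])                  # unparsable entry is suspect too
            continue
        if not any(addr in net for net in trusted_nets):
            bad.append(str(addr))
    return bad


# Constructed sample device description, a simplified IGD layout.
SAMPLE_DESCRIPTION = """
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <device>
  <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <friendlyName>Constructed sample router</friendlyName>
  <serviceList><service>
   <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
   <controlURL>/upnp/control/L3F</controlURL>
  </service></serviceList>
  <deviceList>
   <device>
    <deviceType>urn:schemas-upnp-org:device:LANDevice:1</deviceType>
    <serviceList><service>
     <serviceType>urn:schemas-upnp-org:service:LANHostConfigManagement:1</serviceType>
     <controlURL>/upnp/control/LANHostCfg</controlURL>
    </service></serviceList>
   </device>
   <device>
    <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
    <serviceList><service>
     <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
     <controlURL>/upnp/control/WANIPConn1</controlURL>
    </service></serviceList>
   </device>
  </deviceList>
 </device>
</root>
"""

# Constructed resolv.conf: one OpenDNS server plus a rogue entry in the
# 203.0.113.0/24 documentation range standing in for an attacker's resolver.
SAMPLE_RESOLV_CONF = """\
nameserver 208.67.222.222
nameserver 203.0.113.53   # not one of ours
"""

if __name__ == "__main__":
    for name, curl, why in risky_services(SAMPLE_DESCRIPTION):
        print(f"UPnP service {name} at {curl}: {why}")
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_RESOLV_CONF))
```

To run this against a real router, fetch the LOCATION URL from the router’s SSDP M-SEARCH response and feed the XML to risky_services(); for the resolver check, feed it /etc/resolv.conf (or the DNS server lines from ipconfig /all on Windows). Any service it flags is one whose control URL an attacker’s page could reach from inside your LAN, and any resolver it flags is a host that step 2 has not yet covered.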

Links to information:

CERT Warning

Information Week story

Computerworld story

SANS Internet Storm Center article

Older story on home router vulnerability

Sears admits to loading spyware on computers

Sears Holdings Corporation, owner of Sears, Roebuck and Co. and Kmart, makes its pitch in an email sent to people shortly after they provide their address at Sears.com. Clicking the “Join” button invokes a dialog that requests the person’s name, address and household size before installing ComScore spyware that monitors every site visited on the computer.

Sears’ privacy statement does disclose this. The privacy statement is 54 pages long, and the disclosure is on page 10.

Wow.

Link to full story:

http://www.theregister.co.uk/2008/01/03/sears_snoopware_disclosure/