Tag Archives: Privacy

Cybersecurity New Year’s Resolutions

New Year’s is a great time to reboot your life habits, including diet, exercise, relationships, and more. To keep your systems safe and your personal information private, consider adopting one or more of the following New Year’s resolutions:

  • Use strong passwords – On each website and service you use, construct strong passwords, consisting of lower case and upper case letters, numbers, and one or more special characters.
  • Use unique passwords – Use a different password for each service you use. This will help prevent a compromise of one service (where cybercriminals are able to obtain its users’ login credentials) from spreading to others.
  • Use a password manager – If you use strong, unique passwords, you’ll need a password manager such as Password Safe or KeePass to store them. I recommend you NOT use your browser to store passwords.
  • Use multi-factor authentication – When available, select multi-factor authentication, whether by text message (SMS) or by an authenticator app such as Google Authenticator. Doing so will make it more difficult for criminals to break into your accounts.
  • Install OS security patches – Configure your operating system (Windows, macOS, ChromeOS, iOS, Android, etc.) to automatically download and install security patches. This helps prevent criminals from compromising your device. When security patches are no longer available, you’ll need to upgrade your OS to keep your system safe.
  • Keep applications up to date – Configure your system to update all of the applications you use. This helps keep your system and your data safer by fixing security flaws that criminals can exploit.
  • Be wary of spam and phishing – Be wary of all incoming email, so that you can better spot scams and fraud. If someone you know has sent you a strange looking email, confirm by calling them (but not by replying, as the reply could go back to the fraudster who is trying to con you). Resist the temptation to click on “too good to be true” links and attachments.
  • Use a VPN – If you frequently go online at hotels, restaurants, airports, and other public places, install a VPN software package to help protect your network traffic from prying eyes. It can be surprisingly easy for cybercriminals to see your network traffic while on a public Wi-Fi network. Avoid free VPN services as they likely eavesdrop on your traffic.
  • Upgrade your home Wi-Fi router – If your home Wi-Fi router is more than four years old, chances are good that it has exploitable vulnerabilities that the manufacturer will not fix. These vulnerabilities can make it easy for criminals to take over control of your router, resulting in eavesdropping and routing your traffic through their systems to help them steal your data.
  • Move your home’s smart devices to your guest Wi-Fi – Often, smart devices are vulnerable to attack by cybercriminals. Some smart devices do more than they advertise, looking around on your network for other targets. Moving your smart devices to your guest network prevents them from accessing your computers and smartphones.
  • Check your credit report – Cybercriminals are exceedingly good at identity theft. The best way to stay on top of this is to periodically check your credit report, and even to put a freeze on your credit to make it more difficult for criminals to open credit accounts in your name. Freezing your credit may be a minor inconvenience when you try to open a new account, but this is minor when compared to the inconvenience of having your identity stolen.
  • Place transaction alerts on all your credit and debit cards – Log in to your online banking and set up alerts (texting, email, or both) to notify you of every transaction. If any of your cards have been compromised, you’ll know it when you see transactions that you did not authorize.
  • Learn more about these and other kinds of risks – Visit the National Cybersecurity Alliance at www.staysafeonline.org to learn about more steps to protect your network, systems, and identity.
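The first three resolutions amount to a policy: every password contains all four character classes, no password is used for more than one service, and the set is kept in a manager. As an added example that is not part of the original post, the Python below generates passwords from the operating system’s CSPRNG that satisfy that policy, checks existing passwords against it, and reports reuse across a constructed sample vault. The 16-character minimum, the special-character set and the sample vault are assumptions of the example, not something the post specifies.

```python
import secrets
import string

# The four character classes the resolution names.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?"   # assumed set; adjust to what a site accepts
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL

# Assumption of this example: 16 characters is the minimum length enforced.
MIN_LENGTH = 16

# Constructed sample vault {service: password}, the kind of data a password
# manager holds. Two entries deliberately share a password.
SAMPLE_VAULT = {
    "bank": "Same-Passw0rd-Everywhere!",
    "email": "Same-Passw0rd-Everywhere!",
    "forum": "summer2019",
    "shopping": "q8#Lm2!vTz9@Rw4$Hn6^",
}


def meets_policy(password: str, min_length: int = MIN_LENGTH) -> bool:
    """True if the password is long enough and contains every class."""
    if len(password) < min_length:
        return False
    return all(any(ch in cls for ch in password)
               for cls in (LOWER, UPPER, DIGITS, SPECIAL))


def generate_password(length: int = 20) -> str:
    """Random password that satisfies meets_policy().

    Uses the secrets module (OS CSPRNG), never random, because password
    material must be unpredictable. One character from each class is drawn
    first so every class is present, the remainder from the full alphabet,
    then the list is shuffled with a CSPRNG-backed shuffle so the class
    positions are not fixed.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    chars = [secrets.choice(cls) for cls in (LOWER, UPPER, DIGITS, SPECIAL)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def find_reused(vault: dict) -> dict:
    """Map every password used by more than one service to those services.

    Reuse is what turns one service's credential leak into a compromise of
    the others, which is the point of the 'unique passwords' resolution.
    """
    services_by_password = {}
    for service, pw in vault.items():
        services_by_password.setdefault(pw, []).append(service)
    return {pw: sorted(s) for pw, s in services_by_password.items() if len(s) > 1}


def weak_entries(vault: dict) -> list:
    """Services whose stored password fails meets_policy(), sorted by name."""
    return sorted(service for service, pw in vault.items() if not meets_policy(pw))


if __name__ == "__main__":
    print("reused:", find_reused(SAMPLE_VAULT))
    print("weak:", weak_entries(SAMPLE_VAULT))
    print("replacement for 'forum':", generate_password())
```

Run against a real manager export, the reuse and weak-entry reports are the two lists worth working through first; the generator then supplies a distinct replacement for each entry.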

Beware Language Translation Browser Extensions

While I’ve been a privacy nerd since the early 2000s, lately I’ve found that a few of my long-time practices have been defeating my attempts to fly under the radar. I have little to hide, but I don’t care to reveal to big tech everything that I do online. For this reason, I stopped using the Google Chrome browser many years ago, and I don’t use Google Search either. But something else escaped my scrutiny until lately.

I’ve been using the Google Translate browser extension for years, as it’s handy for – you know – translating websites in other languages into my native language. I took another look at the terms and conditions for Google Translate, and found that I’m revealing far too much of my personal business to Google. Depending upon the settings you select, Google Translate will send your entire browsing history to Google, along with all of the content of the websites you visit. If you are privacy-conscious like me and have switched to other browsers and search engines but continue to use the Google Translate extension, your privacy efforts may have been wasted.

Google Translate can access all browsing history and website content

Trust, But Verify

Doveryay, no proveryay is the Russian pronunciation of “Trust, But Verify.” I often heard this (in English) spoken by, and about, President Ronald Reagan in the 1980s, referring to U.S. and Russian nuclear disarmament treaties. That Ronald Reagan turned this rhyming phrase back on the Russians was probably lost on most Americans. It certainly was on me.

In the cybersecurity, privacy, and information systems audit industries, we use this phrase often to depict the need for quality.

I say “quality” here for a reason. Security and privacy are really business quality issues: security- and privacy-related defects in business processes and information systems are quality defects.

Trust, but verify, appears in the opening paragraph of Chapter 3 of CIPM Certified Information Privacy Manager All-In-One Exam Guide, which is to be published in May 2021. The draft manuscript is complete; my colleague, J Clark, has completed his technical review. What’s left is copy editing (about half done), page layout (not started), and proofing (not started). Lots of steps. The excerpt:

“Trust but verify is a Russian proverb that is commonly used by privacy and cybersecurity industry professionals. The complexity of information processing and management, which includes layers of underlying business processes and information systems, invites seemingly minor changes that can bring disastrous consequences.”

Why the security war will never be won

At security trade shows like RSA, we are purposefully given the impression that if we just employ some new defensive technique or purchase some new defensive tool, we will be able to keep intruders out of our systems for good.

How many times have we heard this? And how is this different from remedies that promise to solve other problems like our finances or our physical appearance?

The information security war will never be won.

Never.

As long as people, or groups of people, have accumulated wealth of any kind, other people will try to steal it. We can keep ahead of the thieves for a time, as our defenses sometimes prove better than their offensive capabilities. But the wealth is still there, proving to be such a tempting challenge to some that they will use all of their imaginative powers to find a way in.

In our homes, we have better locks, stronger doors, better windows, better alarm systems – for what? It doesn’t seem like the problem of residential burglary is getting any better, despite these improvements. Thieves simply improve their techniques and find a way around our defenses.

In our information systems, we have better firewalls, application firewalls, intrusion prevention systems, anti-malware, and a host of other defensive (and even some offensive) security controls. But intruders still find a way in.

There are times when it proves very challenging to break directly into information systems. That is when intruders switch tactics: they target personnel who are employed in the organization that owns the systems, using a variety of techniques to trick users into performing seemingly harmless tasks that give intruders the beachhead they need.

Why do intruders persist? Because of the wealth that lies in the target systems. Whether this is direct monetary wealth or information that can be traded for monetary wealth, as long as the information is there, and no matter what measures are used to protect it, intruders will find a way to retrieve it. This is true even if you have all of the latest defenses, tools, training, and so on. Your defenses will only slow down a determined intruder, and maybe only by a small margin.

  • We must protect all systems. An intruder will attack the system of his choosing.
  • We must protect from all types of attacks. An intruder will use an attack method of his choosing.
  • We must protect our systems at all times. An intruder will attack at a time of his choosing.
  • We must teach all personnel to be aware of threats. An intruder will attack the person of his choosing.
  • We must obey all laws when defending our systems. An intruder may break any law of his choosing.
  • The intruder will always choose the path of least resistance, the weakest link, at our most vulnerable time.
  • Intruders are patient and resourceful, and often well-funded, and often more motivated by the prospect of success than we are by the prospect of intrusion.

How to opt out from advertising tracking cookies


The truth is, I’ve been irritated about tracking cookies for over ten years. When I was an advisor on a corporate privacy project, I learned just how extensively our Internet browsing habits and patterns are being recorded. I don’t appreciate that kind of “over your shoulder” scrutiny and personally consider it an invasion of my privacy. The ad agencies defend their position on tracking cookies as their way of enriching my browsing experience. Whatever. I turn a blind eye to most ads anyway, but the idea of tracking where I go puts us on a slippery slope of Internet usage tracking that is not unlike what I believe occurs in communist China today.

Don’t misunderstand me. I don’t surf to sites I don’t want anyone to know about. While I am at work I am implicitly accountable to my employer for all of my usage of corporate-owned assets – Internet access and personal computer included. And when I’m at home or on the road with my MacBook, I use OpenDNS, which records where I go and blocks access to unwanted sites. My accountability partner is free to see those records on request.

Anyway, back to my main point – those tracking cookies. There is a way to opt out from nearly all of them. Before you spring into action, however, you will want to read this article all the way through, as there are several notes at the end.

If you have time to visit a lot of sites to opt out, go here to the World Privacy Forum and click on each link to opt out of each of the sites (there are, at last count, 46 of these):

http://www.worldprivacyforum.org/cookieoptout.html

I went through each link and opted out of each site. It took me about 15 minutes (I’m a fast typist and clicker). You’ll also want to go to Google to opt out from their advertising cookies as well (I don’t know why they are not listed on the World Privacy Forum opt-out page):

http://www.google.com/privacy_ads.html

If you want to do this the quick way, go here to the Network Advertising Initiative to opt out from many ad agencies in one single action:

http://www.networkadvertising.org/managing/opt_out.asp

Notes

Whichever option above you choose, know this: you will need to perform this on each browser (that is, Internet Explorer, Firefox, Safari, and so on) on your computer. Your computer’s cookies are managed separately by each browser, so you’ll have to go through the above procedures for each one you use. I use primarily Firefox on my Mac systems, and I’ve opted out of all of the sites I could find. I’ll have to do this later with Safari (which I use only occasionally).

You will need to do this on each computer you use.

Turning off cookies?

You may be thinking, why not just turn off all cookies (or at least all tracking cookies) in your browser? Certainly that would block all tracking cookies, present and future. Sure. But you would also certainly hamper the functionality of many of the websites you visit, particularly those you log in to in order to use the site’s services. If you are into extreme measures and a little experimentation, I invite you to turn off cookies and see how things go. I will bet, however, that you will soon be turning them back on so that the important sites you use will keep working the way you want.

References

World Privacy Forum (http://www.worldprivacyforum.org/)

Electronic Privacy Information Center (http://www.epic.org)

E-mail security problems and the Canadian ISPs that are ignoring them


Over one year ago, days apart, I began to receive e-mail messages addressed to others. For weeks I worked diligently to try and put a stop to it. My requests fell on deaf ears. I receive regular reminders that it is happening still.

I began to receive many (or all) e-mail messages addressed to someone named Sandy, who lives in Ontario, Canada. The domain name is Eastlink.ca, a broadband access provider. It didn’t take long to figure out that I was receiving all of Sandy’s e-mail. I wrote to Sandy, suggesting she complain to her ISP; of course, I also received a copy of that message in my own inbox. I wrote to Sandy a couple of times and never heard from her. I guess she doesn’t care – or maybe she did not receive them. I also complained to Eastlink.ca, and heard nothing from them.

I also receive all of Brian’s e-mail, and his ISP is ica.net, another broadband access provider in eastern Canada. I complained to ica.net, several times, and never received a response. I wrote to Brian also, and he responded and suggested I change my e-mail address. As if!

I also receive messages to someone at charter.net, but this user’s e-mail address does not indicate their name. I wrote to them and to Charter.net – you guessed it: no response.

Soon after this began, I wrote inbox rules to immediately delete all e-mail messages addressed *to* these user accounts that ended up in my inbox. Now and then I look in my Trash Bin (where deleted e-mails go), and sure enough, there are still scores of e-mail messages: thank-yous for online merchant orders, Facebook invites, e-cards, and personal correspondence. I don’t read these messages.

Some of these messages still come to my inbox – this includes messages where the recipient is in the BCC (blind carbon copy) list. My inbox rules don’t know how to respond to these.
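The inbox rules described above match on the visible To: header, which is exactly why a BCC slips past them: a BCC recipient is never named in To: or Cc:. As an added example that is not the author’s own rules, the Python below parses constructed sample messages with the standard library and decides whether a message was really addressed to the account, was a BCC to it, or belongs to someone else, by checking the envelope recipient that receiving servers record in Delivered-To and in the “for <...>” clause of each Received: header. All addresses and hosts are constructed (example domains only).

```python
import email
import re
from email.utils import getaddresses

# Constructed: the mailbox this filter protects.
MY_ADDRESSES = {"me@example.com"}

# The "for <addr>" clause an MTA writes into a Received: header names the
# envelope recipient at that hop; requiring whitespace after "for" keeps
# words such as "forwarded" from matching.
RECEIVED_FOR = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)

# Constructed sample messages (example domains only).
SAMPLES = {
    # Normal mail: my address is in To:.
    "direct": (
        "Received: from sender.example ([192.0.2.5]) by mail.example.com "
        "with ESMTP id 1 for <me@example.com>; Mon, 1 Jan 2024 10:00:00 +0000\n"
        "Delivered-To: me@example.com\n"
        "From: friend@example.net\n"
        "To: Me <me@example.com>\n"
        "Subject: lunch\n"
        "\n"
        "Still on for noon?\n"
    ),
    # I was BCC'd: absent from To:/Cc:, but every hop delivered to me.
    "bcc": (
        "Received: from sender.example ([192.0.2.5]) by mail.example.com "
        "with ESMTP id 2 for <me@example.com>; Mon, 1 Jan 2024 11:00:00 +0000\n"
        "Delivered-To: me@example.com\n"
        "From: organiser@example.net\n"
        "To: everyone@example.net\n"
        "Subject: party\n"
        "\n"
        "You are invited.\n"
    ),
    # Someone else's mail: an earlier hop delivered it to another mailbox
    # before it was relayed on to me.
    "forwarded": (
        "Received: from mx.isp.example ([192.0.2.10]) by mail.example.com "
        "with ESMTP id 3 for <me@example.com>; Mon, 1 Jan 2024 12:00:01 +0000\n"
        "Received: from shop.example ([192.0.2.20]) by mx.isp.example "
        "with ESMTP id 9 for <sandy@isp.example>; Mon, 1 Jan 2024 12:00:00 +0000\n"
        "Delivered-To: me@example.com\n"
        "From: orders@shop.example\n"
        "To: sandy@isp.example\n"
        "Subject: Your order\n"
        "\n"
        "Thanks for your order.\n"
    ),
}


def header_recipients(msg) -> set:
    """Addresses named in the visible To: and Cc: headers, lower-cased."""
    raw = [str(v) for v in msg.get_all("To", []) + msg.get_all("Cc", [])]
    return {addr.lower() for _, addr in getaddresses(raw) if addr}


def envelope_trail(msg) -> list:
    """Envelope recipients recorded hop by hop.

    Taken from Delivered-To / X-Original-To and from the for-clause of each
    Received: header in the order they appear (newest hop first). Mail that
    left someone else's mailbox shows that mailbox at an earlier hop.
    """
    trail = []
    for name in ("Delivered-To", "X-Original-To"):
        raw = [str(v) for v in msg.get_all(name, [])]
        trail.extend(addr.lower() for _, addr in getaddresses(raw) if addr)
    for received in msg.get_all("Received", []):
        m = RECEIVED_FOR.search(str(received))
        if m:
            trail.append(m.group(1).lower())
    return trail


def classify(raw_message: str, my_addresses=MY_ADDRESSES) -> str:
    """Return 'mine', 'bcc_to_me', or 'misdirected'."""
    msg = email.message_from_string(raw_message)
    mine = {a.lower() for a in my_addresses}
    if header_recipients(msg) & mine:
        return "mine"
    # Not named in To:/Cc:, so it was either a BCC to me or another person's mail.
    if any(addr not in mine for addr in envelope_trail(msg)):
        return "misdirected"
    return "bcc_to_me"


def apparent_owner(raw_message: str, my_addresses=MY_ADDRESSES):
    """First envelope recipient that is not me, or None."""
    msg = email.message_from_string(raw_message)
    mine = {a.lower() for a in my_addresses}
    return next((a for a in envelope_trail(msg) if a not in mine), None)


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} -> {classify(raw):12s} owner={apparent_owner(raw)}")
```

Only the Received: line added by your own provider is trustworthy; earlier hops are written by other servers and can be wrong or forged, so this is a triage heuristic for a client-side rule (move to a “misdirected” folder rather than delete), not proof of where a message was meant to go.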

I wish this would stop. I’m going to write to ica.net, Charter.net, and eastlink.ca again, but I’m not expecting any response, not to mention action.

I cannot imagine that this is happening only to me. If some malevolent (or even accidental) action is behind this, then chances are that hundreds or thousands of other users’ e-mail messages are also being forwarded without their permission.

This also makes me wonder if this is happening to MY incoming e-mail: could some other user out there be receiving messages sent to me? I sure don’t relish that idea: sometimes I receive “reset your password by clicking on this URL” messages. What if someone else receives these and decides to click the one-time link before I do? Some online account of mine could be compromised as a result.

I’m also worried about my own liability in this matter. I’m receiving e-mail messages that are supposed to be sent to others. I don’t want them, I don’t read them, and I delete them when I see them. But what if I receive messages containing personal medical information, for instance?

There are several possible causes for this inadvertent e-mail forwarding:

  • Malware, tampering, or compromise of an ISP e-mail server.
  • Compromise of individual users’ e-mail accounts, where an attacker inserts rules to forward mail to me (and maybe others).
  • Malware or compromise on individual users’ computers; this may be the case if the users run workstation-based e-mail software such as Outlook, Outlook Express, or Thunderbird.

There may be other potential causes, but I cannot think of any more.

If malware or a human intruder were behind this, what is their gain? What is the benefit for an intruder if someone’s e-mail is forwarded to someone who lives 3,000 miles away? If the intent is to harm someone, who does it harm? If the intent is to harm the individuals whose e-mail messages are being forwarded to me, then I can think of several more malicious ways to harm them. If the intent is to harm me, I don’t see how this harms me.

Are more federal cybersecurity laws needed?


Someone I know recently sent me a Washington Post article about some proposed U.S. federal regulations on cybersecurity. The article was an attempt at fear-mongering over privacy concerns. As a cybersecurity professional and author of twenty books on cybersecurity and the technology of data communications, I’m qualified to comment on this article.

Federal regulation on cybersecurity is LONG overdue. Today, almost all of the 50 states have enacted cybersecurity laws, each different, most designed to protect the privacy of citizen data, and none of these state laws goes nearly far enough to deal with the blatant irresponsibility of many private corporations in protecting citizens’ data. The scourge of security breaches (such as the recent Heartland heist of ONE HUNDRED MILLION credit card numbers) is, in part, still occurring because private corporations are not doing enough to protect OUR DATA.

My most recent book on cybersecurity, which is to be published in May, opens in this way:

“If the Internet were a city street, I would not travel it in daylight,” laments a chief information security officer for a prestigious university.

The Internet is critical infrastructure for the world’s commerce. Cybercrime is escalating; once the domain of hackers and script kiddies, cyber-gangs and organized criminal organizations have discovered the business opportunities for extortion, embezzlement, and fraud, which now surpass income from illegal drug trafficking. Criminals are going for the gold: the information held in information systems that are often easily accessed anonymously from the Internet.

The information security industry is barely able to keep up. Cybercriminals and hackers always seem to be one step ahead, and new threats and vulnerabilities crop up at a rate that often exceeds our ability to continue protecting our most vital information and systems. Like other sectors in IT, security planners, analysts, engineers, and operators are expected to do more with less. Cybercriminals have never had it so good.

There are not enough good security professionals to go around. As a profession, information security in all its forms is relatively new. Fifty years ago there were perhaps a dozen information security professionals, and their jobs consisted primarily of making sure the doors were locked and that keys were issued only to personnel who had an established need for access. Today, whole sectors of commerce are doing virtually all of their business online, and other critical infrastructures such as public utilities are controlled online via the Internet. It’s hard to find something that’s not online these days. The rate of growth in the information security profession is falling way behind the rate of growth of critical information and infrastructures going online. This is making it all the more critical for today’s and tomorrow’s information security professionals to have a good understanding of the vast array of principles, practices, technologies, and tactics that are required to protect an organization’s assets.

What I have not mentioned in the book’s opening pages is that cybersecurity laws are inadequate. The security incidents of the recent past (and short-term future, I fear) are so severe that they may pose a far greater threat on our economy than the worldwide recession.

Case in point: considerable intelligence suggests that the likely culprit for the great Northeast Blackout of 2003 was not electric power system malfunctions, but computer hackers sponsored by the People’s Republic of China. I have read some of the intelligence reports myself and they are highly credible. You can read a lengthy article in the National Journal about the outage here. A few years ago, I attended a confidential briefing by the U.S. Office of Naval Intelligence on state-sponsored Chinese hackers. The briefing described many cyberterrorism activities in detail that I cannot repeat here. I believe that the capabilities of those groups are probably far greater today than they were at the time of the briefing. These groups’ efforts have been so successful because U.S. private companies are not required to adequately secure their networks; they are not even required to disclose whether security incidents have occurred (except as required by a patchwork of U.S. state laws).

I do not know whether the specific legislation discussed in the Washington Post article is an attempt to federalize the laws present in many U.S. states, or whether this legislation has a different purpose.

Security standards that are enforceable by the rule of law are badly needed. No, they will not solve all of our cybersecurity problems overnight, but if crafted correctly they can be an important first step. Today we have good standards, but no private company is required to follow them. The result is lax security that leads to the epidemic of cybersecurity incidents, many of which you never hear about.

Browsers are compromising our privacy


…and it’s not just Google. IE8 also has features that are misleading, in terms of privacy.

I’ll talk about Google first. What’s going on: text you type in the search or URL field is sent to Google, even if you never submit the search. In other words, if you type the word “breasts”, and then decide that you should not be searching for that at work (or wherever you are), it will be sent to Google anyway. It’s practically a key logger.

Article here (Seattle Times)

Now back to IE8.  This new version of the browser has an InPrivate browsing mode that supposedly does not record where you’ve been.  However, according to forensic experts, the feature doesn’t work and it’s still trivially easy to see what sites a user has visited even in InPrivate mode.

Article here (Network World)

Sept Scientific American on security and privacy


The entire September 2008 issue of Scientific American magazine is devoted to security and privacy. I’m going to run out and pick up a hardcopy, and suggest that other security professionals do the same.

It’s also available online at http://www.sciam.com/sciammag/

Sears admits to loading spyware on computers


Sears Holding Corporation, owner of Sears, Roebuck and Co. and Kmart, makes the pitch in an email sent to people shortly after they provide their address at Sears.com. Clicking the “Join” button invokes a dialog that requests the person’s name, address and household size before installing ComScore spyware that monitors every site visited on the computer.

Sears’ privacy statement does disclose this. Their privacy statement is 54 pages long, and the disclosure is on page 10.

Wow.

Link to full story:

http://www.theregister.co.uk/2008/01/03/sears_snoopware_disclosure/

Sears/Kmart loading spyware on computers?


Update: Sears admits to installing spyware, claims it is disclosed in its 54 page privacy statement

A report published yesterday by Ben Edelman, an assistant professor at Harvard Business School, indicates that the retail giant is violating Federal Trade Commission policies in its distribution of ComScore, an application that tracks Web browsing activity. If the allegation is true, this could erupt into another privacy scandal, such as Sony’s loading rootkits on music CDs (story).

Is this another case of technologists doing what they want and not following company policy or the law? Too often, technologists design and build systems to their own specifications without having informed outsiders review those specifications. This could also be a case of poor product data management, if a low-level person sneaked the spyware into the final system image without getting anyone’s approval.

Or was this a brazen and deliberate violation of the law? Time will tell.

News story here.

Defend Privacy: support EPIC


“EPIC is on the front lines of the most important civil liberties issues of our age, defending privacy, promoting open government, and encouraging critical public debate about the technologies that are transforming our lives. I support EPIC and I hope you will, too.”

– Bruce Schneier, internationally renowned security technologist and author

Dear Friends,

Every year EPIC sends a fundraising request to EPIC Alert subscribers to ask for a contribution to EPIC. Individual contributions are critical for the continued success of EPIC.

Here are a few of EPIC’s current campaigns:

– EPIC is seeking the legal memos from the Department of Justice concerning the President’s domestic surveillance program. We believe those memos should be made available to the public before any new surveillance laws are passed.

– EPIC is pushing for greater scrutiny of the surveillance programs funded by the Department of Homeland Security, such as video surveillance systems, “fusion centers,” and other programs that track and monitor Americans.

– EPIC is asking Internet companies to do a better job of developing privacy technologies, to give consumers more control over their information, and to limit the collection of personal data where possible.

– EPIC is promoting privacy standards for the WHOIS database. That database contains detailed information of people who register web sites; personal information should be protected.

– EPIC is pushing for privacy safeguards in the Google-Doubleclick merger. We believe there should be some limits on the profiling and tracking of Internet users.

These efforts have real consequences for your privacy, and we need your support to continue our work.

You can contribute to EPIC in two ways:

– Send a check to “EPIC,” 1718 Connecticut Ave., NW, Suite 200, Washington, DC 20009

– Donate online at http://www.epic.org/donate

EPIC is a non-profit, charitable organization. Your contribution to EPIC is tax-deductible.

Thank you for your contribution.

And best wishes for the holiday season from all of us at EPIC.

Sincerely,

Marc Rotenberg
EPIC Executive Director

P.S. If you have friends who might be interested in supporting EPIC, please forward this message.

Make separate user accounts for shared computers



If any of your computers are shared among family members, make separate user accounts for each user. Put passwords on each account and do not share your passwords. Make only one account an “administrator” (you – since you are reading this!) and make all other users a “Limited account”. Turn off the Guest account.

When a family member is done with the computer (even for a minute), get everyone into the habit of locking the screen, which requires a password to unlock. This will prevent one person from using another person’s computer account. Click here for instructions.

Get the spyware out and keep it out



Spyware is used to snoop on your PC and Internet usage – most people find it offensive and a violation of their privacy. Spyware comes in many forms including:

  • Cookies – tracking your movement on the Internet
  • Browser helper objects – watching and (sometimes) intercepting your website usage
  • Adware – sometimes the source of those annoying popups
  • Key loggers – recording every keystroke and sending it to the spyware’s owner

Install one or more of the following anti-spyware programs. Scan your computer now, then scan monthly after that.

Spybot: www.safer-networking.org
Spyware Blaster: www.javacoolsoftware.com
Microsoft Defender: www.microsoft.com