Tag Archives: Privacy

Why the security war will never be won

At security trade shows like RSA, we are purposefully given the impression that if we just employ some new defensive technique or purchase some new defensive tool, we will be able to keep intruders out of our systems for good.

How many times have we heard this? And how is this different from remedies that promise to solve other problems like our finances or our physical appearance?

The information security war will never be won.

Never.

As long as people, or groups of people, have accumulated wealth of any kind, other people will try to steal it. We can keep ahead of the thieves for a time, as our defenses sometimes prove better than their offensive capabilities. But the wealth is still there, proving to be such a tempting challenge to some that they will use all of their imaginative powers to find a way in.

In our homes, we have better locks, stronger doors, better windows, better alarm systems – for what? It doesn’t seem like the problem of residential burglaries is getting any better, despite these improvements. Thieves simply improve their techniques and find a way around our defenses.

In our information systems, we have better firewalls, application firewalls, intrusion prevention systems, anti-malware, and a host of other defensive (and even some offensive) security controls. But intruders still find a way in.

There are times when it proves very challenging to break directly into information systems. That is when intruders switch tactics: they target personnel who are employed in the organization that owns the systems, using a variety of techniques to trick users into performing seemingly harmless tasks that give intruders the beachhead they need.

Why do intruders persist? Because of the wealth that lies in the target systems. Whether this is direct monetary wealth, or information that can be traded for monetary wealth, as long as the information is there, and no matter what measures are used to protect the information, intruders will find a way to retrieve it. This is true, even if you have all of the latest defenses, tools, training, and so on. Your defenses will only slow down a determined intruder, and maybe only by a small margin.

  • We must protect all systems. An intruder will attack the system of his choosing.
  • We must protect from all types of attacks. An intruder will use an attack method of his choosing.
  • We must protect our systems at all times. An intruder will attack at a time of his choosing.
  • We must teach all personnel to be aware of threats. An intruder will attack the person of his choosing.
  • We must obey all laws when defending our systems. An intruder may break any law of his choosing.
  • The intruder will always choose the path of least resistance, the weakest link, at our most vulnerable time.
  • Intruders are patient and resourceful, and often well-funded, and often more motivated by the prospect of success than we are by the prospect of intrusion.

How to opt out from advertising tracking cookies


The truth is, I’ve been irritated about tracking cookies for over ten years. Ever since I was an advisor on a corporate privacy project, I learned just how extensively our Internet browsing habits and patterns are being recorded. I don’t appreciate that kind of “over your shoulder” scrutiny and personally consider it an invasion of my privacy. The ad agencies defend their position of tracking cookies as their way of enriching my browsing experience. Whatever. I turn a blind eye to most ads anyway, but the idea of tracking where I go puts us on a slippery slope of Internet usage tracking that is not unlike what I believe occurs in communist China today.

Don’t misunderstand me. I don’t surf to sites I don’t want anyone to know about. While I am at work I am implicitly accountable to my employer for all of my usage of corporate owned assets – Internet access and personal computer included. And when I’m at home or on the road with my MacBook, I use OpenDNS that records where I go and blocks access to unwanted sites. My accountability partner is free to see those records on request.

Anyway, back to my main point – those tracking cookies. There is a way to opt out from nearly all of them. Before you spring into action, however, you will want to read this article all the way through, as there are several notes at the end.

If you have time to visit a lot of sites to opt out, go here to the World Privacy Forum and click on each link to opt out of each of the sites (there are, at last count, 46 of these):

http://www.worldprivacyforum.org/cookieoptout.html

I went through each link and opted out of each site. It took me about 15 minutes (I’m a fast typer and clicker). You’ll also want to go to Google to opt out from their advertising cookies as well (I don’t know why they are not listed on the World Privacy Forum opt out page):

http://www.google.com/privacy_ads.html

If you want to do this the quick way, go here to the Network Advertising Initiative to opt out from many ad agencies in one single action:

http://www.networkadvertising.org/managing/opt_out.asp

Notes

Whichever option above you choose, know this: you will need to perform this on each browser (that is, Internet Explorer, Firefox, Safari, and so on) on your computer. Your computer’s cookies are managed separately by each browser, so you’ll have to go through the above procedures for each one you use. I use primarily Firefox on my Mac systems, and I’ve opted out of all of the sites I could find. I’ll have to do this later with Safari (which I use only occasionally).

You will need to do this on each computer you use.

Turning off cookies?

You may be thinking: why not just turn off all cookies (or at least all tracking cookies) on your browser? Certainly that would block all tracking cookies, present and future. Sure. But you would also certainly hamper the functionality of many of the websites you visit, particularly those you log in to in order to use the site’s services. But if you are into extreme measures and a little experimentation, I invite you to turn off cookies and see how things go. I will bet, however, that you will soon be turning them back on so that the important sites you use will keep working the way you want.

References

World Privacy Forum (http://www.worldprivacyforum.org/)

Electronic Privacy Information Center (http://www.epic.org)

E-mail security problems and the Canadian ISPs that are ignoring them


Over one year ago, days apart, I began to receive e-mail messages addressed to others. For weeks I worked diligently to try and put a stop to it. My requests fell on deaf ears. I receive regular reminders that it is happening still.

I began to receive many (or all) e-mail messages addressed to someone named Sandy, who lives in Ontario Province, Canada. The domain name is Eastlink.ca, a broadband access provider.  It didn’t take long to figure out that I was receiving all of Sandy’s e-mail. I wrote to Sandy, suggesting she complain to her ISP. And of course I also received a copy of the message in my own inbox. I wrote to Sandy a couple of times and never heard from her. I guess she doesn’t care – or maybe she did not receive them.  I also complained to Eastlink.ca, and heard nothing from them.

I also receive all of Brian’s e-mail, and his ISP is ica.net, another broadband access provider in eastern Canada. I complained to ica.net, several times, and never received a response. I wrote to Brian also, and he responded and suggested I change my e-mail address. As if!

I also receive messages to someone at charter.net, but this user’s e-mail address does not indicate their name. I wrote to them and to Charter.net – you guessed it: no response.

Soon after this began, I wrote inbox rules to immediately delete all e-mail messages addressed *to* these user accounts that ended up in my inbox.  Now and then I look in my Trash Bin (where deleted e-mails go), and sure enough, there are still scores of e-mail messages: thank you’s for online merchant orders, FaceBook invites, e-cards, and personal correspondence.  I don’t read these messages.

Some of these messages still come to my inbox – this includes messages where the recipient is in the BCC (blind carbon copy) list. My inbox rules don’t know how to respond to these.

I wish this would stop. I’m going to write to ica.net, Charter.net, and eastlink.ca again, but I’m not expecting any response, not to mention action.

I cannot imagine that this is happening only to me. If some malevolent (or even accidental) action is behind this, then chances are that hundreds or thousands of other users’ e-mail messages are also being forwarded without their permission.

This also makes me wonder if this is happening to MY incoming e-mail: could some other user out there be receiving messages sent to me?  I sure don’t relish that idea: sometimes I receive “reset your password by clicking on this URL” messages. What if someone else receives these and decides to click the one-time link before I do? Some online account of mine could be compromised as a result.

I’m also worried about my own liability in this matter.  I’m receiving e-mail messages that are supposed to be sent to others. I don’t want them, I don’t read them, and I delete them when I see them. But what if I receive messages containing personal medical information, for instance?

There are several possible causes for this inadvertent e-mail forwarding:

  • Malware, tampering, or compromise of the ISP’s e-mail server.
  • Compromise of individual users’ e-mail accounts, where an attacker inserts rules to forward mail to me (and maybe others).
  • Malware or compromise on individual users’ computers; this may be true if users use workstation-based e-mail software such as Outlook, Outlook Express, or Thunderbird.

There may be other potential causes, but I cannot think of any more.

If malware or a human intruder were behind this, what is their gain? What is the benefit for an intruder if someone’s e-mail is forwarded to someone who lives 3,000 miles away?  If the intent is to harm someone, who does it harm? If the intent is to harm the individuals whose e-mail messages are being forwarded to me, then I can think of several more malicious ways to harm them.  If the intent is to harm me, I don’t see how this harms me.

Are more federal cybersecurity laws needed?


Someone I know recently sent me a Washington Post article about some proposed U.S. federal regulations on cybersecurity. The article was an attempt at fear-mongering over privacy concerns. As a cybersecurity professional and author of twenty books on cybersecurity and the technology of data communications, I’m qualified to comment on this article.

Federal regulation on cybersecurity is LONG overdue. Today, almost all of the 50 states have enacted cybersecurity laws, each different, most designed to protect the privacy of citizen data, and none of these state laws go nearly far enough to deal with the blatant irresponsibility on the part of many private corporations on protecting citizens’ data. The scourge of security breaches (such as the recent Heartland heist of ONE HUNDRED MILLION credit card numbers) is, in part, still occurring because private corporations are not doing enough to protect OUR DATA.

My most recent book on cybersecurity, which is to be published in May, opens in this way:

“If the Internet were a city street, I would not travel it in daylight,” laments a chief information security officer for a prestigious university.

The Internet is critical infrastructure for the world’s commerce. Cybercrime is escalating; once the domain of hackers and script kiddies, cyber-gangs and organized criminal organizations have discovered the business opportunities for extortion, embezzlement, and fraud that now surpasses income from illegal drug trafficking. Criminals are going for the gold, the information held in information systems that are often easily accessed anonymously from the Internet.

The information security industry is barely able to keep up. Cybercriminals and hackers always seem to be one step ahead, and new threats and vulnerabilities crop up at a rate that often exceeds our ability to continue protecting our most vital information and systems. Like other sectors in IT, security planners, analysts, engineers, and operators are expected to do more with less. Cybercriminals have never had it so good.

There are not enough good security professionals to go around. As a profession, information security in all its forms is relatively new. Fifty years ago there were perhaps a dozen information security professionals, and their jobs consisted primarily of making sure the doors were locked and that keys were issued only to personnel who had an established need for access. Today, whole sectors of commerce are doing virtually all of their business online, and other critical infrastructures such as public utilities are controlled online via the Internet. It’s hard to find something that’s not online these days. The rate of growth in the information security profession is falling way behind the rate of growth of critical information and infrastructures going online. This is making it all the more critical for today’s and tomorrow’s information security professionals to have a good understanding of the vast array of principles, practices, technologies, and tactics that are required to protect an organization’s assets.

What I have not mentioned in the book’s opening pages is that cybersecurity laws are inadequate. The security incidents of the recent past (and short-term future, I fear) are so severe that they may pose a far greater threat to our economy than the worldwide recession.

Case in point: considerable intelligence suggests that the likely culprit for the great Northeast Blackout of 2003 was not electric power system malfunctions, but computer hackers who are sponsored by the People’s Republic of China. I have read some of the intelligence reports myself and they are highly credible. You can read a lengthy article in the National Journal about the outage here. A few years ago, I attended a confidential briefing by the U.S. Office of Naval Intelligence on state-sponsored Chinese hackers. The briefing described many cyberterrorism activities in detail that I cannot describe here. I believe that the capabilities of those groups are probably far greater today than they were at the time of the briefing. The fact that these groups’ efforts have been so successful is because U.S. private companies are not required to adequately secure their networks; they are not even required to disclose whether security incidents have occurred (except as required by a patchwork of U.S. state laws).

I do not know whether the specific legislation discussed in the Washington Post article is an attempt to federalize the laws present in many U.S. states, or whether this legislation has a different purpose.

Security standards that are enforceable by the rule of law are badly needed. No, they will not solve all of our cybersecurity problems overnight, but if crafted correctly they can be an important first step. Today we have good standards, but no private company is required to follow them. The result is lax security that leads to the epidemic of cybersecurity incidents, many of which you never hear about.

Browsers are compromising our privacy


…and it’s not just Google.  IE8 also has features that are misleading, in terms of privacy.

I’ll talk about Google first. What’s going on: text you type in the search or URL field is sent to Google, even if you don’t press Send. In other words, if you type in the word “breasts”, and then later decide that you should not be searching on that at work (or wherever you are), it’ll be sent to Google anyway. It’s practically a key logger.

Article here (Seattle Times)

Now back to IE8.  This new version of the browser has an InPrivate browsing mode that supposedly does not record where you’ve been.  However, according to forensic experts, the feature doesn’t work and it’s still trivially easy to see what sites a user has visited even in InPrivate mode.

Article here (Network World)

Sept Scientific American on security and privacy


The entire September 2008 issue of Scientific American magazine is devoted to security and privacy.  I’m going to run out and pick up a hardcopy, and suggest that other security professionals do the same.

It’s also available online at http://www.sciam.com/sciammag/

Sears admits to loading spyware on computers


Sears Holding Corporation, owner of Sears, Roebuck and Co. and Kmart, makes the pitch in an email sent to people shortly after they provide their address at Sears.com. Clicking the “Join” button invokes a dialog that requests the person’s name, address and household size before installing ComScore spyware that monitors every site visited on the computer.

Sears’ privacy statement does disclose this.  Their privacy statement is 54 pages long, and the disclosure is on page 10.

Wow.

Link to full story:

http://www.theregister.co.uk/2008/01/03/sears_snoopware_disclosure/