
Security

Observations on information security.

Security Versus Compliance: Old Guard Versus Digital Natives?

Forrester Research and RSA have published an interesting report on corporate security priorities and compliance programs. The bottom line is no real surprise: companies spend more money on compliance with external requirements like PCI-DSS or HIPAA than they do on protecting their own secrets. These compliance requirements are tied to obvious business needs - you can't do much retail work unless you take credit cards - so it's hard to argue against such expenses. Forrester and RSA show statistics arguing that companies lose more money through lost company secrets. Yet a lot of companies focus their security efforts exclusively on compliance and really don't make a special effort to protect company-specific assets.

Kaspersky Lab posted a reasonable summary of the report.

Slashdot's title writers dramatically misread the report, summarizing it under the title "Compliance is Wasted Money." I tend to think of Slashdot as being edgy in a digital native sort of way, so I'm surprised they spun it that way.

I think the report reflects two things. First, companies don't want to spend money to assess their losses from leaked company data, unless they're already inclined to be a secrecy-oriented company. If a company is more inclined towards openness and information sharing, then they don't want to collect such information: bad news makes management look bad, and there's no countervailing data to show a measurable benefit to being a more open company.


Not the Droid

I recently migrated from my venerable Palm Treo 700 to a BlackBerry Storm II. In between I had a brief fling with a Droid, but jettisoned it after about a day. There were two problems. First, it's too much like having a laptop instead of a phone, IMHO. Second, I don't like the security model.

When we talk about the "Droid security model" we're really talking about the Android operating system and not about any particular phone. The exact phone I had isn't as important as the mechanisms that are undoubtedly common to all Droids.

The basic problem is that it's too vulnerable to malware like viruses, worms, or Trojan horses. This is a feature of its openness, but not a feature I personally crave on my cell phone. My phone serves a little as an electronic wallet, and I don't want malware in there, even if it limits my choice of apps.


The blunt sword of legislation

Minnesota's Senator Klobuchar has co-sponsored a bill to criminalize certain behavior by peer-to-peer file sharing programs.

The bill is supposed to require a sort of informed consent by computer owners whenever a P2P file sharing program arrives. Here's what the bill wants to require:

• Ensures that P2P file sharing programs cannot be installed without providing clear notice and obtaining informed consent of the authorized computer user.

• Makes it unlawful to prevent the authorized user of a computer from:

1. Blocking the installation of a peer-to-peer file sharing program, and/or

2. Disabling or removing any peer-to-peer file sharing program.

Having taught several networking courses (not to mention having written my share of networking software), I'm not sure where they can draw the line. What constitutes 'clear notice,' and does that include such things as Windows and Apple file sharing? Do these OS vendors already comply with planned legislative requirements, or will they have to update their configuration software?

Does "Windows Genuine Advantage" violate the law if it won't let the computer owner block its communication with the Mother Ship in Redmond? If so, how does Microsoft check for people using the same license on two or more computers?


The cost of security failure

Marcus recently finished this 'creative project' as he calls it.

Profiling ("Fingerprinting") a Browser

EFF (Electronic Frontier Foundation) has put up a web site called Panopticlick.

It collects every scrap of information it can from your browser. A browser will divulge a lot in order to optimize how pages are displayed, so a server can learn your screen size, your list of installed fonts, and of course the operating system and browser versions. This is all without looking at cookies!

So a clever site could try to 'fingerprint' individuals by retrieving system details from the browser.
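The fingerprinting idea in practice, as an added example that is not the EFF's Panopticlick code: a server canonicalizes the attributes a browser volunteers (header values plus what a script can query, such as screen size and fonts), hashes them into a fingerprint, and measures how identifying each attribute is against a population of visitors using Panopticlick's own metric, bits of surprisal (-log2 of the fraction of visitors sharing a value). The visitor population, attribute names and values below are constructed sample data, not real measurements.

```python
import hashlib
import json
import math

# Constructed sample population of eight visitors.  Each record holds the
# kind of attributes a server can observe without any cookie.  The keys and
# values are assumptions made for this example.
SAMPLE_VISITORS = [
    {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", "screen": "1280x800x24",
     "fonts": "Arial,Verdana,Times New Roman", "timezone": "-360"},
    {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", "screen": "1280x800x24",
     "fonts": "Arial,Verdana,Times New Roman", "timezone": "-360"},
    {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", "screen": "1280x800x24",
     "fonts": "Arial,Verdana,Times New Roman", "timezone": "-300"},
    {"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6) Safari/4.0", "screen": "1440x900x24",
     "fonts": "Helvetica,Lucida Grande,Monaco", "timezone": "-480"},
    {"user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6) Safari/4.0", "screen": "1440x900x24",
     "fonts": "Helvetica,Lucida Grande,Monaco", "timezone": "-480"},
    {"user_agent": "Mozilla/5.0 (X11; Linux i686) Firefox/3.5", "screen": "1024x768x24",
     "fonts": "DejaVu Sans,Liberation Serif", "timezone": "0"},
    {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", "screen": "1280x800x24",
     "fonts": "Arial,Verdana,Times New Roman", "timezone": "-360"},
    {"user_agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6", "screen": "1024x768x24",
     "fonts": "Arial,Verdana,Times New Roman", "timezone": "-360"},
]


def canonical(attrs):
    """Serialize attributes deterministically (sorted keys, no whitespace)
    so that two browsers exposing the same values hash to the same string."""
    return json.dumps(attrs, sort_keys=True, separators=(",", ":"))


def fingerprint(attrs):
    """SHA-256 of the canonical attribute string: an identifier the user
    never chose to set and cannot clear the way a cookie can be cleared."""
    return hashlib.sha256(canonical(attrs).encode("utf-8")).hexdigest()


def surprisal_bits(value, values):
    """Identifying information carried by `value` within the population
    `values`: -log2(fraction of the population sharing it).  `value` must
    occur at least once in `values`."""
    count = sum(1 for v in values if v == value)
    if count == 0:
        raise ValueError("value must be a member of the population")
    return -math.log2(count / len(values))


def attribute_bits(visitor, population):
    """Bits of identifying information per attribute, as Panopticlick reports them."""
    return {key: surprisal_bits(visitor[key], [p[key] for p in population])
            for key in visitor}


def fingerprint_bits(visitor, population):
    """Bits carried by the combined fingerprint.  With eight visitors a unique
    fingerprint is worth log2(8) = 3 bits; a real population is far larger."""
    return surprisal_bits(fingerprint(visitor), [fingerprint(p) for p in population])


if __name__ == "__main__":
    for i, visitor in enumerate(SAMPLE_VISITORS):
        print(i, fingerprint(visitor)[:16], round(fingerprint_bits(visitor, SAMPLE_VISITORS), 2),
              {k: round(b, 2) for k, b in attribute_bits(visitor, SAMPLE_VISITORS).items()})
```

The combined fingerprint carries at least as many bits as its most identifying single attribute, which is the whole point: no one value need be unique for the combination to be.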


Paying for Identity

Marcus Ranum and Bruce Schneier recently had another one of their "face-offs," this time, discussing anonymity on the Internet. Bruce argued strongly in favor of it, but then so did Marcus - with a cleverly nuanced argument.

The problem with Internet anonymity is that it's so incredibly cheap - fraud and spam are easy because it's almost free to adopt a new identity on the Internet. Many spam/scam techniques rely on creating bogus IDs wholesale.


RockYou and Password Choices

A social networking site called RockYou.com was hacked a few months ago, and someone was thoughtful enough to tell them about it in December. After some dithering, they announced it to their user community.

Unfortunately, RockYou was also doing site aggregation - holding users' login credentials for other sites in order to link those accounts to its own. All very Web 2.0. All very dangerous, especially since the passwords were stored in plaintext. The attackers thus collected 32 million user login credentials: ids, passwords, e-mail addresses. The entry point was a SQL injection vulnerability.

John, a former colleague, sent me a note about a security firm named Imperva that analyzed the list of passwords.

The actual report is poorly drafted - you can't tell how much of the database they really analyzed, or how they chose a set to analyze. However, it seems that they analyzed a sampling of the passwords and compiled a list of the 5,000 most common ones. Which they didn't share. They did share a list of the 20 most common: the most common word was "Password" while "princess" and "Nicole" were the most common names.
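Both halves of this story in code, as an added example that is neither RockYou's nor Imperva's: the frequency count an analyst runs over a plaintext dump, and the salted, iterated hashing (PBKDF2-HMAC-SHA256 from Python's standard library) that would have denied the attackers the plaintext in the first place, plus the signup-time check against a common-password list that a "top 20" study motivates. The records and the denylist below are constructed sample data; the denylist only contains the three entries the post names plus typical filler.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample dump in the shape the leaked RockYou data had
# (user id, password, e-mail address).  Nothing here is real leaked data.
LEAKED_RECORDS = [
    {"id": "u1", "password": "Password", "email": "a@example.com"},
    {"id": "u2", "password": "Password", "email": "b@example.com"},
    {"id": "u3", "password": "princess", "email": "c@example.com"},
    {"id": "u4", "password": "Nicole", "email": "d@example.com"},
    {"id": "u5", "password": "Password", "email": "e@example.com"},
    {"id": "u6", "password": "Tr0ub4dor&3", "email": "f@example.com"},
]

# Constructed denylist (lower-cased): the three entries the post mentions
# plus typical filler.  A real deployment would load a published top-N list.
COMMON_PASSWORDS = {"password", "princess", "nicole", "123456", "qwerty", "iloveyou"}


def top_passwords(records, n):
    """What an analyst, or an attacker, gets from a plaintext dump: a ranked
    list of the most common passwords, one Counter call away."""
    return Counter(r["password"] for r in records).most_common(n)


def hash_password(password, iterations=100_000):
    """Salted PBKDF2-HMAC-SHA256.  A fresh 16-byte random salt per user means
    two users who chose the same password get different stored values, so a
    stolen table cannot be tallied the way a plaintext dump can."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count and compare in
    constant time so the comparison itself leaks nothing about the digest."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def is_common(password, denylist=COMMON_PASSWORDS):
    """Case-insensitive membership in the denylist; run this at signup and
    reject the password, since it is the first thing a guesser will try."""
    return password.lower() in denylist


def hashed_store(records):
    """The store RockYou should have had: id -> salted hash, never the plaintext."""
    return {r["id"]: hash_password(r["password"]) for r in records}


if __name__ == "__main__":
    print("plaintext dump tally:", top_passwords(LEAKED_RECORDS, 3))
    store = hashed_store(LEAKED_RECORDS)
    print("u1 and u2 share a password, stored values differ:", store["u1"] != store["u2"])
    print("verify u1:", verify_password("Password", store["u1"]))
    print("common passwords in dump:",
          [r["id"] for r in LEAKED_RECORDS if is_common(r["password"])])
```

The iteration count is what makes offline guessing expensive; raise it as hardware gets faster, and store it alongside the hash (as the format above does) so old entries can be re-hashed on the user's next login.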


Bring-Your-Own-Computer

Paul Ardoin, a former colleague, has posted some comments on Bring-Your-Own-Computer, the notion that companies should rely on employees' personal laptops. My security-wonk-alarm went off when I read this, but I'm thinking the concept has some merit.

This is somewhat related to the question of using a company car versus the company paying you for mileage on your own car. People in general tend to take better care of their own car.


Best New Security Technology

A while back, Popular Science asked me to identify the Best New Security Technology. At the time I simply couldn't think of anything, and they've long since published their issue filled with Best New ____ Technology.

I finally thought of something - self-encrypting mass storage. This can be anything from an encrypting USB drive - the IronKey if you like theatrics - to a self-encrypting hard drive like Seagate's Momentus line of laptop drives.

While I also rely heavily on software drive encryption (TrueCrypt) I wish that all my hard drives had full disk encryption (FDE). If all drives had FDE, I could recycle drives (i.e. give them to my kids) just by erasing the key. Instead, I have to hook each drive up to an idle machine for a day or so to run a wiping process.

So FDE isn't just for security paranoids and folks hogtied by compliance regulations. It's useful for everyone - assuming, that is, that the vendors make it easy to use.


Security Through Obscurity

Kodak is offering the Easyshare Wireless Picture Frame, which uses a wireless Internet connection to select and display its content.

According to a blog post by Casey Halverson, the wireless picture frame's contents come from a findable URL. It wouldn't take much technology to write software that searches for the contents of other, random picture frames.

This poses an interesting question: when is Security Through Obscurity (STO) good enough to protect privacy? This is one of those technical weaknesses that professionals like to talk about, but lots of people won't understand. This can play out in one of several ways:

  • The product becomes popular, and it takes years for the security problems to bother the user community. This is what happened with analog cell phones.
  • The product's security problems become an issue that interferes with its marketplace success. This is what happened with early Web sites. Netscape solved the problem by introducing SSL encryption.
  • The product fails for other reasons.
