Thursday, June 26, 2008

Targeted web ads

Charter Communications decided this week against using an advanced web ad technology that would have allowed Charter to spy on where users were going on the web and then sell that data to a company called NebuAd, so it could deliver targeted web ads to Charter subscribers. Of course Charter made this decision because of an outcry from privacy advocates, customers, and Congress. From what I understand of this technology, it is a device that NebuAd places in the ISP's traffic stream to gather data on its users, and then uses that data to deliver web ads targeted at what they are searching for and what kinds of sites they visit. Unlike third-party cookies, which you can control on your PC, these would be completely invisible and would be controlled by the ISP and the marketers at these companies. This should definitely scare you a little, and you should check with your ISP to make sure they are not contemplating the same, since it would most certainly be a very inexpensive, if not free, way for the ISP to make more money on your traffic, as well as invade your privacy.

HTTPS would be safe from the prying eyes of this technology, but even then they could still tell what site you were on, and it is not beyond belief that an ISP would install a certificate into your browser and point the proxy settings at their proxy when the nice guy from Craptastic shows up to install the cable modem and talks someone into installing their CD, on the grounds that "I can't install the modem unless you run this." Once the certificate and proxy were configured, it would allow them to peek into the HTTPS traffic. Marketing folks will say that this is not a big deal, and that they are improving the experience for people by only delivering ads they are interested in, but what if a computer is shared and the previous person had been researching medical conditions, mental health information, or some other private matter?
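The point that a device in the ISP's traffic stream can still tell what site you are on even when the page itself is protected by HTTPS can be shown with a small parser. The Python below is an added example written for this post, not code from the original entry or from NebuAd or Charter: it builds a constructed TLS 1.2 ClientHello carrying a Server Name Indication (SNI) extension, the first message a browser sends before any encryption starts, and then reads the hostname back out of it the way any on-path device could. The hostname, the fixed "random" bytes, and the single cipher suite are made-up sample values.

```python
import struct


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record.

    If hostname is given, an SNI extension is included; otherwise the
    hello carries no extensions at all. This is a constructed sample
    message for the demonstration, not a captured packet, and the
    32-byte random field is fixed filler so the output is deterministic.
    """
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        # ServerName: name_type host_name(0), 2-byte length, name bytes
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        # Extension type 0 = server_name, followed by its length and data
        sni_ext = b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                  # client_version: TLS 1.2
        + b"\x11" * 32               # random (fixed filler)
        + b"\x00"                    # session_id length 0
        + b"\x00\x02" + b"\xc0\x2f"  # cipher_suites: one suite
        + b"\x01\x00"                # compression_methods: null only
        + extensions
    )
    # Handshake header: type client_hello(1) + 3-byte body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type handshake(0x16), legacy version, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the server_name from a ClientHello record, or None.

    None is returned for anything that is not a well-formed ClientHello
    or that carries no SNI extension, instead of raising.
    """
    try:
        if record[0] != 0x16:            # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                # not a client_hello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                     # skip client_version and random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = body[pos]
        pos += 1 + cm_len
        if pos >= len(body):
            return None                  # no extensions block at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type == 0:            # server_name extension
                list_len = struct.unpack("!H", data[0:2])[0]
                q = 2
                while q + 3 <= 2 + list_len:
                    name_type = data[q]
                    name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                    q += 3
                    if name_type == 0:   # host_name
                        return data[q:q + name_len].decode("ascii")
                    q += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    hello = build_client_hello("example.com")
    print("hostname visible in cleartext:", extract_sni(hello))
```

The lesson for the defender is the one the post makes: TLS hides the page, the cookies, and the form data, but the name of the site is sent before the handshake completes, so an ISP-side device needs no certificate trickery to build a list of the sites a subscriber visits. Only the injected-certificate-plus-proxy scenario described above lets it read the content as well.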

#$%^&*!

Sorry, I fell off the soapbox, and it is getting late.

Sunday, June 15, 2008

The Chinese are coming The Chinese are coming

First the story:

WASHINGTON — A congressman said Wednesday the FBI has found that four of his government computers have been hacked by sources working out of China.
Rep. Frank Wolf, a Virginia Republican, said that similar incidents — also originating from China — have taken place on computers of other members of the House and at least one House committee.


Entire Story

Now some guesses as to what might have happened:

Someone found spyware calling a server in China, and has jumped the gun, jumped the shark, and now has the opportunity to make a story out of nothing.

Someone found probes from China in the firewall logs, and there were viruses caught on Capitol computers that same day - That's it, we've got them now!

There really was an attack from a Chinese source to a government computer, and knowing the government's record on information security - they somehow managed to breach the security measures in place - shocking!

Not to worry though because

"Wolf plans to introduce a resolution that he says will help ensure protection for all House computers and information systems"

I think we can all sleep a little better now.

Friday, June 6, 2008

Security Requirements for Software Development

I bought a new car last year, and being the way I am, I had a list of requirements and repeatedly ran several cars through the requirements list until I narrowed it down to 5, from which I made my final decision. Things such as: it had to have 4 doors (for the princesses), it had to do 0-60 in close to 5 seconds, it had to handle well, look good, and have lots of cool toys inside to play with. Some of these requirements are easy to evaluate, while some are more subjective. Which brings me to the Information Security connection. In software development projects we are always asked to provide security requirements to the development team, whether it is in-house or contracted.

"Make sure there are no vulnerabilities that can be exploited" is always one of my favorites, but it is a little vague, and they always seem to want something more concrete. Over the years, I have kept a running list of the items I usually include in those security requirements, so for those of you that are interested, I am including it here. The list is derived from things I have seen in projects and a lot of great external sources such as OWASP, Common Criteria, etc. This list is not meant to be exhaustive or comprehensive, but a base to draw upon when completing these types of requests. You will still need to perform threat modeling and an in-depth analysis of the project, and to check that the requirements are being met in the SDLC. If anyone has any updates, suggestions, or corrections, please let me know, and I will update the list.

The link below directs you to a Google Docs page with the doc.


Security Requirements

Thanks

Monday, June 2, 2008

Software vulnerabilities and updates

The Flash vulnerability last week that was initially thought to be a zero day, but was eventually categorized as a known issue that was already patched in the latest Flash version, got me to thinking. I know what you are going to say, and yes, there was initially some smoke and a slight headache, but eventually I recovered. OS patches are usually up to date on all of my systems, but there are so many ubiquitous applications on systems that there should be an easy way to check whether they are up to date. Well, Secunia has one. For those of you that don't know about this organization, they have for several years now delivered top-notch vulnerability and patching information for any OS or application I can think of, for free. Now they have leveraged that database of known insecure programs into both a personal and a corporate edition of what they call a software vulnerability scanner. The personal edition is free, and uses their database to check the applications on your computer to see if there are known vulnerabilities. The software does not perform a vulnerability assessment; it checks for known vulnerable versions, and in most cases provides a link to download the latest version. The software tries to launch at startup by default, but this is easily changed. Give this a try and you will probably be amazed at the vulnerable applications residing on even the most up-to-date system.
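The distinction the post draws, checking installed version numbers against a list of known vulnerable versions rather than probing the software itself, is simple enough to show in code. The Python below is an added example, not Secunia's scanner or its database: the product names, version numbers, and advisory ids in it are constructed placeholders. It does the two things such a check has to get right: compare dotted versions numerically (so that 9.0.115.0 sorts before 9.0.124.0, and 9.0 is treated as 9.0.0.0), and respect the affected branch, so a fix in the 8.x line does not flag a 7.x install that has its own, separate advisory.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string such as '9.0.124.0' into a tuple of ints.

    Only the numeric components are kept, so '8.1.2-beta' compares as 8.1.2.
    Raises ValueError when no digits are present at all.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """True if a < b after zero-padding, so (9, 0) equals (9, 0, 0, 0)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: str            # first version of the branch that has the fix
    affected_from: str = "0"  # start of the affected branch, inclusive
    advisory_id: str = "EXAMPLE-0000"  # placeholder id, not a real advisory


# Constructed advisory table standing in for a vendor's vulnerability database.
ADVISORIES = [
    Advisory("PlayerApp", fixed_in="9.0.124.0", advisory_id="EXAMPLE-0001"),
    Advisory("DocViewer", fixed_in="8.1.2", affected_from="8.0",
             advisory_id="EXAMPLE-0002"),
    Advisory("DocViewer", fixed_in="7.1.0", affected_from="7.0",
             advisory_id="EXAMPLE-0003"),
]


def scan(installed: Dict[str, str], advisories=ADVISORIES) -> List[dict]:
    """Report every advisory whose affected range contains an installed version.

    `installed` maps product name to the version string found on the system.
    A version that cannot be parsed is reported once as 'unknown-version'
    rather than silently treated as safe.
    """
    by_product: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)

    findings = []
    for product, version_text in installed.items():
        try:
            have = parse_version(version_text)
        except ValueError:
            findings.append({"product": product, "installed": version_text,
                             "status": "unknown-version", "advisory": None})
            continue
        for adv in by_product.get(product, []):
            in_branch = not version_lt(have, parse_version(adv.affected_from))
            if in_branch and version_lt(have, parse_version(adv.fixed_in)):
                findings.append({"product": product, "installed": version_text,
                                 "status": "vulnerable",
                                 "advisory": adv.advisory_id,
                                 "fixed_in": adv.fixed_in})
    return findings


if __name__ == "__main__":
    # Constructed inventory of what a system might report.
    inventory = {"PlayerApp": "9.0.115.0", "DocViewer": "7.0.9", "Browser": "3.0"}
    for finding in scan(inventory):
        print(finding)
```

Note what this does not do: it never asks whether the installed copy is actually exploitable, only whether its version falls in a range the advisory table says is bad. That is exactly the trade the post describes, a fast inventory check rather than a vulnerability assessment, and it is also why such a check is only as good as the freshness of the table behind it.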