A privacy and information security blog with rambling thoughts from my feeble mind, that may or may not be of any service to anyone at any time.
Thursday, June 26, 2008
Targeted web ads
Charter Communications decided this week against using advanced web ad technology that would have allowed Charter to spy on where users were going on the web, and then sell that data to a company called NebuAd so it could serve targeted web ads to Charter subscribers. Of course, Charter made this decision because of an outcry from privacy advocates, customers, and Congress. From what I understand of this technology, it is a device that NebuAd places in the ISP's traffic stream to gather data on its users, and then uses that data to deliver web ads targeted at what they are searching for and what kinds of sites they visit. Unlike third-party cookies, which you can control on your PC, these would be completely invisible, and would be controlled by the ISP and the marketers at these companies.
This should definitely scare you a little, and you should check your ISP to make sure they are not contemplating the same, since it would most certainly be a very inexpensive, if not free, way for the ISP to make more money on your traffic, as well as invade your privacy. HTTPS would be safe from the prying eyes of this technology, but even then, they could still tell what site you were on, and it is not beyond belief that an ISP would install a certificate into your browser and set the proxy to their proxy when the nice guy from Craptastic shows up to install the cable modem and talks someone into installing their CD, on the grounds that "I can't install the modem unless you run this". Once the certificate and proxy were configured, it would allow them to peek into the HTTPS traffic.
Marketing folks will say that this is not a big deal, and that they are improving the experience for people by only delivering ads they are interested in, but what if a computer is shared and the previous person had been researching medical conditions, mental health information, or some other private matter?
#$%^&*!
Sorry, I fell off the soapbox, and it is getting late.
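The post above notes that HTTPS still lets a box in the ISP's path see which site you are on. As an added example, not code from the original post, the Python below assembles a TLS ClientHello and pulls the hostname out of its Server Name Indication extension: that name travels in cleartext before any key exchange, so an in-line device reads it without touching the encryption. The DNS lookup and the destination IP address give the same thing away even when SNI is absent. `build_client_hello`, `extract_sni` and the fixture bytes are my own constructions for this example, not a capture.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type
HS_CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000  # SNI extension type (RFC 4366)


def build_client_hello(server_name=None, cipher_suites=(0x002F, 0x0035)):
    """Assemble a minimal TLS 1.0 ClientHello record; a constructed fixture,
    not a capture. With server_name=None the SNI extension is omitted."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00"      # version, random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                               # one compression method: null
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in a ClientHello's SNI extension, or None
    if the bytes are not a ClientHello or carry no SNI. Everything read here is
    cleartext: it is sent before any key exchange, so a device in the ISP's
    path sees it even though the page content that follows is encrypted."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != HS_CLIENT_HELLO:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                           # client_version, random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos + 2 > len(body):
            return None                                        # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            q, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
            while q + 3 <= list_end:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                q += 3 + name_len
                if name_type == 0:                             # 0 = host_name
                    return name.decode("ascii", "replace")
        return None
    except (IndexError, struct.error):
        return None                                            # truncated or malformed input


if __name__ == "__main__":
    for fixture in (build_client_hello("www.example.com"), build_client_hello(None)):
        print(extract_sni(fixture))
```

The parser walks the fixed-layout fields (version, random, session id, cipher suites, compression methods) only to find the extension block; a ClientHello with no extensions returns None rather than raising, which is the case for older clients that never sent SNI.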
Labels:
cookies,
ISP,
NebuAd,
privacy,
profiling,
snooping,
tracking web use,
web marketing
Sunday, June 15, 2008
The Chinese are coming, the Chinese are coming
First the story:
WASHINGTON — A congressman said Wednesday the FBI has found that four of his government computers have been hacked by sources working out of China.
Rep. Frank Wolf, a Virginia Republican, said that similar incidents — also originating from China — have taken place on computers of other members of the House and at least one House committee.
Entire Story
Now some guesses as to what might have happened:
Someone found spyware calling a server in China, has jumped the gun, jumped the shark, and now has the opportunity to make a story out of nothing.
Someone found probes from China in the firewall logs, and there were viruses caught on Capitol computers that same day - That's it, we've got them now!
There really was an attack from a Chinese source on a government computer, and knowing the government's record on information security, they somehow managed to breach the security measures in place - shocking!
Not to worry though, because
"Wolf plans to introduce a resolution that he says will help ensure protection for all House computers and information systems"
I think we can all sleep a little better now.
Labels:
capitol computers,
chinese,
hack
Friday, June 6, 2008
Security Requirements for Software Development
I bought a new car last year, and being the way I am, I had a list of requirements and repeatedly ran several cars through the requirements list until I narrowed it down to 5, from which I made my final decision. Things such as: it had to have 4 doors (for the princesses), it had to do 0-60 in close to 5 seconds, it had to handle well, look good, and have lots of cool toys inside to play with. Some of these requirements are easy to evaluate, while some are more subjective. Which brings me to the Information Security connection. In software development projects we are always asked to provide security requirements to the development team, whether it is in-house or contracted.
"Make sure there are no vulnerabilities that can be exploited" is always one of my favorites, but it is a little vague, and they always seem to want something more concrete. Over the years, I have kept a running list of the items I usually include in those security requirements, so for those of you that are interested, I am including it here. The list is derived from things I have seen in projects and a lot of great external sources such as OWASP, Common Criteria, etc. This list is not meant to be exhaustive or comprehensive, but a base to draw upon when completing these types of requests. You will still need to perform threat modeling and in-depth analysis of the project, and check that the requirements are being met in the SDLC. If anyone has any updates, suggestions, or corrections, please let me know, and I will update the list.
The link below directs you to a Google Docs page with the doc.
Security Requirements
Thanks
Labels:
security requirements,
software security
Monday, June 2, 2008
Software vulnerabilities and updates
The Flash vulnerability last week that was initially thought to be a zero day, but was eventually categorized as a known issue that was already patched in the latest Flash version, got me thinking. I know what you are going to say, and yes, there was initially some smoke and a slight headache, but eventually I recovered. OS patches are usually up to date on all of my systems, but there are so many ubiquitous applications on systems that there should be an easy way to check whether they are up to date. Well, Secunia has one. For those of you that don't know about this organization, they have for several years now delivered top-notch vulnerability and patching information for any OS or application I can think of, for free. Now they have leveraged that database of known insecure programs into both a personal and a corporate edition of what they call a software vulnerability scanner. The personal edition is free, and uses their database to check applications on your computer to see if there are known vulnerabilities. The software does not perform a vulnerability assessment; it checks for known vulnerable versions, and in most cases provides a link to download the latest version. The software tries to launch at startup by default, but this is easily changed. Give this a try and you will probably be amazed at the vulnerable applications residing on even the most up-to-date system.
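The scanner described above works by comparing the version of each installed application against a database of the first version in which a known issue was fixed. As an added example, not Secunia's code, the Python below does that comparison over a constructed inventory; the product names and version numbers in `FIXED_IN` and `inventory` are made up for this example. The detail worth seeing is that the comparison has to be numeric, component by component: a plain string comparison ranks "10.0.12.36" below "9.0.124.0" and would report a current install as vulnerable, and "9.0.124" has to compare equal to "9.0.124.0" rather than older.

```python
import re

# Constructed sample data for this example, not Secunia's database:
# product name -> first version in which the known issue is fixed.
FIXED_IN = {
    "ExamplePlayer": "9.0.124.0",
    "ExampleReader": "8.1.2",
    "ExampleArchiver": "3.80",
}


def parse_version(text):
    """Turn '9.0.124.0' into (9, 0, 124, 0); non-numeric decoration is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_older(installed, fixed):
    """True if `installed` sorts before `fixed` component by component.

    Both tuples are zero-padded to the same length so that '9.0.124' and
    '9.0.124.0' compare equal instead of the shorter one looking older.
    """
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def find_vulnerable(installed, fixed_in=FIXED_IN):
    """Return (product, installed_version, fixed_version) for each install
    that predates the fix; products not in the database are skipped."""
    findings = []
    for product, version in installed.items():
        fixed = fixed_in.get(product)
        if fixed is not None and is_older(version, fixed):
            findings.append((product, version, fixed))
    return findings


if __name__ == "__main__":
    # Constructed inventory standing in for what a scanner reads off the host.
    inventory = {
        "ExamplePlayer": "9.0.115.0",   # older than the fix: report
        "ExampleReader": "8.1.2",       # exactly the fixed version: clean
        "ExampleArchiver": "3.71",      # older than 3.80: report
        "UnlistedTool": "1.0",          # not in the database: skipped
    }
    for product, have, need in find_vulnerable(inventory):
        print(f"{product}: installed {have}, fixed in {need}")
    # Why string comparison is wrong: it ranks a current build below an old one.
    print("10.0.12.36" < "9.0.124.0", is_older("10.0.12.36", "9.0.124.0"))
```

A real scanner also has to know which builds are affected rather than just "anything older than the fix", since vendors backport fixes to older branches; the structure above is the minimum that gets the ordering right.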
Friday, May 30, 2008
Crane collapses and Information Security
There was another crane collapse in NYC today, killing one person and critically injuring two others, according to CNN. This brings the death toll to 8 people in the last two months, just in New York City, due to crane collapses. These events are tragic, and they make the issues that we as Information Security and Privacy professionals deal with seem minor by comparison. However, there is a connection between us and the people in New York who strive to reduce these types of incidents. Somewhere in the various departments and agencies in NYC that regulate and inspect these cranes, there are probably several people who have made the argument time and time again that they are understaffed or under-budgeted, or that there are not enough controls in place to prevent these types of incidents. Unfortunately, it takes one of these incidents to obtain the increased funding and controls that should have been in place in the first place. The same thing happens in InfoSec and Privacy. We all tell management (and anyone else who will listen) things like:
We need to install x to reduce the risk of y
We need to do x to minimize the risk y
We need a review or addition of controls
We need more staff
We need more budget
Unfortunately, it takes an incident like this to produce change and to get enough attention on a topic that something is done. There is one other constant between these subjects. Whether it is a crane collapse, or a DNS takeover for a giant cable provider - there will be a fall guy to blame for both of these.
Rock On
Thursday, May 29, 2008
Stupid security trick of the month
The following story was reported by the Memphis News. Hopefully, some lawmakers in Nashville will ask their 12-year-old about the Internet before creating any more useless legislation that deals with technology.
[Memphis News]
Starting July 1st, Tennessee sex offenders are required to report their e-mail addresses, user names, and screen names to Tennessee's Sex Offender Registry. Lawmakers created the new requirement for sex offenders during this year's legislative session in Nashville. Police say the requirement will make it easier for them to spot sex offenders trolling for prey online.
Tuesday, May 13, 2008
Anti-virus not keeping up?
According to Panda Software, there was a tenfold increase in the number of new malware strains detected in 2007 compared to 2006: more than 3,000 per day were detected in 2007. I don't have to tell you that with that many new malware strains each day, your A/V software will, well, "strain" to keep up. The days when A/V signatures could be updated daily, or every couple of hours, are simply gone, and even if you could update them every 5 minutes, the signatures simply aren't there to cover all of the new threats. Never mind the impossibility of constantly updating signatures across thousands of systems on a network. Some companies, like ISS, are working on behavior-based A/V. They take all of the common traits found in viruses and malware and try to stop the code based on behavior. In theory you would then only have to update the behavioral signature when a new malware strain does something you have not seen before. Almost all of the thousands of new malware strains a day do basically the same thing, but thanks to morphing and subtle differences, they are not always detected by traditional signatures. The behavioral model is not perfect either, since it suffers from false positives, just as IDS/IPS signatures do.
So what to do?
Defense in depth is called for here.
Systems need to be patched to minimize the attack surface
System administrators need to minimize the places users can get one of these files through the web, e-mail, IM, etc. by using content filtering.
Reduce or remove the number of local administrative users
Watch what is entering and leaving the network
Run IDS/IPS on endpoints as well as the network
Run A/V and update it often
Watch for registry changes
Run virtualization, so cleanup becomes much easier, and infections become temporary (hopefully)