Blog Lapse
I apologize for the short notice, but this blog is in suspended animation until further notice. This was a business decision that I adamantly disagree with, and I will be back with some noticeable changes in the near future. In the meantime, please bear with me while I sort out some business decisions.
November 6, 2006
Identity Theft? That’s Been Outsourced, Too
There’s been a lot of attention paid lately to “pretexting”, the practice of posing as someone else in order to gain access to their personal data, in the wake of the HP scandal. However, a British TV program has shown that there’s more than one way to skin the identity fraud cat: an undercover reporter was offered the personal details of 100,000 UK bank customers, stolen by offshore call-center workers.
The knee-jerk reaction is simply to point the finger at outsourcing and offshoring, but they’re largely irrelevant to the situation. Lax corporate security and indifferent attitudes towards data breaches certainly aren’t restricted to a particular country, industry or line of work, so the suggestion that banks and other companies that allow offshored workers access to personal financial information could simply solve the problem by bringing outsourced functions back in-house is inaccurate.
Quite clearly, many companies’ security policies are inadequate, unenforced or nonexistent, whether for in-house employees or external suppliers, and there’s currently little motivation for them to take the problem seriously. Whether data is kept internally or shared with offshore workers doesn’t really seem to matter — it doesn’t appear particularly secure either way.
October 8, 2006
$100 Children’s Laptop May Be at Security Forefront
According to the Washington Post, developers for the OLPC project are working on implementing virus protection in each laptop’s kernel and on the way the laptops deal with both security and code sharing:
“The developers of software for the One Laptop Per Child (OLPC) initiative are redefining security for the personal PC. Since the laptops have the potential of communicating with any other laptop, the developers have a unique opportunity to implement both virus protection on the kernel, master boot record and also the way in which the laptops deal with security and ‘code-sharing.’
The developers are currently seeking outside counsel from security experts and if you’re worried about these security schemes posing only problems to the children, ‘these security measures can be turned off by the PCs’ owners. To protect against that leading to disaster, the laptops will automatically back up their data on a server whenever the machines get in wireless range of the children’s school. If a child loses data, the files can be restored by bringing the laptop within wireless range of the server.’”
October 8, 2006
Chinese Hackers Hit Commerce Department
The Bureau of Industry and Security (BIS), a branch of the Commerce Department, has sustained several successful attacks. Chinese hackers were able to gain access to its computers and install rootkits and other malware.
From the Information Week article:
“This is the second major attack originating in China that’s been acknowledged by the federal government since July. Then, the State Department said that Chinese attackers had broken into its systems overseas and in Washington. And last year, Britain’s National Infrastructure Security Co-ordination Center (NISCC) claimed that Chinese hackers had attacked more than 300 government agencies and private companies in the U.K.”
I’m getting more and more concerned that the US Government does nothing to ensure the security of our records. I don’t know why they don’t move forward on making our federal computer systems failsafe.
October 8, 2006
Laptop security is a top priority
ZDnet reported “The Sans Institute says the greatest concern for businesses should be the security of their laptops, as more companies replace desktops with notebooks. The mix of sensitive data being taken out of the organisation and a lack of encryption, coupled with incidences of human error that can see such devices lost or stolen, means companies should make this issue a top priority.
The Sans report also said the theft of other mobile devices, such as PDAs and smart phones, will increase because of the value of the data they may contain.”
I would of course agree that loss or theft of data on laptops is important … along with the introduction of malware on portable devices, the lack of backups and the use of portable (and especially wireless) devices to remove information illicitly from corporate networks. But, sure, loss or theft of data on laptops is an issue.
October 6, 2006
Identity fraud targets home users
Would you leave your front door open for a month? That’s exactly what many individual Internet users are doing with their personal computers over the Net.
Internet criminals are increasingly targeting home users for identity theft, fraud and other financially motivated crime, reports the latest Internet Security Threat study released by anti-virus firm Symantec.
Home users are less likely to have established security measures in place and are careless with their data, making themselves a statistic on a security report. They account for 86 per cent of all targeted attacks and are followed by the financial services sector and government, education and IT firms. E-mail, browsers and desktop applications are the window to your personal computer.
Calling end-users the “weakest link in the security chain”, Mr Vishal Dhupar, Managing Director, Symantec India, said that with the emergence of Web 2.0, security concerns would increase. Web 2.0 is the new trend sweeping the virtual world, where concepts such as sharing, blogging, democracy of information, and ‘power to the individual’ are gaining momentum. Attackers will take advantage of the implied trust between the community of individual developers and the sites hosting content to compromise individual users and/or Web sites, warns Symantec.
Online threats made up 69 per cent of all vulnerabilities. Patches can be downloaded to fix them. However, the numbers give a reality check.
It takes three days to produce a piece of malicious code (virus, spam, worm, etc.). It takes 31 days to produce a patch for it. That gap of 28 days is open for the attacker to reach into your critical files and steal whatever information is required.
BROWSERS
In a surprising revelation, Symantec reports that the open source Mozilla browser had the most vulnerabilities, 47, compared to 38 in Microsoft’s Internet Explorer. However, the more popular Internet Explorer was the most frequently targeted Web browser, accounting for 47 per cent of all Web browser attacks. Twenty per cent of all attacking IP addresses targeted the Firefox browser.
It also said that spam was up from 50 per cent (6 months ago) of all monitored email traffic to 54 per cent. In the last report, the firm reported a decline of spam, but the current reversal of this trend indicates that spammers may have found means to circumvent these measures, such as utilizing image-based spam. One out of every 122 spam messages contained malicious code.
October 6, 2006
The Tug O’ War Between Privacy And Data Retention
It’s no secret that the government has been pushing for more stringent data retention laws, on the belief (which many question) that by forcing ISPs to collect all this data, it will better help criminal and terrorist investigations. At the same time, the recent leak of data by AOL has some pushing in the completely opposite direction, suggesting there should be laws that ban companies from collecting and holding onto too much data. In fact, I noted that the AOL leak may have caused some politicians to rethink their position on data retention.
Adam Thierer, over at the Tech Liberation Front, has also noticed these two diametrically opposed issues, and wonders how search engines are going to deal with being pulled from both sides. Hopefully, the answer is that the back and forth on these two issues has a better chance of making sure that nothing happens, and things are pretty much left as is. This may turn out to be the best solution for everyone.
October 6, 2006
PhishTank Taps Community To ID Scams
“The AP has an article on PhishTank, OpenDNS’s service for fighting e-mail fraud. The free service seeks to tap the wisdom of the Internet community in identifying phishing emails and sites.”
From the article:
“Users simply submit to PhishTank.com the messages they believe are scams. Others then examine the message and the site to which it links and decide whether it is or isn’t a scam. When an item gets enough votes and the margin is wide enough, it is either dropped or classified as a phishing message. To prevent scammers from trying to game the system, votes are weighed based on how long, how often, and how accurate one has rated other messages.”
PhishTank, unlike any other anti-phishing service, provides a full API and open access to the data for any developer to use to secure their applications. Before PhishTank, someone from the SpamAssassin project or maybe the Squid Cache would have to fork over a lot of money for phishing data to groups like the Anti Phishing Working Group or Symantec. It’s now available for free, and I believe in a far more accurate and usable form.
October 6, 2006
The Age of Technological Transparency
“Executives and politicians may be starting to realize that privacy is dead and secrets can no longer be kept in the information age. There is always a technological trail, and transparency is pervasive. Just ask Patricia Dunn and Mark Foley.
In a piece at eWeek, Ed Cone from CIO Insight talks about the specific technologies that brought them down.”
From the article:
“Foley may have thought his IMs were disappearing into the ether as soon as they cleared his computer screen. Instead, the messages were saved, and his career was ruined, and the House leadership is left to fight for survival. We talk a lot about transparency as a virtue in the age of the web, and hold it up as a marketing technique and a better way to run an enterprise. Sun’s blogging CEO, Jonathan Schwartz, is lobbying the SEC to allow more financial information to be disclosed online. Corporations are using all manner of web-techs to speak more directly to stakeholders. But transparency needs to be understood as more than a slogan or a strategy. It’s a reality. It can be imposed on you by the Internet, whether you want to be transparent or not.”
October 6, 2006
Digital voter fraud is here
This morning, the House Administration Committee held a hearing on legislation to require auditable, voter-verified paper trails for electronic voting machines, such as those manufactured by Diebold.
The hearing featured a demonstration by Princeton University professor Dr. Edward Felten, showing how easily such machines can be tampered with. Felten, along with two graduate students, wrote a paper earlier this year for the Center for Information Technology Policy that details how easy it was to hack the Diebold machine and change the outcome of an election. Felten and his two associates set up the machine for an election between George Washington and Benedict Arnold. All three voted for Washington (good choice!), but the machine tabulated only one vote for Washington and two for Arnold.
This can be done in a way, Felten says, so that the virus is completely undetectable, and can be set up to generate results that won’t be questioned. If the virus is designed to give 55% of the vote to the winner, the loser is unlikely to question the results, and without a paper record, the result can’t be audited. Felten later explained that because of the way boards of elections typically set up the machines, a virus can be introduced into one, via its memory card, and then many more machines can be contaminated as the rest of the machines are set up. Very scary indeed.
Rather than prohibit the use of such machines altogether, Rep. Rush Holt (D-N.J.), along with 215 co-sponsors, is supporting legislation that would provide that voters have the opportunity to verify the accuracy of their recorded vote, require that all voting systems produce a voter-verified paper record, ban the use of undisclosed software and wireless devices in voting systems, and require random, unannounced hand-count audits, among other measures.
“Voters need to be confident of the central act of their democracy, and voter confidence is unraveling,” he said. “The last six years have brought us example after example, in state after state, of the problems caused by unverifiable voting machines.”
In addition to the voting machines bill, Holt in the House and Senators Barbara Boxer (D-Calif.), Russ Feingold (D-Wisc.) and Christopher Dodd (D-Conn.) introduced emergency legislation on Sept. 26 to authorize Federal funding to the states for the printing of paper ballots to be available for voters in case of problems with the electronic voting machines. Boxer told the New York Times that “If someone asks for a paper ballot they ought to be able to have it.” Neither Holt’s voting machine bill, nor the Boxer bill appear to have much chance of enactment, this year, however.
It’s not hard to see why the Republican leadership in the Congress is not very interested in moving these bills. The Diebold machines would make what Karl Rove managed to pull off in 2000 in Florida and in 2004 in Ohio much easier and much harder to detect. And that’s why these machines should be banned altogether. Even without fraud, they can malfunction in other ways and screw up your election, just as happened in Montgomery County, Maryland during the Sept. 12 primary, when malfunctions in both voting machines and the electronic voter rolls left many people unable to vote.
[Photo caption: Rep. Rush Holt (D-N.J.) advocates for paper trails from electronic voting machines. To his left is Dr. Edward Felten of Princeton University.]
September 30, 2006