Posts filed under 'Authentication'

Blog Lapse

I apologize for the short notice, but this blog is in suspended animation until further notice. This was a business decision that I adamantly disagree with, and I will be back with some noticeable changes in the near future. In the meantime, please bear with me while I sort out some business decisions.

November 6, 2006

Identity Theft? That’s Been Outsourced, Too

There’s been a lot of attention paid lately, in the wake of the HP scandal, to “pretexting”, the practice of posing as someone else in order to gain access to their personal data. However, a British TV program has shown that there’s more than one way to skin the identity fraud cat, as an undercover reporter was offered the personal details of 100,000 UK bank customers, stolen by offshore call-center workers.

The knee-jerk reaction is simply to point the finger at outsourcing and offshoring, but they’re largely irrelevant to the situation. Lax corporate security and indifferent attitudes towards data breaches certainly aren’t restricted to a particular country, industry or line of work, so the suggestion that banks and other companies that allow offshored workers access to personal financial information could simply solve the problem by bringing outsourced functions back in-house is inaccurate.

Quite clearly, many companies’ security policies are inadequate, unenforced or nonexistent, whether for in-house employees or external suppliers, and there’s currently little motivation for them to take the problem seriously. Whether data is kept internally or shared with offshore workers doesn’t really seem to matter — it doesn’t appear particularly secure either way.

October 8, 2006

$100 Children’s Laptop May Be at Security Forefront

According to the Washington Post, developers for the OLPC project are working on implementing virus protection on each laptop’s kernel and on the way the laptops deal with both security and code sharing:

“The developers of software for the One Laptop Per Child (OLPC) initiative are redefining security for the personal PC. Since the laptops have the potential of communicating with any other laptop, the developers have a unique opportunity to implement both virus protection on the kernel, master boot record and also the way in which the laptops deal with security and ‘code-sharing.’

The developers are currently seeking outside counsel from security experts and if you’re worried about these security schemes posing only problems to the children, ‘these security measures can be turned off by the PCs’ owners. To protect against that leading to disaster, the laptops will automatically back up their data on a server whenever the machines get in wireless range of the children’s school. If a child loses data, the files can be restored by bringing the laptop within wireless range of the server.’”

October 8, 2006

Laptop security is a top priority

ZDnet reported “The Sans Institute says the greatest concern for businesses should be the security of their laptops, as more companies replace desktops with notebooks. The mix of sensitive data being taken out of the organisation and a lack of encryption, coupled with incidences of human error that can see such devices lost or stolen, means companies should make this issue a top priority.

The Sans report also said the theft of other mobile devices, such as PDAs and smart phones, will increase because of the value of the data they may contain.”

I would of course agree that loss or theft of data on laptops is important … along with the introduction of malware on portable devices, the lack of backups and the use of portable (and especially wireless) devices to remove information illicitly from corporate networks. But, sure, loss or theft of data on laptops is an issue.

October 6, 2006

Identity fraud targeted at home users

Would you leave your front door open for a month? That’s exactly what many individual Internet users are doing with their personal computers over the Net.

Internet criminals are increasingly targeting home users for identity theft, fraud and other financially motivated crime, reports the latest Internet Security Threat study released by anti-virus firm Symantec.

Home users are less likely to have established security measures in place and are careless with their data, making themselves a statistic on a security report. They account for 86 per cent of all targeted attacks and are followed by the financial services sector and government, education and IT firms. E-mail, browsers and desktop applications are the window to your personal computer. Calling end-users the “weakest link in the security chain”, Mr Vishal Dhupar, Managing Director, Symantec India, said that with the emergence of Web 2.0, security concerns would increase. Web 2.0 is the new trend sweeping the virtual world, where concepts such as sharing, blogging, democracy of information, and ‘power to the individual’ are gaining momentum. Attackers will take advantage of the implied trust between the community of individual developers and the sites hosting content to compromise individual users and/or Web sites, warns Symantec.

Online threats made up 69 per cent of all vulnerabilities. Patches can be downloaded to fix them. However, the numbers give a reality check.

It takes three days to produce malicious code (virus, spam, worm, etc.). It takes 31 days to produce a patch for it. The gap of 28 days is open for the attacker to reach into your critical files and steal what information is required.

BROWSERS

In a surprising revelation, Symantec reports that the open source Mozilla browser had the most vulnerabilities, 47, compared to 38 in Microsoft’s Internet Explorer. However, the more popular Internet Explorer was the most frequently targeted Web browser, accounting for 47 per cent of all Web browser attacks. Twenty per cent of all attacking IP addresses targeted the Firefox browser.

It also said that spam was up from 50 per cent (6 months ago) of all monitored email traffic to 54 per cent. In the last report, the firm reported a decline of spam, but the current reversal of this trend indicates that spammers may have found means to circumvent these measures, such as utilizing image-based spam. One out of every 122 spam messages contained malicious code.

October 6, 2006

The Tug O’ War Between Privacy And Data Retention

It’s no secret that the government has been pushing for more stringent data retention laws, on the belief (which many question) that by forcing ISPs to collect all this data, it will better help criminal and terrorist investigations. At the same time, the recent leak of data by AOL has some pushing in the completely opposite direction, suggesting there should be laws that ban companies from collecting and holding onto too much data. In fact, I noted that the AOL leak may have caused some politicians to rethink their position on data retention.

Adam Thierer, over at the Tech Liberation Front, has also noticed these two diametrically opposed issues, and wonders how search engines are going to deal with being pulled from both sides. Hopefully, the answer is that the back and forth on these two issues has a better chance of making sure that nothing happens, and things are pretty much left as is. This may turn out to be the best solution for everyone.

October 6, 2006

PhishTank Taps Community To ID Scams

“The AP has an article on PhishTank, OpenDNS’s service for fighting e-mail fraud. The free service seeks to tap the wisdom of the Internet community in identifying phishing emails and sites.”

From the article:

“Users simply submit to PhishTank.com the messages they believe are scams. Others then examine the message and the site to which it links and decide whether it is or isn’t a scam. When an item gets enough votes and the margin is wide enough, it is either dropped or classified as a phishing message. To prevent scammers from trying to game the system, votes are weighed based on how long, how often, and how accurate one has rated other messages.”

PhishTank, unlike any other anti-phishing service, provides a full API and open access to the data for any developer to use to secure their applications. Before PhishTank, someone from the SpamAssassin project or maybe the Squid Cache would have to fork over a lot of money for phishing data to groups like the Anti Phishing Working Group or Symantec. It’s now available for free, and I believe in a far more accurate and usable form.

October 6, 2006

Gonzales Wants ISP Data Retention To Curb Child Porn

The AP is reporting that Attorney General Alberto Gonzales testified before the Senate Banking Committee today and called for Congress to require ISPs to preserve customer records, asserting that prosecutors need them to fight child pornography.

‘This is a problem that requires federal legislation,’ Gonzales said. He called the government’s lack of access to customer data the biggest obstacle to deterring child porn. ‘We respect civil liberties but we have to harmonize this so we can get more information,’ he said.

Gonzales added that he agrees with a letter sent to Congress in June by 49 state attorneys general, requesting federal legislation to require ISPs to hold onto customer data longer.

September 20, 2006

Biometrics Promising Says Report

A report issued by RNCOS has encouraging news about using biometrics in securing authenticated identities. They state that biometric technologies, including iris scans, fingerprint scans, matching the shape and size of the palm, and skin, voice and face patterns, can be used successfully to make transactions more secure.

The recently published market research report by RNCOS, “World Biometric Market Outlook (2005-2008)”, says, after a thorough survey, that there is a growing worldwide interest in biometrics technology for access control or personal identification. As compared to 2003, the market is expected to bounce 6.5 times by 2008. The RNCOS Report further states “the market of biometrics the point-of-sale equipment and services are predicted to leap to $440 million or 85% by 2010, up from $31 million or 2% in 2005.”

September 17, 2006

Mandatory fingerprinting of European children

The European Union is working on a new rule that would require all children in the EU to be fingerprinted and entered into an international database. Currently, the proposed regulations would require all children age 12 and up to be fingerprinted, but some committee members are lobbying for an even younger age limit, possibly as young as six. The European Commission notes that “Scientific tests have confirmed that the papillary ridges on the fingers are not sufficiently developed to allow biometric capture and analysis until the age of six.”

Ben Hayes, spokesman for the civil liberties group Statewatch said “We are going from fingerprinting criminals to universal fingerprinting without any real debate. In the long term everyone’s fingerprints will be stored on a central database. You have to ask what will be the costs to a person’s privacy.” Statewatch also accused the EU Governments of making decisions based only on “technological possibilities – not on the moral and political questions of whether it is right or desirable.”

On the one hand, so long as you do nothing wrong, what difference does it make who has your information on file? On the other hand, however, the potential for misuse is huge. What do you think? Would you be concerned if your kids had to be fingerprinted and put into an international database? Or do you, like I do, see this as a positive move forwards in authentication?

September 15, 2006
