Adobe Flash Player 10.1 will make "its privacy settings more prominent and explicit to the user and also supports private browsing, which lets a user browse without logging his browsing history on his machines," according to an article in Dark Reading. The side effect is that e-commerce sites which have been using Flash's Local Storage to store machine ID's without the user's consent or knowledge will no longer be a viable machine authentication method.
This is actually good news because e-commerce sites will be forced to use technology designed specifically for authentication rather than relying on this Adobe externality.
Earlier this week, the CEO of Blippy posted an extensive explanation of the breach they suffered and the steps he is planning to take to improve the site's security and better protect the privacy of the users. I can only hope his explanation of the breach is accurate.
As to his "Plan" going forward, it reveals a shocking, but not untypical, heretofore lax attitude toward protecting the site's users.
I like their Rules page. The intent is to inform Blippy users of "Inappropriate Content and Use of Blippy," However, if I were considering signing up for Blippy, I might consider some of them the risks of using Blippy. Here are examples:
Impersonation: You may not impersonate others through our
services in a manner that does or is intended to mislead, confuse,
deceive, or harass others.
Serial Accounts: You may not create serial accounts or
relationships in order to evade the block tools or to otherwise disrupt
the Services.
Name Squatting:You may not engage in name-squatting (creating
accounts for the purpose of preventing others from using those account
names or for the purpose of selling those accounts). Accounts that are
inactive for more than 9 months may be removed without further notice.
Links: You may not publish or post content
that disguises the content of a link in a misleading or deceptive way.
Malware/Phishing: You may not publish or link
to malicious content intended to damage or disrupt another user.s
browser or computer or to compromise a user's privacy.
Social Network Spam: Blippy provides a
variety of ways for users to interact with one another. You may not
abuse these tools for the purpose of spamming users. Some of the
behaviors we look at when determining whether an account is spamming
include:
The user has followed and unfollowed people in a short time
period, particularly by automated means.
A large number of people are blocking the profile.
The number of spam complaints filed against a profile.
And I can only hope that Blippy is taking steps to reduce the risks of these actions and worse. How long will it be before Koobface infiltrates Blippy, or there is a new botnet specifically targeting Blippy called "ypblip?"
The UK-based Guardian posted a story today that an engineer from Google discovered a flaw in Facebook's Graph API where all events you have participated in or are planning to participate in cannot be kept private.
My reactions are (1) given Facebook's privacy policy trajectory, I am not surprised, and (2) given the threat that Facebook represents to Google, I am not surprised that a person from Google found the flaw.
If anything is going to blunt Facebook's popularity, it's going to be privacy issues. And I say this despite the long history of consumers willingness to give up privacy to gain convenience, e.g. Debit Cards.
Larry Seltzer has an interesting post about a conversation he had with Mikko Hypponen of F-Secure about the reason for the Operation Aurora attack in China against Google's Gmail service.I wrote about Aurora here and here. However, the question remains – why Gmail and not Yahoo or Microsoft's free email service?
Perhaps it's because only Gmail offers SSL encryption which prevents sniffing on the wire to read emails. Because the other free email services don't offer SSL, you can simply sniff the wire to read the emails on those services.
End users who have some level of security consciousness gravitate to Gmail. And if you want to read messages on Gmail, you have no choice but to hack the service itself as you are not going to crack SSL.
Dark Reading published a story based on VeriSign's iDefense's research of an underground black market for stolen social networking credentials. One criminal was selling 1,000 Facebook accounts with 10 or less friends for $25, while the price for 1,000 Facebook accounts with 10 or more friends is $45.
While this should not be surprising, it is worth noting again the level of cybercrime organization.
The U.S. Federal Trade Commission has notified nearly 100
organizations that data from their networks has been found on
peer-to-peer file-sharing networks, the agency said on Monday.
The FTC notices went to private and public entities, including schools
and local government agencies and organizations with as few as eight
employees to as many as tens of thousands, the FTC said in a statement.
The sensitive information about customers and employees that was leaked
could be used to commit identity fraud, conduct corporate espionage,
and for other crimes.
Unfortunately file sharing based on peer-to-peer technology is only a part of the problem. Some firewalls and most intrusion prevention systems (IPSs) can block peer-to-peer file sharing. However, the problem is actually much worse – the growth of browser-based file sharing applications designed to bypass most firewalls and IPSs.
Palo Alto Networks, a next-generation (as defined by Gartner) firewall vendor, recognizes and can control or block 88 different file sharing sharing applications. Of these, 40 use peer-to-peer technology, 39 are browser-based, and 9 are client-server. Therefore if your network security infrastructure can control or block peer-to-peer file sharing, you are solving less than half the problem.
For more information about the hundreds of applications that ought to be controlled or blocked, go to Palo Alto Network's Applipedia.
Earlier this week Google took the unprecedented step of disclosing a breach which does not legally require disclosure. Google's reasons for the disclosure are tightly linked to its concerns about human rights in China and its views on China's reasons for breaching Google's email systems. These last two points are well worth discussing and are being discussed at length all over the blogosphere. However, I am going to focus on the security and disclosure issues.
First regarding disclosure, IT risk reduction strategies greatly benefit from public breach disclosure information. In other words, organizations learn best what to do and avoid overreacting to vendor scare tactics by understanding the threats that actually result in breaches. This position is best articulated by Adam Shostack and Andrew Stewart in their book, "The New School of Information Security."
I blogged about Verizon Business's forensic team's empirical 2009 Data Breach Investigations Supplemental Report here. This report shows cause-and-effect between threat types and breaches. You could not ask for better data to guide your IT risk reduction strategies.
Organizations have been so reluctant to publicly admit they suffered breaches, the Federal and many state governments had to pass laws to force organizations to disclose breaches when customer or employee personal information was stolen.
Regarding the attack itself, it represents a type of attack that is relatively new called "advanced persistent threats" (APT) which in the past had primarily been focused on governments. Now they are targeting companies to steal intellectual property. McAfee describes the combination of spear fishing, zero-day threats, and crafted malware here. The implications:
The world has changed. Everyone’s threat model now needs to be adapted
to the new reality of these advanced persistent threats. In addition to
worrying about Eastern European cybercriminals trying to siphon off
credit card databases, you have to focus on protecting all of your core
intellectual property, private nonfinancial customer information and
anything else of intangible value.
Gunter Ollman, VP of Research at Damballa, discusses APT's further here, focusing on detecting these attacks by detecting and breaking the Command and Control (CnC) component of the threat. The key point he makes is:
Malware is just a tool. The fundamental element to these (and
any espionage attack) lies with the tether that connects the victim
with the attacker. Advanced Persistent Threats (APT), like their bigger
and more visible brother “botnets”, are meaningless without that tether
– which is more often labeled as Command and Control (CnC).
Jeremiah Grossman points out the implications of Google's breach disclosure for all cloud-based product offerings here, countering Google's announcement of Default https access for Gmail.
ReadWriteEnterprise is reporting via The Hill, that "the Federal Trade Commission (FTC) has opened an investigation into the privacy and security implications of cloud computing."
Given the FTC's aggressive Red Flags Rule program, I would not be surprised if more regulations will be forthcoming. BTW, after many delays, the Red Flags Rule is planned to go into effect on June 1, 2010.
Can you imagine your Data Leak Prevention system not being perfect? Is there value in a service that scans P2P networks looking for leaked data that eluded your Data Leak Prevention (DLP) controls?
Tiversa offers such a service. In an example of the value of their service, according to a Washington Post article, they claim that "the personal data of tens of thousands of U.S. soldiers – including those in the Special Forces – continue to be downloaded to unauthorized computer users in countries such as China and Pakistan…"
On a separate, but possibly related note, there was an Ars Technica article last last week on a bill working its way through Congress called the "Informed P2P User Act." From the Ars Technica article:
"First, it requires P2P software vendors to provide "clear and
conspicuous" notice about the files being shared by the software and
then obtain user consent for sharing them. Second, it prohibits P2P
programs from being exceptionally sneaky; surreptitious installs are
forbidden, and the software cannot prevent users from removing it."
It's clear that P2P represents risks that can be reduced by both technical and legal means.
Just in case you thought there was any hope of maintaining personal privacy, forget it. In fact you must assume your personal information is exposed and take steps to prevent identity theft.
Ars Technica reported this week that law professor Paul Ohm published a paper describing how easy it is to identify specific individuals from "anonymized" data that is released for research purposes and his recommendations for minimizing this type of abuse.
Ars Technica, quoting from Paul Ohm's paper, described the process a graduate computer science student used in the mid-90's to identify then governor William Weld of Massachusetts from "anonymized" health records released by the Massachusetts Group Insurance Commission.
Data is anonymized by removing "personally identifiable information" like name, address, and Social Security number. The anonymized data is useful for further statistical analysis by a variety of researchers.
The graduate student showed that she could "reidentify" individuals 87% of the time with only three pieces of information – zip code, date of birth, and sex. The key to her process is the availability of voter rolls, which you can buy for a small fee from any town, at least in Massachusetts. These voter rolls provide the name, address, zip code, birth date, and sex of every voter.
Professor Ohm's call for a reexamination of privacy laws and tougher regulation is admirable as this may protect you against disclosure of medical conditions and the like that can be used against you.
However, the biggest threat right now is identity theft. You must assume that your personal information is out there for anyone who wants it. Therefore you must take steps to limit the risk of identity theft. Start by reviewing the offerings of the three credit agencies Equifax, Experian, and TransUnion.
