Two days ago, the 33rd episode of the Silver Bullet Security Podcast was released. If you are new to the this podcast, it’s a monthly podcast featuring interviews with noted security experts. It’s co-sponsored by IEEE Security and Privacy Magazine and Cigital. I would highly recommend it for anyone interested in software security and privacy research. I’ve been a loyal listener almost since it started, and I have yet to find an episode that didn’t teach me something new.

In it, Dr. Gary McGraw, the host of the series, interviews Dr. Laurie Williams, an Associate Professor of Computer Science at North Carolina State University. They discuss the work the Software Engineering Realsearch Group is doing in software security, testing, and agile development. In my humble and admittedly biased opinion, Dr. Williams is an excellent teacher and the podcast is absolutely worth checking out.

In a previous episode, Dr. Annie Antón, a Professor of Computer Science at North Carolina State University and the Director of The Privacy Place, was also interviewed by Dr. McGraw. They discussed the our work here at The Privacy Place including research on privacy policies, the role of regulations in computer privacy and security, and the relationship between privacy and security. Of course, my opinion as to this podcast is even more biased, but I would still encourage you to check it out.

Previous podcasts have included interviews with luminaries such as Ed Felten, Bruce Schneier, Dorothy Denning, Eugene Spafford, Adam Shostack, and Matt Bishop. I am tempted to simply list all the interviewees because each episode is fantastic, but I’ll leave the rest as a teaser. If you were so inclined, you could even follow their RSS or iTunes feed as a New Year’s resolution.

Google recently announced their new open source browser, called Chrome, via a comic book. Although slated for release sometime today, the link mentioned in the comic book (http://www.google.com/chrome) appears to be down is now up! The 38-page comic book is surprisingly informative, mildly entertaining, and certainly a unique way to release a new product, but don’t let the playfulness of the announcement fool you. Chrome has many important features, including a privacy-enhancing feature called “Incognito.”

Incognito is a user-visible feature that enables a private browsing mode. Private browsing is a relatively simple concept with tangible benefits to privacy. Under normal operation, a browser will store information about a user’s browsing history. Stored information could include sites visited, data downloaded, searches conducted, or even personal information entered. Under private browsing mode, that same browser simply doesn’t store this type of information. Essentially, a browser has no memory of what users do when private browsing is enabled.

Although private browsing is conceptually simple, it is not easy to implement because everything the browser does is affected by private browsing. Apple’s Safari browser has had a private browsing mode since version 2.0 (April 2005). Currently in version 3.1.2, Safari still is the only major browser to have a built-in private browsing mode. However, Safari’s private browsing mode isn’t perfect.

Private browsing was a planned feature for Firefox 3.0, but was dropped before the release because the developers “didn’t want to put something in that was half baked.” The Mozilla Wiki describes the current state of this feature and provides a link to a Firefox plugin called Stealther, which provides some private browsing features.

Microsoft has announced that they will include a private browsing feature, called InPrivate, in their next version of Internet Explorer. Microsoft’s effort seems to be even more ambitious than simply not storing data locally. For example, a Microsoft blog post describes a feature, called InPrivate Blocking, that would add the ability to block browsing information that would normally flow to third party sites.

Clearly, private browsing mode is not a trivial engineering task, but Chrome has some fundamental advantages over the “big three” that may simply make real private browsing easier to implement and maintain. Since Chrome will have Incognito on its first release there is less code that needs to be re-engineered to respect a private browsing mode. Also, Chrome uses a separate process for each tab, whereas a traditional browser only has a single process for all of its tabs. Multiple processes make it easier to sandbox tabs. As a result of these strict separations, it could be possible that Chrome would allow individual tabs to go “Incognito” while others act normally.

It is difficult to predict what sort of impact Chrome will have on the browser market, web application development, or Internet privacy, but if Chrome will have any impact, then it must compete with the “big three.” They are big for a reason, and a comic book isn’t going to solve that problem.

[ Update: Google has officially released Chrome at the following URL: http://www.google.com/chrome ]

No technology can replace a culture of respect for privacy. Arthur Riel, a former IT manager at Morgan Stanley found out the hard way. Information Week has done a good job covering the story. Seems that Mr. Riel was in charge of putting in place an e-mail archiving and searching solution at Morgan Stanley. Ironically enough, as a result of SOX findings that indicated that the company needed to do a better job of managing it’s e-mail.

Read the rest of this entry »

The Electronic Frontier Foundation reports that Sony has been shipping CDs that infect computers with a Rootkit. A rootkit is a set of programs or tools, generally installed by hackers, that run stealthily in the background. Sony’s rootkit, called XCP2 and developed by First 4 Internet, “protects” music from being illegally copied. However, the software also seems to prevent legal uses of the CDs such as listening to the songs on your iPod. It also reportedly slows down PCs and makes computers more susceptible to attacks. Unfortunately, the software hides itself, so you may not even know you are infected.

To Sony’s credit, you can distinguish which CDs have this software by the noting the “CONTENT-FILTERED” label on the left transparent spine of the CD case and the fine print on the back of the CD case. Although, I might take that back. Given the stealthy nature of the software, and the fact that Sony is unwilling to disclose a list of the CDs with this software installed on it, it seems that Sony is only disclosing as much information as is required. Privacy doesn’t just deal with the confidentiality of information, it also concerns the availability of your information. In this instance, Sony is abusing the inherent trust a consumer has in their newly purchased product.

To read more about this or to obtain a list of the known infected CDs, click here to read the EFF article.

Apparently, laywers in California has filed a class-action lawsuit against Sony to prevent them from selling CDs with this software on it. Furthermore, California is seeking monetary damages for its consumers. A suit in New York is expected to be filed later today.

The Concurring Opinions Privacy Blog had a very descriptive and informative post that explains how Microsoft Word documents may give away information about you that you are unaware of. They point out that Microsoft Word documents contain “metadata” that encodes information about the authors and editors of each document. They also cite a few examples of how this can come back to haunt you.

Similarly, according to this article, the Electronic Frontier Foundation has cracked a secret printer code with the Xerox DocuColor line of laser printers. Apparently, this is the word of the U.S. Secret Service. Encoded in each document printed from the laser printer is the date and time the document was printed, as well as the serial number of the printer.

The point is, your privacy may be at risk in ways you aren’t aware of.

Kevin Mitnick, a notorious serial hacker and security specialist, recounts his criminal hacking exploits. Mitnick looks back at his criminal past as detractors comment on his life then and now. Mitnick is the founder of Mitnick Security Counsulting, LLC and a speaker at IAPP

Information sharing and integration are essential elements of today’s marketplace. Current information integration approaches are based on the assumption that all of the information in each database can be revealed to the other databases. This is a potential privacy concern in many applications, such as applications that involve medical information and national security. IBM Almaden Research Center’s Sovereign Information Integration (SII) technology allows companies to share and integrate data while complying with privacy policies and laws. The SSI technology employs an innovative double-encryption technique in which each party encrypts its own data and then sends it to the other party to encrypt again. Double-encrypted data can be compared without violating disclosure rules because nonmatching values are protected by the other party’s encryption and would be unreadable by either party. SII is the functional component of IBM’s Hippocratic Database, which ties into health care applications to let users indicate who should have access to certain patient data.

Security and privacy should be designed into IT systems. Developers of new technologies must take privacy implications into consideration when developing new products. Vulnerabilities from intentional and unintentional intrusions or violations need to be guarded against at an architectural level. John Kavanagh recently wrote an article about what questions IT professionals should ask themselves about privacy when developing new systems.

A study conducted by the Better Business Bureau and Javelin Research finds that despite growing fears about online fraud, most cases of identity theft originate offline.

“Most often, a lost or stolen wallet or checkbook gives thieves information to commit fraud. Computer crimes made up just 12 percent of all identity fraud cases in which the cause is known; and of those half are attributed to spyware, the software that sneaks onto computers and can send back private information.” According to the AP.

The study also found that identity fraud is often committed by a friend, relative, in-home employee or someone else known by the victim.

Link to the press release for the study.

Full(ish) report here.

The national strategy to secure cyberspace is extremely important, but its implementation has been weak, says Cyber Security Industry Alliance of Washington leader Paul Kurtz, whose last post was special assistant to the president and senior director for critical infrastructure protection. Kurtz believes cybersecurity should be approached from a business-risk viewpoint, given that most of the owners and operators of critical infrastructure are members of the private sector. The government cannot and should not shoulder the entire burden of protecting cyberspace. Read full story.