No technology can replace a culture of respect for privacy. Arthur Riel, a former IT manager at Morgan Stanley found out the hard way. Information Week has done a good job covering the story. Seems that Mr. Riel was in charge of putting in place an e-mail archiving and searching solution at Morgan Stanley. Ironically enough, as a result of SOX findings that indicated that the company needed to do a better job of managing it’s e-mail.

Read the rest of this entry »

The Electronic Frontier Foundation reports that Sony has been shipping CDs that infect computers with a Rootkit. A rootkit is a set of programs or tools, generally installed by hackers, that run stealthily in the background. Sony’s rootkit, called XCP2 and developed by First 4 Internet, “protects” music from being illegally copied. However, the software also seems to prevent legal uses of the CDs such as listening to the songs on your iPod. It also reportedly slows down PCs and makes computers more susceptible to attacks. Unfortunately, the software hides itself, so you may not even know you are infected.

To Sony’s credit, you can distinguish which CDs have this software by the noting the “CONTENT-FILTERED” label on the left transparent spine of the CD case and the fine print on the back of the CD case. Although, I might take that back. Given the stealthy nature of the software, and the fact that Sony is unwilling to disclose a list of the CDs with this software installed on it, it seems that Sony is only disclosing as much information as is required. Privacy doesn’t just deal with the confidentiality of information, it also concerns the availability of your information. In this instance, Sony is abusing the inherent trust a consumer has in their newly purchased product.

To read more about this or to obtain a list of the known infected CDs, click here to read the EFF article.

Apparently, laywers in California has filed a class-action lawsuit against Sony to prevent them from selling CDs with this software on it. Furthermore, California is seeking monetary damages for its consumers. A suit in New York is expected to be filed later today.

The Concurring Opinions Privacy Blog had a very descriptive and informative post that explains how Microsoft Word documents may give away information about you that you are unaware of. They point out that Microsoft Word documents contain “metadata” that encodes information about the authors and editors of each document. They also cite a few examples of how this can come back to haunt you.

Similarly, according to this article, the Electronic Frontier Foundation has cracked a secret printer code with the Xerox DocuColor line of laser printers. Apparently, this is the word of the U.S. Secret Service. Encoded in each document printed from the laser printer is the date and time the document was printed, as well as the serial number of the printer.

The point is, your privacy may be at risk in ways you aren’t aware of.

Kevin Mitnick, a notorious serial hacker and security specialist, recounts his criminal hacking exploits. Mitnick looks back at his criminal past as detractors comment on his life then and now. Mitnick is the founder of Mitnick Security Counsulting, LLC and a speaker at IAPP

Information sharing and integration are essential elements of today’s marketplace. Current information integration approaches are based on the assumption that all of the information in each database can be revealed to the other databases. This is a potential privacy concern in many applications, such as applications that involve medical information and national security. IBM Almaden Research Center’s Sovereign Information Integration (SII) technology allows companies to share and integrate data while complying with privacy policies and laws. The SSI technology employs an innovative double-encryption technique in which each party encrypts its own data and then sends it to the other party to encrypt again. Double-encrypted data can be compared without violating disclosure rules because nonmatching values are protected by the other party’s encryption and would be unreadable by either party. SII is the functional component of IBM’s Hippocratic Database, which ties into health care applications to let users indicate who should have access to certain patient data.

Security and privacy should be designed into IT systems. Developers of new technologies must take privacy implications into consideration when developing new products. Vulnerabilities from intentional and unintentional intrusions or violations need to be guarded against at an architectural level. John Kavanagh recently wrote an article about what questions IT professionals should ask themselves about privacy when developing new systems.

A study conducted by the Better Business Bureau and Javelin Research finds that despite growing fears about online fraud, most cases of identity theft originate offline.

“Most often, a lost or stolen wallet or checkbook gives thieves information to commit fraud. Computer crimes made up just 12 percent of all identity fraud cases in which the cause is known; and of those half are attributed to spyware, the software that sneaks onto computers and can send back private information.” According to the AP.

The study also found that identity fraud is often committed by a friend, relative, in-home employee or someone else known by the victim.

Link to the press release for the study.

Full(ish) report here.

The national strategy to secure cyberspace is extremely important, but its implementation has been weak, says Cyber Security Industry Alliance of Washington leader Paul Kurtz, whose last post was special assistant to the president and senior director for critical infrastructure protection. Kurtz believes cybersecurity should be approached from a business-risk viewpoint, given that most of the owners and operators of critical infrastructure are members of the private sector. The government cannot and should not shoulder the entire burden of protecting cyberspace. Read full story.

I recently received another email “alert” from “my bank” - “CitiBank”, telling me due to recent identity theft and fraudulent emails, CitiBank needs me to update my personal information by clicking the provided link. The sender of the email was shown as “customerservice@citibank.com”. The CitiBank logo was displayed in the email. The request was to “protect” me, a customer of CitiBank. Everything seemed so right. I almost wanted to click the link, but I did not.

Of course, I would never click such a link. As a researcher working on security and privacy, I’m quite familiar with such kind of fraudulent emails. But for the general public, especially those inexperienced Internet users, would they click such a link and update their personal information?

Study has shown that this attack (using fraudulent emails and screens to trick customers to provide their personal information) has a surprisingly high success ratio. As many as 5% of the email recipients were tricked by these fraudulent emails and screens. (I wish I had a reference for you about the 5%. I heard that in a seminar at NC State University in May 2004 given by Professor Marianne Winslett from UIUC.)

So, are you scared or are you astonished by the high success ratio of the attack?

I have been using online banking for over three years. So far it works pretty good for me. I enjoy the convenience that online banking has brought to me. So, maybe it is not bad after all.

A recent article by Tony Lima - Does Online Banking Put Your Money at Risk?, states that scammers and thieves are out there, but you can protect yourself. I agree with Tony. But I also think the security knowledge of the general public is far from good enough to protect themselves against the attacks that are invented every day.

Even for myself, I do not completely trust the security of online banking. For example, there is usually less than $1,500 balance in my checking account. This is the average amount I use to pay my bills each month for an apartment living. I have other accounts that I never use online banking. In this way, I have limited the maximal loss of my account in the worst case.

Online banking brings us a lot of convenience and also poses additional risks. Knowledge is the power. With more security knowledge, people can protect themselves from being attacked or tricked. There is a great need for more security training on and off campus for everyone that are involved in online banking and e-commerce.

I finally got a chance to see I, Robot last week. Frankly, I had many qualms about going to see this film. For one thing, every movie with Will Smith seems to end up being a Will Smith love-fest rather than, you know, an actual story. My main objection, at least before seeing the movie was that they didn’t use Harlan Ellison’s scrieen play. But I’m a sucker for summer sci-fi action flick so I decided to go anyway. Little did I know I’d be professionally insulted as well as underwhelmed.

I’ll try not spoil the story too much, for those of you who might want to go see the show. A key location in the movie is the world headquarters of “U.S. Robotics” the makers of commercial domestic Robots. The entire building is secured by Artificial Intelligence system called Vicki. (I forget the cute acronym.) They make a Big Deal out of the fact that Vicki is constantly monitoring everything in the U.S. Robotics buildings for security. OK fine. I can suspend my disbelief in AI for the sake of a move. The sentient Artificial Intelligence is a time honored trope in the science fiction.

But as things start to get tense in the movie, Our Hero, Detective Dell Spooner (Will Smith) and his geek robot psychologist, Dr. Susan Calvin (Bridget Moynahan) find themselves desperately needing to get into the U.S. Robotics building. Unfortunately, it’s surrounded by thousands of NS5 Robots who have inexplicably turned into bad guys.

As Del and Susan hide just out side the reach of the Evil Robots, they ponder how the heck they are going to get into the building, past Vicki’s perimeter security. Finally, Dr. Calvin comes up with a brilliant plan. I don’t remember the exactl dialog, but it was something like, “I know, we’ll sneak in through the service tunnel. It’s not monitored by Vicki because it’s only used for service!!”. And that’s what they do, they pry open a conveniently located man hole, hop into the service tunnel and sneak into the building. So there ya go, a security hacker lesson from I, Robot.

Um, OK. In other words, the screen writer wrote himself into a corner he couldn’t get out of so he wrote a plot hole that violated the most fundamental tenet of security, which is that YOU PLAN YOUR SECURITY ON WHAT COULD HAPPEN, NOT WHAT USUALLY HAPPENS.

Any security consultant who would suggest that a service tunnel doesn’t need to be monitored because it isn’t usually used by humans to get into the building would be laughed out of business. It’s like a police officer saying that you don’t need locks on your doors because most of the time burglars don’t try to walk in your front door. It’s like telling a company they don’t need firewalls protecting their intranet because most people interact with the company’s web site.

So we can all get a chuckle at the screen writer’s sloppy plotting and feel smug about the mature computer security industry. Even the most technologically phobic executive understands the basic needs of physical and network security in their company’s environment. We’ve got a rich industry of firewalls, authentication systems, authorization systems, intrusion detection systems, etc. etc.

It occurs to me that IT industry hasn’t yet adopted the same rigor in our thinking about privacy management. Ask any IT professional in a company about the tools they use to protect the prvacy of the personal information they are entrusted with and they’re likely to mumble something about having a privacy notice on their web site. Maybe they’ll talk about using SSL when transferring data from a browser to a browser to a server. And the really forward thinking folks may be able to articulate a strategy for encrypting personal informations when it’s stored.

All of these things are good, and I’d not speak against any of them. But do they really protect the privacy of their customers. How do the stewards of personal information know that they aren’t using data in ways that directly violate the promises they make to their customers? As the good folks at Hooked On Phonics found out the hard way, the FTC is starting to crack down on companies that violate the privacy promises that they make.

It’s most likely that the folks at Hooked On Phonics were not deliberately being malicious. It was just a case where one department in a company used sensitive personal information without any prior knowledge about the promises made by other departments in the company. All to often, the only preventative measure the companies have in place is to circulate a memo reminding people of the company privacy policy. In other words the typical privacy management strategy in a company is based on what usually happens, not what could happen, which is just as big a hole in its IT infrastructure plans as the plot holes in I, Robot.

- Calvin Powers