Archive for 'Computer Security'

In Defense of Smart Phone Security by Default

Sunday, October 19th, 2014

The Apple iOS8 phone and the latest Google Android phone claim to establish landmark privacy protections by establishing encryption by default. According to Apple and Google, they will be unable to “open” the phone for anyone, not even law enforcement. These new measures have been sharply criticized by the Director of the FBI and the Attorney General. As a software engineering professor, I’ve devoted my career to teaching students how to develop (a) secure, (b) privacy preserving, and (c) legally compliant software systems. I’m not qualified to debate whether or not this move by Apple and Google is lawful or constitutional. However, as a technologist I can assert that applying security best practices will yield a system that can withstand intrusions and denial of service attacks, limits access to authenticated and authorized users, etc.

The recent “encryption by default” design decision by Apple and Google is currently being discussed in software engineering and security classes across our nation, and perhaps across the globe. By default, privacy and security researchers, technologists and activists applaud this decision because it is raising the bar for truly implementing security best practices. It’s a bitter pill to swallow for professors who teach students to develop secure, privacy preserving, and legally compliant software, to have our students be told on the job, “Oh, that stuff you learned about security back in school? We only want you to secure the system part way, not all the way. So, leave in a back door.” Such a position undermines those academic institutions seeking to prepare tomorrow’s security and privacy workforce in an ever-changing world where sophisticated criminals are getting smarter and their offensive techniques are surpassing our ability to stay ahead.

From my experience working with government agencies, I thoroughly understand the desire to “catch the bad guys” and value the ability to prevent malicious criminal activity by individuals or nation states. I want our government, Department of Homeland Security, Department of Defense and Intelligence Community to protect us from the unfathomable. I find myself wondering why the very institutions who promote security and privacy best practices (via, for example, centers of excellence at our nation’s top universities) are so vehemently opposed to industry actually implementing best practices. My analysis yields two observations:

  1. Taking the Easy Way Out. For law enforcement to expect companies to provide the government with back door access (even when required by law), seems to me to be the lazy approach. If one reads between the lines, one could infer that the government is lacking the incentives and/or the will to innovate and improve the state of the art in cyber offense. Where’s the spirit of the scientists and engineers who enabled man to walk the moon? Where’s the American will to innovate, to surpass the state of the art, and be the best? Why let other nations beat us at our own game? The only way we can get better at offense is by facing the best possible defense. At a time when other nation states are getting so sophisticated, we risk not developing our own capabilities if we rely on an easy backdoor rather than honing our own skills. We need to keep ourselves sharp by learning how to confront the state of the art systems. If we aren’t staying ahead of the curve then other countries and their intelligence services will have reason to develop capabilities beyond our agencies when we’re relying on these factors.
  2. Creating a Backdoor for Use in Other Countries. If the United States expects companies to provide a back door to gain access to systems and the data that resides in those systems, then other governments will, too. We can’t well expect Apple or Google to provide a backdoor to the U.S., but not to China or Russia. At least in the United States, we have a legal framework that requires search warrants, etc. to gain access via the backdoor. But many other countries lack these legal safeguards and will require the phone companies to enable snooping into the systems within those countries with no legal protections comparable to US system. As security engineers have learned in many other systems, you can’t build a vulnerability that is used only by the good guys and not by others.

I certainly empathize with law enforcement’s desire to gain evidence for critical investigations. But Congress and the White House have agreed that cybersecurity should be funded as a national priority. As professors of computer security, we can’t teach the importance of building secure systems and then explain to our students that we will leave tens of millions of devices insecure.

Dr. Annie I. Antón is a Professor in and Chair of the School of Interactive Computing at the Georgia Institute of Technology in Atlanta. She has served the national defense and intelligence communities in a number of roles since being selected for the IDA/DARPA Defense Science Study Group in 2005-2006.

Silver Bullet Security Podcast Interviews Dr. Williams

Wednesday, December 24th, 2008

Two days ago, the 33rd episode of the Silver Bullet Security Podcast was released. If you are new to the this podcast, it’s a monthly podcast featuring interviews with noted security experts. It’s co-sponsored by IEEE Security and Privacy Magazine and Cigital. I would highly recommend it for anyone interested in software security and privacy research. I’ve been a loyal listener almost since it started, and I have yet to find an episode that didn’t teach me something new.

In it, Dr. Gary McGraw, the host of the series, interviews Dr. Laurie Williams, an Associate Professor of Computer Science at North Carolina State University. They discuss the work the Software Engineering Realsearch Group is doing in software security, testing, and agile development. In my humble and admittedly biased opinion, Dr. Williams is an excellent teacher and the podcast is absolutely worth checking out.

In a previous episode, Dr. Annie Antón, a Professor of Computer Science at North Carolina State University and the Director of The Privacy Place, was also interviewed by Dr. McGraw. They discussed the our work here at The Privacy Place including research on privacy policies, the role of regulations in computer privacy and security, and the relationship between privacy and security. Of course, my opinion as to this podcast is even more biased, but I would still encourage you to check it out. 🙂

Previous podcasts have included interviews with luminaries such as Ed Felten, Bruce Schneier, Dorothy Denning, Eugene Spafford, Adam Shostack, and Matt Bishop. I am tempted to simply list all the interviewees because each episode is fantastic, but I’ll leave the rest as a teaser. If you were so inclined, you could even follow their RSS or iTunes feed as a New Year’s resolution. 😉

Google’s New Browser: Chrome

Tuesday, September 2nd, 2008

Google recently announced their new open source browser, called Chrome, via a comic book. Although slated for release sometime today, the link mentioned in the comic book (http://www.google.com/chrome) appears to be down is now up! The 38-page comic book is surprisingly informative, mildly entertaining, and certainly a unique way to release a new product, but don’t let the playfulness of the announcement fool you. Chrome has many important features, including a privacy-enhancing feature called “Incognito.”

Incognito is a user-visible feature that enables a private browsing mode. Private browsing is a relatively simple concept with tangible benefits to privacy. Under normal operation, a browser will store information about a user’s browsing history. Stored information could include sites visited, data downloaded, searches conducted, or even personal information entered. Under private browsing mode, that same browser simply doesn’t store this type of information. Essentially, a browser has no memory of what users do when private browsing is enabled.

Although private browsing is conceptually simple, it is not easy to implement because everything the browser does is affected by private browsing. Apple’s Safari browser has had a private browsing mode since version 2.0 (April 2005). Currently in version 3.1.2, Safari still is the only major browser to have a built-in private browsing mode. However, Safari’s private browsing mode isn’t perfect.

Private browsing was a planned feature for Firefox 3.0, but was dropped before the release because the developers “didn’t want to put something in that was half baked.” The Mozilla Wiki describes the current state of this feature and provides a link to a Firefox plugin called Stealther, which provides some private browsing features.

Microsoft has announced that they will include a private browsing feature, called InPrivate, in their next version of Internet Explorer. Microsoft’s effort seems to be even more ambitious than simply not storing data locally. For example, a Microsoft blog post describes a feature, called InPrivate Blocking, that would add the ability to block browsing information that would normally flow to third party sites.

Clearly, private browsing mode is not a trivial engineering task, but Chrome has some fundamental advantages over the “big three” that may simply make real private browsing easier to implement and maintain. Since Chrome will have Incognito on its first release there is less code that needs to be re-engineered to respect a private browsing mode. Also, Chrome uses a separate process for each tab, whereas a traditional browser only has a single process for all of its tabs. Multiple processes make it easier to sandbox tabs. As a result of these strict separations, it could be possible that Chrome would allow individual tabs to go “Incognito” while others act normally.

It is difficult to predict what sort of impact Chrome will have on the browser market, web application development, or Internet privacy, but if Chrome will have any impact, then it must compete with the “big three.” They are big for a reason, and a comic book isn’t going to solve that problem.

[ Update: Google has officially released Chrome at the following URL: http://www.google.com/chrome ]

The New Frontier of Privacy Management: Policy Based Auditing

Monday, April 3rd, 2006

No technology can replace a culture of respect for privacy. Arthur Riel, a former IT manager at Morgan Stanley found out the hard way. Information Week has done a good job covering the story. Seems that Mr. Riel was in charge of putting in place an e-mail archiving and searching solution at Morgan Stanley. Ironically enough, as a result of SOX findings that indicated that the company needed to do a better job of managing it’s e-mail.

Read the rest of this entry »

Sony’s Secret Software on CDs

Thursday, November 10th, 2005

The Electronic Frontier Foundation reports that Sony has been shipping CDs that infect computers with a Rootkit. A rootkit is a set of programs or tools, generally installed by hackers, that run stealthily in the background. Sony’s rootkit, called XCP2 and developed by First 4 Internet, “protects” music from being illegally copied. However, the software also seems to prevent legal uses of the CDs such as listening to the songs on your iPod. It also reportedly slows down PCs and makes computers more susceptible to attacks. Unfortunately, the software hides itself, so you may not even know you are infected.

To Sony’s credit, you can distinguish which CDs have this software by the noting the “CONTENT-FILTERED” label on the left transparent spine of the CD case and the fine print on the back of the CD case. Although, I might take that back. Given the stealthy nature of the software, and the fact that Sony is unwilling to disclose a list of the CDs with this software installed on it, it seems that Sony is only disclosing as much information as is required. Privacy doesn’t just deal with the confidentiality of information, it also concerns the availability of your information. In this instance, Sony is abusing the inherent trust a consumer has in their newly purchased product.

To read more about this or to obtain a list of the known infected CDs, click here to read the EFF article.

Apparently, laywers in California has filed a class-action lawsuit against Sony to prevent them from selling CDs with this software on it. Furthermore, California is seeking monetary damages for its consumers. A suit in New York is expected to be filed later today.

What Your Word Processor Can Reveal About You

Tuesday, November 8th, 2005

The Concurring Opinions Privacy Blog had a very descriptive and informative post that explains how Microsoft Word documents may give away information about you that you are unaware of. They point out that Microsoft Word documents contain “metadata” that encodes information about the authors and editors of each document. They also cite a few examples of how this can come back to haunt you.

Similarly, according to this article, the Electronic Frontier Foundation has cracked a secret printer code with the Xerox DocuColor line of laser printers. Apparently, this is the word of the U.S. Secret Service. Encoded in each document printed from the laser printer is the date and time the document was printed, as well as the serial number of the printer.

The point is, your privacy may be at risk in ways you aren’t aware of.

Kevin Mitnick Recalls Cyber Crime And Punishment

Thursday, September 22nd, 2005

Kevin Mitnick, a notorious serial hacker and security specialist, recounts his criminal hacking exploits. Mitnick looks back at his criminal past as detractors comment on his life then and now. Mitnick is the founder of Mitnick Security Counsulting, LLC and a speaker at IAPP

IBM’s Sovereign Information Integration (SII) technology: double encryption to achieve privacy-minded security

Friday, September 16th, 2005

Information sharing and integration are essential elements of today’s marketplace. Current information integration approaches are based on the assumption that all of the information in each database can be revealed to the other databases. This is a potential privacy concern in many applications, such as applications that involve medical information and national security. IBM Almaden Research Center’s Sovereign Information Integration (SII) technology allows companies to share and integrate data while complying with privacy policies and laws. The SSI technology employs an innovative double-encryption technique in which each party encrypts its own data and then sends it to the other party to encrypt again. Double-encrypted data can be compared without violating disclosure rules because nonmatching values are protected by the other party’s encryption and would be unreadable by either party. SII is the functional component of IBM’s Hippocratic Database, which ties into health care applications to let users indicate who should have access to certain patient data.

IT developers need to consider privacy implications of systems

Thursday, March 24th, 2005

Security and privacy should be designed into IT systems. Developers of new technologies must take privacy implications into consideration when developing new products. Vulnerabilities from intentional and unintentional intrusions or violations need to be guarded against at an architectural level. John Kavanagh recently wrote an article about what questions IT professionals should ask themselves about privacy when developing new systems.

Most Identity Theft Occurs Offline

Thursday, January 27th, 2005

A study conducted by the Better Business Bureau and Javelin Research finds that despite growing fears about online fraud, most cases of identity theft originate offline.

“Most often, a lost or stolen wallet or checkbook gives thieves information to commit fraud. Computer crimes made up just 12 percent of all identity fraud cases in which the cause is known; and of those half are attributed to spyware, the software that sneaks onto computers and can send back private information.” According to the AP.

The study also found that identity fraud is often committed by a friend, relative, in-home employee or someone else known by the victim.

Link to the press release for the study.

Full(ish) report here.