<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>BlogInfoSec.com &#187; Privacy</title>
	<atom:link href="http://www.bloginfosec.com/category/privacy/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.bloginfosec.com</link>
	<description>An Information Security Magazine in a Blog Format</description>
	<lastBuildDate>Mon, 06 Feb 2012 11:00:17 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Security Innovation – Trying to Change the Game</title>
		<link>http://www.bloginfosec.com/2011/05/10/security-innovation-%e2%80%93-trying-to-change-the-game/</link>
		<comments>http://www.bloginfosec.com/2011/05/10/security-innovation-%e2%80%93-trying-to-change-the-game/#comments</comments>
		<pubDate>Tue, 10 May 2011 10:00:28 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[book review]]></category>
		<category><![CDATA[Dan Schutzer]]></category>
		<category><![CDATA[Enterpise Information Security and Privacy]]></category>
		<category><![CDATA[Jennifer Bayuk]]></category>
		<category><![CDATA[Randy Sabett]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[Robert M Slade]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1863</guid>
		<description><![CDATA[It’s never pleasant to receive a somewhat negative book review, but such reviews often point the way to future improvements. As Theodore Roosevelt once said, “It is hard to fail, but it is worse never to have tried to succeed.”
So that’s how I felt about Robert M. Slade’s review of the book Enterprise Information Security [...]<br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>It’s never pleasant to receive a somewhat negative book review, but such reviews often point the way to future improvements. As Theodore Roosevelt once said, “It is hard to fail, but it is worse never to have tried to succeed.”</p>
<p>So that’s how I felt about Robert M. Slade’s review of the book <strong>Enterprise Information Security and Privacy</strong> (Artech House, 2009), which I co-edited with Jennifer Bayuk and Dan Schutzer. You can find the review in many places on the Web, such as at <a href="http://www.portable-digital-video-recorder.com/review-%E2%80%9Centerprise-information-security-and-privacy%E2%80%9D-c-warren-axelrodjennifer-l-bayukdaniel-schutzer/">http://www.portable-digital-video-recorder.com/review-%E2%80%9Centerprise-information-security-and-privacy%E2%80%9D-c-warren-axelrodjennifer-l-bayukdaniel-schutzer/</a></p>
<p>The last sentence of what I consider to be a generally fair review states “If the authors were supposed to present new ideas for security, they have failed. There is nothing wrong with any of the pieces contained in the book, but they are simply ‘more of the same.’” As coordinating editor of the book, my personal response, and not necessarily that of my co-editors or the authors, is “Guilty, with an explanation.” So here’s the explanation.</p>
<p>I originally came up with the concept of developing a book that would point out the myths that constantly dog information security practices and then come up with some “game-changing” ways in which to advance the state of the art of information security and privacy. Researchers in government, academia and the private sector are all looking for those breakthroughs that will “change the game” when it comes to the fight against cyber attacks. My co-editors and I canvassed among the practitioners, whom we knew, for them to write chapters for the book, based on the premise that practitioners likely know better than researchers and vendors what works and what doesn’t. This presented our first hurdle. Few practitioners have time to write. We found some very good ones who were able to contribute, but it was a hard slog.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1863&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2011/05/10/security-innovation-%e2%80%93-trying-to-change-the-game/">Security Innovation – Trying to Change the Game</a> (705 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2011. |
<a href="http://www.bloginfosec.com/2011/05/10/security-innovation-%e2%80%93-trying-to-change-the-game/">Permalink</a> |
<a href="http://www.bloginfosec.com/2011/05/10/security-innovation-%e2%80%93-trying-to-change-the-game/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2011/05/10/security-innovation-%e2%80%93-trying-to-change-the-game/&title=Security Innovation – Trying to Change the Game">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/book-review/" rel="tag">book review</a>, <a href="http://www.bloginfosec.com/tag/dan-schutzer/" rel="tag">Dan Schutzer</a>, <a href="http://www.bloginfosec.com/tag/enterpise-information-security-and-privacy/" rel="tag">Enterpise Information Security and Privacy</a>, <a href="http://www.bloginfosec.com/tag/jennifer-bayuk/" rel="tag">Jennifer Bayuk</a>, <a href="http://www.bloginfosec.com/tag/randy-sabett/" rel="tag">Randy Sabett</a>, <a href="http://www.bloginfosec.com/tag/risk/" rel="tag">risk</a>, <a href="http://www.bloginfosec.com/tag/robert-m-slade/" rel="tag">Robert M Slade</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2011/05/10/security-innovation-%e2%80%93-trying-to-change-the-game/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is the End-User to Blame for the Lack of Security?</title>
		<link>http://www.bloginfosec.com/2011/02/07/is-the-end-user-to-blame-for-the-lack-of-security/</link>
		<comments>http://www.bloginfosec.com/2011/02/07/is-the-end-user-to-blame-for-the-lack-of-security/#comments</comments>
		<pubDate>Mon, 07 Feb 2011 11:00:42 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Human Elements]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA["The Shadow Factory"]]></category>
		<category><![CDATA[end-user security]]></category>
		<category><![CDATA[James Bamford]]></category>
		<category><![CDATA[National Security Agency]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1806</guid>
		<description><![CDATA[I recently read James Bamford’s book The Shadow Factory: The Ultra-Secret NSA from 9/11 to the Eavesdropping on America, which, as the subtitle suggests, is a history and an exposé of the NSA (National Security Agency). It is certainly a book that should be read by privacy advocates and those interested in the interplay among [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>I recently read James Bamford’s book <em>The Shadow Factory: The Ultra-Secret NSA from 9/11 to the Eavesdropping on America,</em> which, as the subtitle suggests, is a history and an exposé of the NSA (National Security Agency). It is certainly a book that should be read by privacy advocates and those interested in the interplay among the various intelligence and law enforcement agencies, both in the U.S. and elsewhere. A particular quote that caught my eye was that on page 183 by David W. Aucsmith, security architect and CTO for Microsoft Corp.’s Security and Business Technology Unit, and a recent member the NSA’s Advisory Board. He is quoted as saying: “The actual user of the PC—someone who can do anything they want—is the enemy.” Nice, but I happen to disagree.</p>
<p>I believe that PC users have been wrongly put in an untenable position with respect to end-user security, namely, they are given all the responsibility (and blame) and little authority and few tools to resolve issues.</p>
<p>There you are. You just attempted to shut down your PC when a notice appears admonishing you not to turn off your computer as 5 updates are being applied and we’re only at update number 3. You wait anywhere from 2 minutes to 30 minutes as your machine whirs away in a magical mysterious way as, presumably, you are being given new features and further protection against the latest malware. But are you? Could this be rogue software injecting all forms of malware into your formerly pristine machine? Well, yes, you can do your research and determine the validity of the updates, decide whether you want them installed, check the web for indications of what the updates, if real, are actually doing. But who has the time and inclination to do that? Most of us just succumb and pray that the updates are real and that they will not damage or otherwise hamper the operation of our machines, albeit unintentionally.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1806&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2011/02/07/is-the-end-user-to-blame-for-the-lack-of-security/">Is the End-User to Blame for the Lack of Security?</a> (301 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2011. |
<a href="http://www.bloginfosec.com/2011/02/07/is-the-end-user-to-blame-for-the-lack-of-security/">Permalink</a> |
<a href="http://www.bloginfosec.com/2011/02/07/is-the-end-user-to-blame-for-the-lack-of-security/#comments">One comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2011/02/07/is-the-end-user-to-blame-for-the-lack-of-security/&title=Is the End-User to Blame for the Lack of Security?">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/the-shadow-factory/" rel="tag">"The Shadow Factory"</a>, <a href="http://www.bloginfosec.com/tag/end-user-security/" rel="tag">end-user security</a>, <a href="http://www.bloginfosec.com/tag/james-bamford/" rel="tag">James Bamford</a>, <a href="http://www.bloginfosec.com/tag/national-security-agency/" rel="tag">National Security Agency</a>, <a href="http://www.bloginfosec.com/tag/nsa/" rel="tag">NSA</a>, <a href="http://www.bloginfosec.com/tag/privacy/" rel="tag">Privacy</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2011/02/07/is-the-end-user-to-blame-for-the-lack-of-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>What Do They NOT Know?</title>
		<link>http://www.bloginfosec.com/2011/01/31/what-do-they-not-know/</link>
		<comments>http://www.bloginfosec.com/2011/01/31/what-do-they-not-know/#comments</comments>
		<pubDate>Mon, 31 Jan 2011 11:00:44 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security in Popular Culture]]></category>
		<category><![CDATA[apps]]></category>
		<category><![CDATA[personal information]]></category>
		<category><![CDATA[smartphones]]></category>
		<category><![CDATA[spotlight]]></category>
		<category><![CDATA[The Wall Street Journal]]></category>
		<category><![CDATA[UDID]]></category>
		<category><![CDATA[WSJ]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1801</guid>
		<description><![CDATA[And the answer is &#8230; less and less. The Wall Street Journal’s series “What They Know,” which is an exposé of privacy “violations” on the Web, has been running since July 30, 2010. The thirteenth column in the series was published on December 18, 2010. I previously mentioned this WSJ series in my November 1, [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>And the answer is &#8230; less and less. <em>The Wall Street<strong> </strong>Journal’s</em> series “What They Know,” which is an exposé of privacy “violations” on the Web, has been running since July 30, 2010. The thirteenth column in the series was published on December 18, 2010. I previously mentioned this <em>WSJ</em> series in my November 1, 2010 column “Privacy? What Privacy?” as well as in my January 17, 2011 column “Those Data are Mine(d).” I have suggested that you might want to follow the series, which you can easily do at <a href="http://online.wsj.com/public/page/what-they-know-digital-privacy.html">http://online.wsj.com/public/page/what-they-know-digital-privacy.html</a></p>
<p>The December 18 <em>WSJ</em> article, “Your Apps Are Watching You: A WSJ Investigation finds that iPhone and Android apps are breaching the privacy of smartphone users,” by Scott Thurm and Yukari Iwatani Kane, describes how a large number of smartphone apps are sending off scads of personal information to marketers. Perhaps the most impressive part of the article is the amount of research that <em>WSJ</em> staffers actually performed. They set up a test environment in which they could monitor the information being sent out by phones’ apps. Of the 101 popular smartphone apps that the <em>WSJ</em> researchers examined, 56 transmitted the phones’ UDIDs (unique device identification numbers). 47 transmitted the location of the phone, and 5 sent out age, gender and other personal details.</p>
<p>While the claim by the senders and receivers of such information is that they do not collect personally identifiable data, we all know that all it needs for specific attribution is access to some database that relates the unique phone ID to individuals or some data mining software that can infer from the thousands of data items collected on each individual and stored in an Acxiom, or a similar “data management and retrieval” software, who the person is with a high degree of assurance. And either it is being done now without the <em>WSJ</em> reporters’ specific knowledge or it’s just around the corner.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1801&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2011/01/31/what-do-they-not-know/">What Do They NOT Know?</a> (145 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2011. |
<a href="http://www.bloginfosec.com/2011/01/31/what-do-they-not-know/">Permalink</a> |
<a href="http://www.bloginfosec.com/2011/01/31/what-do-they-not-know/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2011/01/31/what-do-they-not-know/&title=What Do They NOT Know?">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/apps/" rel="tag">apps</a>, <a href="http://www.bloginfosec.com/tag/personal-information/" rel="tag">personal information</a>, <a href="http://www.bloginfosec.com/tag/privacy/" rel="tag">Privacy</a>, <a href="http://www.bloginfosec.com/tag/smartphones/" rel="tag">smartphones</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a>, <a href="http://www.bloginfosec.com/tag/the-wall-street-journal/" rel="tag">The Wall Street Journal</a>, <a href="http://www.bloginfosec.com/tag/udid/" rel="tag">UDID</a>, <a href="http://www.bloginfosec.com/tag/wsj/" rel="tag">WSJ</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2011/01/31/what-do-they-not-know/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Eventually Your Online Identity Will Disappear</title>
		<link>http://www.bloginfosec.com/2011/01/24/eventually-your-online-identity-will-disappear/</link>
		<comments>http://www.bloginfosec.com/2011/01/24/eventually-your-online-identity-will-disappear/#comments</comments>
		<pubDate>Mon, 24 Jan 2011 11:00:03 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[identity loss]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[online identity]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1739</guid>
		<description><![CDATA[I began drafting this column some time ago, but had not posted it. Then an article by Rob Walker appeared in The New York Times Magazine on January 9, 2011 about the preservation of one’s digital self. The title of the piece is “Things to Do in Cyberspace When You’re Dead,” and it discusses various [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>I began drafting this column some time ago, but had not posted it. Then an article by Rob Walker appeared in <em>The New York Times Magazine</em> on January 9, 2011 about the preservation of one’s digital self. The title of the piece is “Things to Do in Cyberspace When You’re Dead,” and it discusses various methods and services that one can use to ensure that your digital heritage on the Web will be preserved for posterity in a form that is agreeable to you and represents your own interpretation of what is valid, which might well differ from the opinions and interpretations of others.</p>
<p>My thoughts on the subject are somewhat different. The real challenge, in my opinion, is in ensuring that what appears as a result of a search on your name is actually about you and not someone else with the same name. We expect that those with common names, such as “John Smith,” will have many hits when searched. On a recent (January 10, 2011) search on that name, Google came back with 6,480,000 results. So, unless you are particularly famous, or have a distinguishing other name or initial, or are involved in a highly-specialized endeavor, it is extremely difficult, if not impossible, to monitor your total presence on the web, which means checking for the many typographical and transcription errors and various forms of misrepresentation of your name.</p>
<p>On the other hand, if you have a somewhat distinctive name, your expectation is that, when you search on your name, much of what comes back is indeed relevant. Certainly there are examples when the browser parses your name and comes up with obviously inappropriate results, such as the many books on tropical fish by <strong>Warren</strong> E. Burgess and Herbert R. <strong>Axelrod</strong>, which are listed when I search on my own name.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1739&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2011/01/24/eventually-your-online-identity-will-disappear/">Eventually Your Online Identity Will Disappear</a> (475 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2011. |
<a href="http://www.bloginfosec.com/2011/01/24/eventually-your-online-identity-will-disappear/">Permalink</a> |
<a href="http://www.bloginfosec.com/2011/01/24/eventually-your-online-identity-will-disappear/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2011/01/24/eventually-your-online-identity-will-disappear/&title=Eventually Your Online Identity Will Disappear">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/identity-loss/" rel="tag">identity loss</a>, <a href="http://www.bloginfosec.com/tag/identity-theft/" rel="tag">identity theft</a>, <a href="http://www.bloginfosec.com/tag/online-identity/" rel="tag">online identity</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2011/01/24/eventually-your-online-identity-will-disappear/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Those Data are Mine(d)</title>
		<link>http://www.bloginfosec.com/2011/01/17/those-data-are-mined/</link>
		<comments>http://www.bloginfosec.com/2011/01/17/those-data-are-mined/#comments</comments>
		<pubDate>Mon, 17 Jan 2011 11:00:53 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[data mining]]></category>
		<category><![CDATA[deep packet inspection]]></category>
		<category><![CDATA[spotlight]]></category>
		<category><![CDATA[The Wall Street Journal]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1733</guid>
		<description><![CDATA[The “What They Know” series in The Wall Street Journal continues and is commendably relentless in its reporting of the growing compromises of personal data. Periodically and quite frequently, the WSJ publishes an article on how our privacy is being gnawed away many millions of records at a time. I first discussed the initial set [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>The “What They Know” series in The <em>Wall Street Journal</em> continues and is commendably relentless in its reporting of the growing compromises of personal data. Periodically and quite frequently, the <em>WSJ</em> publishes an article on how our privacy is being gnawed away many millions of records at a time. I first discussed the initial set of “What They Know” columns in my November 1, 2010 column “Privacy? What Privacy?” and suggested that we should all stay on the lookout for subsequent articles in the series. So here’s another one&#8230;</p>
<p>An article by Steve Stecklow and Paul Sonne, with the title “Shunned Profiling Method On the Verge of Comeback,” appeared on the front page of the November 24, 2010 edition. This time the reporters describe how “deep packet inspection” can glean behavioral information about millions of us by delving into the details held within the data packets that traverse the Internet.</p>
<p>I had originally known deep packet inspection to be a good thing. After all, it is touted by vendors of intrusion detection and prevention systems as a means of determining malicious, or at least suspect, behavior by prospective attackers. It enables the ferreting out of questionable transactions that would otherwise not be detected using more superficial techniques.</p>
<p>But like virtually all valuable technologies, deep packet inspection can be used for good or for evil, and, from the viewpoint of privacy advocates, such profiling of individuals, as described in the article, is certainly a bad thing.</p>
<p>When data mining first appeared on the scene, I was an enthusiastic proponent of the technology, and wrote about it some 14 years ago in an article in the December 1996 issue of <em>Wall Street &amp; Technology</em> with the title “Cashing in on Data Mining.” Back then, the issue of privacy was not top of mind and was simply handled by not providing specific names, addresses, etc. of the persons in the database. The idea was to mine patterns of behavior that could then be used in developing marketing programs. While reports might show distributions of information, such as family income by zip code, they didn’t get down to the individual household level. Granted, marketers would determine that particular zip codes contained persons more likely to purchase a particular type of product or service, but they would target an area rather than specific individuals.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1733&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2011/01/17/those-data-are-mined/">Those Data are Mine(d)</a> (226 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2011. |
<a href="http://www.bloginfosec.com/2011/01/17/those-data-are-mined/">Permalink</a> |
<a href="http://www.bloginfosec.com/2011/01/17/those-data-are-mined/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2011/01/17/those-data-are-mined/&title=Those Data are Mine(d)">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/data-mining/" rel="tag">data mining</a>, <a href="http://www.bloginfosec.com/tag/deep-packet-inspection/" rel="tag">deep packet inspection</a>, <a href="http://www.bloginfosec.com/tag/privacy/" rel="tag">Privacy</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a>, <a href="http://www.bloginfosec.com/tag/the-wall-street-journal/" rel="tag">The Wall Street Journal</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2011/01/17/those-data-are-mined/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Was Citi Sleeping? Could Functional Security Testing Have Saved the Day?</title>
		<link>http://www.bloginfosec.com/2011/01/10/was-citi-sleeping-could-functional-security-testing-have-saved-the-day/</link>
		<comments>http://www.bloginfosec.com/2011/01/10/was-citi-sleeping-could-functional-security-testing-have-saved-the-day/#comments</comments>
		<pubDate>Mon, 10 Jan 2011 11:00:18 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[CSO/CISO Perspectives]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Risk Analysis]]></category>
		<category><![CDATA[CWE/SANS]]></category>
		<category><![CDATA[functional security testing]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[iPhone app]]></category>
		<category><![CDATA[nonfunctional security testing]]></category>
		<category><![CDATA[OWASP]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1722</guid>
		<description><![CDATA[Do you remember reading over the summer about Citigroup having a security hole in an iPhone app, which stored all manner of nonpublic personal information in a file? &#8230; and that the data could then be transferred to a PC? In the Technology section of the July 27, 2010 The Wall Street Journal, Spenser E. [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>Do you remember reading over the summer about Citigroup having a security hole in an iPhone app, which stored all manner of nonpublic personal information in a file? &#8230; and that the data could then be transferred to a PC? In the Technology section of the July 27, 2010 <em>The Wall Street Journal</em>, Spenser E. Ante, assisted by Ben Worthen, wrote an article, “Citi Offers Fix for Security Flaw: Free iPhone Banking App Accidentally Saved Personal Data in a Hidden File.”</p>
<p>It is interesting to note Citigroup’s claim that “&#8230; it performed security tests before and after releasing the application, but failed to detect the problem.” According to John Hering, CEO of Lookout, a provider of mobile security, “&#8230; his company is discovering more apps that could inadvertently expose or leak personal data &#8230;”</p>
<p>While Mr. Hering believes that such security flaws will only increase due to the quick pace at which these apps are being introduced, such a situation suggests that what is needed is much better testing &#8230; and not just functional testing and nonfunctional security testing. These latter two types of testing were apparently done for the Citi app.</p>
<p>What is not clear is whether any functional security testing was done, and the results imply that it was not. I have again and again touted the benefits of testing functionality of applications from the perspective of their not doing what they shouldn’t – see, for example, my August 30, 2010 column “Eureka! Professor Does FST (Functional Security Testing),” my article “The Application Security Testing Gap” in the Perspective column of the November 2010 issue of <em>Information Security</em> magazine, and my December 20, 2010 column “Reinventing the Functional Security Testing Wheel.” Clearly copying personal data to a hidden file on an iPhone is an unwanted function. Just as clearly, according to Mr. Hering, there are many such apps, growing in number, for which testing that the apps don’t do functionally what they are not supposed to be doing is not done.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1722&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2011/01/10/was-citi-sleeping-could-functional-security-testing-have-saved-the-day/">Was Citi Sleeping? Could Functional Security Testing Have Saved the Day?</a> (330 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2011. |
<a href="http://www.bloginfosec.com/2011/01/10/was-citi-sleeping-could-functional-security-testing-have-saved-the-day/">Permalink</a> |
<a href="http://www.bloginfosec.com/2011/01/10/was-citi-sleeping-could-functional-security-testing-have-saved-the-day/#comments">One comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2011/01/10/was-citi-sleeping-could-functional-security-testing-have-saved-the-day/&title=Was Citi Sleeping? Could Functional Security Testing Have Saved the Day?">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/cwesans/" rel="tag">CWE/SANS</a>, <a href="http://www.bloginfosec.com/tag/functional-security-testing/" rel="tag">functional security testing</a>, <a href="http://www.bloginfosec.com/tag/iphone/" rel="tag">iPhone</a>, <a href="http://www.bloginfosec.com/tag/iphone-app/" rel="tag">iPhone app</a>, <a href="http://www.bloginfosec.com/tag/nonfunctional-security-testing/" rel="tag">nonfunctional security testing</a>, <a href="http://www.bloginfosec.com/tag/owasp/" rel="tag">OWASP</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2011/01/10/was-citi-sleeping-could-functional-security-testing-have-saved-the-day/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Are We Busy Doing Nothing?</title>
		<link>http://www.bloginfosec.com/2011/01/03/are-we-busy-doing-nothing/</link>
		<comments>http://www.bloginfosec.com/2011/01/03/are-we-busy-doing-nothing/#comments</comments>
		<pubDate>Mon, 03 Jan 2011 11:00:53 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[CSO/CISO Perspectives]]></category>
		<category><![CDATA[General]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[application security]]></category>
		<category><![CDATA[Enterprise Information Security and Privacy]]></category>
		<category><![CDATA[Greg Shipley]]></category>
		<category><![CDATA[historical analysis]]></category>
		<category><![CDATA[security tools]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1715</guid>
		<description><![CDATA[You must read the hair-raising article by Greg Shipley in the October 11, 2010 issue of InformationWeek titled “Epic Fail.” The article is featured on the cover of the magazine with the words “The Wrong Protection: We’ve spent billions on security products, so why are we so ill-prepared for the attacks raining down on us?” [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>You must read the hair-raising article by Greg Shipley in the October 11, 2010 issue of <em>InformationWeek</em> titled “Epic Fail.” The article is featured on the cover of the magazine with the words “The Wrong Protection: We’ve spent billions on security products, so why are we so ill-prepared for the attacks raining down on us?” I was reminded of the song that begins:</p>
<p>“We&#8217;re busy doing nothing, working all day through, we&#8217;re trying to find lots of things not to do. We&#8217;re busy going nowhere, isn&#8217;t it such a crime? we&#8217;d like to be unhappy but we never do have the time.”</p>
<p>I learned that it was first sung by Bing Crosby et al. in the 1949 movie “A Connecticut Yankee in King Arthur’s Court.” You can see the clip at <a href="http://www.youtube.com/watch?v=QuxSl_4yLz4">http://www.youtube.com/watch?v=QuxSl_4yLz4</a>. Don’t you agree that Bing and his buddies bear some small resemblance to some of our better known security gurus? And what do you think about the expressions on the faces of the two passers-by? Isn’t that look of bewilderment a familiar one when we try to explain what we actually do? Ah, well.</p>
<p>Now back to Shipley’s article. He is essentially saying that attackers are outrunning defenders and the promise of security products to meet the challenges is never realized. He’s <em>not </em>saying not to do anything about security. He says that we should continue to implement much of what we do install, but recognize that the tools are not fixing the problems.</p>
<p>Now Shipley isn’t the first to voice this opinion. I recall that, on getting his new job at DARPA, Peiter Zatko (the infamous “Mudge”) said that not much had changed in cyber security during the past couple of decades. And yours truly was quoted in <em>The Wall Street Journal</em> of January 19, 2010 as saying that little progress had been made in the past 10 years. The backlash from my colleagues was such that I posted an explanation of my statement on <em>BlogInfoSec</em> in my February 8, 2010 column with the title “Please Let Me Explain.”</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1715&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2011/01/03/are-we-busy-doing-nothing/">Are We Busy Doing Nothing?</a> (251 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2011. |
<a href="http://www.bloginfosec.com/2011/01/03/are-we-busy-doing-nothing/">Permalink</a> |
<a href="http://www.bloginfosec.com/2011/01/03/are-we-busy-doing-nothing/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2011/01/03/are-we-busy-doing-nothing/&title=Are We Busy Doing Nothing?">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/application-security/" rel="tag">application security</a>, <a href="http://www.bloginfosec.com/tag/enterprise-information-security-and-privacy/" rel="tag">Enterprise Information Security and Privacy</a>, <a href="http://www.bloginfosec.com/tag/greg-shipley/" rel="tag">Greg Shipley</a>, <a href="http://www.bloginfosec.com/tag/historical-analysis/" rel="tag">historical analysis</a>, <a href="http://www.bloginfosec.com/tag/security-tools/" rel="tag">security tools</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2011/01/03/are-we-busy-doing-nothing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privacy? What Privacy?</title>
		<link>http://www.bloginfosec.com/2010/11/01/privacy-what-privacy/</link>
		<comments>http://www.bloginfosec.com/2010/11/01/privacy-what-privacy/#comments</comments>
		<pubDate>Mon, 01 Nov 2010 10:00:21 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[General]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security in Popular Culture]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[GPS]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[spotlight]]></category>
		<category><![CDATA[Wall Street Journal]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1635</guid>
		<description><![CDATA[It is unusual for the popular (as opposed to technical) press and particularly for The Wall Street Journal to publish a multipart series on the topic of privacy. But the WSJ did it in “What They Know: A Wall Street Journal Investigation” And I think they did a pretty good job. You can find the [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>It is unusual for the popular (as opposed to technical) press and particularly for <em>The Wall Street Journal </em>to publish a multipart series on the topic of privacy. But the <em>WSJ</em> did it in “What They Know: A Wall Street Journal Investigation” And I think they did a pretty good job. You can find the published articles and related resources at <a href="http://www.wsj.com/WhatTheyKnow">www.wsj.com/WhatTheyKnow</a></p>
<p>The first article, which appeared in the July 30, 2010 issue, is by Julia Angwin and has the title “The Web’s New Gold Mine: Your Secrets.” It describes how information about one’s Web activities is captured, packaged and sold for marketing purposes.</p>
<p>The second article, written by Nick Wingfield, appeared in the August 2, 2010 issue, with the title “Microsoft Quashes Effort to Boost Online Privacy.” Wingfield discusses how Microsoft chose to provide customer information to advertisers rather than protect customer privacy when it came to designing and deploying Internet Explorer 8.0.</p>
<p>A third article, in the August 4, 2010 issue, is by Emily Steel and Julia Angwin, and has the title “On the Web’s Cutting Edge, Anonymity in Name Only.” It is about how data describing individuals’ online behavior are used to profile such persons, namely all of us, and sell that information so that companies can target their marketing more accurately, similarly to what was described in the first article, mentioned above.</p>
<p>The fourth article, appearing in the August 5, 2010 issue, takes a somewhat different tack. It is by Justin Scheck and has the title “Stalkers Exploit Cellphone GPS.” Scheck describes how GPS and other forms of tracking, which have many positive uses, are also exploited by individuals who have violence in mind, to locate their victims.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1635&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2010/11/01/privacy-what-privacy/">Privacy? What Privacy?</a> (447 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2010. |
<a href="http://www.bloginfosec.com/2010/11/01/privacy-what-privacy/">Permalink</a> |
<a href="http://www.bloginfosec.com/2010/11/01/privacy-what-privacy/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2010/11/01/privacy-what-privacy/&title=Privacy? What Privacy?">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/google/" rel="tag">Google</a>, <a href="http://www.bloginfosec.com/tag/gps/" rel="tag">GPS</a>, <a href="http://www.bloginfosec.com/tag/microsoft/" rel="tag">microsoft</a>, <a href="http://www.bloginfosec.com/tag/privacy/" rel="tag">Privacy</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a>, <a href="http://www.bloginfosec.com/tag/wall-street-journal/" rel="tag">Wall Street Journal</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2010/11/01/privacy-what-privacy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Blaming the CISO &#8230; Yet Again</title>
		<link>http://www.bloginfosec.com/2010/09/13/blaming-the-ciso-yet-again/</link>
		<comments>http://www.bloginfosec.com/2010/09/13/blaming-the-ciso-yet-again/#comments</comments>
		<pubDate>Mon, 13 Sep 2010 10:00:32 +0000</pubDate>
		<dc:creator>C. Warren Axelrod</dc:creator>
				<category><![CDATA[CSO/CISO Perspectives]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[AT & T]]></category>
		<category><![CDATA[business owner]]></category>
		<category><![CDATA[data breach]]></category>
		<category><![CDATA[Ed Amoroso]]></category>
		<category><![CDATA[iPad]]></category>
		<category><![CDATA[iPhone]]></category>
		<category><![CDATA[portable devices]]></category>
		<category><![CDATA[privacy regulations]]></category>
		<category><![CDATA[spotlight]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1590</guid>
		<description><![CDATA[Update:
 Since I began writing this column, which discussed AT&#38;T’s iPad issue, AT&#38;T was reported to have experienced another privacy breach, this time during the heavy use of its registration site when the latest model of the iPhone became available. This was reported in The Wall Street Journal of June 16, 2010 in “AT&#38;T Flooded By [...]]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>Update:</p>
<p> Since I began writing this column, which discussed AT&amp;T’s iPad issue, AT&amp;T was reported to have experienced another privacy breach, this time during the heavy use of its registration site when the latest model of the iPhone became available. This was reported in <em>The Wall Street Journal</em> of June 16, 2010 in “AT&amp;T Flooded By iPhone,” by Niraj Seth and Roger Cheng. The article states that “&#8230; in certain cases [the website] appeared to reveal subscribers’ personal information to strangers,” and that the Federal Trade Commission is aware of the problem.</p>
<p>In the article, AT&amp;T Chief Executive Randall Stephenson, who was talking to media and investors during the development of the iPhone registration problem, was reported to have responded with the following in answer to a question about the iPad (not iPhone) breach: “&#8230; privacy issues are important and &#8230; a failure to prevent more serious breaches of network security would stall the growth of the mobile data market.” In an interview, Mr. Stephenson went on to say: “Customer privacy, data privacy is critical. We take this very seriously.” It is clear from the article that Mr. Stephenson is supportive of protecting customer data because doing so will enable AT&amp;T to grow its mobile business &#8230; and not only because privacy protection is a legal and regulatory requirement. I would have thought that privacy advocates would be all over this one, except that everyone’s anger was being directed at BP CEO Tony Hayward.</p>
<p>As for me, I think that what motivates C-level management to take security and privacy seriously matters less than whether they actually do something. So now, back to the primary topic &#8230;</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1590&type=feed" alt="" />(...)<br/>Read the rest of <a href="http://www.bloginfosec.com/2010/09/13/blaming-the-ciso-yet-again/">Blaming the CISO &#8230; Yet Again</a> (344 words)<hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2010. |
<a href="http://www.bloginfosec.com/2010/09/13/blaming-the-ciso-yet-again/">Permalink</a> |
<a href="http://www.bloginfosec.com/2010/09/13/blaming-the-ciso-yet-again/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2010/09/13/blaming-the-ciso-yet-again/&title=Blaming the CISO &#8230; Yet Again">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/at-t/" rel="tag">AT &amp; T</a>, <a href="http://www.bloginfosec.com/tag/business-owner/" rel="tag">business owner</a>, <a href="http://www.bloginfosec.com/tag/data-breach/" rel="tag">data breach</a>, <a href="http://www.bloginfosec.com/tag/ed-amoroso/" rel="tag">Ed Amoroso</a>, <a href="http://www.bloginfosec.com/tag/ipad/" rel="tag">iPad</a>, <a href="http://www.bloginfosec.com/tag/iphone/" rel="tag">iPhone</a>, <a href="http://www.bloginfosec.com/tag/portable-devices/" rel="tag">portable devices</a>, <a href="http://www.bloginfosec.com/tag/privacy/" rel="tag">Privacy</a>, <a href="http://www.bloginfosec.com/tag/privacy-regulations/" rel="tag">privacy regulations</a>, <a href="http://www.bloginfosec.com/tag/spotlight/" rel="tag">spotlight</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2010/09/13/blaming-the-ciso-yet-again/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Privacy NO More</title>
		<link>http://www.bloginfosec.com/2010/05/20/privacy-no-more/</link>
		<comments>http://www.bloginfosec.com/2010/05/20/privacy-no-more/#comments</comments>
		<pubDate>Thu, 20 May 2010 10:00:52 +0000</pubDate>
		<dc:creator>Ronald Redling</dc:creator>
				<category><![CDATA[CSO/CISO Perspectives]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[hr]]></category>
		<category><![CDATA[human resources]]></category>
		<category><![CDATA[IANS]]></category>
		<category><![CDATA[YouTube]]></category>

		<guid isPermaLink="false">http://www.bloginfosec.com/?p=1462</guid>
		<description><![CDATA[The biggest scare at this years IANS event was not news about botnet attacks from Belarus or data leaks, but the increased scrutiny by Human Resource Departments of prospective candidates to include social media.  So, do not be surprised when you are asked during an interview to provide information about your blogs or websites, [...]<br /><!-- Begin Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 -->
<script type="text/javascript">
	sr_adspace_id = 5674307;
	sr_adspace_width = 728;
	sr_adspace_height = 90;
	sr_adspace_type = "graphic";
	sr_ad_new_window = true;
	
</script>
<script type="text/javascript" src="http://ad.afy11.net/srad.js?azId=5674307">
</script>
<!-- End Adify tag for "bloginfosec.com rss" Ad Space (728x90) ID #5674307 --><br />]]></description>
			<content:encoded><![CDATA[<!-- sphereit start --><p>The biggest scare at this years IANS event was not news about botnet attacks from Belarus or data leaks, but the increased scrutiny by Human Resource Departments of prospective candidates to include social media.  So, do not be surprised when you are asked during an interview to provide information about your blogs or websites, or to logon and provide Human Resources access to your Facebook account.</p>
<p>Any person having graduated from high school or college during the past 10 years has a high probability of being included some form of electronic media, knowingly or not.  A simple indiscretion at a party or on Spring Break can result in being the primary reason to be excluded for consideration for that choice position.  You never know who has a YouTube camera.</p>
<p>But the scrutiny does not stop there.  It is not longer sufficient to have stellar references, clean credit history and be drug free.  Where is the separation between what is considered a personal and professional life?  Any person can have belong to an association, group, volunteer for a charity, etc. that may not be considered as appropriate.  </p>
<p>Do these preclude a person from satisfactorily executing the roles and responsibilities as required?     </p>
<p>Not so long ago, the analogy to be a Boy Scout meant you walked in a different light, but now even that could be a problem.</p>
<!-- sphereit end --><img src="http://www.bloginfosec.com/?ak_action=api_record_view&id=1462&type=feed" alt="" /><hr />
<p><small>© <a href="http://www.bloginfosec.com">BlogInfoSec.com</a>, 2010. |
<a href="http://www.bloginfosec.com/2010/05/20/privacy-no-more/">Permalink</a> |
<a href="http://www.bloginfosec.com/2010/05/20/privacy-no-more/#comments">No comment</a> |
Add to
<a href="http://del.icio.us/post?url=http://www.bloginfosec.com/2010/05/20/privacy-no-more/&title=Privacy NO More">del.icio.us</a>
<br/>
Post tags: <a href="http://www.bloginfosec.com/tag/botnet/" rel="tag">botnet</a>, <a href="http://www.bloginfosec.com/tag/facebook/" rel="tag">facebook</a>, <a href="http://www.bloginfosec.com/tag/hr/" rel="tag">hr</a>, <a href="http://www.bloginfosec.com/tag/human-resources/" rel="tag">human resources</a>, <a href="http://www.bloginfosec.com/tag/ians/" rel="tag">IANS</a>, <a href="http://www.bloginfosec.com/tag/privacy/" rel="tag">Privacy</a>, <a href="http://www.bloginfosec.com/tag/youtube/" rel="tag">YouTube</a><br/>
</small></p>]]></content:encoded>
			<wfw:commentRss>http://www.bloginfosec.com/2010/05/20/privacy-no-more/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

