So the three big credit bureaus are adopting a single data encryption standard to "further assure the protection of sensitive consumer data when transmitted between data furnishers and credit reporting companies" (link). Great.
Except that data encryption isn't the problem. All of the widely publicized recent attacks have been either from insiders, or from organizations that were customers. Such attackers already have access to the data.
The answer isn't going to be that easy. It is going to require some type of rights management that ties the data to the consumer, the usage and the time that it is valid.
The real message here is that this isn't for consumer protection at all. It is to make life easier for the purchasers of credit reporting data, who today have to deal with different schemes from each of the big three. Maybe there is some benefit here for the consumer, but it isn't immediately obvious.
The CSIA is sort of the British version of NIST, with respect to IT. They've invented their own accreditation for security tools (link), basically looking to validate the vendor's claims (thus the name, "Claim Tested Mark"). This is a very different approach from that used in the Common Criteria process, which seeks to apply a single set of standards to many different products.
I think I like the British approach more -- it provides customers with some amount of trust that the products will perform as described, without making the verification process so onerous that only the products with the largest volumes (e.g. Windows Server) would ever be put through the process.
If you have a high-performance machine with a good video card, check out http://www.microsoft.com/max/. It's the Codename Avalon user interface used for photo browsing. Not only is it really pretty, but it also shows some great ideas around how a UI can provide context for users.
An interesting paper to be published shortly by three clever people at UC Berkeley reports that without training (other than a 10-minute recording of someone typing) a recognition algorithm can be built to derive what is being typed, including passwords. There are many caveats here, including the requirement that the typist is typing in one language (they used English) and that the recognition rate is far from 100%. But nevertheless it provokes thought.
So what does this tell us? First off, relying solely on passwords is a bad idea -- even if this attack wasn't possible, there are just so many others. Two-factor authentication is not foolproof but it does greatly reduce the risk.
Second, this reiterates the old saw about physical access. If I can get close to your PC then I have a reasonable chance of obtaining your user ID and password.
Type quietly, everyone!
Tony Bailey, the Senior Product Manager on the Microsoft Solutions for Security & Compliance team, has put together a list of all of our security solutions. You can find it here: http://www.microsoft.com/technet/community/columns/sectip/default.mspx
NIST has opened up a National Vulnerability Database, also available as an XML feed. I love the fact that all of the available info will be in one place, although I do fear that it will re-open the "what's more secure" arguments that have been running for several years.
Link: http://nvd.nist.gov
Story: http://www.fcw.com/article89911-08-15-05-Print
If researchers are pointing out the issues, the bad guys will not be far behind. Start checking to make sure that your AV software is up to date!
Link.
Link. Microsoft Q&A.
They provide email customers with security and compliance services (retention, etc.). As IT environments get more complex there are more opportunities for providing this type of service for part of the infrastructure. This is somewhat in contrast to the old approach of outsourcing everything.
Despite the slings and arrows that we endured originally when we came up with Patch Tuesday, it looks like this is gaining momentum. This article from eWeek talks about other companies starting to release patches on Tuesday as well. Of course there is always a dissenting opinion.
Now if only we could come up with a single auto-update mechanism that supported multiple vendors -- but that is a hairy legal as well as practical issue.
You know that a concept has truly entered the mainstream when it spawns politically correct euphemisms. Potentially unwanted software is the latest safe and approved term for what most people think of as spyware and adware. So the House has just approved a bill that adds some deterrents and safeguards for consumers, to make spyware (oops... there I go again) somewhat less attractive as an advertising medium (link). However, the bill doesn't provide for protection for anti-spyware (should that be "anti-potentially-unwanted-software"?) makers -- companies who feel that they've been unfairly targeted can sue (link). This seems odd... if the anti-spyware product is erroneously removing desired software, you would think that the word would get out and no one would use it. However, if the software wasn't explicitly desired and installed by the customer, what's the argument?
Lawyers probably have a different view. I can think of a couple of products (which I won't name) that appear to do something useful, and then install adware as well. They protect themselves legally (but not IMHO ethically) by hiding the "consent" for installing the adware in an unnecessarily long click-through end user license agreement (EULA). So they say that the user must have desired it since they accepted the EULA.
So, what do you think? Obviously since I work for the Big M you could say that I am biased. But ethically this appears to be pretty clear-cut. The medical profession went through this whole "informed consent" problem several years ago, and now bend over backwards to ensure that the patient's consent includes an understanding of the procedure and the risks. Do we need some type of EULA law as well, in order to allow anti-spyware vendors to have a clear line of demarcation between wanted and unwanted?
This article (Protect passwords? Not if latte is free) was passed on to me from a colleague who also saw the irony in this. I would say that we're 3 years too late in making 2-factor auth a base part of computing. This makes identity theft almost too easy... fish in a barrel.
What do you do to keep your passwords secure? Use the same one everywhere? Write them down? Keep them in your cell phone? None of these are great options.
The alternative is a something that you need to carry around. Any ideas on what could work? Iris and fingerprint scanners still aren't reliable enough (in the home market). Smartcards would work, as would token generators such as those sold by RSA and others. But equally important is who the issuer is. Because I don't want 20 fobs hanging off of my keychain, I want one or two to cover every site that I visit.
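The token generators mentioned above (RSA fobs and the like) are just a shared secret plus a counter or clock fed through an HMAC. The following is an added example, not code from the original post or from any vendor, of the open HOTP/TOTP algorithms (RFC 4226 and RFC 6238) in Python, with a verifier that tolerates one step of clock drift and compares codes in constant time. The secret, timestamps and window size below are constructed sample values.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample secret (the RFC 4226/6238 test-vector key), not a real credential.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp=None, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second intervals since epoch."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // step, digits, algo)


def verify_totp(secret: bytes, code: str, timestamp=None, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """Accept a code for the current step or up to `window` steps either side.

    A small window absorbs clock drift between fob and server; a large one
    widens the replay opportunity, so keep it to one or two steps.
    """
    if timestamp is None:
        timestamp = time.time()
    counter = int(timestamp) // step
    for candidate in range(counter - window, counter + window + 1):
        # hmac.compare_digest avoids leaking which digit mismatched via timing
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    print("current 6-digit code:", totp(SAMPLE_SECRET, now))
    print("verifies:", verify_totp(SAMPLE_SECRET, totp(SAMPLE_SECRET, now), now))
```

The assertions in the RFC test vectors use an 8-digit output; the `digits` parameter covers both the 6-digit fobs common in practice and the 8-digit vectors. Note what this does not solve: every site still needs its own copy of the secret, which is exactly the "20 fobs on my keychain" issuer problem above.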
Has anyone else read this article on "safecount.org" wanting to encourage people to not delete cookies? While I understand that the advertisers have a difficult task, it makes me crazy that sites such as TechWeb just take press releases and post them without providing any context or value-add. In fact, they become a value-subtract, since some less discriminating readers will look to TechWeb for factual news articles and perhaps actually believe what they're reading.
I don't mean to pick on TechWeb; it's just that I read this piece this morning and it just pissed me off. If you want to get your news from the 'net, you have very few places to choose from. Most sites do the same thing -- get a flurry of press releases, have someone reword them into a semblance of an objective article, and publish. This particular article is great -- the position of safecount.org is that you shouldn't delete your cookies because it makes life harder on their advertiser members. The writer makes no comment regarding privacy, and quotes "analysts" (which ones, I wonder) to make the story more believable.
Please take everything you read with a grain of salt, particularly if it comes from a news source that you didn't pay for. Remember, they have to get their expenses paid by someone...
Awareness is our biggest challenge, but we've been doing a lot to make this happen. At this point the consumers that are walking into these ridiculous schemes need to accept that they are, to some extent, the authors of their own misfortune. I like this editorial by Robert MacMillan at the Washington Post. Here's an excerpt:
I am a staunch defender of what I call the average computer user, but I wonder whether it's time to change my tune... It makes sense that the Internet service providers and other stewards of our online experience should do their part to protect people from online danger. But I need to modify that point of view. Everyone should know by now that we should never trust e-mail, mobile phone messages or instant messages from strangers who want to deal with our money. If you don't know the source, delete immediately. Some of you will be yawning by now because you know this already, but the Times piece points out a tragic reality that criminals know well already -- a sucker signs on to the 'Net every minute.
The Payment Card Industry (credit-card issuers) has created its own set of regulations that e-commerce sites must follow if they're to continue processing credit card payments. The regs are pretty good -- a 12-point checklist of areas that need to be covered. For example, "Do not use vendor default passwords on IT products" and "Uniquely authenticate each person accessing computer systems." It's a great idea, but is yet another regulation that needs to be dealt with.
http://www.ecommercetimes.com/story/113003FF5PFJ.xhtml
More progress being made on the anti-spyware front: http://www.eweek.com/article2/0,1759,1788844,00.asp. Industry players are banding together to try and define this.
I'm not sure that this is a good idea -- while I agree that the term "spyware" has unfortunate connotations to anyone branded as such, creating a specific definition just seems to me to open the door to firms trying to work around the definition while achieving the same effect.
Although it had a terrible acronym, I really thought that "potentially unwanted software" captured the category in a nutshell.
This is one of those times that I love this company -- building a tracking system to fight kiddie porn, and giving it away to police departments worldwide. Link.
TechWeb just posted an article on DNS cache poisoning continuing. The Microsoft KB article can be found here. The problem: cache protection (in Windows 2000 SP3 and above) only applies when the DNS server is a master. If it is forwarding all requests, then the data is assumed to be filtered by the upstream DNS server. If that server isn't filtering properly, then the cache could still be poisoned. This is often the case when Windows DNS is set to forward requests to an older version of BIND. The Internet Storm Center (link) has a pretty good description of the several scenarios, and how you need to protect your organization depending on your scenario.
Lesson learned: Look at the whole chain to understand how you're protected.
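To make the "look at the whole chain" lesson concrete, here is an added example (my own illustration, not the KB article's code or anything shipped with Windows DNS or BIND) in Python. It models cache-pollution protection as a bailiwick rule: records in a response are only cached if their name falls under the zone the queried server is responsible for. It then walks a forwarding chain to find the server that actually resolves the query, because that server's filtering, not the first server's setting, is what protects the cache. The resolver names, zone and records are constructed sample data; the bailiwick rule is a simplification of the real "secure cache against pollution" logic.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Record:
    name: str
    rtype: str
    data: str


@dataclass
class Resolver:
    name: str
    filters: bool                        # drops out-of-bailiwick records when resolving itself
    forwards_to: Optional[str] = None    # None means it resolves recursively (the "master" case)


def normalize(name: str) -> str:
    return name.rstrip(".").lower()


def in_bailiwick(record_name: str, zone: str) -> bool:
    """True if record_name is the zone apex or lies beneath the zone."""
    rec, z = normalize(record_name), normalize(zone)
    return rec == z or rec.endswith("." + z)


def filter_response(zone: str, records: List[Record]) -> Tuple[List[Record], List[Record]]:
    """Split a response into records safe to cache and records to discard."""
    kept, dropped = [], []
    for rec in records:
        (kept if in_bailiwick(rec.name, zone) else dropped).append(rec)
    return kept, dropped


def effective_protection(resolvers: List[Resolver], start: str) -> Tuple[str, bool]:
    """Follow forwarders from `start`; return (server that resolves, whether it filters).

    An upstream not in our inventory is treated as unprotected: you cannot
    claim protection from a server whose configuration you have not checked.
    """
    by_name = {r.name: r for r in resolvers}
    seen = set()
    current = by_name[start]
    while current.forwards_to is not None:
        if current.name in seen:
            raise ValueError("forwarding loop at " + current.name)
        seen.add(current.name)
        upstream = by_name.get(current.forwards_to)
        if upstream is None:
            return current.forwards_to, False
        current = upstream
    return current.name, current.filters


# Constructed sample response for a query to the example.com servers.
SAMPLE_ZONE = "example.com."
SAMPLE_RECORDS = [
    Record("www.example.com.", "A", "192.0.2.10"),
    Record("example.com.", "NS", "ns.example.com."),
    Record("ns.example.com.", "A", "192.0.2.1"),
    Record("www.bank.example.", "A", "203.0.113.66"),   # constructed out-of-bailiwick record
]

# Constructed sample inventory: a Windows DNS server with protection on, forwarding to old BIND.
SAMPLE_RESOLVERS = [
    Resolver("win-dns", filters=True, forwards_to="old-bind"),
    Resolver("old-bind", filters=False),
    Resolver("win-dns-standalone", filters=True),
]


if __name__ == "__main__":
    kept, dropped = filter_response(SAMPLE_ZONE, SAMPLE_RECORDS)
    print("cached:", [r.name for r in kept])
    print("discarded:", [r.name for r in dropped])
    for start in ("win-dns", "win-dns-standalone"):
        server, protected = effective_protection(SAMPLE_RESOLVERS, start)
        print(f"{start}: resolved by {server}, protected={protected}")
```

Run against the sample inventory, `win-dns` reports that its queries are really resolved by `old-bind` with no filtering, which is the scenario in the post: the protection setting on the Windows box is irrelevant while it forwards everything.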
Interesting article: Google Yourself to Identify Security Holes by Tony Bradley. His point is that security people should be using Google and the discussed tools as one facet of a vulnerability analysis program.
Sorry, I just can't get behind this: Battle brews over unlocking PC secrets. The PC industry has suffered for not having trusted mechanisms for identifying computers and locking down digital rights. I read the article and I still don't see Stallman's point. Then I read his manifesto and I really don't get it. GNU has come up with some good stuff in the past, and in a previous life I used to use and contribute to that effort. But this seems to be ideology taken to the extreme. Since the typical modern mobo allows users to flash their BIOS rather than remove and replace the chip, suddenly it should be treated differently? Presumably this includes video cards as well, that have extensive (and flash-able) code on the card.
It's not really a battle, more of a tempest in a teapot.
An old article, but still a good one, by Jakob Nielsen (formerly at Sun, now at his own company). I strongly agree with his points, particularly: "passwords that comply with the above list of 'security-enhancing' principles lead to one outcome: Users write down their passwords."
Ahh, the wonderful world of information security in the United States, where the threat of litigation can keep holes open and spyware active. eWeek has had a couple of articles this week on this topic. In The Chaotic World of Defining Spyware they discuss issues that CA has with companies that are fighting being labeled as spyware. In Big Security Guns Should Aim Carefully at Adware, Spyware there's a discussion of Symantec's scoring system versus Microsoft's behavior-based approach documented in a recent white paper.
There is money to be made in spyware and the bottom-feeders that are using spyware and "adware" are going to be very aggressive at resisting being labeled as such. You can see this in the Microsoft white paper, where the targets are labeled "potentially unwanted software" rather than spyware.
It's all just semantics. When you install something on my PC that I don't explicitly want and ask for, you're a bad person and need to be dealt with harshly.
My group didn't write this... that is, I don't think we did, although this may have come out of our Consumer team. But it is pretty good, basic advice for students that are heading off to school with their new laptops.
School is in: 7 computer security tips for students