
Credit Bureaus adopt data protection standard... so what?

So the three big credit bureaus are adopting a single data encryption standard to "further assure the protection of sensitive consumer data when transmitted between data furnishers and credit reporting companies" (link).  Great. 

Except that data encryption isn't the problem.  All of the widely publicized recent attacks have been either from insiders, or from organizations that were customers.  Such attackers already have access to the data.

The answer isn't going to be that easy.  It is going to require some type of rights management that ties the data to the consumer, the usage and the time that it is valid. 

The real message here is that this isn't for consumer protection at all.  It is to make life easier for the purchasers of credit reporting data, who today have to deal with different schemes from each of the big three.  Maybe there is some benefit here for the consumer, but it isn't immediately obvious.

Posted by jeffnew | 24 Comments

British Gov't validating security tools - "CSIA CT Mark"

The CSIA is sort of the British version of NIST, with respect to IT.  They've invented their own accreditation for security tools (link), basically looking to validate the vendor's claims (thus the name, "Claim Tested Mark").  This is a very different approach to that used in the Common Criteria process, which seeks to apply a single set of standards to many different products. 

I think I like the British approach more -- it provides customers with some amount of trust that the products will perform as described, without making the verification process so onerous that only the products with the largest volumes (e.g. Windows Server) would ever be put through the process.

Posted by jeffnew | 0 Comments

Cool stuff - Microsoft MAX

If you have a high-performance machine with a good video card, check out http://www.microsoft.com/max/.  It's the Codename Avalon user interface used for photo browsing.  Not only is it really pretty, but it also shows some great ideas around how a UI can provide context for users. 

Posted by jeffnew | 0 Comments

Trapping passwords by listening to typing

An interesting paper to be published shortly by three clever people at UC Berkeley reports that without training (other than a 10-minute recording of someone typing) a recognition algorithm can be built to derive what is being typed, including passwords.  There are many caveats here, including the requirement that the typist is typing in one language (they used English) and that the recognition rate is far from 100%.  But nevertheless it provokes thought.

So what does this tell us?  First off, relying solely on passwords is a bad idea -- even if this attack wasn't possible, there are just so many others.  Two-factor authentication is not foolproof but it does greatly reduce the risk.

Second, this reiterates the old saw about physical access.  If I can get close to your PC then I have a reasonable chance of obtaining your user ID and password.

Type quietly, everyone!

Posted by jeffnew | 1 Comments

Here's a list of Security Solutions

Tony Bailey, the Senior Product Manager on the Microsoft Solutions for Security & Compliance team, has put together a list of all of our security solutions.  You can find it here:  http://www.microsoft.com/technet/community/columns/sectip/default.mspx

Posted by jeffnew | 2 Comments

A National Database of Vulnerabilities

NIST has opened up a National Vulnerability Database, also available as an XML feed.  I love the fact that all of the available info will be in one place, although I do fear that it will re-open the "what's more secure" arguments that have been running for several years.

Link: http://nvd.nist.gov

Story:  http://www.fcw.com/article89911-08-15-05-Print

Posted by jeffnew | 0 Comments

First go for people with no armor; then look for chinks in the armor

If researchers are pointing out the issues, the bad guys will not be far behind.  Start checking to make sure that your AV software is up to date!

Link.

Posted by jeffnew | 0 Comments

Microsoft buys email managed-services company

Link. Microsoft Q&A.

They provide email customers with security and compliance services (retention, etc.).  As IT environments get more complex there are more opportunities for providing this type of service for part of the infrastructure.  This is somewhat in contrast to the old approach of outsourcing everything.

Posted by jeffnew | 35 Comments

Patch Tuesday becomes popular

Despite the slings and arrows that we endured originally when we came up with Patch Tuesday, it looks like this is gaining momentum.  This article from eWeek talks about other companies starting to release patches on Tuesday as well.  Of course there is always a dissenting opinion.

Now if only we could come up with a single auto-update mechanism that supported multiple vendors -- but that is a hairy legal as well as practical issue.

Posted by jeffnew | 0 Comments

Oh great -- now spyware is disguised as antispyware!

This is classic -- you get infected with spyware that masquerades as antispyware.  It pops up an alert that you're infected, and directs you to a web site to buy a licensed version of a disinfection program.  InformationWeek called it "ransom-ware" and I tend to agree.

Posted by jeffnew | 0 Comments

Microsoft Solutions for Security team at TechEd

I was going to post on this but Tony Bailey beat me to it (link).  We have several sessions at TechEd, and 6 program managers and subject matter experts from my team will be in the Security Cabanas.  I can't make it down this year but I have reviewed many of the security sessions and they're awesome.  If you're down there drop into the security cabana and say that jeffnew said to say "hi". 

Posted by jeffnew | 0 Comments

Spyware (I mean potentially unwanted software) and the law

You know that a concept has truly entered the mainstream when it spawns politically correct euphemisms.  Potentially unwanted software is the latest safe and approved term for what most people think of as spyware and adware.  So the House has just approved a bill that adds some deterrents and safeguards for consumers, to make spyware (oops... there I go again) somewhat less attractive as an advertising medium (link).  However, the bill doesn't provide for protection for anti-spyware (should that be "anti-potentially-unwanted-software"?) makers -- companies who feel that they've been unfairly targeted can sue (link).  This seems odd... if the anti-spyware product is erroneously removing desired software, you would think that the word would get out and no one would use it.  However, if the software wasn't explicitly desired and installed by the customer, what's the argument? 

Lawyers probably have a different view.  I can think of a couple of products (which I won't name) that appear to do something useful, and then install adware as well.  They protect themselves legally (but not IMHO ethically) by hiding the "consent" for installing the adware in an unnecessarily long click-through end user license agreement (EULA).  So they say that the user must have desired it since they accepted the EULA. 

So, what do you think?  Obviously since I work for the Big M you could say that I am biased.  But ethically this appears to be pretty clear-cut.  The medical profession went through this whole "informed consent" problem several years ago, and now bend over backwards to ensure that the patient's consent includes an understanding of the procedure and the risks.  Do we need some type of EULA law as well, in order to allow anti-spyware vendors to have a clear line of demarcation between wanted and unwanted? 

Posted by jeffnew | 1 Comments

OK, passwords are so 20th century and have to go!

This article (Protect passwords? Not if latte is free) was passed on to me from a colleague who also saw the irony in this.  I would say that we're 3 years too late in making 2-factor auth a base part of computing.  This makes identity theft almost too easy... fish in a barrel. 

What do you do to keep your passwords secure?  Use the same one everywhere?  Write them down?  Keep them in your cell phone? None of these are great options. 

The alternative is something that you need to carry around.  Any ideas on what could work?  Iris and fingerprint scanners still aren't reliable enough (in the home market).  Smartcards would work, as would token generators such as those sold by RSA and others.  But equally important is who the issuer is.  Because I don't want 20 fobs hanging off of my keychain, I want one or two to cover every site that I visit. 

Posted by jeffnew | 494 Comments

What happened to IT journalism?

Has anyone else read this article on "safecount.org" wanting to encourage people to not delete cookies?  While I understand that the advertisers have a difficult task, it makes me crazy that sites such as TechWeb just take press releases and post them without providing any context or value-add.  In fact, they become a value-subtract, since some less discriminating readers will look to TechWeb for factual news articles and perhaps actually believe what they're reading.

I don't mean to pick on TechWeb; it's just that I read this piece this morning and it just pissed me off.  If you want to get your news from the 'net, you have very few places to choose from.  Most sites do the same thing -- get a flurry of press releases, have someone reword them into a semblance of an objective article, and publish.  This particular article is great -- the position of safecount.org is that you shouldn't delete your cookies because it makes life harder on their advertiser members.  The writer makes no comment regarding privacy, and quotes "analysts" (which ones, I wonder) to make the story more believable.

Please take everything you read with a grain of salt, particularly if it comes from a news source that you didn't pay for.  Remember, they have to get their expenses paid by someone...

Posted by jeffnew | 0 Comments

Internet fraud -- whose fault is it?

Awareness is our biggest challenge, but we've been doing a lot to make this happen.  At this point the consumers that are walking into these ridiculous schemes need to accept that they are, to some extent, the authors of their own misfortune.  I like this editorial by Robert MacMillan at the Washington Post.  Here's an excerpt:

I am a staunch defender of what I call the average computer user, but I wonder whether it's time to change my tune...  It makes sense that the Internet service providers and other stewards of our online experience should do their part to protect people from online danger.  But I need to modify that point of view. Everyone should know by now that we should never trust e-mail, mobile phone messages or instant messages from strangers who want to deal with our money. If you don't know the source, delete immediately. Some of you will be yawning by now because you know this already, but the Times piece points out a tragic reality that criminals know well already -- a sucker signs on to the 'Net every minute.

Posted by jeffnew | 36 Comments