Sunday, June 26, 2005

Digital Insecurity

I see a common thread in the news these days. The proliferation of digital technology and connectivity is creating an unprecedented threat to information security on many fronts. Here are just a few excerpts from recent news on this theme.

SenderID, SPF, Domain Keys
By this fall, if your e-mail does not have a Sender ID, MSN and Hotmail will handle your message as if it were junk mail. Other e-mail giants such as America Online (SPF) and Yahoo (Domain Keys) have developed their own authentication systems. AOL and Yahoo plan to implement them in their e-mail systems by year's end.
Unsigned mail could be handled differently since it is more likely to be spam, but DoubleClick, a major spammer, has already announced plans to use Sender ID on its mail servers when appropriate. [You probably won't recognize the name of that domain owner, or it could appear similar to a known business.]
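To make concrete what "having a Sender ID" buys a receiving mail system, here is an added example (not code from the post or from any of the vendors named) of a simplified SPF evaluator. It checks the connecting server's IP address against the domain's published policy and maps the result onto a disposition like the one described above, where unauthenticated mail is treated as junk rather than rejected outright. The domains, addresses and TXT records are constructed for the example; a real evaluator would fetch the records over DNS and support the a, mx and exists mechanisms, which are omitted here.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (not real domains' SPF records).
# example.com authorises two address ranges and delegates to mail.example.net.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "nospf.example": None,  # domain that publishes no policy at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Hypothetical DNS lookup: returns the SPF TXT record or None."""
    return SPF_RECORDS.get(domain)


def check_spf(domain, sending_ip, depth=0):
    """Evaluate a simplified SPF policy for `domain` against the IP that
    delivered the message.  Returns one of: pass, fail, softfail, neutral,
    none, permerror."""
    if depth > 10:  # cap nested include: lookups, as real evaluators do
        return "permerror"
    record = lookup_spf(domain)
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(sending_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name == "include":
            # include: matches only if the referenced domain's policy passes
            matched = check_spf(arg, sending_ip, depth + 1) == "pass"
        else:
            return "permerror"  # a/mx/exists need live DNS; unsupported here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


def disposition(spf_result):
    """Map an SPF result onto a receiving policy like the one described
    in the post: unauthenticated mail is filed as junk, not bounced."""
    if spf_result == "fail":
        return "reject"
    if spf_result in ("softfail", "none", "neutral", "permerror"):
        return "junk folder"
    return "inbox"


if __name__ == "__main__":
    for domain, ip in [("example.com", "192.0.2.7"),
                       ("example.com", "203.0.113.5"),
                       ("nospf.example", "203.0.113.5")]:
        result = check_spf(domain, ip)
        print(f"{domain:18} from {ip:14} -> {result:8} -> {disposition(result)}")
```

Note that SPF authorises the sending host for the envelope sender's domain; Microsoft's Sender ID applies the same record format to the "purported responsible address" taken from the message headers, which is why a domain can publish one record and be checked by both schemes.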

Instant Message Collaboration
The latest desktop version of Microsoft Office Communicator 2005 together with the company's Live Communications Server software will allow workers to access a [corporate] IM system from any device on the Internet.

MS Issues Small Business Security White Paper (71 pgs)

Microsoft Releases 10 Security Bulletins
Microsoft's monthly bundle of patches for June is one of the biggest since the company switched to a monthly patching cycle, and it brings fixes for 12 vulnerabilities, including three critical issues.

Popular Web browsers' JavaScript leaves users vulnerable
The flaw allows a phishing attack when a malicious JavaScript pop-up window appears in front of a trusted Web site, Secunia [security firm] said. It could prompt a user to enter data such as a user ID and password.
"The problem is that JavaScript dialog boxes do not display or include their origin in a pop-up dialog window, which could appear to be from a trusted website. The latest versions of Internet Explorer, Internet Explorer for Mac, Safari, iCab, Mozilla, Mozilla Firefox, Camino, and Opera prior to 8.01 are all vulnerable."

Security Software facing increased attacks
Symantec, CheckPoint Software, and F-Secure are among the vendors that have seen a rise in the number of security issues affecting their products in past years, according to Yankee Group. If the trend continues, the number of vulnerabilities in security products will be 50 percent higher than 2004 levels, according to the analysts. While Microsoft flaws continue to be exploited, the rate has decreased notably. Analysts credit the shift in targets to the tighter security in Windows XP Service Pack 2.

Microsoft to Deliver Automated, All-in-One PC Health Service for Consumers
OneCare is a comprehensive, simple-to-use consumer subscription service that will provide automated protection, maintenance, and performance tuning in an all-in-one package for Windows-based PCs. [...there's big money in creating a problem then solving it.]

Microsoft plans to buy Claria (Gator)
Microsoft is expected to buy the advertising firm Claria, which earned the wrath of millions of users when it was called Gator for trashing Windows PCs with adware. Microsoft hopes to extend its MSN advertising and add user profile technology already possessed by rivals Yahoo and Google. All three offer free "toolbar" downloads which add functionality to browsers but could also work in the background to gather information about your browsing and even capture keystrokes, or at least JavaScript field (login) input, if so configured. I do NOT recommend adding optional toolbars in general, but I do find the Yahoo and Google customized homepages helpful and informative. You might try these highly personalized portals for a homepage, but avoid the temptation to modify your browser with added features you don't really need or to install executables you don't understand.

To make matters worse, Microsoft's [Giant] anti-spyware software (still in beta) has just been changed so the default settings ignore Claria/Gator spyware rather than remove it. Anti-M$ zealots are going wild over this clear abuse of power and lack of ethics. That pretty well shoots 'Trustworthy Computing' in the foot. Nice going, Ballmer. Hopefully, enterprise admins will use this as a valid reason not to implement spyware security with Microsoft products, since they now ignore the worst adware/spyware offender out there.

Beyond PC's
Gartner analysts John Pescatore and John Girard wrote in a published paper that enterprises should prepare for the growing threat from malicious software for mobile phones and PDAs. "...a fast-spreading phone virus or worm is unlikely to appear before the end of 2007...after that, even antivirus software is unlikely to help. "

Two main factors...would encourage a virus to propagate.... First, smart phones capable of being infected by malicious software will have to make up about one-third of the market. Second, users of those phones will have to regularly exchange executable files. "Today, the penetration of [such] mobile devices (capable of being infected by a virus) is still relatively small." [That situation is changing quickly. Wireless providers are anxious to sell optional data services and routinely offer complex picture phones for under $100 with extended service plans these days.]

The Liberty Alliance is working on a standard to keep cell phone numbers from providers of wireless content such as ring tones, protecting people's privacy.

"The standard's purpose... is to enable third-party content providers to integrate (services) with mobile carriers without knowing the identity of the users," said a member. The interface specification for mobile messaging will work with both plain Short Message Service (SMS) and Multimedia Messaging Service (MMS), which is used by newer cell phones to send images and music.

The privacy concern arises from content providers sharing users' information, such as e-mail addresses, with spammers for a fee. "This business represents a large source of income for mobile operators and content providers alike," says Timo Skytta of the Liberty Alliance. In Europe, laws now prohibit service providers from transferring personal information to third parties without the customer's consent.

Vehicle Computer Security
Malicious Code - Anti-virus firm F-Secure confirmed it was unable to infect an automobile, a Toyota Prius, with variants of the Cabir worm, despite rumors to the contrary.

Personal Security
"[Security firm] Cybertrust does not use the term 'identity theft' if we can avoid it. Identity theft is actually identity fraud, since the victim continues to have the use of his identity after being attacked."

National Digital ID
In May, President Bush signed into law a bill that will require all Americans to obtain federally approved, machine-readable ID cards approved by the U.S. Department of Homeland Security. The "Real ID Act of 2005" was attached to an Iraq/Afghanistan military spending bill. Enforcement starts in May 2008. This will effectively create a national ID card [and database]. Once created, it's likely that it will make an attractive replacement for Social Security numbers, passport numbers and other credentials, which would be more easily trackable in a national database. Read more on the Real ID Act:

Real ID (national digital ID cards & database) and RFID (embedded passive transponder chip) may be the most significant, life-altering developments in this century! I'm working on a detailed discussion of their significance to all of us. I was astonished at what I discovered.

Digital Identity Control
While the potential for abuse is obvious, proper implementation of digital identification can be beneficial and finally end the senseless repetition of filling out your name, address, and phone number on different forms again and again. Urge legislators to require that all digital ID information be encrypted with the best available technology, including a hardware component, and to require physical contact with the item containing the embedded encryption chip plus your personal identification number (PIN) code to authorize and enable decryption of personal identity information transmitted by RFID or read from your card. You should always have positive control of when and how this information becomes usable, unless superseded by the filing of criminal charges against you.
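The unlock model proposed above, where the identity record stays sealed unless both the chip's own secret and the holder's PIN are present, can be sketched in code. The following is an added example, not anything from the post or from any Real ID or RFID specification: `CARD_SECRET` stands in for a key held inside the card's chip, the PIN is what the holder types at the reader, and the record can only be opened when both are combined. It uses only the Python standard library, so the cipher is an HMAC-based keystream with a separate authentication tag; a production design would use a proper authenticated cipher such as AES-GCM and would do the key derivation inside the chip rather than in reader software, so the card secret never leaves the hardware.

```python
import hashlib
import hmac
import os

SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
ITERATIONS = 100_000  # PBKDF2 work factor; slows down PIN guessing

# Constructed values for the example (hypothetical card and PIN).
CARD_SECRET = bytes.fromhex("6c1f0b3e9a4d7c2e5f8b0a1d3c6e9f2b")
HOLDER_PIN = "2468"
IDENTITY_RECORD = b"name=J. Example;dob=1970-01-01;addr=1 Main St"


def derive_key(card_secret, pin, salt):
    """Both factors feed the derivation: without the chip's secret a stolen
    PIN is useless, and without the PIN a cloned chip is useless."""
    return hashlib.pbkdf2_hmac("sha256", card_secret + pin.encode(),
                               salt, ITERATIONS, dklen=64)


def _keystream(key, nonce, length):
    """Stand-in stream cipher: HMAC-SHA256 in counter mode.  A real card
    would use an authenticated cipher such as AES-GCM instead."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(card_secret, pin, record):
    """Encrypt-then-MAC the identity record under the two-factor key.
    Layout: salt | nonce | ciphertext | tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(card_secret, pin, salt)
    enc_key, mac_key = key[:32], key[32:]
    ciphertext = bytes(p ^ k for p, k in
                       zip(record, _keystream(enc_key, nonce, len(record))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def unseal(card_secret, pin, blob):
    """Return the record, or None if either factor is wrong.  The tag is
    checked before any decryption, so a bad PIN yields nothing at all."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    key = derive_key(card_secret, pin, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong PIN, wrong card, or tampered blob: stays sealed
    return bytes(c ^ k for c, k in
                 zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


if __name__ == "__main__":
    sealed = seal(CARD_SECRET, HOLDER_PIN, IDENTITY_RECORD)
    print("card + correct PIN :", unseal(CARD_SECRET, HOLDER_PIN, sealed))
    print("card + wrong PIN   :", unseal(CARD_SECRET, "0000", sealed))
    print("cloned data, no card:", unseal(b"\x00" * 16, HOLDER_PIN, sealed))
```

The point the code makes is the one the paragraph argues for: what is broadcast or read from the card is the sealed blob, which is inert on its own, and the holder's physical act of presenting the card and entering the PIN is what turns it back into usable identity data.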

Knowledge and Vigilance
Government has a legitimate interest in being able to gather this still-encrypted information and some unencrypted non-personal information, such as zip code, citizenship status or other valuable but less personal data, to help identify criminal or terrorist movement and activity. In a post-9/11 world, there is room for some high-tech tracking and surveillance without wholesale invasion or elimination of personal privacy. We can learn to live with cameras everywhere in public places and infrared scanning through buildings by authorities looking for criminal activity. These minor technical invasions of privacy are offset by the increased threat of terrorism and the need for security. All of this can be done without excessive snooping, building extensive profiles of ordinary citizens' activity, or other unjustified loss of personal liberty or privacy. The principles of personal liberty and privacy must be maximized while the proliferation and uses of digital technology increase. Strong penalties for anyone exploiting technology to compromise personal identity must keep pace with new technology and be vigorously enforced.

For now, I remain hopeful that digital technology can be used properly to improve our lives. But this will require our knowledge and vigilance to overcome those who would abuse its power.
