In security circles we often discuss why some individuals and businesses find themselves in a perpetual state of high risk. While there can be complex factors, the bottom line is that many of us make poor risk management decisions in our business and personal lives.
Sometimes a high risk position results because we don’t correctly assess asset values, threats or vulnerabilities. Sometimes the cost of implementing a safeguard exceeds an expected loss, and the decision to accept risk is a logical one. And sometimes we simply make mistakes.
But there are other reasons that we Canadians are often too polite to point out: Laziness, denial, rationalization and risk decisions based upon emotion rather than logic. The H1N1 ‘flu gives us plenty of examples.
We’re in the midst of an influenza pandemic. Fortunately we know how to create ‘flu vaccines — we do it every year to combat the seasonal flu. So we have a vaccine, and every credible organization from the World Health Organization down to our local medical officers is recommending that we vaccinate ourselves and our families.
The risk is clear: pH1N1 is a nasty virus that, at best, will make you sick for a week or two. At worst, it could kill you. The threat is real and much of the resulting risk can be mitigated by a simple vaccination. The Public Health Agency of Canada advises that, “without interventions like a vaccine and antivirals, close to 25 to 35 percent of the population could become ill over the period of a few months.” Other health organizations have released similar estimates. The vaccine has been tested in Canada as well as other countries, and we know that approximately 1 in 100,000 people will have a serious reaction to it, as with any other vaccine. (Source: http://www.phac-aspc.gc.ca/alert-alerte/h1n1/vacc/options-eng.php)
From a risk management perspective it doesn’t get much simpler than this. The benefits of the vaccine clearly outweigh the risks, and the cost (a few hours of our time at most) is minimal compared to the potential loss. And that doesn’t take ethics and social responsibility into account. Those who choose not to be vaccinated not only may become ill, but could also pass H1N1 on to more vulnerable family, friends and colleagues — including those who can’t be vaccinated due to allergies.
As a result, we continue to see people announce on the Internet that they’re not getting vaccinated. Some quote “facts” that are uninformed myths at best. Some focus on the 1 in 100,000 serious reaction rate and completely lose perspective. Others ignore a century or so of medical science and proclaim that they don’t need a vaccination because they are “healthy and take their herbs and vitamins.”
Chances are that you’ve already seen the writings of otherwise intelligent parents who are incapable of making good risk management decisions. Their blog posts usually start with how much they love their kids. Then they latch on to the one quack that charges people $50 each to attend a seminar to learn “the truth” and rationalize that “the medical community don’t all agree”. They focus on the danger of mercury in vaccines, even though the exposure is less than you’d get from eating a can of tuna. Or they repeat silly claims like suggesting that the vaccine is “untested”.
Some of these people obviously have other agendas. It’s clear from their writing that they’re simply anti-vaccination shills. They write clever “balanced” articles pitting fact against laughable fiction and seek to “support” others who share their defective logic.
Some see themselves as rebels, not “giving in” to the experts who tell them they should be vaccinated. The old phrase, “Rebels without a clue” comes to mind.
In others, the barrage of H1N1 information creates neurotic behaviour and they operate on a completely emotional level. They “agonize” (often at length and in writing) about how “difficult” the decision was. They lose all perspective, and should you dare point out the flaws in their reasoning their feelings are hurt. How dare you suggest that they don’t know what’s best. They behave as if the act of conceiving a child instantly made them more knowledgeable on vaccines than the WHO, CDC, and the medical experts of countless countries, including their own. They have “the right” not to vaccinate themselves and their children, and as emotional people often do, they confuse having a right with it being the right thing to do.
(The Berlin Wall, December 1985. Photo by Eric Jacksch)
Twenty years ago today the Berlin Wall fell, uniting East and West Germany. Celebrations today include fireworks, concerts, and the toppling of foam dominoes painted by school children. Spiegel Online International has a great collection of historic images and coverage of the 20th anniversary celebration. They also have published their interview with Lieutenant-Colonel Harald Jäger, The Guard Who Opened the Berlin Wall (in English).
A new student-run program in Indianapolis called Now Think Now encourages teens to think and make better decisions behind the wheel. Their web site explains,
Now Think Now is a social site where teens and other community members can gather and share their stories, ideas and opinions. Our ultimate goal is getting teens the information they need to make the right decision at the right time. Members can socialize about real topics with their friends and the community at large while at the same time earn points and recognition by peers. Points can be earned by contributing content or taking place in various activities, then can be redeemed for gift cards for food, gas, and more.
We’ll be keeping an eye on this great use of social media.
We often hear banks complaining loudly about the losses they suffer from payment card fraud. Campaigns like “Protect your PIN” and humorous commercials with a miniature armoured truck following a customer down the street must cost tens of millions of dollars.
But then consumers still receive calls like I did on Saturday afternoon. The bank – or someone claiming to be from the bank – called me, advised that they were recording the call, welcomed me as a new customer, and then asked me for my date of birth and postal code, “to confirm they were speaking to the right person.”
I have a very simple rule: If I call you, it’s reasonable for you to ask me to prove I am who I say I am. However, if you call me, you get to go first. And unfortunately, while banks are somewhat good at authenticating their customers, they never seem to consider how customers should authenticate them.
When I declined to provide personal information to the caller, she politely replied that I could call the number on the back of my card if I had any questions and then she ended the call.
So I did just that, and asked about the call. The CSR verified that the person who called me was indeed from the bank, and that they ask for a date of birth and postal code to make sure they’re speaking with the “right person”. But he didn’t have a solution to how I should authenticate future callers who claim they’re from the bank.
Banks should know better. Telephoning customers and asking for personal information is irresponsible and contributes to the identity theft problem. Banks should be telling their customers that they will never call them and ask for personal information – just as they currently do for PIN numbers.
There’s also an obvious solution: The bank could easily add one more field to their database, a password that they will use when they call me. In fact, next time they do call, I think I’ll ask them for their telephone password.
Perhaps the Bank’s security, fraud and marketing people need to have a chat.
Ars Technica has a great article this morning entitled 30 years of failure: the username/password combination.
One of the things that they didn’t discuss is why we continue to use passwords for authentication even though they’re known to be a serious weakness. The first reason is that, as long as we don’t include the cost of a security breach, passwords are free. The second is that while better authentication technologies exist, nobody seems interested in allowing a single credential to be used across multiple systems on the Internet. I should be able to carry one authentication device and use it everywhere, but instead when we go that route we end up with a key-ring full of devices.
Perhaps it’s time for the open source community to step up to the plate?
I recently installed Windows 7 Ultimate (32 bit) on my brand new HP Mini 110 (it ships with XP). The Windows 7 distribution included all the drivers needed to get the system up and running, including the WiFi drivers, making it a very painless process. Once running, it automatically downloaded the vendor-specific video driver, resulting in a fully operational system. The only driver I had to manually install was for the touchpad. The Windows 7 driver worked fine, but I couldn’t use functions like vertical scrolling until I downloaded the software from Synaptics.
I’m a strong proponent of whole disk encryption, especially on portable computers. The small size and weight of the HP Mini 110 make it an easier target for thieves. However, by default Windows 7 creates two hard drive partitions, a hidden one for boot and recovery, and a second main partition for the operating system. My favourite open source encryption software, TrueCrypt, won’t do whole hard drive encryption on Windows 7…at least not yet. So I decided to give Microsoft’s BitLocker a try.
BitLocker is designed to work on PCs that include a Trusted Platform Module (TPM) chip on their motherboard. BitLocker essentially stores the hard drive encryption key on the TPM and the system can be configured so that users must authenticate to the TPM using a PIN in order to boot their computer.
While that’s a nice plan, it doesn’t help those of us who have purchased a computer that doesn’t include a TPM, and I was somewhat disappointed to learn that the HP Mini 110 falls into that category. But searching the web I quickly learned that BitLocker can be used without a TPM chip by making a group policy change. (Detailed information can be found here.) Once the feature is enabled, the BitLocker key can be stored on a USB flash drive.
This scenario is not ideal because the key is not protected – anyone who gets their hands on the USB key can duplicate the key and use either it or the duplicate to boot the computer. However, it’s certainly better than the alternative, which is to not use hard drive encryption until third-party products catch up with Windows 7. If you protect your USB key like you protect your car keys, it does provide a practical defence against a thief accessing your data.
But if you’re like me, you probably keep your USB flash drive in your briefcase, making it vulnerable to theft along with your laptop. It’s like leaving your car keys sitting on top of the hood. I mentioned this challenge to a few colleagues, and one of them introduced me to a very cool product from Verbatim, the TUFF-‘N’-TINY™ USB flash drive.
Image courtesy of Verbatim
In addition to having the smallest form factor I’ve seen in a USB flash drive, the Tuff-‘N’-Tiny is dust, water, and static discharge resistant. It also includes a short key ring lanyard, which I highly recommend you use.
BitLocker only requires the USB key during the initial boot sequence, after which it tells you to remove the key, so the Tuff-‘N’-Tiny soon hung on my keychain as the “ignition key” for my HP Mini.
The Tuff-‘N’-Tiny also includes Verbatim’s V-Safe encryption software. Unlike many USB devices that mount both a public (unencrypted) and secure (encrypted) partition, V-Safe switches the user between the unencrypted and encrypted partition on the same drive letter. At first this seemed a bit unusual, but I quickly realized that, in addition to requiring only one drive letter for the device, this scheme also prevents the user from accidentally saving sensitive files to the unencrypted partition. Once you’ve entered your passphrase, only the encrypted partition is available.
Getting back to BitLocker, I think we’ll all agree that it is best used with a TPM chip. However, while not perfect from a security perspective, it is possible to use Windows 7 BitLocker for practical whole hard drive encryption without a TPM chip provided that you store the USB key separate from the computer. And so far, at least for me, attaching a small USB flash drive to my keychain appears to be the best option.
Last year I wrote about LoJack for Laptops, software that periodically checks in with a central server to help locate your laptop if it is stolen. One of the LoJack features that caught my attention is that, when installed on compatible computers, a BIOS agent is activated. The BIOS agent is supposed to reinstall LoJack if the thief removes it by, for example, reformatting the hard drive and reinstalling the operating system.
Around the time I wrote last year’s article, Vancouver-based Absolute Software sent me a copy to try out. I installed it on an HP Pavilion dv4 laptop, checked that it was working a few times, and promptly forgot about it. A few weeks ago, my laptop required a warranty repair, and prior to sending it in, I used DBAN to thoroughly wipe the hard drive. When I got it back, HP had reinstalled the original operating system. So I deleted both partitions and did a fresh install.
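The no-TPM setup described in this post can also be scripted with the built-in `manage-bde` tool; the following is an added example, not the author's own procedure. It assumes `C:` is the Windows volume, `E:\` is the USB flash drive, and English-language tool output.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Assumptions: C: is the Windows volume, E:\ is the USB flash drive, English tool output.
$osVolume = 'C:'
$usbDrive = 'E:\'

# manage-bde needs administrative rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated prompt.'
}

# The group policy change ("Require additional authentication at startup" with
# "Allow BitLocker without a compatible TPM" ticked) is stored in these two values.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
if (-not $fve -or $fve.UseAdvancedStartup -ne 1 -or $fve.EnableBDEWithNoTPM -ne 1) {
    throw 'Policy not set: BitLocker will refuse to start without a TPM.'
}

if (-not (Test-Path $usbDrive)) { throw "USB drive $usbDrive not found." }

# Add two protectors: the startup key written to the USB drive, and a numerical
# recovery password for the day the USB drive is lost or fails.
& manage-bde.exe -on $osVolume -StartupKey $usbDrive -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE." }

# The startup key is an ordinary hidden file on the flash drive. Nothing protects
# it, which is why the drive has to be kept apart from the laptop.
$keyFiles = @(Get-ChildItem -Path $usbDrive -Filter '*.BEK' -Force)
"Startup key files on ${usbDrive}: $($keyFiles.Count)"
$keyFiles | ForEach-Object { "  $($_.Name)  ($($_.Length) bytes)" }

# Confirm both protectors were registered on the volume.
$protectors     = & manage-bde.exe -protectors -get $osVolume
$hasExternalKey = [bool]($protectors -match 'External Key')
$hasRecoveryPwd = [bool]($protectors -match 'Numerical Password')
"External (USB) key protector present: $hasExternalKey"
"Recovery password protector present:  $hasRecoveryPwd"
if (-not ($hasExternalKey -and $hasRecoveryPwd)) {
    Write-Warning 'Expected protectors are missing; review the output of manage-bde -protectors -get.'
}

# Show conversion state; manage-bde also reports whether a restart is needed.
& manage-bde.exe -status $osVolume
```

Record the 48-digit recovery password that `manage-bde` prints somewhere other than the laptop or the USB drive, since it is the only way in if the flash drive is lost.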
Over the weekend I remembered about LoJack and I was curious. I logged into their web site and was informed that my laptop had checked in earlier the same day! LoJack survived every bit on the hard drive being overwritten and two operating system installs. Had a thief stolen my laptop and reinstalled the operating system, it would be checking in every time it was connected to the Internet. And we’d be tracking it down right now.
By now most of us know that when we delete a file from our computer it isn’t really gone – the space is merely marked as being available for reuse. Unlike in the physical world, where we can easily shred or burn documents we wish to dispose of (and put the others out in the same trash bag as the kitchen waste and used kitty litter) it’s relatively hard to do the same on our PCs.
If our operating systems and applications were designed with privacy in mind, we could simply tell them that we don’t want to retain any browsing history, that our web cache and cookies should be deleted when we close our browser, that we aren’t interested in being presented with a list of our most recently used files, and that the last date/time a file was read isn’t necessary information. We could also tell it to overwrite disk space when it’s done with it.
The technical reasons behind some of these issues were originally performance related, but given the speed of computers these days, there is no good reason that our computer needs to keep notes on what we’ve been using it for.
Of course when one brings up these issues, there are those who ask, “What do you have to hide?” Child pornography is an often-quoted example of why computer forensics is a good thing, and I certainly agree that child pornographers should receive an express ticket to jail (or worse). But I’m not willing to give up fundamental privacy rights and live in digital glass houses in order to make it easier to catch criminals.
I’ve written before about hard drive encryption, and full drive encryption remains the best way to safeguard your privacy. The enhanced BitLocker functionality in Windows 7 combined with the TPM chip in many new computers is a move in the right direction. The open source TrueCrypt project is great, but they need to quickly adapt to new realities in Windows 7.
Self-encrypting hard drives appear to be a promising technology, but while vendors brag about them, they aren’t readily available and technical information remains marginal at best. If — as a security professional and writer — I can’t get my hands on one to test, I have to conclude that they’re not a viable option at this time.
Then there are software products that perform tasks such as wiping free space and deleting unwanted browser histories. From a functional security perspective, products like Evidence Eliminator can perform a nice clean-up of your computer, deleting temporary files, browser artefacts, and wiping unused hard drive space to eliminate ‘deleted’ data. But “Evidence Eliminator” is a really bad idea.
From a security perspective, this product (and to be fair many others in the same category) often creates a bigger problem than it solves: While they do a good job of removing unwanted data, they also do a fantastic job of creating evidence that you ran “Evidence Eliminator”. It is quite amusing to read of people attempting to explain in court that they didn’t delete data pertaining to the matter in front of the court when they ran “Evidence Eliminator”. By definition, if you’re eliminating evidence, you look guilty.
Ironically, by calling the product “Evidence Eliminator”, the vendor has made performing clean-up tasks that may be quite reasonable in many circumstances look like a criminal act.
Imagine you’re at work and someone you know emails a URL. You download a file you expect contains something humorous and end up with porn on your work computer. Sure, we can discuss why you shouldn’t have downloaded it in the first place, but there are countless scenarios that could result in you having some type of data on your drive that you don’t want.
In the physical world, you could toss it in the shredder bin, take it home and put it in the fireplace, or otherwise dispose of it. We should have the same ability with data. But it’s just real deletion that we want, not evidence elimination.
On the off chance that enterprising developers are reading, there are two products missing from the market – or at least I can’t find them!
The first is a clean-up product that runs entirely from a USB stick and does not require installation on the PC. Running it would clean up the hard drive, overwrite browser artefacts, temporary files, wipe free hard drive space, etc. In fact, it would do most of the things that Evidence Eliminator does – except the purpose would be to clean up the computer and protect privacy – not destroy evidence.
The second is an installable package that monitors system use and cleans up after the user automatically. In short, it would protect privacy by doing what the operating system and applications should offer to do by themselves: really deleting stuff.
Thoughts? Questions? Ideas?
Let’s hear ‘em!
McAfee recently released a comprehensive report on the array of threats facing banks and their customers. It includes topics such as card skimming, money laundering, the Nigerian 419 fraud, auctions, and online banking. The report also provides a good overview of current countermeasures.
Highly recommended reading!
The full report is available for download here.
As a security professional, I spend a lot of my time contemplating how to manage security risk in the corporate and government space. But there is another challenge that greatly interests me: Protecting the average user.
Unless you have an IT guy or gal in the family, it can be hard to get the right information. And there are definitely challenges. For example, check out Justin Foster’s blog post on Keeping Granny Safe.
One of the great tidbits in it is the link to Secunia’s free vulnerability scanners for home users. They offer both a web-based and a downloadable package. I installed the latter on my notebook and it quickly identified a few products on my computer that needed updating.