Tuesday, April 27, 2010

Microsoft Security Intelligence Report Vol 8 Published

Microsoft has published volume 8 of its Security Intelligence Report, covering the second half of 2009. The data is gathered by Microsoft security tools, including the Malicious Software Removal Tool (MSRT), which is distributed monthly through Windows Update, and Microsoft Security Essentials.

One of the main findings is that on Windows 7 or Vista, rather than XP, you are more likely to be attacked through vulnerabilities in third-party software, most notably Adobe products, than through vulnerabilities in Microsoft products. Worldwide, the family most often removed from infected PCs was the Win32/Taterf worm, which steals account credentials from online game players, although malware patterns vary from country to country.

Rogue (fake) security software is also prevalent, as are botnets used for sending spam.

Wednesday, April 21, 2010

Top 10 Web Application Security Risks

The Open Web Application Security Project (OWASP) has published the 2010 version of its Top 10 web application security risks, the first revision since 2007. Recognised as a key reference for developers and security professionals, the OWASP Top 10 is cited in many security standards, including PCI DSS.

Although there are many similarities with the 2007 edition, the emphasis has changed from listing vulnerabilities to ranking risks. Prominent as ever are cross-site scripting (XSS) and injection flaws, which caught out both Apache and Amazon in recent weeks.

Added to the Top 10 is Security Misconfiguration. It was left out of the 2007 edition because it wasn't considered a software issue, and has been re-added to reflect the emphasis on risk. Also new is Unvalidated Redirects and Forwards. Relatively unknown as an issue, OWASP rates its potential for damage as high: a redirect on a trusted site that accepts any destination lets an attacker send victims to a phishing or malware site under a link that looks legitimate.

Removed from the Top 10 is Malicious File Execution. Although still an issue, improvements in the default configuration of PHP, where the problem was most widespread, have led to a reduction in incidents. Information Leakage and Improper Error Handling has also been removed; again, while still prevalent, the direct risk is minimal.
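To make the new A10 entry concrete, here is an added example (not from the OWASP document or from this blog) of the classic unvalidated redirect, a login page that sends the user on to whatever `?next=` says, beside a hardened version that only redirects to a path on the site's own host. The hostname `www.example.com`, the function names and the probe strings are all constructed for the example.

```python
"""Unvalidated redirect (OWASP 2010 A10) beside a hardened version.

Added example: SITE_HOST, the function names and the probe inputs are
constructed for illustration, not taken from any real application.
"""
from urllib.parse import urljoin, urlparse

# Assumed hostname of the application; the only host redirects may land on.
SITE_HOST = "www.example.com"


def redirect_target_vulnerable(next_param: str) -> str:
    """The flaw: the ?next= value goes straight into the Location header,
    so /login?next=https://evil.example/ sends the user off-site."""
    return next_param


def redirect_target_safe(next_param: str, default: str = "/") -> str:
    """Accept only a path on this site; anything else falls back to default."""
    if not next_param:
        return default
    # CR/LF or other control characters in a Location header allow header
    # injection, so reject them outright rather than trying to clean them.
    if any(ord(c) < 0x20 or c == "\x7f" for c in next_param):
        return default
    # Browsers treat backslashes in URLs like forward slashes, so "/\evil.com"
    # is really "//evil.com" (a scheme-relative URL). Normalise before parsing.
    candidate = next_param.replace("\\", "/")
    # Resolve against our own origin so that relative paths stay on-site and
    # scheme-relative or absolute URLs reveal their real host.
    parts = urlparse(urljoin(f"https://{SITE_HOST}/", candidate))
    if parts.scheme != "https" or parts.netloc.lower() != SITE_HOST:
        return default
    if not parts.path.startswith("/"):
        return default
    # Emit a relative URL: the browser resolves it against our origin, so even
    # a bug elsewhere cannot turn it into a cross-site redirect.
    return parts.path + ("?" + parts.query if parts.query else "")


# Constructed inputs: what an attacker might put into ?next=.
PROBES = [
    "/account?tab=orders",                     # legitimate relative path
    "https://www.example.com/orders",          # absolute, but on our own host
    "https://evil.example/",                   # plain open redirect
    "//evil.example/",                         # scheme-relative
    "/\\evil.example/",                        # backslash trick
    "https://www.example.com@evil.example/",   # userinfo trick
    "javascript:alert(1)",                     # non-HTTP scheme
    "/x\r\nSet-Cookie: a=b",                   # header injection
]


def compare() -> dict:
    """Map each probe to (vulnerable result, hardened result)."""
    return {p: (redirect_target_vulnerable(p), redirect_target_safe(p)) for p in PROBES}


if __name__ == "__main__":
    for probe, (bad, good) in compare().items():
        print(f"{probe!r:42} vulnerable -> {bad!r:42} hardened -> {good!r}")
```

The hardened version deliberately returns a relative URL rather than echoing the validated absolute one; the allow-list check is on the parsed host, not on a string prefix, which is what defeats the `www.example.com@evil.example` and `www.example.com.evil.example` variants.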

Friday, April 16, 2010

Security and Legal Issues in the Cloud

I recently tuned in to a Webinar on Security and Legal issues in the Cloud. I was pleased to find that most of the presenters started from the viewpoint that Cloud technology is mainly a rebranding of existing services, and so many of the issues are ones we know and are used to.

One of the main differences is, not surprisingly, trust. The more you outsource your services to the Cloud, the more you need confidence that a third party will handle your data and intellectual property correctly. The supplier's certifications and reputation give you this to a degree, but it's important to carry out your own audits.

Authentication was also heavily discussed during the presentations. One common side effect of Cloud systems is the need to introduce yet another set of credentials for the user population, which of course is never popular. One of the presenters proposed federated authentication as a solution, particularly SAML and OpenID. These technologies, along with others, have been around for a while but never seem to have gained the momentum they might have.

Data protection is another area that needs some thought. It's important to know where your data is held, as it is governed by the laws of the country where it is located as well as those of the countries from which it is accessed. Regulation differs widely from country to country, and particularly between North America and Europe.

Although not directly related to the Webinar's main subject, the undercurrent of the presentations was perhaps the most important point. Cloud Computing is currently in fashion, which has led to many "Cloud" solutions being implemented when perhaps they shouldn't have been. You would hope that the technology industry would be based more on fact than fashion, but unfortunately that doesn't seem to be the case.

Thursday, April 15, 2010

UK Digital Economy Act Encourages Innovation

The part of the UK Digital Economy Act designed to discourage illegal downloading has inadvertently started a furious discussion about how best to anonymise BitTorrent and other file-sharing traffic. Only this morning an article on the Register speculated that the SeedF*cker code, originally considered an exploit, could be used to disguise the IP address of a server hosting illegal content. Although many commentators were quick to dispute this, there are clearly plenty of ideas out there on how to beat the snoopers.

Not surprisingly, many proposed solutions are based around encryption and VPNs, but there are also more novel suggestions, such as routing all traffic via countries with strong data protection laws, or dividing files into extremely small chunks that are hard to identify. Some companies already claim to offer solutions.

There are also the so-called darknets, which offer their own ways of remaining anonymous.

Wednesday, April 7, 2010

How Much is Your Online Privacy Worth?

How much is your online privacy worth? In the UK it appears that until recently it was no more than £5,000, which was the maximum the Information Commissioner could fine an organisation for a serious breach of the Data Protection Act. The Register reports that the figure has just been raised to £500,000, which should hopefully focus data custodians on taking data protection a little more seriously.

Tuesday, April 6, 2010

Google. What They Know About You Explained.

With yet another Google privacy story in the news today, I thought it would be interesting to examine exactly what Google knows about the average internet user and how they gather the information. To keep things simple I have excluded any Google services that require some kind of authentication, such as Gmail or Google Apps. All the information discussed below is harvested from so-called anonymous browsing.

Firstly, irrespective of your browser or even of the HTTP protocol, every time you visit a web site your IP address is sent to the destination so that the server knows where to send its reply. If you are a home user, your IP address is allocated more or less at random from a large pool managed by your ISP. Even so, publicly available geolocation tools can narrow your IP address down to at least the nearest city. Many sites use this to target advertising at you; it is most obvious when you browse a site in a different country but see advertisements in your own language for businesses or services in your own country. Your ISP, of course, holds the allocation records and can use the IP address to identify you uniquely.

Again, even before you start using Google products or web sites, each time you request a web page your browser sends the server certain information in the HTTP request "headers". One of these, User-Agent, tells the site your browser type and operating system.

So, before you type the first character into Google's search engine, they already know more or less where you live, your operating system and your browser type. This is not limited to Google, of course, but applies to any web site. When you access www.google.com for the first time you receive a cookie, nominally to record your preferences (language, number of results per page and so on) but which also contains a unique ID. On your next visit the cookie, which is stored on your hard drive, is sent back with the request and the ID from the first visit is retrieved. Each search you perform is recorded by Google together with that ID, building up a profile of your browsing habits. The profile is used to target advertising at you, and the targeting becomes more effective as the profile grows.

Things get even more interesting for users of Google's Chrome browser. As Microsoft highlighted last week, the address bar of Chrome is also the search bar. Keystrokes typed into it are sent to Google so that it can suggest the search term you may want or the site you wish to visit. Guess what: your Google cookie, containing the unique ID, is sent along with those requests, allowing Google to record every site you visit.
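The following is an added example, not code from this post and not Google's code: a small server-side model of the mechanism just described. It parses a raw request, pulls the IP address and User-Agent from it, issues an ID cookie on the first visit and files every later search under that ID. The cookie name `PREF` and its `ID=` field, the request lines and the IP address are all constructed for the example. The last part shows what the post goes on to say about deleting cookies: a fresh ID is issued, but the IP and User-Agent still tie the two IDs together.

```python
"""Model of visit tracking: IP address, User-Agent and a cookie carrying a unique ID.

Added example: COOKIE_NAME, ID_FIELD, the sample requests and the address
203.0.113.7 are constructed; this is not any real site's code.
"""
import secrets
from urllib.parse import parse_qs, urlsplit

COOKIE_NAME = "PREF"   # assumed cookie name
ID_FIELD = "ID"        # assumed field inside the cookie value, e.g. PREF=ID=abc:LD=en


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into its target and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def tracking_id(cookie_header: str):
    """Pull the ID field out of a Cookie header such as 'PREF=ID=abc:LD=en; NID=x'."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            for field in value.split(":"):
                key, _, val = field.partition("=")
                if key == ID_FIELD and val:
                    return val
    return None


class Tracker:
    """Server side: issue an ID on the first visit, log every later request under it."""

    def __init__(self):
        self.profiles = {}  # id -> list of visit records

    def handle(self, raw_request: str, client_ip: str):
        req = parse_request(raw_request)
        uid = tracking_id(req["headers"].get("cookie", ""))
        set_cookie = None
        if uid is None or uid not in self.profiles:
            uid = secrets.token_hex(8)
            # Long-lived cookie, so the ID survives browser restarts.
            set_cookie = (f"{COOKIE_NAME}={ID_FIELD}={uid}:LD=en; "
                          "Expires=Tue, 06-Apr-2012 00:00:00 GMT; Path=/")
        url = urlsplit(req["target"])
        query = parse_qs(url.query).get("q", [None])[0]
        self.profiles.setdefault(uid, []).append({
            "ip": client_ip,
            "ua": req["headers"].get("user-agent"),
            "path": url.path,
            "search": query,
        })
        return uid, set_cookie

    def searches(self, uid: str) -> list:
        return [v["search"] for v in self.profiles.get(uid, []) if v["search"]]

    def linked_by_ip_ua(self, ip: str, ua: str) -> list:
        """What stays linkable once the cookie is gone: every ID seen with this IP and User-Agent."""
        return sorted(uid for uid, visits in self.profiles.items()
                      if any(v["ip"] == ip and v["ua"] == ua for v in visits))


# Constructed client side: one browser, one home IP address.
UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375 Safari/533.4"
HOME_IP = "203.0.113.7"


def request(target: str, cookie: str = None) -> str:
    lines = [f"GET {target} HTTP/1.1", "Host: www.google.com", f"User-Agent: {UA}"]
    if cookie:
        lines.append(f"Cookie: {cookie}")
    return "\r\n".join(lines) + "\r\n\r\n"


def demo():
    """First visit, two searches with the cookie, then a search after deleting cookies."""
    t = Tracker()
    uid1, set_cookie = t.handle(request("/"), HOME_IP)            # ID issued here
    cookie = set_cookie.split(";", 1)[0]                           # what the browser stores
    uid2, _ = t.handle(request("/search?q=flights+to+berlin", cookie), HOME_IP)
    uid3, _ = t.handle(request("/search?q=cheap+hotels", cookie), HOME_IP)
    uid4, _ = t.handle(request("/search?q=divorce+lawyer"), HOME_IP)  # cookies deleted
    return t, [uid1, uid2, uid3, uid4]


if __name__ == "__main__":
    tracker, ids = demo()
    print("same ID across visits:", ids[0] == ids[1] == ids[2], "->", tracker.searches(ids[0]))
    print("new ID after cookie deletion:", ids[3] != ids[0], "->", tracker.searches(ids[3]))
    print("still linked by IP + User-Agent:", tracker.linked_by_ip_ua(HOME_IP, UA))
```

Deleting the cookie breaks the chain at the ID level, which is why the post recommends it, but `linked_by_ip_ua` shows how little it costs a server to re-join the two halves while the address and browser stay the same.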

Many commentators also flag Google Analytics as a way for Google to record your internet activity even if your browsing habits defeat the techniques mentioned above. Google Analytics allows webmasters to record usage statistics for their site. It works by including a small piece of JavaScript on each page that sends information about the user's activity to Google. From what I can see, it doesn't send the Google cookie, so identifying a user is limited to the IP address.

What does this mean in practice? In the worst case, a law enforcement agency with the cooperation of Google and your ISP can build a complete record of your internet browsing, including time and location information. Eric Schmidt, Google's CEO, has previously suggested that if you have nothing to hide there is no problem. That may be true if you live in a Western democracy, although many people would argue otherwise. It's certainly not the case if you live in a country whose human rights record is less than ideal.

In European countries at least, abuse of this data is prohibited by the European Data Protection Directive and the national laws that implement it. This is just as well: imagine your employer, or anyone else for that matter, being able to get hold of all your internet activity, including that from your home PC.

It's also worth pointing out that none of these data gathering techniques is unique to Google, but as the biggest player in the internet space it can gather the most data, and consequently attracts the most criticism when people complain about privacy.

In theory there are a few things you can do to limit the information you leak to Google. The simplest is to delete your cookies regularly, which makes it much harder to track your activity. There are also services like GoogleSharing that anonymise your Google traffic, but in reality you can never completely hide your browsing patterns. If you want to use the internet to the full, you have to accept that some of your privacy is lost.

Friday, April 2, 2010

Privacy Online

The weekly podcast from the technology section of the Guardian recently did an item on online privacy. Although it was as informative and interesting as ever, I was surprised that there was no mention of the data protection laws in place that, in theory at least, protect against many of the fears raised in the discussion.

Most European national data protection laws implement, or should implement, the European Data Protection Directive, 95/46/EC, which is often summarised as follows:

Notice—data subjects should be given notice when their data is being collected;

Purpose—data should only be used for the purpose stated and not for any other purposes;

Consent—data should not be disclosed without the data subject’s consent;

Security—collected data should be kept secure from any potential abuses;

Disclosure—data subjects should be informed as to who is collecting their data;

Access—data subjects should be allowed to access their data and make corrections to any inaccurate data;

Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principles.

From http://en.wikipedia.org/wiki/Data_Protection_Directive

At first glance the directive appears fairly comprehensive and favourable to the privacy of the end user. Read deeper into the document and you find that the rules can be set aside in cases of national security or public interest, but otherwise it is still sound.

My own experience of the directive in action came from a client in Germany for whom I was hosting a web application. They requested that I not record the IP addresses of users who browsed the site, as it breached the directive, and they even came up with a court ruling to back up their argument. Like many web site administrators, I was recording source IP addresses for troubleshooting and security purposes, but also to be able to produce statistics on the usage of the web site, particularly with regard to geographical location. Although browsing of the site was supposed to be anonymous, the IP addresses could ultimately be used to trace the individual user, which is what caused the problem with the data protection directive.
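The conflict described above, between not storing a personal identifier and still wanting geographic statistics and a way to troubleshoot, has a standard middle ground. Here is an added example (not the author's setup, and not any particular server's feature) that rewrites web server log lines before they are stored: the address is truncated to its network prefix, which is coarse enough for country and city statistics, and replaced by a keyed hash that lets you correlate one client's requests for as long as the key is kept. The log lines, the key and the addresses (from the TEST-NET and documentation ranges) are constructed for the example.

```python
"""Log web requests without storing the client's full IP address.

Added example: SAMPLE_LOG, DEMO_KEY and the addresses are constructed; the
functions are illustrative, not part of any web server.
"""
import hashlib
import hmac
import ipaddress

# Constructed lines in Apache/nginx "combined" format.
SAMPLE_LOG = [
    '203.0.113.45 - - [02/Apr/2010:10:15:32 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.46 - - [02/Apr/2010:10:15:40 +0100] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::1 - - [02/Apr/2010:10:16:01 +0100] "GET /admin HTTP/1.1" 403 0 "-" "curl/7.19"',
]

# Constructed key. In practice generate it with secrets.token_bytes(32),
# keep it only in memory and replace it on a schedule (see pseudonymise_ip).
DEMO_KEY = b"constructed-demo-key-rotate-me"


def truncate_ip(ip_str: str) -> str:
    """Keep only the network part: /24 for IPv4, /48 for IPv6.
    Enough for geographic statistics, no longer a single subscriber."""
    ip = ipaddress.ip_address(ip_str)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def pseudonymise_ip(ip_str: str, key: bytes) -> str:
    """Keyed hash so one client's requests can still be correlated when
    troubleshooting an incident. Caveat: the IPv4 space is only 2^32 values,
    so whoever holds the key can brute-force the mapping back to addresses.
    Rotate the key (daily is common) and discard old keys; once a key is gone
    the pseudonyms in that day's log can no longer be tied to an address."""
    return hmac.new(key, ip_str.encode("ascii"), hashlib.sha256).hexdigest()[:16]


def anonymise_line(line: str, key: bytes) -> str:
    """Replace the leading client address with prefix + pseudonym, keep the rest."""
    ip, rest = line.split(" ", 1)
    return f"{truncate_ip(ip)} {pseudonymise_ip(ip, key)} {rest}"


def anonymise_log(lines, key: bytes) -> list:
    return [anonymise_line(line, key) for line in lines]


if __name__ == "__main__":
    for original, rewritten in zip(SAMPLE_LOG, anonymise_log(SAMPLE_LOG, DEMO_KEY)):
        print(original)
        print("  ->", rewritten)
```

Truncation alone would be enough for the statistics use; the pseudonym is the concession to troubleshooting, and its privacy value depends entirely on the key being rotated and destroyed rather than logged next to the data.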

Although many of the abuses of data raised in the Guardian podcast probably occur regularly, in my opinion that is not necessarily due to a lack of legislation but more to inefficient enforcement of the existing rules. The directive does allow for compensation to be paid in the event of damage caused by misuse of data, so I guess a few high-profile cases with large payouts would help tighten up compliance.

Thursday, April 1, 2010

Protecting Your Email

As I blogged last week, email in the corporate setting is extremely vulnerable to being read by others. Although a typical company Email Usage Policy allows employee email accounts to be read, perhaps for Data Leakage Prevention (DLP) purposes, you would expect this to happen in exceptional circumstances on the orders of the CEO rather than ad hoc by the IT department over their morning coffee and packet of Monster Munch. In addition, once your message leaves the corporate network, chances are that it is transmitted in clear text over the public internet.

Looking at the external email problem first, most mail gateways support Transport Layer Security (TLS), which provides encryption and authentication between mail servers. Unfortunately, TLS is often not configured, and where it is, it is usually opportunistic: if the receiving gateway does not offer it the message is sent in clear text anyway. It is also not supported by some public mail systems such as Gmail. TLS can also be configured between the client and the mail server, depending on the setup of the mail system, which reduces exposure to network sniffing but does nothing to defeat abuse by rogue system administrators.
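To show where "TLS is often not configured" bites, here is an added example (not from this post, and not the code of any mail product) of the sending side of SMTP: it reads the extensions a gateway advertises in reply to EHLO, decides under a given policy whether the hop gets TLS, and shows how the standard library negotiates STARTTLS. The two EHLO replies are constructed; the policy names `none`, `may` and `encrypt` are borrowed from Postfix's `smtp_tls_security_level` setting as an assumption, and `deliver` is not run here because it needs a live server.

```python
"""Client-side STARTTLS decision for a gateway-to-gateway SMTP hop.

Added example: EHLO_WITH_TLS and EHLO_NO_TLS are constructed replies; the
policy names mirror Postfix's smtp_tls_security_level values by assumption.
"""
import smtplib
import ssl

# Constructed multi-line 250 replies to EHLO from two hypothetical gateways.
EHLO_WITH_TLS = (b"250-mail.example.net Hello\r\n"
                 b"250-SIZE 35882577\r\n"
                 b"250-STARTTLS\r\n"
                 b"250 8BITMIME\r\n")
EHLO_NO_TLS = (b"250-legacy.example.org Hello\r\n"
               b"250-SIZE 10240000\r\n"
               b"250 8BITMIME\r\n")


def parse_ehlo_features(reply: bytes) -> dict:
    """Turn the 250 reply into {EXTENSION: parameters}. The first line is the
    server's own name, not an extension, so it is skipped."""
    features = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        if not line.startswith("250"):
            continue
        keyword, _, params = line[4:].partition(" ")   # strip "250-" or "250 "
        features[keyword.upper()] = params
    return features


def tls_decision(features: dict, policy: str) -> str:
    """policy: 'none' (never), 'may' (opportunistic) or 'encrypt' (required).
    Returns 'plain', 'starttls' or 'defer'."""
    if policy == "none":
        return "plain"
    # smtplib stores extension names in lower case; accept either.
    offered = any(name.upper() == "STARTTLS" for name in features)
    if offered:
        return "starttls"
    # The server offers no TLS. Opportunistic mode silently falls back to
    # clear text (the gap the post describes); required mode defers instead.
    return "plain" if policy == "may" else "defer"


def deliver(host: str, port: int, policy: str, mail_from: str, rcpt_to: str, message: bytes) -> str:
    """Negotiate STARTTLS with the standard library. Not executed in this example."""
    with smtplib.SMTP(host, port, timeout=30) as smtp:
        smtp.ehlo()
        decision = tls_decision(smtp.esmtp_features, policy)
        if decision == "defer":
            raise RuntimeError(f"{host} does not offer STARTTLS and policy is 'encrypt'")
        if decision == "starttls":
            # create_default_context() verifies the chain and hostname, which is
            # stricter than most gateway-to-gateway setups that accept any cert.
            smtp.starttls(context=ssl.create_default_context())
            smtp.ehlo()  # the advertised extensions can change after the handshake
        smtp.sendmail(mail_from, rcpt_to, message)
        return decision


if __name__ == "__main__":
    for name, reply in (("mail.example.net", EHLO_WITH_TLS), ("legacy.example.org", EHLO_NO_TLS)):
        feats = parse_ehlo_features(reply)
        print(name, {p: tls_decision(feats, p) for p in ("none", "may", "encrypt")})
```

With `may` the second gateway gets the message in clear text and nobody is told; with `encrypt` it sits in the queue until someone notices, which is the trade-off an administrator has to make per destination.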

End-to-end encryption addresses all of the above issues and has been around for some time. The leading solutions are Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME). Both use public/private key cryptography for encryption and digital signatures for authentication and integrity. The difference between them is how a public key comes to be trusted: S/MIME uses X.509 certificates issued in a hierarchy that relies on a trusted certificate authority, whereas PGP uses a web of trust in which users vouch for each other's keys.

Widespread adoption of both technologies has been hindered by key management and distribution: before you can send someone an encrypted message you need their public key. Although automatic key retrieval is possible by a variety of techniques, including LDAP queries of public directories, the management overhead has put many people off. It's also necessary to have your own key store, including the private key, on each system from which you want to read and send encrypted mail. This is particularly annoying if you use a web client: although Outlook Web Access supports S/MIME, and there are Firefox add-ons for both PGP and S/MIME that work with Gmail, all of them require a local key store.

Mobile devices don't help much either. The iPhone has no support for either technology, and although BlackBerry devices do, it comes only as a paid-for extra.

One solution I found to the certificate locality problem with a web client was to use a portable version of Firefox with an S/MIME extension for Gmail. I could then read and send encrypted emails from any PC. The same is possible in theory with PGP. It is unlikely this would be feasible for Outlook Web Access given that there isn’t a portable version of IE and many of the enhanced features don’t work with Firefox.

An ideal solution would allow mail programs to access key stores held on something like a USB key, and would introduce a mini USB interface for mobile devices, adopted by all the manufacturers, so that each user could use a single store from multiple devices. A single online public directory where everyone published their public key would also be useful. Why not something like Facebook or LinkedIn?