<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tech Prognosis Blog &#187; Security</title>
	<atom:link href="http://blog.techprognosis.com/category/security/feed" rel="self" type="application/rss+xml" />
	<link>http://blog.techprognosis.com</link>
	<description>We prevent computer problems</description>
	<lastBuildDate>Wed, 01 Sep 2010 13:45:02 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Your Business and the CIA Triad: What&#8217;s your Status?</title>
		<link>http://blog.techprognosis.com/2010/09/01/your-business-and-the-cia-triad-whats-your-status.html</link>
		<comments>http://blog.techprognosis.com/2010/09/01/your-business-and-the-cia-triad-whats-your-status.html#comments</comments>
		<pubDate>Wed, 01 Sep 2010 13:21:13 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[Enterprise Computing]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Managed Services]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Small Business]]></category>
		<category><![CDATA[Critical Data]]></category>
		<category><![CDATA[Data Availability]]></category>
		<category><![CDATA[Data Confidentiality]]></category>
		<category><![CDATA[Data Integrity]]></category>
		<category><![CDATA[Ferpa]]></category>
		<category><![CDATA[Fsma]]></category>
		<category><![CDATA[HIPAA]]></category>
		<category><![CDATA[Information Systems Security]]></category>
		<category><![CDATA[Need To Know Basis]]></category>
		<category><![CDATA[Pii]]></category>
		<category><![CDATA[Unauthorized Alteration]]></category>

		<guid isPermaLink="false">http://blog.techprognosis.com/?p=1071</guid>
		<description><![CDATA[The core goal of information security is to assure the confidentiality, integrity and availability of all the sensitive data kept by an organization.  That's critical for the continuity of business operations, as well as legally and ethically required.]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.techprognosis.com/2010/09/01/your-business-and-the-cia-triad-whats-your-status.html"><img class="alignleft size-full wp-image-1074" style="margin: 4px 8px;" title="techprognosis_CIA_triad" src="http://blog.techprognosis.com/wp-content/uploads/2010/09/techprognosis_CIA_triad.png" alt="" width="150" height="134" /></a>The CIA triad is an information systems security term that refers to the  critical task of data protection. The core goal of information security  is to assure the confidentiality, integrity and availability of all the  sensitive data kept by an organization.  That&#8217;s critical for the  continuity of business operations, as well as legally and ethically  required.<br />
So what is the CIA triad?<br />
It provides for safely using  paper- and computer-based data systems, email, fax machines, telephones,  web browsers, and even just talking out loud through the provision of:</p>
<p><strong>C</strong>onfidentiality  of data &#8211; where you ensure that critical data is only accessed by  people with proper approval and on a need to know basis.<br />
Confidentiality is related to the broader concept of <a title="Network Monitoring Service by Tech Prognosis" href="http://www.techprognosis.com/services/network-monitoring.html">data privacy</a> &#8211; the act of limiting access to Personally Identifiable Information  (PII). In the US, a range of state and federal laws, with abbreviations  like FERPA, FSMA, and HIPAA, set the legal terms of privacy.<span id="more-1071"></span></p>
<p><strong>I</strong>ntegrity of data &#8211; where you do everything possible to protect business and client information from unauthorized alteration. Integrity is all about the trustworthiness of information and the assurance that data have not been changed inappropriately, whether by accident or deliberately. It also includes making sure that the data actually came from the person or entity you think it did, rather than an impostor. In many cases, it might actually come down to making sure that the information recorded reflects an actual, reliable and correct record or circumstance. At the end of the day, it is the business owner&#8217;s job to <a title="Virtual CIO Service by Tech Prognosis" href="http://www.techprognosis.com/services/virtual-cio.html">make sure</a> that the business&#8217;s information system includes a mechanism to preserve, without corruption, whatever was transmitted or entered into the system, right or wrong.</p>
<p><strong>A</strong>vailability &#8211;  where you ensure that critical business information is readily available  to authorized users and applications as needed. Businesses today are  highly dependent on functioning information systems.  Many could not  operate without them.<br />
Availability, like other aspects of security,  may be affected by purely technical issues (e.g., a malfunctioning part  of a computer or communications device), natural phenomena (e.g., wind  or water), or human causes (accidental or deliberate).<br />
While the  relative risks associated with these categories depend on the particular  context, the general rule is that humans are the weakest link.  (That&#8217;s  why each user&#8217;s ability and willingness to use a data system securely  are critical.)</p>
<p>The provision of Confidentiality, Integrity and  Availability is something most businesses take for granted, especially  those that provide services dealing with sensitive data like finance,  health and legal matters. Consider the following scenarios:</p>
<ul>
<li>janitors working at night freely browsing customer information that was left open on a computer without a screen-saver password.</li>
<li>partially printed result of a retina scan that was thrown into a trashcan</li>
<li>sensitive email that was sent without encryption</li>
<li>a USB drive full of financial reports, with no password protection or encryption, carelessly left at the front desk</li>
<li>an employee loudly discussing sensitive business details on the phone at an airport</li>
</ul>
<p>The biggest area where most small businesses fail is in the area of  availability &#8211; making sure that resources are available to users and  clients when needed. This is because over seventy percent of small  businesses do not make any effort to <a title="Tech Prognosis Online Backup" href="http://www.techprognosis.com/onlinebackup">back up</a> their critical data. I have dealt with enough to know that it is only  when a hard drive fails, or a memory module goes bad (the famous server  crash) that they scramble around begging any computer support provider  they can find to &#8220;do whatever it takes to get our stuff back&#8221;. Sadly, in  most cases it is either too late or is going to cost an outrageous  amount to recover the data through high-end data recovery software or  service.</p>
<p>What can you do? We&#8217;ll talk about this in the next installment.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.techprognosis.com/2010/09/01/your-business-and-the-cia-triad-whats-your-status.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Online Tracking &amp; Spying is No Joke!</title>
		<link>http://blog.techprognosis.com/2010/08/28/online-tracking-spying-is-no-joke.html</link>
		<comments>http://blog.techprognosis.com/2010/08/28/online-tracking-spying-is-no-joke.html#comments</comments>
		<pubDate>Sat, 28 Aug 2010 15:50:04 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[Email and Spam]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Web Technology]]></category>
		<category><![CDATA[Computer Security Consultant]]></category>
		<category><![CDATA[Data Loss Prevention]]></category>
		<category><![CDATA[Disaster Recovery]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[Internet Tracking]]></category>
		<category><![CDATA[Managing Risk]]></category>
		<category><![CDATA[Online Spying]]></category>
		<category><![CDATA[Private Browsing]]></category>
		<category><![CDATA[Risk Management]]></category>
		<category><![CDATA[Security Compliance]]></category>

		<guid isPermaLink="false">http://blog.techprognosis.com/?p=1026</guid>
		<description><![CDATA[You&#8217;ve heard about it and read tons of articles about it, but until you actually experience it, you do not realize how unnerving online spying can be. As a Computer Security Consultant, I spend a lot of time on the internet reading, researching and writing. Naturally, I subscribe to a lot of content providers for [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.techprognosis.com/2010/08/28/online-tracking-spying-is-no-joke.html"><img class="alignleft size-full wp-image-1028" style="margin: 5px 8px;" title="onlinespyingimage" src="http://blog.techprognosis.com/wp-content/uploads/2010/08/onlinespyingimage1.jpg" alt="" width="150" height="107" /></a>You&#8217;ve heard about it and read tons of articles about it, but until you actually experience it, you do not realize how unnerving online spying can be. As a Computer Security Consultant, I spend a lot of time on the internet reading, researching and writing. Naturally, I subscribe to a lot of content providers for white-papers, research reports etc.</p>
<p>Recently, I started noticing a trend that did not initially ring an alarm bell. <span id="more-1026"></span>Whenever I go online to research a particular topic, say &#8220;disaster recovery&#8221; or &#8220;file encryption&#8221;, I would get an email from one of the content provider&#8217;s &#8220;Research Assistant&#8221; with links to articles and documents from vendors about data backup, disaster recovery and file encryption. Normally you would say, &#8220;great, just what I was looking for&#8221;. But I tend to look at it from the other side &#8211; how did they know what I was searching for? And more importantly, what else are they tracking other than my search habits? To push it even further, how long has it been going on?</p>
<p>Remember, these are subscription services I signed up for a long time ago. Sure, whenever you download a white-paper (never mind that the piece of crap is only a page long) and you have to fill out a long form asking for every little detail about you, you will get your fair share of spam email. But thanks to recent regulations, you also have the option of putting a stop to the nonsense by opting out. In some stubborn cases as was my recent experience with Preplogic, you simply add them to your block list (yes, I will name this company because of their unethical behavior after I tried to unsubscribe four times and was still getting their &#8220;promotions&#8221;. I had to block their list address from sending me emails!).</p>
<p>[As an aside, I do hope companies realize that it is not the amount of emails you bombard us with on a daily basis that spurs our purchase (listen up Amazon!); rather, it is our need for specific products at specific times. After all, I came to your website to buy something in the first place. If I need something else, I know how to get to your website. Clogging my Inbox with useless "promotions" just pisses me off and could surely guarantee that I will not buy from you next time].</p>
<p>I had a suspicion that my internet searches were being tracked by this content provider (through IP tracking). IP tracking can be used to track people’s online behavior in a way that eliminates their anonymity online, and recent tests have shown that IP addresses can perfectly identify about 30% of U.S. households. That means that from your IP address, it is possible for a site to know or approximate your exact physical or home address.</p>
<p>So I did a little experiment (as a regular day-to-day user) to test my theory. I installed a fresh copy of Mozilla Firefox and set it up to always start in private browsing mode and to clear the cache on exit. I then used Adobe&#8217;s Flash Settings Manager to lock down (I thought) Flash cookies. Over a period of three weeks, I went online and searched for three different unique subject areas.</p>
<p>The first was &#8220;Identity Theft&#8221;. To my surprise (and to be honest, a little alarm), about 15 minutes later, I got an e-mail from the content provider&#8217;s &#8220;Research Assistant&#8221; with the following:</p>
<p style="padding-left: 30px;">RECOMMENDATIONS:<br />
Linking identity and data loss prevention to avoid damage to brand, reputation and competitiveness</p>
<p>Next, I searched for &#8220;Risk Management&#8221; and like clockwork, the &#8220;Research Assistant&#8221; came back with:</p>
<p style="padding-left: 30px;">RECOMMENDATIONS:<br />
Managing Risk an Integrated Approach</p>
<p>Finally, I searched for &#8220;Security Compliance&#8221; and got an e-mail from the &#8220;Research Assistant&#8221; with the following:</p>
<p style="padding-left: 30px;">RECOMMENDATIONS:<br />
Video Whiteboard: Managing Risk and Compliance Proactively</p>
<p>Were these three cases coincidental? Possibly, but I find it really interesting that their email robot would send me messages &#8220;To assist you with your IT research&#8221; and recommending &#8220;following related content, which other readers have recently requested&#8221;. I am tempted to believe that despite the steps I had taken to shield myself from invisible &#8220;eye-balls&#8221; following my every move online, these content providers have found a clever and invasive way of keeping tabs on us all the same. The good thing is they (or some at least) provide an option to &#8220;opt out&#8221;. Whether that is just window dressing to cover their butts is anyone&#8217;s guess.</p>
<p>My recommendation is that you should be aware that nothing you do online is anonymous. More and more content providers are sharing subscriber information these days and tracking is the way they fulfill these barter arrangements. The goal is targeted marketing, but the psychological effect on us is a little stressful. There is so much going on in our daily lives that many of us do not have the time to look at the stuff working in the background as we go about our daily &#8220;surfness&#8221;.</p>
<p>Be careful out there.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.techprognosis.com/2010/08/28/online-tracking-spying-is-no-joke.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Disney Sued For Spying With Flash Cookies</title>
		<link>http://blog.techprognosis.com/2010/08/18/disney-sued-for-spying-with-flash-cookies.html</link>
		<comments>http://blog.techprognosis.com/2010/08/18/disney-sued-for-spying-with-flash-cookies.html#comments</comments>
		<pubDate>Wed, 18 Aug 2010 15:48:34 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Web Technology]]></category>
		<category><![CDATA[Browser Cookies]]></category>
		<category><![CDATA[Computer Privacy Concerns]]></category>
		<category><![CDATA[Disney]]></category>
		<category><![CDATA[Flash Cookies]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://blog.techprognosis.com/?p=989</guid>
		<description><![CDATA[We all love our web browsing and the internet has become a part of our daily existence. Unfortunately, the internet has also become a great tool for the invasion of our privacy by &#8220;marketing&#8221; companies who are doing everything they can to &#8220;stand out&#8221; and be &#8220;ahead of the curve&#8221;. This means sometimes engaging in [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.techprognosis.com/2010/08/18/disney-sued-for-spying-with-flash-cookies.html"><img class="alignleft size-full wp-image-991" style="margin-left: 5px; margin-right: 5px;" title="disney_image" src="http://blog.techprognosis.com/wp-content/uploads/2010/08/disney_image.jpg" alt="" width="150" height="68" /></a>We all love our web browsing and the internet has become a part of our  daily existence. Unfortunately, the internet has also become a great  tool for the invasion of our privacy by &#8220;marketing&#8221; companies who are  doing everything they can to &#8220;stand out&#8221; and be &#8220;ahead of the curve&#8221;.  <span id="more-989"></span>This means sometimes engaging in what may be called nefarious activities  through cookie tracking. Cookie tracking works like a GPS system for  the content provider. It is why when you visit a news website for  example, they immediately serve content that is local &#8211; Austin,  Georgetown, Round Rock, San Antonio etc. They know where you live because they track  the IP address of your computer and tie it to the provider and the  region assigned.</p>
<p>Well, Disney is in hot water right now for something similar but far more disturbing &#8211; Flash Cookies. Flash cookies are a new way of tracing your movement and storing a lot more information about you than with normal cookies and you can&#8217;t locate them in your browser. They are not shown in the list of cookies that you can see when you take a look at the cookies that are currently saved in your web browser. Even more disturbing is the fact that while normal web browser or HTTP cookies cannot save more than 4 kilobytes of data, Flash cookies can save up to a whopping 100 kilobytes.</p>
<p>That is a lot  of storage space for snooped personal information through the use of  LSOs, or locally shared objects with the ability to gather detailed user  information over long periods of  time without a trace. To make it worse, a recent <a title="UC Berkeley Research on Flash Cookies" href="http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862">paper</a> by UC Berkeley  researchers exposed the ability of Flash cookies to &#8220;re-spawn&#8221;  themselves. This means that even if the user deleted the cookies, they  automatically re-generated, like a virus.</p>
<p>This is not a new development as the dangers of Flash cookies were <a title="Flash Cookies Explained" href="http://www.ghacks.net/2007/05/04/flash-cookies-explained/" target="_blank">exposed</a> way back in 2007.<br />
The Disney case involves the use of Flash cookies by the company and its subsidiaries to track highly personal information about their users, many of whom were minors. Specifically, it is the &#8220;re-spawning&#8221; aspect of the suit that should concern &#8220;ordinary&#8221; users who do not have enough time or interest to dig into the inner workings of the more technical aspects of web browsing.</p>
<p>According to the suit filed in US District Court in Los Angeles against Walt Disney Internet Group, Clearspring Technologies, Warner Bros. Records, and several other companies that shared the cookies, the affiliates engaged in &#8220;covert online surveillance&#8221; by failing to adequately warn users about the information-sharing arrangement. They are also alleged to have allowed &#8220;zombie cookies&#8221; to be restored even after a user had gone through the trouble of deleting them. In one stated instance, the &#8220;re-spawning&#8221; allowed Disney affiliates to track the habits of one individual who researched articles on depression.</p>
<p>The companies are alleged to have violated several laws, including the federal Computer Fraud  and Abuse Act, the California Computer Crime Law, the California  Invasion of Privacy Act and trespass and personal property statutes by:</p>
<ul>
<li>&#8220;&#8230;hack(ing) the computers of millions of consumers&#8217; computers to plant rogue, cookie-like tracking code on users&#8217; computers&#8221; which could not be easily detected, managed or deleted without notice or consent;</li>
<li>&#8220;circumventing the users&#8217; browser controls for managing web privacy and security&#8221;</li>
<li>scheming to &#8220;obtain personal identifying information, monitor users, and to sell users&#8217; data and to use the hacked profiles to track users across numerous websites&#8221;;</li>
<li>Spotting and tracking users when they accessed the internet from different computers, at home and at work.</li>
</ul>
<p>There is a laundry list of information collected which, even though we know this stuff goes on, is a little troubling:</p>
<ul>
<li>Viewing choices</li>
<li>Gender, age, race, number of children</li>
<li>Educational level, geographic location, household income</li>
<li>What the user looked at, what the user bought, the materials the user read</li>
<li>Details about financial situation, sexual preference, name, home address, email address, telephone number, health conditions etc.</li>
</ul>
<p>So  what can you do to protect yourself?</p>
<ul>
<li>Adobe Flash has a &#8220;Settings  Manager&#8221; that can be used to control how Flash cookies work on your  computer, but the tool is buried on the company&#8217;s website and is not  readily available through the controls on your web browser. You can  access the tool <a title="Flash Cookie Settings Manager" href="http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager.html">here</a>. Go through the settings and make &#8220;deny&#8221; the default for everything. You can also set the allowable storage to 0. The setting can always be adjusted if necessary.</li>
</ul>
<ul>
<li>In addition, get into the habit of using web browsers other than Internet Explorer. They give you more granular control over what your web browser can do, and you do not have to dig through hidden menus and locations to adjust the settings, as is the case with Internet Explorer.<br />
Firefox, Opera and Chrome for example, have add-ons that can  help you fight the invasion of privacy that is being driven by the need  to gather more information about your browsing habits so companies can  better target what to advertise to you.</li>
</ul>
<ul>
<li>You can also try not using your real name for your computer account. Use a nickname instead. Encrypt personal data with tools like <a href="http://www.truecrypt.org/">Truecrypt</a> and <a href="http://www.axantum.com/AxCrypt/">Axcrypt</a>. If you are using Internet Explorer 7 and above, Opera or Firefox, there is an option for private browsing where cookies are not saved. It is not perfect, but it can reduce the amount of trash content providers leave on your computer.</li>
</ul>
<ul>
<li>Use spy-ware scanning tools like <a href="http://www.safer-networking.org/en/home/index.html">Spybot Search and Destroy</a>, MalwareBytes etc. By occasionally scanning your computer for spy-ware, you may be able to detect some irregular files dropped on your computer by a content provider.</li>
</ul>
<p>Sadly, many computer users take the issue of privacy and safe computing for granted, until something terrible happens.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.techprognosis.com/2010/08/18/disney-sued-for-spying-with-flash-cookies.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Watch Out: Copyright Lawsuit E-mail Scam</title>
		<link>http://blog.techprognosis.com/2010/04/30/watch-out-copyright-lawsuit-e-mail-scam.html</link>
		<comments>http://blog.techprognosis.com/2010/04/30/watch-out-copyright-lawsuit-e-mail-scam.html#comments</comments>
		<pubDate>Fri, 30 Apr 2010 14:10:49 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[Email and Spam]]></category>
		<category><![CDATA[Ethics]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Web Technology]]></category>
		<category><![CDATA[Copyright Lawsuit Scam]]></category>
		<category><![CDATA[Copyright Scam]]></category>
		<category><![CDATA[E-Mail Scam]]></category>
		<category><![CDATA[Malicious Code]]></category>

		<guid isPermaLink="false">http://blog.techprognosis.com/?p=871</guid>
		<description><![CDATA[So I received an email from a very perceptive user the other day. The request was to look into a suspicious e-mail that accused this user of copyright infringement: &#8220;To whom it may concern, It has come to our attention that you have made an unauthorized use of my copyrighted work in the preparation of [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://blog.techprognosis.com/2010/04/30/watch-out-copyright-lawsuit-e-mail-scam.html"></a><a href="http://blog.techprognosis.com/2010/04/30/watch-out-copyright-lawsuit-e-mail-scam.html"><img class="alignleft size-full wp-image-888" title="techprognosis_alert" src="http://blog.techprognosis.com/wp-content/uploads/2010/04/techprognosis_alert.jpg" alt="" width="150" height="120" /></a></p>
<p>So I received an email from a very perceptive user the other day. The request was to look into a suspicious e-mail that accused this user of copyright infringement:</p>
<blockquote><p>&#8220;To whom it may concern,<br />
It has come to our attention that you have made an unauthorized use of my copyrighted work in the preparation of a work derived therefrom. We have reserved all rights in the Work, which was first published in 2008, and we have registered the copyright.<span id="more-871"></span></p>
<p>The copyrighted images which appear on your web site, are essentially<br />
identical to the Work and clearly used the Work as its basis.<br />
You neither asked for nor received permission to use the Work as the basis<br />
for it nor to make or distribute copies of it. Therefore, we believe you<br />
have willfully infringed our rights under 17 USC Section 101, et seq. and<br />
could be liable for statutory damages as high as $100,000.</p>
<p>I demand that you immediately cease the use and distribution of all<br />
infringing works derived from the Work, and all copies of it, and that you<br />
deliver to us all unused, undistributed copies of it, or destroy such copies<br />
immediately, and that you desist from this or any other infringement of my<br />
rights in the future. If we have not received an affirmative response from<br />
you by 10/05/2010 indicating that you have fully complied with these<br />
requirements, we will be taking the full legal remedies available to rectify<br />
this situation.</p>
<p>Attached you will find the list of the copyrighted material you are<br />
infriging on.&#8221;</p></blockquote>
<p>This particular email had a password-protected zipped (rar) attachment called n2nh1 and inside that zipped folder was a single Word file named attachment. Inside the Word file was a packaged PDF file that asked you to click to view the &#8220;list&#8221;. Inside the PDF was an exe file that supposedly contained the &#8220;lawsuit&#8221;. Another variation contains prompts and malicious links that will lead the victim to web sites that will install malicious code onto a computer.</p>
<p>Obviously, at this point, any discerning person should immediately recognize this for what it is. What we had here was a shake down that has steadily been growing in  recent months &#8211; pay us or we will sue you. This seems to be a rehash of  old tactics as were employed by Davenport Lyons, ACS Law, Digiprotect  etc.</p>
<p>The immediate red flag was the absence of any reference to the &#8220;offending material&#8221;. Second, I noticed that there was no signature attached &#8211; name, dept., phone number etc. Third, the email address was spoofed. A quick look at the email header showed that the origin of the IP address was different from that of the domain that was supposedly accusing this user of infringement. Most importantly, any attorney with an iota of self-respect would not send you a notice of infringement by email! That is what certified mail is for. The purpose of this particular tactic is not clear, but I suspect that the intent is to install fake files on a computer system that can later be used to accuse the victim of some illegal file sharing activity or copyright violation.</p>
<p>The US-CERT  (Computer Emergency Readiness Team) has an  <a href="http://www.us-cert.gov/current/archive/2010/04/06/archive.html#copyright_infringement_lawsuit_email_scam">alert</a> on this scam and has a few pointers on how to mitigate the risk associated with it. It is easy for most tech-savvy people to thumb their noses at those who fall for this pedestrian scam, but many computer users out there are not aware of these dangers and they are the target of these kinds of scam. Many are so afraid of the sometimes ridiculous nature of our legal system that they would rather &#8220;just pay up&#8221; than spend endless time fighting a system that wants you to answer &#8220;Yes or No, Mr. John Doe?&#8221;</p>
<p>This is not the only kind of ransom-ware out there. There are more insidious kinds that install trojans on the computers of unsuspecting users through an &#8220;Online Virus Scan&#8221; scheme and the victim is held hostage until they buy (&#8220;activate&#8221;) the &#8220;anti-virus/anti-spyware&#8221; software from the hijacker. A good example of this is the XP Internet Security 2010, XP Guardian, Antivirus XP 2010 rogue anti-spyware program that has been making the rounds.</p>
<p>Bottom line, if you receive an email accusing you of something you know is definitely ridiculous, and contains an attachment, delete it. A serious accuser ought to send you a &#8220;snail mail&#8221;.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.techprognosis.com/2010/04/30/watch-out-copyright-lawsuit-e-mail-scam.html/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Astaro Releases Free Edition for Small Businesses</title>
		<link>http://blog.techprognosis.com/2010/01/28/astaro-releases-free-edition-for-small-businesses.html</link>
		<comments>http://blog.techprognosis.com/2010/01/28/astaro-releases-free-edition-for-small-businesses.html#comments</comments>
		<pubDate>Thu, 28 Jan 2010 19:48:08 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[Enterprise Computing]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Malware]]></category>
		<category><![CDATA[Managed Services]]></category>
		<category><![CDATA[Open Source]]></category>
		<category><![CDATA[Operating Systems]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Small Business]]></category>
		<category><![CDATA[Vulnerabilities]]></category>
		<category><![CDATA[Web Technology]]></category>
		<category><![CDATA[Astaro Security Gateway]]></category>
		<category><![CDATA[Economic Pressures]]></category>
		<category><![CDATA[Email Security]]></category>
		<category><![CDATA[Internet Router]]></category>
		<category><![CDATA[Medium Sized Organisations]]></category>
		<category><![CDATA[Packet Inspection]]></category>
		<category><![CDATA[Security Vendor]]></category>
		<category><![CDATA[Small And Medium Business]]></category>
		<category><![CDATA[Unified Threat Management]]></category>
		<category><![CDATA[Untangle]]></category>
		<category><![CDATA[Web Security]]></category>

		<guid isPermaLink="false">http://blog.techprognosis.com/?p=843</guid>
		<description><![CDATA[Astaro Corporation, a leading network security vendor, recently announced the launch of the Essential Firewall edition of its flagship security solution Astaro Security Gateway (ASG), available for free to all organizations worldwide. The Essential Firewall edition is claimed to include all the necessary functionality that all organizations need to secure their networks and operate a [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.astaro.com"><img class="alignleft size-full wp-image-850" style="margin-left: 8px; margin-right: 8px;" title="astaro_logo" src="http://blog.techprognosis.com/wp-content/uploads/2010/01/astaro_logo.png" alt="" width="192" height="62" /></a>Astaro Corporation, a leading network security vendor, recently announced the launch of the Essential Firewall edition of its flagship security solution Astaro Security Gateway (ASG), available for free to all organizations worldwide. The Essential Firewall edition is claimed to include all the necessary functionality that all organizations need to secure their networks and operate a successful business, but we found some limitations.<span id="more-843"></span></p>
<p>As a result of wider economic pressures, IT in general today is shaped by one dictate: reducing costs. This is why more and more businesses, especially small and medium sized organisations, are currently using cheap solutions, or even consumer products, to protect their IT environments. The imperative to reduce costs also results in many postponed projects and more careful spending of budgets. The free Essential Firewall edition from Astaro aims to support small and medium business owners with the necessary functionality to be secure today at no cost, as well as expanding as their needs grow.</p>
<p>The Essential Firewall edition is based on the Astaro Security Gateway and delivers the fundamental functionality required to protect customers and their networks. If more functionality is needed over time, the customer can upgrade to the full Astaro Security Gateway.</p>
<p>As a free edition of the Astaro Security Gateway, the Essential Firewall offers the same easy-to-use Graphical User Interface and is available as Software and Virtual Appliance. Additionally, the Essential Firewall edition will come with the ability to receive support through Astaro&#8217;s user forum (www.astaro.org).</p>
<p>Features included in the Essential Firewall edition:</p>
<ul>
<li>Networking: Internet Router, Bridging, DNS server &amp; proxy, DynDNS, DHCP server &amp; relay, NTP support, automatic QoS</li>
<li>Network Security: Stateful Packet Inspection Firewall &amp; Network Address translation (DNAT/SNAT/Masquerading)</li>
<li>Remote Access: PPTP and L2TP over IPSec support (including iPhone support)</li>
<li>Logging/Reporting: Full logging on local hard drive, searching, real-time reports for hardware, network usage and network security, daily executive reports</li>
<li>Management: Web-based GUI in local languages, setup wizard, configuration backup &amp; restore, administrator notifications, SNMP support, centralized management via Astaro Command Center (also free of charge)</li>
</ul>
<p>While this is a good move that will allow IT admins who have been &#8220;secretly&#8221; using the home version to protect their businesses to breathe a sigh of relief, we must note that the free business version drops the ball in providing the &#8220;essentials&#8221; that small and medium businesses need &#8211; web, mail and malware security are glaringly absent in this version.</p>
<p>This is a big mistake. The home edition provides more security than the business version &#8211; a reversed situation. Of course, the ultimate goal is to ease business owners in and allow them to see the business value and the need to get the &#8220;full&#8221; version.<br />
I do not believe in teaser software especially for critical environments like businesses. If you want to give it away free, then make it truly free. Moreover, it goes counter to the statement by the CEO of Astaro, Jan Hichert, as to the company&#8217;s motivation for this release:</p>
<blockquote><p>Small and medium sized businesses are the backbone of the world economy. They act more cautious, they maintain a stable business and they are not subject to the high demands of investors. But nevertheless, SMBs are affected by the current economic climate even more so than larger businesses. This is why we see more and more businesses fall back to consumer products <em>to secure their IT environment</em> (emphasis mine) – in order to reduce costs, they lower their level of security. This is a dangerous compromise. By launching the Essential Firewall edition we aim to provide those companies a professional alternative.</p></blockquote>
<p>Terribly crippling the so-called business version runs counter to the stated objective and seriously dampens the incentive to even try the software, especially when there are comparable products out there like <a href="http://www.untangle.com/product-overview-2">Untangle</a>, <a href="http://www.smoothwall.org/about/express-feature-list/">Smoothwall</a>, <a href="http://www.clearfoundation.com/Software/overview.html">ClearOS</a> (formerly ClarkConnect), <a href="http://sourceforge.net/apps/trac/ipcop/wiki">IPCop</a>, and <a href="http://www.pfsense.org/index.php?option=com_content&amp;task=view&amp;id=40&amp;Itemid=43">pfSense</a>, to name a few.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.techprognosis.com/2010/01/28/astaro-releases-free-edition-for-small-businesses.html/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
