Risky IT managers

The company Cyber-Ark has surveyed 300 IT managers. According to their press release, there are some interesting (and worrying) outcomes:

  • 88% of the interviewed IT managers admit that they would steal sensitive data if they were laid off. A third of them would leave with the list of privileged passwords that give access to root resources!
  • More than a quarter of the interviewed managers reported having faced problems of leaked or stolen data. Economic intelligence (a nice euphemism for industrial spying) is a reality.

The report seems to show that bad practices with sensitive data and passwords are still widespread.

88% is awfully worrying. With the spread of outsourced storage (SharePoint, …) and outsourced computing power (cloud computing), this problem will only get worse. Outsourcing is changing the trust model of IT, and some trust assumptions may weaken. Will you trust the IT administrators of an outsourcing company as much as your own? Are you sure that they can be trusted? Will you audit their security policies and their compliance with them? Storing sensitive data will become more and more complex.

I have not read the report. I will try to get access to it (it is not directly available on their site) and will come back to you with the best parts.

IRBI: A nice initiative from Microsoft

Microsoft Germany and Ludwig-Maximilians-Universität München (LMU) designed an evaluation called the Internet Risk Behaviour Index (IRBI). It is a set of tests that educate users about different situations they may encounter while using the Internet.

The tests are interesting and well designed. I must confess that I failed one scenario. I will not tell you my mistake, just that it was situation 3. The advice is also extremely good. Some situations, such as 6 or 11, seem complex for non-tech-savvy users. It is a good educational tool, although in a real environment you may be less vigilant than during the tests.

Some small criticisms:

  • The display was awfully slow on my computer. I don’t know whether the cause is my computer or Silverlight.
  • It did not work with Firefox! I know that it is a Microsoft study; nevertheless, many Internet users use this browser.
  • It is in German. I did not find an English version. Is one planned?

So, for people who read German, the address is https://www.irbi.de/iHome.IRBI?ActiveID=1008. I will try to find out whether there is an English one.

Paranoia, laptop and border

The holiday season is ending and business travel will start again. If you are paranoid about your sensitive data, then you may worry when crossing some borders, such as those of the US or the UK. Border officers are allowed to scan your computer, download data and even seize it for further investigation. They may look for any type of infringement, such as pornography, copyright infringement and, of course, terrorist documents.

If you are seriously paranoid (and even if you are merely serious about security), then you will have encrypted your hard disk. This is good (if well done) against theft, but not against inquisitive border officers. They will ask for your password, and you will have to give it unless you are ready to risk having the computer seized or even being refused entry into the country.

Thus, if you want your sensitive data to be safe, whether for paranoia’s sake, for confidentiality reasons or for privacy (pick your choice), here are some tricks:

  • Securely delete everything you do not want to be viewed. Do not forget the tons of temporary files and cookies that are stored by software. I usually use CCleaner.
  • I would recommend keeping encrypted sensitive data in discreet, non-obvious locations; the chances that the officer will spot it are lower. Do not use “my xxx” directories.
  • One important action is to switch off the computer before crossing the border. Sleep mode leaves a lot of data available to forensic tools.
  • Better still is to store the sensitive data in encrypted form on removable media such as USB sticks or, even better, memory cards. Memory cards have a small form factor that you may easily “hide”. Most modern laptops have such card readers. And even if they find it, they will seize the card rather than the laptop. If your password is strong,
  • The optimal solution is to use a VPN. In that case, all sensitive files stay securely stored on your company’s network rather than on your computer.

I must confess that my computer was never scanned at any border. Nevertheless, several people have reported this type of scanning. Only once, when entering a US federal building, was I asked to switch on the computer to show that it was not a fake.

Your feeling?

Security and Prospect Theory

Which choice would you take:

  • A sure gain of 500€, or a 50% chance of winning 1,000€?

About 85% of people will take the sure gain.

Which choice would you take:

  • A sure loss of 500€, or a 50% chance of losing 1,000€?

About 70% of people will take the risky loss.

This is a result of the economic theory called Prospect Theory. In an article, Bruce Schneier applies it to the problem of selling security products. When faced with purchasing a security product, the customer is in the position of choosing between a sure loss of money (the price of your product) and the risky loss he or she may incur in case of an exploit. The theory predicts which way the purchasing mood will go: towards the risky loss, that is, towards not buying. He proposes two methods to counter this natural tendency:

  • Increase the feeling of fear, which gives the impression that the risk is more probable.
  • Package (hide?) security with other features that provide a perceived gain.

I would add a third one: educate your customer. Use real figures and facts. Avoid the fear strategy, which is neither ethical nor trustworthy.
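As an added example (not from the original post or from Schneier’s article), the following Python applies the Tversky-Kahneman value function to the two gambles above and to the buy-or-not decision; the parameter values 0.88 and 2.25 are the ones they estimated in 1992, and probabilities are used unweighted, a simplifying assumption.

```python
# Added example: the Tversky-Kahneman (1992) value function
#   v(x) = x^alpha            for gains  (x >= 0)
#   v(x) = -lambda * (-x)^alpha for losses (x < 0)
# applied to the two gambles in the post and to Schneier's framing of a
# security purchase. Probabilities are NOT weighted here (assumption that
# simplifies the full model); alpha = 0.88 and lambda = 2.25 come from the paper.

ALPHA = 0.88   # curvature: diminishing sensitivity to both gains and losses
LAMBDA = 2.25  # loss aversion: a loss hurts ~2.25x as much as an equal gain pleases


def value(x: float) -> float:
    """Subjective value of one outcome x (euros relative to the status quo)."""
    if x >= 0:
        return x ** ALPHA
    return -LAMBDA * (-x) ** ALPHA


def prospect_value(outcomes) -> float:
    """Value of a gamble given as an iterable of (probability, outcome) pairs."""
    return sum(p * value(x) for p, x in outcomes)


def preferred(sure: float, gamble: float, p: float) -> str:
    """'sure' if the certain amount beats a p chance of `gamble` (else nothing)."""
    v_sure = prospect_value([(1.0, sure)])
    v_gamble = prospect_value([(p, gamble), (1.0 - p, 0.0)])
    return "sure" if v_sure >= v_gamble else "gamble"


def expected_value_says_buy(price: float, loss: float, p: float) -> bool:
    """A risk-neutral buyer pays `price` when the expected loss p*loss exceeds it."""
    return p * loss >= price


def prospect_says_buy(price: float, loss: float, p: float) -> bool:
    """Schneier's framing: a sure loss (the price) vs a p chance of losing `loss`."""
    return preferred(-price, -loss, p) == "sure"


if __name__ == "__main__":
    print(preferred(500, 1000, 0.5))     # sure   (gain side: risk averse)
    print(preferred(-500, -1000, 0.5))   # gamble (loss side: risk seeking)
    # Constructed case: a 1,500 EUR incident with probability 0.35. The expected
    # loss (525 EUR) exceeds the 500 EUR price, yet the prospect-theory customer
    # declines to buy, which is exactly the vendor's problem described above.
    print(expected_value_says_buy(500, 1500, 0.35))  # True
    print(prospect_says_buy(500, 1500, 0.35))        # False
```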

Definitely a must-read article. It is available at CIO: How_to_Sell_Security

I now have to read the seminal work of Kahneman and Tversky on Prospect

Legal eavesdropping

The Swedish government passed a law that allows eavesdropping on any communication that crosses the border. This means that any mail or phone conversation may be read or listened to. Obviously, the announced argument is the fight against terrorism. More than 1 million Swedes protested by mail. They claim that it is a blow to privacy.

More and more laws of this type are passed by many governments. Another example is the law that allows laptops to be opened at US borders (I will come back to it soon). Does fighting terrorism require losing privacy? I doubt it. There are two possibilities:

  • Legislators believe that they will really fight terrorism with this type of method. This is probably wrong. We should stop believing in the image of the stupid terrorist. Terrorists will be able to use modern tools to hide their communications: they may encrypt mails or calls or, even better if they want to be stealthy, use steganography. Governments cannot, on the one hand, claim they fear cyberterrorism by capable cyber attackers and, on the other hand, use methods that any beginner hacker could bypass.
  • Or legislators do know that it is snake oil. Then they use it either as security theatre (to reassure Joe Sixpack) or for a hidden agenda.

Which one do you think is the right explanation?

YouTube will not have to provide private data

The next episode in the YouTube-Viacom litigation. YouTube had been ordered by a judge to hand over to Viacom the IP address and the list of viewed clips of each viewer (see the blog post of 10th July). Fortunately, YouTube and Viacom reached an agreement: the data will be anonymized before being passed to Viacom.

This is at least true for normal users. Viacom maintains its request for identified data about YouTube’s employees; the objective is to prove that YouTube was aware of the infringements. In retaliation, YouTube will ask for the same data about Viacom’s employees who browsed YouTube, in order to detect any Viacom people posting copyrighted clips.

Let’s wait for the next move. Nevertheless, we can applaud two companies that reached an agreement on a legal decision that preserves privacy.

Some notes about Broadband World Forum Asia 2008

I chaired the Hot Session at this conference. The topic was “Peer To Peer: opportunity or threat?” The two panelists were rather in favor of P2P, although they highlighted some threats. The best quote, from Shashi: “P2P also means People To People”. I love this one.

Two sessions were interesting from the security point of view. The first one was “VoIP security: Myths and Realities”. The papers were not technically detailed; the most interesting part was the discussion and Q&A. Final conclusion: “Encryption for VoIP is probably useless from the security point of view; nevertheless, it makes people feel more comfortable.” The risk of eavesdropping on an unsecured wireless transmission in a cafe is probably not serious: there are easier ways to listen to the speakers, such as standing nearby or using high-quality microphones. The risk of eavesdropping by government wiretapping is balanced by the legal requirement asking for such a feature. In other words, if you want it to be secure, either use an independent scrambling codec or use a VPN.

The second session was “Monetizing Content: 360 degree view of the customer”. Two speakers were extremely interesting: Daniel Brody, VP of Tudou (the Chinese YouTube), and Ringo Chan, VP of Turner International. Some interesting comments and facts. According to Mr Chan, the release window of VOD will soon coincide with the release window of home rental, i.e., the DVD sales. Currently, VOD occurs one to three months after the DVD release. The future of VOD will be difficult in China when you can find high-quality DVDs for $1 at every street corner months before the official DVD release. Tudou succeeded in reaching commercial agreements with Chinese content providers. It was far easier than with Western content providers: Chinese content providers do not have complex business models such as release windows. An interesting revelation from Dan: User Generated Content (UGC) is about buzz, and it is extremely easy for UGC sites to create buzz around the clips they want to promote. He revealed that they are very good at this game.