Last week, I came across a great article at Forbes.com, "Fighting Hackers, Viruses, Bureaucracy", an excerpt :
"Cyber security largely ends up in the backseat," says Kurtz, who prior to lobbying did stints in the State Department, the National Security Council and as an adviser to President George W. Bush on matters relating to computer security. "Our job is to shine a bright light on it, to help people understand it."
Basically, it provides more info on how bureaucracy tends to dominate, and how security often ends up in the "backseat". Moreover, Paul Kurtz executive director of the Cyber Security Industry Alliance and it's multi-billion market capitalization members can indeed become biased on a certain occasions.
Still, he provides his viewpoint on important legislative priorities :
- setting national standards for data breach notification
PrivacyRight's "Chronology of Data Breaches Reported Since the ChoicePoint Incident" keeps growing with the recent Fidelity's loss of laptop. Standards for data breach notification are important, and the trends is growing with more states joining this legal obligation to notify customers in case their personal information is breached into -- given they are actually aware of the breach. Moreover, with companies wondering "To report, or not to report?" and let me add "What is worth reporting?", Uncle Sam has a lot of work to do, that will eventually act as a benchmark for a great number of developed/developing countries. Personal data security breaches are inevitable given the unregulated ways of storing and processing the data, or is it just to many attack vectors malicious identity thieves could take advantage of these days? E-banking is still insecure, and protection against phishing seems too complicated for the "average victim". Compliance means expenses as well, so it better be a long-term one, if one exists given today's challenging threatscape.
- a law on spyware
Do your homework and try to bring some sense into who's liable for what. Claria obviously isn't, and it's not just pocket money we're talking about here. Spyware legislations are a very interesting topic, that I also find quite contradictive, laws and legislations change quite often, but given the Internet's disperse international laws, or the lack of such, a spyware/adware's vendor business practices may actually be legal under specific laws, or the simple absence of these.
- and ratification of the Council of Europe's Convention on Cybercrime
That's important, the Convention on Cybercrime I mean, would they go as far as ratifying Europe's well known stricter compared to the U.S privacy laws? Excluding the data retention legislation, and various other privacy issues to keep in mind, there's this tiny sentence in its privacy policy "Google processes personal information on our servers in the United States of America and in other countries.
In some cases, we process personal information on a server outside your own country", makes it so virtually easy to bypass a nation's privacy regulations that I wonder why it hasn't received the necessary attention already. On the other hand, we have Interpol acting as a common cybercrime body, that according to a recent article :
"We need an integrated legal framework to exchange data. A lot of legislation doesn't consider a data stream as evidence, because the evidence is hidden behind 0s and 1s. We have to rethink the legislative framework".
There is already such and that's the NSP-SEC - a volunteer incident response mailing list, which coordinates the interaction between ISPs and NSPs in near real-time and tracks exploits and compromised systems as well as mitigates the effects of those exploits on ISP networks.
Still, The Internet Storm Center remains the most popular Internet Sensor.
No matter how many security policies you develop and hopefully implement, at the bottom line you either need regulations or insightful security czar in charge. And while the majority of industry players profitable provide perimeter based defenses, going through "2004's Annual Report to Congress on Foreign Economic Collection and Industrial Espionage" a decision-maker will hopefully start perceiving the problem under a different angle. While I find plain-text communications a problem, Bluecoat seems to be actively working in exactly the opposite direction. And while I find measuring the real cost of Cybercrime rather hard, applying a little bit of marginal thinking still comes handy. The future of privacy may indeed seem shady to some, and while data mining is definitely not the answer, sacrificing security for privacy shouldn't be accepted at all. Moreover, do not take a survey's results for granted, mainly because "There's always a self-serving aspect to anything a vendor releases," says Keith Crosley, director of market development with messaging security vendor Proofpoint, which does a few surveys per year" - in NetworkWorld's great article "It's raining IT security surveys".
To sum up, I feel in the security world it's the malicious attacker having the time and financial motivation to "spread ambitions" that outperforms, while in the financial world, it's Symantec that is the top performer - (Google Finance, Yahoo! Finance) with its constant acquisitions and trendy business strategy realizing the current shift towards convergence in the industry. Wish they could also diversify and take some market share of WetPlanet Beverage's Jolt Cola drink :)
Illustration by Mark Zug
UPDATE : This post was recently featured at LinuxSecurity.com "Are cyber criminals or bureaucrats the industry's top performer?"
Technorati tags :
Security, Information Security, Technology, Compliance, Survey, Bureaucracy, CSIA, Cybercrime
Monday, March 27, 2006
Are cyber criminals or bureaucrats the industry's top performer?
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
DVD of the Weekend - War Games
Hi folks, as it's been a while since I last posted a quality post, I feel it's about time I catch up with some recent events. What I'm currently working on, is gathering a very knowledgaable bunch of dudes in order to open up a discussion on the emerging market for 0day vulnerabilities, and I'm very happy about the guys that have already showed interest in what I plan to do -- more on that around the week, or the beginning of the next week.
As you're all hopefully aware by now, yet another 0day IE vulnerability is in the wild, so either change your browsing habits for a little while(don't or you lose the battle, as secure surfing is still possible to a certain extend), or consider switching to another alternative -- security through obscurity isn't the panacea of fighting the problem in here, instead it's just a temporary precaution. On the other hand I'm desperately trying to promote my RSS compatible feed URL to make it easier for everyone to keep up to date with posts, whereas the majority of readers seem to enjoy reading the blog directly,
I appreciate that!
As always, it's disturbing how "quality" always becomes the excuse for security, in respect to MS delaying patches (or is it just patches only?) whereas WebSense is already aware of over 200 web sites disseminating the exploit code, I wonder are they counting the hundreds of thousands of zombie pcs acting as propagation vectors. In one of my previous posts "5 things Microsoft can do to secure the Internet, and why it wouldn't?" I tried to summarize some of my thoughts on the problem, while on the other hand things definitely change pretty fast as always -- for the good I hope! Was the participants' secrecy in place, in order not to get a "shame on you" look from fellow hackers, whatever the reason, I doubt anyone is going to change their hats soon.
UPDATE :
Déjà Vu as Third Parties Ship IE Patches, and the patches themselves, while on the other hand it's great that anti-virus vendors have as well started detecting malicious sites using it.
Going back this weekend's DVD (check out the previous DVDs and vibes as well) War Games has shaped not just imaginations back in 1983, but acted as an important factor for the rise of another generation -- not wardialers, but wannabe hackers obsessed with command'n'control strategies such as Civilization 1 or Dune II, or at least that's how I remember it. Today's War Games have another dimension and it's called Network-Centric Warfare, or military communications and control over IP, and while there's a little chance an AI would malfunction and cause Doom's day, human factor mistakes will always prevail. As always, SFAM seems to have reviewed the majority of cool movies, so check out the review.
Technorati tags :
Weekend, War Games, Cyberpunk
As you're all hopefully aware by now, yet another 0day IE vulnerability is in the wild, so either change your browsing habits for a little while(don't or you lose the battle, as secure surfing is still possible to a certain extend), or consider switching to another alternative -- security through obscurity isn't the panacea of fighting the problem in here, instead it's just a temporary precaution. On the other hand I'm desperately trying to promote my RSS compatible feed URL to make it easier for everyone to keep up to date with posts, whereas the majority of readers seem to enjoy reading the blog directly,
I appreciate that!
As always, it's disturbing how "quality" always becomes the excuse for security, in respect to MS delaying patches (or is it just patches only?) whereas WebSense is already aware of over 200 web sites disseminating the exploit code, I wonder are they counting the hundreds of thousands of zombie pcs acting as propagation vectors. In one of my previous posts "5 things Microsoft can do to secure the Internet, and why it wouldn't?" I tried to summarize some of my thoughts on the problem, while on the other hand things definitely change pretty fast as always -- for the good I hope! Was the participants' secrecy in place, in order not to get a "shame on you" look from fellow hackers, whatever the reason, I doubt anyone is going to change their hats soon.
UPDATE :
Déjà Vu as Third Parties Ship IE Patches, and the patches themselves, while on the other hand it's great that anti-virus vendors have as well started detecting malicious sites using it.
Going back this weekend's DVD (check out the previous DVDs and vibes as well) War Games has shaped not just imaginations back in 1983, but acted as an important factor for the rise of another generation -- not wardialers, but wannabe hackers obsessed with command'n'control strategies such as Civilization 1 or Dune II, or at least that's how I remember it. Today's War Games have another dimension and it's called Network-Centric Warfare, or military communications and control over IP, and while there's a little chance an AI would malfunction and cause Doom's day, human factor mistakes will always prevail. As always, SFAM seems to have reviewed the majority of cool movies, so check out the review.
Technorati tags :
Weekend, War Games, Cyberpunk
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Tuesday, March 21, 2006
Privacy issues related to mobile and wireless Internet access
I just came across a research worth checking out by all the wardrivers and mobile/wireless Internet users out there. While it's written in 2004, "Privacy, Control and Internet Mobility", provides relevant info on an important topic - what kind of information is leaking and how can this be reduced. The abstract describes it as :
"This position paper explores privacy issues created by mobile and wireless Internet access. We consider the information about the users identity, location, and the serviced accessed that is necessarily or unnecessarily revealed observers, including the access network, interme- diaries within the Internet, and the peer endpoints. In particular, we are interested in data that can be collected from packet headers and signaling messages and exploited to control the users access to communications resources and online services. We also suggest some solutions to reduce the amount of information that is leaked."
A more in-depth overview on the topic can also be found in "A Framework for Location Privacy in Wireless Networks", an excerpt :
"For example, even if an anonymous routing protocol such as ANODR is used, an attacker can track a user's location through each connection, and associate multiple connections with the same user. When the user arrives at home, she will have left a trail of packet crumbs which can be used to determine her identity. In this paper, we explore some of the possible requirements and designs, and present a toolbox of several techniques that can be used to achieve the required level of privacy protection."
Mobile/Wireless location privacy would inevitable emerge as an important issue given the growth of that type of communication, and the obvious abuses of it.
Technorati tags :
Security, Privacy, Wireless, Mobile, Tracking
"This position paper explores privacy issues created by mobile and wireless Internet access. We consider the information about the users identity, location, and the serviced accessed that is necessarily or unnecessarily revealed observers, including the access network, interme- diaries within the Internet, and the peer endpoints. In particular, we are interested in data that can be collected from packet headers and signaling messages and exploited to control the users access to communications resources and online services. We also suggest some solutions to reduce the amount of information that is leaked."
A more in-depth overview on the topic can also be found in "A Framework for Location Privacy in Wireless Networks", an excerpt :
"For example, even if an anonymous routing protocol such as ANODR is used, an attacker can track a user's location through each connection, and associate multiple connections with the same user. When the user arrives at home, she will have left a trail of packet crumbs which can be used to determine her identity. In this paper, we explore some of the possible requirements and designs, and present a toolbox of several techniques that can be used to achieve the required level of privacy protection."
Mobile/Wireless location privacy would inevitable emerge as an important issue given the growth of that type of communication, and the obvious abuses of it.
Technorati tags :
Security, Privacy, Wireless, Mobile, Tracking
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
The Practical Complexities of Adware Advertising
A report released by the The Center for Democracy and Technology yesterday, "How Advertising Dollars Encourage Nuisance and Harmful Adware and What Can be Done to Reverse the Trend", outlines the practical complexities of Adware Advertising. It gives a great overview of the parties involved, discusses a case study "CDT egages the advertisers", as well as outlines a possible solution, namely Adoption and Enforcement of Advertising Placement Policies. Here's a excerpt from the research findings :
"At this point, CDT has set a low bar by merely asking a small group of companies to contact us to discuss their advertising policies in the context of nuisance and harmful adware. We are working to increase awareness of the complex business models associated with nuisance and harmful adware, and we are pointing advertisers to policies and criteria that already exist as a step towards creating and enforcing their own policies. It is also imperative that advertising networks engage in self-regulation in order to aid in this endeavor. Initiatives such as the TRUSTe Trusted Download Program can help to set certification standards and provide public criteria for evaluating adware makers. Advertisers must demand strict compliance from their affiliates and refuse to work with blind networks and other networks that cannot commit to following stringent advertising policies. Without advertising dollars, there would be no nuisance or harmful adware. CDT is committed to working with advertisers to stem the tide of this nefarious form of software."
Now, if major advertising platforms start measuring the maliciousness of the Web, namely evaluate the participants' condition on a regular basis, they will loose the scale necessary for generating the billions of dollars necessary to, sort of, live with click-fraud. In respect to future online advertising trends, I feel that cost per performance/action model, would sooner or later emerge, given the successful collective bargaining of all the sites participating -- I really hope so!
How it would influence Google's ability to perform financially, contribute to the growth of Web 2.0, being among the few companies born in, is yet another topic to speculate on. As a matter of fact, Google recently launched Google Finance, still I miss what's all the buzz all about as compared to Yahoo's Finance Google still has a lot of job to do, given they actually want to turn and position themselves as Yahoo! 2.0 in respect to turning into a Internet Portal -- which I doubt as they tend to be rather productive while disrupting.
Great report, so consider going through it. And, in case you're interested in learning more about the different spyware/adware legislations, current and future trends, you can also check Ben Edelman's and Eric Goldman's outstanding research on the topic.
The post recently appeared at Net-Security.org - "The practical complexities of adware advertising"
More resources can also be found at :
Spyware/Adware Podcasts
Top 10 Anti Spyware Apps reviewed
Clean and Infected File Sharing Programs
Technorati tags :
Security, Spyware, Adware, Advertising, Center for Democracy and Technology
"At this point, CDT has set a low bar by merely asking a small group of companies to contact us to discuss their advertising policies in the context of nuisance and harmful adware. We are working to increase awareness of the complex business models associated with nuisance and harmful adware, and we are pointing advertisers to policies and criteria that already exist as a step towards creating and enforcing their own policies. It is also imperative that advertising networks engage in self-regulation in order to aid in this endeavor. Initiatives such as the TRUSTe Trusted Download Program can help to set certification standards and provide public criteria for evaluating adware makers. Advertisers must demand strict compliance from their affiliates and refuse to work with blind networks and other networks that cannot commit to following stringent advertising policies. Without advertising dollars, there would be no nuisance or harmful adware. CDT is committed to working with advertisers to stem the tide of this nefarious form of software."
Now, if major advertising platforms start measuring the maliciousness of the Web, namely evaluate the participants' condition on a regular basis, they will loose the scale necessary for generating the billions of dollars necessary to, sort of, live with click-fraud. In respect to future online advertising trends, I feel that cost per performance/action model, would sooner or later emerge, given the successful collective bargaining of all the sites participating -- I really hope so!
How it would influence Google's ability to perform financially, contribute to the growth of Web 2.0, being among the few companies born in, is yet another topic to speculate on. As a matter of fact, Google recently launched Google Finance, still I miss what's all the buzz all about as compared to Yahoo's Finance Google still has a lot of job to do, given they actually want to turn and position themselves as Yahoo! 2.0 in respect to turning into a Internet Portal -- which I doubt as they tend to be rather productive while disrupting.
Great report, so consider going through it. And, in case you're interested in learning more about the different spyware/adware legislations, current and future trends, you can also check Ben Edelman's and Eric Goldman's outstanding research on the topic.
The post recently appeared at Net-Security.org - "The practical complexities of adware advertising"
More resources can also be found at :
Spyware/Adware Podcasts
Top 10 Anti Spyware Apps reviewed
Clean and Infected File Sharing Programs
Technorati tags :
Security, Spyware, Adware, Advertising, Center for Democracy and Technology
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Subscribe to:
Comments (Atom)