
Monday, February 7, 2011

review of Forcing Firms to Focus: Is secure software in your future?

In the chapter Forcing Firms to Focus, the author, Jim Routh, gives an actual scenario from a company where he was the CISO: how he progressed, beginning with the stakeholders, all the way through to gaining the trust and respect of the developers. He uses a generic name, but of course I had to find out which company he worked for and was discussing. The company he was working for was American Express. (Anonymous, 2011a) As a major financial institution with a large working budget, it was obvious that he had little convincing to do on the part of the stakeholders and the board of directors.


He discusses previous security measures and modern security methodologies as well as potential threats. He mentions the Melissa virus (Ellis-Christensen, 2011) as a modern virus that virtually shut down Microsoft servers by attaching itself to either Word or Outlook, picking the first 40 names in the address book and re-sending the virus. Fortunately, Microsoft realized this right away and created a patch for it, which now exists in all aspects of MS Office in versions beginning with Office 2000. He explains that it is usually web applications through which intruders gain access to the servers, where they can obtain a great deal of data, up to and including what is needed for identity theft of the end user. (Oram & Viega, 2009)

The author cites a statistic from a survey conducted by McAfee in which approximately two thirds of mothers who were end users ranked their teenager’s online safety as important as, or more important than, drunk driving or drug use. I personally could not find this survey, but for the record, I find this a bit far-fetched and wonder how the survey was conducted.

The author tells us that we can find the top 10 hacking techniques by going to the website of The Open Web Application Security Project (OWASP), which listed the number one hacking technique (at the time Beautiful Security was published) as cross-site scripting (Oram & Viega, 2009), but as of today it is listed as number two, with number one being injection. The technical impact of injection is described as follows: “Injection can result in data loss or corruption, lack of accountability, or denial of access. Injection can sometimes lead to complete host takeover.” (Anonymous, 2011b) On this website, the reader can find Threat Agents, Attack Vectors, Security Weakness, Technical Impacts and Business Impacts for most known security threats.

As usually occurs, Routh describes that at American Express [1] the developers were not much concerned with security vulnerabilities, since these could be dealt with in future enhancements. He then goes on to describe how he convinced American Express that the development of the code must include consideration of security threats while it is being developed.

The author was aware of new regulations that were coming through, and in 2008 the first guidelines were issued by the Office of the Comptroller of the Currency (OCC). (Corporate, 2011) He states that the cost of compliance was significant, but at this point American Express had no choice in the matter. They put in place a software development process that they used both internally and as mandatory guidance for their vendors. To be assured that they were in compliance, they used a third-party vendor to check their code as well as the code of their vendors. This vendor, Verify, is a world-renowned organization that is used for multiple security purposes and has clients including many U.S. governmental departments. (Anonymous, 2011c)

The author concludes that his effort saved his organization 11% in productivity by eliminating security vulnerabilities early in the software development lifecycle instead of spending those dollars to fix problems after they occur. (Oram & Viega, 2009)

References

Anonymous. (2011a). InformIT Network. Retrieved 2011, from http://www.informit.com/authors/bio.aspx?a=2211919B-476B-40AE-84B5-4AE2FE6239D7

Anonymous. (2011b). OWASP Top Ten Project. Retrieved 2011, from http://www.owasp.org/index.php/Top_10_2010-A1-Injection

Anonymous. (2011c). Verify homepage. Retrieved 2011, from https://www.vscnet.com/Default.aspx

Corporate. (2011). Office of the Comptroller of the Currency. Retrieved 2011, from http://www.occ.treas.gov/index.html

Ellis-Christensen, T. (2011). What is the Melissa Virus? WiseGeek.com. Retrieved from http://www.wisegeek.com/what-is-the-melissa-virus.htm

Oram, A., & Viega, J. (Eds.). (2009). Beautiful security. O'Reilly Media, Inc.
_____________________________________

[1] Assuming that my research is correct and American Express is the actual name behind his fictitious name of Acme.


Tuesday, February 1, 2011

Week VII: Privacy-enhancing technologies

Users of the Internet may or may not be aware that every post they make to a blog, a wiki or an email, and even the Web pages they view, can be viewed and saved without the user’s knowledge. Let’s assume for a second that we are not talking about spying on credit card or bank information, social security numbers or even home addresses. We need instead to talk about the very basics of why privacy is extremely important.


The authors of Digital Privacy: Theory, Technologies and Practices discuss a wide array of privacy issues including, but not limited to, email, remailers and privacy-enhancing technologies. They go on to say that identity theft is the number one growing crime in America today. (Acquisti, Gritzalis, Lambrinoudakis, & Vimercati, 2008) Another alarming fact is that databases are shared between government and private organizations.

The text discusses various types of remailers. Basically, a remailer is a computer service that renders your email private; as technology changed, so did the remailer’s ability to hide the origin of the original sender. Why would someone want to hide their identity in email? Suppose someone within an organization sends an email saying that they know the head of their department is going to be fired by week’s end. If that department head were able to access and read that email, it might jeopardize many other jobs. Many countries, China and Iran for example, monitor their government-run Internet Service Providers (ISPs): every web page visited is recorded, and emails are reviewed to see whether there are dissidents within their jurisdiction, so that the state acts as an actual Big Brother [1].

The most famous remailer to be shut down was anon.penet.fi. (Acquisti, et al., 2008) I looked up this remailer, along with others such as alpha.c2.org, and found that they were in fact shut down for legal reasons. Anon.penet.fi was founded by Julf Helsingius. (Anonymous, 1996) As an example of why someone would want to use a remailer, Helsingius told Wired Magazine about the debate over caller ID on regular phones. When it first became popular, people were upset that the person being called would be able to know who was calling.

Many people believe that the same thing applies to email: the sender’s privacy must be protected and the sender must remain anonymous. Unfortunately, there is a dark side to having anonymous email. Since the email is encrypted and/or stripped of its headers, less than scrupulous people can come up with a plethora of reasons why they would not want to be known.

Ironically, many websites utilize remailers, and the non-technical person is usually not aware of their presence. Websites such as www.craigslist.com and dating sites such as www.eharmony.com and www.match.com all use pseudo-anonymous remailers. This means that a member uses an address such as joestud@match.com, and mail sent to it is then forwarded to Harold Smith’s (a false name) actual Yahoo! or Gmail account.
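As an added illustration of both the header stripping described two paragraphs above and the pseudonymous forwarding the dating sites use (this is not code from the reviewed book or from any real remailer), here is a minimal pseudonymous remailer in Python. The domain remailer.example, the addresses and the sample message are assumptions made up for the example.

```python
# Added illustration, not from the reviewed book or any real remailer; the
# domain, addresses and sample message are constructed.
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

REMAILER_DOMAIN = "remailer.example"   # assumed domain for the illustration
# Relay only these headers; Received, From, Message-ID, X-Mailer and anything
# else that could reveal the origin is dropped by default.
KEEP_HEADERS = ("To", "Subject", "Date")
SAMPLE = """\
Received: from pc17.home.example ([192.0.2.17]) by mail.isp.example
From: Harold Smith <harold@yahoo.example>
To: friend@elsewhere.example
Subject: department news

The department head will be gone by week's end.
"""

class PseudonymousRemailer:
    def __init__(self):
        self.alias_to_real = {}   # alias -> real mailbox: what a subpoena reaches
        self._real_to_alias = {}

    def alias_for(self, real_addr):
        # Reuse the alias already assigned to real_addr, else allocate a new one.
        if real_addr not in self._real_to_alias:
            alias = f"an{len(self.alias_to_real) + 1}"
            self._real_to_alias[real_addr] = alias
            self.alias_to_real[alias] = real_addr
        return self._real_to_alias[real_addr]

    def anonymize(self, raw):
        # Rebuild the outbound message, copying only allow-listed headers.
        src = message_from_string(raw)
        alias = self.alias_for(parseaddr(src["From"])[1])
        out = EmailMessage()
        for name in KEEP_HEADERS:
            if src[name] is not None:
                out[name] = src[name]
        out["From"] = out["Reply-To"] = f"{alias}@{REMAILER_DOMAIN}"
        out.set_content(src.get_payload())
        return out

    def route_reply(self, raw):
        # Readdress mail sent to an alias to the real mailbox behind it.
        msg = message_from_string(raw)
        real = self.alias_to_real.get(parseaddr(msg["To"])[1].split("@")[0])
        if real is None:
            return None                    # unknown alias: do not deliver
        msg.replace_header("To", real)
        return msg
```

The alias table is what makes such a service pseudonymous rather than anonymous: whoever can read it, by subpoena as in the anon.penet.fi case, can undo the protection for every user at once.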

I researched a few remailers that exist right now, including the two included in the textbook. PGP Desktop and Gnu PG were the ones included in the text as ideal remailers, and they appear to be honest organizations with integrity. The problem I saw with both of those examples was that they are both programs installed on the computer’s hard drive, whereas a company such as www.hushmail.com is a remailer that is web based. Having the ability to utilize email on any computer is more convenient in my eyes, but it is a personal preference.

Hushmail claims on its website that it is the most secure email system in the world. It also discloses, however, that if any illegal activity is discovered, it will report the incident to the proper authorities. It goes on to say that it will only comply with a subpoena that is part of, or from a reciprocating member of, the government of British Columbia, Canada.

I personally utilize MS Outlook to access my POP3 Gmail account. Outlook comes already set up so that all email sent is encrypted. This, however, does not preclude the ISP from decrypting the message.

Another security issue is phishing, and I found anti-phishing tools to be important. Phishing is an attack in which a user visits a site that was disguised as a known site, without the user’s knowledge. (Acquisti, et al., 2008) I have installed on my personal computer Mozilla, Internet Explorer (my default browser by choice) and Firefox. What I found interesting is that Firefox 3.6.13 comes with McAfee SiteAdvisor as part of the program. It checks the security certificate of every site that is visited. Also, when loaded, it checks for software that may need updates.

As technology develops, programs such as MS Outlook with built-in encryption and Firefox’s security checks will be part of all future programs, both web-based and installed.


References

Acquisti, A., Gritzalis, S., Lambrinoudakis, C., & Vimercati, S. D. C. d. (Eds.). (2008). Digital Privacy: Theory, Technologies, and Practices. New York: Auerbach Publications.

Anonymous. (1996). Press release. Retrieved from http://w2.eff.org/Privacy/Anonymity/960830_penet_closure.announce

--------------------------------------------------------------------------------

[1] Big Brother was a term used to characterize the government spying on citizens in George Orwell’s book, 1984. Ironically, this and other such terms were written in this book, which was first written in 1949.