<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-1417186734598622452</id><updated>2012-02-16T05:27:03.472-08:00</updated><title type='text'>ONLINE INFORMATION SECURITY GOVERNANCE</title><subtitle type='html'>Thoughts, Reflections and Musings on Information Security and Governance</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Coda</name><uri>http://www.blogger.com/profile/13060362818013765148</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_lbAwEjX4A5E/Ssz2XQ9tpJI/AAAAAAAAAAM/2kGZLS9YYs0/S220/Ricci1.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>15</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-1417186734598622452.post-4534327430948178885</id><published>2009-11-04T22:53:00.001-08:00</published><updated>2009-11-04T22:53:48.625-08:00</updated><title type='text'>Lords want help on cyber attacks • The Register</title><content type='html'>&lt;ul class="diigo-linkroll"&gt;    &lt;li&gt;    &lt;p class="diigo-link"&gt;&lt;a 
href="http://www.theregister.co.uk/2009/11/04/lords_probe_cyberattacks" rel="nofollow"&gt;Lords want help on cyber attacks &amp;bull; The Register&lt;/a&gt;&lt;/p&gt;    &lt;p class="diigo-tags"&gt;&lt;a href="http://www.diigo.com/cloud/greenfrog" style="color: rgb(0, 0, 0) ! important; text-decoration: none ! important;"&gt;tags&lt;/a&gt;: &lt;a href="http://www.diigo.com/user/greenfrog/no_tag"&gt;cybersecurity&lt;/a&gt;&lt;/p&gt;    &lt;ul class="diigo-highlights"&gt;        &lt;li&gt;        &lt;div class="diigoContent"&gt;        &lt;div class="diigoContentInner"&gt;The European Commission is calling for a pan-European approach to critical infrastructure and the Lords will question this view. They also ask whether public-private partnerships could be encouraged at a European level or whether a worldwide approach would be more effective.&lt;/div&gt;        &lt;/div&gt;        &lt;/li&gt;    &lt;/ul&gt;    &lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1417186734598622452-4534327430948178885?l=onlineinformationsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/4534327430948178885/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1417186734598622452&amp;postID=4534327430948178885' title='38 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/4534327430948178885'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/4534327430948178885'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/2009/11/lords-want-help-on-cyber-attacks.html' title='Lords want help on cyber attacks • The 
Register'/><author><name>Coda</name><uri>http://www.blogger.com/profile/13060362818013765148</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_lbAwEjX4A5E/Ssz2XQ9tpJI/AAAAAAAAAAM/2kGZLS9YYs0/S220/Ricci1.jpg'/></author><thr:total>38</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1417186734598622452.post-2842166193393161902</id><published>2009-10-26T20:28:00.001-07:00</published><updated>2009-10-26T20:28:18.669-07:00</updated><title type='text'>Seeking Privacy in the Clouds</title><content type='html'>&lt;ul class="diigo-linkroll"&gt;    &lt;li&gt;    &lt;p class="diigo-link"&gt;&lt;a href="http://news.duke.edu/2009/10/osnprivacy.html" rel="nofollow"&gt;Seeking Privacy in the Clouds&lt;/a&gt;&lt;/p&gt;    &lt;p class="diigo-tags"&gt;&lt;a href="http://www.diigo.com/cloud/greenfrog" style="color: rgb(0, 0, 0) ! important; text-decoration: none ! important;"&gt;tags&lt;/a&gt;: &lt;a href="http://www.diigo.com/user/greenfrog/no_tag"&gt;cloud computing, privacy&lt;/a&gt;&lt;/p&gt;    &lt;ul class="diigo-highlights"&gt;        &lt;li&gt;        &lt;div class="diigoContent"&gt;        &lt;div class="diigoContentInner"&gt;        &lt;p style="margin-top: 6px;" class="newsitemhead"&gt;Seeking Privacy in the Clouds&lt;/p&gt;        &lt;p class="newsitemdeck"&gt;Research aims at isolating social network information from 'the control of a central entity' &lt;/p&gt;        &lt;/div&gt;        &lt;/div&gt;        &lt;/li&gt;    &lt;/ul&gt;    &lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1417186734598622452-2842166193393161902?l=onlineinformationsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/2842166193393161902/comments/default' title='Post Comments'/><link 
rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1417186734598622452&amp;postID=2842166193393161902' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/2842166193393161902'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/2842166193393161902'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/2009/10/seeking-privacy-in-clouds.html' title='Seeking Privacy in the Clouds'/><author><name>Coda</name><uri>http://www.blogger.com/profile/13060362818013765148</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_lbAwEjX4A5E/Ssz2XQ9tpJI/AAAAAAAAAAM/2kGZLS9YYs0/S220/Ricci1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1417186734598622452.post-6276738514779515760</id><published>2009-10-24T23:23:00.000-07:00</published><updated>2009-10-24T23:23:59.074-07:00</updated><title type='text'>Primer on web security threats</title><content type='html'>The internet has come a long way since its rudimentary beginnings as a government and academic network. Today we are seeing the web broaden its reach to an ever-widening range of devices, and with increasing levels of interaction. While this is all very positive and welcome, due diligence requires that we turn our attention to the security risks that are posed by such changes in use and behaviour.&lt;br /&gt;This paper from &lt;em&gt;The Register&lt;/em&gt; considers some of the emerging or longer term threats that you may want to keep in mind when modernising or extending your security infrastructure. At the same time, security protections are evolving to meet such needs. 
We consider what solutions are available and how to start deploying such new levels of protection.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://whitepapers.theregister.co.uk/paper/view/1086/how-bad-are-the-bad-guys-reg-3-.pdf"&gt;http://whitepapers.theregister.co.uk/paper/view/1086/how-bad-are-the-bad-guys-reg-3-.pdf&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1417186734598622452-6276738514779515760?l=onlineinformationsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/6276738514779515760/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1417186734598622452&amp;postID=6276738514779515760' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/6276738514779515760'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/6276738514779515760'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/2009/10/primer-on-web-security-threats.html' title='Primer on web security threats'/><author><name>Coda</name><uri>http://www.blogger.com/profile/13060362818013765148</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_lbAwEjX4A5E/Ssz2XQ9tpJI/AAAAAAAAAAM/2kGZLS9YYs0/S220/Ricci1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1417186734598622452.post-5840813861653601121</id><published>2009-10-22T07:32:00.001-07:00</published><updated>2009-10-22T07:32:12.010-07:00</updated><title type='text'>Long live the database state « Prospect Magazine</title><content type='html'>&lt;ul class="diigo-linkroll"&gt;    
&lt;li&gt;    &lt;p class="diigo-link"&gt;&lt;a href="http://www.prospectmagazine.co.uk/2009/07/longlivethedatabasestate" rel="nofollow"&gt;Long live the database state &amp;laquo; Prospect Magazine&lt;/a&gt;&lt;/p&gt;    &lt;p class="diigo-tags"&gt;&lt;a href="http://www.diigo.com/cloud/greenfrog" style="color: rgb(0, 0, 0) ! important; text-decoration: none ! important;"&gt;tags&lt;/a&gt;: &lt;a href="http://www.diigo.com/user/greenfrog/no_tag"&gt;privacy, security&lt;/a&gt;&lt;/p&gt;    &lt;ul class="diigo-highlights"&gt;        &lt;li&gt;        &lt;div class="diigoContent"&gt;        &lt;div class="diigoContentInner"&gt;Smarter use of public service statistics can save lives as well as money. But anxious civil libertarians want to stop the state sharing our personal records. They must not succeed&lt;/div&gt;        &lt;/div&gt;        &lt;/li&gt;    &lt;/ul&gt;    &lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1417186734598622452-5840813861653601121?l=onlineinformationsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/5840813861653601121/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1417186734598622452&amp;postID=5840813861653601121' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/5840813861653601121'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/5840813861653601121'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/2009/10/long-live-database-state-prospect.html' title='Long live the database state « Prospect 
Magazine'/><author><name>Coda</name><uri>http://www.blogger.com/profile/13060362818013765148</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_lbAwEjX4A5E/Ssz2XQ9tpJI/AAAAAAAAAAM/2kGZLS9YYs0/S220/Ricci1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1417186734598622452.post-57715166995826154</id><published>2009-10-21T13:05:00.000-07:00</published><updated>2009-10-21T13:05:17.620-07:00</updated><title type='text'>Botnet Unleashes Variety Of New Phishing Attacks</title><content type='html'>The massive Zbot botnet that spreads the treacherous Zeus banking Trojan has been launching a wave of relatively convincing phishing attacks during the past few days -- the most recent of which is a phony warning of a mass Conficker infection from Microsoft that comes with a free "cleanup tool." &lt;br /&gt;The wave of attacks began early last week targeting corporations in the form of email messages that alerted victims of a "system upgrade." Email is accompanied by poisoned attachments and links; in some cases it poses as a message from victims' IT departments, including their actual email domains, and alerts them about a "security upgrade" to their email accounts. The message then refers victims to a link to reset their mailbox accounts, and the link takes them to a site that looks a lot like an &lt;a href="http://www.trusteer.com/files/Zeus-OWA_Advisory_Oct_2009.pdf" target="new"&gt;Outlook Web Access (OWA) page&lt;/a&gt; (PDF), but instead infects them with the Zeus Trojan. 
&lt;br /&gt;More &lt;a href="http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=220700200&amp;amp;cid=nl_DR_DAILY_T"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1417186734598622452-57715166995826154?l=onlineinformationsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/57715166995826154/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1417186734598622452&amp;postID=57715166995826154' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/57715166995826154'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/57715166995826154'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/2009/10/botnet-unleashes-variety-of-new.html' title='Botnet Unleashes Variety Of New Phishing Attacks'/><author><name>Coda</name><uri>http://www.blogger.com/profile/13060362818013765148</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_lbAwEjX4A5E/Ssz2XQ9tpJI/AAAAAAAAAAM/2kGZLS9YYs0/S220/Ricci1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1417186734598622452.post-2342650215522158700</id><published>2009-10-21T13:00:00.001-07:00</published><updated>2009-10-21T13:00:58.430-07:00</updated><title type='text'>Making The Security Outsourcing Decision: A Reader's Guide</title><content type='html'>&lt;em class="diigoHighlight a id_c880622191f1b22077cd6793d0e7c8f1 type_0 yellow"&gt;For years, enterprises resisted the idea of bringing a third party into their security strategies. 
Today, however, with security threats proliferating at alarming rates and economic pressures forcing major cutbacks, many companies are rethinking the security outsourcing decision. In this report, you'll learn about the wide variety of security services categories available on the market – their strengths and weaknesses, their costs, and what you should know before you make the outsourcing decision.&lt;/em&gt;&lt;br /&gt;&lt;em class="diigoHighlight a id_c880622191f1b22077cd6793d0e7c8f1 type_0 yellow"&gt;Download document &lt;a href="http://www.darkreading.com/securityservices/login.jhtml?_requestid=251392"&gt;here&lt;/a&gt;. [registration required] &lt;br /&gt;&lt;/em&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1417186734598622452-2342650215522158700?l=onlineinformationsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/2342650215522158700/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1417186734598622452&amp;postID=2342650215522158700' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/2342650215522158700'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/2342650215522158700'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/2009/10/making-security-outsourcing-decision.html' title='Making The Security Outsourcing Decision: A Reader&apos;s Guide'/><author><name>Coda</name><uri>http://www.blogger.com/profile/13060362818013765148</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://1.bp.blogspot.com/_lbAwEjX4A5E/Ssz2XQ9tpJI/AAAAAAAAAAM/2kGZLS9YYs0/S220/Ricci1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1417186734598622452.post-2886525460433433665</id><published>2009-10-21T12:58:00.000-07:00</published><updated>2009-10-21T12:58:24.853-07:00</updated><title type='text'>What is scareware?</title><content type='html'>&lt;object height="344" width="425"&gt;&lt;param name="movie" value="http://www.youtube.com/v/E4KWjqb8mEQ&amp;amp;hl=en&amp;amp;fs=1&amp;amp;"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/E4KWjqb8mEQ&amp;amp;hl=en&amp;amp;fs=1&amp;amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;&lt;object height="344" width="425"&gt;&lt;param name="movie" value="http://www.youtube.com/v/7XHx5G5JIBk&amp;amp;hl=en&amp;amp;fs=1&amp;amp;"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/7XHx5G5JIBk&amp;amp;hl=en&amp;amp;fs=1&amp;amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1417186734598622452-2886525460433433665?l=onlineinformationsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/2886525460433433665/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1417186734598622452&amp;postID=2886525460433433665' 
title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/2886525460433433665'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/2886525460433433665'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/2009/10/what-is-scareware.html' title='What is scareware?'/><author><name>Coda</name><uri>http://www.blogger.com/profile/13060362818013765148</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_lbAwEjX4A5E/Ssz2XQ9tpJI/AAAAAAAAAAM/2kGZLS9YYs0/S220/Ricci1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1417186734598622452.post-1830372610285271737</id><published>2009-10-21T12:54:00.001-07:00</published><updated>2009-10-21T12:54:14.886-07:00</updated><title type='text'>Symantec Report on Rogue Security Software Press Kit</title><content type='html'>&lt;ul class="diigo-linkroll"&gt;    &lt;li&gt;    &lt;p class="diigo-link"&gt;&lt;a href="http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=istr_rogue_security" rel="nofollow"&gt;Symantec Report on Rogue Security Software Press Kit&lt;/a&gt;&lt;/p&gt;    &lt;p class="diigo-tags"&gt;&lt;a href="http://www.diigo.com/cloud/greenfrog" style="color: rgb(0, 0, 0) ! important; text-decoration: none ! important;"&gt;tags&lt;/a&gt;: &lt;a href="http://www.diigo.com/user/greenfrog/no_tag"&gt;malware, information security&lt;/a&gt;&lt;/p&gt;    &lt;ul class="diigo-highlights"&gt;        &lt;li&gt;        &lt;div class="diigoContent"&gt;        &lt;div class="diigoContentInner"&gt;The Symantec Report on Rogue Security Software is an in-depth analysis of rogue security software programs. In total, Symantec has detected more than 250 distinct rogue security software programs. 
During the period of this report, from July 1, 2008, to June 30, 2009, Symantec received reports of 43 million rogue security software installation attempts from those 250 distinct samples. The continued prevalence of these programs emphasizes the ongoing threat they pose to potential victims despite efforts to shut them down and raise public awareness.&lt;/div&gt;        &lt;/div&gt;        &lt;/li&gt;    &lt;/ul&gt;    &lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;Report &lt;a href="javascript:void(0);/*1256154832426*/"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1417186734598622452-1830372610285271737?l=onlineinformationsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/1830372610285271737/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1417186734598622452&amp;postID=1830372610285271737' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/1830372610285271737'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/1830372610285271737'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/2009/10/symantec-report-on-rogue-security.html' title='Symantec Report on Rogue Security Software Press Kit'/><author><name>Coda</name><uri>http://www.blogger.com/profile/13060362818013765148</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://1.bp.blogspot.com/_lbAwEjX4A5E/Ssz2XQ9tpJI/AAAAAAAAAAM/2kGZLS9YYs0/S220/Ricci1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1417186734598622452.post-992465554601010513</id><published>2009-10-18T23:33:00.001-07:00</published><updated>2009-10-18T23:33:28.354-07:00</updated><title type='text'>Danger lurks in the clouds • The Register</title><content type='html'>&lt;ul class="diigo-linkroll"&gt;    &lt;li&gt;    &lt;p class="diigo-link"&gt;&lt;a href="http://www.theregister.co.uk/2009/10/18/danger_failure" rel="nofollow"&gt;Danger lurks in the clouds &amp;bull; The Register&lt;/a&gt;&lt;/p&gt;    &lt;p class="diigo-tags"&gt;&lt;a href="http://www.diigo.com/cloud/greenfrog" style="color: rgb(0, 0, 0) ! important; text-decoration: none ! important;"&gt;tags&lt;/a&gt;: &lt;a href="http://www.diigo.com/user/greenfrog/no_tag"&gt;cloud computing, privacy, security&lt;/a&gt;&lt;/p&gt;    &lt;ul class="diigo-highlights"&gt;        &lt;li&gt;        &lt;div class="diigoContent"&gt;        &lt;div class="diigoContentInner"&gt;        &lt;p&gt;&lt;strong class="trailer"&gt;Comment&lt;/strong&gt; The failure of Microsoft to safeguard data synchronised from Danger's Sidekick devices on T-Mobile's network has thrown up important questions about cloud-based storage, along with insufferable smugness from iPhone owners.&lt;/p&gt;        &lt;p&gt;Most cloud-based services aimed at consumers are still on the backup side of things, offering to hold a copy of your data - the original of which is held on your own computer or elsewhere. 
But with cloud services increasingly wanting to process your data too, the failure of Danger's service could well be a nasty omen of things to come.&lt;/p&gt;        &lt;/div&gt;        &lt;/div&gt;        &lt;/li&gt;    &lt;/ul&gt;    &lt;/li&gt;&lt;/ul&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1417186734598622452-992465554601010513?l=onlineinformationsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/992465554601010513/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1417186734598622452&amp;postID=992465554601010513' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/992465554601010513'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/992465554601010513'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/2009/10/danger-lurks-in-clouds-register.html' title='Danger lurks in the clouds • The Register'/><author><name>Coda</name><uri>http://www.blogger.com/profile/13060362818013765148</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_lbAwEjX4A5E/Ssz2XQ9tpJI/AAAAAAAAAAM/2kGZLS9YYs0/S220/Ricci1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1417186734598622452.post-3543884817006884431</id><published>2009-10-16T20:46:00.000-07:00</published><updated>2009-10-16T20:46:02.799-07:00</updated><title type='text'>Cloud Computing - More on T-Mobile Seepage</title><content type='html'>MA Weier has this feature: &lt;a 
href="http://www.informationweek.com/cloud-computing/blog/archives/2009/10/who_do_you_blam.html;jsessionid=TLX4TSA0AX0HLQE1GHPCKH4ATMY32JVN?catid=cloud-computing"&gt;Who Do You Blame For Cloud Computing Failures&lt;/a&gt;? And here: How Did &lt;a href="http://www.informationweek.com/cloud-computing/blog/archives/2009/10/how_did_tmobile.html?catid=cloud-computing"&gt;T-Mobile Suddenly Recover Unrecoverable Data&lt;/a&gt;?&lt;br /&gt;&lt;br /&gt;E Zeman: &lt;a href="http://www.informationweek.com/blog/main/archives/2009/10/cloud_goes_boom.html;jsessionid=TLX4TSA0AX0HLQE1GHPCKH4ATMY32JVN"&gt;Cloud Goes Boom, T-Mo Sidekick Users Lose All Data&lt;/a&gt;.&lt;br /&gt;&lt;a href="http://futureoftheinternet.org/a-cloud-evaporates"&gt;Future of the Internet &lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1417186734598622452-3543884817006884431?l=onlineinformationsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/3543884817006884431/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1417186734598622452&amp;postID=3543884817006884431' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/3543884817006884431'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/3543884817006884431'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/2009/10/cloud-computing-more-on-t-mobile.html' title='Cloud Computing - More on T-Mobile Seepage'/><author><name>Coda</name><uri>http://www.blogger.com/profile/13060362818013765148</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://1.bp.blogspot.com/_lbAwEjX4A5E/Ssz2XQ9tpJI/AAAAAAAAAAM/2kGZLS9YYs0/S220/Ricci1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1417186734598622452.post-5056321684054491823</id><published>2009-10-16T20:32:00.000-07:00</published><updated>2009-10-16T20:33:00.053-07:00</updated><title type='text'>Security in the Clouds</title><content type='html'>&lt;ul class="diigo-linkroll"&gt;    &lt;li&gt;    &lt;p class="diigo-tags"&gt;&lt;a href="http://www.diigo.com/cloud/greenfrog" style="color: rgb(0, 0, 0) ! important; text-decoration: none ! important;"&gt;tags&lt;/a&gt;: &lt;a href="http://www.diigo.com/user/greenfrog/no_tag"&gt;cloud computing&lt;/a&gt;&lt;/p&gt;    &lt;ul class="diigo-highlights"&gt;        &lt;li&gt;        &lt;div class="diigoContent"&gt;        &lt;div class="diigoContentInner"&gt;&lt;blockquote&gt;Dear valued T-Mobile Sidekick customers:        &lt;p&gt;&amp;nbsp;&lt;/p&gt;        &lt;p&gt;T-Mobile and the Sidekick data services provider, Danger, a subsidiary of Microsoft, are reaching out to express our apologies regarding the recent Sidekick data service disruption.&lt;/p&gt;        &lt;p&gt;We appreciate your patience as Microsoft/Danger continues to work on maintaining platform stability, and restoring all services for our Sidekick customers.&lt;/p&gt;        &lt;p&gt;Regrettably, based on Microsoft/Danger's latest recovery assessment of their systems, we must now inform you that personal information stored on your device - such as contacts, calendar entries, to-do lists or photos - that is no longer on your Sidekick almost certainly has been lost as a result of a server failure at Microsoft/Danger. That said, our teams continue to work around-the-clock in hopes of discovering some way to recover this information. However, the likelihood of a successful outcome is extremely low. 
As such, we wanted to share this news with you and offer some tips and suggestions to help you rebuild your personal content. You can find these tips in our Sidekick Contacts FAQ. We encourage you to visit the Forums on a regular basis to access the latest updates as well as FAQs regarding this service disruption.&lt;/p&gt;        &lt;p&gt;In addition, we plan to communicate with you on Monday (Oct. 12) the status of the remaining issues caused by the service disruption, including the data recovery efforts and the Download Catalog restoration which we are continuing to resolve. We also will communicate any additional tips or suggestions that may help in restoring your content.&lt;/p&gt;        &lt;p&gt;We recognize the magnitude of this inconvenience. Our primary efforts have been focused on restoring our customers' personal content. We also are considering additional measures for those of you who have lost your content to help reinforce how valuable you are as a T-Mobile customer.&lt;/p&gt;        &lt;p&gt;We continue to advise customers to NOT reset their device by removing the battery or letting their battery drain completely, as any personal content that currently resides on your device will be lost.&lt;/p&gt;        &lt;p&gt;Once again, T-Mobile and Microsoft/Danger regret any and all inconvenience this matter has caused.&lt;/p&gt;        &lt;/blockquote&gt;I'll give T-Mobile and Microsoft/Danger some degree of credit for being so transparent about the problems, though it is sort of unforgivable that multiple back-ups weren't available to restore user data.        &lt;p&gt;&amp;nbsp;&lt;/p&gt;        &lt;p&gt;According to all parties involved, if users haven't pulled their battery or otherwise reset their device, there's hope they can make a local back-up somewhere. A problem like this underscores the problem with cloud-based services. &lt;/p&gt;        &lt;p&gt;T-Mobile isn't alone in the service they provide. 
Other mobile companies, such as Google, Apple, Palm, and Microsoft, have cloud-based data management systems that users can take advantage of. I think the bottom line here is pretty clear. Cloud storage can certainly provide for a back-up that's mostly trustworthy, but making sure you back-up data locally can prevent real disasters. &lt;/p&gt;        &lt;/div&gt;        &lt;/div&gt;        &lt;/li&gt;    &lt;/ul&gt;    &lt;/li&gt;&lt;/ul&gt;&lt;br /&gt;This is the type of news that chills.&amp;nbsp;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1417186734598622452-5056321684054491823?l=onlineinformationsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/5056321684054491823/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1417186734598622452&amp;postID=5056321684054491823' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/5056321684054491823'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/5056321684054491823'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/2009/10/security-in-clouds.html' title='Security in the Clouds'/><author><name>Coda</name><uri>http://www.blogger.com/profile/13060362818013765148</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' 
src='http://1.bp.blogspot.com/_lbAwEjX4A5E/Ssz2XQ9tpJI/AAAAAAAAAAM/2kGZLS9YYs0/S220/Ricci1.jpg'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1417186734598622452.post-8561110569997532308</id><published>2008-09-08T09:47:00.000-07:00</published><updated>2008-09-08T10:50:12.838-07:00</updated><title type='text'>The End-to-End Problem</title><content type='html'>&lt;span style=";font-family:arial;font-size:85%;"  &gt;The problem with trust is that it can be breached at any point along the network: at the bank through insiders or poor security practices (there is an article on OUTLAW that states that a bank forgot to renew its digital certificate); along the network through hackers or denial-of-service attacks; at home through &lt;/span&gt;&lt;span style=";font-family:arial;font-size:85%;" class="blsp-spelling-error" id="SPELLING_ERROR_0"  &gt;malware&lt;/span&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt; and &lt;/span&gt;&lt;span style=";font-family:arial;font-size:85%;" class="blsp-spelling-error" id="SPELLING_ERROR_1"  &gt;phishing&lt;/span&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt; attempts. What I am trying to get at in Chapter 2 is that it is the very nature of online banking which creates this end-to-end problem - by trusting the network (in the absence of human interaction) trust can be breached at multiple points. I am not saying that this does not happen in the real world, just that it is more likely to occur in the online world because the Internet has become the facilitator of crime.&lt;br /&gt;&lt;br /&gt;Taking Daniel &lt;/span&gt;&lt;span style=";font-family:arial;font-size:85%;" class="blsp-spelling-error" id="SPELLING_ERROR_2"  &gt;Solove's&lt;/span&gt;&lt;span style=";font-family:arial;font-size:85%;"  &gt; arguments as inspiration I believe law has the potential to solve the end-to-end problem. 
He argues that the architecture of law needs to change; rather than focusing on information misuses, law needs to focus on information leaks and insecurity&lt;o:smarttagtype namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="place"&gt;&lt;/o:smarttagtype&gt;&lt;o:smarttagtype namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="City"&gt;&lt;/o:smarttagtype&gt;. &lt;/span&gt;&lt;span style=";font-family:&amp;quot;;font-size:85%;"   lang="EN-GB"&gt;&lt;span style="" lang="EN-GB"&gt;A combination of civil and &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_5"&gt;criminal&lt;/span&gt; laws can potentially improve trust. Applying this to the end-to-end principle:&lt;br /&gt;&lt;/span&gt;&lt;/http:&gt;&lt;/span&gt;&lt;ul  style="font-family:arial;"&gt;&lt;span  lang="EN-GB" style="font-size:85%;"&gt;&lt;li&gt;Bank - law can &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_6"&gt;incentivize&lt;/span&gt; banks to have in place the secure technology and information security practices, rectifying data leaks and insecurity; the criminal law can penalise insiders&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Network - criminal law can be used to penalise hackers and those who commit denial-of-service attacks. Law can hold vendors responsible for poor security.&lt;br /&gt;&lt;/li&gt;&lt;li&gt;Home - again, criminal law can be used to punish those who attempt &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_7"&gt;phishing&lt;/span&gt; scams. 
Brenner suggests holding individuals personally responsible through civil &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_8"&gt;liability&lt;/span&gt; for home security.&lt;/li&gt;&lt;/span&gt;&lt;/ul&gt;&lt;span style=";font-family:arial;font-size:85%;"   lang="EN-GB"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;span style=";font-family:arial;font-size:85%;"   lang="EN-GB"&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;span style=";font-family:&amp;quot;;font-size:85%;"   lang="EN-GB"&gt;The problem of enforcement and lack of resources is always going to be an issue when using law in this way. However, some strategies remain:&lt;br /&gt;&lt;ol&gt;&lt;li&gt;The &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_9"&gt;FSA&lt;/span&gt; can be used to ensure law is respected by banks;&lt;/li&gt;&lt;li&gt;The criminal law's real power is in its deterrent value - it sets a baseline of acceptable behaviour, deterring those who would otherwise commit crimes and punishing those who do. Here technology and international cooperation can help. If the law has (limited) success then trust is boosted (however small).&lt;br /&gt;&lt;/li&gt;&lt;/ol&gt;Nevertheless, the issue of enforcement is still a problem. That is why we need to focus beyond law in certain circumstances - hence the reliance on the other modalities. However, this does not undermine my central argument. We need to look at law creatively, just as &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_10"&gt;Solove&lt;/span&gt; has done. If we do this, it can be seen that law underpins and influences the other modalities.&lt;br /&gt;&lt;br /&gt;Consider technology. &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_11"&gt;Reidenberg&lt;/span&gt; argues that technology needs the support of an effective legal framework in order to act as a quasi-legal instrument. In the European arena certainly digital signatures and digital certificates needed the backing of law to be truly legitimate. 
Moreover, &lt;span class="blsp-spelling-error" id="SPELLING_ERROR_12"&gt;Reidenberg&lt;/span&gt; argues that technology can be used as law enforcer but in order to do so it needs the legitimacy of law.&lt;br /&gt;&lt;br /&gt;Consider norms. Norms are extremely difficult to enforce. At an institutional level at least, the Data Protection Act and Companies Act can force managers and directors to adopt codes of best practices. In this sense law becomes norms.&lt;br /&gt;&lt;br /&gt;Consider the market. &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_13"&gt;Liability&lt;/span&gt; needs to be attached to vendors in order to drive technological development.&lt;br /&gt;&lt;br /&gt;Despite all this however, one flaw still remains - law cannot prevent end-users who inadvertently breach trust themselves. Here, we need to focus on creative strategies that supplement the law. Brenner suggests empowering individuals through participation in the legal system - again law is key.&lt;br /&gt;&lt;br /&gt;Coming back to my argument about law - law is not &lt;span class="blsp-spelling-corrected" id="SPELLING_ERROR_15"&gt;infallible&lt;/span&gt; - certainly it has its flaws - but, overall, it underpins the whole concept of trust, whether it be punishing data misuse, preventing data leaks or insecurity, creating norms or helping innovation.&lt;br /&gt;&lt;br /&gt;I have a quick query - I have read Savirimuthu "Identity Theft and Systems Theory" but I failed to grasp its central argument regarding systems theory.    
&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1417186734598622452-8561110569997532308?l=onlineinformationsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/8561110569997532308/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1417186734598622452&amp;postID=8561110569997532308' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/8561110569997532308'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/8561110569997532308'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/2008/09/end-to-end-problem.html' title='The End-to-End Problem'/><author><name>M.Ireland</name><uri>http://www.blogger.com/profile/03979428337460292183</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1417186734598622452.post-7782687466884029527</id><published>2008-07-19T09:07:00.001-07:00</published><updated>2008-07-19T09:11:45.321-07:00</updated><title type='text'>Nature of the Threat</title><content type='html'>The nature of the threat is varied. Bank customers have historically been at a disadvantage: the seminal case of Foley v. Hill declared that customers are merely unsecured creditors in the event of bank insolvency. 
The recent 'run' on Northern Rock highlights that customers are worried about the safety of their money.&lt;br /&gt;&lt;br /&gt;In the context of online banking the nature of the threat goes much further; customers face a wide range of threats associated with being 'online' - so called cyber crime. Cybercrime can be divided into two categories:&lt;br /&gt;1.      True cybercrime – crime that would not exist without computers and the Internet&lt;br /&gt;2.      E-enabled crime – real-world crime that is perpetrated over the Internet.&lt;br /&gt;It is clear that in relation to true cybercrime, specific legislation is required e.g. Computer Misuse Act 1990&lt;br /&gt;&lt;br /&gt;There are numerous types of cybercrime, whether ‘true’ or ‘e-enabled’:&lt;br /&gt;o       Hacking – The hacker is the “archetypal 21st Century criminal, using technology as a means of gaining unauthorised access to private computer systems…” Hacking falls under s.1 or s.2 of the CMA 1990.&lt;br /&gt;o       Cyber vandalism – Alteration of websites that may affect reputation of companies through visible poor security. Falls under s.3 of the CMA 1990.&lt;br /&gt;o       Viruses – A virus is “code which is usually disseminated by email and which will cause a computer to perform specific functions”. Disseminating viruses is caught by s.3 of the CMA 1990 and possibly under criminal damage offences.&lt;br /&gt;o       Denial of Service Attacks – A “denial of service attack aims to prevent ‘legitimate’ users from gaining access to or using a particular Internet service. Previously the CMA failed to criminalise DOS attacks but recent modifications have made them criminal offences&lt;br /&gt;o       Misuse of credit cards – The internet makes obtaining credit card details quick and efficient. 
‘Websniffers’ and ‘keyloggers’, technology that monitors bandwidth and keystrokes respectively, and the ability to purchase already stolen numbers facilitate the growth in credit card crime.&lt;br /&gt;o       Information theft/misuse – Again, the Internet increases the volume and speed at which such information can be misappropriated. Civil sanctions (confidentiality) and criminal offence, whether theft or under CMA 1990.&lt;br /&gt;&lt;br /&gt;Cybercriminals are indeed a new form of criminal; “this is not surprising when one considered the anonymity it can provide, the speed with which it operates, the ease with which a cybercriminal can get online, and the size of the market into which to tap”.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1417186734598622452-7782687466884029527?l=onlineinformationsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/7782687466884029527/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1417186734598622452&amp;postID=7782687466884029527' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/7782687466884029527'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/7782687466884029527'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/2008/07/nature-of-threat.html' title='Nature of the Threat'/><author><name>M.Ireland</name><uri>http://www.blogger.com/profile/03979428337460292183</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1417186734598622452.post-3869288891687813603</id><published>2008-07-19T08:58:00.000-07:00</published><updated>2008-07-19T09:06:11.944-07:00</updated><title type='text'>Trust is Essential</title><content type='html'>The number and type of threats reduce trust and confidence in e-commerce: non-users are discouraged and users lack confidence, only using it because of ease and convenience.&lt;br /&gt; E-commerce is attempting to allay these fears and improve trust and confidence: for example using SSL and ‘going beyond the norm’ i.e. in the context of online banking using random digits to prevent keylogging.&lt;br /&gt;&lt;br /&gt;Trust depends on an individual’s perception of risk and reputation of a bank and is affected by three things, called the antecedents of trust:&lt;br /&gt;1.      Shared value – perceived trust in security and mutual concern is significant.&lt;br /&gt;2.      Communication – openness, speed of response and quality of information, especially relating to issues of security results in increased trust.&lt;br /&gt;3.      Opportunistic behaviour – integrity is key. A customer needs to know that a bank will honour its obligations, especially considering the information asymmetry.&lt;br /&gt;&lt;br /&gt;Technology is usually seen as the 'silver bullet' in securing trust. Trust is essential to any form of commercial transaction conducted on the Internet. The geographical displacement and lack of face-to-face dealings potentially erodes trust. Thus, rather than relying on trust between respective parties, individuals trust the ‘system’ or ‘network’ that facilitates the online transaction. In other words, architectural trust replaces party trust. 
Lessig supports this point: trust-building norms are being eroded by the decentralised nature of the Internet.&lt;br /&gt;&lt;br /&gt;To this end, the architecture has to provide: confidentiality, integrity, non-repudiation and identification. These four elements, the cornerstone of information security, are provided by cryptography, or more specifically, PKI (Public Key Infrastructure). PKI employs a complex hierarchy of digital certificates (for identification), digital signatures (to replace traditional signatures) and digital keys (to encrypt and decrypt communications).&lt;br /&gt;&lt;br /&gt;However, while PKI is useful in authenticating a person, it does not solve the underlying problem of verifying that identification. In other words, it cannot guarantee that the person who is ‘identified’ is who they say they are:&lt;br /&gt;&lt;br /&gt;However, authentication is merely a belief, grounded in technological architecture, that certain information is indeed connected to an individual or an entity. Authentication does not provide any insight as to whether that information is true; determining the truth of information is the realm of verification.&lt;br /&gt;&lt;br /&gt;Legislation can do little to fill in this gap; attempts to do so have either failed or provided little guidance on how to actually achieve it. Industry, too, fails; the trend of requiring name, address, date of birth and password, for example, is relatively easy to obtain. In essence, technology, both helpful and harmful, advances too fast for government and industry to respond.&lt;br /&gt; Therefore, what is required is a technological-neutral solution to a problem that is at its core, a technological-neutral problem. The answer then is to require physical verification of an identity. But this is difficult to achieve in an online world: the whole point of online banking is remoteness. 
The proposal, while useful in relation to certification authorities, is less so when one considers online banking.&lt;br /&gt;&lt;br /&gt;However, law's role should not be underestimated. However, law has a role to play: backbone of providing trustworthiness and legitimacy. Law is preventative and punishes breaches of trust. Law is best used in a three-tiered model of trust:&lt;br /&gt;1.      Direct trusting relationship – like one would usually have with a bank – commercial incentives to produce security – market trust!!&lt;br /&gt;2.      Market verifiers – gatekeepers, for example the FSA, who ensure banks operate properly.&lt;br /&gt;3.      Law – regulate banks and FSA.&lt;br /&gt;&lt;br /&gt;Law is crucial at securing trust.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1417186734598622452-3869288891687813603?l=onlineinformationsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/3869288891687813603/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1417186734598622452&amp;postID=3869288891687813603' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/3869288891687813603'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/3869288891687813603'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/2008/07/trust-is-essential.html' title='Trust is Essential'/><author><name>M.Ireland</name><uri>http://www.blogger.com/profile/03979428337460292183</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-1417186734598622452.post-7635835888704515818</id><published>2008-06-04T11:28:00.000-07:00</published><updated>2008-06-04T11:29:21.294-07:00</updated><title type='text'>Test Post</title><content type='html'>Michael&lt;br /&gt;Here is your blog site&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/1417186734598622452-7635835888704515818?l=onlineinformationsecurity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://onlineinformationsecurity.blogspot.com/feeds/7635835888704515818/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=1417186734598622452&amp;postID=7635835888704515818' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/7635835888704515818'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/1417186734598622452/posts/default/7635835888704515818'/><link rel='alternate' type='text/html' href='http://onlineinformationsecurity.blogspot.com/2008/06/test-post.html' title='Test Post'/><author><name>Coda</name><uri>http://www.blogger.com/profile/13060362818013765148</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='24' height='32' src='http://1.bp.blogspot.com/_lbAwEjX4A5E/Ssz2XQ9tpJI/AAAAAAAAAAM/2kGZLS9YYs0/S220/Ricci1.jpg'/></author><thr:total>0</thr:total></entry></feed>
