Privacy


According to Val Rahamani, general manager of IBM’s Internet Security Systems, “The security business has no future” (¶ 2). The recent rapid growth of threats, along with reports that 90% of websites are vulnerable, has made me wonder whether we, as IT people, can keep up. I do think Rahamani has it right with this statement:

“The security industry is flying by the seat of its pants,” Rahamani said. “Security infrastructure has been dictated by the bad guys… as new threats arise, we put new products in place. This is an arms race we cannot win” (¶ 3).

But what is the alternative? According to Rahamani, “security companies must sell their customers solutions that assume ‘everyone is infected’ so that they can safely do business, which makes a business sustainable” (¶ 5). It will be interesting to see what IBM ISS does bring out in the future. But having thrown this challenge out at RSA Conference 2008, IBM had better come back with a good solution.

— Higgins, K. J. (2008, April 10). IBM: The Security Business ‘Has No Future’. Dark Reading. http://www.darkreading.com/document.asp?doc_id=150830.


Why? If not, you might see your former job posted on Monster.com while searching for a new job. The reason? This article by Tim Wilson describing an FTC settlement against ValueClick that might mean your company is liable for the inadvertent release of data.

“In a nutshell, the decision means that enterprises could be found negligent for promising to protect user data but subsequently failing to implement the security precautions required to meet those promises. If you promise good security and then fail to provide it, it could weigh against you in court, the decision says” (¶ 4).

And trust me, if you are responsible for ensuring the security of the data, or the computers, and the company has to pay out a few hundred thousand or even millions, you will most likely be on Monster.com looking for a job the next day.

The problem? How do we secure those notebooks that travel around? This is a nightmare scenario for anyone in IT.

“It all started when the spouse of a Pfizer employee used file-sharing software on a company laptop, presumably to swap music or other content with other P2P users. Unknowingly, the laptop user also exposed 2,300 work files, including those containing sensitive Pfizer employee data–names, Social Security numbers, addresses, and bonus information resident on the laptop” (Foley, ¶ 2).

One way or another, you have to find a way to secure your data. A data dissemination policy is a good start. Work with senior managers and define a set of data that will not be available outside the application where that data is used. For instance, in the case of employees, why do you need Social Security numbers in a spreadsheet? Wouldn’t just an employee number be sufficient? No name, no address, no phone number, just employee ID and the relevant data.
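To show what that policy looks like when enforced in code, here is an added example (mine, not from the post or any product it mentions): an export routine that keeps only the employee ID plus the fields a recipient actually needs, refuses forbidden fields outright, and runs a last-line check for SSN-shaped values before anything leaves the HR application. The field names and employee records are constructed for the example.

```python
"""Data minimization for spreadsheet exports that leave the HR application:
employee ID plus the relevant data only, with an SSN pattern check on the output."""
import csv
import io
import re

# Fields that may never appear outside the application (constructed policy set).
FORBIDDEN_FIELDS = {"name", "address", "phone", "ssn"}
# 123-45-6789 style; a cheap final check on any text about to be exported.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample records standing in for an HR database extract.
EMPLOYEES = [
    {"employee_id": "E1001", "name": "Ann Example", "address": "1 Main St",
     "phone": "555-0100", "ssn": "123-45-6789", "bonus": "2500"},
    {"employee_id": "E1002", "name": "Bob Sample", "address": "2 Elm St",
     "phone": "555-0101", "ssn": "987-65-4321", "bonus": "1800"},
]


def minimize(records, wanted):
    """Return rows holding only employee_id plus the requested, non-forbidden fields."""
    bad = set(wanted) & FORBIDDEN_FIELDS
    if bad:
        raise ValueError(f"fields not allowed outside the application: {sorted(bad)}")
    keep = ["employee_id"] + [f for f in wanted if f != "employee_id"]
    return [{k: r[k] for k in keep} for r in records]


def to_csv(rows):
    """Serialize rows to CSV text, the form a spreadsheet export would take."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def ssn_hits(text):
    """Count SSN-shaped values in export text; anything above zero should block the export."""
    return len(SSN_RE.findall(text))


if __name__ == "__main__":
    full_export = to_csv(EMPLOYEES)
    lean_export = to_csv(minimize(EMPLOYEES, ["bonus"]))
    print("raw extract SSN hits:", ssn_hits(full_export))
    print("minimized export SSN hits:", ssn_hits(lean_export))
    print(lean_export)
```

The pattern check is deliberately crude; it catches the obvious dashed form, not every way an identifier can be written, so it backs up the field policy rather than replacing it.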

An acceptable use policy for computers should already be in place at your company, detailing exactly what applications are allowed to be installed and who is allowed to use the computer. In my opinion, installation of a P2P application like BearShare or LimeWire should be grounds for immediate, and public, dismissal. Nothing brings home the point more than to say, “Pete will no longer be with us because he installed an application from the forbidden list.”

And last, rally the IT troops and come up with an encryption policy regarding data that resides outside the core corporate databases. If you don’t, start polishing up your resume.

— Foley, J. (2008, March 17). Your Data and the P2P Peril. Network Computing. http://www.networkcomputing.com/article/printFullArticle.jhtml?articleID=206904104.

— Wilson, T. (2008, March 17). FTC Deal Suggests Enterprises Could be Liable for Poor Security. Dark Reading. http://www.darkreading.com/document.asp?doc_id=148572.

Anyone who has had to meet someone at the airport can attest to the pain of waiting around for a delayed flight. But here is a cool site that allows you to track not only one flight, but all flights by airline, aircraft type, departure, or destination airport. You can also look at the history of a specific airplane ‘tail number’ and see where it has traveled over the past few days. From a privacy point of view, that might not be a good thing, especially if you’re a private pilot and want to fly somewhere without your friends or spouse knowing. 🙂

They also have a cool animation of all aircraft traffic throughout a 24-hour period. Very interesting if you’re into aviation.

Better think again. This article describes an attack in which the memory of a computer that has just been rebooted can be read, passwords harvested from it, and the machine subsequently compromised. It specifically mentions Microsoft’s BitLocker and Linux’s dm-crypt as susceptible to this attack. If we as IT managers think our wandering notebook computers are protected, this article is a wake-up call. Or as the article quotes, “Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them” (¶ 6).

— Sawyer, J. H. (2008, February 25). The Crack in Whole-Disk Encryption. Dark Reading. http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=146727

I was reading this article where presenters at the Black Hat conference had hacked the GSM encryption used for phones and could now listen in on cell phone calls and read SMS messages. It got me to thinking on a larger scale about privacy and security, and whether protecting ourselves was something we should be worried about.

I do what I can to protect my personal information when I shop online and visit sites. I use a tool to keep Google Analytics from building a history on me so I don’t have to put up with targeted marketing when I visit sites based on where else I have gone on the Internet. But in the end, is this hack really a concern for most of us? I remember back in the 80’s when you could buy radios that would listen in on calls, and they weren’t really all that interesting.

How much of what we do on our cell phones today is really all that private? Are we creating a concern where one really doesn’t exist? As for national security matters, I would hope that they are using encryption technology on top of that used by GSM or the other technologies, but does it really matter for the average citizen? Is corporate espionage really all that sophisticated? The social networking attacks and “dumpster diving” are usually much more productive, I would imagine, than trying to capture cell phone conversations of executives from among the thousands of calls being handled within the area of a corporate office.

As someone who usually travels to Canada once a year for a vacation, this article caught my eye:

“You’ve probably heard about the search and seizure of electronic devices (laptops, cellphones, MP3 players, and more) by U.S. Customs and Border Protection” (¶ 1). Actually, I hadn’t, so I read the Washington Post article it references. Coming just after my post about wiretapping, I’m beginning to wonder if restraint and due process have been eliminated. I will readily admit I don’t stay as current with news as I should, but I like to think the government targets only those who have been identified as potential terrorists or allies of terrorists. But this article makes me wonder if the government has become too aggressive in its use of intelligence gathering methods. Even though I do nothing illegal, either in the U.S. or while traveling, this makes me wonder if international vacation travel is worth it anymore. Of course, what we don’t know is whether the people who were targeted at the airports were suspected of doing something illegal.

By the way, the article on Dark Reading gives some good advice on how to protect your sensitive information if you do travel overseas, and it’s good advice regardless of whether you go overseas or not.

— Sawyer, J. H. (2008, February 13). Evil Bits: Protecting Yourself from the Border Patrol. Dark Reading. http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=146029