A little bit off topic, but having just got back from RSA, and with a bunch of other conferences coming up, I thought I would share this checklist that I pulled together a while ago. Conferences are usually expensive, and you can miss out on many opportunities if you just attend the sessions and then go home. This checklist gives you some tips on how you can maximize the time that you spend at a conference and make sure that you walk away with more than just another folder for your shelf.
Before the Conference
- Plan which sessions to attend. Note who the speakers are for all of the sessions as well as the content (you generally have access to this information before the conference). Check for target clients, alliance partners and competitors and decide whether it’s worth going to a presentation to be able to get to talk to someone from a key target, or to find out what they are doing.
- Sort out your logistics. Book flights that give you time to get to the conference allowing for flight delays. If the conference is in a hotel (and they often are), try to make sure that you stay in that hotel to a) get the special discounts that the conference will obtain for you and b) make it a lot easier for you to get between your room and the sessions.
- Clear your ‘to-do’ list. Easier said than done, but taking conference calls during the sessions and working in the breaks means missing networking opportunities and not getting value for money.
- Divide and Conquer. Try to find out if anyone else from your company is attending the conference, make contact with them and try to split target sessions between you, compare notes etc.
- Take a lot of business cards. They're easy to carry, and if you don't use them, so what?
- Know what to say. Sooner or later, someone will ask you about your company. Work out what you are going to say about the firm and your role.
During The Conference
- Timing is everything. Try to be around in the general area before the sessions start and during breaks. You never know who you might meet, or what you might find out.
- Be an Ambassador. If appropriate for the dress code, consider wearing branded (or otherwise 'conversation-worthy') clothing so that you’re noticeable. At RSA, a woman walked up to me and literally asked for the shirt off my back. Note: This is not always a good thing - and I do have witnesses!
- Work out what you want to get out of each session. Do you want to talk to the speaker afterwards? Would you like a demonstration? How does the session add to what you already know?
- Collect business cards. When you speak to someone who you might want to contact again, be sure to collect a business card. Write on the back a little about that person (business & personal info), what you discussed and any other useful information to jog your memory when you get back.
- Enter all vendor raffles. You never know what you might win.
- Work the crowd. Sit next to different people at each session and introduce yourself to them. If possible, review the attendee list and be strategic in who you sit next to.
- Maintain a ‘to do’ list. Whenever something strikes you as interesting or you should follow up on, make sure you write it down and then action it when you return to your office.
After the Conference
- Get business cards into your CRM system. A business card in your bag is not much use. In your company CRM system, it shows other people who come into contact with that person who else knows them.
- Follow up. Write personalized emails where appropriate to people that you met, either sending them information that might be of value to them, or suggesting a follow up discussion or meeting.
- Be timely. Make follow-up calls / emails within a week of the end of the conference.
- Keep your CPE certificate. You may be audited one day and be glad you did.
- Share your knowledge. Tell other people in the office what you found interesting, and keep the course material in a place that other people can use it.
Congratulations! If you follow these steps then you will find that you get a lot more out of conferences, both for yourself and the company.
While many organizations have a strong desire to make their web-sites useable and accessible for as many people as possible, most likely do not realize that this can result in some loss of privacy for users.
Accessibility can work in a number of ways, either through active involvement by a user choosing certain options on the site, or passively without direct user interaction through good site design, color palette selection and similar. Where active involvement by a user is required, this may be achieved either with them making a conscious choice at the time of using a site, or they may already have made a selection (e.g. choice of browser, screen resolution, use of screen reader) which is communicated to the site at the time of use. For users with disabilities, the availability of appropriate and useable accessibility options may mean the difference between them being able to use a site, or looking elsewhere.
How this overlaps with privacy may not be immediately obvious. Privacy refers to the amount of control that we have over our personal information, and how this is shared and used. On the Internet, privacy can be taken to mean that you are aware of the information that you are sharing, and this information is used in a way that you are comfortable with until it is destroyed.
Browser Information Leakage
So how can accessibility compromise privacy? By knowing that a user is visually impaired, and combining that information with other information, for example that they are located in a certain area (from their IP address, or GPS or other location), you could compromise an individual’s privacy. Research has already indicated that between 63% and 87% of Americans can be uniquely identified by birth date, gender and 5-digit zip code (see here and here for the research and here for some analysis by the Electronic Freedom Foundation). If you’re not convinced – check out the Panopticlick “browser fingerprinter”, also from the EFF. When I just tested my browser, its fingerprint was unique amongst nearly 800,000 configurations tested so far.
Logon Information Leakage
Other accessibility options, such as reading text aloud, may be appropriate for an application being used at home, but may impact privacy if they are used in a location such as a library or a bank lobby, or may not even work if the appropriate hardware is not in place. Developers must give thought to where a website may be used when developing privacy options, particularly when the website grants access to sensitive information.
How Privacy can impact Accessibility
Restrictions on sharing information about people’s health and health conditions may impact the ability to plan appropriately accessible services for them. As a result, companies may not have the information that they need to know how to adapt their sites to their user base, reducing their ability to provide accessible information for all.
While none of these issues are insurmountable, the fast evolving fields of Accessibility and Privacy mean that practitioners must be conscious of these areas when designing new applications as in many places there is no standard for managing the overlap of these two fields.
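As an added illustration of the re-identification point made under Browser Information Leakage (example code written for this page, not from the original post), the following measures how much a single extra attribute, here whether a visitor uses a screen reader, fragments the anonymity sets formed by zip code, birth year and gender; the visitor records are constructed sample data, not real people.

```python
"""Added example, not from the original post: how one extra attribute
(here, whether a visitor uses a screen reader) fragments the anonymity sets
formed by the usual quasi-identifiers (zip code, birth year, gender).
All visitor records below are constructed sample data."""
from collections import Counter

# Column order for each record tuple.
FIELDS = ("zip", "birth_year", "gender", "screen_reader")

# Constructed sample of site visitors. No record is unique on
# (zip, birth_year, gender) alone; several become unique once
# screen_reader is added to the combination.
VISITORS = [
    ("02139", 1980, "F", False),
    ("02139", 1980, "F", False),
    ("02139", 1980, "F", True),
    ("02139", 1975, "M", False),
    ("02139", 1975, "M", False),
    ("10001", 1990, "M", False),
    ("10001", 1990, "M", True),
    ("94110", 1965, "F", True),
    ("94110", 1965, "F", False),
]


def _keys(records, quasi_identifiers):
    """Project each record onto the chosen quasi-identifier columns."""
    idx = [FIELDS.index(q) for q in quasi_identifiers]
    return [tuple(r[i] for i in idx) for r in records]


def anonymity_sets(records, quasi_identifiers):
    """Size of each equivalence class: how many visitors share a key."""
    return Counter(_keys(records, quasi_identifiers))


def unique_fraction(records, quasi_identifiers):
    """Fraction of visitors whose quasi-identifier combination is unique,
    i.e. who can be singled out using nothing more than these columns."""
    keys = _keys(records, quasi_identifiers)
    counts = Counter(keys)
    return sum(1 for k in keys if counts[k] == 1) / len(keys)


def k_anonymity(records, quasi_identifiers):
    """The k in k-anonymity: the smallest anonymity set in the dataset.
    k == 1 means at least one visitor is fully re-identifiable."""
    return min(anonymity_sets(records, quasi_identifiers).values())


def risk_report(records):
    """Compare re-identification risk before and after logging the
    accessibility attribute alongside location and demographics."""
    base = ("zip", "birth_year", "gender")
    return {
        "without_accessibility_attr": (
            unique_fraction(records, base), k_anonymity(records, base)),
        "with_accessibility_attr": (
            unique_fraction(records, FIELDS), k_anonymity(records, FIELDS)),
    }


if __name__ == "__main__":
    for label, (frac, k) in risk_report(VISITORS).items():
        print(f"{label}: {frac:.0%} of visitors unique, k-anonymity = {k}")
```

Running this kind of check before an accessibility preference is stored next to location or demographic fields shows whether the stored combination still leaves every visitor in a group of at least two.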
Marcus Morissette, Managing Director and Privacy Practice Lead, Concise Consulting Group
I have become increasingly concerned lately with some common misconceptions around the practicality and effectiveness of the Safe Harbor Framework, in particular its Self-Certification approach to compliance. Technically, there are two Safe Harbor frameworks, US/EU and US/Switzerland, but for the purposes of this argument I will focus on the US/EU variation, which is what people typically mean when talking about Safe Harbor.
As a data privacy professional and attorney, I often am faced with advising clients on the scope and benefits of seeking self-certification under the Safe Harbor framework. Lately it has become apparent to me that there is some serious misunderstanding about the benefits of self-certifying under the Safe Harbor framework. I have experienced a widely held belief by both companies (and unfortunately some “privacy” attorneys), that self-certifying and “complying” with the 7 Safe Harbor Requirements is somehow a direct replacement for complying with the EU Data Protection Directive (EU Directive).
Safe Harbor Self-Certification is insufficient for Direct Collection of Personal Data from an EU Data Subject.
US/EU Safe Harbor Self-Certification allows a US company to receive transfers of personal data from an EU data collector if it meets the Seven Safe Harbor Requirements with regards to the collection, processing and storage of personal data. Safe Harbor was created to facilitate the continuation of cross-Atlantic data transfers across the very different data protection regimes of the European Union and the United States.
It is assumed that the personal data collected will be collected by a registered data collector in the EU in a manner compliant with the EU Directive and any applicable national/sub-national implementation of that directive.
Safe Harbor does not allow a self-certified US company to directly collect (act as a data collector) personal data from an EU data subject. In other words, self-certification with the Safe Harbor framework is not a substitute for compliance with the EU Directive and national/sub-national implementation of the EU Directive where a US company directly collects data from EU data subjects (e.g. over the Internet).
If a US company will be directly collecting personal data from EU data subjects, it will be responsible for direct compliance with the EU Directive, each applicable member state’s national implementation of that directive, and potentially each sub-state’s implementation of the national member state data protection law (if these are more restrictive than the EU Directive).
While this interpretation seems to be clear from reviewing the materials posted at the Safe Harbor website (http://www.export.gov/safeharbor/), it is apparent that considerable confusion exists. This could be detrimental to a company that relies on incorrect advice, and proceeds to collect personal data from the EU under the guise of its Safe Harbor program. It could lead to legal sanctions from the U.S. government (FTC action for deceptive trade practices), and/or legal action from the European Union and EU member states.
So, my advice to those professionals responsible for their organization’s privacy and Safe Harbor programs: make sure your privacy ship is truly anchored in a Safe Harbor, and not heading for the rocks.
January 28th is Data Privacy Day. In a single generation, privacy concerns have shifted from worrying about who can see through your windows to who might be able to see your medical records on the Internet. Data Privacy Day gives us a chance to reflect on these changes, and to think about what steps we can take to better control personal information and manage our privacy.
The fact is that information, from where you live to how you live, is now available to many companies that you do business with, or in some cases to everyone with an Internet connection. This disclosure can provide many benefits, from customized offers based on purchase history to a free cup of coffee on your birthday. Disclosure also carries risks. Many of us have received notices telling us that our personal information has been lost or stolen, and although most of these instances do not lead to direct harm to us individually, they often cause concern.
Interestingly, the number one privacy concern that most people have is not related to the information that they share. Given the proliferation of social networking and other online activities, people are often comfortable (sometimes too comfortable) when it comes to sharing information in the public (or semi-private) domain. The real concern for many is how information that has been shared with trusted people or organizations will be managed and protected once it is out of our direct control. Individuals can reduce this risk by limiting what they share, but we also need to take responsibility for holding organizations to their privacy policies and agreements; they are stewards of your information.
So to mark Data Privacy Day, here are 4 simple things that you can do to improve your own privacy:
1. Think before sharing your personal information. For example, when a shop asks for your phone number at the checkout ask why they need it. Usually the request is because they want a number that uniquely identifies you, rather than because they plan to call you. So, consider declining or just choose a generic number that you can remember. Similarly, if someone asks for your birthday, then January 1st will often suffice.
2. Always opt-out. Unlike Europe, where you need to opt-in to consent to your data being shared, we in the U.S. have to ensure that we opt-out whenever we have the opportunity to restrict companies from sharing information with other companies or partners. It only takes a few seconds, and restricts what can be done with your information. Find those boxes, and tick them.
3. Treat Social Networks like coffee shops. If you wouldn’t talk about it in a coffee shop, don’t talk about it on Facebook or Myspace. If you wouldn’t shout it on a street corner, don’t share it on Twitter! Once you have shared something electronically, it is out of your control, even if you think that only your friends will be able to see it.
4. Maintain Healthy Skepticism. Be suspicious about any requests for personal information, even if they look like they come from a person or organization that you know. Many people continue to be fooled by these requests. It’s easy to take a couple of minutes to make a call and confirm that a request is genuine before providing information that could be used to commit identity theft, or cause you other problems.
Marcus Morissette, Managing Director, Concise Consulting Group.
We all know the IT guy/gal (IT Director, network administrator, “IT guy”) (let’s call him/her “IT Joe” for the rest of this post) who is your company’s “Radar O’Reilly” or “go to guy” when it comes to your network. He is the guy who knows how everything works, why the firewalls and routers are configured the way they are, and where all the bodies are buried. He is the guy you call when something goes wrong, and the guy that keeps things going, sometimes through sheer will power.
You (fill in blank here with your applicable C-level title) may think this is great! That it is such an efficient way to run an IT shop. You may have reduced staffing and think that this guy/gal represents such a great level of efficiency. Why have three people around that have the same skill set/knowledge, when you can have one? In this economy, many IT organizations have had their numbers cut, and many are probably faced with a Single Point of Failure (SPOF). Or several (which is not necessarily an oxymoron, but is a really bad idea).
With over 20 years of information security experience, including assessments of over 100 organizations, we have seen many different approaches to IT. One constant is that EVERY IT shop has a SPOF. Some are known, some are unknown. SPOFs not only violate multiple tenets of good information security practice, but are just a bad idea. Just a few examples of the potentially negative aspects of a SPOF in your IT organization:
Separation of Duties
Depending on where IT Joe works, he/she may have control over systems, system configurations, change management, patch management, etc. that would allow him/her to make any changes without anyone else being involved. Do you remember what happened to the City of San Francisco last year? http://www.pcworld.com/businesscenter/article/148469/it_admin_locks_up_san_franciscos_network.html
Going Rogue
What would happen if IT Joe suddenly lost his or her motivation or sense of corporate loyalty? Doesn’t get the raise he/she was expecting, or just decides his retirement plan needs to be moved up 15 years at your expense? What damage could they do, and what “secrets” do they have that might be of use to your competitor? Also – see above re: San Francisco.
Win the Lottery
What if IT Joe wins the lottery? How would your IT organization function without him/her? Who knows how everything works? Is it all in a file somewhere, or did your IT organization just head off to the Caribbean on permanent vacation?
The Solution?
The solution to the SPOF in your IT Organization will vary depending on your company’s particular situation and the size and complexity of your IT Organization. The first step, just like most 12 step programs, is admitting you have a problem. Identify your SPOF or SPOFs, and the factors that led to them becoming a SPOF.
Some specific actions you might consider to address your SPOF problem may include: hiring/grooming more involved CIOs, implementing technology oversight boards, documenting job descriptions, roles & responsibilities, implementing backup-roles, cross-training your IT personnel, and not gutting your IT shops to their bare minimum.
SPOFs need to be handled carefully. Make sure that in trying to resolve the SPOF you don’t cause the issue that you are trying to avoid.
If a tree falls in a virtual forest, does it make a virtual sound? These days, a lot of trees are falling in a lot of virtual forests and the noise is becoming louder in the real world. There are now university classes taught virtually, simulators replicate situations that are expensive or dangerous in real life and surgeons practice techniques virtually before they attempt the real thing.
As Virtual Worlds (VW’s) have become more complex and functional, they have become more valuable, both to their users and to attackers. Nearly half a million users spent money in Second Life, one of the most popular VWs, in August 2009. Interestingly, over 1000 of these transactions exceeded $4000. The total GDP of Second Life was estimated at around $500m in 2007 – larger than some small countries.
This increase in functionality and usage has also led to an increase in the number of people attacking the system or the people using it. While some early attacks focused on gaining control of in-world resources or disrupting the experience of other users, more recent attacks try to gain access to real world resources and bank accounts.
While few corporations currently use VWs, it is likely that this will change over the next decade as they become more ubiquitous and gain Enterprise Class features to encourage their adoption. This will increase the urgency to develop a system of controls to protect both users and the environments themselves.
So, as information security professionals, how can we help to make Virtual Worlds a better place to live and work?
To help secure VWs from attack, it helps to think about them as a connected system with a number of components which can each be modeled. This helps us to understand what the attack surface looks like, and understand the key vulnerabilities and how they might be defended against.
The major vulnerability points are:
· Client Software. Once you have installed code on a client machine, that code is vulnerable to being manipulated, either by changing the code itself or changing the way that it interacts with the VW server. This technique was used successfully to hack many online games and resulted in the development of programs such as PunkBuster, which controls which other programs can run at the same time as the game client and performs checksums on key files to ensure their integrity.
· The Virtual Environment. Whether it’s performing a certain sequence of events that always produces game currency, or manipulating certain aspects of the VW to operate outside the rules (basically what the character Neo does in the film The Matrix), designers of the VWs are not able to predict every single way that a user might interact with the world, so they have to design safeguards that will work whatever the interaction is.
· The Users. One of the most common attack vectors seen to date is to exploit trust between users to the benefit of an attacker. Most users tend to assume that if they have been interacting with another character in a virtual world for some time, they can trust them. In reality, many of the cues that we get when interacting in person are masked when interacting with an avatar. Both the appearance and actions of an avatar may be designed to elicit certain responses in the same way that con artists may take on a certain persona to achieve their goals.
Gaming VWs (e.g. World of Warcraft) are by their nature used by very competitive people who would be tempted by anything that might give them an advantage. This has enabled recent attacks to be successful by promising to show how to achieve or obtain certain things within the game world and then downloading malware which is used to steal credentials or set up backdoors on the user’s machine.
While not a new phenomenon, attacks against VWs have been getting more attention as the technology becomes more mainstream and blended attacks result in real-world losses. As security practitioners, we need to understand the benefits and risks related to the use of VWs in our environments and set boundaries appropriately. It is likely that the use of VWs for business purposes will expand in the future, just as social networks have done. Humans are social animals and these technologies provide new and fun ways to interact with our colleagues and clients. We just need to be aware that a virtual bear could be hiding behind every virtual tree and act accordingly.
One of the major problems that organizations face when they’re reviewing their compliance program is understanding why they are doing what they are doing and how to achieve a ‘steady state’ where compliance becomes part of the scenery rather than an ongoing struggle. For many organizations, this state seems to be receding ever further into the distance. Each year brings more controls that need to be implemented and monitored. Every gap analysis finds more gaps and every effort at remediation appears to lead to little relief.
Part of this issue is that for most organizations a ‘gap analysis’ is about the worst thing that they could be doing. A ‘gap analysis’ frames the situation to prejudice an outcome and rarely helps an organization get closer to a steady state of compliance. Framing is a term from linguistics which describes how the choice of words activates certain emotions and thought patterns. With a ‘gap analysis’ the framing works like this: Gaps are bad. Analyzing and fixing gaps is good. Having no gaps is best of all. However, in practice there are always more gaps to be found. Existing gaps may reoccur in other forms or auditors will just dig deeper to find smaller and smaller gaps. But seeking to identify weak areas is good. It shows that we care about what is wrong. Therefore we should do gap analyses.
Even in organizations that are highly compliance focused, this approach doesn’t make a lot of sense. It provides a never ending stream of ‘remediation activities’ and ‘refresh testing’ which keeps people employed and consultants in business, but it may or may not contribute to making organizations more secure or compliant. And after a point, there is not much point in being more compliant than is enough to achieve a particular sign-off or to provide a level of due care should an organization be sued.
A man drives out of his own driveway and drives into a post. This story probably wouldn't even make the local paper unless it was a slow news day, but because the man in this particular situation was Tiger Woods, this has been front page news on both sides of the Atlantic.
What reasonable expectation can celebrities have to privacy? What right to privacy should celebrities reasonably expect, in circumstances where they are involved in minor incidents that the rest of us would not expect to be of real interest?
As of this afternoon, Tiger has said that he won't be playing any more golf tournaments until 2010. I'm sure that he doesn't need the money, but unfortunately, this is likely to fan the flames even further.
So - what expectations of privacy should anyone be able to expect in a situation like this? Have celebrities, by their very status, given up any expectation of privacy in any circle of life? It's interesting to ponder whether there is a sliding scale of privacy which is inversely proportional to how famous (or rich?) someone is.
To me - that seems to be an equivalent of Security Through Obscurity (call it Privacy Through Obscurity), which doesn't really sit very well. If we really want privacy to be protected we need to make sure that it is actively defended, rather than gradually eroded as someone becomes more "interesting".
Twitter has recently rolled-out a new feature - the ability to create sub-groupings of people that you follow, and share them with other users. This has a number of useful benefits, including the ability to be able to group people into certain subject areas (for example, you might have a list of people that you work with, and another one for friends outside work).
Let's start with the good privacy feature that has been built into the current version of lists - the ability to mark lists private or public. This is a sensible idea and has been implemented in a way that is easy to use (although we would prefer it if the default was for lists to be private rather than public - but this does seem a little like splitting hairs!)
Unfortunately - the way that the lists have been set up currently is open to a number of forms of abuse. The primary reason for this is that a user does not have to authorize being added to a list. I expect that this is a useful (and necessary) feature for the top-ranked users, who could be added to hundreds or thousands of lists and would not want to have to accept every single request to add them.
On the other hand - this does mean that people can add you to lists without your permissions - and some of the following could occur:
1. You are added to a list that gives away some information which you didn't want shared (e.g. parents of XYZ Middle School) - this could be significant information leakage, dependent on which lists you are added to.
2. You are added to a list that isn't relevant to you (not so bad)
3. You are added to a list maliciously or accidentally that is damaging to your reputation (e.g. Registered Sex Offenders)
There needs to be a trade-off here. On one hand, we could subject everyone to "list spam" and render the feature next to useless. On the other hand, there could / should be some better tools to manage what lists you are on, and to remove yourself.
Although lists "follow" you in the same way as people do - you can't seem to block the list, just the person who created the list.
It's a brave new world out there. Would be interested to hear others' experiences and thoughts on this.
Does someone's right to privacy end once they are dead? In the US, we do not have a constitutional right to privacy in the same way that Europeans do (yet!). Explicit provisions in HIPAA (Health Insurance Portability and Accountability Act) maintain that information about an individual should be kept private after their death, but other regulations such as the Freedom of Information Act may conflict with this in certain situations, in addition to the free speech rights guaranteed under the First Amendment.
In the EU, the right to personal privacy explicitly survives death.
Some interesting links around this subject can be found at:
- Is there privacy after death?
- Privacy after death debated.
Some more thoughts on this topic from Rebecca Herold (@privacyprof), who has written a couple of thought pieces around this topic here and here.