Schneier on the Impacts of Information Persistence

February 28, 2009

In a post that I have recently updated a couple times, I argue that there is material risk associated with doing business on Facebook because the social network has claimed ownership of any information and content you host there.  That information and content will remain stationary while your corporation continues to evolve.  Over time, the spread between the two may represent a material risk to your brand.

In a post yesterday, Bruce Schneier wrote about “Privacy in the Age of Persistence.”  His thoughts on this broad topic range across the whole universe of information persistence, and they provide excellent context for the much narrower issue that I wrote about.  It is another example of his superior writing skills…  For example:

"Data is the pollution of the information age.  It's a natural byproduct of every computer-mediated interaction.  It stays around forever, unless it's disposed of.  It is valuable when reused, but it must be done carefully.  Otherwise, its after effects are toxic."

— References —

“Facebook Claim to Content – Doom for Corporate Use?” https://completosec.wordpress.com/2009/02/16/facebook-claim-to-content-doom-for-corporate-use/

Bruce Schneier, “Privacy in the Age of Persistence.” http://www.schneier.com/blog/archives/2009/02/privacy_in_the.html


McAfee Report – How Much Information Risk – Brazil

February 27, 2009

Last month I wrote about content from this report about China. Today I would like to do the same for Brazil.

For review, McAfee sponsored an international team who surveyed more than 1,000 senior IT decision makers in the US, UK, Japan, China, India, Brazil and the Middle East regarding how they currently protect their companies’ digital data assets and intellectual property, and performed what appears to be relatively broad research on a range of survey-related topics.

The results of their work were released a few weeks ago under the title “Unsecured Economies.”

They start with an assumption that “a distributed network of unsecured economies has emerged with the globalization of many organizations, leaving informational assets even more at risk to theft and misuse.”

The report describes their findings about cybercrime risks for key global players, along with their conclusions about the need for organizations to take a more holistic approach to vulnerability management and risk mitigation in this rapidly-evolving global business climate.

I also read and think about how to characterize the information, technology infrastructure, and operations risks associated with doing financial services business in Brazil.  With that in mind, I just scanned the 36-page McAfee report for its findings concerning Brazil, and found the following interesting statements:

  1. Respondents reported that there has been an increase in outsourcing activities in Brazil [page 5].
  2. Nineteen percent of respondents are storing and/or processing intellectual property in South or Central America. [page 5]
  3. Respondents estimated that intellectual property worth approximately $1.4 million per firm is stored, accessed and managed overseas at firms in Brazil [page 4]
  4. 27% of Brazilian respondents reported spending 20% or more of the IT budgets on security [page 6].
  5. A number of factors are influencing the trend for companies to store vital information offshore.  Twenty six percent of respondents cited cost reduction. The ability to safely store vital information is a key factor according to respondents in Brazil. [page 6]
  6. Even as the threats increase, 31 percent of Brazilian respondents reported that they will decrease spending on protecting their vital information as a result of the ongoing financial situation. [page 7]
  7. Fifty-nine percent of respondents said that they were worried about the security threat from financially strapped employees. [page 9]
  8. “The current economic situation has potential for laid-off employees to start up companies using the stolen information,” said Renato Opice Blum, a Brazilian lawyer and professor. [pages 9-10]
  9. Approximately 30% of respondents ranked the threat level in Brazil as high. [page 12]
  10. The report explained that Brazil is a large developing nation, people rich and eager to develop the economy. They conclude that there “is concern” that individuals and institutions in Brazil too often choose the cheapest way [not necessarily the ethical way], by investing in industrial espionage. [page 14]
  11. Approximately 15% of respondents said that they would not do business in Brazil. [page 14]
  12. Many regional respondents communicated concern about the enforcement of laws and policies. Brazil was rated by respondents as the most ill-prepared to defend against threats [they also included Pakistan in that category]. [page 17]
  13. According to Renato Opice Blum, a Brazilian lawyer and professor, “The main problem is that Brazil’s enforcement and judicial systems are too immature to deal with information threats. Brazilian laws do not specifically target information crimes and, hence, companies have to rely on laws designed to address traditional crimes of a more physical rather than virtual nature. This means that the burden of the proof is much higher.” [page 17]
  14. Respondents identified industrial espionage as the fourth most serious threat to information. Brazil was highlighted as having a culture that does not embrace the expectation that companies making research and development investments should reap the resulting rewards of their effort. [page 21]

I understand that this is only one source, and may say as much or more about the authors’ biases than it does about the “real” risks of doing business in Brazil.  But they, and McAfee, must have some strong data, or strong feelings, to generate this risk report…  What do you think?

I will check some other sources and report back on what I find. I will also summarize what the McAfee report has to say about India in a future post.

If you have additional resources, data, or experience, please let me know.

— References —

McAfee Report “Unsecured Economies”: http://resources.mcafee.com/content/NAUnsecuredEconomiesReport


Need Cultural Change at Adobe – Vulnerabilities Too Numerous

February 25, 2009

From their long and growing list of products and services, Adobe appears to be attempting to dominate the rich, user-centric application, communications, and information-delivery environments.
(see: http://www.adobe.com/products/ and http://labs.adobe.com/)

They have been pumping out new functionality, new development environments, new languages, etc. at a pace that is difficult to imagine.  How do they manage the pool of energy and creativity required to initiate and maintain their current (accelerating) trajectory?

In financial services, “cool” and “new” are not unknown, but we need to manage them into business environments that must constantly demonstrate a threshold level of due care and due diligence.

Adobe products, new and old, keep getting hacked.  On the consumer/customer as well as corporate fronts, the latest include critical vulnerabilities in Flash/AIR/Flex and Adobe Reader/Acrobat.  Both involve remote exploitation and the potential for executing arbitrary code on an end-user’s PC.  Because Flash and PDF files are found “everywhere” throughout the Internet, this set of vulnerabilities presents a particularly difficult risk equation for PC users, and for the information security personnel who serve them.

There have been at least 8 publicly-disclosed vulnerabilities in Adobe Flash, and at least 6 in Adobe Reader/Acrobat, in the last year.  That extended a well-established tradition of vulnerabilities by another year.

Because these Adobe products are found on virtually all Windows PCs, the culture at Adobe that generates and accepts this tradition of regularly-vulnerable software must be modified.  We need to raise the volume of our input to Adobe on this topic, and consider going broader with this campaign, maybe even to investors.

What do you think?  What would work most effectively?

— References —
Much of the Adobe product collection is listed at: http://www.adobe.com/products/ and http://labs.adobe.com/

Adobe Flash Player (Flex/AIR as well) Multiple Vulnerabilities (Feb 25, 2009; http://secunia.com/advisories/34012/ and http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=773)
Adobe Reader/Acrobat JBIG2 Stream Array Indexing Vulnerability (Feb 2, 2009; http://www.kb.cert.org/vuls/id/905281 and http://secunia.com/advisories/33901/)


SSL/TLS – Maybe Not So Safe

February 20, 2009

Moxie Marlinspike presented “New Tricks For Defeating SSL In Practice” at BlackHat DC 2009 this week.  I listened to the presentation this evening.  It is an excellent overview of SSL/TLS implementation vulnerabilities by an individual who is in command of this territory.  If you are in a business that depends upon SSL/TLS for a significant portion of your information risk management, I recommend you listen to this presentation too.

I believe most of us need to think through how much we can depend upon SSL/TLS to mitigate the risks associated with attacks on our sensitive information in transit.  Marlinspike reviewed the history of SSL/TLS implementation weaknesses and the attackers’ clever ideas and technology that leave us currently in a situation where many of our best “secure” web sites are openly vulnerable to man-in-the-middle attacks.  All our “locks” and vendor certifications may be rendered impotent against the types of attacks described by Mr. Marlinspike.

Most financial services corporations maintain “secure” Internet-facing customer, marketer, and partner portals.  A material portion of our security proposition depends on SSL/TLS for maintaining the confidentiality and integrity of the sensitive information that flows between our servers and our clients’ browsers.  That equation requires all parties to respect the assumption that there will be only one server-browser pair for each session, and that any intermediary proxy devices are acting only as purely passive relays.  This presentation will put those assumptions to the test.  I strongly recommend working through this session, and then doing so again with your information security peers, your application security specialists, and maybe even your management.

After you do, I would like to know what you think, and what you might be doing differently in the future.

— References —

A recording of “New Tricks for Defeating SSL in Practice” is available at: http://securitytube.net/Defeating-SSL-using-SSLStrip-(Marlinspike-Blackhat)-video.aspx and the slides are available at: http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf

BlackHat: http://www.blackhat.com/

Contact Moxie Marlinspike at: moxie at thoughtcrime.org


Insider Describes High-End Malicious Software Techniques

February 17, 2009

In an interview with Matt Knox, Sherri Davidoff recorded an extended discussion about his work with adware heavyweight Direct Revenue.  Direct Revenue was a New York City company founded in 2002 and known for creating spyware or adware programs — and sued out of business by the State of New York.

I believe that this interview provides an excellent window into how tough business competition can gradually evolve into malware-enabled cybercrime on a vast scale.

Mr. Knox explains in detail how, after starting with just a unique Registry key entry, they moved on to using an executable, then to a randomly-named executable, followed by an executable that was shuffled around a little on each machine, then one that was obfuscated, and finally to an executable that ran only as a series of threads that could communicate with one another and ensured that the company’s browser helper object (BHO) was installed and healthy, along with whatever other software they were installing at any given time.

Mr. Knox also helped create “unwritable” registry keys and file names by exploiting what he described as an “impedance mismatch” between the Win32 API and the NT API.  Modern Windows has inherited much from the NT kernel, which was fundamentally a Unicode system.  As a result, all the strings internally are 16-bit counted Unicode.  At the same time, the Win32 API is fundamentally ASCII.  There are Unicode strings that can’t be expressed in the ASCII that is available via the Win32 API.  Important to malicious software writers are strings with a Null in the middle of them.  Using this technique, Mr. Knox and Direct Revenue could, for instance, write a Registry key that had a Null in the middle of it.  With any user interface based on the Win32 API, people would be able to see the key, but they wouldn’t be able to interact with it.  That happened because when they asked for the key by name, they would be asking for the Null-terminated one (the first half of the Unicode string).  Because of that, Direct Revenue was able to make registry keys that were invisible or immutable to anyone using the Win32 API.  Interestingly enough, this affected not only ordinary users but pretty much all of their competitors.  He also said that this technique even worked against most of the antivirus companies.
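The counted-versus-terminated mismatch described above, modelled as an added example (this is not code from the interview, from Direct Revenue, or from Windows itself): a toy in-memory hive with NT-style counted names, a Win32-style open that truncates at the first zero code unit, and the cross-view check a defender can use to flag keys that the Win32 view cannot reach. All type and function names (CountedName, nt_open_key, win32_open_key, find_hidden_keys) are hypothetical stand-ins, not real Windows APIs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the NT kernel's counted UTF-16 string (UNICODE_STRING-like): Length
 * is a byte count, so a 0 code unit inside the buffer is just data. Hypothetical. */
typedef struct {
    uint16_t        Length;   /* bytes, not code units */
    const uint16_t *Buffer;   /* UTF-16 code units, no terminator needed */
} CountedName;

/* Tiny in-memory hive standing in for the subkeys of one registry key. */
#define MAX_KEYS 8
static CountedName g_hive[MAX_KEYS];
static size_t      g_count;

/* "Native" create: takes a counted name, so an embedded 0 is stored as-is. */
int nt_create_key(const uint16_t *units, size_t nunits)
{
    if (g_count >= MAX_KEYS || nunits * 2 > UINT16_MAX) return -1;
    g_hive[g_count].Length = (uint16_t)(nunits * 2);
    g_hive[g_count].Buffer = units;
    return (int)g_count++;
}

/* "Native" open: exact counted comparison, the view the kernel has. */
int nt_open_key(const uint16_t *units, size_t nunits)
{
    for (size_t i = 0; i < g_count; i++)
        if (g_hive[i].Length == nunits * 2 &&
            memcmp(g_hive[i].Buffer, units, nunits * 2) == 0)
            return (int)i;
    return -1;
}

/* "Win32" open: the caller hands over a 0-terminated wide string, so the
 * name is cut at the first 0 code unit before it ever reaches the kernel. */
int win32_open_key(const uint16_t *zname)
{
    size_t n = 0;
    while (zname[n] != 0) n++;            /* wcslen-style scan */
    return nt_open_key(zname, n);
}

/* Cross-view check: key idx is reachable from the Win32 side only if the
 * 0-terminated reading of its name still opens the same key. A key failing
 * this is listed by a native enumeration but cannot be opened, inspected or
 * deleted through Win32 tools: the "unwritable" key effect in the post. */
int key_is_win32_reachable(int idx)
{
    const CountedName *k = &g_hive[idx];
    size_t nunits = k->Length / 2, n = 0;
    while (n < nunits && k->Buffer[n] != 0) n++;   /* the Win32 reading */
    return nt_open_key(k->Buffer, n) == idx;
}

/* Walk the hive as the kernel sees it and count keys hidden from Win32.
 * Indices of hidden keys go into 'hidden' (up to 'max'; NULL/0 is allowed). */
int find_hidden_keys(int *hidden, size_t max)
{
    int found = 0;
    for (size_t i = 0; i < g_count; i++)
        if (!key_is_win32_reachable((int)i)) {
            if ((size_t)found < max) hidden[found] = (int)i;
            found++;
        }
    return found;
}

/* Constructed sample: an ordinary key name and one with an embedded 0. */
static const uint16_t NAME_RUN[]    = { 'R', 'u', 'n' };
static const uint16_t ZNAME_RUN[]   = { 'R', 'u', 'n', 0 };
static const uint16_t NAME_HIDDEN[] = { 'U', 'p', 0, 'd', 'a', 't', 'e' };

int main(void)
{
    int hidden[MAX_KEYS];
    nt_create_key(NAME_RUN, 3);
    nt_create_key(NAME_HIDDEN, 7);
    printf("Win32 open \"Run\"      -> %d\n", win32_open_key(ZNAME_RUN));
    printf("Win32 open \"Up\\0date\" -> %d (seen as \"Up\")\n", win32_open_key(NAME_HIDDEN));
    printf("NT open    \"Up\\0date\" -> %d\n", nt_open_key(NAME_HIDDEN, 7));
    printf("hidden keys: %d\n", find_hidden_keys(hidden, MAX_KEYS));
    return 0;
}
```

Comparing a native enumeration against what the terminated-string view can open is the same cross-view idea used to spot other hidden objects; on a real system the native side would be an NT-level enumeration rather than this toy hive.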

In describing the scale of what they were up to, Mr. Knox said that, “I would just write some …code, put that up on the server, and then immediately all sorts of things would go dark.  It amounted to a distributed code war on a 4-10 million-node network.”

Professional malware coders understand their primary target — Windows — very intimately, and understand how to achieve their goals.  Sherri Davidoff asked Mr. Knox “In your professional opinion, how can people avoid adware?”  He responded, “Um, run UNIX.”

This is an extensive interview and it is followed by a string of comments that are also worth your time.  The techniques used by malware authors are interesting, but Mr. Knox’s discussion of their business is something not often documented.  In the Information Security profession, we all ought to better understand what we are up against.  I believe that this is an excellent window into a slice of it.  What do you think?

— References —

“Interview with an Adware Author.”  http://philosecurity.org/2009/01/12/interview-with-an-adware-author

Matt Knox: http://mattknox.com/

Sherri Davidoff: http://philosecurity.org/author/sherri

Direct Revenue: http://en.wikipedia.org/wiki/Direct_Revenue


Facebook Claim to Content – Doom for Corporate Use?

February 16, 2009

I am not a lawyer.

That said, risk management conventions might drive you and your company to seriously consider reducing your use of Facebook for any corporate activities, marketing included, until the current Facebook content “ownership” issues get worked out.

Your shareholders generally own corporate intellectual property.  In many situations that IP represents material current and future value.

Your marketing investments may be diluted by use of your words and images in ways that are not under your control and not in support of your tactical and strategic plans.

Facebook re-wrote its Terms of Service (TOS) on Wednesday, February 4, 2009.  Then around mid-day, Suzie White, Facebook’s Corporate Counsel for Commercial Transactions, wrote a short explanation for the TOS change.

What followed was a blogger/Twitter uproar, with Consumerist at the center…

Facebook founder Mark Zuckerberg attempted to resist that energy with “On Facebook, People Own and Control Their Information” posted today at 2:09pm.  He offered his philosophy, and some misdirection, but little of substance about the specific TOS changes, their legal meaning, and their place in Facebook strategic planning.

The new TOS is available here: http://www.facebook.com/terms.php, including:

You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service...

For comparison, a previous version of their TOS is available at: http://web.archive.org/web/20071012215843/www.facebook.com/terms.php

Facebook offers little in the way of copyright preferences.  When taken in the context of their TOS details, businesses whose value is more concentrated in creative work and intellectual property, or whose value is largely associated with customer, partner, and supplier “trust,” might want to consider investing much of their Web 2.0 collaborative energy elsewhere while this gets sorted out.

Image, and the marketing used to craft and support it, tends to evolve.  Unexpected use of historical content could diminish the value of current marketing investments.  Under some circumstances it might even reduce the value of your brand.

Amanda L. French has compared some of the Facebook terms of service with those of MySpace, Flickr, Picasa, YouTube, LinkedIn, and Twitter.  This might help provide some context.

UPDATE 1: After attempting to sell a position that he summarized as: “In reality, we wouldn’t share your information in a way you wouldn’t want.” Mark Zuckerberg announced today (16 Feb 2009) that “we have decided to return to our previous terms of use while we resolve the issues that people have raised.”

UPDATE 2: In a very different tone, Mark Zuckerberg announced a replacement for his “trust us” theme with a new process involving member voting on Facebook proposals for governing principles, along with rights and responsibilities (27 Feb 2009).  He introduced this new process by explaining that: “Our main goal at Facebook is to help make the world more open and transparent. We believe that if we want to lead the world in this direction, then we must set an example by running our service in this way.”  Implementation, he explained, is grounded on the concept of “giving you a greater opportunity to voice your opinion over how Facebook is governed.”  To that end, he announced that the corporation is “publishing two new documents for your review and comment. The first is the Facebook Principles, which defines your rights and will serve as the guiding framework behind any policy we’ll consider—or the reason we won’t consider others. The second document is the Statement of Rights and Responsibilities, which will replace the existing Terms of Use.”

Publishing documents and permitting member discussion about those documents strikes me as a little underwhelming.  It is easy, it is cheap, and it keeps members busy.  About 24 hours after the announcement, Google News listed 214 “related articles,” and my quick scan of the headlines and summaries, and a very few full reads, leads me to believe that the initial response is generally positive.  Depending on how this plays out, it may be no more than a keen misdirection ploy by Facebook to focus members’ energy on a collection of non-binding words so that the corporation can get back to business.  Mr. Zuckerberg explained that the corporation is still going to create new and disruptive technologies, and that as long as “products must be consistent with the Principles and in compliance with the Statement of Rights and Responsibilities, they will not be subject to the notice and comment or voting requirement.”

The Facebook Principles include: Freedom to Share and Connect, Ownership and Control of Information, Free Flow of Information, Fundamental Equality, Social Value, Open Platforms and Standards, Fundamental Service, Common Welfare, Transparent Process, and One World.  The Facebook Statement of Rights and Responsibilities includes around 170 statements and assertions under the headings: Privacy, Sharing Your Content and Information, Safety, Registration and Account Security, Protecting Other People’s Rights, Mobile, Payments, Share Links, Special Provisions Applicable to Developers/Operators of Applications and Websites, About Advertisements on Facebook, Special Provisions Applicable to Advertisers, Amendments, Termination, Disputes, Definitions, and Other.

So, what about information security?  All this commenting and voting will not change the fundamental issue of controlling your intellectual property and managing your brand.  Facebook leadership says that they will continue to evolve their business without notice, comment, or voting.  That looks a lot like where this current puff-up started.  If your company uses Facebook as a channel for any part of your operations, communications, and/or marketing, you still need to carefully consider how events can play out over time.  Facebook business practices will continue to evolve.  Think through how that might impact your value proposition as you evolve your company.  Here is what I see as the key risk: unexpected or unwanted use of historical or legacy content could diminish the value of “current” marketing investments.  Under some circumstances it might even reduce the value of your brand.  That is not the kind of risk that can be taken lightly.

I am curious about how you and your company are dealing with this situation.  What issues are most important in your discussions?

— References —

Current Facebook Terms of Service (TOS): http://www.facebook.com/terms.php

Earlier Facebook Terms of Service (TOS): http://web.archive.org/web/20071012215843/www.facebook.com/terms.php

Suzie White, Facebook’s Corporate Counsel: http://blog.facebook.com/blog.php?post=50531412130

“On Facebook, People Own and Control Their Information” by Mark Zuckerberg, posted today at 2:09pm.  http://blog.facebook.com/blog.php?post=54434097130

Twitter: http://search.twitter.com/search?q=%23facebooktos

Consumerist.com “Facebook’s New Terms Of Service: ‘We Can Do Anything We Want With Your Content. Forever.'”  By Chris Walters, 6:14 PM on Sun Feb 15 2009. http://consumerist.com/5150175/facebooks-new-terms-of-service-we-can-do-anything-we-want-with-your-content-forever

Amanda L. French, PhD, “Facebook terms of service compared with MySpace, Flickr, Picasa, YouTube, LinkedIn, and Twitter.” February 16, 2009 – 2:28 pm: http://amandafrench.net/2009/02/16/facebook-terms-of-service-compared/

“Facebook: Relax, we won’t sell your photos.” Caroline McCarthy, http://news.cnet.com/8301-13577_3-10165190-36.html?part=rss&tag=feed&subj=TheSocial

Updates #1 from: http://news.bbc.co.uk/2/hi/technology/7894476.stm  and http://news.bbc.co.uk/2/hi/technology/7896309.stm

Updates #2 from:

“Governing the Facebook Service in an Open and Transparent Way.”

McAfee Report – How Much Information Risk – China

February 13, 2009

McAfee sponsored an international team who surveyed more than 1,000 senior IT decision makers in the US, UK, Japan, China, India, Brazil and the Middle East regarding how they currently protect their companies’ digital data assets and intellectual property, and performed what appears to be relatively broad research on a range of survey-related topics.

The results of their work were released a couple of weeks ago under the title “Unsecured Economies.”

They start with an assumption that “a distributed network of unsecured economies has emerged with the globalization of many organizations, leaving informational assets even more at risk to theft and misuse.”

The report describes their findings about cybercrime risks for key global players, along with their conclusions about the need for organizations to take a more holistic approach to vulnerability management and risk mitigation in this rapidly-evolving global business climate.

I was recently thinking about how to consider the information, technology infrastructure, and operations risks associated with doing financial services business in China.  With that in mind, I scanned the 36-page McAfee report for its findings concerning China, and found the following interesting statements:

  1. More than 60 percent of Chinese respondents cited “safer storage available elsewhere” as a reason for storing or processing sensitive data outside of their home country [page 6].
  2. 33% of Chinese respondents reported spending 20% or more of the IT budgets on security [page 6].
  3. Societal protection (enforcement and other actions) of information assets is weaker in (India and) China than in developed countries [page 6].
  4. Even as the threats increase, Chinese respondents said that investments to protect intellectual property will be decreased 14% because of the financial downturn. [page 7]
  5. Respondents reported losing intellectual property worth an average of $7.2 million US. in China [page 7].
  6. 51% of respondents stated that the threat level in China is high, more than for any other country [page 12].
  7. 62% of U.S. respondents identified China as the greatest threat to information security [page 13].
  8. Pakistan, China and Russia, in that order, were also perceived to have the worst reputations for pursuing or investigating security incidents.  Respondents cited corruption among law enforcement and the legal systems as well as poor skills among law enforcement as top reasons for the reputation rating [page 13].
  9. Twenty-six percent of respondents had purposely avoided storing and/or processing data in China.  Respondents pointed to both the lack of privacy and intellectual property protection as the primary reasons why China’s threat to sensitive data was so high [pages 14 and 15].
  10. Like many developing economies, China’s growth has far outpaced its ability to create and enforce legislation or—even more importantly—cultural attitudes toward protecting digital privacy and sensitive data [page 14].
  11. “China is a large developing nation,” said Dr. Timothy J. Shimeall of Carnegie Mellon University.  “They are people rich but not resource rich.  They are eager to develop the economy.  The cheapest way, not necessarily the ethical way, is to indulge in industrial espionage.  This is a concern with respect to other developing countries like India and Brazil also” [page 14].
  12. As companies in established economies invest millions, if not billions of dollars in research and development (R&D) activities, the dominant expectation has been that the investing parties should reap the rewards of any resultant success in the marketplace.  However, not all cultures embrace this philosophy, particularly in emerging economies such as China and Brazil [page 21].
  13. As China and Russia’s economies soften, there will be even more pressure to “appropriate” intellectual property as a means to continue economic growth.  Organized crime and state-sponsored groups in both Russia and China will continuously seek out new and profitable targets [page 23].

I understand that this is only one source, and may say as much or more about the authors’ biases than it does about the “real” risks of doing business in China.  But they, and McAfee, must have some strong data, or strong feelings, to generate such a grim risk report…  What do you think?

I will check some other sources and report back on what I find.  I will also summarize what the McAfee report has to say about India and Brazil in a future post.

If you have additional resources, data, or experience, please let me know.

— References —

McAfee Report “Unsecured Economies”: http://resources.mcafee.com/content/NAUnsecuredEconomiesReport

