<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Email management, storage and security for business email admins &#187; Dan Blacharski</title>
	<atom:link href="http://www.theemailadmin.com/author/dan-blacharski/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.theemailadmin.com</link>
	<description></description>
	<lastBuildDate>Fri, 10 Feb 2012 14:00:05 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Social media security problems</title>
		<link>http://www.theemailadmin.com/2010/03/social-media-security-problems/</link>
		<comments>http://www.theemailadmin.com/2010/03/social-media-security-problems/#comments</comments>
		<pubDate>Mon, 15 Mar 2010 08:38:50 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[social networking]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2253</guid>
		<description><![CDATA[A Reuters blog today likened social networking to Jurassic Park. While this is probably the first time anybody has connected dinosaur-related themes to Web 3.0 technologies like social networking, in this case it was probably accurate. The premise of the note was that social media sites are like Michael Crichton’s fictional dinosaur park—really, really cool [...]<p><a href="http://www.theemailadmin.com/2010/03/social-media-security-problems/">Social media security problems</a><br/><br/>

Free ebook download: <a href="http://www.theemailadmin.com/ebook/Top-10-Most-Popular-Troubleshooting-Posts-for-Email-Administrators.pdf">Top 10 Most Popular Troubleshooting Posts for Email Administrators</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-2254" src="http://www.theemailadmin.com/wp-content/uploads/2010/03/Dinosaur.jpg" alt="Dinosaur" width="66" height="100" />A <a target="_blank" href="http://blogs.reuters.com/great-debate/2010/03/05/are-social-media-platforms-the-jurassic-park-of-computing/" target="_blank" onclick="pageTracker._trackPageview('/outgoing/blogs.reuters.com/great-debate/2010/03/05/are-social-media-platforms-the-jurassic-park-of-computing/?referer=');">Reuters blog</a> today likened social networking to Jurassic Park. While this is probably the first time anybody has connected dinosaur-related themes to Web 3.0 technologies like social networking, in this case it was probably accurate.</p>
<p>The premise of the note was that social media sites are like Michael Crichton’s fictional dinosaur park—really, really cool technology, but not much in the way of security and safety precautions. This is a problem that cannot be ignored any longer. Like the elephant in the room—or in this case, the tyrannosaurus in the room—it’s too big to look the other way, and it’s not going away any time soon. Social media is here to stay, and with something on the order of a third of Internet users taking advantage of it, security managers have to get on with the business of creating a workable policy.</p>
<p>Why should businesses be concerned about social networking sites? It is, after all, something that people play with on their own time (or at least, should play with on their own time), and doesn’t really have anything to do with the business. Or does it? The fact is, social networking is no longer just social. There are two factors at work here that warrant attention. First, on the other side of the office, mostly unbeknownst to the IT and security people, the marketing department is making very good use of social networking as a corporate marketing and communications tool. Companies use Twitter to keep customers and partners apprised of new releases, updates, special promotions and other information. They use LinkedIn to meet other people interested in making deals, and they even use Facebook to make corporate pages meant to drive traffic to the main site. Most corporations now also have blogs, and even interactive forums where customers can participate in discussions with company staff and other customers. Yes, all those things were originally designed “just for fun,” and the creators of these social tools very likely had no idea that their creations would wind up in so many corporate toolboxes. Yet, here they are.<span id="more-2253"></span></p>
<p>The second factor at work is that when employees are using social networking for personal reasons, there is often an unintentional carryover into the corporate realm. People make careless references to their employers in their blogs that may be harmful. They post personal information, and they may post corporate information that ought not be posted. And, there may even be links between personal and corporate documents that can be exploited.</p>
<p>The blogger cites the example of the recent episode when a hacker broke into the Google Mail account of a Twitter executive’s spouse. The account was linked to Google Apps, which gave the hacker access to sensitive company documents. Google Apps isn’t a social networking site; it’s a cloud computing-based group of applications-as-a-service. But the observation is still valid and somewhat scary for security people, and highlights the fact that there is an underlying necessity for employees to be careful in their personal networking, so as not to create a threat to corporate networking. Connecting personal accounts to corporate resources has to be against policy—and as always, use strong passwords, and be cautious about posting personal information on social networking sites.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/03/social-media-security-problems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Details sketchy on Firefox 3.6 security issue</title>
		<link>http://www.theemailadmin.com/2010/03/details-sketchy-on-firefox-3-6-security-issue/</link>
		<comments>http://www.theemailadmin.com/2010/03/details-sketchy-on-firefox-3-6-security-issue/#comments</comments>
		<pubDate>Wed, 03 Mar 2010 15:07:06 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[security vulnerability]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2206</guid>
		<description><![CDATA[A security advisory issued this week highlighted a serious code execution vulnerability in Mozilla Firefox 3.6. The vulnerability, according to the advisory, is caused by an “unspecified error,” and can be exploited to execute arbitrary code that could be malicious and harmful. The exploit was originally highlighted by Russian security firm Intevydis. There has been [...]
]]></description>
			<content:encoded><![CDATA[
<p>A security advisory issued this week highlighted a serious code execution vulnerability in Mozilla Firefox 3.6. The vulnerability, according to the advisory, is caused by an “unspecified error,” and can be exploited to execute arbitrary code that could be malicious and harmful. The exploit was originally highlighted by Russian security firm Intevydis.</p>
<p>There has been very little reported on the vulnerability to date, with some even suggesting that it is a “hoax.” Don’t believe the hoax suggestion, no matter how big a fan of Firefox you may be—in the security business, things need to be taken seriously. Not doing so is inherently dangerous. That said, there is very little data on how widely circulated the exploit has become, although some sources report an increase in the number of Firefox 3.6 crashes on February 12 and 13.</p>
<p>On the Mozilla blog, Mozilla does not confirm the vulnerability at this point for lack of details on how to reproduce it, but does make a point of saying, “Mozilla takes all reports of security vulnerabilities seriously,” as well they, or any other software organization, should.</p>
<p>The advisory brings up an important issue, which is that even when using the latest version of software and the most recent patches, security is not always bulletproof. Applying patches as they are available, preferably on an automated basis, is always good practice, and it does go a long way towards reducing the incidence of preventable attacks. However, patch management alone isn’t going to keep your systems safe. In fact, in one forum where the vulnerability is being discussed, it is noted that the “Insecure” tab—which is a cool feature, by the way—only shows programs that have patchable exploits. The Firefox exploit has not yet been addressed with a patch from Mozilla, so it isn’t shown there as being insecure.</p>
<p>As such, it’s a classic zero-day exploit, which is a vulnerability that is able to do its dirty work between the time it is discovered and the time when it is patched. At this point, users of Firefox should proceed with caution and, as always with any browser, take standard precautions: avoid opening unknown or suspicious URLs, use pop-up blockers, and monitor traffic accordingly.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/03/details-sketchy-on-firefox-3-6-security-issue/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Facebook email glitch sends notes to strangers</title>
		<link>http://www.theemailadmin.com/2010/03/facebook-email-glitch-sends-notes-to-strangers/</link>
		<comments>http://www.theemailadmin.com/2010/03/facebook-email-glitch-sends-notes-to-strangers/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 13:17:14 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email management]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2224</guid>
		<description><![CDATA[I have faith that readers of this blog have enough good sense not to use social networking sites to send important emails. However, some of your users may lack that good sense, and so it behooves us all to send out a common sense reminder every now and then—only use your official corporate email for [...]
]]></description>
			<content:encoded><![CDATA[
<p>I have faith that readers of this blog have enough good sense not to use social networking sites to send important emails. However, some of your users may lack that good sense, and so it behooves us all to send out a common sense reminder every now and then—only use your official corporate email for anything important or sensitive! Save the Facebook email messages for updates about parties, casual observations, and idle gossip.</p>
<p>Wall Street Journal reporter Zach Seward got to have a glimpse of some of that idle gossip last week after Facebook made a major blunder, and some people received emails from complete strangers that were meant for somebody else. Seward gives us a glimpse of what goes on in Facebook with a few unnamed excerpts. The editor became privy to love triangles, petty jealousies, teenage parties and other truly fascinating but private missives.</p>
<p>The glitch was caught shortly after it started and was resolved, but not before several emails were incorrectly routed. Although there is no data being released as to how many users were affected, Facebook noted that “During our regular code push early Wednesday evening, a bug caused some misrouting to a small number of users for a short period of time.”</p>
<p>There have been other security blunders in the past, including a glitch in March 2008 that made it possible to publicly view photos that had been marked as private.</p>
<p>A report on the Wall Street Journal details the experience of a Journal editor who received several of the errant messages. According to the report, the editor received over 100 messages, ranging from ordinary to explicit.</p>
<p>Facebook recently redesigned its inbox interface to make it resemble Gmail.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/03/facebook-email-glitch-sends-notes-to-strangers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gmail and encryption</title>
		<link>http://www.theemailadmin.com/2010/01/gmail-and-encryption/</link>
		<comments>http://www.theemailadmin.com/2010/01/gmail-and-encryption/#comments</comments>
		<pubDate>Mon, 25 Jan 2010 15:18:21 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[encryption]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2078</guid>
		<description><![CDATA[Gmail has always had an encryption option, but until this week, it has been turned off by default. Now IT people, who tend to be a bit paranoid (but in a good way), would have gone through the trouble to switch on the SSL encryption option, but most ordinary users would simply not be aware [...]
]]></description>
			<content:encoded><![CDATA[
<p>Gmail has always had an encryption option, but until this week, it has been turned off by default. Now IT people, who tend to be a bit paranoid (but in a good way), would have gone through the trouble to switch on the SSL encryption option, but most ordinary users would simply not be aware that it exists. And for that matter, all those paranoid IT people probably wouldn’t have even used Gmail to begin with.</p>
<p>Google announced last week that it would start encrypting all Gmail traffic. In a blog post, Google noted that they initially rolled out the option to always use https back in 2008. This allows email to be encrypted on the path between the user’s web browser and Google servers. However, when Google first enabled the option, it was off by default. Now, SSL will be used by default, with users gaining the option of selecting “Don’t always use https” from the Settings menu. Some may choose to not enable the extra security option for performance reasons, but in reality, the performance hit will be minor, especially for broadband users—and well worth the extra couple of milliseconds. The login page will still remain encrypted. Using encrypted email can stop several types of attacks, such as man-in-the-middle attacks where an attacker may be snooping email in a public WiFi spot. Using encryption also prevents attacks such as DNS poisoning attacks where a domain name record is hijacked and redirected.</p>
<p>Google decided to make the upgrade just hours after they revealed information about having been victimized by specialized attacks, including certain attacks on Chinese human rights activists’ accounts. Users are cautioned, however, not to get lulled into a false sense of security, thinking that turning on Gmail’s encryption option is going to prevent all potential attacks—because it certainly won’t. The same anti-virus, anti-spam and anti-malware software installations should continue in full force, regardless of any added encryption.</p>
<p>With Google making the switch, the next big question is whether the other main free email services like Hotmail or Yahoo! Mail will follow suit; my guess is that they will.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/01/gmail-and-encryption/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security and the cloud</title>
		<link>http://www.theemailadmin.com/2010/01/security-and-the-cloud/</link>
		<comments>http://www.theemailadmin.com/2010/01/security-and-the-cloud/#comments</comments>
		<pubDate>Mon, 04 Jan 2010 09:20:54 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[cloud computing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=2012</guid>
		<description><![CDATA[The increasing popularity of in-the-cloud email delivery and email security solutions, and the wealth of innovations available, raises the discussion of whether email administrators should consider cloud-based solutions. While the free, Web-based email remains out of the question for corporate use, some other cloud solutions that offer more robustness and security may be appropriate for [...]
]]></description>
			<content:encoded><![CDATA[
<p>The increasing popularity of in-the-cloud email delivery and email security solutions, and the wealth of innovations available, raises the discussion of whether email administrators should consider cloud-based solutions. While the free, Web-based email remains out of the question for corporate use, some other cloud solutions that offer more robustness and security may be appropriate for some users.</p>
<p>Security is always imposed in cloud-based systems to one degree or another, but a major limitation is that many cloud providers still implement their own proprietary security approaches. While such an approach may well impose good security, this has still limited the uptake of cloud-based models. A more appropriate approach to cloud-based security would be the adoption of a common security model, made available through the cloud platform-as-a-service.</p>
<p>As outlined in <a target="_blank" href="http://www.cloudipedia.com" target="_blank" onclick="pageTracker._trackPageview('/outgoing/www.cloudipedia.com?referer=');">“Cloud computing made easy,” </a>co-authored by yours truly, a cloud platform (as opposed to cloud “software as a service” applications) imposes common software elements, which are used by developers to write cloud applications without having to re-invent the wheel for every aspect of each application. The use of a cloud platform is particularly useful for imposing rigorous security, in that it presents a standard security model for managing things like authentication and authorization, role-based access, secure storage, multi-tenancy, and privacy policies. Developers of common SaaS applications may not always be experts in security, but by using the common security model of a cloud platform, the developer is able to draw against the expertise of other developers who are.<span id="more-2012"></span></p>
<p>The advantage is especially evident for smaller businesses which often lack full-time, specialized IT security personnel. It is much more likely that a cloud provider will have devoted time, money and resources to security, than would a small company with four or five employees, and in such a case, the small business is more secure by leveraging the services of a reputable cloud provider as opposed to running insecure or marginally secure applications in-house. This, of course, assumes that the small business takes the time to conduct due diligence on the cloud provider, examine the service level agreement in detail, and ensure that the provider has taken steps to ensure the security of the applications being accessed.</p>
<p>It is certainly possible for a company to impose tight, near bulletproof security in-house, and this possibility keeps many from moving to the cloud. But the question should not be “is it possible”, but rather, “is it likely.” A realistic examination of a company’s resources, in-house talent, and ability to adhere to sometimes draconian security policies is the first step in the decision. Do you have the money and somebody on hand to implement the technology? And then, once implemented, do you have the management will to impose necessary but potentially unpopular security policies? Besides technical security such as authentication and authorization, and policies such as frequent password changes, physical security must also be imposed—including locked server rooms, personally escorting laid off employees off the premises, and regulated access to the physical equipment. Cloud providers are more likely to impose these measures as a general rule, which may lead to better security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2010/01/security-and-the-cloud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>RockYou hack could have been prevented</title>
		<link>http://www.theemailadmin.com/2009/12/rockyou-hack-could-have-been-prevented/</link>
		<comments>http://www.theemailadmin.com/2009/12/rockyou-hack-could-have-been-prevented/#comments</comments>
		<pubDate>Wed, 23 Dec 2009 15:09:59 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[hack]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1965</guid>
		<description><![CDATA[A social application site called RockYou suffered an attack that resulted in 32 million usernames and passwords being exposed. And to make a serious problem even worse, the company, which TechCrunch says “has a history of stupidity”, didn’t inform its users until ten days after the fact. TechCrunch reported on the issue, and RockYou’s statement [...]
]]></description>
			<content:encoded><![CDATA[
<p>A social application site called RockYou suffered an attack that resulted in 32 million usernames and passwords being exposed. And to make a serious problem even worse, the company, which TechCrunch says “has a history of stupidity”, didn’t inform its users until ten days after the fact.</p>
<p>TechCrunch reported on the issue, and RockYou’s statement to the IT blog noted that “On December 4, RockYou’s IT team was alerted that the user database on RockYou.com had been compromised, potentially revealing some personal identification data for approximately 30M registered users on RockYou.com. RockYou immediately brought down the site and kept it down until a security patch was in place. RockYou confirms that no application accounts on Facebook were impacted by this hack and that most of the accounts affected were for earlier applications (including slideshow, glitter text, fun notes) that are no longer formally supported by the company. RockYou has secured the site and is in the process of informing all registered users that the hack took place.”</p>
<p>According to reports, the site had an SQL injection flaw. This type of flaw is quite common, and targets the application’s database layer.</p>
<p>The problem was especially serious because RockYou usernames and passwords are the same as customer email names and passwords, and access to the database could open the door to a flood of spam, not to mention identity theft resulting from breaking into customers’ email accounts.</p>
<p>One hacker did gain access to the full list of unencrypted passwords, which had been stored in plain text, and posted some of it publicly. In true vigilante fashion, the hacker posted part of the file, with the note, “Don’t lie to your customers, or I will publish everything.”</p>
<p>RockYou made two critical mistakes, one in policy and one in technology. The policy mistake was to keep silent on the issue until ten days after the fact. Now, they are dealing with the public relations nightmare of their decision to not act right away in informing their customers. The second mistake was one of technology, and that is storing usernames and passwords in plain text. Storing this in plain text was a disaster waiting to happen, and the company should have known that. It’s not that hard to protect username lists, and simply encrypting the file would have prevented much of the negative fallout the company is now seeing in the press.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/12/rockyou-hack-could-have-been-prevented/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ethical malware argument raises eyebrows</title>
		<link>http://www.theemailadmin.com/2009/12/ethical-malware-argument-raises-eyebrows/</link>
		<comments>http://www.theemailadmin.com/2009/12/ethical-malware-argument-raises-eyebrows/#comments</comments>
		<pubDate>Wed, 16 Dec 2009 16:10:52 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[ethical malware]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1939</guid>
		<description><![CDATA[The issue of “ethical malware” has raised its ugly head this week in the blogosphere, sparking heated discussions and soapbox speeches everywhere. As reported this week in LinuxInsider, a lengthy Slashdot discussion was sparked when a participant wrote, “I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After [...]
]]></description>
			<content:encoded><![CDATA[
<p>The issue of “ethical malware” has raised its ugly head this week in the blogosphere, sparking heated discussions and soapbox speeches everywhere. As reported this week in LinuxInsider, a lengthy Slashdot discussion was sparked when a participant wrote, “I was fed up with the general consensus that Linux is oh-so-secure and has no malware. After a week of work, I finished a package of malware for Unix/Linux. Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects.”</p>
<p>The writer, Johannes, is of course correct. Unix/Linux can indeed be vulnerable to malware. We must remember that absolutely no operating system is completely bulletproof. We may like its features, it may have good security, and the OS may be perceived as being “cool”, but it’s not magic. Like any other OS, it’s just lines of code. Armchair computer users that aren’t in the industry may have the incorrect notion of absolute security, but nobody in the business can seriously make that claim with a straight face.</p>
<p>The larger question that is raging on the Slashdot discussion thread is whether Johannes was within his rights to release malware on Linux for the purpose of illustrating his point.</p>
<p>Most people would agree that malware is a scourge on society, and in most cases is illegal. But, Johannes’ malware wasn’t malicious, so was he within the scope of ethical computing to release it? On one hand, the logic is indisputable that by releasing the malware, he was able to highlight a flaw in the OS. And especially when an OS is written the way Linux is written, it’s very likely that any flaw that is brought to public knowledge will be repaired soon enough.</p>
<p>On the other hand, there is naturally a window of vulnerability between when the flaw is made public and when it is fixed, giving the real evil-doers a short but realistic opportunity to exploit it. Would we think it okay, for example, if somebody broke into a bank vault one evening, but didn’t take the money, just to show the bank that it could be done? I don’t think there would be any debate about it; the perpetrator would go straight to prison. “White-hat” hacking of this nature may have good intentions, but the writer is taking a risk here that an aggressive prosecutor may decide to pursue the matter in court.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/12/ethical-malware-argument-raises-eyebrows/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud benefits and risks highlighted in ENISA report</title>
		<link>http://www.theemailadmin.com/2009/12/cloud-benefits-and-risks-highlighted-in-enisa-report/</link>
		<comments>http://www.theemailadmin.com/2009/12/cloud-benefits-and-risks-highlighted-in-enisa-report/#comments</comments>
		<pubDate>Fri, 11 Dec 2009 14:01:25 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[cloud computing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1927</guid>
		<description><![CDATA[The European Network and Information Security Agency (ENISA) has issued one of the most comprehensive reports on the security risks and benefits of cloud computing. The report takes an impartial look at the cloud phenomena, and it starts out with the obvious—that is, cloud computing&#8217;s benefits of ease of access, scalability, instant provisioning and monetary [...]
]]></description>
			<content:encoded><![CDATA[
<p>The European Network and Information Security Agency (ENISA) has issued one of the most comprehensive reports on the security risks and benefits of cloud computing. The report takes an impartial look at the cloud phenomenon, and it starts out with the obvious—that is, cloud computing&#8217;s benefits of ease of access, scalability, instant provisioning and monetary savings are indisputable, but the biggest issue holding people back is the security concern.</p>
<p>In many cases, the concern over security is one of perception. We tend to think that things are more secure if we can put our hands on them. But the ENISA paper gets into more specific detail about precisely what the top security risks are:</p>
<ol>
<li><strong>Loss of governance</strong>. The biggest and most common concern, ceding control to a cloud provider may create a vulnerability if security isn&#8217;t specifically addressed in the service level agreement.</li>
<li><strong>Lock-in</strong>. A lack of standardization and portability means that it may be difficult to switch cloud providers, or bring service back in-house.</li>
<li><strong>Isolation failure</strong>. Because it is based on multi-tenancy, the cloud may be vulnerable to guest-hopping attacks or attacks on the cloud&#8217;s isolation mechanisms.</li>
<li><strong>Compliance risks</strong>. The cloud provider may not be able to provide evidence of compliance with regulations with which the customer must comply.</li>
<li><strong>Management interface compromise</strong>. There may be an increased risk of exposure through the customer management interface.</li>
<li><strong>Data protection</strong>. The customer may not be able to verify the provider&#8217;s data handling processes.</li>
<li><strong>Insecure or incomplete data deletion</strong>. What happens when you request that your resources be deleted? A true &#8220;wipe&#8221; of data may not take place, and reuse of resources may pose some risk of deleted information being detected later by another party.</li>
<li><strong>Malicious insider</strong>. Insider attacks are always a risk, whether on-premise or in a cloud provider.</li>
</ol>
<p>But it&#8217;s not all downside, either, and the report lists several security benefits as well. Most importantly, there&#8217;s the obvious differential that exists between what a small business knows it should do, and what it has actually gotten around to doing when it comes to on-premises security. Smaller businesses in particular, which may lack in-house expertise and may be short on time or funds, often don&#8217;t have the best security, and what they have is often out of date. In such a case, the cloud may present a big security advantage, since the cloud provider is more likely to have security expertise and the staff to implement it. In the case of the cloud provider, it&#8217;s a matter of scale. A top-of-the-line security investment at the cloud center is paid for ultimately by distributing the cost between hundreds of customers, which makes it possible to get better protection for all parties.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/12/cloud-benefits-and-risks-highlighted-in-enisa-report/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>SSL VPN vulnerability</title>
		<link>http://www.theemailadmin.com/2009/12/ssl-vpn-vulnerability/</link>
		<comments>http://www.theemailadmin.com/2009/12/ssl-vpn-vulnerability/#comments</comments>
		<pubDate>Wed, 09 Dec 2009 15:39:00 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[SSL VPN]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1910</guid>
		<description><![CDATA[US-CERT has issued a vulnerability note that should worry anybody who relies on SSL VPN products to establish secure web sessions. SSL VPN is a very common method of establishing a secure connection between two remote sites over an Internet connection, where the user connects only through a standard web browser, without the need for [...]
]]></description>
			<content:encoded><![CDATA[
<p>US-CERT has issued a <a target="_blank" href="http://www.kb.cert.org/vuls/id/261869">vulnerability note</a> that should worry anybody who relies on SSL VPN products to establish secure web sessions. SSL VPN is a very common method of establishing a secure connection between two remote sites over an Internet connection, where the user connects only through a standard web browser, without the need for any client software. It has gained popularity because of its simplicity, and its clientless nature allows for easy, anywhere connectivity. It is commonly used in Internet commerce, and sometimes in cloud-based or remote email.</p>
<p>According to CERT, though, many of the commercially available SSL VPN products bypass the security that exists in the web browser, and this could create a security problem. The problem revolves around the &#8220;same origin&#8221; policy enforced by standard web browsers, a rule that prohibits active content loaded from one site from accessing data that belongs to another site. However, some of the SSL VPN products take content from multiple sites, then present it as coming from the SSL VPN by rewriting the URLs, so the browser treats all of that content as a single origin. An attacker could, for example, lure a user to a rogue web page, gain access to the VPN session token, and alter content. Such an attacker could also use that malicious web page to launch an attack that captures keystrokes from remote users.</p>
<p>The vulnerability is mostly theoretical, and whether you are vulnerable really depends on how you&#8217;ve configured your SSL VPN. It&#8217;s important not to take the SSL VPN warning as an indication that you shouldn&#8217;t use SSL VPN&#8211;such an indication would be unnecessary, and would have a dramatic impact on e-commerce as we know it.</p>
<p>According to CERT, there is no immediate solution to the problem, but there are three workaround solutions: (1) limit URL rewriting to trusted domains, (2) limit VPN server network connectivity to trusted domains, and (3) disable URL hiding features. In limiting URL rewriting to trusted domains, most firewalls will allow policy rules to be set to accommodate this need, so the VPN can only access specific domains.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/12/ssl-vpn-vulnerability/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Courts shifting positions on reading employee email</title>
		<link>http://www.theemailadmin.com/2009/12/courts-shifting-positions-on-reading-employee-email/</link>
		<comments>http://www.theemailadmin.com/2009/12/courts-shifting-positions-on-reading-employee-email/#comments</comments>
		<pubDate>Tue, 01 Dec 2009 14:29:26 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[email monitoring]]></category>
		<category><![CDATA[internet monitoring]]></category>
		<category><![CDATA[internet usage policies]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1885</guid>
		<description><![CDATA[The Wall Street Journal carried an article last week on the US court&#8217;s shifting position on whether or not it&#8217;s okay for a company to read employee email. Most companies tend to take the position that whatever goes on within the corporate walls&#8211;or even within its virtual walls&#8211;is company property, and the actual keystrokes that [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-1888" src="http://www.theemailadmin.com/wp-content/uploads/2009/12/637885_-top_secret-.jpg" alt="637885_-top_secret-" width="100" height="68" />The <a target="_blank" href="//">Wall Street Journal</a> carried an article last week on the US courts&#8217; shifting position on whether or not it&#8217;s okay for a company to read employee email. Most companies tend to take the position that whatever goes on within the corporate walls&#8211;or even within its virtual walls&#8211;is company property, and the actual keystrokes that take place on company property are fair game for snooping. However, that&#8217;s not always the case.</p>
<p>First of all, let&#8217;s take a look at why a company would be snooping on employee email. Are they worried about gossip? Or are they just nosy? In fact, the reasons revolve mostly around concerns of security leaks, and information leaks. Security leaks may occur if an employee is using their personal email account from a work computer. Information leaks can occur from anywhere&#8211;and this just involves a company employee emailing sensitive information that they ought not be sending to anyone. If you&#8217;re using your email account to send the Colonel&#8217;s secret recipe, or some such trade secret to the competition, then the company would like to know about it. Some employers take this very seriously, and use software to check all outgoing emails for sensitive information. Some 38 percent of companies analyze the contents of outgoing mail for these purposes.</p>
<p>The question is, are you allowed to do that? Courts, which in the past were more sympathetic to the employer, are now starting to weigh in favor of employees. The legalities of it get a little hairy, but the basics of it are that it is necessary to describe to every employee, in very specific terms, what the expectations are with regard to employee email privacy. The Journal article cites a particular case where an appeals court ruled that an employee had a &#8220;reasonable expectation&#8221; of privacy when they sent out an email using their personal account. To quote the article, courts are now finding that &#8220;unless they (the employers) have explicitly told the employee they will monitor email, they don&#8217;t have the legal right to do it&#8211;even if the email in question was a personal one sent using a work account, rather than a personal address.&#8221;</p>
<p>The bottom line is that if your company policy is to read, either by human or software means, employee emails, you need to make sure that every employee has been explicitly informed of that policy. Of course, telling someone you&#8217;re going to snoop on them kind of takes the wind out of your sails, but can still be a good preventive measure regardless.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/12/courts-shifting-positions-on-reading-employee-email/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>When is in-the-cloud security appropriate?</title>
		<link>http://www.theemailadmin.com/2009/11/when-is-in-the-cloud-security-appropriate/</link>
		<comments>http://www.theemailadmin.com/2009/11/when-is-in-the-cloud-security-appropriate/#comments</comments>
		<pubDate>Fri, 20 Nov 2009 15:11:08 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[cloud computing]]></category>
		<category><![CDATA[SaaS]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1837</guid>
		<description><![CDATA[The increasing popularity of cloud-based solutions has resulted in many new offerings of cloud platforms as well as numerous as-a-service software solutions. We also have storage-as-a-service, to alleviate in-house storage demands; and even supercomputing-as-a-service. Are all of these cloud services robust enough for mainstream, daily use? Computing is seldom a one-size-fits-all proposition, and what works [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-medium wp-image-1853" style="margin: 10px;" title="cloud computing" src="http://www.theemailadmin.com/wp-content/uploads/2009/11/cloud-computing-300x225.jpg" alt="cloud computing" width="270" height="203" />The increasing popularity of cloud-based solutions has resulted in many new offerings of cloud platforms as well as numerous as-a-service software solutions. We also have storage-as-a-service, to alleviate in-house storage demands; and even supercomputing-as-a-service. Are all of these cloud services robust enough for mainstream, daily use?</p>
<p>Computing is seldom a one-size-fits-all proposition, and what works for one company won&#8217;t work for another. The same is true with the cloud. What&#8217;s clear, though, is that it is here to stay. Two things have led more companies to face the cloud question head-on: available technology, in the form of cloud services and solutions and greater availability of cheap, high-speed connectivity; and simple economics. These two factors have converged nicely.</p>
<p>On the economic side, the struggling economy, and the need for more companies to maintain or improve the bottom line by cutting costs, has led to increased reliance on outsourcing. Cloud computing services can be seen as a type of outsourcing; for example, if you&#8217;re running anti-spam or another type of security, or all of your email for that matter, through a cloud-based service, then you&#8217;re no longer burdening your in-house staff with it (or if you have no in-house IT staff, your office manager, secretary, file clerk, or whoever else may have gotten tasked with it in the past). The administration, provisioning, installation, and maintenance of the physical infrastructure is handled by somebody else. Of course, none of this would even be possible were it not for ubiquitous broadband, which allows even the smallest businesses to connect to the Internet (and all of those cloud services) at incredibly high speeds and with increasing reliability.</p>
<p>The most obvious time when in-the-cloud security is appropriate is when your company doesn&#8217;t have in-house security-specific expertise. Is security being tasked to an IT generalist, or worse, to a non-IT office manager? In the case of small companies, these tasks often get delegated to the office guy who &#8220;seems to know a lot about computers&#8221; rather than a real IT person, and the result is often disastrous. The advantage to cloud services in this case is that cloud providers tend to employ experts with relevant experience. Those experts can be expensive to hire on your own, but by using the cloud services, you benefit from their expertise without having to pay their full-time salaries.</p>
<p>If your company is considering cloud-based security services, or any cloud service for that matter, the first thing to consider is the reliability of the company. Cloud-based security services are best offered by a company that is well-versed and experienced in security, and has been in business for some time. Second, take a good look at the service level agreement and make sure it has very specific details about performance promises. And lastly, realize that cloud security, like any type of security, while it should be easy to use, is never meant to be a &#8220;deploy it and forget it&#8221; proposition. Make sure it has good reporting facilities and an intuitive management portal that still affords you some control over the security features.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/11/when-is-in-the-cloud-security-appropriate/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Note to iPhone worm author: Don&#8217;t do us any more favors</title>
		<link>http://www.theemailadmin.com/2009/11/note-to-iphone-worm-author-dont-do-us-any-more-favors/</link>
		<comments>http://www.theemailadmin.com/2009/11/note-to-iphone-worm-author-dont-do-us-any-more-favors/#comments</comments>
		<pubDate>Fri, 13 Nov 2009 13:28:20 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[iPhone worm]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1809</guid>
		<description><![CDATA[Worms and other types of malware aren&#8217;t just infecting our desktops and notebooks, now they are infecting our mobile devices and smartphones. It was inevitable of course, and users of the mobile devices need to take the same precautions that they do with their PCs. Just last week, it was discovered that the first iPhone [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-full wp-image-1810" style="margin: 10px;" src="http://www.theemailadmin.com/wp-content/uploads/2009/11/Astley.jpg" alt="Astley" width="124" height="124" />Worms and other types of malware aren&#8217;t just infecting our desktops and notebooks; now they are infecting our mobile devices and smartphones. It was inevitable of course, and users of mobile devices need to take the same precautions that they do with their PCs. Just last week, it was discovered that <a target="_blank" href="http://www.wired.com/threatlevel/2009/11/iphone-worm/">the first iPhone worm</a> was released. The worm changes the lock-mode wallpaper.</p>
<p>Not all iPhones are vulnerable though, only those that have been &#8220;jailbroken&#8221; to allow third-party apps to run. The vulnerability comes in when a phone is jailbroken, but the user doesn&#8217;t change the default SSH login password which is put in place by the jailbreaking software. The worm, known as &#8220;ikee&#8221;, isn&#8217;t particularly malicious, it just changes the wallpaper to a picture of Rick Astley, an &#8217;80s pop music star; and then propagates itself to other iPhones.</p>
<p>The fact that this one isn&#8217;t malicious is not reassuring, it merely portends a greater influx of malware to mobile devices in the future—and the ones that come after this will without a doubt be of a more sinister nature.</p>
<p>I saw a surprising poll that said 75 percent of respondents thought that the youthful author of the worm &#8220;did iPhone users a favour&#8221; by raising awareness of a security problem, and the buzz around the blogosphere seems to be sympathetic towards the Aussie hacker, who goes by the name of &#8220;Ikee&#8221;.  Ikee has identified himself as Ashley Towns and has openly taken credit for the worm, and seems to be working under the mistaken belief that there&#8217;s nothing wrong with creating and releasing a worm into the wild if the purpose of it is, as he said in an ABC News interview, &#8220;It&#8217;s just poking fun and hoping waking people up a little.&#8221; The perpetrator is unapologetic, and has been speaking to media and others via Twitter. But I see no justification for propagating a worm, even if the intended purpose isn&#8217;t immediately malicious.</p>
<p>Really? When it comes down to it, there&#8217;s no such thing as a good virus. Although it may seem harmless to Ikee, the genie&#8217;s out of the bottle now, and there will be copycats who don&#8217;t just want to &#8220;poke fun&#8221;; they want to steal. Regardless of intent, he broke the law. Yes, maybe he was trying to &#8220;teach us a lesson&#8221; about how to treat our iPhones, but is that a legitimate role for him to be playing? Sounds like vigilantism to me. And it&#8217;s not completely harmless: as the infected iPhone seeks out other iPhones to send the worm to, the data allowance will be eaten up and the victim may suffer from a larger invoice for data services.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/11/note-to-iphone-worm-author-dont-do-us-any-more-favors/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>P2P networks at the root of accidental disclosures, once again</title>
		<link>http://www.theemailadmin.com/2009/11/p2p-networks-at-the-root-of-accidental-disclosures-once-again/</link>
		<comments>http://www.theemailadmin.com/2009/11/p2p-networks-at-the-root-of-accidental-disclosures-once-again/#comments</comments>
		<pubDate>Mon, 09 Nov 2009 15:23:55 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[file sharing]]></category>
		<category><![CDATA[policy]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1791</guid>
		<description><![CDATA[P2P file sharing networks aren&#8217;t seen very often on corporate PCs. At this point, most managers have implemented policy to prohibit their use, and admins have implemented technological measures to make sure employees aren&#8217;t putting them on their PCs. And that&#8217;s all well and good, but it&#8217;s not enough. Do you leave your work at [...]
]]></description>
			<content:encoded><![CDATA[
<p>P2P file sharing networks aren&#8217;t seen very often on corporate PCs. At this point, most managers have implemented policy to prohibit their use, and admins have implemented technological measures to make sure employees aren&#8217;t putting them on their PCs. And that&#8217;s all well and good, but it&#8217;s not enough.</p>
<p>Do you leave your work at the office at the end of the day? Didn&#8217;t think so. Most companies have at least several people, if not the majority of employees, taking work home; and many have staff members telecommuting from home on a regular basis. This, too, is a wonderful trend. I personally haven&#8217;t seen the inside of a cubicle in 18 years, and this trend is only going to increase. The office is fast becoming obsolete and unnecessary.</p>
<p>But those security measures, and the trend of working at home, work at cross purposes. Security measures in the office usually stop at the network, protecting access to files and applications and ensuring that PCs within the physical boundaries of the workplace are protected against attack. But today, physical boundaries are irrelevant.</p>
<p>We saw this last week when an ethics report from the US House of Representatives was accidentally leaked onto a public P2P file sharing network. The document was an internal file that listed several members of Congress who were being investigated for ethics violations.</p>
<p>There is an argument, with some legitimacy, that ethics investigations should indeed be made public. Citizens have the right to know whether their elected representatives are crooks. But that argument is misplaced. The policy of the Ethics Committee is not to disclose those investigations unless there is a formal investigation, and at that point it would be made public. But that again is beside the point.</p>
<p>The point is, the House of Representatives used lax security rules, and needs to tighten them up. Whether the information should have been public or not doesn&#8217;t matter; the fact is that they screwed up from a security perspective by allowing something to be made public that they had not intended to be made public.</p>
<p>The Ethics Committee was quick to release a &#8220;not our fault&#8221; statement, saying that the leak wasn&#8217;t caused by their own information systems. But this is only a half-truth. The leak was in fact caused when a junior staffer took the file home and stored it on a home computer where P2P software was installed, and as such, the Committee argues that it wasn&#8217;t their systems—but in fact, it was their own lack of policy and oversight that caused it. Security policy once again must go beyond the borders of the enterprise and into every computer that touches the network. If a worker telecommutes, then the computer used for telecommuting—especially if sensitive documents are being worked on—must also comply with corporate policy. And that means no P2P file sharing applications on it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/11/p2p-networks-at-the-root-of-accidental-disclosures-once-again/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Physical protection of passwords and sensitive information</title>
		<link>http://www.theemailadmin.com/2009/11/physical-protection-of-passwords-and-sensitive-information/</link>
		<comments>http://www.theemailadmin.com/2009/11/physical-protection-of-passwords-and-sensitive-information/#comments</comments>
		<pubDate>Thu, 05 Nov 2009 09:53:51 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[password protection]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1667</guid>
		<description><![CDATA[IT departments often take the time to be proactive (at least if they&#8217;re doing their jobs), and educate staff about using complex passwords, changing passwords frequently, avoiding phishing by not clicking on unknown email links and attachments, and all the other standard protections we know to take. But we sometimes forget that amidst all the [...]
]]></description>
			<content:encoded><![CDATA[
<p><img class="alignright size-medium wp-image-1780" style="margin: 10px;" title="Password protection" src="http://www.theemailadmin.com/wp-content/uploads/2009/11/Choosing-a-password-300x200.jpg" alt="Password protection" width="300" height="200" />IT departments often take the time to be proactive (at least if they&#8217;re doing their jobs), and educate staff about using complex passwords, changing passwords frequently, avoiding phishing by not clicking on unknown email links and attachments, and all the other standard protections we know to take. But we sometimes forget that amidst all the technical precautions, we must also take physical precautions.</p>
<p>Passwords, PINs, and other sensitive information often come in printed form before we commit them to memory. It may be in the form of a letter from a bank or a memo from the IT department, or it may even be a password that we wrote down on a piece of paper and stuck in a drawer. What happens to this paper? More often than not, it gets tossed into the waste bin, where it can be easily picked through by an opportunistic identity thief.</p>
<p><span id="more-1667"></span></p>
<p>A <a target="_blank" href="http://blog.stop-idfraud.co.uk/2009/10/it-could-be-you.php">recent survey</a> showed that a surprising 79 percent of all businesses do not destroy sensitive information on paper that is being discarded or recycled. The UK-based survey showed that 64 percent of businesses have a clear policy on handling written documents with sensitive information, and 32 percent of employees admitted to discarding sensitive documents directly into the trash.</p>
<p>The survey, which was conducted as part of National Identity Fraud Prevention Week, says that identity fraud results in over £1.2 billion every year. Forty percent of the companies surveyed said they throw away information on customers, including home addresses, phone numbers, and even photocopies of passports, all of which can be used to perpetrate identity theft. Individuals are as vulnerable as businesses, and the report says that 44 percent of Britons still do not shred documents with sensitive information. And here&#8217;s a shocking statistic. The survey showed that half of all households threw away everything a criminal would need to perpetrate identity theft, and that 79 percent of all household waste had at least one item that could help a criminal.</p>
<p>The answer, of course, is simple, non-technical and inexpensive. First, put a policy in place that says all documents with any personal information must be destroyed; and second, install paper shredders in convenient locations throughout the office.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/11/physical-protection-of-passwords-and-sensitive-information/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Windows 7 and security</title>
		<link>http://www.theemailadmin.com/2009/10/windows-7-and-security/</link>
		<comments>http://www.theemailadmin.com/2009/10/windows-7-and-security/#comments</comments>
		<pubDate>Mon, 26 Oct 2009 18:03:22 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[Windows 7]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1731</guid>
		<description><![CDATA[One of the biggest user complaints about Windows Vista was the UAC (User Account Control) feature, which generated frequent popups as a way of notifying users whenever anything tried to make changes to the computer. The UAC was in theory a good idea. Spam or rogue email attachments frequently contain malware designed to make changes [...]
]]></description>
			<content:encoded><![CDATA[
<p>One of the biggest user complaints about Windows Vista was the UAC (User Account Control) feature, which generated frequent popups as a way of notifying users whenever anything tried to make changes to the computer. The UAC was in theory a good idea. Spam or rogue email attachments frequently contain malware designed to make changes or trigger a download, and the UAC would let you know when something&#8217;s going on. The problem was that it popped up for many routine tasks, and users became annoyed. Now personally, I&#8217;d rather have tight security and have to deal with clicking &#8220;allow&#8221; a few times a day, as opposed to loose security and more convenience, but that&#8217;s just me, and I always tend towards paranoia.</p>
<p>According to a <a target="_blank" href="http://blogs.msdn.com/e7/archive/2009/02/05/update-on-uac.aspx">Microsoft blog entry</a>, Windows 7&#8217;s UAC now has a little more flexibility, with four settings: &#8220;Never notify&#8221;, &#8220;Notify me only when programs try to make changes to my computer (without desktop dimming)&#8221;, &#8220;Notify only when programs try to make changes to my computer (with desktop dimming)&#8221;, and &#8220;Always notify.&#8221; Vista, on the other hand, was all or nothing, with choices only for &#8220;Always notify&#8221; or &#8220;Never notify.&#8221; The risk now, however, is that users will tend towards shutting it off completely, since that is now a lot easier to do—thereby leaving the door open to more attacks.</p>
<p>Of course, Microsoft took a lot of flak over the UAC under Vista, and they&#8217;ll probably take more flak now for going in the other direction with Win7&#8217;s UAC. The medium setting on Windows 7, which is the default setting, may offer inadequate protection, though time will tell. It is advisable to bite the bullet and use the &#8220;Always notify&#8221; setting—although it may be a hard sell to get users to agree.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/10/windows-7-and-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Phishing scam targets Gmail</title>
		<link>http://www.theemailadmin.com/2009/10/phishing-scam-targets-gmail/</link>
		<comments>http://www.theemailadmin.com/2009/10/phishing-scam-targets-gmail/#comments</comments>
		<pubDate>Wed, 07 Oct 2009 14:51:25 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[gmail]]></category>
		<category><![CDATA[password security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1630</guid>
		<description><![CDATA[The BBC reported today that Google is the latest in several cloud-based email systems that have been subject to a widespread phishing attack. The British news agency reported seeing two lists with over 30,000 names and passwords, which have been posted online. Google has since discovered a third list. The cracked email passwords aren’t just from [...]
]]></description>
			<content:encoded><![CDATA[
<p>The <a target="_blank" href="http://news.bbc.co.uk/2/hi/technology/8292928.stm">BBC</a> reported today that Google is the latest in several cloud-based email systems that have been subject to a widespread phishing attack. The British news agency reported seeing two lists with over 30,000 names and passwords, which have been posted online. Google has since discovered a third list.</p>
<p>The cracked email passwords aren’t just from Google’s popular Gmail system, though; <a target="_blank" href="http://www.allspammedup.com/2009/10/secumassive-data-breach-affecting-hotmail-yahoo-and-gmail-users-revealed/">the list also includes names of Microsoft Hotmail users, along with Yahoo, AOL, and other providers</a>. The first reports of the scam appeared when Pastebin, a legitimate web site used by programmers to share code, was used to post 10,000 Hotmail addresses.</p>
<p>Are there even more lists out there? Probably. The Neowin blog first reported the hack on Hotmail accounts, noting on October 1 that the lists detail 10,000 accounts with email addresses starting with “A” and “B”. Although only three lists have been detected so far, the alphabetical nature of the lists would imply that there are more floating around to account for the rest of the alphabet.</p>
<p>Bloggers, commentators and security folks are recommending that, if you use Hotmail or Gmail, you change your password immediately. Even better—stop using Hotmail or Gmail and stay away from free cloud-based email services altogether.</p>
<p>For their part, Google issued a forced password reset to all affected accounts, and Microsoft indicated that they too are taking steps to help customers regain control of their accounts.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/10/phishing-scam-targets-gmail/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bank learns its lesson, you can&#8217;t recall email</title>
		<link>http://www.theemailadmin.com/2009/09/bank-learns-its-lesson-you-cant-recall-email/</link>
		<comments>http://www.theemailadmin.com/2009/09/bank-learns-its-lesson-you-cant-recall-email/#comments</comments>
		<pubDate>Fri, 25 Sep 2009 14:25:31 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email management]]></category>
		<category><![CDATA[email security]]></category>
		<category><![CDATA[email policies]]></category>
		<category><![CDATA[email protocol]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1574</guid>
		<description><![CDATA[There’s a bank clerk in Wyoming who is in deep trouble with the boss. According to news reports, an employee of a bank in Wyoming sent an email that contained customer data to the wrong recipient’s Gmail account. The employee of Rocky Mountain Bank made two critical errors: First, they sent it to the wrong [...]
]]></description>
			<content:encoded><![CDATA[
<p>There’s a bank clerk in Wyoming who is in deep trouble with the boss. According to <a target="_blank" href="http://www.wired.com/threatlevel/2009/09/bank-sues-google/">news reports</a>, an employee of a bank in Wyoming sent an email that contained customer data to the wrong recipient’s Gmail account. The employee of Rocky Mountain Bank made two critical errors: First, they sent it to the wrong address, and second, they attached a file with sensitive information that should not have been attached.</p>
<p>According to news reports, the employee, realizing they had sent it to the wrong address, tried to “recall” it after sending it. Huh?? How long has this employee been using email? Just about anybody that isn’t living in a cave knows that you can’t recall an email once you’ve sent it out. That’s why standard procedure should include at least a quick once-over of the contents and recipient list before hitting the “send” button.</p>
<p>The attachment that was sent contained customer information, including social security numbers and loan data.</p>
<p><span id="more-1574"></span>Then apparently the employee sent another email to the person that had incorrectly been sent the information, asking them to delete it without opening or reading it, and also asked the person to contact the employee. Again, huh??</p>
<p>First of all, if I get an email from a bank with an attachment and I’m not expecting it (which I’m usually not), I will simply delete it without looking at it, thinking it to be spam, which it usually is. Chances are, the recipient did the same. And if I get an email with a bank address asking me to make contact, again, no dice. Not gonna do it. On the off chance that the recipient even saw the emails, they were well within their rights to ignore the request.</p>
<p>However, the bank didn’t see it that way, and now they’re suing Google to try to get them to identify the recipient. Google said no dice to the bank, and again, Google is well within their rights to refuse without a court order, and bravo for Google for not providing the information.</p>
<p>And to make it even worse, the bank asked the court to seal the case so customers wouldn’t learn about the breach. In most states, banks and financial institutions are legally obligated to notify customers about such breaches, and the courts quite appropriately refused to seal the case.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/09/bank-learns-its-lesson-you-cant-recall-email/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is cloud computing safe?</title>
		<link>http://www.theemailadmin.com/2009/09/is-cloud-computing-safe/</link>
		<comments>http://www.theemailadmin.com/2009/09/is-cloud-computing-safe/#comments</comments>
		<pubDate>Tue, 22 Sep 2009 08:32:50 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[cloud computing]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1554</guid>
		<description><![CDATA[It seems as though the move to cloud computing is inevitable, at least for parts of the enterprise. It’s gaining in popularity, and it has the incredible attraction of being cheap—which makes cloud services a favorite for corporate bean counters. But are those bean counters listening to their security guys before deploying it? There are [...]
]]></description>
			<content:encoded><![CDATA[
<p>It seems as though the move to cloud computing is inevitable, at least for parts of the enterprise. It’s gaining in popularity, and it has the incredible attraction of being cheap—which makes cloud services a favorite for corporate bean counters. But are those bean counters listening to their security guys before deploying it?</p>
<p>There are still security and privacy concerns to be addressed. According to a recent <a target="_blank" href="http://www.securitypronews.com/insiderreports/insider/spn-49-20090917SecurityConcernsHinderingAdoptionOfCloudComputing.html">Unisys poll</a>, security and privacy concerns are still big barriers to cloud computing. The survey asked, “What do you see as your greatest barrier to moving to the cloud?” And 51 percent cited security and data privacy. Twenty-one percent cited integration of cloud applications with existing systems as a potential barrier.</p>
<p><span id="more-1554"></span>To their credit, vendors of cloud-based systems of all sorts, email and otherwise, are tackling the problem with new layers of security. But will it be enough? A <a target="_blank" href="http://www.darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=218102139">Dark Reading</a> article interviewed the former black hat known as “mafiaboy”, who claims that cloud computing will ultimately cause a “meltdown” of the Internet due to the inherent security vulnerabilities. According to the reformed hacker, cloud computing done on a massive scale will transform the Internet into a “hacker haven.”</p>
<p>We don’t know whether his claims of cloud computing hastening the demise of the Internet as we know it are a bit exaggerated, but he makes some very good points, not the least of which is that today’s hackers are, for the most part, in it for the money, as opposed to yesterday’s hackers, who sometimes saw it as a challenge or a game. And the lure of ill-gotten gains is powerful indeed. And with everything in the cloud, the Internet will become more of an attractive nuisance than it already is. For a criminal, cloud computing will just be too much of a temptation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/09/is-cloud-computing-safe/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Email archives, retention periods, and tricky lawyers</title>
		<link>http://www.theemailadmin.com/2009/09/email-archives-retention-periods-and-tricky-lawyers/</link>
		<comments>http://www.theemailadmin.com/2009/09/email-archives-retention-periods-and-tricky-lawyers/#comments</comments>
		<pubDate>Fri, 18 Sep 2009 10:00:04 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[Email archiving & storage]]></category>
		<category><![CDATA[email management]]></category>
		<category><![CDATA[email archiving]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1528</guid>
		<description><![CDATA[By now, every business knows that they need to archive their emails, for convenience, as well as for compliance, e-discovery, and disaster recovery purposes. But once archived, how long do you need to keep them? There’s really no fixed answer, as is often the case when lawyers are involved. But what’s most important is that [...]
]]></description>
			<content:encoded><![CDATA[
<p>By now, every business knows that they need to archive their emails, for convenience, as well as for compliance, e-discovery, and disaster recovery purposes. But once archived, how long do you need to keep them?</p>
<p>There’s really no fixed answer, as is often the case when lawyers are involved. But what’s most important is that there is a written policy about data retention, and that it is followed to the letter, documented, and has an audit trail. The reason for this is clear. Suppose, for example, that you are subject to a lawsuit, and opposing counsel has demanded records pertaining to a certain subject. You provide records going back two years. But you have no written policy on data retention. Guess what? Even if the records you provide show no evidence of your guilt, you still lose by default. That is, of course, assuming that your opponent has a competent lawyer. The logic behind this is that since you have no retention policy, you may have deleted older emails that showed your liability.</p>
<p>Now suppose that you do have a written retention policy that says you archive all emails for two years, but there’s no formal audit trail that shows when those archives are accessed. Again, you lose. Opposing counsel will argue that without an audit trail, there is no reason to believe that you haven’t gone in and erased the evidence! Oh, those tricky lawyers.</p>
<p><span id="more-1528"></span>Now suppose that you have a long-standing, written retention policy that says you archive all emails for two years, and you do have an audit trail. There is an email that shows you’re guilty, but it’s three years old and long gone. Guess what? You win! Tricky you!</p>
<p>When you’re creating that retention policy, make sure to get input from every stakeholder. It’s not always necessary to archive every email for the same period of time. Your policy may state, for example, that emails in the Legal department be archived for three years, Accounting for two years, and Marketing for one year.</p>
<p>Your retention policy should also include a paragraph for putting a “legal hold” on any email that may be near the end of the retention period, if you have any reason to believe that it may be needed in the future.</p>
<p>Lastly, is it necessary to archive everything? In general, yes, but keep in mind that spam and advertisements will only clog up your archives, and do not need to be included. Make every effort to eradicate your spam email before the archiving process.</p>
<p>And above all, remain consistent! Those tricky lawyers will look for evidence that you may have deleted an email ahead of schedule&#8211;even if it was spam&#8211;and will use that to try to prove that you don&#8217;t follow policy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/09/email-archives-retention-periods-and-tricky-lawyers/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Password theft is big business</title>
		<link>http://www.theemailadmin.com/2009/09/password-theft-is-big-business/</link>
		<comments>http://www.theemailadmin.com/2009/09/password-theft-is-big-business/#comments</comments>
		<pubDate>Wed, 16 Sep 2009 12:20:47 +0000</pubDate>
		<dc:creator>Dan Blacharski</dc:creator>
				<category><![CDATA[email security]]></category>
		<category><![CDATA[password protection]]></category>
		<category><![CDATA[password security]]></category>

		<guid isPermaLink="false">http://www.theemailadmin.com/?p=1520</guid>
		<description><![CDATA[If you still think your web-based email account is safe enough to use for business (or anything else for that matter), take a look at an article in last week’s Washington Post. The story details an account of the “other woman” who engaged the services of a cracker web site called YourHackerz.com to break into [...]
]]></description>
			<content:encoded><![CDATA[
<p>If you still think your web-based email account is safe enough to use for business (or anything else for that matter), take a look at an article in last week’s <a target="_blank" href="http://www.washingtonpost.com/wp-dyn/content/article/2009/09/06/AR2009090602238.html">Washington Post</a>. The story details an account of the “other woman” who engaged the services of a cracker web site called YourHackerz.com to break into her boyfriend’s email and her boyfriend’s wife’s email.</p>
<p>The service is able to quickly deliver a password to a customer, for a surprisingly small fee. And YourHackerz.com isn’t the only one of its kind; there are dozens of similar services on the Internet that advertise their dark services freely. For a hundred bucks, they promise to “crack all major web based emails”, including Yahoo!, Hotmail, AOL and Gmail. The service even provides proof of cracking before payment. How’s that for good marketing?</p>
<p>Although the cracker service bureau doesn’t specify its techniques, the Washington Post article speculates that it uses a Trojan horse technique, which sends the victim an email with a link to a greeting card or some other innocuous-looking item, which, when downloaded, launches a keystroke grabber that captures passwords and then sends them back to the host. It’s quite likely that these types of services use a combination of techniques.</p>
<p>The first thing to do to protect yourself is to realize that yes, there are people who want to read your email. Probably more than you think. And it’s very easy for those people to get access, for a small fee, from one of these cracker services within just two or three days. We all tend to think we’re immune. We think nobody can break in, and what’s worse, we think nobody wants to. Unfortunately, it happens all the time, and when we least expect it. Spying, espionage, and just plain snooping happen every day, both in business and in social life. It may be to steal our bank accounts, or it may just be to gather corporate secrets or personal information. If you think your spouse is cheating on you, how far would you go to confirm it?</p>
<p>Regardless of what motivations people may have to crack your email password, there are things that you can do to protect yourself. First and foremost, don’t use free webmail accounts. These are the easiest to crack by far (as Sarah Palin found out). Next, use complex passwords. This can actually only go so far as a means of protection though—if the cracker has a keystroke grabber, no matter how complex your password is, it can be stolen. Use encrypted email for sensitive messages, and connect to your login screen using a secure session.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.theemailadmin.com/2009/09/password-theft-is-big-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

