Author Archive
When is in-the-cloud security appropriate?
Written by Dan Blacharski on November 20, 2009 – 5:11 pm
The increasing popularity of cloud-based solutions has resulted in many new offerings of cloud platforms as well as numerous as-a-service software solutions. We also have storage-as-a-service, to alleviate in-house storage demands; and even supercomputing-as-a-service. Are all of these cloud services robust enough for mainstream, daily use?
Computing is seldom a one-size-fits-all proposition, and what works for one company won't work for another. The same is true of the cloud. What is clear, though, is that it is here to stay. Two things have led more companies to face the cloud question head-on: available technology, in the form of cloud services and solutions plus cheap, high-speed connectivity; and simple economics. The two have converged nicely.
Note to iPhone worm author: Don’t do us any more favors
Written by Dan Blacharski on November 13, 2009 – 3:28 pm
Worms and other types of malware aren't just infecting our desktops and notebooks; now they are infecting our mobile devices and smartphones. It was inevitable of course, and users of mobile devices need to take the same precautions that they do with their PCs. Just last week the first iPhone worm appeared in the wild. The worm changes the lock screen wallpaper.
Not all iPhones are vulnerable, though: only those that have been "jailbroken" to allow third-party apps to run. The hole opens when a phone is jailbroken and an SSH server is installed, but the owner never changes the root password that every iPhone ships with; the jailbreaking tools don't change it either, so the worm simply scans for phones listening on SSH and logs in with the well-known default. The worm, known as "ikee", isn't particularly malicious: it changes the wallpaper to a picture of Rick Astley, an '80s pop music star, and then propagates itself to other iPhones. Anyone running SSH on a jailbroken phone should change the passwords of both the root and the mobile accounts, and stop the SSH daemon when it isn't needed.
The fact that this one isn’t malicious is not reassuring, it merely portends a greater influx of malware to mobile devices in the future—and the ones that come after this will without a doubt be of a more sinister nature.
I saw a surprising poll that said 75 percent of respondents thought that the youthful author of the worm "did iPhone users a favour" by raising awareness of a security problem, and the buzz around the blogosphere seems to be sympathetic towards the Aussie hacker, who goes by the name of "Ikee". Ikee has identified himself as Ashley Towns and has openly taken credit for the worm. He seems to be working under the mistaken belief that there's nothing wrong with creating and releasing a worm into the wild as long as, as he put it in an ABC News interview, "It's just poking fun and hoping waking people up a little." The perpetrator is unapologetic, and has been speaking to the media and others via Twitter. But I see no justification for propagating a worm, even if the intended purpose isn't immediately malicious.
Really? When it comes down to it, there's no such thing as a good virus. Although it may seem harmless to Ikee, the genie's out of the bottle now, and there will be copycats who don't just want to "poke fun"; they want to steal. Regardless of intent, he broke the law. Yes, maybe he was trying to "teach us a lesson" about how to treat our iPhones, but is that a legitimate role for him to be playing? Sounds like vigilantism to me. And it isn't completely harmless: as the infected iPhone scans for other iPhones to send the worm to, it eats into the victim's data allowance, and the victim may end up with a larger bill for data services.
P2P networks at the root of accidental disclosures, once again
Written by Dan Blacharski on November 9, 2009 – 5:23 pm
P2P file sharing networks aren't seen very often on corporate PCs. At this point, most managers have implemented policy to prohibit their use, and admins have implemented technical measures to make sure employees aren't putting them on their PCs. That's all well and good, but it's not enough.
Do you leave your work at the office at the end of the day? Didn’t think so. Most companies have at least several people, if not the majority of employees, taking work home; and many have staff members telecommuting from home on a regular basis. This too, is a wonderful trend. I personally haven’t seen the inside of a cubicle in 18 years, and this trend is only going to increase. The office is fast becoming obsolete and unnecessary.
But those security measures, and the trend of working at home, work at cross purposes. Security measures in the office usually stop at the network, protecting access to files and applications and ensuring that PCs within the physical boundaries of the workplace are protected against attack. But today, physical boundaries are irrelevant.
We saw this last week when an ethics report from the US House of Representatives was accidentally leaked onto a public P2P file sharing network. The document was an internal file that listed several members of Congress who were being investigated for ethics violations.
There is an argument, with some legitimacy, that ethics investigations should indeed be made public. Citizens have the right to know whether their elected representatives are crooks. But that argument is misplaced. The policy of the Ethics Committee is not to disclose those inquiries unless there is a formal investigation, at which point it would be made public. But that again is beside the point.
The point is, the House of Representatives used lax security rules, and needs to tighten them up. Whether the information should have been public or not doesn’t matter; the fact is that they screwed up from a security perspective by allowing something to be made public that they had not intended to be made public.
The Ethics Committee was quick to release a “not our fault” statement, saying that the leak wasn’t caused by their own information systems. But this is only a half-truth. The leak was in fact caused when a junior staffer took the file home and stored it on a home computer where P2P software was installed, and as such, the Committee argues that it wasn’t their systems—but in fact, it was their own lack of policy and oversight that caused it. Security policy once again must go beyond the borders of the enterprise and into every computer that touches the network. If a worker telecommutes, then the computer used for telecommuting—especially if sensitive documents are being worked on—must also comply with corporate policy. And that means no P2P file sharing applications on it.
Physical protection of passwords and sensitive information
Written by Dan Blacharski on November 5, 2009 – 11:53 am
IT departments often take the time to be proactive (at least if they’re doing their jobs), and educate staff about using complex passwords, changing passwords frequently, avoiding phishing by not clicking on unknown email links and attachments, and all the other standard protections we know to take. But we sometimes forget that amidst all the technical precautions, we must also take physical precautions.
Passwords, PINs, and other sensitive information often come in printed form before we commit them to memory. It may be a letter from a bank or a memo from the IT department, or it may even be a password that we wrote down on a piece of paper and stuck in a drawer. What happens to this paper? More often than not, it gets tossed into the waste bin, where it can easily be picked through by an opportunistic identity thief. Anything carrying a credential or account number belongs in a cross-cut shredder, not the bin.
Windows 7 and security
Written by Dan Blacharski on October 26, 2009 – 8:03 pm
One of the biggest user complaints about Windows Vista was the UAC (User Account Control) feature, which generated frequent popups to notify users whenever anything tried to make administrative changes to the computer. UAC was in theory a good idea. Spam and rogue email attachments frequently contain malware that tries to modify the system or trigger a download, and UAC lets you know when a program is asking for that level of access. The problem was that it popped up for many routine tasks, and users became annoyed. Now personally, I'd rather have tight security and have to deal with clicking "allow" a few times a day than loose security and more convenience, but that's just me, and I always tend towards paranoia.
According to a Microsoft blog entry, Windows 7's UAC now has a little more flexibility, with four settings on a slider: "Always notify"; "Notify me only when programs try to make changes to my computer" (the default, which dims the desktop); "Notify me only when programs try to make changes to my computer (do not dim my desktop)"; and "Never notify". Vista, on the other hand, was all or nothing, with UAC either on or off. The risk now, however, is that users will tend towards shutting it off completely, since that option is a lot easier to reach, thereby leaving the door open to more attacks.
Of course, Microsoft took a lot of flak over the UAC under Vista, and they'll probably take more flak now for going in the other direction with Windows 7's UAC. The medium setting on Windows 7, which is the default, may offer inadequate protection, though time will tell: at that level, Windows' own signed executables are allowed to elevate without a prompt, so any malware that can get its code running inside one of those trusted programs elevates silently too. It is advisable to bite the bullet and use the "Always notify" setting, although it may be a hard sell to get users to agree.
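The four slider positions are just combinations of three DWORD values under the UAC policy key in the registry, which makes it easy to audit a fleet and to pin machines to "Always notify" by policy. The script below is an added example, not code from the original post or from Microsoft; the key path and value names are the documented UAC policy settings, but the mapping of value combinations to the Windows 7 slider labels is my own reconstruction and should be treated as an assumption.

```powershell
# Added example (not from the original post): read the registry values behind the
# Windows 7 UAC slider and, optionally, pin it to "Always notify".
# Assumption: the value combinations below correspond to the four slider positions.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacLevel {
    $p         = Get-ItemProperty -Path $UacKey
    $enableLua = [int]$p.EnableLUA
    $consent   = [int]$p.ConsentPromptBehaviorAdmin
    $secure    = [int]$p.PromptOnSecureDesktop

    # ConsentPromptBehaviorAdmin: 0 = elevate silently, 2 = prompt for consent,
    # 5 = prompt only for non-Windows binaries. PromptOnSecureDesktop: 1 = dim.
    $label = switch ($true) {
        ($enableLua -eq 0)                  { 'Never notify (UAC disabled entirely)'; break }
        ($consent -eq 0)                    { 'Never notify (silent elevation)'; break }
        ($consent -eq 2 -and $secure -eq 1) { 'Always notify'; break }
        ($consent -eq 5 -and $secure -eq 1) { 'Notify only for non-Windows programs, with dimming (Windows 7 default)'; break }
        ($consent -eq 5 -and $secure -eq 0) { 'Notify only for non-Windows programs, without dimming'; break }
        default { "Custom policy (ConsentPromptBehaviorAdmin=$consent, PromptOnSecureDesktop=$secure)" }
    }

    [pscustomobject]@{
        EnableLUA                  = $enableLua
        ConsentPromptBehaviorAdmin = $consent
        PromptOnSecureDesktop      = $secure
        Level                      = $label
    }
}

function Set-UacAlwaysNotify {
    # Requires an elevated shell. A change to EnableLUA only takes effect after a reboot.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
    Get-UacLevel
}

# Audit the current machine; uncomment the second line to enforce "Always notify".
Get-UacLevel
# Set-UacAlwaysNotify
```

Run `Get-UacLevel` from a normal shell to audit; `Set-UacAlwaysNotify` must run elevated, and in a domain the same three values can be pushed through Group Policy so users cannot drag the slider back down.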
Phishing scam targets Gmail
Written by Dan Blacharski on October 7, 2009 – 4:51 pm
The BBC reported today that Google is the latest of several cloud-based email systems to be hit by a widespread phishing attack. The British news agency reported seeing two lists with over 30,000 names and passwords, which have been posted online. Google has since discovered a third list.
The stolen email passwords aren't just from Google's popular Gmail system, though; the lists also include Microsoft Hotmail users, along with Yahoo, AOL, and other providers. The first reports of the scam appeared when Pastebin, a legitimate web site used by programmers to share code, was used to post 10,000 Hotmail addresses and passwords.
Are there even more lists out there? Probably. The Neowin blog first reported the hack on Hotmail accounts, noting on October 1 that the lists detail 10,000 accounts with email addresses starting with “A” and “B”. Although only three lists have been detected so far, the alphabetical nature of the lists would imply that there are more floating around to account for the rest of the alphabet.
Bloggers, commentators and security folks are recommending that if you use Hotmail or Gmail, you change your password immediately. Bear in mind that these credentials were phished rather than cracked, so the new password only stays safe if you stop typing it into pages reached from links in email. Even better: stop using Hotmail or Gmail and stay away from free cloud-based email services altogether.
For their part, Google issued a forced password reset to all affected accounts, and Microsoft indicated that they too are taking steps to help customers regain control of their accounts.
Bank learns its lesson, you can’t recall email
Written by Dan Blacharski on September 25, 2009 – 4:25 pm
There's a bank clerk in Wyoming who is in deep trouble with the boss. According to news reports, an employee of Rocky Mountain Bank sent an email containing customer data to the wrong recipient's Gmail account. The employee made two critical errors: first, they sent it to the wrong address, and second, they attached a file with sensitive information that should not have been attached at all.
According to news reports, the employee, realizing they had sent it to the wrong address, tried to "recall" it after sending it. Huh?? How long has this employee been using email? Just about anybody that isn't living in a cave knows that you can't recall an email once you've sent it out. A mail client's "recall" feature only works within the same mail system, and never once the message has been delivered to an outside provider such as Gmail. That's why standard procedure should include at least a quick once-over of the contents and recipient list before hitting the "send" button.
The attachment that was sent contained customer information, including social security numbers and loan data.
Is cloud computing safe?
Written by Dan Blacharski on September 22, 2009 – 10:32 am
It seems as though the move to cloud computing is inevitable, at least for parts of the enterprise. It's gaining in popularity, and it has the incredible attraction of being cheap, which makes cloud services a favorite of corporate bean counters. But are those bean counters listening to their security people before deploying it?
There are still security and privacy concerns to be addressed. According to a recent Unisys poll, security and privacy concerns are still big barriers to cloud computing. The survey asked, “What do you see as your greatest barrier to moving to the cloud?” And 51 percent cited security and data privacy. Twenty-one percent cited integration of cloud applications with existing systems as a potential barrier.
Email archives, retention periods, and tricky lawyers
Written by Dan Blacharski on September 18, 2009 – 12:00 pm
By now, every business knows that it needs to archive its email, for convenience as well as for compliance, e-discovery, and disaster recovery purposes. But once archived, how long do you need to keep it?
There's really no fixed answer, as is often the case when lawyers are involved. What matters most is that there is a written policy about data retention, and that it is followed to the letter, documented, and backed by an audit trail. The reason is clear. Suppose, for example, that you are subject to a lawsuit, and opposing counsel has demanded records pertaining to a certain subject. You provide records going back two years. But you have no written policy on data retention. Guess what? Even if the records you provide show no evidence of your guilt, you are in serious trouble, assuming of course that your opponent has a competent lawyer. The logic is that since you have no retention policy, you may have deleted older emails that showed your liability.
Now suppose that you do have a written retention policy that says you archive all emails for two years. But, there’s no formal audit trail that shows when those archives are accessed. Again, you lose. Opposing counsel will argue that without an audit trail, there is no reason to believe that you haven’t gone in and erased the evidence! Oh, those tricky lawyers.
Password theft is big business
Written by Dan Blacharski on September 16, 2009 – 2:20 pm
If you still think your web-based email account is safe enough to use for business (or anything else, for that matter), take a look at an article in last week's Washington Post. The story details the account of an "other woman" who engaged the services of a cracker web site called YourHackerz.com to break into her boyfriend's email and his wife's email.
The service is able to deliver a password to a customer quickly, for a surprisingly small fee. And YourHackerz.com isn't the only one of its kind; there are dozens of similar services on the Internet that advertise their dark services openly. For a hundred bucks, they promise to "crack all major web based emails", including Yahoo!, Hotmail, AOL and Gmail. The service even provides proof of the break-in before payment. How's that for good marketing?
Although the cracker service bureau doesn’t specify their techniques, the Washington Post article speculates that they use a Trojan horse technique, which sends the victim an email with a link to a greeting card or some other innocuous-looking item, which when downloaded, launches a keystroke grabber that captures passwords and then sends them back to the host. It’s quite likely that these types of services use a combination of techniques.
The first thing to do to protect yourself is to realize that yes, there are people who want to read your email. Probably more than you think. And it’s very easy for those people to get access, for a small fee, from one of these cracker services within just two or three days. We all tend to think we’re immune. We think nobody can break in, and what’s worse, we think nobody wants to. Unfortunately, it happens all the time, and when we least expect it. Spying, espionage, and just plain snooping happens every day, both in business and in social life. It may be to steal our bank accounts, or it may just be to gather corporate secrets or personal information. If you think your spouse is cheating on you, how far would you go to confirm it?
Regardless of what motivations people may have to crack your email password, there are things that you can do to protect yourself. First and foremost, don't use free webmail accounts. These are the easiest to break into by far (as Sarah Palin found out). Next, use complex passwords. This only goes so far as a means of protection, though: if the cracker has a keystroke grabber on your machine, your password can be stolen no matter how complex it is, which is why keeping malware off the endpoint matters as much as the password itself. Use encrypted email for sensitive messages, and only log in over an encrypted (HTTPS) connection, never on a page you reached from a link in an email.