Enabling Secure Business Operations

Security threats in Android! ..or not.

So you’ve been hearing lately about how some Android applications are going rogue and being used to steal users’ data and infiltrate their phones, sitting idly by only to wreak havoc when the user least expects it (ok, so maybe I exaggerated a little there). But there has been a lot of buzz lately about certain apps not playing by the rules, or including API calls that leech user information. A lot of this buzz has been spun as backlash against Google for allowing these types of applications to exist (instead of having some asininely draconian filtering process like some ‘other’ phone provider).

Well, in Google’s defense (and they’ve done a decent job of defending themselves), responsibility for this one falls back on the user. If you’re an Android user, you’ve most definitely seen a screen similar to this one.

This screen tells you exactly (mostly) [kinda] what the application you’re installing will have access to, and how far it can reach: every permission the app has declared, grouped by what it lets the app do. It’s your (the user’s) obligation either to agree and install, or to disagree and cancel out. See those two buttons at the bottom? If you see something filed under “Cost Money” (the group that covers sending SMS messages and placing phone calls) in an app you presumed was completely free (as in beer), then you’d better click the right-hand (Cancel) button.

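The install screen only shows what the app declared in its manifest, so the same check can be done ahead of time on the manifest itself. Below is an added example (not code from the original post or from Google) that parses a constructed AndroidManifest.xml and buckets the declared permissions the way the install screen groups them. The grouping sets, the sample “flashlight” manifest and the `expected` parameter are assumptions for illustration. It reads the plaintext manifest from a project tree; the copy inside a packaged APK is binary XML and needs aapt or apktool first.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Grouping is an assumption modelled on the install-time permission groups of
# the period; extend it with whatever you consider sensitive for your users.
COST_MONEY = {
    "android.permission.SEND_SMS",
    "android.permission.CALL_PHONE",
}
PRIVATE_DATA = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed sample manifest for a hypothetical flashlight app that asks for
# far more than a flashlight needs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Flashlight"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the sorted list of permissions declared in a plaintext manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    )


def audit(manifest_xml, expected=()):
    """Bucket declared permissions the way the install screen groups them.

    `expected` is the set of permissions the app's stated purpose justifies;
    everything outside it is listed under "unexpected" for a human to judge.
    """
    perms = set(declared_permissions(manifest_xml))
    return {
        "cost_money": sorted(perms & COST_MONEY),
        "private_data": sorted(perms & PRIVATE_DATA),
        "unexpected": sorted(perms - set(expected)),
    }


def should_cancel(manifest_xml, expected=()):
    """Mirror the user's decision: anything that can cost money or read
    private data and is not justified by the app's purpose means Cancel."""
    report = audit(manifest_xml, expected)
    risky = set(report["cost_money"]) | set(report["private_data"])
    return bool(risky - set(expected))


if __name__ == "__main__":
    justified = {"android.permission.INTERNET"}
    for bucket, names in audit(SAMPLE_MANIFEST, justified).items():
        print("%-13s %s" % (bucket + ":", ", ".join(names) or "-"))
    print("Cancel?", should_cancel(SAMPLE_MANIFEST, justified))
```

Run against the sample manifest, the report puts SEND_SMS under cost_money and the contacts and location permissions under private_data, and `should_cancel` returns True; it only returns False once every risky permission is in the set the app's purpose justifies.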

Health Information Insecurity

A colleague lent me his most recent copy of IEEE’s Computer magazine.  Inside was an article entitled A Web 2.0 Model for Patient-Centered Health Informatics Applications (IEEE membership required to read).  Some possible benefits of their proposed approach were listed, including:

  • Run deeper analytics across physicians groups and facilities, which can include relevant patient data…
  • Provide a wide community of health professionals with feedback on the use and effectiveness of protocols…
  • Share similar and alternative protocols and their analyses across many medical facilities and individual providers…

Anyone want to guess what’s completely missing from their approach?  You guessed it, any mention of security.  The commonly misunderstood (and frequently misspelled) HIPAA makes it pretty clear that the privacy and confidentiality of personal health information must be protected.  Even without HIPAA, it would just make good sense to be extra careful when sharing information and running data mining and analytics across large sets of health information.

The only mention of keeping information safe in the article is the fact that there is a division of data between the protocol, protocol modifications, and actual patient data – but it is very difficult to draw such bright, clear lines when it comes to medical records and information.  How can you be sure the protocol modification a doctor submits won’t include information on the patient it was tried on?  Without even mentioning or considering the need for the protection of privacy, confidentiality, and data integrity within such a system, the authors of this article have done themselves and the software community a disservice.  Security requirements and threats must be considered at every phase of the life cycle, especially during the architecture phase.  As Mark Graff and Kenneth van Wyk put it in their book Secure Coding: Principles and Practices,

As a general rule, the hardest vulnerabilities to fix are those resulting from architectural or design decisions. You may be surprised at how many of the vulnerabilities you have heard of we ascribe to errors at “pure think” time.

By publishing an eight-page article in a respected technical journal without any mention of the need for security controls in such a system, the authors have once again helped me with my job security.  It is still difficult for me to foresee the day when security and risk management training programs won’t be necessary, and we won’t need an information security industry.

HTTPS Everywhere

A beta of HTTPS Everywhere was released today. It’s a collaboration between the Tor Project and the EFF.

Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site.

The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

It’s good to see a project like this, especially now that giants like Google have finally stepped up and started offering encrypted (SSL) search. It’s only in beta so far, but it does look very promising.

One thing to watch out for, though: a plug-in like this only rewrites requests for sites it has rules for, so having it installed doesn’t mean every site you visit is going to be secure. You still need to check your browser’s security indicators (the padlock and any certificate warnings) to confirm you’re on a protected site.

Maximize Facebook Privacy

In celebration of Facebook’s recent privacy control revamp, I present a very informative tutorial video from the Electronic Frontier Foundation that gives a brief rundown of the changes, the highs, and the lows. This might also be something beneficial to share with friends or relatives on Facebook who may not be in-the-know about the increased focus on privacy control in social networking and social media.

Enjoy:

Lessons from Google Wi-Fi Gaffe

Lately, Google has been apologizing for mistakenly collecting payload data from unprotected Wi-Fi networks with the fleet of cars the company sent out for its Street View service.  Some have pointed out that companies that left their wireless networks unprotected had no reasonable expectation that their data would not be collected, one way or another.

And so we have another example of what can happen when data and communications are left unprotected.  You’re exposed even to accidental disclosure of information.  What other accidents might occur?  One that comes to mind is accidental loss of bandwidth.  Someone who doesn’t know any better might turn on their laptop and find that they have Internet access.  What they didn’t realize is that they automatically connected to your network, and while they are streaming high-quality video, your employees are struggling to get their work done.

Accidents will happen.  If you must have a wireless network, and you still have not secured it, do something about it (hint: WPA2 with a strong passphrase; WEP does not count, and neither does hiding the SSID).
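A quick way to find out whether your own air space still has open or WEP networks is to classify a scan. The following added example (not from the original post) parses output in the shape that `iwlist <interface> scan` prints on Linux and flags every network that is not WPA2. The scan text, BSSIDs and ESSIDs are constructed sample input; the classification rule (encryption on with no WPA/RSN information element means WEP) is an assumption that holds for that tool’s output.

```python
import re

# Constructed scan output, modelled on `iwlist wlan0 scan` on Linux.
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"CoffeeShop"
                    Encryption key:off
          Cell 02 - Address: 00:11:22:33:44:66
                    ESSID:"AcmeCorp-Legacy"
                    Encryption key:on
                    IE: WPA Version 1
          Cell 03 - Address: 00:11:22:33:44:77
                    ESSID:"AcmeCorp"
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
          Cell 04 - Address: 00:11:22:33:44:88
                    ESSID:"Warehouse-Printers"
                    Encryption key:on
"""

CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")


def parse_scan(text):
    """Split scan output into one dict per access point."""
    starts = [m.start() for m in CELL_RE.finditer(text)]
    chunks = [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]
    cells = []
    for chunk in chunks:
        essid = re.search(r'ESSID:"([^"]*)"', chunk)
        cells.append({
            "bssid": CELL_RE.match(chunk).group(1),
            "essid": essid.group(1) if essid else "",
            "encrypted": "Encryption key:on" in chunk,
            "wpa": "IE: WPA Version" in chunk,
            "wpa2": "WPA2" in chunk,   # the 802.11i / RSN element
        })
    return cells


def classify(cell):
    """Map a parsed cell to open / WEP / WPA / WPA2."""
    if not cell["encrypted"]:
        return "open"
    if cell["wpa2"]:
        return "WPA2"
    if cell["wpa"]:
        return "WPA"
    # Encryption on but no WPA/RSN element: the only thing left is WEP.
    return "WEP"


def needs_fixing(text):
    """ESSIDs of every network in the scan that is not running WPA2."""
    return sorted(c["essid"] for c in parse_scan(text) if classify(c) != "WPA2")


if __name__ == "__main__":
    for cell in parse_scan(SAMPLE_SCAN):
        print("%-20s %-18s %s" % (cell["essid"], cell["bssid"], classify(cell)))
    print("Fix these:", needs_fixing(SAMPLE_SCAN))
```

On the sample scan the coffee shop is open, the legacy network is WPA (TKIP-era), the printer network is WEP, and only “AcmeCorp” passes. Feed it `iwlist wlan0 scan` output from a laptop walked around the office to get the same list for your own site.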

Genealogy Research – aka stalking

Have you ever looked into researching your family tree? Have you noticed what kind of information you can find out about people, especially older people who have been around since the 1930 census (and, pretty soon, the 1940 census)? Upon death, social security numbers are published in the Social Security Death Index, and some of that information is still useful. For example, my father passed away in 2000, and my mom still receives social security benefits based on his SSN, which is now public information. All of the joint accounts they had together are, for the most part, still under his SSN. That would make it easy to steal the identity of a dead person. The SSDI is supposed to prevent that, but it doesn’t always work.

Additionally, genealogy searches turn up information about living people as well, through sources such as the US Public Records Index, which includes current address information and birthdate: all useful if you’re searching for someone. By default, most web sites “hide” living relations in your family tree, but you have the option to make them public (and the sites give you incentives to do so, since it helps you find out more about your family).

If you’re interested in genealogy, try using some of those research skills to find information about someone who is not in your family tree (the older they are, the more likely you’ll find something); or, if you already know how to find information about people, there are genealogists waiting to talk to you to help them find long-lost relatives.

Personal e-mail at work “OK”?

This has been a debate among policy writers since personal e-mail started to become popular: Can your company monitor/sniff/access your personal e-mail?

Up until this week, it was commonly accepted that you didn’t use company resources to access, read or write your personal e-mail if you didn’t want it to be monitored. However, that seems to have changed, in one specific case. In New Jersey, a woman used her company laptop to exchange messages with her lawyer, through a web-based e-mail account, about an issue at work that later went to court. The company used her e-mail messages, presumably cached on the laptop, as evidence against her in court.

While this is (so far) the first case I’ve heard of like this, it doesn’t mean that every employee’s personal e-mail is private all the time. First, this was the New Jersey Supreme Court, whose ruling only applies in that state, though the case is likely to influence other courts. Second, the e-mail was considered attorney-client communication, which is “sacred” in most cases: a defendant could tell his lawyer that he did murder someone and the lawyer cannot disclose it except under very specific circumstances. Finally, the e-mail was “reasonably” protected: she used a web-based service and did not store the password on the laptop.

While it seems to be a blow to companies’ ability to monitor employee communications, it only applies in specific cases. Either way, as an employee, it’s a better idea to keep your personal e-mail (and personal life) separate from your work life.

New Security Horizons with Geolocation

Last weekend, people from all corners of the technology world converged on Austin, Texas for the 2010 South By Southwest Interactive (SXSWi) conference. Much of the coverage has echoed an old real estate mantra: location, location, location. In a rivalry dubbed the “geolocation wars,” mobile start-ups Foursquare and Gowalla competed for attention as attendees used GPS-enabled phones to record electronic check-ins at various conference events. And while these two players often come up in reports on location-aware social networking, Twitter has begun letting users record where they tweet (giving new meaning to the word “follow”), and sources indicate Facebook will be rolling out a similar feature soon.

Across the Web, sites are adding features that will quite literally put them on the map. And while letting the online world know where you are offline can certainly offer benefits, the sudden overlap raises fresh privacy concerns. One tongue-in-cheek response, aptly named “Please Rob Me,” drew attention to Foursquare users who publicly broadcast when they were not at home. From a security perspective, problems have been observed on several platforms. An early flaw in Google Buzz risked exposing private location data. One researcher noted that Gowalla’s API can apparently override privacy settings, then demonstrated location spoofing. Foursquare does not verify location, making fake check-ins trivial. Foursquare also uses HTTP Basic authentication, which merely base64-encodes the username and password, so anyone sniffing an open Wi-Fi connection can recover logins sent unencrypted over it.

Of course, trailblazing applications are not the only ways people can share their location. Facebook users often leave a trail of event RSVPs that show past places visited. But even on the real-time Web, data can leak accidentally. A study of posts on Twitpic, a Twitter-based photo-sharing service, found that some pictures’ EXIF data included GPS information. In one case, an iPhone snapshot even included compass and accelerometer metrics.
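The EXIF leak is easy to check for before a photo is posted, because GPS coordinates live in a well-defined place: a GPS sub-IFD inside the TIFF-structured Exif segment. The added example below (not code from the study or from Twitpic) builds a constructed Exif blob with a GPS IFD, parses it back into decimal degrees, and wraps it in a minimal JPEG skeleton to show the pre-upload check. The coordinates, the helper names and the minimal JPEG framing are assumptions for illustration, and the parser reads only the latitude and longitude tags.

```python
import struct

GPS_INFO = 0x8825          # IFD0 tag pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, LONG, RATIONAL = 2, 4, 5


def exif_from_jpeg(data):
    """Return the TIFF-structured Exif payload of a JPEG, or None if absent."""
    idx = data.find(b"Exif\x00\x00")
    return data[idx + 6:] if idx >= 0 else None


def _entries(buf, ifd_offset, end):
    """Yield (tag, type, count, value_or_offset, position_of_value_field)."""
    (n,) = struct.unpack_from(end + "H", buf, ifd_offset)
    for i in range(n):
        pos = ifd_offset + 2 + 12 * i
        tag, typ, count, val = struct.unpack_from(end + "HHII", buf, pos)
        yield tag, typ, count, val, pos + 8


def _to_decimal(dms, ref):
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def parse_exif_gps(tiff):
    """Return (lat, lon) in decimal degrees from the GPS IFD, or None."""
    end = "<" if tiff[:2] == b"II" else ">"      # byte order mark: II or MM
    (ifd0,) = struct.unpack_from(end + "I", tiff, 4)
    gps_ifd = next((val for tag, _, _, val, _ in _entries(tiff, ifd0, end)
                    if tag == GPS_INFO), None)
    if gps_ifd is None:
        return None
    fields = {}
    for tag, typ, count, val, valpos in _entries(tiff, gps_ifd, end):
        if typ == ASCII:   # values of 4 bytes or less are stored inline
            raw = tiff[valpos:valpos + count] if count <= 4 else tiff[val:val + count]
            fields[tag] = raw.split(b"\x00")[0].decode("ascii")
        elif typ == RATIONAL:   # pairs of uint32 (numerator, denominator)
            nums = struct.unpack_from(end + "II" * count, tiff, val)
            fields[tag] = [nums[i] / nums[i + 1] for i in range(0, 2 * count, 2)]
    if GPS_LAT not in fields or GPS_LON not in fields:
        return None
    return (_to_decimal(fields[GPS_LAT], fields.get(GPS_LAT_REF, "N")),
            _to_decimal(fields[GPS_LON], fields.get(GPS_LON_REF, "E")))


def build_sample_tiff(lat_dms=(37, 46, 30.0), lat_ref="N",
                      lon_dms=(122, 25, 12.0), lon_ref="W", with_gps=True):
    """Constructed little-endian Exif/TIFF blob: IFD0 -> GPS sub-IFD.

    Layout: header (8) | IFD0 (18) | GPS IFD (54) | 6 rationals (48).
    """
    end = "<"
    gps_off = 8 + 2 + 12 + 4
    data_off = gps_off + 2 + 4 * 12 + 4

    def entry(tag, typ, count, val):
        return struct.pack(end + "HHII", tag, typ, count, val)

    def entry_ascii(tag, ch):
        return struct.pack(end + "HHI", tag, ASCII, 2) + (ch.encode() + b"\x00").ljust(4, b"\x00")

    def rationals(dms):
        d, m, s = dms
        return struct.pack(end + "IIIIII", int(d), 1, int(m), 1, round(s * 1000), 1000)

    header = b"II" + struct.pack(end + "HI", 42, 8)
    if not with_gps:
        return header + struct.pack(end + "HI", 0, 0)   # empty IFD0, no next IFD
    ifd0 = struct.pack(end + "H", 1) + entry(GPS_INFO, LONG, 1, gps_off) + struct.pack(end + "I", 0)
    gps = (struct.pack(end + "H", 4)
           + entry_ascii(GPS_LAT_REF, lat_ref)
           + entry(GPS_LAT, RATIONAL, 3, data_off)
           + entry_ascii(GPS_LON_REF, lon_ref)
           + entry(GPS_LON, RATIONAL, 3, data_off + 24)
           + struct.pack(end + "I", 0))
    return header + ifd0 + gps + rationals(lat_dms) + rationals(lon_dms)


def wrap_in_jpeg(tiff):
    """Minimal JPEG skeleton: SOI, APP1 segment carrying Exif, EOI (constructed)."""
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\x00\x00" + tiff + b"\xff\xd9"


def photo_leaks_location(jpeg_bytes):
    """True when a JPEG carries GPS coordinates in its Exif block."""
    tiff = exif_from_jpeg(jpeg_bytes)
    return tiff is not None and parse_exif_gps(tiff) is not None


if __name__ == "__main__":
    photo = wrap_in_jpeg(build_sample_tiff())
    print("leaks location:", photo_leaks_location(photo), parse_exif_gps(exif_from_jpeg(photo)))
```

The same `photo_leaks_location` check run over the bytes of a real JPEG is the pre-upload gate a sharing service (or a corporate device policy) would want; stripping the APP1 segment before upload is the fix.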

All of these ways to track users, particularly when combined with other content, can create real risks for companies seeking to shield sensitive transactions or avoid corporate espionage. Similarly, those using company-owned devices with GPS capabilities ought to be aware of how such functions are used. With the online world increasingly intersecting the real world through geolocation services, it’s time to figure out what place they have in a secure business environment.

Google Buzz, Privacy, and You

An uproar recently erupted over privacy concerns with Google’s new release, Google Buzz. One of the first to sound the alarm was a blogger who was quite explicit about disliking some of its default options (and by explicit I mean “NSFW language” explicit; the post is here), which prompted some quick changes from Google.  In order to start using Buzz, you have to create or modify your Google public profile, which appears next to all of your activity in the Buzz feed.  By default, the public profile displayed everyone you follow. Chances are you followed everyone in your contact list, so you just made your whole contact list public.  Now, with the new behavior:

A box titled “How do you want to appear to others” will now include a check-box that says “Show the list of people I’m following and the list of people following me on my public profile.” To hide your followers, click the box, or click the “View and edit the people you follow” to customize your account.

The interesting thing here to me is that Buzz is essentially a service like Facebook or Twitter, designed to let other folks know what you are up to.  The fact that there is a privacy uproar around it is somewhat amusing, because it is designed to provide the opposite of privacy – to provide your followers information about what you are doing.  If you don’t want to share this information, don’t use Google Buzz!

I’ll enlist a famous quote from Scott McNealy, then CEO of Sun Microsystems: “You have zero privacy anyway. Get over it.”

It is amusing to me what people – especially young people – are willing to post online.  As a child, my parents once told me that once you say something you can’t take it back.  In today’s Internet-connected age, this holds true and is even more significant: once you say something online, hundreds if not thousands of people will see it instantly, and potentially billions of people will be able to track it down in archives, Google searches, the wayback machine, or in countless other ways.  Be careful what you share online.  Be careful what you say.  It might–probably will–come back to haunt you.

On Password Breaches and Trends

Recently, Imperva released a study (pdf) of the passwords extracted from the December 2009 RockYou security breach, which compromised over 32 million user accounts. The study examined some statistics of the passwords retrieved, including the number and variety of characters used to construct them. The results were pretty bad. Here are the highlights:

-30% of users had passwords made up of 6 characters or less. Brute-force attempts are generally successful against passwords that short.

-Over 50% of passwords were all lowercase or all numbers. This is bad because it shrinks the keyspace: even a password longer than 6 characters is weakened if it draws from a small character set.

On the surface, these two statistics don’t look good at all, especially considering the ease with which an attacker could guess such simple passwords.
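The two statistics above come straight from counting length and character classes over a dump, which is worth being able to do yourself. Here is an added example (not Imperva’s analysis or the RockYou data) that computes the short-password and single-class fractions over a constructed sample list and turns the “keyspace is reduced” point into a number: the bits of search space a brute-forcer must cover given only the length and the character classes in use. The sample list and the class sizes are assumptions for illustration.

```python
import math
import string
from collections import Counter

# Alphabet size contributed by each character class (symbol = punctuation + space).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation) + 1}

# Constructed sample list standing in for a breach dump (hypothetical values).
SAMPLE_PASSWORDS = [
    "123456", "123456", "123456", "password", "iloveyou", "princess",
    "rockyou", "abc123", "Princess1", "12345678", "sunshine",
    "Tr0ub4dor&3", "correct horse battery staple",
]


def char_classes(pw):
    """Set of character classes a password draws from."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def keyspace_bits(pw):
    """log2 of the space a brute-forcer must search knowing only the length
    and which character classes the password uses."""
    alphabet = sum(CLASS_SIZES[c] for c in char_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def summarize(passwords):
    """The report's two headline numbers plus a keyspace figure and top picks."""
    n = len(passwords)
    short = sum(1 for p in passwords if len(p) <= 6)
    single = sum(1 for p in passwords if len(char_classes(p)) == 1)
    bits = sorted(keyspace_bits(p) for p in passwords)
    return {
        "total": n,
        "short_fraction": short / n,
        "single_class_fraction": single / n,
        "median_bits": bits[n // 2],
        "most_common": Counter(passwords).most_common(3),
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_PASSWORDS)
    print("%.0f%% six chars or less, %.0f%% single class, median %.1f bits"
          % (100 * s["short_fraction"], 100 * s["single_class_fraction"], s["median_bits"]))
    for pw in ("123456", "sunshine", "Tr0ub4dor&3"):
        print("%-14s %5.1f bits" % (pw, keyspace_bits(pw)))
```

The bit figure makes the second statistic tangible: a six-digit all-numeric password is under 20 bits, an eight-letter lowercase word about 38, and an eleven-character four-class password over 70. Run `summarize` on the real dump (one password per line) to reproduce the report’s percentages.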

Also, in many cases, a password breach may not just make a user’s account vulnerable on the breached site, but can also lead to their account being compromised on other sites as well (plenty of people use the same password on multiple sites).

However, there is an alternative way to interpret this data. Although there is no way to verify it, it could be that users are starting to weigh both the importance of an account AND the security of the website behind it. Accounts of low significance (a site they signed up on just to play a game) get simple, easy-to-remember passwords, while accounts of greater personal significance (banks, primary e-mail, etc.) get the more robust passwords. Similarly, users may think sites like RockYou are sketchy anyway, and thus more likely to get hacked than more serious sites.

So, in a way, the user could be protecting themselves from a site breach. I know I wouldn’t care if I had a RockYou account and the site got breached since I wouldn’t really use that same password anywhere else important. It may be annoying, but it is much better than knowing that my super-secret 28-character password is sitting on some stranger’s computer simply because somebody left the door open.

So if you think of this report from the perspective of users managing risks reasonably instead of users being victimized, it almost makes sense that 29,000 people had ‘123456′ as a password.