Enabling Secure Business Operations

Getting around IT?

July 30th, 2007

The Wall Street Journal had an article today on Ten Things your IT Department Won’t Tell You (I was able to access it without a username, but YMMV). First off, the article is talking about circumventing your company’s IT security policies – in many cases, this means saying goodbye to your job. In other cases, it means serious legal trouble for you and your company.

All companies have sensitive information – formulas, financial data, processes, etc – for example, the Coca-Cola formula. This information is labeled sensitive or secret for a reason. In the case of companies, this information makes or breaks the company. In the case of the government, it protects everyone in the country. In a lot of cases, these policies are protecting your social security number, credit card information, or identity.

There are two ways this information can get out of the company. 1) Someone breaks into the company (physically or over the network) and steals it. 2) They find the information in the “public”. Many of the tactics given in the WSJ article make it easier for the above to happen.

Let’s just go through the tactics one by one and why policies tend to prohibit that particular action.

1. Sending Giant Files. Yeah, it’s annoying that company mail servers can’t send files as large as Gmail can, but disk space, and the capability of backing up that disk, are not cheap. Most servers use SCSI disks, which run about twice what those cheap consumer grade disks you buy from CompUSA do. Most employees do not need to be sending files larger than 5MB (the typical quota). If your company or job requires you to be sending larger files – tell your IT department, and tell them why! They can adjust the quotas to better fit your business needs. Placing your files on an external server such as YouSendIt allows people other than your intended recipient to read the file. And, unless the company is taking precautions, anyone who can break into those servers can also read it. Many company policies permit files/information to leave the network if they’re encrypted, so at least encrypt the data before you send it out of your network!

2. Using software your company won’t allow. There are typically two reasons for this one. 1) Companies want their employees to work, and installing video games on company computers won’t get much work done. 2) A lot of software has spyware that will make your system vulnerable. Take for example the recent Pfizer case where an employee’s spouse installed P2P software and SSNs were shared. Point is, the IT department vets all the “approved” software to make reasonably sure that there is no spyware or other malicious software along for the ride. What you can do: If you need a specific piece of software to do your work, talk to your manager and your IT department about it. If you really need it for your job, you’d be surprised at what they’ll let you install. If there’s just something you have to have that IT won’t approve – there’s probably a darn good reason.

3. Visiting blocked web sites. There are many web sites that other people may feel offended by, and it’s a legal liability to allow you to visit those sites. The whole “you’re supposed to be at work” thing comes into play here as well. If you should be surfing for work, you probably have access. Web sites sometimes take advantage of bugs in browsers to retrieve information they shouldn’t have access to. And if your company is like most larger companies, they aren’t always running the most up-to-date software. They’re really trying to protect you as best they can. If you need to get to a blocked site for work purposes, talk to the IT department; they can probably work something out with you.

4. OK, this one I agree with on principle, privacy nut that I am. You should always clear your cookies and browsing history, whether on your work machine or home machine. But here we get back to the fact that your company has the right to watch all traffic going in and out of the computer/laptop/network. If you know you shouldn’t be doing it, removing your browser cache isn’t going to help.

5. Accessing your work computer from home. OK, this one I have a major problem with. If you can search your files, so can other people. I don’t care if you have a password on it. Unless you know what you’re doing, the password probably isn’t strong enough. Also, even the metadata (Title, author, etc) of a document can be considered sensitive. Imagine a company memo titled “Details of how the hackers broke in and stole all of our customers’ SSNs.doc”. With some of the naming conventions I’ve seen, this title isn’t that far-fetched. Just the existence of that file is a lawsuit waiting to happen. If you need to access your work files from home, 1) get yourself a company asset – laptop or desktop – to use for it, and 2) get some kind of secure connection to your office, whether that’s dial-up or a VPN. Most companies have remote access for their employees, and if they don’t, consider whether you really need to access the files from home. On top of that, unless you are a security expert (and even if you are), your home computer is not as well protected as a company system is. It’s just another opportunity for the sensitive information to be stolen.

6. Posting company information to a public server. If you do this, you deserve to be fired. The place you’re posting to may not have the same protections as your company servers, or even your company laptop. Most of these don’t even use SSL to transfer your files. You are not the only one with access to these servers.

7. Tracking employee communications. The article is right – this option is to catch people who are sending company information out. In many cases, you have to send company information out. In all these cases, you should use encryption. In the course of my typical day, I send about 10-15 e-mails to clients or co-workers discussing client confidential information. There are places for transmitting information, but make sure you know what they are and if you have the right/permission to send that information. The extremely long legal disclaimer at the bottom of your e-mail does absolutely nothing. If someone wants to keep/use that information, they’ll just ignore it.

8. NEVER EVER forward your company e-mail to a 3rd party service. Many policies require e-mail to be deleted after 90 days. There is an actual legal reason for this (one I don’t necessarily agree with, but it’s there). If there’s no e-mail trace, it didn’t happen. It’s called plausible deniability, aka Cover Your Ass. The archiving requirements of the third party may not agree with your company’s. Also, the access to the e-mail isn’t controlled as tightly. I’m sure many of you have heard of people losing their gmail/yahoo/hotmail account passwords – which someone else then helped themselves to. The web-mail services are good, but are they as good as your company’s? Are you willing to take that chance? On top of that – anyone who’s watching their mail server logs closely will notice that you’re forwarding to outside the company, and then you’ll be handed your pink slip pretty darn soon. If you need to access your e-mail from home, that’s what a laptop and dial-up or VPN is for.

9. Plugging external devices – whether USB, Blackberry, etc – into your work computer may or may not be covered in your security policies. The primary reason for forbidding this is that you can bring viruses and spyware into the company. Then this software has free rein of your network to find and share sensitive files. It’s not just your security you’re trusting any more, but everyone else’s as well. And last I checked, not everyone’s a security expert – that’s why I still have a job ;)

10. I can’t really help you with this except to suggest you find another job where you’re challenged enough to not be bored.

Most companies have really good reasons for the security policies they adopt. Find the IT group and ask why a policy is the way it is. If they can’t tell you, find out who can. If no one can, maybe it’s a bad policy and should be changed. IT security people realize that you have to get your work done too, so if a policy is interfering with you getting your work done, approach them and ask how you can do the same thing within their policies. Most of them are more than willing to work with you to let you get your work done.

E-Signatures vs. Digital Signatures

July 4th, 2007

Tuesday July 3’s Wall Street Journal had an article entitled “Signing Up for E-Signatures”. You can read the WSJ excerpt here, or go to this person’s blog who has copied the whole thing.

The software for computerizing pen-and-ink signatures on contracts, mortgages and other important documents was too complicated for most people to use…

I have just written a letter to the editor to respond to this article. Here is what I wrote:

Dear Editor,

I happened to read Ms. Buckman’s article “Signing Up for E-Signatures” in Tuesday’s Wall Street Journal. I would like to provide some information on the drawbacks and alternatives to E-Signatures. My company, Gemini Security Solutions, Inc., is a small information security consulting firm focused on the life sciences and financial sectors. As a result, we work closely with customers that have to make decisions about signing technologies on a regular basis.

The largest problem with E-Signatures is that it essentially locks the user into using and maintaining one single vendor’s solution forever. I’ll provide an example from the pharmaceutical sector. 21 CFR Part 11 (the FDA regulation on electronic records and electronic signatures) requires “accurate and ready retrieval throughout the records retention period.” A common minimum records retention period in the pharmaceutical industry is two years beyond the ‘life of the product’. In the case of medical devices inserted into individuals (intraocular lenses, stents, etc.) this would be the remaining lifetime of the patient—in some cases 75+ years.

E-Signatures do not bind the information which is signed to the identity of the signer. They just make a reference of the fact that at a given date, a given user signed or approved a record. The system and information must be protected to ensure authentication of the user is done accurately, and careful logging is performed to give auditors something to examine if a record comes into question later. However, there are no standard mechanisms for performing the authentication of the users, and no standard formats for storing the E-Signature or even the logging information. If you wish to examine the validity of a signature after a certain date, you either have to use the same product that captured it, or reverse-engineer their formats. In 21 CFR Part 11, E-Signatures are only permitted in “closed systems”, meaning the electronic records will never be leaving that system.

E-Signatures should be contrasted with Digital Signatures. Digital signatures require the use of a public key infrastructure (PKI) and use certificates and private keys to provide stronger signature capability suitable for open as well as closed systems. A digitally signed record binds the signer’s identity to the data they sign. Any change to the data can be instantly detected and the signature invalidated (as opposed to E-Signatures, where only a careful examination of the logs by an auditor will reveal this change, assuming the change is made through the product and not at some lower level). Standard interoperable formats such as Cryptographic Message Syntax (CMS) can be used, allowing the movement of signed records between systems and between vendors.

Much fuss has been made about the difficulty of managing a PKI, certificates, and smart cards. The last seven years have brought great strides in the simplicity and commoditization of security technologies such as PKI. Modern operating systems (Windows, OSX, etc.) all come with PKI support throughout the desktop — PKI is used behind the scenes to validate signed executables, secure websites, etc. Applications such as Microsoft Office, Adobe Acrobat, and many others come with support for PKI-based digital signatures and encryption. While PKI technology can be used for authentication, signatures/approvals, and confidentiality, E-Signatures only provide a solution for signatures/approvals. A PKI can enable organizations to replace all passwords with certificate-based authentication, and provide the capability to perform persistent digital signature and strong encryption. The cost savings in avoiding password resets alone can often provide a sufficient return on investment, and combining this with the advantages of using electronic workflows and documents instead of pushing paper makes clear the value of PKI.

Sincerely,

Peter Hesse
President, Gemini Security Solutions, Inc.
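To make the contrast in the letter concrete, here is an added Go example (mine, not part of the letter and not Gemini’s code) that models both approaches side by side: an e-signature as a log entry that merely records who approved which record when, and a digital signature that is computed over the record’s content and so fails the moment the content changes. The record, the user name and the ECDSA P-256 key are constructed for the example; a real deployment would use a certificate-backed key and wrap the result in CMS, which is not shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is a constructed electronic record (e.g. a batch release form).
type Record struct{ Title, Body string }

// ESignature models the e-signature the letter describes: a log entry saying
// that a given user approved a given record on a given date. Nothing in it is
// derived from the record's content.
type ESignature struct{ User, Date, RecordID string }

// digest hashes exactly the content the digital signature covers.
func digest(r Record) []byte {
	h := sha256.Sum256([]byte(r.Title + "\x00" + r.Body))
	return h[:]
}

// DigitalSign binds the holder of priv to the record's content (ECDSA P-256).
func DigitalSign(priv *ecdsa.PrivateKey, r Record) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, digest(r))
}

// DigitalVerify returns false as soon as any byte of the record differs
// from what was signed, or the signature came from another key.
func DigitalVerify(pub *ecdsa.PublicKey, r Record, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(r), sig)
}

// ESignStillValid mirrors what an e-signature system can check later: that an
// approval entry exists for this record ID. A content change is invisible to it.
func ESignStillValid(e ESignature, r Record) bool { return e.RecordID == r.Title }

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rec := Record{Title: "Batch-42 release", Body: "Potency 98.7%"}
	sig, _ := DigitalSign(priv, rec)
	es := ESignature{User: "qa.lead", Date: "2007-07-03", RecordID: rec.Title}
	fmt.Println("original:", DigitalVerify(&priv.PublicKey, rec, sig), ESignStillValid(es, rec))
	rec.Body = "Potency 89.7%" // a later edit to the record body
	fmt.Println("tampered:", DigitalVerify(&priv.PublicKey, rec, sig), ESignStillValid(es, rec))
}
```

The first line prints `true true`; after the edit it prints `false true`, which is exactly the gap the letter describes: the log entry still says the record was approved, while the digital signature no longer verifies.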

iPhone independence day

July 4th, 2007

DVD Jon has been able to activate an iPhone without activating its phone features so that you can use the iPhone as a wifi-enabled PDA/iPod.

Combined with the fact that users have already found the name and password for two accounts, including root, you have to wonder how long until either:

  • a Skype or other VOIP program will be able to run on the iPhone using only its wifi capability
  • the iPhone can be truly unlocked and run on any GSM phone network (not just AT&T/Cingular)

Handwriting Recognition For Password Authentication

July 2nd, 2007

Pretty neat – allowing a user to recognize their own handwriting to authenticate themselves.

On the contrary, Dynahand needs no extra hardware or memory. You simply need to submit a variety of handwriting samples to open a Dynahand account. And to log on you need to select your own handwriting from the list displayed.

Of course there are many problems with this – family, friends, and even ex-boyfriends will probably know what your handwriting looks like. You could however write in a certain way that you’re sure to recognize – maybe dot your “i”s a bit to the left or something like that. It takes time to set up though, and is best as a goodie to protect items that are likely to get into the hands of strangers – PDAs and laptops for example.

[via Slashdot]