
07/21/08 06:15 PM

Dangers of Single Sign On

Posted by Nick Staples

I’ve always been a bit skeptical about single sign-on solutions, especially when they are the only thing standing between a would-be attacker and their goal. To me, the idea of a single sign-on solution linking a user to multiple subsystems represents a dangerous risk. A compromise at one point would propagate to other systems instantaneously. However, that doesn’t stop people from relying on them.

For example:

Winchester and Eastleigh Healthcare NHS Trust has deployed a single sign-on solution from Evidian to simplify access to key hospital applications, enabling 2,500 staff to better focus on the delivery of essential frontline healthcare services.
...
With 1,700 clinicians at the Trust requiring access to up to 14 different healthcare applications on a day-to-day basis to carry out key services, the Enterprise SSO solution from leader in identity and access management Evidian enables clinicians to use all web-based services with a single user log-in and password.

A single sign-on solution for a hospital or clinic may certainly make things easier for staff— potentially decreasing mistakes and allowing things to flow more smoothly. However, the idea that one person’s password holds so much power is disturbing. I think perhaps it may be best to find some way to compromise. The inherent risk of a single sign-on solution can’t necessarily be overcome— accounts are linked, so access to one means access to all. However, I do believe the risk can be reduced through other methods. A multi-factor authentication system could help harden a single sign-on system like this, especially when the private data of patients might be at stake.

Making things more convenient doesn’t always mean making them less secure.

07/14/08 02:07 PM

Advertisers and ISPs don't care about privacy (surprise!)

Posted by Walt Turnes

I hate being advertised to. I can’t watch cable TV (which I already pay for), listen to the radio (even subscription satellite radio has ads now), goof off on the internet, play a video game, drive in my car, read a magazine, buy groceries, or check my e-mail/snail mail/answering machine without being bombarded by coupons, billboards, commercials, in-game ads, Google AdWords, spam, telemarketing, and third class junk mail. The sad fact is, advertising is everywhere.

Opinions and research vary widely on the question of how many advertisements Americans see during a typical day, with estimates ranging from a few hundred to a few thousand. (via Google Answers) So, it’s no surprise that the advertisement industry is always trying to come up with new and innovative ways to get you to see or listen to their pitch.

One new approach in the internet arena is behavior tracking – a system in which the advertisers work with your ISP to analyze your online behavior to target ads at you (Read about the debate in Congress here). I understand the need of ISPs to maintain logs for legal reasons, but sharing this type of information with anyone, least of all for the purpose of more ads is extremely distasteful to me.

The security problems surrounding spam (another annoying, ubiquitous form of advertising) are difficult enough to deal with. Now I have to deal with (more) privacy implications of ISPs tracking browsing behavior and sharing this with third parties? I wonder how much more degraded the state of security and privacy on the internet has to get before I have to scale back my activities to the essentials, like e-mail and online banking.

And now, for some Futurama:
Leela: Didn’t you have ads in the 21st century?
Fry: Well sure, but not in our dreams. Only on TV and radio, and in magazines, and movies, and at ball games… and on buses and milk cartons and t-shirts, and bananas and written on the sky.
But not in dreams, no sirree.

07/11/08 05:49 PM

How Effective is the Do Not Call List Anyway?

Posted by Nick Staples

According to the Federal Trade Commission’s report (pdf), it gets the job done.

Of the 72% of Americans who had registered their telephone numbers for the “Do-Not-Call Registry,” 18% reported that they currently received no telemarketing calls, 59% reported that they still received some, but far fewer than before they signed onto the Registry, and 14% said they received some, but a little less than before they registered. In addition, when asked about renewing their registrations, 25% of registered consumers had already renewed and 71% were planning to renew.

I’ve never actually added my number to the registry because I didn’t feel a need to. I rarely get calls from solicitors and I tend to screen calls from unknown numbers anyway. But recently, I’ve been experiencing an increase in strange calls with unrecognized numbers. My typical reaction is to google the number or visit whocallsme.com — this usually tells me if it’s a telemarketer or not. But if this keeps up, I might consider adding my number to the list.

From a privacy standpoint, the existence of the list itself is important. Many people view unsolicited calls as an invasion of their privacy. The fact that so many people have placed their numbers on the registry indicates that people respond well to methods of privacy protection that are both easy to use and effective. If protecting your bank statement from dumpster divers, or protecting your phone from wiretaps was as simple as signing an opt-out list, perhaps there would be a decrease in cases of privacy violations and an increase in the number of citizens that feel secure.

07/07/08 04:46 PM

Security and Human Behavior

Posted by Mike Markiewicz

Last week, the world’s top computer scientists gathered to discuss security and the weaknesses created by putting it in the hands of people. It was the first “Security and Human Behavior” conference, and many experts on human behavior were invited to help the attendees understand how criminals use social engineering to circumvent security technology.

Here are some interesting topics that came out of this conference:

A study soon to be published will reveal when we are more likely to surrender private information about ourselves. One conclusion was that we are more likely to answer private questions when we are not given any assurance of confidentiality because it makes us suddenly aware of our privacy.

Another set of research looks into the question of improving the fallback password system that many sites employ. Instead of asking questions that might even be difficult for the true user to answer, the proposed method has the user choose things that they like and dislike from a list.

Finally, this MSNBC posting reveals a new idea in security training that was presented at the conference. Instead of periodic reminders to be wary of phishing and e-mail attachments, companies may attempt to fool their own employees. Those who fail the tests would learn by shame or possibly by hearing about it in an employee review.

07/03/08 03:42 PM

Lost Laptops at Airports

Posted by Nick Staples

Dell recently sponsored a study on the number of laptops lost in airports. The findings are a little surprising— apparently, they estimate that over 12 thousand laptops are lost each week at airports across the United States.

The source study can be read here. (pdf)

Potentially more frightening is the fact that the majority of these laptops go unclaimed and are eventually “disposed of.” According to the study:

Only 33% of laptops lost and found in airports are reclaimed. The other 67% of subsequently found laptops remain in the airport until they are disposed of. As a result, there are potentially millions of files containing sensitive or confidential data that may be accessible to a large number of airport employees and contractors.

This goes beyond the loss of physical data. Sure, the laptops cost money, and losing one will always carry at least the monetary cost of the hardware. But, the fact that these laptops can (and probably do) contain some sensitive information is certainly more worrisome. Either private data belonging to the owner, or private data belonging to the company the owner might work for may be at risk.

It seems perfectly possible for a shady individual to walk up to the “lost and found,” give a detailed description of a common laptop make and model, and walk away with a shiny new laptop that might contain information worth more than the device itself.

With the rapid explosion of the laptop / portable-computer industry, it becomes more and more important for users (and companies) to safeguard the information stored on them. For the average user with little technical knowledge, an often overlooked technique would be the simple act of labeling the laptop with their contact information. At least this would allow a good Samaritan or the airport staff to potentially return it to the rightful owner.

06/24/08 02:11 PM

Nothing to hide?

Posted by Peter Hesse

This is probably off-topic for this blog. You’d probably expect this on Schneier’s blog instead.

If you have some time, go download and read this excellent paper: "I've Got Nothing to Hide" and Other Misunderstandings of Privacy written by Professor Daniel Solove of the George Washington University Law School.

[T]he problem with the nothing to hide argument is the underlying assumption that privacy is about hiding bad things. Agreeing with this assumption concedes far too much ground and leads to an unproductive discussion of information people would likely want or not want to hide. As Bruce Schneier aptly notes, the nothing to hide argument stems from a faulty “premise that privacy is about hiding a wrong.”

The deeper problem with the nothing to hide argument is that it myopically views privacy as a form of concealment or secrecy. But understanding privacy as a plurality of related problems demonstrates that concealment of bad things is just one among many problems caused by government programs such as the NSA surveillance and data mining.

Your government is working so hard to prevent terrorism that they are trampling your rights to privacy. I used to be in the ‘nothing to hide’ camp, but we are clearly slipping quickly down this slope into dangerous territory. Another quote from the paper:

The potential future uses of any piece of personal information are vast, and without limits or accountability on how that information is used, it is hard for people to assess the dangers of the data being in the government’s control.

Election day is coming, folks. Making changes in Washington is the only way to tell the government we are more afraid of losing our rights than we are of terrorism. Ben Franklin said “Those who desire to give up freedom in order to gain security will not have, nor do they deserve, either one.”

06/12/08 09:59 AM

Data breach research

Posted by Laura Bowser

Verizon Business has released a first-of-its-kind study (Press Release) on data breaches. They reviewed over 500 investigations on hundreds of corporate breaches. Their results were surprising:
73% were from external sources, while only 18% were insiders. 39% of the breaches were because of business partners. However, within the internal sources, the breakdown was that 50% of breaches were caused by the IT admin, and 41% by employees (I guess the IT admin doesn’t count as an employee?). Within the business partner category, 57% of breaches were from a partner asset or connection.

Whoa – you mean a company could break into my system through a business partner’s system? </sarcasm> A lot of people (and companies) don’t realize this. They don’t verify the security of the third parties they deal with. This is very important to evaluate, especially if the business partner has access to your data – even if it stays on your network.

This is a first-of-its-kind report, and it will probably be one of the few, as companies do not make this information public, so only investigators have access to this kind of data.

The research was done by the Verizon Business Investigative Response team on cases that they were directly involved with over 4 years (2004-2007).

The report is fairly short, and only includes aggregated data, but it’s well worth reading to see what “really” happens. What I’d like to see is a better breakdown of their client demographics – like company revenue rather than just company type and size.
