These concerns over privacy were reflected in users’ fears while surfing, with theft of personal information the most commonly cited concern by over one quarter of respondents. Another quarter feared viruses and worms. Nearly one fifth were worried about spyware, while scams and fraud ranked slightly lower (13 per cent). Only 8 per cent found spam something to be afraid of, rather than just a nuisance (Figure 1, left chart), perhaps reflecting a grudging acceptance of spam or improvements in filtering.

Such fears lead 64% of respondents to avoid some online activities.

Promoting Global Cybersecurity: ITU announces results of global survey and launches cybersecurity gateway on World Telecommunication Day 2006, ITU Press Release, Geneva, 17 May 2006
Local IPTV
The Internet television story, even as written here in columns going back as far as the late 1990s, pushed the idea of enabling the aggregation of widely-dispersed viewing audiences, allowing programming to thrive that might not be successful on any local station, much less on the national network. A good example is NerdTV, which wouldn’t attract enough viewers on most PBS stations to even generate a rating, yet when offered as an Internet download, drawing from a global population, makes some pretty good numbers. But there is no concept called “local” in this aggregation model, so stations tend to feel threatened by it; if the network can reach local viewers directly, what need is there for a local station?

What about the opposite of NerdTV? Local football!

But it doesn’t have to be that way, because the supposed strengths of centralization aren’t really strengths at all when viewed in terms of the much more imposing issue of bandwidth costs, where all the advantages are local.

Local Heroes: Could the Key to Successful Internet Television Be…PBS? By Robert X. Cringely, PBS, June 8, 2006
Proactive Honeypotting
Strider HoneyMonkey is a Microsoft Research project to detect and analyze Web sites hosting malicious code. The intent is to help stop attacks that use Web servers to exploit unpatched browser vulnerabilities and install malware on the PCs of unsuspecting users. Such attacks have become one of the most vexing issues confronting Internet security experts. Strider HoneyMonkey is a project of the Cybersecurity and Systems Management group in Microsoft Research.

Instead of waiting around for attacks to happen, this project emulates average users in web browsing, and catches spyware and attacks that occur as a result. Sort of a proactive honeypot. Clever.

Strider HoneyMonkey Exploit Detection, Microsoft Research
This goes beyond traditional Internet security, which normally builds forts and waits for the enemy to attack. This project sends out multiple scouts to entice the enemy to attack ambushes. This is real intelligence, and moves into risk management.
-jsq
PS: Thanks, Chez, for the pointer.
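The "catch what the browsing session left behind" step can be done as a before/after state diff: snapshot the monitored tree, let the emulated browser visit one URL, and flag anything that changed outside the browser's own cache. This is an added illustration in Python, not HoneyMonkey's code; the directory names, the two stand-in browser sessions and the assumption that a drive-by install persists outside the cache are all constructed.

```python
"""Minimal client-honeypot detector (added example, not Microsoft's code).

Assumption: a drive-by install leaves persistent state behind, such as a new
file outside the browser's cache or a new auto-start entry. We snapshot the
monitored tree, run one browsing session, and report every change that is
not under an allow-listed browser directory.
"""
import hashlib
import os
from pathlib import Path


def snapshot(root: Path) -> dict[str, str]:
    """Map every file under root (posix relative path) to its SHA-256."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            snap[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def suspicious_changes(before, after, allowed_prefixes):
    """Paths created or modified by the session that are not browser cache."""
    changed = [p for p, h in after.items() if before.get(p) != h]
    return sorted(p for p in changed if not any(p.startswith(a) for a in allowed_prefixes))


def visit(root: Path, url: str, session) -> list:
    """Run one browsing session against url and return its suspicious side effects."""
    before = snapshot(root)
    session(root, url)  # the (emulated) browser visiting url
    return suspicious_changes(before, snapshot(root), allowed_prefixes=("browser/cache/",))


# Constructed sessions standing in for a real browser; a real monkey would also
# watch registry auto-start keys and new processes, which is out of scope here.
def benign_session(root: Path, url: str) -> None:
    (root / "browser/cache").mkdir(parents=True, exist_ok=True)
    (root / "browser/cache/index.html").write_text(f"<html>{url}</html>")


def driveby_session(root: Path, url: str) -> None:
    benign_session(root, url)
    (root / "system32").mkdir(parents=True, exist_ok=True)
    (root / "system32/updater.exe").write_bytes(b"MZ...constructed placeholder...")
    (root / "autostart.txt").write_text("updater.exe\n")


def demo(tmp: Path) -> dict:
    """Visit one URL with each session in its own sandbox; return flagged paths."""
    results = {}
    for name, sess in (("benign", benign_session), ("driveby", driveby_session)):
        box = tmp / name
        box.mkdir(parents=True, exist_ok=True)
        results[name] = visit(box, "http://example.invalid/", sess)
    return results
```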
USB Social Engineering
Why bother with traditional social engineering, when you can let a USB drive do it for you?
It was really amusing to watch the reaction of the employees who found a USB drive. You know they plugged them into their computers the minute they got to their desks.
I immediately called my guy that wrote the Trojan and asked if anything was received at his end. Slowly but surely info was being mailed back to him.
Social Engineering, the USB Way, Steve Stasiukonis, darkreading, 7 June 2006
So much for the traditional network perimeter.
-jsq
PS: Thanks, Johnny.
VoIP CALEA Considered Risky
In order to extend authorized interception much beyond the easy scenario, it is necessary either to eliminate the flexibility that Internet communications allow, or else introduce serious security risks to domestic VoIP implementations. The former would have significant negative effects on U.S. ability to innovate, while the latter is simply dangerous. The current FBI and FCC direction on CALEA applied to VoIP carries great risks.

Which is more valuable? A free, extensible, and relatively secure Internet, or one controlled by a state?

Security Implications of Applying the Communications Assistance for Law Enforcement Act to Voice over IP, by Steve Bellovin, Matt Blaze, Ernie Brickell, Clint Brooks, Vint Cerf, Whit Diffie, Susan Landau, Jon Peterson, John Treichler.
Mega-Cats: What is Insurable?
There have been and will continue to be large scale disasters that the insurance industry is entirely capable of absorbing, including significant levels of terrorism and hurricane losses, as has been demonstrated with the events of 9/11 and the most recent hurricanes. What needs to be the focus of the discussions is the level of exposure that is above the insurance industry’s capacity, such as the mega-cat hurricanes (see here) hitting the most exposed areas that the experts are concerned about. There has not been much distinction between these exceedingly rare events and other catastrophes that the insurance industry can absorb – but may not want to.

And of course there’s the question of whether mega-cats will remain exceedingly rare or whether with climate change they will become more frequent.

Hurricanes Insurable? 8 June 2006
-jsq
Encryption Cheaper Than Cleanup
Interesting post in Emergent Chaos about whether encryption really is cheaper than cleaning up after identity theft or other breaches of security. The bottom line seems to be that we don’t know the bottom line, because we don’t have a good handle on the costs of breaches and we know even less about how many breaches there really are.
It seems to me that encrypting large datasets on backups, or when mailing them by e.g. UPS to another location, is so trivially easy that it should be worth it to increase resilience as simple risk management.
Some aspects of risk management can’t be easily quantified, so decisions have to be made anyway. Just doing it like it has always been done is a decision, too.
-jsq
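Encrypting a backup before it leaves the building really is a few lines of shell. This is an added example, not from the post, and it assumes tar plus an OpenSSL 1.1.1 or newer `openssl` binary (for `-pbkdf2`), with the passphrase kept in a file that stays on-site; the sample data is constructed.

```shell
#!/bin/sh
# Added example: encrypt a backup tree with a passphrase-derived key before
# shipping it off-site. Assumes tar and openssl >= 1.1.1 (for -pbkdf2).
set -eu

# make_sample_backup <dir>: constructed sample data standing in for a real dump
make_sample_backup() {
    mkdir -p "$1/customers"
    printf 'id,name,card_last4\n1,Alice,4242\n2,Bob,1881\n' > "$1/customers/list.csv"
    printf 'db dump from 2006-06-08 (constructed)\n' > "$1/README"
}

# encrypt_backup <dir> <passfile> <out.enc>
# AES-256-CBC with a random salt and a PBKDF2-derived key; only <out.enc> ships,
# the passphrase file stays on-site. Note that `openssl enc` does not
# authenticate the ciphertext: HMAC or sign <out.enc> separately if tampering
# in transit matters, not just disclosure.
encrypt_backup() {
    tar -C "$(dirname "$1")" -cf - "$(basename "$1")" \
      | openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
          -pass "file:$2" -out "$3"
}

# decrypt_backup <in.enc> <passfile> <destdir>; fails on a wrong passphrase
decrypt_backup() {
    plain=$(mktemp)
    if ! openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
            -pass "file:$2" -in "$1" -out "$plain" 2>/dev/null; then
        rm -f "$plain"; return 1
    fi
    mkdir -p "$3"
    tar -C "$3" -xf "$plain" || { rm -f "$plain"; return 1; }
    rm -f "$plain"
}

# roundtrip_ok <dir> <passfile> <secret>: encrypt, restore, and confirm the
# restored tree is byte-identical and <secret> does not appear in the ciphertext.
roundtrip_ok() {
    work=$(mktemp -d)
    encrypt_backup "$1" "$2" "$work/backup.enc"
    decrypt_backup "$work/backup.enc" "$2" "$work/restore"
    rc=0
    grep -q "$3" "$work/backup.enc" && rc=1
    diff -r "$1" "$work/restore/$(basename "$1")" >/dev/null || rc=1
    rm -rf "$work"
    return $rc
}
```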
The Internet Freeway
Leave it to Larry Lessig to sum up the net neutrality discussion:
Now Congress faces a legislative decision. Will we reinstate net neutrality and keep the Internet free? Or will we let it die at the hands of network owners itching to become content gatekeepers? The implications of permanently losing network neutrality could not be more serious. The current legislation, backed by companies such as AT&T, Verizon and Comcast, would allow the firms to create different tiers of online service. They would be able to sell access to the express lane to deep-pocketed corporations and relegate everyone else to the digital equivalent of a winding dirt road. Worse still, these gatekeepers would determine who gets premium treatment and who doesn’t.
No Tolls on The Internet, By Lawrence Lessig and Robert W. McChesney, Washington Post, Thursday, June 8, 2006; Page A23
It’s that last sentence that is the real rub. We’ve always had different speed connections to the Internet. What could happen now is that telcos could decide who gets which speed and which quality of service based on who they are and what content they are providing, not just on whether they can pay the price.
Sprinkling Rationality
Here’s an interesting obituary about a fellow who ran a book club for intellectuals in the former eastern bloc:
George C. Minden, who for 37 years ran a secret American program that put 10 million Western books and magazines in the hands of intellectuals and professionals in Eastern Europe and the Soviet Union, died on April 9 at his home in Manhattan. He was 85.
George C. Minden, 85, Dies; Led a Cold War of Words By DOUGLAS MARTIN, New York Times, Published: April 23, 2006
The article quotes an academic paper of a few years ago as saying of his program that:
the initiative sprinkled reality into an "unnatural and ultimately irrational" system.
The recipients of the books in question, ranging from James Joyce to Nabokov to Solzhenitsyn, thought the publishers were altruistically donating them.
Curtain Walls Considered Ineffective
And then gunpowder came.

Much of the castle is missing, due to Henry VIII of England’s troops in 1544. Nearby heights that were formerly only good for viewing the castle suddenly became ideal launching points for cannon balls, which, unlike arrows, could knock down castle walls. There are a few towers and part of the curtain wall left, as well as three quite dank dungeons, but most of the superstructure is gone. The livable part was built in 1622; very recent by Scottish standards.
What has this got to do with the Internet?
A second threat is a softening, if not disappearing, of the network perimeter. For a long time, we were able to get some semblance of securing the enterprise by establishing firewalls and [demilitarized zones] and maintaining the somewhat guarded perimeter. Now with BlackBerries, PDAs, wireless, executives traveling and using the Internet in hotel rooms, and people with VPN access from home systems, the perimeter is an illusion. But security policies and technologies have not kept up with that change. A big vulnerability in many environments is that you still have policies and people viewing the enterprise as protected with a firewall, and that’s simply not the case.

This is from an interview with Eugene Spafford. Internet curtain walls, also known as firewalls and perimeters, are also obsolete. Not completely, of course; they can still keep idle tourists out, but they won’t stop a determined enemy.

Security expert recommends ‘Net diversity, By Carolyn Duffy Marsan, Network World, 05/30/06

There’s much more; the whole interview is well worth reading.