Jul 16 2009

Common Information Security lapses

Category: Information SecurityDISC @ 4:36 pm

User Security

  • Opening email attachments directly from integrated email clients

  • Not updating client software

  • Downloading untrusted software

  • Not creating or testing backups

  • Connecting a wireless router directly to the internal LAN, so that wireless clients bypass the perimeter

Strategic Security

  • Not providing training to security personnel

  • Addressing only physical security and neglecting data security

  • Not validating that security fixes actually work

  • Relying on the firewall for all security needs

  • Not evaluating the impact of a security breach on reputation and data

  • Not making long-term security decisions, relying instead on hot fixes to put out fires

  • Not addressing known issues, neglecting security as a matter of policy

Operational Security

  • Not hardening internet-connected hosts

  • Connecting test systems to the internet

  • Not patching systems on a regular schedule and on an emergency basis

  • Using unencrypted protocols (such as telnet, plain HTTP or SNMPv1/v2c) for management and reporting

  • Choosing weak default user passwords, changing passwords in an insecure manner, or notifying users of new passwords over insecure channels

  • Not testing or maintaining backups, and not understanding the intricacies of backup software and procedures
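Two of the lapses above are about backups that exist but were never tested. The script below is an added example, not code from the original post or from DISC: it takes a constructed sample tree, writes an uncompressed tar backup with a SHA-256 manifest embedded in the archive, restores it to a scratch directory and compares every restored file against the manifest. It then simulates the silent failure mode a restore test is meant to catch: one byte of file data inside the archive is altered, tar (which checksums headers only, not file contents) extracts it without complaint, and only the hash comparison reports the damage. The file names and contents are invented for the example.

```python
import hashlib
import io
import json
import os
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "production" data for the example (not real files).
SAMPLE_FILES = {
    "etc/app.conf": b"listen=127.0.0.1:8443\nlog_level=info\n",
    "db/orders.csv": b"id,amount\n1,19.99\n2,5.00\n",
    "docs/readme.txt": b"Restore procedure: see runbook section 4.\n",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sample_tree(root: Path) -> None:
    for rel, data in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def make_manifest(root: Path) -> dict:
    """Relative POSIX path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Write an uncompressed tar of source with the manifest stored inside it."""
    manifest = make_manifest(source)
    with tarfile.open(archive, "w") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
        blob = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))  # manifest travels with the backup
    return manifest


def verify_restore(archive: Path, restore_dir: Path) -> list:
    """Restore the archive and return a list of problems (empty list = restore test passed)."""
    try:
        with tarfile.open(archive, "r") as tar:
            # Use the 'data' extraction filter where this Python supports it
            # (rejects absolute paths and links escaping restore_dir).
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_dir, **kwargs)
    except (tarfile.TarError, OSError, EOFError) as exc:
        return [f"archive unreadable: {exc}"]
    manifest_path = restore_dir / "MANIFEST.json"
    if not manifest_path.is_file():
        return ["manifest missing from archive"]
    expected = json.loads(manifest_path.read_text())
    problems = []
    for rel, digest in expected.items():
        p = restore_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"hash mismatch: {rel}")
    return problems


def run_demo() -> dict:
    """Back up, restore-test, corrupt one data byte in the archive, restore-test again."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, archive = tmp / "source", tmp / "backup.tar"
        write_sample_tree(source)
        create_backup(source, archive)
        clean = verify_restore(archive, tmp / "restore_clean")
        # Simulate silent media corruption: change "2,5.00" to "2,6.00" inside the
        # raw tar. Tar checksums only headers, so extraction still succeeds.
        data = bytearray(archive.read_bytes())
        idx = data.find(b"2,5.00")
        assert idx != -1, "sample record not found in archive"
        data[idx + 2] = ord("6")
        archive.write_bytes(data)
        corrupted = verify_restore(archive, tmp / "restore_corrupt")
    return {"clean": clean, "corrupted": corrupted}


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(f"{name}: {'OK' if not problems else problems}")
```

Running the script prints `clean: OK` and `corrupted: ['hash mismatch: db/orders.csv']`. The same pattern applies to real backup tooling: keep the manifest with the backup, restore into a scratch location on a schedule, and treat any hash mismatch or extraction error as a failed backup rather than a warning.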

Tags: Backup, Information Security, poor security, Security, security mistakes

    Oct 08 2008

    Skype and Information Privacy

    Category: Information PrivacyDISC @ 1:00 am

    According to an SF Chronicle article by Peter Svensson (Oct 3, 2008, pg. C4): “A Canadian researcher (Nart Villeneuve) has discovered that the Chinese version of eBay Inc.’s Skype communication software snoops on text chats that contain keywords like ‘democracy’.”

    In other words, the Chinese version of Skype was being used to surveil text messages between two users. Villeneuve found not only that the application filtered on specific words, but that it also forwarded the messages caught by the filters to other servers. Because of poor security on those servers, he was able to recover more than a million messages from them.

    This is hard to square with Skype’s earlier claim that messages between two systems are encrypted end to end and can be decrypted only with the private keys held on those systems: the filtering happens in the client, which sees the plaintext before anything is encrypted. The revelation also contradicts Skype’s claim that the software discards filtered messages.

    The question then arises: how do we know that our text messages on Skype are not being tapped in the United States?

    Are privacy and security laws applicable only to consumers and not to corporations? If so, our state of security and privacy is in pretty dire shape. It seems as if consumers’ information is for sale to the highest bidder without our consent or appropriate compensation.

    Without credible evidence, our government should not be able to perform wholesale surveillance (profiling) in the name of security. We are building a society of fear in which everybody is under surveillance and is a suspect until proven innocent, which sounds like living in a police state.

    Laws of secrecy and unnecessary surveillance will ultimately erode the fundamentals of democracy. To lift the cloud of secrecy around these initiatives, the public needs to put pressure on their representatives to dig out the truth. Otherwise the mound of surveillance data can be used to harass innocent people and as a tool to distract from reality.

    We cannot expect our information to be secure unless we can trust our government to protect our privacy and corporations to secure our information.

    Skype’s China Spying Uncovered


    Tags: compensation, credible evidence, democracy, dire shape, encrypted, filtering, poor security, reality, snoops, surveillance, voluminous