Dec 11 2023

AI and Mass Spying

Category: AI,Cyber Spy,Spywaredisc7 @ 12:31 pm

Spying and surveillance are different but related things. If I hired a private detective to spy on you, that detective could hide a bug in your home or car, tap your phone, and listen to what you said. At the end, I would get a report of all the conversations you had and the contents of those conversations. If I hired that same private detective to put you under surveillance, I would get a different report: where you went, whom you talked to, what you purchased, what you did.

Before the internet, putting someone under surveillance was expensive and time-consuming. You had to manually follow someone around, noting where they went, whom they talked to, what they purchased, what they did, and what they read. That world is forever gone. Our phones track our locations. Credit cards track our purchases. Apps track whom we talk to, and e-readers know what we read. Computers collect data about what we’re doing on them, and as both storage and processing have become cheaper, that data is increasingly saved and used. What was manual and individual has become bulk and mass. Surveillance has become the business model of the internet, and there’s no reasonable way for us to opt out of it.

Spying is another matter. It has long been possible to tap someone’s phone or put a bug in their home and/or car, but those things still require someone to listen to and make sense of the conversations. Yes, spyware companies like NSO Group help the government hack into people’s phones, but someone still has to sort through all the conversations. And governments like China could censor social media posts based on particular words or phrases, but that was coarse and easy to bypass. Spying is limited by the need for human labor.

AI is about to change that. Summarization is something a modern generative AI system does well. Give it an hourlong meeting, and it will return a one-page summary of what was said. Ask it to search through millions of conversations and organize them by topic, and it’ll do that. Want to know who is talking about what? It’ll tell you.

The technologies aren’t perfect; some of them are pretty primitive. They miss things that are important. They get other things wrong. But so do humans. And, unlike humans, AI tools can be replicated by the millions and are improving at astonishing rates. They’ll get better next year, and even better the year after that. We are about to enter the era of mass spying.

Mass surveillance fundamentally changed the nature of surveillance. Because all the data is saved, mass surveillance allows people to conduct surveillance backward in time, and without even knowing whom specifically you want to target. Tell me where this person was last year. List all the red sedans that drove down this road in the past month. List all of the people who purchased all the ingredients for a pressure cooker bomb in the past year. Find me all the pairs of phones that were moving toward each other, turned themselves off, then turned themselves on again an hour later while moving away from each other (a sign of a secret meeting).

Similarly, mass spying will change the nature of spying. All the data will be saved. It will all be searchable, and understandable, in bulk. Tell me who has talked about a particular topic in the past month, and how discussions about that topic have evolved. Person A did something; check if someone told them to do it. Find everyone who is plotting a crime, or spreading a rumor, or planning to attend a political protest.

There’s so much more. To uncover an organizational structure, look for someone who gives similar instructions to a group of people, then all the people they have relayed those instructions to. To find people’s confidants, look at whom they tell secrets to. You can track friendships and alliances as they form and break, in minute detail. In short, you can know everything about what everybody is talking about.

This spying is not limited to conversations on our phones or computers. Just as cameras everywhere fueled mass surveillance, microphones everywhere will fuel mass spying. Siri and Alexa and “Hey Google” are already always listening; the conversations just aren’t being saved yet.

Knowing that they are under constant surveillance changes how people behave. They conform. They self-censor, with the chilling effects that brings. Surveillance facilitates social control, and spying will only make this worse. Governments around the world already use mass surveillance; they will engage in mass spying as well.

Corporations will spy on people. Mass surveillance ushered in the era of personalized advertisements; mass spying will supercharge that industry. Information about what people are talking about, their moods, their secrets—it’s all catnip for marketers looking for an edge. The tech monopolies that are currently keeping us all under constant surveillance won’t be able to resist collecting and using all of that data.

In the early days of Gmail, Google talked about using people’s Gmail content to serve them personalized ads. The company stopped doing it, almost certainly because the keyword data it collected was so poor—and therefore not useful for marketing purposes. That will soon change. Maybe Google won’t be the first to spy on its users’ conversations, but once others start, they won’t be able to resist. Their true customers—their advertisers—will demand it.

We could limit this capability. We could prohibit mass spying. We could pass strong data-privacy rules. But we haven’t done anything to limit mass surveillance. Why would spying be any different?

This essay originally appeared in Slate.

 #artificial intelligence, #espionage, #privacy, #surveillance

Mass Government Surveillance: Spying on Citizens (Spying, Surveillance, and Privacy in the 21st Century)

InfoSec tools | InfoSec services | InfoSec books | Follow our blog | DISC llc is listed on The vCISO Directory

Tags: espionage, Mass Spying, Pegasus spyware, privacy, rtificial intelligence


Jul 15 2023

Self-Driving Cars Are Surveillance Cameras on Wheels

Category: Cyber surveillancedisc7 @ 12:06 pm

Police are already using self-driving car footage as video evidence:

While security cameras are commonplace in American cities, self-driving cars represent a new level of access for law enforcement ­ and a new method for encroachment on privacy, advocates say. Crisscrossing the city on their routes, self-driving cars capture a wider swath of footage. And it’s easier for law enforcement to turn to one company with a large repository of videos and a dedicated response team than to reach out to all the businesses in a neighborhood with security systems.

“We’ve known for a long time that they are essentially surveillance cameras on wheels,” said Chris Gilliard, a fellow at the Social Science Research Council. “We’re supposed to be able to go about our business in our day-to-day lives without being surveilled unless we are suspected of a crime, and each little bit of this technology strips away that ability.”

[…]

While self-driving services like Waymo and Cruise have yet to achieve the same level of market penetration as Ring, the wide range of video they capture while completing their routes presents other opportunities. In addition to the San Francisco homicide, Bloomberg’s review of court documents shows police have sought footage from Waymo and Cruise to help solve hit-and-runs, burglaries, aggravated assaults, a fatal collision and an attempted kidnapping.

In all cases reviewed by Bloomberg, court records show that police collected footage from Cruise and Waymo shortly after obtaining a warrant. In several cases, Bloomberg could not determine whether the recordings had been used in the resulting prosecutions; in a few of the cases, law enforcement and attorneys said the footage had not played a part, or was only a formality. However, video evidence has become a lynchpin of criminal cases, meaning it’s likely only a matter of time.

The Race to Create the Autonomous Car

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: Autonomous Car, cars, crime, law enforcement, privacy, Self-Driving Cars, surveillance


Feb 13 2023

How to Make Sure You’re Not Accidentally Sharing Your Location

Category: Information PrivacyDISC @ 10:42 am

YOUR DEVICES AND apps really, really want to know where you are—whether it’s to tell you the weather, recommend some restaurants you might like, or better target advertising at you. Managing what you’re sharing and what you’re not sharing, and when, can quickly get confusing.

It’s also possible that you have inconsistencies in the various location histories logged by your devices: Times when you thought you’d switched off and blocked location sharing but you’re still being tracked, or vice versa.

Here we’ll cover everything you need to consider when it comes to location tracking, and hopefully simplify it along the way. Whether you want to give out access to your current location or not, you should be in control of these settings, and not be caught unawares by additional options that you missed.How Location Tracking Gets Confusing

Screenshot of Google location sharing history

What happens if you distinctly remember turning location tracking off on a device, yet your position is still popping up on a map? Or maybe you thought you’d left the feature on, yet you’re seeing gaps in your location history? There are a few explanations, but essentially you need to remember all the different ways your location can be logged: by your devices, by your apps, and by websites you visit.

For example, you might have disabled location tracking on a phone but left it enabled on a tablet. Alternatively, you might have a laptop that’s tracking where you are in the background, even though you thought you’d disabled the feature in the apps you use. If you want location tracking completely enabled or disabled, you need to factor in all these different ways of keeping tabs on where you are.

If you have a Google account, this is a good illustration. Head to your account settings on the web, then choose Data and Privacy and Location History. Select Devices on This Account, which may reveal some phones, tablets, and laptops that you’d forgotten about—any device with a check next to it in this list is saving your movements to your Google account for future reference.

You can click Turn Off to disable this, but note the caveats that are listed in the confirmation box that appears onscreen: Your location might still be logged by your mobile devices, by the Find My Device service that helps you recover lost hardware, and by Google Maps when you’re navigating or searching around the area you’re in. This Location History setting is more of an overall toggle switch, affecting features such as the Google Timeline and the ability to quickly look up places you visit regularly.

From the main Google account screen, there are several more places where your location gets logged and shared: Click Data and Privacy then Web & App Activity to manage location data saved by Google Maps and other apps and websites, and click People andSharing then Manage Location Sharing to see a list of specific contacts who can see where you are through various Google services.Managing Location Tracking on Mobile

Screenshot of Android location sharing settings

The steps to manage your location on Android vary slightly depending on the manufacturer of your phone, but the menus and instructions involved are broadly similar. On Google Pixel devices, you can open up Settings then select Location: You’ll see the Use Location toggle switch, and if you turn this off, none of your apps will be able to know where you are, nor will Google.

If you leave the Use Location toggle switch on, you can customize location access for individual apps further down on the same screen. Note that you can choose to allow apps to know where you are at all times, or only when the app in question is running in the foreground—tap on any app in the list to make changes.

Over on iOS, it’s a similar setup. If you select Privacy & Security from Settings, and then tap Location Services, you can turn off location tracking for the phone and all the apps on it. If you choose to leave this enabled, you can manage individual app access to your location via the list underneath. As on Android, you can choose to restrict apps to knowing your location only when the particular app itself is running, or allow them to monitor it in the background too.MOST POPULAR

Erasing the location data that’s been collected on you is a complex process, as you need to check the records and the settings of every app that’s ever had access to your location. For Google and Google’s apps, you can head to your Google account on the web, then choose either Location History or Web & App Activity under Data and Privacy to wipe this data from the record. You’ll also find options for automatically deleting this data after 3, 18, or 36 months.

Apple doesn’t log your movements in quite the same way, but it does build up a list of places you visit frequently (like your home and perhaps your office) so you can quickly get to them again. To clear this list on your iPhone, open Settings then choose Privacy & SecurityLocation ServicesSystem Services, and Significant Locations. You can clear this list and stop it from populating in the future.Managing Location Tracking on Desktop

Screenshot of Windows location sharing settings

Your laptop or desktop computer is unlikely to be fitted with GPS capabilities, so it won’t track your location in quite the same way as your phone, but applications, websites, and the operating system will still have some idea where you are—primarily through the locations that you sign into the web from (via your home Wi-Fi, for example).

On Windows, you can open up Settings and then choose Privacy & Security and Location. As on Android and iOS, you’ll see you can turn location tracking off for individual applications (via the toggle switches on the right) or shut it down for the entire computer (the option at the top). The same screen lets you see which apps have been using your location, and enables you to wipe the log of your travels—click Clear next to Location History to do this.

When it comes to the same process on macOS, you need to click the Apple menu and select System SettingsPrivacy & Security, and Location Services. The next screen looks very similar to the Windows one, with toggle switches for individual applications as well as for macOS itself—turn off any of the switches where you don’t want location access to be given. If you click Details next to System Services on this screen, you can clear the list of “significant locations” Apple has saved for you, just like on iOS.

If location tracking is on for your computer and your browser of choice, that means individual websites such as Facebook, Amazon, or the Google Search can know where you are as well. Sometimes this is useful, of course (for getting the right weather forecast), but there might be times when you want to turn it off if you’re trying to keep your whereabouts private.

https://www.wired.com/story/how-to-not-accidentally-share-your-location/

Incognito Toolkit: Tools, Apps, and Creative Methods for Remaining Anonymous, Private, and Secure While Communicating, Publishing, Buying, and Researching Online

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Tags: Anonymity, privacy


Feb 19 2022

Google Privacy Sandbox promises to protect user privacy online

Category: Information Privacy,Security and privacy LawDISC @ 12:34 pm

Google announced Privacy Sandbox on Android to limit user data sharing and prevent the use of cross-app identifiers. The company states that the Privacy Sandbox technologies are still in development.

“Privacy Sandbox on Android will strengthen privacy, while providing tools app developers need to support and grow their businesses. It will introduce new solutions that operate without cross-app identifiers – including Advertising ID – and limit data sharing with third parties.” reads the announcement.

Google is also committed tp fighting and reducing covert data collection.

The goals of the Privacy Sandbox are:

  • Build new technology to keep your information private
  • Enable publishers and developers to keep online content free
  • Collaborate with the industry to build new internet privacy standards

Google will continue to support existing ads platform features for at least two years. The IT giant is inviting developers to review the proposed solution and provide their feedback through the Android developer portal.

“Starting today, developers can review our initial design proposals and share feedback on the Android developer site. We plan to release developer previews over the course of the year, with a beta release by the end of the year. We’ll provide regular updates on designs and timelines, and you can also sign up to receive updates.” concludes the announcement. “We know this initiative needs input from across the industry in order to succeed. We’ve already heard from many partners about their interest in working together to improve ads privacy on Android, and invite more organizations to participate.”

The Watchman Guide to Privacy

Tags: Guide to Privacy, privacy


Nov 15 2016

Encryption keeps you safe from malware

Category: data securityDISC @ 1:02 pm

 

Cryptographically secure pseudorandom number g...

Cryptographically secure pseudorandom number generator (Photo credit: Wikipedia)

The Electronic Frontier Foundation aims to protect Web traffic by encrypting the entire Internet using HTTPS. Chrome now puts a little warning marker in the Address Bar next to any non-secure HTTP address. Encryption is important, and not only for Web surfing. If you encrypt all of the sensitive documents on your desktop or laptop, a hacker or laptop thief won’t be able to steal your identity, or takeover your bank account, or perhaps steal your credit card information. To help you select an encryption product that’s right for your situation, we’ve rounded up a collection of current products.

 

Available Encryption Software to protect your information assets:

 

Folder Lock can lock access to files for quick, easy protection, and also keep them in encrypted lockers for serious protection. It combines a wide range of features with a bright, easy-to-use interface. Read the full review ››

 

Cypherix PC creates encrypted volumes for storing your sensitive files. Lock the volume and nobody can access the files. It does the job, though it lacks secure deletion. Read the full review ››

 

Cypherix SecureIT  handles the basic task of encrypting and decrypting files and folders in a workmanlike fashion, but it lacks advanced features offered by the competition.  Read the full review ››

 





Tags: data encryption, disk encryption and file encryption, encryption, Identity Theft, Information Privacy, privacy


Apr 03 2014

Is privacy a dependency of information security

Category: Information Privacy,ISO 27kDISC @ 10:59 am

Privacy

Privacy (Photo credit: g4ll4is)

Is privacy a dependency of information security?

by Jamie Titchener

If you read the news on a regular basis, you will find that most of the cyber security or data protection articles play heavily on the fear of an individual’s privacy being compromised.

But what many people don’t seem to realize is that privacy is in fact a dependency of information or cyber security. Only by having in place adequate information or cyber security policies and procedures can an organization ensure the privacy of their stakeholders, including customers, staff, suppliers, etc.

Whilst there are some unique challenges faced in the area of privacy relating to governmental legislation such as the UK Data Protection Act, organizations can start to effectively address many of the privacy concerns that their stakeholders have by adopting an approach such as implementing an ISMS that complies with ISO/IEC 27001/2.

By combining the right mix of people, process and technology in an ISMS, organizations can effectively manage many of the privacy risks that people are concerned about.

Find out more about ISO/IEC 27001 in An Introduction to ISO/IEC 27001 2013.




Tags: Corporate governance of information technology, Information Security Management System, iso 27001, privacy


Dec 03 2009

2010 Compliance Laws

Category: pci dss,Security ComplianceDISC @ 2:13 am

Information Security Wordle: PCI Data Security...
Image by purpleslog via Flickr
In 2010 there will be two important compliance laws introduced which will affect the majority of North American organizations and many global organization too.

45 US States followed California when they introduced “SB1386“, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.


  • From the 1st January 2010, ALL businesses that collect or transmit payment card information, will be legally obliged, by Navada Law, to comply with PCI DSS.

  • Every organization who collect, owns or licenses personal information about a resident of the Commonwealth shall be in full compliance with 201 CMR 17.00 (The Massachusetts Data Protection Law) on or before March 1, 2010.



  • Similarly to the SB1386 Law, California, Massachusetts & Texas are already looking at making PCI DSS Law and history tells us that when California moves, everyone else follows!
    To help you comply with these impending laws ITG have developed a range of solutions which are aim to make the process as cost effective and simple as possible:

    The Nevada PCI DSS Law:

    The PCI DSS requires you to:

  • apply a number of specific controls, or safeguards.

  • These include documented policies and procedures; as well as

  • a number of technical IT and network configurations.

  • You will also have to provide staff with appropriate training; and

  • You will have to have quarterly scans.



  • PCI DSS v1.2 Documentation Compliance Toolkit
    toolkit-book-pci-dss

    This PCI DSS v1.2 compliance toolkit is specifically designed to help payment card-accepting organizations quickly create all the documentation required to affirmatively answer the requirements of the PCI DSS as set out in the Self Assessment Questionnaire (v1.2).


    201 CMR 17.00 – The Massachusetts Data Protection Law:

    201 CMR 17.00 & ISO 27001 Toolkit
    mass_dpa_law

    will save you months of work, help you avoid costly trial-and-error dead-ends, and ensure everything is covered to current 201 CMR 17.00 / ISO 27001 standard.

    This version of the ISMS Documentation Toolkit is ideal for those who owns or licenses personal information about a resident of the Commonwealth.

    Reblog this post [with Zemanta]




    Tags: 201 CMR 17.00, california, iso 27001, ISO/IEC 27001, Law, Massachusetts, Massachusetts Data Protection Law, Nevada, Nevada PCI DSS Law, Payment Card Industry Data Security Standard, PCI Express, privacy, sb 1386


    Oct 30 2009

    HIPAA and business associate

    Category: hipaaDISC @ 10:14 pm

    medical-symbol
    How ARRA and HITECH provisions affect HIPAA compliance
    AIS reported taht the new HITECH Act requires hospitals, providers, health plans and other HIPAA covered entities (CEs) to meet a February 2010 deadline for revising their business associate (BA) agreements. New language in BA amendments should require BAs to comply with (a) the HIPAA Security Rule,(b) new security breach notification rules and related strategies that CEs choose to implement, and (c) new privacy obligations imposed on CEs by the HITECH Act. Developing and maintaining effective BA relationships should be a top compliance priority for CEs, since privacy and security breaches often take place at the BA level and can be just as damaging to a covered entity’s reputation. With February approaching and lots of tricky questions to resolve, covered entities need a quick crash course in what their options are for designing and implementing these amendments in the next three months.

    While the HITECH Act did not come right out and say “business associate agreements must be revised,” it does stipulate that certain provisions “shall be incorporated into the business associate agreement between the business associate and the covered entity.” Among them: business associate agreements must be amended to reflect the new mandate that BAs must comply with the Security Rule, should be amended to provide the covered entity with adequate notice in the event of a security breach, and should incorporate new privacy obligations imposed on CEs by the HITECH Act

    Reblog this post [with Zemanta]




    Tags: arra and hitech, arra hitech provisions, arra hitech security "business associate", breach of privacy, covered entities, health insurance, hipaa, hipaa privacy, hippa compliance, hitech, hitech act, hospital, privacy, SOX HIPAA, status of arra and hitech


    Jul 28 2009

    PCI DSS Law and State of Nevada

    Category: Information Security,pci dssDISC @ 12:09 am

    Information Security Wordle: PCI DSS v1.2 (try #2)
    Image by purpleslog via Flickr

    45 States followed California when they introduced “SB1386”, the Security Breach Information Act, which has specific and restrictive privacy breach reporting requirements.

    Similarly to the SB1386 Law, California, Massachusetts & Texas are already looking at making PCI DSS Law and history tells us that when California moves, everyone else follows!

    From the 1st January 2010, ALL businesses that collect or transmit payment card information, will be legally obliged, by Navada Law, to comply with PCI DSS.

    Not only does this effect Navada-based organisations, it affects EVERY organisation that collect or transmit payment card information about any person who lives in Nevada.

    Where One leads – others WILL follow!


    Reblog this post [with Zemanta]




    Tags: california, Credit card, Nevada, Payment card, pci dss, privacy, Security, Texas


    May 18 2009

    Security breach and notification

    Category: Security BreachDISC @ 1:05 am

    California Flag
    Image by victoriabernal via Flickr

    California was the first state in the nation to pass a data breach notification law in 2003, and it’s now planning to broaden the notification for companies doing business in the state. Notification will require specific information about the breach to the consumer and send notices to the state authorities at the same time.

    The notices which consumers currently receive are basically too little too late, meaning they might say that your information may have been compromised and these notices may be released several months after the incident.

    notice

    California’s new legislation will force the organization to admit the extent of the compromise, so consumers can assess their own risks in a timely manner. Heartland, the credit card processor, has been sued by the banks to recover the breach notification cost. Should the credit card processing company which had a security breach be responsible for the cost of the notification?

    Current notification does not inform you where and how your credit card information was compromised so that at least you can stop shopping from that merchant. When consumers ask specific questions regarding the breach to the credit card company customer service representative, they will deny any knowledge of the breach and will say something along the lines of, when all the legal information has been taken care the credit card company will send you a detailed letter about the breach.
    Now in case of a processor security breach, the credit card company might issue notices to several hundred thousand people. Without specifics, that particular notice might have “crying wolf” effect and consumers might not take any action.

    Last week a well publicized security breach at UC Berkeley exposed the records of 160,000 people. The hackers had access to the vulnerable system for more than six months before they were discovered, which clearly shows lack of monitoring control and due care.
    When a young college student affected by the breach receives a “may have been breached” notice he or she immediately will worry about his/her credit and possibility of identity theft. Now the question is why a student has to bear the burden of the negligence by the merchant or campus and lack of reasonable security safeguards. After issuing such notice that the private information “may have been compromised,” the responsibility of keeping an eye on your credit is transferred to you. The problem is some fraudulent transactions might not be noticed for at least a year.



    Reblog this post [with Zemanta]




    Tags: Computer security, Credit card, due care, Identity Theft, Law, privacy, sb 1386, University of California Berkeley


    Apr 09 2009

    Social networks and revealing anonymous

    Category: Information PrivacyDISC @ 3:02 am

    Image representing Twitter as depicted in Crun...
    Image via CrunchBase

    Privacy is a fundamental human right and in US a constitutional right. Advancement in technology are breaking every barrier to our privacy; at this rate individuals will be stripped of their privacy unless we enact policy protections. In this situation we need to define reasonable privacy for a society in general while keeping threats and public safety as a separate issue. Social networks are becoming a repository of sensitive information and usually privacy is anonymize by striping names and addresses. Fake profiles have been created on social network to be anonymous and a user may create multiple profiles with contradictory or fake information.

    Arvind Narayanan and Dr. Vitaly Shmatikov from Univ. of Texas at Austin established an algorithm which reversed the anonymous data back into names and addresses.

    The algorithm looks at the relationships between all the members of social networks an individual has established. More heavily an anonymous individual is involved in the social media, easier it gets for the algorithm to determine the identity of anonymous individual.

    One third of those who are both on Flickr & Twitter can be identified from the completely anonymous Twitter graph, which deduces that anonymity is not enough to keep privacy on social network. The idea of “de-anonym zing” social networks extends beyond Twitter and Flickr. It is equally applicable in other social networks where confidential and medical data can be exposed such as medical records in healthcare.

    “If an unethical company were able to de-anonymize the graph using publicly available data, it could engage in abusive marketing aimed at specific individuals. Phishing and spamming also gain from social-network de-anonymization. Using detailed information about the victim gleaned from his or her de-anonymized social-network profile, a phisher or a spammer will be able to craft a highly individualized, believable message”

    Now is it reasonable to say that social network wears no clothes?

    Personally identifiable information
    California Senate Bill 1386 defines “personal information” as follows:
    • Social security number.
    • Driver’s license number or California Identification Card number.
    • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.

    Names, addresses, email addresses and telephone numbers do not fall under the scope of SB 1386.

    HIPAA Privacy defines “Individually identifiable health information” as follows
    1. That identifies the individual; or
    2. With respect to which there is a reasonable basis to believe the information can be used to identify the individual.
    The term “reasonable basis” leaves the defining line open to interpretation by case law.

    Arvind Narayanan and Dr. Vitaly Shmatikov paper.


    Social network privacy video


    httpv://www.youtube.com/watch?v=X7gWEgHeXcA

    Reblog this post [with Zemanta]




    Tags: Anonymity, Flickr, Personally identifiable information, privacy, Security, Social network, Twitter, Vitaly Shmatikov


    Apr 02 2009

    Cloud computing and security

    Category: Cloud computingDISC @ 5:55 pm
    File:Cloud comp architettura.png

    https://commons.wikimedia.org/wiki/File:Cloud_comp_architettura.png

    Cloud computing provide common business applications online that run from web browser and is comprised of virtual servers located over the internet. Main concern for security and privacy of user is who has access to their data at various cloud computing locations and what will happen if their data is exposed to an unauthorized user. Perhaps the bigger question is; can end user trust the service provider with their confidential and private data.

    “Customers must demand transparency, avoiding vendors that refuse to provide detailed information on security programs. Ask questions related to the qualifications of policy makers, architects, coders and operators; risk-control processes and technical mechanisms; and the level of testing that’s been done to verify that service and control processes are functioning as intended, and that vendors can identify unanticipated vulnerabilities.”

    Three categories of cloud computing technologies:

    • Infrastructure as a Service (IaaS)
    • Platform as a Service (PaaS)
    • Software as a Service (SaaS)

    Cloud computing is offering lots of new services which increase the exposure and add new risk factors. Of course it depends on applications vulnerabilities which end up exposing data and cloud computing service provider transparent policies spelling out responsibilities which will increase end user trust. Cloud computing will eventually be used by criminals to gain their objectives. The transparent policies will help to sort out legal compliance issues and to decide if the responsibility of security breach lies on end user or service provider shoulders.

    Complexities of cloud computing will introduce new risks and complexity is the enemy of security. The organizations and end users should be mindful of this security principle before introducing this new variable into their risk equation. As a consumer you need to watch out and research your potential risks before buying this service and consider getting a comprehensive security assessment from a neutral third party before committing to a cloud vendor.

    Possible risks involved in cloud computing
    Complete data segregation
    Complete mediation
    Separation of duties
    Regulatory compliance (SOX, HIPAA, NIST, PCI)
    User Access
    Physical Location of data
    Availability of data
    Recovery of data
    Investigative & forensic support
    Viability and longevity of the provider
    Economy of mechanism

    Continue reading “Cloud computing and security”




    Tags: Cloud computing, cloudcomputing, compliance, Computer security, iaas, IBM, Information Privacy, Infrastructure as a service, paas, Platform as a service, Policy, privacy, saas, Security, security assessment, Security Breach, Services


    Dec 05 2008

    Telcos and information privacy

    Category: Information PrivacyDISC @ 2:26 pm

    Mobile Phone
    Image via Wikipedia

    With the economy in the tank, breach of privacy is not going to be a priority in Obama’s administration to do list. It will be quite difficult to make it a priority when Obama has signed a bill indemnifying telcos from suits due to privacy breaches.

    During the presidential election campaign, Verizon employee gained unauthorized access to President-elect Obama’s mobile phone records. You might assume that if telcos are having a hard time protecting the privacy of high profile individuals, how would that make you feel as a cell phone owner? Don’t you wonder why the mainstream media didn’t publicize this case of high profile privacy breach more widely?

    Basically Telcos have been immunized from privacy lawsuits so that big brother can snoop around our private phone records as they please. In this instance, law only applies to people and makes it illegal to snoop on each other but the telecom entities have been granted an exception by congress. Legal ruling require law enforcement to meet high “probable cause” standard before acquiring cell phone record. In recent report, document obtained by civil liberties group under FOIA request suggest that “triggerfish” technology can be used to pinpoint cell phone without involving cell phone provider and user knowing about it.

    Organizations should implement directive, preventive and detective controls to protect the privacy of information. Where directive controls include the policies, procedures, and training. Preventive controls deal with the separation of duties, principle of least privilege, network, application and data controls. Detective controls involve auditing, logging and monitoring.

    Verizon case shows lack of detective controls. Organization should have a clearly defined privacy policy which states that private information should be logged, monitored and audited. High profile individual should be identified and documented and reviews of audit logs should be conducted to identify inappropriate access to the privacy information of high profile individuals. The authorized person who has access to private information should be audited on regular basis to find out if they are following the privacy policies and procedures of the company. For privacy information, log who accessed which data, for who and when. Managers should train and monitor subordinate to help protect privacy information, which not only educate the subordinate but also serve as a major deterrence. Privacy is an essential ingredient of liberty and must be guarded with utmost due diligence.

    “Those who give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety” Benjamin Franklin

    Presidential Phone Compromised

    Privacy Debate: Shouldn’t Public Demand High Threshold?
    httpv://www.youtube.com/watch?v=HR6IEz4T7Yw

    Reblog this post [with Zemanta]




    Tags: auditing, Barack Obama, breach of privacy, Civil liberties, detective, directive, Lawsuit, logging, mobile phone, monitoring, preventive, privacy, Security, tiggerfish, Verizon


    Aug 25 2008

    Laptop security and vendor assessment

    Category: Laptop Security,Vendor AssessmentDISC @ 2:37 am

    Another report of a laptop stolen, this one containing reams of sensitive customer information. The laptop was later returned in the same office complex, to a room which was reportedly locked; however, the sensitive data on the laptop was not encrypted.

    According to a San Francisco Chronicle article by Deborah Gage (Aug 6, 2008, pg. C1): “A laptop containing personal information on 33,000 travelers enrolled in a fast pass program at San Francisco International Airport turned up Tuesday in the same airport office from which it had been reported missing more than a week ago.
    The machine belongs to Verified Identity Pass, which has a contract with the TSA to run Clear, a service that speeds registered travelers through airport security lines. Verified Identity operates the program at about 20 airports nationwide.
    The computer held names, addresses and birthdates for people applying to the program, as well as driver’s license, passport and green card information. But, she said, the computer contained no Social Security numbers, credit card numbers, fingerprints, facial images or other biometric information.
    Travelers in the Clear program pay to have the TSA verify their identities. In return, they receive a card that gives them access to special security lanes in airports so they can avoid standing in line to go through security.
    The TSA said in a statement that Verified Identity was out of compliance with the administration’s procedures because the information on the laptop was not properly encrypted. Now the company must undergo a third-party audit before Clear can resume, the TSA said.”

    When TSA states that the vendor (Verified Identity) was out of compliance, does that make the vendor liable for negligence? Not unless this was stated clearly in the contract that the vendor will be liable if customers’ private data is exposed unencrypted. Which means private data should be encrypted if it’s at the server, in transit or on the laptop.
    This brings the question if the 3rd party service provider (vendor) should be considered for the security risk assessment and how often. This question should be considered before signing a service contract with the vendor and what criteria or standard should be used to assess the vendor. Should this assessment include the security office 3rd party cleaning staff, perhaps yes, considering sometime cleaning staff does have an access to very sensitive areas in the organization? Many of the controls applied to contractors should be more or less the same as applied to regular employees but the contractor who has access to sensitive information potentially should have more controls then the regular employees, which should be clearly defined in the service contract.
    Before signing the service contract, due care requires the organization should always assess the vendor’s security posture based on their own information security policy and ISO 27002 standards. Depending on the risk assessment report, the organization can negotiate the controls necessary to protect the security and privacy of their data and customers with given vendors. At this point the organization needs to make a decision, if the vendor is up to par as far as information security is concerned and if negligent, give them some sort of deadline to improve controls to become a business affiliate. Depending on the level of data sensitivity, some vendors might be required to acquire ISO 27001 certification to become a business partner. This clause should be clearly included in the service contract.
    Assessing the vendor on a regular basis might be the key to know if they are complying with the required security clauses mentioned in the service contract and make them potentially liable for non-compliance. If the vendor fails the assessment the organization should follow up with the vendor to remediate those gaps within a reasonable time frame, otherwise this constitutes a breach of the contract.

    Laptop Security
    httpv://www.youtube.com/watch?v=dytZBBlDMJs


    (Free Two-Day Shipping from Amazon Prime).




    Tags: assessment, business affiliate, compliance, data sensitivity, iso 27001, iso 27002, laptop stolen, privacy, service contract, social security numbers, TSA, verified identity