Hackers vs. Free Online Services: Which is a bigger threat to privacy?

9 04 2012

On the surface, it may seem that hackers pose a larger threat to our privacy than free online services do. However, nothing is free: service providers such as Google and Facebook are collecting hoards of personal information, yet we lack privacy laws that dictate how that information can be used, how it must be stored, and how it is shared. According to [economictimes], “The White House and Federal Trade Commission have unveiled privacy frameworks that rely heavily on voluntary commitments by Internet companies and advertisers.” We need better assurance than a voluntary commitment.

In the opposite corner, we have hackers. I hate to use the term hacker in a negative context, but mainstream media has made the practice the status quo. For lack of a better term, I’ll use hacker to describe someone who writes malicious software or aims to gain unauthorized access to a computer, network, or electronic account. This definition is similar to Kaspersky’s [kaspersky-1]. Hackers pose a threat to privacy by stealing personal information directly from our PCs, or by breaking into systems that we’re registered with.

Both are a concern to user privacy. Which poses the bigger threat? Let’s explore the implications of each.

Hackers

Anti-virus software helps keep our PCs clean, offering the user some level of privacy protection, but what exactly are we protected from? According to [securelist], a website administered by Kaspersky Lab, many anti-virus vendors split malware into the following categories: crimeware, spyware, ransomware, and bot-clients. This is not an all-inclusive list, but [securelist] describes them as “the most prevalent, persistent and threatening recent trends”.

Malware is distributed through a combination of software vulnerabilities (operating systems included), social engineering, and trojans: innocent-looking programs that carry a malicious payload. Malware remains an issue on PCs, even though Microsoft claims Windows 7 is 5 times more secure than XP [cnet], but the fastest-growing threat is on mobile devices. A report by Juniper Networks [juniper] records a 155% increase in malware samples between 2010 and 2011, with Android devices the primary target. The report states that, in 2011, 46.6% of samples were for Android, up from 0.5% the year before. The report does not include iOS malware figures because Apple does not release the data, but Apple devices are not immune.

Forbes [forbes] reports on Charlie Miller, who exposed a vulnerability in Apple’s walled garden and was rewarded by being kicked out of the developer program for a year. Even though iPhones have seen less malware than Android devices, they are still vulnerable, as Geohot has shown [geohot]. Perhaps iOS devices will remain relatively safe while Android maintains the largest market share [gartner].

And if you thought you were safe on a Mac, Dr.Web [drweb] has identified a worldwide Mac botnet with over 500,000 nodes. The site states that the malware is installed through a Java vulnerability that lets an applet execute code outside the sandbox and infect the machine. Apple’s knowledge base confirms the vulnerability [apple].

Linux machines are also vulnerable. While viruses are uncommon on Linux, likely due to the relatively small number of users, Linux machines are often targeted by attackers because they’re commonly used to run web servers and other network services. If you’re running a Linux web server at home (or any web server for that matter), check your logs; you’ll likely see repeated attempts from a script to exploit your machine.
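The "check your logs" advice above is easy to act on. The following is an added example, not code from the original post: it parses web server access-log lines in the common Apache/nginx format and flags clients whose traffic looks like a script walking a list of candidate admin paths rather than a person browsing. The log lines, the addresses (RFC 5737 test ranges) and the thresholds are all constructed for the example.

```python
"""Constructed example: flag automated probing in a web server access log.

The log lines below are constructed (RFC 5737 test addresses), and the
thresholds in flag_probing_ips are assumptions for the demo, not values
from the original post.
"""
import re
from collections import defaultdict

# Apache/nginx "combined" log format.  The referer and user-agent fields at
# the end of each line are tolerated but not needed, so the regex stops at
# the response size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one address probes for admin consoles and collects 404s,
# the other is an ordinary visitor with a single broken image link.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Apr/2012:10:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [09/Apr/2012:10:01:02 +0000] "GET /pma/ HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [09/Apr/2012:10:01:03 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [09/Apr/2012:10:01:03 +0000] "GET /setup.php HTTP/1.1" 404 512 "-" "-"
203.0.113.7 - - [09/Apr/2012:10:01:04 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 512 "-" "-"
198.51.100.20 - - [09/Apr/2012:10:02:10 +0000] "GET / HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.20 - - [09/Apr/2012:10:02:11 +0000] "GET /style.css HTTP/1.1" 200 880 "-" "Mozilla/5.0"
198.51.100.20 - - [09/Apr/2012:10:02:15 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.20 - - [09/Apr/2012:10:02:40 +0000] "GET /missing.png HTTP/1.1" 404 512 "-" "Mozilla/5.0"
this line is not a valid log entry and is skipped
"""


def parse_log(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry


def flag_probing_ips(entries, min_requests=4, min_error_ratio=0.75):
    """Return {ip: summary} for clients whose traffic looks like a scanner.

    Heuristic: at least `min_requests` requests, of which at least
    `min_error_ratio` drew a 4xx status.  A human following a broken link
    produces a 404 or two; a script trying a list of candidate admin paths
    produces almost nothing else.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    for e in entries:
        s = per_ip[e["ip"]]
        s["requests"] += 1
        s["paths"].add(e["path"])
        if 400 <= e["status"] < 500:
            s["errors"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        if s["requests"] < min_requests:
            continue
        if s["errors"] / s["requests"] >= min_error_ratio:
            flagged[ip] = {
                "requests": s["requests"],
                "errors": s["errors"],
                "paths": sorted(s["paths"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in flag_probing_ips(parse_log(SAMPLE_LOG.splitlines())).items():
        print(f"{ip}: {summary['errors']}/{summary['requests']} error responses, "
              f"probed {', '.join(summary['paths'])}")
```

On a real server, feed `parse_log` the lines of the access log instead of `SAMPLE_LOG`; the error-ratio heuristic is deliberately simple, and the paths it lists are what you would then compare against the software you actually run.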

Even if your system is “secure”, weak passwords or poor programming on a website can leave you vulnerable. Despite being well known, cross-site scripting (XSS) and SQL injection [darkreading] continue to plague websites. SQL injection can be used to gain unauthorized access to a system or its data, and XSS can be used to access data in an individual’s account.
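To make the two website defects named above concrete, here is an added example (not code from the original post) showing each defect beside its fix. The users table, account names and inputs are constructed, and only the Python standard library is used; the in-memory SQLite database stands in for whatever backs a real site.

```python
"""Constructed example: SQL injection and XSS, each beside the hardened form.

The users table, names and inputs are constructed for the demo.
"""
import html
import sqlite3


def make_db():
    """In-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


# --- SQL injection: defective form and fix -----------------------------------

def lookup_vulnerable(conn, username):
    """Defective form: user input is spliced into the SQL text, so a quote in
    the input changes the query's structure instead of being treated as data."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """Fixed form: a bound parameter is always a value, never SQL, so the same
    input simply matches no row."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# --- Cross-site scripting: defective form and fix ----------------------------

def render_greeting_vulnerable(display_name):
    """Defective form: untrusted text is placed into HTML unescaped, so markup
    in the name becomes part of the page."""
    return f"<p>Welcome, {display_name}</p>"


def render_greeting_safe(display_name):
    """Fixed form: escape on output, so '<', '>', '&' and quotes render as
    literal characters rather than markup."""
    return f"<p>Welcome, {html.escape(display_name, quote=True)}</p>"


def contains_markup(fragment):
    """Crude check for the demo: is there any tag besides the surrounding <p>?"""
    return "<" in fragment.replace("<p>", "").replace("</p>", "")


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # constructed input: a quote that closes the string early
    print("vulnerable lookup:", lookup_vulnerable(db, probe))   # every row
    print("safe lookup:      ", lookup_safe(db, probe))         # no rows
    name = "<b>bob</b>"     # constructed input containing markup
    print(render_greeting_vulnerable(name))
    print(render_greeting_safe(name))
```

The fixes are the standard ones: parameterised queries so the database driver never interprets user input as SQL, and output encoding so the browser never interprets it as HTML.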

Hackers have a myriad of ways to obtain personal data, and every device we use becomes another attack vector. On the other side of the coin are the service providers we freely give our data to.

Free Online Services

Websites often track users by placing cookies on the user’s computer. The main reason is advertising: websites track user actions and serve targeted advertisements. According to research done at Stanford [standford], 7 companies identified by Carnegie Mellon’s CyLab as having opt-out policies left tracking cookies in place after the user opted out of tracking. Results of the CyLab report are in [carnegie].

Do Not Track is an opt-in policy that many website vendors are adopting: users who opt in expect that a vendor won’t track their actions. It works like a do-not-call list. As with a do-not-call list, trust is placed in the service provider to honor the request. Unlike a do-not-call list, it can be tricky to determine whether a service provider is honoring the request.

Users can hinder websites from tracking their behavior by deleting cookies. Deleting a cookie severs the link between the user and the data the service provider has collected.

But service providers don’t want to lose that link, and some go to extremes to keep users from deleting cookies. Besides ignoring the request, as mentioned above, Flash cookies are another mechanism providers use [schneier]. The Flash browser plugin can store cookies much as web pages do, but when a user clears their browser cookies, Flash cookies are NOT normally cleared. A website can respawn a deleted cookie by recovering it from Flash. Such a cookie is often called a zombie cookie.

A 2010 report by InfoWorld [infoworld] describes how Disney, MySpace, and NBC Universal used zombie cookies, though theirs weren’t Flash based. A Stanford researcher found Microsoft guilty as well [standford-2].

The Do Not Track issue was discussed at a 2010 workshop attended by the W3C, the Internet Society (ISOC), and MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) [ietf]. Notes from the workshop state that unique machine configurations can also be used to tie a user back to collected data, even after the user has deleted a tracking cookie. This technique is called fingerprinting.

Besides Do Not Track, two other privacy options discussed at the workshop are The Onion Router (Tor) and the “private browsing” mode available in popular browsers such as Firefox [firefox], Internet Explorer [microsoft], and Safari [safari]. Neither is sufficient to stop a provider from tracking a user, nor was either intended to block such activity. When using security products, it’s important to understand what they’re intended to protect. So what can these technologies do?

Private browsing clears out a user’s complete browsing session to keep the next user of the machine from discovering what the previous user accessed. Vendors can still use fingerprinting to identify the user.

According to [tor], Tor “… prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.” This description omits a key element: Tor stops the sites you visit from learning your physical location by masking your IP address. As with private browsing, a vendor can still use fingerprinting to identify the user.
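The sections above on Do Not Track, zombie cookies and fingerprinting each describe a tracking method and a countermeasure that may or may not defeat it. The simulation below is an added example, not code from the original post or from any vendor: it models a browser (with a cookie jar, a plugin-side store that stands in for Flash cookies, and a few configuration attributes) and a tracker that tries cookies first, respawns from the plugin store second, and falls back to a fingerprint third, then audits which countermeasures actually break the link between visits. The `Browser` and `Tracker` classes, the attribute values and the `uid` cookie name are all constructed for the example.

```python
"""Constructed simulation: which countermeasure defeats which tracking method.

Browser, Tracker and the plugin store (a stand-in for Flash cookies) are
constructed models for the demo, not real browser internals.
"""
import hashlib


class Browser:
    """A client with an HTTP cookie jar, a plugin-side store that clearing
    cookies does not touch, and configuration a site can read."""

    def __init__(self, user_agent, screen, timezone, fonts, dnt=False):
        self.cookies = {}        # ordinary HTTP cookies
        self.plugin_store = {}   # stand-in for Flash cookies
        self.attributes = (user_agent, screen, timezone, fonts)
        self.dnt = dnt           # models sending the "DNT: 1" header

    def clear_cookies(self):
        self.cookies.clear()

    def clear_plugin_store(self):
        self.plugin_store.clear()

    def fingerprint(self):
        # Hash of configuration observable without any stored state.
        return hashlib.sha256("|".join(self.attributes).encode()).hexdigest()[:16]


class Tracker:
    """A site that tries to keep one stable id per visitor."""

    def __init__(self, honors_dnt):
        self.honors_dnt = honors_dnt
        self.next_id = 1
        self.by_fingerprint = {}   # fingerprint -> id
        self.visits = {}           # id -> visit count

    def serve(self, browser):
        """Handle one page view; return the id assigned, or None if untracked."""
        if browser.dnt and self.honors_dnt:
            return None
        fp = browser.fingerprint()
        # 1. cookie  2. respawn from the plugin store (zombie cookie)  3. fingerprint
        tid = (browser.cookies.get("uid")
               or browser.plugin_store.get("uid")
               or self.by_fingerprint.get(fp))
        if tid is None:
            tid = f"u{self.next_id}"
            self.next_id += 1
        browser.cookies["uid"] = tid
        browser.plugin_store["uid"] = tid
        self.by_fingerprint[fp] = tid
        self.visits[tid] = self.visits.get(tid, 0) + 1
        return tid


def audit(tracker):
    """Run each countermeasure against a tracker.  Each flag is True when the
    visitor remains linkable (or, for DNT, when the request was honored)."""
    b = Browser("Mozilla/5.0 (X11; Linux x86_64)", "1920x1080", "UTC-5", "Arial,DejaVu")
    first = tracker.serve(b)

    b.clear_cookies()                      # what "clear cookies" does
    after_cookie_clear = tracker.serve(b)

    b.clear_cookies()
    b.clear_plugin_store()                 # also remove the plugin-side copy
    after_full_clear = tracker.serve(b)

    # A genuinely different client must get a different id, or the tracker
    # is not really distinguishing visitors.
    other = Browser("Mozilla/5.0 (Windows NT 6.1)", "1366x768", "UTC+1", "Arial,Calibri")
    other_id = tracker.serve(other)

    dnt_client = Browser("Mozilla/5.0 (Macintosh)", "1440x900", "UTC+0", "Helvetica", dnt=True)
    dnt_id = tracker.serve(dnt_client)

    return {
        "zombie_cookie_respawns": after_cookie_clear == first,
        "fingerprint_links_after_full_clear": after_full_clear == first,
        "distinct_clients_distinguished": other_id != first,
        "dnt_honored": dnt_id is None,
    }


if __name__ == "__main__":
    for label, t in (("ignores DNT", Tracker(honors_dnt=False)),
                     ("honors DNT", Tracker(honors_dnt=True))):
        print(label, audit(t))
```

The audit shows the point the workshop notes make: clearing cookies alone does nothing against a respawning cookie, clearing the plugin store too still leaves the fingerprint, and whether Do Not Track helps depends entirely on the tracker's choice to honor it.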

Websites want to track user habits in order to sell targeted advertising. By itself, this seems harmless enough. The issue is that we don’t have privacy laws that address how the data can be used, how it’s stored, or how it’s shared. Every time a user grants access to their Facebook profile, the user is sharing personal information. The notes on the IETF workshop [ietf] state, “While improvements have been made in obtaining user consent to sharing data between sites, challenges remain with regard to data minimization, ease of use, hidden sharing of data, and centralization of identity information.”

Having excessive personal data in one location has other consequences. According to a US News report [usnews], some employers are asking for Facebook passwords, or to friend someone in HR. Although I compare this type of request to putting a web cam in your living room, at least we’re being asked face-to-face for the information. What if companies could go to Facebook and obtain the info without our knowledge?

Which is worse?

Which is worse? In my opinion, it depends on who you ask. Businesses should fear the hacker while the individual user has more to lose through online services. We have a number of tools and choices to help keep our data safe from hackers. When it comes to online services, the only way to protect our privacy is to not use the Internet, and that’s just not feasible.


[economictimes]: http://articles.economictimes.indiatimes.com/2012-03-30/news/31260952_1_federal-agency-proposals-internet-users-internet-companies
[darkreading]: http://www.darkreading.com/database-security/167901020/security/news/232800323/sql-injection-still-slams-smbs.html

Public Cloud Adoption: Considerations for Managing Operational Risk

20 02 2012

by Chris Ortyl

Adoption of cloud computing presents significant challenges to virtually every organization, across industries and sectors. Business and IT leaders face a daunting task navigating the array of cloud technologies, products and service offerings, and filtering vendor hype from operational reality. Further complicating matters are the multiple service and deployment models available to cloud consumers, as well as the new fee structures and cost models associated with on-demand, IT-as-a-utility service sourcing and provisioning. Organizations must assess and rationalize cloud service offerings and capabilities relative to business objectives and requirements. Beyond the potential benefits and opportunities, considerable analysis and due diligence are required to understand the operational risk, as well as the data privacy, legal and compliance issues inherent in the cloud computing paradigm.[1] A risk-based approach is essential to developing a solid cloud security strategy.

NIST defines three cloud service models (SaaS, IaaS, PaaS) and four deployment models (public cloud, private cloud, hybrid cloud and community cloud).[2] Of the four deployment models, public and hybrid cloud configurations present the most significant risk, as they extend the organization’s value chain to an external business entity. The public and hybrid models also involve use of third-party computing resources and placement of data assets outside the organization, where they are hosted and placed under the control of the cloud service provider (CSP). The pooled-resource, multi-tenancy hosting model and the potential lack of data location specificity raise significant information security concerns and challenges. Security and risk management become more crucial when CSPs host sensitive data such as personally identifiable information (PII) and other restricted data.

Cloud security continues to evolve, and organizations struggle to keep pace with increasingly creative and sophisticated attack methods and tactics. “Cloud solutions are subject to conventional attacks — buffer overflows, password attacks, physical attacks, exploitation of application vulnerabilities, session contamination, network attacks, man-in-the-middle attacks, social engineering, and so on.”[3] In addition to external threat consideration, the risk management practitioner must assume that attackers can be legitimate users with valid accounts and unimpeded access to the cloud service. The increased insider threat potential renders many conventional security controls such as firewalls and security zones irrelevant.

Additionally, there are security concerns unique to, or exacerbated by, cloud computing. The Cloud Security Alliance (CSA) report “Top Threats to Cloud Computing”[4] outlines specific considerations for cloud adoption. The CSA report also offers guidance on cloud service model applicability, potential impact areas and candidate remedial approaches. In addition to IT-related concerns, cloud computing raises a variety of legal and compliance issues not typical of traditional enterprise applications. These include matters of funding obligations, export controls, indemnification, data ownership and retention, exit strategy, and court order and subpoena protocols, to name a few.

A comprehensive, risk-based approach and process framework is essential to managing high-value, mission-critical assets and services while increasing assurance in their ability to achieve mission objectives. The framework must also address continuity and sustainability requirements to ensure assets and services continue to meet mission objectives in times of stress and uncertainty.

The Carnegie Mellon University Software Engineering Institute (SEI) CERT Resilience Management Model (RMM) provides a capability-based framework and model for establishing, managing and continuously improving operational resilience from an enterprise perspective.[5] CERT-RMM integrates the disciplines of security management, business continuity management, and IT operations management to provide a holistic approach to operational risk management.[6]

RMM process areas such as Risk Management (RISK), External Dependencies (EXD), Technology Management (TM), Asset Definition and Management (ADM) and Controls Management (CTRL) provide a starting point and foundation to systematically address risk associated with external CSP service and solution due diligence, sourcing and implementation. The model can also increase an organization’s ability to respond to new and evolving threat and vulnerability profiles as cloud computing continues to mature.

In addition to managing cloud computing risk, the CERT-RMM can be applied across the organization to integrate, manage and improve operational resiliency at the larger enterprise level.


[1] NIST, “The NIST Definition of Cloud Computing”, Publication 800-145.

[2] IDG-CSO, “Security still a concern for those considering cloud move” (http://www.csoonline.com/article/683274/security-still-a-concern-for-those-considering-cloud-move)

[3] InfoWorld, “Cloud Security Deep Dive” (http://www.infoworld.com/d/cloud-computing/download-the-cloud-security-deep-dive-660)

[4] Cloud Security Alliance, “Top Threats to Cloud Computing V1.0”, March 2010.

[5] Caralli et al., “CERT Resilience Management Model – A Maturity Model for Managing Operational Resilience”, Carnegie Mellon University, Software Engineering Institute, 2011.

[6] Caralli et al., Technical Report “CERT Resilience Management Model – Improving Operational Resilience Processes”, Carnegie Mellon University, Software Engineering Institute, 2010.

Choosing a Secure Cloud Service Provider

8 12 2011

Cloud computing is a promising technology that offers flexibility and cost savings to organizations. However, before adopting cloud offerings, organizations have to understand the associated security and compliance implications.

The security issues of cloud computing can be broadly classified into those faced by cloud service providers and those faced by cloud service customers. It is the duty of cloud providers to ensure that their cloud infrastructure is secure and that their customers’ data and applications are protected. Cloud customers, on the other hand, have to ensure that their cloud provider has taken proper security measures to safeguard their data and applications.

From a security perspective, the providers and consumers of cloud services have to worry about privacy, compliance and legal issues.

Choosing a cloud service provider is an important decision for an organization, and organizations have to assess the security risks involved when choosing one. Below are a few of the security issues that the technology research and advisory firm Gartner suggests customers raise with potential cloud providers.

Before selecting a cloud provider, customers have to make sure the provider has sufficient security programs to safeguard their data. By keeping sensitive data outside the organization, customers expose themselves to an inherent level of risk, as the data is no longer under the same controls as their in-house programs. Therefore, it is important that customers know which administrators have access to their data, at what level of access, and what access controls are in place.

Cloud service providers have more than one customer; therefore it is in the customer’s interest to know which other companies the provider is servicing and whether there is a risk of the customer’s data being exposed to competitors. Customers should ensure that providers take appropriate measures for data segregation, and that the providers are subject to appropriate external audits and security certifications.

Usually customers are unaware of where their data is located. Customers should ask providers to store and process data in particular jurisdictions; this ensures that the customer knows the legal implications of storing data in those locations. Customers should also obtain a commitment from providers to obey legal privacy requirements on their behalf.

Customers should make sure they understand and are comfortable with the cloud provider’s disaster recovery plan and its management. Customers should ask the provider about its ability to completely restore data and how long that will take.

Investigation in a cloud environment is a challenge because logs and data for multiple customers may be co-located and spread across multiple hosts and data centers. Therefore, customers should get a contractual commitment from providers that effective investigative support will be provided, and confirm that the provider is experienced in providing such support.

Finally, customers should ensure that the provider has appropriate measures to give the customer’s data back in a format that can be imported into a replacement application, in case the provider can no longer provide cloud services.


Compliance Concerns of Cloud Security

12 10 2011

The list of companies aggressively working in this domain, Google, Amazon, Salesforce, Microsoft, VMware and many others, suggests that cloud computing is big and will keep growing. With the cloud’s potential to host services like IaaS, SaaS and PaaS, IT management for many user organizations will be far simpler and cheaper, along with many other advantages. These services are provided in four deployment models: public, community, private and hybrid.

However, there are growing concerns about compliance with cloud security in the public deployment model. These need to be addressed in both virtual and physical environments.

Regulation of specific industries, such as health services, financial services and insurance, also adds to the complexity of the compliance and governance required[i]. Cross-border issues need to be addressed too, as some information should not leave the country; in some cases moving it may violate the national privacy and audit regulations that govern the organization. The cloud service provider must also be compliant with the compliance policies so that the integrity of the data can be maintained. The provider also poses an insider threat. One other concern is how data and information would be destroyed if the organization switches cloud vendors.

To address these concerns, organizations can choose cloud-based services more judiciously: deciding what data needs to be uploaded to the cloud, who should access that data, and with what permissions. Better compliance policies can secure the information.

Authentication and authorization policies must be applied so that data and information are accessible only to the personnel concerned[2]. Confidentiality must also be maintained for data in the cloud. These policies help protect the information at both the client and the vendor location against insider threats or where the data is industry specific. If data or information is so confidential that its loss could jeopardize the existence of the company, the company can host that information on its own premises and take the remaining services from the cloud. Sensitive-information labeling and distribution policies must also be adopted by both the company and the vendor; these restrict unauthorized access by the company’s own employees and by the vendor’s administrators, or grant access with limited permissions. A contract should also be in place with the vendor for implementing a secure information disposal policy, which may be required on termination of the contract or when the time comes to dispose of the data. An audit of the vendor’s cloud service center should be performed and disclosed to customers; this helps clients stay security compliant and makes the vendor aware of non-compliance issues.

Industry-specific cross-border concerns can only be addressed with the vendor’s help (in the public cloud model): the vendor must agree to disclose the location of its data and service centers.

A cloud vendor that acts as an extension of the client organization greatly reduces both the compliance concerns and the security issues of the cloud.

Security in the Cloud

7 09 2011

With cloud computing and storage offerings from companies like Amazon and Salesforce.com growing in popularity from both consumer and enterprise standpoints, one area that is sometimes overlooked is how to manage security in cloud applications. With so many people already using cloud applications, it can be easy to assume on an individual level that what Amazon or Google offers must be safe, otherwise why would everyone else be using it? However, the establishment of the Cloud Trust Authority as well as the Cloud Security Alliance suggests otherwise. Thus, from an executive standpoint, what must you consider if you are thinking about moving company data to the cloud? What types of security offerings have evolved from the increased demand for secure cloud applications?

There are three general layers at which to examine cloud security:

1. How security-critical is the data being put into the cloud?
2. How secure is the actual cloud?
3. How secure is the data as it moves between me and the cloud?

1. How security-critical is the data being put into the cloud?

Given the performance and availability concerns usually associated with the cloud, high-risk data would not usually be put there. For example, would you put critical, competitively differentiating information into the cloud? Arguably one of the reasons Salesforce.com has succeeded as a cloud service is that it offers Customer Relationship Management, which, while a valuable resource, is not of the same criticality as business-differentiating product engineering plans. Thus, anyone thinking about moving into the cloud must first ask: what is the security need for the data I plan to place there?

2. How secure is the actual cloud?

Once it is decided that the data can be placed in the cloud, one must consider how safe the cloud itself is. Will other businesses using the same cloud vendor be able to access my information as well? What security precautions is my cloud vendor taking to make sure my data will only be accessed by me?

3. How secure is the data as it moves between me and the cloud?

Lastly, while your own network or machines can be watertight, and the cloud you are putting that information in can be completely locked down, what about the data as it moves between you and the cloud? That is where vendors such as CipherCloud come in. The encryption that companies such as CipherCloud provide assures customers not only that their data will be safe as it moves to and from the cloud, but also that it will be safe inside the cloud, as only the customers are privy to the keys, not the cloud service providers.
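The key-custody point above (the customer holds the keys, the provider only ever sees ciphertext) can be shown end to end. The following is an added example, not CipherCloud's or any vendor's code: the `CloudStore` class is a constructed stand-in for a provider that stores whatever bytes it is handed, and the customer side encrypts and authenticates each record locally before upload. To run on the standard library alone, the cipher is HMAC-SHA256 in counter mode with a separate HMAC tag (encrypt-then-MAC); that construction is sound but non-standard, and production code should use a vetted AEAD such as AES-GCM from a maintained library instead.

```python
"""Constructed example: client-held keys versus provider-held data.

CloudStore is a stand-in for a provider.  The cipher is HMAC-SHA256 in
counter mode plus an HMAC tag, chosen so the demo needs only the standard
library; use a vetted AEAD (e.g. AES-GCM) in real systems.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(master_key):
    """Separate encryption and MAC keys from one customer-held master key."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key, nonce, length):
    """Counter-mode PRF output: HMAC(key, nonce || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_key, plaintext, nonce=None):
    """Encrypt and authenticate; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(master_key, blob):
    """Verify the tag (constant-time compare) before decrypting anything."""
    enc_key, mac_key = _derive_keys(master_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("stored object failed integrity check")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class CloudStore:
    """Stand-in provider: stores and returns opaque blobs, never sees a key."""

    def __init__(self):
        self.objects = {}

    def put(self, name, blob):
        self.objects[name] = bytes(blob)

    def get(self, name):
        return self.objects[name]

    def can_read(self, name, plaintext):
        """What the provider could learn by inspecting its own storage."""
        return plaintext in self.objects[name]


def round_trip(store, master_key, name, record):
    """Customer side: encrypt locally, upload, download, decrypt."""
    store.put(name, seal(master_key, record))
    return open_sealed(master_key, store.get(name))


if __name__ == "__main__":
    key = os.urandom(32)                     # generated and kept by the customer
    store = CloudStore()
    record = b"customer record: account 1234, balance 17.50"   # constructed
    print("round trip ok:", round_trip(store, key, "r1", record) == record)
    print("provider can read record:", store.can_read("r1", record))   # False
```

Two properties matter for the point the post makes: the provider's copy never contains the plaintext, and a provider-side modification (or an attempt to decrypt with a key the customer never shared) is rejected before any plaintext is produced.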

It will be interesting to see how the security environment for the cloud evolves, as cloud adoption is expected to rise rapidly in the near future. Hopefully this also encourages you to think about what types of personal information you are allowing Google, Amazon, and others to store in their clouds for you.