RSA Conference

    Business Trends and Impact: Blog Tim Mather


    May 09, 2008

    Morphing Privacy Concern

    Cookies are still with us, but “so over” as far as being the leading edge of privacy concerns. Most people have since moved on to concerns about targeted advertising. However, based on what I have read, we should be focusing our attention on a new and far more insidious method of tracking individuals and where they go on the Internet.

    What is this new method of tracking individuals? Behavioral tracking. Cookies, which rely on tracking an individual through the specific “target” Web sites that she visits, are essentially point shots. Of course, third party cookies are also used, but their effectiveness is limited by users’ browser settings; operational difficulties in aggregating, correlating, and specifically identifying the user; as well as legal constraints (e.g. the 2002 European Union telecommunication privacy directive).

    Behavioral tracking attempts to overcome the problems with cookie use by monitoring user behavior further upstream, closer to the user herself. Instead of tracking an individual through the specific “target” Web sites visited, behavioral tracking captures all Internet usage by an individual by monitoring online activities at the user’s ISP. The upstream collection of users’ Internet usage provides more information about a user’s interests, and allows for far more precise delivery of advertisements – meaning higher revenue for these more targeted (and presumed effective) ads.

    This relatively new method has gone almost completely unnoticed by the public, and even by privacy watchdog groups (e.g. the EFF, EPIC, and Privacy International), which I would have expected to be paying more attention.

    What makes this omission by privacy watchdogs even more interesting is who HAS covered this new method of tracking individuals online: The Wall Street Journal. It’s not that the Journal has taken a sudden interest in privacy concerns. What the Journal is interested in is the effect that this new tracking method could have on established Internet advertising companies such as Google and Yahoo!, and specifically the profound shift in advertising revenue that it could engender towards newcomers such as Adzilla, Frontporch, NebuAd, Phorm, and/or Project Rialto. Haven’t heard of any of these newcomers? One (or more) of them could soon be a billion-dollar company, upsetting today’s advertising status quo.

    Of course, this behavioral tracking also raises serious questions about user privacy. Users have a way to opt out of cookie use, but it is far more questionable how, and how effectively, users can opt out of behavioral tracking. Besides, this aggregated behavioral tracking data is almost too tempting to advertisers and law enforcement for ISPs to act in what users may feel is their best interest (read: a further loss of privacy). For that reason, I ask again: where are the privacy watchdog groups on this one?

    May 05, 2008

    Who’s Watching the Watchers?

    “Who’s watching the watchers?” is a line from the 1998 film “Enemy of the State” starring Will Smith and Gene Hackman. The film was about a fictional rogue operation at the National Security Agency. (And why is it that NSA’s domain is nsa.gov instead of nsa.mil?) “Enemy of the State” is widely reported as having rankled General Michael Hayden, who was Director of the NSA from 1999 to 2005. For example, this was reported in both James Risen’s State of War (2006) and Eric Lichtblau’s Bush’s Law (2008), as well as in comments that Hayden himself made at the National Press Club in January 2006 and elsewhere. (Both Risen and Lichtblau are reporters in The New York Times’ Washington bureau. Hayden is currently Director of the CIA.)

    I can’t help but recall this movie line in light of some recently-reported stories involving information security vis-à-vis several government agencies. For example, in filing suit against AT&T about so-called warrantless wiretapping, the Electronic Frontier Foundation included former AT&T employee and whistleblower Mark Klein’s declaration about the NSA’s use of a commercially available “semantic traffic analyzer” which “…is known to be used particularly by government intelligence agencies because of its ability to sift through large amounts of data looking for preprogrammed targets.”

    Another example goes back to July 2007 when Wired reported that “FBI Used Spyware to Find Student Behind Bomb Threats”, stating that:

    FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News.

    The court filing offers the first public glimpse into the bureau's long-suspected spyware capability, in which the FBI adopts techniques more common to online criminals [emphasis added]. 

    Last week, The New York Times reported: “At Trade Show, China’s Police Shop for the West’s Latest”. What particularly caught my eye was, “The most intriguing device offered at the show to senior Chinese security agency officials was the Image Masster RoadMasster, a powerful computer system that swiftly copies computer hard drives without leaving any trace and comes concealed in its own color-coordinated briefcase.” I can certainly think of valid use cases for this type of product by enterprise IT departments, but investigative use cases by law enforcement and intelligence agencies do make me a bit nervous.

    Finally, being in England last week, I was a bit taken aback to see (multiple times) a rather in-your-face public service announcement on the BBC about the need for British residents to pay their TV licensing fees. As the tag line states, “It’s all in the database”. Even the BBC as “big brother”? Now, I’m really getting nervous. Who is watching the watchers?


    Comment: Nobody is watching and everybody is watching. The question is: who's paying attention?

    Name: Schratboy

    Comment: This can turn into a Minority Report movie in the future.

    Name: Sheran

    URL: www.sheelf.com

    Apr 24, 2008

    The View from Japan

    I’m in Tokyo this week, speaking at RSA Conference Japan 2008. I’ve been to Japan several times previously, and have spoken at the Conference before. While security technology tends to be nearly the same worldwide (assuming availability – which, given political considerations, might not always be a valid assumption), the business environment around deployment of such security technology can vary by location.

    Japanese culture is significantly different to American culture and cultural differences impact how businesses operate. And how businesses operate determines their levels and types of risk – and therefore what types of security technologies tend to be employed, where, and why.

    However, Japanese enterprises are indeed facing the same information security problems that American enterprises are. Malware, spam, and phishing are big problems here, just as they are in the United States. Just as enterprises in the United States are worried about these scourges in the context of their own systems and personnel, Japanese enterprises are also worried about these scourges from the perspective of their customers – specifically, with regard to customers’ online interaction with enterprises.

    Until a couple of years ago, Japanese security programs tended to lag behind their American and European equivalents, both in spending and implementation. That “gap”, however, has now largely closed, due mainly to two factors.

    First, most Americans probably have no idea what Winny is (a Japanese peer-to-peer file-sharing application). Even many information security professionals are unaware of Winny. In Japan, however, if you have anything to do with information security, you will be all too well aware of the security problems associated with Winny that have occurred in the last two to three years, as there were several highly publicized embarrassments for Japanese enterprises (including government agencies).

    Second, Japan has had its own corporate scandals, with Livedoor being probably the most “spectacular”. Because of those scandals, Japan now has its own version of the United States’ Sarbanes-Oxley legislation, known popularly in Japan as J-SOx. (Officially, J-SOx is the Financial Instruments and Exchange Law, and became effective in June 2006.) Because of J-SOx, enterprise spending on information security has increased significantly.

    While Winny is yesterday’s news in Japan, J-SOx is definitely today’s news. And like information security technologies, information security risks are becoming “homogenized” – same problems, different culture.

    Apr 17, 2008

    Product Capabilities

    Spending last week at the RSA Conference in San Francisco, I had an opportunity to wander the exhibit floor and see what the 400+ vendors were selling.

    At a high (“stratospheric”) level, products usually go in two distinct directions. Many products effectively go “down” – that is, these products effectively provide increasing technical granularity, often at the expense of the product’s breadth of scope. These products become increasingly niche – narrower, but deeper.

    Alternatively, many products go in the other “direction” – that is, these products effectively aggregate capabilities. These products become increasingly broad, but do not go deep.

    This usual either/or dichotomy sometimes hampers information security practitioners. No one wants to deploy yet another point product (“YAPP”) just to achieve breadth of security coverage, but that is often the stark choice if there is a need for deeper capabilities or greater technical granularity. Likewise, it is not really desirable to have to give up the technical depth or granularity needed for investigations or forensics, just to reduce the number of point products deployed. In effect, we would like to have our cake and eat it too. Unfortunately, that is a product “luxury” that is not often presented to us.

    My best advice: look hard, listen closely, and cut through the marketing-speak, and you too will sometimes be rewarded. Depending on your requirements, this either/or dichotomy can sometimes be skirted.


    Comment: I wish I would...

    Name: Sheran

    URL: www.sheelf.com

    Apr 14, 2008

    The ‘Death’ of ‘Best Practices’

    Spending last week at the RSA Conference in San Francisco with just a few thousand of my closest information security colleagues, I had a lot of information to look at and listen to. Pleasingly, there is one thing that I am seeing little of, and hearing even less of. One of the trite phrases of our profession that has always bothered me is “best practices”.

    For years we have been listening to consultants and vendors banter about “best practices”. Whose best practices? Which best practices? Show me an agreed-upon definition of best practices, and I’ll buy you a Ferrari. The phrase has been so often invoked without context or definition as to have zero meaning and just be bothersome. OK, I think you understand my feelings on this.

    Not hearing that trite phrase much this week, I am hearing what to me are acceptable substitutes to express the need for some agreed-upon set of measures that constitute a necessary baseline for enterprise information security.

    Steve Katz, who headed information security programs in the financial services industry for years, talked about ‘sound, prudent, and effective practices’. That phrase is far more meaningful to me, but it was apparently too long for many consultants and came to be truncated to “best practices” instead. I like Steve’s phrasing much better.

    Alternatively, Craig Shumard of Cigna, and others, use the expression “due care,” which speaks to being able to pass most audits and stand up with confidence in a court of law. Again, I like this phrase much better. There is some context and definition to it.

    Mar 26, 2008

    Tim's Podcast

    Listen to Tim's thoughts on the role of the CSO, directions in information security and his panel at RSA Conference 2008 on The Future of SIEM.

    Listen online | Download (5:34)

    Mar 19, 2008

    Cyber Storm II

    Last week I had an opportunity to visit the Cyber Storm II exercise which was held at the U.S. Secret Service (USSS) headquarters in