Archive - June, 2010

Bill C-32, digital locks, and my concerns

I am not a lawyer, nor am I a politician or a copyright expert. I have been following the copyright debate quite religiously for the last 3-4 years, trying to learn what I can. In Canada, Bill C-32 has been tabled to update the copyright laws. There has been lots of discussion about the Bill, specifically around the digital lock rules in it. Big industry wants to protect its materials by making it illegal to remove digital locks, for any reason whatsoever, without the permission of the copyright owner. It also seems that it is illegal to publish tools that would assist others in breaking digital locks. Both of these issues concern me.

See, I do research into security technologies as part of my job. Security is also a personal interest of mine. As an example, I am currently looking into a particular application that uses SSL to encrypt the data between points. In order to do what I need to do for the research, I downloaded an open source tool that basically breaks the SSL. This allows me to work on my research with the application in question. If that tool were not published due to Bill C-32, that would stop me from doing my research. I suppose I could create my own version of the tool, but why would I do that if someone already has a tool readily available? It makes no sense. The most likely response to my specific example is that SSL isn’t proprietary, so it does not matter. That is true in this case, but what about when I am evaluating a BlackBerry PDA or an iPhone? I suspect RIM and Apple might not take too kindly to me exposing problems in their software. See, the current Bill C-32 might allow them to do this. That is bad for security, and bad for keeping companies honest.

I think it makes more sense to punish those who use the tools in a wrong way. If someone were to take the tool and use it in a botnet to extract credit card information, then the individuals who did this are guilty and should be charged. The person who made the tool is not the guilty party. It is like making Smith & Wesson responsible because they created the firearm that was used in a murder.

Overall, I think Bill C-32 has made much progress from the previous bills in Canada.  My hope is that the Government starts to do their job and properly debate the bill and get input from all interested parties, not label people that question them as extremists.

SSL Decryption is becoming the norm

A couple of years ago I was at a client’s site in Dubai. The client was a telco, and I was doing some security consulting for them. Like many countries in the Middle East, Dubai actively monitors data entering and leaving the country. Privacy laws, as far as I could determine, do not exist. All internet communications are actively monitored. It is quite common to suddenly see a web page pop up explaining in Arabic that the site you are trying to view is not authorized and you have been denied. Telcos there have spent millions of dollars on infrastructure in order to enforce these requirements. The design is not as complex as one might think, just resource intensive. Resources are required to process the data in real time, and staff are required to maintain the infrastructure, look into events and perform other tasks. Telcos do this because it is required by law. You cannot obtain a license as a telco unless you have monitoring capabilities deployed.

My first day in Dubai, I went to lunch with one of the executives of the telco. During our lunch, I asked him how they manage encrypted connections. He explained that they were currently getting ready to deploy a solution to solve that. The infrastructure was being upgraded to decrypt all SSL sessions and parse the data as required. Aside from opening my eyes to the difference in privacy between North America and the Middle East, I found it interesting that SSL decryption was so easily available. Previously, I had seen software that law enforcement used for this purpose. I myself had done it for clients using available tools during an engagement. But these tools were designed more for targeted surveillance, not mass scale. Like all technology, it improves and gets less expensive over time, I guess.

Today, there are many more companies in North America and abroad that either have deployed SSL decryption capabilities or are in the process of doing so. Security, diagnostics, audit and legal requirements to know what is entering and leaving their networks, and to be able to log and trace data transmissions back to the originator, are some of the reasons. One driver is Data Leakage Protection (DLP), currently a very ‘hot’ topic, with many new vendors jumping on the opportunity with solutions. In order to look for data leakage, you need to see past any encryption that might be present. Cisco, Blue Coat, Palo Alto and Fortinet are just a few of the companies that offer products for SSL decryption.

With Google deploying encryption for Gmail and, more recently, search, and plug-ins such as the EFF Firefox plug-in helping to secure your communications, companies are feeling more and more concerned about what data is coming and going. What worries me is that all these security, legal and audit requirements companies face are actually not helping them in the long run. If these companies are decrypting SSL sessions that egress and ingress their network, you can be sure that other companies are doing the same to theirs. The net result is that everything is decrypted and no one has any privacy.

Next time you connect to your bank, doctor’s office, insurance company, Gmail or any site and see secure indications from your browser similar to these

along with the company’s reassurances that the site is secure, keep in mind things may not be as they appear – today even more so than yesterday.

Do you deploy any type of decryption on your network?  If it is deployed are you aware of it?
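As an added example (not from the original post), here is a small Python check that answers the second question from the user's side: the padlock only proves the certificate chains to a CA the local machine trusts, and an interception proxy's CA is installed precisely so that it does. Comparing the issuer actually presented for a site against the issuer you pinned from an unmonitored connection reveals the proxy. The host name and issuer names below are constructed placeholders.

```python
"""Detect a TLS-interception proxy by comparing the issuer of the presented
certificate against an issuer pinned from an unmonitored connection."""
import socket
import ssl

# Constructed example pins: record the issuer organization a site uses when
# you connect from outside the monitored network, then compare at work.
EXPECTED_ISSUERS = {
    "example.com": {"Example Public CA"},   # placeholder, not a real pin
}


def issuer_org(peercert: dict) -> str:
    """Return organizationName from an ssl.getpeercert()-style dict."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def classify(host: str, peercert: dict) -> str:
    """'ok' if the issuer matches the pin, 'intercepted' if some other CA
    (typically the corporate proxy CA) signed the leaf, 'unknown' if no pin."""
    expected = EXPECTED_ISSUERS.get(host)
    if expected is None:
        return "unknown"
    return "ok" if issuer_org(peercert) in expected else "intercepted"


def fetch_peercert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Do a live handshake and return the validated leaf certificate.
    Validation uses the local trust store, so a proxy CA installed on this
    machine passes it; that is exactly why the issuer pin is needed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    cert = fetch_peercert(target)
    print(target, classify(target, cert), "issuer:", issuer_org(cert))
```

Run it from inside and outside the monitored network; a different issuer for the same site means something in between is terminating the session.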


LinkedIn and the new ‘Follow’ feature

LinkedIn has a new follow feature. If there is a company you are interested in, selecting ‘follow’ will send you notifications when people join, leave, or get promoted in that company.

Up until now, the main reason I used LinkedIn and Facebook was to keep abreast of what is happening in my contacts’ lives. Typically my LinkedIn contacts are people I have worked with, and Facebook is more social friends. This is a really useful feature to me for a couple of reasons:

Are people leaving a company? If there is an increased rate of people leaving a particular company and you are considering working for that company, you might want to reconsider. Or you might see it as an opportunity. Regardless of your decision, it gives you valuable insight. Insight that was not as easily available before social networking.

Transparency. It forces transparency on companies, as they do not have any control over LinkedIn. I love this. If suddenly there is an increased rate of people leaving a company, public announcement or not, something is up. Good information to have, especially if you are considering them as a potential candidate for employment or contract work. The reverse (where a company is suddenly hiring) is also true.

One can suggest that it is not ‘official’ information, but in reality that doesn’t matter. Forgoing statistics and math, ask any investigator or law enforcement detective. If you get enough information from enough people, eventually you will get to the truth. Sure, each piece of information is biased, leaves something out, or has added titbits for colour, but if you get as much information as you can (sample size), you will start to see what most likely is the situation, or at the very least where to focus your efforts to answer the question. The same applies to information from LinkedIn. It may not be official, and sure, maybe one or two people are misrepresenting their position or title, but if there is a sudden change in a company’s employees, there is usually a common set of reasons for the change.

A few months ago, when I was looking at changing careers, I was actively on LinkedIn. Even without the follow feature, it became obvious to me over the weeks that one company I was interested in was letting people go. Looking at the profiles of the individuals that were leaving, they had been at the company for a long period of time and were typically in senior management positions. The company was not officially downsizing. Curious, I contacted a few individuals at the company. My assessment based on LinkedIn was correct. They were quietly replacing higher paid employees with lower paid ones. Correlating this information with the positions they had published, you could see this was clearly the case.

What fundamentally worries me is that companies will start to see this as a problem and attempt to ‘fix’ it. They could do this in several ways: discourage employees from posting to LinkedIn, offer LinkedIn money to change the perception of their company, or LinkedIn could see it as a business opportunity and offer perception control as a ‘service’ to companies. I hope this will never be the case, but money talks. I recently saw a tweet about Facebook, but the concept applies to LinkedIn as well:

RT @ruv: “The most important thing to understand abt Facebook is that you are not fb’s cust, you are its inventory” via @davehyndman

The risk of social networking in this case is that we have to trust LinkedIn. LinkedIn is the control point for this information, and we have to trust them to do the ‘right’ thing. While this might seem okay, one only needs to look at the recent happenings at Facebook to understand what can happen when a company gains a clear majority of followers and controls the information.

I do like this stuff though!  Isn’t behavioural analysis awesome?