
Archive for the ‘Security’ Category

Verified by Twitter is just silly

March 4th, 2010 Clear2Go No comments

Have you ever seen the Verified by Twitter logo? It is supposed to give the public assurance that the person who holds the account is the real person and not someone pretending to be them. Off and on over the last few weeks I have been trying to find out what the procedure is. What are the requirements? How do they prove the individual is who they say they are? Does Twitter intend to roll it out to everyone? I have had no luck. Any queries seem to go into a vacuum. They have this page which says:

To prevent identity confusion, Twitter is experimenting (beta testing) with a ‘Verified Account’ feature. We’re working to establish authenticity with people who deal with impersonation or identity confusion on a regular basis. Accounts with a Verified are the real thing!

The first and last statements are what interest me: “To prevent identity confusion” and “Accounts with a Verified are the real thing!”.

I have always been a fan of the music group The Corrs. One of the members, Sharon Corr, has gone out on her own and is creating some songs and getting ready to release an album. I have been following her on Twitter. She has a Verified by Twitter account. Her Twitter ID is @Sharon_Corr. If I look at her account, from the picture and the links to her website and videos I can be reasonably certain it is her. However, what if you were looking for a different Sharon Corr? There must be more than one Sharon Corr in the world. So I randomly tried @SharonCorr. This person appears to be someone who writes poetry. But is her name really Sharon Corr? What if it is, and she applies for a Twitter verified account? Will Twitter verify it and give her the Verified by Twitter logo? If her name is Sharon Corr, then they should. But that might confuse someone like myself, looking for the singer Sharon Corr, so maybe they won’t.

How does Verified by Twitter make me feel safe as a user of Twitter? If they fully roll this program out, they will encounter multiple people with the same name who all have verified accounts. Maybe they use the URL on the profile page as the key. If I see that the URL points to Sharon Corr’s website and there is a Verified by Twitter logo, I can be certain that the person who has the website URL also owns the Twitter account. Of course, that would confirm the relationship between the Twitter account and the website, not the actual person Sharon Corr. This also assumes they know what I am looking for. How do they know which Sharon Corr I want?

I looked up Taylor Swift for fun. Her account is Verified by Twitter. Her ID is @taylorswift13. There is also a @taylorswift13x. If you look at the two accounts they are very similar.

Taylor Swift’s real account (I think)

The website doesn’t help, because the URL points to itself.  We know Taylor Swift is popular so if you look at the followers count and combine that with the tweets and news articles you can conclude this is her account … maybe.

A fake Taylor Swift account (I think)

This is probably the fake one because of the follower count. But then again, maybe this person’s name is Taylor Swift and maybe this is the person I am looking for, not the popular one. I am very confused now, and Twitter said in their statement above that they were going “To prevent identity confusion”. In order to do that, you actually have to know which identity I want to find; you can’t just guess. But that is what they are doing: ‘guessing’ what I want based on popularity. I think Verified by Twitter is just security theater. The verified account doesn’t help. Verifying someone is a complex problem, and putting a logo on a page just doesn’t cut it.

Maybe the logo should really be “Twitter verifies this to be the popular person you might be looking for logo”?

Categories: Security, Uncategorized, musings

Breaches in healthcare, finance, and restaurant services

February 10th, 2010 Clear2Go No comments

There are some interesting events and decisions happening in the restaurant, finance, and healthcare industries. These and similar events of course affect companies in other countries, such as Canada, with international customers in these industries. A part of me hates to say this, but these data breaches are a good thing. Breaches force laws, which in turn force companies to spend appropriate time and money on the security research, secure software development, secure network architecture, secure deployment and proactive monitoring that should be done anyway. It puts financial and legal obligations on private companies, which changes the risk factors when assessing security. Far too often, security is one of the first things to be ‘adapted’ when costs get higher than expected or timelines become critical. If you ask any company they will say security is a primary consideration at all points in the development and release process, and in some cases they are being truthful. However, in many cases the minimum bar for security needs to be raised significantly. Simply running your code through some basic buffer overflow checks, installing an IPS or firewall, and checking off your ITIL checklist is not enough, not even close.

The private sector has a long way to go with security in software development, network infrastructure, and international laws. Security breaches force laws and public scrutiny, which in turn hold corporations and individuals accountable. They are a catalyst which, unfortunately, I believe is necessary for appropriate change to occur in this area. What I sincerely hope is that these and similar events cause large corporations and software vendors to become much more proactive about security than is currently the case. If done properly and proactively, less government regulation will be required. I believe the choice as to how this plays out rests with the private sector. If private sector companies continue doing the minimum, then I suspect regulation will eventually be forced upon us. I hope that too much regulation is not required.

Does your company lessen security requirements due to costs or project time-lines?


Categories: Security, Software Liability

The problems with Internet security and the “Default Deny” stance

January 27th, 2010 Clear2Go 2 comments


On the Securosis blog there have been two posts recently (here and here) about security and taking a default deny position as the best approach to securing a particular service or network. At a high level, you block every port / service / protocol that is not defined as being required and then wait to see who complains. As people complain, you investigate the complaints, figure out what policy changes are required and make them. The end result is a secure policy allowing only the required access. At least that is the theory.

I believe that “default deny” is an excellent security goal. That being said, reaching that goal has to be weighed against other objectives. Often, I find many security professionals proclaiming that ‘default deny’ must be deployed and everyone has to make it happen, regardless of the cost to the company, regardless of the risk to the project. The general sense is that if default deny cannot be completely reached, the project should not go forward or should be held up.

This sets a very adversarial tone for everyone involved in the project. It creates a very binary choice, “you are either with us or against us”; there is no in between. While this is great in the movies, for the most part it is not real life. That positioning breaks down communication, it puts the team on the defensive, and it creates an environment where the team does not want to talk to, work with, or involve the security experts. They are seen as unreasonable and unrealistic. Have you ever been ordered by law enforcement to “stand back” or “show me your driver’s license”, or been told you cannot cross this line, with no explanation as to why? How does it make you feel? Did this attitude earn your respect or lessen your respect for them?

The default deny stance is easy, minimal work, and most importantly risk free for the security members of the team. While that is not a bad thing, it often increases the amount of work for others on the team as well as their responsibility. In a simple case, if on a project I block port 1234/tcp, I force the team to re-program the socket interface on the application, which in turn generates a code review, which then generates more work for the Q/A team. If the team overrides the security experts and says we are not doing that work, the security members can now claim they did their part, the team did not listen, and so if there is a breach it is not their fault. This does not promote a collaborative team environment.

Humans naturally fear the unknown. It explains why as a society we overreact to terrorists who attempt to blow up planes or all rush to get the latest vaccine for a new strain of bacteria. In both cases we are more at risk of death from being hit by a car in our daily travels, yet we show no fear that this will occur. This irrational fear is reinforced in courses and books on security. The result is that we see “default deny” as the only valid solution, and security professionals promoting just that, often with a very hard line.

“Default deny” ideally assumes that there is an understanding of a service or application in its entirety, from the end user interface right down to the bits that traverse the wire, in detail, under all conditions. Years ago this was possible; however, today’s applications are rarely the result of one team’s code from the ground up. APIs of third party vendor systems are called, and third party libraries are used for communication, storage, authentication and many other functions and features. Today, it is unreasonable to assume that a particular team will understand everything at all levels, given the nature of how services on the Internet are built and deployed. Security professionals are correct in pointing out that this is a risk; however, it is a risk that is not going to go away, and security models have to adapt to manage and minimize it. A simplistic “Default deny” does not accomplish this.

I have consulted for several very large tier 1 service providers. The default position tends to be “Default permit”. From there they determine what is ‘bad’ and craft security policies to deal with and minimize the risk. While enterprises can afford to take a more “Default deny” approach, this will become more and more difficult. As services are increasingly built by external vendors, use third party APIs and libraries, interact more and more with cloud computing, permit access from PDA devices, and use the many other services available and yet to be available, a different approach is needed. “Default deny” is a great goal for the security of a project; however, it needs to be prioritized against, and assessed from a risk perspective alongside, the other goals of the project.
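The two stances described above, scored against the same traffic so the trade-off is visible: default deny produces the "complaint" on the undocumented 1234/tcp socket from the earlier paragraph, default permit leaves an unneeded service exposed, and one round of the complaint loop closes the gap. This is an added example, not code from this post or the Securosis posts; every flow, rule and port other than 1234/tcp is constructed for illustration.

```python
"""Default deny vs default permit, scored against the same set of flows.

Added example, not code from the Securosis posts or this blog. Every flow,
rule and port other than 1234/tcp (the application socket from the post) is
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    port: int
    required: bool  # ground truth: does the application actually need it?


# Constructed traffic the project generates. 1234/tcp is genuinely needed but
# was never written down, which is exactly the case the complaint loop hits.
FLOWS = [
    Flow("tcp", 443, required=True),
    Flow("tcp", 1234, required=True),
    Flow("tcp", 23, required=False),
    Flow("udp", 1900, required=False),
]

ALLOW_LIST = frozenset({("tcp", 443)})  # default deny: only the documented service
DENY_LIST = frozenset({("tcp", 23)})    # default permit: only the known-bad service


def default_deny(flow, allow=ALLOW_LIST):
    """Block everything that is not explicitly on the allow list."""
    return (flow.proto, flow.port) in allow


def default_permit(flow, deny=DENY_LIST):
    """Permit everything that is not explicitly on the deny list."""
    return (flow.proto, flow.port) not in deny


def evaluate(policy, flows=FLOWS):
    """Score a policy: ports of required flows it blocks (the 'complaints')
    and ports of unneeded flows it lets through (the residual exposure)."""
    complaints = [f.port for f in flows if f.required and not policy(f)]
    exposure = [f.port for f in flows if not f.required and policy(f)]
    return complaints, exposure


def refine_allow_list(allow, flows, complaints):
    """One round of the complaint loop from the post: each investigated
    complaint that turns out to be a real requirement becomes an allow rule."""
    extra = {(f.proto, f.port) for f in flows
             if f.required and f.port in complaints}
    return frozenset(allow) | extra


if __name__ == "__main__":
    print("default deny    :", evaluate(default_deny))
    print("default permit  :", evaluate(default_permit))
    refined = refine_allow_list(ALLOW_LIST, FLOWS, evaluate(default_deny)[0])
    print("after complaints:", evaluate(lambda f: default_deny(f, refined)))
```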

Do you think that the security community of today needs to change their approach, and behaviour?

Categories: Security

Law firms, businesses, the cloud, and security

January 19th, 2010 Clear2Go No comments

Nicole Garton-Jones submitted on slaw.ca today a post entitled Practicing Law on the Road: the Role of the Cloud and the Emergence of the Virtual Law Firm. In it she highlights the idea of working remotely and using VoIP, cloud computing and virtual desktops along with your PDA and laptop devices. Especially when it comes to law firms, my experience is that they are often slower to adopt technological changes than other industries, due to a combination of tradition and a general need to follow government laws and the procedures enforced by their professional organizations. It is nice to see a lawyer promoting these technologies; I think that is great for the legal industry.

In her post, she discusses cloud computing, laptops and PDAs and touches on security. I feel that security needs to be given a much more serious discussion. My experience consulting with small companies and law firms is that they typically do not give security enough time, consideration, or expertise before choosing a technology path. There are many reasons for this, cost, resources, and time being the main factors. It is usually discussed only when a laptop with sensitive data goes missing, someone realizes there is a keystroke logger on their system, or their server data has been compromised and is leaking onto the Internet, bypassing the firewall, IDS, anti-virus, and the notice of the system administrators or third party companies hired to provide system administration and security.

Cloud computing offers many advantages and cost savings to companies. It also brings with it the concern of your data being stored off-site, out of your direct control. With large cloud computing vendors such as Amazon and Google, your data could be across the world in a foreign country, and the laws that apply to the protection of that data probably differ from those in your home country. This has been a topic of discussion for a while now in the cloud computing arena. One of the suggestions is to use a ‘private’ cloud. This is typically a cloud that you own, or one where you have more control over where the data is stored. For example, Canadian Cloud offers a guarantee that “…data are safe and secure on hardware located in Canada, and subject only to Canadian laws and regulations..” This resolves international issues when it comes to control of data and is appealing. However, there is much more to consider before choosing a provider. While Amazon, Google and other large companies are international, they also have the size to attract security professionals who are very knowledgeable and current. They can afford the resources to properly monitor for attacks aimed at stealing your data. Google recently publicized the discovery of China conducting espionage on its systems. Will a provider of a smaller cloud offering have the resources to detect such attacks? If you install your own cloud, do you have the resources to hire individuals capable of detecting these types of attacks? One could argue that not using Amazon or Google is less secure and leaves you with more risk exposure. My point is that companies and firms need to consciously assess these decisions based on the sensitivity of the information they are thinking about storing on a cloud system.

Laptop security is still as important whether the cloud is present or not. It makes sense for an attacker to go after the weakest link, and that is almost always the end user device. Although one may suggest that all the information is on the virtual desktop in the cloud, there may be cases where data needs to be pulled locally. If this is the case and the data is sensitive, you will require encryption. Even if data is never stored on the laptop, and therefore there is no need for encryption and the management tasks it brings, malware that captures keystrokes and gathers screen shots is invaluable on the laptop of a lawyer involved in a sensitive case. This software exists in many places and is easily obtained and deployed. Proper user device security does not go away.

Between iPhone and Blackberry, currently the Blackberry is much more secure than an iPhone. Blackberry has the infrastructure, including BES servers, which allows enforcement of detailed security policies along with a robust management architecture. BES servers offer the ability to remotely wipe a lost Blackberry as well as the ability to track the location of the phone remotely. The Blackberry device itself has the ability to wipe all data via a menu option or by simply entering the wrong password a configurable number of times. By comparison, the current iPhone can have a password in place, but bypassing it is easy once you have the physical device, and security policies can be easily overridden by the user of the device. I fully expect the iPhone to improve in this area as it targets the business market, but currently this is the general state of security with the iPhone. A company that deploys iPhones or Blackberries needs to consider the type of data on these devices and the required security. While many users prefer the iPhone over the Blackberry, you are making a security decision when you make this choice as well. Best to make it consciously and understand the risks you are assuming with your firm’s and clients’ data.

Companies and firms need to consciously assess the security requirements of their data independent of any one technology.  Once this is completed, choose and deploy solutions and services that meet those requirements balancing off risk, cost, and convenience.  While there is no such thing as 100% security, you can consciously minimize this exposure, and manage the risk.

How confident is your company or firm that data stored on your local servers, cloud infrastructure, laptops, PDAs and other devices is secure, and can not be extracted or viewed without proper authorization?  If your data was being extracted or viewed without authorization would your security team detect it?  If not, why not?

The Future of the Security Industry

September 16th, 2009 Clear2Go No comments

Bruce Schneier did a talk in August on The Future of the Security Industry. You can watch the talk here. He discusses why selling security is hard, why buyers and sellers do not understand each other, “Best Practice” being a herd mentality, why humans buy stuff, and how I.T. is really infrastructure and will eventually end up treated as a utility. My favorite part was his discussion of Prospect Theory and how it relates to the decisions businesses and humans make when considering security. This is not a technical talk, so anyone with an interest in security from a business or end user point of view will get value from listening to it.

Categories: Human Behaviour, Security

Outsourcing I.T. to Google – Part I – The Concerns

June 20th, 2009 Clear2Go No comments

A few months back I read a post by CEO Michael Hyatt on why he liked Gmail and why he was having his staff investigate switching their corporate email from Microsoft Exchange to Gmail. This sparked my interest from the perspective that if he would consider it, other CEOs and companies would probably give outsourcing I.T. to Google serious consideration as well.

I have been looking at Gmail and the other Google services for completely different reasons, but I have to say that I agree with all his points. The only reason I can think of that you would not want Google to manage your corporate email would be control. You no longer have physical control of the servers and functionality that house your email. This could be a problem for certain groups or businesses where privacy is extremely important, as well as potential repercussions if the emails were to become public. Google states they give you complete control over your email on their system, but that statement is technically not completely truthful. Google also has access to your emails. Suppose an employee of Google read and extracted your emails. Sure, Google would discipline and probably let the employee go, assuming they could find out who was responsible, but what if the impact is large? What if, for example, the emails of a women’s shelter using the Gmail service were published on the Internet? What if emails from a law firm concerning a sensitive and active court case were to be posted? Can you sue Google? And even if you are successful, it doesn’t change the impact of those emails becoming public. I have commented on similar privacy implications before here.

The fact is, when you outsource a service or function, you are giving up some control and security, no matter what any company tells you. In many cases it might be well worth the cost, but it is important to assume this risk consciously. Does anyone remember Hushmail? (They are still around.) For years they boasted that even Hushmail could not read your email because it was encrypted in storage with PGP encryption. Without your passphrase or the private key that you provide to connect to their service, decryption was not possible. A company using their service was being investigated by the DOJ. Despite PGP, Hushmail was able to provide them with all the relevant emails of the company that were stored on the Hushmail servers. Yes, any company or citizen must comply with a court order, but technically they should not have been able to, and they advertised this fact. I am not advocating not complying with a court order; obviously that would be bad for any business. But if a government can go to an outsourced company, provide a court order for a hosted company’s email, documents and calendars, and part of the order is that they are not to communicate any knowledge of or actions resulting from the court order, their hands are tied and you don’t know anything about it. If you host your own email, at least they have to serve you with the court order so you know something is up. The applicable laws may be different too. Google servers are housed in the United States, which I believe brings them under U.S. law. This could have implications as well.

Categories: Cloud Computing, Security

Tracking people on the Internet

July 31st, 2008 Clear2Go No comments

Ever wonder how you can track someone on the Internet or prove that someone did something? How do the bad guys do it? How do the good guys do it? This is an excellent example! Good investigative work and a little social engineering thrown in for good measure.

Categories: Forensics, Security, monitoring

Authorization on the Internet

May 30th, 2008 Clear2Go No comments

I recently read a post here and here by EFF on laws that make it a criminal offense simply to access an e-mail server or to test whether personal data of yours kept by a third party can be accessed by others. This led me to an article referred to in the first one with more detail on some of the cases (that article is here).

With respect to the Internet, the court needs to view ‘authorization’ in the same context as the expectation of privacy. When a person is sitting in their home, they have a certain expectation of privacy. They expect that covert cameras are not capturing pictures or movies of them and their family. They expect that their conversations, movements, and actions are not being recorded. This expectation changes when a person leaves their home. Security cameras can and do record them walking down the street. An audio conversation between them and a store clerk could be recorded by store equipment (currently not likely, but I suspect it would be considered legal). This type of activity is expected and assumed. You cannot claim that a store you were in or the city you were in did not seek your permission to record you prior to being recorded. Privacy is not assumed in public.

In my opinion the same is true for systems on the Internet. If an entity places a mail server on the public Internet, then it is reasonable to expect that it will be connected to, both for reasons it was intended and reasons it was not. Ensuring that a mail server is only used by individuals to route e-mail, or only routes e-mail that is ‘authorized’, is not the responsibility of individuals on the Internet. It is the responsibility of the owner of the server to ensure this. I send e-mail all the time, and I have no idea what servers are accepting and routing my e-mail to the appropriate destination (yes, I can figure these things out, but that is not the point). If an individual directly routes e-mail to a server that should not accept or route the e-mail, the company needs to configure their servers to not accept this. The company needs to configure their servers and networks so that they are not open to attack.

Similarly with a web server. Suppose someone is accessing a server that contains their personal medical information and they notice the URL in the browser is https://medicalfiles.medi/userProfile.asp?id=1234. The user then changes the URL to https://medicalfiles.medi/userProfile.asp?id=1235 and suddenly they are viewing someone else’s profile information. That is completely the responsibility of the company that owns the server. The company chose to put the server on the public Internet. The company chose to develop, purchase, or otherwise use a particular application to allow private user information to be displayed. The company chose a set of methods to secure this information and ensure that only authorized individuals could access specific information. With these choices comes a responsibility, and consequences for not living up to that responsibility.
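The id swap described above, shown as the vulnerable lookup beside a hardened one that binds authorization to the session rather than to the client-supplied id, plus a small server-side check that flags sessions walking through many profile ids. This is an added example, not code from the post or from any real site; the profile records, the session model and the log lines are constructed, and only the URL shape comes from the post.

```python
"""Object-level authorization for userProfile.asp?id=N.

Added example, not code from the original post. The profile records, the
session model and the log lines are constructed assumptions; only the URL
shape (userProfile.asp?id=...) comes from the post.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed data store: profile id -> record, each owned by one account.
PROFILES = {
    1234: {"owner": "alice", "notes": "allergy: penicillin"},
    1235: {"owner": "bob", "notes": "blood type: O-"},
}


class AccessDenied(Exception):
    """Single failure type for 'no such profile' and 'not your profile'."""


def profile_id_from_url(url):
    """Extract ?id= as an int; anything else is treated as a bad request."""
    qs = parse_qs(urlsplit(url).query)
    try:
        return int(qs["id"][0])
    except (KeyError, IndexError, ValueError):
        raise AccessDenied("malformed id") from None


def vulnerable_lookup(session_user, url):
    """The behaviour the post describes: the id in the URL is trusted, so an
    authenticated user who edits 1234 -> 1235 reads another person's record.
    (session_user is accepted but never consulted, which is the bug.)"""
    return PROFILES[profile_id_from_url(url)]


def hardened_lookup(session_user, url):
    """Authorization is decided by the session, not by the client-supplied id."""
    record = PROFILES.get(profile_id_from_url(url))
    if record is None or record["owner"] != session_user:
        # One uniform failure: answering 404 for missing and 403 for
        # someone else's id would tell a caller which ids exist.
        raise AccessDenied("not authorized")
    return record


def is_denied(session_user, url):
    """Convenience wrapper: True when the hardened lookup refuses the request."""
    try:
        hardened_lookup(session_user, url)
    except AccessDenied:
        return True
    return False


def sessions_enumerating_ids(log_lines, threshold=3):
    """Server-side detection: sessions that requested `threshold` or more
    distinct profile ids, counted whether or not the request succeeded.
    Constructed log format: '<session> <url>' per line."""
    ids_seen = defaultdict(set)
    for line in log_lines:
        session, url = line.split(maxsplit=1)
        try:
            ids_seen[session].add(profile_id_from_url(url))
        except AccessDenied:
            continue  # malformed id: nothing to count
    return sorted(s for s, ids in ids_seen.items() if len(ids) >= threshold)


# Constructed access log: sess-a views its own profile, sess-b walks the ids.
CONSTRUCTED_LOG = [
    "sess-a https://medicalfiles.medi/userProfile.asp?id=1234",
    "sess-b https://medicalfiles.medi/userProfile.asp?id=1234",
    "sess-b https://medicalfiles.medi/userProfile.asp?id=1235",
    "sess-b https://medicalfiles.medi/userProfile.asp?id=1236",
    "sess-b https://medicalfiles.medi/userProfile.asp?id=abc",
]
```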

Just as there is no expectation of privacy in public, there should be no expectation of proper or improper authorization for a server on the Internet. It is the owner’s responsibility to configure their servers and network devices correctly to enforce the authorization they desire, and failure to do so is their own fault and responsibility, period.

Categories: Privacy / Anonymity, Security

TrueCrypt 5.x on Fedora 8

April 26th, 2008 Clear2Go No comments

I was rebuilding my Fedora VMware image today. Attempting to install TrueCrypt 5.x, I became very frustrated. It made me realize my expectations have changed. I no longer want to have to understand every single application I use, how to compile it, its associated dependencies and specifics. On one hand learning this still interests me to this day. Unfortunately, I no longer have the free time I once had to do this for every application I require, so I just want it to work. Since a quick install didn’t seem to be an option, I started compiling TrueCrypt from source and adding in all the dependency libraries etc. During this process, I discovered an entry by Oliver Meyer. He published a simple step by step procedure. It is easy to understand and well done. I highly recommend it.

-mike.

Categories: Encryption, Security

Truecrypt 5.0 review

March 4th, 2008 Clear2Go No comments

Excellent review of the latest version of Truecrypt, 5.0, by Steve Gibson. Truecrypt is completely open source software. I’ve personally used it for years. This version of Truecrypt supports full system disk encryption and does this on the fly; there is no need to re-install your operating system. You can even decrypt the drive without re-installing or rebooting.

Categories: Encryption, Security