The Problem with IT Security: Why We Are Losing the Battle

IT investment in security is incommensurate with the emerging threats. Most organizations continue to approach security as if the enemy is the former Soviet Union instead of Al Qaeda. During the cold war our defense posture relied heavily on nuclear deterrence, which meant building deadlier bombs and putting them on payload systems that could incinerate entire cities in a flash. On 9/11 it took only a handful of Islamic crazies to bypass our entire security apparatus, shaking our foundation and nearly bringing the entire country to its knees. 

In IT the highest spend continues to be in firewalls and anti-virus software. These are the equivalent of ICBMS swallowing up more and more of the security budget. Both are needed but they don't come close to addressing the new generation of risks. As Adam Muntner of QuietMove notes: "For most organizations -- even some Fortune 1000 companies we work with --- security spending is not even close to be being in line with the risks and threats they are trying to address."

The 5 Big Emerging Threats are:

1. Trusted Users and Partners. We are exposing more and more data to more and more "trusted" people without proper monitoring and authorization.
2. Web Application Vulnerabilities. According to a Gartner estimate 75 percent of current attacks take place through application vulnerabilities. Most organizations, particularly software developers, remain clueless about application security.  
3. Missing or Stolen Devices. Enterprise data is now ubiquitous in everything from unencrypted laptops to mobile phones.
4. Custom Malware. Signature-based anti-virus systems are completely ineffectual against custom malware. Traditional armies wear identifiable uniforms. Guerillas and terrorists don't.
5. Social Engineering. How many of our even "sophisticated" users fall prey to phishing attacks or share their passwords with strangers?

Most security organizations are fighting the old enemy and it's only a matter of time before our organizations experience our version of the Twin Towers.

Source: Baseline Magazine, June 2008. "Closing the IT Security Gap."

Managing Your Privacy Settings in Facebook

I have started to create a series of mini-tutorials on managing your privacy settings in Facebook. The first two are available now:

1. Tutorial 1: Facebook Privacy Settings
2. Tutorial 2: Facebook Privacy Settings

One of the best ways to protect your identity information and intellectual property in Facebook is to take personal responsibility for managing your privacy settings. No matter how Facebook comes out ultimately in terms of stating formally its Terms of Service, if you lock your privacy settings properly there will be a strong presumption that your information will be shared and used by Facebook consistent with your wishes.  Zuckerberg has said publically that: "In reality, we wouldn't share your information in a way you wouldn't want." The only mechanism to express what you want is to use Facebook's privacy settings.

Facebook's New Terms of Service Has Twitter World Buzzing

Monday morning Twitter World awoke to the news (first reported by the Consumerist) that Facebook had quietly changed its Terms of Service (TOS). I was not aware of the old TOS, which in itself was insidious. It gave Facebook an irrevocable and perpetual license to use and sub-license your content and identity information. The new TOS goes further by claiming that it has license rights over your identity information and intellectual property in FB even after you delete your Facebook account and stop using their services.

Is there a way to protect yourself? There might be. 

I am not a lawyer but there is a clause in the new TOS which seems to restrict FB's ability to exercise the license based on your "privacy settings".

You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings (emphasis mine) or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof.

Whether this clause or any other clause protects your intellectual property and identity information from invasion against FB, it's in your best interest to lock down all your information by making it explicit to FB that your information is to be shared only with your Friends. If it ever comes down to a legal case, then at least you will have some basis for arguing that FB's privacy settings created the presumption that your content would only be available to your friends and no one else.

Take a careful look at Sophos' recommended privacy settings for Facebook and take to heart their warning that "ID fraudsters target Facebook and other social networking sites to harvest information about you."  Sophos' recommendations are a good start, but the privacy settings have several loopholes that users need to be aware of. I will post how to close some of those loopholes by tomorrow.

Protecting Your Privacy in Facebook

I thought I would begin to summarize some of the lessons I have learned after my Facebook account was hijacked last week. 

A couple of quick tips related to password security that I recommend to all Frequent Facebook Fliers (FFF). Start doing this immediately:

1. Change Your Password Frequently.  If you have not changed your password recently, go to Accounts and then Account Settings in Facebook to change your password.
2. Use a Strong Password. The name of your cat or dog is not a strong password. I recommend reading the article: Strong Passwords: How to Create and Use Them.  Use a Password Checker to verify the strength of your password. (Note: don't try your actual passwords against these password checker sites because most of them accept passwords in the clear. This means your passwords might be intercepted even as you are checking the password! Experiment with password checkers to see what kinds of passwords are the strongest.)
3. Use a Password That's Unique to Facebook. If you are a Frequent Facebook Flier (FFF), then try to develop and use a password that's unique to the Facebook site. I know we  want to limit the number of passwords we need to remember and keep track of, but this is a way of spreading your risk if either your Facebook account or another account is compromised.
4. Don't Use the Default Facebook Login Page. Facebook's default login page (http://facebook.com) is insecure and can be easily spoofed. Instead, set your bookmark to (http://login.facebook.com). In general, whenever you are transmitting passwords or sensitive information such as credit card numbers of social security numbers, don't trust the website unless you see a secure padlock and the name of the web site published at the bottom right hand of your browser. (Note: There is a subtlety here. The padlock and name of the website should not be in the web page but in the browser border. I will illustrate the difference with some visuals later.) In the meantime, make sure that you always use http://login.facebook.com to login to Facebook. Facebook should be condemned for not taking care of this easy fix. It's just plain inexcusable that users have to resort to a workaround.

More lessons learned in future posts.

Facebook Violates It's Own Privacy Policy?

Correction: As I looked further into the code for the Facebook login page it appears that the post method does in fact route to https. I was incorrect. Nonetheless, I would still like FB to investigate how my account was compromised. I need to be convinced that there are not other vulnerabilities in how the application handles authentication (e.g. iphone client).

Trust is the currency of social networking sites: we expect that our private data will be protected and that at the very least site owners will observe basic security practices. In the case of a large and rich company such as Facebook we expect more. So how can a company with a multi-Billion dollar valuation get away with shoddy security practices and, on top of that, violate it's own privacy policies?

Let's take a look at Facebook's published privacy policy under the security section (http://facebook.com/policy.php). The company asserts that "sensitive information" such as "passwords" are encrypted.

Facebook does not encrypt  passwords during login as it claims. How do we know? Compare two web sites (gmail,typepad) that do encrypt passwords during login:

Notice the tell tale sign of an encrypted login session: a) the URL says https:// and b) the bottom right hand of the browser shows a padlock. Now compare that with the facebook login page. No https:// and no padlock. It appears, therefore, that the default login page for facebook does not encrypt passwords, which is a violation of its privacy policy.

Note: Some sites take you by redirection to an https:// page. I don't see that occurring with Facebook. FB does have an https:// page but you can get there only by knowing the URL, which is http://login.facebook.com. If you type in the login.facebook.com you will be redirected to https://login.facebook.com.  You will also end up at the https:// page if you type in an incorrect password at the default login page.

I am mystified why Facebook continues to transmit passwords in clear text (i.e. unencrypted) when the fix is so easy. I am not a security expert and if there are any inaccuracies in my posting, I will correct them if someone can point them out to me.