Is Your Cloud Computing Data Protected? Does You Use PIE?

The Recording Industry Association of America (RIAA) has filed legal action against Box.Net, a “cloud” service which allows users to share, manage and access business content online. What got the RIAA excited? They want to investigate some of Box.Net’s users who they believe is using the service to infringe on sound recordings.

One of the concerns today with cloud computing is what happens when the cloud computing company is served legal papers. They would need to turn over the files along with the cloud computing company’s encryption keys for the files making the data viewable.

I have been using cloud computing for a number of years however I don’t want my provider to turn over my data to a 3rd-party for them to read the files. I encrypt all of the files that I store in the cloud before it leaves my PC so only I know the key. If my cloud computing company is compelled to turn over my data, all they will get is unreadable noise. I give the same advice to clients.

Steve Gibson of the wonderful “Security Now” podcast was calling this process “pre-egression encryption” but the acronym needed some work. He now calls this: pre-Internet encryption “PIE” which is a better acronym.

Does the “Operation Aurora” Hack of Google and Other US Companies Change Cybersecurity?

I think that “Operation Aurora,” the hack in 2009 of Google and other companies apparently by the Chinese government is “seminal event” in the world of cybersec. The attackers apparently found their targets via social networks. They used e-mail with a URL. If the target went to the website using Internet Explorer 6 a zero-day vulnerability was used to plant a trojan. The trojan had a unique signature so it was not detected by anti-virus. The attackers were well organized. The message for me is a) if you have something of value, attackers will spend the time and effort to customize their attack, b) Google has some of the most sophisticated cybersec technology available but it was not able to spot a problem, and c) humans are the weakest link in the chain.

Here is a URL from a white paper on “advanced malware exposed” from FireEye which I hope has value for you. It has a good expose on Operation Aurora. http://i.techweb.com/audiencedevelopment/JPS/100/051911/AdvMalwareExposedbyFireEye.pdf

A Great Debate on the Limits of Privacy & Legislation to Restrict Data Use

In Vermont, unless a doctor consents, the state’s prescription confidentiality law now prohibits the distribution and use of prescriber-identifiable data for marketing purposes. This could change, depending on if the U.S. Supreme Court decides if this law is a violation of the First Amendment. Data-mining and pharmaceutical companies claim that the ban violates free speech rights.

http://www.informationweek.com/news/global-cio/interviews/229402274

Passwords May No Longer Be the Problem – Password Reset IS the Problem

Bad guys are looking for the weakest link. I worked at one of the world’s largest ISPs for many years. We continually told our customers to use strong, OK, stronger passwords than what they were using previously using. Many customers listened.

Unfortunately the bad guys moved to the weakest link, the “I forgot my password please reset it question.” What is your pets name? What is your favorite color? Favorite food? Where were you born? What a bonanza for bad guys! The subset of correct answers is small. Few people would answer that their favorite food is Brussels Sprouts. Dictionary attacks are trivial. Unlike a password which may contain a special character or a change in capitalization, password reset answers are almost guaranteed to be in a dictionary and likely a small one. Not only were the answers found in a dictionary if the attacker was a little smarter they could often find the answer online via Facebook, LinkedIn, My Space profiles, or using a search engine.

Additionally the password reset processes are often not setup to limit the number of attempt, IP addresses are not logged, and other security mechanisms normally used for passwords are not used for reset questions.

Suggestions:

a) If you are going to use the correct answer for your pet aardvark’s name then modify the capitalization, add punctuation, letters, etc.

b) Use a random set of characters like a password and write them down in a safe place. You can also use the notes section of Lastpass.

2011 Privacy Chutzpah Award? Using a webcam to spy on customers

The award goes to Aaron’s rental for allegedly renting PC’s and then using its webcam and keylogger to spy on customers. Couple finds out when employee shows up at their home with a webcam photo of them. They call the police. Law enforcement confirmed that the product permitted the company to routinely take webcam photos, screenshots, and log the keystrokes of its customers without their knowledge or consent. A class action lawsuit has now been filed.

Who at Aaron’s thought of this? What was the purpose? This just amazes me.


http://arstechnica.com/tech-policy/news/2011/05/lawsuit-computer-rental-store-aarons-spied-on-users-at-home.ars

Backups, The 3-2-1 Rule

When I work with clients I ensure that not only do they protect their data from bad guys but also from natural disaster, fire, theft, lightning, hard drive failure, etc. After Hurricane Katrina I spoke with some AOL customers who were having a difficult time getting access to their money since their paperwork was destroyed by the flood. Backups including off-site are key. Use the 3-2-1 rule.

At least 3 copies of every essential file
At least 2 different media
At least 1 copy stored in a different location

My essential files are copied to my Windows Home Server (one of Microsoft’s best products that few people know about), to a weekly backup of the Server which is stored on a fireproof, waterproof hard drive, and to both Amazon & Rackspace’s online backup using Jungle Disk (the best desktop backup product around). I use both hard drive and cloud drive media (I guess technically the files are all stored on hard drives). My files are also off-site with Amazon and Cloudspace.

Regularly test your backups to make sure you can read them. Being a cybersecurity/privacy pro my off-site files are all encrypted using AES-256 and I am the only one with the key (OK, a trusted person else also has the key).

My Favorite Firefox Security Add-On, NoScript

Security pro’s have been advising people to “stay away from dangerous websites.” I agree that pornography, game cheat codes, and file sharing sites are probably more dangerous than CNN but you can also get infected from a malicious advertisement appearing on CNN or any “legitimate” site. Turning off scripting, the most likely source of malware, is an important step.  It is simple to do.

https://addons.mozilla.org/en-US/firefox/addon/noscript/

Once you install NoScript, view this video which explains how to use it. http://www.youtube.com/watch?v=sAxZS5SKOyA