Sunday, September 30, 2007

Canada's privacy commission investigated the TJX breach 

You may remember the TJX data breach: 45 million customers of TJ Maxx and related stores had their credit card numbers stolen.

Some Canadians were victimized at stores in Canada, and Canada has some real privacy laws. The government investigated.

Canada's privacy regulations expect that businesses will tell customers why they're accumulating personal information, collect only what they need, and get rid of it as soon as it's no longer needed.

The stores failed on all counts. Customer credit card numbers were kept longer than required by the bank contracts, allegedly for use in "troubleshooting" credit card processing. The Canadian government never got an explanation that satisfied them about why that was necessary, and the stores never told the customers that their credit card numbers would be kept for years.

The government report actually seemed more worried about another data breach, of customer driver's license numbers. The report points out that those are valuable to crooks and hard for the innocent to change. Here the stores had a good business reason to collect personal information, because they were asking for ID from people returning merchandise without a receipt. Seems logical at first.

But this is a good example of storing more information than is really needed. What TJX could have done, and what they did do after talking to the government, was store the result of scrambling the driver's license number in a way that can't be unscrambled. Then every time someone returns something without a receipt, the store can scramble the driver's license number again, check the records, and see whether the same person has returned an unusual amount of merchandise, all without storing the actual driver's license number.
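One way to build the scheme described above, as an added example rather than TJX's actual implementation: it assumes a keyed hash (HMAC-SHA-256) instead of a bare hash, because license numbers are short and structured enough to guess through an unkeyed hash. The key, the names `license_token` and `ReturnsLedger`, and the sample numbers are all constructed for illustration.

```python
import hashlib
import hmac
import re
from collections import defaultdict

# Assumption: a secret key kept outside the returns database (secrets manager,
# HSM). This value is constructed for the example only.
STORE_KEY = b"constructed-demo-key-not-for-production"

def normalize(license_no: str) -> str:
    """Canonicalize so 'd123 456 789' and 'D123-456-789' give the same token."""
    return re.sub(r"[^A-Z0-9]", "", license_no.upper())

def license_token(license_no: str, jurisdiction: str, key: bytes = STORE_KEY) -> str:
    """Keyed one-way token. Someone who steals only the database cannot test
    guesses against it without also obtaining the key."""
    msg = f"{jurisdiction.upper()}:{normalize(license_no)}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class ReturnsLedger:
    """Stores only tokens and counts, never the license number itself."""

    def __init__(self, limit: int = 3):
        self.limit = limit
        self.counts = defaultdict(int)

    def record_return(self, license_no: str, jurisdiction: str) -> bool:
        """Record a no-receipt return; True means the limit was exceeded."""
        token = license_token(license_no, jurisdiction)
        self.counts[token] += 1
        return self.counts[token] > self.limit

def demo():
    ledger = ReturnsLedger(limit=2)
    # Constructed inputs: one license typed three ways, plus a second customer.
    visits = [("D123-456-789", "ON"), ("d123 456 789", "on"),
              ("X999-000-111", "ON"), ("D123456789", "ON")]
    flags = [ledger.record_return(number, where) for number, where in visits]
    return flags, ledger

if __name__ == "__main__":
    flags, ledger = demo()
    print(flags)                 # third return on the same license is flagged
    print(list(ledger.counts))   # what the database would actually hold
```
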

The US could use some privacy laws like Canada's. Does anyone ever tell you how long they're keeping your personal information, or what they plan to do with it?


Thursday, September 27, 2007

Do you use AOL's own software for AIM? 

It reportedly has a problem that allows people to run software on your machine simply by sending you an IM, without you having to do something like click on a link or open a file.

This won't get fixed until next month.

This is a good time to experiment with one of the better IM programs, such as Pidgin, which work with other IM services too.

Full article about the AIM vulnerability


What should you do about the Google holes? 

In case you missed them, there were a couple of news stories recently about security problems in GMail.

Google's already fixed them, but of course there might be others.

If you want to protect yourself against tomorrow's problems, it's safest not to stay logged in to Google while doing other web surfing. Also run the NoScript Firefox extension, and stay out of bad neighborhoods.


Saturday, September 22, 2007

Closed-circuit cameras in public 

Many places, especially in the UK, are installing CCTV cameras to watch public places. Within a 200-yard radius of George Orwell's home, there are 32 cameras.

But, we are told, there are tradeoffs between safety and privacy.

Hogwash. CCTV cameras do not help solve crimes.

via Bruce Schneier


Trends in mobile phone security 

Security writer Gary McGraw has a fairly good article about security problems with cell phones.

He's most worried about destructive viruses, but today's trends are in the opposite direction. Viruses are a for-profit business these days and it's much more likely that a virus will leave your phone operational so it can dial premium-rate numbers controlled by the crooks.

The big mystery is why it hasn't happened yet. It's possible that phones smart enough to catch and spread a virus aren't common enough right now. That will change.


Friday, September 21, 2007

What to do about the PDF problem 

By now you must have heard that opening the wrong PDF file can compromise your computer.

The good news is that bad guys, as far as anyone knows, aren't taking advantage of this yet. And they don't have examples to work from to create a booby-trapped PDF, because the researcher who found the problem hasn't published how-to information pending a fix by Adobe.

There's no word on whether the bug affects other programs for reading PDFs. I use Foxit on my Windows machine.

Until Adobe releases a patch for the PDF reader, think twice about opening a PDF from a stranger and, since a PDF can be embedded in a web page, continue being careful what neighborhoods you visit on the web.


Sunday, September 16, 2007

Physical security: lighting: when less is more 

I was reading an article about astronomy and found some lessons for security. It turns out that many of the lighting changes that astronomers want in order to keep the sky dark actually improve security of the lighted areas.

What would you guess happened when the San Antonio public schools turned off much of their outdoor lighting? Vandalism dropped.

Here's the problem. Poorly thought out lighting causes glare and blinds the people who might otherwise see criminals. Meantime it illuminates the target for criminals and saves them from risking attention by using a flashlight.

Motion detector lights that stay off until someone moves in their field of view are good. People notice change and look when they turn on.

Fixtures with reflectors and shades that keep light from going off to the side are good.

Lights that flood an area that's not visible from the street only help the intruders.

Rutgers professor Marcus Felson's advice about lighting for crime prevention

International Dark-Sky Association


Saturday, September 15, 2007

An educational resource 

via the blog of my favorite security expert, Bruce Schneier:
Only mildly funny, but it makes some points better than I could.


Friday, September 14, 2007

Sometimes it's putting things together that's dangerous 

This time it's Firefox plus Quicktime, the media player. People are arguing now over whether to blame Quicktime or Firefox. That doesn't matter. What does matter is that something disguised as a media file can take over your computer.

It definitely happens on Windows; reports are mixed about whether it happens on Macs. Some reports say that it happens on Internet Explorer but that Microsoft's new security precautions contain it; other reports say that nothing happens.

What you need to do to protect yourself is to stay out of bad neighborhoods and run the NoScript Firefox extension, which protects against this and many other problems.

via the folks at Watchguard.

UPDATE 9/18:

The Firefox developers have made a change to Firefox that should prevent it from happening. When Firefox asks for permission to upgrade, say yes.


Tuesday, September 11, 2007

Is your cell phone really turned off? 

Have you ever had a paranoid mood where you stopped to think what a great bugging device your cell phone would make?

It has a microphone, it's always with you, it knows where you are if it's a recent model, and it's regularly talking to the base station in between calls so that people who call you get their calls sent to the right base station. If it's a new phone it may have a GPS chip so it knows your exact position.

Political dissidents in some countries worry about cell phones that are programmed to act as bugs even when they're supposedly switched off. These dissidents will ask visitors to pull the batteries out of their cell phones before any sensitive conversation.

That may sound paranoid, but it may also not be enough.

One experimenter found that he could pull the battery during a phone call and the phone would keep going for ten or fifteen seconds. That's with the power-hungry radio transmitter going. It could last much longer if all it were doing was recording audio.

Fortunately, unlike malicious software, this isn't something normal people need to worry about.


What is Tor, and why is it in the news? 

Tor stands for "The Onion Router", and it's software and servers for anonymous Internet use. For example, it's handy for bloggers in oppressive countries.

Imagine that you needed to send physical mail without anyone being able to tell where it came from or, if they watched you send it, where it was going. You might wrap the mail inside envelopes inside other envelopes, each addressed to some third party, with instructions to remail the inner envelopes. The first recipient would open the outermost envelope and follow the instructions on the next envelope in, which would go to someone who didn't know where the mail got started. The first recipient wouldn't know the final destination because it was inside the inner envelope.

That's how Tor works, except instead of physical mail it's network data, and instead of opaque envelopes it uses encryption. Delivering the data requires peeling off one layer after another, just like peeling an onion, so the process is called "onion routing".

It works, but it's not magic and you still have to think about security issues.

For example, you need to get the software from some place you can trust. The regular distribution is through the Electronic Frontier Foundation. There's malicious software going around that sends email urging you to use Tor and including a link to download it which actually takes you to a place that installs malicious software.

The other thing to remember is that "anonymous" doesn't mean "confidential". When Tor traffic reaches its destination, it's readable unless you've encrypted it yourself. The last link in the chain of relays can read all the traffic going through it. If you've somehow identified yourself, then your cover is blown. This actually happened recently: a Swedish security nerd set up a Tor relay configured to be the last link in the chain of relays and watched what was going through. The security researcher, Dan Egerstad, found some interesting things: "The e-mail messages seen by Egerstad included discussions of military and national-security issues between embassies and sensitive corporate e-mail messages, he said."
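The nested-envelope idea and the last-relay caveat from this post, as an added example that is not Tor's code or its real protocol: the relay names, keys, destination and message are constructed, and a toy SHAKE-256 keystream stands in for real encryption.

```python
import hashlib
import json
import os

def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHAKE-256 keystream XOR), unauthenticated and for
    # illustration only; it stands in for the real encryption Tor uses.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, next_hop: str, payload: bytes) -> bytes:
    """One envelope: next-hop address plus inner payload, readable by one relay."""
    nonce = os.urandom(16)
    body = json.dumps({"next": next_hop, "inner": payload.hex()}).encode()
    return nonce + _keystream_xor(key, nonce, body)

def peel(key: bytes, envelope: bytes):
    """What a relay does: remove its own layer and learn only the next hop."""
    nonce, body = envelope[:16], envelope[16:]
    layer = json.loads(_keystream_xor(key, nonce, body))
    return layer["next"], bytes.fromhex(layer["inner"])

def build_onion(message: bytes, destination: str, path) -> bytes:
    """path is [(relay_name, key), ...] from entry to exit; wrap innermost first."""
    hops = [name for name, _ in path[1:]] + [destination]
    onion = message
    for (_, key), next_hop in reversed(list(zip(path, hops))):
        onion = seal(key, next_hop, onion)
    return onion

def route(onion: bytes, path):
    """Pass the onion along the path; return each relay's view and what is delivered."""
    seen = []
    for name, key in path:
        next_hop, onion = peel(key, onion)
        seen.append((name, next_hop))
    return seen, onion  # after the exit relay's layer, only the original message is left

# Constructed relays, keys and an application message the user did NOT encrypt.
PATH = [("entry", b"k-entry"), ("middle", b"k-middle"), ("exit", b"k-exit")]
MSG = b"user=alice&password=hunter2"

if __name__ == "__main__":
    seen, delivered = route(build_onion(MSG, "mail.example", PATH), PATH)
    print(seen)       # each relay knows only where to send the packet next
    print(delivered)  # the exit relay handles this in the clear
```

The entry and middle relays only ever hold ciphertext, while the exit relay holds exactly what the user typed; encrypting the message end to end (HTTPS, encrypted mail) is what keeps it from the last relay.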

