I wonder what the number is for other industries

Ponemon Institute did a study of IT security in the energy industry. 75% admit to having suffered a data breach in the last 12 months. 71% of IT Security executives at global energy producers state that their executive management team does not understand or appreciate the value of IT Security.

Some would say this is criminal negligence. Perhaps not criminal, but clearly negligent. Meanwhile, in Massachusetts, failure to maintain good IT security practices, including plugging security holes that result in data breaches, now brings big fines. Is that really what it is going to take to get organizations to take IT security and privacy seriously?

Maybe we need a “Sarbanes-Oxley” for CIOs. That idea makes my skin crawl, but I do sometimes feel like you need to hit people over the head with a really big club before they take something seriously.

Posted in Computer and Internet | Comments Off on I wonder what the number is for other industries

I’m glad I’m running IE9

I’ve installed all three of the latest browsers and will try them side-by-side for a while.  Of course, the first thing one notices is that only IE9 has the Tracking Protection List feature.  I’m working on a blog post on that feature specifically, but all I can say is that unlike Firefox and Chrome this capability is built into IE9.  Yes, I can get add-ons for the other two to get similar protection.  But I do like it built in.  BTW, I’m using the EasyPrivacy TPL to eliminate (or at least reduce) tracking of my activities on the web.

I did get a phishing email today and decided to see how each browser handled the link it contained.  Firefox and Chrome let me go to the bogus link without warning (not a surprise that they behaved the same, since both use the same Google service for identifying phishing sites).  IE9’s SmartScreen filter blocks access to the site with a warning that it has been reported to Microsoft as a phishing site.  I reported the site to Google and will check back in a day or so to see if Chrome and Firefox are blocking it yet.

Posted in Computer and Internet, Microsoft, Privacy, Security | 2 Comments

Data Breach Update

Two new pieces of news:

1) Add Kroger (parent of King Soopers, City Markets, etc. supermarkets) to the list of companies whose customer email addresses were lost through the Epsilon breach.  Now aren’t you glad you registered your mail address for that frequent shopper card?

2) Sure enough, a phishing email purporting to be from Chase slipped through Hotmail’s filters this afternoon.  This one wasn’t customized with a name, so clearly wasn’t from someone who had the lost email addresses.  But it has been worded to make you think it was sent to warn you of the breach, and it provides a link for you to update your information.  It is badly enough worded that most people will realize it is a scam, but a few people will follow that link and give away their personal information.


Posted in Computer and Internet | Comments Off on Data Breach Update

Sadly, data breaches are all too common

After blogging about BP’s lost laptop this morning I was checking my mail and discovered a note from one of my financial institutions about a breach at bulk email sender Epsilon that impacts me.  Three of the largest credit card issuers in the U.S. (as well as TiVo) had their customers’ name/email address combinations stolen from Epsilon.  For someone like me (whose email address is readily discoverable already) I doubt this means much.  But for anyone who diligently keeps their email address out of the public eye to avoid SPAM, this breach likely means your email address will be sold to spammers and you can expect a major uptick in SPAM.  For example, my wife has two email addresses.  One is her serious address and the other is used in situations where commercial emails (unsolicited or solicited) would be common, or public forums where spammers might get their hands on the email address.  As a result her primary email address gets little spam while her secondary address is flooded.  Has the breach of Epsilon made her diligence all for nought?

A more serious complication may be the more effective crafting of Phishing attacks.  For example, when I get email claiming to be from Capital One saying that my account has been compromised and I need to click on some link to change my password I laugh at it.  I am not a Capital One customer and thus without even reading the mail message I know this is a Phishing attack (trying to get me to reveal my personal data thinking I was revealing it to Capital One).  But when I get the same mail claiming to be from a bank I do have an account at I need to read it very carefully to see if it is a Phishing email.  And then even if I think the mail is real I still don’t click on any links; I type the URL of my bank into the browser directly.  I assume the theft from Epsilon associates the name and email address with the financial institution that gave it to Epsilon, in which case the bad guys know what financial institution I have an account with.  This will let them target anyone whose data was lost with Phishing emails that look more like something their financial institution would actually send them.  For example, say your email address is xyzzyfoonly@hotmail.com and you have a Capital One credit card.  Not only will the bad guys know that they should flood you with email that looks like it comes from Capital One, they will know they can personalize the message with your name (e.g., “Dear Mr. Jones” rather than “Dear Customer”), making it less likely that your “spidey sense” will make you question the email’s validity.  If they keep tweaking and tuning that email they send you every day or week they’ll get it through both your email system’s phishing filters and your own sense of what is real and what is fake and get you to do what they want!

What can be done about all this? Obviously the technological defenses on all fronts need to continue to be beefed up.  And despite my revulsion to increased legal or regulatory interference I do wonder if the cost to a company of losing personal information is too low relative to the damage it causes.  Certainly making it unlawful to share my personal information with any party that I don’t explicitly agree to allow you to share it with would be one step.  Today it is all rather murkily described in multi-page privacy policies and difficult (i.e., get on the phone and be on perpetual hold) opt-out mechanisms, if it is even possible to opt out.  That may have to change.


Posted in Computer and Internet, Privacy, Security | Comments Off on Sadly, data breaches are all too common

BP loses a laptop containing (unencrypted) personal information

Sadly, a BP employee had personal information about claimants from the Deepwater Horizon spill on a laptop with neither the files nor the hard drive encrypted, and it was stolen (http://content.usatoday.com/communities/ondeadline/post/2011/03/bp-worker-loses-laptop-holding-data-for-13k-gulf-oil-spill-claimants/1?csp=34news). It isn’t clear whether BP has inadequate policies, inadequate execution, or rogue employee behavior.

Theft or loss of laptops, tablets, smartphones, and even desktop computers is inevitable. Failure to protect their contents is just incompetence. Of course, we need to get much more serious about doing so: http://wp.me/p15CUL-2a

Posted in Privacy, Security | Comments Off on BP loses a laptop containing (unencrypted) personal information

Consumers vs. Users

I have an incredible backlog of topics and just don’t know where to start.  So, I’ll start with something simple and quick.  In a recent article someone complained about Microsoft referring to “Consumers” rather than “Users”.  Yes, they were complaining that Microsoft called them a Consumer when they felt they were a User.  I find this complaint funny.

Microsoft, like many technology companies, has always struggled with terminology.  Yes these terms actually matter, but sometimes you have to live with suboptimal terminology.  In this case the problem with the term “user” is that EVERYONE is a user of something.  What term best describes a user who makes a purchase for personal use rather than for the use of, or on behalf of, an organization?  That person is called a consumer.  Microsoft didn’t invent that term.  It just tries to use it to differentiate between a user in the organizational context and a user in the personal context.

The problem comes in because the consumer user and organizational user can have dramatic amounts of overlap in the computing world.  Let’s face it, when I buy a toaster for my home there is no overlap with my use of a PC for an organizational employer.  But when I buy a smartphone with my own money and want to be able to read my organizational email, access my organizational calendar, share documents via my organization’s SharePoint, etc., then there is a lot of overlap.

But Microsoft does have a real problem.  When it builds products with the priority on an organization’s Information Workers, which is Microsoft’s traditional area of strength, those products tend not to be very good for pure consumers.  They don’t even tend to be good for crossover users.  That’s the trap Microsoft got into with Windows Mobile.  All of the energy went into adding features like better centralized device management, better enterprise security features, better integration with Office and various Microsoft enterprise server products, and making it easier to build ruggedized/specialized devices around Windows Mobile; doing things to improve Windows Mobile’s user interface and create great entertainment experiences kept getting put on the back burner.

So Microsoft goes and tries to create products that are ideal for the pure consumer, and in the process creates horrible gaps between its offerings.  For example, why does Microsoft have Exchange for organizational email and Hotmail for consumers?  And they aren’t just name changes or variants, they are different offerings with different feature sets and different user experiences.  Oh, I know why things started out that way, but after 13 years you’d think they would have unified the offering.  And to make things worse, sometimes they market the consumer offerings to small business.  As a recent example, ever notice the Windows Live “To the Cloud” ad that features the prospective CEO of a startup using it to collaborate with his co-founders as they try to get funding for their new venture?   Hotmail has also been offered to small businesses under the Office Live program, even though Exchange (and Exchange Online) is owned by the Office organization.  Wow, confusing.

Ok, confusing is too kind.  Outlook claims to work with the Windows Live Calendar yet I have problems using them together all the time.  Right now in fact I’m having a problem with Outlook being unable to sync some of my appointments, a problem I never have with Outlook and Exchange (for which Outlook was designed).  In fact, it has gotten so bad that I prefer to use the web interface for Windows Live Hotmail and Windows Live Calendar over Outlook.  So even when Microsoft tries to unify its offerings, it does a mediocre job.

Perhaps the most confusing place in Microsoft’s offerings is around Windows Phone 7.  Microsoft broke out of the trap it was in with Windows Mobile by aggressively moving all Enterprise-related work to lower priority when producing Windows Phone 7.  That worked, but it does leave WP7 way behind the BlackBerry in meeting Enterprise requirements.  And even behind the iPhone (which, for example, supports VPNs and local SQL databases, neither of which are available on WP7).  But they did create a good consumer product.  Hopefully the next major update will bring the crossover user fully into the fold.

It gets less confusing when you get to Microsoft’s Interactive Entertainment Business.  There Consumer means “consumer of entertainment”, and they compromise little for that crossover user.  The Xbox could have some very interesting applicability outside the gaming/entertainment realm, but no one is going to pursue that angle.  Zune happily blew up the Windows Media Player/Windows Media Center strategy of integrating the media experience into the overall Windows platform experience in favor of a more Apple-like pure consumer offering.  Kinect will probably break the mold, but only because Steve Ballmer seems to recognize that he has the lead in a technology that redefines all user experiences in the future.

The bottom line here is that when Microsoft says “consumer” they mean a product designed to be sold and serviced through retail channels, primarily to users purchasing the product for their own (or their family’s) rather than organizational use.  I have no problem with the terminology.  But it shouldn’t let Microsoft off the hook for addressing the real needs of users, and that includes consumers who are also organizational users.  And what I think neither Microsoft nor most of the analysts and press who follow them get is that it is Microsoft’s failure to delight the crossover audience that is at the core of its malaise.

Posted in Microsoft | Comments Off on Consumers vs. Users

Better article on apparent Iranian exploitation of DNS flaws

Fake SSL certificate problem is an example of DNS Flaws

Posted in Computer and Internet | Comments Off on Better article on apparent Iranian exploitation of DNS flaws

I didn’t have to wait long to prove my point (vis-à-vis getting serious about security)

An attack on Internet infrastructure has been tied to Iran.

http://news.cnet.com/8301-31921_3-20046588-281.html?tag=nl.e703


Posted in Computer and Internet | Comments Off on I didn’t have to wait long to prove my point (vis-à-vis getting serious about security)

When are we going to get serious about computer/network security (Part 2)?

Consider the first sentence of Internet Engineering Task Force (IETF) RFC 4272, published in 2006, and be afraid, be very afraid.  It reads “Border Gateway Protocol 4 (BGP-4), along with a host of other infrastructure protocols designed before the Internet environment became perilous, was originally designed with little consideration for protection of the information it carries.”  Or consider this statement from the February 2003 US Department of Homeland Security’s The National Strategy to Secure Cyberspace: “Of the many routing protocols in use within the Internet, the Border Gateway Protocol (BGP) is at greatest risk of being the target of attacks designed to disrupt or degrade service on a large scale.”  So in the 8 years since DHS highlighted the risks in BGP and called for it to be replaced by a secure version, how much progress has been made in addressing this problem?  Close to zero.  There has been a lot of talk, and in 2009 (6 years after the report) DHS finally started funding research into securing BGP.  But practical progress, zero.

BGP isn’t the only internet protocol that has security problems.  While few users have even heard of BGP, many have at least seen the initials DNS (for Domain Name System).  DNS is what takes internet names (e.g., www.mydomain.com) and translates them into addresses (e.g., 192.0.2.1) so you can actually access them.  Imagine if you typed www.mybank.com into your browser and instead of actually going to the web page for your bank you went to a phishing site that stole your bank account password?  All too easy if DNS is compromised.  The lack of security in DNS was recognized in 1990, but it took 20 years before the rollout of DNS Security Extensions (DNSSEC) started to gather steam.  It will be a few more years until DNS has been fully secured.

I could go on, but I think I’ve already made the point.  The Internet is a house of cards that could collapse any time.

So, what’s the problem here?  For one thing, the Internet was never supposed to be a mass market success.  If you go back to the early 90s the Internet was an academic environment and most technologists predicted that interconnected commercial utilities (e.g., AOL, or Microsoft’s original MSN) would become the mainstream network solutions.  Even many of those who believed in the Internet thought that a commercialized parallel to the academic network would emerge rather than having the existing academic network just opened up to the public.  (For full disclosure, in 1993 I expected that a parallel commercial Internet would appear, with utilities as islands within that network each offering a community experience that the typical end-user found more comfortable than just being thrust into the wilds of the network.)  So what really happened?  The “Academic Internet” was opened to the public and was adopted so quickly that it overwhelmed all alternative solutions.  The industry was forced to “go with the flow”, and that included living with a set of protocols that hadn’t been designed for the potential hostilities that having all the world’s communications and commerce travel over the network might attract.

So if the existing Internet protocols aren’t secure, and we’ve known that for quite some time, why don’t we fix them more quickly?  Quite simply, because we are more afraid of disrupting the Internet than we are of the security risks.  Just think about SPAM for a minute.  How frustrated are you when mail you really want to receive ends up in your Junk folder?  Now imagine that we fixed the SMTP protocol so that only fully authenticated mail was ever delivered to you.  That would eliminate a lot of SPAM, but at the same time there would be a period of perhaps years in which even more mail you really want would either not be delivered at all or would end up in your Junk folder.  That would happen because not every email server and client would (or could) upgrade at the same time.  So instead we have some extensions that make it easier for anti-SPAM filters to recognize valid email, but we haven’t made a real dent in SPAM.  Now take that another step.  Imagine a rollout of a secure BGP in which some ISPs were actually unable to connect to the Internet until they upgraded to “Secure BGP”.  We can’t just flip a giant switch and instantaneously get all the ISPs on these new protocols at the same time.  It can take years to roll them out.  To put this in a more concrete perspective, imagine a small ISP covering a Midwestern town in the US.  What if they didn’t have the money to buy new “Secure BGP” compatible routers or the manpower to perform the transition?  What happens when we declare January 1, 2012 “Secure BGP” flip-the-switch day?  They probably go out of business and leave that town with no Internet access at all.
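One of the extensions the paragraph alludes to is SPF (Sender Policy Framework), in which a domain publishes in DNS which IP addresses are allowed to send mail for it. The Python below is an added example, not code from the original post: it evaluates the core SPF mechanisms (ip4, include, all) against a constructed in-memory table that stands in for DNS TXT lookups, so it runs offline; the domains and addresses are documentation values. It shows the deployment problem the post describes: a filter can reject mail that fails a published policy, but for a domain that has published nothing the result is "none", which the filter cannot act on.

```python
"""SPF (RFC 7208) evaluation of a sender IP against a domain's published policy.
Added example; the DNS table below is constructed and stands in for live TXT lookups."""
import ipaddress

# Constructed stand-in for DNS TXT records (no network access).
FAKE_DNS_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all"],
    "mail.example.net": ["v=spf1 ip4:198.51.100.5 ~all"],
    "oldbank.example": ["some unrelated txt record"],   # has published no SPF policy
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def fetch_spf(domain, resolver=FAKE_DNS_TXT):
    """Return the domain's v=spf1 TXT record, or None if it has not published one."""
    for txt in resolver.get(domain, []):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def check_spf(sender_ip, domain, resolver=FAKE_DNS_TXT, depth=0):
    """Evaluate ip4, include and all mechanisms. Unmodelled mechanisms are skipped."""
    if depth > 10:                   # RFC 7208 caps DNS-querying terms; stop runaway includes
        return "permerror"
    record = fetch_spf(domain, resolver)
    if record is None:
        return "none"                # no policy published: nothing for a filter to enforce
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only if the referenced domain's own policy yields "pass"
            matched = check_spf(sender_ip, term[len("include:"):], resolver, depth + 1) == "pass"
        else:
            continue                 # a, mx, ptr, exists, redirect= are not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                 # no mechanism matched (RFC 7208 default)


def filter_verdict(sender_ip, mail_from_domain):
    """What an anti-spam filter can conclude from the SPF result alone."""
    result = check_spf(sender_ip, mail_from_domain)
    if result == "fail":
        return "reject"
    if result == "pass":
        return "accept-spf-verified"
    return "undecided"               # none/neutral/softfail: fall back to other signals


if __name__ == "__main__":
    for ip, dom in [("192.0.2.10", "example.com"), ("203.0.113.9", "example.com"),
                    ("203.0.113.9", "oldbank.example")]:
        print(ip, dom, check_spf(ip, dom), filter_verdict(ip, dom))
```

A spammer who registers a throwaway domain can publish a policy that makes their own servers "pass", so SPF authenticates the sending domain, not the goodwill of the sender; that is why the post is right that such extensions help filters but do not by themselves dent spam.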

There is another factor here.  While we know that these protocols aren’t secure, they haven’t actually been compromised.  We have had ISPs accidentally misconfigure routers in a way that the BGP weaknesses allowed to cause a major Internet outage.  But we haven’t had someone intentionally exploit BGP’s problems to misroute Internet traffic.  On the other hand, the reason that DNSSEC rollout is accelerating is that we have had security researchers actually demonstrate the ability to exploit flaws in DNS.
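How a single unauthenticated announcement captures traffic, whether by misconfiguration or on purpose, and what an origin check adds, as an added illustration that is not part of the original post. The script below models a tiny BGP-style routing table in Python: routes are accepted from anyone, and longest prefix match decides where packets go, so a more-specific prefix announced by a stranger wins over the legitimate route. It then checks each route against a list of route origin authorizations (ROAs), the mechanism RPKI origin validation (RFC 6811) uses, and drops the ones marked invalid. The ASNs, prefixes and ROA entries are constructed documentation values, not real Internet routes, and the RouteTable and ROA classes are this example's own, not any router's code.

```python
"""Prefix hijack through longest-prefix match, then RPKI-style origin validation.
Added example; the routing table, ASNs and ROAs are constructed, not real data."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple           # AS_PATH as received; the origin AS is the last element

    @property
    def origin_as(self):
        return self.as_path[-1]


class RouteTable:
    """A toy BGP RIB: announcements are accepted from anyone, with no authentication."""

    def __init__(self):
        self.routes = {}     # prefix -> Route

    def announce(self, prefix, as_path):
        net = ipaddress.ip_network(prefix)
        self.routes[net] = Route(net, tuple(as_path))

    def lookup(self, ip):
        """Forwarding decision: the most specific covering prefix wins."""
        addr = ipaddress.ip_address(ip)
        covering = [r for n, r in self.routes.items() if addr in n]
        if not covering:
            return None
        return max(covering, key=lambda r: r.prefix.prefixlen)


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: asn may originate prefix, up to max_length bits."""
    prefix: ipaddress.IPv4Network
    asn: int
    max_length: int


def validate_origin(route, roas):
    """RFC 6811 origin validation, simplified: valid / invalid / not-found."""
    covering = [roa for roa in roas if route.prefix.subnet_of(roa.prefix)]
    if not covering:
        return "not-found"   # no ROA covers this prefix; nothing to compare against
    for roa in covering:
        if roa.asn == route.origin_as and route.prefix.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"         # covered, but wrong origin AS or too specific


def drop_invalid(table, roas):
    """Return a copy of the table with ROA-invalid routes removed."""
    filtered = RouteTable()
    for route in table.routes.values():
        if validate_origin(route, roas) != "invalid":
            filtered.announce(str(route.prefix), route.as_path)
    return filtered


def demo():
    """Constructed scenario: AS64496 owns 198.51.100.0/24; AS64510 announces a /25."""
    rib = RouteTable()
    rib.announce("198.51.100.0/24", [64500, 64496])    # legitimate route via AS64500
    before = rib.lookup("198.51.100.10").origin_as      # 64496
    rib.announce("198.51.100.0/25", [64511, 64510])    # more-specific announcement
    after = rib.lookup("198.51.100.10").origin_as       # 64510: the /25 now wins
    roas = [ROA(ipaddress.ip_network("198.51.100.0/24"), 64496, 24)]
    status = {str(r.prefix): validate_origin(r, roas) for r in rib.routes.values()}
    restored = drop_invalid(rib, roas).lookup("198.51.100.10").origin_as  # 64496 again
    return {"before": before, "after": after, "status": status, "restored": restored}


if __name__ == "__main__":
    print(demo())
```

Note what the check does and does not buy: the ROA says which AS may originate the prefix and how specific it may be, so a stranger's /25 is rejected, but a forged AS_PATH that ends in the legitimate origin AS still validates. Protecting the path itself is the harder, still-unfinished part of "Secure BGP".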

So in the absence of actual disasters, and with a desire to avoid disrupting the Internet experience, the industry simply does nothing.  That is a little too harsh, but it is all too close to the truth.  We will wait until something bad happens, potentially very bad, before we get serious about fixing the Internet protocols.

What constitutes very bad?  Well of course we could have some “hackers” decide to exploit BGP’s weaknesses for commercial gain.  But I think a more likely scenario is a cyberwarfare one.  The weaknesses in BGP and the other Internet protocols are well-known.  I would think that every nation that has a cyberwarfare operation has figured out how they could disrupt these protocols in practice.  And they are just sitting on those techniques until they need them.  Yes, even a minor player like Libya might have the capability to disrupt or steal information transmitted over the Internet and could decide to do so in response to the UN-approved no-fly zone.  Nations like North Korea and Iran almost certainly have this capability.  It is sad that we’ll likely wait until one of them demonstrates it before we get serious about fixing the Internet protocols.

One doesn’t have to wait for an attack on Internet protocols to see how slow we are being in response to the Cyberwarfare threat.  DHS’ 2003 strategy also called for securing SCADA (supervisory control and data acquisition) systems.  The big news in 2010 was Stuxnet, a worm that targets these systems.  Most believe it was created by government entities specifically to target Iranian nuclear facilities.  I guess in this case many of us are happy that there were vulnerabilities that could be exploited.  But Iran uses generally available commercial equipment, which means that many other facilities in many industries around the world could be similarly attacked.  I wonder if suppliers and users of the systems targeted by Stuxnet, and similar systems from other suppliers, are rushing to secure them?  Keeping in mind that it is 8 years since DHS called for them to be secured, how many more years will it take for the vast majority of these systems to actually be secured?

The bottom line here is that we keep making the wrong cost/benefit tradeoff in security.  We tolerate bad security in the name of better user experience, lack of customer disruption, etc. until something really bad happens.  We need to swap our priorities and make preventing really bad things from happening more important than preserving the status quo.  There are tradeoffs to be made here for sure (e.g., UAC in Windows 7 vs UAC in Windows Vista), but the bottom line is having a secure system has to come first.  And we need to get our existing systems and protocols into a more secure state ASAP.

Posted in Computer and Internet, Security | 1 Comment

Of course there will never be another standalone “Zune” PMP

Although there are many other topics I have plans to blog about, I can’t resist responding to the noise in the system about Microsoft.  And there has been a lot of recent noise about the future of Zune.  First rumors start that there will never be a follow-on to the Zune HD and then Microsoft issues a sort-of but actually very ambiguous denial.  So let’s do a little analysis here and see what I think the real answer is. 

With Apple’s iPod Touch, essentially an iPhone without a phone, taking over the high-end of the Personal Media Player (PMP) space that Microsoft has been competing in with the Zune HD, the speculation has been that a Zune HD replacement would look a lot like Windows Phone 7 without the phone.  I agree that makes a lot of sense.  After all, Microsoft has a great user experience with WP7, a large developer community, a rapidly growing application marketplace, and of course the Zune app already running on it.   And I actually believe Microsoft is going to do exactly this, have a Zune HD successor that is essentially a phoneless WP7 device.  They just won’t call it a Zune.  And it will be far more than a PMP.

Microsoft has essentially three consumer brands, Windows, Xbox, and Zune.  “Windows” is the brand for general purpose platforms that are targeted at running just about any application.  There are sub-brands to indicate optimizations of the platform for specific environments, but keep in mind that “Windows = General Purpose Platform”.  Zune is Microsoft’s brand name for media experiences.  Xbox is Microsoft’s brand name for entertainment.  Now some will point out that Xbox is really the brand name for a gaming console, or perhaps for anything TV-centric (i.e., when Microsoft says 3 screens they generally mean to deliver the TV experiences via the Xbox).  But let’s dissect this a little further.

Despite being arguably the most successful gaming console, there is more watching of Netflix on Xbox than there is playing games.  Meanwhile the most unique and successful aspect of Windows Phone 7 is the Xbox Live gaming platform.  And Kinect, currently only available as a peripheral for the Xbox, has instantly become the iconic representative of the next generation of Natural User Interface (NUI).  Xbox can even play Zune media.  With Xbox Microsoft has a brand name that is well-recognized, well-regarded, and associated with innovation and the best in home entertainment.  As you think through where Xbox is and where it could be going there is a very visible gap.  Where is Microsoft’s portable gaming device?  And if they offer one, then how would it differ from the PSP and NDS?

So if you were Microsoft and you looked at your assets, your branding, and your competitive gaps what would you do?  I could go through the full argument (including that most iPod Touch owners seem to play games on them) but let’s cut to the chase.  Microsoft doesn’t need to create a “Zune Touch”, it needs to create an “Xbox Portable”.  And it has all the assets to do so.  At its simplest this could just be a phoneless WP7 device, or Microsoft could enhance things with Kinect-like capabilities and a higher-end processor and graphics.   Microsoft could build this device itself, or it could create a new WP7-style chassis definition and let anyone (Samsung, Dell, Nokia, HTC, etc.) make them.  In fact, one reason we might not have seen this device yet is that Microsoft is waiting on the so-called Mango release of WP7 to enable an “Xbox Portable Chassis” and perhaps other capabilities (e.g., native as opposed to just managed code apps, something game developers have been asking for).

Of course an XBox Portable would have a Zune client and play all the media (music, video) that WP7 can play.  So it would meet the needs for a Zune HD successor.  But whereas the Zune HD has no competitive advantage over the iPod, an XBox Portable would bring together everything needed to become the premier portable entertainment device.  Including the more respected XBox name.  Yes, names matter.  As a Zune the market will ignore it, as an XBox it could instantly be the top consumer product introduction of the year (whichever year they introduce it).  Even though it would be the identical product.

When you combine the fact that all Microsoft consumer products now offer the ability to consume media with the failure of the Zune PMPs to catch on it is unclear what the value of the Zune brand is.  It certainly is not something that makes sense to be a peer of Windows, XBox, or Office (Microsoft’s other big broad brand).  Zune is more of a service name than a top-level brand, and I think that’s what we’ll see the term relegated to.  It would be wise for Microsoft’s Interactive Entertainment Business (IEB) to adopt XBox as the top-level brand for all its direct consumer offerings.  And I predict they’ll do just that.

Posted in Computer and Internet, Home Entertainment, Microsoft, Mobile, Windows, Windows Phone | 2 Comments