Thursday, June 23, 2011

Can Enterprises Crowdsource Security Testing of their Websites?

The rate at which external websites are being hacked demonstrates the lack of an effective defensive mechanism in enterprises. Cyber laws were created to safeguard against script kiddies hacking into websites and defacing them. These laws scared away much of the early warning system that could have been in place. Hacking for fun is vastly different from hacking for profit.
Would enterprises paying fees to individuals who hacked their sites and privately disclosed the flaws be an effective option for finding web flaws? Or would it lead to anarchy and mayhem?
Such programs have been in use by product vendors, but not by enterprises.
The advantages:
1. High quality testing
2. Frequent testing
3. Will keep the security and IT teams on their toes
4. Reduce the motivation to hack for profit
5. Value for money, as payment will be outcome based
The disadvantages:
1. Affect site performance
2. Reduce the effectiveness of the cyber laws
3. Encourage script kiddies
4. May not be practical to implement
On the whole, I believe a crowdsourcing approach will be a net positive. It will motivate the good guys more than laws deter the bad guys.
I must add a disclaimer to this blog. These are thoughts and not a recommendation. The key lies in the practicality and legality of the method used for implementation.

Wednesday, June 22, 2011

Hackers are Easy to Train, Difficult to Motivate? As of today that is!

A 19-year-old man has been detained in the UK by Scotland, apparently in connection with the spate of cybercrimes against the US Senate, CITI and the CIA. It is commonly acknowledged that hackers are technically sophisticated individuals who do what they do because of self-motivation and a passion for technology. A 19-year-old became technically savvy with 4-5 years of experience. Training hackers to reach this level of excellence is not at all difficult if the individual is properly motivated.

The key goal is to frustrate the development of hackers by raising the bar on the technical excellence needed to crack into systems. This is a crucial requirement for a successful cloud-based interconnected world.

Unfortunately this is not the case, as recent incidents demonstrate that exploits were perpetrated through basic deficiencies in the security measures on Internet-facing systems. Most of these deficiencies are not due to a lack of security knowledge but to broken IT processes, gaps in security awareness and in acting on that awareness, people politics and simple administration errors.

In the future, if the bar is not raised, individuals currently engaged en masse in some countries in cyber frauds such as email scams may upskill to the next level of Internet crime: hacking for profit or for hire.

Saturday, June 18, 2011

The size of nozzles and security selling

Many times, I have met individuals or read articles which state that security sales are driven by instilling fear, uncertainty or doubt in the minds of customers as opposed to real value. There is always a sneaking suspicion that the security industry creates its own threat vectors to enhance sales. Selling security is similar to selling insurance for an earthquake: if it happens, your chances of severe damage are high. Sales are also driven by product firms which push products, whereas customers need control fulfillment and sometimes buy kit that they may not need. Irrespective of that, the stark reality is that security is underbudgeted in organisations and earthquakes are more frequent than before, particularly when we look back at the major reported breaches of the last six months.

I read an interesting tweet which pointed to an article saying that the "3000" mile limit or 3 months for an oil change was simply a marketing gimmick and perhaps not true. It brings in additional revenue for oil firms and service centers. In a similar light, I found the size of the nozzles on aftershave, toothpaste, sauce bottles and so forth to have the same shortcoming. Just like the exquisite tailoring of junk food to heighten taste, we as individuals simply believe that a squeeze gives us the right quantity.

Now, if security sold like sauce, many security officers would indeed be happy.

Friday, June 17, 2011

Entrapment for Theft

How many people would report a case where they were robbed of all the cash they had, their watches and jewelry when trying to meet a woman they had contacted for sex? Not many, until there was one. Two boys in Mumbai used to post ads and use social networking to lure such men. Once hooked, the “woman” instructed these men to meet the two boys, who drugged and robbed them.

In this particular case the entrapment was for theft and was a petty crime, but the more serious uses of this technique are for blackmail and espionage. Social networks, dating sites, emails and advertisements are methods used to solicit victims.

Wednesday, June 15, 2011

Eight Political Issues around Security and Privacy in Cyberspace

As cyberspace becomes a dominant form of global communications and trade, so does its political use. This is the first part of a multipart blog on the eight key political issues around Internet security and privacy.
Corporate and Military Espionage: Countries accuse each other of hacking to retrieve economic, military or political secrets. Most notable is the ongoing war between the US and China. China believes such accusations hurt its business interests, and America believes it is losing its investment in research.

Political Whistleblowing: Sites such as WikiLeaks created an international diplomatic furore by publishing US diplomatic cables that are used by the political establishments of many countries in face-offs between governments and the opposition. Disclosures on these sites also cover companies such as Swiss banks and their secrecy laws. Governments claim these cables violate national security, the media take them as truth, and companies have tried to claim the same privacy rights as individuals.

Social Networking and Privacy: By far the most popular issue among individuals, who have posted a large amount of personal data in cyberspace and whose privacy rights are constantly threatened by evolving technology, software defects and the default privacy settings of social networking sites. The current low-key launch of Facebook’s facial recognition feature evoked considerable flak, as it was rolled out without informing users to change their default settings for additional privacy.

Democracy, Westernization and Cultural Change: Social networking and Internet content transcend borders, bringing different opinions and ideas into conservative cultures. Some of these trigger people to create social unrest, topple governments and signal the winds of political change. Many governments react with censorship, policing and tough laws against online publications.

Governments and privacy: Governments seek to regulate cyberspace to monitor voice and data traffic. There is an ongoing debate on the extent of monitoring needed to ensure that an individual’s right to privacy is not trampled upon.

Military Uses of the Internet: A large number of countries are building Cyber Commands to prepare for the control of cyberspace. Stuxnet, malware that severely damaged the Iranian nuclear facility, demonstrated that governments are willing to use malware as weapons. Governments are also alleged to have teams of hackers who steal military secrets as well as selectively hack to monitor government email accounts and communication. The larger debate here is on the military rules of engagement in cyberspace.

Cybercrime: There are several global crime rings which operate out of many countries, specializing in non-violent cyber crime such as email scams and other frauds. Unfortunately, since the impact of these crimes is less than that of violent crime, drugs and gambling, and since it involves law enforcement agencies in different countries, it has not yet received much attention.

Piracy: Paid digital content such as music and videos is frequently exchanged online using file sharing sites. These exchanges violate the copyright agreements of content owners. Content owners have primarily focused their attention on prosecuting file sharing sites, and recently in some cases their users. As the value of content in cyberspace grows, legal activity will increase unless a technological way emerges to ensure the owners' rights over the content.

Sunday, June 5, 2011

Cry over Censorship is Simply an Attempt to Evade Regulation by large online businesses

India notified new security amendments to its IT Act on data privacy and regulation of online content. These amendments effectively state that websites shall inform users not to publish any material that is “blasphemous, would incite hatred, is ethnically objectionable, would infringe on patents, or threaten India’s unity or public order.” It also places liability on the intermediaries for content that falls into these non-permitted categories. Obviously this move has raised hackles and cries of censorship from providers, citing lack of control over what users publish and highlighting their efforts to filter or remove content that obviously violates certain principles based on reports from individuals or governments. These providers claim that such filtration would result in an economic slowdown, as Internet growth would be curtailed by what these providers consider a restriction of the freedom of expression, and they advocate a regulatory framework which helps protect internet platforms and people’s ability to access information.
While I agree with the premise that users who post the content should be liable, the core issue is that the very same intermediaries have allowed them to post content using unverified and anonymous identities, facilitating the use of their sites for objectionable activities. There is no intent to stop this practice. While self-regulation is a good practice, the only real deterrent will be the threat of prosecution, and this can happen only if the user is known and there is a uniform cyber law agreement between countries. Both are unlikely to happen in the near future.
A good regulatory framework would be one where users are liable when they can be identified and traced, and content hosts are liable where the user is unverified or they fail to take action on censorship requests. This has to be balanced with checks to ensure that regulation does not become censorship in the hands of the Government.
