News and Commentary :: by WadeW and You (08/28/2009)
Friday, August 28th, 2009
I’m starting a new feature on the blog this week: “News and Commentary :: by WadeW and You”. Yes, it’s another news of the week post, but I wanted to make it something more than a collection of articles that I enjoyed or found interesting. So I decided that I would take each of the news items and provide my commentary on the article or topic in question. I’ve also made a couple of upgrades to the blog, including adding DISQUS as the comment platform in hopes that YOU will also provide your commentary/insight/throw Shmoo balls/etc. and voice your opinion. So here’s to a new venture that will hopefully spur some great conversations.
http://ha.ckers.org/blog/20090824/google-safe-browsing-and-chrome-privacy-leak/
One thing that Robert doesn’t really touch on is the ethical responsibility of product and software companies. While I concede that a machine ID and a user ID aren’t much in the grand scheme of things, it’s yet another data element that Google has tied to our identities. Since I’m an avid Google Reader user, I decided to take a peek at the ever expanding social functionality in the app to connect with a few contacts. Google kept telling me I should customize my profile, so I did. In the portion where you provide your favorite URLs, there was a list of my accounts on various other sites (Twitter, Facebook, LinkedIn, Tumblr, etc.). I was a little surprised to see all that information listed right there, even though I’ve searched for my name numerous times before and have seen them returned in results. Still, I can’t help but wonder why they need to track that information. And more importantly, at what point is aggregating that much public information a privacy issue? Think about it: Google AdSense is on the vast majority of webpages.
http://www.cio.com/article/499829/8_Dirty_Secrets_of_the_IT_Security_Industry
Dirty little secrets? Not so much, mostly just common sense. Companies that spend money on compliance tools end up sending out mass notices to their customers to inform them that their financial information has been stolen – soon enough, that knowledge will be as common as needing a network firewall. I’m not insinuating that compliance with industry guidelines and compliance tools don’t have their place in the picture, but they need to be part of a comprehensive, planned, and human operated solution, not just a hodgepodge of red/yellow/green status lights and checkboxes. The same money that is spent on all the ‘fix it fast’ and ‘compliance me’ (TM) solutions that really give you nothing except avoiding a fine can be re-invested into security staff that can plan and execute true solutions that will not only help you avoid fines, but will also give you true enterprise security.
http://danielmiessler.com/blog/from-password-reset-mechanisms-to-openid-a-brief-discussion-of-online-password-security / http://danielmiessler.com/blog/password-reset-mechanisms-the-online-security-threat-nobodys-talking-about
I’m really glad this topic is getting some press. I wrote about ASQs a few months ago and have since been noticing some changes in the options available for password reset functionality. Google allows you to select between secondary email reset, SMS, and ASQ. Additionally, there’s a 24-hour waiting period after the email notification is sent out to the secondary email address before you can leverage the other 2 methods. Very nice. MyOpenID (my OpenID provider) offers password, certificate based authentication, and telephone based authentication – pretty awesome options! Alas, the recover password functionality simply sends an email with an 11 character value that you click to recover your account. Not too happy about that. There you have it: Google has given some serious thought to security in password recovery; MyOpenID, not so much.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1366077,00.html#
Paper – http://conferences.sigcomm.org/sigcomm/2009/workshops/wosn/papers/p7.pdf
I applaud this kind of research. I think it’s critical that those of us who understand the importance of unique identifiers, data aggregation, cookies, URLs, and data privacy keep an eye on the kind of data these sites are forcing our browsers to transmit without our knowledge. That being said, hopefully the majority of you are using AdBlock, RequestPolicy, NoScript and have your browser destroying cookies periodically. I will say that my curiosity got the best of me, and I spent some time running around the social networks with my local web proxy recording traffic and subsequently analyzing a lot of HTTP headers. Yes, there are unique identifiers, yes there are referrers, but at no point did I see any of the beacons even being provided any sort of PII. Do certain applications put PII in URLs? Sure, but I’m a little skeptical about just how much PII could be harvested. Nonetheless, good study.
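One way to do the kind of proxy-log review described above, as an added example that is not code from the original post or the paper: a small Python checker that runs over constructed proxy records (the hosts and values are made up) and reports which third-party hosts received an account identifier or an e-mail address through the request URL or the Referer header.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample of what a local proxy would record:
# (request URL, Referer header). Hosts and values are made up.
SAMPLE_REQUESTS = [
    ("http://beacon.example-ads.test/pixel.gif?sid=9f3a2c",
     "http://social.example.test/profile?uid=48213"),
    ("http://social.example.test/feed?page=2", ""),
    ("http://beacon.example-ads.test/pixel.gif?sid=9f3a2c",
     "http://social.example.test/settings?email=alice%40example.test"),
    ("http://analytics.example.test/collect?r=1",
     "http://social.example.test/feed?page=2"),
]
FIRST_PARTY = "social.example.test"   # the site the user is actually visiting
# Query parameter names that commonly carry account or session identifiers
ID_PARAMS = {"uid", "user", "userid", "sid", "id"}
EMAIL_RE = re.compile(r"[^@\s/]+@[^@\s/]+\.[a-z]{2,}", re.I)

def classify(request_url, referer):
    """Return (host, where, what) findings for one request to a third party."""
    host = urlsplit(request_url).hostname or ""
    if host == FIRST_PARTY:
        return []   # same-site request; nothing is disclosed to a third party
    findings = []
    for where, url in (("url", request_url), ("referer", referer)):
        if not url:
            continue
        params = parse_qs(urlsplit(url).query)
        ids = sorted(set(params) & ID_PARAMS)
        if ids:
            findings.append((host, where, "identifier:" + ",".join(ids)))
        # parse_qs decodes %40 to @, so a percent-encoded address is still caught
        if any(EMAIL_RE.search(v) for vals in params.values() for v in vals):
            findings.append((host, where, "pii:email"))
    return findings

def audit(requests):
    """Run classify() over every recorded request and collect the findings."""
    out = []
    for url, ref in requests:
        out.extend(classify(url, ref))
    return out

if __name__ == "__main__":
    for host, where, what in audit(SAMPLE_REQUESTS):
        print(f"{host}: {what} leaked via {where}")
```

Identifiers embedded in the path rather than the query string (a vanity profile URL, for instance) are not caught by this check and would need a path pattern of their own.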
http://www.briansolis.com/2009/08/why-authenticity-matters/
This is a very interesting post, especially for those of us in the security community that are largely known by our screen name of choice. When I started blogging and joining the various social networks, I was compelled to use my own name…or the wadew variation – Woolwine is sometimes a lot for people to consume. I was determined for folks who read and follow my work online to be able to make the immediate connection should they ever meet me in person. But back to the article at hand: how do YOU know that I’m really Wade Woolwine? Honestly, you don’t. Even though I’ve executed on most of the items in the list (at least the personal blogging part) and have ClaimID, domain registrar, and OpenID, you still “trust” that I’m not John Smith who renamed himself Wade Woolwine to appear at the top of Google search results.
http://www.thetechherald.com/article.php/200935/4323/Criminals-sending-malicious-CDs-to-credit-unions
Social engineering is a required pillar in a number of different attacks. From XSS to SQLi, malware proliferation to CSRF all of these attacks (often) require that the attacker trick the user into visiting a URL crafted for disaster. So what are we (security professionals) doing about it? Security awareness training of course! But ask anyone around your company to give you 3 words to describe that training and you’ll likely hear terms like “boring”, “mandatory”, “pointless”, “waste of time”. How do we change this? How do we become more effective at socializing basic security practices like not clicking on random links without investigating them?

In this time of shrinking budgets, reduced staff, and other various financial constraints, security departments worldwide are looking for ways to justify the expense of a well-rounded application security program.