Tuesday, May 31, 2005

House votes to outlaw spyware

From Reuters:

"Consumers have a right to know and have a right to decide who has access to their highly personal information that spyware can collect," said California Republican Rep. Mary Bono, who sponsored one of the bills.
The bills prohibit a number of practices often associated with spyware, such as reprograming the start page on a user's Web browser, logging keystrokes to capture passwords and other sensitive data, or launching pop-up ads that can't be closed without shutting down the computer.
The practice known as "phishing" -- in which scam artists pose as banks or other businesses in an attempt to trick consumers into divulging account information -- would also be outlawed."

Hard to enforce, but certainly a good first step. Spyware sucks up way too much of my day, and the security issues raised by phishing, which combines the two hardest-to-police vulnerabilities, users and the web, into one nasty little package, are an especial headache.

Wednesday, May 25, 2005

Seven Laws

Catchy title, what?

From IT Observer comes this well written and timely piece called The Seven Laws of Information Risk Management. Number 6 is a good example:

"6. Be afraid - it will happen to you. Expect the unexpected by assigning responsibilities before a privacy breach occurs. Information theft only happening to the "other guy" is just a myth and the chance is greater than 50 percent that it has already happened at your organization. Access to customer demand forecasts, financial records and patents is very valuable, not just to your trusted partners, but also to thieves and harvesters."

Wednesday, May 18, 2005

Wi-Fi Webcast

From ZDNet by way of Tech Republic comes this webcast---

"IT professionals who administer wireless networks often find that, in addition to securing their organizations' own Wi-Fi access points, they must also police rogue wireless hot spots that are brought in by employees or students. Such rogue hot spots can conflict with an organization's own wireless networks, causing headaches for administrators and putting those networks at even greater risk of incurring security breaches. "

Watch it, learn, and report back.

Monday, May 16, 2005

Wireless Security

I have been asked a lot recently about wireless networks, and how to secure them. On this subject there is good news and bad news. Sadly, sometimes it's the same news. So let's do some FAQs here, and see if I can clear up a few questions.
Q: Is a wi-fi network as secure as a wired network?
A: Nope. All of your traffic is broadcast via radio waves, which means that anyone with a wireless card can tune in. Using a laptop to troll for unsecured wireless networks is called wardriving. Ten minutes in the parking lot of any medium-sized medical office complex will provide a wardriver with a half-dozen networks just laid out for the asking.
Q: Can wi-fi be made more secure?
A: Yep. Jeff at HIPAA blog has some excellent suggestions here. Your basic security concern with any network, wireless or not, is to conform to what security experts call the CIA model--- Confidentiality, Integrity, and Accessibility. You want your information to be confidential, meaning that it stays off of the phosphor of the bad guys; to have integrity, meaning that the bad guys haven't changed it; and to be accessible to the folks who need it, but not to those who don't.
Q: Okay, then. Let's talk about confidentiality and how to achieve it.
A: To start with, encryption is your friend. It is possible to encrypt/decrypt your information without the user having to do anything--- we call this transparency. Use a protocol like WEP to keep the blackhats out. Make certain that the default names and passwords have been changed on your wireless router. And try to limit the range of your wireless broadcast to the offices you are in. Wardrivers love to be able to sit in a car in your parking lot, and crack your system at leisure.
Q: Integrity seems important.
A: It is! One of the favorite tricks of malicious users is to change stuff around, which is pretty funny unless it is your customer information, patient health records, or your website being changed. A strong password policy is the least you can do. Couple this with biometrics like fingerprint scanners or tokens like smartcards and you will be killing two birds with one implementation--- your personnel will have access and non-personnel won't.
Q: Fine. So how do I do all this?
A: Here is one of my favorite sources--- The Unofficial 802.11 Security Web Page. If this seems too much for you, consider hiring a consultant. Your network can be hardened by a pro in a surprisingly short time, and the cost of the hired gun is far less than you might think. Especially if someone gets into your system and changes your order forms so they point to something that would make your Marine Corps DI blush.
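The confidentiality and integrity answers above boil down to a short checklist for the access point itself: encryption turned on, default names and passwords changed, and the management side of the link protected. As an added example that is not part of the original post or of any of the sources it links, here is a small Python audit of a hostapd-style access point configuration that checks those points. The two configurations it reads are constructed for the example; the hostapd keys used (`wpa`, `rsn_pairwise`, `wpa_passphrase`, `wep_key0`, `ieee80211w`) are real hostapd settings, while the default-SSID list and the 12-character passphrase minimum are assumed local policy. Note that by present-day standards the checker treats WEP, which the FAQ mentions, as inadequate and expects WPA2 with CCMP instead.

```python
"""Audit a hostapd.conf for the basic wireless hygiene points in the FAQ:
encryption on and not WEP, factory-default SSID changed, a passphrase of
reasonable length, and 802.11w protected management frames enabled."""

# Assumed local policy: SSIDs that ship as factory defaults on common gear.
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless", "wlan"}
# Assumed local policy: hostapd itself only requires 8 characters.
MIN_PASSPHRASE_LEN = 12

# Constructed sample: the kind of setup a wardriver hopes to find.
WEAK_CONF = """\
interface=wlan0
ssid=linksys
wep_default_key=0
wep_key0=0123456789
"""

# Constructed sample: the same access point after hardening.
HARDENED_CONF = """\
interface=wlan0
ssid=clinic-staff-5g
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=correct-horse-battery-staple
ieee80211w=2
"""


def parse_hostapd(text):
    """Parse key=value lines of a hostapd.conf, ignoring blanks and comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []

    # Confidentiality: which cipher suite protects the air interface?
    # hostapd's 'wpa' is a bitfield: 1 = WPA (TKIP era), 2 = WPA2/RSN, 3 = both.
    try:
        wpa_bits = int(conf.get("wpa", "0"))
    except ValueError:
        wpa_bits = 0
    uses_wep = any(k.startswith("wep_key") for k in conf)

    if wpa_bits & 2:
        if "TKIP" in conf.get("rsn_pairwise", "").split():
            findings.append(("medium", "rsn_pairwise allows TKIP; restrict to CCMP"))
        if wpa_bits & 1:
            findings.append(("medium", "wpa=3 admits legacy WPA1 clients alongside WPA2"))
    elif wpa_bits & 1:
        findings.append(("high", "wpa=1 is WPA1 only; enable WPA2 (wpa=2) with CCMP"))
    elif uses_wep:
        findings.append(("high", "WEP keys configured; WEP is broken, use WPA2 instead"))
    else:
        findings.append(("critical", "no encryption configured: open network"))

    # Default names and credentials: the first thing to change on any router.
    ssid = conf.get("ssid", "")
    if ssid.lower() in DEFAULT_SSIDS:
        findings.append(("low", f"SSID '{ssid}' is a factory default"))
    passphrase = conf.get("wpa_passphrase")
    if passphrase is not None and len(passphrase) < MIN_PASSPHRASE_LEN:
        findings.append(("medium", f"wpa_passphrase shorter than {MIN_PASSPHRASE_LEN} characters"))

    # Integrity of management traffic: 802.11w (ieee80211w=2) signs
    # deauth/disassoc frames so outsiders cannot forge them.
    if wpa_bits & 2 and conf.get("ieee80211w", "0") != "2":
        findings.append(("medium", "ieee80211w != 2; management frames are unprotected"))

    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for severity, message in audit(parse_hostapd(text)) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run it against a real hostapd.conf by reading the file into `parse_hostapd`; the severity tags are only a suggested ordering for what to fix first, and the open-network case is listed as critical because it fails the confidentiality goal outright.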