Security

Ich hasse Facebook!

Monday, August 22nd, 2011

OK, I don’t really hate Facebook. Like most people my age, I waste countless hours of my life perusing other people’s updates, looking on, green with envy, at the exciting things everyone is purportedly doing and smiling about so earnestly.

It’s just that my German language skills are fairly poor, if not non-existent. I was simply trying to find something suitable to accompany a blog on the Facebook Like button being deemed illegal by a data protection official in Germany. I think I did alright.

If the story sounds fairly ridiculous, that’s because it is. The Like button, which can be found all over the web like some highly contagious blue and white rash, has been declared in violation of privacy laws in Germany. The reason? Thilo Weichert, a data protection official for the northern German state of Schleswig-Holstein, said it meant users were more at risk of being tracked if they used the button to show their appreciation, according to reports.

Does this not mean that any website using cookies is breaking the law in Germany? That’s what Weichert appears to be getting at. It seems fairly myopic to say Facebook is at fault here when countless other websites will be running cookies doing exactly the same thing.

Germany is known for having privacy laws as strong as Superman on steroids, but this is just silly. The irony, of course, is that Weichert wants people to stop using the Like button without asking them first. Whilst trying to protect civil liberties, he is also taking them away.

It makes me feel a tad queasy but Germany might want to follow the British model (I don’t say that too often): force companies to offer an opt-out option for cookies. It’s such a simple idea it feels like it should have been around since the dawn of the internet – like, erm, Facebook.

As for Zuckerberg and Co, they don’t think they’ve done anything wrong.

“We firmly reject any assertion that Facebook is not compliant with EU data protection standards. The Facebook Like button is such a popular feature because people have complete control over how their information is shared through it,” a spokesperson said. “For more than a year, the plugin has brought value to many businesses and individuals every day.”

Personally, I have qualms over whether users have complete control of their data on Facebook. Then again, how much control do any of us have over our information, wherever it resides? Very little, is the answer. It’s out of control, I tells ya!

Posted in: Security

Calculating the true cost of cybercrime

Tuesday, August 2nd, 2011

How much does cybercrime actually cost the enterprise? It’s an interesting question, and one that’s hard to answer accurately as there are so many variables from business to business. That hasn’t stopped HP from trying, though. With the publication of new research compiled in association with the Ponemon Institute, HP has revealed (shock horror and oh my giddy aunt etc) that business is suffering significant financial hardship at the hands of the hackers. Well duh! With knobs on…

Seriously though, predictable as the overall conclusion of the Second Annual Cost of Cyber Crime Study is in suggesting that the average enterprise is taking a bottom line hit courtesy of the bad guys (be that through reputational damage or breach recovery costs), the research itself has thrown up some interesting information. How about the natty little statistic that there are now 72 successful cyber-attacks each week (based on a four-week period of study), which works out to 1.4 per organisation polled, for example? The average annual cost to business was calculated at a truly whopping £3.6 million ($5.9 million), a rise of 56 percent on the figures from last year’s survey. The range covered to reach that median annualised figure was from £920,000 ($1.5 million) to £22.4 million ($36.5 million) per year per organisation.

Are you spending more and securing less?

Thursday, July 28th, 2011

Ask most people working in the enterprise IT security sphere what they would wish for and the majority will jump down your throat in a mad rush to call for a bigger budget. My elderly mother continues to warn about being careful what you wish for, and I’ve never quite really understood what she means. I doubt very much, to be honest, that she had IT security budgets in mind at any time during the last 80 years, but perhaps she should have done. New research would seem to confirm something that I have often thrown out there, and that is the simple fact that money is not the be all and end all of data security. There, I’ve said it. Sorry.

Posted in: Security

Schizophrenic security syndrome

Monday, July 18th, 2011

I’ve just been reading the latest Secunia global vulnerability half year report and, to be honest, it’s doing my head in. Not because it’s boring or predictable, but rather because it seems to indicate a global epidemic of schizophrenic security syndrome.

Here’s the thing: the report itself is based upon data extracted from a vulnerability intelligence database that has information on thousands of software products and their vendors, and which is well respected within the security community as an indicator of the state of software security when looking at the broadest global picture. Secunia’s ability to continuously track vulnerabilities across such a breadth of products puts it in a pretty unique position within the security reporting industry, which is why I tend to take their reports rather seriously, and why this one is leaving me with a huge headache this morning.

Wi-Fi cracking nutjob demonstrates why WEP is pants

Wednesday, July 13th, 2011

I’m starting to get fed up telling people that WEP is about as secure as my garden shed, the one with no lock on it as the door doesn’t close properly. I never got around to fixing the shed as it’s only used by cats and fairies (it’s a long story) and I really don’t care if anyone were to break into the thing. You should care about your Wi-Fi connections though, and although I appreciate there’s a difference between the consumer end of the market and the enterprise end, you might be surprised how small that difference often is.

Indeed, I know of many SMEs who simply do not take Wi-Fi security seriously enough and adopt a very consumerist approach to it. One small business owner I know recently introduced free ‘guest’ Wi-Fi for his customers as a way of saying thanks for their trade, but didn’t think of the damage one rogue user could do to that trade as a result. Think I’m being paranoid? Think again, matey boy, this is all too real a threat. IT Pro has been warning about the dangers of not taking Wi-Fi security seriously for ages. Especially when WEP can be cracked in seconds (yes, it doesn’t even take minutes any more) using tools that can be downloaded easily enough online and run on pretty much any decently specced PC these days. Take this example of just how easy, and just how dangerous, Wi-Fi can be without some serious security in between your network and the bad guys.

What do Google+ and Facebook have in common?

Monday, July 4th, 2011

Although many people are still having a bit of a giggle at Google trying, once more, to break into the social networking scene, the headline to this piece is not a joke. Yes, I know it’s quite funny to see exactly how Google+ will manage to steal people away from their preferred social networking territory, be that Facebook or Twitter. Hmmm, scrap that and replace with ‘be that Facebook’ to be more accurate. Google has tried before and failed miserably of course, and things are not getting any easier as Facebook continues to get bigger and bigger.

The problem is that once you get active on a social network it’s extremely difficult to move away, for what I would like to think are pretty obvious reasons. Reasons such as the simple fact that your entire online social graph is contained within the boundaries of that place. People invest a fair amount of time and energy building a social graph on Facebook (no, stop laughing at the back again, they really do). Why dump it into the bin of life and start again on Google+ is a question that many will be asking, not only in the media but in the potential user pool as well.

What do the experts really think about the cloud?

Wednesday, June 22nd, 2011

Ask a bunch of different ITSec experts if the cloud is a safe place to do business and you get a bunch of different answers. The truth is that there is just no overall consensus of opinion when it comes to data security in the cloud. Which is why I was interested to see that a panel of security experts had got together recently to discuss just this question in a round-robin debate held by hosting outfit UKFast. So what did they have to say?

Ian Moyse, an IT security expert with Webroot, thought that a number of media stories which seemed to suggest that recent data breaches and leaks were at least partly cloud related helped to blur the security issues surrounding cloud adoption. “In fact, in many of those cases, it wouldn’t make a difference if it was a cloud service provider or an on-premise system,” Moyse insisted, adding: “Issues arise in organisations without the right security processes, not just in those with a cloud-based infrastructure.” The notion of the cloud being wrongly accused of being at the root of high profile data breaches was also touched upon by UKFast’s IT Director, Neil Lathwood, who said hacking inadequate security at the perimeter, gaining access to login credentials through illegitimate means or intercepting traffic in transit were the most common causes of data breaches. “These issues exist whether you run your own data centre or you’re in the cloud,” Lathwood concluded.

Posted in: Security

Has Google accidentally created a new type of drive-by security exploit?

Monday, June 20th, 2011

Google is always creating new ways to search, but has it gone too far with the latest innovation? Some security experts are suggesting that might just be the case with Google Instant Pages.

Some Google innovations are subtle tweaks to behind-the-scenes algorithms, although the end results can be anything but subtle, as was the case with the recent ‘Panda’ revision which impacted upon search traffic for many innocent web outfits. Then there was the Google Instant innovation, which provided the first stab at predictive searching for Google, but not without some controversy. Having search results appear automagically as you enter your search terms is a great time saver, but once again it can impact negatively on providers of web services whose pages do not appear, as Google uses a keyword blacklist on Instant search which could effectively make your pages invisible to those users who come to rely upon the Instant way of doing search.

Microsoft shocks NO ONE with WebGL comments

Friday, June 17th, 2011

Not a day goes by at IT Pro when we don’t hear of a new security threat. Be it viral malware, botnets or even just idiots leaving unencrypted USB sticks, if it is an issue, we have seen it.

So, when Microsoft releases a statement on a new security threat, we want to take it seriously. It is just a shame this flaw has been known about for over a month…

WebGL is the 3D rendering standard used in both Chrome and Firefox and can be turned on in Apple’s Safari browser too. It turns out the technology has a flaw, allowing hackers low level access to graphics cards and a possible way in to grab at users’ data.

Obviously, it is of no surprise Microsoft is shouting about the flaw from the rooftops, with its browser being the only one missing from the affected list *cue round of applause for Internet Explorer*.

This type of “look how good we are because the other team messed up” marketing is something I have ranted about on this blog before, but this time I am really riled as the findings aren’t even new!

Our security expert, Tom Brewster, heard about the flaw at the beginning of May after research was conducted by Context Information Security, leading to the US Computer Emergency Readiness Team warning users to switch off WebGL in their browsers.

OK, I am all for making sure people are aware of security holes in their software and giving them ample opportunity to fix the problems and keep their data safe. But Microsoft, with its monthly – and often lengthy – patches, should perhaps think of the “people in glass houses” adage before bringing up old research to make their product look good.

There are plenty of good points about IE, go and brag about them. I am the target audience here as a loyal Firefox user so if you want to convince me to change, you will have to do better than pointing and laughing at the competition.

Watch out for the boy-in-the-browser

Tuesday, June 14th, 2011

It sounds like some sort of Michael Jackson parody, but is the boy-in-the-browser actually something you should be taking seriously? The answer is a resounding yes, with knobs on.

So what is a boy-in-the-browser attack when it’s at home? To answer that, you first have to get to grips with another question: what is a man-in-the-browser (MitB) attack? Well a MitB attack is actually just a Trojan, but one that infects a web browser client and effectively sits there covertly modifying transactional data. No surprise that MitB attacks are most commonly seen targeting online banking services.

The boy-in-the-browser (BitB) is, pretty obviously, very similar to the MitB, if a little less mature. It’s still a Trojan, it still targets the financial sector, but it does so in a slightly different way. The most obvious difference is the use of a third party proxy operated by the attacker, with web traffic requests first passing through this and being subject to modification before continuing on to the original destination. This leaves the cybercriminals at greater risk of being shut down if discovered, as all it takes is for that server to be knobbled, but because the BitB code is relatively simple it can be deployed with much less effort.
