2008 Norbert Wiener Award Given to Bruce Schneier

Posted in Security by Dragan Pleskonjic @ Jan 27, 2008

In 1987, Computer Professionals For Social Responsibility (CPSR) began a tradition of recognizing outstanding contributions to social responsibility in computing technology. The organization wanted to cite people who recognize the importance of a science-educated public and who take a broader view of the social issues of computing, sharing concerns that lead to action regarding the power, promise, and limitations of computer technology.

The award is named for Norbert Wiener (1894-1964), who, in addition to a long and active scientific career that brought the word “cybernetics” into the language and laid the foundation for many aspects of modern computing, was also a leader in assessing the social implications of that new and emerging technology.

CPSR’s 2008 Norbert Wiener Award was given to Bruce Schneier. Bruce publishes his insights on his web site, his blog, and in his current bestselling book “Beyond Fear: Thinking Sensibly about Security in an Uncertain World”. He is the author of the famous book Applied Cryptography and many other books.

Previous winners include Phil Zimmermann, Peter Neumann, Marc Rotenberg, Mitch Kapor, Douglas Engelbart, and more than a dozen other luminaries.


CfP ECRA Social Networks and Web 2.0

Posted in Books, Magazines and Journals, Internet Security, Security Research by Dragan Pleskonjic @ Jan 25, 2008

There is an interesting call for papers for a special issue of Elsevier’s Electronic Commerce Research and Applications on Social Networks and Web 2.0. You can submit your manuscripts online. Papers will be reviewed and published depending on the reviewers’ decisions.

It will cover many relevant topics related to this hot and fast-evolving area. I’m particularly interested in the privacy and protection issues of social networks and Web 2.0.

Important dates are:

  • Optional abstracts: April 15, 2008
  • Initial submission: June 15, 2008
  • First round reviews: August 15, 2008
  • Resubmission by: October 15, 2008
  • Final acceptance: December 15, 2008

Facebook Privacy Problems

Posted in Privacy by Dragan Pleskonjic @ Jan 20, 2008

Facebook Privacy

In a recent post on this blog, I described some of StumbleUpon’s privacy risks. BBC Technology News now has an article about a privacy problem related to Facebook, another social networking tool. Under the title “Facebook faces privacy questions”, it reports that Facebook is to be quizzed about its data protection policies by the Information Commissioner’s Office. It says:

The investigation follows a complaint by a user of the social network who was unable to fully delete their profile even after terminating their account.

Currently, personal information remains on Facebook’s servers even after a user deactivates an account.

Facebook has said it believes its policy is in “full compliance with UK data protection law”.

We will see how this will be resolved. In any case, social networking is showing its dark side because of the increasing number of security and privacy problems.


Validated FIPS 140-1 and FIPS 140-2 Cryptographic Modules

Posted in Operating Systems and Application Security by Dragan Pleskonjic @ Jan 19, 2008

See the list of validated FIPS 140-1 and FIPS 140-2 cryptographic modules. You’ll find there that the standard crypto providers such as DSSENH and RSAENH are now certified FIPS 140-2 on Windows Vista.


Linux Security Expert Joins Core Windows Security Team

Posted in Operating Systems and Application Security, Security by Dragan Pleskonjic @ Jan 18, 2008

It seems that Microsoft is going to attract Linux security experts to join and bring a different perspective to Windows security. Recently, Crispin Cowan, who is responsible for a number of very well respected Linux-based security technologies such as StackGuard, the Immunix Linux distro, SubDomain and AppArmor, joined the core Windows Security Team. Crispin will work on User Account Control (UAC) and integrity levels, an area he knows a great deal about. Microsoft expects he’ll bring a different perspective to the Windows team, based on his security knowledge, experience and skills. Crispin holds a Ph.D. from the University of Western Ontario, Canada.

You can visit Crispin’s web page to see more about his work.


StumbleUpon Privacy Risks

Posted in Internet Security, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Jan 8, 2008

Be careful, be very careful when you use social networking sites! Some social networking sites, and some sites that pretend to be social networking sites but are actually marketing profiling sites, may pose a huge privacy risk. I will talk here about the very popular StumbleUpon, which shouldn’t pose such a risk but actually does.

When you sign up for StumbleUpon, you have the possibility to email everyone on your mailing lists, including MSN/Hotmail, Yahoo Mail, Gmail, AOL, Facebook, Outlook, Outlook Express etc., and invite them to join your friends list. It is offered through a very simple user interface in the browser.

Stumble Upon Import Your Contacts

If you choose to use this possibility, you will need to provide your user name and password for MSN/Hotmail, Yahoo Mail or Gmail! Seems like a password scam, doesn’t it?

Even more, if you choose Outlook, i.e. tick the radio button next to the Outlook logo, it will immediately start downloading an add-on called StumbleUpon Contact Import. I hope that you have a proper security level set in your Internet Explorer; otherwise you will hand over the list of all your Outlook contacts with just one (even accidental) click.

Stumble Upon Contact Import Add-On

If you click on the above image, you’ll see a larger version and can read the message which says “Don’t worry, it’s safe :)”. The message ends with a smiley, yes… Funny! Reading the terms and privacy policy of StumbleUpon, you probably will not find many details about this. It looks like the usual benign privacy policy, without mentioning the high privacy risks you are exposed to by using this social networking site.

After I sent a question to support using the Web-based contact form, an automated response arrived, which I answered with an additional e-mail question stating the urgency of a response. There is no answer to these questions yet.

There are also other privacy risks of this social networking site, including a list of friends visible to everyone, visited (stumbled) Web sites, contacts, preferences, messages etc. StumbleUpon offers a toolbar which is considered spyware by some antispyware scanners.

There is also a post on Steve Riley’s blog that talks about FanBox. When you sign up for FanBox, they ask for your permission to email everyone in your address book (FanBox knows how to talk to most webmail systems).

My recommendation is to avoid clicking on anything suspicious, especially something that will talk to your mail clients, Web-based mail and the contacts there. Or, to put it more strongly: do not click on anything like this, ever!

There is also an earlier post on this blog, “The Privacy Risks of Social Networking Sites”.

Note: StumbleUpon sent many visitors to my blog and it seems that some stumblers like this blog; thanks to all of them. But I have to be honest: StumbleUpon poses a privacy risk.


Michael Howard from Microsoft Analyzes Recent Symantec and IBM Vulnerabilities

Posted in Software Security, Threats, Vulnerabilities, Attacks by Dragan Pleskonjic @ Jan 5, 2008

One of the main people behind the Microsoft SDL, Michael Howard, analyzes the recent Symantec and IBM vulnerabilities in his post on the MSDN SDL blog.

Michael says:

The vulnerabilities are not in Symantec code, yet Symantec customers are still open to attack. The issues lie in a small number of file parsers used in many applications created by a third party vendor. As you probably know, file parsing vulnerabilities are very common, and even though the number of such bugs has dropped significantly in Microsoft products, in the past we had many. Thankfully, the SDL’s fuzzing requirements have significantly helped reduce the number of parsing-related vulnerabilities in our products.

And also:

… the same bugs affect IBM’s Lotus Notes 7.0.2 and some other products too.

In summary, Michael says:

Bugs are interesting, you can learn a lot from your own bugs, but also from the bugs in other products. From an SDL perspective, there is nothing new about any of these vulnerabilities. It also appears that the DLLs are not compiled or linked with any other defenses. If I had my way they would be SDL compliant, and have as many defenses as possible as the parser code is an inch away from the Internet, and is used in a mission critical defensive position. What’s interesting to me is how many other products out there consume these giblets? Because those products have security bugs too!

Based on this, we can say that Michael’s SDL process is becoming a very powerful and usable instrument and a way to produce more secure software.
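Michael’s remark that the parser DLLs “are not compiled or linked with any other defenses” is something a defender can check for themselves. As an added example (not code from this blog or from Microsoft), the Python below reads the DllCharacteristics word from a PE file’s optional header and reports which linker-enabled defenses a DLL lacks; the flag table and the build_sample helper that fabricates a minimal header are constructed here for illustration, and compiler-level defenses such as /GS are not visible in these bits.

```python
"""Report linker-enabled defenses missing from a PE image (illustrative example)."""
import struct

# Bits of the optional header's DllCharacteristics field (PE/COFF specification).
DLL_FLAGS = {
    "DYNAMIC_BASE (ASLR)": 0x0040,
    "FORCE_INTEGRITY": 0x0080,
    "NX_COMPAT (DEP)": 0x0100,
    "NO_SEH": 0x0400,
    "GUARD_CF": 0x4000,
}


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics word of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # 20-byte COFF header
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                      # optional header start
    if size_opt < 72:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):                      # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    return struct.unpack_from("<H", data, opt + 70)[0]


def missing_defenses(data: bytes) -> list:
    """Names of DLL_FLAGS that are not set in the image."""
    flags = dll_characteristics(data)
    return [name for name, bit in DLL_FLAGS.items() if not flags & bit]


def build_sample(dll_chars: int) -> bytes:
    """Construct a minimal, non-loadable PE header for testing (made up here)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, 1 section, SizeOfOptionalHeader=96, Characteristics=DLL|executable|32-bit
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 96, 0x2102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<H", opt, 70, dll_chars)     # DllCharacteristics
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print("missing:", missing_defenses(build_sample(0x0140)))
```

On a real file, pass `open(path, "rb").read()` to `missing_defenses`; the sample header is only there so the check can be exercised offline.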
