Strict enforcement of Information Assurance policies?

Nice article over at Network World.

How do we resolve the issue of acknowledging (to ourselves) that some of our information assurance (IA) policies cannot, or should not, be strictly enforced, while at the same time conveying to staff the importance of always following IA policies?

InfoSec Personnel Management

I found an article on Personnel Management and INFOSEC by M. E. Kabay which I like. It's basically a paper discussing managerial techniques for managing employees in an organization from an InfoSec perspective. I particularly like this analogy for how employees

What would you do if you discovered that an employee who used to occupy your current office still had the key? You would politely ask them to give it up. No one would question the reasonableness of such a request. However, when you remove access to the network server room from a system analyst who has no reason to enter that area, you may be treated to resentment, sulking and abuse. People learn about keys when they’re children; they don’t extend the principles to information security. People sometimes treat access controls as status symbols; why else would a CEO who has no technical training demand that his access code include the tape library and the wiring closet?

Unauthorized accesses of data

Officers run a background check on the president.

http://www.wsbtv.com/news/20218458/detail.html

SSH into a Windows computer

Here is an excellent description of how to turn a Windows computer into an SSH server using Cygwin.

Congratulations Dr. Janice

Janice Tsai successfully defended today. Congratulations!

Keys on Pidgin encryption and OTR

As a security and privacy conscious end user I have started encrypting my IM chats with Pidgin Encryption and Off-The-Record Messaging. Both plugins for Pidgin automatically create public/private key pairs which are used to encrypt my IM chats. Unfortunately, I also use many different computers to chat with my friends and by default each computer creates its own public/private key pair. I want my chats to always look like they are coming from me regardless of the computer I am on, so I looked up how to copy the private keys between computers.

In Ubuntu Linux all the relevant files were listed under the .gaim folder in my home directory. In Windows XP they were listed under the .purple folder in my Application Data folder. All you have to do is move the files listed below from the appropriate directory on the original computer to the same directory on whatever other computers you want to use the same public/private key.

On my computer the keys were located in:

Windows: C:\Documents and Settings\UserName\Application Data\.purple

Ubuntu Linux: ~/.gaim

(In some versions of Ubuntu ~/.purple)

OTR

  • otr.private_key
  • otr.fingerprints

Pidgin Encryption

  • id
  • id.priv
  • known_keys

The known_keys and otr.fingerprints files list the public keys of other people who you chat with. You don’t have to move these files if you don’t want to. The otr.private_key, id and id.priv files contain your private key and must be moved.
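The copy described above, as an added example that is not part of the original post: a small Python script that locates the Pidgin profile directory on the current platform (%APPDATA%\.purple on Windows, ~/.purple or the older ~/.gaim on Linux, as the post describes), copies the three private-key files (and optionally the two contact lists) to a destination such as removable media, sets each copy to owner-only permissions, and reports any private-key file whose permissions are loose. The `home` and `appdata` parameters of `profile_dir` are assumptions added for testing; the file names are the ones listed in the post.

```python
"""Export Pidgin Encryption / OTR key files so another machine uses the same identity."""
import os
import shutil
import stat
import sys
from pathlib import Path
from typing import List, Optional

# File names from the post.  The private-key files are the ones that must move;
# the contact lists (other people's public keys / fingerprints) are optional.
PRIVATE_KEY_FILES = ["otr.private_key", "id", "id.priv"]
CONTACT_FILES = ["otr.fingerprints", "known_keys"]


def profile_dir(platform: str = sys.platform,
                home: Optional[Path] = None,
                appdata: Optional[str] = None) -> Path:
    """Locate the Pidgin profile directory described in the post.

    Windows: %APPDATA%\\.purple (Application Data\\.purple on XP).
    Linux:   ~/.purple, falling back to ~/.gaim for older Ubuntu releases.
    `home` and `appdata` are assumed parameters for testing; by default the
    real home directory and the %APPDATA% environment variable are used."""
    home = home or Path.home()
    if platform.startswith("win"):
        base = Path(appdata or os.environ.get("APPDATA", str(home)))
        return base / ".purple"
    purple = home / ".purple"
    return purple if purple.is_dir() else home / ".gaim"


def key_files(include_contacts: bool = False) -> List[str]:
    """Names to copy: always the private keys, contact lists only on request."""
    return PRIVATE_KEY_FILES + (CONTACT_FILES if include_contacts else [])


def export_keys(src: Path, dst: Path, include_contacts: bool = False) -> List[str]:
    """Copy key files from profile `src` into `dst`, mark each copy owner-only
    (0600) and return the names copied.  Files that do not exist are skipped,
    because a profile may use only one of the two plugins."""
    dst.mkdir(parents=True, exist_ok=True)
    copied = []
    for name in key_files(include_contacts):
        source = src / name
        if not source.is_file():
            continue
        target = dst / name
        shutil.copyfile(source, target)
        # Private key material: remove group/other access on the copy.
        os.chmod(target, stat.S_IRUSR | stat.S_IWUSR)
        copied.append(name)
    return copied


def loose_permissions(profile: Path) -> List[str]:
    """Return private-key files in `profile` readable or writable by group/other.
    Worth running on the receiving machine after the copy (POSIX mode bits only)."""
    loose = []
    for name in PRIVATE_KEY_FILES:
        path = profile / name
        if path.is_file() and stat.S_IMODE(path.stat().st_mode) & 0o077:
            loose.append(name)
    return loose


if __name__ == "__main__":
    # Usage: python export_pidgin_keys.py /path/to/removable/media [--contacts]
    if len(sys.argv) < 2:
        sys.exit("usage: export_pidgin_keys.py DESTINATION [--contacts]")
    source_profile = profile_dir()
    names = export_keys(source_profile, Path(sys.argv[1]), "--contacts" in sys.argv)
    print("copied", names, "to", sys.argv[1])
    print("private-key files with loose permissions:", loose_permissions(source_profile))
```

On the receiving computer, drop the copied files into that machine's profile directory (found with the same `profile_dir` logic) while Pidgin is not running, then delete the copy from the removable media; the permission check is what tells you whether the private key ended up readable by other local accounts.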

NSA reading emails of private citizens

Raw Story has a story on NSA’s improper use of wiretapping technology. MSNBC interviewed a former security analyst who discussed how members of the NSA used their wiretapping abilities to read the email of private citizens. Risen reported that Bill Clinton’s emails had been read. He then clarified saying:

“It sounded like, from the former NSA analyst that we interviewed, that it was rare to access the emails of celebrities or famous people, but that it was fairly routine, according to him, for people to access the emails of girlfriends or wives or other people that they might know.”

At SOUPS this week

Repost from July 16th 2009

This week I'm at the Symposium on Usable Privacy and Security. SOUPS is a conference dedicated to making security and privacy applications usable by the general public. Others and I will be blogging the conference and I recommend those who are interested in making security and privacy more usable take a look at the current research going on.

City jobs require surrender of logins and passwords

As part of their job application process the city of Bozeman, Montana requires applicants to surrender login names and passwords to all social networking sites they are involved with. The list of sites includes Google, Yahoo, MySpace and Facebook. Supposedly this is so that the city can do a background check and determine that “the people that we hire have the highest moral character.” Read the article for full details but here is my favorite quote:

“You know, I can understand that concern. One thing that’s important for folks to understand about what we look for is none of the things that the federal constitution lists as protected things, we don’t use those. We’re not putting out this broad brush stroke of trying to find out all kinds of information about the person that we’re not able to use or shouldn’t use in the hiring process,” Sullivan said.

Update: Bozeman has decided to change their hiring practices and has apologized for the “honest mistake.”

Update: Looks like North Carolina does the same thing.

Analysis of security breaches

Interhack has a study of security breaches by industry and type. The authors categorized 925 security incidents using a taxonomy they developed. They then analyze the incidents by industry and type of incident. Two interesting points were that the Financial industry had the highest percentage of insider attacks and that incidents caused by insiders were more common than those caused by outsiders.

While the bulk of media attention on threats to private information is given to the activity of outside attackers, these breaches account for only approximately 22% of the instances in our data set. More significant is the number and type of breaches caused by people within an organization. Poor procedures, human errors by staff (Processing and Disposal), and the malicious activities of people on the inside of an organization account for greater than 35% of our observations.