Tag Archive for Privacy

Snoops Offer Security Tips

In one of the more ironic, notice I did not say tragic, turns in the post-Snowden era, the National Security Agency (NSA) has published a report with advice for companies on how to deal with malware attacks. FierceITSecurity says the report (PDF) boils down to “prevent, detect and contain.” To be more specific, the report recommends that IT security pros:

  • Segregate networks so that an attacker who breaches one section is blocked from accessing more sensitive areas of the network;
  • Protect and restrict administrative privileges, in particular high-level administrator accounts, so that the attacker cannot get control over the entire network;
  • Deploy, configure, and monitor application whitelisting to prevent malware from executing;
  • Restrict workstation-to-workstation communication to reduce the attack surface for attackers;
  • Deploy strong network boundary defenses such as perimeter and application firewalls, forward proxies, sandboxing and dynamic analysis filters (PDF) to catch the malware before it breaches the network;
  • Maintain and monitor centralized host and network logging products, after ensuring that logging is enabled on all devices and their logs are collected, so that malicious activity can be detected and contained as soon as possible;
  • Implement pass-the-hash mitigation to cut credential theft and reuse;
  • Deploy Microsoft (MSFT) Enhanced Mitigation Experience Toolkit (EMET) on Windows hosts, or other anti-exploitation capabilities for devices running non-Windows operating systems;
  • Employ anti-virus file reputation services (PDF) to catch known malware sooner than normal anti-virus software;
  • Implement host intrusion prevention systems (HIPS) to detect and prevent attack behaviors; and
  • Update and patch software in a timely manner so known vulnerabilities cannot be exploited.
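The list above names the controls; it does not show what the “detect” half looks like once the centralized logging it calls for is in place. The script below is an added example, not code from the post or from the NSA report. It triages Windows Security event 4624 (successful logon) records for two of the behaviours the list says to restrict: network logons from one workstation to another, and privileged accounts authenticating over NTLM, which is the pattern pass-the-hash mitigation is meant to eliminate. The host names, account names, the workstation subnet and the sample events are constructed for the demo; the field names (Computer, LogonType, TargetUserName, AuthenticationPackageName, IpAddress) are the real 4624 fields as a collector typically exports them.

```python
"""Triage Windows Security event 4624 records for workstation-to-workstation
network logons and privileged NTLM logons.

Added example, not part of the original post or the NSA report. Host names,
account names, the workstation subnet and the events below are constructed.
"""
import ipaddress

# Assumptions for this demo: workstations are named WS-*, live in 10.1.5.0/24,
# and two accounts are treated as privileged. In production derive these from
# the asset inventory / directory rather than a name prefix.
WORKSTATION_PREFIX = "WS-"
WORKSTATION_NET = ipaddress.ip_network("10.1.5.0/24")
PRIVILEGED_ACCOUNTS = {"da-admin", "helpdesk-admin"}

# Constructed 4624 records as a log collector might deliver them (subset of
# fields). LogonType 3 = network logon, 2 = interactive console logon.
# IpAddress is "-" when Windows has no source address to report.
SAMPLE_EVENTS = [
    # interactive console logon on a workstation: ignored (not a network logon)
    {"Computer": "WS-101", "LogonType": 2, "TargetUserName": "jdoe",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "-"},
    # workstation reaching a file server over Kerberos: expected traffic
    {"Computer": "FS-01", "LogonType": 3, "TargetUserName": "jdoe",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.1.5.20"},
    # one workstation logging on to another with a normal account
    {"Computer": "WS-107", "LogonType": 3, "TargetUserName": "jdoe",
     "AuthenticationPackageName": "Kerberos", "IpAddress": "10.1.5.20"},
    # workstation-to-workstation NTLM network logon with a domain admin account
    {"Computer": "WS-107", "LogonType": 3, "TargetUserName": "da-admin",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.1.5.33"},
    # admin NTLM logon to a server from a management subnet: flagged for NTLM only
    {"Computer": "FS-01", "LogonType": 3, "TargetUserName": "da-admin",
     "AuthenticationPackageName": "NTLM", "IpAddress": "10.9.0.5"},
    # loopback source: not lateral movement, skipped by the subnet check
    {"Computer": "WS-101", "LogonType": 3, "TargetUserName": "svc-backup",
     "AuthenticationPackageName": "NTLM", "IpAddress": "::1"},
]


def source_in_workstation_net(ip_text):
    """True when IpAddress parses and falls inside the workstation subnet.
    Tolerates the '-' and loopback values that real 4624 events carry."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    if ip.is_loopback:
        return False
    return ip in WORKSTATION_NET


def is_workstation(computer):
    return computer.upper().startswith(WORKSTATION_PREFIX)


def triage(events):
    """Return one (rule, computer, account, source_ip) tuple per match."""
    findings = []
    for ev in events:
        if ev.get("LogonType") != 3:          # only network logons matter here
            continue
        computer = ev.get("Computer", "")
        account = ev.get("TargetUserName", "")
        src = ev.get("IpAddress", "-")
        pkg = ev.get("AuthenticationPackageName", "")
        # rule 1: a workstation accepted a network logon from the workstation VLAN
        if is_workstation(computer) and source_in_workstation_net(src):
            findings.append(("ws_to_ws_logon", computer, account, src))
        # rule 2: a privileged account authenticated with NTLM anywhere
        if account in PRIVILEGED_ACCOUNTS and pkg == "NTLM":
            findings.append(("privileged_ntlm_logon", computer, account, src))
    return findings


def rule_counts(findings):
    """Summarize findings as {rule: count} for a quick dashboard line."""
    counts = {}
    for rule, *_ in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print("%-22s host=%s account=%s src=%s" % f)
    print(rule_counts(triage(SAMPLE_EVENTS)))
```

On the sample data the script raises four findings: two workstation-to-workstation logons against WS-107 and two NTLM logons by da-admin. An NTLM logon by a privileged account is not proof of pass-the-hash, but if the mitigation guidance has been applied (privileged accounts restricted to Kerberos, admin workstations segregated) it should never happen, so every hit is either a policy gap or an attacker and is worth chasing. The same two rules map directly onto host firewall policy: block inbound SMB/RPC/RDP between workstation subnets, and the first rule becomes a firewall deny log instead of a successful logon.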

The author quotes from the report:

Once a malicious actor achieves privileged control of an organization’s network, the actor has the ability to steal or destroy all the data that is on the network … While there may be some tools that can, in limited circumstances, prevent the wholesale destruction of data at that point, the better defense for both industry and government networks is to proactively prevent the actor from gaining that much control over the organization’s network.

rb-

For those who have not been following along, the TLAs have been attacking and manipulating anti-virus software from Kaspersky.

We also now suspect that the TLAs have compromised at least one and probably two hardware vendors. Business Insider recalls that back in 2013, as part of the Edward Snowden NSA spying revelations, the German publication Der Spiegel wrote an article alleging that the NSA had done a similar thing: put code on Juniper Networks (JNPR) security products to enable the NSA to spy on users of the equipment.

Over at Fortinet (FTNT), they had their own backdoor management console access issue, which appeared in FortiOS firewalls, FortiSwitch, FortiAnalyzer, and FortiCache devices. These devices shipped with a hardcoded SSH login protected by a secret passphrase.

The article seems like advertising for the TLAs’ hacking program.


Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook and Twitter. Email the Bach Seat here.

Michigan Phone Spying Stalled

Warrantless cell-phone spying legislation has stalled in the Michigan House. MLive reports that House Bill 4006 has been pulled from the agenda for the second time in as many weeks. In a flash of rationality, Gideon D’Assandro, a spokesperson for the Republican majority, said new questions about jurisdiction and proposed immunity for wireless providers have popped up. D’Assandro told MLive, “… There’s still questions.”

The legislation, sponsored by Republican Rep. Kurt Heise of Plymouth Township, has prompted push back from some conservative lawmakers and privacy proponents in the state Legislature after advancing out of committee last month. “It’s been a heated discussion, a passionate discussion, just about the civil liberty issues that are all wrapped up in this,” said Rep. Cindy Gamrat, R-Plainwell.

My concern is … we’re setting precedent authorizing government to access our technology devices, such as phones or computers or GPS in cars. Where do you end up drawing the line?

State Rep. Todd Courser, R-Lapeer, said he understands the value that location information could offer in some emergencies but made clear that he could not vote for the bill in its current form. He told MLive,

I think we also need to make sure we’re giving people the constitutional protections that are supposed to be afforded by our founding fathers.

In typical goobermental double-speak, Heise, the sponsor of the bill to legalize NSA-style phone snooping in Michigan, told MLive that allowing warrantless access to private citizens’ phones could actually strengthen civil liberty protections. Heise even told MLive he does not think that notifying cell phone owners whose records the State of Michigan snooped on is necessary.


Warrant-less access to private citizens phones could actually strengthen civil liberty protections

Of course, law enforcement groups and Verizon (VZ) indicated support for the proposal to gain even more access to citizens’ private information. As now written, the snooping does not require a warrant. All a police officer needs to access a private citizen’s phone records is a note signed by a supervisor.

rb-

Get hold of your House Rep (contact info here) and tell them to keep NSA-style warrant-less phone spying out of Michigan and vote this bill down.

Stop the slide down the slippery slope, despite what the Koch Bros. and ALEC want.

Of course, the cops can just call their friends at Homeland Security and get the data and end-run the Constitution.

 


Privacy for Drivers

Ford Motor Company (F) Global Marketing Director Jim Farley touched off a privacy storm when he told an audience at the Consumer Electronics Show that the automaker is tracking drivers’ travels through their in-car navigation systems. He told the crowd in Las Vegas that the automaker tracks driver behavior: “We know everyone who breaks the law, we know when you’re doing it.”

The auto manufacturers have installed “black boxes” on most modern cars. The black boxes are capable of tracking, gathering, and storing vehicle information. In fact, the Feds have proposed that such tracking technology become standard equipment on all cars.

Privacy firestorm

Even though Ford quickly backed down from Mr. Farley’s claims, the comments created a privacy firestorm. As a result, TheDetroitBureau.com reports, privacy advocates stepped up pressure on manufacturers to reveal what information the “black boxes” collect and what they are doing with the personal data they do collect, and to put limits on how it can be used.

black-boxes are capable of tracking, gathering and storing vehicle information.

In response, a group of 19 automakers has gotten together to lay down some ground rules, which they hope will assuage fears about the accessibility and use of the material. According to the article, the makers say the information won’t be given to government officials or law enforcement agencies without a court order, or sold to insurance companies or other companies without the owner’s permission.

The automakers agreeing to the “rules,” which they submitted to the Federal Trade Commission, include Aston Martin, BMW, Chrysler (STLA), Ferrari, Ford, General Motors (GM), Honda (HMC), Hyundai, Kia, Maserati, Mazda, Mercedes-Benz, Mitsubishi, Nissan, Porsche, Subaru, Toyota, Volkswagen, and Volvo.

Self-imposed data collection “rules”

The author speculates that the automakers are willing to abide by the self-imposed “rules” because they believe actual laws could become onerous. Sen. Edward Markey, D-MA, is skeptical of the impact of the “rules.” He called them “an important first step,” but said it remains unclear “how auto companies will make their data collection practices transparent beyond including the information in vehicle manuals.”

Senator Markey noted that the automakers did not offer consumers an opt-out option for whether sensitive information is collected in the first place. He plans to legislate an answer. “I will call for clear rules — not voluntary commitments — to ensure the privacy and safety of American drivers is protected,” Markey said in a statement.

The automakers also committed to “implement reasonable measures” to protect personal information from unauthorized access. Privacy experts are concerned that in recent years many vehicles have had a variety of GPS and mobile communications technology built into them.

TheDetroitBureau explains that these devices record and send all types of information, and privacy advocates are afraid the data could be used by the government against the owners of vehicles. Some worry that the three-letter agencies and law enforcement will use data from the devices to track citizens. Marc Rotenberg, executive director of the Electronic Privacy Information Center, said that legislation is needed to ensure automakers don’t back off their self-imposed “rules” when they become inconvenient. He said,

You just don’t want your car spying on you. That’s the practical consequence of a lot of the new technologies that are being built into cars.

Pop-up ads on in-car touch screens

The black boxes now installed in new vehicles could also be a safety issue for drivers. The article speculates that the rising level of interactivity in cars could open the door to pop-up ads. The automakers’ “rules” do not rule out pop-up ads appearing on the touch screens of cars, trucks, and SUVs as folks are motoring down the road.

One loophole in the guidelines identified in the blog: if customers agree at the time they buy the car, they could receive messages from advertisers who want to target motorists based on their location and other personal data, according to the author. Some safety advocates are concerned about pop-up ads appearing on in-car touch screens while drivers are behind the wheel. Henry Jasny of Advocates for Highway and Auto Safety warned the Associated Press:

There is going to be a huge amount of metadata that companies would like to mine to send advertisements to you in your vehicle … We don’t want pop-up ads to become a distraction.

rb-

The road to hell is paved with good intentions and full of pot-holes. I covered Cisco’s try at monetizing driver data here. Industry officials say they want to assure their customers that the information their cars stream from the vehicle’s computers to automakers (or the Feds) via OnStar, Sync, Automatic, In-Drive, or Car-Net won’t be handed over to authorities without a court order, sold to insurance companies, or used to bombard them with ads for pizza, gas stations, or other businesses they drive past, without their permission.


 


10 Policies to Minimize BYOD Risk

The challenge for employers offering BYOD, according to schnaderworks, a labor and employment blog from Schnader Harrison Segal & Lewis LLP, is finding the right cost/benefit balance for their businesses. In developing an effective “bring your own device” (BYOD) policy, employers must first identify which employees will be eligible for the program, according to the blog.

Once the basic parameters are set, the lawyers stress that a written policy is essential to set up ground rules and permit enforcement to protect the company’s data and other interests. They suggest the following steps are key to establishing an effective BYOD policy:

1. Establish a Mandatory Authorization Process: The lawyers say this should be completed before an employee can use company data and systems on a personal mobile device.

2. Require Password Protection: Each authorized device should have the same password protection as an employer-issued device. According to the article, such protections include limiting the number of password entry attempts, setting the device to time out after a period of inactivity, and requiring new passwords at regular intervals.

3. Clarify Data Ownership: A BYOD policy should specifically address who owns the data stored on the authorized device. It should be clear that company data belongs to the employer and that all company data will be remotely wiped from the device if the employee violates the BYOD policy, terminates employment, or switches to a new device. The policy should also alert employees that it is their responsibility to back up any personal data stored on the authorized device, the article states.

4. Control the Use of Risky Applications and Third Party Storage: Schnader Harrison Segal & Lewis recommends that employers consider banning applications that present known data security risks, along with the use of “jailbroken” or “rooted” devices and unsanctioned cloud storage.

5. Limit Employee Privacy Expectations: The BYOD policy should clearly disclose the extent to which the employer will have access to an employee’s personal data stored on an authorized device and state whether such personal data is stored on the company’s backup systems. The article recommends minimizing the co-mingling of company and personal data. Employers may want to install software that permits the “segmenting” of authorized devices. However, no matter what measures the company takes to preserve employee privacy, the policy must emphasize that the company does not guarantee employee privacy if an employee opts in to the BYOD program.

6. Address Any Business-Specific Privacy Issues: Certain businesses are subject to legal requirements about the storage of private personal information (such as social security numbers, drivers’ license numbers, and credit and debit card numbers) which may need to be addressed in a BYOD policy. The blog points out that HIPAA requires native encryption on any device that holds data subject to the act (strictly, encryption is an “addressable” specification under the HIPAA Security Rule, but loss of an unencrypted device holding protected health information is presumed to be a reportable breach, so in practice it is the expected control). An employer may need to put in place processes prohibiting or limiting remote access for certain categories of sensitive data.

7. Consider Wage and Hour Issues: Permitting employees to use an authorized device for work purposes outside of the employee’s regular work hours may trigger wage and hour claims. The lawyers suggest the BYOD policy should set forth the employer’s expectations about after-hours use (such as a requirement that non-exempt employees must refrain from checking or responding to work emails, voice mail, and texts after hours) (rb- Yeah).

8. Ensure Compliance with Company Confidentiality Policies: The author says a BYOD policy should reiterate that an employee using an authorized device must comply with all company policies on confidentiality and the “acceptable use” of company information.

9. Spell Out Procedures In Case of Loss or Theft: The employer should set up a specific protocol to be followed in the event an authorized device is lost or stolen. The blog says the process should include the prompt reporting of a lost or stolen device and the remote wiping of the device.

10. Document Employee Consent: Finally, the law firm, in good lawyer form, suggests the employer should get an employee’s written consent to all terms and conditions of the BYOD policy.


 


Ban Cubes

Sarah Green at the Harvard Business Review reported on research by Jungsoo Kim and Richard de Dear at the University of Sydney. They looked at the impact of office cubes on office-dwellers’ productivity. The brainiacs found that furniture design impacts how the staff works. There are three key factors: sound privacy, visual privacy, and temperature.

The study found that 30% of workers in cubes were dissatisfied with the noise level of their workspaces, as were 25% of workers in partitionless offices. Worse yet, according to the data, these workers can’t control what they hear or who hears them.

Most despised feature

HBR says the lack of sound privacy was the most despised issue in the survey, with 60% of cubicle workers and half of all partitionless people indicating it as a frustration. Researchers guess that the partitionless people are slightly less bothered by it because at least they can see where the noise is coming from. This gives them a sense of control — no matter how illusory. It’s likely that partitionless office dwellers are listening to music on headphones to block out distractions.

Susan Adams at Forbes reports that workers assigned to cubes are the least happy among us, with open-plan dwellers not far behind. In addition to the sound privacy complaint, more than 30% of people who don’t have their own offices feel frustrated by a lack of “visual privacy.” In other words, they have to look at their colleagues whether they like it or not. Almost as many find the general noise level frustrating.

Cubes decrease work satisfaction

Forbes cites researcher Kim, who said in a statement that open-plan offices decrease work satisfaction:

Open plan office layouts have been touted as a way to boost workplace satisfaction and team effectiveness in recent years. We found people in open-plan offices were less satisfied with their workplace environment than those in private offices.

The researchers found the single most important issue was a lack of space. That held true no matter what kind of office you had — an enclosed office, cubes, or an open layout.

So if workers hate cubes, why do architects and bosses love them? Most likely they looked at studies showing we spend only 35% of our time at our workstations, so they decided to make everything modular or abolish the office to save money and let the collaboration flow. But Ms. Green says not so fast. Previous research, cited by Kim and de Dear, has already shown that noise decreases productivity.

… the loss of productivity due to noise distraction … was doubled in open-plan offices compared to private offices, and the tasks requiring complex verbal process were more likely to be disturbed than relatively simple or routine tasks.

Forbes explained that the idea behind open-plan offices is that workers will be more likely to talk to each other and collaborate. But it turns out that theory was not based on empirical evidence. HBR ran a piece that described a study of employees at Scandinavian Airlines. Apparently, the airline made its HQ über comfy and management encouraged employees to hold “impromptu meetings” and “creative encounters.” Instead, just 27% of employee exchanges happened in public spaces. Two-thirds of employee exchanges still took place in private offices, most likely because people can hear each other better and protect themselves from being heard by unwanted ears.

Unintended consequence

Another unintended consequence of open office spaces: they aren’t good for people who tend to be more on top of their work, according to a study covered by Annie Murphy Paul in Time magazine. Open office planners thought that workers would help one another with challenging tasks. But it turns out that while those who need help do better, those who offer help fare worse. Forbes concludes that is not surprising when you think about it. If I know how to do a task, I’m better off getting on to the next thing, and not losing time trying to teach a less-able coworker.

The not-so-surprising bottom line of the study according to Forbes is that workers in their own offices came out ahead in every category studied. Those who sit in cubicles are the most miserable, expressing the highest degree of dissatisfaction in 13 out of 15 categories.

rb-

Not only do cubes kill worker productivity, but they are also a major pain to support. First, the floors have to be trenched and then underground pathways have to be built and inspected before the floor is patched. Hopefully, the cement guys don’t fill the boxes with cement and then the furniture people miss their marks so cable gets exposed and the owner complains about a sloppy install.

Ban cubes !!!

