Wikileaks Positive Side Effect for IT

The disclosure of diplomatic cables by the organization Wikileaks got a tremendous amount of attention. Given that the story involves issues related to theft, sexual assault, the moral duty for civil disobedience and just plain gossip, this is not at all surprising.

We shouldn't take any comfort in the notion that this is just an issue for the government. The corporate world may be next. Recently there have been rumors that Wikileak's next target is Bank of America. In addition a hacker group in support of Wikileaks took Mastercard's website down for a period of time in retaliation for Mastercard blocking payments to Wikileaks.

Don't Blame Google For Grabbing Your Data

Why people should secure their own Wi-Fi networks, and what the IT industry can do to help.

Google was taken to task recently when it was discovered that it had captured private payload data from unsecured Wi-Fi networks while its Street View cars traveling to collect data for Google's location-based products.

On the official Google blog, Google owned up to collecting this data mistakenly "even though we never used that data in any Google products." Google added that it collected only fragments of payload data. Despite this, a number of European governments and at least one U.S. state attorney general are launching investigations into Google's alleged invasion of privacy.

While I certainly cannot condone Google's actions, I am a little puzzled by the reaction. Where is the call for personal responsibility? People should be safeguarding their own data.

The Hidden Price Of Free Applications

Access to our personal data is the price we pay for ''free'' services on the Internet.

Privacy issues, the Internet and social media in particular have been getting a lot of attention lately. Facebook has become the poster child for privacy concerns about the data we divulge online.

The villain in all of this isn't the technology, since technology isn't inherently good or evil. The issue is how technology is used. That is driven by the business model of the Internet and social media.

Google, Yahoo, Facebook and others of their type provide so-called "free" services. These companies are funded through advertising. Twitter has been the most notable holdout on monetizing its services, but that won't last forever.

Keeping Data Safe From IT Snoops

How to improve data security and privacy.

A Pennsylvania school district made headlines recently with accusations that two of the district's IT employees were spying on students and took "thousands" of pictures of students in their homes without their knowledge, using the cameras in their school-supplied laptops. The school district contends that the ability to remotely take pictures was a security feature used solely to help locate lost or missing laptops. The situation came to light when the school district accused a student of selling drugs based on pictures taken remotely via the laptop that was assigned to the student, although it had not been reported lost or stolen.

The incident could start making everyone wonder about information technology's role in protecting data and privacy. It begs the question: Who watches the watchers?

IT has the keys to all the sensitive data in your company. This includes not only payroll and personnel records, but also financial records, trade secrets and intellectual property, data regarding pending acquisitions, product launches or other strategic decisions. A rather scary thought if you don't trust your IT folks.

The IT Security Balancing Act

Ultimately, IT is responsible for security breaches even if it's not at fault.

Late last year, Plano, Texas-based Hillary Machinery lost $800,000 to cyber theft when attackers stole the money in a series of transfers from Hillary's PlainsCapital bank account. PlainsCapital was subsequently able to recover about $600,000.

As you might expect, Hillary demanded that PlainsCapital repay the unrecovered funds, saying PlainsCapital didn't provide adequate security measures. Up to this point, there is nothing especially noteworthy about this situation. Sad to say, but cyber theft just isn't all that unusual anymore.

However, what happened next has gotten a lot of attention beyond just west Texas.  PlainsCapital is suing Hillary Machinery, the victim!

Responsible Twittering

The company's security issues are well-known, but users also need to be more responsible about what they tweet.

Twitter, the popular social media app was recently awarded a Pwnie (pronounced "pony") at the BlackHat Security Conference. The reason for this rather dubious honor was due to what some call this year's biggest security failure. Apparently, a hacker was able to gain access to confidential documents by hacking into the e-mail account of Twitter Chief Evan Williams.

Prior to this, a similar incident occurred where someone hacked the password of a Twitter administrator and gained access to user accounts, including that of then President-elect Obama.

Identity Protection Goes Beyond Technology

We need to include the "human element" in our identity protection schemes

Identity theft and security is always in the spotlight through the constant stream of news stories about companies losing confidential customer or client data, such as social security numbers, credit card numbers, health histories and so forth. These "breaking news" stories now seem to happen so frequently that we scarcely pay attention to them unless, of course, we are directly impacted by them. They have, however, heightened the public awareness and have even spawned new identity protection businesses.

IT companies rightly react to this by developing new technologies to improve security and eagerly market these to CIOs as a way to protect the personal information of their customers and clients. While we should use these appropriately we can't rely just on technology for identity protection.

Security In The Cloud

Recent High Profiles Breaches Highlight Security Flaws That Are Not Just In The Cloud

In the past few months there have been some high profile security breaches involving cloud applications that may give people pause in using the cloud.  These got a lot of publicity because of the victims involved.

The first was Vice Presidential candidate Sarah Palin's Yahoo email account being hacked.  The second was a hacker gaining control of then President-Elect Barack Obama's Twitter account.

Protecting The US From Foreign Hackers

A recent Op-Ed piece in the Houston Chronicle, "U.S. must update laws defending against foreign hackers" caught my attention.  Congressman Jim Langevin (D-RI) and Congressman Michael McCaul (R-TX) wrote the piece in concern about foreign threats to our information technology systems and made some suggestions on possible improvements.  Although not in total agreement I do think they make some excellent points.

First, however, I feel the need to comment on the emphasis on foreign threats.  Putting the argument in terms of a "foreign" threat smacks of sensationalism and xenophobia.  If an American hacks my computer and steals my personal information I find no comfort in the fact that the thief wasn't a foreigner.  Cyber security is an issue of real significance.  Let's not trivialize it with sensationalism.  The bottom line is that a threat to cyber security is an important issue regardless of where that threat originates.

Langevin and McCaul get to the heart of the issue nicely when they say:

"Our national leaders have been far too slow to understand the scope and significance of this threat. America's laws for cyberspace are decades old, written for primitive technologies in a less-connected era. Our bureaucracy is organized for an industrial age. We are not prepared to meet the threats of the 21st century."

They then make a suggestion with which I whole-heartedly agree:

Security and the Myth of the Superuser

Bruce Schneier runs a great blog, Schneier on Security and I stumbled across a post of his from last May entitled The Myth of the Superuser.  In a very understated way Schneier refers to what he describes as  a "very interesting law journal paper".  It certainly is.  The paper in question is The Myth of the Superuser: Fear, Risk, and Harm Online by Paul Ohm, Associate Professor of Law and Telecommunications at the University of Colorado Law School.

The abstract states:

"Fear of the powerful computer user, "the Superuser," dominates debates about online conflict. This mythic figure is difficult to find, immune to technological constraints, and aware of legal loopholes. Policymakers, fearful of his power, too often overreact, passing overbroad, ambiguous laws intended to ensnare the Superuser, but which are used instead against inculpable, ordinary users. This response is unwarranted because the Superuser is often a marginal figure whose power has been greatly exaggerated.

The exaggerated attention to the Superuser reveals a pathological characteristic of the study of power, crime, and security online, which springs from a widely-held fear of the Internet. Building on the social science fear literature, this Article challenges the conventional wisdom and standard assumptions about the role of experts. Unlike dispassionate experts in other fields, computer experts are as susceptible as lay-people to exaggerate the power of the Superuser, in part because they have misapplied Larry Lessig's ideas about code.

The experts in computer security and Internet law have failed to deliver us from fear, resulting in overbroad prohibitions, harms to civil liberties, wasted law enforcement resources, and misallocated economic investment. This Article urges policymakers and partisans to stop using tropes of fear; calls for better empirical work on the probability of online harm; and proposes an anti-Precautionary Principle, a presumption against new laws designed to stop the Superuser. "

Don't let the "law journal" label scare you away.  This really is a very interesting and thought-provoking read.  Although phrases like "exaggerated attention to the Superuser"  and "overbroad prohibitions"  mind lead you to think that Ohm is downplaying the risk of lax computer security but upon careful reading I don't think he is.  Rather what he is suggesting is a more balanced and reasoned approach to security.