Thursday 20 February 2014

Facebook and Whatsapp, why worry?

The deal of the year: Facebook buys Whatsapp. And even before the dust settles, the privacy world is screaming murder. The privacy-denying company buying a private messaging company spells doom for the privacy of hundreds of millions of users. You are warned to leave Whatsapp if you care about your privacy...

But is your privacy really at stake? Is the merger a new threat?

Facebook knows a lot about you. It knows your friends and relations, your likes, your updates, your whereabouts, and it even knows what you would have liked to post but never really did. Facebook not only has access to your metadata, it has all the content as well.
Whatsapp knows a lot about your telephone number. It knows the telephone numbers your phone number connects with, and it has an enormous amount of metadata about all the connections made.
And since both companies are American, you can bet that the NSA and its friends have access to these (meta)data too.


But, and it's a big but, as long as a Facebook profile doesn't contain a telephone number, Facebook has no way to connect a profile with all that Whatsapp metadata. There is no way to correlate a human profile with a phone profile.
It's a big but: Facebook and Whatsapp live in different worlds, and never the twain shall meet. So in my opinion there is no new privacy risk. If you really care about your privacy, surely you would have left Facebook a long time ago?
So as far as I'm concerned there is no need to dump Whatsapp. There are bigger threats to your privacy.



There's a second but, and that one is a bit more tricky. A Facebook app and a Whatsapp app on a smartphone are different apps and they don't share data between them; the operating system of the smartphone takes care of the separation. Unless the operating system doesn't. I would say, stay away from any Facebook-marketed phone...

So, until Facebook asks for your phone number, or you provide your phone number to Facebook, don't worry.

Friday 7 February 2014

Trust is a one way affair

Cleaning up my blog, I found this snippet of text waiting for further investigation. Feel free to join the discussion:


Any digital identity can only be trusted as much as the identity provider (who provided the digital identity) can be trusted. If you don't trust an identity provider, you shouldn't trust its identities. Seems logical. But even if you do trust the identity provider, that is no guarantee that you can trust the digital identities it issues. Or better... there is still no guarantee that there is a real individual behind the digital identity. It all depends on the identity management processes of the provider. But how can you tell which digital identities belong to real individuals?

What's the problem? If someone creates an account on my site, is that identity more reliable than an identity from a third-party identity provider that I may or may not trust?


If the identity is used only for identifying a website user for personalization purposes, then why not allow the use of any identity, trusted or not? If you grant extra permissions to the user behind that identity, then that's up to you.

Allowing permissions for whatever task should be based on a risk assessment, taking into account the classification of the information and processes involved. Then you decide what level of trust is required, and it's up to you to decide what kind of identity is sufficient. It could well mean that a Gmail or Twitter identity is enough for users to log into your site.


Perhaps that's why I don't like current trust models. They are too complex for most purposes. If people trust you to serve them, that in itself is no reason for you to trust them as well. Why should you? Only if you want them to serve you, or to get stuff from you and then pay you for it, do you need to trust them. Until then, trust is a one way affair.

Sunday 8 December 2013

Stepping up cybersecurity

We love hypes, and in our profession cybersecurity is a hype that refuses to stop being a hype. The #ditchcyber campaign was started to help bust the hype. Well, all right, let's just add to the hype.

Here are some links to documents that may help you deal with cybersecurity.

Confused? Just pick the 9 steps ebook (by Dejan Kosutic). He clearly shows that cybersecurity is just a subset of information security.

Enjoy.

Thursday 14 November 2013

Adobe lesson learned: do not use complex passwords!


By now we have all learned about yet another password leak, this time at Adobe. Not just some incident, no, it's a big one, with some 130 million passwords in the open. A big scandal too. And of course we are amazed at the large number of all-too-obvious passwords chosen by Adobe customers. Passwords like '123456' and 'secret' are amongst the most frequently chosen. Are we really surprised? No, of course not. We already knew that people are not very aware of the security risks involved.

Who are those customers? They are people like you and me, consuming services anywhere on the internet, services like those offered by Adobe. And for most of those services the provider wants to know who you are, by asking you to register an account. So many of us did.

Accounts

Let me tell you about the way I create accounts. In order to protect my privacy I have to protect both my identity and my behavior, so I try to separate my digital life from my real life as much as possible. And I bet that I'm not alone in this. My preferred method is to create an account using an alias. And since providers want to reach my alias, I need to provide an email address. If possible I use a disposable or a fake email address. Next I have to pick a password. '123456' will do just fine. Why?
This password is not there to authenticate; it's there because the provider wants me to provide a password before it grants me permission to use a service. But I didn't use a real digital identity, I just claimed some capacity to download whatever I want from the provider. I don't care about protecting it, because in real life it just doesn't exist and, in all fairness, it's worthless. In fact I may have created an Adobe account a long time ago, but I don't even remember it. And if I don't care, it's just not relevant how secure it is or how complex the password is. The only thing I need to take care of is to NOT use one of my regular identities and passwords.

That's my real protection. As long as a provider, or a hacker for that matter, cannot link the non-existing identity to a real identity, there is no danger to my real privacy if the provider or the hackers publish '123456'. I couldn't care less. So lousy providers like Adobe are not really a risk to me. I was right in not trusting them.
A far better way for providers to connect to customers would be to let them use an external identity. That way you don't need to register an account with the provider, and the provider doesn't need to protect it; there is no password... If you are free to pick an external identity like Facebook, Twitter or LinkedIn, then the risk of data leakage is far smaller. There's another privacy issue, because those identity providers learn your interests from the federation flow: they see which sites you log in to. I will not elaborate on this issue, but if you have enough digital identities, every identity provider only knows part of your interests, part of your activities and thus part of your identity. Divide et impera.

Threats

The Adobe leak led to a lot of noise in the security community. There were two main comments. Adobe is stupid for not enforcing better security: I agree. And: users are stupid for using simple passwords. Well, I don't fully agree, and I will explain why.
Account and identity management is tricky. There are two risks:
1) Someone knows you and tries to steal your identity.
2) Someone knows your password and your login name and tries to find out your real identity and reuse that information.

The first risk can be real, but it need not be that big, provided that you follow a few best practices. Protect your behavior. If someone cannot relate your real identity to a digital identity, not a lot of harm can be done in the digital world, in cyberspace.

As I mentioned, the second risk can be ignored as well, if you understand it and act upon it. I hope/believe that most of the Adobe top 20 passwords were used by people who knew this. In my opinion most of the accounts involved are disposable accounts, and preferably accounts that cannot be linked to real identities.

Password complexity

Both reactions to the Adobe leak came down to one issue: password complexity. Fact: Adobe didn't enforce password complexity on its users, nor did it follow good cryptographic practice in storing the passwords. Second fact: lots of users didn't use complex passwords.

Password complexity is a difficult subject. A password needs to be complex for two reasons:
- You don't want it to be easily guessed by someone who knows your digital identity.
- You don't want it to be easily cracked by someone who has access to your stored (encrypted or hashed) password.
Yet at the same time you want it to be easily remembered, by yourself.

The first risk is in fact the one we manage to mitigate the threat of someone who knows you stealing your digital identity: the first identity risk above. It's the risk of someone retrieving an identity => password combination based on known identity information.

The second risk is more difficult to manage. The enormous amount of processing power available makes this risk hard to mitigate; password cracking isn't that hard to do anymore. This risk works the other way around: someone tries to retrieve a password => account combination based on known password information. Encryption of the password in transit and in storage helps safeguard the password information, but it will probably only help temporarily; for storage, a per-user salted, deliberately slow hash is what holds up, because a deterministic encoding lets one known password unlock every account that shares it. So we are trying to use one measure, password complexity, to tackle two different risks. This may seem efficient, but in fact it's not what we need to do.
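The password => account direction described above, as an added example that is not code from the original post or from Adobe: a constructed user table is stored once with a deterministic, unsalted transform and once with a per-user salted, slow hash, and the attacker's two steps on the dump are run against both. The "weak" scheme is a stand-in for any unsalted encoding and does not describe what any real vendor did; the logins, passwords and server key are constructed.

```python
# Added example, not code from the original post. It shows why a
# deterministic, unsalted password transform lets an attacker walk from one
# known password to every account that shares it, and why a per-user salted,
# slow hash closes that path. The "weak" scheme below is a constructed
# stand-in for any unsalted encoding; it does not describe any real vendor.
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample of what a breached user table originally held.
SAMPLE_USERS: List[Tuple[str, str]] = [
    ("alice@example.org", "123456"),
    ("bob@example.org", "secret"),
    ("carol@example.org", "123456"),
    ("dave@example.org", "correct horse battery staple"),
    ("erin@example.org", "secret"),
]

SERVER_KEY = b"constructed-server-side-key"  # constructed, for the weak scheme


def weak_store(password: str) -> str:
    """Deterministic and unsalted: equal passwords give equal stored values.
    A keyed HMAC stands in here for any reversible or unsalted transform;
    the attacker never needs SERVER_KEY for the attack below."""
    return hmac.new(SERVER_KEY, password.encode(), hashlib.sha256).hexdigest()


def strong_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 100_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    Stored as pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_table(store) -> List[Tuple[str, str]]:
    """What the provider's database holds under a given storage scheme."""
    return [(login, store(password)) for login, password in SAMPLE_USERS]


def shared_value_clusters(table: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Attacker's first step on a dump: group logins whose stored value is
    identical. Needs no key and no cracking at all."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for login, stored in table:
        groups[stored].append(login)
    return {value: sorted(logins) for value, logins in groups.items()
            if len(logins) > 1}


def pivot_from_known(table: List[Tuple[str, str]], known_login: str) -> List[str]:
    """Attacker's second step: one password is learned out of band (a hint,
    a reused password from another leak). Under the weak scheme every other
    login with the same stored value falls with it; under the strong scheme
    the answer is empty because each account must be attacked on its own."""
    stored_by_login = dict(table)
    target = stored_by_login[known_login]
    return sorted(login for login, stored in table
                  if stored == target and login != known_login)


if __name__ == "__main__":
    weak = build_table(weak_store)
    print("weak clusters:", shared_value_clusters(weak))
    print("pivot from alice:", pivot_from_known(weak, "alice@example.org"))
    strong = build_table(strong_store)
    print("strong clusters:", shared_value_clusters(strong))
    print("pivot from alice:", pivot_from_known(strong, "alice@example.org"))
```

Under the weak scheme the dump itself already reveals which accounts share a password, before a single guess is made; learning one of them (a hint, a password reused from another leak) hands over the whole cluster. Under the salted scheme the clusters vanish, and the only remaining route is a per-account cracking run at the cost of the KDF, which is exactly where password complexity starts to matter.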

In order to prevent identity => password retrieval, we need password complexity. No one should be able to retrieve a password based on identity knowledge alone.
One example is phishing: an attacker tries to retrieve secret information from a known identity. That means that the real (physical) identity => digital identity => password trail needs to be protected. And since the password is the valuable item, the password needs to be secured. That means using complex passwords (and, to fight phishing, educating users not to hand over secret information!).

To prevent retrieval of a valuable identity based on a found password, another mechanism is required. If someone retrieved a password, he may be able to retrieve the digital identity, but he should not be able to retrieve the real identity behind the digital identity. Why?
Because that would reopen the identity => password risk!

If the password => identity trail can be followed, an attacker gains knowledge with which to intercept other identity => password combinations. The identity is the valuable resource, so you need to protect your identity. And the best way is to use disposable identities, or external identities in those cases where you have to trust providers.

This leads to an interesting conclusion:


Adobe user accounts with complex passwords may well be more at risk than accounts with easy-to-guess passwords: customers using a complex password may well have used a valuable identity, expecting the complex password to protect it. How about that?

In my next post I will introduce a real simple complex password method.

Friday 4 October 2013

What US-CERT should have said about the Adobe hack

This is what US-CERT said in a rather pointless advisory: "US-CERT advises that Adobe customers be aware of possible fraudulent account activity."
What US-CERT should have said instead. Advice for Adobe customers: if you have an account at Adobe, change your password.

But that's not all: if your Adobe account has a username/password combination and/or an email address that you also use for other websites and services, change your password on all those other sites too.

And perhaps, if US-CERT could spare some time and effort (thank you #shutdown), they could have added this:
Advice for all service providers: get rid of password management by moving to federation protocols like OAuth or OpenID Connect. If you don't store passwords, you can't lose them. (You do still have to validate the tokens the identity provider hands you.)
And advice for Adobe and all other providers: please don't ignore secure programming guidelines.
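What "no password store" buys you, and what it still leaves on the relying party's plate, as an added example that is not code from the original post or from any identity provider: the checks a site must run on an OpenID Connect ID token before treating it as a login. Assumptions: the token is signed with HS256 using the client secret (OpenID Connect allows this for confidential clients; with the more common RS256 the HMAC step is replaced by a signature check against the provider's JWKS and the rest is unchanged), and the issuer, client id, secret and sample claims are constructed.

```python
# Added example, not code from the original post. Moving logins to OpenID
# Connect removes the password store, but the relying party still has to
# validate the ID token it gets back. Assumptions: HS256 signing with the
# client secret (OIDC allows this for confidential clients; with RS256 you
# swap the HMAC check for a JWKS signature check and the rest is unchanged),
# and constructed issuer/client identifiers.
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

ISSUER = "https://idp.example.org"        # constructed
CLIENT_ID = "rp-client-123"               # constructed
CLIENT_SECRET = b"constructed-client-secret"


class IdTokenError(Exception):
    """Raised for any token that must not be accepted as a login."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: Dict[str, Any], secret: bytes, alg: str = "HS256") -> str:
    """Issuer side, constructed only so the example runs offline.
    alg is a parameter so a forged 'none' token can be built for testing."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                    expected_nonce: str, now: Optional[float] = None,
                    leeway: int = 60) -> Dict[str, Any]:
    """The ID token checks from OpenID Connect Core section 3.1.3.7, in order.
    The signature is verified before any claim is trusted, and the algorithm
    is pinned by the relying party rather than taken from the header."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":            # rejects 'none' and alg confusion
        raise IdTokenError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise IdTokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise IdTokenError("token not meant for this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("multiple audiences without matching azp")
    if claims.get("exp", 0) + leeway < now:
        raise IdTokenError("token expired")
    if claims.get("iat", 0) - leeway > now:
        raise IdTokenError("token issued in the future")
    if claims.get("nonce") != expected_nonce:     # binds token to this login attempt
        raise IdTokenError("nonce mismatch")
    if not claims.get("sub"):
        raise IdTokenError("missing subject")
    return claims


if __name__ == "__main__":
    issued = int(time.time())
    token = mint_id_token({"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
                           "iat": issued, "exp": issued + 300, "nonce": "n-1"},
                          CLIENT_SECRET)
    print(verify_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, "n-1")["sub"])
```

The order matters: a token whose signature does not verify must never get as far as having its claims read, and the accepted algorithm is fixed by the relying party so that a header claiming `alg: none` is refused outright. The nonce is the value the site generated for this login attempt and stored in the user's session; it is what stops a captured ID token from being replayed into a different login.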

Tuesday 1 October 2013

Get your #ditchcyber #wegmetcyber certification

You may have read my rant about the misuse of the word cyber, but I am not the first nor the only person to condemn it. Chris Baraniuk posted an interesting article about the history of the misuse of cyber. Recommended! And of course, as mentioned in Chris' article, not every use of cyber is bad. Cyberspace, cybercafé, cybersex, cyberpunk: I don't mind you using those combinations. Trouble starts when politicians use the term without any knowledge of, or vision on, security. In those cases the purpose of using cyber is to create FUD: fear, uncertainty and doubt. It's also a great recipe for really saying nothing: "Cyber is such a perfect prefix. Because nobody has any idea what it means, it can be grafted onto any old word to make it seem new, cool -- and therefore strange, spooky. ["New York" magazine, Dec. 23, 1996]" (source).
I call on the responsible politicians, military and police officials to stop using the word cyber. You should address the risks that you can identify. If you can't identify a risk or a threat, it's just not there. And if you live by fearing the unknown, you will be a threat to others. As we witness every day.
If you feel the same, join the #ditchcyber or #wegmetcyber campaign. It looks like the blog entry I posted earlier last week had an interesting spin-off. The post is now being used as a manifesto for the @cyberxpert community. This new Twitter account is the official voice of the cyber experts who support the #ditchcyber (or #wegmetcyber in Dutch) campaign. In a few days the @cyberxpert Twitter account attracted several dozen followers. Nothing special perhaps, that happens a lot these days. But these followers are allowed to add one of the @cyberxpert titles to their Twitter handle to show that they are the real cyber experts. We use two different titles: people can add RCX and/or CCX to their name. RCX is the abbreviation of Registered CyberXpert, CCX means Certified CyberXpert. One can use the title only by following the @cyberxpert Twitter account and by supporting the #ditchcyber or #wegmetcyber campaign. So join the #ditchcyber campaign, follow @cyberxpert and show your support!

Thursday 29 August 2013

Ditch Cyber campaign

A few weeks ago I started my #ditchcyber campaign, or #wegmetcyber in Dutch. The reason is that in my opinion the word cyber is misused a lot. Right now cyber is attached to almost every event that happens on the internet, in the cloud, in datacenters, at home and in the office. In many cases cyber, followed by another term, has a very negative meaning: if someone uses the word cyber, it's about trouble. War, crime, and we need cyber security, a cyber army and cyber police to protect us against these cyber threats.
And so the audience only knows cyber with this special negative meaning. Cyber requires special cyber forces to guard us from risk.

And what is really the case? It's about information security. It's about professionalism. It's nothing more than managing bits and bytes. But we are just too lazy to do it right, or we spend too little money to make it secure. And then, when something bad happens, a data leak, or a DDoS attack, or whatever crosses your mind, there is the big CYBER excuse.

Well excuse me, you don't hide stupidity in empty words.

I don't want to be rude, but most incidents are of our own doing; they are human errors. Nothing new. Data leakage, like Manning's, happens because of lousy access control and bad logging. Hack attempts succeed because of lacking configuration and patch management. DDoS because of bad architecture. Privileged account misuse because of social engineering. Identity theft because of lacking awareness. Fraud because of lacking segregation of duties, lack of governance. Foreign intelligence acting hostile? Because of our own lacking governance and our being pennywise.

Did I mention cyber? Sorry, no way. Nothing new, just the same old errors. But since we call everything cyber, we obfuscate our own lack of responsibility and lack of accountability. Makes it so easy...

So here I am, a lonely cyber warrior, ditching cyber. Feel free to join the campaign.

And please look up the real meaning of cyber-everything on Wikipedia.

#ditchcyber (@alcyonsecurity came up with this translation, thanks!)
#wegmetcyber