
Archive for November, 2005

GTalkr - flashing yourself may have consequences!

A posting on Darkness Productions alerted us to GTalkR, a Flash-based service for chatting on the Google Talk system. It has what looks like a very pretty and easy-to-use interface. Om Malik took a look at it and liked it, though he questioned the storage of chat logs on their servers.

After we took a closer look, we think he neglected to question and explore what happens when you provide your username and password to this service: it appears they have access to all aspects of your Google Account. This is a major problem. Personally, I don’t want anyone else having my information, let alone the information of hundreds, possibly thousands, of others. My links for the privacy policy and terms of service weren’t functioning. Having no insight into the storage architecture they are using makes me nervous. I suspect the creators are well intentioned, but that doesn’t remove the need to pay attention to privacy and security.

Now, I’m all for having apps created to make using other apps easier. However, neglecting any of the “CIA principles” (confidentiality, integrity, availability) to do so just seems wrong. If this service were on Google servers, run by Google employees, this might be a different story, but alas, this is not the case.

Use this with caution - and always be careful before giving out your username and password.

Posted in Information Protection | Comments

Identity Theft: The Disaster within a Disaster

Get your copy of the FREE (no-strings-attached) eGuide: Protecting your Identity in a Disaster Here

A few months back I was being interviewed by a local television station in the wake of hurricane Katrina. As I was answering some basic questions, I was explaining to the producer that the real risk now (at the time after the immediate impact of the hurricane was felt) was for people to protect their identities. The producer basically responded with “yeah, that’s nice.” I was deeply bothered by this response.

As I see it, this is the disaster within the disaster - the last thing you need during a disaster is to deal with identity theft. As I read accounts of personal papers (birth certificates, social security cards, and other important — and private — records) floating down the river, all I could think about was “what if that information ended up in the ‘wrong’ hands?”

Worse (!), during a crisis when people are getting involved and helping - and seeking to be helped - it’s a great opportunity for fraudsters to take advantage of people. I’m still concerned that some con-artists are impersonating relief and government workers to trick people into giving up their personal information.

Imagine applying for a loan to rebuild your house and then finding out that you are denied due to bad credit. That is clearly a disaster!

I decided to take action. Specifically, I felt a strong need to make sure that good, easy-to-understand information was made available to those who needed it. I immediately called a friend who is a victim of identity theft (and has recently written a book about his experience) and convinced him to work with me to draft a quick and easy-to-understand guide on how to protect your identity during a disaster. We authored a FREE, no-strings-attached eGuide on how to protect your identity during a disaster. It’s 20 pages of the most important information we could distill into four phases:
1 - what to do before disaster strikes
2 - what to do as the disaster strikes (if you can)
3 - immediate steps to take after the disaster
4 - quick actions in the event you think your identity has been stolen

While writing this guide, I realized that this is good information for anyone - especially since any of us may have to deal with a disaster when we least expect it (wild fires, house fires, flooding, and other natural and man-made disasters). In the spirit of helping to make sure people are prepared, we are making this guide available free of charge.

Get your copy of the guide here. Feel free to link back to this guide and share it with anyone you think will benefit!

I would appreciate any ideas and suggestions for how we can improve this information and make a difference through education.

Posted in Information Protection | Comments (2)

Security Catalyst Radio Improvements

Happy Thanksgiving!

I am thankful for the excellent feedback I have received, as well as the encouragement and support! Based on that feedback, I am happy to announce some continuing improvements to the Security Catalyst:
- Addition of a Marantz PMD 670. The Marantz will be used to record the shows, as well as capture “in the field” interviews.
- Bias Peak Pro 5 software. Each show will get some post-processing to ensure consistent levels and top quality in sound.
- Introduction of an editorial and production team. The contributors to SecurityCatalyst.com are now working as a production team to plan and prepare each of the shows.
- Revised format

Instead of one weekly 50-minute podcast that covered current events and then looked at issues the corporation might face, we have separated it into two different weekly podcasts:

The Security Catalyst
Released on Thursdays, this will have a simplified format that quickly touches on the “Hot Topics” of the week and then focuses on an “In-the-Trenches” issue with some ideas, insights and suggestions that benefit the security professional, practitioner and business. We’ll look ahead to upcoming topics so you can help! We are working to produce this as a weekly 30-minute program.

The Security Catalyst Insider
This show, released on Monday, will be a brief look at the top security issue or issues either in the news or facing corporations today. The purpose is simple: introduce the topic, describe key actions that we need to take, and then provide the language and some suggestions for how to explain this to the people around you (family, friends, co-workers, end users and your bosses!). This show will be kept to 30 minutes to give you the information you need for a successful week!

The entire Security Catalyst team is going to be working on researching topics that we’re all facing in the field, at a personal, professional and business level. In the coming weeks, look for information on Plaxo, LinkedIn, wireless security, compliance, policies and other topics you need to be more effective!

Tell me what you think! SecurityCatalyst - at - gmail.com

Posted in Information Protection | Comments

Security Catalyst, Show #6 (Google-Riya, SONY, Security Basics)

Things to do:
* subscribe with the RSS 2.0 feed(s) to your right
* check out the message board @ Security Synergy (registration required)
* add yourself to the security catalyst map
* Call the listener feedback line: 206-333-1936
* If you liked the show, tell a friend; if you didn’t, tell me!

Download or listen to Security Catalyst #6 here (38 minutes long)

This episode focuses on the “In the Trenches” aspects and is part of our drive toward a tighter format. Expect more crispness in next Thursday’s episode, and look for the Hot Topics episode to come out on Mondays (also a tighter format). Thanks to Matt and Josh for pre-production planning.

On Today’s Show
Feedback from Josh

Google-Riya
We look at the potential privacy concerns if Google buys Riya - and examine the need for an opt-out system.

More on SONY
We take a look at the corporate and policy implications that we need to consider.

In the Trenches
We need to focus on the security basics of Confidentiality, Integrity and Availability (CIA).
Great guidance for this can be found in FIPS-199, and I highly recommend you download and read this brief and highly useful document.

Your feedback is needed!
I am evaluating Plaxo (with the help of others) to determine if this is safe to use, or if it provides a security risk. I need your help!
If you use Plaxo and love it, I want to hear from you - and why.
If you don’t use Plaxo, I’d like to know why.
And if you’re not sure, let me know what questions or concerns you have, so I can address them in the next week.

The following track from the podsafe music collection of Podshow was used during episode #5.
BAJA TAXI


Posted in Uncategorized | Comments

A side-thought on the Sony Rootkit

I just realized that I find it very amusing that the debacle that has arisen from the rootkit(s) installed by Sony has called so much attention to a message that those of us in the security world have been repeating for slightly more than a decade:

Disable the Windows “feature” called Autoplay (also Autorun).

This is what makes installation programs begin automatically when a CD is inserted in the drive, and, as Sony’s anti-customer actions have revealed, that software is not always there for your benefit.

Here’s the Microsoft article on how to disable Autoplay/Autorun: http://support.microsoft.com/default.aspx?scid=kb;en-us;126025
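As an added example (not part of the original post or the Microsoft article), here is a PowerShell audit of the NoDriveTypeAutoRun policy value, which is the registry setting that controls Autorun per drive type; the bit-to-drive-type mapping below is an assumption taken from the Win32 DRIVE_* constants (bit = 1 shifted left by the drive type), and the hardening function is a hypothetical helper name.

```powershell
# Added example: audit (and optionally harden) the NoDriveTypeAutoRun policy value.
# Assumed bit layout: each bit disables Autorun for one Win32 drive type.
$DriveTypeBits = [ordered]@{
    0x01 = 'DRIVE_UNKNOWN'
    0x02 = 'DRIVE_NO_ROOT_DIR'
    0x04 = 'DRIVE_REMOVABLE'   # USB sticks, floppies
    0x08 = 'DRIVE_FIXED'       # local hard disks
    0x10 = 'DRIVE_REMOTE'      # network shares
    0x20 = 'DRIVE_CDROM'       # the drive type the Sony discs relied on
    0x40 = 'DRIVE_RAMDISK'
    0x80 = 'reserved'
}
# Machine policy wins over user policy, so both hives are reported.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

function Get-AutorunPolicy {
    foreach ($path in $PolicyPaths) {
        $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun `
                    -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($null -eq $value) {
            [pscustomobject]@{ Hive = $path; Value = $null
                               CdRomAutorunBlocked = $false
                               Blocked = 'not set (OS default applies)' }
            continue
        }
        # Decode the bitmask into the drive types whose Autorun is disabled.
        $blocked = foreach ($bit in $DriveTypeBits.Keys) {
            if ($value -band $bit) { $DriveTypeBits[$bit] }
        }
        [pscustomobject]@{ Hive = $path
                           Value = ('0x{0:X2}' -f $value)
                           CdRomAutorunBlocked = [bool]($value -band 0x20)
                           Blocked = ($blocked -join ', ') }
    }
}

function Set-AutorunDisabled {
    # Hypothetical helper: 0xFF disables Autorun for every drive type.
    # Writing HKLM requires an elevated shell.
    $path = $PolicyPaths[0]
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name NoDriveTypeAutoRun -PropertyType DWord `
        -Value 0xFF -Force | Out-Null
}

Get-AutorunPolicy | Format-Table -AutoSize
```

A row whose CdRomAutorunBlocked column reads False means a CD inserted into that machine can still launch its own installer without asking.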

Also, a quick discussion of Rootkits, and how to tell if you’ve got one:
www.windowsitpro.com

And, a link directly to RootKit Revealer, widely considered the best utility out there for rootkit detection on Windows:
http://www.sysinternals.com/utilities/rootkitrevealer.html

Posted in Information Protection | Comments (1)

Sneak Preview: Is Plaxo Secure, or a Security Risk?

I found that Plaxo had a connector between Thunderbird and their online service, reviewed their privacy policy and terms of service (quickly), signed up and gave it a shot. Generally, most people don’t argue with the update request, and it sure is easy to update my contacts.

That immediately sets off some bells for me, and I wonder whether I have done something intelligent or something foolish.

I’m going to take a few days and dig deeper - and maybe even score an interview for the podcast to try to provide some insight for anyone interested.

Posted in Information Protection | Comments (6)

Luckily, Big Brother Loves you, and has promised to “Do no evil.”

Rumors are flying to the effect that Google is looking to purchase, or may have already purchased, Riya, developers of a new facial recognition technology designed to allow its users to group photographs by the names of the people in their pictures, by subject, by date, and by the text of signs in their pictures, which Riya can also detect and read.

Not only will users of Riya be allowed to search their own collections of photos by name, etc., they’ll be able to make them publicly searchable as well.

I think you can expect to see significantly more from us here at Security Catalyst on this particular subject. Thus, right now, I’m just going to run through a quick overview of my thoughts on it. It seems to me that more and more technology is coming into existence that makes it mind-numbingly simple to invade an individual’s privacy.

One thought that occurs to me is that, if I accidentally appear, recognizably, in the background of a Riya user’s photograph and they make it publicly searchable, it begins, possibly, to reveal much more about me than I might like.

Here’s just one example scenario: let’s say I’ve left a city to get away from an abusive relationship, although I haven’t bothered to change my name or appearance. In my new home, I make new friends, who have, use, and love Riya. Once I appear in one of their pictures and they identify me, it opens a giant hole in my protection. Not only does Riya now have some indication of what I look like, it probably knows who I am and where I spend time, if only occasionally. Since it knows these things, it can start to recognize me in other pictures….

I’d like to just run through an abbreviated list of the people that I expect to be very enthused about this technology, combined with the people who might be scared by it:

Stalkers/Stalkees
Organized crime/Former “organized crime” members within the Witness Protection Program
Government TLA’s/Organized crime
etc… etc….

I’m going to cut this particular article short right about here. The more I think about the implications of this, the more my scalp is starting to crawl.

Definitely watch this space for a more in-depth analysis of this one. This is not as in-depth an examination of the question as I’d like to perform, and your host, the original Security Catalyst, agrees, so we will probably be assembling a forum to discuss it further and putting out a significantly more thorough paper.

Thanks to Darkness Productions for the heads-up.

Posted in Information Protection | Comments

Security Catalyst, Show #5 (get it while it’s good)

Welcome to Security Catalyst #5. Thanks to the excellent feedback, we have another exciting program to help take a look at the security behind the story.

Note: If you are currently subscribed, you will notice the feeds are going to change in the next few days (hopefully before the next show). We are switching to feedburner, and using the “smartcast” options.

If you’re ready, download show #5 here (42 MB, 45 minutes long)

On today’s show
Parental Responsibility
Parental Responsibility Act, 2000
New Jersey Senate passes “parental responsibility” legislation

Sony, the Saga Continues
Sony, Rootkits and Digital Rights Management Gone Too Far
Microsoft to Zap Sony DRM ‘Rootkit’
World of Warcraft hackers using Sony BMG rootkit
Sony Suspends CD Copy Protection

Federal Privacy
Microsoft Pushes For Federal Privacy Legislation

Skype Blocking (again)
US company hopes to block Skype in China

The following tracks from the podsafe music collection of Podshow were used during episode #5.
BAJA TAXI
Chasing Echoes

Things to do:
* subscribe with the RSS 2.0 feed(s) to your right
* check out the message board @ Security Synergy (registration required)
* add yourself to the security catalyst map
* Call the listener feedback line: 206-333-1936
* If you liked the show, tell a friend; if you didn’t, tell me!

Posted in Uncategorized | Comments

Quick Technical Note

We are going to start using FeedBurner, hopefully within the next week. We’re still working through the architecture a bit, but once it’s mapped out and we make the change, we’ll post it clearly so you can subscribe to everything, some things or, I guess, nothing.

Posted in Information Protection | Comments

Security Catalyst welcomes its first contributor

Greetings, I’d like to introduce myself, as I’m hoping you’ll be seeing a lot of me around here. My name is Matt Yoder, and I’ve been an advocate for the improvement of computer security for over a decade now. In the daytime, I act as a Systems Administrator for a sizable state university in Colorado. In my spare time, I pursue multiple hobbies, including keeping abreast of the state of systems and network security.

Michael, your Security Catalyst and Bald Security Expert, has asked me to join him in this forum to help make this site a resource for all things security-related. This will include links to significant news stories with commentary by myself, vignettes from my own experiences in security and systems administration, and, I hope, some “thought experiments” designed to get you thinking for yourself about security-related topics.

Commentary, feedback, and story suggestions can be sent to me at acronym@acr0nym.com

I’d also just like to thank Michael for this opportunity to contribute to something I envision becoming an excellent resource for security news and information!

Posted in Information Protection | Comments
