Background:
A few months ago, Microsoft released (and silently installed through Windows Update) a .NET Framework Assistant add-on for the Firefox web browser. Microsoft installed this add-on to Firefox without warning the user that the add-on would be installed as part of the .NET Framework 3.5 Service Pack 1. Security professionals, bloggers, users in general all over the Internet were in an uproar over Microsoft’s activities. Propel forward a few months, and Mozilla proactively disables two Microsoft-installed add-ons; one of them is the infamous .NET FA add-on. Following some discussions with Microsoft, Mozilla later selected to unblock the .NET FA, but continued to block the .NET Windows Presentation Foundation add-on.

Situation:
The browser is rapidly becoming the “new” OS, and add-ons are the “new” applications. This is the new computer model. The momentum is moving toward SaaS, IaaS, PaaS and other cloud computing acronyms. The impact this is having is such that our browsers are acting more and more like Operating Systems.

If we look back and remember how networking has evolved over the years, we will notice a pattern.  Many years ago, networking emerged from thin clients, then it advanced to thick clients and now we are going back to thin clients. The browser is the new thin client. It’s essentially the new OS. It isn’t a coincidence that Google’s new OS is called Chrome OS. Or is it? Can anyone say: “Firefox patch Tuesday”? I think we may have witnessed the first Firefox patch push.

When Mozilla decided to proactively block two Microsoft add-ons, the result of this action was effectively the same as patching a vulnerability (automatic updates). The reason these two distinct actions are similar is because the results are the same; they both prevent, fix, or block a vulnerability from an exploit. The block imposed by Mozilla impacted every instance of Firefox automatically, without user interaction.

What’s even more disturbing with this model is its ability to completely bypass many perimeter defences. This cloaking behaviour is a huge blow for the security of our networks. It’s giving a transporter to our adversaries to infiltrate our networks. Once inside our browsers, this enemy fundamentally becomes a virtual insider on our networks. It turns our users into allies and uses tactics that are very effective and easy to deploy: Tricks like social engineering, spear phishing, SPAM and emails with various types of specially-crafted attachments, etc.

We must protect and educate our greatest asset, which is coincidentally also our weakest link: The user. Vulnerabilities such as XSS, XSF, drive-by downloads, etc. are almost always triggered by trusted, authenticated and authorized users on the network.

Conclusion:
I just touched on this subject, but I believe a general awareness strategy will have to play an important role in the future. The bad guys will keep winning as long as they are the only ones reaching out to our users. We must positively reach out to users or they will keep getting tricked into doing things against us (and themselves).

A friend of mine recently had a very Dilbertesque experience at work.  The company my friend works for has been acquired twice in the last three years and all of the dust seemed to be settling.  Sort of…

Locally there were four offices under the corporate umbrella, each a legacy of the acquisitions that had occurred over the last several years.  The parent company decided to consolidate three of the offices and scale down the most remote office by moving some of the staff from that office to the new centralized office.  This was reasonable, and most of the staff saw this as a good business move.  Most of those who did not see it as a good move were from the remote office and would have to drive farther to get to work.

Planning for the move had gone on for a couple of months and was finalized about two weeks before the actual move date.  The new seating chart was printed, offices were assigned, and additional requests were made.  Here is where we take a turn for the weird:

Treating your people like they are worthless: Elimination of a position announced through the new seating chart.

One of my friend’s coworkers found out by looking at the seating chart that he was not going to have a job in two weeks.  Rather than approach this individual before the release of the seating chart, the office manager chose to let things work themselves out a la “Office Space”.  Fortunately, the Milton in this case chose not to resolve the issue with fire but by talking with HR, but this left a bad taste in a lot of people’s  mouths.

Generate a menial or pointless task.

Actually, this one is a little worse than pointless, it is counterproductive.  Time tracking is a part of a lot of people’s workdays. I did it every day when I worked as a consultant, so that we could bill customers for my activities.  This is not a diatribe against time tracking; however, my friend was asked not just to start tracking time, but to go back to the beginning of the year and track all of the time since January 1.  The company wanted real data for that entire time.  Do you remember how you spent your day in fifteen minute increments 6 months ago? 6 weeks ago?  6 days ago?  As a group, the team that was asked to do this questioned the logic behind generating data that would contain a lot of errors and inaccuracy that would then be the basis of the next three years of projections.  They were told, effectively, not to worry about it and that the data analysis team would take care of it.  To me, dear reader, that is like saying, “Create firewall logs for the last 9 months that we can then use as the basis for the upgrade of the existing firewall and Internet connection, even though you only put in the logging system this week.”  Yes, you will have a smaller set of data to work off of but it will be more accurate, and your people will feel better about their work.

So what can you do to avoid putting yourself or your coworkers in such a situation – aside from not working where my friend works?  Treat your coworkers with respect and dignity. If you know of something that is going to have a direct impact on their lives, they need to be made aware of the upcoming change in as timely a manner as possible.  If you are implementing a new system that employees are going to be using, get their feedback and review what they have to say.  Don’t make decisions in a vaccum. If it impacts people, get their input.  Running a business depends on the people that work there; if they don’t feel valued, then the business won’t be valued.

by Dennis Kuntz

The government spends billions in research every year. Quite often the goal of that research is to create more effective fighting machines and mechanisms, better survival techniques, better gear for soldiers, etc. The array of researched technologies is huge, and wartime in particulate can spur a ton of research.

Also quite often, the results of that technology end up being used for civilian purposes. Researchers and scientists in World War II alone created and/or had significant impact in the areas of radar, jet engines, computers, synthetic rubber – the list goes on and on. It’s obvious today how those technologies, invested in by the military and the government primarily for the sake of the war, have been applied to our civilian lives.

Another thing to note about all of this is that the benefits of those government/military technologies have not been limited to the countries in which they were created. As peacetime would creep in, and alliances form where hostility once reigned, technology would be shared. Not to mention that even when those alliances didn’t form, the opposing sides would still have access to enemy technology (captured vehicles, interrogation, etc.) to get a foothold in implementing those technologies themselves.

This brings me to a question about malware. Malware is bad – hence its name. The folks who create it and apply it (as opposed to security researchers that create it for purposes of research) are at the very least not the most scrupulous bunch. There are legions of anti-malware researchers and malware analysts digging into these rogue pieces of software, poking and prodding at them, and figuring out how they work.

This piqued my curiosity: What technology (or use thereof) resulting from malware/anti-malware research has hit the “mainstream civilian” computing world? And no, I don’t mean Sony’s rootkit. I mean application of what has been learned – in obfuscation, more efficient coding techniques, remote distribution applications, etc. – in a way that is useful, but not necessarily matching its intended “wartime” purpose (you cannot make me say the “c—-war” word).

The closest thing I could find – yes, aside from Sony’s blunder – was a paper by Microsoft researchers discussing a “friendly worm” in terms of patch delivery. This is generalized by Bruce Schneier as “benevolent worms”, and which he calls a “stupid idea”.

Despite their ethics, the malware writers are very, very smart. The anti-malware researchers and the malware analysts are also very, very smart. So I pose the question to all of you – what useful applications of what has been learned in the battle against malware are waiting to be used?

In my last blog, I talked about how to build trust with a customer, and the advantages of doing so. By building a relationship of trust, communication becomes more open, allowing the customer to feel comfortable sharing their needs, and allowing the IT service provider to better customize service and anticipate needs. This concept also extends to intra-IT interactions – or regular life interactions, for that matter.

Sociologists will tell you that humans are social creatures – even the most introverted of our species require interaction with others. There is also the concept of the “inner circle” – each person has an “in” crowd that they trust and want to interact with. Evolutionarily, having such a group ensured survival: the group would mutually protect each other and they worked together to find food and raise children. The flip side of this evolutionary model is the rest of the world: If you’re not part of the inner circle, you’re not trusted and are thus treated with suspicion, prejudice, or even disdain. Individuals in your inner circle get the benefit of the doubt when they do something wrong, and you are compelled to help them through it. Individuals not in your inner circle are assumed to be malicious when they do something wrong, and you are compelled to be defensive and accusatory toward them for it.

It frequently surprises me how people assume that things in the IT or business world work so differently than they do in daily life, when there is actually little or no difference. We are the same humans with the same genetic make-up whether we’re home in our sweats or at work in our suits. Everyone knows that the best way to get a new job is to network with people at the target company, and many a manager has been accused of favoritism – Mary got a perk that I didn’t get because the boss “likes her better” (i.e., trusts her more) than me. Even security networks are built on trust (e.g., PGP): if I trust you and you trust John, then I can trust John.

So it stands to reason that if we can increase trust in the workplace, everything gets better: issues get resolved faster, there are fewer nasty surprises, there is greatly increased communication, and a strong desire to be inclusive. This then results in better collaboration between IT teams, which increases sense of ownership that in turn decreases errors and improves the overall quality of deliverables. All of this makes the customer – and thus the boss – happier.

But how do you go about this? Theoretically, it’s simple: communicate and include. Practically, it’s quite a bit more challenging. Make it a point to build trust with your coworkers, especially where you know it doesn’t exist today. At work, your inner circle is most likely your immediate team. But you probably work regularly with other teams. Are you accusatory of them? Do you have a less than impressed opinion? Do you think they screw up or are sub-par? Do they point their fingers at you? Those are the individuals you most want to target. Be sure to have face-to-face meetings with them – it’s a lot harder to think someone’s a jerk when they’re sitting right there. When you invite them to the table, ask everyone (including you and your team) to leave their prejudice at the door. Talk about what’s going wrong openly and honestly, with the intent to fix the problem, not lay blame. This may take some time, but have the good will to keep trying, and consider engaging a practiced facilitator if needed (many people are naturally good facilitators, but if you need someone who has been specially trained, try looking in HR or the training department). Extend gestures of goodwill by inviting the other team to an outing (e.g., lunch or drinks after work) or to meetings that they should’ve been invited to but weren’t. Above all, really listen to their perspective and make an effort to see their point of view. It might take a while, but what you’ll notice over time is increased respect and much smoother workings between you.

It may be a bit pie-in-the-sky, but imagine if you had trust with every team you worked with. I guarantee you’d be a happier employee and you’d enjoy your job a lot more. You’d also get work done faster with higher-quality results, making your customers and supervisors happier, too. And in this tenuous economic climate of cost-cutting and down-sizing, that’s maybe as close to job security as any of us can get.

by Aaron Titus

If you have nothing to hide, why do you need privacy? This question, famously attributed to the McCarthy era, has gained currency again in this era of terrorism and national security. The question implies that privacy is a form of dishonesty, that the things people want to hide are the very things others should know about.

I admit that I bristle every time I hear someone say, “You have nothing to worry about if you have nothing to hide.” Baloney. I have everything to hide! When someone says, “I have nothing to hide,” it’s simply not true. What he really means is, “I have nothing to be ashamed of,” which may be true. But shame is only one, limited reason for confidentiality. Confidentiality is not an admission of guilt.

I have much to hide, for one simple reason. I cannot trust people to act reasonably or responsibly when they are in possession of certain facts about me, even if I am not ashamed of those facts. For example, I keep my social security number private from a would-be criminal, because I can’t trust that he’ll act responsibly with the information. I’m certainly not ashamed of my SSN. Studies have shown that cancer patients loose their jobs at five times the rate of other employees, and employers tend to overestimate cancer patients’ fatigue. Cancer patients need privacy to avoid unreasonable and irresponsible employment decisions. Cancer patients aren’t ashamed of their medical status—they just need to keep their jobs.

A person may share intimate secrets with an ecclesiastical leader that they would keep private from parents, because they fear the parents may not act reasonably or rationally when presented with the same information. During World War II, the government acted unreasonably and irresponsibly with Census data about the location of Japanese-American citizens. Privacy from government entities is paramount.

In addition, can you imagine how much damage you would impose on innocent people if you spoke every thought that came into your head? Or if doctors, lawyers, and accountants disclosed everything they knew about you?

The need for privacy is the recognition that most individuals, organizations, or institutions cannot be trusted to act reasonably, responsibly, in the best interest of the person, or in the best interests of society, when in possession of certain types personal information. Humans are biased. We have limited cognitive and analytical abilities, and never know all of the facts. We are infamously poor judges of character. We change our minds, and come to conflicting conclusions. So, the next time someone asks whether you have something to hide, do not hesitate to say, “Yes, of course I do.”