Category Archives: Technology

The Most Read Terms of Service: what an age-guessing tool tells us about our uses of personal information

In the last 48 hours, age became a hot topic on Facebook, thanks to Microsoft's free online age-guessing tool, How-Old.net. It proves age is still a contentious topic, regardless of gender, race and, obviously, age. A marvellous marketing gimmick!

As always happens once a story catches fire, a few risk-averse or investigative minds start to dig deeper and uncover an inconvenient truth: the terms of this service authorise Microsoft to use user photos for more than just age-guessing. Exactly what those future uses will be is unknown!

Having worked in cloud computing and outsourcing for the last five years, I find such user terms and conditions are not unusual. Most of them are crafted so that almost all risks are excluded from the service provider's liability. Legal counsel are paid to read all reported and unreported court cases and to protect a company like Microsoft in a case like this.

The basic assumptions of data privacy protection are in question here, and this case offers a chance to review them.

Is consent from the user enough?

For How-Old.net, the user's intention in uploading a photo is clearly to find out their age and gender. Users don't expect it to tell them whether they have diabetes or what their sexuality is (it may be possible with enough data points!). However, the service provider's terms leave open the possibility of other uses of the photo, without specifying what they will be. Service providers are giving themselves some elbow room for future innovations. This is actually a typical way for commercial terms to respond to data privacy legislation.

Most data privacy laws require informed consent for specific uses of personal data. The rationale is that as long as users consent to the uses of their PII, there is NO violation of data privacy law. However, we have seen software and web service terms that try to include an extensive scope of uses, and sometimes unrestricted uses. Users are either lured into giving consent or ignore the terms completely. Users give consent rather spontaneously!

 

For those who like to read the legal terms, the relevant clause is extracted here.

However, by posting, uploading, inputting, providing, or submitting your Submission, you are granting Microsoft, its affiliated companies, and necessary sublicensees permission to use your Submission in connection with the operation of their Internet businesses (including, without limitation, all Microsoft services), including, without limitation, the license rights to: copy, distribute, transmit, publicly display, publicly perform, reproduce, edit, translate, and reformat your Submission; to publish your name in connection with your Submission; and to sublicense such rights to any supplier of the Website Services.

No single prediction is perfect, so I look at four

As 2015 approaches, it is time for New Year resolutions and wishes. In the security industry, we are busy preparing for another eventful year!

When preparing our budget and project portfolio, it may be useful to look at predictions from leading security vendors. Cyber security is an intelligence game. Can the Websense, Sophos, FireEye and TrendMicro predictions help us? I will write another post to provide my thoughts.

Legend: in the original table, orange cells were directly related to smartphones and red words to payment systems.

2015 Cyber Security Predictions

Websense:

1. Healthcare will see a substantial increase of data stealing attack campaigns
2. Attacks on the Internet of Things will focus on business use cases, not consumer products
3. Credit card thieves will morph into information dealers
4. Authentication consolidation on the phone will trigger data-specific exploits, but not for stealing data on the phone
5. New vulnerabilities will emerge from decades old source code
6. Email threats will take on a new level of sophistication and evasiveness
7. As companies increase access to cloud and social media tools, command and control instructions will increasingly be hosted on legitimate sites
8. There will be the new (or newly revealed) players on the global cyber espionage/cyber war battlefield

Sophos:

1. Exploit mitigations reduce the number of useful vulnerabilities
2. Internet of Things attacks move from proof-of-concept to mainstream risks
3. Encryption becomes standard, but not everyone is happy about it
4. More major flaws in widely-used software that had escaped notice by the security industry over the past 15 years
5. Regulatory landscape forces greater disclosure and liability, particularly in Europe
6. Attackers increase focus on mobile payment systems, but stick more to traditional payment fraud for a while
7. Global skills gap continues to increase, with incident response and education a key focus
8. Attack services and exploit kits arise for mobile (and other) platforms
9. The gap between ICS/SCADA and real world security only grows bigger
10. Interesting rootkit and bot capabilities may turn up new attack vectors

FireEye:

1. Mobile and Web-based viruses remain a scourge, and hardly a week goes by without hearing of another data breach or a new malware.
2. Mobile ransomware will surge in popularity. Cryptolocker attained a measure of success this year, and so attention is expected to further turn to mobile in order for attackers to gain access to your phone and contacts.
3. Point-of-sale (PoS) attacks will also become a more popular method of stealing data and money — and PoS attacks will strike a broader group of victims with increasing frequency.
4. As retailers strengthen their defenses and more criminals get into the game, cyberattacks will spread to “middle layer” targets including payment processors and PoS management firms.
5. Attacks on the enterprise supply chain will surge, as less mature or financially able companies become weak links in an ecosystem where only top firms can bolster their defenses to acceptable standards.
6. Lack of adequate response could result in a major brand going out of business.
7. With such risks in the corporate realm, cyber insurance as an industry is expected to grow.

TrendMicro:

1. More cybercriminals will turn to darknets to share attack tools, stage attacks, and market stolen goods.
2. There will be bolder hacking attempts as cyber activity increases.
3. An exploit kit that specifically targets Android users will surface.
4. Targeted attacks will become a norm.
5. Bugs in open source apps will continue to be exploited.
6. New mobile payment methods will introduce new threats.
7. We won’t see head-on IoE/IoT device attacks, but the data they process will tell another story.
8. More severe online banking and other financially motivated threats will surface.

Soon will come the software defined transaction (SDT) age.

“It’s comforting to imagine that, in the end, the power of innovative technologies and business models will win out over status-quo thinking and entrenched interests, all for the public good.”

From a security and risk management point of view, a central party, or in the author’s words “the powers that have traditionally controlled those transactions”, provides assurance on quality of service, security and privacy protection. However, with new technologies most of these assurance features could be delivered by software.

Soon will come the software defined transaction (SDT) age.

 

April 27, 2014

Microsoft tries to address PKI issues in IE11 (SmartScreen and SNDS)

Digital certificates are widely used and the Internet cannot work without them. However, PKI (the framework digital certificates are based on) has many issues. Last year, at the ISO SC27 meeting at ENISA, there was a special session on PKI. Many issues were only raised, without reaching a conclusion, as happens with most issues brought to international meetings.

Microsoft, with a 10% to 20% share of the browser market (depending on which report you read), is taking steps to manage this madness. A recent blog post, “A novel method in IE11 for dealing with fraudulent digital certificates”, explains their strategy. I think Microsoft’s action is very responsible and will help to mitigate issues with fraudulent digital certificates. A certificate and its associated private key are very sensitive and must be handled with security in mind. In my over 10 years of audit experience, I have seen many engineers and administrators treat a private key the same as a configuration file. In most enterprises there is a general lack of documented procedures or best practices for administering digital certificates. Malicious attackers may abuse this weakness: a stolen server key lets them impersonate the site, and a stolen CA key lets them issue fraudulent certificates that browsers trust.

In IE11, Microsoft uses SmartScreen Filter to detect and report high risk uses of certificate. Three scenarios are explained in the blog post:

“1. A website is using a certificate that is capable of being used as a subordinate CA. This would indicate the certificate has been issued wrongly.

2. If a website suddenly presents a different certificate only to a certain region where a different CA issued the certificate. This might indicate a possible MITM attack in a specific country or region.

3. There was a sudden and significant change in the fields a CA includes in certificates it issues. For example, omission or change in the OCSP responder location. This would indicate a CA was either compromised, or has not followed standard operating procedures.”

There is a practicality issue with item 2 above for a 24×7 website. Suppose an Apple administrator updates the SSL certificate at midnight; APAC region users will be the first batch of users to see this updated, and therefore different, certificate. Will IE11 warn users about the new SSL certificate even though it was replaced as part of a normal refresh? As quoted, the check only fires when the new certificate was issued by a different CA, so a straight renewal with the same CA should pass, but a renewal that also switches CA looks exactly like the MITM pattern. I hope Microsoft will add intelligence to their detection algorithm and take the effective date of the old SSL certificate into consideration.
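As an added illustration (written for this post; it is not Microsoft's code and not how IE11 or SmartScreen are implemented), the following sketches scenarios 2 and 3 from the quoted list as offline detection logic over certificate observations, with the rollover caveat above handled by looking at how close to expiry the displaced certificate is. The observations, region names, CA names, field names and the 30-day rollover window are all constructed assumptions for the example.

```python
"""Added example: region-split certificate detection with rollover handling,
plus a one-field version of the issuer profile-drift check. Not taken from
the Microsoft post; all data below is constructed."""

from collections import defaultdict
from datetime import datetime, timedelta


def _t(s):
    """Parse a 'YYYY-MM-DD HH:MM' UTC timestamp (assumed format)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


def _obs(host, regions, fingerprint, issuer, not_before, not_after, ocsp):
    """Expand one certificate seen in several regions into one record per region."""
    return [dict(host=host, region=region, fingerprint=fingerprint, issuer=issuer,
                 not_before=_t(not_before), not_after=_t(not_after), ocsp=ocsp)
            for region in regions]


# Constructed observations (not real telemetry). Just after midnight UTC on
# 2014-04-27, clients in three regions report which certificate each host served.
NOW = _t("2014-04-27 01:00")
OBSERVATIONS = (
    # Case A: renewal that also switches CA. The old cert expires in four days
    # and the new one is first seen in APAC, the region that wakes up first.
    _obs("www.example.com", ["EU", "NA"], "A1", "CA-One",
         "2013-05-01 00:00", "2014-05-01 00:00", "http://ocsp.ca-one.example/")
    + _obs("www.example.com", ["APAC"], "B2", "CA-Two",
           "2014-04-26 00:00", "2015-04-26 00:00", "http://ocsp.ca-two.example/")
    # Case B: the cert every region sees is valid for another year, yet APAC
    # clients also get a cert from a CA nobody else sees: the MITM pattern.
    + _obs("login.example.net", ["EU", "NA", "APAC"], "C3", "CA-One",
           "2013-09-01 00:00", "2015-09-01 00:00", "http://ocsp.ca-one.example/")
    + _obs("login.example.net", ["APAC"], "D4", "CA-Three",
           "2014-04-20 00:00", "2015-04-20 00:00", "http://ocsp.ca-three.example/")
    # Case C: plain renewal with the same CA, but the new cert has no OCSP URL.
    + _obs("shop.example.org", ["EU", "NA"], "E5", "CA-One",
           "2013-06-01 00:00", "2014-06-01 00:00", "http://ocsp.ca-one.example/")
    + _obs("shop.example.org", ["APAC"], "F6", "CA-One",
           "2014-04-26 00:00", "2015-04-26 00:00", None)
)

# Assumed policy: a certificate replaced this close to expiry is treated as a rollover.
ROLLOVER_WINDOW = timedelta(days=30)


def regional_cert_alerts(observations, now=NOW, window=ROLLOVER_WINDOW):
    """Scenario 2: a host shows one region a certificate from a different CA
    than the certificate the other regions see. The baseline is the cert served
    to the most regions (ties resolve to the first seen); if that baseline is
    about to expire the finding is downgraded to a likely rollover, not dropped."""
    by_host = defaultdict(list)
    for ob in observations:
        by_host[ob["host"]].append(ob)

    alerts = []
    for host, obs in by_host.items():
        certs = {}  # fingerprint -> issuer, expiry and the set of regions that saw it
        for ob in obs:
            cert = certs.setdefault(ob["fingerprint"], dict(
                issuer=ob["issuer"], not_after=ob["not_after"], regions=set()))
            cert["regions"].add(ob["region"])
        if len(certs) < 2:
            continue
        baseline_fp, baseline = max(certs.items(), key=lambda kv: len(kv[1]["regions"]))
        for fp, cert in certs.items():
            if fp == baseline_fp or len(cert["regions"]) != 1:
                continue
            if cert["issuer"] == baseline["issuer"]:
                continue  # same CA: a plain renewal, not the pattern Microsoft describes
            time_left = baseline["not_after"] - now
            verdict = "likely_rollover" if time_left <= window else "mitm_suspect"
            alerts.append(dict(host=host, region=next(iter(cert["regions"])),
                               fingerprint=fp, issuer=cert["issuer"],
                               baseline_issuer=baseline["issuer"], verdict=verdict))
    return sorted(alerts, key=lambda a: a["host"])


def issuer_profile_drift(observations):
    """Scenario 3, reduced to one field: flag a certificate with no OCSP
    responder URL when the same issuer normally includes one."""
    by_issuer = defaultdict(dict)  # issuer -> fingerprint -> OCSP URL or None
    for ob in observations:
        by_issuer[ob["issuer"]][ob["fingerprint"]] = ob["ocsp"]
    alerts = []
    for issuer, certs in by_issuer.items():
        with_ocsp = sum(1 for url in certs.values() if url)
        if len(certs) < 2 or with_ocsp * 2 <= len(certs):
            continue  # no baseline, or this CA does not usually include OCSP
        alerts.extend(dict(issuer=issuer, fingerprint=fp, reason="OCSP responder omitted")
                      for fp, url in certs.items() if not url)
    return alerts


if __name__ == "__main__":
    for alert in regional_cert_alerts(OBSERVATIONS):
        print(alert)
    for alert in issuer_profile_drift(OBSERVATIONS):
        print(alert)
```

Run as written, case A comes back as a likely rollover and case B as a MITM suspect, while case C is only caught by the profile-drift check. The rollover window does not silence the finding; it lowers its priority, because an attacker could time a MITM to coincide with a real renewal, and that is precisely when a same-region CA switch would otherwise be waved through.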

Another important control Microsoft implemented is that “domain registrants could be notified by email when new certificates with their domain names appear in our database. The domain registrant would have the option to report suspicious certificates to us and notify the CA to revoke the suspicious certificate.” In short, Microsoft shares the observed certificate usage for a specific domain with whoever claims to be the domain owner, and the domain owner then needs to take action accordingly. This is a responsive strategy that works by increasing transparency. (There is a new trend in the security industry towards sharing information and responding in a timely manner, in addition to the defence in depth principle. I will write on this trend later, when I finish reading “Responsive Security” by Meng-Chow Kang.)

It is a perfect design in theory. My first question is: who reads such warning emails? Does the email recipient understand the risks when they are reported by SNDS? Time will tell.