Secure Online Banking and Another take on Microsoft and Malware

In this article, I have a few comments on two recent Information Security-related news items.

In a previous article titled "Microsoft's role in the battle against spyware," I commented on the irony of Microsoft profiting from a problem they played a big role in creating. It seems I'm not alone in this sentiment. Gartner's Neil MacDonald, speaking at the RSA conference this week, noted "Microsoft's overriding goal should be to eliminate the need for AV and AS products, not simply to enter the market with look-alike products at lower prices." Many of his comments were absolutely on-point, especially those demanding spyware/adware solutions from Anti-Virus companies as part of their current product offerings, not a separate product. TechWeb has a good summary of his speech that I recommend. While I don't always agree with Gartner, particularly since their irresponsible comments about IDS being dead, what Mr. MacDonald says here is exactly what the industry needs to hear.

In another recent bit of news, a businessman has filed lawsuit against Bank of America, claiming
$90,000(US) was wired out of his account without his permission. After my experience in a Fortune 500 financial institution, this only surprises me because it hasn't already happened. In our organization, there were impressively-tight security controls from a system and network perspective, but the information security team had little to no say in what went on at the application level, particularly for line-of-business applications developed in-house. Due to the perceived role of the information security team, warnings about shortcomings in online banking applications (such as authentication only by card number and pin) fell on deaf ears. It's a shame that things like this have to happen before financial institutions begin taking threats to their customers' accounts seriously. Hopefully other corporations will learn from this mistake so other online banking customers don't fall victim.


An amusing commentary on the state of malware

One of the restrooms at a location where I work has a cheap magazine rack. On occasion, people will leave behind sections of the Washington Post or, more commonly, the free version given to Metro riders called the Washington Post Express. Today, I noticed something different. There was a magazine-sized publication printed on newsprint-style paper in the rack, opened to a page and folded back on itself so as to only show one of the pages. The page contents were divided into three vertical columns, filled with plain-text advertisements for a variety of educational lectures each a few paragraphs in length. At the top, and the center of the page, I saw the following (copied verbatim):

10 ways to avoid the 60,000 Viruses on the Internet
Here is the most valuable computer course you could ever take! Avoid the drive-by download! You'll walk away with a ten point checklist of FREE ways to avoid the 60,000 viruses on the internet. Learn where to test your system for vulnerabilities. Discover which spyware detector is actually spyware! Override your default settings to make your system safe. Find out what the biggest mistake people make with their computer. Why a free firewall is better than Microsoft's and plenty of time for Q&A with "The Computer Guy."
(followed by text about the lecturer)

Knowing nothing about the individual giving this lecture, I have no reason to doubt that the information provided may be very useful to the average computer user. However, I wasn't sure what was more amusing: the text of the advertisement, that the class is $25 for "Nonmenbers" or $15 for "Members" yet you're provided with a "free" checklist, or that the ad was right next to a headline bellowing Astral Travel: How to Induce Out-of-Body Experiences offered by the same organization.

This advertisement was in a magazine from "First Class Inc., a non-profit 'adult-ed' center." This harkens back to my previous call for a comprehensive information security clearinghouse. While the information provided in this lecture may be great, there is an equal chance that it could be bad advice; this organization is hardly an accredited university. The government provides services that serve the public's interest in many aspects: the FDA, the CDC, etc. Why not Information Security as well?


Communications, Privacy Laws, and Security

As far back as 1997, I can remember Voice-over-IP, or VoIP, being called the "next big thing." Today, it seems the prophecies are finally coming true. Unfortunately, the widespread adoption of this technology stands to throw into complete disarray the boundaries of privacy laws intended to protect citizens, and the remediation could have a significant impact on the security industry.

Confusion over the application of the Federal Wiretap Act of 1968 has already arisen with regard to Instant Messaging, and this is a good starting point for a discussion on privacy in a digital environment like the Internet. If I am chatting on AIM from my home computer, sending personal messages to a friend who is at work, the conversation may be recorded. In fact, there is an emerging niche market of products designed specifically for such a purpose. The argument for such monitoring goes like this: every organization has a right (and sometimes obligation) to monitor the use of their computers and networks. There are many reasons for this, not the least of which is making sure sensitive information is not leaked. If someone happens to be chatting up a storm on IM and personal information gets logged, well, too bad. That individual knows the rules. On the other hand, as the user at home, I have no intention of my message being seen by anyone other than the recipient, and I have no way of knowing that my friend is on a network that might be monitored. On its face, mine seems to be the kind of situation for which the Privacy Act was designed, however there is little to no precedent either way. And unlike email, which already has a strange judicial precedent, the technology is not store-and-forward, so the one existing ruling regarding Internet communications cannot be applied. Now, I should know that IM conversations are easily read by third parties, but difficulty of the act of intercepting a conversation has nothing to do with its legality.

These privacy and legal concerns are quickly being realized by adopters of VoIP, except now the technology impacted completely mimics the type of technology the Wiretap Act was meant to protect: voice communications. Every time packets of VoIP data are sent over the Internet, they are most likely being analyzed by packet loggers, IDS's, and a variety of other network monitoring gear. The privacy of this data is entirely in the hands of the people who configured the devices, and the logging of this data falls into the same huge gray area as our IM conversation above. Furthermore, it would be easy to build products to monitor this data in a comprehensive manner, as with the IM conversation recorders above. After all, why not? It's the same communication paradigm: packets of communication data being sent in TCP packets over an IP network. The only difference here is that a person's voice, not fingers, generated the message.

What we have here is quite a conundrum. It's obvious that the current ambiguity with respect to privacy laws cannot last. Lines will be drawn, whether they be in the form of legislation or judicial precedent, and there is a good chance it will make the job of information security analysts considerably more difficult.

I believe that privacy laws are an important part of our democracy in the United States. That being said, security and privacy are often at odds with each other, and some would argue that this is even a zero-sum-game. If you gain security, you lose privacy, and vice versa. Consider what would happen to the job of security analysts if it is determined that neither IM nor VoIP conversations may be monitored. Intrusion detection systems would need to ignore such traffic. However, this leaves a significant gap through which an attacker could penetrate a network, as vulnerabilities are found in the associated protocols or their implementations. As an analyst, I cannot both monitor for malicious traffic and protect peoples' privacy! Any false positive that alarms on normal communication, or any attack that may also lead to the capture of benign traffic, would expose me or my organization to lawsuits. The contrary is just as concerning, as it would be a significant blow to privacy laws in the United States.

The only way to prevent this worst-case scenario is to make sure those who draw the lines in the sand, those who make the laws and set judicial precedent, make exceptions for legitimate and necessary monitoring of network traffic. It is equally important that these exceptions are well-defined, and do not create the potential for loopholes or abuse. In the interim, we must rely on the software and hardware vendors to assist in any way they can. A method for adding legal disclaimers on all IM's entering and leaving a monitored network would be a good place to start. Something similar for VoIP would be very difficult, given the backward-compatibility with POTS systems, but even a brief 2-second "this call may be monitored by networking devices" would work. Of course, there is currently no incentive for companies to install such devices, should they exist. The problem is a complex one, and watching the solution develop in time will be just as exciting as it will be scary.


Administrative Note: Errant Post

It has been brought to my attention (thank you, Kevin) that a draft of an upcoming entry was posted for a brief period of time last night. Often, I write my entries over a period of days, a few minutes or hours at a time. It appears that I accidentally posted last night's "doodlings" instead of saving them. I apologize for the inconvenience. That should teach me to blog after midnight on a work night :-)

Hopefully, the previously-posted doodlings will be translated into rational thought by the end of this evening.