Jason Owens

Learn. Teach. Grow.

You are here: Home / Archives for Security

RSA’s SecurID Breach and What You Can Do Right Now

by 2 Comments

RSA announced they have had a breach of their corporate systems and have stated some information regarding SecurID was stolen. There does not seem to be a direct threat as of this posting, but this is an ongoing investigation and RSA is recommending caution. What should you do?

Two things to keep in mind:

  • Don’t be an alarmist and don’t panic
  • DO focus on what you can do right now

There are many articles right now pontificating on what the breach means, how it was done, what could happen, is this the end of SecurID, are my FOBs safe, etc. Ultimately this doesn’t provide objective information or help you figure out what you need to do or can do right now.

If you’re asking yourself “what should I do?” here are some recommendations for customers and service providers that use SecurID. We may not know what happened yet, but we can look for symptoms of issues and use best-practices.

  • Watch your network, especially your SecurID servers, for unusual or different traffic patterns
  • Create reports in your SecurID servers to watch for
    • failed authentication attempts
    • FOB lockouts
    • authentication during unusual or off-hours
  • Consider changing PIN numbers for FOBs. It may may also be helpful to increase the strength of PIN numbers and passwords
  • Protect usernames and Personally Identifiable Information (PII)
  • Don’t ship FOBs to customer and employees in a active state.
  • Worst-case, consider moving to a different multi-factor authentication solution. Yubico’s Yubikey might be a cost-effective and simple place to start.
  • Review with with users
    • what to do when they lose a FOB
    • risks of phishing and social networking sites
    • stronger security now offered with other sites such as Google’s two-factor authentication and HTTPS for Facebook and Twitter
  • Review with you NOC and Help Desk
    • how to appropriately respond to issues and alerts
    • how to escalate security incidents
  • Consider adding HIDS like OSSec to your environment
  • If you’re a customer of a service provider that uses SecurID to manage your systems
    • ask them what they are doing in response to the issue
    • follow up and review concerns
  • If you’re a service provider, work with your RSA Account Manager, communicate proactively with your customers, and focus on what you can do right now. Securosis has some recommendations as well that you can ask your RSA Account Manager:
    • While we don’t need all the details, we do need to know something about the attacker to evaluate our risk. Can you (RSA) reveal more details?
    • How is SecurID affected and will you be making mitigations public?
    • Are all customers affected or only certain product versions and/or configurations?
    • What is the potential vector of attack?
    • Will you, after any investigation is complete, release details so the rest of us can learn from your victimization?

This is an effective reminder that in security there are no guarantees and nothing is 100% safe. It’s important to view security as juggling probabilities and be prepared for when the worst happens.

References

http://www.rsa.com/node.aspx?id=3872
http://www.sec.gov/Archives/edgar/data/790070/000119312511070159/0001193125-11-070159-index.htm
http://en.wikipedia.org/wiki/Form_8-K
http://securosis.com/blog/rsa-breached-secureid-affected

Related Posts:

Top of Page

Is DeleteMe an Internet Undo Button?

by Leave a Comment

Recently Abine announced a new service called DeleteMe that states it will remove accounts and content from social networks, help users get control of personal information already made public, block junk mail, and more. They have a video introducing the service (embedded below.)

The service has potential, however people should also have realistic expectations. Note that you will also in most cases need to provide credentials to Abine to be able to fully delete accounts (curious then how they will delete accounts then that you might have forgotten about or don’t have the credentials to.)

The site explains who might use the service and why, and it does seem realistic to be able to accomplish some of the services outlined. I don’t know of too many people that are so busy they don’t have time to deactivate social networking accounts. I do however see the service being able to help find accounts you forgot about, uncover integration you might be unaware of, or just plain not knowing how to truly protect or delete an account (deleting a Facebook account for example.)

The video also mentions the service being a resource on privacy laws, methods for removing content from the internet, as well as a full refund offer should they not be able to “solve your problem.” This goes back to realistic expectations. It seems likely that in problematic cases it may be more than just turn-key work, be more costly, and therefore might be more import to define what “solved” means. Also, if you’re fresh out of school and hoping to wipe the slate clean before potential employers start checking up on you, remember that once data is shared it’s difficult to get back once it propagates.

In general the service seems to be better for protecting privacy and getting a handle on who has your information more than for addressing specific social networking content concerns. It also might be helpful at turning up information you might not have known about. And some of the services you could likely accomplish on your own, but if you’re not interested in doing it yourself, don’t know where to start, or have been unsuccessful in getting problems addressed in the past, DeleteMe might be worth a look.

Follow Jason on Twitter @jason_owens

httpvh://www.youtube.com/watch?v=f6Wn_5Ik5t0

Related Posts:

Top of Page

Interview With Abine

by Leave a Comment

This is the second part of a two-part review of Abine’s privacy solution. See the previous post, Abine to Protect Privacy for the first part of the review.

Rob Shavell from Abine and I discussed some questions about Abine’s application, the company itself, and the future.

J: In June this year Abine purchased TACO. How did that come about, what was the process like, and was this something that Abine had always considered pursuing?

R: It’s really not about economics: Abine wants to support privacy-enhancing technologies.  We’ve always been open to working with other privacy add-ons that do the right things for users.  Any add-on or Web service that truly respects users privacy is someone we want to talk to, no matter what.  On the other hand, we don’t want to partner with add-ons owned by advertising companies, or developers looking to collect data, for example.  If any add-on developers who love privacy read this, please get in touch with us – my email is rob at getabine.com
J:  TACO v3 has already received some updates. How does Abine anticipate TACO evolving in the future?

R: TACO is evolving fast and is getting more development time and resources.  TACO users have told us over 300 changes they’d like, and we’re busy at work with these.   We also support the older TACO 2 versions, BEEF TACO, etc.  Of course, we are 100% convinced that TACO 2. alone doesn’t provide an adequate level of online privacy and users should consider combining a few add-ons together or try TACO 3 with Abine to get better privacy online.

J: What are somethings you’ve all learned along the way since starting Abine?

R: Bringing together privacy features into one place is complex.  The users and developers giving us critical feedback are our best teachers.   We also learned that we must commit to native Firefox development even though we have an IE version as well.  Performance is too important – the community let us hear that one pretty loudly.

J: Who is Abine’s target demographic?

R: We want to target the non-technical web user. Anybody who uses the web for anything at all or that has a bundle of important accounts they want to protect and keep private.

J: How do you plan to instill trust in your users?

R: We aren’t asking users to trust us. We’re asking them to trust themselves. By this we mean something very important. We have no access to our users data. This is super important. First, our users “own their data” – of course. But we also do NOT store or see our users private data. This is a key reason why many of our users today store all their passwords in our Privacy Suite and do all their browsing using Abine: they don’t have to make any complicated decisions about who they can trust: it’s simply, factually, technically, more private.

Other key points on trust:

  1. We are very clear about how we are going to make money: by selling services that protect and enhance your privacy, not by selling user data.
  2. You keep your data on your computer, we don’t use the add-on to collect data.
  3. We made the source available for review by Mozilla and others.

J: With regards to instilling trust, I’d agree that you’re not directly asking users to trust Abine. Given the stated target demographic (non-technical users) their basis for trusting the application may be different from say, a security researcher or coder that might review code and sniff traffic. As a result, they may make an evaluation of trustworthiness based on your website, usability, or how Abine communicates with them. There’s the notion that trust is a function of competence plus likability. An example I see of this is people trusting Google based on their performance, actions, and statements rather than their code, or people trusting Mint.com based on good design and the fact that it does what they want it to. For less savvy users, what do you see as challenges in establishing and maintaining a good reputation in order to grow the business?

R: Great points.  Regular users of course can’t do technical reviews of applications.  They’ll need to trust the technical reviews and press.  This is why we make our code available to reviewers who ask for it even though we haven’t open-sourced it yet.   It’s really important for people – no matter how technical they are – to have a basis to trust a company with their personal information.  A somewhat more unfortunate way users learn about how Abine does what it says is when they lose their Abine Master Password: since we really don’t know it, they have to re-install!

J: You history mentions working on previous startups and security projects. What were some of those efforts?

R: Andrew was at @stake as well as the create of linux-based public access terminals in the Boston are in the mid-to-late 90s. Eugene was the founder of Datapower and the Linux Hardware Database. Rob helped companies comply with data privacy laws and worked on products for consumer identity protection at Identity Force.

J: The Abine  website mentions companies “helping people” that were basically slick marketing outfits out to get cash. What are some examples, and what should people look out for?

R: We think consumers should beware of many “identity protection and monitoring services”, “million dollar guarantees” and “free 10 day trials”.  As always, when the marketers come visiting, these kinds of terms pop up. In reality, while these subscription services can help you track down problems once and a while after they happen, they do not address the root causes of privacy. If you’re using these kinds of things, come try Abine. It’s free, and free forever (not just for 10 days).

J: What is the relationship between opyaq.com and Abine?

R: Opayq.com is simply the first of several domains we offer for our users to have safe disposable email addresses (similar to say, www.Mailinator.com.)

J: After purchasing TACO, Abine received some mixed feedback from users regarding the upgrade to version 3.

R: Check out the page and the copy on it, it’s as clear as our team could possibly make it:

J: Why is Abine better than other established solutions used for privacy such as LastPass, Tor, RoboForm, or Google Voice?

R: Now Jason, we love your insightful reviews, but we have to take issue with this question! LastPass stores your passwords online (see your trust question) and Google Voice is the opposite of a privacy product, right? Tor does one thing (and well) and is probably a future partner of ours. The time has come for a company to integrate privacy features and make them available to everyday users, with fantastic customer support.

J: Where does the name Abine come from?

R: For privacy… A Bit Is Not Enough

J: What is your revenue model?

R: We are going to make our money selling additional products and services that directly protect and enhance users privacy, for example fast proxy servers, disposable phone numbers, etc. Whatever value-added services people want around privacy will offer as a business. If it costs us money to provide than we will charge, if it doesn’t than we can offer for free.

J: Are there any plans for a version of Abine for Safari, Chrome, or mobile devices?

R: Yes.  We’ll be making announcements here in the next few months, for sure.  We have a looong waiting list of users that want this on their browser and platform of choice.

J: Does the eventual shift to HTML5 have any impact on Abine or its functionality?

R: We see HTML5 as having only a minor impact on our vision and technology roadmap at this point, though some of the demos out there are pretty impressive.

J: What do you see as upcoming challenges for Abine?

R: Because of recent press and users concerns, we expect a lot of competition.  We just want to stay close to the community that cares about their online privacy and to take our direction from them instead of worrying about others.

J: What do you see as some upcoming milestones for Abine in the next 6-12 months?

R: Abine’s got to earn the respect of the privacy and technical community by building a great set of solutions.  We’re totally focused on product: performance, simplification, better smoother features, in short, online privacy that works.

Follow Jason on Twitter @jason_owens

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...
* Who is your target demographic?
We want to target the non-technical web user. Anybody who uses the web for anything at all or that has a bundle of important accounts they want to protect and keep private.
* How do you plan to instill trust in your users? We aren’t asking users to trust us. We’re asking them to trust themselves. By this we mean something very important:
We have no access to our users data. This is super important. First, our users “own their data” – of course. But we also do NOT store or see our users private data. This is a key reason why many of our users today store all their passwords in our Privacy Suite and do all their browsing using Abine: they don’t have to make any complicated decisions about who they can trust: it’s simply, factually, technically, more private.
Other key points on trust: 1. We are very clear about how we are going to make money: by selling services that protect and enhance your privacy, not by selling user data. 2. You keep your data on your computer, we don’t use the add-on to collect data. 3. We made the source available for review by Mozilla and others.
* You history mentions working on previous startups and security projects. What were some of those efforts? Andrew was at @stake as well as the create of linux-based public access terminals in the Boston are in the mid-to-late 90s. Eugene was the founder of Datapower and the Linux Hardware Database. Rob helped companies comply with data privacy laws and worked on products for consumer identity protection at Identity Force.
* You site mentions companies “helping people” that were basically slick marketing outfits out to get cash. What are some examples, and what should people look out for? We think consumers should beware of many “identity protection and monitoring services”, “million dollar guarantees” and “free 10 day trials”. As always, when the marketers come visiting, these kinds of terms pop up. In reality, while these subscription services can help you track down problems once and a while after they happen, they do not address the root causes of privacy. If you’re using these kinds of things, come try Abine. It’s free, and free forever (not just for 10 days).
What is the relationship between opyaq and Abine?
opayq.com
simply the first of several domains we offer for our users to have safe disposable email addresses (similar to say, www.Mailinator.com
)
* Why is Abine better than other established solutions used for privacy such as LastPass, Tor, RoboForm, or Google Voice? Now Jason, we love your insightful reviews, but we have to take issue with this question! LastPass stores your passwords online (see your trust question) and Google Voice is the opposite of a privacy product, right? Tor does one thing (and well) and is probably a future partner of ours. The time has come for a company to integrate privacy features and make them available to everyday users, with fantastic customer support.
* Where does the name Abine come from?
For privacy…
A Bit Is Not Enough
* What is your revenue model?
We are going to make our money selling additional products and services that directly protect and enhance users privacy, for example fast proxy servers, disposable phone numbers, etc. Whatever value-added services people want around privacy will offer as a business. If it costs us money to provide than we will charge, if it doesn’t than we can offer for free.

Related Posts:

Top of Page

Update Facebook Settings to Disable Location Tracking

by Leave a Comment

Facebook recently implemented a new feature, called Places, that allows you to post your physical location, much the same way that other applications like Foursquare, Gowalla, and others do. The Facebook feature also allows others to check you in at location, enabling people to post where you are and where they saw you.

This feature is enabled by default. If you turn off this feature for yourself, it can still be possible for other people to post your location on your behalf. Granted, there’s nothing preventing someone from posting a status update saying they saw you somewhere, but if you want to disable the ability to be tracked with Facebook’s new location services, read on.

From what I can tell there are three different setting that need to be disabled. Go to Account > Privacy Settings > Customize and make the following changes:

Under “Things I Share”

  • Places I check in to: Only Me
  • Include me in “People Here Now” after I check in: Disable

Under “Things others share”

  • Friends can check me in to Places: Disable

Facebook also has a Places FAQ page that provides more information on this new feature.

UPDATE: After reading “How to Disable Facebook Places” tonight on Lifehacker I found I missed a fourth item. You have to also prevent your friend’s applications from collecting your location. This is not in the same Privacy settings screen, it’s under Account > Privacy Settings > Applications and Websites (in the lower left.)

  • Edit your settings
  • For the section called “Info accessible through your friends” click “Edit Settings”
  • Uncheck “Places I check in to” and save your settings

1 Star2 Stars3 Stars4 Stars5 Stars (5 votes, average: 4.20 out of 5)
Loading...

Related Posts:

Top of Page

Categories

RSS US-CERT Alerts (5 Recent)

1 FREE Audiobook Credit RISK-FREE from Audible.com