Tag Archives: Privacy

How safe are we on social networks?

Posted on October 24, 2011 | 5 Comments

On Thursday the 20th October 2011 I had  a security and privacy conversation with Ike Paahla and SABC’s SAFM listeners at 19:30 on “How safe are we on social networks”. On reflecting on the discussion here are some of the few things to share, starting with this “Gotta Share! The Musical” video.  

:

Firstly let me refer to recent two cases in South Africa which earned themselves titles like “MXit child porn ‘horrific’” and “ “Facebook rapist” Thabo Bester was sentenced to 50 years imprisonment on Friday for raping and robbing two women”. In this last unfortunate event, the dubbed “Facebook rapist” Bester, used social media to lure women to fictitious international modelling scouts and then met them in person, raping and robbing them at knife-point. A clear case of a dangerous criminal who abused a platform provided to share positively and also took advantage of the socio-economic conditions of joblessness and poverty. What could have being done in this instance for in case this was an authentic marketing and advertising agencies out there using the internet and the social platform?  If there is anything positive to talk about this – the justice system acted swiftly and the message is clearly out there. We as users need also to be “streetwise” on how to use technologies to our advantage as we pursue our careers and positive lives. Platforms like Windows Live Essentials 2011 and Skype (which has being integrated with Facebook)  provides family safety  and free real-time online video chat facilities. At the least, you can verify through IM and video before you decide to make physical contact with a person. One of the first friends you must have is Facebook Safety and let’s all read with enthusiasm the posting from this dear friend. An advantage of using the cloud is that security implementation and updates of the application/platform your are using can be readily provisioned by the provider.

In August 2011, we also saw the justice system acting swiftly to apprehend the child pornography pictures distributed through a social network facility popular amongst kids in South Africa. The company worked closely with police to apprehend those who abused its platform and offered officers social media training. MXit also cooperated with the police’s cyber-crimes unit with the following security measures put in place to assist users (the list is not comprehensive):
» Chatrooms were moderated for up to 14 hours a day – especially in teen zones;
» A chatroom-blocking feature was available for parents with children of a sensitive age;
» In compliance with the Child Protection Act, MXit did not allow adults to engage with children or teens. All chatrooms were split into the age groups to ensure interaction was age appropriate; and
» The private chatroom feature was disabled to users aged between 13 and 17 years old.

This two cases highlight the fact that public sector, private sector and the citizens need to work closely supported by legislation and the implementation thereof, highly trained personnel within the overall justice system  and very alerted, security and privacy aware civil society. We can see a clear case for facial recognition technologies when used in conjunction with justice systems around known offenders. This should be done in consideration of a good balance between security and privacy, as discussed in this article “Facial recognition security, privacy issues grab FTC attention”. Resources like Microsoft Safety and Security Centre will also help you with issues around computer security, digital privacy and security online. In addition there are two useful guides (Security in a Box and Protecting Your Security Online) with tips and recommendations useful for anyone working for a non-profit who needs to be mindful about privacy. Both guides are written for citizens in the Middle East and North Africa who want to use technology safely to communicate, organize, and share data.

I’ll leave with with a few questions around Identity and Privacy:

  • Why are people using photos of other people rather than theirs, more in particular – photos of liberation struggle icons (as is the case in South Africa) on their Facebook, Twitter and other social networks  accounts?
  • If one considers that we had telephone directories before with our phone numbers and street address – technologies have added more features like photos, date of births, relatives, etc. in an integrated way. How many of us are willing to give out this as a package at a click of a mouse or keyboard key?

→ 5 Comments

Posted in Cloud, Cybercrime and Fraud, Education, Identity and Privacy, Information Security, Technology

Tagged , , , , , , , , , ,

“Science inside the SDL” – Microsoft SDL Progress Report (2004 – 2010).

Posted on August 22, 2011 | 1 Comment

The Trustworthy Computing group at Microsoft has released an SDL progress report on the evolution of the Microsoft Security Development Lifecycle (SDL) and the progress Microsoft has made in using the SDL and security science to reduce vulnerabilities and mitigate threats to Microsoft software and services. The SDL is a security assurance process that focuses on software development and introduces security and privacy throughout all phases of the development process. The SDL has been a company-wide mandatory policy since 2004.

SDL Report

The SDL is freely shared with the software industry and development organizations, and it has been adopted (sometimes in adapted form) by a variety of ISVs and IHVs, government agencies, and end users’ development organizations. If you’re not yet using the Microsoft SDL, this report should help you understand why it’s an effective and efficient process, which can help your organization optimize its software security.

An independent analyst report by Forrester Research, “Application Security: 2011 and Beyond” also recommends the adoption of a prescriptive application security methodology, such as the SDL.

→ 1 Comment

Posted in Information Security

Tagged , , , , , , ,

Windows Internet Explorer 9 (IE9) caught an exceptional 99.2% of live threats.

Posted on August 16, 2011 | 1 Comment

NSS Labs, an independent security research and testing organization, that publishes respected reports on a range of security related topics, and is well known for their previous browser security reports. Most recently, they released a report specific to the EU in July that demonstrated IE8 and IE9 offered industry-leading protection against socially-engineered malware.

The new reports (one focused on data from across the globe, the other specific to Asia Pacific),  shows that SmartScreen continues to offer the industry leading protection against socially engineered malware. According to the global NSS report, “IE9 caught an exceptional 96% of the live threats with SmartScreen URL reputation, and an additional 3.2% with Application Reputation.” The graph below compares the test results from various browsers and shows that Internet Explorer blocks 5X more malware than competitive browsers.



NSS: Mean Block Rate for Socially Engineered Malware Worldwide Data

 

clip_image002[20]

Source: NSS Labs, August 2010 – Global Socially Engineered Malware Protection

The other reports looked at socially engineered malware targeted towards people living in the Asia Pacific region and in Europe. As you can see below, in each region the results remained consistent – Internet Explorer 9 maintains a lead in protecting users from live threats.



NSS: Mean Block Rate for Socially Engineered Malware By Region

 

clip_image002[16]

Source: NSS Labs, Asia, Global, Europe

We continue to improve the quality and protection SmartScreen technology offers; this is evident in how much faster SmartScreen is in blocking malware. Since the October 2010 NSS report, the average time taken by SmartScreen filter to block a threat has gotten 28% faster, if Application Reputation is considered, then the average time has improved by 85%.

Not only has the effectiveness of the technology improved, but so has the speed at which it is able to identify socially engineered malware. For our customers this translates into fewer infections and headaches.

Internet Explorer is designed with your security and privacy in mind. Innovative features such as SmartScreen and Application Reputation are examples of technologies that help protect you as you browse from an increasingly prevalent threat – socially engineered malware. According to Bruce Hughes from AVG Technologies, “Users are 4 times more likely to come into contact with social engineering tactics as opposed to a site serving an exploit.” As this threat becomes more common consumers need better protection and the SmartScreen filter in Internet Explorer is designed to directly address this threat.

When it comes to browsing the web safely, your browser choice matters. If you haven’t already done so, download Internet Explorer 9 and experience a safer browsing experience.

→ 1 Comment

Posted in Identity and Privacy, Information Security, Technology

Tagged , , , ,

Yes!, Free Computer Security and Privacy Course from Microsoft

Posted on July 5, 2011 | 1 Comment

Security breaches, Internet attacks, privacy invasions—they’re all daily news events now. And the fact is, the problem won’t be solved by software alone. An important part of the solution is to address decisions that dilute people’s feeling of security and privacy.

Good handling of privacy and security inspires user confidence, which can lead to an increased use of your product or service. For example, dealing decisively with privacy and security breaches can result in higher trust ratings than before the incident.

As part of the effort to “secure the human” – human capacity development (HCD) through  this course will help YOU gain confidence in computing by explaining the risks and threats to computer security and privacy so that you can understand and prevent them.

Computer Security and Privacy Course Topics

Lesson 1: Introduction to Computer Security and Privacy

Objectives
1.1 Explain computer security and privacy.
1.2 Identify natural threats to your computer.
1.3 Identify measures to protect your computer against natural threats.
1.4 Identify threats to your computer from human actions.
1.5 Identify measures to protect your computer against threats from human actions.

Lesson 2: Protecting Your Computer

Objectives
2.1 Identify guidelines for protecting your computer.
2.2 Identify best practices for securing online and network transactions.
2.3 Identify measures for securing e-mail and instant messaging transactions.

Lesson 3: Protecting Your Family from Security Threats

Objectives
3.1 Identify measures that you can use to protect your privacy.
3.2 Explain how online predators operate.
3.3 Identify guidelines to protect your family from online predators.

Lesson 4: Keeping Your Computer Secure and Updated

Objectives
4.1 Explain the security settings on your computer.
4.2 Identify the options for keeping your computer up-to-date.

Lesson 5: Computer Ethics

Objectives
5.1 Explain intellectual property and copyright as they apply to computing.
5.2 Identify acts of copyright violation and the measures to prevent those acts.
5.3 Identify the legal concerns associated with information exchange.

This course can take you 2-3 hours if you have a basic computer course training or similar experience and can be accessed online here. Enjoy learning.

→ 1 Comment

Posted in Information Security, Education, Identity and Privacy

Tagged , , , ,

Information Protection and the Cloud

Posted on May 14, 2011 | 1 Comment

Depending on which cloud model you use (Public or Private), there will be challenges for compliance due to the fact that while your data might be in compliance in the cloud, it doesn’t mean you don’t have compliance obligations. Having a trusted stack and good audit trails will be critical to getting trust in the cloud model. We should be able to deal with Data-at-Rest, Data-in-Transit/Motion and Data-at-Endpoint collectively. Identity and privacy are very key as people, organizations or governments move more and more of their data to the cloud, their identity is the access point to that data, hence the data should be easily identifiable through different methods of classification. The strongest security controls available are no protection against an attacker who gains unauthorized access to credentials or keys.

Implemented Data Classification helps to decide which data is ready for the cloud, under which circumstances, and with which controls.

The sensitivity of the data involved in the operation of a service is a critical factor in determining whether the service can be managed by a service provider, and if so, which access controls can be utilised to ensure compliance obligations are met throughout the transaction. Implementing a sound data classification approach to identify the sets of data involved in the transaction and determine the control mechanisms that apply to each under specific circumstances can help organisations make these decisions. Organisations need to determine their level of comfort with data handling and information management, no matter where the data is stored or how it is transmitted. This basic guideline also applies to on-premise environments today.

Additionally, it is important to be aware of several challenges surfacing with the delivery of cloud services, including data sovereignty, access to information, and data partitioning and processing.

Over the years regulations have been developed for the protection of data. These regulations are tied to specific jurisdictions—the limits, or territory in which authority may be exercised. With the advent of cloud computing, data may be stored outside of the originating territory or in multiple territories or locations. Hosting of data outside the customer’s jurisdiction or co-location of data can present information management and access issues associated with the question of whom, or what entity, has “sovereignty” over the data. Some new cloud services today are trying to address these challenges by allowing customers to specify where data is physically stored.

When the management and control of information moves from one party to another, organisations can lose the ability to protect, retrieve, or move information. It is therefore important to understand who controls the identity and authorisation system for access to information, where the back-up data is stored, whether encryption of data is supported, what cost is associated with the encryption solution (e.g. feature loss), and how access to data is granted and managed if there is a dispute with the service provider. For example, are there guarantees that the service provider will not retain any data if/when the service is cancelled?

Finally, if data is stored in a “public cloud,” it may possibly reside on infrastructures shared with other organisations. Strong data protection practices can still be followed to ensure data is partitioned and processed appropriately. It is important for organisations to understand who has access to their data and to consider whether that risk is acceptable before they allow their data to be processed in the cloud. They also need to understand the architecture of the cloud service provider and to gain assurances about how shared virtual machines are secured against various forms of potential attack from other virtual machines on the same physical hardware being used by malicious individuals.

Here are some links for further reading:

Windows Azure™ Security Overview

Information Security Management System for Microsoft Cloud Infrastructure

→ 1 Comment

Posted in Identity and Privacy, Information Security, Technology

Tagged , , , , , , , ,

Data Privacy Day

Posted on January 28, 2011 | 1 Comment

Data Privacy Day (DPD) is an international event that aims to increase awareness of privacy and data protection issues. DPD takes place every year on January 28.

Protection of Personal Information Act

  • To promote the protection of personal information processed by public and private bodies; to introduce information protection principles so as to establish minimum requirements for the processing of personal information; to provide for the establishment of an Information Protection Regulator; to provide for the issuing of codes of conduct; to provide for the rights of persons regarding unsolicited electronic  communications and automated decision making; to regulate the flow of personal information across the borders of the Republic; and to provide for matters connected therewith.
    The Act recognises that:
    * section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy;
    * the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information;
    * the State must respect, protect, promote and fulfil the rights in the Bill of Rights;

→ 1 Comment

Posted in Identity and Privacy

Tagged ,