Google Chromecast and Privacy issues

August 2nd, 2013

What has Google Chromecast got to do with privacy? Read on below…

There has been a great deal of awareness in the media and a wow response towards Google’s Chromecast - the USB-sized internet media player that enables our currently cable-friendly television to quickly become internet friendly (aka Smart TV). The price is great, but what we have failed to observe is the fact that, until today, for most of us, our digital world was separated (rather, disconnected) from the television entertainment world.

For most users like me, we do digital stuff on tablets, phones, laptops and desktops (aka the connected digital world) while we watch our entertainment stuff on TV (aka the disconnected video world). So, a marketing organization or ad company could not connect together that I am a technology person and I like watching mystery/thriller TV serials.

With a gadget such as Google Chromecast from search engine giant Google, you could be profiled (aka tracked), because the device could, either today or in the future, connect our ‘connected digital world’ to our ‘disconnected video world’ and make sense of who we are and what our interests are.

For example, based on my search practices and my keyword federations in my ‘connected digital world’, the search engine system can already create a profile that I am a programmer/technical person. Now, based on the ‘disconnected video world’, media companies can figure out that I like mystery/thriller stories.

However, now connecting that ‘connected digital world’ to the ‘not-anymore-disconnected video world’, the search engine system can create a single profile that I am a programmer/technical person interested in mystery/thriller stories.

You might ask, what does this mean to an ad company or marketing organization? As one example, this means they (the ad company or marketing org) could sell me CGI-rich mystery/thriller movies from the time the movie is being made to when it gets into Blu-ray format. Ok, I am not saying that by letting them figure this out, the world comes to an end. But it does make my surrounding environment control me and what I am exposed to. Things around me would look tailored for me and ‘controlled’.

In other words, I am merely suggesting that using a search engine from one company is one thing, using a media center (for lack of a better definition) is another, and I am suggesting that we should avoid mixing both of them.

Although I have simplified the explanation above, you might want to think about privacy and information security issues soon. They might seem to overlap as digital worlds cross over: your information is threatened by privacy risk, and your privacy is threatened by information exposure.

Hold on now! Does this mean we should stay away from Google Chromecast? I am not! I bought one and I plan to diversify my behavior. Here are some of my thoughts. I will let you know my experience in the next few weeks if I am successful in achieving my goals.

a. Use different accounts to register on different devices as much as possible. For example, have 2 or more different YouTube accounts. You can’t get away with this for Netflix accounts; see below for how to keep search engines from connecting these two.

b. Use the DuckDuckGo search engine - this search engine claims that it does not track you.

c. When it comes to buying on Amazon, Walmart, Target or eBay, use Firefox in private browsing mode and:

1. Enter your account name and password every time you want to log in, as well as

2. Key in credit card information every time you want to buy.

By doing 1. and 2. above in private browsing mode, cookies are not set to tell the tracking system about the activities you are performing.

Is it worth all the trouble above? Maybe not; it depends on how you feel about the environment around you being able to control you.

Hacked: A bank is hacked! How bad is it?

March 19th, 2013

Below, you will see a credit union bank that got hacked in Feb 2013 (see bottom center of the picture). If you are a member of this credit union, they would have notified you of the potential hack and advised you to stop using your card or to call them to block your card.

The notification message that reached you probably looked something like the one below.

As an information security expert, you can probably read through the notification document and gather some insights. The following are some of the insights that I have been able to collect - if you have additional thoughts, go ahead and comment below.

1. The information security warfare/protection game plan has now been upgraded to cyber-crime. Gone are the days when you could block all the atypical ports and feel comfy! Traffic now happens on port 80 and payloads are exchanged on port 80! Hackers are designing attacks that use ‘conventional/usual paths’ through unusual patterns. It is like saying, “thieves are robbing us, and they are walking in through the main door and taking stuff(!) out through our main door”!

2. Regulations such as PCI can give you ‘comfort’, not a guarantee, because PCI is more focused on protecting data-at-risk, data-at-rest and data-in-transit through conventional means (translation: following usual patterns, for example blocking the usual ports). Malware is an unusual beast with unusual patterns.

3. These are zero-day attacks, and even companies with specialized hacking experts take time to reverse engineer them, by which time the zero-day attack would already be a few weeks old.

However, there is also a positive note to this:

a. Tools such as pro-active IPS (such as FireEye) and SIEMs, and teams of collaborating cyber-threat experts who message each other, warn about and identify the symptoms of the pattern.

b. Malware hacker psychology has been better understood in the last ONE year - countries have united to bring down Stuxnet/Grum etc. Of course, countries have also leveraged such psychologies to control the turn-out of events. In any case, we are now in a better place than a year or two ago, when we would wonder: “Yes, I see traffic going out to some place on the internet, but I don’t know what they are sending in the payload and why they are reaching out”. Now we know that they are reaching out to command-and-control to download additional worms or similar. Now we know there are randomly created domain names, that they are hard to detect, and that we are collectively bringing those domains down.

c. Last but not least, there is considerable education about malware, to collaborate and converge on how to counter these attacks.

d. There are specialized companies with teams to detect such attacks.
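As an added illustration of the point above about randomly created command-and-control domain names hiding in ordinary port 80 traffic (example code written for this page, not from the original post), here is a small Python heuristic that parses constructed proxy log lines and flags destination names that look machine-generated. The log format, the sample lines and the entropy/vowel thresholds are all assumptions for the example.

```python
import math
import re
from collections import Counter

# Constructed sample proxy log lines (not from the original post):
# timestamp, client IP, destination host:port, bytes sent.
SAMPLE_LOG = """\
2013-02-12T10:01:03 10.0.5.21 www.example.com:80 512
2013-02-12T10:01:09 10.0.5.21 x7k2qp9vz1mdw.info:80 2048
2013-02-12T10:02:15 10.0.5.33 mail.example.org:443 300
2013-02-12T10:02:40 10.0.5.21 qzvjx8wb3ltrpn.biz:80 4096
2013-02-12T10:03:02 10.0.5.40 cdn.example.net:80 128
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([^:\s]+):(\d+) (\d+)$")  # assumed log layout

def shannon_entropy(text):
    """Bits per character: dictionary words score low, random-looking labels high."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def registrable_label(host):
    """The label left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(label, min_len=10, min_entropy=3.2, max_vowel_ratio=0.3):
    """Heuristic (an assumption, not a published rule): long, high-entropy, vowel-poor labels."""
    if len(label) < min_len:
        return False
    vowels = sum(label.count(v) for v in "aeiou")
    return shannon_entropy(label) >= min_entropy and vowels / len(label) <= max_vowel_ratio

def parse_line(line):
    """Turn one log line into a record, or None if it does not match the assumed layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, host, port, sent = m.groups()
    return {"ts": ts, "client": client, "host": host, "port": int(port), "bytes": int(sent)}

def flag_suspicious(log_text, ports=(80,)):
    """Return records on the watched ports whose destination label looks machine-generated."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["port"] in ports and looks_generated(registrable_label(rec["host"])):
            hits.append(rec)
    return hits
```

Running `flag_suspicious(SAMPLE_LOG)` returns the two random-looking hosts contacted by 10.0.5.21 over port 80; a real deployment would tune the thresholds against its own traffic and pair the hits with an allow-list of known CDN and cloud names, which also tend to be long.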

What does this mean to infosec professionals like us?

a. We need more analysis experts with cyber traffic experience.

b. Malware warfare is just beginning - there is more to come, as the ‘cyber surface area’ has just increased with mobile: mobile users, mobile operating systems, mobile apps.

c. Lastly, there are more jobs to be created in this field as the warfare gets tougher, reaches a peak and then probably stabilizes. I am not sure when that ‘stabilize’ would happen and what it would mean.

Comments? Thoughts?

COBIT-5 - CIO dashboard

March 19th, 2013

I was looking for a framework that enables me to provide a dashboard at the CIO level. This dashboard, in my vision, would extend the control objectives across the IT organization, from business alignment through the IT life-cycle. COBIT-5 was something that drew my attention.

I did some research on COBIT-5 over the past few weekends, and COBIT-5 is quite a progression if you have not matured into COBIT-4.

The following might sound a bit boring but please bear with me here.

As you know, COBIT-5 is not just a risk management framework, it is an overall governance and IT management framework.

At the least, one needs to identify management objectives, then define the scope (see diagram below), process areas and control objectives. If the process area coverage is too large, you can focus on just the Risk Management portion. You can probably focus on/pick the risk management domains at this time. Then you could leverage the management guidelines (recommended by the COBIT-5 handbooks) and develop a maturity road map.

Furthermore, you will need to find a balance between the Governance (policy compliance and such) and Management of IT (plan-build-run-measure and such) layers of COBIT-5. For example, certain areas such as supply chain, infosecurity or DR may need additional emphasis on governance.

Specifically, the scope of COBIT-5 has enormously increased, and now includes people management, business alignment etc., and I am not sure if a single governance team (infosec team, DR team, compliance team) can leverage this alone. Even a combined GRC team may find it overwhelming given the current IT spending trend in the industry. I believe it takes a village (or rather, enterprise IT) to align with COBIT-5.

COBIT-5 definitely has a good balance of governance (processes to measure IT) and IT management (processes to run IT). So, compared to ITIL, the plus I could see coming out of this framework is that we can leverage COBIT-5 for an executive-level dashboard that provides a ‘measured’ view of where each process is and its overall health. This could provide overall comfort for a CIO at all times.

Now, you can’t execute this alone in the industry - in my opinion, you need multiple companies adapting this so they can exchange practice notes and mature together.

How do we do it? I do not have the answer.

Symantec DLP vs. Websense DLP - my opinion

September 5th, 2012

From my experience of both DLP technologies, below is a quick comparison table that I have come up with. Please share anything else that I might not yet have covered.

Comparison of DLP technologies - Symantec DLP vs Websense DLP