Sunday, February 26, 2012

Will Facebook Spying on Text Messages Bring a Change in the Privacy Context?

At the beginning of February it was the turn of the social network Path to be found uploading its users' address books from their phones without their consent. Path apologized, deleted the data and released a new version of its application with an opt-in mechanism for users to provide this contact information.

A few days later it came out that Google was bypassing Safari's privacy settings, using a trick to force the browser to accept a cookie that allowed the company to track internet usage. Google declared that it was using known Safari functionality and that it was not collecting any personal information from users, even though it was true that some advertising cookies were set in the browser.

That was already enough to start a deep discussion about the risks we are exposed to when using online services, since our personal information is so important for internet companies to increase their revenue, for example through targeted advertising or other personalized services.

Yesterday, to contribute to this discussion, I posted a "poll". I wanted to understand whether people were aware that Google's privacy policy was going to change on 1st March. I also asked whether they were going to disable Web History, pointing out that all the collected data would be made available by Google to its other services, and that this could give evidence of personal tastes regarding sex, religion, and so on. So far I've got only a few replies, but they tell me that most people are not going to disable Web History. Many times social experts have told me that people set their "privacy level" very high when using online services, and I'm personally checking whether that is true.

So at this point I'm wondering whether the "Facebook story" that came out today is going to make most people worried (or even angry). Apart from that, what is more important is whether this event will compel the Authorities to do something more in this area. It is in fact evident that forcing Facebook and Google to undergo regular privacy audits is not enough, since the aim of such audits is how to protect information from authorized and unauthorized access, not how these companies collect and use our personal information.

According to The Sunday Times, Facebook is accessing the text messages of users who have downloaded the social network's application on their smartphone (see the NOTE at the bottom of the page). It was reported that Facebook has admitted that it is doing this, and that users accepted it in the "terms & conditions" when installing the application.

So legally Facebook would be protected, but how many users were really aware of those terms? Should we read pages and pages of terms & conditions carefully before installing any application? It seems so. Would it not be better, to guarantee user privacy, if certain permissions (and reading SMS must of course be one of them) required explicit approval via a separate alert when the application first tries to use them?

I've found this table summarizing which personal data are accessible to the main applications under Terms & Conditions acceptance or other opt-in mechanisms. It's worth a look, and if something reported there worries you, go and check your privacy settings and change them.

    NOTE: When I published this post the original article in The Sunday Times was available only to the newspaper's subscribers, so we can only comment on the information reported by other media such as Fox News (which, by the way, belongs to the same R. Murdoch who owns The Sunday Times).


Thursday, February 23, 2012

Enterprise Mobility: Applications, Platforms and Devices

Yesterday I published the results of the Symantec survey on the State of Mobility, which addressed:

- the interest of enterprises in adopting mobile for business applications
- the reasons for enterprises to develop a mobile business plan, and the benefits already registered by those who have started
- the risks coming from the development of a mobile business plan
- the average annual cost of mobile incidents
- recommendations to embrace mobility without compromising security

Today I wanted to share another awesome infographic, built from various sources (see below), that confirms Symantec's finding that we are at the tipping point of mobility, and also provides interesting information about applications, platforms and devices.

Some highlights:

1. In the graphic regarding "smartphone development approach" you can find confirmation of the impact of the IT consumerization trend. Depending on the industry, we find that the presence of a BYOD (Bring Your Own Device) policy is very significant, ranging from 40% (legal services) to 57% (retail).

2. iPhone is the winner in the ranking of the most preferred smartphone in the enterprise in 2011... but what about 2012? Surely Android is a tough competitor, even if in my opinion at this moment iPhone is more business-like than Android, first of all because there are too many varieties of Android on the market, and each version allows you to do different things in terms of security and management.
And what about BlackBerry? Will it be able to maintain its market share?

3. Branded applications have increased by 162% in 6 months (March-September 2011).

Enterprise Mobility - Apps, Platforms, Devices Infographic

Symantec survey reveals significant changes in the usage of mobile devices and applications

Wednesday, February 22, 2012

Symantec survey reveals significant changes in the usage of mobile devices and applications

Leading analysts predict that the top technological trends of 2012 are very much related to "mobility": tablets, mobile-centric applications, application stores and marketplaces. The evolution of mobile devices is the catalyst for a new significant change in people's lives and in the activities within enterprises.

Symantec has released the results of its 2012 State of Mobility Survey that included 6,275 organizations—from small businesses to large enterprises—across 43 countries.

As you can see in the infographics below, it comes out that there have been significant changes in the usage of mobile devices and applications: mobile devices are now mainstream business tools, and business agility is the main driver for mobile adoption by organizations, with efficiency as their top goal.

Organizations are also aware of the risks coming from the adoption of mobile: it appears among the top 3 risks for 41% of organizations, more than any other.

Enterprises have already suffered a variety of losses, measured in direct financial expenses, loss of data, and damage to the brand or loss of customer trust.

It is not surprising that half of the organizations see mobile computing as somewhat to extremely challenging.

In my opinion the key recommendation is to make an effort to understand as soon as possible the mobile risks and threats you will need to mitigate according to your mobile business plan, and the potential impact of the BYOD trend on your organization.

Mobile security and management should be integrated into the overall enterprise framework and administered using compatible solutions and unified policies, which should include DLP, encryption and strong authentication.

Sunday, February 19, 2012

Anonymous Intercepts FBI and Scotland Yard Phone Call

Surprising news emerged a few days ago regarding the interception by Anonymous of a call between the most relevant Secret Services, the FBI and Scotland Yard, in which efforts against hacking were discussed.

The following media contains a recording of the call. Furthermore, an email was published containing the email addresses of the call participants.

The FBI confirmed the illegal interception and is running an investigation to find those responsible for the crime.

Officers used a conference bridge for the meeting, and presumably Anonymous intercepted the call details (the number and PIN code to access the meeting) because one participant forwarded those details to his personal mailbox, which was being monitored.

Saturday, February 18, 2012

Internet risks a blackout on 8 March 2012


On March 8th 2012 many people and businesses may find it impossible to surf the Internet. It would happen to those users whose computers are infected with a trojan called DNSChanger.

The story in brief is as follows. Last November the FBI dismantled the command & control (C&C) servers of the botnets to which all the computers affected by the DNSChanger malware were reporting. To prevent the infected machines from losing their internet connectivity, the FBI replaced the malicious C&C servers with other servers able to redirect traffic to the real destinations. On March 8 these temporary servers will be removed from service, and the computers still infected will no longer be able to connect to the internet. It is urgent, then, to make sure your computer is not infected with this malware and, if it is, to repair it (advice on how to do this is available on the net, just do a search).

Here is a video telling the story.

UPDATE ON FEB 21st 2012

To determine whether you are infected, and how you can clean infected machines, you can connect to
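A defender-side check for the DNSChanger symptom described in this post, as an added example that is not part of the original post: it parses a host's resolver configuration (a resolv.conf file or `ipconfig /all` output) and flags any resolver that falls inside a rogue range. The rogue ranges and the sample configurations are constructed placeholders, not the real indicators published by the investigators.

```python
"""Resolver check of the kind the DNSChanger clean-up guidance relied on: list
the DNS servers a host is configured to use and flag any inside a known rogue
range. Added example, not code from the original post. ROGUE_RESOLVER_RANGES is
a PLACEHOLDER; a real check needs the ranges published by the investigators."""
import ipaddress

# PLACEHOLDER rogue ranges, constructed for this example (documentation nets).
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

def _to_address(token):
    """Parse one resolver token; Windows may append a zone id ('%12')."""
    try:
        return ipaddress.ip_address(token.split("%", 1)[0])
    except ValueError:
        return None

def parse_resolv_conf(text):
    """Resolvers from /etc/resolv.conf-style text (Linux/macOS).
    '#' and ';' comments and malformed addresses are skipped, not fatal."""
    servers = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            addr = _to_address(fields[1])
            if addr is not None:
                servers.append(addr)
    return servers

def parse_ipconfig(text):
    """Resolvers from `ipconfig /all` output (Windows). The first server
    follows 'DNS Servers . . . :'; further servers sit alone on the indented
    continuation lines that follow, and any other line ends the block."""
    servers, in_dns_block = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "DNS Servers" in line:
            in_dns_block = True
            line = line.split(":", 1)[1].strip()
        elif not in_dns_block:
            continue
        addr = _to_address(line)
        if addr is None:
            in_dns_block = False
        else:
            servers.append(addr)
    return servers

def flag_rogue_resolvers(servers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Return the configured resolvers that fall inside a rogue range."""
    return [s for s in servers if any(s in net for net in rogue_ranges)]

def check_host(servers):
    """Summarise a host's resolver configuration for an operator."""
    rogue = flag_rogue_resolvers(servers)
    return {"resolvers": [str(s) for s in servers],
            "rogue": [str(s) for s in rogue], "infected": bool(rogue)}

# Constructed samples: a clean Linux host, and a Windows host whose primary
# resolver has been changed to an address inside a (placeholder) rogue range.
CLEAN_RESOLV_CONF = "# Generated by DHCP\nnameserver 203.0.113.53\nnameserver 2001:db8::53\n"
SUSPECT_IPCONFIG = """   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 192.0.2.77
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    print("clean  :", check_host(parse_resolv_conf(CLEAN_RESOLV_CONF)))
    print("suspect:", check_host(parse_ipconfig(SUSPECT_IPCONFIG)))
```

A resolver that points at an unfamiliar address is a reason to investigate the machine, not proof of infection; the legitimate resolvers handed out by your ISP or corporate DHCP are what the result should be compared against.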

Tuesday, February 14, 2012

Google Wallet Security

A recurrent discussion at security conferences in the last year has been that mobile threats will become more and more significant as the usage of mobile devices for financial activities increases.

I absolutely agree with that. In fact it is money, or better, revenue opportunities, that drive "investments" inside the malware producer community, which is becoming very similar to a real industry. In this regard there are a couple of articles I suggest you read if you're interested in the evolution of malware merchants.

Security researchers are also going to focus much more on this area in their search for vulnerabilities.

I've just found a video where a security researcher demonstrates a vulnerability in Google Wallet.

Google Wallet is a mobile payment system (developed by Google, of course) that allows its users to store credit cards, gift cards, etc., as well as redeem sales promotions, on their mobile phone. Google Wallet uses NFC (Near Field Communication) to allow payments by tapping the phone on any enabled terminal.

The vulnerability described in this video is impressive because it is very easy to exploit; in fact it doesn't require any extra software or tools. It allows prepaid funds to be easily stolen from devices that are lost or stolen (in Google Wallet the funds are tied to the device itself and not to the Google account).

Google was very responsive and decided to temporarily stop provisioning prepaid credit cards to prevent any exploitation of this vulnerability.

To complete the picture of vulnerabilities in Google Wallet, I must mention that a few days ago another vulnerability was identified that could allow a user's Google Wallet PIN to be revealed. In that case the exploit is not so easy, since it requires the attacker first to obtain root credentials on the mobile phone. Of course, if the phone has already been jailbroken, that step is already done.

It is not difficult to predict that mobile phone-based credit card payments will become a burgeoning industry... for many industry players, including malware merchants.

Saturday, February 11, 2012

The Path To The Cloud As We Know It Today

Cloud is the new paradigm for IT transformation. It makes it possible to introduce a kind of revolution in your IT model. It helps you gain efficiency and improve the company's income, since Cloud shifts your IT expenditure from capex to opex. When you move into the Cloud you can think about evolving your business model in a way you never thought of before, since the Cloud makes available all the resources you need with dynamic provisioning, great scalability and pay-per-use.

Or perhaps you think that Cloud is nothing new, and that a marketing guru just changed the name of something that has existed for a long time?

Every day I talk with people who think one way or the other.

Personally I'm convinced we're talking about something revolutionary, since a company adopting Cloud services needs to RETHINK itself in terms of business model, internal and external processes, competences, etc.

Of course, if we just focus on the technological point of view, we can say that what we now call Cloud has some analogies with other things in our past.

Here is an interesting infographic that illustrates these analogies from the past and the path towards the Cloud as it is today.

Infographic: Value of Cloud Computing Services Through the Years | Team Up Magazine - Marco Bavazzano's newspaper |
Cloud Computing

Thursday, February 9, 2012

What we can learn from how Italy recently managed a crisis on Critical Infrastructures

Many European countries have been crossed by a snow storm during the last days. I read that about 450 people are dead and that the East has been the most wounded area (particularly Poland, Hungary, Romania, Bosnia-Herzegovina).

A large part of Italy was also covered by heavy snow and got very low temperatures. Storm and frost hit even a usually mild town such as (the beautiful) Rome.

I'm not writing to take the side of those who say this is a further demonstration that the weather is becoming more and more unstable (because of pollution, nuclear tests, etc.), nor the side of those who say this is just winter time. I'm interested in some lessons learned (in my opinion) that can help to build or improve a governance model for "Critical Infrastructure Crisis Management".

In fact the storm in Italy had a deep impact on transport and on the electricity and gas supply chains, which are without doubt critical infrastructures, since their survivability is essential for business and social life.

For a few days railway transportation was in chaos in many Regions, and car traffic was very difficult for a long time in some areas. A few villages are not reachable even today. Thousands of people have been without electricity for hours and hours, including a large hospital in a main town in the North, and there were a few other failures in the infrastructure of other medical buildings.

The gas supply chain was also stressed by this natural event. You must know that Italy imports about 90% of the energy it consumes from abroad. As you can imagine, in the last days we asked our suppliers to provide us more resources because of the low temperatures. Unfortunately our requests could not be satisfied, since our suppliers (mainly Russian) were experiencing bad weather conditions, and we saw our stocked resources going dangerously down; for this reason it was decided to reduce energy to 400 enterprises (which indeed had agreed months ago to subscribe to a cheaper contract that includes the reduction of energy in case of emergency).
I think I have made it clear that during the last days Italy managed a crisis over some national Critical Infrastructures (and besides, another snow storm is expected on Friday night!)

Was it well managed?

I think it was managed as well as possible by the people engaged in all the different situations I described above, but we would indeed have done much better with a single point of coordination.
No less important, of course, would have been to assign a leading role to coordinate all the prevention activities in the area of Critical Infrastructure, since it came out that the resources in place (in different fields) were not available (e.g. it was not possible to deliver snow chains for public buses in Rome, and for this reason they couldn't run for 1 day).

At least on the first aspect, that is crisis management, we were in a better position in the past than we are now. Just as an example, about 2 years ago Italy experienced a terrible earthquake in a region called Abruzzo, and we were able to appoint one person in charge of crisis management only a few hours after the catastrophe happened (even though it was night time). That man was the Chief of a governmental body called Protezione Civile (Civil Protection).

Unfortunately something recently changed in the national legislation that no longer allows this to happen so easily. In fact now every region needs to activate a formalized process to get the support of the central body... and that may take days or weeks, not hours. Eight days was the time needed to complete this process for the Concordia crisis (do you remember the cruise ship that sank in front of L'Isola del Giglio a couple of weeks ago?). Even more important, now the cost (besides the coordination) of this kind of activity has been moved to the regions, whereas before the central body of Protezione Civile kept the budget, so the regions don't easily take the decision to declare a national emergency (they actually didn't for the consequences of this natural event, even in the most devastated regions).

That is not really a good thing, since in the future we're probably going to manage more and more often crises that interact across different critical infrastructures. That depends on the obvious fact that our social and business life is going to depend more and more on global networks that are interdependent with one another. Besides, the factors that may have a deep impact on a critical infrastructure are increasing significantly with the evolution of the threat landscape related to cyberspace. Cyber attacks (for sabotage, war, etc.) might cause a severe outage of any critical infrastructure, since Information Technology and IP networks have penetrated deep into energy and power distribution, transport and, of course, telecommunications.

I hope these considerations are shared by the people who are defining the national approach to the protection of critical infrastructure.

Sunday, February 5, 2012

Security Predictions for 2012: poll results

In mid-December I created a poll about "Security Predictions for 2012". The poll aimed to collect opinions about the most significant issue for business.

The reason I did this poll is that in those days we could see lots of predictions published by some guru or vendor, but I wanted to understand the general opinion of the security community.

You can see the available options reported in the box below.

Here are the final results of the poll. I collected 157 votes, distributed as follows:

I also received 11 comments, which I'm very pleased to report here:

Thomas Hemker (voted for cloud security incidents) • Cloud Security Incidents include from my point of view also that people use non-company-approved cloud services (e.g. Dropbox, Google) to store and exchange sensitive business information.

Stephen Russell (voted for mobile threats) • Hacking, cybercrimes, cybertheft alone. Sloppy Co policies leaving loose laptops about with key data etc. NOT vetting hirees or vendors, PT workers etc.

Alan Hunter (voted for cloud security incidents) • I agree with Thomas. It is a new technology, and as such, a prime target for cyber attacks, if not for "evil", then just to say they can.

Josie Weigand (voted for cloud security incidents) • Security monitoring and policy concerns go hand in hand. Everything else falls under each of these. If you fail on monitoring your systems effectively and lack the policies in which to follow, all security risks will pose a threat. Too many times, those that have the authority have pay grades too high to effectively monitor those with responsibility. Security is everyone's responsibility.

Balaraman K (voted for risks coming from social networks) • I think Social Networking sites are the biggest threat to Business in the years to come. Those face and non face books can erode all your IT Security Budget. Ironically they cannot be totally blocked. Increasingly, social networking may be the way to do Business, to be in touch with your customers. They will also be the biggest threat to security.

Sean Cullen (voted for cloud security incidents) • Cloud security incidents for me. Since most companies are realizing that outsourcing business processes/components to the cloud is not only cost effective but also scalable - and they are eager to reap the benefits. Normally, an attacker would have to do quite a bit of research in order to gather intelligence on a target, since typical systems are masked behind firewalls, NATs etc. Cloud services on the other hand, by nature, are visible and are inherently designed to be accessible from anywhere by anyone. There will undoubtedly be integration issues with their current systems that could be the source of a potential exploit, so, as with any new technology, caution should be at the forefront when implementing new technology when aligning Cloud services with your business.

David Gallego (voted for cloud security incidents) • I am concerned about Cloud computing. You are trusting sensitive information with a third party that you have no control over. You have no control over who the provider hires, the security systems in place, or even where the data is located.

Tokunbo Omiyale (voted for cloud security incidents) • I do agree it has to be cloud computing. I do think its serious security implications have been properly thought through before pushing the product to the market. I am pretty concerned about using corporate data as a security test guinea-pig.

Thomas Pridham (voted for Privacy Concerns) • I am really concerned about 'cloud computing/platform' - it almost makes it sound magical and people (end-users especially) don't really care or know where their data's in a magical cloud somewhere with (hopefully) some really good security protection.

Clark Willis (voted for cloud security incidents) • The biggest issue will be "consultants" scamming companies into spending money through unqualified fear; after that, it will be the early adopters of the cloud scam.

Scott Brown (voted for cloud security incidents) • We already live in the cloud... where is your email hosted? How much information do you store on sites like this? Most companies already have a cloud technology, i.e. email scanning, web hosting services, but as Corporates move into cloud hosted services they increase the risk for themselves and users to be targeted. The more Businesses using the same cloud technology the bigger the payoff for hacking it... Technology is like everything else in life... using a single technology in moderation is better than over indulging in it.

Saturday, February 4, 2012

Italian Parliament stops national SOPA

Most people have not even been aware that in Italy too there have been lots of complaints against a proposed regulation with the same contents as the well-known SOPA. In fact the same struggle we have seen in the United States has been replicated here: on one side content providers, on the other side ICT industry players plus "digital citizens".

Today in Italy there are only 2 entities that are allowed to force ISPs to block access to web content:

1. Since January 2007 a procedural flow has been active between the Polizia Postale e delle Comunicazioni and ISPs to block access to child pornography websites

2. Another procedural flow has been active since February 2006 between AAMS (Monopoli di Stato) and ISPs to block access to illegal online gaming websites

The proposed regulation wanted to force ISPs to block access to web content following a request from any interested person or entity.

Finally, after a long path, two days ago one of the 2 houses of the Italian parliament cancelled this proposal.

But that is not the end of the story... 

In fact, in the next days a note is expected from the Authority for Communications that should establish economic and administrative sanctions against "copyright piracy".

What is SOPA - the internet blacklist bill