October 2007
October 25, 2007
What is Comcast Doing?
So with the recent kerfuffle over Comcast's network management policies, it seems prudent right now to ask just what the heck are they actually doing, and why?
The simple answer seems to be that they are limiting activities on their network that tend to hog lots of bandwidth. Fair enough. I'd say they have a right to keep some users from hogging all the network capacity. But here's what I don't understand (and I'm not a network engineer, so maybe some of you out there can clarify this for me): why target specific kinds of traffic or specific applications like peer-to-peer file sharing? Wouldn't it just be simpler (and fairer) to impose a monthly transfer limit for all customers? I could imagine many fair ways to implement this — you could throttle users back to something closer to dial-up speed if they hit their monthly maximum, for one thing. If everyone knew the limit, no one would have any legit reason to complain if they went over it.
But instead, the company is not stating any clear policy, and is instead limiting customers' traffic in ways the customer is never informed about. What are Comcast's rules of the road, and why do none of their customers know what these rules are?
I can think of a couple of reasons why Comcast might be doing things this way. First, I might be wrong about the simplicity of imposing caps. Maybe it is far simpler to just monkey with the specific traffic that comprises the worst of the bandwidth hogging: BitTorrent traffic. In this case, it's a question of expediency.
Or maybe it is simple to impose caps, but Comcast fears a customer backlash if they start clearly stating limitations to customers who will see such limitations as a throttling of their service — in essence, a diminution of service without a commensurate diminution in rates charged. In this case, it's a question of Comcast trying to be stealthy, and solve their problem while staying under the radar.
Whatever the reasoning, it's clear that Comcast, by their own admission, is doing something to limit certain traffic generated by some of its customers, without stating any clear policies about what that limitation is, and how it is applied. I'm not saying Comcast can't manage its network. But I think they owe it to their customers to come clean about how they're doing it.
Posted by Kevin Carlson at 12:45 PM Permalink
October 23, 2007
ID Fraud More Low-tech Than You Might Think
I suppose that being immersed in the tech world can lead to seeing things as technological problems, when in fact, they are simply sociological problems. Maybe that's why I was among those who associated the crime of identity theft primarily with computers. In my mind, I think I pictured identity thieves as hackers.
But really, what's easier: hacking into some institution's or individual's computer, or dumpster diving for credit-card receipts? A recent study released by the Center for Identity Management and Information Protection at Utica College seems to confirm that the dumpster divers outnumber the hackers by a wide margin.
The study used data from 517 closed Secret Service cases that involved an identity theft component. Of these, fully half did not involve using the internet in any fashion. Of the remaining half that did use the internet in some way, it is difficult to determine the extent to which the internet was the primary means of committing the crime. The study does state, however, that in only 10 percent of the crimes was the internet the only means of committing the crime.
Really this is just more evidence that an organization's security is only partly a question of hardening your software. As long as account numbers are being printed on paper, and those papers can be carelessly thrown away, the best software in the world won't save you. Ditto for social engineering. If organizations don't train employees to recognize scams, the biggest vulnerabilities may remain as gaping holes.
Posted by Kevin Carlson at 01:13 PM Permalink
October 18, 2007
Just Because You're Paranoid Doesn't Mean You Aren't Being Tracked
Oh, the things that show up in my inbox. Apparently, it's easier than ever before to be a stalker. If you want to keep track of someone's whereabouts every second of every day, well, you're in luck. There's an affordable product designed just for you: the Trackstick.
This lovely little device has convenient magnetic mountings for quickly and quietly attaching it to your victim's (err, surveillance target's) car, and is integrated with Google Earth so that you can see a bird's eye view of everywhere the device has been.
Now I'm sure that this is a great tool for law enforcement and the Homeland Security folks. But what's most worrying to me is the first line of the company's description of its product:
"The Super Trackstick is the perfect tool for individuals, law enforcement and government agencies looking for a way to track anything that moves."
Notice that "individuals" come first in that list. And at $269, it's cheap! (Well, relatively.)
Made any enemies lately? I'd check under my rear bumper for one of these little babies, if I were you.
Posted by Kevin Carlson at 01:02 PM Permalink
October 08, 2007
Blu-ray Copy Protection: Punishing the Honest Customer
I absolutely sympathize with legitimate businesses when they lose money to piracy. In my book, it's wrong to steal movies. But it's equally wrong to put the whole burden of preventing piracy on the shoulders of honest customers. Not just wrong, but blindingly stupid as a business decision.
So then I have to confess to being mystified by the BD+ Blu-ray copy protection that is just now beginning to ship on Blu-ray discs. It seemed like a huge aggravation for consumers, and unsurprisingly, it's turning out to be just that. With the recent news that Fantastic 4: Rise of the Silver Surfer and The Day After Tomorrow on Blu-ray discs are failing to play on several players from Samsung, LG, Sony and Panasonic, Blu-ray disc vendors have managed to lob the unwelcome copy protection ball back into the consumer's court.
To make the discs play, customers must update their firmware. Except that for some of them, there is no new firmware update to be had. This leaves them in the infuriating position of having to watch their new movies on the schedule of their player manufacturer's software development team.
Now, if this happened once in a blue moon, they might be able to get away with it. But how long do you think it's going to take before a new crack motivates the movie studios to release yet another updated copy protection scheme that forces yet another firmware update?
And let's talk about those updates. Even when they're ready in a timely fashion, the average consumer faces unprecedented hurdles in applying these updates. Never before has there been a stand-alone entertainment appliance that required more specialized knowledge simply to make the thing perform its basic task. You either have to have a home network to plug the thing into, or you have to download .iso images and burn them to discs. Now, I can tell you, my Mom has neither a home network nor the knowledge to download and burn .iso images. And that is always the threshold that a consumer device should pass—can your mother use it? (Okay, some of you may argue that a TiVo is pretty complicated, and requires some fiddling. But I would say that to get it to perform its basic tasks, you don't need the network connection.)
I'm a technophile—I eagerly awaited a high-definition DVD format, and was looking forward to watching movies in stunning clarity on my HD TV. But, for the first time I can remember, I have decided to stick with an older technology because I can't tolerate the inconvenience and restrictions of meddlesome, intrusive DRM. I say "long live standard-def DVDs" until something more intelligent comes along.
Posted by Kevin Carlson at 12:30 PM Permalink
October 01, 2007
The Bad Guys are Busy
According to the CSI Computer Crime and Security Survey, some interesting changes are afoot in the world of computer crime. First, the damages claimed are growing - the average annual loss claim from computer criminal activity is up to $350,000 from last year's average, which was $168,000. Given the number of high-profile security breaches we've seen in the news over the past year, that doesn't really sound too surprising. But there's more bad news.
The survey also shows that the nature of the damages suffered has changed. The number one problem is now financial fraud, not losses from viruses, which had claimed the top spot for the previous seven years. This is bad news simply because viruses are often only malicious mischief, however damaging that mischief might be. Fraud is by definition more targeted and focused, and generally means that the target of the fraud was probed and analyzed for weaknesses. It's harder to defend against an attack that was specifically designed for your organization than it is to defend against a lowest-common-denominator threat designed to infect as wide a swath of machines as possible.
If you happen to be in San Francisco this Thursday, you can register to hear CSI Director Robert Richardson present the findings from the 2007 Computer Crime and Security Survey.
Or, if you're looking for more, check out the CSI Conference and Expo, held November 3-9 in Arlington, VA.
Posted by Kevin Carlson at 04:58 PM Permalink