Showing posts with label security. Show all posts
Wednesday, July 20, 2016

Passwords: How's that still a thing?

Passwords.

How is this topic still a thing? 

In two words: Mark Zuckerberg. 

In June 2016, Mark Zuckerberg got hacked and his secret password was revealed for all to see. Did it meet all those wonderful rules we learn in information security school? Was it ISO27001/2 compliant? 

Well his password was "dadada" - so I'll let you decide. 

The Wall Street Journal's Nathan Olivarez-Giles had a great article on hacking/passwords. 



The article refers to a site where you can check to see if you've been hacked https://haveibeenpwned.com/ - definitely worth checking out. 

Of course the next step is to then change the password on the 7 million devices you own, but who says hackers make your life boring? 

Passwords are the best illustration of the trade-off between convenience and security: you don't want the bad guys getting in, but at the same time you want it to be easy to use your email and the other services you rely on.

One possible antidote to this unending saga of dealing with hacks - managing the convenience versus security divide - is the use of password manager services.

WSJ's Geoffrey Fowler had an article which reviewed "1Password, Dashlane, LastPass and PasswordBox"; giving the win to Dashlane.

Of course two-factor authentication, as Olivarez-Giles points out, is a key control that we all need to implement in our lives - especially since many popular services are making it easier to use such a feature.

The fact that passwords continue to be an issue reminds us that the most challenging aspect of a system is not the technology, but the people who use it.





Saturday, November 3, 2012

Can we live in the cloud? Prof Jeff Jarvis intends to find out

On This Week in Google (TWIG) episode 169, Jeff Jarvis, professor of journalism at CUNY, announced that he will be attempting to live only in the cloud and abandoning the comforts of offline desktops. He recently moved to the Android eco-system (i.e. for his mobile device and tablet), which he attributes to Google's wide range of services from maps to Google Docs. Taking it to a "whole nother level", Jeff is planning to live only in the cloud once he gets his hands on Samsung's ultra-cheap Chromebook, which is expected to retail for $249. The Chromebook (as its name suggests) is based on Google's Chrome OS, where the OS is basically the Chrome browser. Here's the ad in case you missed it:


As illustrated in the ad, the concept is that the Chromebook is something that everyone and anyone can use. The premise is: if you primarily do everything in the browser, then you really don't need a full laptop. A few years ago, as Leo Laporte pointed out in the episode, this experiment by way of netbooks failed. Does Jeff have a fighting chance, or will Leo tell Jeff "I-told-you-so" after Jeff's experiment ends? Well, I think Jeff does have a fighting chance. Firstly, cloud computing has matured significantly since netbooks hit the scene. Secondly, people are now accustomed to using tablets and smartphones as a way to get things done.

In a way the Chromebook represents an intersection between the trend of cloud computing and thin client devices and taking technology back to the early years of computing, where users had to "dial in" from their "dumb terminals" into powerful mainframes. Except the Chromebook, smartphones, and tablets are replacing the dumb terminals, while the cloud computing service providers are replacing the mainframe.

Why should information security & privacy professionals care about this?

It is really about the price point. If Jeff Jarvis can successfully move to the cloud with this device, it means that the economics of the consumerization of IT have arrived. Think of a 10-person small business that is starting up. It really just needs email and office productivity apps for their clients. The IT cost would be $2500 for the hardware and then a recurring cost of $500 a year for Google Apps. The traditional Dell laptop + MS Office license would cost about $6480 upfront + the cost of an email server + the IT resources and effort to maintain/patch the laptops and the server.

In terms of data redundancy, one could argue that all the data is on the cloud so it's actually safer. Theoretically, if the owner loses their Chromebook, they can just change their password and then the Chromebook is essentially just a "dumb" piece of hardware with no data. And as illustrated by these stats, this is no small benefit. Of course, cloud computing does have its risks, as mentioned in a previous blog post and this publication (which I co-authored for the CICA). It's not that the risks in the cloud are insurmountable, but they are different from the ones we are accustomed to dealing with.

From a usability and information risk perspective I would ask these questions to Jeff Jarvis about his experiment:

  • Printing: What are the hiccups in terms of producing and printing formatted documents? What I am thinking about are the mundane things like resumes, reports and the like.
  • Working with Luddites: How do you work with others that are not in the cloud? Sometimes when working with a colleague the most efficient way to transfer a number of documents is via USB, especially when the other party does not have Internet access (e.g. think of locked-down company laptops).
  • Handling Sensitive Data: What is the sensitivity of the data that is being kept on the cloud? For example, we keep private things like tax files that contain SSNs, SINs, income, etc. offline. So how would one keep such things private, or is it a matter of just living in public? For readers that are unfamiliar with Jeff Jarvis, he takes a "what's the harm?" approach and has written two books (click here and here) on the topic of being more open and social with one's information. But I hope he can appreciate that not everyone uses his "privacy settings" :)
  • Trusting cloud providers: What due diligence does someone do before trusting a cloud provider? I suppose this is a "leading question". Accounting associations in Canada (i.e. the CICA) and the US (AICPA) have established Service Organization Control (SOC) Reports. These reports replaced the SAS 70 Type II reports in the US and Section 5970 Reports in Canada. So do you need this type of assurance before dealing with companies? Going back to the tax return example, one solution would be to use cloud-based tax services. But how do you establish trust that this information is appropriately. One may attribute my repetitive use of the tax return info to the fact that I am an accountant. However, to be fair, Gina Trapani on a previous episode of TWIG did point out that an accountant should not be putting tax info on the cloud unless it was encrypted.
  • Securing data on the lost Chromebook: If the Chromebook is lost, what are the precautionary measures the person has to take? In other words, where theory meets reality.
  • Making local backups: Currently, we back up from offline to the cloud, but how does this work in reverse? The reason this is important is illustrated by Mat Honan's Apple iCloud account getting hacked and him watching helplessly as his data got deleted.
  • Working without internet access: How many times does the lack of internet access, due to being in a subway or a non-WiFi area, become an obstacle to being productive?
  • Working through cloud outages: What happens if there is a disruption at the cloud provider or underlying infrastructure? Jeff lives in NY (and judging by his tweets, he's doing okay), so he does have some experience dealing with such a scenario given the disaster brought to his area by Hurricane Sandy.

Assuming Jeff actually does get his Samsung Chromebook and goes through with this experiment, I will post an update to this post.

Wednesday, October 24, 2012

Did the SC Supreme Court legalize industrial espionage on the cloud?

As reported in Ars Technica, the South Carolina (SC) Supreme Court ruled that gaining access to someone else's email does not violate any laws, specifically the Stored Communications Act. In the case, Jennings vs Jennings, the husband (M. Lee Jennings) was suing his ex-wife's (Gail M. Jennings) daughter-in-law, Holly Broome (from a previous marriage), for unauthorized access to his personal email account. Holly had guessed the correct answers to the secret questions and gained access to his email accounts. She had been asked by her mother-in-law to look at M. Lee Jennings's email because he had admitted to her that he was having an affair and had exchanged email correspondence with this woman. Holly printed the emails and provided them to Gail and her defense team, who used them against M. Lee Jennings during their divorce trial.

The Supreme Court found that the hacking was not in violation of the Stored Communications Act (SCA) because cloud-based email does not meet the "definition of "electronic storage" within the SCA [which] requires that it must be both temporary and intermediate storage incident to transmission of the communication and storage for the purposes of backup protection". It should be noted, as pointed out by William Shapiro on this episode of This Week in Enterprise Tech (it's the first segment so you don't have to listen to the whole episode), that this judgment is limited to South Carolina.

Wow. In these few small sentences, the SC Supreme Court has allowed unauthorized access to anything that is stored on the cloud. In the last few posts on the UWCISA blog, I have commented on industrial espionage and Microsoft's move of Office to the cloud. In my entry on the cloud I noted that the cloud pretty much gives access to law enforcement:
"In terms of privacy, the way the privacy rules work is that if the provider tells you in the ToS that they will hand over things to law enforcement then they are covered from a privacy compliance perspective. (See the Privacy Commissioner's handling of the complaints against CIBC). Furthermore, as noted in this article, both American and Canadian law enforcement and other agencies can access what you put on Office 365 and they don't need to tell you about it."

In my entry on industrial espionage, I highlighted that, in addition to the risks highlighted by US government officials on using Chinese hardware manufacturers, "it is important to recognize that other factors are at play on the specific issue of ZTE and Huawei and that the risk of Chinese hacks should not be overstated. After all, non-Chinese companies do conduct industrial espionage against one another. For example, SAP had to pay $120 million to Oracle for such activity, which occurred in 2007. But if you raised the threat of German firms hacking to get into American companies, people would think you are not well. So although this threat is real, it is not new and it's not just coming from the Chinese."

Furthermore, I have been immersed in the last few weeks in Kevin Mitnick's (wiki, his site) Ghost in the Wires, which details how he hacked into Motorola, Sun, and other major companies. Once you read his story, you will quickly realize how this ruling by the SC Supreme Court makes it open season on any corporation that uses the cloud as a means to outsource processing. If an average person like Holly Broome can access confidential email - imagine what a determined hacker like Mitnick could do! For example, if you use Google Docs or the soon-to-be-released Microsoft Office 365, then a competitor can gain access without violating the SCA and use that information. Will this judgement spur hackers to relocate to South Carolina and access all types of confidential information stored on the cloud? Of course they can't take patented or copyrighted information, but what about companies that likely don't have such information patented, trademarked, etc., or protected by other laws (e.g. privacy legislation, theft of credit cards, etc.)?

It's interesting how vulnerable the cloud, and technology in general, is to the inability of lawmakers and judges to see into the future. Common sense would dictate that a person who buys or uses a service and keeps it secret via a password expects the information to be confidential to them. But I am not a lawyer, just an accountant in tech. That being said, it is unlikely that Google, Microsoft, Amazon, and the other tech giants will take this ruling lying down. One can expect that they will use their dollars and influence to allay fears and assure users that their services are safe from "legal industrial espionage".

Tuesday, October 9, 2012

Huawei & ZTE: Corporate spies or victims of non-tariff trade barrier

This episode of the TWIT network's Tech News Today had an interesting discussion regarding the recent allegations that Huawei and ZTE were spying on US companies that purchase and use their equipment. As the hosts of the tech news show pointed out, Congress does not have any evidence that the firms were involved in such activity, but was rather concerned with the relationship of the two companies with the Chinese government. Another interesting point that they raised was that Cisco would benefit from such a ban. And according to this article, Cisco has paid $640,000 in lobbying on "measures to enhance and strengthen cyber security". As one analyst quoted by Bloomberg put it, "This is going to allow Cisco and Juniper to compete more fairly". However, Huawei too has been lobbying the US government, to the tune of $820,000. Many have cited Chinese hackers as a threat; for example, it is suspected that Nortel was targeted over a ten-year period by such hackers. However, it is important to recognize that other factors are at play on the specific issue of ZTE and Huawei and that the risk of Chinese hacks should not be overstated. After all, non-Chinese companies do conduct industrial espionage against one another. For example, SAP had to pay $120 million to Oracle for such activity, which occurred in 2007. But if you raised the threat of German firms hacking to get into American companies, people would think you are not well. So although this threat is real, it is not new and it's not just coming from the Chinese.