E-Security

		E-Security If there is one thing that has remained consistently true for information security throughout the years, it is that “some things never change”. Despite incidents making frequent headlines, it seems that users and organisations continue to make the same blunders and fall prey to the vulnerabilities, exploited previously. This year’s security incidents ranged from sophisticated cyber-attacks to exploitation of glaringly serious yet, preventable flaws. Meanwhile, privacy remained a major concern for users and organisations everywhere, from the white house to an average user’s browser. Cyber Warfare The year started off with a bang, with Google revealing that, along with several other companies, it had been targeted in a sophisticated cyber-attack – dubbed as Operation Aurora. The attack exploited zero-day vulnerabilities in Internet Explorer to download malware on the targeted computers, allowing the intruders to gain full, system-wide access to carry out corporate espionage and gain unauthorized access to Gmail accounts.

		Apparently originating in China, the incident opened the world’s eyes to the dangers posed by such attack, and also strained relationships by such attacks, and also strained relationships between Google and the Chinese government. Google subsequently announced that it would no longer censor search results in China and later closed its operations in China. While some critics argued that Google withdrew from the Chinese market due to financial reasons, as it couldn’t dominate the local search engine market, privacy proponents applauded Google’s stand against China’s oppressive internet regime. Meanwhile in the US, the Obama Administration received a “B” in Cyber Security from the Electronic Privacy Information Centre (EPIC), in its annual Privacy Report Card. The report acknowledged the challenges for the government in implementing security controls to protect the nation’s infrastructure, while maintaining the free nature of the internet.

		It, however, expressed concern over the growing influence of the National Security Agency (NSA) over the administration’s cyber affairs. Transparency and openness of the NSA’s involvement in cyber-security was stressed to allay any privacy concerns by the general public. Back to the BlackBerry The Middle East and Blackberry went toe-to-toe in the news again, after 2009’s privacy nightmare, in which Blackberry users in the United Arab Emirates (UAE) discovered that the up-date they had downloaded on their devices was actually an e-mail and call monitoring spyware. Most governments, in the region, have not been keen on the fact that they are unable to monitor activities on BlackBerry handsets, due to their strong encryption. This year, the UAE took a firm stand against BlackBerry services until the services were bought in line with the country’s regulations. Although Research in Motion (RIM) initially declined to accommodate the UAE government’s demands, the BlackBerry founders were able to reach an agreement with the UAE government, after which BlackBerry services resumed.

Other countries like India and Saudi Arabia soon followed suit and threatened to ban usage of BlackBerry services until they were allowed access to the encrypted messages sent to and from BlackBerry handsets. Although RIM offered to appease governments by offering some compromise while maintaining client security, it found itself in a precarious position. BlackBerry’s strong privacy controls are a major reason for its popularity among business people worldwide – and yet, not conceding to regulatory demands could put a stop to its business altogether. Facebook Woes Facebook privacy controls have always come under criticism for being too confusing. Which leads users into unintentionally choosing the incorrect privacy settings for their profiles. Although Facebook has taken steps to simplify its privacy controls, they still remain a chore for the average user. This year was especially painful for Facebook, as early in the year the website saw itself in the limelight following the discovery of a privacy bug that allowed users to view the private live chats of their friends, as well as their pending friend requests. The bug was fixed, following a temporary suspension of Facebook’s chat facility. Later, in July, 2010, a security researcher harvested personal details of over a hundred million Facebook users as a demonstration of the website’s poor privacy controls. The researcher used a single line of code to amass this data – user information unprotected by Facebook’s privacy controls – and posted it on The Pirate Bay, a file sharing website. Facebook’s defence was that the information collected by the researcher was already public and available online. However, given the typical Facebook user’s poor understanding of privacy controls, it serves as a grim reminder of just how vulnerable social networks can be to data harvesting attacks. The dust form this incident had barely settled when it came to light that popular applications on Facebook, including Farmville, were violating policies and transmitting user-IDs to advertising companies for tracking purposes. This information was transmitted even if a person had set his profile settings to be private. Despite statements being issued by Facebook that the aforesaid problem arose due to problems with the underlying web browsers and not the application itself, serious doubt was cast on Facebook’s ability to properly secure the privacy of its massive user base. Finally, Facebook promised to take serious action against developers whose applications were found transmitting data outside of Facebook, or those engaged in selling these user-IDs to internet data brokers. Black Sheep in Firefox Security professionals have always warned about the vulnerabilities of public networks and unencrypted websites, and their warnings proved well-founded with the launch of Firesheep, a Firefox add-on that lets its users hijack a Facebook or Twitter session over an open network. While session hijacking tools have existed for years, Firesheep makes the job a mere point and click operation from a nifty sidebar within the browser, which informs the user when anyone on an open Wi-Fi network visits a website that does not encrypt user sessions and is vulnerable to session hijacking. A single click will allow a Firesheep user to take over the existing website session and impersonate the target user. This add on had been downloaded more than 400,000 times, at last count, since its release and its popularity should force websites like Facebook and Twitter to look into the feasibility of encrypting user sessions as a means of thwarting session hijacking. Websites like Facebook, Twitter, and Flickr are especially vulnerable to such (session grabbing) attacks, due to their weak encryption of user sessions. There will, unfortunately, be quite a few aspiring hackers who will try to hijack sessions of unsuspecting users unless proper measures are put in place. The safest way is to avoid visiting such websites, when connected to public access networks, in places such as coffee shops and airports. Conclusion This year has proven, without a doubt, that the decade old debate of privacy and personal freedom at the cost of security still shows no sign of reaching a positive conclusion. As technology becomes pervasive, users can no longer afford to be complacent about their digital identities and must start making conscious choices about how much personal information they are willing to float into cyberspace. In 2009, over thirty million passwords were compromised from RockYou a social networking applications website and posted on the internet. Analysis revealed that nearly a million users used simple expressions, such as “123456” or “password”, as their passwords. This highlights lax attitudes of users towards passwords, despite frequent reports of online identity theft. This year, the situation was no different, as a recent study in the UK revealed that many credit card holders used their birth dates as PIN numbers, for the sake of convenience. This attitude, unfortunately, will make account hijacking a child’s play for the cyber criminals. As we head into 2011, we can expect technology to evolve by leaps and bounds, however, it would still be the obligation of users to properly protect their online identities, rather than to expect websites and organizations to secure their personal information from prying eyes.