How much attention would you give e-mail security if you were running for office?


One would hope that the people who run for public office in this country with promises of increased domestic security would take some pains to ensure their own security during the campaign. High priorities should of course involve things like having good bodyguards and site security teams when making public appearances, ensuring one’s campaign Web site doesn’t get defaced by people who disagree with one’s policies, and protecting e-mail privacy.

While I would dearly love to see someone with an at least marginal understanding of technology get into public office from time to time, I know that might be a bit too much to ask at this point on the national political stage. Lacking personal understanding of such matters, however, one should definitely hire people who know what they’re doing and get them to advise on technical matters — and actually listen to their advice.

I could comment at some length on the difference between people who know how to market technology or can run a technology company and those who actually know technology sufficiently to be credible advisers. In other words, I could comment on the inadvisability of hiring someone like Steve Ballmer as a technology adviser. That’s not the point of this article, though. Instead, I’ll just offer a short list of tips for anyone who might want to run for public office and avoid the embarrassment of failed e-mail security:

  1. First and foremost, make sure e-mail authentication is encrypted. This should apply to all e-mail, all the time, but is especially important for circumstances where having your account cracked is not only annoying, but also embarrassing, such as when running for public office on a domestic security platform. Make sure all your campaign staffers are doing so as well.
  2. Use encryption for important e-mails. Never underestimate the importance of being encrypted. Make all your campaign staffers use it too.
  3. Digitally sign e-mails, and require all campaign staffers to do the same. Use a well tested, proven, cryptographic signing technology, such as PGP or S/MIME, to sign e-mails, so that there should never be any question about the authenticity of an e-mail. While you’re at it, make sure all your campaign staffers understand how to employ cryptographic digital signatures securely — and that you understand how to use it, too.
  4. Have a specific computer set up for campaign-related business. Make sure it’s set up to be as secure as possible, and make sure as many features are disabled as can be without crippling your ability to do campaign-related work. Don’t use it for personal Web browsing, non-campaign related communications, or anything else that might put its security at increased risk. Make all unencrypted connections on that computer through a secure proxy. Use that computer — and only that computer — to access your campaign e-mail. For obvious reasons, this computer should probably be a laptop. At least the most important campaign staffers, with the most intimate relationship to the inner workings of the campaign, should employ similar measures.
  5. Use POP or IMAP for email, instead of a Webmail account. In other words, don’t be Sarah Palin. This account should be associated with a domain name specific to your campaign (to make it look more official, as well as to provide greater control over e-mail security), and your campaign staffers’ official communications should be carried out via addresses associated with that domain name as well — or perhaps with a second domain created specifically for communications amongst campaign workers.
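
One way to check tip 1 against the mail service a campaign actually uses, as an added example that is not part of the original article: the functions below read what an IMAP server or SMTP submission server advertises before TLS is negotiated and flag any offer to accept a password in cleartext. The banners and the host name `mail.campaign.example` are constructed samples, and ports that use implicit TLS (993, 465) are outside what it checks.

```python
import re

PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}  # SASL mechanisms that transmit the password itself

def audit_imap(pre_tls_capability):
    """Check the CAPABILITY data an IMAP server sends before TLS (port 143)."""
    caps = {c.upper() for c in re.split(r"[\s\[\]]+", pre_tls_capability) if c}
    findings = []
    if "STARTTLS" not in caps:
        findings.append("IMAP: STARTTLS not offered")
    if "LOGINDISABLED" not in caps:
        findings.append("IMAP: LOGIN command accepted in cleartext")
    for mech in sorted(PLAINTEXT_MECHS):
        if "AUTH=" + mech in caps:
            findings.append("IMAP: AUTH=" + mech + " offered before TLS")
    return findings

def audit_smtp(pre_tls_ehlo):
    """Check the EHLO reply a submission server sends before TLS (port 587)."""
    ext = {}
    for line in pre_tls_ehlo.splitlines()[1:]:  # first line only names the host
        m = re.match(r"250[- ](\S+)\s*(.*)", line)
        if m:
            ext[m.group(1).upper()] = m.group(2).upper().split()
    findings = []
    if "STARTTLS" not in ext:
        findings.append("SMTP: STARTTLS not offered")
    for mech in sorted(PLAINTEXT_MECHS & set(ext.get("AUTH", []))):
        findings.append("SMTP: AUTH " + mech + " offered before TLS")
    return findings

# Constructed sample banners (not captured from any real server).
WEAK_IMAP = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN] ready"
GOOD_IMAP = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready"
WEAK_SMTP = "250-mail.campaign.example\n250-SIZE 10240000\n250 AUTH PLAIN LOGIN"
GOOD_SMTP = "250-mail.campaign.example\n250-SIZE 10240000\n250 STARTTLS"

if __name__ == "__main__":
    for name, result in [("weak IMAP", audit_imap(WEAK_IMAP)),
                         ("good IMAP", audit_imap(GOOD_IMAP)),
                         ("weak SMTP", audit_smtp(WEAK_SMTP)),
                         ("good SMTP", audit_smtp(GOOD_SMTP))]:
        print(name, result or "ok")
```

A server that passes advertises STARTTLS and withholds password mechanisms until the session is encrypted; the mail client must still be set to require TLS rather than fall back when the upgrade fails.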

Some of these measures will of course require the help of technically proficient experts. Get one on-staff if at all possible, or at least hire one on a consulting basis. If you run a small, local campaign that doesn’t have enough money to spend it on hiring an expert, make use of that six degrees of separation principle to find out who your advisers, campaign staffers, and their friends and relatives might know who would be willing to help you out. Once you get such help, listen to the advice you’re given.

You don’t want to be the next candidate for public office whose name is in all the papers having made amateurish mistakes with the security of campaign communications, after all.





What is the “anonymous” network? How do they operate, and what do they want?


In last week’s article about email security for politicians, I linked to an article at techPresident — BREAKING: Sarah Palin Yahoo! email account hacked. In a statement at the end of the article, its author says:

One very interesting element is the reference to “anonymous.” This “group” — a new kind of online network that up til now has been devoted to disruptive action against Scientology — is very sophisticated and probably impossible to stop.

An (ironically?) anonymous commenter, who posted the first comment to the article, said:

You’ve got it wrong on anonymous. They’ve pretty much attacked anyone and anything that they fancy. They’ve hacked the owner of http://www.tektek.org and Gaia Online as well as others.

Both accounts of the “anonymous network” are missing the real heart of the matter, however. It’s my theory that “anonymous” in this sense is not a group, or a “network”, of activists — but, rather, it is an emergent phenomenon.

The name “anonymous” appears to have started out as a mask over the identities of people who targeted Scientologist Websites. It also appears to have started amongst 4chan members, but probably never had a specific membership. It is more an Internet cultural meme that grew out of a sort of in-joke, predicated upon the notion that the prevalence of online activity by Internet users in general without identifying themselves by any individual name — instead accepting the term “anonymous” as it was handed out by the content management systems of many Websites where they posted discussion comments — can somehow be viewed as a sort of gestalt identity.

Consider: millions of Internet users all over the world leave comments on myriad websites with nothing to publicly identify the sources of these comments other than the shared monicker “anonymous”. If the term is viewed as a name rather than a descriptor, “anonymous” might as well be “Bob”. What if millions of Internet denizens all posted anonymous comments on various Websites and, instead of “anonymous”, were identified by the sites as “Bob” when they didn’t specify names for themselves?

This is, I believe, the sort of thinking that gave rise to the initial slogan of the “anonymous” attacks on Scientology (referred to by many as the Chanology project, after the initiating Website community of 4chan): “We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us.”

People all over the Internet with a dislike for Scientology, or perhaps just a mischievous streak, joined in on the efforts and adopted the name “anonymous” for such activities. Eventually, of course, “anonymous” started appearing to claim credit for other, unrelated activities — some obvious activism, others obviously not, and perhaps just wantonly destructive. It didn’t take long for the concept to grow beyond its originators.

From an article about the Anonymous phenomenon in the Baltimore City Paper:

In an e-mail, Doc describes Anonymous as “the first internet-based superconsciousness.” Anonymous is a group, in the sense that a flock of birds is a group. How do you know they’re a group? Because they’re travelling in the same direction. At any given moment, more birds could join, leave, peel off in another direction entirely.

From the same article:

[A]n anon in his 30s who says he works in homeland security, compares Anonymous to the War on Terror — you can fight terrorists, but you can’t fight an idea. Anonymous, he says, is an idea.

Of course, the idea has grown beyond even necessarily having a single direction, and the flock of birds analogy is more organized than the composition of the “anonymous” illusory identity is likely to become as time goes on. The case of the person who acquired access to Sarah Palin’s email account is a perfect example of this, one person working alone. The culprit operating under the name “anonymous” was, in this case, apparently David Kernell — the son of a Tennessee state representative, and an Obama supporter.

It is a mistake for security experts to view any act of security cracking or online activism signed “anonymous” as part of some even loosely organized group effort. In time, it will surely become more evident that there is no single, central, organizing principle at work in directing the actions of people using the name “anonymous” in this manner. It is a meme, an emergent phenomenon of a social Internet, and a running gag, rather than a definable network of activists or criminals.

Of course, groups may form and use the name “anonymous”, but some evidence beyond sharing the name should be present before assuming any connection between any two acts under that name. The world simply isn’t that simple.


A Tennessee Democratic state representative’s son was linked last week to involvement in the breach of the Republican vice presidential candidate’s Yahoo Mail account.


A federal grand jury investigation into the compromise of vice presidential candidate Sarah Palin's Yahoo account has apparently concluded its first day of meetings without an indictment.


As the FBI focuses in on a Tennessee suspect in the hack on Gov. Sarah Palin’s e-mail account, Fox News commentator gets hacked out of spite.


The ease with which Republican vice presidential candidate Sarah Palin’s e-mail was hacked is striking and underscores the importance of improving privacy questions for password recovery. A person claiming responsibility for the hack posted details of what he did Wednesday on a 4chan.org message board. The handle of the poster has been linked to the 20-year-old son of Tennessee Democrat Mike Kernell.
- Perhaps the most unsettling thing about the hack on Republican vice presidential candidate Sarah Palin’s Yahoo e-mail account was the way it happened.
Rather than some automated tool or complex virus, Google and Wikipedia searches appear to have been the weapons used to knock down the walls guardin…


A federal grand jury ended its meeting without issuing an indictment against a Democratic lawmaker’s son in its probe of the hack of Republican vice-presidential nominee Sarah Palin’s Yahoo e-mail account.


Nick Farrell the Inquirer, Monday 22 September 2008. 08:15:00

Oh Really?

WIKILEAKS has published a yarn about members who signed up for the web page of Fox News bile merchant Bill O’Reilly. The information came from hackers who were able to obtain a list of Billoreilly.com premium members, including email addresses, site passwords and the city and state where they live. Wikileaks has been in hot water from O’Reilly for publishing US vice presidential candidate Sarah Palin’s personal email messages, which were also obtained by hackers. O’Reilly, host of the TV show “The O’Reilly Factor,” rabidly attacked Wikileaks of “trafficking in stolen merchandise.” O’Reilly’s premium members pay $49.95 per year to access special content on the Web site, including discussion boards….




The personal email account of Alaskan Governor and Vice-presidential candidate Sarah Palin was hacked and some of the contents have been posted publicly on the Web. Hackers of the Anonymous group have taken credit for the intrusion and published screenshots of e-mail messages, contact lists, photos and other information belonging to Governor Palin.


Sometimes, discussing how security can be improved is interpreted as blaming the victim. This may be one of the worst obstacles in the way of good security practice advocacy.


In Webcasts, personal discussions, forum discussions, and professional consultations, I am often asked questions that relate to the reason for poor uptake of security practices. Anyone with an eye toward information security trends can see that there are a lot of basic, minimal standards of security that are simply ignored by many — if not most — people in a position to make decisions about security.

The answer to that question is a complex one. Usually, such discussions come with an implied answer on the part of the person asking. For instance, in Integrated Security: Simplified and Scalable Threat Management, the common question of how much of the corporate world’s security failings are the fault of management came up. Unfortunately, it really isn’t that simple a matter. In some organizations, management’s failure to recognize the importance of certain security measures may well be the major roadblock. In others, that isn’t the problem at all.

Probably the most annoying, and the most dangerous, reason for poor security that I have ever seen is the fallacious application of the principle that one should not blame the victim for the crime. Obviously, one shouldn’t direct ethical or moral opprobrium toward the victim of a robbery because she forgot to lock the house, the victim of a murder because he was hanging out in a dangerous part of town, the victim of a rape because she was dressed provocatively, or the victim of a botnet infection because he didn’t properly secure his computer.

On the other hand, this doesn’t mean the victim of the botnet infection should not have secured his computer.

Last week’s article Email advice for politicians discussed some ways one can protect oneself against security breaches such as the incident of Sarah Palin’s Yahoo! email account being cracked and contents of emails being passed on to Wikileaks. The violation of her email security made for big news, and I used that news as an opportunity to explain some measures I would have employed for my own email security, had I been a Presidential candidate’s running mate instead of her.

A response to that article in discussion comments suggested that the point of the article was to blame Sarah Palin for the security violation rather than the security cracker who committed the act. That could not be further from the truth; my point was not to lay blame at Sarah Palin’s feet, but to help others learn from the experience, so they would be better armed against attempts to violate their email security in the future. The question of blame was never addressed in the article.

That discussion comment was emblematic of a long-standing trend, however. Any suggestion that one should protect oneself, that developers should take responsibility for the secure design of their software, and that taking a position of willful ignorance on matters of security only enables security crackers, may encounter accusations of blaming the victim dismayingly often. The most common case, in my experience, is someone reacting to the suggestion that Microsoft is too lax in its vulnerability handling policies by demanding that everyone stop “blaming” Microsoft for the behavior of malicious security crackers.

I’ll spell it out for you, in no uncertain terms, on the subject of both these examples:

  1. Microsoft is not to blame for the behavior of malicious security crackers. The only people who should be arrested for crimes involving violation of computer security are the people who actively violated computer security or conspired to aid such violations. On the other hand, this should not prohibit anyone from keeping in mind the security characteristics of Microsoft’s operating system and application software, and it does not excuse Microsoft’s tendency to misrepresent its software’s security to its customer base.
  2. Sarah Palin is not to blame for the behavior of malicious security crackers, either. It is unfortunate for her that she did not have, or follow, good advice with regard to email security, but a comprehensive understanding of information security is certainly not a prerequisite for taking public office. On the other hand, there is speculation that she uses unofficial email accounts to conduct campaign business specifically to violate the spirit of Alaskan Freedom of Information laws while abiding by their letter. Judging by the reported content of the cracked email account, it seems likely this estimation of her email policy is true, which leads to two problems:
    • She may have made the classic mistake of violating what amounts to workplace security policy because she doesn’t want to have to live within its restrictions — and, in so doing, she made it easier for malicious security crackers to violate her email security.
    • By behaving in a manner that circumvents transparency regulations, she may have attracted more scrutiny from activist security crackers than would otherwise be forthcoming, thus in effect attracting that kind of attention in the first place.

Thus, while my previous article did not in any way blame the victim for the act, this was in part only because that wasn’t the point of the article. If the speculations about the propriety of Sarah Palin’s email practices are correct, however, it may in fact be appropriate to lay some small part of the blame at her feet. That isn’t even the point of this article, though.

The point of this article is that, regardless of whether someone should have to shoulder any blame for being the victim of a security violation (and most of the time, the victim should not be blamed at all), the lessons one can learn from the unfortunate examples of others are still valid. If you cannot see that suggesting stricter security measures to avoid suffering the same fate as the victim of a security breach is not the same as blaming the victim, you may well leave yourself wide open to such security violations yourself.

That doesn’t put you on equally low ethical ground with the malicious security crackers who violated your security, of course. It does, however, suggest that your mindset is not well oriented toward protecting yourself against the dangers of the world.



