Information Assurance remains a growing field of expertise, maturing on an almost daily basis. The industry has exploded over the last 10 years even though the concepts of IA has been around since as early as the 1960’s. Although the industry and its practitioners continue to evolve, those in upper-management have a difficult time fully grasping the core principles. As in many areas of management these days, there are far too many gun-shy managers who are more concerned with appearances and perception than properly mitigating risk to the networks they are charged with protecting.

Information Assurance, like any job where managing risk is involved, is about tough decisions. Almost all information assurance choices are not cut and dry, not black and white. Security versus convenience. The vast majority of IA work resides in that gray area, where a case can be made for either argument.

The deciding factors are similar to traditional security models, with risk topping the list. Is the risk, whether small or large, acceptable? Determinations are based on a successful evaluation of the threat. Is it credible? Easy to exploit? Etc…

Risk management is a huge domain of information assurance, and one that practitioners take seriously. IA professionals regularly complete risk assessment and continually evaluate the threat. These opinions are likely regularly compiled in to reports and or briefed to management so they can make informed decisions.

How does this affect information security specifically?

Unfortunately, most in upper management subscribe to the cover your ass mentality. In the majority of cases, upper managers are far more concerned with their careers and peer relationships than pulling the trigger on difficult decisions. When it comes to brass tacks, many upper managers will weasel their way out of a tough decision to save face with their peers.

This is what I have aptly dubbed the, “I don’t want to be a dick” syndrome of information assurance. Managers, whether directly involved in IA or charged with rendering a verdict based on risk assessments performed by IA staff, opt not to make the tough, right decision. Instead, they choose to accept unnecessary risk because they don’t want to be perceived as a dick by those within their organization.

Simply put, in their eyes it is easier to maintain good working relationships with their peers than to properly protect the network. In this day and age, when networks are constantly under attack from unknown, unforeseen vectors, it is important to make tough decisions, otherwise such decisions may have unintended consequences in the future. Playing the CYA game in IA is not an adequate security posture even though it may be a popular route with ones peers.

Adding unnecessary risk to a network is dangerous and can lead to bad things(tm), especially if not properly managed. If upper management is content with taking the easy route then the IA team is going to find it exponentially more difficult to protect the network. Displaying weakness when making IA decisions is tantamount to a General displaying weakness on the battlefield – the enemy will exploit those vulnerabilities to the organizations detriment.

While it is important the IA team not be perceived as the “network Nazi’s” it must not be accomplished by evading complicated decisions when the risk is unacceptable. If there is a valid threat then the decision, while not necessarily inline with the desires of the end-users, should be fairly obvious. IA must not be a roadblock to productivity, however legitimate security concerns must be addressed rather than ignored.

So how is the “Dick” syndrome mitigated?

As I mentioned at the beginning of the article, information assurance decisions are rarely black and white. They are often times difficult, complicated and thorny. In many cases, the choices will likely piss off the end-users who will look for ways around the policies implemented by the IA team.

Being perceived as a dick is fairly easy to mitigate. Listen to your end-users and make them believe you truly care about their operations and productivity. They need to understand that their thoughts are taken in to consideration when the IA team performs risk assessments. Even though the decision to implement may not go the way they desire, if they feel as that they are part of the process then they will understand in the end.

Consistency is key. When IA decisions are constantly going back and forth it sends the wrong signals. End-users feed off of consistency and should come to know what to expect from their IA team. Fear of the unknown is one of the reasons end-users perceive their IA team as the bad guys. Inconsistency leads to uneven application of IA policies, which in turn causes confusion for the end-users. Never send mixed signals.

“NO” can not always be the first answer. When an IA team automatically responds to inquiries with “no” that ends up causing more harm than good, even if the request must be disapproved. This links back to what I mentioned about allowing the users to feel as if they are part of the process. An automatic “NO” answer is decidedly against such a mantra.

Conclusion

IA, like many professions, has its ups and downs, and is filled with days where you may feel like an asshole even though you desire to assist the end-user. Unfortunately, doing the right thing is not easy – it’s tough because the very people who you are providing a service to are staring at you, awaiting a helpful answer.

If you are charged with making difficult IA-related decisions you must think of the risk to the network before anything else. Relationships with peers, with supervisors, with subordinates, must be placed on the back burner. Failure to do so because you “don’t want to be a dick” is dereliction of duty. Placing unacceptable, unnecessary risk to the networks is self-serving and precarious.

Possibly Related Articles:

1. Information Security Basics
2. New Facebook Layout is a Challenge for Management
3. iPhone Sorely Needs Better App Management
4. Flaw In Defense Contracting Of Information Technology Staff
5. Web vs. Desktop Task Management Systems

Ever felt like getting your karaoke on but found yourself to be miles away from the nearest karaoke bar? Ever feel like singing off-key with your BFFs but found yourself to be in a totally different country? Ever go camping and suddenly feel the need to play Rock Band? Never fear, technology comes to your rescue! Mobile carriers in Thailand and USA have what they call a ‘mobile karaoke solution’, enabling users to karaoke over the phone. I kid you not. Just in case there weren’t enough people who think they’re awesome singers when they’re actually not.

Developed in collaboration by NMS Communications, Grammy Thailand and Golden Dynamics, the arrival of mobile karaoke was hailed as the future of the Idol franchise. Like a mini Rock Band, you can sing along to a song over the speakerphone and overlay the recording with your own voice. Just in case that isn’t enough, you can send the whole thing to your friends, and the song can be set as your ringtone. Or your husband’s, just to remind him of your existence everytime someone calls.

What should be less surprising to me but totally wasn’t, is that this isn’t a new application. In 2003, Nokia showcased a mobile karaoke application called air.karaoke developed by Alatto, but totally failed to make an impact on the karaoke world, despite marketing it only in Asia which should be like shooting fish in a barrel.

The next step was, of course, a TuneWiki application which allows you to do all that and then some, clearly because TuneWiki isn’t being sued enough for things like publishing lyrics online. TuneWiki is available for both iPhones and Blackberry in both paid and free versions, but sadly no version is as yet available for Symbian users. TuneWiki even lets you search for other TuneWiki users in the area, just in case you’re walking down the street and feel the need to do a duet, I guess.

So seriously, just in case you ever feel that you need to rock out at the top of your lungs while air guitaring, you totally can. But before I say goodbye to my ears and eardrums respectively, here’s a community service message: Sometimes when your family tells you that of course, dear, you have a lovely voice and you could totally be the next Mariah Carey/Jamie Foxx/Beyonce, they’re just telling you that to make you feel good and so that they can tick the box next to ‘Be A Supportive Family Member’ on their ‘Being A Good Person’ list in their head. I beg of you, listen to reason.

Possibly Related Articles:

1. Does U.S. Mobile Carrier AT&T Rule All App Store Applications?
2. Finding Your Blogging Voice
3. Apple Giving Up On the iPhone Push Notification Service?

Macintosh is better than Windows, and Microsoft is run by idiots. Appleʼs software is open source whereas Microsoftʼs software is all closed source and therefore it sucks balls. You wonʼt get any friends when using Windows, whereas youʼll be the most popular person in the world when using Mac. Simply said, Mac is so much better than Windows.

Does this sound familiar? It probably does since most of us had to deal with Apple fanboys at least once. It gets even worse when you try to explain to them why they are wrong since they simply refuse to accept the fact that they donʼt know anything about Apple or Macintosh at all. What makes me even more angry is that whenever you finally manage to get the time to explain to them theyʼre wrong, all they say is “Youʼre just a Windows fanboy”. Excuse me? A Windows fanboy ? Werenʼt you the fanboy screaming about how great Apple is, while at the same time not being able to name a few Apple computers besides the iMac and Macbook?

But it doesnʼt stop there. Not only are the fanboys a problem, but Apple itself is a problem as well. Since the beginning they have fought for open platforms which would give the user freedom to use the technology in pretty much any possible way. In fact, this was one of the main things Apple advertised in the early days. Remember the 1984 Apple commercial in which a rebel throws a hammer through a screen thatʼs brainwashing people? It stands for the freedom of technology and how to use it. Exactly the opposite is happening now 25 years later.

Take a look at Macintosh and the iPhone OS. Both are closed source (with some open source parts). On top of that, all iPhone applications have to first be verified by Apple. Mac OS X [luckily] doesnʼt have those kind of restrictions, mainly because itʼs nearly impossible to restrict applications for a desktop operating system. Nevertheless, Apple is still doing the opposite of what they told people they would do.

Mix fanboys with a hypocrite company and you end up having a very, very bad day. Obviously Apple fanboys arenʼt the only fanboys, Windows and Linux fanboys are just as worse. I remember a person from a party who claimed that Ubuntu is the best operating system since it was so damn secure. I didnʼt even bother to reply since it was already hilarious enough. Another common mistake that people make is that they think Macintosh computers are for design related work only. Truth is, almost any Windows application has a little (or big) brother that runs on Macintosh. The only downside of a Macintosh is that there arenʼt that many games available for it.

Face it, Mac is better than Windows. My writing skills rock and yours suck. After not having written for more than a month I decided I had to make a comeback, and whatʼs better than writing an article about the best operating system in the world.

Possibly Related Articles:

1. Apple Responds to Microsoft Accusation that Macs are Too Cool
2. Microsoft Announces Foray into Retail Store Sales Ala Apple
3. Microsoft Training vs. Apple Training – Part I (of II)
4. Apple And Microsoft Still In Love After 25 Years
5. Microsoft Training vs. Apple Training – Part II (of II)

Many a time have there been office workers who arrive at their workplace in the bleary hours of the morning, fire up their coffee makers, poke blindly at their CPUs until it hits the power button either by sheer luck or accident, opened Internet Explorer and gone, “WTF? When did my company get a content filter?”

In the unfortunate real world of cubicles, phone extensions and annoying colleagues, this is a very real issue faced by many a web surfer. You can link them all the ‘Surfing The Internet Makes people More Productive’ articles that you want, but companies, big and small are cracking down on staff members who enjoy the odd visit to social media sites, online comic sites, blogs, and so on and so forth. How, then, will the everyday office minion find entertainment on a Monday morning while their brain is booting up? What will the trainees and interns do while their bosses are out for meetings?

Never fear, the internet is full of those who believe in the freedom of speech and surfing, and there hasn’t been a cyberwall put up that people haven’t found a way around. The answer is, in theory, ridiculously simple: a proxy that re-routes your surfing via a website that looks nice and safe to your company’s content filter.

In practice, there are 2 questions that you first need to ask:
1. What is your company’s policy on surfing the net?
2. How good is your company’s content filter?

Before deciding to get around the company’s content filter, one should always understand the company’s policy on surfing the internet – Will your browsing history be logged? What will the company do in cases of breach of policy? Have there been cases in which they have taken action against a staff member? Always know what you’re getting into before you’re knee deep in it.

Understanding what you’re up against is also essential for your convenience. There are content filters (like mine) that actively work to identify proxy URLs and ban them, and then there are filters that just ban the basics that the company has installed for the looks of it. In the case of the latter, it’s very simple to get around it, just choose a proxy from a proxy list like TechFAQ and you’ll be surfing in 0.0001 seconds.

In the case of the former, it’s a little bit more complicated. The content filter will update its list of proxy URLs daily. Every morning, you’ll have to find a new URL that works. However, after the first couple of days, you’ll notice that there are URLs that are more likely to work. For example, in the case of Me vs My Content Filter, I’ve noticed that URLs with ‘proxy’ in it or ending in .cc are less likely to work, while URLs ending in .info are far more likely to work. Innocuous URLs that sound like http://www.howtoworkharder.info or http://www.homeworkforschool.info are also preferable because my server logs my browsing history. Some proxy websites also have daily emails listing their latest proxy URLs that can be delivered for your convenience to your inbox.

You’ll notice that it’s a bit annoying to keep using the proxy, and in some cases, it’s difficult to access password-protected websites like GMail using a proxy – and for good reason. Always be careful when surfing by proxy and make sure to never do so when using internet banking because a proxy isn’t always secure and allows the transfer of unencrypted data, meaning that your password could be leaked. I mean, there has to be a reason that your company instituted a content filter.

With this information, it should be easier for you to face up to that big bully of an IT Policy.

Possibly Related Articles:

1. Control Of Your Online Content – Think Again
2. Dear Safari…

Back in May 2009, Stephen Wolfram launched an ambitious effort that seemed likely to re-carve the landscape of internet search — www.WolframAlpha.com. Stephen’s project provides precise [and sometimes amusing] answers to what seems to be nearly every category under the scientific sun.

With Statistics, Physics, Geography, Medicine and Nutrition to name just a few, WolframAlpha search is unequivocally a stellar scientific tool. Using it though [for everyday search] is like walking into a physics class to find a recipe on how to make meatballs.

Compare WolframAlpha with Google on the other hand and you’ll find Google is more like walking into your local library to find a book on, well, just about anything. Google’s scientific and statistical search response may not be as polished and precise as Wolfram’s, but nonetheless the data is out there. What Google does that WolframAlpha doesn’t is give

So now that everyone has spent their hour or so wishfully plugging search strings into WolframAlpha, has the hype faded? Or is Stephen Wolfram just scratching the surface of our world’s future in intelligence-based internet search.

Can WolframAlpha become the next omniscient community library.

Still a ways to go — If you search WolframAlpha for ‘rich chuckrey?’, you get zero. Not even a blip of my existence. I’m quite certain WolframAlpha’s awareness of my ‘existence’ is a low priority for entry into the WoflramAlpha database, but this is where the relevance of Wolfram’s search engine lies [and currently ends]. Google however knows who I am on Twitter and other social networks.

Plugging through WolframAlpha gives me a feeling that much of what’s returned back through its search engine is 99.999999% textbook response. No better than a scientific bot.

It may very well be that, on August 29, 2029, deep space algorithmic calculations predict WolframAlpha will become self-aware. But until that sci-fi day comes, for current practical and even scientific search, Google still rules the day. Even Bing has come to the table with strong search relevance whereas WolframAlpha is [by far] still a static scientific calculator geared more for that high school science project or college physics thesis.

Google take note: The potential for a new internet search order makes Stephen Wolfram’s futuristic vision for WolframAlpha a key milestone in search engine development. Where Stephen takes his project next might just shape the future of world wide web search.

Possibly Related Articles:

1. Google is Not In Danger Thanks to The Pirate Bay Guilty Verdict
2. Confessions of a Google Addict – Where Is My Google Dashboard?
3. Searching For Results: A Comparison of Search Engines
4. Google Chromium for Mac OS X First Impressions
5. Google Street View, Angry Villagers And Cheating Spouses

Earlier this week the internet was abuzz over Apple rejecting the official Google Voice (GV) iPhone app. This story was quickly followed by Apple removing every GV-enabled app already available in the App Store. The official GV app and all previously approved GV-enabled applications appear to have been removed from all international App Stores. Based on many accounts, the culprit behind this dastardly deed is none other than AT&T. Does this mean that AT&T, the U.S. mobile carrier, has veto authority across all U.S. and international App Store applications?

Outside of the obviousness of how utterly irresponsible Apple is behaving with their lack of professional administration of the App Store, I have to wonder why Google Voice is not allowed in the U.S. App Store and the other international App Stores. One logical explanation is that Google only submitted the official GV app to the U.S. App Store since Google Voice is currently only available for U.S. consumers. That still does not explain the perceived authority AT&T has displayed over the entire U.S. App Store.

I have never seen this information published anywhere, and a few quick web searches did not really yield a solid answer, but is the U.S. App Store intended solely for U.S. consumers who posses a valid U.S. address?

For example, are U.S. expatriates living in non-English speaking countries supposed to be forbidden from the U.S. App Store, thus forced to use the App Store tied to the country the live? If this is not the case, which I suspect, then why is AT&T allowed to dictate what applications are available to international consumers not using AT&T as a mobile provider?

Customers of SoftBank in Japan using GV-enabled applications do not interfere with the AT&T network whatsoever. Why does AT&T get to make the availability determination for the whole of the U.S. App Store even when the potential traffic will not travel through their network?

Another point I am interested in is the partnership between Apple and AT&T. Is the entire U.S. App Store somehow tied to AT&T? Think about that for a moment – if it is, then there is potential collusion and anticompetitive behavior taking place. Not as if that ever happens, right?

I wonder if one of the contractual obligations between Apple and AT&T is that AT&T gets some form of right of first refusal for all applications submitted to the U.S. App Store. Essentially, when AT&T deems necessary, they merely ask Apple to pull an app or disapprove a submission and the app is banished from the U.S. App Store. Based on the treatment of GV, the pulled GV-enabled applications and the SlingPlayer app, one certainly has to wonder if this is a possibility.

I have been quite disappointed since Apple started acting so irrationally with the App Store back in the first place. But now I am severely dismayed and wonder if this is even fixable. Apple, with its peculiar and secretive nature, will undoubtedly remain tight-lipped and never publicly comment on the issue.

The only good news to come out of this is that the FCC is looking in to the GV rejections. The agency sent letters to Google, Apple and AT&T, querying all three companies on the issue. Hopefully there is reconciliation, and the type consumers require – allowing GV-enabled applications in to the App Store.

Possibly Related Articles:

1. The iPhone App Store is One Huge Joke
2. Microsoft Announces Foray into Retail Store Sales Ala Apple
3. Apple Pulls Head Out of Its Ass, Allows Eucalyptus in App Store
4. Apple Condones Murdering Infants, Realizes It Screwed Up and Pulls App from App Store
5. Skype On The iPhone – Coming Soon To An App Store Near You

Being safe and smart when using the Internet is an issue that has been around since the rise of chatrooms and the exploitation of naive individuals by social predators. In other words, forever. The emphasis on being safe and not giving away details has always been young children or teenagers, since they’ve always been regarded as more trusting and the natural prey of social predators. It was assumed, of course, that adults would be more practical and less naive. As usual, we took for granted the processing power of the human brain.

While social networks like Facebook can give you access to invitations to parties and special online contests, it also opens you up to other things, such as:

• Being served legal papers, like the Australian couple who missed payments on their home loan
• Getting arrested, like the burglar who was nabbed by police via Facebook
• Being murdered because you changed your Facebook status, like this woman
• Getting fired because you surfed Facebook while you took a sickie like this woman
• Being outed by your wife when your job requires as much anonymity as possible like the head of Britain’s MI6 intelligence agency
• Getting fired because you decided to write your own book about your students like this teacher, even if it did contain the real names of your students
• Getting fired because you complained about work like this teacher

Of course, there are also real life incidences for which I have no links, for example:

• A certain relative’s girlfriend whose photo of her in a bikini was hijacked and put on a Malaysian porn website.
• Numerous instances when the opening conversation upon meeting some friends began with, “Oh my god, guess who just changed his/her status on Facebook to single/in a relationship”.
• An email that went around with the whole email thread of an employee of an Australian company who was fired because he took a sickie after a night out drinking and decided to declare so on his Facebook.
• Acquaintances who you haven’t seen for years creepily knowing almost everything that’s going on in your life because you or your friends put it up on Facebook.

Your first reaction might be that these people were idiots (which is quite likely to be true) and should have set their privacy settings properly. Well, think about it. If your manager asks you to be his friend on Facebook, do you say no? Even if he doesn’t, many companies have an IT policy allowing them to log your every key and browser history so they know exactly what websites you visit and what you type. Not many are aware of this because, let’s face it, who bothers reading the IT policy?

These are real issues facing real people. What may seem like an innocent statement may come back to bite you in the ass, especially if the practice of firing employees for comments, suggestions or insinuations made on social networking websites becomes common practice like it has in Australia and America. It’s about time that people start being smarter about social networking. Here are some suggestions to prevent any unintended issues when on a social networking site:

• Don’t forget who can see what you’re typing or putting up. Even if you’ve set your privacy settings to only allow approved people to view things, think about who has access to it. Can people who were not meant to see it (e.g. colleagues or bosses) have access to it?
• When posting photos, think about what you’re posting. Is this something that you wouldn’t mind going around? There is always the inherent possibility that someone will save the photo and put it up somewhere else, even if he is your friend.
• Be mindful that your work computer could be monitored by your company’s IT department, and excessive social networking while at work can raise red flags. Read your company’s IT and Privacy Policies carefully.
• For God’s sake, if your boss is a friend on Facebook, don’t advertise the fact that you’re taking a sickie when you’re actually not ill on your Facebook page! Also, don’t call him an anally retentive asshole, no matter how anally retentive he is.

Possibly Related Articles:

1. New York Times Issues Facebook Gag Order – Ethical Dilemma With Social Networking
2. Government Must Embrace Social Networking, Not Ban It
3. Social Network Mayhem
4. iPhone Is The Killer Mobile Social Networking Device
5. Facebook And Twitter Harming Our Brains?

Security clearances are not your sugar-coated M&Ms handed out on Halloween night to neighborhood kids tricking and treating. The United States government takes painstaking steps to determine a person’s [or an agency's] eligibility to access sensitive information and in turn issues a certificate of qualification.

But what have clearances come to stand for? Are they just a showpiece for employment eligibility or power play? Or worse yet, have clearances become an excuse to act inappropriately.

A recent article on FederalTimes.com points out standards for background investigations may be falling below acceptable levels. This is alarming considering how close a clearance ties a person’s character to the protection of national security.

Master Sgt. Rosene Goods, 56th Medical Group first sergeant sheds a bright light on how the military approaches security clearances. Pay close attention to the last consideration regarding technology systems:

Defense Department regulation 5200 2-R tells us that the ultimate determination of whether the granting or continuing of eligibility for a security clearance is clearly consistent with the interests of national security and must be an overall common sense determination based upon careful consideration of the member’s allegiance to the U.S., foreign influence, foreign preference, sexual behavior, personal conduct, financial considerations, alcohol consumption, drug involvement, emotional, mental and personality disorders, criminal conduct, security violations, outside activities, and misuse of information technology systems.

A quick example of misuse might be where a cleared government employee prints non-work related and potentially demoralizing material from his US government workstation.

The agency at this point has a prime opportunity to set strong precedence that this type of activity is not tolerated. And that this type of behavior is clearly not a case for the proverbial carpet lift. Any inaction by the agency inevitably sets a somber mood for overall agency morale. An inappropriate level of response by the agency also succeeds in diminishing security clearance value.

Comparing this employee’s actions to an employee printing out a work-sponsored insurance statement, well, it’s like comparing apples and oranges.

I hold an expired top secret clearance from days back in the Air Force and as a US Department of Defense contractor. The investigative process tied to acquiring that clearance [and keep it] was exhaustive. I felt confident that clearances weren’t just handed out to anyone. And the LAST thing I would do as a cleared employee is misuse my agency’s technology assets — not even to the smallest degree. Not even as a joke.

More commentary from Master Sgt. Rosene Goods:

…the individual may be disqualified if available information reflects a recent or recurring pattern of questionable judgment, irresponsibility or emotionally unstable behavior.

Those with active US government security clearances are expected to maintain the highest degree of work ethics. If you hold a clearance, then the next time you think about behaving in a questionable manner, think twice. Your clearance [and your image] is on the line.

Possibly Related Articles:

1. Flaw In Defense Contracting Of Information Technology Staff
2. Information Security Basics
3. Stop Password Masking – Is Usability More Crucial Than Security?
4. Navy Federal Credit Union Web Site Operating with Security Issue
5. A Small Touch Of Rich’s Hidden TechMiso Gems

Online banking users are hopefully aware of the need to login to their banks web-based system using secure means, such as via a web site protected using SSL encryption. Every legitimate bank offers such protection, normally disallowing customers the ability to login via unsecure means. But not every bank appears to be conscious of the myriad of potential security risks associated with their site. Navy Federal Credit Union is plagued by a huge security vulnerability on their web site and is possibly the easiest bank on which to perform a phishing expedition.

Updated – August 12, 2009: Added correspondence from the RSA Anti Fraud Command Centre and SliceHost Support regarding a take-down notice and trademark infringement claim. This little article has apparently generated some interest and visibility by an NFCU “security” contractor.

Updated – August 15, 2009: The saga appears to have come to an end as the RSA AFCC responds to SliceHost after TechMiso stipulates the content was not infringing. The attack dogs are ostensibly caged for now.

As web browsers have matured throughout the years their ability to quickly and easily identify secure web sites has gotten exponentially better. Years ago the only way to determine if a genuine SSL connection was established was to look for the lighted “lock” icon in both Internet Explorer and Netscape.

Fast forward to today where all current major browsers display the SSL connection status in the browser location bar. For example, Firefox 3.5 uses the leftmost side of the location bar to visually present the validity of the certificate presented by the server. If a valid Certificate Authority can verify the authenticity of the certificate, if company information is present in the certificate and if the fully qualified domain name on the certificate matches the one in the address bar then the background color of this area is green to let users know they are essentially safe from a potential phishing attack.

Any other combination of the above will result in a different background color, alerting to a probable security issue. At this juncture users should not attempt to login because there is a high risk for their data being stolen or misused.

But even with all the security controls offered by browser vendors, nothing can stop people from forsaking security for convenience. In this case, Navy Federal Credit Union (NFCU) does just that – it offers customers the ability to login to their web based banking system from their unsecured home page. How many users merely enter their credentials in the form provided without ever thinking twice about whether the site they are visiting truly is NFCU?

Even though the web browser does not display any sign of a secure connection or an authentic connection to navyfcu.org, rest assured most users make use of the convenient form on the home page. This is a huge security risk because it is ripe for phishing. By allowing users to login to an online bank from an unsecure, unverified site, those same customers could be tricked in to entering their credentials from just about any domain.

To their credit, NFCU does offer the ability to enter login credentials from a secured page. By clicking the home page “sign on” button with an empty form users are then redirected to an SSL-enabled page where they are assured the site being visited is in fact the authentic NFCU web site.

Even though the NFCU home page is unsecured and offers the ability to enter details on a potentially phished page, the form data is in fact submitted via secure means. So although users may use this less-than-secure yet convenient method of logging on to NFCU, their credentials are secure – assuming they are entering the data from the authentic site.

But the secure transportation of data to NFCU is not the issue in question. The issue is the complete and utter disregard NFCU displays for the potential for their customers to be phished by malicious attackers seeking to gain access to NFCU customer accounts. Any bad guy could easily copy the entire contents of the NFCU home page and everybody would be none the wiser because NFCU fails to follow industry standard security best practices.

The best solution to this issue is for NFCU to completely remove the login form from their home page and replace it with a huge “LOGIN HERE” button which, when clicked, takes users to the secure login page. It is easy to implement, can be done in a mere 5 minutes and is exponentially more secure than the current method. Additionally, this mitigates the potential risk from any phishing site because users will be able to identify NFCU via browser security controls.

Alternatively, NFCU can do what Chase has done and merely secure their home page via SSL, redirecting all http visitors to their https site. This approach essentially provides the same level of assurance the previous method does, but in a different manner. Assuring users they are visiting the authentic NFCU home page rather than some mirrored version being run by malicious attackers is the ultimate goal.

The NFCU web site has been run like this for years. Considering today’s climate, I find it very peculiar they continue to take on such liability and allow their users to be potentially phished so easily. While I am amazed to a degree, since the average user does not entirely comprehend these issues in full it does make sense to see NFCU allow this vulnerability to persist.

If your bank is doing anything similar, ensure you take the necessary steps to protect your login credentials from being phished. Otherwise, if there is no other recourse, close your account and contact the bank to explain why you will no longer conduct business with them to their lacking security controls.

Update 1 – July 19, 2009. It seems this article generated some interest from the RSA Anti Fraud Command Centre, a company “under contract to assist Navy Federal Credit Union in preventing or terminating online activity that targets, or may potentially target Navy Federal Credit Union’s clients as potential fraud victims.” It seems they are not too happy with the spirit of this post, which is pretty peculiar considering that we are pointing out a pretty serious, long-standing security flaw with the Navy Federal Credit Union web site. Here is the first email I received from the RSA Anti Fraud Command Centre:

Dear Sirs:

RSA, an anti-fraud and security company, is under contract to assist Navy Federal Credit Union in preventing or terminating online activity that targets, or may potentially target Navy Federal Credit Union’s clients as potential fraud victims.

RSA has been made aware that a domain name, which abuses Navy Federal Credit Union’s trademark, has been registered with you. This domain http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-with-security-issue/ not only violates Navy Federal Credit Union’s copyright, trademarks and other intellectual property rights, but may also become a host to a phishing attack, or other fraudulent scams against the bank and the bank’s clients.

The fraudulent website not only represents a misuse of Navy Federal Credit Union’s intellectual property; its purpose is to mislead the Navy Federal Credit Union clients. Our experience has shown that such sites become a host of phishing** and other fraudulent scams against the bank clients.

Please take all necessary steps to immediately shut down the fraudulent website, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this website.

We understand that you may not be aware of this improper use of your services and we appreciate your cooperation.

We specifically would ask that you also take the following actions (if relevant or possible):

Please provide us with a tar/zip file of the source code for this site, so that we may analyze it to help prevent further attacks.
If any customer data has been captured that is stored on your systems or equipment, please send us that data so that the customers to whom that data
relates can be notified and take steps to protect their credit.

Please provide a copy of any records you maintain that indicate the name, contact information, method of payment or similar information that may be useful in helping learn the identity and location of the customer for whom the website has been operated.

We specifically would ask that you also take provide a copy of any records you maintain that indicate the name, contact information, method of payment or similar information that may be useful in helping learn the identity and location of the customer for whom the website has been operated.

Thank you for your cooperation to prevent and terminate this fraudulent activity.

Sincerely,

RSA Anti Fraud Command Centre

Tel: +44(0)800-032-7751 (UK)
Tel: +1-866-408-7525 (US)
Fax: +972-9-9566658 (EU)
Fax: +1-212-208-4644 (US)
E-mail: afcc@rsasecurity.com
http://www.rsa.com
For more information about RSA’s AFCC http://www.rsa.com/node.aspx?id=3348

Navy Federal Credit Union Legal Department
contact Julie Griffin
AVP., Telecom
Tel: 703.206.3327/ 571.283.9930/ 703.919.9939
email: Julie_griffin@navyfederal.org

*”Phishing” is an e-mail scam that attempts to trick consumers into revealing personal information, such as their credit or debit account numbers, checking account information, Social Security Numbers, or banking account passwords, through an imposter’s Web site or in a reply e-mail.

At first glance I thought the RSAS AFCC email was bogus because of the what appears to be some severely lacking English skills. For an official inquiry, the email was peculiarly worded. After all, RSA surely must employ personnel capable of coherent and literate English skills. It just seemed really odd to go after TechMiso for an article designed to help point out a fatal flaw with NFCU’s web site and inform users of a smarter way to login to the banks site.

But after performing a bit of checking I was unable to find anything to truly lead me to believe this was a phishing attempt or a falsified claim. So I immediately responded to the RSA Anti Fraud Command Centre as well as Julie Griffin, the NFCU representative RSA asked me to contact, with the following reply:

Did you people bother to even read the article written at “the domain” specified in your email? Or, do you merely allow your bot to crawl the Internet uninhibited so that it may send out potentially libelous communications without verifying the authenticity of such claims prior to their transmission?

The article, which coincidentally I authored, is written about a web security vulnerability on the navyfcu.org web site. Ironic how a blog devoted to technology is improperly targeted by a business whichclaims it is under contract with NFCU for “preventing or terminating online activity that targets, or may potentially target Navy Federal Credit Union’s clients as potential fraud victims,” especially when the article was written to help shed light on a security issue with
NFCU’s web site!

Might I suggest you consider looking at the navyfcu.org web site and resolving the issue I outlined in the article at the URL cited below? More importantly, is it too much to ask that a human actually read the article before an automated bot send out emails to web site owners without verifying the validity of any potential issues?

If you have a specific claim with the TechMiso article then please kindly clarify your concern without the use of a form letter. We are more than willing to assist because we care about NFCU and its customers, hence the article we wrote which addresses our concern with security vulnerability on navyfcu.org.

TechMiso has no reason to immediately shut down because there is absolutely nothing fraudulent in use. As I mentioned, if you have an issue then please clarify what your concern is.

I look forward to hearing back from you.

Best Regards,

Scott Jarkoff
Faithful NFCU customer

I received the following response from RSA, which essentially completely ignored anything relevant.

Dear Sirs:

RSA, an anti-fraud and security company, is under contract to assist Navy Federal Credit Union in preventing or terminating online activity that targets, or may potentially target Navy Federal Credit Union’s clients as potential fraud victims.

The problem with the material on the blog is that it suggests that Navy Federal’s website is not secure.

You claim in your Blog that you care about NFCU and its customers whereas the blog you wrote only confuses and frightens the customers.

The bank has asked RSA Security to try taking the offending blog down.

It is true that the first page isn’t https secured but it is secured in different ways.

We will forward the complaint to the bank regarding the first login page.

Sincerely,

RSA Anti Fraud Command Centre

Tel: +44(0)800-032-7751 (UK)
Tel: +1-866-408-7525 (US)
Fax: +972-9-9566658 (EU)
Fax: +1-212-208-4644 (US)
E-mail: afcc@rsasecurity.com
http://www.rsa.com

For more information about RSA’s AFCC http://www.rsa.com/node.aspx?id=3348

Navy Federal Credit Union Legal Department
contact Julie Griffin
AVP., Telecom
Tel: 703.206.3327/ 571.283.9930/ 703.919.9939
email: Julie_griffin@navyfederal.org

*”Phishing” is an e-mail scam that attempts to trick consumers into revealing personal information, such as their credit or debit account numbers, checking account information, Social Security Numbers, or banking account passwords, through an imposter’s Web site or in a reply e-mail.

Their stipulation is that the material on TechMiso suggests the NFCU web site is not secure? Uh, hello – it’s not. If you read the entire article then you will understand why we make the claim we’re making. I wonder if these people are required to pass some form of English comprehension prior to signing on with RSA.

At this point I really questions whether this was a valid claim or not. It seemed so peculiar, and lacked any legal basis, that I decided to ignore any further emails from the RSA AFCC. I ended up receiving nothing more from this supposed security company.

It was at this point that Jennifer Sadler, someone purporting to be an NFCU Public Relations employee commented on the blog post, thanking us for the post. As far as I was concerned, this was proof positive that NFCU did not have an issue with the post and recognized the issue with their web site.

Update 2 – August 12, 2009. After figuring that the “fight” with the RSA AFCC was over because I had not heard from them in almost a month, I was very surprised to see an email from SliceHost support with the subject line “Trademark Infringement” sitting in my Inbox this morning. It seems the attack dogs at the RSA AFCC have not had enough miso soup and were back for more.

Apparently not convinced by our earlier conversation, these clowns have resorted to making a trademark infringement claim, most likely on the small little graphic in the upper-right of the post. Fair use? Moron in a hurry test?

Here is the email in full:

Dear Customer,

We have received a complaint alleging that you are infringing on the complainant’s trademark rights. A copy of the complaint is attached hereto.

We have established the following procedure for handling trademark infringement complaints where our customers appear as respondents:
(1) Upon receipt of a complaint, we will forward it to you.
(2) If you agree to take down or otherwise disable access to the allegedly infringing content, we will notify the complainant. If you do not agree to so, we will require that the complainant furnish us with the following information:
a) Federal trademark registration numbers the complainant relies on for his rights in the trademark(s) at issue. The trademark(s) must be registered on the principal register and registrations must be issued and active (not pending, not expired, cancelled, or abandoned).
b) The owner of the furnished trademark registrations as it appears on record with the USPTO. The name of the complainant must appear as the registrant of record.
c) The complainant must submit a statement attesting that, to the best of his knowledge, you do not have any implied or express permission from the complainant or his authorized parties to use the mark(s) nor do you make fair use of the mark(s).
In the event the complainant is unwilling or unable to supply the information, as outlined above, we will not provide assistance.
(3) If the complainant is able to satisfy the above information requirements, we will advise you that the complainant’s asserted rights appear valid and serve you with a 30-day takedown notice. In the event of non-compliance within the 30-day period, and absent any legal process served by you on Rackspace, precluding Rackspace from carrying out the takedown, Rackspace will be required to proceed with disabling access to the allegedly infringing content.

Please be advised that in the event Rackspace has to comply with the takedown demands, and you believe that the complaint is unsubstantiated, Rackspace recommends that you consult with your attorney regarding options relieving Rackspace of such responsibility.

Thank you for your attention to this matter.

Regards,
Renee Graves
Rackspace AUP
——————————————————-
Dear Sirs:

RSA, an anti-fraud and security company, is under contract to assist Navy Federal Credit Union in preventing or terminating online activity that targets, or may potentially target Navy Federal Credit Union’s clients as potential fraud victims.

RSA has been made aware that a domain name, which abuses Navy Federal Credit Union’s trademark, has been registered with you. This domain http://techmiso.com/2434/navy-federal-credit-union-web-site-operating-wi
th-security-issue/ not only violates Navy Federal Credit Union’s copyright, trademarks and other intellectual property rights, but may also become a host to a phishing attack, or other fraudulent scams against the bank and the bank’s clients.

The fraudulent website not only represents a misuse of Navy Federal Credit Union’s intellectual property; its purpose is to mislead the Navy Federal Credit Union clients. Our experience has shown that such sites become a host of phishing** and other fraudulent scams against the bank clients.

Please take all necessary steps to immediately shut down the fraudulent website, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this website.

We understand that you may not be aware of this improper use of your services and we appreciate your cooperation.

We specifically would ask that you also take the following actions (if relevant or possible):

* Please provide us with a tar/zip file of the source code for
this site, so that we may analyze it to help prevent further attacks.
* If any customer data has been captured that is stored on your
systems or equipment, please send us that data so that the customers to
whom that data

relates can be notified and take steps to protect their credit.

* Please provide a copy of any records you maintain that indicate
the name, contact information, method of payment or similar information
that may be useful in helping learn the identity and location of the
customer for whom the website has been operated.
*

We specifically would ask that you also take provide a copy of any records you maintain that indicate the name, contact information, method of payment or similar information that may be useful in helping learn the identity and location of the customer for whom the website has been operated.

Thank you for your cooperation to prevent and terminate this fraudulent activity.

Sincerely,

RSA Anti Fraud Command Centre
Tel: +44(0)800-032-7751 (UK)
Tel: +1-866-408-7525 (US)
Fax: +972-9-9566658 (EU)
Fax: +1-212-208-4644 (US)
E-mail: afcc@rsasecurity.com
http://www.rsa.com

For more information about RSA’s AFCC

http://www.rsa.com/node.aspx?id=3348

[49450]
—-
Slicehost Support
support@slicehost.com

What a complete and utter set of lies by the RSA AFCC! NFCU needs to settle these attack dogs down. What is there to gain by going after TechMiso other than a hot, steaming bowl of miso soup goodness?

I opted not to remove the content and promptly responded to the good folks at SliceHost with the following:

Hello Renee,

Thank you for the email and for contacting me about the trademark complaint submitted by RSA.

I do not agree to take down or disable access to the content specified in the complaint because I stipulate there is no trademark infringement taking place. The content is not an attempt to mislead NFCU clients but, rather, to inform them about a serious long-standing security issue with the NFCU web site. I already rejected the entire claim when RSA contacted me directly.

The article in question displays an image depicting a small portion of the NFCU web site, specifically the account access login form, and is in no way infringing on any NFCU trademarks. The article delves in to a long-lasting security issue with the NFCU web site and does not make any attempts to misrepresent NFCU or its trademarks. Our use of any potential NFCU marks under this claim are fair use.

More importantly, the infringement claim does not pass the “moron in a hurry test” at all. Any user visiting the content in question will surely *not* be confused in to believing they are at an officially sanctioned NFCU web site. For more information on the “moron in a hurry test” please visit http://en.wikipedia.org/wiki/A_moron_in_a_hurry

As I already mentioned, I have been in contact with RSA regarding this matter. They emailed me directly and I responded saying we will not remove the content because there is no infringement, misrepresentation or attempt to phish NFCU clients. In fact, an NFCU representative that RSA asked us to contact ended up commenting on the blog post, offering thanks for pointing out the security flaw.

In any event, thanks again for the email. Please let me know how you would like to proceed at this point.

Best Regards,

–
Scott Jarkoff
http://techmiso.com/

It should be interesting to see what type of response this generates. I am very interested in pursuing this and seeing how far the rabbit hole leads and where we end up.

Update 3 – August 15, 2009. I had not had an opportunity to update the site yesterday due to a very busy day at work. The latest actually arrived in my inbox Friday morning, August 14, 2009. The most recent email I sent to SliceHost, in response to the take-down notice RSA sent our hosting provider, seems to have convinced RSA to back down. The wonderful folks at SliceHost support sent me the following concise email:

Hello Scott,

I just received the following response from the complainant.

I will go ahead and close the ticket at this time. We will continue to monitor the incoming complaints and will let you know if something arises. Thanks for your cooperation in this matter. If you have any further questions or concerns, please feel free to contact us!

Kindest Regards,
Renee Graves
Rackspace AUP

—————————————————————————————————————
Dear Rack Space Team,

Please disregard the shut down request email below.

Best Regards,
RSA AFCC

I am very glad to see RSA has opted to stop fighting such a pointless battle. They would have made better use of their time and energy working to reconcile the issues with the NFCU web site rather than attempting to silence a blog aimed at helping inform their customers (incidentally, I am an NFCU customer so I care about this stuff) of a long-standing security issue.

I want to thank the SliceHost Support Team for their kind, professional and very helpful assistance with this issue. In this day and age, it is nice to have a provider who comprehends these types of issues and does not automatically act to disable a web site without allowing their customers to first respond to the take-down notice. This is a testament to their excellent customer service, and clearly depicts why SliceHost is one of the most popular web hosts these days.

Possibly Related Articles:

1. Stop Password Masking – Is Usability More Crucial Than Security?
2. On Twply, Giving Out Your Password and Other Security Issues
3. Hacked Twitter Accounts Highlight Need To Be Security Conscious
4. New No-Cost Security From Microsoft?
5. Security Clearance

I’m a homeowner, and only just recently decided to move into the house that I own. You may wonder what this has to do with TechMiso and why you should care. The answer is pretty simple: technology is all-encompassing and simplifies so many things in life. While I may have said that I’m unlikely to write about interior designing, I will write about the tools available to the average internet user that will simplify designing, decorating and making a dream home reality.

It has to be said that deciding how to overhaul a house and what to put in it is overwhelming. There are so many things to consider. First is, of course, the cost. Second is how to make the house comfortable and home to you by reflecting your personality. This kind of thing is highly subjective and is where I got stuck. How am I supposed to decide what to do to the damned pile of bricks if I don’t have anything in front of me to visualise? Especially since after a few trips back and forth to and from the place, I discovered that the house in my mind fits any amount of couches and tables and chairs, but the house in reality fits substantially less. After talking to a few people, I discovered that these were common issues with new homeowners, especially for those who can’t afford interior designers.

The answer was, of course, the internet. I thought, “Screw this. There has to be something on the net to help me.” Simple Google and Bing searches with the right search strings gave me several answers that ridiculously simplified my tasks.

• ColorSchemer is a website that helps you generate colour schemes for your home. You can use it to help you decide what colors to paint your walls or what colour furniture you need. There is also a downloadable version for your PC. The program isn’t just for choosing colours for your home, but for anything involving colours.
• The Plan Collection is essential if you’re starting from scratch and have no idea what to do. The website has a huge library of sample home plans. This really is like playing the Sims, except it’s much more detailed. The downside of the website is that it doesn’t seem to show plans for terraced or town houses and the like. Even so, it will really help a n00b to visualise what could be home.
• Of course, there are also softwares that allow you to design 3D models for your home. For example, there’s DesignWorkshop Lite, a free home design software which offers a good selection of basic features for someone who may only need it for just one home. For those who plan on doing it quite often, you may want to spend a bit (or a lot) more on more user friendly and extensive software. Here’s a selection of home design softwares with reviews and a list of specs. Some of them even let you design your landscape.

In general, there’s a lot of useful advice out there for those moving into their first home. The most useful I’ve found so far are:

• Decide what style you want your house to be. A green house? A modern house? Would you prefer something more kitschy? Once you decide on this, you’ll find it much easier to decide what you actually want in the house.
• Set out a budget for everything, including any renovation costs, installation costs, and the cost of furniture. It doesn’t matter if you keep having to change the figures. What matters is that you have an idea of exactly how much you’re spending.
• If you’re not sure how much to spend or if a brand you’re looking at is a good one, the general rule of thumb is to look around and see what people say about it. This especially applies to things that you want to last forever, like your bathroom tiles or your appliances. Googling or Binging for user reviews are essential to make sure you’re buying a good product.
• Don’t forget to think about the little things: security systems, fire extinguishers, power points, insurance, etc.
• Don’t be swayed by discounts or sale items. Before you go shopping, spend some time in the place and think about what you need. Take extensive measurements so you know the size of the furniture that should go into a particular spot. Otherwise, you may end up with a couch that’s way too big or a desk that’s too small.

Decorating your house really is a little bit like playing the Sims, especially if you use design tools that you can find online. Unfortunately, there’s no Undo command for real life, so make sure you know what you want. This is, of course, just a brief article on some things that I’ve found useful so far. If you have any tips or online tools that were useful to you, do feel free to share.

Possibly Related Articles:

1. Smartphones Enrich Your Life