News of the week

Some news of this week that caught my eye:

  • A claim for a new “indestructible” rootkit: BadBIOS: true or advertisement? See here.
  • Lavabit and Silent Circle join forces in the Dark Mail Alliance to create a really secure end-to-end email service. See here.
  • Amazon will build a 600M USD cloud for the CIA, IBM is not too happy about that… See here.
  • Bitcoin “crisis” and the advent of Litecoin: what is going on in the world of online currencies? See here for a report and here for the latest news.

Linkedin Intro-duces Intro

LinkedIn has introduced a service called Intro, for the moment only for iPhone users. Here are some details about it.

I am very puzzled by the “How it works” details, and in particular by all the possible issues with the use of private, personal or company information: Intro works by installing an iOS configuration profile that routes the user's e-mail through LinkedIn's servers, which can then read and rewrite every message in transit. Here are some relevant arguments against this new service which are worth reading and considering.

Will tablets kill desktop PCs?

A few days ago IDC released (see here and here) a forecast according to which by 2017 87% of connected devices will be tablets and smartphones. Desktop PC sales will go down, whereas tablet and smartphone sales will grow by double digits.

This does not surprise me: most users do not need a full PC to browse the web and access the few applications they use, which by now are mostly “in the cloud”. Ease of access, intuitive interfaces and great graphics are more important than the full power of a desktop PC with all possible kinds of resident applications (which the user would then have to manage).

Security and all kinds of management should be done by the device provider, ideally transparently to the user or with very limited user participation.

Privacy and the dissemination of personal information are the only issue which directly involves every user, and on this point we will need to improve quite a lot.

Obviously, work-related PC requirements are different, and for this use desktop PCs will remain, albeit in reduced numbers.

Social Engineering, Password Reset and DNS Hijack

The DNS provider Web.com has been subject to a social engineering attack which allowed a pro-Palestine hacking gang to successfully reset the passwords of a few important customers, and then use the new passwords to change the DNS records of their domain names so that they resolved to other sites. See for example here for a description of the attack.

Again and again, as of today the technical side does not look to be the weak side of ICT security. In particular cryptography, when correctly implemented and deployed, is sound and reliable, and many technical ICT security products deliver what they promise.

On the other side, username and password have shown once more how inadequate they are to support our current security needs. But what can we use instead? Note that in this case the weak link was not the password itself but the reset procedure around it: a stronger credential does not help if the recovery path, and the support staff who verify the identity of whoever asks for a reset, are weaker than the credential it replaces.

The general problem lies mostly in our limited ability to make a system “secure” by combining logical, physical and procedural measures into a 360-degree protection. Indeed, the security level of a system is that of its weakest point, which for most systems means that they are really insecure.

Physical Security and ATM withdrawals

Lax physical security means access to the hardware and the possibility to install and run whatever you want on it: whoever can open the cabinet can connect to the ATM's internal PC, and from there dispense cash without any card or account. This is just what happened to some ATMs in Mexico, see for example here.

It is just a reminder that logical security alone does not work. You always have to start from the hardware on which your software runs and have a comprehensive, i.e. “holistic”, approach to security.

Device fingerprinting and user tracking

A recent study by KU Leuven-iMinds researchers points out that device and web-browser fingerprinting is on the rise, in spite of all the efforts to limit it such as the introduction of the “Do Not Track” HTTP header. Note that DNT is only a request which a site is free to ignore, and fingerprinting needs no cookies at all: it derives a stable identifier from attributes the browser exposes anyway (user agent, screen size, time zone, installed fonts and plugins), so deleting cookies does not reset it.

This does not surprise me, since advertising and marketing are usually at odds with privacy, and it is not well understood by most people what the real meaning and breadth is of the information that can be collected by tracking users on the internet.

On the other side, device fingerprinting is a very useful tool for the ICT security of web transactions: knowing which device is making the transaction and to which user it is (usually) associated, added to the geolocation of IP addresses and other information, can make the difference between a valid transaction and an attempted fraud.

In the end the most important issue is by whom and how a tool is used, and this holds true in particular for security tools: a gun in the hand of a policeman should be used to a good end, but the same gun in the hand of a thief should be illegal.

It never happens to me :-(

ICT “glitches” are the smaller brothers of “bugs”, which in turn can become major security disasters. Well, sometimes they can make us (the ones innocently benefiting from the glitch) happy, or at least they can make us laugh. This case is quite notable: “Bank error makes restaurant manager the world’s first ever trillionaire (and he even offered to pay off the national debt before the glitch was spotted)”.

I am also addicted to the blog “IT Hiccups of the Week”, which sometimes reports on some very good discounts (due to one kind of glitch or another) that we just missed at our local supermarket.