Microsoft has released its Law Enforcement Requests Report for the first six months of 2013. It is the second such report they have issued. The report “…details the number of requests for data we received from law enforcement agencies around the world, and how Microsoft responds to those requests. It covers requests for data relating to all of Microsoft’s online and cloud services, including Skype.” The report is not permitted to give detailed information about the type and volume of any national security orders (e.g. FISA Orders and FISA Directives), so these are not included in the report. However, they do summarize the aggregate volume of National Security Letters received.
Most of the data is in line with the report for the year 2012, so it makes one wonder about all of the recent hype: Just how much data is really being disclosed? It’s nice to have some real facts from at least one source to help evaluate the current state of things. Here are some of the more pertinent facts:
Microsoft (including Skype) received 37,196 requests from law enforcement agencies potentially impacting 66,539 accounts in the first six months of this year. This compares to 75,378 requests and 137,424 potential accounts in the whole of 2012.
Approximately 77 percent of requests resulted in the disclosure of “non-content data”. No data at all was disclosed in nearly 21 percent of requests.
Only a small number of requests result in the disclosure of customer content data, just 2.19 percent of total requests. 92 percent of the requests that resulted in the disclosure of customer content were from United States law enforcement agencies. This is again, broadly in line with what we saw in 2012.
What is interesting is the majority of the requests come from only five countries:
While we see requests from a large number of countries, when you look at the overall number, the requests are fairly concentrated with over 73% of requests coming from five countries, the United States, Turkey, Germany, the United Kingdom, and France. For Skype the requests were similarly concentrated, with four countries, the US, UK, France and Germany, accounting for over 70 percent of requests.
One thing really stands out for me and that is the position that Microsoft is taking on the sharing of information regarding FISA requests and national security. This is encouraging.
We believe this data is valuable and useful to the community that is looking to better understand these issues. However we recognize that this report—focused on law enforcement and excluding national security—only paints part of the picture. We believe the U.S. Constitution guarantees our freedom to share more information with you and are therefore are currently petitioning the federal government for permission to publish more detailed data relating to any legal demands we may have received from the U.S. pursuant to the Foreign Intelligence Surveillance Act (FISA).
Every year, Secunia publishes its Secunia Vulnerability Review. The 2013 version results do not bode well for our state of security. Here are some of their findings from 2012:
In 2012, 2,503 vulnerable products were discovered with a total of 9,776 vulnerabilities in them.
There’s an average of 4 vulnerabilities per vulnerable product.
Vulnerabilities were discovered in 2,503 products from 421 vendors.
The number shows a 15% increase in the five year trend, and a 5% increase from 2011 to 2012.
One fifth of the criticalities discovered in all products were rated as either ‘Highly critical’ (18.3%) or ‘Extremely critical’ (0.5%).
With an 80% share, the primary attack vector for all products was Remote Network.
Two things concern me: 1. That the trend is increasing; and, 2. That remote attacks are the primary vector. This tells me that we have to get better at hardening our perimeters and educating our users to keep the doors to our network closed.
And, of course, software companies need to work harder at closing security holes.
Time to lighten up a bit. Even though this is a cutely disguised ad for Sophos products, it’s funny. Who doesn’t have someone who comes in for a daily “I forgot my password?” I’ve gotten to the point where I see the faces and know what they need.
According to this nakedsecurity blog post, “A recent investigation has concluded that 73% of the 40,000 most popular websites that use WordPress software are vulnerable to attack.” Vulnerability researchers EnableSecurity carried out the study and was reported by WordPress security firm WP WhiteSecurity. The investigators qualified their statistics a bit with this statement: “The tools used for this research are still being developed therefore some statistics might not be accurate.” Nevertheless, it warrants your attention if you are running WordPress.
Here are ten steps that Sophos recommends to bolster your WordPress security:
- Always run the very latest version of WordPress
- Always run the very latest versions of your plugins and themes
- Be conservative in your selection of plugins and themes
- Delete the admin user and remove unused plugins, themes and users
- Make sure every user has their own strong password
- Enable two factor authentication for all your users
- Force both logins and admin access to use HTTPS
- Generate complex secret keys for your wp-config.php file
- Consider hosting with a dedicated WordPress hosting company
- Put a Web Application Firewall in front of your website
No matter how much we would like to think it’s possible, perfect security is unattainable. Install a moat and 40-foot high walls around your village and the enemy will use trebuchets to throw fireballs at you. Build a stronger lock and someone will come along with stronger bolt cutters. Install the latest firewall and IDS and hackers will use social engineering to attack you from inside the perimeter. No matter what security measures you employ, someone will come up with a way to defeat them. There is no such thing as perfect security.
There is, however, such a thing as effective security for a given situation, what I call Minimum Effective Security (MES). I define MES as follows:
Minimum Effective Security is that set of surveillance, barriers and countermeasures adequate to protect against known threats that could reasonably be expected to be leveled against the protected assets.
If you think about it, the key word here is “adequate.” But adequate against what? You have to identify the threats that you could reasonably expect given the value of the assets. So, you first have to establish the impact a successful attack would have: Minor inconvenience, or major loss?
You probably wouldn’t be too concerned about putting up video surveillance cameras to monitor your backyard tool shed nor would a perimeter wall be necessary. Depending on the value of the contents, you might want to install an inexpensive audible alarm and/or motion sensor lights. More than likely, however you’ll simply have good hinges and a strong hasp with a sturdy lock. Adequate.
On the other hand, you would equip your home with a robust, monitored security and fire detection system and you would probably have at least a camera at the main entrance.
How about your home network? You certainly don’t need an expensive commercial grade firewall and IDS; a good consumer grade NAT router with built-in firewall features would probably be adequate. Of course, keeping your system and applications up to date with security patches would have to be part of that mix to qualify as adequate security. Of course, you’ll want a good backup strategy.
If your home network is also part of your business, you’ll need a bit more than the above to qualify as adequate security. You would probably want to encrypt critical data and you’ll certainly want multiple backups with at least one stored offsite.
You get the idea. You have to take a good look at the types of threats you can reasonably expect given your circumstances and then work out what would be adequate. Naturally, there is nothing wrong with going beyond adequate; it won’t hurt a bit to put stronger measures in place if that makes you feel more comfortable.
Just make sure you always achieve and maintain Minimum Effective Security.
According to USA Today, The NSA and its British counterpart, the Government Communications Headquarters (GCHQ) have cracked encryption codes and have inserted secret “back doors” into security software through covert partnerships with technology companies and ISPs.
Perhaps I’ve gotten numb over all of this because I am not surprised.
Our friends at LastPass, however, want to make it very clear that they will have nothing to do with these shenanigans. In fact, they will shut down their service before cooperating with the government goons. Here’s an excerpt from a September 10 blog post:
With news that the United States National Security Agency has deliberately inserted weaknesses into security products and attempted to modify NIST standards, questions have been raised about how these actions affect LastPass and our customers. We want to directly address whether LastPass has been or could be weakened, and whether our users’ data remains secure.
In short, we have not weakened our product or introduced a backdoor, and haven’t been asked to do so. If we were forced by law to take these actions, we’d fight it. If we were unable to successfully fight it, we would consider shutting down the service. We will not break our commitment to our customers.
This is right in line with the way I feel about covert government operations and is one of the big reasons I will continue to stick with LastPass. They conclude with this:
We have built a tradition of being open and honest with our community, and continue to put the security and privacy of our customers first. We will continue to monitor the situation and change course as needed, with updates to our community when necessary.
Microsoft’s Patch Tuesday will be a big one, with 14 patches, eight of which address remote code execution holes.
The biggest patch is Bulletin 3, rated critical, addressing remote code execution vulnerabilities in all versions of Internet Explorer from IE 6 on Windows XP to IE 10 on Windows 8, including Windows 8 RT. This patch requires a reboot.
In addition to remote code execution (RCE) vulnerabilities, the patches also address privilege elevation and denial of service flaws.
I’ve written a lot about passwords in this blog and for many security and tech bloggers, it remains and evergreen topic. For all its problems, the password still holds sway as the primary authentication method. But with attacks becoming ever more sophisticated and predictable use of weak, guessable passwords, one has to wonder how long can we really keep on using them?
In theory, a password is an ideal authentication token, assuming knowledge of it resides only in the mind of the owner and it is securely stored on any other systems only in encrypted form. Practically, however, we know that this is rarely the case.
So what does the future hold? How can we replace the ubiquitous password with something more secure and less vulnerable to attack?
In life, we authenticate each other mainly by facial recognition, sometimes by voice (as in over the phone). Faces and voices are all unique and probably impossible to duplicate, though a voiceprint pattern could probably be altered by physical surgery. How about some combination of facial recognition combined with a spoken passphrase? That would give you three factors: face, voiceprint, passphrase.
Palmprints, fingerprints, iris scans could all be used to capitalize on the uniqueness of these things to authenticate you and various combinations of things could be devised.
The problem with these things, however, is that the hardware and software necessary to implement them effectively presents costs in terms of both money and system overhead. Facial recognition and voiceprint could be easily implemented using web cam and built in microphones on laptops and other smart devices.
Without a doubt, we eventually will see the password replaced by better methods. What do you think those methods will be?
Time to lighten up a bit. This hokey “PSA” about phishing is really true, but the payoff in hilarity comes at the end. Pay careful attention to the “date” that Bob managed to finally get from that online dating site.
Hope your July was great and here’s to a fantastic month of August!
One more on the dangers of the internet and this one is the best yet. Good tips wrapped up in a credible story.