
With the historical changes in technology most data is now stored in computers connected to the internet. Internet privacy is generally interpreted as the isolation from any intrusion or detection by others for any individual or their data while on the web (Standler, 2007). In the U.S. this issue of privacy on the internet has strong factions on all sides. All groups believe their side is correct. The government believes it has the right to invade an individual's privacy in the interests of national security: the idea is the needs of the many outweigh the needs of one citizen (Alexander, 2008). And there are the companies that collect data that feel it is their right to do so and then use it for their own ends. On the other side of the issue are many Americans who believe that their right to privacy is sacrosanct and this includes their use of the internet; they believe their privacy rights should supersede any and all U.S. governmental concerns.
A U.S. citizen's instinct for “privacy” for their data in relation to the internet is a primal need to protect what they “feel” or “sense” could be important. Logically that does make sense. Personal data like social security numbers, bank account numbers and passwords do need protecting. The data is valuable. And that same person while surfing the web could conceivably download a trial version of a video game with a spyware program attached that sends the personal data to an unknown source exposing the owner of the data to financial loss at the very least. Most experts agree that the levels of privacy intrusion cannot be thoroughly ascertained (Vest, 1998).
Privacy on the internet has been an issue of debate since individuals started surfing the internet. The reality is that there are degrees of privacy for the data for U.S. citizens logging on to the web. Some people would say that lots of general information doesn't need to be kept private or contained and serves some use for governmental agencies, professional facilities and others. And conversely some internet surfers want to shield their data from everyone and view any release of any information as an invasion of their privacy. It really depends on the definition of “private” for the data in question. An individual's private information may be acquired accidentally or intentionally during or after using the web. After that information is transferred into the hands of the party acquiring it, it becomes personal data that was not contained. So what about the responsibility of that party acquiring the data? They may store it, destroy it, use it or sell it, but one thing is certain about this data: if they have it, they are in control of your private information. The reality is that then you do not control your own information anymore and your ethical standards may not be theirs (Soma, 2005).
Most times the internet surfer is unaware of the levels of private data being retrieved that are about them. When an individual is surfing the web and has a firewall installed on their home computer the assumption by that individual is that they are anonymous. But in many cases some levels of data can be collected without consent or knowledge, all by using commonly accepted strategies. This type of data retrieval isn't even considered an intrusion on someone's privacy. These include: the use of cookies (bits of computer code), your HTTP URL address, the type of browser you use, cross-referenced search engine data published and found by spider programs, your use of electronic commerce in the past, the e-mails you receive, the spam you have allowed to pop up on your monitor screen and also your IRC and instant messenger history (Vest, 1998).
So the reality is far from the anonymity the web surfer who wants privacy seeks. Safier (2000) points out that guarding an individual's privacy on the internet is difficult with the common practice and extensive use of “cookies” and the coding being transferred between the web and a visitor's computer. Cookies are used as a recognition device by computers to identify and acknowledge requests. Most browsers we use to surf the web automatically support the use of cookies. Cookies assign a unique permanent identifier to your computer to associate any requests made to the visiting website (Schneier, 2008). Cookies have details about your visits to a website in the past and can record what individual parts of the website you have clicked on. They do not contain a surfer's name or address but can be used to help compile a profile to describe you (Safier, 2000).
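To make the cookie mechanics above concrete, the following added example (not part of the original essay) classifies `Set-Cookie` headers by lifetime, separating session cookies from the long-lived identifiers the paragraph describes. The sample headers are constructed, and the 30-day threshold, the 16-character "identifier-like" heuristic and all function names are assumptions for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie header values (sample data, not captured traffic).
SAMPLE_HEADERS = [
    "sid=8f3a; Path=/; HttpOnly; Secure",
    "uid=c0ffee1234567890; Max-Age=63072000; Path=/; Domain=.tracker.example",
    "prefs=lang-en; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
]
# Fixed reference time so the result is reproducible (assumption).
NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def lifetime_days(attrs, now):
    """Lifetime in days, or None for a session cookie (no expiry set)."""
    if "max-age" in attrs:  # Max-Age takes precedence over Expires (RFC 6265)
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        return (expires - now).total_seconds() / 86400
    return None


def audit(headers, now, persistent_days=30):
    """Flag cookies that outlive the browsing session and look like IDs."""
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        days = lifetime_days(attrs, now)
        findings.append({
            "name": name,
            "days": None if days is None else round(days),
            "persistent": days is not None and days > persistent_days,
            # Long opaque values are typical of per-browser identifiers.
            "id_like": len(value) >= 16,
            "secure": "secure" in attrs,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS, NOW):
        print(finding)
```

A cookie that is both `persistent` and `id_like` is the kind that lets a site recognise the same browser across visits; clearing cookies or restricting third-party cookies in the browser removes that handle.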
Many U.S. citizens believe protecting consumer privacy for data should be a mission for our government. But the agendas of our government sometimes are at odds with our need for privacy and security. And the government must balance their active interests in private data against the rules and regulations of our country (Schneier, 2008). Citizen privacy on the web seems to take a back seat when our government invokes a need for national security. Vijayan (2009) writes that historically the US governmental policies have generally held that security of the nation's interests must come first. From that point of logic it is a small leap to the creation of various U.S. legislative acts and the use of exotic software programs by our government.
Safier (2000) writes that President Clinton introduced the U.S. to “Cyberspace and the Information Age” on January 25, 1994 and explained that we as a nation would have instant access in the near future to vast amounts of information and technology. In the following six years this new industry made tremendous strides in the technology needed. As these telecommunications networks and cyberspace became feasible a growing concern was felt by the public towards the new technology (Standler, 2007). A 1992 opinion poll showed that 68% of Americans surveyed agreed that “the present use of computers represents an actual threat to personal privacy” (Safier, 2000).
Historically in 1986 the Electronic Communications Privacy Act was next enacted. Standler (2007) writes that the “Electronic Communications Privacy Act” (ECPA) specified a citizen's legal protection for our private electronic communications. This “Electronic Communications Privacy Act” explains that “it is illegal to use any form of electronic communication to convict or accuse someone of a crime without obtaining a prior search warrant”. Generally it describes areas of “privacy rights” for people who use “telephones, computers, cell phones or other means of electric transmission of communication like faxes or texting” (Standler, 2007). A number of court cases have questioned if this act protected a U.S. citizen's e-mail messages in transit or storage. The good news is that it does. Wire, oral, and electronic communications in transit are held to be private unless government surveillance is conducted by a court order (Standler, 2007).
But that was the past and before 9/11. The Patriot Act was passed on October 26, 2001 (Standler, 2007). This statute contained 15 different provisions; some of these covered new ways in which the “government could keep an eye on individuals and obtain private information” (Walker, 2008). The Patriot Act covers two different forms of power that can be invoked in order to rationalize surveillance (Coie, 2008). The Patriot Act detailed four main methods of cyber surveillance: “wiretaps, search warrants, pen/trap orders, and subpoenas” (Vijayan, 2009). Our government can now broaden the scope of situations for instigating surveillance. Justifying the surveillance in the past before the Patriot Act usually depended on first separating the territory that was involved: a choice between location: foreign or domestic (Standler, 2007). Schneier (2009) writes that in the U.S. the focus on internet privacy is affected by the post 9/11 politics of security versus privacy and that “security affects privacy only when it's based on identity, and there are limitations to that sort of approach, because of the processes used in auditing”.
The wording in the Patriot Act gives government agencies “a significant way to justify domestic locations” (EFF, 2001). Plesser (2002) writes that “many organizations interested in protecting civil liberties are concerned that the act inappropriately encroaches on the privacy rights of American citizens – and justly so”. Now with the passing and enabling of the Patriot Act, U.S. citizens must worry that there are more parties on the web actively looking for your data and some of them are the people elected and hired to protect you (Plesser, 2002). There is no doubt that our civil liberties are being eroded with the government's ability to “snoop into the private lives of its citizens, while it secretly gathers information for purposes of national security” (Walker, 2008). But spokesmen for governmental agencies would point out that the intrusion into our privacy is an acceptable necessity to stop terrorists and that does seem like a rational argument for the data's acquisition and use (Soma, 2005).
Presently one of our government's major roles is to detect terrorist activities and provide prevention actions. Safier (2000) writes that the “government is a big user of software for detection of data they are interested in” and to trust government regulation to enhance our privacy is a fallacy. Jason (1998) writes that a major method of surveillance by the US government since World War II is the Echelon spy network controlled by the U.S. National Security Agency. It functions as a joint project of a five-nation alliance (the U.S., Britain, Australia, Canada, and New Zealand) and is directed at civilians worldwide. The Echelon network is reputed to review millions of phone, fax, and modem signals around the globe at any moment, sifting out interesting details (Alexander, 2008). This software system uses a list of keywords linked to other key information categories; after identifying these qualifiers, it flags the data and sends it to analysts in each of the alliance countries (Jason, 1998). The U.S. National Security Agency controls Echelon and has a global staff of 38,000 and its resources are estimated at more than $3.6-billion. It can be assumed that some of this money is going towards programs like the Echelon spy network (Alexander, 2008).
We have had great technological improvements over the years that take advantage of communications and data transfer with more and more of it being relegated to the internet. With these advantages that give us online bill paying, YouTube viewing and the downloading of MP3s into our personal computers, we must change our perspective on protecting our privacy and the data that is behind it. We can never forget that spyware is waiting on the web to steal our private data. Real anonymity on the internet is usually a direct function of an individual's intentional methods to ensure privacy.
One direct way an individual can protect their privacy is to use specific software. “Tor” is a freeware program that helps you defend against many forms of network surveillance by bouncing your requests through volunteer routers that conceal your IP address (Officer, 2009). Using Firefox or Google Chrome instead of Explorer as a web browser will make your actions more private. And by using the Firefox browser with the “Torbutton” a web surfer can achieve a high degree of invisibility (Safier, 2000). But these actions and software only work if you also remember to not give away your information while on the web. Never forget that good and bad people are watching the web transmissions as packet coding as it goes between routers that pass your requests to servers on the web (Markoff, 2009). An individual that surfs the web should know what happens “behind the curtain”. To see this for yourself, simply “Google” the word “Wireshark”, then download the free software program and install it (Lemos, 2009). Turn it on to record traffic connecting to your network provider node that connects your network card in your computer. It initially shows your network card inside your computer and your service provider address connection to the Internet. Then, surprise: hundreds of queries and responses are passing on your public node point that connects to your home computer. Look closely at the data at the side and bottom and see that much of the information is “readable”. This query is for someone's mail slot; this packet is for this address; and so on. This software program is one of many available to gather data about traffic and individuals on the internet and is used by government agencies, companies employed by government agencies, corporations, security people, the simply curious and hackers (Alexander, 2008).
Attacks against our privacy for the acquisition of our data used to be random (phishing) as we surfed on the web. Now targeted individuals are being compromised with direct attacks against individual personal computers. Most notably Markoff (2009) writes that “Canadian researchers have concluded” that “a vast new electronic spying operation has infiltrated computers and has stolen documents from hundreds of government and private offices around the world, including those of the Dalai Lama.” Markoff (2009) describes this “GhostNet”, as it is called, as malware that is constantly traveling around the web. This newest threat to everyone's privacy doesn't randomly seek out and secure any information available but actively targets specific targets. This change in spyware tactics signals that we must change our assumptions of relative security and privacy when on the internet, assumptions that rested on the anonymity of being just one person in vast numbers of web surfers. Now we must all worry that our privacy can be targeted with this new malware that can specifically go after specific targets.
What the future will bring is an educated guess. Personal privacy on the internet is being eroded from all sides on a continual basis. Vijayan (2009) writes that another infringement into US privacy is now being considered. This internet security bill introduced in the U.S. Senate this second week in April 2009 is the latest proposed intrusion. The cyber security bill seeks to give our president new powers over private-sector networks. Called the “Cyber Security Act of 2009”, this bill would “give the president the power to declare security emergencies and then curtail or shut down Internet traffic to and from any compromised federal or critical infrastructure networks” (Markoff, 2009). It proposes that an individual's right to connect to or operate in privacy on the internet “be superseded simply when a medium to high level governmental official deems it necessary” (Vijayan, 2009).
The reality is that due to technological advances in the last 35 years most everyone's personal data is stored numerous times somewhere on the web (Soma, 2005). This data is scattered and stored on a host of various tax and census government computers, bank and credit card account infrastructure computers, hospital databases and more. So what is the answer to creating and maintaining a person's privacy? Sandler (1997) writes that the easiest method is to never disclose any information to anyone but this extreme action then disallows a range of useful activities: surfing the internet, paying bills, entering medical records, applying for a job, taking a college class online and checking bank balances. So rather than be totally reclusive maybe the answer lies in using various protection software and in watching where and when we go online and to whom and how we allow our information to be gathered. We must never assume that the gatherers are willing and able to protect and keep private our data. That is our responsibility.
References
Alexander, N. (2008). Social Repression and Internet Surveillance. Information clearinghouse. Retrieved on March 21, 2009 from http://www.informationclearinghouse.info/article18998.htm
Coie, P. (2008). Privacy: Government Regulation. Internet Law Treatise. Retrieved March 29, 2009 from http://ilt.eff.org/index.php/Privacy:_Government_Regulation
EFF. (Oct 31, 2001). Analysis of The Provisions Of The USA PATRIOT Act That Relate To Online Activities. Retrieved April 7, 2009 from http://www.eff.org/Privacy/Surveillance/Terrorism_militias/20011031_eff_usa_patriot_analysis.html
Lemos, R. (2009). Tenuous trail leads from Ghost Net to hacker. Security Focus. Retrieved April 6, 2009 from http://www.securityfocus.com/brief/940
Markoff, J. (2009 March 28). Vast Spy System Loots Computers in 103 Countries. The New York Times. Retrieved April 4, 2009 from http://www.nytimes.com/2009/03/29/technology/29spy.html?_r=1
Officer, C. (2009). Protecting your Privacy on the Internet. OPC IT and Internet Issues. www.privacy.gov. Retrieved April 7, 2009 from http://www.privacy.gov.au/internet/internet_privacy/#2.2
Plesser, R. (2002 March). USA Patriot Act. Electronic Frontier Foundation. www.USADOJ.gov. Retrieved April 10, 2009 from http://74.125.47.132/search?q=cache:I-QWrGgYY5AJ:www.usdoj.gov/olp/pdf/sunsets_report_final.pdf+Plesser,+R.+2002+March.+USA+Patriot+Act+For+Internet+And+Communications+Companies.&cd=6&hl=en&ct=clnk&gl=us
Safier, S. (2000). Between Big Brother and the Bottom Line: Privacy in Cyberspace. Virginia Journal of Law and Technology. Retrieved April 7, 2009 from http://www.vjolt.net/vol5/issue2/v5i2a6-Safier.html
Schneier, B. (2008 December 15). Audit. Crypto-Gram Newsletter. Retrieved April 5 2009 from http://www.schneier.com/crypto-gram-0812.html#1
Soma, J. (2005 June 11). Balance of privacy vs. security: a historical perspective of the USA PATRIOT Act. Rutgers Computer & Technology Law Journal. Retrieved April 7, 2009 from http://www.accessmylibrary.com/coms2/summary_0286-12328237_ITM
Standler, R. (2007). Privacy Law in the USA. www.rbs2.com. Retrieved March 31, 2009 from http://www.rbs2.com/privacy.htm
Vest, J. (1998 August 18). Listening In - The U.S.-led ECHELON spy network is eavesdropping on the whole world. Village Voice.com. Retrieved April 10, 2009 from http://www.villagevoice.com/1998-08-18/news/listening-in/
Vijayan, J. (2009, April 3). Erosion of Individual Privacy. Next Chapter: The Web of Foundations. Retrieved April 5, 2009 from http://www.mega.nu/ampp/privacy.html
Walker, B. & Raschke, G. (2008). Right to Privacy vs. National Security. How can the privacy rights of U.S. citizens be balanced against the government's need to secure its citizens and their information assets? National Security for the 21st Century. Gatech.edu. Retrieved April 5, 2009 from http://www.library.gatech.edu/security/privacy.htm