Microsoft CardSpace Broken Already

It is a simple attack, but it seems that Microsoft’s latest attempt to create a secure retail experience on the web has already been compromised. ComputerWorld provides a simple explanation:

The attack against CardSpace involves directing a user to a malicious Web server. In the explanation, the attack involves modifying the victim’s DNS settings — another trick known as “pharming” — and directing the person to the malicious Web server, which is then able to grab the authentication token.

This suggests that there is an improper trust relationship to initiate communication, which is not far from the problem already faced by web consumers. What then is the benefit of CardSpace?
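The trust problem raised above is easiest to see in code. The following is an added example, not part of the original post and not how CardSpace itself is implemented: it shows the defensive pattern of binding an authentication token to the identity of the server the client actually verified over TLS (here a certificate fingerprint), so that a token handed to a pharmed server is scoped to that server and is rejected by the genuine relying party. The identity provider key, the certificate bytes and the function names are all constructed for the illustration.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed key shared by the identity provider (IdP) and the relying party (RP).
# Hypothetical: a real deployment would use a signature key, not a shared secret.
IDP_KEY = b"constructed-idp-signing-key"


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a server certificate; the bytes here stand in for DER."""
    return hashlib.sha256(cert_der).hexdigest()


def issue_token(user: str, rp_fingerprint: str) -> str:
    """IdP side: issue a token whose audience ('aud') is the fingerprint of the
    server certificate the client saw on its TLS connection to the relying party."""
    claims = {"sub": user, "aud": rp_fingerprint}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    tag = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, own_fingerprint: str) -> Optional[dict]:
    """RP side: accept a token only if the IdP tag is intact and the audience
    matches this relying party's own certificate fingerprint."""
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or modified token
    claims = json.loads(base64.urlsafe_b64decode(body))
    if not hmac.compare_digest(claims.get("aud", ""), own_fingerprint):
        return None  # token was issued for some other server (e.g. a pharmed host)
    return claims


def login_via_server(user: str, server_cert: bytes) -> str:
    """Client side: whatever server DNS led the client to, the client asks the IdP
    for a token scoped to the certificate that server presented."""
    return issue_token(user, fingerprint(server_cert))


def demo():
    """Issue a token through the genuine RP and one through a pharmed server,
    then let the genuine RP verify both."""
    real_rp_cert = b"constructed DER bytes for the genuine relying party"
    pharmed_cert = b"constructed DER bytes for the attacker's server"
    real_fp = fingerprint(real_rp_cert)

    token_ok = login_via_server("alice", real_rp_cert)
    token_pharmed = login_via_server("alice", pharmed_cert)

    # The first verifies; the second is scoped to the wrong server and is rejected.
    return verify_token(token_ok, real_fp), verify_token(token_pharmed, real_fp)


if __name__ == "__main__":
    print(demo())
```

The check only helps if the client really validates the server certificate before asking for a token; a pharmed host that presents a certificate for its own name gets a token scoped to itself, which is useless at the genuine relying party, while a client that trusts the DNS answer alone hands over a token the attacker can replay.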

California AB 1298?

There was some minor news towards the end of 2007 about an extension of the California privacy laws. In brief (pun not intended), AB 1298 was written to include medical data in the definition of what should be protected by breach law. The now famous SB 1386 was too narrow.

California’s data-breach law – the first in the nation – previously covered only financial information. It took effect on July 1, 2003, and inspired similar laws in more than 40 states. Most of those laws don’t cover medical information, however; Delaware and Arkansas are among the few that do.

In July 2006, Republican Gov. Arnold Schwarzenegger issued an executive order to store medical records on computers, which probably will result in more data breaches, said Robert Herrell, a legislative assistant to Assemblyman Dave Jones, D-Sacramento, who wrote the bill.

I hardly think it fair to give such credit to CA without mentioning the medical records provision of HIPAA. Anyway, the big deal is that medical information is unprotected and people need to know when it is mismanaged to the point of being lost or stolen:

Federal privacy and security regulations have not been enough to protect patients as medical information moves onto computers. A survey in 2006 by Phoenix Health Systems showed that 39 percent of health care providers and 33 percent of insurers reported security incidents in the previous six months. Only 56 percent of providers had implemented federal security standards and 78 percent complied with federal privacy standards. Thirteen percent of insurers were out of compliance with federal privacy standards.

[…]

California’s law also was written because the World Privacy Forum, a nonprofit group in San Diego, issued a report in 2006 on medical identity theft. About a quarter of a million people per year are victims of this crime, according to Pam Dixon, the report’s author.

“I think a lot of organizations will end up being surprised by this law,” Dixon said.

They really should have been headed in that direction anyway. I am just surprised that several months have passed since October 2007 when AB 1298 became law (with a vote of 76-0!) and I have not been hearing more AB 1298 discussion. Perhaps breach disclosure/privacy laws have become mainstream.

The best report I have seen so far on this was published by Frank Russo, where he describes in detail the benefits of both AB 1168 and AB 1298.

Why I Love Gartner

Newsflash: Gartner says social-networking technology could be the next security threat. Or maybe not the next one, but soon. Or maybe not soon, but eventually. You know, like they have noticed that people use social networking and software delivered over the Internet so those are probably going to have some security issues with them, and at some point you should probably think about it. Maybe think about it right about when you are already thinking about it and say to yourself “oh, yeah, Gartner said this would be a problem”.

Pescatore didn’t provide specific timeframes for these next-generation threats, but he says they could hit anywhere from two to six years from now.

“Threat forecasting is fun – it’s like weather forecasting and about as precise as weather forecasting,” Pescatore says. “But the key is if the climate changes, we want to understand it.”

Great stuff. Gartner, thanks for offering to understand and notify me of climate change after it has already happened, or predict that the weather will be different two to six years from now.

This smells a lot less like weather forecasting and more like gag-gift rocks that say “If I’m wet, it’s raining; If I’m missing, it’s really, really windy”.