A few weeks ago, I talked a little bit about the threat of de-anonymization. In this week’s Cyber Risk Report, we discuss another facet of this growing problem of data collection: persistent digital traces deposited through everyday activities. Specifically, we discussed how mobile phone location and activity data can reveal a person’s habits, relationships, identity, friendships, and even job satisfaction. If the threat of de-anonymization is eroding our privacy and putting our personal information at risk, then the persistent collection of digital information that could feasibly be de-anonymized is creating a pervasive threat to our personal lives.
Earlier this month, the online edition of The Telegraph published an article under the title “50 things that are being killed by the Internet.” Some of the items listed cannot be attributed solely to the Internet, though the Internet has contributed to them and brought them to light (e.g., not paying for music, or wanting free but authoritative reference works), and other items are signs of progress (e.g., moving from printed fanzines to online ones). But all that aside, the Internet and the World Wide Web do have tremendous influence on the way we live, work, play and learn.
Today we announced the September 2009 bundle of Cisco IOS Software Security Advisories. In line with our previous announcements, this grouping of advisories discloses security vulnerabilities in Cisco IOS Software.
Information on the vulnerabilities disclosed today can be found at the Cisco Security Advisory listing page. Additionally, we create an Event Response Page (ERP) for our advisory bundles as we’ve done for Microsoft vulnerabilities since June 2007. These Event Response Pages are designed to be a starting point for your vulnerability triage needs. The pages contain links to important documents as well as the assigned CVEs and CVSS scores. The ERP for the IOS vulnerabilities disclosed today can be found over at our Security Intelligence Operations portal.
The bundling concept was implemented in response to feedback that the lack of an announced schedule for Cisco IOS Software vulnerability disclosure was not allowing customers to appropriately plan for and integrate security advisories into their management processes. As a general rule, our advisory bundle timelines are limited to Cisco IOS Software and do not include any other Cisco products or operating systems. However, if the same vulnerability exists in Cisco IOS Software and another product—for example Cisco IOS-XE or Unified Communications Manager—we will work to release the corresponding advisories simultaneously. In fact, this was done today and in September 2008 when we disclosed SIP-related vulnerabilities that affected both Cisco Unified Communication Manager and Cisco IOS Software.
Independent security researchers announced a new vulnerability in Microsoft Windows Vista and Windows Server 2008 on the day of the September Microsoft security bulletin announcement. Although first publicized as a denial of service vulnerability, a security advisory from Microsoft later confirmed that attackers could leverage the vulnerability to execute arbitrary code. Although exploit code in some private vulnerability testing tools has been reported, no public examples of exploit code exist.
The vulnerability relates to flaws in the Windows Server Message Block 2 (SMB2) networking component included in Windows Vista and Windows Server 2008. Although SMB2 is also included in Windows 7 and Windows Server 2008 R2, changes in the component have rendered these systems unaffected. No updates are currently available that correct the vulnerability on affected platforms.
Paul Ohm’s recent paper about the failures of anonymization brought to light some very compelling arguments against the practice. The goal of anonymization is to remove personally identifying details without removing other usefulness from a dataset. As an example, a company might take out names, social security numbers, day and month of birth, street address and credit card information from their customer dataset, but leave purchase history. Such an anonymized dataset might be useful to a marketing partner to identify trends in some generalized demographics that could help them to make more effective decisions in marketing products to future and returning customers.
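As an added illustration of why stripping direct identifiers is not the whole story (example code written for this post, not from Ohm’s paper or any Cisco tool; the field names and the five customer records are constructed), the following strips the fields named above and then measures how many records remain unique on what is left behind, which is the check a data owner would want before handing a dataset to a partner:

```python
from collections import Counter

# Direct identifiers the text says a company would strip before sharing.
DIRECT_IDENTIFIERS = {"name", "ssn", "birth_day_month", "street_address", "credit_card"}

# Constructed sample records (hypothetical field names, fake values).
CUSTOMERS = [
    {"name": "A. Smith", "ssn": "000-00-0001", "birth_day_month": "03-14",
     "street_address": "1 Elm St", "credit_card": "4111-0000-0000-0001",
     "zip": "02139", "purchases": ("running shoes", "yoga mat")},
    {"name": "B. Jones", "ssn": "000-00-0002", "birth_day_month": "07-02",
     "street_address": "2 Elm St", "credit_card": "4111-0000-0000-0002",
     "zip": "02139", "purchases": ("running shoes", "yoga mat")},
    {"name": "C. Lee", "ssn": "000-00-0003", "birth_day_month": "11-30",
     "street_address": "3 Oak Ave", "credit_card": "4111-0000-0000-0003",
     "zip": "02139", "purchases": ("guitar strings",)},
    {"name": "D. Diaz", "ssn": "000-00-0004", "birth_day_month": "01-09",
     "street_address": "4 Oak Ave", "credit_card": "4111-0000-0000-0004",
     "zip": "10001", "purchases": ("baby formula", "diapers")},
    {"name": "E. Khan", "ssn": "000-00-0005", "birth_day_month": "05-21",
     "street_address": "5 Pine Rd", "credit_card": "4111-0000-0000-0005",
     "zip": "10001", "purchases": ("baby formula", "diapers")},
]

def anonymize(records, drop=DIRECT_IDENTIFIERS):
    """Remove direct identifiers; every other field is passed through unchanged."""
    return [{k: v for k, v in r.items() if k not in drop} for r in records]

def _key(record, fields):
    return tuple(record.get(f) for f in fields)

def k_anonymity(records, fields):
    """Smallest group of records sharing the same values on `fields` (k=1: someone is unique)."""
    counts = Counter(_key(r, fields) for r in records)
    return min(counts.values())

def unique_fraction(records, fields):
    """Share of records that are the only one with their combination of `fields`."""
    counts = Counter(_key(r, fields) for r in records)
    return sum(1 for r in records if counts[_key(r, fields)] == 1) / len(records)

if __name__ == "__main__":
    shared = anonymize(CUSTOMERS)
    # Purchase history left in the dataset drives k down to 1 for this sample.
    for fields in (("zip",), ("zip", "purchases")):
        print(fields, "k =", k_anonymity(shared, fields),
              "unique =", unique_fraction(shared, fields))
```

A k of 1 on the retained fields means at least one customer is the only record with that combination, so the stripped names offer no protection for that person once any outside source ties the combination to them.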