Archive for the 'Security' Category

Some secure fun! - Part 3

A while ago, we produced some videos related to security in order to try alternative means of getting the word out on security. Traditional means were not working. We tried white papers, a website and e-mails. The second video in this series has some fun with viruses.

Info security: U - R - IT

The key to security is embedded in the word itself:

U R IT

If not you, then who?
If not now, then when?

During your typical day, you may be exposed to situations where you are vulnerable to a security breach (e.g. a PDA or laptop left in a car, unmonitored office doors open to the public, contracts in plain view). And then there are the risks to your computers themselves: viruses, hacks and phishers.

You need to be prepared to:
Access - Remediate - Monitor

Building and sustaining an effective information security program requires resolve, commitment and know-how. This is why educating agents, staff and executive management on security fundamentals has become essential. As a result, NAR’s Center for REALTOR(R) Technology is launching the ‘Summer of Security’ educational initiative. We want to continue to offer you the "know-how." Together with your resolve and commitment, sound information security is achievable!

The Summer of Security initiative is a part of the REALTOR Secure program and consists of a weekly e-mail containing helpful and relevant information on security issues. Our goal is to create a culture through which you become more conscious of the need for security and better understand why security measures are relevant to you and your business. Our purpose is not just to convey information, but also to compel you to evaluate what you do and how you do it, and make changes as appropriate. This topic is important for you and for our industry.

The Summer of Security effort represents NAR’s commitment to bring you practical information and guidance: ideas that you can put into action immediately to improve your security and enhance your business position.

We look forward to presenting this educational initiative to you throughout this summer. We encourage you to share these mail messages with others in your organizations, post them to your web site and publish them in your newsletters, etc. If you would like to receive the Summer of Security series by newsletter, please drop me a note and you’ll be added to the list.

Thanks for tuning in.

Some secure fun - Part 2

A while ago, we produced some videos related to security in order to try alternative means of getting the word out on security. Traditional means were not working. We tried white papers, a website and e-mails. The second video in this series has some fun with Identity Theft from a financial perspective.

Enjoy and I’ll post more over time.

Some secure fun! Part 1

A while ago, we produced some videos related to security in order to try alternative means of getting the word out on security. Traditional means were not working. We tried white papers, a website and e-mails. The first video has some fun with identity theft. We had fun making them, and this venue is as good as any to distribute them.

Enjoy and I’ll post more over time.

Security policies and procedures

I had a post yesterday that focused on the security events at Midyear. However, given the attention that the recent breach of personal information at the Department of Veterans Affairs has been receiving, it might be a good time for you to consider your organization’s policies and procedures surrounding protection of personal identity information. It appears that the incident could have been prevented if policies, already in place, were followed.

NAR has two programs that directly focus on protecting consumer and employee information.

The recently announced "Deter, Detect and Defend" initiative aims to educate consumers, particularly home buyers, about the devastating effects of identity theft and help them protect themselves against it.

NAR’s REALTOR Secure program is an information security best practices program that allows industry firms to confirm that they have the right policies, procedures and technologies in place to prevent these types of incidents.

And we at CRT are available to help on the security education front. Over a hundred industry firms have benefited from CRT’s outreach program with information security being one of the prime topics.

So to ‘take advantage’ of this event you could:
- Review your policies and ensure that you have the appropriate use procedures in place.
- Send a reminder about your policies and the need for following them.
- Use it to educate senior management about the need for protecting information.
- Ask executive management to reinforce the need to follow security policies to avoid these situations.

Midyear topics

The NAR Midyear Legislative Meetings & Trade Expo took place last week in Washington DC. This is one of the best NAR meetings because of the number of attendees and the focus of the events. Besides the business of running NAR and a great trade expo, REALTORS get the opportunity to meet with elected officials and put forth the REALTORS’ agenda on Capitol Hill.

One item that received prominent attention at the Midyear meeting is security. It was a part of many topics as well as having its own session.

First, the National Association of REALTORS and the Federal Trade Commission have formed a partnership to prevent identity theft. The program, “Deter, Detect and Defend,” aims to educate consumers, particularly home buyers, about the devastating effects of identity theft and help them protect themselves against it.

CRT and Clareity

CRT and Clareity Security will be working together on Single Sign-On approaches within RETS (Real Estate Transaction Standard). We are targeting a deliverable for the RETS Group that can be discussed at their next meeting. 

Single Sign-on allows you to access several secure applications, but only requires you to "login" once.  This capability will be important for bridging MLS Systems and TMS (Transaction Management Systems).

Phone calls will be scheduled for the community throughout the summer and I’ll let you know how you can keep up with this important step forward.

CRT at Association Executives Institute

I was at AEI this past weekend in Reno, Nevada. CRT provided wireless Internet access for attendees and participated in several Institute sessions.

The first session was "Information Security - What AEs need to Know."  It featured Mac McMillan of CynergisTek and Doug Eddy of MRIS as speakers. The session focused on how information security can be used as a business enabler, threats that are on the rise, and how NAR’s Realtor Secure program can provide resources to an AE to assist their security efforts.

The second session looked at new business models that are on the rise in the real estate industry.  It looked at vertical and horizontal search companies, real estate portals, and online brokerage models.  It highlighted companies like Zillow.com and Trulia and how AEs can learn from them.  It was a lively session with many questions and comments.

Another session presented by CRT was about PolicyPage, CRT’s Internet compliance tool. I must commend the attendees at the PolicyPage session - it was at 7:00 am on the last day of the conference and had over 50 attendees. From the reaction of the audience, we at CRT will be anticipating an increase in the number of PolicyPage users.

The conference was titled "Find Your Winning Combination."  That theme reminds me that there are many aspects and groups that need to be combined for a successful association. One aspect of an association and its MLS that is constantly increasing is ‘technology’ and the conference sessions certainly reflected that.  Many sessions featured a technology theme which indicates just how important it has become for success in real estate.  One that I found informative included the AE Forum where the new "The Consumer: Catalyst of Change" report was covered.  Another well attended and lively session included "The Future Face of REALTOR® Associations and MLSs."  Both these sessions stressed how technology and the consumer use of it is changing real estate information needs and practices.

Who watches the Watchmen?

The mainstream media is finally picking up a story that’s had the geek press abuzz for a week or so: since about mid-2004, Sony BMG Music Entertainment has been shipping CDs with a certain Digital Rights Management scheme on them. This DRM has been revealed this week to actually be a rootkit.

A rootkit is a set of software tools frequently used by a third party (usually an intruder) after gaining access to a computer system. These tools are intended to conceal running processes, files or system data, which helps an intruder maintain access to a system without the user’s knowledge. (source: http://en.wikipedia.org/wiki/Rootkit)

As per the definition, this rootkit used spyware-like techniques to hide its presence, and didn’t provide any means to uninstall it. If you were smart enough to be able to detect it and remove the rootkit, it would end up breaking the functionality of your operating system. For example, after it was removed, you could find that your CD and DVD drives have gone missing.

It also had some other interesting attributes. Using its “cloaking abilities,” a programmer found a way to use it to disable/evade anti-cheating mechanisms in the popular World of Warcraft on-line role playing game. Once people started going over the files with a fine-tooth comb, it was discovered that it appears to contain code from the open source projects LAME and VLC, violating the terms of their licenses.

Due to the outcry, Sony released an uninstaller which could be loaded via the web. However, the uninstaller caused an even bigger security problem than the original rootkit. Once you ran the uninstaller, it stayed around, and any web site you visited after that point could download any code it wanted to your computer and execute it.

Renowned security technologist Bruce Schneier wrote "Real Story of the Rogue Rootkit" for Wired. Schneier starts with a nice summary of what has happened on the security side of things and the anti-customer attitude that seems to be coming from Sony. Unlike everyone else who has been screaming just about the security, Schneier takes a look at a more interesting and scary aspect.

The story to pay attention to here is the collusion between big media companies who try to control what we do on our computers and computer-security companies who are supposed to be protecting us.

What do you think of your antivirus company, the one that didn’t notice Sony’s rootkit as it infected half a million computers? And this isn’t one of those lightning-fast internet worms; this one has been spreading since mid-2004. Because it spread through infected CDs, not through internet connections, they didn’t notice? This is exactly the kind of thing we’re paying those companies to detect — especially because the rootkit was phoning home.

The only thing that makes this rootkit legitimate is that a multinational corporation put it on your computer, not a criminal organization.

I really suggest you read the whole article. It’s a great primer on the disasters that can happen down this way. The thing that is lucky for us as computer users (and Sony as a company) is that nothing was compromised as a result of this. It could have been much, much worse than just egg on Sony’s face; think about the infections at the Department of Defense (mentioned in the Schneier article).

We often hear talk about using DRM in real estate; some of the suggestions are pretty draconian and anti-customer. As people in the real estate industry we need to look at nightmare scenarios like this as an example of what not to do. I’d rather sit back and let the people at the forefront of DRM take the lumps and figure out what works and doesn’t work. This is a single company taking a lump, but if the real estate industry as a whole makes a wrong DRM turn, it could be disastrous for the industry as a whole.

One last thing: in case you’re curious or are afraid you might be infected, a list of CDs that are infected can be found on this page provided by the Electronic Frontier Foundation (EFF).

I’d like to also give a big word of thanks to BoingBoing for their insanely good coverage of this. I wouldn’t have half the information stated above if they hadn’t linked to it.

Two factor authentication

In the past year, we at CRT have been involved in many discussions about the use of two factor authentication in the real estate industry. Two factor authentication is a more secure method for users to access systems than the traditional user ID and password combination. Two factor authentication reduces the risks associated with passwords, like hacking, guessing and sharing. Two factor authentication combines something you have with something you know to provide access authorization to a system - like ATMs or, in real estate’s case, to an MLS system. Two factor authentication also requires the use of a one time code (OTC) as the required password or part of the password when combined with a user PIN.
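The PIN-plus-one-time-code check described above can be sketched as follows. This is an added example, not code from CRT or from any vendor named on this page; it assumes the open RFC 4226 HOTP algorithm as a stand-in for a token's code generator, and the `TokenAccount` class and its fields are hypothetical.

```python
import hashlib
import hmac
import os
import struct

# RFC 4226 Appendix D test key; a real token gets its own random secret.
SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 one-time code: HMAC-SHA1 of the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class TokenAccount:
    """Hypothetical server-side record: PIN (know) plus token secret (have)."""

    def __init__(self, pin: str, secret: bytes):
        self.salt = os.urandom(16)
        self.pin_hash = self._hash_pin(pin)  # the PIN itself is never stored
        self.secret = secret
        self.counter = 0                     # lowest counter still acceptable

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def verify(self, passcode: str, digits: int = 6, window: int = 3) -> bool:
        """Check a PIN+OTC passcode; each code is accepted at most once."""
        pin, otc = passcode[:-digits], passcode[-digits:].encode()
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self.pin_hash)
        matched = None
        # Look a few counters ahead in case the token was pressed unused.
        for c in range(self.counter, self.counter + window + 1):
            candidate = hotp(self.secret, c, digits).encode()
            if matched is None and hmac.compare_digest(candidate, otc):
                matched = c
        if not (pin_ok and matched is not None):
            return False
        self.counter = matched + 1  # burn this code and every earlier one
        return True
```

Because the counter advances on every success, a passcode that is shared or captured after use no longer works, which is the property a static password lacks.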

Within real estate there have been several implementations of two factor authentication for user access to MLS systems. Recently there have been case studies published reviewing a couple of these implementations. These studies can assist you if you’re investigating these alternatives.

In its October issue SC Magazine reviewed an implementation at the Consolidated Multiple Listing Service in Columbia, S.C. This implementation featured the use of the Secure Computing strong authentication solution and was headed by Clareity Consulting.

Another review takes a look at the implementation of a strong authentication solution at the Mid Florida Regional MLS. The Mid Florida implementation used the RSA SecurID token and was supported by the Secure Content Group.

CRT believes that two factor authentication can play a significant role in protecting real estate information if implemented properly and for the right reasons. However, we’ve been approached by organizations who seem to be putting the cart ahead of the horse when considering two factor authentication. In one instance, a large MLS wanted to implement a two factor solution, but would not support a policy that required members to change their password on a regular interval. They were willing to throw tens of thousands of dollars at the perceived issue, but were not willing to take a stand that required members to change their passwords because of the politics involved and push back they might receive. This does not seem like the right reason to implement strong authentication. We at CRT are in favor of standards that require users to change MLS access passwords on a regular interval. In our experience we’ve seen the implementation of a password ‘change’ policy eliminate many ‘rogue use’ issues.

In addition to the companies mentioned above, those considering two factor authentication may want to consider companies like PortWise and Swivel. These two factor companies employ ‘token less’ solutions (utilizing a member’s cell phone or other mobile device) that can offer a significant saving when compared to the cost of deploying a hardware based solution like RSA and Secure Computing. A token less solution eliminates much of the expense of the hardware token and its distribution administration.