Matt Cohen is Clareity Consulting's Chief Technologist. Matt consults to MLSs, Associations, brokerages, and many real estate industry software companies and has spoken at conferences, workshops and leadership retreats around the country on a wide variety of MLS-related topics. Matt is a well-regarded real estate industry expert on industry trends, software design, product management, project management, and information security. Clareity Consulting was founded in 1996 to provide information technology consulting to the real estate industry and its related businesses.
That's great, until it becomes popular and there's a single vulnerable implementation where your information is intercepted and can then be replayed electronically ad nauseam.
Biometrics are neat, but there's a great rule of thumb (no pun intended) in security - never use a key (cryptographic or physical) you can't change when it has been compromised.
With the latest version of Elcomsoft Distributed Password Recovery (costing about $1,000) it is now possible for someone to 'sniff' a wireless network, intercept just a few packets, then crack your WPA or WPA2 keys in just days or weeks. This works against static keys - anyone using more complicated authentication schemes will not be at risk ... for now.
So, I recommend not using any non-encrypted traffic (other than casual web browsing) when using a wireless network. That means HTTPS, VPN, and other encrypted protocols only. And keep changing those wireless encryption keys - and mitigate the risk as much as you can by using STRONG encryption keys.
This is for my readers who are, or who manage, web application programmers. I sent this update to my security assessment clients about a month ago but the urgency has continued to increase as attack rates are rising ...
I've been seeing a lot more injection attacks on industry sites - some automated, some manual. If you have web applications and haven't been testing for SQL and XSS injections - get on that PRONTO!
Even if you think your input validation is under control be careful - attackers are getting a LOT sneakier:
* Using HTML entities instead of the characters themselves, and encodings like UTF-8, overlong UTF-8, UTF-7, Unicode, US-ASCII and even hex. Watch out for 'declare' and 'cast' in inputs ... not your friend.
* Not using special characters - leaving off the single quotes, using 'fromCharCode' to create them, or even using grave accents as a replacement.
* Messing up regular expressions looking for SCRIPT by embedding tabs, spaces, carriage returns - or encoded versions of the same!
* Sending you naughty content not just through traditional inputs and URL strings, but through cookie manipulation.
* Leveraging your platform - such as SSI (if installed), renaming JS files to image extensions for upload, even using your application platform to create the script.
* Going beyond JavaScript and using VBScript.
* Injecting into image tags - including dynsrc and lowsrc attributes, in BODY onloads, in CSS calls, in titles, meta tags, iframes, TD backgrounds, DIV styles, BASE tags, OBJECT tags, XML, Flash actionscript and more!
I think my "favorite" workaround for XSS validation is where the validator gets rid of script tags in inputs but doesn't search recursively, so the hacker inputs "[SCR[SCRIPT]IPT]", the validator gets rid of the middle "[SCRIPT]", leaving.... "[SCRIPT]"!
And they're using every combination of the above that you can think of!!!
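As an added illustration (not code from the original post), the Python below shows the non-recursive strip defect just described, a fixed-point version that closes it, canonicalization before checking so that the entity and hex-encoded variants listed above do not slip past a detector, and output encoding, which is the defense that does not depend on recognizing bad input at all. All function names and sample inputs are constructed for this example.

```python
# Added illustration for the XSS filter bypasses described above; not code
# from the original post. All sample inputs below are constructed.
import html
import re
from urllib.parse import unquote

# Matches an opening <script ...> or closing </script> tag, case-insensitively.
SCRIPT_TAG = re.compile(r"</?\s*script\b[^>]*>", re.IGNORECASE)


def strip_script_once(value: str) -> str:
    """The broken blacklist filter: removes script tags in a single pass.

    A nested payload such as '<scr<script>ipt>' loses only its middle,
    and the remainder reassembles into a working tag.
    """
    return SCRIPT_TAG.sub("", value)


def strip_script_recursive(value: str) -> str:
    """Repeats the strip until the text stops changing (a fixed point),
    so tags that reassemble after one pass are removed on the next."""
    while True:
        stripped = SCRIPT_TAG.sub("", value)
        if stripped == value:
            return stripped
        value = stripped


def canonicalize(value: str) -> str:
    """Decodes percent-encoding and HTML entities until nothing changes,
    so a check sees the form the browser will eventually see.

    Decoding to a fixed point is appropriate for detection only; do not
    feed the result back into the application, because legitimate input
    that contained a literal '%3C' would be altered as well.
    """
    while True:
        decoded = html.unescape(unquote(value))
        if decoded == value:
            return decoded
        value = decoded


def looks_like_script(value: str) -> bool:
    """Detection check for logging or alerting: is there a script tag
    in the raw input or in any decoded form of it?"""
    return SCRIPT_TAG.search(canonicalize(value)) is not None


def encode_for_html(value: str) -> str:
    """Output encoding: the defense that does not depend on recognising
    bad input. Every character with HTML meaning becomes an entity, so
    nested or encoded variants are rendered as inert text."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    nested = "<scr<script>ipt>alert(1)</scr</script>ipt>"
    print(strip_script_once(nested))           # <script>alert(1)</script>
    print(strip_script_recursive(nested))      # alert(1)
    print(looks_like_script("%3Cscript%3E"))   # True
    print(encode_for_html("<script>alert(1)</script>"))
```

The single-pass strip leaves exactly the tag it was meant to remove, while the raw-input check misses the percent-encoded form that `canonicalize` exposes.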
Many of my MLS, association, and brokerage clients have computers in their offices that they allow visitors to use or which are used by employees for limited purposes. Windows Vista Home and Ultimate editions have easy to use controls that you can use to increase the manageability and security of those computers as well as lower the amount of maintenance they need as a result of user activities.
I'm referring to the "Parental Controls" features, which can be accessed through the main Windows menu, selecting Control Panel, and then Parental Controls. Assuming that you only allow your visitors and employees to access computers using a non-Administrative account - an Administrator account would let them change these settings at will - you can use Parental Controls to enforce useful policies for a specific user's login account. These policies include restricting web use to specific sites or types of web sites, putting time limits on when the computer can be used, and allowing or blocking specific programs.
The Web Filter allows you to limit use to specific web sites that you specify. This is a very powerful feature because if you only intend a computer to be used to access the MLS system, your organization's web site, or other specific sites, you can restrict the user to those "white-listed" sites only. If you do that, the chance of them visiting inappropriate sites or downloading malware is greatly reduced. You can also specify that the user cannot download any files to the computer. Not letting users save unwanted files decreases how often staff must 'clean' the computers, providing a management cost savings. Vista also comes with a web filter that attempts to block sites based on different types of content (e.g. pornography, hate speech, etc.); however, I'm not confident that these filters are foolproof. But if you have a policy regarding harassment or other Internet misuse, the least you can do is to enable this type of filtering, perfect or not.
Time limits are useful if you have users that you only expect to use the computer during a specific time of day and/or when the computer use can be supervised. It's easy to set specific days and hours when the computer can or cannot be used.
The Parental Controls that allow you to "Allow and block specific programs" (Application Restrictions) are also very easy to use. If you limit computer use to only those applications that are needed, it increases the computer's security by making it somewhat harder for users to install and use unapproved software and for malware to be accidentally executed by the user. Not letting users clog up computers with unwanted programs also decreases how often staff has to 'clean' the computers - additional management cost savings.
There are a number of additional features in the Parental Controls as well, including usage reporting and game-blocking features. Just remember, no one tool will be a silver bullet when it comes to security - but if you have deployed Windows Vista Home or Ultimate editions in your business you may find Parental Controls a useful tool to increase the manageability and security of your computers.
Email is one of the most dangerous activities any of us does online. The way most companies implement email, it’s trivial for email account access to be compromised and for sensitive information (human resources, budgets, etc.) to get into the wrong hands. SPAM reduces our organizational efficiency and malicious software often enters networks through email. What can be done to lower these risks?
First, find out - by looking at your email settings or talking to your network staff or ISP - if you are using an unencrypted protocol (POP or IMAP) to get your email. If so, then someone – an employee or other fellow network user using a ‘sniffer’ tool - can capture your login information and intercept the emails. If your email provider can’t provide you a secure protocol, you must take other steps to encrypt the emails. If you are using a public network, you can encrypt all your network traffic – including your emails – by using a Virtual Private Network (VPN). If your company has a firewall that includes VPN capability and you connect to it before checking your email, then the traffic can’t be ‘sniffed’ as easily.
Note that my blog is hosted by Internet Crusade, and their email solutions are fully capable of secure protocols such as SSL encryption for POP mail – according to Mike Barnett you just have to ask for it and they can hook you up!
You can also encrypt your email and attachments in other ways. While this doesn’t stop people from ‘sniffing’ an insecure email protocol, it can stop people from reading email and opening attachments that are sent to them by accident. Encrypting the whole email is not easy for the non-techie, depends on the platform being used for sending and receiving email, and gets most complex when the sender and receiver are on different platforms. Helping the reader navigate this maze is not something that can be done in a short article. In terms of encrypting files and email attachments on Windows computers, I’m fond of free-to-inexpensive products from http://www.kryptel.com/.
The next tool in your security arsenal is to use company policy to educate employees on safer email behaviors. The policy can include instructions not to use email to distribute offensive materials, not to send or forward SPAM, how to try to recognize phishing, pre-texting, or other social engineering involving email, not to send confidential information via email and when to use encryption, and not to open attachments from un-trusted sources – or even from trusted sources without phone verification. The policy should also set the expectation that email may be monitored for policy compliance, and that there should be no expectation of privacy. The policy may also set email security standards for technical staff to implement, such as whether email servers pass on executable attachments at all.
None of the above steps address SPAM and the tremendous threat of malicious software that can be attached to email. At a time when spammers are becoming ever more sophisticated at evading anti-spam tools and free tools are available for hackers to create malicious software that cannot be detected by most anti-virus and anti-malware tools, making the right technology choices is more important than ever. As part of the ongoing support provided after an Information Security Assessment, Clareity Consulting has guided many clients through the maze of technical options that might work best for their individual needs, and strongly encourages its clients to take reasonable steps to secure their email, as it is one of the largest threats to organizational information security.
I'm very excited about some of the new security improvements in the new Firefox 3 browser release.
One improvement is some built-in protection against Cross-Site Scripting (XSS) attacks, though it's important to note that the vulnerabilities extant on many of our industry sites are still not caught by the Firefox filter. Firefox add-ons that I have mentioned in the past on this blog, including NoScript and NoRef are still of value, and the Firefox improvements don't mean vendors don't need to follow secure coding practices consistently and that users don't need to be very careful about the sites they visit.
Another improvement is seen just to the right of the address bar (now called the "Awesome Bar" in Firefox). That area now shows the site's icon (or a blank page if the site has no icon) with a color background that makes it easier for users to see the security status of the page. As you can see below, colors include gray, blue, green (and red) and if you click on the icon you can get more information about the site.
Grey is normal - no SSL encryption on the connection or other identifying information about the site.
Blue means you are viewing the site through an SSL certificate and all content (even images) are being transmitted to and from the site encrypted.
Green means there's not only an SSL certificate, but also an "Extended Validation Certificate" (a.k.a. EV Cert) that means the site owner (not just the site) has been validated in some way by a "certifying authority". These certificates are spendy (about $500 / year), and some people complain that they are an unnecessary expense. That will certainly be an ongoing argument!
There's also a RED color - this means a site is known to cause compromise - I'm not going to a site of that nature to collect an image - sorry!
The 'More Information' button lets you see if you have visited the site before today, if there is a cookie (and lets you see the cookie contents), if you have saved passwords for the site in the browser (tsk!), if the connection is encrypted, and also lets you see information about the site owner.
Internet Explorer 7 and Opera 9.5 both also have support for the EV Cert, but I think that Firefox's implementation is the most 'in your face' and in that way, the best.
Some believe (and others don't) that the color approach (including EV Cert) is still vulnerable to homograph and picture-in-picture attacks (sorry about the tech-vocab...) - but I still think this approach is a worthwhile endeavor toward reducing phishing attacks and I applaud Mozilla Firefox for improving its interface to be helpful in this way.
More than half of REALTORS® use Personal Digital Assistants (PDAs) – devices that create a significant information security risk. Real estate professionals use PDAs to store sensitive data, including email, contacts, documents, spreadsheets, passwords, bank account information, and MLS data. More than a quarter of PDAs are lost, according to a 2003 survey conducted by Pointsec Mobile Technologies, and that’s just one part of the problem. PDAs and memory cards are stolen or infected by viruses; wireless transmissions are intercepted, and many professionals don't enable passwords on their devices, allowing anyone who finds or steals their PDA to see their data. Besides keeping as little information as possible on your PDA, there are many steps you can take to secure it:
The most basic step is to reduce the risk of losing the PDA. Keep it locked up in a briefcase, desk drawer, or lockable case when not in use - do not leave the PDA unattended in plain sight.
Require a hard-to-guess password to access the device and its applications - if you don't already require a password on startup, there's nothing to stop someone from accessing your information. Whatever you do, don't configure your PDA applications to memorize your application and web site passwords.
Most people are not aware that viruses can affect their PDA. There are many anti-virus tools for PDAs, and you can download free antivirus software for some PDA models from Trend Micro (http://www.trendmicro.com/download/product.asp?productid=2).
Using a wireless connection poses a substantial risk that your information can be intercepted. If you must use an unencrypted wireless connection, the web sites and email providers you use should provide an SSL encryption option to reduce your risk. If your office or service provider offers a Virtual Private Network (VPN), that will provide an even greater degree of protection.
Many security products for PDAs exist to encrypt the information on the device - they put a password on your data, which you must enter to access the information. Examples include:
To encrypt your data on a Blackberry with a password already set, just click Options > Security and set Content Protection to "Enabled".
There's no such thing as perfect security. If you run a program from an untrusted source on your PDA, none of the steps mentioned above will be a cure-all. But, if you've taken the basic steps to secure your PDA and have your email address on the back, you don't have to worry as much about the information on a lost PDA – and you may even get lucky and have it returned to you.
I received yet another call from a company that had suffered an information security breach and now needs help to assess and address issues. I hate when companies wait until this point to start dealing with security. Everyone is stressed out and demoralized. Worst of all, in this case right after the breach they immediately fired the CTO - the person I would normally be working cooperatively with and providing a hands-on education on information security practices. IMHO, since the executive didn't have a comprehensive information security policy lifecycle in place to address the type of issue that caused the breach, he should have been fired himself, as he was to blame!
This is a quick five-question quiz for brokers and executives (not for techies) that can be used to gauge whether your business is taking key steps to protect itself from information security breaches.
Does your business perform initial background checks on staff?
[ ] Yes   [ ] No
Without employee screening – initially and ongoing – you could be putting private consumer information at risk and exposing your company to privacy liability issues resulting from identity theft or other misuse of your clients' private information.
Are office visitors ever left unattended in employee areas where computers are left logged in or sensitive information is on desktops or in unlocked filing cabinets?
[ ] Yes   [ ] No
Physical security is often a far bigger risk for information security than computer settings. Whether it’s a backup tape, a piece of paper from the listing or closing process that has sensitive consumer information on it, or information on an employee, physical security is your first line of defense in information security.
Do you have security policies covering everything from how to handle sensitive information to how to securely install and configure computers? Are new employees trained on these policies initially and are veteran employees “refreshed” at least annually?
[ ] Yes   [ ] No
Policies and procedure are the bedrock of an information security program. Without a thorough set of policies educating employees on how to help your business stay secure, and without ongoing education, monitoring and enforcement of policies, it’s likely that best practices in information security are not practiced in your business.
Does your IT person run a number of security tools on your web applications, network and all of your servers, workstations and laptops at least once per quarter (ideally each month) and give you an executive-level status update on the security of your applications, network and computers?
[ ] Yes   [ ] No
Your IT person should have some formal education in information security, have a complete security tool-set, use it regularly, and keep the broker/owner/CEO apprised of risks, so that you can take management responsibility for information security and allocate resources to address emerging risks.
Have you had a security assessment performed by an independent third party in the past two years, reviewed the results with them, and understood your risks and created a project plan to address those risks?
[ ] Yes   [ ] No
Information security is a specialized field – it takes an outside, independent expert to reliably assess the risk so that you can take steps to improve your business’s security practices.
If you answered any of these questions with a 'No', then you may want to think about taking a more active role in managing your company's information security exposure. A security breach can cost six or seven figures to recover from and can also cause significant damage to your organization's brand and reputation.
The most innocent employee activities can have the worst security consequences for employers, and uncontrolled Internet use is a perfect example of this. Employees visit sites where they download content violating HR policies, share 'entertainment' sites and videos that distract other employees from work, and even download malicious software that can cause network compromise. Instant messaging (IM) has many of the same issues. What can be done?
The first step is to enact a firmer Web and IM use policy. At its most stringent, the policy can ban IM use and restrict Web use to mission-critical web sites – but that can create a less than pleasant work environment. A less strict IM policy may be to allow IM use only between employees, restricting employees to an 'internal-only' IM identity, not allowing them to IM with outsiders, and not allowing advanced IM features such as file sharing, audio or video. A less strict Web use policy might only allow traffic to specific, approved, non-work-related web sites. Even if management goes further and does not significantly restrict Web use, it's still important to have policies. While not an exhaustive list, a policy might include statements such as the following:
Employees must only use approved software to access the Internet, and software configurations must not be changed by employees without manager approval, including installation of browser plug-ins and Active-X controls.
Any personal use must not interfere with normal business activities, must not involve solicitation, must not be associated with any for-profit outside business activity, and must not potentially embarrass the company.
The Internet, including the Web should not be used for the transmission of any offensive, obscene, defamatory or illegal materials.
Employees must not download executable files from the Internet unless that download is required for performance of their job, and in that case programs should only be downloaded from trusted sources, with extreme caution.
Sensitive information about employees, customers, or other company-confidential information should never be published to the Internet.
There should be no expectation of privacy when using the company network, and traffic might be logged and reviewed to ensure policy compliance.
Policies are good, but do little to protect your company on their own. It is important that employees are regularly educated and re-educated on all of your company policies. Your company can be further protected by putting technical solutions in place that reflect the policy and enable monitoring and enforcement, or even take steps to proactively either only allow the limited uses you define or allow a broader range of use but stop prohibited uses. Clareity has guided many clients through the maze of technical options.
Clareity strongly encourages its clients to make considered choices about employee Internet use, implement policies that balance risk and benefit, and take steps needed to monitor and enforce such policies, including implementation of appropriate technologies to protect their company from security and other risks inherent in Internet use.
Many of our consulting clients are planning hardware replacements and since most still use Microsoft products, they are asking about the security of the next generation of Microsoft Windows. Here are some key points.
Windows Vista includes many exciting security features, including an improved Firewall, Defender, and a Malicious Software Removal Tool. It allows for more organizational control over software installations via Software Restriction Policies. For the more technically minded, one can also download and install security templates from Microsoft that make the computer harder to hack into, but this can take a more technically minded person to do without causing computer problems.
Despite all of these capabilities, Vista does not come thoroughly secured “out of the box.” To get a handle on how to secure Vista, one needs to download, understand, carefully test, and implement the many items described in the Windows Vista Security Guide available from Microsoft at http://technet.microsoft.com/en-us/bb629420.aspx.
One of the security features that comes built in with Vista is called User Account Protection (UAP). It makes you either click “OK” or type a password on endless dialog boxes to do anything that requires administrative privileges. While this feature may work for computers where people don’t do much but surf the Web and read e-mail, it’s infuriating to anyone else, especially actual system administrators, who would likely rather maintain two accounts: one user account and one where they can get work done without all the extra clicks. The biggest problem with this feature is that all these dialogs eventually blur into a “click to get work done” button that nobody bothers to read any more. While this was most likely a good concept, I don’t think this feature was well thought out on the execution side.
Then, there’s Windows Server 2008. The best thing about that operating system is that you can install it for a specific role (e.g. Web, mail, or file server) and only those parts of the operating system needed to fulfill that role get installed or activated. Not only should this make the computer more efficient, but it makes the servers more secure. There are also other useful security features, including fine-grained password policies and easier to use and manage encryption, a must for those who store sensitive information. Note: 35 states currently have breach notification laws. Do you do business in or with anyone in one of them?
Another very exciting Server 2008 feature is Network Access Protection (NAP). NAP monitors the health of computers when they connect or communicate with the network. NAP can check computers running Windows Vista, Windows Server 2008, or Windows XP with Service Pack 3 for firewall, antivirus, and antispyware settings and to ensure that Microsoft Update Services is enabled (so that security patches are downloaded).
Noncompliant computers can be given limited connection to your network and redirected to a site where they can find out how to fix problems.
For those of you actively looking at deploying Windows Server 2008, here’s a security guide for that operating system (OS).
You may also wish to look for the “Changes in Functionality from Windows Server 2003” document on the Microsoft site.
Hopefully, your company policy ensures that someone is responsible for making sure computers are set up securely and security is maintained. While there’s no such thing as “100% Secure,” if you take advantage of the new features Microsoft is offering through its next generation of operating systems, you can really raise the bar for security and in doing so, protect your clients and you.
Two neat Firefox plugins (if you value your privacy and security):
RefControl: RefControl is a free extension for Firefox that lets you control what gets sent as the HTTP Referer on a per-site basis. - http://www.stardrifter.org/refcontrol/
NoScript: This free, open source add-on for Firefox allows JavaScript and Java execution only for web sites of your choice. - http://noscript.net/
The following is a high-level overview of a session from Clareity Consulting's 2007 MLS Executive Workshop. Every year Clareity's Workshop provides fresh, in-depth updates on the most pressing issues facing MLS executives and leaders and creates an intimate environment for participants to share their knowledge and experience with each other. You can check the dates and/or register for next year's event on the Clareity Consulting web site – www.callclareity.com
Listings and other real estate content were at one time jealously guarded by brokers, and in turn by the MLS – especially when it came to putting that content on the Internet. Though MLS public web sites are still controversial in some corners, the recent trend has been toward wider distribution of such content, and the question of the day is no longer "Should my listings be available on multiple Internet sites?" but more commonly, "Where should I send the listings?" Two trends have contributed to the current environment: the first is the market slowdown, which has increased pressure on brokers and agents to facilitate greater marketing exposure for properties, and the second is part of a wider culture, the "Web 2.0" trend of "syndication".
In the "Web 1.0" world, companies wanted all consumers to visit their site and stay as long as possible. In the "Web 2.0" world, the trend is to make content available to other sites or have customized information delivered directly to individual site subscribers. The most common mechanism for this is called "RSS", which stands for Really Simple Syndication.
So, what we have traditionally referred to as listing distribution could also be referred to as content syndication. Such syndication may benefit all parties. Today, consumers must typically visit multiple sites to see all the listings for their area: Realtor.com/Move.com, Yahoo!, craigslist, Google, NewHome Source, FSBO.com, Trulia, remax.com, coldwellbanker.com and numerous other sites. When listings are fully syndicated, consumers may not need to visit multiple sites. For the broker or agent, syndication drives listing exposure across numerous online platforms, generating new traffic and content exposure and making syndication a free and easy form of advertisement.
Between the continued growth of listing content syndication and the evolution of data standards such as RETS (the Real Estate Transaction Standard), the MLS may have an evolving role to fill in the collection of data and its syndication. First, RETS 2.0 will make it more feasible for real estate professionals to manage their listings in a number of systems and have those changes syndicated. This may mean that an agent enters and manages a listing in the MLS and has it syndicated to the broker back-office system, other systems they use, and web sites – much as it is today – but it could also mean that the agent can manage listings directly in the broker system and have them syndicated to the MLS and other systems. Managing that syndication may become a core function of the MLS and other real estate software. This scenario is illustrated below:
While it is clearly up to brokers to determine where their listings are advertised, as an industry it is in our best interest to encourage balancing the benefits of content distribution with the interests of those that have worked to create the content as well as providing appropriate levels of information security and consumer privacy.
While some MLSs have started dealing with their information security responsibilities, in terms of MLS system authentication and the hacking threat, less attention has been paid to listing distribution. Some say, "This is information already out there on the Internet – it's 'public' information. We don't publish the consumer's name or phone number. So what's the big deal?" If a consumer provides information to an agent for the purpose of selling their home and, due to uncontrolled distribution or inadequate information security practices, the consumer is immediately overrun with telephone, mail or email marketing from real estate related services, it could lead to backlash and damage the trust in the real estate professional. It's all too easy to scrape the content off of most MLS web sites, and combining that information in a "mash up" with even the most basic reverse telephone directory creates a consumer privacy issue. If industry critics like Dave Barry have their way and open up access to the MLS, we will surely have other attorneys attacking the industry for that breach of consumer privacy.
As the scope of content syndication continues to expand it will be important for MLSs, brokers and others that may distribute content to implement next generation data distribution policies – addressing the security of everything from data exports created directly from the MLS to RETS feeds and other content distribution mechanisms. Such policies must:
establish common practices used to evaluate and establish third party relationships
establish conditions on those relationships and responsibilities within them
determine the data that may be accessed
describe how that data may be securely transmitted and stored
enumerate the numerous other detailed steps needed to provide appropriate information security for the content with which third parties are entrusted.
While providing information security assessments to MLSs and brokers, Clareity has found that such policies are rarely thoroughly defined or implemented. Clareity has worked with a number of clients to adopt and implement more robust listing distribution policies, integrate these policies into appropriate contracts, educate staff, members and third parties on those policies, and implement pro-active controls as well as means for monitoring and enforcement. There are hundreds of details to attend to in such a policy, and it is rare that Clareity finds a policy that is better than 'fair' during an assessment. Ask yourself, "Does my policy cover secure coding practices to ensure listings can't be scraped off member or MLS/IDX vendor web sites? The secure transfer of information using encrypted protocols? The encrypted storage of information, in databases and on backups? Security compliance monitoring mechanisms?" Again, there are scores of detailed questions to be asked, which need to be addressed in a comprehensive policy.
The current trend toward increasing listing content syndication is going to create new roles for the MLS and new challenges for our industry. Finding a balance of giving the consumers access to the information they desire and protecting broker rights, industry interests and consumer privacy will be very important, and Clareity encourages its clients to take security of data distribution to the next level through policy, agreements, MLS rules, education, implementation, monitoring, and enforcement so they are prepared for the future of listing content syndication.
About the author:
Matt Cohen is Clareity Consulting's Chief Technologist. Matt has spoken at many conferences, workshops and leadership retreats around the country on a wide variety of MLS-related topics, and is a well-regarded real estate industry expert on software design, product management, project management, data center reliability, scalability, and information security. Clareity Consulting was founded in 1996 to provide information technology consulting to the real estate industry and its related businesses. For more information, visit www.callclareity.com