JSON Security

Interesting explanation of JSON security

If you have partial control over some of the JSON data it’s possible to steal the data by manipulating it using UTF-7

[…]

If you are pen testing JSON feeds make sure the web site in question prevents external inclusion of the data via script or even better recommend the site does not expose the data publicly if privacy will be compromised. Twitter solved the information disclosure problem by requiring authentication for its JSON and other feeds; consider doing the same if the data has to be exposed.
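The quoted advice boils down to three server-side controls: require authentication, declare an explicit charset so the response cannot be reinterpreted as UTF-7, and make the body unusable as a cross-site script include. The following is an added example, not code from the original post or from Twitter: a hypothetical feed handler (json_feed_response) that applies those controls, a consumer (parse_feed_body) that strips the anti-hijack prefix and uses a real JSON parser, and a defender-side checker (audit_feed_response) that flags a feed missing any of them. The sample feed, the prefix value and the header set are assumptions for the demonstration.

```python
import json

# Constructed sample feed (not from the original post). The "note" field stands
# in for attacker-influenced content; the other fields are the private data a
# script-inclusion attack would try to read.
SAMPLE_FEED = [
    {"user": "alice", "email": "alice@example.invalid",
     "note": "hello +ADw-script+AD4-"},
]

# Prefix that makes the body a syntax error when loaded via <script>;
# legitimate same-origin consumers strip it before parsing (assumed convention).
ANTI_HIJACK_PREFIX = ")]}',\n"


def harden_json_text(obj):
    """Serialise to pure ASCII and escape '+', '<', '>' and '&' as \\uXXXX.
    With no raw '+' (the UTF-7 shift character) and no raw HTML metacharacters,
    the byte stream cannot be reinterpreted as UTF-7 or HTML even by a client
    that ignores the declared charset."""
    text = json.dumps(obj, ensure_ascii=True, separators=(",", ":"))
    return (text.replace("+", "\\u002b")
                .replace("<", "\\u003c")
                .replace(">", "\\u003e")
                .replace("&", "\\u0026"))


def json_feed_response(obj, authenticated):
    """Return (status, headers, body) for a private JSON feed (hypothetical)."""
    if not authenticated:
        # Private data is never served to anonymous callers.
        return 401, {"WWW-Authenticate": "Bearer"}, ""
    headers = {
        # Explicit charset: the browser has nothing to sniff.
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Cache-Control": "no-store",
    }
    return 200, headers, ANTI_HIJACK_PREFIX + harden_json_text(obj)


def parse_feed_body(body):
    """Consumer side: verify the prefix, strip it, and parse with json.loads
    (never eval)."""
    if not body.startswith(ANTI_HIJACK_PREFIX):
        raise ValueError("missing anti-hijack prefix")
    return json.loads(body[len(ANTI_HIJACK_PREFIX):])


def audit_feed_response(headers, body):
    """Defender-side review of a captured JSON feed response (hypothetical):
    returns the list of weaknesses found, empty if none."""
    issues = []
    lowered = {k.lower(): v for k, v in headers.items()}
    ctype = lowered.get("content-type", "")
    if not ctype.lower().startswith("application/json"):
        issues.append("Content-Type is not application/json")
    if "charset=" not in ctype.lower():
        issues.append("Content-Type declares no charset (encoding can be sniffed)")
    if lowered.get("x-content-type-options", "").lower() != "nosniff":
        issues.append("X-Content-Type-Options: nosniff is missing")
    if not body.startswith(ANTI_HIJACK_PREFIX):
        issues.append("body is loadable as a script (no anti-hijack prefix)")
    if "+" in body:
        issues.append("body contains a raw '+' (UTF-7 shift character)")
    return issues


if __name__ == "__main__":
    status, hdrs, body = json_feed_response(SAMPLE_FEED, authenticated=True)
    print(status, hdrs)
    print(body)
    print("hardened feed issues:", audit_feed_response(hdrs, body))
    print("round trip:", parse_feed_body(body))
    # Constructed example of a weak feed: bare array, no charset, no nosniff.
    weak_headers = {"Content-Type": "text/html"}
    weak_body = '[{"note":"+ADw-"}]'
    print("weak feed issues:", audit_feed_response(weak_headers, weak_body))
```

The audit function is the check a tester or reviewer would run against a captured response: a bare JSON array served as text/html with no charset is exactly the shape the quoted post warns about, while the hardened response produces no findings and still round-trips to the original data.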

Why I Remain Anonymous

I often see references to anonymous behaviour as cowardly or some other negative connotation. It is especially strange to me to see security professionals denigrate all forms of anonymous speech. Although there are risks to allowing a voice without a known identity, the risk of requiring an identity also has to be weighed.

Shoq Value gives an interesting (albeit lengthy) example of the balance.

At 10:47 (on May 29th), this email arrived, demonstrating nicely exactly why I remain anonymous. It’s because critics will always try to intimidate or silence people by any means they think are available to them.

Whereas the intimidating critics may themselves be anonymous, Shoq does not call them cowards or advocate for an end to their anonymous speech. Instead, the tool of anonymity is recognised as a double-edged sword.

Cigar Risks

The National Institutes of Health (NIH) National Cancer Institute offers some tips (pun not intended) on how cigars add significant cost to healthcare.

They are as toxic as cigarettes, if not more.

A single cigar can potentially provide as much nicotine as a pack of cigarettes.

[…]

A higher level of cancer-causing substances: During the fermentation process for cigar tobacco, high concentrations of cancer-causing nitrosamines are produced. These compounds are released when a cigar is smoked. Nitrosamines are found at higher levels in cigar smoke than in cigarette smoke.

More tar: For every gram of tobacco smoked, there is more cancer-causing tar in cigars than in cigarettes.

A higher level of toxins: Cigar wrappers are less porous than cigarette wrappers. The nonporous cigar wrapper makes the burning of cigar tobacco less complete than the burning of cigarette tobacco. As a result, cigar smoke has higher concentrations of toxins than cigarette smoke.

Furthermore, the larger size of most cigars (more tobacco) and longer smoking time result in higher exposure to many toxic substances (including carbon monoxide, hydrocarbons, ammonia, cadmium, and other substances).

Breaches in Ireland: Data Protection Commissioner Report

Ireland has published the Twenty-Second Annual Report of the Data Protection Commissioner, an office established by the 1988 Data Protection Act and amended in 2003 to implement provisions of EU Directive 95/46.

Aside from quantitative data (almost 400% increase in breach reports) it has many interesting qualitative stories with analysis. Here are a few examples:

Insurance companies are admonished for collecting data on risk yet not protecting it sufficiently from risk.

Several examples are given of insurance company employees caught performing unauthorised database searches for the usual reasons — curiosity about celebrities and news stories, and to help their family and friends.

…far too many individuals in insurance companies had access to the database with little or no oversight of that access. Some serious incidents of inappropriate access were identified and are listed.

Unlike the move in America to put a tamper-proof “black box” on all vehicles, the Commissioner recommends tracking devices have an obvious and usable “privacy” switch.

We explained that the use of tracking systems in vehicles can give rise to data protection issues if they are not deployed in a manner that takes account of the legitimate privacy expectations of vehicle drivers, particularly when they are off-duty. Monitoring or tracking, including in-vehicle monitoring, must comply with the transparency requirements of the Data Protection Acts. Staff must be informed of the existence of the tracking equipment and of the purposes for which their personal data is processed.

3rd-party certification audits of cloud environments are politely questioned in relation to “sectoral regulatory restrictions”; as I’ve mentioned before, not all compliance requirements are equal:

It remains the responsibility of the organisation that chooses to outsource to the “cloud” to ensure that the data is safe. The well-established EU model of a data controller entrusting data to a data processor applies in many cases. Outsourcing requires not only a written contract but also active measures to ensure data is secure in the “cloud”. If a cloud provider has taken the trouble to certify to recognised security standards such as ISO 27001 and SAS 70 or its successor SSAE 16, this provides significant reassurance about data security. But an organisation considering outsourcing also needs assurances about robust access controls, reliable data back-up systems and procedures in the event of data security breaches. Particularly where an organisation is subject to sectoral regulatory restrictions – financial services is a prime example – the organisation may not be satisfied to rely on third party certification and may want to carry out some form of audit at first hand.