December 04, 2007
Privacy Problems with Social Networks
Social networks like Facebook and MySpace continue to face security and privacy related issues as their functional capabilities expand and social interactions within the community become more complex. Here are a couple of examples.
First up, Facebook. It recently acknowledged that a new functional capability called Beacon continues to track user activity long after users have logged off the site, and even when users have elected not to display their activities to Facebook friends. Beacon is part of the Facebook Ads platform that tracks user activities on Facebook partner sites like Blockbuster and reports those activities to the "friends" of the Facebook account. Account holders may choose not to have those activities reported, but it appears that even in that case the activities are tracked and stored in some Facebook database. As you can imagine, privacy advocates are up in arms. You can read more about this case, if you're interested.
You can assume that these privacy issues will not go away and will continue to plague Facebook and other social networks. Sometimes the problem is less about guarding privacy and more about the abuse of trust within the social network. Here's a chilling story about how a MySpace teen took her own life because of a cruel prank perpetrated by adult neighbors.
Perhaps the issue is that both the guarding of privacy and the protection of social network subscribers may be at odds with each other. To some extent, that's how it works in real life...we yield some privacy to trusted authorities - banks, hospitals, law enforcement, the state...to gain protective services of some kind or another.
However, striking this balance in the cyberworld may not be so easy.
Posted by andreyee in Odds and Ends • Privacy/Information Theft • web 2.0
November 20, 2007
Implications of Salesforce Phishing Incident
The news about Salesforce.com's phishing incident broke almost two weeks ago on Slashdot, although there were rumors swirling about for a number of days prior to the report. A Salesforce employee fell victim to a phishing attack that captured his company credentials. The attackers used those credentials to harvest customer contact data and began to send phishing attacks to customers in the form of fake Salesforce invoices. As you might expect, some number of customers fell for the scam and yielded their Salesforce account info.
There are a few interesting implications of this phishing attack, none of which pertain specifically to what Salesforce should or could have done.
Implication #1 - this kind of targeted phishing or "spear phishing" is difficult to monitor and eliminate. When a specific target is singled out, the attack tends to proceed undetected for a while before it becomes evident. No specific remedies or signatures are available to address them.
Implication #2 - until now, most high-profile phishing attacks have been targeted at financial institutions and consumers. Relatively recent examples include the Bank of America "change of email" scam and ADP.
Not surprisingly, SaaS providers may now be next on the list. Although the value of the information to scammers may not be apparent, it is likely that phishing attacks against SaaS applications that hold identity and proprietary info will be on the rise.
Implication #3 - phishing is only the starting point for the attack. In the Salesforce incident, it was uncovered that some of the customers who were successfully phished also had keyloggers and other malware downloaded onto their machines. From the Salesforce letter sent to customers -
"...As a result of this, a small number of our customers began receiving bogus emails that looked like salesforce.com invoices, but were not--they were also phishes. Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher... However, a few days ago a new wave of phishing attempts that included attached malware--software that secretly installs viruses or key loggers--appeared and seemed to be targeted at a broader group of customers."
Not a lot of good news there. The point is that in this new Web 2.0, SaaS-enabled world, there is a Long Tail to this phishing problem: targeted, sophisticated attacks cannot be tackled by simply preaching "security awareness". Nor is it enough to use signature-based phishing detection techniques. We need a different approach.
Posted by andreyee in Industry Trends • Privacy/Information Theft • web 2.0
September 27, 2007
Identity Data Leaked from Mortgage Company
If you're one of millions of Americans with a mortgage, consider this - your mortgage company holds much of your privacy/identity info. Yet, have you ever wondered if your information is safe with them?
According to this article, three spreadsheets with social security numbers of over 5000 customers have been inadvertently leaked by a former employee of the ABN AMRO Mortgage Group. The problem was traced to the use of a peer to peer (P2P) file sharing tool called BearShare. Here's an excerpt from the article explaining what happened -
Tiversa Inc., a Pittsburgh company that offers data-leakage protection services, traced the origins of the ABN data to a Florida computer with the BearShare software installed. With such peer-to-peer sharing systems, files are obtained directly from another user's hard drive rather than a central hub like traditional Web sites. As a result, once a file begins to circulate, copies can sit on computers all over the world, ready to be grabbed by other users.
Although this data compromise was unintentional, P2P tools are increasingly becoming the weapon of choice in the arsenal of identity thieves. Most companies are clueless about this threat...and unfortunately, some of these companies hold our privacy data.
Posted by andreyee in Privacy/Information Theft
April 30, 2007
Another Privacy Exposure on the Web
This is becoming old hat but another huge privacy exposure was revealed over a week ago. Apparently, 63,000 SSNs of individuals who received Department of Agriculture grants have been out in public view since 1996. The offending website was FedSpending.org and the problem has since been corrected. It's hard to blame FedSpending, a group created by OMB Watch to keep an eye on government spending, since it essentially publishes government contracts and legal documents in a free, searchable database.
The real problem is that privacy info in government related documents like loans and grants is passed around indiscriminately. It makes one wonder whether more blatant privacy breaches are out there.
Here's how it was discovered. Marsha Bergmeier, president of Mohr Family Farms, found the breach when she googled her farm name. To her surprise, the details of her land loan, including her SSN, came up. She immediately notified the Department of Agriculture, her congressman and the website concerned, and the problem was quickly corrected. Of course, Ms Bergmeier understands that her privacy info may never be private again.
"If somebody downloaded it, it's still out there in the world," she said. "That will never be a private number again."
The Agriculture Department's response?
"There is no evidence that this information has been misused...However, due to the potential that this information was downloaded prior to being removed, USDA will provide the additional monitoring service."
That's comforting, I guess.
Posted by andreyee in Privacy/Information Theft
March 28, 2007
AOL is Taking AIM at Your Location
According to an article by the Associated Press, AOL in conjunction with a company called Skyhook have been building a database of locations linked to AIM users. This database is now being used for a feature that allows users with Wi-Fi enabled laptops to map the current locations of people on their buddy lists.
The fact that Skyhook has this information isn't anything new. They've been driving the streets of major cities for a number of years mapping Wi-Fi access points and detecting signal strength. Apparently, they now have over 16 million access points recorded from over 2,000 cities. What's new is that they're teaming up with AOL and using that info in conjunction with AIM. This will mean that some degree of privacy and anonymity for AIM users is compromised.
The Skyhook plug-in, available as a free download, adds a new grouping to AIM's buddy list window called "Near Me." That group will feature the names of any buddies who opt to share their locations and who are within a set distance from the AIM user.
Clearly AOL thinks that this will provide them a leg up in the IM wars. Marcien Jenckes who heads up the AIM division is convinced that this is functionality that IM users really care about.
"As we build these platforms for people to connect, we find that context is very important...people think through what's the right mechanism. It might depend on how much time I have to talk or how involved I want to be in the conversation or what I'm doing. Proximity or location is another one of those factors that will play an increasing role."
Mr Jenckes may be right, but there are some who are voicing big concerns regarding security and privacy. In my opinion, it depends on the implementation. If AIM users have the opportunity to opt into this feature, as opposed to having it included by default, it's ok by me. After all, there are all kinds of information that we choose to make public that infringe upon our anonymity or privacy, but we expose the information because we deem it beneficial to do so. The point is whether we have a choice.
Posted by andreyee in Privacy/Information Theft
October 09, 2006
Bruce Schneier on The Future of Privacy
Bruce Schneier, CTO of Counterpane Internet Security and author of best-selling books such as Applied Cryptography and Beyond Fear, discusses security and privacy in a talk held at USC.
Here's the link to the audio. It's definitely worth checking out.
Posted by andreyee in Privacy/Information Theft
October 02, 2006
Phishing Scams on the Rise
Phishing scams are on the rise, almost doubling in the 1st half of 2006 when compared to the last six months of 2005. According to a Symantec report released a week ago, the number of scams grew by 81% and increasingly targeted the "weakest link" - home users. To get an idea of how fast this problem is proliferating, note that the Anti-Phishing Working Group reported a while ago that from Nov 2004 to Nov 2005, the number of phishing attacks doubled. Now, if you believe the Symantec report, it's almost doubled again in a mere six months. You can download the entire report here from the Symantec website.
Many of the search sites and social networking sites are becoming launch points for a variety of phishing exploits. Google recently had one discovered and reported by Eric Farraro on his blog. Perhaps as hackers find attacking Microsoft platforms passé, they're moving on to new technology giants on the landscape like eBay, MySpace and Google. Well, fame and fortune have their price...
Posted by andreyee in Privacy/Information Theft
September 28, 2006
Missing Hardware Anyone?
The Commerce Department recently reported that it has lost over 1,100 laptops in the past five years, with the Census Bureau accounting for 672. I infer from this that keeping count of the human population is somewhat easier than keeping track of laptops. As you might imagine, some of these laptops contained critical information, including personnel related data.
In the missing laptops derby, the Census Bureau is far and away the winner. Coming in a distant second is NOAA (yes, they're the weather guys!), which lost 325 laptops. Details of the entire story here.
At least one congressman is trying to tackle the problem in the only way he knows how - via legislation.
Rep. Tom Davis, R-Va., chairman of the House Committee on Government Reform, is putting forth legislation that requires all federal agencies to tell the public when they have data breaches of sensitive information. I commend Tom Davis for his efforts, but the long term solution will be multi-dimensional, including both legislation and technology. I think the ongoing battle to secure privacy data will result in increasing traction for Software as a Service (SaaS). I know SaaS already has traction, but it's mostly because of its simplicity of deployment and management.
It's also most popular in the SMB market but security concerns will drive its use into large enterprises and as a model for legacy systems as well. Mark my words, it'll happen.
Posted by andreyee in Privacy/Information Theft
July 27, 2006
Adding "ID Theft" Insult to Injury
This is like déjà vu all over again. Here's another case of a missing computer potentially compromising the identities of over half a million injured workers in New York.
(Hat Tip: Martin McKeay, ComputerWorld Security Blog)
Names, addresses, SSNs of these workers from two workers compensation funds are potentially compromised because the computer storing this information has been stolen. No, let me restate that. To be specific - this computer provided by NY state to the CS Star contracting company is not technically stolen but actually "cannot be located" according to a letter sent to those impacted by this situation.
Now, don't get me wrong. I have some sympathy for that excuse...I tend to be forgetful and sometimes the keys to my car "cannot be located" temporarily on a Monday morning...in 10th grade, at times I found it necessary to tell my math teacher that my homework "cannot be located"...but I think the state of NY could do a little better than that.
See a trend with this and the Veterans Admin situation? In the near future, there are probably going to be far more identities compromised by careless handling of laptops and other computers than from hackers compromising an electronic transaction. We may transact bits & bytes for a living but we live in a physical world. Security policy enforcement must involve connecting the dots between the two.
Posted by andreyee in Privacy/Information Theft
June 22, 2006
Privacy, Information Theft and Security
The theft of identity data belonging to 26 million U.S. veterans and spouses has sparked debate and numerous investigative meetings. That significant data breach will cost us taxpayers over $100M to notify the affected parties and offer credit protection against potential abuses.
You might be thinking that this compromise of privacy information is a rare occurrence or a red herring, but in fact this is merely the latest and best publicized incident in recent history. To get a better view into the number and frequency of compromises, look at the record and chronology of these events at http://www.privacyrights.org/ar/ChronDataBreaches.htm
Furthermore, at the time of writing, www.privacyrights.org hadn't yet been updated to include this latest faux pas.
http://www.cio-today.com/story.xhtml?story_id=111003TREALO
When will organizations get serious about security? Who knows? Unfortunately, it often requires unfortunate incidents like the Veterans Administration debacle to spur change. I'm not usually in favor of legislating our way to security, but laws like California's SB 1386 need to be adopted nationally. SB 1386 holds companies legally and financially responsible for notifying customers should information held or stored about any California resident be compromised. It has created the necessary incentive for at least some organizations to take the stewardship of privacy data seriously.
Meanwhile, companies need to take responsibility and act before they get acted upon.
Posted by andreyee in Privacy/Information Theft