2011 10 19 raj goel isc2 secure boston cloud computing oversharing over collecting


Upload: rajjgoelny

Post on 22-Apr-2015


DESCRIPTION

Social Media has quickly woven itself into the very fabric of everyday life and computing. This boom in sharing, even the most banal of details, has had a resounding impact on how our profession manages enterprise security. In this presentation we'll explore strategies for managing the risks associated with: Data Loss Prevention, Brand Protection, Privacy Erosion and Malware Protection. We'll examine the basic law that governs ALL internet activity in the US. We'll further delve into KEY FTC decisions that impact online activity. Using case studies from the US and around the world, we'll examine how people have lost jobs, college degrees, fortunes and freedom through social media. We'll investigate the rampant OVERCOLLECTION of customer and subscriber data by major corporations. And finally, we'll review success stories from the past 300 years, where lone individuals and committed groups have improved security, society and human life spans.

TRANSCRIPT

Page 1: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting

brainlink You run your business and leave the IT audits to us.

Cloud Privacy Concerns – Oversharing & Overcollecting

Raj Goel, CISSP Chief Technology Officer

Brainlink International, Inc. [email protected] / 917-685-7731

Page 2

Agenda

• ECPA – the law of the land

• The cost of Insecurity.

• Key FTC Settlements

• Web 2.0 & (un)Social Media

• Stupidity vs Hydrogen

• Government & Vendors

• Success Stories

2 Raj Goel, CISSP / [email protected] / 917-685-7731

©2011 Raj Goel

Page 3

ECPA declared that e-mail was a private means of communication, and that we might hope for the same level of privacy in it as we have in phone calls and letters. Among other things, it means that police need a wiretap warrant to read your e-mails, and that your e-mail company's employees can't disclose your e-mails to others.

[...] E-mail in transit is protected, but those in law enforcement advocate that once mail is processed and stored, it is no longer the same private letter, but simply a database service.

GMail's big selling point is that they don't simply deliver your mail. They store it for you, and they index it so you can search it.

- Brad Templeton, Chairman of the Electronic Frontier Foundation, http://www.templetons.com/brad/gmail.html


Page 4

• Compelled Disclosure Rules in 18 U.S.C. § 2703

• Section 2703 mandates different standards the government must satisfy to compel different types of communications. To compel a provider of ECS to disclose contents of communications in its possession that are in temporary “electronic storage” for 180 days or less, the government must obtain a search warrant. To compel a provider of ECS to disclose contents in electronic storage for greater than 180 days or to compel a provider of RCS to disclose contents, the government has three options.

• First, the government can obtain a search warrant.

• Alternatively, investigators can use less process than a warrant, as long as they combine that process with prior notice.

• Specifically, the government can use either a subpoena or a “specific and articulable facts” court order pursuant to 18 U.S.C. § 2703(d), combined with prior notice to the “subscriber or customer” (which can be delayed in some circumstances). The court order found in § 2703(d), often referred to as a “2703(d)” order or simply a “d” order, is something like a mix between a subpoena and a search warrant. To obtain the order, the government must provide “specific and articulable facts showing that there are reasonable grounds to believe” that the information to be compelled is “relevant and material to an ongoing criminal investigation.” If the judge finds that the factual showing has been made, the judge signs the order. The order is then served like an ordinary subpoena; investigators bring or fax the order to the ISP, and the ISP complies by turning over the information to the investigators.

- Professor Orin Kerr, George Washington University Law School, http://papers.ssrn.com/sol3/papers.cfm?abstract_id=421860

TRANSLATION: After 180 days, Government access to your Gmail, Hotmail, Yahoo Mail, etc. becomes significantly easier.

CSOs and CPOs should know about ECPA.

Employees are forwarding emails to GMAIL because it is fast, easy to use and has copious capacity. The opposite of most corporate email systems.

How many of your employees are forwarding emails to gmail/yahoo/hotmail right now?


Page 5


FBI Abuses Patriot Act – http://www.nytimes.com/2007/03/10/washington/10fbi.html

Sprint received 8 MILLION law enforcement requests in 13 months – http://www.eff.org/deeplinks/2009/12/surveillance-shocker-sprint-received-8-million-law

Your Identity for Sale – http://money.cnn.com/2005/05/09/pf/security_info_profit/index.htm

Google "FBI buys data from private sector"

ECPA – Electronic Communications Privacy Act (1986)


Page 6

http://www.theregister.co.uk/2011/06/27/google_user_data_subpoenas/

Page 7

Cost Of Compliance

According to Gartner (2007):

– Level 1 Merchants spent $125,000 in assessments and $568,000 for remediation

– Level 2 – $105,000 in assessments and $267,000 for remediation

– Level 3 – $44,000 in assessments and $81,000 for remediation

– Level 4 – varies

• External IP scan costs ranged from $150–$2,500/year

- http://www.braintreepaymentsolutions.com/blog/what-does-it-cost-to-become-pci-compliant


Page 8

Cost Of Compliance

According to Ponemon Institute, Oct 15, 2010:

– Level 1 Merchants spent $225,000 in assessments, with some spending over $500,000 in assessments alone

– 2% of businesses fail the audits

– 41% rely on compensating controls

– IT depts are in charge of security, but business managers control the budget

• VISA, MC & Amex now allow internal audit teams to perform these assessments, not just the QSAs.

- http://blog.elementps.com/element_payment_solutions/2009/02/pci-compliance-costs.html


Page 9

Costs of Non-Compliance


Page 10

Cost of carelessness

The Cost of Carelessness 12/5/2005 - http://www.cioinsight.com/article2/0,1540,1906158,00.asp


Page 11

Cost of Breaches 2005-2009 ($ per compromised record)

Year   Direct Cost   Indirect Cost   Lost Customer Cost   Total Costs
2005        50            14                 74               138
2006        50            14                118               182
2007        50            14                133               197
2008        50            14                138               202
2009        50            14                140               204

Other findings:

1. Not the 1st time for the majority of companies – 84% repeat offenders

2. 1st timers cost: $243/record; Experienced Victims: $192/record

3. Churn Rates: Average 3.6% / Healthcare 6.5% / Financial Services 5.5%; Healthcare cost: $282/record / Retail: $131/record

4. 88% of breaches due to insider negligence, 44% due to external parties

Source: http://www.networkworld.com/news/2009/020209-data-breach.html


Page 12

They broke the law, your loss!

2008: Malware and/or break-ins compromise 100 million+ records at Heartland Payment Systems.

Jan 2009: Inauguration day – Heartland discloses breach.

May 2009: Heartland has spent $12.6 million (and counting) in dealing with the breach.

Feb 2009: Angie's List notices a 200% increase in auto-billing transactions being declined. Auto-billing declines increased from 2% to 4%. May cost them $1 million in lost revenues so far.

“The trouble is that convincing customers who had once set up auto-billing to reestablish that relationship after such a disruption is tricky, as many people simply don't respond well to companies phoning or e-mailing them asking for credit card information”

- http://voices.washingtonpost.com/securityfix/2009/05/heartland_breach_dings_members.html?wprss=securityfix


Page 13

TJX (TJ Maxx, Winners, HomeSense) Breach

Information stolen from the systems of massive retailer TJX was being used fraudulently in November 2006 in an $8 million gift card scheme, one month before TJX officials said they learned of the breach, according to Florida law enforcement officials. ... Florida officials said the group used the increasingly common tactic of using the bogus credit cards to purchase gift cards and then cashing them at Wal-Mart and Sam's Club stores. The group usually purchased $400 gift cards because when the gift cards were valued at $500 or more, they were required to go to customer service and show identification, Pape said.

- eWeek.com, March 21, 2007

Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock, said the company rebuffed its request to see documents detailing the safeguards on the company's computer systems and how the company responded to the theft of customer data. The suit was filed Monday afternoon in Delaware's Court of Chancery, under a law that allows shareholders to sue to get access to corporate documents for certain purposes. Court papers state the Arkansas pension fund wants the records to see whether TJX's board has been doing its job properly in overseeing the company's handling of customer data.

- Forbes.com, March 20, 2007


Page 14

Key FTC Settlements


Page 15

FTC – ToySmart (2000)

ToySmart sold educational, non-violent toys and collected information on children while it was in business. Its privacy policy said that it would never share information with 3rd parties.

Toysmart.com went bankrupt and tried to auction off the customer database separately as an asset of the company.

"Customer data collected under a privacy agreement should not be auctioned off to the highest bidder," according to Jodie Bernstein, Director of the FTC's Bureau of Consumer Protection. "This settlement protects consumers from a winner-take-all bid in bankruptcy court, ensuring only a family-oriented Web site willing to buy the entire Toysmart Web site has the ability to do so."

Settlement: Anyone who bought ToySmart must adhere to Toysmart’s privacy policies.

- www.steptoe.com/assets/attachments/937.com


Page 16

FTC – Microsoft Passport (2002)

"We believe that Microsoft made a number of misrepresentations, dealing with, one, the overall security of the Passport system and personal information stored on it; two, the security of online purchases made with Passport Wallet; three, the kinds of personal information Microsoft collects of users of the Passport service; and four, how much control parents have over the information collected by Web sites participating in the Kids Passport program," [FTC Chairman] Muris said during the conference call.

The FTC outlined its findings in a six-page complaint. Many of the problems resulted from Microsoft failing to adhere to its own privacy statements about Passport, Passport Wallet or Kids Passport.

No penalties; 20 years of reporting to the FTC required.

For 5 years, MS must submit advertising materials and all other documentation pertaining to collection or retention of consumer data.

- http://news.cnet.com/2100-1001-948922.html


Page 17

FTC – Sears/Kmart (2009)

In 2009, the Sears.com and Kmart.com websites offered 15% of their visitors, via a pop-up, a chance to “talk directly to the retailer”. This pop-up installed spyware on their customers’ (or potential customers’) computers!

Consumers probably didn't realize that by "new" and "different," the advertisement meant "all-seeing" and "invasive." Indeed, this software monitored both online and offline behavior, peering into online secure sessions and culling information from consumers' email subject and recipients, online bank statements, drug prescription records, video rental records, and similar histories and accounts. Customers effectively (and blindly) sold their privacy by agreeing to a lengthy terms of service agreement that showed up at the end of a long registration process. The agreement was presented in a small "scroll box"; consumers could only see ten lines of the policy at a time and not until the 75th line could the user find any description of the invasive tracking.

Sears was required to delete all data collected under this program.

- http://www.cdt.org/blogs/erica-newland/ftc-finalizes-terms-sears-deceptive-practices-settlement


Page 18

FTC – EchoMetrix/Pulse (2010)

Parents paid EchoMetrix $3.99/mo for Sentry Parental Controls. This allowed parents to monitor web surfing, IM, email, etc.

June 2009 – EchoMetrix launches Pulse – a “market research” program that analyzed web traffic, social media, IM, etc. so that marketers could find out what consumers were saying about their products or services. Companies that bought Pulse could retrieve actual IM, chat and forum posts.

FTC charged that EchoMetrix failed to adequately inform parents that information collected by Sentry would be sold to marketers. EchoMetrix had vague statements buried in their EULA (sound familiar??)

Settlement: EchoMetrix must destroy the info from Sentry that was copied into the Pulse database. It cannot use Sentry data for any other purposes.

- http://business.ftc.gov/blog/2010/12/ftc%E2%80%99s-echometrix-settlement-eula-ppreciate-guidance-privacy-disclosures


Page 19

FTC – CyberSpy Software (2010)

CyberSpy sold a keylogger, marketed towards parents, spouses and colleagues. They provided their clients with detailed instructions on how to disguise RemoteSpy as an innocuous program.

Settlement: CyberSpy must

• not assist purchasers in falsely representing that the software is an innocuous file;

• cause an installation notice to be displayed which must include a description of the nature and function of the program and to which the user must expressly consent;

• cause an icon to appear in the task bar on the user’s desktop when the software is running, unless the icon is disabled by a person with administrative rights to the computer;

• inform purchasers that improper use of the program may violate state or federal law;

• take measures to reduce the risk that the spyware is misused, including license monitoring and policing affiliates;

• encrypt data collected by the program that is transferred over the internet; and

• remove legacy versions of the software from computers on which it was previously installed.

- http://privacylaw.proskauer.com/2010/06/articles/spyware/ftc-settlement-bars-marketing-of-spyware-for-illegal-uses/


Page 20

FTC – Chitika (2011)

Chitika buys ad space and places cookies on end-users' browsers.

When consumers opted out, Chitika stopped displaying ads for 10 days. After 10 days, Chitika re-started displaying ads to opted-out consumers.

FTC charged Chitika with engaging in “deceptive practices”.

Per the settlement, Chitika must:

• Stop making misleading statements about its data collection policies

• Display clear opt-out links in every ad, with the opt-out lasting 5 years

• Destroy all personally identifiable information collected during the defective opt-out

• Alert consumers that their previous opt-out was not valid.

- http://www.infolawgroup.com/2011/03/articles/enforcement/privacy-enforcement-update-ftc-settles-with-twitter-and-chitika/


Page 21

FTC – Twitter (2011)

Twitter promised that “private tweets” were safe.

In 2009, hackers broke into Twitter and made tweets public.

FTC alleged that serious lapses in Twitter’s security allowed hackers to penetrate Twitter. (Hackers brute-forced administrative passwords after trying thousands of passwords against Twitter’s login page.)

The settlement:

• Requires Twitter to update its privacy & security policies

• Twitter must honor privacy choices made by consumers

• An independent auditor must assess Twitter’s security every other year for 10 years

- http://www.ftc.gov/opa/2011/03/twitter.shtm


Page 22

Threats: Web 2.0 & Social Media


Page 23

• MySpace, Yahoo blame bad APIs for celebrity photos breach

• Paris Hilton and Lindsay Lohan's private MySpace photos are all over the Internet now, thanks to a glitch in the bad APIs.

• http://valleywag.com/5012541/how-a-canadian-computer-guy-got-paris-hilton-and-lindsay-lohans-pics

Byron Ng's instructions for viewing any MySpace profile:

• 1. you'll need a Yahoo account. go to www.yahoomail.com and create a yahoo account if you don't have one already. and you will need to go to www.myspace.com to sign up for a myspace account first, if you don't have one already.

• 2.go to http://beta.m.yahoo.com/w/gallery/widget click on the 'mail' button under "sign in to yahoo!"

• 3. click on 'click here to sign in'

• 4. enter your yahoo id, yahoo password

• 5. then on the top of the screen in the white box, enter: myspace then click Search Widgets Gallery

• 6. you will see a green box in the middle with the word 'myspace' in there.

• 7. click the green myspace.

• 8. see in the middle of the screen it says "add it" - click that.

• 9. click yes when it asks you about sharing info

• 10. go here http://beta.m.yahoo.com/w/gallery/widget

• 11. enter myspace into the box. click search widgets gallery

• 12. click on the green myspace. now, since you have already set it up in the previous steps, it won't ask you to download again

• 13. click on 'go to widget' (that’s right below the 'already added it" text

• 14. now sign in to myspace

• 15. now take the URL I asked you to save above before step 1: http://beta.m.yahoo.com/w/myspace/profile/en.osl?userID=16527727 and click on it. it may ask you to sign into yahoo or my space. sign in as appropriate. now you should be able to see the person's pictures. if you can only see your own profile, then click on it again http://beta.m.yahoo.com/w/myspace/profile/en.osl?userID=16527727 then it will work.


Page 24

• Nov 2, 2007 – hacker compromises Plaxo's Rockyou Opensocial application.

• Adds 4 emoticons to reporter's account.

• Adds emoticon to Plaxo's VP of Marketing John McCrea's profile.

• Same hacker accessed any user's Facebook SuperPoke feed.

http://www.techcrunch.com/2007/11/02/first-opensocial-application-hacked-within-45-minutes/


Page 25

In the EU, the citizens own their data. In the US, the corporations own the data.

If you ask Facebook for your profile data in the US, you’ll get laughed at.

If you live in the EU, however, you can request a copy of your profile data and Facebook is legally obligated to send it to you.

www.Europe-v-Facebook.org is documenting the data that Facebook is releasing to EU users – from 192 pages to 800 pages PER person.

From E-V-F:

Every person in the EU has the right to access all the data that a company is holding about him/her. You can find out how to access your facebook data on the page “your data…”. After we got the first response by facebook it was clear to us that we had to publish this information online. By doing so, we want to make facebook more transparent and show every user which data facebook is holding about us.

There is more data. Many groups of data are not included in this first set of data we got from facebook. For example data concerning the “like”-function, tracking on other webpages, face recognition, videos, postings on other users' walls, indicators for the intensity of relationships, tags that were removed and many more were so far not disclosed by facebook.

via europe-v-facebook.org.


Page 26

We’ve said for years that the internet remembers forever. Here’s proof that Facebook embodies that ethos…Here’s a SMALL sampling of what Zuckerberg collects, repackages and sells…but never deletes….

Pokes are kept even after the user “removes” them.

Facebook is collecting data about people without their knowledge. This information is used to substitute existing profiles and to create profiles of non-users.

Tags are used without the specific consent of the user. Users have to “untag” themselves (opt-out). Note: Facebook has announced changes for this.

Facebook is gathering personal data e.g. via its iPhone-App or the “friend finder”. This data is used by Facebook without the consent of the data subjects.

Postings that have been deleted showed up in the set of data that was received from Facebook.

Users cannot see the settings under which content is distributed that they post on other’s pages.

via Facebook: Releasing your personal data reveals our trade secrets | ZDNet.


Page 27

Messages (incl. Chat-Messages) are stored by Facebook even after the user “deleted” them. This means that all direct communication on Facebook can never be deleted.

The privacy policy is vague, unclear and contradictory. If European and Irish standards are applied, the consent to the privacy policy is not valid. Facebook tried improving it earlier this year.

The new face recognition feature is a disproportionate violation of the users' right to privacy. Proper information and an unambiguous consent of the users is missing.

Access Requests have not been answered fully. Many categories of information are missing.

Tags that were “removed” by the user, are only deactivated but saved by Facebook.

via Facebook: Releasing your personal data reveals our trade secrets | ZDNet.


Page 28

In its terms, Facebook says that it does not guarantee any level of data security.

Applications of “friends” can access data of the user. There is no guarantee that these applications are following European privacy standards.

All removed friends are stored by Facebook. This was reconfirmed recently.

Facebook is hosting enormous amounts of personal data and it is processing all data for its own purposes. It seems Facebook is a prime example of illegal “excessive processing”.

Facebook is running an opt-out system instead of an opt-in system, which is required by European law.

The Like Button is creating extended user data that can be used to track users all over the internet. There is no legitimate purpose for the creation of the data. Users have not consented to the use.

via Facebook: Releasing your personal data reveals our trade secrets | ZDNet.


Page 29

The privacy settings only regulate who can see the link to a picture. The picture itself is “public” on the internet. This makes it easy to circumvent the settings.

Facebook is only deleting the link to pictures. The pictures are still public on the internet for a certain period of time (more than 32 hours).

Users can be added to groups without their consent. Users may end up in groups that lead others to false impressions about a person.

The policies are changed very frequently, users do not get properly informed, they are not asked to consent to new policies.

via Facebook: Releasing your personal data reveals our trade secrets | ZDNet.


Page 30

Trailblazer was commissioned from the Science Applications International Corporation at a cost of $280 million and never worked as intended, while violating the laws on privacy. The final bill for the project, which was cancelled in 2003, is estimated to be over a billion dollars.

But Drake warned that the NSA has not learned its lesson from the incident, and that it was one of the NSA’s deepest, darkest secrets that it had effectively turned online America into a foreign country for legal purposes. More worrying, similar lax attitudes are now pervasive in the corporate world.

“Industry self-regulation is not working, contrary to what you have seen or heard,” he warned. “Let’s not kid ourselves. It’s also patently disingenuous to say that no names are collected, only a computer number, when the technology is out there to discover everything about you electronically.”

- http://www.theregister.co.uk/2011/10/19/nsa_whistleblower_intelligence_thinthread/


Page 31

Wyden was also scathing about the Patriot Act, pointing out that there were in fact two forms of the legislation, the public law and the interpretation of it by government - the latter being secret. He said that if the American people could see what the secret interpretation was they would be surprised and angry. He said he would love to lay out the way the act was being used, but was bound by secrecy rules. - http://www.theregister.co.uk/2011/10/18/riaa_biggest_threat_innovation_senator/


Page 32

"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." -Albert Einstein


Page 33

http://www.michaelhanscom.com/eclecticism/2003/10/23/even-microsoft-wants-g5s/


Page 34: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


http://articles.chicagotribune.com/2008-09-20/news/0809190659_1_social-networking-sites-admissions-facebook-profile


Page 35: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


http://www.usatoday.com/tech/news/internetprivacy/2006-03-08-facebook-myspace_x.htm


Page 36: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


http://www.readwriteweb.com/archives/social_network_profile_costs_woman_college_degree.php


Page 37: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


• Facebook allows developers access to users' full profiles.

• Every time you choose to add an application, Facebook asks you to confirm that you want to let this program both know who you are and access your information. It's impossible for anyone to add any application without agreeing to this set of terms. Once you click okay, that application can technically access quite a bit of public and private profile information.

• While all of the most private information (like your passwords and e-mail addresses) is kept on Facebook servers and requires security authentication, a lot of info is available to applications you add.

• According to Facebook's Developers Terms of Use, this can include

• ". . . your name, your profile picture, your birthday, your hometown location, your current location, your political views, your activities, your interests, your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history, copies of photos in your Facebook Site photo albums, and a list of user IDs mapped to your Facebook friends."

- http://www.removeadware.com.au/articles/facebook-privacy-hackers/


Page 38: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Farce of the Facebook spy: MI6 chief faces probe after wife exposes their life on Net

“MI6 faced calls for an inquiry last night after an extraordinary lapse of judgment led to the new head of MI6's personal details being plastered over Facebook.

Millions of people could have gained access to compromising photographs of Sir John Sawers and his family on the social networking website. ...“

http://www.dailymail.co.uk/news/article-1197757/New-MI6-chief-faces-probe-wife-exposes-life-Facebook.html


Page 39: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


In an experiment, 41% of Facebook users were willing to divulge highly personal information to a complete stranger. This according to IT security firm Sophos, which invited 200 randomly selected Facebookers to befriend a bogus Facebook user named “Freddi Staur” (an anagram of “ID Fraudster”). Of those queried, 87 responded to the invitation, among them 82 people whose profiles included personal information such as their email address, date of birth, address or phone number. In total:

• 72% of respondents divulged one or more email address

• 84% listed their full date of birth

• 87% provided details about their education or workplace

• 78% listed their current address or location

• 23% listed their current phone number

• 26% provided their instant-messaging screen name

Yikes. You’d think institutional privacy concerns would be enough to make folks think twice about expanding their Facebook networks with reckless gusto, wouldn’t you? Guess not.

http://digitaldaily.allthingsd.com/20070814/facebook-privacy/


Page 40: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


The UK Ministry of Defence (MoD) warns that Facebook Places (which is enabled by default!) provides a targeting pack for terrorists.

"The main concern relating to the use of the application, is that it may inadvertently compromise the locality of a military user," the document says.

http://www.theregister.co.uk/2010/10/01/mod_facebook_places/


Page 41: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Burglary Ring uses Facebook to choose victims

A burglary ring in Nashua, NH committed 50 break-ins and stole $100,000+. They targeted victims who posted their location on Facebook. http://gawker.com/5635046/real+life-burglary-ring-uses-facebook-to-choose-victims

Adam Savage (Mythbusters) posted a photo of his new truck, parked in front of his house. Fans (and crooks!) discovered his address via the GPS geotag embedded in the photo's EXIF metadata. http://text.broadbandreports.com/forum/r24657556-MythBusters-stalked-down-with-geotag-photos
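The geotag in the Savage story is a GPS sub-IFD inside the photo's EXIF APP1 segment, and any site that publishes uploads unmodified republishes it. The Python below is an added example, not code from the presentation or from any of the sites it cites: it constructs a minimal geotagged JPEG in memory, reads the latitude and longitude back out of it the way a stalker's tool would, and then strips the segment the way an upload pipeline should. The file layout, function names and the coordinate are all made up for the demo.

```python
"""Added example: read and strip the GPS geotag in a JPEG's EXIF APP1 segment.
The JPEG is constructed in memory (SOI + Exif APP1 + EOI); a real photo has the
same wrapper around the image data. Coordinates are made up for the demo."""
import struct

GPS_IFD_TAG = 0x8825                 # IFD0 entry that points at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 0x0001, 0x0002, 0x0003, 0x0004   # GPS IFD tags


def _rational3(deg, mins, secs_hundredths):
    """Three unsigned RATIONALs (num, den): how EXIF stores a D/M/S coordinate."""
    return struct.pack("<6I", deg, 1, mins, 1, secs_hundredths, 100)


def build_geotagged_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed minimal JPEG: SOI, one Exif APP1 holding a GPS IFD, EOI."""
    gps_ifd_off = 8 + 2 + 12 + 4                 # right after the 1-entry IFD0
    data_off = gps_ifd_off + 2 + 4 * 12 + 4      # right after the 4-entry GPS IFD
    tiff = b"II" + struct.pack("<HI", 42, 8)     # little-endian TIFF header, IFD0 at 8
    tiff += struct.pack("<H", 1)
    tiff += struct.pack("<HHII", GPS_IFD_TAG, 4, 1, gps_ifd_off)   # type 4 = LONG
    tiff += struct.pack("<I", 0)                 # no IFD1
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", LAT_REF, 2, 2) + lat_ref.encode() + b"\0\0\0"  # ASCII, inline
    tiff += struct.pack("<HHII", LAT, 5, 3, data_off)                           # type 5 = RATIONAL
    tiff += struct.pack("<HHI", LON_REF, 2, 2) + lon_ref.encode() + b"\0\0\0"
    tiff += struct.pack("<HHII", LON, 5, 3, data_off + 24)
    tiff += struct.pack("<I", 0)
    tiff += _rational3(*lat_dms) + _rational3(*lon_dms)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _segments(jpeg):
    """Yield (marker, payload, start, end) for the marker segments before the scan data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):               # EOI, or SOS: entropy-coded data follows
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos + 4:pos + 2 + length], pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, off, bo):
    """Map tag -> (type, count, 4 raw value/offset bytes) for one IFD."""
    n = struct.unpack(bo + "H", tiff[off:off + 2])[0]
    entries = {}
    for i in range(n):
        e = off + 2 + 12 * i
        tag, typ, cnt = struct.unpack(bo + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, cnt, tiff[e + 8:e + 12])
    return entries


def _dms_to_degrees(tiff, raw, bo):
    """Follow the offset in `raw` to three RATIONALs and convert D/M/S to degrees."""
    off = struct.unpack(bo + "I", raw)[0]
    n = struct.unpack(bo + "6I", tiff[off:off + 24])
    return n[0] / n[1] + n[2] / n[3] / 60 + n[4] / n[5] / 3600


def gps_coordinates(jpeg):
    """Return (lat, lon) in signed decimal degrees, or None if there is no geotag."""
    for marker, payload, _, _ in _segments(jpeg):
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        bo = "<" if tiff[:2] == b"II" else ">"   # byte order flag of the TIFF header
        ifd0 = _read_ifd(tiff, struct.unpack(bo + "I", tiff[4:8])[0], bo)
        if GPS_IFD_TAG not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(bo + "I", ifd0[GPS_IFD_TAG][2])[0], bo)
        if LAT not in gps or LON not in gps:
            return None
        lat = _dms_to_degrees(tiff, gps[LAT][2], bo)
        lon = _dms_to_degrees(tiff, gps[LON][2], bo)
        if gps.get(LAT_REF, (0, 0, b"N"))[2][:1] == b"S":
            lat = -lat
        if gps.get(LON_REF, (0, 0, b"E"))[2][:1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Copy of the file with every Exif APP1 segment removed: what an upload pipeline should do."""
    drop = [(s, e) for m, p, s, e in _segments(jpeg) if m == 0xE1 and p.startswith(b"Exif\0\0")]
    out, pos = bytearray(), 0
    for s, e in drop:
        out += jpeg[pos:s]
        pos = e
    out += jpeg[pos:]
    return bytes(out)


if __name__ == "__main__":
    photo = build_geotagged_jpeg((40, 44, 5436), "N", (73, 59, 836), "W")
    print("geotag:", gps_coordinates(photo))
    print("after strip:", gps_coordinates(strip_exif(photo)))
```

Stripping only the Exif APP1 segment is deliberate: it keeps ICC profiles and the image intact, but it also means XMP (APP1 with a different signature) or a thumbnail inside another segment would survive, so a production pipeline should re-encode the image rather than trust a segment filter.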


Page 42: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Facebook leaked users' real names to advertisers

Oct 14, 2010 - The personally identifiable information was relayed in referrer headers that were sent over three months to advertisers when users clicked on banner ads, according to an amended complaint filed this week in US District Court in San Jose, California. The header, which is included in URLs that lead to an advertising webpage, shows the Facebook address the user was browsing when he encountered the ad. The information is designed to help advertisers serve content that's geared to his age, location and interests. http://www.theregister.co.uk/2010/10/14/facebook_privacy_complaint/

NOTE: Google's doing this as well. Claims it's standard practice.
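The mechanism in the complaint is ordinary HTTP: when the browser follows an ad link, it sends the URL of the page it was on in the Referer header, and if that URL names a profile, the ad server now has a name for the IP address and cookie it already had. The Python below is an added example and not Facebook's, Google's or the presenter's code: it runs a leak check over constructed ad-server log entries for a hypothetical site whose profiles live at /profile.php?id=N or /<username>, and shows what each Referrer-Policy value would have sent instead for a cross-origin, https-to-https click.

```python
"""Added example: how a Referer header hands a profile identifier to a third-party
ad server, and what each Referrer-Policy value would have sent instead.
The site layout (profile.php?id=N and /username vanity URLs) and the log lines
are constructed for the demo; nothing here is real traffic."""
from urllib.parse import urlsplit, parse_qs

# Constructed ad-server hits: (client IP, requested path, Referer header as received)
SAMPLE_HITS = [
    ("203.0.113.7", "/click?ad=42", "https://social.example/profile.php?id=100001234567"),
    ("203.0.113.7", "/click?ad=42", "https://social.example/alice.smith?ref=nf"),
    ("198.51.100.3", "/click?ad=17", "https://social.example/"),   # origin only
    ("198.51.100.9", "/click?ad=17", ""),                           # no referrer at all
]


def identifier_from_referer(referer):
    """Return the user identifier a Referer value reveals, or None.
    Assumes the hypothetical layout above: /profile.php?id=<n> or /<username>."""
    if not referer:
        return None
    parts = urlsplit(referer)
    if parts.path == "/profile.php":
        ids = parse_qs(parts.query).get("id")
        return ids[0] if ids else None
    path = parts.path.strip("/")
    if path and "/" not in path:
        return path                      # vanity URL, e.g. /alice.smith
    return None                          # home page, feeds, etc.


def leaked_identities(hits):
    """What the ad server learned: client IP -> set of identifiers seen in Referer."""
    leaks = {}
    for ip, _path, referer in hits:
        ident = identifier_from_referer(referer)
        if ident:
            leaks.setdefault(ip, set()).add(ident)
    return leaks


def referer_under_policy(page_url, policy):
    """Referer a browser sends for a cross-origin, https->https ad click under `policy`."""
    parts = urlsplit(page_url)
    if policy == "no-referrer":
        return ""
    if policy in ("origin", "origin-when-cross-origin",
                  "strict-origin", "strict-origin-when-cross-origin", "same-origin"):
        # cross-origin request: at most the origin, and same-origin sends nothing
        return "" if policy == "same-origin" else f"{parts.scheme}://{parts.netloc}/"
    if policy in ("unsafe-url", "no-referrer-when-downgrade"):
        return page_url                  # full URL, including the id: the leak above
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    print(leaked_identities(SAMPLE_HITS))
    for pol in ("unsafe-url", "strict-origin-when-cross-origin", "no-referrer"):
        sent = referer_under_policy(SAMPLE_HITS[0][2], pol)
        print(f"{pol:35} -> {sent!r} leaks {identifier_from_referer(sent)!r}")
```

The fix on the publisher side is a Referrer-Policy of origin or stricter on profile pages (or keeping identifiers out of the URL entirely); the check above is what you would run against an ad partner's logs, or your own outbound proxy logs, to see whether user identifiers are still escaping.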


Page 43: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Kim Jong-Il's grandson has a Facebook problem

Oct 3, 2011 - South Korean media discovered Kim Jong-Il's grandson's Facebook page on Saturday and are having a field day picking over his blog and photo galleries. Turns out he's just a geeky high schooler who likes American movies and gets in comment flame wars. 16-year-old Kim Han Sol is the son of Kim Jong-Il's exiled eldest son, Jong Nam. He lives in Macau and China, and just enrolled in boarding school in Bosnia-Herzegovina. Judging from his Facebook pictures, the fact that his grandfather is the world's most notorious dictator hasn't impeded his social life. http://gawker.com/5846077/kim-jong+ils-teenage-grandson-is-having-a-facebook-scandal


Page 44: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


http://consumerist.com/2009/05/new-zealand-bank-error-fugitives-foiled-by-facebook-status-update.html


Page 45: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


http://www.theolivepress.es/spain-news/2011/08/26/facebook-photo-blunder-leads-to-mafia-arrest-in-marbella/

Page 46: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


http://charlotte.cbslocal.com/2011/09/29/n-c-mans-facebook-photo-leads-to-arrest/

Page 47: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


http://www.huffingtonpost.com/2010/08/16/arrested-over-facebook-po_n_683160.htm


Page 52: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Standards Explosion

US: HIPAA/HITECH, GLBA, Red Flag Rules, and privacy breach laws in 47 states, Washington DC, Puerto Rico and the US Virgin Islands

Canada: PIPEDA, plus 3 provincial PIPA/PPIPS laws


Page 53: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Every Law has Protected Fields

• Names

• Postal address

• Tel & fax number

• Email address

• SSN

• Medical record number

• Health plan number

• Certificate/license number

• Vehicle ID or license

• Device identifiers

• Web URLs

• IP address

• Biometric ID

• Full face, comparable image

• Latanya Sweeney showed that 87% of all Americans can be identified by ZIP Code, DOB, sex.
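Sweeney's point is that none of the three fields is a "protected" identifier on its own, yet the triple is nearly as good as a name. The Python below is an added example, not from the presentation or from Sweeney's paper: over a constructed set of records it computes the size of the smallest group sharing a (ZIP, date of birth, sex) value (the dataset's k-anonymity), the fraction of people the triple pins to exactly one record, and what an attacker holding a triple from a voter roll learns; it then repeats the measurement after generalising ZIP to three digits and date of birth to a year, the kind of de-identification a data-sharing agreement should require. The names and records are invented.

```python
"""Added example: how identifying the (ZIP, date of birth, sex) triple is, measured as
k-anonymity over a constructed record set, and how generalising the fields raises k.
The records are invented; the ZIP codes are only sample values."""
from collections import Counter

# Constructed records: (name, ZIP, date of birth as ISO string, sex). Name is what an
# attacker holding the public triple is trying to recover.
RECORDS = [
    ("Ann",  "02139", "1971-03-04", "F"),
    ("Bea",  "02142", "1971-09-21", "F"),
    ("Bob",  "02139", "1971-03-04", "M"),
    ("Carl", "02142", "1971-12-02", "M"),
    ("Cleo", "02139", "1984-11-30", "F"),
    ("Dina", "02143", "1984-02-14", "F"),
    ("Eve",  "02142", "1990-01-01", "F"),
    ("Fay",  "02142", "1990-01-01", "F"),
    ("Gus",  "02143", "1990-01-01", "M"),
    ("Hal",  "02139", "1990-06-30", "M"),
]


def quasi_id(rec, zip_digits=5, dob_granularity="day"):
    """The quasi-identifier tuple at a chosen level of generalisation."""
    _name, zipcode, dob, sex = rec
    if dob_granularity == "day":
        d = dob
    elif dob_granularity == "year":
        d = dob[:4]
    elif dob_granularity == "decade":
        d = dob[:3] + "0s"
    else:
        raise ValueError(dob_granularity)
    return (zipcode[:zip_digits], d, sex)


def class_sizes(records, **gen):
    """How many records share each quasi-identifier value."""
    return Counter(quasi_id(r, **gen) for r in records)


def k_anonymity(records, **gen):
    """Smallest equivalence class; k = 1 means at least one person is unique."""
    return min(class_sizes(records, **gen).values())


def fraction_unique(records, **gen):
    """Share of records that the triple alone pins to one person (Sweeney's 87% figure)."""
    sizes = class_sizes(records, **gen)
    return sum(1 for r in records if sizes[quasi_id(r, **gen)] == 1) / len(records)


def reidentify(records, zipcode, dob, sex, **gen):
    """Attacker's view: names consistent with a triple taken from a public source."""
    target = quasi_id(("?", zipcode, dob, sex), **gen)
    return sorted(r[0] for r in records if quasi_id(r, **gen) == target)


if __name__ == "__main__":
    print("raw:", k_anonymity(RECORDS), fraction_unique(RECORDS),
          reidentify(RECORDS, "02139", "1971-03-04", "F"))
    gen = dict(zip_digits=3, dob_granularity="year")
    print("generalised:", k_anonymity(RECORDS, **gen), fraction_unique(RECORDS, **gen),
          reidentify(RECORDS, "02139", "1971-03-04", "F", **gen))
```

On ten records the full triple leaves 80% of people unique (k = 1); after generalisation every class has two members (k = 2) and the same attacker query returns two candidates instead of one. Real datasets need far coarser generalisation than this toy to reach a useful k, which is exactly why "we only keep ZIP, DOB and gender" is not de-identification.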


Page 54: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


IT Security Reality

"For many small businesses, the CIO is somebody's child down the road who's really good at Nintendo.“

- Howard Schmidt, US CyberSecurity CZAR


Page 55: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


1936 - SSNs established

1938 - A wallet manufacturer includes a sample card bearing its secretary's SSN inside its wallets. 40,000 people thought it was their SSN; 12 people were still using it in 1977.

Pre-1986 - Kids under 14 years old not required to have one

Post-1990 - Kids get an SSN with their birth certificate

Repeatedly, laws state that “we” oppose the creation of a national ID card. SSNs become de facto national ID numbers.

Result: Experian, TransUnion, Equifax

http://en.wikipedia.org/wiki/Social_Security_number

http://www.socialsecurity.gov/history/ssn/ssnchron.html


Page 56: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


• The numbers are run through public databases to determine whether anyone is using them to obtain credit. If not, they are offered for sale for a few hundred to several thousand dollars.

• Because the numbers often come from young children who have no money of their own, they carry no spending history and offer a chance to open a new, unblemished line of credit. People who buy the numbers can then quickly build their credit rating in a process called "piggybacking," which involves linking to someone else's credit file.

• If they default on their payments, and the credit is withdrawn, the same people can simply buy another number and start the process again, causing a steep spiral of debt that could conceivably go on for years before creditors discover the fraud.

http://www.foxnews.com/us/2010/08/02/ap-impact-new-id-theft-targets-kids-social-security-numbers-threaten-credit-737395719/


Page 57: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


PATRIOT Act – Global Reach


http://www.windows7news.com/2011/06/23/patriot-act-azure-cloud-security/

Page 58: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Irish Govt warns against using MS, Amazon, Google, etc.


http://www.aidanfinn.com/?p=10367

Page 59: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


http://www.theregister.co.uk/2011/10/17/verizon_privacy/


Page 60: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Andrew Orlowski compared Amazon Silk to Phorm, the intercept-and-track service trialled in the UK by BT and still being deployed elsewhere, pointing out how both have the potential to invade users' privacy pretty equally. When Phorm started collecting data, there was uproar. When Amazon announced the same thing, it seemed as if no one cared. http://www.theregister.co.uk/2011/10/17/amazon_silk_privacy/


Page 61: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


http://techland.time.com/2011/09/28/onstar-reverses-position-wont-track-you-if-you-cancel-service/


Page 62: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Hackers transfer $378,000 from Poughkeepsie to Ukraine

http://www.finextra.com/News/fullstory.aspx?newsitemid=21055

ATM hackers steal $9 Million in 1 day

http://www.wired.com/threatlevel/2009/02/atm/

Banking Trojan steals $438,000

http://news.cnet.com/8301-27080_3-10363836-245.html

Bank Of America vs. Lopez

http://www.americanbanker.com/usb_issues/115_4/-246231-1.html

Latanya Sweeney – What information is “Personally Identifiable”

http://www.eff.org/deeplinks/2009/09/what-information-personally-identifiable

“Trends in Financial Crimes”

http://www.rajgoel.com/infosecurity-issue-7-%e2%80%93-trends-in-financial-crimes-2

Page 63: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Googling your privacy away

• http://www.rajgoel.com/infosecurity-issue-6-%e2%80%94-data-leak-googling-away-your-security-and-privacy

• http://www.rajgoel.com/category/articles

Warshak vs USA

http://www.eff.org/cases/warshak-v-usa

Snakeoil Security

http://threatpost.com/en_us/blogs/effect-snake-oil-security-090710

Page 64: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Success Stories


Page 65: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


John Snow – London Cholera 1849-1854

1830 – Cholera outbreak: 60,000 deaths

1849 – He identified GEOGRAPHIC CLUSTERS of outbreaks

- Identified that the WATER SOURCE was the vector long before the CHOLERA GERM was identified

- Those with BETTER water sources were 20 times LESS LIKELY to die

- He did door-to-door validation/census to check water sources and his data

- RESULT: London took APPROPRIATE public health safety measures to control contaminated public water sources


Page 66: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Dr. Semmelweis – 1840s

During the 1840s many women died of childbed fever. Often the child became ill and died as well.

Dr. Semmelweis noticed that of the 2 clinics he was managing, one had a HIGHER rate of mortality than the other

- Mothers were ill during birth or up to 36 hours afterwards

- Observed that the problem started during the examination of the mother during dilation

The deaths were caused by MEDICAL STUDENTS who had just come from the morgue after performing autopsies and then proceeded to conduct pelvic examinations on laboring mothers.

This contradicted over 2000 YEARS of medical dogma and practices since Hippocrates.

He instituted hand-washing by medical staff between each procedure


Page 67: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Getting it Right

Medical marijuana advocates estimate that the aggregate annual sales tax revenue that's paid by the approximately 400 dispensaries in California is $100 million.

- http://www.npr.org/templates/story/story.php?storyId=89349791

Cost of War on Drugs in 2010 (so far):

$ 23 Billion (and counting) - http://www.drugsense.org/wodclock.htm

What was your overall IT spending last year? How much on questionable security products?


Page 68: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Getting it Right

“Anesthesiologists pay less for malpractice insurance today, in constant dollars, than they did 20 years ago.

That's mainly because some anesthesiologists chose a path many doctors in other specialties did not. Rather than pushing for laws that would protect them against patient lawsuits, these anesthesiologists focused on improving patient safety.

Their theory: Less harm to patients would mean fewer lawsuits.“

- Deaths dropped from 1 in 5,000 to 1 in 200,000-300,000

- Malpractice claims dropped 46% (from $332,280 in 1970 to $179,010 in the 1990s)

- Premiums dropped 37% (from $36,620 to $20,572)

- http://online.wsj.com/article/0,,SB111931728319164845,00.html?mod=home%5Fpage%5Fone%5Fus


Page 69: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Air Force demanded, and purchased, SECURE Desktops

2006 – After years of attacks, and dealing with a hodge-podge of desktop and server configurations, the US Air Force developed the Secure Desktop Configuration standard. All vendors are required to sell computers to the USAF (and later DOD and other government agencies) with standardized, locked-down configurations of:

•Windows

•MS Office

•Adobe Reader

•Norton AV

•Etc.

The US Dept. of Energy requires Oracle to deliver its databases in a secure configuration developed by the Center for Internet Security (www.cisecurity.org)


Page 70: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Spyware - Sony's DRM Rootkit: Anastacia CD costs retailer 1,500 Euros

Sep 14, 2009 – German judge orders retailer to pay plaintiff 1,500 Euros.

200 Euros – 20 hours wasted dealing with virus alerts

100 Euros – 10 hours for restoring data

800 Euros – fees paid by plaintiff to a computer expert to repair his network

185 Euros – legal costs incurred by plaintiff

“The judge’s assessment was that the CD sold to the plaintiff was faulty, since he should be able to expect that the CD could play on his system without interfering with it.

The court ordered the retailer of the CD to pay damages of 1,200 euros.”

http://torrentfreak.com/retailer-must-compensate-sony-anti-piracy-rootkit-victim-090914/

http://www.heise.de/newsticker/Verkaeufer-muss-Schadensersatz-fuer-Sony-Rootkit-CD-zahlen--/meldung/145233


Page 71: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Brainlink provides COMMON SENSE BASED IT

Security and Privacy Breach law compliance audits

Information Security Audits

IT Consulting for Healthcare

If you like what you're hearing, hire us!


Page 72: 2011 10 19 Raj Goel Isc2 Secure Boston Cloud Computing Oversharing Over Collecting


Contact Information

Raj Goel, CISSP

Chief Technology Officer

Brainlink International, Inc.

C: 917-685-7731

[email protected]

www.brainlink.com

www.linkedin.com/in/rajgoel
