Blog

March 14th, 2014

NEW YORK (PIX11) – But the revelation that two Iranian passengers on the flight were able to board using stolen passports has not eased concerns about what appear to be gaping holes in the international security net that we all rely on once we leave America’s sphere of influence.

As more information pours in regarding the two passengers in question, investigators are now slowly turning away from any terror link.

Interpol currently maintains a database that contains millions of lost and stolen passports.

Only three countries – the United States, the United Arab Emirates and the U.K. – run travelers’ information against that database.

Sal Lifrieri is a terror and security analyst who tells PIX11, “So if you’re flying through a country, and that’s what we see with this particular case, you can fly into this country, and have a very minimal passport check – and move on to the next country.”

So how can you protect your passport – especially if you’re traveling internationally?

Technology consultant Raj Goel says the answer involves treating biometric, high-tech passports like cash.

“Correct. It’s the same exact concept, except you use slightly thicker plastic. So that somebody walking by can’t just do a brush pass and do RFID cloning of my passport, driver’s license, credit cards – or whatever have you. It takes a few seconds,” said Goel.

Keep it close, and remember that if your passport is made with something called RFID technology, a criminal doesn’t even have to physically snatch it in order to steal the information embedded in it.

Read more: http://pix11.com/2014/03/11/how-to-protect-yourself-against-high-tech-passport-thieves/#ixzz2vvrEsqat

Topic Articles
February 5th, 2014

Article by Raj Goel

I read a moving article on CNN.com about modern day slavery in Mauritania (see http://www.cnn.com/interactive/2012/03/world/mauritania.slaverys.last.stronghold/index.html/ ).

Yes, slavery still exists and 10-20% of the Mauritanian population is currently enslaved. What really hit me hard is that unlike traditional slavery involving chains and physical restraints, modern slavery is primarily mental. The hereditary slaves are born as slaves; they live in villages that have ceremonial fences. Anyone can walk away or run away, and yet very few do. They are so enmeshed in the culture that the thought of walking away doesn’t occur to them.

To quote from the article:

Fences that surround these circular villages are often made of long twigs, stuck vertically into the ground so that they look like the horns of enormous bulls submerged in the sand.
Nothing ties these skeletal posts together. Nothing stops people from running.
But they rarely do.

And a similar form of mental servitude exists in (anti-) social media today. This month, the world celebrates the 10th anniversary of Facebook. What we’re really celebrating is 10 years of ceaseless onslaught against freedom of speech, freedom of thought and freedom from self-incrimination – also known as the 1st, 4th and 5th Amendments of the US Constitution.

You could say that I am being hyperbolic in my characterization of Facebook as digital slavery, or that I’m taking poetic license and it’s not really fair to those who suffered, and still suffer, from the shackles of physical and financial servitude. Fair enough.

That said, let’s consider that in traditional slavery, the slave owner claimed ownership over the physical bodies of the slaves and the output of their physical labor. Slaves grew cotton and sugarcane, raised cattle, etc., and the masters took control of it.

In the modern era, our wealth isn’t generated from our sinews. We don’t break our backs toiling in the fields. Our wealth is intellectual in nature and digital in form, and it is being acquired for free by the lords of the internet.

  • Facebook claims perpetual ownership of your posts, likes, dislikes and photos.
  • Twitter claims perpetual ownership of your tweets, thoughts and stupidities.
  • Instagram, Flickr, etc. claim a perpetual license on your images.

As attorney Craig Delsack notes:

You grant the social media sites a license to use your photograph any way they see fit for free AND you grant them the right to let others use your picture as well! This means that not only can Twitter, Twitpic and Facebook make money from the photograph or video (otherwise, a copyright violation), but these sites are making commercial gain by licensing these images, which contain the likeness of the person in the photo or video (otherwise, a violation of their “rights of publicity”).

Amazon controls what you get to read, and has deleted books from Kindles remotely. Fittingly enough, the first book Amazon stole back from a paying customer was 1984.

Apple claims similar rights on your iPhones, iPads, iTunes and has given itself the right to remotely block or uninstall books, movies, songs, etc.

So what exactly are you buying when you “buy” eBooks from Amazon or Apple? What are you “buying” when you buy songs from Apple, Amazon, and Google? You’re “buying” the temporary right to read that book, watch that movie or listen to that song until the overlords decide that you’ve somehow violated their rights by travelling to a foreign country, visited wrong parts of the internet, etc. And any of these are grounds for them to delete content without reimbursement.

And how does Facebook fit into all of this?

In the 1970s and 1980s, we protested against the Communists and held up the East German Stasi as particularly pernicious. At the height of its power, an estimated 10% of the East German population spied on their neighbors.

Today, approximately 128 million Americans use Facebook.
Every like, dislike and comment is the private property of Facebook, to be bought and sold like a commodity. Your thoughts, pictures, family photos and privacy are a good sold on the open market.

And what does Facebook provide to its real customers – the corporations and governments?

From https://twitter.com/TheBakeryLDN/status/427531934294880256/photo/1

And that’s just a start…there’s much more that Facebook retains, and makes available to foreign governments.

I hear you. I hear your complaints. Without Facebook, how will you have a social life? How will you go out on dates? Or keep track of family get-togethers? Without Facebook, how will you share the family photos?

Scholars find many similarities between modern Mauritanian slavery and that in the United States before the Civil War of the 1800s. But one fundamental difference is this: Slaves in this African nation usually are not held by physical restraints.

Just like the Mauritanian slaves, who are held on farms not by physical shackles but by the cultural and mental ones that keep them enslaved, even though all they have to do is walk away.

No violence, no guns, just put one foot in front of the other.

Will you raise your kids as digital slaves? Or will you walk away…one mouse click at a time?

References:
4th Amendment issues – http://www.businessinsider.com/police-make-fake-facebook-profiles-to-arrest-people-2013-10
1st Amendment Issues – http://www.huffingtonpost.com/tag/facebook-arrest
5th Amendment Issues – http://www.digitaltrends.com/social-media/the-new-inside-source-for-police-forces-social-networks/
1st, 4th, 5th Amendment issues – http://www.nbcnews.com/technology/careful-what-you-tweet-police-schools-tap-social-media-track-4B11215908
http://news.cnet.com/8301-1023_3-57471570-93/facebook-scans-chats-and-posts-for-criminal-activity/
http://arstechnica.com/information-technology/2013/11/staking-out-twitter-and-facebook-new-service-lets-police-poke-perps/
Copyright and IP Ownership – http://www.nyccounsel.com/business-blogs-websites/who-owns-photos-and-videos-posted-on-facebook-or-twitter/
Amazon erases 1984 from Kindle – http://www.nytimes.com/2009/07/18/technology/companies/18amazon.html

Further Reading:
http://www.brainlink.com/2012/10/free-video-protect-your-kids-from-facebook-social-media-threats/
http://www.brainlink.com/2013/10/teach-your-kids-about-the-dangers-of-snapchat/
http://www.brainlink.com/2012/10/prevent-your-kids-from-becoming-accidental-porn-stars/
http://www.brainlink.com/de-volkskrant/
http://www.rajgoel.com/tag/panopticon/

Topic Articles
September 21st, 2013

Below is an excerpt from the keynote presentation I delivered at GBATA 2013 in Helsinki, Finland. It is based upon my “A Global Overview of Trends in Personal, Corporate and Government Surveillance” presentation. This article also appeared in the Homeland Security Newswire.

Those who ask you to choose SECURITY OR PRIVACY and those who VOTE on SECURITY OR PRIVACY are making false choices. That’s like asking AIR OR WATER — which do you choose? You need BOTH to live.

Maslow placed SAFETY (of which security is a subset) as 2nd only to food, water, sex and sleep. As humans we CRAVE safety.

As individuals and societies, BEFORE we answer the question “SECURITY OR PRIVACY”, we first have to ask “SECURITY FROM WHOM and WHAT?” and “PRIVACY FROM WHOM AND FOR WHOM?”

Until 1215, every Prince, King, Emperor and Conqueror thought he had divine right and was either a god or a manifestation of god. The MAGNA CARTA, for the first time in recorded human history, stripped Kings and Emperors of their divine right. WHY? Because the nobility had had enough of the incompetencies and cruelties of the ruling monarch. In 1628, Sir Edward Coke established in English Common Law that “A man’s home is his castle.” In 1791, the US Bill of Rights gave us the 4th Amendment: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

Each of these articles gave us, the citizens, the commoners, rights that were hard-fought by a small band of revolutionaries.

Franklin, Jefferson, Washington, Madison, Adams and countless others bled so that the masses could watch “Keeping up with the Kardashians” today.

Today, every techno-geek with classified access, every sysadmin, every spymaster and bureaucrat in the information acquisition, analysis and marketing machine presumes that he/she is god.

The internet has become a tool of the despots – and EVERY country and EVERY corporation is becoming THE STASI.

During the cold war, the US & the west demonized the USSR and the communists for denying their subjects/citizens property rights; freedom of speech; freedom of thought; freedom of religion.

Today, the US, UK, AU, NZ, CHINA, Russia, India – every nation spies on its citizens. They all do it in the name of SECURITY and protecting the citizenry from terrorists. I don’t recall the US Constitution or ANY other government’s charter requiring it to guarantee its citizens 100% safety or 100% security. Defense of the common good – yes. Decent infrastructure – yes.

Freedom from crime and terrorism is possible…but only if you live in a jail cell.

Privacy of thought is a basic HUMAN right.

We prided ourselves in the West on fighting for dissidents such as Solzhenitsyn & Sakharov. We even gave some of them Nobel Peace Prizes and visas to the West. Today, the US government (and others around the world) jail more dissidents, whistleblowers and freedom fighters than ever before. And corporations such as Amazon, Apple, Google, Adobe, SONY, Disney, etc. deny us basic property rights by “licensing” software and media to us.

Today, every elected politician, president, senator, prime minister and king, sees honest dissent as subversive.

Before you answer the question “SECURITY OR PRIVACY”, ask yourself: from whom, for whom and for how long.

When Vladimir Putin praises PRISM and the NSA, then I think we have a problem. When Steve Wozniak points out the similarities between our lack of rights in cloud and the communists, I think we have a problem.

In every generation, a new King John, a new Khrushchev and a new Solzhenitsyn are born. It’s OUR job as citizens to DEFEND the rights given to us by our respective constitutions and DEMAND that they be conferred on our WEAKEST citizens, not just the strongest or the wealthiest.

Feel free to have a reasonable (or unreasonable, as long as good beer or bourbon are involved) debate with me at ASIS59 in Chicago or wherever you catch me next – Hague, Helsinki, Washington DC, Chicago, Curacao, New Zealand – I will be bringing my opinions and research to a conference near you :-D

Topic Articles, CISSP
April 18th, 2013

This article originally appeared in De Volkskrant – http://www.volkskrant.nl/vk/nl/2844/Archief/archief/article/detail/3394833/2013/02/16/Vrees-de-Little-Sisters.dhtml

Everybody spies on everybody on the Internet. Your blogs, emails, tweets and photos can [and will] be used against you, anytime and anywhere, warns ICT expert Raj Goel. He fights for the privacy and self-determination rights of the computer user.

On New Year’s Day a young man from Colorado wrote on Facebook: “Jesus, I was so drunk last night. Sorry to the person whose car I grazed tonight.” Five minutes later one of his Facebook friends called the police; the same day the man was arrested for driving off after a collision.

Another example. An American man who had translated a Thai book into English on Facebook was arrested when he visited his family in Bangkok. The book was critical of the Thai king and prohibited under Thai law. The police’s offer: if you say that you are guilty, you only get a few years in prison; if you plead innocent, we lock you up for 20 years. The man has now been sentenced to 2.5 years in a cell. All his Facebook friends who could read the translations are guilty of “lese-majeste” under Thai law. They can forget a holiday in Thailand.

“Of course it’s good that a drunk driver is arrested after a collision,” says ICT expert Raj Goel. “But what people do not realize is that your blogs, emails, tweets and photos can be used as evidence against you. And messages that are acceptable in a western democracy may be punishable in other countries. The Internet has no boundaries.”

Goel campaigns like a missionary for awareness of the lack of human rights in the cyber world. He speaks at international conferences, such as recently in The Hague. His children, 9 and 11 years old, can only use email under his supervision and may not use social media. “As long as I don’t trust them with the car keys, they are not allowed to go on the digital highway without parental supervision. If your children do have permission,” he says, “make sure that they are aware of the dangers.”

Criminals

In the ‘normal’ world the record of a minor won’t haunt him his whole life.

A 16-year-old American boy who had sex with his girlfriend, shortly before her 16th birthday, and wrote about it on Facebook, was arrested and sentenced. He is now branded as a ‘pedophile’ and ‘sexual predator’ for the rest of his life. The internet does not forget.

A woman found this out the hard way while seeking custody of her children. She said in court that she had never used drugs. The lawyer and her ex found photos of her on social media in which she smoked hash [marijuana]. She was sentenced – not for the hash, but for perjury. The children now live with her ex-husband.

Photos can be used against you in various ways. What most computer users are unaware of, says Goel, is that shooting with a smartphone whose GPS is turned on – which is almost always the case – reveals not only the date and time a picture was taken, but also where. Three years ago, the wife of John Sawers, head of the British Secret Intelligence Service MI6, shared pictures of her family on Facebook during a holiday in southern France. Facebook friends could not only admire the Sawers in their swimsuits, but, through the metadata in the digital photos, also see their location. The result: the bodyguards in the pictures had to be replaced, and friends in the photographs had to be provided with security paid for by the British government. This fiasco cost the UK government millions of euros.
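The metadata leak described above, as an added example that is not from the article or from Goel: a small Python script that reads the GPS latitude and longitude out of a JPEG’s EXIF block and strips that block before the photo is shared. The sample JPEG and its coordinate are constructed in memory (arbitrary values, not a real location) so it runs offline; only the GPS tags are modelled, not a full EXIF writer.

```python
"""Find and remove GPS EXIF tags from a JPEG before it is shared.
Added example, not from the article: the sample image is constructed in
memory with an arbitrary coordinate so that everything runs offline."""
import struct

GPS_INFO_TAG = 0x8825                      # IFD0 entry pointing to the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, LONG, RATIONAL = 2, 4, 5            # TIFF field types used below
EXIF_HEADER = b"Exif\x00\x00"


def _entry(tag, ftype, count, value):
    """Pack one 12-byte big-endian IFD entry (inline bytes or an offset)."""
    if isinstance(value, bytes):
        return struct.pack(">HHI", tag, ftype, count) + value.ljust(4, b"\x00")
    return struct.pack(">HHII", tag, ftype, count, value)


def build_sample_jpeg(lat=(43, 42, 0), lon=(7, 15, 36), lat_ref=b"N", lon_ref=b"E"):
    """Constructed JPEG: SOI, APP0 (JFIF), APP1 (Exif holding only GPS tags), fake scan, EOI.
    lat/lon are (degrees, minutes, seconds); the defaults are arbitrary test values.
    """
    def dms(d, m, s):                      # three RATIONALs: d/1, m/1, s/1
        return struct.pack(">IIIIII", d, 1, m, 1, s, 1)
    # TIFF layout, offsets relative to the TIFF header:
    #   8: IFD0    (2 + 1*12 + 4 = 18 bytes) -> ends at 26
    #  26: GPS IFD (2 + 4*12 + 4 = 54 bytes) -> ends at 80
    #  80: latitude rationals (24 bytes), 104: longitude rationals (24 bytes)
    ifd0 = struct.pack(">H", 1) + _entry(GPS_INFO_TAG, LONG, 1, 26) + b"\x00" * 4
    gps = (struct.pack(">H", 4)
           + _entry(GPS_LAT_REF, ASCII, 2, lat_ref + b"\x00")
           + _entry(GPS_LAT, RATIONAL, 3, 80)
           + _entry(GPS_LON_REF, ASCII, 2, lon_ref + b"\x00")
           + _entry(GPS_LON, RATIONAL, 3, 104)
           + b"\x00" * 4)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0 + gps + dms(*lat) + dms(*lon)
    app1 = EXIF_HEADER + tiff
    exif_seg = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    jfif_seg = b"\xff\xe0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + jfif_seg + exif_seg + b"\xff\xda\x00\x02" + b"\x00" * 8 + b"\xff\xd9"


def _segments(data):
    """Yield (marker, start, end) for each header segment; stop at Start Of Scan."""
    pos = 2                                # skip the SOI marker
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield data[pos + 1], pos, pos + 2 + length
        pos += 2 + length


def _is_exif(data, start):
    return data[start + 1] == 0xE1 and data[start + 4:start + 10] == EXIF_HEADER


def _read_ifd(tiff, offset, endian):
    """Return {tag: (type, count, raw 4-byte value-or-offset field)} for one IFD."""
    n = struct.unpack(endian + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, ftype, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
        entries[tag] = (ftype, count, tiff[e + 8:e + 12])
    return entries


def _dms_to_decimal(tiff, field, endian):
    """Decode the three RATIONALs (deg, min, sec) that the value field points at."""
    off = struct.unpack(endian + "I", field)[0]
    v = struct.unpack(endian + "IIIIII", tiff[off:off + 24])
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600


def extract_gps(data):
    """Return (lat, lon) in decimal degrees, or None when the JPEG carries no GPS EXIF."""
    for _, start, end in _segments(data):
        if not _is_exif(data, start):
            continue
        tiff = data[start + 10:end]
        endian = ">" if tiff[:2] == b"MM" else "<"   # byte order from the TIFF header
        ifd0 = _read_ifd(tiff, struct.unpack(endian + "I", tiff[4:8])[0], endian)
        if GPS_INFO_TAG not in ifd0:
            return None
        gps = _read_ifd(tiff, struct.unpack(endian + "I", ifd0[GPS_INFO_TAG][2])[0], endian)
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat = _dms_to_decimal(tiff, gps[GPS_LAT][2], endian)
        lon = _dms_to_decimal(tiff, gps[GPS_LON][2], endian)
        lat = -lat if gps[GPS_LAT_REF][2][:1] == b"S" else lat
        lon = -lon if gps[GPS_LON_REF][2][:1] == b"W" else lon
        return round(lat, 6), round(lon, 6)
    return None


def strip_exif(data):
    """Return the JPEG with every APP1 Exif segment removed; other segments are kept."""
    out, pos = bytearray(data[:2]), 2
    for _, start, end in _segments(data):
        if not _is_exif(data, start):
            out += data[start:end]
        pos = end
    return bytes(out + data[pos:])       # scan data and EOI follow unchanged
```

Run `extract_gps` on a photo before posting it; if it returns a coordinate, pass the bytes through `strip_exif` and share the result instead.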

Security Strategy

The children of Michael Dell, the owner of Dell Computers, had uploaded pictures of their holiday in Fiji to their social media pages. This way the whereabouts of this wealthy family were easy to track. Their security efforts, for which Dell, Inc. paid $2.7 million per year, immediately became worthless.

Another computer magnate, John McAfee, founder of the anti-virus software company, was arrested in Guatemala in early January. He had been a fugitive for several months, under suspicion of having killed his neighbor in Belize. The journalist who interviewed McAfee in Guatemala published pictures of him on his website. [The metadata in the photos was not redacted.] Within a day the police knocked on the door of McAfee’s hiding place.

“If these computer moguls and their children are making these stupid mistakes,” says Raj Goel, “how can you and I protect our children? Do they know the risks of their online behavior?” Goel cites the example of police officers in Wisconsin who spend time on the Internet disguised as a beautiful young woman. The “beauty” tries to befriend as many young people as possible on Facebook. Once pictures of the minors drinking alcohol are detected (that’s what I read in an article), the police fine them $227 for underage drinking and they may get a criminal record.

The New York City Police Department discovered on the computer of a pedophile the complete profile of a 12-year-old girl in Pennsylvania, hundreds of miles away. Through the internet, he knew her friends, classmates, hobbies, pet, cheerleading team and favorite clothing brand. Under a false name, he had friended the girl and her school friends. “He knew more about her than her parents and teachers,” says Goel.

According to investigators, the man had planned to kidnap and abuse the 12-year-old. He had very accurately mapped the route she traveled to and from school, all her stops along that route and at what time she made those stops. “He knew all this without ever being near her.”

“The smartphone is the best spying tool ever invented”

A survey of American educational institutions by Kaplan showed that social media profiles sometimes affect the admission of young people to schools. This includes their contacts with friends and relations. Several admissions committees admitted that they have sometimes refused students on the grounds of their social media profile. The same applies to managers, who increasingly look at LinkedIn and Facebook when choosing between equally qualified candidates for a job. “You may have a clean profile,” says Goel, “but if your internet friends are unsavory, they may choose some other applicant.”

Goel finds it unacceptable that many rights that are guaranteed in the physical world are lacking on the Internet. He wants to launch a new struggle for human rights, this time for the cyber world.

A struggle for privacy rights, copyright and especially the self-determination of the computer user.

Why do companies collect your data? And why is it preserved for eternity?

“Collectively, all of us have built one large jail cell around the world,” says Goel. “And the smartphone is the best spying tool ever invented.” About thirty thousand times per month a mobile phone tells its provider where it is located. Because the device is usually in its owner’s pocket or handbag, the provider can determine to within a meter which routes a consumer takes. Data stored in databases remains forever.

Last year the FBI was rebuffed by a court for placing GPS trackers under suspects’ vehicles, which according to the judge was an unauthorized invasion of privacy. Later, when the FBI submitted the GPS data of the mobile phones, which it had acquired from the cell phone carriers, this was accepted as admissible evidence. Why? “Because you are not the owner of the location data of your phone,” says Goel. “Your cell provider is the legal owner. The investigators did not even need to show a court order to recover it. Waving a badge is enough.”

Love Letters

The same applied to the discovery of the love letters of former CIA Director David Petraeus in his Gmail account. “If he had received the letters from his mistress through the postal mail, FBI agents would have needed a search warrant from a judge to read them. But because they were emails, the FBI didn’t need court approval to acquire them,” says Goel.

The discovery of those letters cost Petraeus his position as head of the most powerful intelligence agency in the world.

Investigative services on the web are growing in power. In the Netherlands, parliament is debating whether to give the police permission to hack into a citizen’s private computer. In Europe, the ministers of justice are investigating how a criminal’s server located abroad – which is usually the case, since the internet knows no boundaries – can be infiltrated without violating the sovereignty of another country. Goel thinks that the sovereignty of the individual citizen is already violated too much.

The American Patriot Act, which came into force after the attacks on the World Trade Center in 2001, requires each provider to hand over all data on its customers to law enforcement when asked by the FBI, without notice to the users. The provider cannot inform its users afterwards either.

Google has announced that in 2012 the search engine and Gmail provider was forced to hand over the personal information of 54 thousand users (from various countries, including the Netherlands) to investigative services. Other social media sites, like Twitter, Facebook and LinkedIn, and web shops like Amazon, do not publish what information they had to release. But the total amount of information the police have gathered will be many, many times more than the 54 thousand that Google admits to releasing.

Lies

“At least as bad,” Goel says, “is the fact that it is almost impossible to get providers to remove incorrect information about a user from a search engine. Even if someone lies about someone else, removal requires costly litigation or other methods, usually paid for by the victim. It is the same as with the location data from your phone: not you, but the provider is the owner of everything that’s on social media.” A court in New Zealand required Google to change incorrect information about a NZ citizen, under penalty of $100,000. Google paid the fine.

The same is true for photos that Google was ordered by a judge to delete from the internet, and which later popped up again anyway. Without realizing it, internet users leave their fate in the hands of browsers and social media.

Goel says: “You have no power over your internet content. New legislation is required that would decrease the power of Internet companies. The provider should not determine what happens with digital information – users should be able to correct or delete information from these [Facebook, Google, etc.] databases.”

Did the digital world become a Big Brother Society?

“It’s not Big Brother, but the Little Sisters that we must fear,” says Goel. “If something happens anywhere, it is published immediately via Smartphone, cameras or social media and lives online forever.”

“We don’t live in a society where one eye watches everyone, but where billions of eyes are increasingly spying on each other. This is a kind of control that even George Orwell could not imagine.”

Contacts:

Wil Thijssen
Politie- en justitieverslaggeefster
De Volkskrant
w.thijssen@volkskrant.nl
+ 31 20-5623417
+ 31 6-55816338
www.vk.nl

Raj Goel
CTO & Co-Founder
Brainlink International, Inc.
raj@brainlink.com
917-685-7731
www.brainlink.com
www.rajgoel.com

Reprinted by permission of
De Volkskrant’s copyright team 3/11/2013.

April 18th, 2013


High-tech professional criminals are getting ever more clever

Malicious attacks on databases and incidents of online and other tech-related theft continue to evolve in number and manner, leaving both consumers and businesses scrambling to pay for the damage to their reputations and bottom lines. The Identity Theft Resource Center reports that in the first half of 2009, 18.4 percent of all breaches were from insider theft. That’s up from 15 percent in 2008 and 6 percent in 2007. During the same period, the ITRC reports that hacking totaled 18 percent of all data breaches, compared with 11.7 percent in 2008. Combined, these malicious attacks are up more than 10 percent in 2009, with data breaches and insider theft accounting for 36 percent of the 250 reported breaches this year.

Information security experts, including ITRC, say companies must implement effective data-protection policies and systems to safeguard their businesses and customers. Knowing what you are up against is a solid start in planning a defense against would-be thieves—from both inside and outside your company.

What follows are some of the latest trends in information security breaches and technology-related theft examples that hold valuable lessons for information security professionals.

Identification Theft

Identification theft continues to run rampant because so much of the information required to commit ID theft is available online due to inadequate controls, data leaks or human behavior.

For instance, ITRC reports that as of June 15, 2009, only 0.4 percent of all breaches involving laptops or other portable storage devices had encryption or other strong protection methods in use. Another 7.2 percent of reported breaches had data password protection. That leaves 92.4 percent of sensitive data with no protection at all. And ITRC reports that many of these breaches are repeated events affecting the same company or agency.

PrivacyRights.org reports that between 2005 and 2009, companies reported losing more than 431 million data records, primarily those of U.S. citizens. Stolen personal information has, in turn, created a vast black market for hijacked credit card numbers and bank account credentials. As of April 2009, Symantec reports that hijacked credit card numbers were being sold for as little as 6 cents per card in lots of 10,000.

ITRC suggests that any entity that requests personal information should have the technology and policies in place to limit access to sensitive information. For instance, companies can set up verification systems so that a consumer is not asked for his or her Social Security number merely to view a current balance.

Global Supply Chain Risks

Fake receipts and counterfeit gear are just a couple of examples of crimes that have swept through global supply chains. Fake receipts include everything from fake ticket stubs and railway passes sold online by unscrupulous companies to fake restaurant or taxi receipts turned in by unscrupulous employees looking to pad expenses.

One recent business scammer fraudulently raised $50 million from local investors by using fake receipts to support a lie about the number of existing U.S. customers signed on with his business. In another case, Chinese authorities reported seizing several warehouses full of fake receipts worth an estimated $147.3 billion.

Another booming criminal business is the production and sale of counterfeit technology. For instance, the U.S. Federal Bureau of Investigation recently discovered nearly $2 million in counterfeit Cisco Systems gear that leading private companies and leading government agencies were using unknowingly.

Government investigators and industry experts say the Cisco example highlights a need for companies’ IP protection teams, resellers, law enforcement liaisons and customer service teams to stay in touch and be aware of red flags such as customer complaints.

Online Banking and Mortgage Fraud

Banks across the globe have spent billions of dollars over the past few years encouraging consumers to shift to online banking. And businesses everywhere have implemented more and more self-serve transaction methods — online and in person.

However, not all security ramifications have been thought out. For instance, if a customer logs into her bank account and a piece of malware transfers funds out of her account, who is liable?

In the U.S. home mortgage industry, meanwhile, reports of criminals targeting owners of rental properties or second homes with attractive refinancing offers are on the rise. Using data supplied by the victims, the criminals forge credentials, refinance properties and abscond with the funds.

And when risky business practices in the subprime loan and mortgage market played out as a leading cause of the global financial meltdown, many people were surprised to find out just how many banks and lenders had inadequate internal digital controls.

In one sample case, a vocational nurse violated HIPAA’s provisions and stole the identification of a 72-year-old woman. The nurse and three accomplices were able to cash out $165,000 of the woman’s home equity.

Spam, Malware and Insecure Coding

According to a new survey by the Messaging Anti-Abuse Working Group (MAAWG), 12 percent of Internet users admitted clicking on spam because they were interested in the product or service offered. Eighty percent said they didn’t believe they were at risk from malware when doing so.

And it’s not just criminals who are peddling fake antivirus software or bogus spyware, or botnet herders hijacking machines. For instance, the New York attorney general’s office in 2007 fined Priceline, Travelocity and Cingular for using adware programs to market their products.

Meanwhile, insecure or bad coding — whether it’s a flaw in APIs from a vendor that has acquired other companies, multiple companies agreeing on the same insecure standards, or single-vendor flaws — is likely here to stay.

For instance, HIPAA is touted as a good first step in protecting the electronic storage of medical data, but it only applies to doctors, hospitals, insurance companies and the government. It excludes pharmaceutical companies and services to which consumers voluntarily give their health information. Industry watchers say new online health services, such as Google Health, Microsoft Health and other services that are exempt from HIPAA-required controls, will lead to further privacy erosion due to flaws in their APIs or third-party APIs.

The Bottom Line

The Ponemon Institute reports that in 2005, the cost for companies that lost 10,000 records or more was $138 per record to clean up. By 2008, the cost per lost record rose to $202. Multiply that by 10,000 records and it skyrockets to more than $2 million.

Security experts say the best defense is to learn from trends in crimes, and use the knowledge to revise and build better policies and systems in cooperation with industry peers and government agencies—because you will be targeted again.

Topic Articles
April 18th, 2013


The search giant saves a lot of information. Here’s what you should know.

It’s no secret that Google retains search data and metadata regarding searches — in fact, it’s quite open about doing so. What’s unclear, though, is the long-term threat to information security and privacy.

Let’s review Google’s elements.

Google Search: This search engine is gathering many types of information about online activities. Its future products will include data gathering and targeting as a primary business goal.

All of Google’s properties — including Google search, Gmail, Orkut and Google Desktop — have deeply linked cookies that will expire in 2038. Each of these cookies has a globally unique identifier (GUID) and can store search queries every time you search the Web. Google does not delete any information from these cookies.

Therefore, if a list of search terms is given, Google can produce a list of people who searched for each term, identified either by IP address or by Google cookie value. Conversely, if an IP address or Google cookie value is given, Google can also produce a list of the terms searched by the user of that IP address or cookie value.

Orkut: Google’s social-networking site contains confidential information such as name, email address, phone number, age, postal address, relationship status, number of children, religion and hobbies. In accordance with its terms of service, submitting, posting or displaying any information on or through the Orkut.com service automatically grants Orkut a worldwide, nonexclusive, sublicensable, transferable, royalty-free, perpetual, irrevocable right to copy, distribute, create derivative works of, and publicly perform and display such data.

Gmail: The primary risk in using Gmail lies in the fact that most users give their consent to make Gmail more than an email-delivery service and enable features such as searching, storage and shopping. This correlation of search and mail creates real privacy risks. For example, under the Electronic Communications Privacy Act, email stored on third-party servers for more than 180 days loses the warrant-level protection given to newer mail and can be compelled with a subpoena or court order instead.

Gmail Mobile: Mobile phones are increasingly being sold with Gmail built in, and if not, it can be downloaded. The questions to ask: How uniquely does your mobile phone identify you as the user, and when was the last time you changed your phone and your identifiers?

Gmail Patents: Gmail’s patent application #20040059712 covers “serving advertisements using information associated with email.” This allows Google to create profiles based on a variety of information derived from emails: senders, recipients, address books, subject-line text, path names of attachments and so on.

Google Desktop: Google Desktop allows users to search their desktops using a Google-like interface. All word-processor documents, spreadsheets, emails and images on a computer become instantly searchable. Index information is stored on the local computer. Google Desktop 3 allows users to search across multiple computers; to do so, GD3 stores the index and copies of files on Google’s servers for nearly a month.

Chrome: Chrome is Google’s browser. It’s available for download today and will eventually be installed on new PCs. Some of the risks it poses include:

  • Every URL visited gets logged by Google.
  • Every word, partial word or phrase typed into the location bar, even if you never press Enter/Return, gets logged by Google.
  • Chrome sends your Google cookie along with every automatic search it performs from the location bar.

Android: Android is Google’s operating system for cell phones. It retains information about dialed phone numbers, received phone-call numbers, Web searches, emails and the geographic locations at which the phone was used.

Google Health: This product allows consumers—your employees, coworkers and customers among them—to store their health records with Google. Recently, CVS Caremark, along with Walgreens and Longs Drugs in the United States, agreed to allow Google Health users to import their pharmacy records.

Organizational Threats

Uninstalling these products or using competing tools can mitigate many of these threats. But what about the dangers to your organization? One example is Google search with its Google Flu Trends (www.google.org/flutrends).

Google has correlated flu data from the U.S. Centers for Disease Control (CDC) from 2003 to the present with its own search data. Spikes in users’ searches about flu treatments correlated tightly with the CDC data. Flu Trends has demonstrated Google’s ability to analyze search data for a specific term or set of terms. And it can retain this data, and where it came from, because Google states in its privacy policies that it records IP addresses.

So, what’s to stop Google from analyzing all search data coming from your organization’s networks? What’s the difference between analyzing flu trends and producing the “Top 100 search terms from XYZ Corp.”? Or what if a company were to correlate regional swine flu threats with search data and Google Health prescription data, and then analyze the health of its employees and detect long-term effects?
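As an added example (not part of the original article), here is how a provider holding such logs can answer both lookups the text describes and then roll queries up by the organization whose egress addresses they came from. The log lines, cookie GUIDs, IP prefixes and organization names are all constructed for the illustration; the only assumption is that an organization’s users reach the provider from a known set of public prefixes.

```python
"""Added example (not from the original article): how a search provider that
logs client IP, cookie ID and query text can answer "who searched for X",
"what did this cookie/IP search for", and "top terms per organization".
Every log line, cookie GUID, prefix and organization name below is
constructed for the illustration."""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample log: timestamp, client IP, cookie GUID, query text.
SAMPLE_LOG = """\
2013-04-01T09:12:03Z 203.0.113.17 c1f0-aaaa flu symptoms
2013-04-01T09:14:51Z 203.0.113.17 c1f0-aaaa tamiflu dosage
2013-04-01T09:20:10Z 203.0.113.42 9b22-bbbb quarterly layoff rumors
2013-04-01T10:02:44Z 198.51.100.8 77de-cccc flu symptoms
2013-04-01T10:05:01Z 203.0.113.42 9b22-bbbb flu symptoms
2013-04-01T11:30:00Z 192.0.2.77 41aa-dddd best pizza
2013-04-01T11:31:12Z 203.0.113.42 9b22-bbbb tamiflu dosage
"""

# Assumption for the example: each organization's users leave through a
# known, fixed set of public prefixes (documentation ranges used here).
ORG_PREFIXES = {
    "XYZ Corp": [ipaddress.ip_network("203.0.113.0/24")],
    "ACME Ltd": [ipaddress.ip_network("198.51.100.0/24")],
}


def parse_log(text):
    """Yield (ip, cookie, query) from the whitespace-separated log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, ip, cookie, query = line.split(" ", 3)
        yield ip, cookie, query.strip().lower()


def build_indexes(records):
    """Build term -> identities and identity -> terms indexes.

    An identity is ("ip", address) or ("cookie", guid); both are indexed so
    a lookup works with whichever identifier the analyst has in hand."""
    term_to_ids = defaultdict(set)
    id_to_terms = defaultdict(list)
    for ip, cookie, query in records:
        for ident in (("ip", ip), ("cookie", cookie)):
            term_to_ids[query].add(ident)
            id_to_terms[ident].append(query)
    return term_to_ids, id_to_terms


def who_searched(term_to_ids, term):
    """Lookup 1 from the text: everyone (IP or cookie) who searched a term."""
    return sorted(term_to_ids.get(term.lower(), set()))


def terms_for(id_to_terms, kind, value):
    """Lookup 2 from the text: every term searched by one IP or cookie."""
    return id_to_terms.get((kind, value), [])


def org_for_ip(ip):
    """Attribute a client address to an organization by egress prefix."""
    addr = ipaddress.ip_address(ip)
    for org, nets in ORG_PREFIXES.items():
        if any(addr in net for net in nets):
            return org
    return None


def top_terms_by_org(records, n=3):
    """The 'Top N search terms from XYZ Corp.' report, built from the log."""
    counts = defaultdict(Counter)
    for ip, _cookie, query in records:
        org = org_for_ip(ip)
        if org is not None:          # unattributed home/mobile users are skipped
            counts[org][query] += 1
    return {org: c.most_common(n) for org, c in counts.items()}


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    t2i, i2t = build_indexes(recs)
    print(who_searched(t2i, "flu symptoms"))
    print(terms_for(i2t, "cookie", "9b22-bbbb"))
    print(top_terms_by_org(recs))
```

Nothing here needs more than the three fields the article says are retained: client IP, cookie value and query text. The per-organization table is exactly the “Top 100 search terms from XYZ Corp.” report the text describes, and it falls out of ordinary logs in a few lines. The practical countermeasure on the organization’s side is to break the linkage rather than the logging: an egress proxy that strips or rotates search cookies, and search traffic that does not leave from a fixed, attributable prefix.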

Overall, the most critical threat is reliance on Gmail—whether the setting is universities, cities, companies or countries switching to Gmail en masse, or the newest employees in the organization using Gmail as their primary or sole email platform.

Questions to ask your security team: How big is the organization’s email archive? How many years of emails are saved? If your organization switches its email hosting service to Google Gmail, what happens to the privacy and confidentiality clauses in your employee and customer contracts?

Another area of concern for hosted email is the potential of having to turn that data over to the government. Google, Yahoo and Microsoft have a history of complying with requests for information from the United States and foreign governments. If such data is turned over, how much corporate security is eroded?

Consider the amount of money and manpower dedicated to handling Microsoft Windows patches, viruses, spyware and botnet detection. Imagine the impact that reliance on Google products could have on corporate privacy and security.

Topic Articles
April 2nd, 2013

For years, clients have asked us what the REAL cost of non-compliance (with HIPAA, PCI, etc.) is. Thankfully, Dr. Ponemon and his team have put some real numbers to the cost of breaches.


Now, I’m constantly asked “what’s the harm in posting on Facebook”, “using Dropbox or Google Drive”, “buying Google Glass” or “why should we care about drones—video cameras watch us anyway”.


Prof. Neil Richards is diving head-first into this pool, and he has some smart things to say.

From his abstract:

First, we must recognize that surveillance transcends the public-private divide. Even if we are ultimately more concerned with government surveillance, any solution must grapple with the complex relationships between government and corporate watchers. Second, we must recognize that secret surveillance is illegitimate, and prohibit the creation of any domestic surveillance programs whose existence is secret. Third, we should recognize that total surveillance is illegitimate and reject the idea that it is acceptable for the government to record all Internet activity without authorization. Fourth, we must recognize that surveillance is harmful. Surveillance menaces intellectual privacy and increases the risk of blackmail, coercion, and discrimination; accordingly, we must recognize surveillance as a harm in constitutional standing doctrine.

via The Dangers of Surveillance by Neil Richards :: SSRN.


Also look at what Bruce Schneier has to say about it at http://www.schneier.com/blog/archives/2013/03/the_dangers_of.html


Topic Articles
April 2nd, 2013

What’s the difference between your laptop and your smartphone?

When it comes to information leakage, not much.

As the Wired article shows, a cell phone “wipe” leaves almost as much data behind as reformatting a hard drive does.

In both cases, the user thinks they have deleted data and purged traces.

In both cases, low cost tools can recover mountains of sensitive data.

Thinking about selling that old cell phone for cash? Or donating it to charity? You’d be better off getting it shredded…


Few things are more precious, intimate and personal than the data on your smartphone. It tracks your location and logs your calls. It’s your camera and your mobile banking device; in some cases it is a payment system in and of itself that knows what you bought and when and where and for how much. All of which explains why you wipe it before sending it off to a recycler or selling it on eBay, right? Problem is, even if you do everything right, there can still be lots of personal data left behind.

Simply restoring a phone to its factory settings won’t completely clear it of data. Even if you use the built-in tools to wipe it, when you go to sell your phone on Craigslist you may be selling all sorts of things along with it that are far more valuable — your name, birth date, Social Security number and home address, for example. You may inadvertently sell your old photos, nudes and all. The bottom line is, the stuff you thought you had gotten rid of is still there, if someone knows how to look.

“There are always artifacts left behind,” explains Lee Reiber,

via Break Out a Hammer: You’ll Never Believe the Data ‘Wiped’ Smartphones Store | Gadget Lab | Wired.com.
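An added example (not from the Wired article or the original post) of why a factory reset leaves so much behind. The storage image is a constructed in-memory stand-in for a phone’s flash with a made-up layout (a 512-byte directory region followed by fixed-size data blocks). A reset that clears only the directory is contrasted with an overwrite of every block, and a small signature carver of the kind forensic tools use shows what each one leaves recoverable.

```python
"""Added example (not from the original post or the Wired article): data
remanence after a metadata-only "wipe", demonstrated with a constructed
storage image and a signature-based carver. The layout (512-byte directory,
then 256-byte data blocks) is an assumption made for the illustration."""
import re

DIR_SIZE = 512     # assumed size of the directory/allocation region
BLOCK = 256        # assumed data block size

JPEG_SOI = b"\xff\xd8\xff"          # JPEG start-of-image marker
JPEG_EOI = b"\xff\xd9"              # JPEG end-of-image marker
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")   # U.S. SSN pattern

# Constructed stand-ins for a photo and a note containing an SSN.
PHOTO = JPEG_SOI + b"\xe0" + b"JFIF-stand-in-pixels" + JPEG_EOI
NOTE = b"tax note: ssn 123-45-6789 filed"


def make_image(files):
    """Lay files out as a byte image: directory entries, then data blocks."""
    entries = []
    data = bytearray()
    for name, payload in files:
        offset = DIR_SIZE + len(data)
        entries.append(f"{name}:{offset}:{len(payload)}".encode())
        data += payload
        data += b"\x00" * (-len(payload) % BLOCK)   # pad to a whole block
    directory = b";".join(entries).ljust(DIR_SIZE, b"\x00")
    return bytearray(directory + data)


def list_files(image):
    """What a normal file browser sees: only what the directory says exists."""
    directory = bytes(image[:DIR_SIZE]).rstrip(b"\x00")
    if not directory:
        return []
    return [entry.split(b":")[0].decode() for entry in directory.split(b";")]


def quick_wipe(image):
    """Factory-reset style: zero the directory only; data blocks are untouched."""
    image[:DIR_SIZE] = b"\x00" * DIR_SIZE
    return image


def full_overwrite(image):
    """Overwrite every byte of the storage, directory and data alike."""
    image[:] = b"\x00" * len(image)
    return image


def carve_jpegs(image):
    """Recover JPEG blobs by scanning for SOI/EOI markers, ignoring the directory."""
    raw = bytes(image)
    found, pos = [], 0
    while True:
        start = raw.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = raw.find(JPEG_EOI, start)
        if end < 0:
            break
        found.append(raw[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return found


def carve_ssns(image):
    """Recover SSN-shaped strings from raw storage, directory or not."""
    return [m.decode() for m in SSN_RE.findall(bytes(image))]


def snapshot(image):
    """(visible files, carved JPEG count, carved SSNs) for one storage state."""
    return list_files(image), len(carve_jpegs(image)), carve_ssns(image)


def demo():
    """Return the snapshot before, after a quick wipe, and after a full overwrite."""
    img = make_image([("photo.jpg", PHOTO), ("notes.txt", NOTE)])
    before = snapshot(img)
    after_quick = snapshot(quick_wipe(img))
    after_full = snapshot(full_overwrite(img))
    return before, after_quick, after_full


if __name__ == "__main__":
    for label, state in zip(("before", "quick wipe", "full overwrite"), demo()):
        print(f"{label:15s} visible={state[0]} jpegs={state[1]} ssns={state[2]}")
```

After the quick wipe the file browser reports nothing, yet the carver still returns the photo and the SSN; only the overwrite of every block removes them. On a real phone the caveat cuts the other way too: flash controllers remap and wear-level pages, so even a full overwrite issued by the OS is not guaranteed to reach every physical page. That is why the dependable approaches are encryption from first use with key destruction at reset, or, as the post says, physical destruction.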

Topic Articles
April 2nd, 2013

After the NCSC 2013 presentation, Peter Teffer interviewed me.


Here’s a (very poor) Google translation of his original Dutch article

If we do not ask, we will not get. Facebook, Google, Apple and other Internet and technology companies will only address our privacy concerns if consumers take to the barricades. “It is time to demand that your data are yours and not someone else’s,” said the American consultant Raj Goel, who recently gave a lecture in The Hague on social media and privacy.

Goel earns his money partly by giving such lectures; he has written a book that he wants to sell, and companies hire him because he is known as a computer security expert. But that does not mean he does not believe in the importance of his message. “The battle for privacy is the next step in the civil rights struggle.”

It is not in the interest of the Internet companies to protect our privacy, and we should not expect much from governments either. Only when consumers demand that smartphones and social networks really take privacy into account will we stop being spied on thousands of times per month, argues Goel.

Can we ordinary people get large, powerful companies to do what we want? “Yes,” says Goel. “Look at history. 150 years ago we had no right to clean air or clean water and food. Only when someone like Upton Sinclair described the unhealthy conditions of food production in 1905 did society say: enough, we want clean and healthy food.”

Cultural change is not impossible, Goel emphasizes. Forty years ago nobody read the leaflets that come with drugs or the labels on food. Nowadays they do. “If you are willing to devote five or ten minutes to reading your food packaging and asking your doctor why certain medications are needed, then why not take five minutes to ask questions about the technology you use?”

Instead of just saying, wow, what a nice phone, we should also look at the privacy aspects of a product. “Make sure you are a more conscious consumer. Twenty years ago you had only eggs. Now you have free-range eggs, organic eggs, and so on. We have fair-trade clothing and food. It is now time for honest technology.”


http://peterteffer.com/2013/03/29/strijd-voor-privacy-is-volgende-stap-van-burgerrechtenstrijd/

Topic Articles
April 2nd, 2013

The NCSC conference 2013 was an amazing event #1


Michael Ahti’s presentation on how China controls its internet (and how other countries are copying the model) was educational and slightly frightening.

He clearly explains why the Chinese government encourages copycat sites and how Beijing uses citizens and the internet to keep the regional mandarins in check.


HIGHLY RECOMMENDED!


Topic Articles