Sep 11, 2012 – ASIS 58

Social Media & Cloud Computing Threats to Privacy, Security and Liberty, Session 3183
http://www.asis2012.org/Pages/Seminar-Home-Page.aspx

Social Media has quickly woven itself into the very fabric of everyday life. This boom in sharing, even the most banal of details, has had a resounding impact on how our children, employees and colleagues communicate.

Using case studies from the US and around the world, we’ll examine how people have lost jobs, college admissions, college degrees, fortunes and freedom through (un)social media.

We’ll also investigate the rampant OVERCOLLECTION of customer and subscriber data by major corporations and governments.

We’ll also discuss some strategies and steps we can take to protect civil liberties and privacy in the age of Social Media.

Social Media & Cloud Computing Threats to Privacy, Security and Liberty

Social Media has quickly woven itself into the very fabric of everyday life. This boom in sharing, even the most banal of details, has had a resounding impact on how our children, employees and colleagues communicate.

Using case studies from the US and around the world, we’ll examine how people have lost jobs, college admissions, college degrees, fortunes and freedom through (un)social media.

We’ll also investigate the rampant OVERCOLLECTION of customer and subscriber data by major corporations and governments.

We’ll also discuss some strategies and steps we can take to protect civil liberties and privacy in the age of Social Media.

In a rare show of honesty, Sergey Brin admitted that

 their data that was now in the reach of US authorities because it sits on Google’s servers. He said the company was periodically forced to hand over data and sometimes prevented by legal restrictions from even notifying users that it had done so.

Of course, he conveniently points the finger at his rivals – Facebook, Apple, Hollywood (RIAA/MPAA).

Yes Sergey, your competition is evil.  So’s your company.  If you don’t want the US government demanding access to all the data that Google collects, then STOP COLLECTING so much data.  START telling your users about the threats to THEIR privacy that you’ve created.  A Google Good-To-Know about ECPA and PATRIOT ACT would be so much nicer than your current ads.

The threat to the freedom of the internet comes, he claims, from a combination of governments increasingly trying to control access and communication by their citizens, the entertainment industry’s attempts to crack down on piracy,

From the attempts made by Hollywood to push through legislation allowing pirate websites to be shut down, to the British government’s plans to monitor social media and web use, the ethos of openness championed by the pioneers of the internet and worldwide web is being challenged on a number of fronts.

In China, which now has more internet users than any other country, the government recently introduced new “real identity” rules in a bid to tame the boisterous microblogging scene. In Russia, there are powerful calls to rein in a blogosphere blamed for fomenting a wave of anti-Vladimir Putin protests. It has been reported that Iran is planning to introduce a sealed “national internet” from this summer.

via Web freedom faces greatest threat ever, warns Google’s Sergey Brin | Technology | The Guardian.

In the EU-vs-Facebook cases, Facebook has sent european citizens 800 PAGES of documents.

In the US, a subpeona merits 62 pages.

So, either the Craigslist killer didn’t use Facebook as much as a dummy German profile, or Facebook held back hundreds of pages of data.  You decide.

If you’d like the full PDF, grab it from http://dl.dropbox.com/u/105727/fb-subpoena-db/index.html

From ZDNET:
The 71-page document is actually two documents in one. The first eight pages are the actual subpoena;the remaining 62 pages are from Facebook. Most of the pages sent over from the social networking giant consist of a single photograph, plus formal details such as the image’s caption, when the image was uploaded, by whom, and who was tagged. Other information released includes Wall posts, messages, contacts, and past activity on the site.

The document was released by the The Boston Phoenix as part of a lengthy feature titled “Hunting the Craigslist Killer,” which describes how an online investigation helped officials track down Philip Markoff. The man committed suicide, which meant the police didn’t care if the Facebook document was published elsewhere, after robbing two women and murdering a third.

via Here’s what Facebook sends the cops in response to a subpoena | ZDNet.

France-based VUPEN is one of the highest-profile firms trafficking in zero-day exploits. Earlier this month at the CanSecWest information security conference, VUPEN declined to participate in the Google-sponsored Pwnium hacking competition, where security researchers were awarded up to $60,000 if they could defeat the Chrome browser’s security and then explain to Google how they did it. Instead, VUPEN—sitting feet away from Google engineers running the competition—successfully compromised Chrome, but then refused to disclose their method to Google to help fix the flaw and make the browser safer for users.

“We wouldn’t share this with Google for even $1 million,” said VUPEN founder Chaouki Bekrar. “We don’t want to give them any knowledge that can help them in fixing this exploit or other similar exploits. We want to keep this for our customers.” VUPEN, which also “pwned” Microsoft’s Internet Explorer, bragged it had an exploit for “every major browser,” as well as Microsoft Word, Adobe Reader, and the Google Android and Apple iOS operating systems.

While VUPEN might be the most vocal, it is certainly not the only company selling high-tech weaponry on the zero-day exploit market. Established U.S. companies Netragard, Endgame, Northrop Grumman, and Raytheon are also in the business, according to Greenberg. He has also detailed a price list for various zero-day exploits, with attacks for popular browsers selling for well over $100,000 each and an exploit for Apple’s iOS going for a quarter million.

But who exactly are these companies selling to? No one seems to really know, at least among people not directly involved in these clandestine exploit dealings. VUPEN claims it only sells to NATO governments and “NATO partners.” The NATO partners list includes such Internet Freedom-loving countries as Belarus, Azerbaijan, Ukraine, and Russia. But it’s a safe bet, as even VUPEN’s founder noted, that the firm’s exploits “could still fall into the wrong hands” of any regime through re-selling or slip-ups, even if VUPEN is careful. Another hacker who goes by the handle “the Grugq” says he acts as a middleman for freelance security researchers and sells their exploits to many agencies in the U.S. government. He implies the only reason he doesn’t sell to Middle Eastern countries is they don’t pay enough.

via “Zero-day” exploit sales should be key point in cybersecurity debate | Electronic Frontier Foundation.

Could governments and private corporations recognise ANYONE instantly via CCTV?  Remember that

• London is the most densely surveilled city in the world
• The Occupy Wallstreet protesters were heavily surveillanced – audio, video, cell phone towers, photos, police checks – everything
• NYC is aiming to be as camera-surveillance dense as London

A new camera technology from Hitachi Hokusai Electric can scan days of camera footage instantly, and find any face which has EVER walked past it.

Its makers boast that it can scan 36 million faces per second.

The technology raises the spectre of governments – or other organisations – being able to ‘find’ anyone instantly simply using a passport photo or a Facebook profile.

The software from Hitachi Hokusai electric can scan through 36 million faces a second looking for its ‘target’. The software can scan through days of CCTV footage almost instantly

The software from Hitachi Hokusai electric can scan through 36 million faces a second looking for its ‘target’. The software can scan through days of CCTV footage almost instantly

The ‘trick’ is that the camera ‘processes’ faces as it records, so that all faces which pass in front of it are recorded and stored instantly.

via Could governments recognise ANYONE instantly via CCTV? Japanese camera can scan 36 million faces per second | Mail Online.

So let’s get this straight:

1) Symantec failed to stop the SONY Rootkit because Sony is a well-known multinational

2) Symantec released source code to the Indian Government without adequate protections

3) They’ve known about the breach for over 6 years, but until Anonymous threatened them, Symantec kept quite.

So, which is it?

Do Symantec’s DLP, AV and Security Software work, but Symantec FAILED to use them properly?

Or is their DLP/AV/firewall useless junk?

And will Symantec be compensating clients for lost time, failed security and productivity loss?

Threatened by Anonymous, Symantec tells users to pull pcAnywhere’s plug

Source code leaked [over 6] years ago, but now Anonymous hacking group has software in its sights

By Gregg Keizer

January 26, 2012 06:44 AM ET1

Computerworld – Symantec this week took the highly unusual step of telling users of its pcAnywhere remote access software to disable or uninstall the software while it fixes an unknown number of bugs.Security experts said the move was unprecedented for a company of Symantec’s size.”This is the first time I have seen a company of Symantec’s scale tell their customers to stop using a shipping product, especially one that many users depend on for remote access,” said HD Moore, chief technology officer of Rapid7, and the creator of the popular Metasploit penetration testing toolkit.”It’s certainly a new precedent for a security breach,” added Andrew Storms, director of security operations at nCircle Security. “Talk about dirty laundry getting aired.”Symantec’s recommendation was blunt.”At this time, Symantec recommends disabling the product until we release a final set of software updates that resolve currently known vulnerability risks,” the company in a statement Wednesday.

via Threatened by Anonymous, Symantec tells users to pull pcAnywhere’s plug – Computerworld.

Fourth Amendment’s Future if Gov’t Uses Virtual Force and Trojan Horse Warrants?

An interesting paper discussed the future of the Fourth Amendment in the cyber world. Can the government legally deploy malware for eavesdropping and remote searches, in order to investigate and control potential criminal activity? This is part one of looking at Susan Brenner’s paper, Fourth Amendment Future: Remote Computer Searches and the Use of Virtual Force.

By Ms. Smith on Tue, 11/08/11 – 2:24pm.

It’s a huge day on the privacy front, where technology, privacy and the Constitution had a head-on collision, and now the Supreme Court is hearing arguments about and “seeing shades of 1984″ in warrantless GPS tracking. The future of the Fourth Amendment looks a bit bleak in this digital age, so I hope SCOTUS does the right thing for the USA. Along those lines of surveillance without a warrant, I read an interesting paper about the Fourth Amendment in the cyber world and the government deploying malware for eavesdropping in order to investigate and control potential criminal activity. It provoked some deep, unpleasant, and yet realistic thoughts about how much virtual force is done now via stealthy spying Trojans which are launched by law enforcement for remote computer searches.

Susan W. Brenner, of the University of Dayton School of Law, wrote: Fourth Amendment Future: Remote Computer Searches and the Use of Virtual Force. She divided her focus into two main topics. The abstract states, “The first is the use of certain types of software, most notably Trojan horse programs, to conduct surreptitious, remote searches of computers and computer media. The other tactic is the use of ‘virtual force,’ e.g., using Distributed Denial of Service and other attacks to shut down or otherwise disable websites that host offending content and/or activities.”

via Privacy and Security Fanatic: Fourth Amendment’s Future if Gov’t Uses Virtual Force and Trojan Horse Warrants?.

Facebook Wants to Issue Your IRL Offline ID & Internet Driver’s License

At the start of this year, it seemed as if Facebook wanted to utilize its identity infrastructure already on millions of websites in order to issue your Internet driver’s license. Apparently that wasn’t aiming quite take-over-the-world high enough, since it now appears as if Facebook, via a trademark application, wants to issue your in-real-life offline identity cards as well.

By Ms. Smith on Mon, 10/17/11 – 1:23pm.

At the start of this year, it seemed as if Facebook wanted to utilize its identity infrastructure already on millions of websites in order to issue your Internet driver’s license. Apparently that wasn’t aiming quite high enough, since it now appears as if Facebook has future plans to issue your offline identity cards as well. Facebook filed for a trademark for “goods and services” to use Facebook on “cards, namely business cards and non-magnetically encoded identity cards” that could be read by NFC and RFID-enabled devices. If that didn’t make you shiver, then the new trademark application states, the “business card and identity card design services” and “printing services” would be for “facilitating social and business networking through the provision of data for use on business and identity cards.”

Like Google Plus, Facebook regards pseudonyms as a sin and wants to kill off anonymity. Many sites have cut back on comment spam, though, by requiring Facebook Connect which in turn requires a user’s real identity. Countless millions of websites have avoided the headaches and hassles of managing their own identity system by implementing the free and easy code for Facebook Connect to manage online identities. In fact, logging in, “liking” and sharing via Facebook has literally become a critical part of the Internet’s identity infrastructure.

via Privacy and Security Fanatic: Facebook Wants to Issue Your IRL Offline ID & Internet Driver’s License.

Secret Snoop Conference for Gov’t Spying: Go Stealth, Hit a Hundred Thousand Targets

Forget passive monitoring; go stealth to hit your target says the Hacking Team which sells hacking techniques and tools for invasive surveillance of the masses. Better yet, hit a hundred thousand targets. As the Police once sang, “Every breath you take and every move you make…I’ll be watching you,” and that seems to sum up the Italian vendor Hacking Team and what it pimps at Intelligence Support Systems (ISS) conferences.

By Ms. Smith on Thu, 11/10/11 – 3:21pm.

Forget passive monitoring for government spying; go stealth to hit your target says the Hacking Team which sells hacking techniques and tools for invasive surveillance of the masses. Better yet, hit a hundred thousand targets.From the Hacking Team brochure PDF – Fair Use We looked at legal means, with a Trojan horse warrant for remote computer searches. But what about those areas of mass surveillance without a warrant that seem shaded grey and lawfully questionable to many of us concerned about privacy? There are interesting conferences in which the doors are locked to Joe and Jane Doe, but thrown wide open for intelligence agencies and law enforcement. So what goes on behind those doors that are shut to the general public? IIS World Americas is open only to “law enforcement, intelligence, homeland security analysts and telecom operators responsible for lawful interception, electronic investigations and network intelligence.” There are many vendors of products that assist the government in spying, but the Hacking Team should send an eerie eavesdropping chill up your spine.

via Privacy and Security Fanatic: Secret Snoop Conference for Gov’t Spying: Go Stealth, Hit a Hundred Thousand Targets.