A bitter dispute between two leading Internet firms in China has caused the Chinese government to step in –
Michael Kan on Network World on Security
Posted on 23 November 2010.
Posted in Security
Posted on 15 November 2010.
AFP – The United States is preparing to boost efforts to police Internet privacy, with a push for new laws and a new office to manage the effort, the Wall Street Journal said Friday.
View full post on Yahoo! News: Security News
Posted in Security
Posted on 14 November 2010.
The Upshot – Worried about who’s watching you online? So are federal regulators. The Obama administration wants to beef up efforts to enforce Internet privacy. It’s planning to create a new online privacy czar, and to push for strong new laws, reports the Wall Street Journal. As part of the effort, the White House has created a special [...]
View full post on Yahoo! News: Security News
Posted in Security
Posted on 13 November 2010.
The Obama administration is reportedly considering plans to step up policing of Internet privacy issues and to establish a new position to direct the effort.
View full post on Network World on Security
Posted in Security
Posted on 10 November 2010.
In response to considerable privacy concerns, the federal Office of Personnel Management (OPM) is expected to soon release more details on its plans for a controversial new database containing information on the healthcare claims of millions of Americans.
View full post on Network World on Security
Posted in Security
Posted on 08 November 2010.
PC Magazine – The European Commission on Thursday proposed a sweeping overhaul to its data protection laws, which would, among other things, require Internet companies to collect as little data as possible about their users and be more transparent about their processes.
View full post on Yahoo! News: Security News
Posted in Security
Posted on 06 November 2010.
AP – The European Union wants companies such as Google Inc. or Facebook Inc. to give people more control over how their online habits are tracked, requirements that could crimp Internet firms’ ability to target advertising.
View full post on Yahoo! News: Security News
Posted in Security
Posted on 06 November 2010.
The European Commission on Thursday proposed a sweeping overhaul to its data protection laws, which would, among other things, require Internet companies to collect as little data as possible about their users and be more transparent about their processes.
View full post on PCMag.com Security Coverage
Posted in Security
Posted on 04 November 2010.
Time.com – A federal court has ruled that the state of North Carolina cannot get records on what Amazon shoppers purchased, but more needs to be done to protect online privacy
View full post on Yahoo! News: Security News
Posted in Security
Posted on 03 November 2010.
We’re at a cusp of an era where the reputation of one’s on-line social identity is becoming as critical as one’s “real world” reputation. Control over social identity data is the prize for which privacy advocates, individual consumers and business are fighting.

Who Are You?
In a formal setting of the “real world,” we typically think of our identity as our name or perhaps a personal identifier such as the driver’s license number. In the on-line world, though, our identity is defined by our social network and how we interact with its participants.
We are whom we know and what we do with them. That’s our social identity on-line.
Credit Reputation vs. Social Reputation
Trade practices in the “real world” began with the barter system, but ran into limitations where Person A wanted an item from Person B, but Person B didn’t want anything of Person A’s. Cash took care of that stumbling block, and allowed trade to flourish. The next challenge to commerce was cash flow: individuals or companies might not have enough cash to make a purchase today, but would have the cash tomorrow. The system of borrowing (e.g., trading on credit) took care of that limitation. The challenge with borrowing, from the lender’s perspective, is whom to trust? Credit rating bureaus appeared to keep track of persons’ and organizations’ credit worthiness.
The credit worthiness of a customer in the “real world,” often represented by individuals’ FICO scores, represents the person’s financial reputation.
In contrast, an on-line consumer’s reputation and “business-worthiness” is often measured in terms of the person’s social identity. Knowing the consumer’s social identity—his contact details, his on-line friends, his interests—allows companies to engage the person and “convert” him into a paying and hopefully loyal customer.
Individuals look up the social reputation of others all the time as well. You and I do it when we Google a person we just met to see what they wrote about themselves and others. We may also look up the person’s profile on a social networking site, such as LinkedIn and Facebook, to see if we share any friends and interests. The expectation is that it is hard, though of course not impossible, to create a fake reputation on a social network that’s rich with social activities.
Social Identity Reputation Score
How do you know whether an email address of a person is accurate? Look it up in one of many social networks to see if the address is associated with an active profile. How do you know whether the profile is fake? Look at the number of the person’s social connections, the frequency with which the person interacted with others, the time during which the person has been active on-line and the richness of the person’s social networking activity. The more meaningful activities you observe, the more trustworthy is the person’s social identity.
The trustworthiness of the person’s on-line social identity can be measured. We can come up with a formula that accounts for the elements of the person’s social activities, such as those I listed above, and converts them into something we might call a social identity reputation score. Let’s even give it an acronym to make it official: Social Identity Reputation Score (SIRS).
SIRS is the FICO score of the on-line world, and it will be as crucial to the economy in the future as the FICO score is today.
My friend Slava Frid brought up the similarity between the concept of SIRS and Google’s PageRank during our conversation. Just like Google computes a coefficient of importance to elements of an HTML page, so too can we compute a number to measure the relative value (related to trust or importance) of a social identity.
Importance of the Email Address
The workflow for determining the person’s SIRS, which I outlined above, starts with the person’s email address, because the email address can be used to discover the person’s social networking activity.
Companies that aggregate social data, such as Rapleaf, will become increasingly important. They will be increasingly valuable from a business perspective and increasingly scary from a privacy perspective. When describing how individuals are profiled on the web, Om Malik explained:
Think of Rapleaf as the provider of the FICO score about an email address. That email address comes with Facebook ID, Flickr ID, Twitter account information and other social details. For a marketer, or even someone trying to hit you up for business, this is pretty relevant data, for it allows them to target a customer and connect them socially. In another scenario, you can buy an email list of a million addresses for $1000, check them against Rapleaf and end up with about 10,000 emails worth targeting. That’s a pretty good deal.
Rapleaf seems perfectly positioned to calculate people’s SIRS. Maybe the company already does it today.

Privacy and the Social Identity
People often feel comfortable sharing some details about themselves, such as the car they drive, their income and age range, and so on, as long as they maintain anonymity. The notion of anonymity is starting to change in the on-line world: your name and “physical world” details might be less important than your social identity.
People’s privacy considerations on-line are starting to change beyond protecting the person’s “physical world” identity. Individuals recognize that they need to give up some information about themselves to establish a social identity. However, we want to control which aspects of our identity are available to which entities.
This granularity of social identity data sharing is the crux of privacy debates, and the reason we are concerned about issues such as Facebook data sharing and data aggregators such as Rapleaf.
As on-line social networks increase in importance for regular, “real world” interactions, so will the criticality of social identities. The battle is still only at its onset.
I wrote several posts on social networking and associated security risks. If you’re interested in this topic, be sure to take a look.
View full post on Lenny Zeltser on Information Security
Posted in Security
Posted on 03 November 2010.
Lookout Mobile Security will soon start selling a premium version of its smartphone security software that includes new privacy and backup and restore features.
View full post on Computerworld Security News
Posted in Security
Posted on 27 October 2010.
Every day we hear about a new kind of attack on privacy launched through Facebook. BitDefender’s now-in-beta SafeGo app aims to make Facebook safe and fun again.
View full post on PCMag.com Security Coverage
Posted in Security
Posted on 26 October 2010.
A company that compiles profiles of Internet users for targeted advertising said it is no longer passing user identifiers used by Facebook and MySpace to advertising networks due to privacy concerns.
View full post on Computerworld Security News
Posted in Security
Posted on 23 October 2010.
Facebook Thursday announced that it will start encrypting User IDs before they are transmitted to third-party Web sites.
View full post on Computerworld Security News
Posted in Antivirus, Internet Security, Malware, Security
Posted on 22 October 2010.
218 million “class members” probably won’t settle for Farmville dollar
A suit has been filed in U.S. District Court in San Francisco on behalf of a Minnesota woman charging game maker Zynga with leaking the personal information of 218 million Facebook members in violation of federal law. The suit seeks class action status. (Story in The Register of the UK here.)
The action follows by three days an investigative story by The Wall Street Journal that found a large number of Facebook apps – including Zynga games such as Farmville and Mafia Wars – leaked the user IDs of Facebook players and their friends to outside companies. (Story here.)
Users’ privacy on the Internet has been a dicey proposition (some say non-existent) for most of the net’s history. Social engineering techniques early on became about as refined as cryptographic algorithms.
The compromise of personal information from breached company, university and government systems made high-profile headlines. That resulted in security standards and laws that required notification of those whose information was compromised (California’s breach notification law, HIPAA, etc.).
The rise of spyware took the issue to entirely new levels and created a whole anti-spyware component of the anti-virus industry.
The most recent controversy over social media exposures (especially by young people) and persistent tracking cookies just refined the concern.
The central question in all of this for the Internet user should be: “will there be some new technology in the future that will circumvent all existing safeguards and compromise my personal information yet one more time?”
If Internet history is any guide, the answer is “yes.” There has been a long chain of innovative methods for extracting personal data from any place it is stored and it appears that will never end.
Hackers and virus writers solved the problem years ago. They use pseudonyms (and more than one in known cases.) We haven’t heard of any widespread use of pseudonyms by the average user on social media sites, but we predict it isn’t far off. And it’s not like we’re suggesting it, but changing accounts every few months on things like web email and social media sites and using false personal data like dates of birth would sure play havoc with tracking systems. It will probably give you a whole new selection of spam too.
Hey, on the Internet no one has to know you’re a dog (or your real DOB.)
Tom Kelchner
I stand corrected.
I’ve been told The Register has a sizable staff in the U.S. and half its 5.5 million unique readers are in the U.S. So when I wrote “The Register of the UK” that wasn’t really accurate.
View full post on Sunbelt Blog
Posted in Antivirus
Posted on 20 October 2010.
My company hired a new employee recently and as part of my responsibilities, I ran a basic background check for our new hire. If you’ve never seen a professional background check, you will most likely be shocked by the level of detail that can be gleaned from public records.
View full post on Computerworld Security News
Posted in Security
Posted on 18 October 2010.
Many Facebook applications share users’ personal information with advertising networks and other Internet-tracking companies, according to a Wall Street Journal report.
View full post on PCMag.com Security Coverage
Posted in Security
Posted on 08 October 2010.
After taking a beating from users over privacy issues this year, Facebook got the message and gave users more control over their information.
View full post on Network World on Security
Posted in Security
Posted on 04 October 2010.
The user data collected by some iOS apps can be correlated to real-world identities, posing a privacy risk to iPhone, iPod touch, and iPad users. According to research from Bucknell University, a majority of iOS apps transmit user data back to their own servers. But because some store more info than others—and in some cases, in plaintext—it can be easily pieced together to reveal more about individual users than they bargained for.
Bucknell University Assistant Director of Information Security and Networking Eric Smith authored the paper, entitled “iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs).” He and his team studied a total of 57 applications from the App Store—a combination of the Top 25 Free apps as well as some from the News: Top Free app sections. Sixty-eight percent of those applications transmitted the device’s UDID back to the app’s servers, though “several instances” were encrypted via SSL.
View full post on Security
Posted in Security
Posted on 02 October 2010.
The UK could be fined by the EU for failing to comply with internet privacy legislation.
View full post on Network World on Security
Posted in Security
Posted on 01 October 2010.
AFP – The European Commission said Friday it was taking the British government to court for failing to protect Internet user privacy.
View full post on Yahoo! News: Security News
Posted in Security
Posted on 30 September 2010.
Researchers have created Android-based code that tracks what applications on a smartphone actually do with the data they have access to. They do a lot, it turns out, and most of what they do is unknown to the end user.
View full post on Network World on Security
Posted in Security
Posted on 28 September 2010.
PC World – U.S. Web users are increasingly asking for tougher online privacy protections, even as they give more and more of their personal data to websites, and Internet-based companies are asking for certainty about privacy rules from U.S. regulators even as they also ask for flexibility to create new products, a U.S. official said Monday.
View full post on Yahoo! News: Security News
Posted in Security
Posted on 25 September 2010.
Facebook received welcome news that the Canadian Privacy Commissioner is satisfied the social network addressed privacy complaints lodged against it two years ago, but the social networking site is not yet entirely off the hook.
View full post on Network World on Security
Posted in Security