2010 10 27 Isc2 Protecting Consumer Privacy

Learn about threats to YOUR customers' privacy.

- Googling Your Corporate Privacy Away

- Tools and practices your users are already using that will compromise their privacy.

- Trends in Regulations
- Rules and regulations you need to know to stay current

- Trends in Financial Crimes - New crimes, old crimes with new tools and why your company is so attractive to attackers

- Effective Multicompliance - Tips, Techniques and lessons learned in staying compliant, while increasing profits and maintaining your sanity


  1. Brainlink International, Inc. You run your business, and leave the IT to us.
     Protecting Consumer Privacy: DO's, DON'Ts
     Raj Goel, CISSP, Chief Technology Officer, Brainlink International, Inc.
     raj@brainlink.com / 917-685-7731
     © 2010 Raj Goel raj@brainlink.com | 917.685.7731
  2. Agenda
     • Threats to Consumer Privacy
     • Government & Society
     • IT Vendors
     • Facebook
     • Google
     • Learn from the FTC
     • Case Studies in Failure
     • Success Stories
  3. Social Security Numbers – A Brief History
     1936 - SSNs established.
     1938 - A wallet manufacturer includes its secretary's SSN card as a sample inside its wallets. 40,000 people thought it was their SSN; 12 people were still using it in 1977.
     Pre-1986 - Kids under 14 years not required to have one.
     Post-1990 - Kids get an SSN with their birth certificate.
     Repeatedly, laws state that "we" oppose the creation of a national ID card. SSNs become the de facto national ID number.
     Result: Experian, TransUnion, Equifax.
     http://en.wikipedia.org/wiki/Social_Security_number
     http://www.socialsecurity.gov/history/ssn/ssnchron.html
  4. Social Security Number Fraud – Target: Kids
     "The numbers are run through public databases to determine whether anyone is using them to obtain credit. If not, they are offered for sale for a few hundred to several thousand dollars. Because the numbers often come from young children who have no money of their own, they carry no spending history and offer a chance to open a new, unblemished line of credit. People who buy the numbers can then quickly build their credit rating in a process called 'piggybacking,' which involves linking to someone else's credit file. If they default on their payments, and the credit is withdrawn, the same people can simply buy another number and start the process again, causing a steep spiral of debt that could conceivably go on for years before creditors discover the fraud."
     - http://www.foxnews.com/us/2010/08/02/ap-impact-new-id-theft-targets-kids-social-security-numbers-threaten-credit-737395719/
  5. Standards Explosion
     US: HIPAA/HITECH, GLBA, Red Flag Rules, and privacy breach laws in 47 states, Washington DC, Puerto Rico and the US Virgin Islands.
     Canada: PIPEDA, plus 3 provincial PIPA/PPIPS laws.
  6. Every Law has Protected Fields
     • Names
     • Postal address
     • Telephone & fax numbers
     • Email address
     • SSN
     • Medical record number
     • Health plan number
     • Certificate/license number
     • Vehicle ID or license plate
     • Device identifiers
     • Web URLs
     • Internet protocol (IP) addresses
     • Biometric identifiers
     • Full-face and comparable images
     Latanya Sweeney showed that 87% of all Americans can be uniquely identified by ZIP code, date of birth and sex alone.
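Sweeney's 87% figure is a statement about re-identification, not about any one of the protected fields above: strip every name and SSN and the combination of ZIP, date of birth and sex still singles most people out, and a public list that carries those same three fields (a voter roll, for example) turns that into a name. The following is an added example, not code from the presentation; the records and the voter roll are constructed, the generalization step (3-digit ZIP prefix, birth year only) is one of several possible, and it shows both the linkage attack and the k-anonymity check a data owner would run before releasing an extract.

```python
from collections import Counter

# Constructed "de-identified" medical extract: names, SSNs and the other
# protected fields from the slide are gone, but the three quasi-identifiers
# Sweeney pointed at (ZIP, date of birth, sex) survive next to the diagnosis.
RECORDS = [
    {"zip": "10001", "dob": "1975-03-14", "sex": "F", "diagnosis": "asthma"},
    {"zip": "10001", "dob": "1975-09-02", "sex": "F", "diagnosis": "flu"},
    {"zip": "10002", "dob": "1982-11-02", "sex": "M", "diagnosis": "hypertension"},
    {"zip": "10003", "dob": "1982-01-19", "sex": "M", "diagnosis": "flu"},
    {"zip": "10003", "dob": "1960-07-21", "sex": "M", "diagnosis": "diabetes"},
    {"zip": "10005", "dob": "1960-05-30", "sex": "M", "diagnosis": "migraine"},
]

# Constructed public list (think voter roll) carrying names beside the same
# three fields; this is the half of the linkage attack the attacker brings.
VOTER_ROLL = [
    {"name": "Alice Example", "zip": "10001", "dob": "1975-03-14", "sex": "F"},
    {"name": "Bob Example",   "zip": "10002", "dob": "1982-11-02", "sex": "M"},
    {"name": "Carol Example", "zip": "10001", "dob": "1975-03-14", "sex": "M"},
]

QUASI_IDS = ("zip", "dob", "sex")


def qid_key(record, quasi_ids=QUASI_IDS):
    return tuple(record[q] for q in quasi_ids)


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """How many records share each combination of quasi-identifier values."""
    return Counter(qid_key(r, quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """k of the dataset: the size of its smallest equivalence class.
    k == 1 means at least one person is singled out by the quasi-identifiers alone."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def link_to_names(records, public_list, quasi_ids=QUASI_IDS):
    """Sweeney-style linkage: join the 'anonymous' records to the public list on
    the quasi-identifiers. Only a one-to-one match on both sides re-identifies
    someone; returns {name: diagnosis} for those."""
    rec_classes = equivalence_classes(records, quasi_ids)
    pub_classes = equivalence_classes(public_list, quasi_ids)
    name_for = {qid_key(p, quasi_ids): p["name"] for p in public_list}
    hits = {}
    for r in records:
        key = qid_key(r, quasi_ids)
        if rec_classes[key] == 1 and pub_classes.get(key) == 1:
            hits[name_for[key]] = r["diagnosis"]
    return hits


def generalize(record):
    """One coarsening step (assumed scheme): 3-digit ZIP prefix and birth year only.
    Apply the same step to any list you compare against, or the comparison is meaningless."""
    out = dict(record)
    out["zip"] = record["zip"][:3] + "**"
    out["dob"] = record["dob"][:4]
    return out


if __name__ == "__main__":
    print("k before:", k_anonymity(RECORDS))                      # 1
    print("linked before:", link_to_names(RECORDS, VOTER_ROLL))   # Alice and Bob exposed
    coarse = [generalize(r) for r in RECORDS]
    print("k after:", k_anonymity(coarse))                        # 2
    print("linked after:", link_to_names(coarse, [generalize(p) for p in VOTER_ROLL]))  # {}
```

Carol is in the voter roll with Alice's ZIP and birth date but a different sex, so she is not linked; that is the whole point of the three fields together. Coarsening ZIP and DOB raises k from 1 to 2 on this sample, and with k at 2 no record is a one-to-one match any more, so the linkage returns nothing. In practice the target k is a policy decision, and the check has to be rerun on every release, because a later extract can re-split the classes.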
  7. IT Security Reality
     "For many small businesses, the CIO is somebody's child down the road who's really good at Nintendo."
     - Howard Schmidt, US Cybersecurity Czar
  8. Threats: Vendors
  9. Anti-Virus Scareware
     Which one is from a real company? Which one is fake?
  10. Microsoft – Blocks Updates for Pirates
     Microsoft has 97% of the desktop market.
     1980s – today: in India, China and Eastern Europe, Microsoft *ACTIVELY* encouraged piracy of its products.
     Nov 11, 2004 – Microsoft blocks security & patch updates for pirated XP copies.
     http://www.techspot.com/news/16279-microsoft-to-block-updates-for-pirated-xp-copies.html
  11. Microsoft – We make your life difficult
     Inventory, Asset & Patch Management:
     • WSUS, System Center and MOM are a pain to install.
     • They often incur additional license and manpower costs.
     Alternatives:
     • wsusoffline.net – one small program that can update a single machine or a complete network.
     • belarc.com – amazingly good license key & configuration evaluator.
     • NEWT from komodolabs.com – insanely good asset auditor.
  12. Microsoft – We run Linux like we run Windows
     Oct 2010 – IP addresses belonging to Microsoft host 1000+ fraud websites and are used to DDoS KrebsOnSecurity.com.
     Microsoft was slow to respond. It is unknown how the Microsoft IPs were breached; Microsoft blames a faulty Linux kernel.
  13. Adobe – Insecurity is our middle name
     Adobe Flash is the root of browser insecurity.
     "Chrome or IE8 on Windows 7 with no Flash installed. There probably isn't enough difference between the browsers to get worked up about. The main thing is not to install Flash!"
     http://gizmodo.com/5483024/security-expert-flash-is-the-root-of-browser-insecurity-oh-and-ie8-isnt-so-bad
  14. Dell ships infected server motherboards
     July 2010 – Dell blames "human error" for shipping thousands of infected replacement server motherboards (PowerEdge R310, R410, R510 and T410).
     http://www.theregister.co.uk/2010/07/23/dell_malware_update/
  15. HP ships infected USB keys to Enterprise Customers
     April 2008 – HP ships virus-infected USB keys to enterprise customers using ProLiant servers.
     http://www.engadget.com/2008/04/07/hp-sends-server-customers-virus-infected-usb-keys/
  16. Walmart, Amazon sell infected picture frames
     Jan 2009 – Hundreds of thousands (millions?) of digital picture frames sold by Walmart, Sam's Club and Amazon ship from the factory with embedded malware.
     NOTE: Digital picture frame sales:
     2007 - 5 million
     2008 - 7.4 million
     2009 - 9.8 million
     http://articles.sfgate.com/2009-01-02/business/17196259_1_frames-digital-photo-wal/
  17. Threats: US
  18. Head In The Sand – American Express
     Dec 2008 – American Express' site has XSS flaws, twice in less than 6 months.
     http://www.theregister.co.uk/2008/12/20/american_express_website_bug_redux/
  19. Head In The Sand – Ameriprise
     Mar-Aug 2009 – Russ McRee reports XSS bugs to Ameriprise Financial. No response or fixes.
     "There should be something on your site that says 'If you see a security issue on our site, please report it.'"
     http://www.theregister.co.uk/2009/08/20/ameriprise_website_vulnerabilities/
  20. Head In The Sand – MLB
     Jan 2009 – MLB.com and other top-1000 sites serve ads from malware providers.
     "ScanSafe researcher Mary Landesman said the outbreak first landed on her radar screen on January 4. She searched in vain for a way to alert MLB administrators to the problem."
     http://www.theregister.co.uk/2009/01/08/major_league_baseball_threat/
  21. We buy Snakeoil Security
     BankA and BankB both suffer privacy-related losses. BankA buys SnakeOil Security.
     Attackers see that BankA has become *slightly* harder to attack. BankA sees a 35% reduction in losses. Attackers increase attacks on BankB.
     The SnakeOil sales brochure says "BankA uses our product, sees 35% reduction in losses." BankB buys SnakeOil Security. BankB sees a drop in losses.
     Attackers create new attacks against BankA. Hmm... time to upgrade the SnakeOil software! BankA sees fewer attacks.
     BankB gets told: BankA upgraded and saw fewer attacks. You HAVE TO UPGRADE to SnakeOil 2.0.
     Did security actually increase? Does SnakeOil actually work?
     - http://threatpost.com/en_us/blogs/effect-snake-oil-security-090710
  22. Threats: Social Media
  23. Facebook of the nation...
     Facebook allows developers access to users' full profiles.
     "Every time you choose to add an application, Facebook asks you to confirm that you want to let this program both know who you are and access your information. It's impossible for anyone to add any application without agreeing to this set of terms. Once you click okay, that application can technically access quite a bit of public and private profile information. While all of the most private information (like your passwords and e-mail addresses) is kept on Facebook servers and requires security authentication, a lot of info is available to applications you add. According to Facebook's Developers Terms of Use, this can include '. . . your name, your profile picture, your birthday, your hometown location, your current location, your political views, your activities, your interests, your relationship status, your dating interests, your relationship interests, your summer plans, your Facebook user network affiliations, your education history, your work history, copies of photos in your Facebook Site photo albums, and a list of user IDs mapped to your Facebook friends.'"
     - http://www.removeadware.com.au/articles/facebook-privacy-hackers/
  24. Facebook your country's security away...
     MI6 chief faces probe after wife exposes their life on Net
     "MI6 faced calls for an inquiry last night after an extraordinary lapse of judgment led to the new head of MI6's personal details being plastered over Facebook. Millions of people could have gained access to compromising photographs of Sir John Sawers and his family on the social networking website. ..."
     http://www.dailymail.co.uk/news/article-1197757/New-MI6-chief-faces-probe-wife-exposes-life-Facebook.html
  25. Online Profiles
     What about your kids? (You know, the future interns, tomorrow's new hires, your future boss...)
     - Gmail @ School
     - Facebook disclosures
     "For Some, Online Persona Undermines a Résumé"
     "At Facebook, a popular social networking site, the executive found the candidate's Web page with this description of his interests: 'smokin' blunts' (cigars hollowed out and stuffed with marijuana), shooting people and obsessive sex, all described in vivid slang. It did not matter that the student was clearly posturing. He was done. 'A lot of it makes me think, what kind of judgment does this person have?' said the company's president, Brad Karsh. 'Why are you allowing this to be viewed publicly, effectively, or semipublicly?' At New York University, recruiters from about 30 companies told career counselors that they were looking at the sites, said Trudy G. Steinfeld, executive director of the center for career development."
     - http://www.nytimes.com/2006/06/11/us/11recruit.html?ex=1307678400&en=ddfbe1e3b386090b&ei=5090
  26. Online Profiles (continued; overlay on the slide 25 excerpt)
     You can purchase a person's online profile report that consolidates information from various social networks, credit reports, etc. in a single document.
     Recruiters are vetting online profiles when interviewing or submitting candidates.
  27. Online Profiles (continued; overlay on the slide 25 excerpt)
     Does your Compliance Policy, or Employee Handbook, have a procedure for dealing with online postings regarding terminations?
     How soon after termination can they twitter or facebook or otherwise advertise their new, unemployed, status?
  28. Google – Stealing with Free Clicks
     Jan 2010 – Google sells ads via WhenU and dozens of other intermediaries. You could be paying for clicks on YOUR OWN SITE.
     Marketing thinks Google's ROI is high; in reality, this is fraud even the mob never dreamed of.
     And yes, if Google wanted to, or was forced to, they could curtail this immediately.
  29. Google + Facebook = Seeds of future destruction
     Gmail, Facebook, MySpace, etc. take advantage of the ignorance of kids, senior citizens and society at large to trade long-term privacy for online games, convenience and "fun".
     What looks cute today will become embarrassing 20 years down the road: topless pictures, angry rants, teenage pranks, etc.
     Except, on the web, NOTHING ever gets deleted.
  30. Recommended Reading
     • http://www.brainlink.com/news/138/24/Is-Your-Company-Googling-its-Security-and-Privacy-Away-Raj-Goel-investigates.html
     • http://www.brainlink.com/news/150/24/InfoSecurity-Issue-6----DATA-LEAK-Googling-AWAY-your-Security-and-Privacy.html
     • http://www.eff.org/cases/warshak-v-usa
     • http://blog.jayparkinsonmd.com/post/92060107/the-promise-of-google-health-and-data-liquidity-in
     • http://google.about.com/od/experimentalgoogletools/qt/GoogleFluTrends.htm
     • http://www.schneier.com/news-062.html
     • http://threatpost.com/en_us/blogs/effect-snake-oil-security-090710
  31. Facebook + Google + Picasa = Kryptonite
     http://www.geekculture.com/joyoftech/joyarchives/1452.html
  32. FourSquare, Facebook Places, etc.
     The UK Ministry of Defence (MoD) warns that Facebook Places (which is enabled by default!) provides a targeting pack for terrorists.
     "The main concern relating to the use of the application, is that it may inadvertently compromise the locality of a military user," the document says.
     http://www.theregister.co.uk/2010/10/01/mod_facebook_places/
  33. Burglary Ring uses Facebook to choose victims
     A burglary ring in Nashua, NH committed 50 break-ins and stole $100,000+. They targeted victims who posted their location on Facebook.
     http://gawker.com/5635046/real+life-burglary-ring-uses-facebook-to-choose-victims
     Adam Savage (Mythbusters) posted a photo of his new truck, parked in front of his house. Fans (and crooks!) discovered his address via the GPS geotags embedded in the photo's EXIF metadata.
     http://text.broadbandreports.com/forum/r24657556-MythBusters-stalked-down-with-geotag-photos
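The geotag in the Savage photo is nothing exotic: a camera phone writes its GPS fix into the Exif APP1 segment of the JPEG, as degree/minute/second rationals in a GPS sub-IFD, and anyone with the file can read it back. The block below is an added example, not code from the presentation or from any of the tools it mentions. It constructs a minimal JPEG with a GPS IFD (the coordinates are made up, not anyone's address), parses the coordinates back out the way a stalker or an ad network would, and rebuilds the file without the segment, which is what a publishing pipeline should do before a photo goes anywhere public.

```python
import struct

SOI, EOI, SOS, APP1 = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1
GPS_IFD_POINTER = 0x8825                      # IFD0 tag that points at the GPS IFD
GPS_TAGS = {1: "lat_ref", 2: "lat", 3: "lon_ref", 4: "lon"}
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL


def build_exif_gps(lat_dms, lat_ref, lon_dms, lon_ref):
    """Construct an Exif APP1 payload (little-endian TIFF) whose IFD0 holds only a
    GPS IFD pointer; the GPS IFD carries lat/lon as degree/minute/second rationals.
    Fixed layout: header 8 | IFD0 18 | GPS IFD 54 | lat 24 | lon 24 bytes."""
    ifd0_off, gps_off, lat_off, lon_off = 8, 26, 80, 104
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_off)
    tiff += struct.pack("<I", 0)                              # no IFD1
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI4s", 1, 2, 2, lat_ref.encode())  # values <= 4 bytes sit inline
    tiff += struct.pack("<HHII", 2, 5, 3, lat_off)            # longer values are by offset
    tiff += struct.pack("<HHI4s", 3, 2, 2, lon_ref.encode())
    tiff += struct.pack("<HHII", 4, 5, 3, lon_off)
    tiff += struct.pack("<I", 0)
    for num, den in lat_dms + lon_dms:
        tiff += struct.pack("<II", num, den)
    return b"Exif\0\0" + tiff


def make_jpeg(app1_payload):
    """Constructed minimal JPEG: SOI, one APP1 segment, a dummy SOS, EOI."""
    app1 = struct.pack(">HH", APP1, len(app1_payload) + 2) + app1_payload
    return (struct.pack(">H", SOI) + app1 + struct.pack(">HH", SOS, 2)
            + b"\x00\x01\x02" + struct.pack(">H", EOI))


def segments(jpeg):
    """Yield (marker, payload, start, end) for every marker segment before SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == SOS:                       # entropy-coded data follows; stop walking
            return
        yield marker, jpeg[pos + 4:pos + 2 + length], pos, pos + 2 + length
        pos += 2 + length


def _ifd_entries(tiff, ifd_off, bo):
    """Walk one IFD, yielding (tag, raw value bytes)."""
    (n,) = struct.unpack(bo + "H", tiff[ifd_off:ifd_off + 2])
    for i in range(n):
        e = ifd_off + 2 + 12 * i
        tag, typ, count = struct.unpack(bo + "HHI", tiff[e:e + 8])
        size = TYPE_SIZES.get(typ, 1) * count
        off = e + 8 if size <= 4 else struct.unpack(bo + "I", tiff[e + 8:e + 12])[0]
        yield tag, tiff[off:off + size]


def _dms_to_decimal(raw, bo, ref):
    d, m, s = (num / den for num, den in struct.iter_unpack(bo + "II", raw))
    value = d + m / 60 + s / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg):
    """(lat, lon) in decimal degrees from the Exif GPS IFD, or None if absent."""
    for marker, payload, _, _ in segments(jpeg):
        if marker != APP1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        bo = "<" if tiff[:2] == b"II" else ">"
        (ifd0_off,) = struct.unpack(bo + "I", tiff[4:8])
        gps_off = next((struct.unpack(bo + "I", raw)[0] for tag, raw in
                        _ifd_entries(tiff, ifd0_off, bo) if tag == GPS_IFD_POINTER), None)
        if gps_off is None:
            return None
        gps = {GPS_TAGS[t]: raw for t, raw in _ifd_entries(tiff, gps_off, bo) if t in GPS_TAGS}
        if all(k in gps for k in ("lat", "lat_ref", "lon", "lon_ref")):
            lat = _dms_to_decimal(gps["lat"], bo, gps["lat_ref"].rstrip(b"\0").decode())
            lon = _dms_to_decimal(gps["lon"], bo, gps["lon_ref"].rstrip(b"\0").decode())
            return lat, lon
    return None


def strip_exif(jpeg):
    """Copy of the file without any APP1 Exif segment; every other byte is kept."""
    out, cut = bytearray(), 0
    for marker, payload, start, end in segments(jpeg):
        if marker == APP1 and payload.startswith(b"Exif\0\0"):
            out += jpeg[cut:start]
            cut = end
    out += jpeg[cut:]
    return bytes(out)


# Constructed sample; the coordinates are invented, not a real address.
SAMPLE_JPEG = make_jpeg(build_exif_gps([(37, 1), (46, 1), (297, 10)], "N",
                                       [(122, 1), (25, 1), (95, 10)], "W"))

if __name__ == "__main__":
    print("geotag:", extract_gps(SAMPLE_JPEG))                    # (37.7749..., -122.4193...)
    print("after strip:", extract_gps(strip_exif(SAMPLE_JPEG)))   # None
```

Stripping the whole Exif segment also drops camera serial numbers and thumbnails, which leak in the same way; a real pipeline should additionally handle XMP (APP1 with an "http://ns.adobe.com/xap/1.0/" signature) and any vendor APP segments, since location can be duplicated there.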
  34. Facebook leaked users' real names to advertisers
     Oct 14, 2010 – "The personally identifiable information was relayed in referrer headers that were sent over three months to advertisers when users clicked on banner ads, according to an amended complaint filed this week in US District Court in San Jose, California. The header, which is included in URLs that lead to an advertising webpage, shows the Facebook address the user was browsing when he encountered the ad. The information is designed to help advertisers serve content that's geared to his age, location and interests."
     http://www.theregister.co.uk/2010/10/14/facebook_privacy_complaint/
     NOTE: Google's doing this as well. Claims it's standard practice.
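The mechanism in that complaint is the browser's ordinary Referer header: when a user on their own profile page clicks a banner, the ad server's access log records the full URL of the page they came from, and if that URL names the user, so does the log. The following is an added example, not code from the presentation or from Facebook; the log lines are constructed in combined log format, the list of non-user path segments is an assumption, and referrer_sent() models the Referer a browser emits under the 2010-era default policy and under the policy current browsers default to.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed ad-server access log (combined format). The quoted Referer field is
# what the browser sent when the user clicked a banner on a Facebook page.
LOG_LINES = [
    '203.0.113.7 - - [14/Oct/2010:10:01:12 +0000] "GET /click?ad=771 HTTP/1.1" 302 0 '
    '"http://www.facebook.com/profile.php?id=100001234567&v=wall" "Mozilla/5.0"',
    '203.0.113.8 - - [14/Oct/2010:10:02:40 +0000] "GET /click?ad=771 HTTP/1.1" 302 0 '
    '"http://www.facebook.com/jane.doe.example?ref=profile" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Oct/2010:10:03:05 +0000] "GET /click?ad=771 HTTP/1.1" 302 0 '
    '"http://www.facebook.com/home.php" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# First path segments that are site features rather than a vanity user URL (assumed list).
NON_USER_PATHS = {"", "home.php", "profile.php", "pages", "groups", "events", "ads"}


def identifier_in_referer(referer):
    """What an ad server can read off a Facebook Referer: the numeric id from
    profile.php?id=..., or the vanity username in the first path segment."""
    u = urlsplit(referer)
    if u.netloc != "www.facebook.com":
        return None
    first = u.path.strip("/").split("/")[0]
    if first == "profile.php":
        ids = parse_qs(u.query).get("id")
        return ("profile_id", ids[0]) if ids else None
    if first not in NON_USER_PATHS:
        return ("username", first)
    return None


def leaks_from_log(lines):
    """(client ip, kind, identifier) for every log line whose Referer names a user."""
    leaks = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (ident := identifier_in_referer(m["referer"])):
            leaks.append((m["ip"], *ident))
    return leaks


def referrer_sent(page_url, target_url, policy):
    """Referer value a browser sends for a click from page_url to target_url under
    a given Referrer-Policy. 'no-referrer-when-downgrade' is the 2010-era default
    that leaked the full profile URL; 'strict-origin-when-cross-origin' (the
    default in current browsers) reduces a cross-origin click to the origin."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    full = page._replace(fragment="").geturl()        # fragments are never sent
    origin = f"{page.scheme}://{page.netloc}/"
    same_origin = (page.scheme, page.netloc) == (target.scheme, target.netloc)
    downgrade = page.scheme == "https" and target.scheme == "http"
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "origin":
        return origin
    if policy == "strict-origin-when-cross-origin":
        return None if downgrade else (full if same_origin else origin)
    raise ValueError(f"unsupported policy: {policy}")


if __name__ == "__main__":
    for leak in leaks_from_log(LOG_LINES):
        print("leak:", leak)
    profile = "http://www.facebook.com/profile.php?id=100001234567&v=wall"
    ad = "http://ads.example.net/click?ad=771"
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(policy, "->", referrer_sent(profile, ad, policy))
```

Two of the three constructed clicks expose a user (one by numeric id, one by vanity name) because the leak is in the page URL design, not in anything the ad network requested. The fixes available to a site are the same today as they were then: keep user identifiers out of page URLs, route outbound ad clicks through a redirector so the Referer names the redirector, and send a Referrer-Policy header so the browser trims what it reports.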
35. Threats: Google
36. Google Search – Start of the spider’s web...
Google’s cookies do not expire until 2038. All of Google’s properties (Google, Gmail, Orkut, Google Desktop, etc.) have deep-linked cookies that expire in 2038. Each Google cookie has a unique GUID. Every time you search, the search queries are tied back to your cookie. Google does not delete anything.
Google’s response to John Battelle:
1) “Given a list of search terms, can Google produce a list of people who searched for that term, identified by IP address and/or Google cookie value?”
2) “Given an IP address or Google cookie value, can Google produce a list of the terms searched by the user of that IP address or cookie value?”
I put these to Google. To its credit, it rapidly replied that the answer in both cases is “yes.”
37. Google Cookies – the 2-year myth
Google’s cookies do not expire until 2038.
“Google will start issuing our users cookies that will be set to auto-expire after 2 years, while auto-renewing the cookies of active users during this time period. In other words, users who do not return to Google will have their cookies auto-expire after 2 years. Regular Google users will have their cookies auto-renew, so that their preferences are not lost. And, as always, all users will still be able to control their cookies at any time via their browsers.” - http://googleblog.blogspot.com/2007/07/cookies-expiring-sooner-to-improve.html
Translated into English: The cookies expire 2 years AFTER complete inactivity. If you use Google products/services, the 2 year period restarts NOW!
38. Orkut, Buzz, etc – the threads strengthen
By submitting, posting or displaying any Materials on or through the orkut.com service, you automatically grant to us a worldwide, non-exclusive, sublicenseable, transferable, royalty-free, perpetual, irrevocable right to copy, distribute, create derivative works of, publicly perform and display such Materials. - Orkut’s Terms Of Service
39. Orkut, Buzz, etc – the threads strengthen
Information contained in Orkut Profiles:
* Full name
* E-mail address
* Phone numbers
* IM information
* Age/DoB
* Postal Address
* Relationship status / children
* Sexual orientation
* Political view
* Religion
* Ethnicity
* Drinking habits/preferences
* Hobbies and interests
40. Orkut – Brazil & India
Google has designed a special Orkut admin tool for deleting or blocking illegal content, and given Brazilian police access to this tool. This means that if you’re on Orkut and you say something that in Brazil could be considered illegal (such as celebrity gossip, Consumerist-style corporate bashing, mistreating animals), the Brazilian police can censor the community where this “illegal” speech is seen. - boingboing.net
Never mind the bat signal - cops in India have been equipped with a sort of “red phone” e-mail address at Google. The search engine giant, according to various Indian sources, wants to help put a stop to hate speech and other objectionable content that’s been showing up on Orkut.
41. Gmail – threads merge
• One key risk is that because GMail gets your consent to be more than an e-mail delivery service -- offering searching, storage and shopping -- your mail there may not get the legal protection the ECPA gives you on E-mail.
• The storage of e-mail on 3rd party servers for more than 180 days almost certainly causes the loss of those privileges.
• This in turn creates a danger that we may redefine whether e-mail has the “reasonable expectation of privacy” needed for 4th amendment protection.
• Correlation of search and mail has real risks.
- Brad Templeton, Chairman of the Electronic Frontier Foundation, http://www.templetons.com/brad/gmail.html
42. Gmail – threads merge (2)
• Knowing someone is using Gmail because their email address is rajgoel@gmail.com is easy.
• What if your business partner, client or prospect uses raj@stanford.edu or raj@chinatech.com -- can YOU tell if it’s hosted at Gmail?
• The plans, proposals, research, recommendations, etc. you email out – are they being indexed at Google?
43. Gmail Patents – Weaving the threads
Patent #20040059712 - “Serving advertisements using information associated with e-mail” allows Google to create profiles based on the following data:
* Information about the sender, including information derived from previous interactions with the sender
* Information about the recipient, including information derived from sender’s address book or from previous interactions with the sender
* Information about a recipient based on a profile or information about the sender (the example from that patent is: “Sender is a wine enthusiast and has recently searched for and/or browsed pages related to wine, suggesting that recipient may also be interested in wine”)
* Information from other e-mails sent by sender
* Information from other e-mails received by recipient
* Information from other e-mails having the same or similar subject text
* Information about recipient from sender’s contact information
* Directory and file information based on the path name of attachments sent in previous e-mails (e.g. building an index of filenames on sender or recipient’s computer)
- http://www.epic.org/privacy/gmail/faq.html
44. ECPA - Electronic Communications Privacy Act (1986)
ECPA declared that e-mail was a private means of communication, and that we might hope for the same level of privacy in it as we have in phone calls and letters. Among other things, it means that police need a wiretap warrant to read your e-mails, and that your e-mail company’s employees can’t disclose your e-mails to others. [...] E-mail in transit is protected, but those in law enforcement advocate that once mail is processed and stored, it is no longer the same private letter, but simply a database service. GMail’s big selling point is that they don’t simply deliver your mail. They store it for you, and they index it so you can search it. - Brad Templeton, Chairman of the Electronic Frontier Foundation, http://www.templetons.com/brad/gmail.html
45. ECPA - Electronic Communications Privacy Act (1986)
Callouts over the Brad Templeton quote from the previous slide:
FBI Abuses Patriot Act http://www.nytimes.com/2007/03/10/washington/10fbi.html
Sprint received 8 MILLION law enforcement requests in 13 months http://www.eff.org/deeplinks/2009/12/surveillance-shocker-sprint-received-8-million-law
Your Identity for Sale http://money.cnn.com/2005/05/09/pf/security_info_profit/index.htm
Google “FBI buys data from private sector”
46. ECPA - Disclosure Rules
• Compelled Disclosure Rules in 18 U.S.C. § 2703
• Section 2703 mandates different standards the government must satisfy to compel different types of communications. To compel a provider of ECS to disclose contents of communications in its possession that are in temporary “electronic storage” for 180 days or less, the government must obtain a search warrant. To compel a provider of ECS to disclose contents in electronic storage for greater than 180 days or to compel a provider of RCS to disclose contents, the government has three options.
• First, the government can obtain a search warrant.
• Alternatively, investigators can use less process than a warrant, as long as they combine that process with prior notice.
• Specifically, the government can use either a subpoena or a “specific and articulable facts” court order pursuant to 18 U.S.C. § 2703(d), combined with prior notice to the “subscriber or customer” (which can be delayed in some circumstances). The court order found in § 2703(d), often referred to as a “2703(d)” order or simply a “d” order, is something like a mix between a subpoena and a search warrant. To obtain the order, the government must provide “specific and articulable facts showing that there are reasonable grounds to believe” that the information to be compelled is “relevant and material to an ongoing criminal investigation.” If the judge finds that the factual showing has been made, the judge signs the order. The order is then served like an ordinary subpoena; investigators bring or fax the order to the ISP, and the ISP complies by turning over the information to the investigators.
- http://papers.ssrn.com/sol3/papers.cfm?abstract_id=421860 Professor Orin Kerr, George Washington University - Law School
TRANSLATION: After 180 days, Government access to your Gmail, Hotmail, Yahoo Mail, etc. becomes significantly easier.
47. ECPA - Disclosure Rules (2)
Callouts over the Orin Kerr quote from the previous slide:
ECPA CSOs and CPOs should know about
Employees are forwarding emails to GMAIL because it is fast, easy to use and has copious capacity. The opposite of most corporate email systems.
How many of your employees are forwarding emails to gmail/yahoo/hotmail right now?
48. Google Desktop – feeding the spider
Google Desktop – allowed users to search their desktops using a Google-like interface. All Word files, spreadsheets, emails, images were instantly searchable. Index information was stored on the local computer.
Google Desktop 3 allows users to search across multiple computers. GD3 stores index and copies of files on Google’s servers for up to 30 days. This may violate Family Educational Rights and Privacy Act (FERPA), HIPAA, state privacy laws.
49. Google Desktop – feeding the spider
How Google Desktop 3 works:
• Computer A and computer B both download Google Desktop, which indexes all files on the hard drives and sends text copies of Office documents (Word, Excel) and other files to Google.
• Computer B signs into Google, searches for a file on Computer A and retrieves it. Google says it only keeps the data for 30 days and will delete the files if not accessed.
[...] “Unless you go to the trouble of configuring Google Desktop carefully, it will cough up your tax returns, medical and financial records, and any other text files you happen to have.” - USA Today, Feb 9, 2006 http://www.usatoday.com/tech/news/computersecurity/2006-02-09-google-privacy_x.htm
50. Google Alerts
Google Alerts are email updates of the latest relevant Google results (web, news, etc.) based on your choice of query or topic.
Is someone at Citibank researching “windpower in India”? “terrorism in Niger Delta”? Google knows:
- who’s researching it (GUID/email)
- how many people are doing it
- popularity of story or search
- trend activity
51. Google OpenSocial (hacked within 45 minutes)
Many Sites, One API. (many sites, single point of insecurity??)
Engage.com, Friendster, hi5, Hyves, imeem, LinkedIn, MySpace, Ning, Oracle, Orkut, Plaxo, SalesForce.com, SixApart, Tianji, Viadeo, XING
“First OpenSocial Application Hacked Within 45 Minutes” - http://www.techcrunch.com/2007/11/02/first-opensocial-application-hacked-within-45-minutes/
“[A hacker] added a number of emoticons to Plaxo VP Marketing John McCrea’s profile within 45 minutes of it launching.”
52. Google Chrome
Chrome is Google’s browser, based on the WebKit framework.
Dangers:
- Google knows every URL you searched (same as every other browser)
- Google knows every character you type! Even if you don’t hit enter
- Google tracks every “auto suggestion”
http://coderrr.wordpress.com/2008/09/03/google-chrome-privacy-worse-than-you-think/
53. Google Android
Android is Google’s mobile phone OS.
Default Search: Google
GPS locator enabled? Check handset
Every search, call, map lookup, tracked by Google.
Just like the iPhone application store, Google can remotely disable applications. Google can also remotely INSTALL applications. What does THAT do to your security standards? Asset Management?
54. Google Android
Android app security is worse than Windows.
- Free Android wallpaper app downloaded millions of times. Sends collected user data to China. - http://www.theregister.co.uk/2010/07/29/suspicious_android_app/
- 20% of tested Android apps allow developers access to sensitive or private data - http://news.cnet.com/8301-27080_3-20008518-245.html
55. Google Android
The researchers found that two-thirds of the 30 apps in the sample used sensitive data suspiciously, half share location data with advertising or analytics servers without requiring “implicit or explicit user consent,” and one-third expose the device ID, sometimes with the phone number and the SIM card serial number. In all, the researchers said they found 68 instances of potential misuse of users’ private information across 20 applications.
http://news.cnet.com/8301-27080_3-20018102-245.html
56. Tools & Strategies: Scoping Policies
57. Learn from FTC Health Breach Rule
Differentiates between “unauthorized access” and “acquisition”:
(1) the employee viewed the records to find health information about a particular public figure and sold the information to a national gossip magazine;
(2) the employee viewed the records to obtain information about his or her friends;
(3) the employee inadvertently accessed the database, realized that it was not the one he or she intended to view, and logged off without reading, using, or disclosing anything.
58. FTC Health Breach Rule
“If an entity’s employee loses a laptop containing unsecured health information in a public place, the information would be accessible to unauthorized persons, giving rise to a presumption that unauthorized acquisition has occurred. The entity can rebut this presumption by showing that the laptop was recovered, and that forensic analysis revealed that files were never opened, altered, transferred, or otherwise compromised.”
“Unauthorized acquisition will be presumed to include unauthorized access to unsecured PHR identifiable health information”
59. FTC Health Breach Rule
PHR related entities include non-HIPAA covered entities “that access information in a personal health record or send information to a personal health record.” This category could include online applications through which individuals, for example, connect their blood pressure cuffs, blood glucose monitors, or other devices so that the results could be tracked through their personal health records. It could also include an online medication or weight tracking program that pulls information from a personal health record.
60. FTC Health Breach Rule
PHR identifiable health information =
1) “past, present, or future payment for the provision of health care to an individual,” e.g. database containing names and credit card information, even if no other information was included
61. FTC Health Breach Rule
2) “the fact of having an account with a vendor of personal health records or related entity,” e.g. the theft of an unsecured customer list of a vendor of personal health records or related entity directed to AIDS patients or people with mental illness would require a breach notification, even if no specific health information is contained in that list.
Can you apply this principle to ALL data in your company’s possession?
62. Doing It Wrong
63. PCI-DSS Security vs. Marketing
• Banks are “rebating” penalties, absorbing penalties or spreading penalties to all merchants
• No real teeth – most large offenders are still in business.
• VISA’s “Verified By VISA” program violates PCI rules
• Rule enforcement is opaque and seemingly arbitrary.
64. FTC’s RED FLAG Rules
What are the “red flags”? Warning signs that ID theft may, or has, occurred.
“Financial Institutions” and “Creditors” must develop and implement written ID theft prevention programs that:
1. Identify relevant Red Flags for the covered accounts that the creditor offers or maintains and incorporate those Red Flags into its program;
2. Detect Red Flags that have been incorporated into its program;
3. Respond appropriately to any Red Flags that are detected;
4. Update the program periodically to reflect changes in risks from identity theft to customers and to the safety and soundness of the creditor from identity theft.
65. FTC’s RED FLAG Rules
- This is GLBA for Attorneys, Doctors, Hospitals, Small Businesses, etc.
• AMA, ABA and others have sued to exempt their members
• Currently excludes businesses with fewer than 20 employees
• Compliance extended 5 times – currently, not till Dec 2010
66. FTC & DSW
“Shoe retailer DSW Inc. agreed to beef up its computer security to settle U.S. charges that it didn’t adequately protect customers’ credit cards and checking accounts,... The FTC said the company engaged in an unfair business practice because it created unnecessary risks by storing customer information in an unencrypted manner without adequate protection.... As part of the settlement, DSW set up a comprehensive data-security program and will undergo audits every two years for the next 20 years.” - ComputerWorld.com 12/1/2005
According to DSW’s SEC filings, as of July 2005, the company’s exposure for losses related to the breach ranges from $6.5 million to $9.5 million. This is the FTC’s seventh case challenging faulty data security practices by retailers and others. - www.ftc.gov 12/1/2005
67. FTC & Choicepoint
“The $10 million fine imposed today by the Federal Trade Commission on data aggregator ChoicePoint Inc. for a data security breach is yet another indication of the increasingly tough stance the agency is taking on companies that fail to adequately protect sensitive data, legal experts said. And it’s not just companies that suffer data breaches that should be concerned. Those companies that are unable to demonstrate due diligence when it comes to information security practices could also wind up in the FTC’s crosshairs, they added.
• ChoicePoint will pay a fine of $10 million...
• In addition to the penalty, the largest ever levied by the FTC, ChoicePoint has been asked to set up a $5 million trust fund for individuals...
• ChoicePoint will also have to submit to comprehensive security audits every two years through 2026.” - ComputerWorld.com 01/26/2006
UPDATE: 12/6/06: FTC announced that victims of identity theft as a result of the data breach who had out-of-pocket expenses can now be reimbursed. The claims deadline was Feb. 4, 2007.
68. FTC – BJ’s Wholesale Club
“According to the FTC, BJ’s failed to encrypt customer data when transmitted or stored on BJ’s computers, kept that data in files accessible using default passwords, and ran insecure, insufficiently monitored wireless networks. ...affected financial institutions filed suit against BJ’s to recover damages. According to a May Securities and Exchange Commission filing, BJ’s recorded charges of $7 million in 2004 and an additional $3 million in 2005 to cover legal costs. Under terms of the settlement, BJ’s will implement a comprehensive information-security program subject to third-party audits every other year for the next two decades.” - InformationWeek 6/16/2005
69. Priceline, Travelocity, and Cingular fined for using adware
Priceline, Travelocity, and Cingular, three high-profile companies that advertised through nuisance adware programs, have agreed to pay fines and reform their practices, according to the New York Attorney General.
“Advertisers will now be held responsible when their ads end up on consumers’ computers without full notice and consent,” Andrew Cuomo said. “Advertisers can no longer insulate themselves from liability by turning a blind eye to how their advertisements are delivered, or by placing ads through intermediaries, such as media buyers. New Yorkers have suffered enough with unwanted adware programs and this agreement goes a long way toward clamping down on this odious practice.” - PressEsc.com January 29, 2007
70. Spyware - Bank Of America / Joe Lopez lawsuit
“A Miami businessman is suing Bank of America to recover $90,000 that he claims was stolen and diverted to a bank in Latvia after his computer was infected by a "Trojan horse" computer virus. Although consumers are routinely hit with "phishing" E-mails carrying bank logos intended to dupe them into revealing IDs and passwords, this is the first known case of a business customer of a U.S. bank claiming to have suffered a loss as a result of a hacking incident. In a complaint filed earlier this month, Joe Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract in not alerting him to the existence of a virus called "coreflood" prior to April 6, 2004, the date the alleged theft took place.” - http://www.informationweek.com/showArticle.jhtml?articleID=60300288
BOA settled with Joe Lopez, after negative publicity, in an undisclosed settlement.
71. ID Theft – Bank Of America & Margaret Harrison
Margaret Harrison, a young wife and mother living in San Diego, first noticed the problem four years ago when she applied for unemployment. [...] She investigated and found out a laborer named Pablo has been using her Social Security number. And while Margaret pays for credit monitoring, she says the Equifax credit reporting bureau never noticed the problem until she told the agency. Now Equifax has put a fraud alert on her account. And then there’s this: Last month, the Bank of America sent her a new debit card bearing her name and Pablo’s picture! Margaret says the Bank of America claims it can’t take any action against Pablo because he pays his bills on time — that her case is in what they call “a reactive state.” - MSNBC Feb 6, 2006 “Hey, that’s not me! A new wrinkle in ID theft”
72. Hackers transfer $378,000 from Poughkeepsie to Ukraine http://www.finextra.com/News/fullstory.aspx?newsitemid=21055
US vs WARSHAK
ATM hackers steal $9 Million in 1 day http://www.wired.com/threatlevel/2009/02/atm/
Banking Trojan steals $438,000 http://news.cnet.com/8301-27080_3-10363836-245.html
Bank Of America vs. Lopez http://www.americanbanker.com/usb_issues/115_4/-246231-1.html
Read “Trends in Financial Crimes” http://www.brainlink.com/news/159/24/InfoSecurity-Issue-7---Trends-In-Financial-Crimes.html
73. Spyware - Sony’s DRM Rootkit
Oct 31, 2005 - Mark Russinovich, a security researcher, discovers that Sony’s CDs install a rootkit
Nov 3 – Sony releases rootkit remover. Ed Felten dismisses the rootkit remover as junk
Sony’s rootkit used to defeat World of Warcraft’s security
Nov 15 – Sony’s rootkit uninstaller “creates huge security hole”
Nov 15 – Dan Kaminsky estimates Sony’s rootkit has infected 568,200 sites, including government and military networks.
Nov 16 – US-CERT, Dept of Homeland Security, advises: “Do not install software from sources that you do not expect to contain software, such as an audio CD.”
Nov 17 – Amazon offers refunds on infected Sony CDs. Nov 21, Army/Air Force exchange as well.
New York, Texas and Florida Attorneys General sue Sony. - boingboing.net
Nov 10 – 2 Trojans target Sony’s rootkit - http://news.zdnet.co.uk/internet/security/0,39020375,39236720,00.htm
Attorney fees & expenses exceed $4,000,000. Total costs to Sony unknown. - sonysuit.com
74. Spyware - Sony’s DRM Rootkit
Anastacia CD costs retailer 1,500 Euros
Sep 14, 2009 – German Judge orders retailer to pay Plaintiff 1,500 Euros.
• 200 Euros – 20 hours wasted dealing with virus alerts
• 100 Euros – 10 hours for restoring data
• 800 Euros – fees paid by Plaintiff to Computer Expert to repair his network
• 185 Euros – legal costs incurred by plaintiff
“The judge’s assessment was that the CD sold to the plaintiff was faulty, since he should be able to expect that the CD could play on his system without interfering with it. The court ordered the retailer of the CD to pay damages of 1,200 euros.”
http://torrentfreak.com/retailer-must-compensate-sony-anti-piracy-rootkit-victim-090914/
http://www.heise.de/newsticker/Verkaeufer-muss-Schadensersatz-fuer-Sony-Rootkit-CD-zahlen--/meldung/145233
75. Fake Receipts, Chinese Style
“More than 1 million bogus receipts worth 1.05 trillion yuan (147.3 billion U.S. dollars) were confiscated in the case. The national treasury would lose more than 75 billion yuan in tax revenue if the receipts were put into circulation, officials said.” - http://english.people.com.cn/90001/90776/6359250.html
Good News: Ringleader gets 16 years in jail.
Bad News:
• One of their customers claimed his company was NASDAQ listed and raised $50M from unsuspecting investors.
• How many of YOUR vendors are claiming financial health using fake receipts?
• How many of YOUR employees padded their expense accounts using fake receipts?
76. Fake "Chisco" Gear
Chinese vendors are selling counterfeit Cisco gear at aggressive prices
Per FBI presentation:
- eGlobe Solutions - $788,000 in counterfeit gear
- Todd Richard - $1,000,000 in counterfeit gear
Fake equipment found in:
- US Naval Academy, US Naval Air Warfare Center, US Naval Undersea Warfare Center
- Marine Corps, Air Force, US Air Base (Spangdahlem, Germany)
- Bonneville Power Administration
- General Services Administration (GSA), FAA, FBI, other agencies and universities
- Raytheon
- Lockheed Martin (who violated rules by NOT using a GSA IT vendor)
- MortgageIT - bought from an authorized Cisco reseller. 30 WICs faulty.
"Cisco's Brand Protection does NOT coordinate with Cisco's Government Sales"
77. ATM machines with default passwords
...News reports circulated about a cyber thief who strolled into a gas station in Virginia Beach, Virginia, and, with no special equipment, reprogrammed the mini ATM in the corner to think it had $5.00 bills in its dispensing tray, instead of $20.00 bills. ...
Dave Goldsmith, a computer security researcher at Matasano Security, began poking around. Based on CNN's video, he identified the ATM as a Tranax Mini Bank 1500 series. [he also found manuals for Triton and another vendor - approx 250,000 ATMs] ...
He then set out to see if he could get a copy of the manual for the apparently-vulnerable machine to find out how the hack worked. Fifteen minutes later, he reported success... [he found]
* Instructions on how to enter the diagnostic mode.
* Default passwords
* Default combinations for the safe
- Wired.com, September 20, 2006
78. TJX (TJ Maxx, Winners, HomeSense) Breach
Information stolen from the systems of massive retailer TJX was being used fraudulently in November 2006 in an $8 million gift card scheme, one month before TJX officials said they learned of the breach, according to Florida law enforcement officials. ... Florida officials said the group used the increasingly common tactic of using the bogus credit cards to purchase gift cards and then cashing them at Wal-Mart and Sam's Club stores. The group usually purchased $400 gift cards because when the gift cards were valued at $500 or more, they were required to go to customer service and show identification, Pape said.
- eWeek.com, March 21, 2007
Arkansas Carpenters Pension Fund, which owns 4,500 shares of TJX stock, said the company rebuffed its request to see documents detailing the safeguards on the company's computer systems and how the company responded to the theft of customer data. The suit was filed Monday afternoon in Delaware's Court of Chancery, under a law that allows shareholders to sue to get access to corporate documents for certain purposes. Court papers state the Arkansas pension fund wants the records to see whether TJX's board has been doing its job properly in overseeing the company's handling of customer data.
- Forbes.com, March 20, 2007
79. Barings, Societe Generale
1995 Barings Bank: $1.4B losses
2008 Societe Generale: $7.1B
"Nick Leeson, [...] said Thursday that a massive fraud by a Société Générale employee showed that banks still do not have risk-management controls in place. 'The first thing that shocked me was not necessarily that it had happened again. I think rogue trading is probably a daily occurrence among the financial markets,' Leeson told the British Broadcasting Corp. [...] 'What they're looking for is profit, profit now, and that tends to be where the money is directed,' said Leeson"
- International Herald Tribune, http://www.iht.com/articles/2008/01/24/business/leeson.php
"An internal investigation into billions of euros of losses at Societe Generale has found that controls at the French bank 'lacked depth'. The results of the investigation also show that rogue trades were first made back in 2005."
- http://news.bbc.co.uk/2/hi/business/7255685.stm
80. Hannaford Ruling
March 2008:
• Attackers installed custom malware (spyware) to capture data in motion across Hannaford's network
• Hundreds of servers and POS terminals compromised
• 4.2 million records breached - credit AND debit cards
• Customers filed class-action lawsuits
May 13, 2009 ruling:
"U.S. District Court Judge Brock Hornby threw out the civil claims against the grocer for its alleged failure to protect card holder data and to notify customers of the breach in a timely fashion. In dismissing the claims, Hornby ruled that without any actual and substantial loss of money or property, consumers could not seek damages. The only complaint he allowed to stand was from a woman who said she had not been reimbursed by her bank for fraudulent charges on her bank account following the Hannaford breach. In a 39-page opinion, Hornby wrote that consumers with no fraudulent charges posted to their accounts could not seek damages under Maine law; neither could those who might have had fraudulent charges on their accounts that were later reversed."
- http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9133075&taxonomyId=17&intsrc=kc_top
81. Phishing Scam nets 3300 eBay Employees
Sept 24, 2010 - Romanian authorities said they have detained a man suspected of absconding with more than $3m by snaring 3,305 eBay employees in a spear phishing campaign last year. Liviu Mihail Concioiu is under investigation for carrying out two phishing attacks that were directed solely at eBay employees, according to a press release from Romania's DIICOT agency. In the first, he netted user names and passwords for 1,784 employees and in the second he got another 1,521 employee credentials. The suspect then used 417 of the stolen accounts to log in to eBay's internal network, where [...] he accessed details about high-value eBay customers.
- http://www.theregister.co.uk/2010/09/24/ebay_spear_phishing_attack/
82. VOIP Attacks
Businesses have switched to VOIP to lower phone bills. Securing VOIP is not their forte.
Perth, Australia business loses $120,000 within 46 hours.
http://www.zdnet.com.au/thousands-lost-in-rising-voip-attacks-339306478.htm
83. Summary
84. Cost of Carelessness
The Cost of Carelessness, 12/5/2005 - http://www.cioinsight.com/article2/0,1540,1906158,00.asp
85. Cost of Breaches 2005-2008 (US$ per compromised record)
Year   Direct Cost   Indirect Cost   Lost Customer Cost   Total Costs
2005   50            14              74                   138
2006   50            14              118                  182
2007   50            14              133                  197
2008   50            14              138                  202
* 2009 TOTAL COSTS = $204
Other findings:
- Not the 1st time for the majority of companies - 84% repeat offenders
- 1st timers cost: $243/record; experienced victims: $192/record
- Churn rates: average 3.6% / healthcare 6.5% / financial services 5.5%
- Healthcare cost: $282/record / retail: $131/record
- 88% of breaches due to insider negligence, 44% due to external parties
Source: http://www.networkworld.com/news/2009/020209-data-breach.html
86. They broke the law, your loss!
2008: Malware and/or break-ins compromise 100 million+ records at Heartland Payment Systems.
Jan 2009: Inauguration day - Heartland discloses breach
May 2009: Heartland has spent $12.6 million (and counting) in dealing with the breach.
Feb 2009: Angie's List notices 200% increase in auto-billing transactions being declined. Auto-billing declines increased from 2% to 4%. May cost them $1 million in lost revenues so far.
"The trouble is that convincing customers who had once set up auto-billing to reestablish that relationship after such a disruption is tricky, as many people simply don't respond well to companies phoning or e-mailing them asking for credit card information"
- http://voices.washingtonpost.com/securityfix/2009/05/heartland_breach_dings_members.html?wprss=securityfix
87. We Make it Easy (to commit crimes)
Criminals have existed as long as society has. And they always will. However, we as IT/Security/Business/Government professionals make it easy for them to commit crimes:
- "It's not MY problem" syndrome
  - Bank of America ID theft, UK banking rules, no liability for software vendors
  - Burden for compromise is on the victims (ID theft, house theft, spyware)
- The selfish gene
  - Sony DRM rootkit, RIAA lawsuits, expired DRM
- Stupid IT tricks
  - Shipping with default passwords
  - Textbooks, documentation showing insecure or poor coding practices
- Poor privacy/security planning
  - ID theft is a growing problem today, because no one thought about limiting the scope of SSN usage in 1934
  - What do Facebook, MySpace, Gmail teach our kids about privacy?
- Are you looking at security and privacy in a holistic, global manner?
88. Summary
Neither you, nor your clients or staff, own social data. Google/Facebook do.
A flaw in ANY of Google's (or Facebook's or Twitter's) or 3rd party applications can expose consumer data.
This sets the stage for ID theft, insurance theft, employment denials and increased government and corporate surveillance like nothing else.
Most privacy policies have loopholes you could drive a battleship through.
Encrypt, Encrypt, Encrypt.
Plan on having a breach... and dealing with it.
89. Users treat their computers like cars. They assume there's a lemon law for software, or a seatbelt protecting them from themselves. Nothing could be further from the truth.
People like new technology, new tools. However, they don't always understand the risks involved.
90. State Of Security in a nutshell
91.
- Medication & counter-medication fees
- Taxes, tolls, insurance
- Late fees, mortgage fees, balance overdue fees
- Windows license fee
- Antivirus fee
- ID theft protection fee
Are we treating our customers and ourselves as more than Revenue Enhancement machines?
92. Success Stories
93. Getting it Right
Medical marijuana advocates estimate that the aggregate annual sales tax revenue that's paid by the approximately 400 dispensaries in California is $100 million. - http://www.npr.org/templates/story/story.php?storyId=89349791
Cost of War on Drugs in 2010 (so far): $23 Billion (and counting) - http://www.drugsense.org/wodclock.htm
What was your overall IT spending last year? How much on questionable security products?
94. Getting it Right
"Anesthesiologists pay less for malpractice insurance today, in constant dollars, than they did 20 years ago. That's mainly because some anesthesiologists chose a path many doctors in other specialties did not. Rather than pushing for laws that would protect them against patient lawsuits, these anesthesiologists focused on improving patient safety. Their theory: Less harm to patients would mean fewer lawsuits."
- Deaths dropped from 1 / 5,000 to 1 / 200,000 - 300,000
- Malpractice claims dropped 46% (from $332,280 in 1970 to $179,010 in the 1990s!). Premiums dropped 37% from $36,620 to $20,572.
- http://online.wsj.com/article/0,,SB111931728319164845,00.html?mod=home%5Fpage%5Fone%5Fus
95. Air Force demanded, and purchased, SECURE Desktops
2006 - After years of attacks, and dealing with a hodge-podge of desktop and server configurations, the US Air Force develops the Secure Desktop Configuration standard. All vendors are required to sell computers to the USAF (and later DOD and other government agencies) with standardized, locked-down configurations of:
• Windows
• MS Office
• Adobe Reader
• Norton AV
• Etc.
US Dept of Energy requires Oracle to deliver its databases in a secure configuration developed by the Center for Internet Security (www.cisecurity.org)
96. ISO 8583 - ATM Standards
1987 Version
1993 Version
2003 Version
Each organization maps their data to the standard when communicating with other firms.
Where's the industry standard for SECURE INTERNAL DESKTOP CONFIGURATION? SECURE CLIENT CONFIGURATION?
97. Conficker Working Group
Dec 2008 - Conficker released.
Feb 12, 2009 - Microsoft offers $250,000 reward for identifying authors
Mar 31, 2009 - Nmap, Nessus, other tools release Conficker detection tools
Current status: Conficker practically eradicated (just like smallpox)
However, Zeus and other bots are using what they learned from Conficker.
98. Microsoft - Security Champion!
Microsoft to assume control of Waledac domains
http://www.scmagazineus.com/microsoft-to-assume-control-over-waledac-domains/article/178492/
Microsoft sues Hotmail domain squatters (ho0tmail, hot5mail, etc.)
http://blog.seattlepi.com/microsoft/archives/198358.asp
Microsoft sues fake antivirus peddlers
http://www.darkreading.com/security/antivirus/showArticle.jhtml?articleID=220100423
Microsoft sues spammers who abused its spam filters
http://www.esecurityplanet.com/news/article.php/3888571/Microsoft-Sues-Spammers-Who-Abused-Its-Spam-Filters.htm
Microsoft Security Essentials - free AV software that works exceptionally well
http://www.microsoft.com/security_essentials/
99. Shameless Self-Promo
Brainlink provides COMMON SENSE BASED IT Security and Privacy:
- Breach law compliance audits
- Information Security Audits
- IT Consulting for Healthcare
If you like what you're hearing, hire us! www.brainlink.com
100. Contact Information
Raj Goel, CISSP
Chief Technology Officer
Brainlink International, Inc.
C: 917-685-7731
raj@brainlink.com
www.brainlink.com
www.linkedin.com/in/rajgoel