Hackers vs. Free Online Services: Which is a bigger threat to privacy?

9 04 2012

On the surface, it may seem hackers provide a larger threat to our privacy compared to free online services. However, nothing is free and service providers such as Google and Facebook are collecting hordes of personal information, yet we lack privacy laws that dictate how that information can be used, how it must be stored, and how it is shared. According to [economictimes], “The Whitehouse and Federal Trade Commission have unveiled privacy frameworks that rely heavily on voluntary commitments by Internet companies and advertisers.” We need better assurance than a voluntary commitment.

In the opposite corner, we have hackers. I hate to use the term hacker in a negative context but mainstream media has made the practice the status quo. For lack of a better term, I’ll user hacker to describe someone who writes malicious software or aims to gain unauthorized access to a computer, network, or electronic account. This definition is similar to Kaspersky [kaspersky-1]. Hackers pose a threat to privacy by stealing personal information directly from our PC’s, or by breaking into systems that we’re registered with.

Both are a concern to user privacy. Which provides a bigger threat? Let’s explore the implications of each.

Hackers

Anti-virus software helps keep our PC’s clean, offering the user some level of privacy protection, but what exactly are we protected from? According to [securelist], a website administered by Kaspersky labs, many anti-virus vendors split malware into the following categories: crimeware, spyware, ransomware, and bot-clients. This is not an all-inclusive list, but [securelist] describes them as “the most prevalent, persistent and threatening recent trends”.

Malware is distributed through a combination of vulnerabilities found in software including operating systems, social engineering, and trojans, innocent looking programs that contain a nefarious payload. While malware is still an issue on PCs, even though MS is claiming Windows 7 is 5 times more secure than XP [cnet], an even greater growing threat is on mobile devices. A report by Juniper Networks [juniper] saw a 155% increase in malware samples between 2010 and 2011 and Android devices are the primary target. The report states that, in 2011, 46.6% of samples were for Android, up from 0.5% the year before. The report does not include data for iOS malware due to Apple not releasing data. But Apple devices are not safe.

Forbes [forbes] has a report on Charlie Miller who exposed a vulnerability in Apple’s walled garden and was rewarded by being kicked out of the developer program for a year. Even though iPhones have seen less malware than Android devices, the devices are vulnerable as proven by Geohot [geohot]. Perhaps iOS devices will remain relatively safe while Android maintains the largest market share [gartner].

And if you thought you were safe on a Mac, Dr WEB [drweb] has identified a worldwide Mac botnet with over 500,000 nodes. The website states malware is installed on machines through a Java vulnerability, allowing an Applet to execute code outside of the sandbox and infect the machine. Apple’s knowledge base confirms the vulnerability [apple].

Linux machines are also vulnerable. While viruses are uncommon for Linux machines, likely due to the relatively small number of users, Linux machines are often targeted by attackers as they’re

commonly used to run web servers and other network services. If you’re running a Linux web server at home (or any web server for that matter), check your logs; you’ll likely see repeated attempts from a script to exploit your machine.

Even if your system is “secure”, weak passwords or poor programming on a website can leave you vulnerable. Despite being well-known problems, cross site scripting (XSS) and SQL injection [darkreading] continue to be problems. SQL injection can be used to gain unauthorized access to a system or data, and XSS can be used to access data for an individuals account.

Hackers have a myriad of ways to obtain personal data. Every device we use becomes another attack vector. The other side of the coin contains service providers that we freely give our data to.

Free Online Services

Websites often track users by placing cookies on the user’s computer. The main reason: advertising. Websites track user actions and serve targeted advertisements. According to research done at Stanford [standford], 7 companies identified by Carnegie Mellon’s Cylab as having opt-out policies left tracking cookies in place after the user opted out of tracking. Results of the Cylab report are in [carnegie].

Do not track is a opt in policy that many website vendors are adopting: users that opt in expect that a vendor won’t track their actions. It works similar to a do not call list. Like a do not call list, trust is placed in the service provider to honor the request. Unlike a do not call list, it can be tricky to determine if a service provider is honoring the request.

Users can deter websites from tracking their behavior by deleting cookies. By deleting cookies, the user severs the link between the user and the data collected by the service provider.

But service providers don’t want to lose that link and some go to extremes to keep users from deleting cookies. Besides ignoring the request as mentioned above, Flash cookies are another such mechanism that providers use [schneier]. The Flash browser plugin can store cookies similar to web pages, but when a user clears their cookies, Flash cookies are NOT normally cleared. A website can respawn a deleted cookie by recovering the cookie from Flash. Such a cookie is often called a zombie cookie.

A report by Infoworld [infoworld] in 2010 states how Disney, MySpace, and NBC Universal used Zombie cookies, though they weren’t Flash based. A Stanford researcher found Microsoft guilty as well [standford-2].

The do not track issue was discussed at a 2010 workshop which was attended by W3C, the Internet Society (ISOC), and MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) [ietf]. Notes from the workshop state that unique machines setups can also be used to tie a user back to collected data – after the user has deleted a tracking cookie. This technique is called fingerprinting.

Besides do not track, two other privacy options discussed at the workshop are using The Onion Router (TOR) and the “private browsing” available in many popular browsers such as Firefox [firefox], Internet Explorer [microsoft], and Safari [safari]. Neither technique is sufficient to stop a provider from tracking a user, nor were they intended to block such activities. When using security products, it’s important to understand what they’re intended to protect. What can these technologies do?

Private browsing clears out a users complete browsing session to keep the next user from discovering what the previous user accessed. Vendors can still use fingerprinting to identify a user.

According to [tor], Tor “… it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit form learning your physical location.” This description is missing key element: it stops site you visit from learning your physical location by masking your IP address. Like private browsing, a vendor can still use fingerprinting to identify a user.

Websites want to track user habits in order to sell targeted advertising. By itself, this seems harmless enough. The issue is, we don’t have privacy laws that address how the data can be used, how it’s stored, or how it’s shared. Every time a user grants access to their Facebook profile, the user is sharing personal information. The notes on the IETF workshop [ietf] states, “While improvements have been made in obtaining user consent to sharing data between sites, challenges remain with regard to data minimization, ease of use, hidden sharing of data, and centralization of identity information.”

Having excessive personal data in one location has other consequences. According to a US News report [usnews], some employers are asking for Facebook passwords, or to friend someone in HR. Although I compare this type of request to putting a web cam in your living room, at least we’re being asked face-to-face for the information. What if companies could go to Facebook and obtain the info without our knowledge?

Which is worse?

Which is worse? In my opinion, it depends on who you ask. Businesses should fear the hacker while the individual user has more to lose through online services. We have a number of tools and choices to help keep our data safe from hackers. When it comes to online services, the only way to protect our privacy is to not use the Internet, and that’s just not feasible.

____________________

[economictimes]: http://articles.economictimes.indiatimes.com/2012-03-30/news/31260952_1_federal- agency-proposals-internet-users-internet-companies
[darkreading]: http://www.darkreading.com/database- security/167901020/security/news/232800323/sql-injection-still-slams-smbs.html
Advertisements

Actions

Information

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




%d bloggers like this: