Cloud Storage and Privacy: How much are you willing to pay to protect your data?

28 03 2013

Introduction

We have all been warned that our Internet purchasing habits and how much we share about our day-to-day lives could be placing ourselves at risk of being victimized.  However, in a recent study published by the European Network and Information Security Agency (ENISA), users, even those who have elevated concerns over privacy, do not heed some of these warnings.  In this study, a majority of consumers were willing to submit personal contact information for a mere 67¢ discount on a  $10.05 online-purchase (XRates) (N., Preibusch and Harasser).   So the question is no longer whether or not a user is willing to share information in exchange for discounts, it is how much information is he likely to share in exchange for discounted services?   This blog explores this question as applied to the adoption of cloud-based storage services.

How much privacy are we willing to sacrifice?

As evidenced by the ENISA study, it turns out that most people have a price, and if this study is any indication, the price is not very high.  In many cases, in the presence “free services”, many of us are willing to supply employment history, email addresses of our closest family and friends, phone numbers, birthdays, and political views – to name a few.   So, it turns out that nothing really is for free.  The price paid for free services is personal information that can be used to support targeted advertising revenue – based on your observed behaviors, spending patterns, your political, social, and financial associations, and more importantly, who you know.  By allowing service providers to observe you, they are able to develop a personal profile that can be sold to their ‘affiliates’ (Google).  To gain insight into what is being sold to affiliates, this author conducted a simple experiment using the third-party plug-in, PrivacyFix,  a tool that estimates the advertising value of Google account profiles.   For the experiment, the Google account was configured with a public profile (Google+) to include links to employment history, more than 100 friends, colleagues, and family, and an association with Carnegie Mellon University.  Even configured to blocks placed on most tracking mechanisms, this Google Plus account allows Google to track 55% of pages visited, and is valued at $25.30 per year in advertising (Anonymous).   This $25.30 subsidizes the free services Google provides, effectively offsetting the pricing of paid services.

Cloud based storage services are based on this same model – Google, DropBox, and Box.net (to name a few) offer free cloud-based storage services with options to increase your capacity.  Basic service starts at 5 GBytes, with increasing levels of storage capacity awarded through new customer referrals (e.g. family, friends, and colleagues) (DropBox).  For capacity needs beyond the default 5GByte level, subscription prices start for as little as $.17 per GByte per year (DollyDrive), and include “free” add-on services to support backup and recovery, revision control, but most importantly:  data sharing and collaboration.  Data sharing and collaboration promotes expansion of the customer base, but also promotes vendor lock by virtue of a shared infrastructure.

Strengths & Weaknesses of Commercial Cloud Storage Options

In spite of these somewhat troubling privacy concerns, new Cloud Storage service providers seem to be popping up each year, and while the cost of paid services still offered at a higher price point than local storage, there are some compelling reasons for migrating to the cloud in some cases.

Table 1 identifies some of the key strengths of weaknesses of todays cloud storage solutions as compared to local storage alone.  For most consumers, the key strengths that differentiate cloud storage from local storage (without software & hardware capital investment) is the infrastructure that supports collaboration and the ability to backup and restore data to an offsite location.

Strengths Weaknesses
Increased productivity – data can be seamlessly accessed across devices and operating systems (DropBox). Data Transfer Latency.  As compared to local data transfers, digital transfer technology can be 6800 times slower.[1]
Ease of setup and use.  Many cloud storage service providers include operating system plug-ins to provide accessible cloud storage as a locally mapped storage device. Confidential Information such as your name, likeness, age, email addresses and names of colleagues and friends, and unencrypted data may be shared with unknown third parties (Google).
Flexible Pricing.  Services range from free, to referral based, to pay as you go, to subscription based services (DropBox). Limited liability policies.  Many service providers require that the customer indemnify the service provider against claims for damage (Google).
Data Revision Recovery.  Many services provide the ability to track changes and recover previously saved versions of files (Dolly Drive). Dependency on external provider.  Service Provider may reserve the right to change the terms of agreements at any time (including the right to suspend or discontinue services) (Google).
Data Sharing & Collaboration.  Shared data can be configured to automatically replicate across subscribed devices and users, facilitating improved productivity for shared data (DropBox). Variable Security.  While security and redundancy can be built into any given platform, each provider balances differing sets of quality attributes, which may expose users at unintended vulnerabilities (Borgmann, T. and Herfert).
Elasticity.  Cloud storage capacity is resizable without the need for capital investment. Service switching Interoperability.   Switching service providers is possible; however, some providers deliver unique services, which are not easily transportable to a new service provider (e.g. Dolly Drive Backup versus Microsoft Azure).
Off-site storage.  In the event of catastrophic loss of local storage and processing hardware, Cloud based storage provides a low-hurdle alternative to backup and safe storage. Pricing for paid services.  In 2013, local hard-disk storage cost less expensive than cloud-based storage[2].

Table 1, Cloud Storage Strengths and Weakness

The big weaknesses are the limited liability and the potential exposure and spillage of confidential information.  Data Transfer latency, while not a show-stopper, is a significant hurdle to more wide-spread adoption, especially in light of the fact that the average data transfer rates in the United States are nearly 6800-times slower than local disk access (Streams) (Seagate).  Some mitigation strategies exist, such as pre-seeding data stores to mitigate latency, however, this remains to be a significant hurdle for some users.  If we assume that the ENISA study represents a predictive model for cloud storage adoption, then liability and confidentiality are not viewed as weaknesses, so the only weakness that really stands in the path of widespread adoption is price. Today, pricing of cloud-base storage for consumer level plans is about 4 times that of  than local storage (assuming that the average user capitalizes the cost of hard disk space every two years), generally starting at $.17 per GByte per year[1].

Moore’s Law and Storage

Now, if we take into account the pricing history of hard drives and capacity over the last thirty years (Figure 1 and Figure 2), we note that there is a close correlation to Moore’s Law.[2]  Note that in the years between 1992 and 2012 two years, the cost per Megabyte and drops by half every two years.  While it is too early to definitively predict, early evidence does suggest that Moore’s law may prove to predict the future of pricing for Cloud-based storage.  Just since 2011, the starting capacity for free services have doubled, and the pricing on paid services has dropped by half[3].

1
2

Deciding How Much to Adopt

While most users are likely continue using only the “free services” until such time that the price point for paid services drops below the cost of purchasing new hardware, the other strengths referenced in Table 1 may drive early adopters to migrate toward cloud-based storage solutions sooner.  For these early adopters, a cost-decision model may help to identify and quantify relevant economic facets.  Such a decision model would quantify up-front costs, annual investments costs, and operational costs to arrive at a total cost of ownership (Bibi, Katsaros and Bozanis):

TCO/Yr = Cu + Cad + Co

Where Cu are the total upfront costs (enrollment fees and setup, acquisition of hardware and software), Cad are annual investment (annual subscription fees and maintenance fees), and Co represents operational costs, such as annual Internet connection costs, utilities, and in some cases the cost of off-site storage and travel.

__________

Anonymous. PrivacyFix Plug-in Results on Google Plus Author. February 2013.

Bibi, S., D. Katsaros and P. Bozanis. “Business Application Acquisition.” IEEE Software (2012): 86-93.

Borgmann, M., et al. “The Security of Cloud Storage Services.” Technical. Fraunhofer Institute for Secure Information Technology, 2012.

Dolly Drive. “Cloud backup for Mac.” Dolly Drive. February 2013 <http://www.dollydrive.com&gt;.

DollyDrive. Pricing & Plans. February 2013. February 2013 <https://get.dollydrive.com/purchase&gt;.

DropBox. “Dropbox – Tour.” Dropbox. February 2013 <https://www.dropbox.com/tour/2&gt;.

—. “Plans – Simplify your life.” DropBox. February 2013 <https://www.dropbox.com/pricing&gt;.

Google. “Google Apps Terms of Service.” Google Apps. Google. Feburary 2013 <http://www.google.com/apps/intl/en/terms/standard_terms.html&gt;.

McCallum, J. Disk Drive Prices. February 2012. February 2013 <http://www.jcmit.com/diskprice.htm&gt;.

N., Jentzsch., S. Preibusch and A. Harasser. Study on monetising privacy, An economic modelf for pricing personal information. Technical. European Netowrk and Information Security Agency. Berlin: ENISA, 2012.

Seagate. “Hard Drive Data Sheet.” December 2012. Seagate.com. February 2013 <http://www.seagate.com/files/staticfiles/docs/pdf/datasheet/disc/barracuda-desktop-hdd-ds-1770-1-1212us.pdf&gt;.

Streams, K. Global Internet Speeds creep back to 2012. August 2012. February 2013 <http://www.theverge.com/2012/8/9/3230626/akamai-global-internet-speed&gt;.

XRates. Historical Lookup Euro Rates Table. 27 February 2012. 18 February 2013 <http://www.x-rates.com/historical/?from=EUR&amount=1.00&date=2012-02-27&gt;.

 


[1] According to the Internet archive waybackmachine.org:  DropBox Pricing 2011-2013.

[2] A profoundly accurate prediction by Intel co-founder Gordon Moore once stated that the number of transistors on a processor would double every two years.

[3] According to the Internet archive waybackmachine.org:  DropBox Pricing 2011-2013.


[1] Assuming a typical uplink data transfer rate of 7 Mb/s (Streams) as compared to SATA hard disk transfer rates is excess of 6 GB/s (Seagate).

[2] Based on 2012 prices of SATA II hard disk price:  $.07/GB as compared to Cloud-based Storage solution priced at  $.17/GB/Yr.

 

Advertisements




Inferences on Non-Sensitive Data

28 11 2012

Before there was technology, just by your name itself, at least, 2 things can be infer about you – your gender and your race. For example, the name, Muhammad Hafiz, tells that the person is male and he is either Asian or Arab. But for me to make such inference, I would have to have cultural knowledge about the origin of the name and where it is most commonly used and etc.

With face-recognition technology, an anonymous person on the street can be identified by their name. In an experiment, picture of a subject was taken onsite and then it was uploaded to a cloud-computing cluster. The picture was then compared with searchable Facebook profile pictures to find a match and afterwards subject is asked to confirm their picture in the result set. A ratio of 1:3 out of 93 subjects has acknowledged their picture [1].

Sensitive data is defined as “any data that must be kept secure” [2]. Thus, name and face are considered as non-sensitive data. This is because you cannot possibly keep your name secure; people need to call by your name to make a conversation and a letter or parcel needs a name for someone to claim that it belongs to them. As for your face, unless you wear a mask all the time or your are wearing a “burqa”, a clothing that covers your face and shows only your eyes, there is no way you can keep it secure too.

When we talk about privacy and security, the concern is mostly on sensitive data. Examples of sensitive data are birth date, SSN and geo-location. Birth date and SSN are kept protected so that attacker cannot steal your identity, while you would want to keep your location protected because you do not want people to find out where you are and infer what your are doing at the location. However, there are increasing examples of how non-sensitive data can betray your privacy and thus leads to the disclosure of your sensitive data.

Example #1: Accelerometer in your mobile device

Accelerometer is what makes the screen on your mobile device to change to landscape or portrait when you tilt it horizontally or vertically. To be more accurate, accelerometer is “a device that can measure the force of acceleration, weather caused by gravity or by movement” [3]. In a paper, accelerometer is known to be able to infer the location of a mobile device. This is done by analyzing the motion signature of the device. The motion signature can tell us whether the person is on public transportation like bus or subway or if the person is near us [4].

Example #2: Loyalty card

In my Economic Analysis class, Professor Lim has mentioned about the benefit of loyalty card to the merchant endorsing it. To the customers, the benefit of using the card is to get discount on items, buying bundled items and collecting reward points. But merchants are actually collecting the information to study about our buying pattern or to measure the price elasticity of the item.

In conclusion, when making privacy policy, there is a need to protect non-sensitive data too because the proliferation of these data knowingly leads the disclosure of sensitive data that we have work hard to secure in the first place.

__________

  1. Acquisti, Alessandro. Privacy in the Age of Augmented Reality. 2012. Web. <http://www.youtube.com/watch?v=Kcz0hUtYVXc>
  2. Glossary. Web. <https://www.securecoding.cert.org/confluence/display/java/BB.%20Glossary>
  3. What does the iPhone accelerometer do? Web. <http://electronics.howstuffworks.com/iphone-accelerometer.htm>
  4. Jun Han, Emmanuel Owusu, Le T. Nguyen, Adrian Perrig, Joy Zhang. ACComplice: Location Inference using Accelerometers on Smartphones. 2012. Web. <http://www.truststc.org/pubs/843/han_ACComplice_comsnets12-1.pdf>




New Online Data Privacy Rules?

12 04 2012

On March 26, 2012, the Federal Trade Commission (FTC) issued its final report on online data privacy entitled “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations For Businesses and Policymakers”.[1] While the FTC did not require businesses to immediately make any changes, it encouraged companies engaging in online commerce to adopt “best practices” in protecting consumer data otherwise Congress would legislate that protection.[2] The “agency suggests Congress pass something resembling the Fair Credit Reporting Act, or an update of that act. Under the FTC’s suggested legislation, people would have access to the information collected and stored about them, and, perhaps, be able to delete or edit it.”[3]

The major recommendations from the report include:

  • Design and construction of added privacy and accuracy components at every stage of the software development life cycle
  • Simplified and easy to understand mechanisms for consumers to choose what data is collected and with whom that data is shared
  • Disclosure and viewing of the consumer data already collected by online firms[4]

The report includes five main action items for the FTC to focus on:

  • Enabling consumers to eliminate the amount of data collected about them through a “Do-Not-Track” mechanism
  • Expansion of the rules to include mobile devices such as smartphones
  • Establishment of a “data broker” centralized website to define the data broker organizations and how those organizations collect and process consumer data
  • Recognition of the privacy risks associated with “large platform providers” such as browser and operating system vendors, phone companies, and social media firms such as Facebook
  • Creation of “codes of conduct” unique to each industry[5]

Analysis

With respect to the construction of privacy components, the recommendations comprehend a known fact in software development: retrofitting production software to meet a requirement is considerably more difficult and expensive than including that requirement in the design and development effort. While the privacy requirements have not been fully defined, “The final FTC Privacy Report is a must-read for virtually every company that collects or uses identifiable consumer data – online or otherwise.”[6] Individuals involved in information technology in the companies that process consumer information will need to make assumptions and modify their software accordingly regarding how user information is collected, stored, and disseminated based on the information in the FTC report.

The “simplified and easy to understand” mechanisms recommended by the FTC aren’t necessarily met by existing software. On Microsoft Explorer version 8, the user must go to the Tools menu, select Internet Options, then Privacy. On the Privacy menu there are options for “InPrivate Filtering” and Cookie Handling” as shown in Figure 1 below.

Figure 1 – Privacy Options

According to Microsoft Online Help, “InPrivate Filtering works by analyzing web content on the webpages you visit, and if it sees the same content being used on a number of websites, it will give you the option to allow or block that content. You can also choose to have InPrivate Filtering automatically block any content provider or third-party website it detects, or you can choose to turn off InPrivate Filtering.”[7] As can be seen from Figure 1, the InPrivate default settings used within GM are to:

  • Allow collection of InPrivate data
  • “Disable toolbars and extensions when InPrivate browsing starts
  • Override automatic cookie handling
  • Accept First-party Cookies
  • Allow session cookies
  • Block Third-party Cookies”[8]

The Tools option from Internet Explorer also includes “InPrivate Filtering Settings”. Those settings on my PC listed over 100 websites where the web company was “Allowed” to collect data from my workstation. There are options to “Block” this data collection, but none of the websites were blocked.[9]

To determine whether a central repository of data on me existed, I did a Google search on my name and found over 22 million sites referenced. While my name is relatively unique, the references included others with the same first and last names. To narrow the search, I selected my name at General Motors, with the results showing over 71 thousand references, including:

  • Facebook
  • Twitter
  • LinkedIn
  • White Pages
  • Blogs from CMU classes
  • A professional publication while I was a consultant
  • Sites that had collected my name from public records[10]

Note while I have accounts with Facebook, Twitter, and LinkedIn, there is no personal information on those sites and my phone number is unlisted, so individuals who do provide personal information should have considerable more data online.

Other Views

Larry Magid, who writes about the internet for Forbes and other publications, agrees: “One area where the commission did call for “targeted legislation” is to address consumers’ lack of control over how data brokers collect and use our information. The amount of information floating around about each of us is staggering. Anyone with a phone, a bank account or a “loyalty” card, such as the one I use to get fairer prices when I shop at Safeway, is giving up information every time they shop, make a call or get on an airplane … So, thank you FTC for outlining a broad approach to transparency when it comes to accessing our own data. Now it’s time for Congress to enact legislation that truly benefits consumers, not just those who profit from our information.”[11]

Google, not surprisingly, had a dissenting opinion: “What is sometimes referred to as tracking is often data collection that helps ensure the security and integrity of data, determines relevancy of served content and also helps create innovation opportunities. It is important not to let a single negatively-loaded term obscure the fact that data collection is the source for the creation of value as well as the legitimate concerns of different parties.”[12]

The FTC membership was also not unanimous in publishing the report. Commissioner J. Thomas Rosch wrote “the current state of “Do Not Track” still leaves unanswered many important questions” (which leaves IT organizations guessing regarding the complete requirements of how to implement “Do Not Track”), “opt-in” will necessarily be selected as the de facto method of consumer choice” and “although characterized as only “best practices,” the Report’s recommendations may be construed as federal requirements”.[13]

Conclusion

While the FTC report was not met with universal agreement and still leaves portions of the implementation open to interpretation, the report in my view is a welcome improvement to online activity. There is:

  • Far too much software that has been developed that doesn’t sufficiently include privacy requirements,
  • The current methods to protect privacy are vague, confusing, and difficult to implement, and
  • The amount of data being collected for even security conscious individuals is excessive.

My personal view is legitimate companies should immediately work to implement the FTC’s recommendations, and Congress should enact similar legislation to govern those companies who choose to circumvent the rules.


[1] FTC Issues Final Commission Report on Protecting Consumer Privacy: Agency Calls on Companies to Adopt Best Privacy Practices, March 26, 2012. http://www.ftc.gov/opa/2012/03/privacyframework.shtm

[2] Ibid

[3] FTC Issues Final Report On Online Privacy Recommendations, Marketing Land, 3/26/12, Pamela Parker http://marketingland.com/ftc-issues-final-report-on-online-privacy-recommendations-8620

[4] FTC Issues Final Commission Report on Protecting Consumer Privacy: Agency Calls on Companies to Adopt Best Privacy Practices, March 26, 2012. http://www.ftc.gov/opa/2012/03/privacyframework.shtm

[5] Ibid

[6] FTC Releases Final Privacy Report and Framework for Protecting Consumer Privacy, Privacy and TechComm Client Alert, Patton Boggs LLP, http://www.pattonboggs.com/files/News/f362e7db-4c27-4a5a-a444-05d620bad7f2/Presentation/NewsAttachment/b9242d77-c0ec-489a-ae9b-0872415f79a7/TechComm_Client_Alert_FTC_Privacy_Report_03_28_12_2012.pdf

[7] Windows Help and Support, InPrivate: frequently asked questions, installed on my computer

[8] Windows Internet Explorer, Internet Tools options, status on my GM computer, April 7, 2012

[9] Windows Internet Explorer, InPrivate Filtering options, status on my GM computer, April 7, 2012

[10] Google search on my name at General Motors, April 7, 2012

[11] Ibid

[12] Transparency and Choice: Protecting Consumer Privacy in an Online World, Alma Whittena, Sean Harveyb, Ian Fettec, Betsy Masielloc, Jochen Eisingerd, Jane Horvathe, http://static.googleusercontent.com/external_content/untrusted_dlcp/research.google.com/en/us/pubs/archive/37350.pdf

[13] FTC Issues Final Commission Report on Protecting Consumer Privacy: Agency Calls on Companies to Adopt Best Privacy Practices, March 26, 2012. http://www.ftc.gov/opa/2012/03/privacyframework.shtm





Hackers vs. Free Online Services: Which is a bigger threat to privacy?

9 04 2012

On the surface, it may seem hackers provide a larger threat to our privacy compared to free online services. However, nothing is free and service providers such as Google and Facebook are collecting hordes of personal information, yet we lack privacy laws that dictate how that information can be used, how it must be stored, and how it is shared. According to [economictimes], “The Whitehouse and Federal Trade Commission have unveiled privacy frameworks that rely heavily on voluntary commitments by Internet companies and advertisers.” We need better assurance than a voluntary commitment.

In the opposite corner, we have hackers. I hate to use the term hacker in a negative context but mainstream media has made the practice the status quo. For lack of a better term, I’ll user hacker to describe someone who writes malicious software or aims to gain unauthorized access to a computer, network, or electronic account. This definition is similar to Kaspersky [kaspersky-1]. Hackers pose a threat to privacy by stealing personal information directly from our PC’s, or by breaking into systems that we’re registered with.

Both are a concern to user privacy. Which provides a bigger threat? Let’s explore the implications of each.

Hackers

Anti-virus software helps keep our PC’s clean, offering the user some level of privacy protection, but what exactly are we protected from? According to [securelist], a website administered by Kaspersky labs, many anti-virus vendors split malware into the following categories: crimeware, spyware, ransomware, and bot-clients. This is not an all-inclusive list, but [securelist] describes them as “the most prevalent, persistent and threatening recent trends”.

Malware is distributed through a combination of vulnerabilities found in software including operating systems, social engineering, and trojans, innocent looking programs that contain a nefarious payload. While malware is still an issue on PCs, even though MS is claiming Windows 7 is 5 times more secure than XP [cnet], an even greater growing threat is on mobile devices. A report by Juniper Networks [juniper] saw a 155% increase in malware samples between 2010 and 2011 and Android devices are the primary target. The report states that, in 2011, 46.6% of samples were for Android, up from 0.5% the year before. The report does not include data for iOS malware due to Apple not releasing data. But Apple devices are not safe.

Forbes [forbes] has a report on Charlie Miller who exposed a vulnerability in Apple’s walled garden and was rewarded by being kicked out of the developer program for a year. Even though iPhones have seen less malware than Android devices, the devices are vulnerable as proven by Geohot [geohot]. Perhaps iOS devices will remain relatively safe while Android maintains the largest market share [gartner].

And if you thought you were safe on a Mac, Dr WEB [drweb] has identified a worldwide Mac botnet with over 500,000 nodes. The website states malware is installed on machines through a Java vulnerability, allowing an Applet to execute code outside of the sandbox and infect the machine. Apple’s knowledge base confirms the vulnerability [apple].

Linux machines are also vulnerable. While viruses are uncommon for Linux machines, likely due to the relatively small number of users, Linux machines are often targeted by attackers as they’re

commonly used to run web servers and other network services. If you’re running a Linux web server at home (or any web server for that matter), check your logs; you’ll likely see repeated attempts from a script to exploit your machine.

Even if your system is “secure”, weak passwords or poor programming on a website can leave you vulnerable. Despite being well-known problems, cross site scripting (XSS) and SQL injection [darkreading] continue to be problems. SQL injection can be used to gain unauthorized access to a system or data, and XSS can be used to access data for an individuals account.

Hackers have a myriad of ways to obtain personal data. Every device we use becomes another attack vector. The other side of the coin contains service providers that we freely give our data to.

Free Online Services

Websites often track users by placing cookies on the user’s computer. The main reason: advertising. Websites track user actions and serve targeted advertisements. According to research done at Stanford [standford], 7 companies identified by Carnegie Mellon’s Cylab as having opt-out policies left tracking cookies in place after the user opted out of tracking. Results of the Cylab report are in [carnegie].

Do not track is a opt in policy that many website vendors are adopting: users that opt in expect that a vendor won’t track their actions. It works similar to a do not call list. Like a do not call list, trust is placed in the service provider to honor the request. Unlike a do not call list, it can be tricky to determine if a service provider is honoring the request.

Users can deter websites from tracking their behavior by deleting cookies. By deleting cookies, the user severs the link between the user and the data collected by the service provider.

But service providers don’t want to lose that link and some go to extremes to keep users from deleting cookies. Besides ignoring the request as mentioned above, Flash cookies are another such mechanism that providers use [schneier]. The Flash browser plugin can store cookies similar to web pages, but when a user clears their cookies, Flash cookies are NOT normally cleared. A website can respawn a deleted cookie by recovering the cookie from Flash. Such a cookie is often called a zombie cookie.

A report by Infoworld [infoworld] in 2010 states how Disney, MySpace, and NBC Universal used Zombie cookies, though they weren’t Flash based. A Stanford researcher found Microsoft guilty as well [standford-2].

The do not track issue was discussed at a 2010 workshop which was attended by W3C, the Internet Society (ISOC), and MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) [ietf]. Notes from the workshop state that unique machines setups can also be used to tie a user back to collected data – after the user has deleted a tracking cookie. This technique is called fingerprinting.

Besides do not track, two other privacy options discussed at the workshop are using The Onion Router (TOR) and the “private browsing” available in many popular browsers such as Firefox [firefox], Internet Explorer [microsoft], and Safari [safari]. Neither technique is sufficient to stop a provider from tracking a user, nor were they intended to block such activities. When using security products, it’s important to understand what they’re intended to protect. What can these technologies do?

Private browsing clears out a users complete browsing session to keep the next user from discovering what the previous user accessed. Vendors can still use fingerprinting to identify a user.

According to [tor], Tor “… it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit form learning your physical location.” This description is missing key element: it stops site you visit from learning your physical location by masking your IP address. Like private browsing, a vendor can still use fingerprinting to identify a user.

Websites want to track user habits in order to sell targeted advertising. By itself, this seems harmless enough. The issue is, we don’t have privacy laws that address how the data can be used, how it’s stored, or how it’s shared. Every time a user grants access to their Facebook profile, the user is sharing personal information. The notes on the IETF workshop [ietf] states, “While improvements have been made in obtaining user consent to sharing data between sites, challenges remain with regard to data minimization, ease of use, hidden sharing of data, and centralization of identity information.”

Having excessive personal data in one location has other consequences. According to a US News report [usnews], some employers are asking for Facebook passwords, or to friend someone in HR. Although I compare this type of request to putting a web cam in your living room, at least we’re being asked face-to-face for the information. What if companies could go to Facebook and obtain the info without our knowledge?

Which is worse?

Which is worse? In my opinion, it depends on who you ask. Businesses should fear the hacker while the individual user has more to lose through online services. We have a number of tools and choices to help keep our data safe from hackers. When it comes to online services, the only way to protect our privacy is to not use the Internet, and that’s just not feasible.

____________________

[economictimes]: http://articles.economictimes.indiatimes.com/2012-03-30/news/31260952_1_federal- agency-proposals-internet-users-internet-companies
[darkreading]: http://www.darkreading.com/database- security/167901020/security/news/232800323/sql-injection-still-slams-smbs.html




Look Who’s Watching … Webcams, Privacy and Common Sense

29 02 2012

by Mike Timko

While this is certainly not a new topic I believe it is an area that should garner more press and concern. As more and more homes add Internet based cameras to communicate with family members or to monitor what is going on when they are not there, the concern over privacy should be considered paramount – yet it appears to be much more of an afterthought. While there certainly is a category of users who wish to broadcast their webcams to any user or group, I am only focusing on the intentional hacking of a personal webcam of which the owner has no intention of public access.

Webcam Proliferation

More than 79% of laptops have webcams and that number continues to rise.[1]   Laptops, desktop computers and smartphones are not the only places webcams are being used. They are also not just being used for chatting or keeping in touch with family members. Increasingly people are adding home monitoring systems that can either be tethered to a webcam or operate independently via a Wi-Fi connection, thus making them easy to install them almost anywhere. Home video monitoring is not new, but with Internet capability, the ease of access to these cameras has greatly increased. Early on, this was a place that the home automation enthusiast or hobbyist dabbled in by hobbling together various components to create a home monitoring system with some sort of Internet connection. Now you simply have to do a search for home video monitoring and you can find inexpensive systems available at your local big box or office supply store. People that are concerned about the security of their home or need to monitor a location can install these systems in a very short time, which is part of the issue. The ease of setup makes securing webcams a secondary thought and many people simply accept the default configuration.  [2] Most people that buy these types of systems do not have the technical background to do more than connect the system, which is the appeal. There are an increasing number of smartphone apps that make access to these systems even easier. One that immediately comes to mind is iCam from SKJM.com. The app and related software allows you to legitimately control the webcams or Wi-Fi enabled cameras in your home or business with great ease. In fact there have been news stories of people who have stopped burglaries in action via quick utilization of this app. [3] I personally use this product and have liked the fact that I can monitor my home when not there.  I am however, concerned that others could try and do the same. Since this software requires the cameras to be on – the ubiquitous “green light”, is always lit and thus the awareness of the active status of the cameras is diminished.

Gaining Access

Do a simple search for “hacking a webcam” on the Internet and there are multiple results from simple techniques on how to break in to a webcam with actual tutorials, down to software that will assist the would-be hacker or voyeur.   While there is certainly no way to regulate the distribution of this information, it is clear that consumers need to be ever vigilant in securing against prying eyes.  There are some basic steps any user of webcams can take to be sure they are doing the most to secure their devices. It can be as simple as installing anti-virus software or enabling a firewall. Wi-Fi connections should always be secured with at least WPA to add an additional level of protection in accessing the camera. [4] A recent article in Wired magazine detailed how a hacker exploited a known vulnerability in a particular brand of webcam to the extent of listing all the detailed steps necessary and the related code to make it even easier. He was able to access and control cameras even if they were password secured using their net address and some clever hacking. [5] While the company will be issuing a firmware update to resolve this issue the very idea that this oversight could have occurred is very disturbing. This certainly raises the question of what other brands or devices can be remotely accessed even with basic security in place.

To the Forefront

An incident that has garnered much media attention was the spying of students in the suburban Philadelphia school district of Lower Merion. The school district asserts that the cameras are only activated on the school-owned laptops if there were reported stolen, however the investigation uncovered thousands of pictures from computers that were not reported missing by the student. [6] A class-action lawsuit was filed against the district alleging that the school invaded the students’ privacy. The fact that the school administrators could remotely take pictures was acknowledged by the district and may have actually tried to hide the fact that they were engaged in this activity. [7]  An issue with this case is the legal recourse the families have. According to Title III of the Omnibus Crime Control and Safe Streets Act of 1967 known as the “ Wiretap Act”, it is forbidden to record phone or personal conversations using a hidden microphone, but there is no provision for webcam regulation. An appellate court case in 1984 upheld that ”video surveillance does not ‘intercept’ any communication, and therefore held that Title III neither authorized nor prohibited the surveillance.” [7] In the time that has elapsed since the 1984 decision and subsequent recommendations, there has been no action to amend Title III. We need to have legislation that can protect us and take in to consideration existing technologies but be flexible enough to look forward as well.

Boardroom Break-in

In a recent event, HD Moore of Rapid7, a computer security firm was able to write a computer program that allowed him to search the Internet and obtain the addresses of thousands of videoconferencing sites from major corporations to private legal discussions. The primary reason that he was able to gain access was the end users lack of concern involved with securing these systems. Most companies contacted simply wanted the systems to work and be easy to access by external entities with which they want to conference. What they did not consider was the presence of people trying to access these systems who have no legitimate reason. Mr. Moore was able at times to zoom and pan the cameras as well as listen to the conversations. [8]

One Final Thought

The lesson learned is a simple one – treat any web-connected camera as a portal to the outside world and protect that feature/vulnerability accordingly. The advent of even smaller cameras and wireless devices will only make securing them a higher priority. Considering the time it takes to amend laws, it is important that we look out for our best interest.

_______________

[1] “Webcam Penetration Rates & Adoption”, http://weareorganizedchaos.com/index.php/2011/07/05/webcam-penetration-rates-adoption/

[2] “How to Find Hidden Webcams on the Internet – For Free”, http://donatello.hubpages.com/hub/How-to-Find-Hidden-Webcams-on-the-Internet—For-Free

[3] “SKJM in the News”, http://skjm.com/news.php

[4] “Webcam Hacking: How to Protect Yourself”, http://voices.yahoo.com/webcam-hacking-protect-yourself-9045547.html?cat=15[5] “ Flaw in Home Security Cameras Exposes Live Feeds to Hackers” , http://www.wired.com/threatlevel/2012/02/home-cameras-exposed/

[6] “School District Allegedly Snapped Thousands of Student Webcam Spy Pics”, http://www.wired.com/threatlevel/2010/04/webcamscanda/

[7] “Video Laptop Surveillance: Does Title III need to be updated?”, http://www.judiciary.senate.gov/pdf/3-29-10%20Bankston%20Testimony.pdf

[8] “Cameras May Open Up the Board Room to Hackers”, http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html?_r=1&scp=4&sq=cameras&st=cse





Security and Privacy issues with GPS Tracking /Navigation

14 12 2011

Although GPS consumer products have many advantages like allowing users to update their maps with the current road information, but there are some security concerns associated with GPS as well. Hacking a GPS device is commonly referred to as “spoofing”.

“In spoofing, a spoofer creates a false GPS signal, sending an incorrect time and location to a certain receiver.”[1]In this case, the target does not know that the signal is a false one. For a normal GPS user, being a couple of microseconds off the real time is not a big deal but few microseconds off could cause power generators to explode as some power generators uses GPS signals to sync electrical grids to power stations. GPS is also used in various other places like – To help avoid plane collisions, air traffic controllers use GPS. Financial transactions time-stamping in banks is done using GPS. To monitor criminal’s activities, GPS receivers are used by police[2].

Stingrays is the technology used by police to track people’s location. This technology works by mimicking a cellphone tower, getting a phone to connect to it and measuring signals from the phone. It sends a signal to the phone and locate it as long as it is powered on.[3] This device is used by police to locate suspects and also by rescue teams to find people lost in remote areas or buried in rubble after accident.

So, the ill effects of spoofing can be falsifying the geographical location of criminals or falsifying the location of lost people in remote areas to protect criminals or various other reasons. The extent of spoofing can be as worst as plane crashes and generators exploding.  But, it is difficult to build a spoofer as cost of creating a spoofer is as high as $1million[4] and it takes as less as around a week to build a spoofer. Military GPS systems are difficult to be spoofed as they use encryption technology which is not used by normal GPS systems[5].

To prevent these spoofing attacks and to protect GPS systems, manufacturers of GPS systems should consider encryption technologies or other technologies to make GPS systems safer and better. GPS technology makes the world more vulnerable to these attacks, but another technology like encryption can help prevent these spoofing attacks on GPS systems.





Simple Rules to Help Protect Your Information and Privacy Online

8 11 2011

Internet has become such a powerful tool these days that people often tend to lose track of their security measures and unknowingly disclose information which is not supposed to be disclosed.

Hence, while using internet it is very important to keep an eye on subtle details which can help protect and preserve information from being used by unauthorized sources.

Do not reveal personal information incessantly:

Configure your web browser using preferences, whether you want to reveal personal information or not. Be more careful if the computer is being used by multiple users.

Keep a clean email address:

Do not publicly throw away your email address and get spammed. Keep a separate email address for personal use and use an email address with dummy name to email large number of people.

Beware of phishing sites:

Be cautious of phishing sites as they can extract confidential information from you by having look-n-feel of a genuine site. Only reveal sensitive data over a secure connection.

Make sure your home computer is equally safe:

Most home computers are very unsafe. Make sure your computer is turned off when not in use as system hackers are always in search of unsafe computers which are the most vulnerable.

Use encryption:

Seek out internet service providers and add-on products which provide good encryption to protect against threats.

Hence, considering the above points, it becomes obvious that online privacy is of optimum importance.

References:

https://www.eff.org/wp/effs-top-12-ways-protect-your-online-privacy