Hackers vs. Free Online Services: Which is a bigger threat to privacy?

9 04 2012

On the surface, it may seem hackers provide a larger threat to our privacy compared to free online services. However, nothing is free and service providers such as Google and Facebook are collecting hordes of personal information, yet we lack privacy laws that dictate how that information can be used, how it must be stored, and how it is shared. According to [economictimes], “The Whitehouse and Federal Trade Commission have unveiled privacy frameworks that rely heavily on voluntary commitments by Internet companies and advertisers.” We need better assurance than a voluntary commitment.

In the opposite corner, we have hackers. I hate to use the term hacker in a negative context but mainstream media has made the practice the status quo. For lack of a better term, I’ll use hacker to describe someone who writes malicious software or aims to gain unauthorized access to a computer, network, or electronic account. This definition is similar to Kaspersky’s [kaspersky-1]. Hackers pose a threat to privacy by stealing personal information directly from our PCs, or by breaking into systems that we’re registered with.

Both are a concern to user privacy. Which provides a bigger threat? Let’s explore the implications of each.

Hackers

Anti-virus software helps keep our PCs clean, offering the user some level of privacy protection, but what exactly are we protected from? According to [securelist], a website administered by Kaspersky Lab, many anti-virus vendors split malware into the following categories: crimeware, spyware, ransomware, and bot-clients. This is not an all-inclusive list, but [securelist] describes them as “the most prevalent, persistent and threatening recent trends”.

Malware is distributed through a combination of vulnerabilities found in software (including operating systems), social engineering, and trojans: innocent-looking programs that contain a nefarious payload. While malware is still an issue on PCs, even though MS is claiming Windows 7 is 5 times more secure than XP [cnet], an even greater growing threat is on mobile devices. A report by Juniper Networks [juniper] saw a 155% increase in malware samples between 2010 and 2011 and Android devices are the primary target. The report states that, in 2011, 46.6% of samples were for Android, up from 0.5% the year before. The report does not include data for iOS malware due to Apple not releasing data. But Apple devices are not safe.

Forbes [forbes] has a report on Charlie Miller who exposed a vulnerability in Apple’s walled garden and was rewarded by being kicked out of the developer program for a year. Even though iPhones have seen less malware than Android devices, the devices are vulnerable as proven by Geohot [geohot]. Perhaps iOS devices will remain relatively safe while Android maintains the largest market share [gartner].

And if you thought you were safe on a Mac, Dr WEB [drweb] has identified a worldwide Mac botnet with over 500,000 nodes. The website states malware is installed on machines through a Java vulnerability, allowing an Applet to execute code outside of the sandbox and infect the machine. Apple’s knowledge base confirms the vulnerability [apple].

Linux machines are also vulnerable. While viruses are uncommon for Linux machines, likely due to the relatively small number of users, Linux machines are often targeted by attackers as they’re commonly used to run web servers and other network services. If you’re running a Linux web server at home (or any web server for that matter), check your logs; you’ll likely see repeated attempts from a script to exploit your machine.
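One way to do the log check suggested above, as an added example that is not part of the original post: it groups requests by client and flags any client that hit several different missing or forbidden paths, which is how an automated probe tends to look. The log format (Apache/nginx "combined"), the sample lines, and the threshold of three distinct paths are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in "combined" log format; the addresses are documentation
# ranges and the paths are made up for illustration (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [09/Apr/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [09/Apr/2012:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Apr/2012:10:03:11 +0000] "GET /setup.php HTTP/1.1" 404 209 "-" "-"
198.51.100.7 - - [09/Apr/2012:10:03:11 +0000] "GET /admin/login.php HTTP/1.1" 404 209 "-" "-"
198.51.100.7 - - [09/Apr/2012:10:03:12 +0000] "GET /admin/login.php?lang=en HTTP/1.1" 404 209 "-" "-"
198.51.100.7 - - [09/Apr/2012:10:03:12 +0000] "POST /old/upload.php HTTP/1.1" 403 199 "-" "-"
203.0.113.5 - - [09/Apr/2012:10:05:40 +0000] "GET /about.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
this line is truncated or corrupt
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def client_errors(log_text):
    """Map client IP -> set of distinct paths (query string dropped) that got a 4xx."""
    misses = defaultdict(set)
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:              # malformed lines are counted, not parsed
            skipped += 1
            continue
        if 400 <= int(m.group("status")) < 500:
            misses[m.group("ip")].add(m.group("path").split("?", 1)[0])
    return misses, skipped

def find_probers(log_text, min_distinct=3):
    """Clients that requested at least min_distinct different missing/forbidden paths."""
    misses, _ = client_errors(log_text)
    return {ip: sorted(paths) for ip, paths in misses.items()
            if len(paths) >= min_distinct}

if __name__ == "__main__":
    for ip, paths in find_probers(SAMPLE_LOG).items():
        print(ip, "probed", len(paths), "distinct paths:", ", ".join(paths))
```

A visitor with a single 404 (a missing favicon, say) stays below the threshold, so ordinary browsing is not flagged.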

Even if your system is “secure”, weak passwords or poor programming on a website can leave you vulnerable. Despite being well-known problems, cross-site scripting (XSS) and SQL injection [darkreading] continue to be problems. SQL injection can be used to gain unauthorized access to a system or data, and XSS can be used to access data for an individual’s account.

Hackers have a myriad of ways to obtain personal data. Every device we use becomes another attack vector. The other side of the coin contains service providers that we freely give our data to.

Free Online Services

Websites often track users by placing cookies on the user’s computer. The main reason: advertising. Websites track user actions and serve targeted advertisements. According to research done at Stanford [standford], 7 companies identified by Carnegie Mellon’s Cylab as having opt-out policies left tracking cookies in place after the user opted out of tracking. Results of the Cylab report are in [carnegie].

Do Not Track is an opt-in policy that many website vendors are adopting: users that opt in expect that a vendor won’t track their actions. It works similarly to a do-not-call list. As with a do-not-call list, trust is placed in the service provider to honor the request. Unlike a do-not-call list, it can be tricky to determine whether a service provider is honoring the request.

Users can deter websites from tracking their behavior by deleting cookies. By deleting cookies, the user severs the link between the user and the data collected by the service provider.

But service providers don’t want to lose that link and some go to extremes to keep users from deleting cookies. Besides ignoring the request as mentioned above, Flash cookies are another such mechanism that providers use [schneier]. The Flash browser plugin can store cookies similar to web pages, but when a user clears their cookies, Flash cookies are NOT normally cleared. A website can respawn a deleted cookie by recovering the cookie from Flash. Such a cookie is often called a zombie cookie.

A report by Infoworld [infoworld] in 2010 describes how Disney, MySpace, and NBC Universal used zombie cookies, though they weren’t Flash based. A Stanford researcher found Microsoft guilty as well [standford-2].

The Do Not Track issue was discussed at a 2010 workshop which was attended by W3C, the Internet Society (ISOC), and MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) [ietf]. Notes from the workshop state that unique machine setups can also be used to tie a user back to collected data – after the user has deleted a tracking cookie. This technique is called fingerprinting.

Besides do not track, two other privacy options discussed at the workshop are using The Onion Router (TOR) and the “private browsing” available in many popular browsers such as Firefox [firefox], Internet Explorer [microsoft], and Safari [safari]. Neither technique is sufficient to stop a provider from tracking a user, nor were they intended to block such activities. When using security products, it’s important to understand what they’re intended to protect. What can these technologies do?

Private browsing clears out a user’s complete browsing session to keep the next user from discovering what the previous user accessed. Vendors can still use fingerprinting to identify a user.

According to [tor], Tor “… it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.” This description is missing a key element: it stops the sites you visit from learning your physical location by masking your IP address. As with private browsing, a vendor can still use fingerprinting to identify a user.
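The fingerprinting point made in the workshop notes and in the two paragraphs above, as an added toy model that is not part of the original post: a tracking service that keys a profile on either a cookie or a hash of the attributes a site can read from the browser keeps the same profile after the cookie is deleted or a private session starts. The attribute names and values are constructed, and the model covers only the IP masking the post attributes to Tor, assuming the browser's readable attributes stay the same.

```python
import hashlib

def fingerprint(attrs):
    """Hash attributes a site can read from the browser. IP and cookies are not inputs."""
    canon = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

class Tracker:
    """Toy tracking service: a profile is found by cookie first, then by fingerprint."""
    def __init__(self):
        self.by_cookie, self.by_fp, self.count = {}, {}, 0

    def visit(self, cookie, attrs):
        fp = fingerprint(attrs)
        profile = self.by_cookie.get(cookie)
        if profile is None:
            profile = self.by_fp.get(fp)     # cookie gone: fall back to the fingerprint
        if profile is None:
            self.count += 1                  # genuinely new visitor
            profile = self.count
        if cookie is None:
            cookie = f"id-{len(self.by_cookie) + 1}"   # issue a fresh cookie
        self.by_cookie[cookie] = profile
        self.by_fp[fp] = profile
        return profile, cookie

# Constructed attribute sets (hypothetical values, not taken from the post).
LAPTOP = {"user_agent": "ExampleBrowser/11.0", "screen": "1440x900x24",
          "timezone": "UTC-5", "fonts": "Arial,Calibri,Example Sans",
          "plugins": "Flash 11.2,Java 1.6"}
OTHER = dict(LAPTOP, screen="1920x1080x24", fonts="Arial,Helvetica")

def demo():
    t = Tracker()
    first, cookie = t.visit(None, LAPTOP)        # first visit, cookie issued
    again, _ = t.visit(cookie, LAPTOP)           # ordinary return visit
    cleared, new_cookie = t.visit(None, LAPTOP)  # user deleted all cookies
    private, _ = t.visit(None, LAPTOP)           # private session: starts with no cookies
    # Masking the IP address changes nothing here: the address was never an input.
    stranger, _ = t.visit(None, OTHER)           # a differently configured machine
    return [first, again, cleared, private, stranger], cookie != new_cookie

if __name__ == "__main__":
    profiles, reissued = demo()
    print("profile per visit:", profiles, "| new cookie after clearing:", reissued)
```

Only the differently configured machine gets a new profile; every cookie-less visit from the same setup lands back in profile 1.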

Websites want to track user habits in order to sell targeted advertising. By itself, this seems harmless enough. The issue is, we don’t have privacy laws that address how the data can be used, how it’s stored, or how it’s shared. Every time a user grants access to their Facebook profile, the user is sharing personal information. The notes on the IETF workshop [ietf] state, “While improvements have been made in obtaining user consent to sharing data between sites, challenges remain with regard to data minimization, ease of use, hidden sharing of data, and centralization of identity information.”

Having excessive personal data in one location has other consequences. According to a US News report [usnews], some employers are asking for Facebook passwords, or to friend someone in HR. Although I compare this type of request to putting a web cam in your living room, at least we’re being asked face-to-face for the information. What if companies could go to Facebook and obtain the info without our knowledge?

Which is worse?

Which is worse? In my opinion, it depends on who you ask. Businesses should fear the hacker while the individual user has more to lose through online services. We have a number of tools and choices to help keep our data safe from hackers. When it comes to online services, the only way to protect our privacy is to not use the Internet, and that’s just not feasible.

____________________

[economictimes]: http://articles.economictimes.indiatimes.com/2012-03-30/news/31260952_1_federal-agency-proposals-internet-users-internet-companies
[darkreading]: http://www.darkreading.com/database-security/167901020/security/news/232800323/sql-injection-still-slams-smbs.html




Social Privacy

8 09 2011

After steamrolling over every other social network save for Twitter, Facebook has emerged as one of the primary means for people to communicate and share information. According to Facebook’s own statistics, there are 750 million users with an average of 130 friends each [1]. With so many people connected to so many others, massive amounts of information are being created all the time. We all know what kind of information exists out there on Facebook: birthdays, hometowns, relationships, and so much more. However, what happens to this information after it is published is often overlooked or ignored. All information that a user posts on Facebook is subject to the site’s privacy policy, but honestly, how many people do you think actually read the entire policy? Upon clicking the “Sign-Up” button, every user states that he or she read and agreed to the privacy policy (and the terms of use), but I am willing to bet that most people never even clicked the link to view it, or entirely missed the small text stating the agreement.

I know that I did not read the privacy policy when I created my account 4 years ago, and probably didn’t look at my sharing settings at all until I started reading about privacy concerns with Facebook, so I wanted to do a little research on what The Social Network itself says is done with my information. Facebook’s privacy policy is large; weighing in at roughly 5800 words, the document requires a lot of effort to get through, and even more to understand what it is saying. According to their policy, the information that a user provides can be used in multiple ways. The site uses user activity data to improve the day-to-day functioning of the website, for example. The site will also suggest other pages on Facebook based on your interests, or similarly suggest friends based upon who you are already friends with [2]. This is pretty vanilla stuff that most people understand and accept when using the site.

There are some troubling parts of the privacy policy, though. Facebook also uses collected information to target advertising, a money-maker for the site. The policy states that advertisers can “choose the characteristics of users who will see their advertisements” and that Facebook “may use any of the non-personally identifiable attributes we have collected…to select the appropriate audience for those advertisements” [2]. Other services, like social ads (ads with your friends’ pictures next to them), make use of users’ personal interests. However, you can opt out of ‘services’ like these if you find the right page (good luck). This idea of settings that are ‘opt out’ instead of ‘opt in’ seems like a problem, especially if users have no idea they’ve ‘opted in’ in the first place. Another especially concerning section of the privacy policy concerns information shared with the ‘Everyone’ setting. According to the policy, this information may “be accessed by everyone on the Internet (including people not logged into Facebook), be indexed by third party search engines, and be imported, exported, distributed, and redistributed by us and others without privacy limitations” [2]. In short, if any information is shared with this setting, anyone can find it and Facebook can do whatever it wants with it. These policies should make users think more carefully about what they put online.

Facebook has faced criticism in the past over its privacy policies, so it has always been a work in progress. Most recently, Facebook announced they will be rolling out a series of changes to the way users can control their own privacy. Users will soon be able to more easily see what content is shared with whom, approve tagged photos before they show up on their profile, and easily view their profile from the perspective of another user [3]. These are features that were either previously non-existent or buried underneath a series of links.

These are all great things for Facebook to do from a user standpoint, but it seems to me that there is an inherent irony when it comes to a social network increasing user privacy control. Facebook is a business, and its business is to get people to share information. The site would love for every user to share their information with the ‘Everyone’ privacy setting. The more information users share, the more Facebook is able to use it to improve their bottom line. So the take-home point here is that you really have to be careful when it comes to social networks. Take a look at Facebook’s privacy policy to start, and understand just what your rights are when it comes to your information. And if your information is something you’d rather not share, just keep it off the internet in the first place.

_______________

[1] https://www.facebook.com/press/info.php?statistics

[2] https://www.facebook.com/policy.php

[3] http://www.pcmag.com/article2/0,2817,2391750,00.asp