Security: it’s an HR thang

lorraine on July 4th, 2008 | File Under HR, crime, employees, identity theft, personal security, privacy, security -

Chain Gang 1941

You might not think of it this way, but your company’s data security is a human resources issue. When employees give you their data, including SIN and banking details, they are trusting you to keep those secure, at least as secure as you keep your clients’ details.

What if you didn’t?

What if you were Google?

From Valleywag:

 We all got a letter saying that a break-in occurred on May 26 and Google was notified on June 9. Here’s the fun part: “We’ve been informed by Colt [the HR contractor] that specific personal information for employees and dependents included names, Social Security numbers, birthdates, addresses, hire dates, and relationships.” Employees are getting a free year of identity-theft protection.

I’m not sure whether that last is a benefit or a punchline, under the circumstances.


Wireless, not Clueless

lorraine on June 24th, 2008 | File Under computers, crime, identity theft, personal security, wireless -

zealous autoconfig

Well, I’m sure we all sympathize.

With the hacker, that is.

The fact is that, if you even think about it, when you’re not using your personal WiFi you probably don’t care if someone outside your circle of acquaintances uses it, since you’re paying by the month and not by bandwidth usage. And in a politely socialist country like Canuckistan, sharing your WiFi bounty (wireless signals want to be free?) with the neighborhood might be thought of as a right civic-minded thing to do.

However.

A couple of worst-case scenarios, presented for your perusal:

  • Should someone in, say, your apartment building, manage to intercept some of your snail mail they could conceivably get enough information about you to impersonate you on your own wireless connection, which is a pretty difficult combination to disprove. Hmmm, they’ve got your Visa number AND they’re emailing from (apparently) your own computer? Hmmmm…must be you!
  • Should someone using your wireless connection use it in the commission of a crime, guess where the trail will lead first? Not to That Yellow House Across the Way, that’s for sure!
  • You wouldn’t (yourself) really do internet banking wirelessly on a network that wasn’t even password-protected, would you? No, of course not, because your spidey sense would tell you what a bad idea that was, right?

Now, promise me that if you want to share the WiFi luv with the universe you will at least set up the password while you are on the connection doing stealth-deserving things. If you don’t care who sees you reading Fleshbot, fair enough, but don’t be doing your taxes online through the ether without at least ensuring you’re the only person allowed in the virtual circuit. Amelia Earhart doesn’t need to see all that information, and neither does the crook down the lane who is looking for a mark.

Oh, and warn your kids about those WiFi banditos; you can never be too careful.


Proof: Big Brother’s YouTube Favorite

lorraine on June 18th, 2008 | File Under Art, Myspace, Social Media, Web 2.0, personal security, privacy -

For security reasons, Myspace asks its registered users to videotape themselves reciting their User IDs. Now, whatever you think of the security provided by this as proof of identity and ownership (and in the insane dramaverse that is Myspace, it makes a certain sense) you must admit that, edited together, the brief vignettes have a strange, poetic power.

The arbitrariness of both the numbers and the task itself is highlighted by contrast with the self-evidently sensitive, emo-identified, eyeliner-abusing Myspacers themselves. This is Proof, a two-minute montage of these videos by Brad Troemel and Randi Heylek.

via Valleywag

Interesting question: what if someone on this video asks to be taken off, since consent to ID oneself for security purposes is not identical with consent to participate in an art video? Is that alliance to the Machine and opposition to Art? But: would an emo admit that?


Forget 1984. Welcome to 2008

lorraine on June 11th, 2008 | File Under privacy, security -

George Orwell Plaza now under surveillance

 

Yes, the Plaza George Orwell in Barcelona is now under the questionable protection of surveillance cameras. His London house is also circled by cameras (London, it should be noted, has the highest CCTV-to-citizen ratio of any city in the world).

 

Irony, ladies and gentlemen, is dead. But at least we have footage of the murder…


Data Portability and the Law of Conservation of Catastrophe

lorraine on June 4th, 2008 | File Under Social Media, blogs, personal security, privacy, security, technology -

Looking under the hood

The Law of Conservation of Catastrophe, one of my favorite sociological principles, maintains that when you try to fix a weakness in an existing system, an equal or larger weakness will result in a different part of the system. Software engineers and technical support people have an intimate familiarity with the way this principle works in real life.

Here’s how it works in social media.

Now that Yahoo and Google are dividing the world between them, they are integrating their smorgasbord of services at a rate of knots, the idea being that the users really desperately want to connect all their online identities, their social media pages (oooh, let’s connect my DeviantArt gallery with my LinkedIn profile!), their friends and contacts, and every other piece of information about them the internet may contain.

We have already discussed whether or not that’s a good idea and there is no need to re-hash it here, I trust.

Now let’s discuss what happens if you do go ahead and connect everything up. The sexually-transmitted disease metaphor, always popular when discussing internet security, applies perfectly.

When you connect your sites together you are exposing each of your sites to the security vulnerabilities of all of your sites. In other words, they all become as vulnerable as the most vulnerable site in your now interconnected online world.

You doubt? Byron Ng found he could access anyone’s private Myspace pictures just by going in through a particular Yahoo phone sign-in. It demanded a username and password, it’s true, but any username and password, not specifically that of the person whose profile you were looking at.

That’s just one example. As the conglomeration model spreads through the digital industry, this risk will grow geometrically; your security can even be compromised by sites you don’t join and may not even know about. The hack above works whether the Myspace user with the private pages has a Yahoo ID or not, yet all Myspacers shared this risk until Valleywag posted it and the company disabled it today.


From the Department of Bad Ideas

lorraine on May 27th, 2008 | File Under gadgets, privacy -

Sometimes you see something and you think…no. Just no.

This is one of those things: The See Me TV decorator mirror, built to look like a closed circuit tv camera.

See Me TV Mirror

There’s a point at which ironic reference slides into obscene obeisance and this is it. Having them around the house might tell your friends quite a lot about you; it might not be quite as flattering as you think.


Steal My ID! Okay!

lorraine on May 21st, 2008 | File Under crime, fraud, identity theft, personal security, privacy, secusolutions -

I dare you

It had to happen.

LifeLock CEO Richard Todd Davis was so confident in his security company that he publicly dared criminals to steal his identity, posting his Social Security Number in the company’s ads.

457-55-5462, for the record.

Can you guess what happened next? I knew you could.

Yes, there are more than 20 different driver’s licenses issued to that particular SSN, which you’d think should have raised some flags in government departments, but then, they don’t generally claim to be in the business of protecting people’s personal privacy.

And thus, a lawsuit was born:

“…a simple background check performed using Davis’ Social Security number reveals that his entire personal profile has been compromised to the extent that the birth date associated with his Social Security number is Nov. 2, 1940, which would [inaccurately] make Davis 67 years old.” The lawsuit maintains that LifeLock, which claims on its Web site to be “the industry leader in the rapidly growing field of Identity Theft Protection,” made false and misleading claims in its multimillion-dollar ad campaign about the level of protection it provides.

“Through its advertisements, LifeLock misrepresents and assures consumers that it can protect against all types of fraud including, without limitation, computer hacking, password theft and other noncredit-related theft,” the suit reads.

But LifeLock doesn’t protect against many forms of identity theft, according to the lawsuit.

The Arizona-headquartered company does place and renew fraud alerts on its subscribers’ credit profiles. But it does nothing to combat breaches involving personal bank, employment or medical information, as well as theft pertaining to government documents and benefits, the suit alleges.

Which, of course, wouldn’t be an issue, if LifeLock didn’t claim to be an all-encompassing security service, guaranteeing $1 million against damages arising from identity theft of any of its clients without actually providing prevention or protection. Meanwhile, the company checks security by using its clients’ free annual credit checks, charging them $110 p.a. for the privilege.

And from the Department of You Couldn’t Make It Up, the lawsuit claims that Davis’s co-founder originated the idea while in jail for ripping off the Mirage Casino in Vegas, that he got the money to start the company by stealing his own father’s identity and racking up his credit cards, and that LifeLock’s client list includes people who committed identity theft and used the proceeds to sign up for…LifeLock’s identity theft protection.

Yet one more reason to make sure you’re dealing with the right security company.


Don’t Get Dooced!

lorraine on May 13th, 2008 | File Under HR, blogs, computers, email, personal security, privacy -

FIRED yet still married to the sea. Does that pay well?

Seriously, do we even need to discuss this?

Some quick tips for anonymity online:

  • use an anonymous web mail program that does NOT have a backup address; risky for your files, but also safer for your privacy. And use it only for receiving email. Emails you send can be traced back to you.
  • don’t use the same user identity for accounts you want to keep separate. If you accidentally started your “secret” blog with an ID that is already somehow connected to yourself, delete the entire blog and start over.
  • it’s easy to go from MORE privacy to LESS. It is almost impossible, practically speaking, to go the other way around. When in doubt, start with a private blog.
  • don’t use the same password on multiple sites. If one is hacked, they ALL are.
  • don’t use a username that is a nickname you have in real life. Like, duh.
  • don’t tell your friends. Sure, you may think nobody will ever read your blog. Get over it. In every case of which I’m aware on Wordpress.com, when a “secret” blog has been traceable by a Google search for the blogger’s real name, it turns out to be someone’s friend posting the equivalent of “George has a kewl noo blawg @ georgiessecretblawg.com so go chekkit out!”
  • don’t blog from work. Big Brother is watching and he’s wondering why he’s paying you for all that time you spend on Nerve.com.
  • don’t write about work. Big Brother has a spidey sense, and a little sister who spends all day online reading blogs.
  • never leave comments on other sites with that user ID. They can trace your IP.
  • don’t blogroll your “secret” blog on your other sites, and don’t link to it, ever. Everyone can tell when you’re linking to another of your own sites, almost as if there were neon signs pointing it out.
  • if you’re really concerned, use an IP anonymizer.
  • if the caca hits the fan and you do get dooced, remember that it happened to Dooce and Perez Hilton once, and they’re doing just fine now.


Crowdsourcing Security

lorraine on May 8th, 2008 | File Under Web 2.0, personal security, security, technology -

Mob

Would you trust these strangers with your precious computer’s security? Would you trust strangers you couldn’t even see or locate? That’s exactly what Web of Trust (WoT) is asking you to do.

And it might not be such a bad idea, actually.

As Bill Mullins reports on his blog Tech Thoughts:

WOT (Web of Trust), a free Internet Browser resource that has established an impressive 4.5/5.0 star user rating on CNET, tests web sites you are visiting for spyware, spam, viruses, browser exploits, unreliable online shops, phishing, and online scams. WOT which integrates with search engine results from popular search engines including Google, Yahoo, MSN and other popular sites, provides impressive protection against Internet predators and helps you avoid unsafe web sites.

So far, so good, and also so standard. Nothing unusual about the tasks it performs. What separates WoT from the competition is a unique refinement in the area of social engineering, rather than software engineering: like the Zagat ratings or the hallowed Digg, it solicits users’ feedback and incorporates it into the service, essentially turning its clients into volunteers for the project of keeping everyone’s computers safe. Bill Mullins sums it up:

The advantages of members’ participation in exchanging their personal knowledge about a web site, in my view, cannot be overemphasized. It allows for a new and exciting trend in Internet security, and that is the concept of “people driven security”. A concept that encompasses the philosophy, that we are all responsible for each other’s security on the Internet. According to WOT, the user community now has reputation data on over 18 million sites worldwide. The shared information on a site’s reputation includes trustworthiness, vendor reliability, privacy, and critical in the current Internet environment, child safety.

That is both a revolutionary concept and a very impressive implementation. As time goes on, the data will become even more refined and the reach of the volunteer analysts will expand, making WoT ever more reliable and up-to-date.

While the idea of essentially open-sourcing your computer’s security may sound terrifying, there are sound reasons to look to this product as an example of Web 2.0 that’s more help than hype.


Facebook in the driver’s seat

lorraine on May 7th, 2008 | File Under Facebook, personal security, privacy, security -

Smart. Maxwell Smart

Soooooooo…you weren’t thinking of trusting Facebook with your private data, were you? Not after all we’ve discussed right here on this very blog. Of course not. You’d never, for instance…pay Facebook to advertise on it and then at their prompting, say, upload a detailed scan of your Driver’s License to Facebook, only to find it posted on your public page. Now that’s value for your advertising dollar, eh? Here’s what Valleywag has to say about it (yes, I know we’re all about the Valleywag lately, but they’re on a streak):

Facebook allows musicians and their labels to promote music through official Musician Pages, but before allowing them to upload music, Facebook requires the page administrators to submit identification in case of copyright…The [victim] tells us he’s tried to contact Facebook about the problem — sending four emails and calling four times — but all he’s gotten in response so far is the…brushoff via email.

Social media sites are the most powerful information distribution system within the internet, itself the most powerful communication medium the planet has ever seen. They are, consequently, some of the least secure locations for your private details. As Robert Scoble found when he complained about social media and privacy, and as any kid who’s played with a Wii in the bathtub has discovered, sometimes the newfangled toys are not the safest.

There is going to be a lot of tension about Facebook until it adds much better privacy controls. Some things deserve to be open to the public (and to Google). Glad to see Facebook is recognizing that. But other things should only be kept for close personal friends. I wish I could set Facebook stuff to be shared with the audience I want to share that media with (whether or not I usually want to make my stuff totally public).

Personally, Facebook would do a lot better to listen to danah than to listen to the tech geeks like me who want more publicly-available features on Facebook.

There are a lot more people in the world who are like my wife and who want to keep things hidden than there are like me who want to have publicly-available resources.

I really wish there were a service that serves both our needs, though.

Scoble’s commenters referred him to good, old-fashioned LiveJournal. It may not be slick, it may not be glamorous, but it is a site that has blossomed as a direct result of allowing its users to strictly control who has access to their information, and it defends those infowalls with everything it’s got.

If you insist on sticking with FB rather than LJ or LI, check out what engtech’s got to say about How to Use Facebook Without Losing Your Job Over It.

As you can guess from my previous series on online pseudo-anonymity, something that collects as much personal information as Facebook scares the bejebus out of me. From the address book import I can clearly see that everyone I’ve ever even remotely known is already on Facebook, and the default settings mean they’re all sharing all kinds of personal information they may not be aware of.

The potential downside a lot of my friends and acquaintances don’t realize is that Facebook is more like LinkedIn than MySpace and it is “on the radar” of your employers. People have already lost their jobs because of their Facebook activity. Most people don’t think about online privacy concerns like these unless they’ve had a bad experience because of being too free with information.

But Facebook can be used safely and with little impact on the rest of your life by following these tips

Well, what are you waiting for? A call from the boss?
