The following article illustrates the dangers of using web-base collaborative applications.
Google Privacy Blunder Shares Your Docs Without Permission
by Jason Kincaid on March 7, 2009
In a privacy error that underscores some of the biggest problems surrounding cloud-based services, Google has sent a notice to a number of users of its Document and Spreadsheets products stating that it may have inadvertently shared some of their documents with contacts who were never granted access to them.
With Windows XP, to clear the page file on shutdown go to Control Panel->Administrative Tools-> Local Security Policy->Local Policies->Security Options->Shutdown: Clear Virtual Memory Pagefile … enable it. It is wise to enable this setting on every computer you use.
We tell people to travel with a “clean” laptop. However, Windows creates a lot of temporary files. The most damaging can be the Page file. Everything that went into virtual memory is there in a file on the hard drive. Of course you should also use a good file erasure programme before shutting off the laptop.
Evidence Eliminator and similar software can kill out files and perform other tasks. But their use can raise red flags in a legal dispute.
But the wiper programs don’t ensure a clean getaway. They leave behind a kind of digital calling card.
“Not only do these programs leave a trace that they were used, they each have a distinctive fingerprint,” Kessler said. “Evidence Eliminator leaves one that’s different from Window Washer, and so on.”
I recommend the use of file erasure tools, especially when crossing international borders with computers. If you use such a programme regularly you have plausible deniability if you’re accused of erasing data to keep it from the police or the courts. If you always use it, then its “fingerprint” will always be there. If the install date matches the computer’s purchase date, then they can’t say you did this to eliminate the evidence the courts or police were seeking. Also, get a receipt for the wiper programme to show when it was purchased for the same reason.
File erasure programmes are part of prudent security practices and should not be viewed as something suspicious.
This is not a new issue. A 2004 PC World article described the technology. In February, 2008, I wrote about the EU concerns that these secret printer ID codes may break EU Privacy laws. The EFF has a list of the printers that print these secret codes used by the US government to match a document to the laser printer that produced it.
Another article about this appeared in USA Today a few days ago.
Printer dots raise privacy concerns
The dots, invisible to the naked eye, can be seen using a blue LED light and are used by authorities such as the Secret Service to investigate counterfeit bills made with laser printers…
Privacy advocates worry that the little-known technology could ensnare political dissidents, whistle-blowers or anyone who prints materials that authorities want to track.
The dots are produced only on laser devices and not ink-jet printers, which are most commonly used at home…
As an investigator, this might present an opportunity if the dot pattern is consistent enough to be matched to a particular printer or printer type without being able to decode the dots. If this were the case, then you might not need the ability to decode the dots in some instances. For example, at a company with many different types of laser printers. The process of elimination might indicate which printer(s) could have created a document.
An interesting study that found that 87% of data breaches are the result of incompetence and carelessness.
Another study shows that a large disconnect between the executives tasked with protecting customer data and marketing departments, which use the data for advertising purposes or share it with third parties.
a third of marketing execs said they don’t place any limits on the data they share with third parties, such as e-mail marketing agencies or online advertisers. By contrast, 75% of privacy officers believe that their companies limit the sharing of customer data.
These findings are a good reminder that asking questions will yield useful data that they shouldn’t divulge. It’s all in how you ask the question.
Online advert system Phorm could make the net less secure and breaches human rights, the service’s creators have been told.
BT, Virgin and Carphone Warehouse have signed up to trial Phorm.
Phorm works by connecting a users’ web surfing habits to a series of advertising channels in order to target adverts.
Keywords in websites visited by a user are scanned and connected to advertising categories, and then matched to particular adverts.
James Ashton writes on The Times Online:
Experian, the credit checking company, is braving mounting concerns over internet privacy with plans to launch a service that will track broad-band users’ activity so they can be targeted with advertising.
Through Hitwise, the web-site company it acquired for £120m a year ago, Experian has held talks with internet service providers to sell its monitoring technology.
Observers expect it to compete in part with Phorm, an AIM-listed company that has stirred controversy after being recruited by BT, TalkTalk and Virgin Media to track their 10m customers’ behaviour so they can be sent advertising messages on the websites they are looking at.
However, the key difference is that Hitwise, which describes itself as an “online competitive intelligence service” would play little part in dispatching the advertising to web pages itself, something that Phorm does through its Open Internet Exchange.
I previously wrote about Bill C-27 and how it will make it an offence in Canada to recklessly make available or sell personal information knowing it will be used to commit fraud.
Google, and others, offer tools such as on-line word processing but your data is housed by that entity, usually in the USA, and is thus subject to the US Patriot Act, and other laws that allow government surveillance of your data.
In my view, using these Web-based collaborative tools amounts to Reckless Personal Information Handling.
The Globe and Mail recently published an interesting article about this:
Patriot Act haunts Google service
by SIMON AVERY, Globe and Mail March 24, 2008
Some other organizations are banning Google’s innovative tools outright to avoid the prospect of U.S. spooks combing through their data. Security experts say many firms are only just starting to realize the risks they assume by embracing Web-based collaborative tools hosted by a U.S. company, a problem even more acute in Canada where federal privacy rules are at odds with U.S. security measures.
When I travel for work, I undertake what some people consider extreme measures to protect proprietary client data from theft by officials at international borders. These officials do not need warrants to seize or examine anything in your possession when crossing a border and that makes border officials excellent spies. This issue arose recently regarding the actions of the US border officials:
In Canada, one law firm has instructed its lawyers to travel to the United States with “blank laptops” whose hard drives contain no data. “We just access our information through the Internet,” said Lou Brzezinski, a partner at Blaney McMurtry, a major Toronto law firm. That approach also holds risks, but “those are hacking risks as opposed to search risks,” he said.
Creating a “blank laptop” entails more than just hitting the delete key or even using a utility to overwrite existing data. The hacking risk is also greater than most people realize, especially with wireless connections. Even with secure end-to-end encryption, traffic analysis can yield very useful intelligence.
I just found this:
“WikiLeaks.org is developing an uncensorable version of WikiPedia for untraceable mass document leaking and analysis.”
I’m not sure how I might use this site, but it does have some very interesting instructions on how to submit material anonymously.
Current privacy regimens are just that — they try to keep information from being disclosed. Unfortunately, the people who brought about these regimens did not understand the difference between privacy and security of the transaction.
Securing the transaction is a three part process of Identification, Authentication and Authorisation. You cannot have authentication without identification and you can’t have authorisation without authentication. Privacy regimens make Identification difficult, and Authentication nearly impossible.
In the UK, they want to create one trusted system to provide the identification in a new national Identification Card. This sounds good, but it will not work. This approach creates one point of failure that does not provide any alternative and independent methods of authentication. Once an offender has compromised or tricked the system, it will no longer be trustworthy, yet no alternative will exist to protect the transaction. This is an Identity based system not an Authentication based system. In this system, once you establish your identity no authentication is required.
It seems to me that the privacy advocates are jockeying for a position as privacy guardians who will produce your identity and eliminate the “need” for authentication. Am I the only one who sees the dangers of this?
As an Investigator, I try to find corroborating evidence and fact check everything possible, especially the identity of the people involved. How will I legally do that as this oppressive culture of privacy becomes entrenched? How will businesses conduct transactions when they are prevented from properly authenticating the identity of their customers?
The January 2008 issue of Popular Mechanics magazine has an excellent article titled Surveillance Society: New High-Tech Cameras Are Watching You. This article outlines some of the new video surveillance technologies and how they are used.
In a letter to Ask.com, EPIC and several other privacy organizations have asked CEO Jim Lazone to change AskEraser, a new search tool that the company says “will offer its searchers unmatched control over their privacy.” After a study of the search product, EPIC found that Ask Eraser (1) requires an opt-out cookie, (2) creates a quasi-unique identifier, and (3) will be disabled without notice. All three attributes create substantial privacy risks for Internet users.
Apart from the cookie issues the following is quite disturbing when you read the ask.com news release describing AskEraser and the following in the EPIC letter:
Ask inserts the exact time that the user enables AskEraser and stores it in the cookie, which makes identifying the computer easier. The letter recommends using a session cookie that expires once the search result is returned.
Ask’s Frequently Asked Questions for the feature notes that there may be circumstances when Ask is required to comply with a court order and if asked to, it will retain the consumer’s search data even if AskEraser appears to be turned on. Ask does not notify searchers when the feature has been disabled and misleads them into believing their searches aren’t being tracked when they actually are, the EPIC letter said.
OAKLAND, Calif., Dec. 10 —Will privacy sell? Ask.com is betting it will. The fourth-largest search engine company will begin a service today called AskEraser,which allows users to make their searches more private. Ask.com and other major search engines like Google, Yahoo and Microsoft typically keep track of search terms typed by users and link them to a computer’s Internet address, and sometimes to the user. However, when AskEraser is turned on, Ask.com discards all that information, the company said.”
Rapid7 announced that an attacker with a directional antenna and a laptop can eavesdrop on wireless keyboards manufactured by Microsoft, Logitech, and other vendors, capturing every keystroke from a distance of over 30 feet away. This leaves corporate networks open to illicit intrusion and data theft that will probably look like a data breach originating from within the company.
For a look at the hacker will get, go to this interesting presentation.
Would this be Reckless Personal Information Handling if this vulnerability was exploited at your company?