Microsoft Report Challenges Conventional Wisdom on Cybercrime Losses

It's a pretty technical read, but this recent Microsoft report, "Sex, Lies and Cyber-crime Surveys" by Dinei Florencio and Cormac Herley tries to support an interesting hypothesis:  cyber-crime surveys that suggest huge losses from hacking and phishing aren't reliable.  Here's an excerpt of their thinking:

First, [cyber-crime] losses are extremely concentrated, so that representative sampling of the population does not give representative sampling of the losses. Second, losses are based on unverified self-reported numbers. Not only is it possible for a single outlier to distort the result, we find evidence that most surveys are dominated by a minority of responses in the upper tail (i.e., a majority of the estimate is coming from as few as one or two responses). Finally, the fact that losses are confined to a small segment of the population magnifies the difficulties of refusal rate and small sample sizes. Far from being broadly-based estimates of losses across the population, the cyber-crime estimates that we have appear to be largely the answers of a handful of people extrapolated to the whole population. A single individual who claims $50,000 losses, in an N = 1000 person survey, is all it takes to generate a $10 billion loss over the population. One unverified claim of $7,500 in phishing losses translates into $1.5 billion.
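The excerpt's arithmetic, worked through as an added example (this is not code from the Florencio and Herley paper or from this post): a constructed 1,000-response sample with a single $50,000 claim is scaled up to a population of 200 million, a size assumed here only because it reproduces the excerpt's $10 billion and $1.5 billion figures. The functions also report how much of the estimate rests on the top one or two responses and how far it moves when any single response is discarded.

```python
"""Sensitivity of a survey-based loss estimate to one or two responses.

Constructed data: 1000 respondents, 999 reporting $0 and one reporting
$50,000, as in the excerpt. POPULATION is an assumption (not stated on the
page), chosen because $50,000 / 1000 * 200M reproduces the quoted $10 billion.
"""
from statistics import mean

POPULATION = 200_000_000  # assumed population the survey mean is scaled up to


def constructed_sample(n=1000, *outliers):
    """n responses: zeros plus the given large claims (constructed, not real data)."""
    return [0.0] * (n - len(outliers)) + [float(x) for x in outliers]


def extrapolate_total(responses, population=POPULATION):
    """Naive estimate used by many surveys: mean reported loss times population size."""
    if not responses:
        raise ValueError("need at least one response")
    return mean(responses) * population


def top_k_share(responses, k=1):
    """Fraction of the total reported loss that comes from the k largest responses."""
    total = sum(responses)
    if total == 0:
        return 0.0
    return sum(sorted(responses, reverse=True)[:k]) / total


def leave_one_out_range(responses, population=POPULATION):
    """Lowest and highest estimate reachable by discarding any single response.

    A wide range means the headline number rests on one respondent's unverified claim.
    """
    total, n = sum(responses), len(responses)
    if n < 2:
        raise ValueError("need at least two responses")
    estimates = [(total - r) / (n - 1) * population for r in responses]
    return min(estimates), max(estimates)


if __name__ == "__main__":
    for sample in (constructed_sample(1000, 50_000),
                   constructed_sample(1000, 7_500),
                   constructed_sample(1000, 50_000, 7_500)):
        low, high = leave_one_out_range(sample)
        print(f"estimate ${extrapolate_total(sample):,.0f}; "
              f"top-2 share {top_k_share(sample, 2):.0%}; "
              f"drop one response -> ${low:,.0f} .. ${high:,.0f}")
```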

Mozilla and Google Announce "Do Not Track" Browser Features

By Katie Perry

Earlier this week, both Mozilla and Google announced new browser features aimed at giving users greater control over how their personal data is collected online. Microsoft announced a similar initiative in December. 


The introduction of browser “Do Not Track” features follows the Federal Trade Commission’s preliminary staff report, “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers,” which supports a “universal consumer choice mechanism for online behavioral advertising.” In its report, the FTC noted that “[t]he most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumer’s browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements.”  We discussed the FTC's proposal in an entry last month.


The recent announcements by Mozilla, Google and Microsoft signal the beginning of a larger trend towards the voluntary implementation of “Do Not Track” mechanisms, as companies try to preempt the legislative and regulatory efforts likely to flow from the FTC’s proposed framework.

As for the specifics of these "Do Not Track" browsers, Mozilla’s proposed feature would allow a Firefox user to select a browser setting resulting in the transmission of a “Do Not Track HTTP header” that alerts websites of the user’s desire to opt out of third-party tracking for behavioral advertising “with every click or page view.” Mozilla’s mechanism relies on the cooperation of third-party tracking companies, however, as the transmission of the HTTP header does not force an opt-out or require that websites comply.
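What that cooperation looks like on the receiving end, as an added example that is not Mozilla's or any website's code: a server-side handler that reads the request headers and sets a behavioural-advertising cookie only when the header is absent. It assumes the header is named "DNT" with the value "1" meaning "do not track" (the form Firefox's feature shipped with); the cookie name is hypothetical.

```python
"""Honouring the Do Not Track request header on the server side.

Added example, not Mozilla's or any website's code. Assumes the header is
"DNT" with value "1" meaning "do not track". The header is only a signal:
nothing enforces it, so the site itself has to decide to act on it.
"""
import secrets
from http.cookies import SimpleCookie

TRACKING_COOKIE = "ad_uid"  # hypothetical behavioural-advertising identifier
ONE_YEAR = 365 * 24 * 3600


def header(headers, name):
    """Case-insensitive lookup of a request header; None if absent."""
    wanted = name.lower()
    return next((v for k, v in headers.items() if k.lower() == wanted), None)


def wants_no_tracking(headers):
    """True only when the request carries DNT: 1 (surrounding whitespace ignored)."""
    value = header(headers, "DNT")
    return value is not None and value.strip() == "1"


def response_headers_for(request_headers):
    """Return response headers, setting the tracking cookie only when allowed.

    With DNT: 1 the cookie is neither set nor refreshed, and an existing one is
    expired so the browser stops sending the identifier on later requests.
    """
    response = {"Content-Type": "text/html; charset=utf-8"}
    jar = SimpleCookie(header(request_headers, "Cookie") or "")
    current = jar[TRACKING_COOKIE].value if TRACKING_COOKIE in jar else None
    if wants_no_tracking(request_headers):
        if current is not None:
            response["Set-Cookie"] = f"{TRACKING_COOKIE}=; Max-Age=0; Path=/"
        return response
    uid = current or secrets.token_hex(8)  # keep the existing id, else mint one
    response["Set-Cookie"] = f"{TRACKING_COOKIE}={uid}; Max-Age={ONE_YEAR}; Path=/"
    return response


if __name__ == "__main__":
    # Constructed requests: one opted out, one not.
    print(response_headers_for({"DNT": "1", "Cookie": "ad_uid=deadbeef"}))
    print(response_headers_for({"User-Agent": "example"}))
```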


While the Firefox “Do Not Track HTTP header” is still in the works, Google already has a plug-in called “Keep My Opt-Outs” available for its Chrome browser. “Keep My Opt-Outs” allows users to permanently opt out of online tracking, rather than relying on cookies to save their opt-out settings. The plug-in will only block tracking from companies that already offer self-regulated opt-out services, however. According to Google, more than 50 companies offer opt-outs, including the top 15 largest ad networks in the U.S.

Unlike Mozilla and Google, Microsoft has taken a user-generated approach to its “Do Not Track” mechanism, called “Tracking Protection.” The feature, to be included in Internet Explorer 9, would enable users to limit third-party tracking through the use of tracking protection lists identifying which websites they do not want to share information with. By default, the tracking protection lists will be empty, but consumers can create their own lists or add lists created by others, including consumer advocacy groups. Once a user subscribes, the tracking protection list will be automatically updated whenever the creator makes changes.

Tracking Protection to be Included in Internet Explorer 9: Is This the Tipping Point?

Microsoft announced yesterday in its IE blog that it will be adding a tracking protection feature to Internet Explorer 9.  In particular, Microsoft promises that:

  1. IE9 will offer consumers a new opt-in mechanism (“Tracking Protection”) to identify and block many forms of undesired tracking.
  2. “Tracking Protection Lists” will enable consumers to control what third-party site content can track them when they’re online.

Together with the FTC's jump into the tracking fray last week, have we reached the tipping point on tracking, so that this is the beginning of the end of it?  Or might this be simply another skirmish in the battle between Microsoft and Google (since Google's primary revenue source is online ads)?

Advocacy Groups File FTC Complaint Over Online Consumer Health Sites and Health-Related Marketing

In a complaint filed with the FTC on November 23, four advocacy groups asked for "Investigation, Public Disclosure, Injunction, and Other Relief" against several online health giants, including Google, Microsoft, QualityHealth, WebMD, Yahoo, AOL, HealthCentral, Healthline, and Everyday Health.

The advocacy groups behind this complaint are the Center for Digital Democracy, U.S. PIRG, Consumer Watchdog and World Privacy Forum.  They allege (in 144 pages, complete with web page screen-shots) that:

"Digital marketing raises many distinct consumer protection and privacy issues, including an overall lack of transparency, accountability and personal control, which consumers should have over data collection and the various interactive applications used to track, target, and influence them online (including on mobile devices).  The use of these technologies by pharmaceutical, health product, and medical information providers that directly affect the public health and welfare of consumers requires immediate action."

Any business that has a web presence should read this complaint; it will show you what these (and other) advocacy groups are complaining about.  While I do not expect the FTC to jump into action based on this complaint alone, it would not surprise me to see an increase in the discussion of regulation and enforcement in this patch of cyberspace during 2011. It is only a matter of time until a consumer health web site has a significant data breach.  Traditionally, such breaches bring increased enforcement activity.

The complaint also cites an FTC complaint made in June 2009 against Sears Holding Management concerning that company’s dissemination of "a software application for consumers to download and install onto their computers” that violated the FTC Act.  That FTC complaint alleged that Sears Holding:

"failed to disclose adequately that the software application, when installed, would: monitor nearly all of the Internet behavior that occurs on consumers’ computers, including information exchanged between consumers and websites other than those owned, operated, or affiliated with respondent, information provided in secure sessions when interacting with third-party websites, shopping carts, and online accounts, and headers of web-based email; track certain non-Internet-related activities taking place on those computers; and transmit nearly all of the monitored information (excluding selected categories of filtered information) to respondent’s remote computer servers. These facts would be material to consumers in deciding to install the software. Respondent’s failure to disclose these facts, in light of the representations made, was, and is, a deceptive practice."

Microsoft No Longer Seeking Removal of Cryptome or Leaked Compliance Handbook

Last week, lawyers from Microsoft issued a demand under the Digital Millennium Copyright Act (DMCA) seeking the removal of leaked copies of Microsoft's "Global Criminal Compliance Handbook" that pulled website Cryptome.org from the Internet, at least temporarily.  The DMCA provides copyright owners with the ability to request that internet service providers remove infringing materials from websites.  Microsoft's DMCA demand to Cryptome's service provider, Network Solutions, apparently resulted in removing Cryptome from the Web entirely, until Microsoft attorneys sent an email withdrawing the DMCA takedown demand.

Microsoft made this public statement:

Like all service providers, Microsoft must respond to lawful requests from law enforcement agencies to provide information related to criminal investigations. We take our responsibility to protect our customers' privacy very seriously, so have specific guidelines that we use when responding to law enforcement requests. In this case, we did not ask that this site be taken down, only that Microsoft copyrighted content be removed. We are requesting to have the site restored and are no longer seeking the document’s removal.

Cryptome advertises itself as a site that "welcomes documents for publication that are prohibited by governments worldwide."  The site also promises that "[d]ocuments are removed from this site only by order served directly by a US court having jurisdiction." 

The Microsoft Compliance Handbook, dated March 2008, is a guide for law enforcement officers seeking to investigate users of Microsoft services such as Hotmail email, IM, Windows Live and other services.  The Handbook outlines the data Microsoft keeps with respect to its users and provides law enforcement with instructions on what legal process is necessary for investigators to gain access to specific information.  In the Handbook, Microsoft offers to provide the following information to investigators in response to a subpoena:

Basic subscriber information includ[ing] name, address, length of service (start date), screen names, other email accounts, IP address/IP logs/Usage logs, billing information, content (other than e-mail, such as in Windows Live Spaces and MSN Groups) and e-mail content more than 180 days old . . . .

This provision contrasts with Microsoft's limits on access to other user data, such as recent email,  "e-mail address book, Messenger contact lists, . . . [and] internet usage logs."  According to the Handbook, Microsoft will release this data in response to a search warrant or court order which, unlike a subpoena, must be approved by a judge after the government presents sufficient evidence.

Posts at Cryptome, as well as CNet, Tom's Hardware and The Register, describe the Handbook variously as a "spy guide" and "wiretap guide."  Cooperation with government agencies has been a touchy subject for privacy advocates and service providers in the wake of alleged abuses by some that occurred after the 2001 terrorist attacks.  However, the heart of the controversy generally has been the disclosure of customer information without any legal process or court involvement.  In this case, Microsoft's Handbook merely identifies what data is available in response to formal legal process, such as subpoenas, warrants and court orders.


Incident of the Week: Ever-Growing Breach Involving Passwords for Hotmail, Gmail, Yahoo, AOL, Earthlink and Comcast

What started out as an incident involving the leak of 10,000 user names and passwords for Windows Live Hotmail accounts continues to grow, both in terms of users and companies affected.  According to reports from the beginning of the week, more than 10,000 user names and passwords from Hotmail were posted by an anonymous user on the site pastebin.com.  The list was limited to accounts starting in A and B, leaving the fear that numerous more accounts had been affected.  The original reports speculated that the breach was the result of a hack of Hotmail or a phishing attack.  But more information is surfacing that indicates that the breach is much larger than many first thought.

Subsequent reports have revealed that as many as 20,000 accounts have been compromised across numerous email providers, including Yahoo, AOL, Comcast, Earthlink and others.  These reports noted that the affected companies believed that the breaches occurred because of phishing attacks (although one researcher, Mary Landesman, who works for ScanSafe, has said that "it's more likely that the massive lists . . . were harvested by botnets that infected PCs with keylogging or data stealing Trojan horses").

As more details emerge, it seems that more questions remain to be answered.  Exactly how many passwords have been compromised, and from how many companies?  Was the breach due to a single massive phishing attack, multiple smaller phishing attacks, or some type of malware? Why were lists of affected users posted online?  Whatever the answers, it might be a good idea to take a few minutes to change your email passwords from a computer that has been swept for viruses and malware.


Conficker Worm Still Lurking, Threat Remains

While the media frenzy surrounding the Conficker worm may have died down over the past several months, recent reports suggest that the computer worm is alive and well, and continues to expose PC users worldwide to the risk of identity theft and other mischief. 

Conficker (also known as Downup, Downandup, Conflicker, and Kido), a computer worm that attacks Microsoft Windows operating systems, was pegged by the media to wreak havoc worldwide on April Fool’s Day of this year. In the weeks leading to what some experts dubbed our “digital Pearl Harbor,” numerous reports surfaced documenting the sheer scope of the worm’s reach: in addition to infecting millions of Windows operating systems worldwide, the worm also reportedly infiltrated the French government’s naval systems – forcing the French to ground their warplanes – and the British Parliament’s computer network.

Despite the massive media furor, April Fool’s Day passed with relatively little disruption. However, recent reports suggest that Conficker not only remains active – but that it has begun its bid to steal users’ private and financial information.

In its June, 2009 report, ESET, a security and anti-virus firm, listed Conficker as one of the top malicious threats to PC users, accounting for nearly 10% of all computer infiltrations worldwide in May, 2009. Other security experts have also reported that Conficker continues to infect computers at an alarming rate of up to 50,000 computers daily -- in part due to the worm’s ability to spread across computer networks with alarming efficiency, and to access even out-of-network computers by infecting popular computer-to-computer plug-in peripheral devices (such as USB drives and external hard drives). 

Despite its aggressive success in infecting computers worldwide, however, Conficker’s purpose still remains relatively unclear. Experts warned that, in theory, infected computers would essentially be transformed into “zombie machines” that follow almost limitless commands and download software from remote servers -- whatever those instructions or that software may be, with suspected uses ranging from keystroke logging to spam generation.

Not surprisingly, Conficker’s recent activity confirms that at least one of its purposes is to steal users’ financial information. Beginning in April, 2009, infected computers have begun installing bogus security software (or "scareware") in a bid to defraud users into paying for fake anti-virus programs. The software alerts users that their computers are infected with Conficker -- but unwitting users who agree to pay for the fake anti-virus software not only lose $50 in exchange for more malicious software, but also risk having their financial information stored and stolen, opening a gateway to identity theft.

It is unclear if the worst is over. Conficker remains active, and its “commands” from remote servers can prompt infected computers to download further malicious software compromising users’ security and hijacking their computers in any number of ways. While the "scareware" tactic that Conficker has displayed so far may be transparent to even mildly sophisticated PC users, it should serve as a warning that the worm is actively pursuing users' private and financial information -- and may employ any number of methods to access it.  


Highlights from the IAPP Privacy Summit - March 11-13, 2009 Washington, D.C.

Between March 11, 2009 and March 13, 2009, the International Association of Privacy Professionals (IAPP) hosted a Privacy Summit in Washington, D.C. that featured keynote presentations from fraud expert Frank W. Abagnale and information security guru Bruce Schneier. The three-day event included dozens of breakout sessions with industry experts and government officials.  Read some of the highlights below.

  • Frank W. Abagnale spoke at length about his life, made famous by the Spielberg movie "Catch Me If You Can."  What became clear through his stories was that armed with only an agile mind, Mr. Abagnale was able to compromise a series of security and anti-fraud systems at financial institutions and other businesses.  And today, according to Mr. Abagnale, it is "4000 times easier" because of the leaps made in computer technology.  "Technology breeds crime. It always has. It always will."
  • Bruce Schneier, a luminary in the field of information security, spoke at length about how "data is today's pollution problem" - a problem that requires a new generation of professionals fluent in technology and law to manage a new "data environmentalism." 
  • Peter Cullen, Microsoft's Chief Privacy Strategist and member of the Consumer Privacy Legislative Forum (now called the Business Forum for Consumer Privacy) discussed the CPLF's decision to first generate a set of self-regulatory privacy guidelines before seeking to draft a comprehensive federal privacy standard.  According to Mr. Cullen, businesses "need self-regulation" and to compile what have become best practices before attempting to impose a single federal standard.  "[L]egislation is only part of the puzzle" and "bad legislation [would be] worse than no regulation." 
  • A panel of security experts from (ISC)2, discussed the roles of the Chief Privacy Officer and Chief Information Security Officer during incident management.  The panel also outlined several essential elements of an incident response plan, including: (1) a procedure for ensuring that a breach initiates an incident response team meeting, (2) a procedure to confirm that a breach has occurred, (3) anticipation and preparation of likely scenarios, (4) draft press releases and notifications, and (5) identifying key consultants and vendors used in investigating and resolving incidents.
  • Representatives from Google and Salesforce.com discussed privacy issues raised by cloud computing models that may require different types of end user licenses, policies and agreements.  Key issues include: (1) selecting the cloud model that is appropriate for your needs; (2) data persistence - ensuring that there is an appropriate policy for destruction of data; (3) data centralization and security - the more data served by a single service, the more of a target it will become for those seeking unauthorized access; (4) data use - centralizing data gives the cloud provider the ability to provide additional services, but what limits should apply to the service provider's use of that data?
  • A legislative update - the consensus is that consumer protection is one of Congress' top priorities and that Congress may be moving towards authorizing the FTC to regulate information security more broadly.
  • Jeffrey M. Kopchick, Senior Policy Analyst for the FDIC, reported that federal agencies involved in the development of federal Red Flags Rules were preparing FAQs regarding compliance with those rules that should be published in the near future.   He also indicated that because banks and other financial institutions have been subject to those rules since November 1, 2008 (unlike many other companies, who will see the rules go into effect on May 1, 2009), a number of common problems have been observed by FDIC examiners: (1) confusion in identifying what accounts give rise to the risk of identity theft; (2) insufficient oversight of third party service providers; and (3) lack of internal training to teach staff how to recognize red flags and mitigate the harm from identity theft.
  • Joel Winston, Associate Director of the FTC's Division of Privacy and Identity Protection, updated members on recent trends in FTC enforcement.  He indicated that the FTC intends to harmonize rulemaking on information security under a single federal standard evident in the recent Red Flags Rules: requiring businesses to adopt "reasonable and appropriate procedures." Given the speed of innovation, the FTC believes that requiring "reasonable" protections is the only manner for regulation to keep pace with technology.  The FTC has considered and rejected suggestions that it impose specific security tools on businesses, as some states (including Massachusetts) have done.  "Technology is too fluid."  For example, "encryption may not always be the perfect solution - there could be good alternatives."  The FTC appears to be unwilling to extend the May 1, 2009 deadline for enforcement of the Red Flags Rules and will be expecting businesses to demonstrate good faith efforts to comply with the regulations.
