Wednesday 29 January 2014

Who's Responsible For Your Privacy? Big Companies (And You)

online privacy
While companies can do better about how they protect user privacy, the fact is, we have to take control of our own privacy.
Privacy used to be a fringe conversation, something people thought about only when Facebook or Google rolled out a "new" feature, or when targeted advertising got a little too stalkerish. After almost seven months of reports about various programs run by the National Security Agency and other government agencies, even the average user is beginning to think about what is public and what should stay private.

Consumers generally view online privacy as a "shared responsibility," but it ultimately begins with the user, Brendon Lynch, Microsoft's chief privacy officer, told Security Watch. In a survey of "tech-savvy" consumers in the United States, Belgium, France, Germany, and the United Kingdom, respondents said they want transparency about exactly what kind of data is being collected, how their data is being used, and who it is being shared with.
Murky Privacy Policies
Even so, only 22 percent of survey respondents on both sides of the Atlantic said they actually read the privacy policies in full before accepting them. This likely has more to do with the fact that privacy policies are difficult to read and very confusing to begin with, Lynch said. If the policies become simpler, people will know up front what they are agreeing to and would be able to make better decisions.
This sentiment was echoed during a "Data Privacy Day" panel at Open Trust Alliance's town hall event in New York City today. Sal Tripi, the chief privacy officer of Publishers Clearing House described how the company shrunk its privacy policy so that users could understand right away what was being collected and how it was being used. Users want to know what is happening with their data, but get lost when the language is vague and the information is spread out across multiple policies, he said.
Privacy as a Feature
Users are looking at companies for "technological innovation," and care less about detailed transparency reports, Lynch said. Customers expect strong privacy protections to be built into technology. They also want privacy controls that lets them manage their preferences, Privacy now needs to be a feature, Lynch said.
Companies need to start thinking about the "responsible" way to use data, as opposed to just depending on users to communicate their preferences.
This is particularly important with the prospect of wearable computing and Internet of Things, as there may be times when it wouldn't be realistic to ask for user consent. Certain devices will always be personal, such as wearables, and insisting users have to opt out of data collection just doesn't make sense.
At the OTA town hall event there was also some discussion of how users need to take advantage of the tools that are already available to them, such as turning on "Incognito" browsing on Android or selecting "Do Not Track" on iOS devices. Users concerned about location tracking need to turn off GPS or Wi-Fi networking when not in use. They can also look at app permissions and not install apps that ask for access to location data with no real reason, said Mark Goldstein, a strategic advisor for OTA.
There is a long way to go before we can say we have full control of our privacy online, but there are some things we can do, and companies are beginning to take user concerns seriously. It's a good start.

Why are so many kids still not receiving computer science education?

. The city of Chicago, Illinois recently announced a change to the curriculum for schools in their district that would introduce children as young as primary school to computer science concepts. It would also allow students to count computer science as a core subject that fulfills graduation requirements, rather than simply be an elective.
This sounds like a big step in the right direction, preparing students to deal with an important aspect of twenty-first century life. But what does the boost for computer science, often affectionately abbreviated to comp-sci, mean in the grand scheme of things?

Why does K-12 comp-sci matter?

For those of us who have been out of high school for more than a few years, this announcement from Chicago might come as a surprise. Aren’t all kids getting computer science classes already? You would think so, with so many of us adults already using computers in our jobs, regardless of our job title. And how many more of us are required to have some level of proficiency with technology, no matter what field we work in? Yet, schools are just now starting to introduce computer related curricula?
The percentage of people needing to use computers proficiently seems to be rapidly approaching 100%, at least for skilled jobs in the US. And in terms of job security and satisfaction, technical jobs have much to offer. In lists of the best, the most lucrative and most in-demand jobs, those positions utilizing computer experts are always in the top five. The demand for people who know how to program or maintain computers and networks–especially those who know how to do these things securely–vastly outpaces the supply. (See the We Live Security story on Huge shortage of cyber-defenders.)
Given that there is a massive need for people to take jobs that require computer skills, one might think that getting kids interested in computers would be considered something of the utmost importance. But apparently this is not yet the case. As far as we can tell, in most states in the US, if computer science is offered at all, it is considered an elective subject, which means it does not count towards a student’s graduation requirements. Many students do not have room in their schedule to include electives, and indeed they have to go out of their way to get exposure to those subjects not considered part of their core curriculum.
While Chicago is to be lauded for its recent changes, it is still just one of only a handful of locales in the US that allows computer science to be counted towards high school graduation requirements. With the changes proposed in Chicago, students at all levels of the primary and secondary systems will have more access to computer-related classes. At the elementary and middle school level, students will have access to a computer science “pathway”, which will allow them to get an additional focus on that subject. At the high school level, there will be an “Exploring Computer Science” class at each school, and certain schools will also offer an Advanced Placement (AP) Computer Science Class, in addition to the ability to use computer science classes towards graduation.

What is happening elsewhere?

Every country seems to have a slightly different focus in their educational system, and this is apparent not only by viewing what is considered a “core subject”, but by looking at what elective classes are actually chosen by students. There are a few subjects that are internationally considered required subjects: Reading, Math, and Science. (N.B. In this context Science includes only traditional sciences, not computer science). Beyond this, each country adds other subjects that they consider to be exceptionally important.
To get an idea of the differences in culture, let’s look at a couple of very dissimilar examples, both of which are considered very successful in terms of their test results for those universal “core subjects”. In Finland, which is generally the country in Europe whose scores in Reading, Math and Science are consistently highest, there is less focus on taking standardized tests or doing hours’ worth of homework. Students are strongly encouraged to take multiple languages aside from their native one, and being strong in natural languages seems to be a primary focus for their educational system.
In Korea, another very highly-rated country, things are very different. Students typically go to school for incredibly long hours and have homework on top of that. The curriculum is not so strongly focused on any one area of education, though students are expected to learn both Korean and English. In both Korean and Finland, like in the US, computer science is considered an elective. But in practice, Korean students get much more exposure to computer-related topics, in part because those long days give them more time to get exposure to a wider variety of subjects.
Another important difference in the culture of schools in Finland as opposed to Korea is that there is much more focus on digital literacy and ethics in the latter, and by 2015 all textbooks in Korea are expected to be digital. This is a long way from either country considering computer science a required science subject, but it does at least expose Korean students to computers as a powerful tool, and they are indeed taught about using that tool ethically.
But digital literacy is not the same as understanding how computers actually work. There is a range of different types of classes covering computer related subjects that begins at “digital literacy”, includes “information and communication technology” and ends with true “computer science”. Most countries do not cover computer science in this latter sense, but cover something much more simplistic. A class or standardized test in “computer science” in many countries may cover no more than basic Java programming or familiarity with office productivity suites. For those of us in a computer-related field, this definition is laughably inadequate. This paper written by Simon Peyton Jones from Microsoft Research, in conjunction with several international educators, offers a very thorough breakdown of what computer science actually entails in various countries.
The current situation can be, frankly, a little depressing. Very few places offer in-depth computer education to students before college, those that do may employ teachers that arguably have less experience in the subject than the average student. As a result the classes have little utility and are often declining in popularity. But fortunately, there are things that you and I can do to help this situation, to ensure that our future coworkers are better prepared.

What can we do about it?

The things that you and I can do about the current state of computer related education can be broken down into two areas: Encouraging change in policy, and helping expose students to computers and code. Here are a few suggestions for how you can get involved:
There are also plenty of organizations on a local level that offer mentorship opportunities, which are a great way to expose kids to careers in Science and Technology (especially those of us in less obvious or traditional areas of computer-related employment). For instance:
Kids are now growing up in a world where computers are a part of almost every home, which means many of them are accessing the Internet without a good understanding of how it works, or how to use it safely. By educating them early and often on how best to use these powerful tools, we will not only help protect them from potential harm, but give them the promise of lucrative and meaningful employment when they reach adulthood.

German security agency warns bot ‘army’ has harvested 18 million emails and passwords

Scans of a huge botnet have revealed that it has harvested at least 16 million usernames and passwords for email sites and other online services, according to a report released German security agency, the Bundesamt für Sicherheit in der Informationstechnik (BSI).
The agency has not revealed what malware is behind the attack, which is also sending spam from the infected computers, according to The Register’s report. It’s also not clear what the email-password combinations provide access to.
Tim Griese, a spokesman for BSI, said that although around half of those affected are German email addresses (ie from the German .de domain, there are .com addresses on the list, acccording to PC World‘s report.
Griese said, ““We can’t tell more about the background,” while the investigation was ongoing, and this was also the reason that the BSI had not released details on which botnet was involved, or the which malware was behind the attack.
The BSI’s FAQ says that users who are affected should check their computer, and other computers in the home for malware, and that, “ Users should change all passwords they use to log on to social networking sites , online shops , e- mail accounts and other online services.”
According to The Inquirer’s report, a website (German-language only at present), allows users to check whether their email is among the list of victims.
Pasting an address into a box on the site results in the BSI sending victims an email with a code displayed on screen – a move which should prevent the cybercriminals sending fake emails masquerading as the BSI.  “This reply e-mail also contains recommendations on necessary protective measures,” the agency said.
Under German law, it is illegal for the government to contact users directly, even in cases such as this, according to PC World’s report.
ESET Senior Research Fellow David Harley says:“Where your login credentials have been revealed, it’s obviously a good idea to change your password. However, an attacker is likely to assume that you use the same credentials on other sites, and he may try them on other sites of interest to him. (Of course, they may not be sites of interest to you.) So it’s a good idea (if an irksome task) to change your password on other sites that do use the same credentials.”

FBI makes arrests in global email-hacking ring

The FBI has announced several arrests in a worldwide coordinated effort to break up a gang of email ‘hackers for hire’. Two men were arrested in Arkansas: Mark Anthony Townsend, 45, from Cedarville, and Joshua Alan Tabor, 29, from Prairie Grove.
Townsend and Tabor had been running the ‘needapassword.com’ website, which advertised their ability to illegally obtain passwords to email accounts. Nearly 6,000 people’s accounts had been affected by the site, according to the FBI. Three further arrests were made for hiring hackers: John Ross Jesensky, 30, from Northridge, California; Laith Nona, 31, from Troy, Michigan, and Arthur Drake, 55, from New York. Jesensky had paid $21,675 to a Chinese website in return for email passwords.
Overseas agencies made further arrests, in an operation controlled by the FBI. In China, police arrested the owner of ‘hiretohack.net’, Ying Liu. Liu had been responsible for stealing 300 passwords between January 2012 and March 2013. In India, Amrit Tiwari, 32, was arrested for carrying out email password hacks on behalf of ‘www.hirehacker.net’ and ‘www.anonymiti.com’. Four arrests were also made in Romania by the Directorate for Combating Organised Crime, connected to six further email hacking sites which had been linked to breaches of 1,600 email accounts.
According to ZDnet.com, prosecutors in the US have filed four separate cases against the five US-based defendants. Townsend and Tabor are charged with a felony violation, and could face up to five years in prison if convicted. All five are expected to plead guilty.
Customers of the websites involved would submit email addresses they wanted hacked, and make deposits via Paypal to the hackers once the passwords had been obtained. Those who paid hackers for their services are charged with misdemeanour offences, and face maximum sentences of 12 months in prison.
No details have been released by the FBI concerning the methods used by the hackers to break into email accounts, but Mother Jones reports that the schemes used spear-phishing attacks to trick owners into providing access to their email accounts. Townsend and Tabor advertised their site as a service to find out if your spouse was cheating. Yahoo and Gmail accounts were both hacked, and one bank account associated with the site had reportedly received approximately $150,000 in eighteen months.

Signature and encryption-based defences will not keep hackers out of your data reserves

Security padlock image
Businesses are leaving their data open to abuse by believing traditional outdated security practices will protect them against hostile hackers, according to security firm FireEye.
FireEye's European director of systems engineering Yogi Chandiramani told V3 that traditional defences are no longer able to deal with the advanced cyber threats businesses now face.
"The first problem is all today's advanced threats and malware are capable of bypassing traditional tools, ones that are filtering or signature based. At a basic level this is because the hackers know them, they've been around so long the attackers know how they work," said Chandiramani.
"Already we're seeing a high number of zero-day exploit attacks using new ways to bypass controls. In 2013 alone we saw 12 new techniques capable of bypassing traditional defences and we expect to see more this year."
The FireEye security expert added that even robust security measures, such as encrypting stored data are not capable of dealing with the new techniques.
"Once the user's machine is compromised, when they've gotten into the workstation, they can get most things, even encrypted data. This is because the encryption keys are on the machine," said Chandiramani.
Chandiramani added that the techniques are being increasingly used by hackers to mine company data. "Today we are tracking 160 advanced persistent threat (APT) campaigns across the world, each of which is mounting attacks designed to target specific types of information in various types of organisation," he said.
The attacks are capable of mining data from a variety of sources and it makes little difference whether this is stored in the cloud or on premise. "Attackers have been very successful as the internet is a great platform through which they can mount sophisticated attacks," he said.
"But despite this the human factor is still the biggest source of compromise. Today we're so connected, a basic breach via a malicious weblink or something equally simple can snowball. Companies all work with each other, it's the nature of business, so once an attacker gets into one company they can use it as a stepping stone to another."
Chandiramani said businesses will need to adopt intelligence-based defence strategies to deal with the new wave of threats that could compromise their stored data. "The key thing is to get tech that can detect incoming threats. It takes three minutes to compromise a network and months to clean it up," said Chandiramani.
"It's also about threat intelligence, seeing the threats before they hit, knowing which ones are likely to target you. Finally, it's about having the right people in the organisation, who are able to create and instigate a plan of action about what to do when the company is attacked."
FireEye is one of many companies reporting a marked increase in the number of data-mining attacks targeting business. Russian security firm Kaspersky reported uncovering a new version of the Java-focused Icefog campaign targeting a "major US oil company" earlier in January.

Federal Government of Nigeria:"Cyber Crime Bill Seeks Powers to Intercept SMS, Emails"

The Federal Government has initiated a draft law that empowers security agents to intercept and record
electronic communications between individuals, and seize usage data from internet service providers and mobile networks.

If the Cybercrime Bill is enacted into law, authorities can intercept and record personal emails, text messages, instant messages, voice mails and multimedia messages, in order to facilitate a criminal investigation.

These are contained in the details of the bill that President Goodluck Jonathan submitted to the National Assembly last week, a copy of which was obtained by Nigeria Newsday.
The bill empowers security agencies to ask telecommunication companies to conduct surveillance on individuals, and release user data to authorities.

A warrant would not be required in cases of "verifiable urgency" to intercept and record electronic communications under the new bill.

But where there is no urgency, an ex parte order of a court is needed before a law enforcement officer conducts a cybercrime investigation.

Under a subheading titled 'Interception of electronic communications,' section 22 of the bill says, "Where there are reasonable grounds to suspect that the content of any electronic communication is reasonably required for the purposes of a criminal investigation or proceedings, a judge may on the basis of information on oath:

"(a) order a service provider, through the application of technical means to collect, record, permit or assist competent authorities with the collection or recording of content data associated with specified communications transmitted by means of a computer system; or

"(b) authorise a law enforcement officer to collect or record such data through application of technical means."

The bill defines "electronic communication" that could be intercepted to include "communication in electronic format, instant messages, short message service (SMS), e-mail, video, voice mails, multimedia message service (MMS), fax and pager."

Instant messaging is a type of chat which offers real-time text, video and audio transmission over the Internet. It includes Blackberry Messenger, WhatsApp, WeChat, Google Hangout, Yahoo Messenger, Facebook Messenger, 2go and others.

Based on the bill, "interception" includes "listening to or recording of communication data of a computer or acquiring the substance, meaning or purport of such and any acts capable of blocking or preventing any of these functions."

Section 21 of the bill also states that security agencies can order internet service providers or telecom companies to "preserve, hold or retain any traffic data, subscriber information or related content."

Where a service provider refuses to release its subscriber data requested by the security agencies, the firm is liable to N10million fine, while each of its directors, managers or officers shall be liable for three years jail term, N7 million fine or both.

The Federal Government's bill is coming nearly a year after an Israeli company, Elbit Systems, announced that it won a Nigerian government's $40 million internet monitoring contract.

Other areas covered by the bill include transmitting false electronic messages, child pornography, paedophilia and cyber-terrorism.

Section 15 (1) provides for a jail term of not less than one year or a fine of N2 million for "any person who, by means of a public electronic communications network persistently sends a message or other matter that (a) is grossly offensive or of an indecent, obscene or menacing character or causes any such message or matter to be so sent; or (b) he knows to be false, the purpose of causing annoyance, inconvenience or needless anxiety to another or cause."

Also, the bill prescribes death sentence to a person who commits crime against Critical National Information Infrastructure, which is defined as "certain computer systems, networks and information infrastructure vital to the national security of Nigeria or the economy and social well-being of its citizens."

However, if the offence does not result in death but leads to "grievous bodily injury," the offender shall be liable to imprisonment for a minimum term of 15 years.

A life imprisonment also awaits "any person that accesses or causes to be accessed any computer or computer system or network for purposes of terrorism." The bill says "terrorism" shall have the same meaning under Terrorism (Prevention) Act, 2011, as amended.

The bill imposes at least a 10-year jail term or N20 million fine for any person convicted for producing and distributing child pornography.

It specifies 10 years in jail, N15million fine or both for paedophiles.