
Security

November 5, 2009 9:44 AM PST

Google privacy controls: Most people won't care

by Matt Asay
  • 21 comments

Google's biggest threat is no longer Microsoft. It is itself.

As the company harvests copious quantities of personal data, it becomes dramatically better at serving customer needs...

...and at freaking them out over privacy concerns.

In other words, Google gets stronger with every Google Doc created, every Google Voice call dialed, and every Gmail e-mail sent. It becomes stronger because data is the heart of the Web's biggest businesses, as Redmonk analyst Stephen O'Grady implies.

But in so doing Google also becomes more threatening to the very consumers it is trying to serve.

Google Dashboard is meant to change this by putting consumer data back in the hands of consumers. It's a move that follows on Google's earlier pledge to "open data" and its Data Liberation Front.

Yes, but will he give me better search?

(Credit: U.S. Army)

As CNET reports, Dashboard lets people review the personal data Google has stored for them, delete it, and alter future collection policies. It's a great way for Google to mollify concerned users, putting control back in their hands.

Still, it's almost certainly never going to be used by the vast majority of Google users. Ever.

Why? Because for all our hand-wringing over privacy--and for good reason--the reality is that most of us, most of the time, really don't care. Or, rather, if accessing useful services or getting work done more efficiently requires some privacy concessions, we gladly concede.

It's not that we don't value our privacy. It's just that in many contexts, we value other things as much or more. We weigh the risks versus the benefits, and often the benefits trump the privacy risks.

It's the same thing with file formats. For years we've been agonizing over Microsoft's lock-in of customers through proprietary file formats (.pst, .doc, etc.). Now Microsoft is opening up the specifications for file formats like .pst (Outlook file format), and yet it will almost certainly change little to nothing in what products most people use most of the time.

People don't use Microsoft Office because they're forced to. They do so because it's convenient. (Yes, an argument can be made that it's convenient because Microsoft has forced network effects through lock-in.)

This, incidentally, is exactly the reason that Wednesday night I declared a ban on Microsoft Office in our family in favor of Google Docs--and didn't opt for OpenOffice (which we also use). I got sick of having to recover documents and perform other IT tasks related to a locally installed office suite, open source or proprietary. And I find it easier to let Google handle the back-end IT operations.

I wasn't trying to evade lock-in. I was trying to increase personal happiness.

Am I concerned about Google snooping on the documents we write and store in Google Docs? Let's just say I worry more about my time fixing Office than whether Google gleans any information from my 12-year old's seventh-grade essay.

Dashboard leaves Google in the prime position of being able to honestly say that it doesn't control user data, while still delivering increasingly beneficial services based on that data. It will not change the way that the vast majority of consumers use Google, but it just might change the way they think about Google.

A very smart move by Google, one that all data-driven businesses should emulate.


Follow me on Twitter @mjasay.

Originally posted at The Open Road
Matt Asay brings a decade of in-the-trenches open-source business and legal experience to The Open Road, with an emphasis on emerging open-source business strategies and opportunities. Matt is vice president of business development at Alfresco, a company that develops open-source software for content management. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure. You can follow Matt on Twitter @mjasay.
October 12, 2009 7:22 AM PDT

IBM privacy chief: Asia need not mimic Europe

by Vivian Yeo
  • Post a comment

Harriet Pearson, chief privacy officer, IBM

(Credit: IBM)

Harriet Pearson once joined a petition signed by Facebook users, urging the social-networking site to do more in terms of privacy.

But the privacy expert considers herself a moderate when it comes to protecting her personal information.

Pearson, IBM's chief privacy officer for the past nine years and also its security counsel since last year, says each person needs a mental model to assess the benefits or risks associated with providing personal data. In the same way, she said, governments ought to be thoughtful when drafting policies and laws on data protection.

In town recently for Singapore's annual GovernmentWare conference, Pearson sat down with ZDNet Asia to discuss data protection legislation, the need for a balanced view regarding data breach notification, and why Asian regulators should not "photocopy" European law books.

Read more of "Asia's lawmakers need not copy Europe" at ZDNet Asia.

September 24, 2009 7:18 AM PDT

Survey: Half of businesses don't secure personal data

by Lance Whitney
  • 18 comments

The personal information you give to businesses may not be as secure as you hope, according to a new survey.

Around 55 percent of all businesses acknowledge that they secure credit card information but not Social Security numbers, bank account details, and other personal data, according to a survey of more than 500 companies released Wednesday by Imperva and Ponemon Institute.

The survey was conducted to determine how many companies are complying with PCI DSS, the Payment Card Industry's Data Security Standard. PCI DSS tries to ensure that businesses take specific measures to secure their Web sites, databases, and other systems that process and store credit card information.

Of the companies surveyed, 71 percent acknowledged not making data security a top initiative, despite the fact that 79 percent of them said they've been hit by one or more data breaches. In fact, Ponemon and Imperva noted that since the PCI DSS standard was enacted in 2005, the number of breaches and cases of credit card fraud has actually risen.

(Credit: Imperva)

Cost and lack of resources were the biggest factors cited for not focusing on PCI DSS compliance. For those reasons, larger firms fared better than smaller ones. Only 28 percent of businesses with 501 to 1,000 employees were compliant as opposed to 70 percent of companies with 75,000 or more employees.

"Companies devote 35 percent of their IT security budgets to PCI compliance on average, making cost a significant obstacle, especially for smaller companies," Amichai Shulman, Imperva's chief technology officer, said in a statement. "This is why Imperva is recommending that the PCI DSS Council modify the requirements for larger and smaller companies to take into account different environments and security needs."

Another problem stems from the priorities of the organization itself. Of those questioned, 55 percent didn't feel their CEO strongly supports PCI DSS compliance, while 52 percent said their company is not proactive in managing privacy or security risks.

On the positive side, PCI DSS compliance has found a certain measure of success. Around 75 percent of those surveyed said their company has achieved some level of compliance, with 28 percent compliant for most of their applications and databases and 25 percent compliant for some apps and databases. Only 22 percent reported being fully compliant.

(Credit: Imperva)

Conducted by Ponemon and sponsored by Imperva, the survey questioned 517 U.S. and multinational IT security professionals who work on PCI compliance efforts for their companies.

Over the past few years, data breaches at large organizations such as T.J. Maxx and Marshalls parent company TJX and Maine-based Hannaford Supermarkets have highlighted the need for better security for credit card and customer records.

September 21, 2009 4:00 AM PDT

Reducing threats for Net-linked security cameras, ATMs

by Elinor Mills
  • 4 comments

ICSA Labs, which sets standards for commercial security products, plans to announce on Monday a new program for helping corporations protect themselves from attacks and snooping via Internet-connected devices such as printers, copiers, ATMs, and security cameras.

Under the ICSA Labs Network Attached Peripheral Security Certification and Assessment program, experts will evaluate devices used in corporations and work with vendors to help them understand the inherent security risks to Internet-connected devices, said George Japak, managing director of ICSA Labs, which is an independent division of Verizon Business.

The devices targeted are not those that are part of the computing network infrastructure, like desktops, servers, and routers.

"There is a lot of functionality on those devices being centrally managed and controlled via an Internet connection, and those Internet connections can be compromised," he said. "These unsecured devices are as much of a risk as an unsecured server sitting out on your network."

Remote attackers can exploit weaknesses in software to remotely steal data that sits on the devices, such as sensitive documents that someone has printed or copied. But the devices can also be used to propagate malware across the network, he said.

Originally posted at InSecurity Complex
August 28, 2009 2:38 PM PDT

Accused mastermind of TJX hack to plead guilty

by Michelle Meyers
  • 7 comments

Albert Gonzalez, the alleged ringleader of one of the largest known identity theft cases in U.S. history, has agreed to plead guilty to all 19 counts of related charges against him, according to court documents filed Friday.

Gonzalez, 28, of Miami, was accused in August 2008 of helping steal millions of credit card and debit card numbers from major U.S. retail chains. Among the retailers hacked were TJX Companies (owner of T.J. Maxx), BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever21, and DSW.

Under the plea agreement filed with the U.S. Attorneys Office in Boston, Gonzalez would serve a sentence of 15 to 25 years after pleading guilty by September 11 to charges of conspiracy, wire fraud, aggravated identity theft, and money laundering (PDF).

Gonzalez, who is already in jail, would also have to forfeit a range of possessions, such as almost $3 million in cash, his Miami condominium, a 2006 BMW, several computers, and three Rolex watches.

The agreement also resolves 2008 charges pending against Gonzalez in federal court in New York for hacking the computer network of Dave & Buster's restaurant chain.

A former federal government informant, Gonzalez was also recently indicted in New Jersey, along with two unnamed Russian men, on charges of hacking into Heartland Payment Systems, as well as systems for 7-Eleven, the Hannaford Brothers supermarket chain, and two unnamed corporate victims. They also allegedly stole data related to more than 130 million credit and debit cards. This is considered to be one of the biggest data breach cases in U.S. history.

Rene Palomino, who is listed as Gonzalez's attorney within Friday's plea agreement, did not immediately return a call seeking comment.

August 24, 2009 10:00 PM PDT

Cisco wireless LANs at risk of attack, 'skyjacking'

by Elinor Mills
  • 7 comments

Cisco Systems wireless local area network equipment used by many corporations around the world is at risk of being used in denial-of-service attacks and data theft, according to a company that offers protection for WLANs.

Researchers at AirMagnet, which makes intrusion-detection systems for WLANs, discovered the vulnerability, which affects all lightweight Cisco wireless access points, as well as the exploit that could be used against networks that have the Over-the-Air-Provisioning (OTAP) feature turned on.

"We found it in our labs," Wade Williamson, director of product management at AirMagnet, said on Monday. "We don't know about it being exploited in the wild."

Basically, the Cisco access points generate an unencrypted multicast data frame that is sent over the air and includes unencrypted data like the MAC address and the IP address of the wireless controller, as well as some configuration options, he said. The controller is used to manage the access points.

With that information, someone listening to the network could easily find the internal addresses of the WLAN controllers in the network and potentially target them with a denial-of-service attack, Williamson said.

"Someone out in the parking lot or a neighbor can look at the packets and see information about the controller on the wired side," he said. "This is giving anybody that's listening to the environment some pretty detailed information about the wired network that we want to keep protected."

If an access point has the OTAP enabled, the wireless LAN is also at risk of a "skyjack" exploit, Williamson said. With the OTAP feature enabled, a newly deployed Cisco access point will listen to the multicast data being broadcast to find the address of its nearest controller.

However, the access point could end up connecting to an outside controller if it hears multicast data from that network instead, and thus it would be under someone else's control, he said.

Someone could skyjack a corporation's access point and "use the wireless LAN to create a wired path into your network," Williamson said.

AirMagnet has informed Cisco about the problems and Cisco is working on a solution, Williamson said.

"As a matter of policy, Cisco takes security vulnerabilities very seriously and we continue to take active measures to safeguard the security and reliability of our equipment," a Cisco spokesperson said.

"Our standard practice is to issue public Security Advisories or other appropriate communications that include corrective measures so customers can address any issues," he said. "For that reason we do not provide comment on specific vulnerabilities until they have been publicly reported, consistent with our well-established disclosure process."

Cisco has 65 percent to 70 percent of the installed base for wireless LANs, according to Stan Schatt, security practice director at ABI Research.

"What this really shows is that more and more companies have to have 7/24 monitoring of their LANs," he said. "They can't just periodically walk around the facility with a laptop and check to see if there's a problem."

An attack on a wireless LAN would be particularly dangerous for hospitals, which are increasingly moving critical apps onto the network for use by doctors and nurses with Wi-Fi-enabled handhelds, Schatt said. "A denial-of-service attack could impact mission critical phone systems," he said.

To mitigate against any attacks, Cisco customers should disable the OTAP feature and use a separate intrusion detection system that can detect whether someone is snooping on the network, as well as monitor that all access points on a network are authorized, AirMagnet said.

Updated 11:02 a.m. PDT August 25: Cisco released an alert on Tuesday that describes the finding as a low-risk vulnerability that could allow unauthorized control of a wireless access point and which could allow an unauthenticated, remote attacker to cause a denial of service condition.

"Any clients attempting to register to the AP (access point) will be unable to access network resources, but the AP is still unable to authenticate wireless clients," the company said in a statement. "There is no risk of data loss or interception. Cisco believes the vulnerability is easily avoided or mitigated and has provided techniques for this purpose."

Software updates and patches were not yet available, Cisco said.

Originally posted at InSecurity Complex
August 17, 2009 2:28 PM PDT

Three men indicted in largest U.S. data breach

by Elinor Mills
  • 19 comments

Two Russians and a Florida man were charged on Monday with hacking into Heartland Payment Systems, 7-Eleven, and the Hannaford Brothers supermarket chain, and stealing data related to more than 130 million credit and debit cards.

The indictment names 28-year-old Albert Gonzalez of Miami, who already has been charged with stealing data related to 40 million credit cards from eight major retailers, including TJ Maxx, and two unnamed co-conspirators based in Russia.

The breach involving Heartland and the others is believed to be the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice. In addition to Heartland, 7-Eleven, and Hannaford Brothers, it involves two unnamed corporate victims, according to a statement from the U.S. Attorney's office.

The three men were indicted on charges of conspiring to hack into computer networks and stealing data as far back as October 2006. Gonzalez, whose aliases include "segvec" and "soupnazi," and the others allegedly found victims on a list of Fortune 500 companies and visited retail locations to see what type of checkout systems they used.

They used an SQL injection attack to steal the data and used computers in California, Illinois, New Jersey, Latvia, Ukraine, and the Netherlands for storing malware and stolen data and launching attacks, according to the indictment. In an SQL injection attack, the attacker types a fragment of SQL into a form field or URL parameter that the Web application pastes directly into a database query; the database then executes the attacker's fragment as part of the query, letting the attacker read or change data the application never meant to expose.
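The injection pattern described above, as an added example that is not part of the original article or of the indictment: a query built by string concatenation beside its parameterised replacement, run against Python's built-in sqlite3 module. The table, usernames, card numbers and payloads are constructed test data, not anything from the case.

```python
import sqlite3

# Constructed sample rows standing in for a merchant's card table (not real data).
SAMPLE_ROWS = [
    ("alice", "4111111111111111"),
    ("bob", "5500000000000004"),
    ("carol", "340000000000009"),
]


def make_db():
    """In-memory SQLite database that plays the role of the back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (username TEXT, card_number TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, username):
    """The injectable pattern: user input is pasted straight into the SQL text,
    so quotes and keywords in the input are parsed as SQL, not as a value."""
    query = f"SELECT username, card_number FROM cards WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """The fix: a parameterised query. The driver binds `username` as data,
    so the same payload is compared literally and matches nothing."""
    query = "SELECT username, card_number FROM cards WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# Two classic payloads. The first closes the string and adds an always-true
# clause; the second does the same and comments out the trailing quote.
TAUTOLOGY = "x' OR '1'='1"
COMMENT_OUT = "x' OR 1=1 --"


def demo():
    """Run one legitimate lookup and each payload through both code paths."""
    conn = make_db()
    return {
        "normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vulnerable_comment": lookup_vulnerable(conn, COMMENT_OUT),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),
        "safe_comment": lookup_safe(conn, COMMENT_OUT),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {len(rows)} row(s) {rows}")
```

With the concatenated query, either payload turns a single-user lookup into `WHERE username = 'x' OR '1'='1'` and dumps every card in the table; the parameterised version returns no rows for the same input because it is looking for a user literally named `x' OR '1'='1`.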

They also allegedly installed backdoors and sniffers to intercept data in real time as it was processed by the victims and tried to hide their actions by accessing the victim networks through proxy computers, modifying their software so as to evade detection by antivirus programs and programming it to delete traces of the malware from victim networks, according to the indictment.

The men also tried to sell the stolen data to others, the indictment alleges. They are charged with conspiracy to gain unauthorized access to computers, commit fraud in connection with computers and damage computers, as well as conspiracy to commit wire fraud. They face up to 35 years in prison as well as a fine of $1.25 million.

Gonzalez, who is in federal custody, was charged in May 2008 in New York with hacking the computer network of Dave & Buster's restaurant chain and was named in an indictment in Massachusetts in August 2008 related to the TJX breach. Other alleged victims in those cases include BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW. He faces trial on the New York charges next month.

Heartland reported the breach on presidential Inauguration Day in January and said that although it occurred last year, it found evidence of the intrusion just the week prior.

Formerly a federal government informant, Gonzalez also was arrested in New Jersey in 2003 on charges related to ATM and debit card fraud.

Originally posted at InSecurity Complex
August 17, 2009 6:01 AM PDT

How 10 digits will end privacy as we know it

by Ari Juels
  • 47 comments

Editors' note: This is a guest column. See Ari Juels' bio below.

Internet denizens and urban dwellers alike need to recognize that an era of anonymity is ending.

The population of the world stands at about 7 billion. So it takes only 10 digits to label each human being on the planet uniquely.

This simple arithmetic observation offers powerful insight into the limits of privacy. It dictates something we might call the 10-Digit Rule: just 10 digits or so of distinctive personal information are enough to identify you uniquely. They're enough to strip away your anonymity on the Internet or call out your name as you walk down the street. The 10-Digit Rule means that as our electronic gadgets grow chattier, and databases swell, we must accept that in most walks of life, we'll soon be wearing our names on our foreheads.

A study of 1990 U.S. Census data revealed that 87 percent of the people in the United States were uniquely identifiable with just three pieces of information (PDF): five-digit ZIP code, gender, and date of birth. Internet surfers today spew considerably more information than that. Web sites can pinpoint our geographical locations, computer models, and browser types, and they can silently track us using cookies. Banking sites even confirm our identities by verifying that our log-ins take place at consistent times of day.

Database dossiers, too, carry surprising amounts of identifying information, even when specifically anonymized for privacy. Researchers at the University of Texas at Austin last year studied a set of movie-rating profiles from about 500,000 unnamed Netflix subscribers (PDF).

Knowing just a little about a subscriber--say, six to eight movie preferences, the type of thing you might post on a social-networking site--the researchers found that they could pick out your anonymous Netflix profile, if you had one in the set. The Netflix study shows that those 10 deanonymizing digits can hide in surprising places.
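The two re-identification mechanisms in the preceding paragraphs, the Census uniqueness finding and the Netflix profile matching, as one added example that is not part of the original column or of either study. The first function measures how many records in a table are the only one with their (ZIP, gender, date of birth) tuple; the second finds every anonymised rating profile consistent with a handful of ratings an attacker already knows. All records and profiles below are constructed, and the matching is a simplified exact-match version of the idea rather than the scoring algorithm the Texas researchers published.

```python
from collections import Counter

# Constructed records (not 1990 Census data): only the three quasi-identifiers.
CENSUS_LIKE = [
    {"zip": "02139", "sex": "F", "dob": "1975-03-02"},
    {"zip": "02139", "sex": "F", "dob": "1975-03-02"},  # same tuple as the row above
    {"zip": "02139", "sex": "M", "dob": "1961-11-30"},
    {"zip": "10001", "sex": "M", "dob": "1988-07-14"},
    {"zip": "10001", "sex": "F", "dob": "1990-01-01"},
]

QUASI_IDENTIFIERS = ("zip", "sex", "dob")


def group_sizes(records, keys=QUASI_IDENTIFIERS):
    """Map each quasi-identifier tuple to how many records carry it (its k)."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def uniqueness_rate(records, keys=QUASI_IDENTIFIERS):
    """Fraction of records that are alone in their tuple (k == 1), i.e. pinned
    down by anyone who knows those three facts about the person."""
    sizes = group_sizes(records, keys)
    unique = sum(1 for r in records if sizes[tuple(r[k] for k in keys)] == 1)
    return unique / len(records)


# Constructed anonymised rating profiles (not Netflix Prize data): id -> {title: stars}.
PROFILES = {
    "u1": {"Alien": 5, "Heat": 4, "Fargo": 3, "Brazil": 5, "Rocky": 2},
    "u2": {"Alien": 5, "Heat": 4, "Fargo": 3, "Amelie": 4, "Rocky": 2},
    "u3": {"Alien": 2, "Heat": 5, "Fargo": 1, "Brazil": 4, "Rocky": 5},
    "u4": {"Amelie": 5, "Brazil": 5, "Fargo": 3, "Heat": 4},
}


def match_profile(profiles, known, tolerance=1):
    """Return the ids of every profile consistent with the attacker's side knowledge.

    `known` is a few titles and star ratings gathered elsewhere (a social-network
    post, say). A profile is consistent if it rated every known title within
    `tolerance` stars. The more titles are known, the shorter this list gets.
    """
    hits = []
    for uid, ratings in profiles.items():
        if all(title in ratings and abs(ratings[title] - stars) <= tolerance
               for title, stars in known.items()):
            hits.append(uid)
    return hits


if __name__ == "__main__":
    print("uniquely identifiable:", uniqueness_rate(CENSUS_LIKE))
    print("two known ratings ->", match_profile(PROFILES, {"Heat": 4, "Fargo": 3}))
    print("three known ratings ->",
          match_profile(PROFILES, {"Alien": 5, "Heat": 4, "Brazil": 5}))
```

In the constructed table, three of five rows are unique on the three quasi-identifiers even though two rows deliberately collide; two known ratings leave three candidate profiles, while a third rating narrows the field to one. That is the column's point in miniature: a few digits' worth of side information is usually enough.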

Our physical belongings also betray our anonymity by silently calling out identity-betraying digits. Small wireless microchips--often called radio frequency identification, or RFID, tags--reside in car keys, credit cards, passports, building entrance badges, and transit passes. They emit unique serial numbers.

Once linked to our names--when we make credit card purchases, for instance--these microchips enable us to be tracked without our realizing it. One popular book inflames imaginations with the lurid title, "Spychips: How Major Corporations and Government Plan to Track your Every Move with RFID."

There's little point in hiding the serial numbers of chips when your mobile phone squeals on you.

But wireless microchips also highlight the futility of anonymity protections. To begin with, concerns about RFID tracking miss the forest for the trees. After all, mobile phones are ubiquitous and can be tracked at much longer ranges than standalone chips. Many people have GPS receivers in their phones and are signing up for location-based services, voluntarily (if selectively) disclosing their movements. There's little point in hiding the serial numbers of chips when your mobile phone squeals on you.

Many scientists (including me) have developed antitracking techniques for mobile phones and microchips. Instead of fixed serial numbers, wireless devices can call out changing pseudonyms, such as the rotating license plate numbers on spies' cars in the movies. The problem is that the plates may change, but the car always looks the same. In this regard, chips are like cars.

July 27, 2009 4:02 PM PDT

Network Solutions breach exposes nearly 600,000

by Elinor Mills
  • 25 comments

Network Solutions is investigating a breach on its servers that may have led to the theft of credit card data of 573,928 people who made purchases on Web sites hosted by the company.

Network Solutions notified 4,343 of its nearly 10,000 e-commerce merchant customers on Friday about the breach. It affects 573,928 cardholders whose name, address, and credit card number were exposed between March 12 and June 8, said Susan Wade, a spokeswoman for Network Solutions.

(Credit: Network Solutions)

Mysterious code was discovered in early June on servers hosting e-commerce customer sites during routine maintenance, she said. The company called in a third-party forensics team to help with the investigation, and the team was able to crack some of the code on July 13, determining that it could be related to credit card data, she added.

Credit card transactions were intentionally diverted by an unknown source from certain Network Solutions servers to servers outside, Network Solutions wrote in an e-mail to merchant customers.

"So we notified law enforcement and began the process of notifying our customers," Wade said. "At this point, we don't have a reason to believe that (the data) has been used, but we are working with the credit card companies," nonetheless.

Network Solutions also is paying to have credit-monitoring specialist TransUnion help the merchants notify their customers according to data breach notification laws in effect in certain states. Affected consumers will get 12 months of free credit-monitoring services.

It's unknown how the malicious code got onto the system and where it came from, Wade said.

Merchants and consumers can get more information on the Care and Protect Web site Network Solutions has set up. "We really feel terribly about this," Wade said.

"We store credit card data in an encrypted manner, and we are PCI (Payment Card Industry)-compliant. Unfortunately, any company operating in our business could have become a victim of this type of invasion," the company said on a blog post on the customer information Web site. "In this situation, the unauthorized code appears to have transmitted information about credit card transactions as they were being completed; it did not involve a vulnerability in the way we store data in our systems."

The breach does not affect Network Solutions' other businesses, which include domain registration, e-mail hosting, and online marketing.

Originally posted at InSecurity Complex
July 16, 2009 8:56 AM PDT

CEOs, other execs disagree on security

by Lance Whitney
  • 10 comments

CEOs and their senior executives don't see eye to eye on key security issues, according to a new survey.

Many CEOs don't consider their own companies vulnerable to security attacks and are confident in their ability to combat those attacks, says a survey released Wednesday. However, those findings contrast with the opinions of senior executives who report to the CEO. They see their companies as more vulnerable and are not confident they can stop data theft. The survey was sponsored by security company Ounce Labs and conducted by security researcher Ponemon Institute.

The survey sought to determine how aware CEOs and other senior executives are of their own data protection efforts--how effective they are, how they justify the cost of security, and whether they support the goals of the organization.

The survey found that 82 percent of senior executives said their organization has experienced a data breach, with 94 percent of those saying they've been hit in the last six months. About 53 percent say they're attacked on a daily or even hourly basis.

Only 58 percent of the senior execs are confident in their company's ability to identify and respond to breaches that result in the theft of information. And just 32 percent think their company is rarely attacked.

Among CEOs, 93 percent are confident in their organization's ability to identify and thwart security breaches. And 48 percent said they believe their organizations are rarely attacked.

(Credit: Ounce Labs)

The responsibility for securing a company's data was also a question mark. Among CEOs, 53 percent felt the chief information officer is accountable for data protection, while only 25 percent of other senior executives felt the same way. And whoever is responsible, that person's job is seen as safe. Around 85 percent of executives questioned believe a failure to stop a security attack under their watch would not jeopardize their job.

(Credit: Ounce Labs)

To gather the data, Ponemon Institute questioned 30 CEOs and 183 other top-level executives who report to CEOs, including chief operating officers, division presidents, and chief information officers, over a six-month period ending in June.
