February 2011 Archives



I saw the above Virgin Mobile commercial last night. My initial reaction was laughter followed immediately by "wait a second...that's a creepy selling point." I had no problem with the commercial except the following line, "I can even watch his foursquare check-ins for patterns."

That is a strange line to use in an advertisement, which raises the question of why they would use it. Is it simply a humorous selling point riffing on a current hot topic, or are they trying to defuse the fear through humor? There is a lot of legislation and judicial activity aimed at mobile data, which could impact carriers through regulatory compliance costs, etc. Is this a very subtle lobbying effort?

PrivacyWonk has covered geolocation privacy issues numerous times. To highlight two previous posts: we have the story of Sara Cohen being tracked by the local Fox news station via geolocation data and a general discussion about how prevalent this data is becoming and how easily it leaks out.

Congresswoman Jackie Speier (D-CA) introduced two pieces of legislation on Friday, February 11th, 2011, aimed at protecting personal information. The Do Not Track Me Online Act of 2011 (H.R. 654) would give consumers the ability to prevent the collection and use of data on their online activities. The Financial Information Privacy Act of 2011 (H.R. 653) would give consumers control of their own financial information.

Congressman Bobby L. Rush (D-IL) reintroduced his privacy-focused legislation from last year on Thursday, February 10th, 2011: the Building Effective Strategies To Promote Responsibility Accountability Choice Transparency Innovation Consumer Expectations and Safeguards Act (H.R. 611).

On Monday, February 14th, Senator Al Franken (D-MN) was named chairman of a new Judiciary subcommittee for Privacy, Technology and the Law. The Committee's jurisdiction and membership go to a vote on February 17th, 2011. Until then, all details below should be considered pending.

The Committee's jurisdiction will include: (1) Oversight of laws and policies governing the collection, protection, use and dissemination of commercial information by the private sector, including online behavioral advertising, privacy within social networking websites and other online privacy issues; (2) Enforcement and implementation of commercial information privacy laws and policies; (3) Use of technology by the private sector to protect privacy, enhance transparency and encourage innovation; (4) Privacy standards for the collection, retention, use and dissemination of personally identifiable commercial information; and (5) Privacy implications of new or emerging technologies.

Committee membership includes:

Democratic Members
  • Al Franken, Minnesota (Chairman)
  • Chuck Schumer, New York
  • Sheldon Whitehouse, Rhode Island
  • Richard Blumenthal, Connecticut

Republican Members
  • Tom Coburn, Oklahoma (Ranking Member)
  • Orrin Hatch, Utah
  • Lindsey Graham, South Carolina

On January 28th, Google hosted a panel discussion titled "When Geeks meet Wonks" in their DC offices for international Data Privacy Day. Google's Director of Privacy for Product Engineering, Alma Whitten, announced that two-factor authentication will be rolling out to all of Google's apps shortly. See http://www.privacywonk.net/2011/01/the-technology-of-privacy-when-geeks-meet-wonks.php for more info, but in short: Google is rolling out two-factor authentication by using mobile and land-line telephones to deliver one-time pass-codes. Remember those RSA SecurID tokens we've all had to carry around at one time or another? This is the same concept, except Google handles the pass-code generation on their end (instead of a dedicated device) and uses existing telecommunications infrastructure (channels) to transmit it to a device you enrolled in the service. This improves the security of your account by requiring an attacker to have access to both your password (what you know) and your enrolled device (what you have).

Ryan Singel (Wired) and Brian Krebs (Krebs on Security) have posts covering the details. Please check them out for more info.

From a security point of view, this is fantastic. I believe many more companies will follow in Google's footsteps, just as Google has been following in the footsteps of others to implement this service. For example, Chase and Bank of America have been using two-factor authentication for years. However, as more and more companies begin using this method, it will start to be exploited more frequently. There have already been reports of phishing attempts via SMS message. Bruce Schneier, back in 2004, said this was a fantastic development in the banking sector: http://www.schneier.com/blog/archives/2004/11/twofactor_authe.html. Less than a year later, he was very cold on the subject: http://www.schneier.com/blog/archives/2005/03/the_failure_of.html.

I am very excited that Google is doing this. Google accounts are quickly becoming just as valuable to us as our bank accounts. As I mentioned above, I believe more and more sites will begin to implement this type of technology. As this technology becomes more pervasive, new risks will be introduced in addition to those illustrated by Mr. Schneier above.

  • Large collections of cell phone and land-line phone numbers held by many companies that we previously would not have given such information to: our online world doesn't always need to touch our real world. I am comfortable giving my cell phone number to my bank because those worlds overlap. To Facebook? To Google? To Twitter? To ABC start-up company? I am a bit more hesitant there.
  • Will this authentication-focused information be included in information sold to advertisers? Will its use be explicitly detailed in privacy policies and/or terms of service agreements?
  • We have seen recently some very high-profile cases of database intrusions and thefts (Heartland, Lush, etc.). If someone gets hold of these numbers, SMS spam will greatly increase. Imagine a database of 200 million phone numbers being compromised.
  • Hopefully Google, and all others using this technology, will keep this column of data encrypted to combat theft and potential fraud.
  • It is incredibly easy to spoof SMS, which could limit the amount of trust a user has in the authenticity of the SMS message.
  • Users can still be tricked into visiting a fake site. The fake site communicates with the legitimate site and induces the legitimate site to send an access code via SMS while the user is still on the fake site. The attacker then has the user name and password as well as a valid authentication token. It might be a stretch, but it's possible.
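To make the "what you have" mechanism described in the Google paragraph concrete, here is an added example (not Google's code, and not from the original post) of the server side of an SMS pass-code flow: a code is issued only for a login that has already passed the password check, only an HMAC of the code is stored, and the code expires after a short window, is single-use, and is bound to the login session it was issued for. The session binding, expiry and attempt limit are the standard controls that shrink the window in which a spoofed or relayed code (the last two risks above) is worth anything. The server key, the 300-second lifetime and the three-attempt limit are constructed values for this example; a real deployment would take the key from a key store and tune the limits to its own risk appetite.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

# Constructed server-side key for this example only; load from a key store in practice.
SERVER_KEY = b"example-only-hmac-key-do-not-reuse"

CODE_TTL_SECONDS = 300   # a pass-code is valid for five minutes (assumed value)
MAX_ATTEMPTS = 3         # wrong guesses tolerated before the code is discarded (assumed value)


@dataclass
class PendingCode:
    code_hash: bytes   # HMAC of "session:code"; the plaintext code is never stored
    issued_at: float
    attempts: int = 0
    used: bool = False


@dataclass
class OtpService:
    """Issues and verifies one-time pass-codes for an already password-authenticated login."""

    pending: Dict[str, PendingCode] = field(default_factory=dict)  # login_session_id -> code
    clock: Callable[[], float] = time.time                          # injectable for testing

    def _digest(self, session_id: str, code: str) -> bytes:
        # Keying the hash with the session id means a code issued for one login
        # cannot be redeemed against another, even if the stored table leaks.
        msg = f"{session_id}:{code}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

    def issue(self, session_id: str) -> str:
        """Create a fresh 6-digit code for this login; the return value goes to the SMS gateway."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded
        self.pending[session_id] = PendingCode(self._digest(session_id, code), self.clock())
        return code

    def verify(self, session_id: str, submitted: str) -> bool:
        """Return True once, and only for the right code, right session, inside the TTL."""
        entry = self.pending.get(session_id)
        if entry is None or entry.used:
            return False
        if self.clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self.pending[session_id]          # expired: force a new issue
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self.pending[session_id]          # brute-force guard
            return False
        if hmac.compare_digest(entry.code_hash, self._digest(session_id, submitted)):
            entry.used = True                     # single use
            return True
        return False


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("login-abc")       # in production this string is sent by SMS
    print("accepted first time:", svc.verify("login-abc", code))   # True
    print("accepted second time:", svc.verify("login-abc", code))  # False (single use)
```

The `clock` field exists so the expiry path can be exercised deterministically; everything else is plain standard library. Note what this does not do: a user who types a genuine code into a fake site has still handed it over, so the controls here limit how long and how often a captured code can be used rather than preventing the capture itself.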

To combat some of the risks above, I have two solutions:

  1. Use Google Voice or a similar service to forward SMS messages to your phone, giving yourself a layer of abstraction from your primary mobile/land-line phone number. However, this introduces further risks, for example SMS message archives held by the forwarding service.
  2. If you're ultra-paranoid, get yourself a burner phone to use only for these purposes. It's not your primary phone. You can leave it turned off for 99% of its life and it still gives you the exact same level of security as using your primary mobile. If it gets spammed, who cares? This is just like a throw-away e-mail address used on services that require registration.

Again, good job to Google for implementing this. The risks explained above are meant as knowledge, not as detractors. As always, be aware of everything you do online. If something seems suspicious, trust your gut. As more and more companies start using this two-factor method, keep the above risks in mind.

I would also look toward organizations like OpenID and OAuth to help tackle some of these issues.  Perhaps we will see clearing houses for security services such as this pop up.

What are your thoughts, readers?  Drop them in the comment box.

NIST has released a new draft Special Publication (SP) 800-144 on cloud security and privacy topics. Wayne Jansen and Timothy Grance authored the 60-page document, which reviews cloud technology, details security positives and negatives, and dives deeply into the privacy issues associated with the cloud.

The paper's abstract states:
"Cloud computing can and does mean different things to different people. The common characteristics most share are on-demand scalability of highly available and reliable pooled computing resources, secure access to metered services from nearly anywhere, and dislocation of data from inside to outside the organization. While aspects of these characteristics have been realized to a certain extent, cloud computing remains a work in progress. This publication provides an overview of the security and privacy challenges pertinent to public cloud computing and points out considerations organizations should take when outsourcing data, applications, and infrastructure to a public cloud environment."

NIST defines cloud computing as:

"Cloud computing has been defined by NIST as a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction [Mel09]. Cloud computing can be considered a new computing paradigm insofar as it allows the utilization of a computing infrastructure at one or more levels of abstraction, as an on-demand service made available over the Internet or other computer network. Because of the implications for greater flexibility and availability at lower cost, cloud computing is a subject that has been receiving a good deal of attention lately."

Cloud privacy topics covered include:
  • Governance
  • Compliance
    • Data location
    • Laws and Regulations
    • e-Discovery
  • Trust
    • Insider Access
    • Data Ownership
    • Composite Services
    • Visibility
    • Risk Management
  • Architecture
    • Attack Surface
    • Virtual Network Protection
    • Ancillary Data
    • Client-Side Protection
    • Server-Side Protection
  • Identity and Access Management
    • Authentication
    • Access Control
  • Software Isolation
    • Hypervisor Complexity
    • Attack Vectors
  • Data Protection
    • Data Isolation
    • Data Sanitization

The paper can be downloaded directly from NIST at http://csrc.nist.gov/publications/drafts/800-144/Draft-SP-800-144_cloud-computing.pdf.

PrivacyWonk's hosted copy: http://www.privacywonk.net/download/Draft-SP-800-144_cloud-computing.pdf