November 2010 Archives

The Chairman, Deputy Director of the Bureau of Consumer Protection, and Chief Technologist of the Federal Trade Commission will hold a telephone media availability on Wednesday, December 1, at 1 p.m. to answer reporters' questions about a new FTC report on privacy that outlines a framework for consumers, businesses and policymakers.

WHO: Jon Leibowitz, Chairman
Jessica Rich, Deputy Director, Bureau of Consumer Protection
Edward W. Felten, Chief Technologist
Federal Trade Commission
WHEN: Wednesday, December 1, 2010, 1 p.m. ET

Dial-in: United States: (800) 398-9367
International: (612) 332-0820
Confirmation Number: 182971
Host: Cecelia Prewett
Call-in lines are for press only

CONTACT: FTC Office of Public Affairs
202-326-2180

The official Privacy Advisory can be found here: http://www.ftc.gov/opa/2010/11/privacyadvisory.shtml

It also looks as though there will be a Twitter chat moderated by @FTCGov using the hashtag #FTCpriv

Alex Howard, over at O'Reilly Media's Radar Online, has a great write-up: http://gov20.govfresh.com/ftc-to-release-online-privacy-report-host-first-twitter-chat-at-ftcpriv/

Stuxnet Hearing 17 Nov 2010

Don't know why I didn't post this yesterday. Great testimony yesterday from the assembled panel on the threat Stuxnet poses:

  • Sean McGurk
    Acting Director, National Cybersecurity and Communications Integration Center
    U.S. Department of Homeland Security
  • Michael J. Assante
    President and Chief Executive Officer
    National Board of Information Security Examiners
  • Dean Turner
    Director, Global Intelligence Network
    Symantec Corporation
  • Mark W. Gandy
    Global Manager, IT Security and Information Asset Management
    Dow Corning Corporation

Check out Securing Critical Infrastructure in the Age of Stuxnet for more information and archived testimony.


Just the video, no context.  Enjoy.

A friend of PrivacyWonk, Sara Cohen, has authored "Privacy and Security Implications of Geo-Location Social Media Tools" over at The Homeland Security Blog after participating in a joint experiment conducted by Fox News and Corner Alliance. The experiment followed Sara for two weeks as she used geo-location social media tools like Foursquare and Facebook Places during her daily life. Without Sara's knowledge, Fox News DC had been surreptitiously filming her during the course of the experiment. "On the final day, I was found by the news crew and reporter, who had been following me all along, filming me without my knowledge."

I was very excited when Sara let it be known she was participating in this experiment. It was a chance to show how these services can be abused and how important it is to protect yourself while using them. While this Fox News and Corner Alliance experiment was conducted with Sara's permission, it is very easy to imagine this being done by people with ill intentions. Here's the video:


Great takeaway quote from Terrence Whitehead, "The value is not in your privacy, the value is in your information, your whereabouts. That's what people want to know.  That's what companies are paying for."

I asked Sara to give a small intro about herself and the experiment:

"For the past three years, I've been working in emergency management and social media. In 2008, I completed my master's thesis, "Using Social Networking for University Emergency Communications" with UCLA. Taking lessons learned from Virginia Tech and Northern Illinois University, I developed a model for universities to leverage social media specifically in emergency communications. Since then, I've worked with several universities, organizations, and government agencies, developing social media programs, policies, standards, and training. I've presented and written on the security and privacy implications of web 2.0 technology for several conferences and publications. One thing I am sure of is that as technology advances, so too does the information transmitted via these channels. The more information we share, the greater the risk to our personal privacy and safety. And in a fast-paced and dynamic environment, it is becoming increasingly difficult to manage our online personas.

As someone who uses social media on a daily basis, I was interested in participating in this experiment to see just how far my information could go. I pride myself on staying up to date with ever-changing privacy policies and the security implications of new technology. I was surprised to learn, however, just how easy it is to lose track of the bigger picture when sharing information on a daily basis for the purposes of staying connected. This blog discusses my approach, my findings, and a few lessons learned."


Geo-location has been a frequent topic here on PrivacyWonk. Security researcher and friend Omachonu Ogali developed a great proof of concept called Where's my iPhone, which siphoned GPS-coded images from Tumblr to produce Google Maps views of exactly where each photo was taken. Adam Savage of MythBusters famously compromised his home address by sharing a picture of his car via Twitter. Location-based information came under Congressional inquiry this past summer, with security experts like Matt Blaze (UPenn) testifying on ECPA Reform and the Revolution in Location Based Technologies and Services.

When it comes to using geo-location social media applications, my first piece of advice would be the most basic one: don't use them. If you can't do that, never use them from home. Or your office. Use them only when you are out, doing silly stuff. Don't establish patterns that can be exploited. Don't allow other people to check you into places. Make sure your phone's privacy and location settings are not giving away too much either: GPS and "Enhanced Network Location" (aka cell tower/Wi-Fi access point triangulation) do not need to be turned on all the time, and most games and applications will not need access to your location information at all.
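The "GPS-coded images" that Ogali's proof of concept harvested and the photo that gave away Adam Savage's address are the same leak: a camera phone writes its fix into the Exif GPS tags of the JPEG, and the tags travel with the file wherever it is posted. The check below is an added example, not code from this post or from Ogali's tool; it walks the JPEG marker segments by hand with nothing but the standard library, reports any latitude/longitude it finds, and produces a copy with the Exif segment removed so the photo can be shared without it. The input is a constructed bare JPEG (one Exif APP1 segment, no image data) with made-up coordinates, so it runs offline.

```python
import struct

# Exif/TIFF tag numbers used below (from the Exif 2.2 specification).
GPS_IFD_POINTER = 0x8825           # IFD0 entry pointing at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT = 0x0001, 0x0002
GPS_LON_REF, GPS_LON = 0x0003, 0x0004
EXIF_HEADER = b"Exif\x00\x00"


def _iter_segments(jpeg):
    """Yield (marker, start, end) for each length-carrying JPEG marker segment."""
    pos = 2                                    # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):             # EOI, or SOS: compressed scan follows
            return
        if marker == 0xFF or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 1 if marker == 0xFF else 2  # fill byte / TEM / RSTn carry no length
            continue
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, off, bo):
    """Map tag -> offset of its 4-byte value field for every entry in one IFD."""
    (count,) = struct.unpack(bo + "H", tiff[off:off + 2])
    return {struct.unpack(bo + "H", tiff[e:e + 2])[0]: e + 8
            for e in range(off + 2, off + 2 + 12 * count, 12)}


def _dms(tiff, value_field, bo):
    """Degrees/minutes/seconds stored as three RATIONALs at the pointed-to offset."""
    (data_off,) = struct.unpack(bo + "I", tiff[value_field:value_field + 4])
    parts = []
    for k in range(3):
        num, den = struct.unpack(bo + "II", tiff[data_off + 8 * k:data_off + 8 * k + 8])
        parts.append(num / den if den else 0.0)
    d, m, s = parts
    return d + m / 60 + s / 3600


def find_gps(jpeg):
    """Return (lat, lon) in signed decimal degrees if the JPEG carries GPS tags, else None."""
    for marker, start, end in _iter_segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != EXIF_HEADER:
            continue
        tiff = jpeg[start + 10:end]
        bo = ">" if tiff[:2] == b"MM" else "<"  # TIFF byte-order mark
        (ifd0_off,) = struct.unpack(bo + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, ifd0_off, bo)
        if GPS_IFD_POINTER not in ifd0:
            return None
        p = ifd0[GPS_IFD_POINTER]
        (gps_off,) = struct.unpack(bo + "I", tiff[p:p + 4])
        gps = _read_ifd(tiff, gps_off, bo)
        if not {GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON}.issubset(gps):
            return None
        lat, lon = _dms(tiff, gps[GPS_LAT], bo), _dms(tiff, gps[GPS_LON], bo)
        if tiff[gps[GPS_LAT_REF]:gps[GPS_LAT_REF] + 1] == b"S":
            lat = -lat
        if tiff[gps[GPS_LON_REF]:gps[GPS_LON_REF] + 1] == b"W":
            lon = -lon
        return lat, lon
    return None


def strip_exif(jpeg):
    """Copy of the JPEG with every Exif APP1 segment dropped; image data is untouched."""
    out, copied = bytearray(), 0
    for marker, start, end in _iter_segments(jpeg):
        out += jpeg[copied:start]
        if not (marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER):
            out += jpeg[start:end]
        copied = end
    out += jpeg[copied:]
    return bytes(out)


def _build_sample_jpeg():
    """Constructed input: SOI + one big-endian Exif APP1 segment + EOI, no scan data.
    The coordinates are made up: 40 deg 30' N, 73 deg 15' W."""
    bo = ">"
    ifd0 = (struct.pack(bo + "H", 1)
            + struct.pack(bo + "HHII", GPS_IFD_POINTER, 4, 1, 26)   # LONG -> GPS IFD at 26
            + struct.pack(bo + "I", 0))
    gps = (struct.pack(bo + "H", 4)
           + struct.pack(bo + "HHI", GPS_LAT_REF, 2, 2) + b"N\x00\x00\x00"
           + struct.pack(bo + "HHII", GPS_LAT, 5, 3, 80)             # 3 RATIONALs at 80
           + struct.pack(bo + "HHI", GPS_LON_REF, 2, 2) + b"W\x00\x00\x00"
           + struct.pack(bo + "HHII", GPS_LON, 5, 3, 104)            # 3 RATIONALs at 104
           + struct.pack(bo + "I", 0))
    dms = [(40, 1), (30, 1), (0, 1), (73, 1), (15, 1), (0, 1)]
    tiff = (b"MM\x00\x2a" + struct.pack(bo + "I", 8) + ifd0 + gps
            + b"".join(struct.pack(bo + "II", n, d) for n, d in dms))
    body = EXIF_HEADER + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"


SAMPLE_JPEG = _build_sample_jpeg()

if __name__ == "__main__":
    print("before:", find_gps(SAMPLE_JPEG))               # (40.5, -73.25)
    print("after: ", find_gps(strip_exif(SAMPLE_JPEG)))   # None
```

Run it on a real photo by reading the file into `find_gps` before uploading; if it returns coordinates, write out `strip_exif(data)` instead. Dropping the whole APP1 segment rather than editing individual tags is deliberate: it also removes camera serial numbers, timestamps and embedded thumbnails (which may keep a copy of the original frame), and it cannot be undone by a sharing service that re-encodes but preserves metadata.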

Simply put, don't let your digital exhaust compromise your real, physical security.

Don't forget to check out Sara's original write-up on The Homeland Security Blog: http://www.thehomelandsecurityblog.com/2010/11/12/privacy-and-security-implications-of-geo-location-social-media-tools/

As I was editing this post after publication, I saw a Tweet flash by from the DotRights campaign linking to an ACLU post: Location-Based Services: Time For A Privacy Check-In. This post contains some great information on the topic, go check it out.

Operation Screaming Fist

A story published yesterday by Kim Zetter on Wired.com's Threat Level titled "Clues Suggest Stuxnet Virus Was Built for Subtle Nuclear Sabotage" gave some fantastic insight into the virus.  The story was a recap of a larger report issued by Symantec, which performed in-depth analysis on the Stuxnet virus.  This virus targeted specific supervisory control and data acquisition (SCADA) software and, further, only activated certain chunks of code when those SCADA systems were managing a specific number of sub-systems from specific manufacturers.  

The basic points I took away from the analysis are that: (1) Stuxnet is far more advanced than was previously thought.  (2) Stuxnet was designed specifically to target Iranian nuclear facility(ies).  (3) The level of sophistication most likely means nation-state backing.

...All I could think about after reading this story was William Gibson's award-winning cyberpunk novel Neuromancer.  The geek in me wants it to come out, in the future, that the Stuxnet project was code-named "Operation Screaming Fist" by whatever nation-state sponsored its development.  In Neuromancer, Operation Screaming Fist was an American military operation aimed at introducing a major virus into a Russian military computer through both physical penetration of Russian defenses and logical penetration of Russian Intrusion Countermeasures Electronics.

We've seen some pretty crude "cyberwar" attacks, notably the DDoSing of Estonia off the map a few years back.  Now we have Stuxnet.  Things have come a long way in a very short period of time; it will be interesting to see what comes next.


Report mirrored on PrivacyWonk*: http://www.privacywonk.net/download/w32_stuxnet_dossier.pdf
Report from Symantec*: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf


* Report downloaded 0833 16 Nov 2010