got privacy?  Musings on the state of Privacy in a connected world.
January 28th is Data Privacy Day.  In a single generation, privacy concerns have shifted from worrying about who can see through your windows to who might be able to see your medical records on the Internet.  Data Privacy Day gives us a chance to reflect on these changes, and to think about what steps we can take to better control personal information and manage our privacy.

The fact is that information, from where you live to how you live, is now available to many companies that you do business with, or in some cases to everyone with an Internet connection.    This disclosure can provide many benefits, from customized offers based on purchase history to a free cup of coffee on your birthday.  Disclosure also carries risks.  Many of us have received notices telling us that our personal information has been lost or stolen, and although most of these instances do not lead to direct harm to us individually, they often cause concern.

Interestingly, the number one privacy concern that most people have is not related to the information that they share. Given the proliferation of social networking and other online activities, people are often comfortable (sometimes too comfortable) when it comes to sharing information in the public (or semi-private) domain.  The real concern for many is how information that has been shared with trusted people or organizations will be managed and protected once it is out of our direct control.  Individuals can reduce this risk by limiting what they share, but we also need to take responsibility for holding organizations to their privacy policies and agreements; they are stewards of your information.

So to mark Data Privacy Day, here are 4 simple things that you can do to improve your own privacy:

1. Think before sharing your personal information.  For example, when a shop asks for your phone number at the checkout, ask why they need it.  Usually the request is because they want a number that uniquely identifies you, rather than because they plan to call you.  So, consider declining or just choose a generic number that you can remember.  Similarly, if someone asks for your birthday, then January 1st will often suffice.

2. Always opt out.  Unlike Europe, where you need to opt in to consent to your data being shared, we in the U.S. have to ensure that we opt out whenever we have the opportunity to restrict companies from sharing information with other companies or partners.  It only takes a few seconds, and restricts what can be done with your information.  Find those boxes, and tick them.

3. Treat Social Networks like coffee shops.  If you wouldn’t talk about it in a coffee shop, don’t talk about it on Facebook or Myspace.  If you wouldn’t shout it on a street corner, don’t share it on Twitter!  Once you have shared something electronically, it is out of your control, even if you think that only your friends will be able to see it.

4. Maintain Healthy Skepticism.  Be suspicious about any requests for personal information, even if they look like they come from a person or organization that you know.  Many people continue to be fooled by these requests.  It’s easy to take a couple of minutes to make a call and confirm that a request is genuine before providing information that could be used to commit identity theft, or cause you other problems.

If a tree falls in a virtual forest, does it make a virtual sound?  These days, a lot of trees are falling in a lot of virtual forests and the noise is becoming louder in the real world.  University classes are now taught virtually, simulators replicate situations that are expensive or dangerous in real life, and surgeons practice techniques virtually before they attempt the real thing.

As Virtual Worlds (VWs) have become more complex and functional, they have become more valuable, both to their users and to attackers.  Nearly half a million users spent money in Second Life, one of the most popular VWs, in August 2009.  Interestingly, over 1000 of these transactions exceeded $4000.  The total GDP of Second Life was estimated at around $500m in 2007 – larger than some small countries.

This increase in functionality and usage has also led to an increase in the number of people attacking the system or the people using it.  While some early attacks focused on gaining control of in-world resources or disrupting the experience of other users, more recent attacks try to gain access to real world resources and bank accounts.

While few corporations currently use VWs, it is likely that this will change over the next decade as they become more ubiquitous and gain Enterprise Class features to encourage their adoption.  This will increase the urgency to develop a system of controls to protect both users and the environments themselves.

So, as information security professionals, how can we help to make Virtual Worlds a better place to live and work?

To help secure VWs from attack, it helps to think about them as a connected system with a number of components, each of which can be modeled.  This helps us to understand what the attack surface looks like, what the key vulnerabilities are, and how they might be defended.

The major vulnerability points are:

· Client Software.  Once you have installed code on a client machine, that code is vulnerable to being manipulated, either by changing the code itself or by changing the way that it interacts with the VW server.  This technique was used successfully to hack many online games and resulted in the development of programs such as PunkBuster, which control which other programs can be running at the same time as the game client and perform checksums on key files to ensure their integrity.

· The Virtual Environment.  Whether it’s performing a certain sequence of events that always produces game currency, or manipulating certain aspects of the VW to operate outside the rules (basically what the character Neo does in the film The Matrix), designers of the VWs are not able to predict every single way that a user might interact with the world, so they have to design safeguards that will work whatever the interaction is.

· The Users.  One of the most common attack vectors seen to date is to exploit trust between users to the benefit of an attacker.  Most users tend to assume that if they have been interacting with another character in a virtual world for some time, they can trust them.  In reality, many of the cues that we get when interacting in person are masked when interacting with an avatar.  Both the appearance and actions of an avatar may be designed to elicit certain responses in the same way that con artists may take on a certain persona to achieve their goals.

Gaming VWs (e.g. World of Warcraft) are by their nature used by very competitive people who would be tempted by anything that might give them an advantage.  This has enabled recent attacks to be successful by promising to show how to achieve or obtain certain things within the game world and then downloading malware which is used to steal credentials or set up backdoors on the user’s machine.

While not a new phenomenon, attacks against VWs have been getting more attention as the technology becomes more mainstream and blended attacks result in real-world losses.  As security practitioners, we need to understand the benefits and risks related to the use of VWs in our environments and set boundaries appropriately.  It is likely that the use of VWs for business purposes will expand in the future, just as social networks have done.  Humans are social animals and these technologies provide new and fun ways to interact with our colleagues and clients.  We just need to be aware that a virtual bear could be hiding behind every virtual tree and act accordingly.

Twitter has recently rolled out a new feature - the ability to create sub-groupings of people that you follow, and share them with other users.  This has a number of useful benefits, including the ability to group people into certain subject areas (for example, you might have a list of people that you work with, and another one for friends outside work).

Let's start with the good privacy feature that has been built into the current version of lists - the ability to mark lists private or public.  This is a sensible idea and has been implemented in a way that is easy to use (although we would prefer it if the default was for lists to be private rather than public - but this does seem a little like splitting hairs!)

Unfortunately, the way that lists are currently set up is open to a number of forms of abuse.  The primary reason for this is that a user does not have to authorize being added to a list.  I expect that this is a useful (and necessary) feature for the top-ranked users, who could be added to hundreds or thousands of lists and would not want to have to accept every single request to add them.

On the other hand - this does mean that people can add you to lists without your permission - and some of the following could occur:

1.  You are added to a list that gives away some information which you didn't want shared (e.g. parents of XYZ Middle School) - this could be significant information leakage, dependent on which lists you are added to.
2.  You are added to a list that isn't relevant to you (not so bad)
3.  You are added to a list maliciously or accidentally that is damaging to your reputation (e.g. Registered Sex Offenders)

There needs to be a trade-off here.  On one hand, we could subject everyone to "list spam" and render the feature next to useless.  On the other hand, there could / should be some better tools to manage what lists you are on, and to remove yourself.

Although lists "follow" you in the same way as people do - you can't seem to block the list, just the person who created the list.

It's a brave new world out there.  Would be interested to hear others' experiences and thoughts on this.

Interesting article this week in the IAPP's Privacy Advisor which talks about the ethics of Googling someone, which got me to thinking.

Even a couple of years ago - before social networks really caught on - this question wouldn't really have been asked.  Unless you were a celebrity or information about you was available through other channels such as magazines - Google wouldn't have had a great deal of additional information to add.  That has certainly changed over a relatively short period of time, particularly since Social Networks like Facebook started exposing more of the data that they had collected about people outside of their own network so that search engines could see it.  Anyone who has tried to manage their Facebook privacy settings will know that these are far from being easy to use and it is easy to see how people unintentionally expose information to the world that they intended to keep just within a network of a few friends.

Which brings us back to the Ethics of Googling someone.  While this blog thinks that things that are posted onto the public Internet, such as this blog, are fair game for anyone to stumble upon or find, there are some types of information that people expect to be kept private, an expectation which unfortunately is not always met.  And then there are, to our mind, practices that are completely unreasonable invasions of privacy.

The worst example that I've seen of this to date (although I'm sure there are others) was brought to our attention via Twitter (thanks @ChristianVW for the heads-up).  The City of Bozeman, Montana has decided that just doing a Google search on a potential employee is not enough.  They have been asking for usernames and passwords to prospective employees' Facebook and other social networking accounts.

The quote that I thought best summed up this sorry affair was prompted by a local radio station.  "One thing that's important for folks to understand about what we look for is none of the things that the federal constitution lists as protected things, we don't use those," said attorney Greg Sullivan.  Basically - give us access to everything and trust us to use it properly.

Sorry - that doesn't cut it with us, and I suspect a lot of readers of this Blog feel the same way.  At a minimum, Bozeman should engage someone who actually does understand Internet and Privacy law and rethink how they run their background check process.  Beyond that - anyone who has handed over any passwords should change them immediately.

We'd be interested to hear of any other employers who are trying similar tactics.  Please comment and let us know.

How many of us use Social Networks such as Facebook or LinkedIn and never think about what information we are sharing or who we might be sharing it with?  Hopefully no-one reading this Blog would admit to that, but the majority of users of these applications are only slowly becoming aware of some of the implications of using these technologies.

As I heard someone say recently: "What happens in Vegas, stays on Facebook" - which is a very simple way of explaining the risks to people who may not normally think about how the photos and other information that they are sharing may come back to bite them one day.

Which leads me on to an interesting presentation that Julien Freudiger posted a link to.  Called "Towards Privacy-aware OpenSocial applications", it discusses what benefits might be realized if social networking applications were much more aware of how sensitive information is and could advise users when they are trying to do something that would decrease their overall privacy.  The math in this presentation isn't for everyone - but the conclusions are interesting - particularly the comparison to FICO credit scores, which have gone from obscure to well known and actively managed by many people.

Wouldn't it be great if we had the same level of visibility over our privacy preferences?  Hopefully if this kind of framework is supported by the big players in the space, it will just become part of the infrastructure that we don't have to think about.