chicksdaddy writes: "Mobile phone use may be a more accurate identifier of individuals than even their own fingerprints, according to research published on the web site of the scientific journal Nature. Scientists at MIT and the Université catholique de Louvain in Belgium analyzed 15 months of mobility data for 1.5 million individuals who used the same mobile carrier. Their analysis, “Unique in the Crowd: the privacy bounds of human mobility,” showed that data from just four, randomly chosen “spatio-temporal points” (for example, mobile device pings to carrier antennas) was enough to uniquely identify 95% of the individuals, based on their pattern of movement. Even with just two randomly chosen points, the researchers say they could uniquely characterize around half of the 1.5 million mobile phone users. The research has profound implications for privacy, suggesting that the use of mobile devices makes it impossible to remain anonymous – even without the use of tracking software.
For their research, they studied anonymized carrier data from a “significant and representative part of the population of a small European country.” In the study, the researchers used sample data collected between April 2006 and June 2007. Each time a user interacted with their mobile phone operator network by initiating or receiving a call or a text message, the location of the connecting antenna was recorded, providing both a spatial and temporal data point. “We show that the uniqueness of human mobility traces is high, thereby emphasizing the importance of the idiosyncrasy of human movements for individual privacy,” the researchers write. “Given the amount of information that can be inferred from mobility data, as well as the potentially large number of simply anonymized mobility datasets available, this is a growing concern.”"
chicksdaddy writes: "So much for privacy settings. In a paper published in the Proceedings of the National Academy of Sciences (PNAS), researchers from Cambridge University and Microsoft Research demonstrated that it is possible to use knowledge of an individual user’s “Likes” on Facebook to “automatically and accurately predict a range of highly sensitive personal attributes including: your age and gender, sexual orientation, ethnicity, religious and political views.” The list of reliably guessable information goes on to include other less quantifiable characteristics like your personality traits, intelligence, happiness, your preference (or not) for addictive substances and whether your parents split up, according to a report by The Security Ledger.
For their study, the researchers surveyed over 58,000 volunteers who provided their Facebook Likes, demographic profiles, and the results of several psychometric tests. The researchers then performed a regression analysis on the Likes and other data to predict details about the individual users. Turns out: the model works quite well. Researchers found they were able to correctly discriminate between homosexual and heterosexual men in 88% of cases, and discern the profiles of African Americans and Caucasian Americans in 95% of cases. Political affiliation was also reliably predicted: researchers could discern between Democrat and Republican in 85% of cases, the report found.
The report makes for good reading – even if it does tend to reinforce some cultural stereotypes. For example, researchers concluded that “the best predictors of high intelligence include ‘Thunderstorms,’ ‘The Colbert Report,’ ‘Science,’ and ‘Curly Fries,’ whereas low intelligence was indicated by ‘Sephora,’ ‘I Love Being A Mom,’ ‘Harley Davidson,’ and ‘Lady Antebellum.’” Wait – Curly Fries??"
chicksdaddy writes: "A security researcher who was looking for vulnerabilities in Facebook’s platform instead stumbled on a much larger hole that could affect scores of firms who rely on a secure file transfer platform from Accellion, The Security Ledger reports.
Writing on his blog on Monday, Israeli researcher Nir Goldshlager said he discovered the password reset vulnerability while analyzing an Accellion deployment that is used, internally, by Facebook employees. Goldshlager used public knowledge of the Accellion platform to access a hidden account creation page for the Facebook deployment and create a new Facebook/Accellion account linked to his e-mail address.
After analyzing Accellion's password reset feature, he realized that — with that valid account — he could reset the password of any other Facebook/Accellion user with some cutting and pasting and a simple HTTP POST request, provided he knew the user's login e-mail address — effectively hijacking the account.
Goldshlager said he informed Facebook and that the hole has been patched by Facebook and Accellion. However, other Accellion customers using private cloud deployments of the product could still be vulnerable."
chicksdaddy writes: "Social networks like Facebook and mobile devices like the iPhone have fundamentally changed the way children use the Internet, requiring a whole new set of online privacy protections for vulnerable minors. That was the message on Wednesday as the U.S. Federal Trade Commission (FTC) issued new guidelines for implementing the Children’s Online Privacy Protection Act (COPPA).
Among other things, the changes expand the list of information that cannot be collected from children without parental consent to include photographs, videos and audio recordings of children and geo-location information.
“Unless you get parental consent, you may not track children and use their information to build massive profiles of online behavior,” said FTC Chairman Leibowitz.
The new rules are a major revision to the COPPA rule, which was first passed in 1998. The law is a kind of privacy Bill of Rights and applies to children 13 years old and younger.
Other new rules bar advertisers from collecting geo-location information from kids, strengthen security requirements for kids’ data and close a loophole that allowed third parties to collect personal information from kids using plug-ins to kid-directed mobile applications and web sites. The update also extends COPPA to clearly cover persistent cookies that can track users across multiple web sites and third parties that contract with website operators.
Not covered under COPPA: mobile app stores, which have a broad audience and aren't targeted explicitly at the under-13 set. Stay tuned for more legislation to expand the protections afforded by COPPA to teenagers, the lawmakers said."
chicksdaddy writes: "The company that made headlines in October for publicizing zero day holes in SCADA products now says it has uncovered a remotely exploitable security hole in Samsung Smart TVs. If left unpatched, the vulnerability could allow hackers to make off with owners' social media credentials and even to spy on those watching the TV using built-in video cameras and microphones.
In an e-mail exchange with Security Ledger, the Malta-based firm said that the previously unknown ("zero day") hole affects Samsung Smart TVs running the latest version of the company's Linux-based firmware. It could give an attacker the ability to access any file available on the remote device, as well as external devices (such as USB drives) connected to the TV. And, in an Orwellian twist, the hole could be used to access cameras and microphones attached to the Smart TVs, giving a remote attacker the ability to spy on those viewing a compromised set.
However, Samsung might have a hard time fixing the hole. ReVuln, in keeping with company policy, is refusing to disclose any details of the vulnerability outside of its paying customer base."
chicksdaddy writes: "Google and Facebook already know everything about you – your interests, friends, tastes and even your movements. That’s a privacy nightmare. But researchers at the Georgia Institute of Technology’s Information Security Center (GTISC) think it could soon be a security nightmare, also.
According to Georgia Tech's “Emerging Cyber Threats Report 2013,” automated information systems could soon become a powerful tool in the hands of sophisticated attackers, who will look for ways to manipulate victims’ online profile — a kind of super SEO poisoning attack — that will steer them to certain (malicious) sites.
“If you compromise a computer, the victim can always switch to a clean machine and your attack is over,” said Wenke Lee, a professor at Georgia Tech’s College of Computing and director of the GTISC, in the report. “If you compromise a user’s search history and hence his online profile, the victim gets the malicious search results no matter where he logs in from.”"
chicksdaddy writes: "Google could tell you about its privacy practices except, well... they're private. That's the conclusion privacy advocates are drawing after the Federal Trade Commission took a black marker to an independent audit of the company's privacy practices before releasing it to the group EPIC in response to a Freedom of Information Act (FOIA) request.
Security Ledger is reporting that the FTC released a copy of a PricewaterhouseCoopers audit of Google that was mandated as part of a settlement with the FTC over complaints following a 2010 complaint by EPIC over privacy violations in Google Buzz, a now-defunct social networking experiment. However, the agency acceded to Google requests to redact descriptions of the search giant’s internal procedures and the design of its privacy program."
chicksdaddy writes: "File this one under "proof of the obvious," but researchers at the recent 4th International Workshop on Location Based Social Networks presented a paper proving that your activity on Foursquare can be used to reliably determine your hometown. A study of data on 13 million Foursquare accounts showed that researchers could infer “with high accuracy” where a particular user lives based on their accumulation of mayorships, check-ins and tips. Specifically: the researchers could correctly infer the home town of the Foursquare users 78% of the time, within an accuracy of about 50 kilometers. Security Ledger has the story."
chicksdaddy writes: "The U.S. Federal Communications Commission (FCC) and other government agencies should be doing much more to guarantee U.S. consumers that their mobile devices are safe from attack and malicious software, according to a report from The Government Accountability Office (GAO).
The GAO, which is the U.S. Government’s watchdog agency, found in its report that consumer mobile devices face an “array of threats” that take advantage of vulnerabilities that are common in mobile devices, but most consumers remain uninformed about the threats or proper mobile security hygiene, GAO said. It called on the FCC to “encourage” wireless carriers and handset makers to “implement a baseline of mobile security safeguards.”
The GAO also criticized the government for failing to monitor whether its current efforts to educate the public about cyber security, such as the DHS-led National Initiative for Cybersecurity Education (NICE), are working."
chicksdaddy writes: "The cloud-based hosting firm MediaFire has reversed a decision to suspend the account of virus researcher Mila Parkour after Naked Security raised questions about copyright violation complaints made against her by the mysterious firm LeakID.
In an email to Parkour on Friday, MediaFire's director of customer support, Daniel Goebel, said that the company was restoring Parkour’s access to her MediaFire account and apologized for the interruption in service.
MediaFire also said it was asking LeakID, the Paris-based firm that accused Parkour of sharing copyrighted material, to “confirm the status of the counterclaim [Parkour] submitted.” However, the firm is still blocking access to files that LeakID alleged were violating the US Digital Millennium Copyright Act (DMCA), a strict copyright enforcement law in the U.S."
chicksdaddy writes: "You can read about Zappos’ CEO Tony Hsieh on the company’s Web site, about how he sold his first company, LinkExchange, to Microsoft in 1999, at the age of 24, and joined Zappos as an advisor and investor, eventually rising to the company’s top post. What you might not learn is that Tony is an exercise enthusiast who gets his gear from Nikeplus.com, watches his favorite shows on the Internet streaming site Hulu, keeps up with his friends on Facebook and checks the value of his Amazon.com stock (Amazon bought Zappos in 2009) at Marketwatch.com. That lesser known information about Hsieh – a treasure trove for hackers — is public, all the same: leaked from e-commerce and social networking sites linked to the CEO’s @zappos.com e-mail address.
Hsieh is hardly alone. A newly released analysis by security researcher Cesar Cerrudo and reported by ITWorld.com found that executives like Hsieh, including many at Fortune 500 firms, frequently use their business e-mail addresses to access a wide range of prominent social media web sites. Cerrudo, the Chief Technology Officer of security firm IOActive Labs, scanned 30 prominent Web sites, uncovering 840 unique e-mail addresses of C-level corporate executives linked to 930 online accounts. They include 42 Facebook accounts linked to e-mail accounts for executives of firms such as oil giant Chevron, blue chip firm GE and financial services firms Chase.com and Morgan Stanley. Robert Iger, the CEO of Disney, uses his corporate e-mail to log in and watch movies on Netflix. Denise Morrison of Campbell’s Soup used hers to connect with friends on Facebook and make travel plans with United Airlines. Despite their deep rivalry, Steve Ballmer of Microsoft and Tim Cook of Apple both have accounts at the cloud-based file sharing service Dropbox.com linked to their corporate e-mail address, Cerrudo’s data suggests."
chicksdaddy writes: "With Wikileaks founder Julian Assange anxiously awaiting word from the government of Ecuador on his request for political asylum, a security researcher warns that the country's Ministry of Foreign Affairs, which is handling the Assange asylum request, is using a video conferencing system that is vulnerable to online snooping.
Ecuador's Ministry of Foreign Affairs (MFA) relies on a video conferencing system that is accessible from the public Internet and doesn't require a password to use, according to security researcher Dillon Beresford, who said he discovered the vulnerable conferencing system when searching online."
chicksdaddy writes: "In an 11-page bulletin, the Department of Homeland Security (DHS) is warning healthcare organizations about the threat posed by insecure, network-attached medical devices and the proliferation of Internet-connected smart phones and tablet PCs in medical settings.
DHS's National Cybersecurity and Communications Integration Center (NCCIC) issued the unclassified bulletin, "Attack Surface: Healthcare and Public Health Sector," on May 4. In it, DHS warns of a wide range of security risks that could expose patient data to malicious attackers, or make hospital networks and first responders subject to disruptive cyber attack. DHS recommends hospitals and health care organizations establish policies to manage the security of mobile devices within their organization."
chicksdaddy writes: "Threatpost has a write-up of a study by researchers at Carnegie Mellon University that provides the first conclusive evidence that Chinese government censorship extends to social media sites like Sina Weibo, the popular micro blogging Web site that many have likened to a Chinese Twitter.
The study, published in First Monday, an online publication of the University of Illinois, Chicago, found that censors in China delete around 16 percent of the messages submitted to Sina Weibo, the popular micro blogging Web site that many have likened to a Chinese version of Twitter.
The study, released in March, concludes that "soft censorship" in China — the removal of controversial subject matter from blogs and Web pages — is at least as popular as hard censorship, like the blocking of offensive sites. The result is suppression of news about events or individuals that are deemed threatening to the ruling Communist party."
chicksdaddy writes: "The security firm AlienVault reports that its own research on phishing attacks against non-governmental organizations supporting the Tibetan Government in Exile is now being used as bait in a new round of phishing attacks on those same NGOs.
The firm warned the public on Monday about a round of spear phishing e-mails being sent to NGOs related to Tibet. The e-mails mentioned previous research by the company on targeted attacks against Tibetan organizations. The phishing e-mails contain malicious links and attachments, including a new variant of a malicious program that can infect systems running Apple's Mac OS X operating system, AlienVault warned."