About Me

Bay Area, CA, United States
I'm a computer security professional, most interested in cybercrime and computer forensics. I'm also on Twitter @bond_alexander. All opinions are my own unless explicitly stated.

Tuesday, October 19, 2010

Facebook's most recent privacy controversy

I was listening to the radio this morning and heard an interesting discussion of Facebook's most recent privacy issue (first reported by the Wall Street Journal).  I follow Graham Cluley's blog so I was completely not surprised to learn that the source of this privacy leak (it's nowhere near big enough to be a "breach") was Facebook applications.  However, I was surprised to learn that they weren't talking about the genuinely malicious applications out there.  Instead, this is what the WSJ was concerned about:
The information being transmitted is one of Facebook's basic building blocks: the unique "Facebook ID" number assigned to every user on the site. Since a Facebook user ID is a public part of any Facebook profile, anyone can use an ID number to look up a person's name, using a standard Web browser, even if that person has set all of his or her Facebook information to be private.
OK, so what's the concern here?  It's just the number that uniquely identifies your Facebook profile, plus the information you've marked Public and the information that you specifically authorize the application to collect.  If you don't read the page that comes up every time you try to add an app, you should.

This is really nothing new.  It's amazing to me that people look at these free apps and don't bother thinking about what the app developer stands to gain from this.  It all goes back to what our parents should have taught us back in elementary school: nothing in life is free.  The best modern phrasing I've seen about this is "If you are not paying for it, you're not the customer; you're the product being sold." - Blue Beetle.  Facebook (and their apps) and Google both buy our personal information with fun toys and features.  They purchase our information because it's valuable to advertisers.

If you're aware of this, you can make an intelligent decision about whether or not you really want to play MafiaWars or FarmVille.  Is that toy adequate payment for the information they're asking for in exchange?  If so, go right ahead and play that game knowing what you're exchanging.  If not, then don't.

The much bigger issue, in my opinion, is the genuinely malicious Facebook apps, the ones that post spam to your wall or persuade you to fill out surveys for them.  They're fundamentally dishonest about what they're doing, and they impersonate the user to spread their spam.

Thursday, October 7, 2010

Computer security is everyone's responsibility

Computer security is like physical security.  If any of us creates a vulnerability, we're all vulnerable.  It's like college dorms: if you prop the door open or leave a window open, someone can use that vulnerability to steal from me.  The same is true with computers, although the situation is massively amplified because someone can use your computer plus several thousand or million others in a botnet to attack my computer or company.  As a result, we're all in the security game together.  I may have better security than you, and the NSA may have much better security than me, but you can help keep us all a little safer by improving your computer's security.

There are lots of sites out there that have good advice for aspects of computer security.  Many of them are targeted for techies or highly computer-savvy people.  However, I've just found a site called Securing Our eCity which provides advice and presentations for both families and businesses about computer security basics and current topics like some of the recent social networking viruses and online bullying.  If you have an interest in computer security (and if you're reading this blog, you probably do), take a look and see what you think.  Share it with your friends to let them know how they can stay safe online.  If we all help each other, we can make the internet a safer place.

Tuesday, October 5, 2010

Cybercrime and law enforcement priorities

With all of the stories in the news these days about Stuxnet, the ZeuS botnet, spam, identity theft, cyberwar, the US Cyber Command, and hackers, it's easy to believe that cybercrime and computer security is a high priority for the US government.

However, a new analysis from Gary Warner of the CyberCrime & Doing Time blog claims that although cybercrime should be a high priority for US law enforcement, it's not.  He points out that despite the fact that cyber crimes are escalating dramatically, the FBI's budget is only increasing by 4%, creating only 347 new agent positions over the 2010 fiscal year.  There's only a 5.5% increase for the US Attorney's offices, which would of course be responsible for prosecuting the criminals that the FBI catches.

Officially, cyber crime is the FBI's third priority, behind terrorism and counterintelligence.  However, Mr. Warner points out that 51% of the FBI's budget is for counterterrorism.  Coming in at a distant second is major thefts/violent crime at 14.8% and third is "combat public and corporate corruption, fraud, economic crime, and cybercrime".  Obviously, the FBI's budgetary priorities don't match their stated goals.

The FY 2011 budget (October 2010-September 2011) shows some steps in the right direction.  They requested an increase of 163 positions for Computer Intrusions (63 agents and 46 analysts) and only 90 new positions for National Security Threats.  This isn't to say that national security issues are unimportant ... far from it!  It's that cybercrime isn't given a big enough share of the FBI's attention, and this will work towards correcting that imbalance.  After all, the FBI reports that in Fiscal Year 2008 (2009 was not complete when the report came out), out of 3,974 computer intrusion cases received, there were only 31 "priority" investigations successfully "satisfied" (the FBI's term; I don't know how they define it), resulting in 126 convictions/pre-trial diversions.  Granted, some of these cases will be unable to result in convictions because many hackers reside outside the country, but this week's arrests of computer fraudsters in the US, Russia, the UK and Ukraine show that with good international cooperation these thieves can be brought to justice.

Although these arrests are excellent progress, it's sobering to note that the 2010 Verizon/Secret Service Data Breach Investigations Report shows that the Secret Service added another 84 cases from 2009, for a total of 4,058 computer intrusion cases that got the attention of federal law enforcement (although it's possible that some of the FBI's cases are also in the Secret Service's report, I'm being optimistic).  Also in 2009, the Internet Crime Complaint Center reported 336,655 internet crime complaints, and only half of them were referred to law enforcement for action.  Obviously, we have no way of knowing how many breaches there were in total, as many are never reported or even discovered.  Also, the FBI statistic refers only to computer intrusions and the Secret Service statistic refers only to data breaches, so they're not equivalent figures.  Still, it seems clear that the FBI is under-equipped to deal with the vast amount of cybercrime out there today.

The FBI's cyber division and other federal cyber law enforcement agencies do excellent work fighting cybercrime, but without better support and budgets, they can't really cut down the amount of theft going on out there.  Far more people are victims of cyber crime than terrorism, yet terrorism always gets the media and political attention and the budgets that go along with it.  I feel we need to better support the FBI's cyber division to fight back against these hackers.  What do you say, readers?  What's your opinion on the topic?

Full disclosure: I have applied for the FBI and would like to work in their cyber division.