Tuesday, June 25, 2013

Surveillance Society: 7 ways you're being watched, and didn't know it





A remote camera for the Los Angeles Department of Transportation is seen on Jan. 8, 1997. (AP / Michael Caulfield)



Andy Johnson, CTVNews.ca
Published Saturday, June 22, 2013 7:56AM EDT Last Updated Saturday, June 22, 2013 8:11AM EDT
 
We are being watched. That much we know.

This realization has hit home in recent weeks, after the National Security Agency in the U.S. admitted it tracks the metadata surrounding the billions of digital messages Americans send every day, searching for links that point to potential terrorist activities.

Then it emerged that Canada's NSA equivalent -- the Communications Security Establishment Canada -- also mines the metadata associated with the calls, texts and instant messages Canadians exchange, with similar goals.


But many Canadians don't realize that the way we spend our money, the things we look at online or share via email, even the stuff we "like" is being tracked, compiled and catalogued by private companies.

And we give them our approval to do so every time we log onto our favourite social media service or download the latest app for our smartphone.

Here are seven everyday ways you probably never even suspected you were being tracked, according to Keith Murphy, CEO of Ottawa-based Internet security firm Defence Intelligence.

The pictures you take every day without thinking twice

"When people take pictures, by default just about any smart phone will tag the geo-location information, the GPS co-ordinates of where and when that picture was taken, everything about your phone and potentially even your actual user data, every time you take a picture," Murphy tells CTVNews.ca.

"Even digital cameras do the same thing in a lot of cases."

And if it isn't your phone or camera sending out your private data, the social media services you use will generally oblige. Whether it's Instagram, Google's Picasa, Tumblr or Snapchat, almost all photo services also upload location and user information by default, along with the photo itself. Those tags live in the picture file's own Exif metadata, so they travel with it wherever you send it, including by email.
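
The geotag Murphy describes is a structured Exif segment inside the JPEG file itself, and anything that receives the file can read it. The script below is added here as an example and is not code from the CTV article or from Defence Intelligence: it assembles a small JPEG in memory with a constructed GPS sub-IFD for Ottawa, reads the coordinates back the way any upload service could, and then strips the segment so the position is gone. Only the Python standard library is used; the byte layout follows the TIFF 6.0 structure that Exif reuses, and the scan bytes are dummy filler rather than real image data.

```python
"""Read and strip Exif GPS data from a JPEG using only the standard library.
Constructed example: the JPEG is assembled in memory (SOI, an APP1/Exif segment whose
GPS sub-IFD holds Ottawa, dummy bytes in place of the scan); layout follows TIFF 6.0."""
import struct

SOI, APP1, SOS, EOI = b"\xff\xd8", b"\xff\xe1", b"\xff\xda", b"\xff\xd9"
EXIF_ID = b"Exif\x00\x00"
TAG_GPS_IFD = 0x8825                          # IFD0 entry pointing at the GPS sub-IFD
TYPE_ASCII, TYPE_LONG, TYPE_RATIONAL = 2, 4, 5
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x1, 0x2, 0x3, 0x4


def _entry(tag, typ, count, value_field):
    """One 12-byte IFD entry; value_field is the 4-byte inline value or data offset."""
    return struct.pack(">HHI", tag, typ, count) + value_field


def build_exif_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Return a JPEG-shaped byte string tagged with the given position (big-endian TIFF)."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)        # TIFF header; IFD0 at offset 8
    gps_ifd_off = 8 + 2 + 12 + 4                         # IFD0: count, one entry, next-IFD link
    data_off = gps_ifd_off + 2 + 4 * 12 + 4              # GPS IFD: count, four entries, link
    tiff += struct.pack(">H", 1) + _entry(TAG_GPS_IFD, TYPE_LONG, 1, struct.pack(">I", gps_ifd_off)) + b"\0\0\0\0"
    tiff += struct.pack(">H", 4)
    tiff += _entry(GPS_LAT_REF, TYPE_ASCII, 2, lat_ref.encode() + b"\0\0\0")
    tiff += _entry(GPS_LAT, TYPE_RATIONAL, 3, struct.pack(">I", data_off))
    tiff += _entry(GPS_LON_REF, TYPE_ASCII, 2, lon_ref.encode() + b"\0\0\0")
    tiff += _entry(GPS_LON, TYPE_RATIONAL, 3, struct.pack(">I", data_off + 24))
    tiff += b"\0\0\0\0"                                  # no further IFD
    assert len(tiff) == data_off
    for num, den in list(lat_dms) + list(lon_dms):       # deg, min, sec as RATIONALs
        tiff += struct.pack(">II", num, den)
    payload = EXIF_ID + tiff
    app1 = APP1 + struct.pack(">H", len(payload) + 2) + payload
    # SOS header plus filler standing in for entropy-coded image data (constructed)
    return SOI + app1 + SOS + b"\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\xaa" * 16 + EOI


def _segments(jpeg):
    """Yield (marker, raw segment); from SOS (or EOI) on, the remainder is one chunk."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        marker = jpeg[pos:pos + 2]
        if marker in (SOS, EOI):
            yield marker, jpeg[pos:]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length


def _read_ifd(tiff, off, e):
    """Map tag -> (type, count, 4-byte value field) for the IFD at offset off."""
    (n,) = struct.unpack(e + "H", tiff[off:off + 2])
    out = {}
    for i in range(n):
        p = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[p:p + 8])
        out[tag] = (typ, count, tiff[p + 8:p + 12])
    return out


def _dms(tiff, value_field, e, ref):
    """Three RATIONALs (deg, min, sec) at the referenced offset -> signed decimal degrees."""
    (off,) = struct.unpack(e + "I", value_field)
    parts = [struct.unpack(e + "II", tiff[off + 8 * i:off + 8 * i + 8]) for i in range(3)]
    deg, mins, secs = (n / d for n, d in parts)
    dec = deg + mins / 60 + secs / 3600
    return -dec if ref in ("S", "W") else dec


def extract_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None if there is no usable GPS IFD."""
    for marker, seg in _segments(jpeg):
        if marker != APP1 or seg[4:10] != EXIF_ID:
            continue
        tiff = seg[10:]
        e = ">" if tiff[:2] == b"MM" else "<"          # byte order declared by the TIFF header
        (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, ifd0_off, e)
        if TAG_GPS_IFD not in ifd0:
            return None
        (gps_off,) = struct.unpack(e + "I", ifd0[TAG_GPS_IFD][2])
        gps = _read_ifd(tiff, gps_off, e)
        if any(t not in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        lat_ref, lon_ref = (gps[t][2][:1].decode("ascii") for t in (GPS_LAT_REF, GPS_LON_REF))
        return _dms(tiff, gps[GPS_LAT][2], e, lat_ref), _dms(tiff, gps[GPS_LON][2], e, lon_ref)
    return None


def strip_exif(jpeg):
    """Copy the JPEG without its Exif APP1 segment(s); scan data is untouched."""
    out = bytearray(SOI)
    for marker, seg in _segments(jpeg):
        if marker == APP1 and seg[4:10] == EXIF_ID:
            continue
        out += seg
    return bytes(out)


OTTAWA = dict(lat_dms=[(45, 1), (25, 1), (15, 1)], lat_ref="N", lon_dms=[(75, 1), (41, 1), (24, 1)], lon_ref="W")

if __name__ == "__main__":
    photo = build_exif_jpeg(**OTTAWA)
    print(extract_gps(photo), extract_gps(strip_exif(photo)))   # (45.4208..., -75.69) None
```

Running the script prints the decoded position for the tagged file and None for the stripped copy. The same `extract_gps` walk over a real photo from a phone will show what the upload service sees; stripping the APP1 segment before sharing is the only reliable way to keep it out of the file, since the scan data does not depend on it.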

They're tracking you through your phone!

If this sounds scary - it is.

In 2011, security researchers revealed that iPhones were keeping a running log of the device's approximate whereabouts, stored unencrypted on the phone (and copied into its backups) as location co-ordinates with time stamps. If your phone was obtained by the wrong person, they would theoretically have access to a ton of information about your life.

Apple changed the behaviour in a later iOS update, shrinking the cache and leaving it out of backups, but the episode serves as a reminder that your phone uses information about where you are all the time, Murphy says.

"By default, most of the programs on your phone use location services, Google for example, to give you better search results. If you want to find a pizza place, it's using GPS to tell them: 'OK, you're in Ottawa or Toronto, let's only search for places close to that location.' "

Third-party companies also know your business

It's not just the company that made your phone that knows what you're up to. Any third-party app you install on an iPhone or Android phone and allow to use location services (in 2013, Android asked for that permission at install time and iOS prompted on first use) gets the same location data your phone is collecting.

"Even though you're not thinking about it, you're walking around, all those different programs, all those different companies, know where you're at, at all times," Murphy says.

"It's one thing if you want to trust Google or Apple -- though it's probably not the best idea -- but all the third-party vendors making applications for Apple and for Google are privy to that information as well."

I don't have a Facebook account. So I'm good, right? 

Wrong.

Say you don't have a Facebook account, but you check out the vacation pics your friend posted to his timeline. Murphy says Facebook will then set a cookie in your browser, and because the "like" button on other sites is loaded from Facebook's own servers, every page you visit that embeds one sends that cookie back to Facebook along with the address of the page you are reading, for as long as the cookie remains in your browser.

"A lot of people will say 'I don't use Facebook so what do I care? If you've ever looked at someone's Facebook posts or the pictures they've posted to Facebook, you're being tracked too," Murphy says.

The sites you use every day can 'see' what else you're looking at

We've all been creeped out by the appearance of seemingly tailor-made ads popping up in our Facebook feeds. Perhaps you're planning a camping trip, and suddenly outdoor gear retailers are blasting you with ads.

It's not shocking. At this point, we pretty much expect it. But every once in a while, an ad pops up that seems to take the creepiness to another level. An engagement ring store, just before you pop the question, for example -- something you know you haven't blabbed about on Facebook.

Murphy says that's because Facebook or Gmail can learn about the other sites we visit elsewhere on the web: those sites embed Facebook or Google content (buttons, analytics, ads), and as long as we're still logged in to the service in a different browser tab, the requests for that content carry our login cookie, so the visit is tied to our name rather than to an anonymous browser.

Google even admits that Gmail scans the content of our emails for keywords it can use to target ads.

"It's not anonymous anymore. They know your name, your birthday, they know you're going to this site, staying for that long, and so on and so forth," Murphy says.

Are rewards cards worth the risk?

It's hard to resist the allure of a good rewards card. Whether it's a Home Depot credit card, a Shoppers Drug Mart Optimum card or Air Miles, we use them all the time to get discounts, member benefits or to accrue points towards free stuff.

What most of us don't realize, Murphy says, is that those reward services are keeping a detailed record of what we buy, and when and where we buy it - valuable information that is typically being collected by third-party marketing or advertising firms, and can be sold to other retailers.

Facial recognition software means anyone can find you

Is your picture Google-able? Has a friend ever posted your photo to their unprotected Facebook page? Has your image been sent to Twitter or Flickr? Chances are you answered 'yes' to one or all of those options. And if so, anyone who really wants to can probably find out your name, and a lot more.

"You can take a picture of someone on the street and within a few minutes on the Internet, chances are good you can find out exactly who that person is, exactly who their friends are, exactly what they like and don't like, where they shop and so on. And that's just through commercially available facial recognition software," Murphy says.

Monday, June 17, 2013

Establishing Rapport with a Suspect

We all know someone whom we respect and admire. It may be a teacher, coach, pastor, scout master, friend or parent. Assume that we committed a crime of some sort and this admired individual sat down and said:

"We both know you made a mistake and we also both know that the right thing to do is to tell the truth. For everyone concerned let people know why this thing happened. Did you plan this out, or did it just happen on the spur of the moment? I don't think that you would ever plan something like this out, it was just the spur of the moment, wasn't it?"

Because of the established trust and respect felt toward this individual, we would very likely listen to his statements, nod our head in agreement, and confess that what we did happened on the spur of the moment.

On the other hand, if the person who said these words was a stranger whom we believed was just out to punish us and did not care about our well being, reputation or self-image, we would likely challenge the individual to prove our guilt and continue to deny involvement in the offense. The difference between these two situations is that in the first the communicator has an established rapport with the suspect.

In most professional interactions (physician, attorney, therapists, investigator) rapport is defined as "a relationship marked by trust and conformity." In other words, if my doctor recommends that I get a particular medical test I will schedule the test because I trust the advice of my physician and perceive her/him as looking out for my best interests and acting as an advocate for me.

For obvious legal reasons, an investigator should not make statements designed to convince a suspect that he or she is acting as an advocate for the suspect. However, to be effective the investigator must try to legally convince the suspect that he is someone who can be trusted and is a fair and objective person.

First Impression is Critical

Research has shown that within seconds after meeting a stranger a strong and lasting impression of the stranger is formed. The investigator needs to be very aware of this first-impression effect. Upon entering the interview room the investigator should appear businesslike but not authoritative or threatening. For this reason, it is recommended that the investigator avoid introductions containing an authoritative title such as "Detective" or "Captain." For the same reason the investigator should not use emotionally charged language when referring to the purpose of the interview, e.g., "murder", "rape", "molest."

In a non-custodial case the initial introduction may be something like this: "Good morning, my name is Brian Jayne. Thank you for coming in to talk to me."


If the suspect is in custody, the introduction may be:

"Good morning Mr. Johnson. Last night someone took money from Jake's Liquor Store at gunpoint. I would like to ask you questions about that but before I can ask any questions I have to let you know that you do have the right to remain silent, any statement you make can be used against you in a court of law, that you have a right to an attorney and if you cannot afford an attorney one will be provided. Do you mind talking to me about this?"

Establish a Relationship with Suspect

After the initial introduction comes the relationship-building phase of rapport. The investigator's goals are, first, to establish his objectivity by asking non-accusatory questions and, second, to establish that the interview will follow a question-and-answer format. In addition, at this early stage of the interview, the investigator wants to establish the suspect's baseline behaviors (eye contact, communication style, emotional state, etc.) and make preliminary assessments of the suspect's intelligence, ability to understand the English language, mental health, etc.

The investigator may choose to initially engage in casual conversation with the suspect at the outset of an interview:

"Did you have any problems finding our office?"
"Did you come in on the Eisenhower?" "How bad was the traffic?"
"Do you think that we are ever going to see Spring this year?"

An especially effective technique to establish rapport with a suspect is to express sincere interest in some aspect of his life. For example, the investigator may notice a Marine tattoo on the suspect's forearm and ask when and where he served. Perhaps the investigator can comment that he attended the same high school as the suspect or lived in the same part of town. This personal attention or common experience provides valuable material to establish trust.

At some point the investigator will spend a minute or two asking the suspect non-threatening background questions under the pretense of gathering or confirming biographical information:

"Could you spell your last name for me?"
"What is your first name?"
"What is your marital status?"
"Do you have any children?"
"What is your current address?"
"How long have you lived there?"
"Does anyone else live there with you?"
"Are you presently employed?"
"Where do you work?"
"What school do you attend?"
"Have you declared a major?"
"Do you participate in any extra curricular activities?"

Establishing rapport with most suspects only takes a few minutes. If the suspect is extremely nervous or has been mistreated by a previous investigator and is therefore resentful, several minutes of non-threatening background questions may be required. What should be avoided, however, is a very lengthy (30-45 minute) rapport building session. Under this circumstance, referred to as "forced rapport," suspects may feel that the investigator is trying to manipulate them by delving into personal areas such as their childhood, personal values or hobbies that have nothing whatsoever to do with the issue under investigation.

An exception to this guideline is when establishing rapport with someone who is incarcerated. The incarcerated individual's daily routine is boring and a lengthy, non-threatening conversation with the investigator may be welcomed. Under this circumstance it is not unusual for the investigator to conduct dozens of interviews with the inmate over a period of several months.

Another consideration for an extended rapport-building period is the suspect's culture. Some cultures consider it rude to only have a peripheral social exchange before getting down to business. Under this circumstance it may be appropriate to spend an extended time with the suspect sharing personal information about each other's families or country before addressing the issue under investigation.

Establishing Structure to the Interview

The investigative interview is not an informal chat with a suspect. It is structured and purposeful. This means the investigator will ask prepared questions and document the suspect's responses with a written note following each response.

There are many benefits to taking active written notes during an interview. One of them is that active note taking slows down the pace of questioning. This creates a period of silence following each verbal response. It is during this period of 3-5 seconds that most significant nonverbal behaviors occur. This period of silence also allows the investigator time to analyze the suspect's response and make a decision to ask either a follow-up question or move to the next area of inquiry.

Conversely, if the investigator takes sporadic notes or only starts taking written notes when the suspect answers questions about the crime, the suspect will attach special significance to the fact that the investigator decided to take a written note. This may cause the suspect to be more guarded and less forthright in volunteering information, which is obviously undesirable.

In conclusion, establishing rapport with a suspect at the outset of an interview will be an important factor in determining the success of the interview. Rapport begins with a non-threatening and business-like introduction. The investigator then needs to establish the suspect's trust. This can be accomplished by asking non-threatening questions that appear to establish the suspect's identity or other important background information. It is also important that the investigator establish a pattern of taking written notes right at the outset of the interview.


--------------------------------------------------------------------------------------

This Investigator Tip was developed by John E. Reid and Associates Inc. Permission is hereby granted to those who wish to share or copy the article. For additional 'tips' visit www.reid.com; select 'Educational Information' and 'Investigator Tip'. Inquiries regarding Investigator Tips should be directed to Janet Finnerty johnreid@htc.net. For more information regarding Reid seminars and training products, contact John E. Reid and Associates, Inc. at 800-255-5747 or www.reid.com.

 Members of CPIRC.com receive special discounts on John E. Reid course registration fees and training materials.  The reduced seminar fee for the Reid open registration seminars is $395 U.S. (a savings of $155 from the standard $550 per person fee). The discounts are 10% or better on our products.

Monday, June 3, 2013

Yahoo to Users: Let Us Read Your Emails or -- Goodbye!

May 30, 2013 


NEW YORK - As of June 1, all Yahoo email users are required to upgrade to the company's newest platform, which allows Yahoo to scan and analyze every email they write or receive. According to Yahoo's help page, all users who make the transition agree to let the company perform "content scanning and analyzing of your communications content" to target ads, offer products, and perform "abuse protection."

This means any message that Yahoo's algorithms find disturbing could flag a user as a bully, a threat, or worse. At the same time, Yahoo can now openly troll through email for personal information that it can share or hold onto indefinitely. See: http://help.yahoo.com/kb/index?page=content&y=PROD_MAIL_ML&locale=en_US&id=SLN3254
Archived at: Yahoo mail upgrade.

Gay and haven't come out yet? Yahoo knows. Having an affair? Your spouse may not know — but Yahoo does. Any interests, ailments or projects you'd rather not share? You're sharing them with Yahoo, perhaps forever.

The new tracking policy affects more than just Yahoo account holders. Everyone who corresponds with a Yahoo email account holder will also have their own message content scanned, analyzed, and stored by Yahoo, even if they themselves have not agreed to Yahoo's new terms of service.

"Emailing through Yahoo means surrendering your privacy, whether it's your own account or your friend's," says Harvard-trained privacy expert Katherine Albrecht, who is helping to develop StartMail, an upcoming email service that will not scan its users' correspondence. "It's time we start paying attention to these policies, because they're growing more shockingly abusive every day," she added.

Where prior versions of Yahoo had tracking policies buried in the fine print, the company's tracking agenda is now openly stated in paragraph 2: "When you upgrade you will be accepting our ...Privacy Policy." That is, its anti-privacy policy.

Concerned Yahoo users are invited to check out StartMail, a completely private email program slated for release this Fall. Anyone who would like to be a beta tester can visit StartMail (www.StartMail.com) and sign up for the upcoming release.

Rest assured: That information will not be shared with anyone at all.

Especially not Yahoo.

For further details, please contact:

Katherine Albrecht, Ed.D.
U.S. Media Relations
StartMail Private Email // StartPage & Ixquick Private Search
www.StartMail.com // www.StartPage.com // www.Ixquick.com
+1 877-434-3100 ext. 5 [toll free]
+1 973-273-2125 [International]

E.U. Contact Person:
Alex van Eesteren
Sales & Business Development
StartMail Private Email // StartPage & Ixquick Private Search
www.StartMail.com // www.StartPage.com // www.Ixquick.com
+31-30-6971778

Thursday, May 9, 2013

Inadvertent Disclosure: Knowing The Risk

Things to consider when an employee releases sensitive data -- intentionally or not

 


By Christopher Burgess

May 07, 2013, CSO

"I'm sorry, it appears the information was inadvertently released."

"He was acting in a rogue manner. How were we to know?"

With those words, the security crisis-management team knows its red lines have been crossed.

Data that was expected to be protected is discovered not to have been afforded that protection. Or an employee is actively breaking internal processes and procedures and placing the enterprise at risk.

In either case, the subsequent damage assessment will either evolve into a productive introspective review or the age-old cover-your-backside exercise. Do these types of events really happen? You bet they do, and with great frequency. Let's take a walk through some recent instances.


On 10 April 2013, the US Department of Defense was afforded a surprise during a hearing of the House Armed Services Committee when Representative Doug Lamborn (Republican-CO) began quoting from an "unclassified" Defense Intelligence Agency (DIA) report on the nuclear capabilities of North Korea. Chairman of the Joint Chiefs of Staff General Martin Dempsey appeared to be surprised; even though Lamborn read from the document and asked Dempsey if he agreed with the assessment, Dempsey demurred with "I can't touch that one," and they sparred over the "unclassified" findings of a classified DIA analysis and whether or not they could be made public. The DIA apparently neglected to place appropriate classification markings on the North Korea assessment (Lamborn/Dempsey exchange).

What are the ramifications? This inadvertent disclosure put in the hands of a potential adversary (North Korea) the findings of the US Department of Defense regarding their nuclear capabilities. If this happened to the DIA, could it happen to entities which fall under the DOD's National Industrial Security Program? Absolutely. NISPOM Chapter 3 requires at least one training event per year for each cleared individual, so it pays to know what your NISPOM security training deck actually covers.

Over the course of the last several years, the US Department of Justice has been collecting some very notable fines from companies which, from any optic, should have had controls and processes in place to detect inadvertent disclosure, illegal business practices, and violations of the Foreign Corrupt Practices Act (FCPA), Securities and Exchange Commission (SEC) rules, the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR) and the Arms Export Control Act (AECA), all of which constitute violations of US federal laws and regulations.


Add to the mix the number of times employees compromise their employer's business ethics, whether motivated by greed, ego or simple inattentiveness, and the size of the issue becomes staggering.
Examples of the fallout:
  • US$800 million fine to Siemens AG under the FCPA, plus a €395 million fine levied by the Munich Public Prosecutor's Office, for activity which occurred from 1997-2007. The end result, following admissions of guilt, was a wholesale clearing of the C-suite at Siemens.
  • US$400 million to BAE PLC for attempting to defraud the United States; US$79 million for violating the AECA and ITAR; and £30 million to the United Kingdom's Serious Fraud Office.
  • US$75 million to United Technologies Corporation for ITAR and AECA violations.
As of February 2013, the US DOJ has more than 100 active major cases open which fall under the rubric of US Export Enforcement, Economic Espionage, Trade Secret and Embargo-Related crimes:
  • Feb 2013 - Thermal imaging scopes and cameras to Belarus
  • Feb 2013 - Ammunition to Jordan
  • Feb 2013 - Ammunition and Night Vision Goggles to Mexico
  • Jan 2013 - Trade Secrets to China
  • Jan 2013 - Sensitive Microwave Amplifiers to China and India
  • Jan 2013 - Hawk Air Defense Missile Batteries to Iran
  • Dec 2012 - Missiles, Aviation Equipment & Submarine Design Information to Terrorist Organization
  • Dec 2012 - Computer Components to Iran
  • Dec 2012 - Dual-Use Programmable Logic Devices to China
  • Dec 2012 - Information Technology Services and Support to Iran
  • Dec 2012 - Coatings for Rocket Nozzles and other goods to China and Taiwan
  • Dec 2012 - Carbon Fiber and Other materials to Iran and China
  • Dec 2012 - Prohibited Exports to Iran
  • Dec 2012 - Aircraft and Aircraft Components to Iran
  • Dec 2012 - Specialty Coatings to Pakistani Nuclear Facility
  • Nov 2012 - Inertial Navigational Units to UAE and Turkey
  • Nov 2012 - Military Antennas to Iran
  • Nov 2012 - Military Aircraft Parts to Iran
  • Oct 2012 - Restricted Microwave Amplifier Technology to China
  • Oct 2012 - Stolen Tactical Laser Illuminators Overseas
  • Oct 2012 - Military Aircraft Engines to Venezuela
The list goes on and on, 85 pages worth of such cases. As my co-author Richard Power and I wrote in "Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century": "Intellectual Property is your enterprise's lifeblood; is it safe, or are you in danger of being put out of business because a predator has shed that lifeblood? We found two profound but common misconceptions about intellectual property theft and economic espionage. One, that the threat of economic espionage or trade secret theft is of limited concern; the other, that the nature of the threat is sufficiently understood and adequately addressed."


The sheer number of such instances demands a new look at how data is classified, tagged and handled internally within an enterprise. If not to protect trade secrets and intellectual property, to ensure your ability to conduct commerce and stay out of DOJ prosecutors' target sights should be enough incentive.

Clearly we can no longer rely on government "classifying" officers to manually review every document for appropriate classification, nor should we simply drop a high level "Top Secret" classification on a document not requiring such. Similarly within enterprises, inadvertent sharing of protected data internally with international colleagues may be as damaging for a company as placing it in the hands of a foreign government. Again, data custodians and originators are expected to classify appropriately within their infrastructure to ensure the information is only available to those with a need and authority for access.

Many would say this is a data loss prevention (DLP) problem, and there is a plethora of solutions available to stop data from exiting via email, downloads and the like. How many of the aforementioned instances would appropriately configured DLP have been able to thwart? Some. Maybe none. DLP at the network edge only sees data that is already on its way out; what we need is to think about the solution from a different angle, and treat the issue as an assurance, compliance, privacy and data protection goal within the company infrastructure.

Every company knows what is important, be it the cutting-edge technological development or the customer/partner data entrusted to it. But do they know where it is? How confident are they that they know every location where this highly valuable data is stored? Some absolutely do a "keyword" search through the entire corpus of the enterprise and highlight, tag and reclassify every document containing the keyword. In the inadvertent disclosure of the DIA assessment's findings on North Korea, it appears the classification markings were the keyword of choice, when in reality the content of the entire document should have been the arbiter. Keywords work great as long as everyone uses them.

What is required is recognition of concepts and rules generation surrounding such concepts, across all documents within the corporate data set at creation or edit. In this manner, the originator is availed the strength of the enterprise's compliance rule set and with such recommendations on appropriate classification, tagging, and storage can be made to the originator. With such a system, integrated into one's DLP solution, you have your data protected from creation through edit to dissemination.
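
As an added illustration (not the author's or Prevendra's tooling), the following Python sketch implements the content-rule check the paragraph above describes: each rule pairs a protective marking with the terms that count as evidence for it, the declared marking is read from the document header, and a document whose content triggers a rule it is not marked for is blocked at edit time rather than at the network edge. The DIA case maps onto the first sample document: marked "UNCLASSIFIED" while the content says otherwise. The rule set, the marking names, the header format and the sample documents are all constructed for the example; a real rule set would come from the export-control, legal and privacy teams.

```python
"""Rule-based marking check for documents at creation or edit time (constructed example)."""
import re

# Each rule: label, regexes that count as evidence, and how many distinct
# evidence terms must appear before the label is proposed for the document.
RULES = (
    ("EXPORT-CONTROLLED", (r"\bITAR\b", r"\bUSML\b", r"\bEAR99\b", r"night[- ]vision",
                           r"inertial navigation", r"microwave amplifier"), 1),
    ("TRADE-SECRET", (r"\bproprietary\b", r"\bformulation\b", r"\bsource code\b",
                      r"\bcustomer list\b", r"\broadmap\b"), 2),
    ("PII", (r"\b\d{3}-\d{2}-\d{4}\b", r"date of birth", r"\bpassport (?:no|number)\b"), 1),
)
LOW_MARKINGS = {None, "UNCLASSIFIED", "PUBLIC"}          # markings that protect nothing
MARKING_RE = re.compile(r"^\s*MARKING:\s*([A-Z-]+)", re.M)  # assumed header convention


def derived_labels(text):
    """Labels whose rules fire on the content, with the distinct matched terms as evidence."""
    found = {}
    for label, patterns, threshold in RULES:
        terms = sorted({m.group(0).lower() for p in patterns for m in re.finditer(p, text, re.I)})
        if len(terms) >= threshold:
            found[label] = terms
    return found


def declared_marking(text):
    """The marking the originator put on the document, or None if there is none."""
    m = MARKING_RE.search(text)
    return m.group(1) if m else None


def review(doc_id, text):
    """Compare the declared marking with what the content implies and return a finding."""
    declared = declared_marking(text)
    derived = derived_labels(text)
    if not derived:
        action = "OK" if declared in LOW_MARKINGS else "REVIEW-OVERMARKED"
    elif declared in LOW_MARKINGS:
        action = "BLOCK-MISSING-MARKING"       # sensitive content with no protective marking
    elif declared in derived:
        action = "OK"
    else:
        action = "REVIEW-MISMATCH"             # marked, but not for what the content contains
    return {"doc": doc_id, "declared": declared, "derived": sorted(derived),
            "evidence": derived, "action": action}


DOCS = {  # constructed sample corpus
    "assessment-01": "MARKING: UNCLASSIFIED\nAssessment of night-vision goggle exports; ITAR review pending.",
    "spec-17": "MARKING: EXPORT-CONTROLLED\nInertial navigation unit, tolerance data attached.",
    "menu": "Cafeteria menu for Monday: soup, sandwiches, fruit.",
    "memo-3": "MARKING: TRADE-SECRET\nReminder: the parking lot is closed on Friday.",
    "r-and-d-9": "Proprietary formulation notes and the customer list for the Q3 roadmap.",
}


def run_all(docs=DOCS):
    """Review every document in the corpus and return the findings in corpus order."""
    return [review(doc_id, text) for doc_id, text in docs.items()]


if __name__ == "__main__":
    for f in run_all():
        print(f"{f['doc']:<14} declared={str(f['declared']):<18} derived={f['derived']} -> {f['action']}")
```

Two design points carry over to a real deployment: the evidence list is returned with the finding so the originator sees why a marking is being proposed rather than just being told "blocked", and the over-marked case is surfaced for review instead of silently accepted, because a "Top Secret" stamp on a cafeteria menu trains people to ignore markings.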

Thus the inadvertent disclosure becomes less likely to occur. In those instances where a rogue employee adjusts the content or otherwise games the system, detection comes early in the edit cycle. In all cases it is a win for the enterprise, a win for the customers and a win for the enforcement entities. We would all prefer the enforcement entities expend their limited resources on those entities created specifically to conduct criminal activity rather than on highly ethical enterprises which have stumbled in the past or lacked sufficient oversight.

Christopher Burgess is president and principal analyst of Prevendra LLC, a safety, security, intelligence and privacy focused enterprise.

Monday, April 22, 2013

Siri Still A Privacy Worry Despite Apple Spelling Out Policy

Apple came clean that it keeps anonymous Siri data for two years, but that has not quelled fears about corporate data privacy

 

By Antone Gonsalves
April 22, 2013, CSO

Apple's Siri personal assistant in the iPhone and iPad remains a risk to businesses, despite the company's disclosure that it anonymizes voice clips and deletes the data within two years, experts say.

Without advocating a ban on the use of Siri for employees who bring their own mobile devices to work, experts say companies have to weigh the risks carefully.

"Organizations need to consider Siri within the broader context of their corporate security and compliance guidelines," said Tyler Lessard, chief marketing officer for mobile security company Fixmo. "In short, there is no simple answer to suggest whether a company should, or should not, ban Siri."

Apple told Wired last week that it keeps Siri voice clips for up to two years. In addition, a random number is attached to the user, so the information is anonymized. The disclosure stemmed from an interview that followed an article in which Wired reported that parts of Siri's privacy policy were "fuzzy," and did not say how long the company kept the data.

Apple did not respond to CSO's request for comment.

Siri has always been a concern for organizations, because voice clips from employees using the service in business-related tasks would be stored on Apple's servers. Organizations have no way on their own to track or archive the data or to ensure it remains private.

In 2012, IBM banned employees from using Siri as part of a new set of bring-your-own-device (BYOD) policies. The company feared that conversations with Siri could include confidential information that should not be forwarded to Apple.

Dimitri Sirota, co-founder and chief strategy officer for Layer 7, said that, while draconian, IBM's approach was the right one once the company decided that Siri was out. "In an age of BYOD, the only sure fire way companies will be able to prevent leakage of confidential information is through policy and some kind of liability in case of deliberate leakage," Sirota said.

In some ways, Siri is similar to other cloud services that people use for work, oftentimes without the knowledge of their employers. Such services would include Web mail, social networks, such as LinkedIn, and document-sharing services, including Box, Dropbox and SugarSync.

 
While mobile device management software can limit how corporate applications use cloud services, including Siri, a clever employee can always find workarounds.

"For integrated services like Siri, the best policy is to verify the security policies of the cloud provider, but there will be no way around some level of trust," Sirota said.

The number of companies that allow employees to use their own devices has jumped from 10% in 2008 to 80% last year, according to a survey by Aberdeen. Companies like the productivity benefits of mobile technology and the reduced cost of not having to buy the hardware.

However, organizations today are increasingly placing limits on the use of such devices on corporate networks, and are deploying technology to separate business data from personal information.
