computer FRAUD & SECURITY ISSN 1361-3723 March 2010
www.computerfraudandsecurity.com
Featured this month:
Sending the right messages
If it is to be truly successful, security requires engagement right across an organisation. It needs to be embedded in everyday operations and championed from both the top of an organisation and at a local level. It also needs effort and consideration to ensure that messages are appropriate to the likely audience, as well as shaped and communicated in a way that suits the different, but equally important, range of stakeholders. This article considers the challenge of promoting security policy by ensuring the message is appropriate and effective for the many different individuals likely to be involved and/or affected. The discussion draws upon theories of leadership, communication within organisations and ways of influencing organisational change, emphasising the importance of framing the message in the right way in order to maximise support from the different constituents of the target audience. A range of approaches are consequently identified that could form part of an overall promotion portfolio, based upon a combination of push and pull style mechanisms that are likely to appeal to different people in relation to different aspects of the overall message. Caroline Chipperfield and Steven Furnell explore this intricate subject.
See page 13...
Facebook forced into privacy business
Facebook is to set up a non-profit foundation to promote and develop the online privacy movement under a legal settlement reached this week.
The settlement is a result of a federal class-action lawsuit originally brought against Facebook over alleged privacy violations. Filed in August 2008, it focused on Facebook’s Beacon system, which, when originally introduced, posted information about users online without their permission. Facebook, which removed Beacon last November without admitting any wrongdoing, agreed to a $9.5 million settlement that was approved this week by a US district court judge. $6 million of that money will be used to set up a “digital trust fund” that will issue grants to organisations studying online privacy.
Facebook will occupy one of the three seats on the non-profit foundation’s board. The others will be taken by writer Larry Magid, and Chris Jay Hoofnagle, who heads the Berkeley Center for Law and Technology. “We’re pleased that [U.S. District Court Judge Richard] Seeborg has approved the settlement after carefully considering all opinions,” said a spokesperson for Facebook. “The independent foundation will fund worthy projects helping protect and improve internet users’ privacy, safety and security. We look forward to providing additional details on the foundation in the weeks and months ahead.” The fund was created largely because the payout under the settlement would
Continued on page 2...
Contents

NEWS
Facebook forced into privacy business (p. 1)
Auto dealership employee bricks car fleet (p. 2)
Netflix cancels contest sequel (p. 2)
Online crime effects getting worse (p. 3)
Lifelock accepts settlement (p. 3)
US lawmakers stymie proposed presidential internet powers (p. 4)

FEATURES
Underground credentials (p. 5)
Why would a Twitter account cost $1000 on criminal underground forums, whereas credit card information fetches only six cents per record? Amichai Shulman, CTO of Imperva, explores the strange, self-governing rationality of the market for illicitly-gained personal credentials.

Proving the negative (p. 8)
How can staff demonstrate that they aren’t acting insecurely: how do you prove that your staff have more secure habits now you have made them aware?

Buyer beware? (p. 10)
With the threat of POS tampering and other high-profile scams now a regular fixture in the news headlines, is it really possible to protect against fraud in electronic payment systems? David Birch, managing director of IT consultancy Consult Hyperion, explains.

From security policy to best practice: Sending the right messages (p. 13)
Successful security requires support and engagement right across the organisation. However, it is extremely unlikely that effective promotion will occur via generic approaches that attempt to target a diverse audience as a single group. This article considers theories of leadership, organisational communication, and ways of influencing change in order to identify a range of approaches that could form part of a portfolio of security promotion.

REGULARS
News in brief (p. 4)
Calendar (p. 20)
ISSN 1361-3723/10 © 2010 Elsevier Ltd. All rights reserved.
NEWS
Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Fax: +44 (0)1865 843973. E-mail: [email protected]. Web: www.computerfraudandsecurity.com
Publisher: Laurence Zipson. E-mail: [email protected]
Editor: Danny Bradbury. E-mail: [email protected]
Editorial Advisors: Silvano Ongetta, Italy; Chris Amery, UK; Jan Eloff, South Africa; Hans Gliss, Germany; David Herson, UK; P. Kraaibeek, Germany; Wayne Madsen, Virginia, USA; Belden Menkus, Tennessee, USA; Bill Murray, Connecticut, USA; Donn B. Parker, California, USA; Peter Sommer, UK; Mark Tantam, UK; Peter Thingsted, Denmark; Hank Wolfe, New Zealand; Charles Cresson Wood, USA; Bill J. Caelli, Australia
Production Support Manager: Lin Lucas. E-mail:
[email protected]
...Continued from page 1
be divided among too many people (3.5 million plaintiffs) to be worthwhile. However, privacy groups protested the mechanics of the settlement, arguing that Facebook shouldn’t be on the board of the trust fund, and also complaining that consumers should have received direct relief as a result of the settlement.
Auto dealership employee bricks car fleet
You’ve heard about Apple potentially bricking iPhones, but that’s small potatoes compared to remotely disabling whole fleets of cars using centrally controlled computer systems. That’s just what a 20-year-old employee of a Texas auto dealership is being accused of doing after he was laid off last month.
According to a report by Wired, Omar Ramos-Lopez, a former employee at the Texas Auto Center, was arrested after allegedly using a web-based vehicle immobilisation system to stop cars sold by the dealership from working. The Auto Center reportedly used a system from Pay Technologies called Webtech Plus. Designed to remotely disable cars whose owners are behind on their payments, the system can be made to remotely honk a car’s horn, or to prevent it from being started up. Ramos-Lopez is said to have had his account on the system closed when he left, but commentators close to the situation said that he gained access using another employee’s password. He was then allegedly able to set up a database of 1100 customers who had purchased vehicles from the Center’s four dealership lots, said the Wired story. He was able to disable the cars and set off their horns. Customers were calling the dealership in a confused state, asking why their horns were honking, and were forced to disconnect their batteries, said reports. Cars controlled by the Webtech Plus system are manipulated using a hardware device installed behind the dashboard, which is sent instructions via a wireless pager network. Cars cannot be stopped while they are in motion.
According to Texas Auto Center manager Martin Garcia, Ramos-Lopez was “pretty good with computers”, although the alleged hacker couldn’t have been that good; investigators tracked him down by finding an IP address for the offending Webtech sessions in system logs. You’d have thought that someone going to those lengths to gain revenge on a former automotive employer would have taken the road less travelled, and perhaps researched something like Tor before sparking up their browser.
Netflix cancels contest sequel
DVD rental company Netflix has quietly cancelled a sequel to its Netflix Prize, a contest to enhance its movie recommendation technology using anonymous user data.
After a Federal Trade Commission investigation, and a lawsuit attempting to block the sequel, Netflix’s chief product officer Neil Hunt posted a message on the Netflix blog announcing that the second contest had been cancelled. Netflix had used anonymous movie rental data, pulled from its large database of customer information, and invited contest participants to refine the movie recommendation algorithm using the data. However, researchers at the University of Texas managed to deanonymise some of the data in the list of 10 million movie rankings by 500 000 customers. They compared rankings and timestamps with public information in the Internet Movie Database. “We have reached an understanding with the FTC and [have] settled a lawsuit with plaintiffs,” Netflix said in a statement. “The resolution to both matters involves certain parameters for how we use Netflix data in any future research programs. In light of all this, we have decided to not pursue the Netflix Prize sequel that we announced on August 6, 2009.” Most of the comments on the company’s blog reacted negatively to the move, supporting the idea of a contest. “Trending towards the lowest common denominator just isn’t progress,” said one angry participant in the discussion.