Archive for the ‘Privacy’ Category

Google Is Watching You

Tuesday, April 28th, 2009

I’m not a Gmail user, but recently on another discussion list it was brought to my attention that Google serves ads (of course) via that service. I had no idea, but it’s not at all surprising. Another contact told me that Google earns 97% of its revenue based on online advertising. That’s a lot of money.

One of the points that Google makes is that this is how it “pays” for the service. “Gmail users can’t opt out of receiving ads because these sponsored links help Google support the cost of providing Gmail for free to our users. Instead of serving pop-ups and untargeted banner ads, Gmail displays text ads using our contextual advertising technology. These ads should be relevant to the content of your messages and we hope you’ll find them useful.” Italics mine.

The bad thing about this is that sometimes there are unintended consequences. According to one colleague, “a large proportion of my email is from people with questions about abusive teen boot camps: I get ads for them alongside the emails detailing horrible abuse at the places.” The whole thing is handled via Google’s ‘AdSense’ program, which is the same engine that generates all those context-sensitive ads on other web pages.

Now, you can remove these ads if you want. There is, for example, a Firefox add-on called CustomizeGoogle that will remove the ads from view (or most of them). However, this just means you’re not seeing the ads. Google is still, for all intents and purposes, “reading your mail.” This doesn’t mean real, live humans are parsing your messages and clucking disapprovingly about your taste in friends or clothing. It means Google’s systems are scanning your emails in order to decide which ads are “relevant” to your experience.

Exactly how much of this information is stored and retained by Google is unknown. The company is very tight-lipped about its data retention policies. Maybe they know that John Smith of 123 Main St. in Wakita Oklahoma regularly exchanges mail about drug addiction clinics or gambling services. Or maybe it’s all just aggregated together, de-identified (i.e. all personally identifying data removed), and used to improve ad statistics.

Who knows. But be careful what you send over email. It’s likely someone is able to see it.

Feds Increase Internal Monitoring

Thursday, April 23rd, 2009

Everyone knows the Internet isn’t secure, and that a significant amount of traffic consists of (a) malware of some type embedded in spam or (b) hacking attempts from non-email sources. The former is fairly obvious. The latter consists of probe attacks against potentially unguarded ports, password-cracking attempts, and other hacking.

One of the big problems is finding a way to capture and eliminate that traffic before it actually reaches vulnerable systems. It’s like any other security effort — stopping thieves before they get through your door is far more efficient than laying traps around the house or locking everything you own inside a safe. Hence, the US government is deploying the “Einstein” system, which is an IDS (Intrusion Detection System) that’s designed to monitor and provide early warnings about suspicious traffic flowing into or out of Federal computers.

IDS systems are nothing new, and have been around for some time now. They’re in regular use throughout government, university, and corporate sites and are basically designed to inform personnel of suspicious activity (e.g. “there were 300 failed login attempts on system X in the last 5 minutes”). They look for patterns, known attack styles, and generally suspicious activity. The issue here is that these boxes are also being deployed on commercial ISP systems — AT&T, Qwest and Sprint to name a few. That’s raised some eyebrows.
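To make the “300 failed login attempts on system X in the last 5 minutes” rule concrete, here is a small sliding-window detector. It is an added example, not part of Einstein or any real IDS; the log format, host names, and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for this example (not from any particular product).
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+)$")


def parse_line(line):
    """Return (timestamp, host, event), or None for a line that does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return ts, m["host"], m["event"]


def detect_bursts(lines, threshold=300, window=timedelta(minutes=5)):
    """Alert once per burst when a host sees `threshold` failed logins within `window`.

    Events for each host are expected in time order.
    """
    recent = defaultdict(deque)   # host -> timestamps of failures still inside the window
    alerting = set()              # hosts currently over threshold (suppresses repeat alerts)
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] != "login_failed":
            continue
        ts, host, _ = parsed
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:     # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            if host not in alerting:
                alerting.add(host)
                alerts.append({"host": host, "first": q[0], "last": ts, "count": len(q)})
        else:
            alerting.discard(host)
    return alerts


def constructed_sample():
    """Constructed log: 300 failures on systemX in under 5 minutes, slow noise on systemY."""
    start = datetime(2009, 4, 23, 10, 0, 0)
    lines = [f"{(start + timedelta(seconds=i)).isoformat()} host=systemX event=login_failed user=admin"
             for i in range(300)]
    lines += [f"{(start + timedelta(minutes=i)).isoformat()} host=systemY event=login_failed user=bob"
              for i in range(20)]
    lines += ["garbage line", f"{start.isoformat()} host=systemY event=login_ok user=bob"]
    return lines


if __name__ == "__main__":
    for alert in detect_bursts(constructed_sample()):
        print(f"{alert['count']} failed logins on {alert['host']} "
              f"between {alert['first']} and {alert['last']}")
```

The occasional failures on systemY never trip the rule, which is the point of pairing a count with a time window.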

The effort is part of the US government’s “Trusted Internet Connections Initiative, which aims to reduce the number of Internet access points operated by federal agencies and to protect the remaining Internet access points with a standard suite of managed security services.” This makes sense, since the current infrastructure certainly involves everything from home-grown IDS software to various commercial applications. Having a unified set of tools in place means each access point is secured identically by software with known characteristics.

Of course, that’s a potential problem as well. If a hacker cracks one site secured by this software, it means they’re all vulnerable to the same hack. That’s not good.

Privacy analysts are also concerned that Einstein will be used to monitor non-Federal traffic. There’s no indication that’s happening, but it’s definitely a concern. There’s enough horsepower out there to dissect and analyze every packet that traverses the Internet. The question is whether the Feds are interested, and whether they’ll follow the law. Given warrantless wiretaps and other legally debatable actions under the Bush administration, it’s one that needs asking.

How Private is Your Life?

Wednesday, April 8th, 2009

Loss of privacy is one of the consequences of our increasingly digital lives. We lose a bit more of our privacy every time we add our data to another social networking site, bank, or email account. Our purchases are tracked and monitored by marketing companies whenever we use a credit or debit card. Consumer loyalty programs (like those that give you cash back or better discounts at the grocery) are used to further track what we buy, when, and so forth.

If you’re worried about privacy, pay with cash.

As I’ve noted before, other areas of our privacy are also threatened. Advertisers online track our location based on IP address, and send “targeted advertising” commissioned by local retailers to our browsers when we visit certain websites. And obviously the government looks for patterns or habits that might indicate someone’s association with crime or terrorism.

Now it turns out another aspect of our privacy is under attack: broadcasters now want to send ads to your TV based on exact knowledge of your habits and personal finances. Under this program, you might suddenly “see a commercial for the Mustang convertible you’ve been eyeing — with a special promotion from Ford, which knows you just ended your car lease.”

While there’s nothing wrong with advertising, there is something wrong with the basic model that’s in use today. In the past, a great deal of advertising was of the “opt in” variety. You signed up to receive a catalog from Sears or some other retailer you found interesting. Or you opened a newspaper and thumbed through the Sunday advertising sections. The consumer made the decision to view ads they found interesting. That’s all well and good.

Today, however, the model is moving more toward an “opt out” scheme. Consumers have to tell retailers specifically not to send ads, catalogs, or other promotional materials. In the US they’re allowed to track consumer habits and share information almost at will. For every company that swears it’ll never sell your data to someone else, there are probably a hundred that will.

If this concerns you, and it probably should, write your elected officials. At the very least, look for all those opt-out buttons and check boxes that allow you to opt out of advertising gimmicks.

Saving a few bucks is a fine thing. Sacrificing your privacy to do so may be too high a price.

Hacked, Phished, and Almost Hooked

Tuesday, March 10th, 2009

Recently a friend sent me a panicked email. Seems she’d received an email from a known friend’s account containing the following (email addresses and sender name altered, but the message allegedly originated from a common ISP).

From: xxx xxxxx
Subject: Hello
To: xxxxxxxxxxxxxxxxx@yyyyyyyy.com
Date: Friday, March 6, 2009, 2:46 AM

I hope this message finds you in best of health. I had traveled to the UK for official purposes, Unfortunately for me all my money was stolen at the hotel where I lodged, I am so confused right now, I don't know what to do or where to go,I didn't bring my phone here, I have access to only emails, Please can you send me $3500 today so I can return home, As soon as I get home I would refund it immediately. Write me so I can let you know how to send it. Keep this to your self only please!!. Thanks

Regards,

My friend responded to the email — big mistake — only to receive another from the same friend stating that her account had been hacked and the first message was forged. Happily, my friend’s personal details weren’t compromised. As far as we know.

Let’s review the message. The first suspicious aspect is that the subject is simply “hello.” Would that be an appropriate greeting from someone in trouble and in need of emergency aid? Then there’s the total lack of any personalization — there’s no “Dear Jane” or any other indication the sender knows the recipient. It’s also unsigned, which is suspicious.

The tone and grammar are also all wrong. It looks like it was written by someone whose first language wasn’t English. And last, the “From” and “To” addresses were identical. This last detail in and of itself is enough to arouse suspicion in most people who have used email for a while.

Such phishing expeditions are common, and many people are hooked by them. My friend might have compromised at least her email account details. Happily, her friend caught the problem early and (I hope) has changed all her passwords.

Be aware. Don’t get hooked.
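The checks from the review above that can be done mechanically (generic subject, no personal greeting, no signature, identical “From” and “To”) are sketched below. This is an added example, not a tool mentioned in the post; the addresses and both sample messages are constructed, and tone and grammar are not assessed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

GENERIC_SUBJECTS = {"", "hello", "hi", "hey"}
CLOSINGS = {"regards", "best regards", "kind regards", "thanks", "sincerely", "cheers"}
# A salutation followed by a capitalised name, e.g. "Dear Jane" or "Hi Sam,".
GREETING_RE = re.compile(r"^(?i:dear|hi|hello|hey)\s+[A-Z][a-z]+")

# Constructed sample modelled on the message quoted in the post.
CONSTRUCTED_PHISH = """\
From: A Friend <friend@example.com>
To: friend@example.com
Subject: Hello

I hope this message finds you in best of health. All my money was stolen at the hotel where I lodged. Please can you send me $3500 today so I can return home. Keep this to your self only please!!. Thanks

Regards,
"""

# Constructed ordinary message for contrast.
CONSTRUCTED_BENIGN = """\
From: Jane Doe <jane@example.com>
To: sam@example.org
Subject: Lunch on Thursday?

Hi Sam,
Are we still on for Thursday at noon?

Jane
"""


def plain_body(msg):
    """Return the first text/plain part of the message, or an empty string."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload()
    return ""


def phishing_indicators(raw):
    """Return the names of the warning signs found in a raw RFC 822 message."""
    msg = message_from_string(raw)
    lines = [l.strip() for l in plain_body(msg).splitlines() if l.strip()]
    found = []

    subject = (msg.get("Subject") or "").strip().lower().rstrip("!. ")
    if subject in GENERIC_SUBJECTS:
        found.append("generic_subject")

    if not lines or not GREETING_RE.match(lines[0]):
        found.append("no_personal_greeting")

    # A signature is taken to be a short final line that is not just a closing word.
    last = lines[-1].lower().strip(" ,.!") if lines else ""
    if not last or last in CLOSINGS or len(last.split()) > 4:
        found.append("unsigned")

    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    if sender and sender == recipient:
        found.append("from_equals_to")
    return found
```

No single sign is conclusive on its own; it is the combination, as in the message above, that should make you stop.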

Maintaining Online Privacy

Tuesday, March 10th, 2009

A fairly significant percentage of users who frequent the Web have at least registered for a social networking site of some type. Millions of people (even, possibly, your grandparents!) have Facebook accounts, and don’t forget about Digg, LinkedIn, Plaxo, Twitter, and dozens of others. While most sites take significant steps to protect your account from online hacking, I suspect few users bother to think about the information on their public profile.

Consider this scenario: you register on Facebook using your real name, and have listed your full date of birth along with your home town and age. That amount of information is probably enough for someone to steal your identity by obtaining a copy of your Social Security number. Or maybe they’ll decide to register for a driver’s license under your name, claiming you’ve just moved into a new area.

Now, let’s say you’ve also mentioned the town you’re presently living in. Full name + your town + a quick visit to Switchboard.com or another address-lookup site probably means a stalker or ID thief can find your current address and phone number. Try it sometime. As a test, I randomly picked a Facebook friend who had her name and current location listed. I obtained her full address and phone number in under 30 seconds.

Don’t laugh — incidents like these are by no means rare. And while I don’t want you to abandon social networking sites, I do suggest you take certain steps to keep unwanted individuals away from your contact or personal details. On Facebook, for instance, you can set your personal (profile) information to be accessible only by acknowledged friends. Other sites almost certainly have similar options available.

If they don’t, then you should either avoid them or provide only a bare minimum of personally identifying information. I also recommend obtaining a “sacrificial” email account, maybe on Yahoo or Gmail, and using it when registering for social networking sites. Such accounts can be abandoned easily, and using them can also help identify where spam is originating. If you suddenly start getting spammed on an account you’ve only ever used when registering on LinkedIn, you can be reasonably certain it was the source of the leak.

It also goes without saying (though I’ll say it anyway) that you should never post SSN, credit card, or other sensitive data on social networking sites. Remember: the more information someone can find, the easier it is for them to hijack your identity. An address here, a birth date there, a maiden name somewhere else, and pretty soon a thief has amassed a lot of background data. Be wary, be private, and keep your information safe.

Terms of Service

Wednesday, February 18th, 2009

One of the consequences of the Internet revolution is social networking sites like Facebook and MySpace, where users can share huge amounts of (often highly personal) data. Unlike old-style “personal web sites” where users were in complete control of their own content, social networking sites are hosted by third parties who deal with things like backups, archiving of data, and so forth. One of the most obvious questions about such sites is: do you still own the data after you’ve posted it, or does it become the property of the site?

In general, the first question is answered by the Terms of Service (ToS) agreement you probably ignored when you signed up for the site. Most social networking sites state pretty explicitly that users continue to own data they’ve posted and don’t surrender any rights by making the information public. Thus it was interesting last week when a storm of outrage erupted over Facebook’s recent change to its ToS agreement.

The problem appears to have been the legalese phrasing of the new terms, which seemed to indicate that Facebook was taking ownership of any data posted to the site. As you can imagine, users took serious exception to this and apparently bombarded the site with complaints. No one apparently noticed the change (does anyone ever read ToS agreements that are more than 10 words long?) until a blog called The Consumerist broke the story with a posting entitled “Facebook’s New Terms Of Service: ‘We Can Do Anything We Want With Your Content. Forever.’”

Needless to say, Facebook has since backtracked on its position and is reverting to its older (and apparently less legalese-infected) ToS.

Personally, I doubt the company ever intended to claim ownership of user data. Given today’s intellectual property rights debates, attempting to do so probably would have driven away a huge percentage of its user base. And just why would any company want to assert ownership over users’ vacation photos, personal musings, and diary entries? What would be the point?

This said, it might be a good idea to read those ToS agreements before signing up blindly for access to any site. Unless you do, you’ve no idea what rights you might be signing away.

Passport RFIDs Cloned

Thursday, February 12th, 2009

If you have a newer US passport, you probably know it’s been embedded with an RFID (Radio Frequency ID) chip containing a unique identifier keyed to your personal data. Many credit cards, drivers’ licenses, and other ID paraphernalia also contain RFID chips to speed identification and (allegedly) lower the possibility of fraud or unauthorized duplication. Like the old “hologram on credit cards” idea, it was thought too difficult for fraudsters to obtain equipment capable of overcoming these measures.

As usual, the experts (and the governments) were wrong. A researcher has managed to sniff and clone RFID data from passports, drivers’ licenses, and other cards using off-the-shelf equipment that costs less than $250. And he did it in his spare time. As a test, he managed to grab 2 passports with the device while cruising the streets of San Francisco for 20 minutes.

Mind, these aren’t the standard-sized US passports most travelers are used to seeing. Instead, they’re special use alternatives and “about 750,000 people have applied for the passport cards, which are credit card-sized alternatives to passports for travel between the US and Mexico, Canada, the Caribbean, and Bermuda.” Plus, only 2 states are using the “EDL” or Enhanced Drivers’ License units at present.

To show how easy the process was, consider the equipment: the researcher’s device is just a laptop, an RFID scanner, and an antenna, plus easy-to-write software that he developed. This application “continuously prompts the RFID reader to look for tags and logs the serial number each time one is detected.” Adding insult to injury, “he bought most of the gear via auctions listed on eBay.” It has “a range of about 30 feet, making it ideal for discretely skimming the EDL and passport card tags of people who pass by his vehicle.” There’s little difference between this and skimming credit card data from a hacked ATM.

I really don’t know when governments will figure out that they need better technologists and solid peer review of new systems prior to deployment. As it is, they’ve exposed 750,000 unwitting citizens (at least) to identity theft because officials didn’t want to believe the new system could be hacked. But any system can be hacked, as any hacker can tell you. All it takes is talent, will, and a willingness to challenge assumptions.

Twitter Hacked

Wednesday, January 7th, 2009

In a further sign that spam and phishing attacks against social networking sites are on the rise, a recent attack on the popular Twitter service resulted in fake “tweets” being published on the accounts of multiple celebrities. The attacked accounts included that of President-elect Obama (who’d have thought he’d have an account?).

According to an announcement by Twitter executives, the attack was accomplished by “an individual who hacked into some of the tools our support team uses to help people do things like edit the email address associated with their Twitter account when they can’t remember or get stuck.” Very clever. Basically the hacker gained administrative access to the Twitter user-management system and used this to compromise multiple accounts. That’s a lot more efficient than compromising individual user accounts, since it’s almost guaranteed to result in a higher level of damage and disruption.

Further, the attacker apparently has been identified. It was reported that “an alleged 18-year-old prankster admitted to running a dictionary attack against what he assumed was a popular user, but who turned out to be a Twitter administrator.” Hacking an administrative account is more or less akin to finding the Administrator password to a Windows machine, or gaining root access to a Linux box.

What’s worrisome is that a dictionary attack against an administrative user succeeded in the first place. Doesn’t Twitter have any password-strength monitoring in place? One would think they’d have password checkers to prevent the use of dictionary words, especially by users with enhanced security credentials. If they don’t, and you’re a Twitter user, you should definitely check your own password to make sure it’s strong enough to resist an attack.
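Here is roughly what such a password checker looks like, with a stricter rule for administrative accounts. It is an added example and not Twitter’s code; the wordlist is a tiny constructed one, and the length limits are assumed policy values.

```python
import re

# Constructed wordlist for the example; a real check would load a large dictionary
# plus lists of passwords seen in breaches.
WORDLIST = {"password", "dragon", "monkey", "sunshine", "letmein", "twitter"}

# Common character substitutions undone before the dictionary lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def derived_forms(password):
    """Lower-cased variants with digit/symbol affixes stripped and substitutions undone."""
    p = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)   # "dragon123!" -> "dragon"
    forms = set()
    for base in (p, core):
        plain = base.translate(LEET)
        forms.update({base, plain, base[::-1], plain[::-1]})
    return forms


def check_password(password, privileged=False):
    """Return the reasons a password is rejected; an empty list means it passes."""
    reasons = []
    min_len = 14 if privileged else 8          # assumed policy values
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    hits = sorted(derived_forms(password) & WORDLIST)
    if hits:
        reasons.append(f"derived from dictionary word '{hits[0]}'")
    elif privileged:
        # Stricter rule for administrative accounts: no dictionary word anywhere inside.
        flat = password.lower().translate(LEET)
        inside = sorted(w for w in WORDLIST if w in flat)
        if inside:
            reasons.append(f"contains dictionary word '{inside[0]}'")
    return reasons


if __name__ == "__main__":
    for pw, admin in [("dragon", False), ("P@ssw0rd!2009", False),
                      ("MyDragonAccount1", True), ("vTq9#Lm2xW4$rZ8k", True)]:
        print(pw, "admin" if admin else "user", check_password(pw, admin) or "ok")
```

Swapping letters for look-alike symbols or tacking a year on the end does not get a dictionary word past the check, which is exactly the kind of password a dictionary attack tries first.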

The same paranoia should be used on other social networking sites, since phishing attacks are definitely on the rise. While email spamming is still immensely popular, social network sites tend to be a bit more loose in terms of security (as this incident shows). This will change over time as these sites beef up their access requirements. In the meantime, be vigilant and careful. Don’t click on suspicious messages or applications. Keep your password strong and secure. Watch for bogus messages asking you to “log back in” to social networking sites.

The Hazard of Public PCs

Wednesday, December 10th, 2008

Many of us use public machines, whether in Internet cafes, schools, or other locations. Few think about the danger involved, and I’d bet most users just presume the systems are kept fastidiously clean of malware. Sadly, that’s not always the case. A recent study conducted on 300 machines located in wire-transfer shops in the LA area found 60% were infected with malware of various types.

That’s just bad. Here you have machines that are used daily by people conducting financial transactions of all types, and over half are infested with viruses that include (of all things) keyloggers. That means that criminals in various locations are receiving personally identifying information from hundreds, if not thousands of unsuspecting users every business day. An audit of these machines found that “some infected machines held troves of private data, from Social Security numbers to credit card numbers to tax documents.” Is it any wonder that identity theft is on the rise, given this pathetic situation?

According to a representative of the wire transfer agencies that run these shops, “most transactions are for less than $300, which makes the hassle of intercepting a transfer and forging an ID and getting someone in place to steal the delivery potentially more costly than the crime is worth.” It’s still a problem, and $300 is a lot of money for most people. The amount isn’t really the issue, though. If SSN and credit card numbers, not to mention tax information, are being stolen, it means criminals have enough information to steal an individual’s identity. That spells a whole lot more trouble than $300, if someone decides to act on that information.

The lesson is clear: don’t trust any public machine, since you have no idea how well it’s maintained or protected. Assume the worst, i.e. that the last user probably surfed to unsafe locations and the machine is filled with malware. Don’t enter private data, since a keylogger could be waiting to snare your password or other sensitive information.

Some public machines are well maintained and can be reloaded at will using a known good OS image that’s free of viruses, but you should presume otherwise unless you’re certain you’re the first user since the last rebuild.

Wholesale Domain Hijacking

Thursday, December 4th, 2008

As if infected files and malware weren’t enough of a problem on their own, a recent incident showed it’s possible for a whole domain to be hijacked via what may have been DNS poisoning. The popular CheckFree site was hijacked by a known criminal gang recently, and an unknown number of users were redirected to the bogus site.

The misdirection was discovered by a CheckFree user, who reported it to security staff. The user had noticed the site’s SSL certificate was bogus, so he checked the IP address and found it led back to a notorious IP (91.203.92.63) well known to be inhabited by criminals.

Not only was it the source of the DNS hijack effort, but the same IP has been used for a whole list of serious infractions. This is a list “that includes running botnet command channels and various drive-by download sites. According to security researcher Paul Ferguson of anti-virus software provider Trend Micro, the IP address was recently observed handing off booby-trapped PDF files that infected those unfortunate enough to open them.”

If you’re a CheckFree user, you’ll probably be receiving a message from the legitimate administrators informing you of this serious event. While it’s currently unknown how many users’ personal information was compromised, investigators believe the DNS redirection was active for “about five hours” before being shut down.

While “security experts say DNS poisoning wasn’t out of the question, the more likely explanation is malicious transfer of the domains through their registrar. Indeed, whois records for both the addresses indicate they were updated sometime Tuesday.” What this means is that someone hacked into the registrar database for this particular domain, and changed the registered CheckFree IP address to that of the criminal gang’s server.

The lesson is clear. When you visit any site involving personally identifying data, be sure it’s the real site and not an imposter. If you see a suspicious-looking SSL certificate alert or other odd event, stop. Check with someone you trust to see if the site is legitimate. Don’t just “OK” the alert and move on, or you could become an identity theft victim.