Privacy Digest

Google backs open-source CERT group - Via Network World :

Google has thrown its weight behind a fledgling security reporting group for the open-source community.

The search engine giant, long a proponent of open-source software, is now one of three sponsors of oCERT, the Open Source Computer Emergency Response Team.

Launched in late March, oCERT aims to be a clearinghouse for data on security vulnerabilities in open-source products, keeping open-source distributors on top of flaws and helping small software projects ensure that users of their code are aware of any issues.  read more »

Google Backs Open-Source CERT Group - Via Slashdot :

alphadogg points to a Network World story, excerpting
"Google has thrown its weight behind a fledgling security reporting group for the open-source community. The search engine giant, long a proponent of open-source software, is now one of three sponsors of oCERT, the Open Source Computer Emergency Response Team. Launched in late March, oCERT aims to be a clearinghouse for data on security vulnerabilities in open-source products.

(Read Original Article - Via Slashdot.)

Couple Sues Google for Posting House Pix - Via Wired News: Security Blanket:

PITTSBURGH (AP) -- A western Pennsylvania couple has sued Google Inc., saying pictures of their home on its Web site violate their privacy and devalued their property.

Images of the home Aaron and Christine Boring bought in the Pittsburgh suburb of Franklin Park in October 2006 appeared on Google's "Street View" feature, which allows users to find street-level photos by clicking on a map.

"A major component of their purchase decision was a desire for privacy," according to their complaint, filed Wednesday in state court, which also says the couple suffered mental distress.

The images must have been taken from the couple's long driveway, which is labeled "Private Road," and that violated their privacy, according to the complaint.  read more »

Gmail CAPTCHA Cracked - Via Slashdot:

I Don't Believe in Imaginary Property writes "Websense is reporting that Gmail's CAPTCHA has been broken, and that bots are beginning to sign up with a one in five success rate. More interestingly, they have a lot of technical details about how the botnet members coordinate with two different computers during the process. They believe that the second host is either trying to learn to crack the CAPTCHA or that it's a quality check of some sort. Curiously, the bots pretend to read the help information while breaking the CAPTCHA, probably to prevent Google from giving them a timeout message."

(Read Original Article - Via Slashdot.)

Google: Spam, Virus Attacks to Get More Clever - Via eWEEK :

Google's Postini team recommends enterprises guard against socially generated spam and virus attacks in 2008.

Spam and virus threats to enterprise messaging security and compliance may level off this year compared to 2007, but social engineering techniques are evolving to challenge businesses and security software providers, according to a new report released by Google's Postini team.

The report, released March 6 after Google's Postini team commissioned the study to survey 575 IT professionals, found that Postini data centers recorded 57 percent more spam and virus attacks in 2007 compared to 2006.  read more »

Google Seals DoubleClick Deal, Learns More About You - Via Threat Level:

Google finalized its $3.1 billion purchase of ad delivery giant DoubleClick Tuesday after European Union regulators ruled that the purchase does not violate anti-monopoly rules in Europe which removed the last legal hurdle for the hotly contested acquisition.

Microsoft hoped that regulators in Europe and the United States would block or attach conditions to the purchase as a way to slow Google's growing lead in online advertising and search. Privacy groups opposed the sale on the grounds it would give Google too much information about what individuals do on the internet and thus much power to shape what content is created online.  read more »

How Google Earth Ate Our Town - Via TIME magazine:

When they hear the telltale sirens of a fire truck bursting out of the station in Nanaimo, the locals don't need to look out of the window or tune in to newscasts to find out where the action is. Instead, they can simply log on to Google Maps or Google Earth and track the firefighters in real time as they tear down the streets of this Vancouver Island port community. The Google-enabling of Nanaimo's fire service, launched just weeks ago, is the latest venture in a British Columbia town that has been dubbed the capital of Google Earth.

"With Nanaimo, they have mapped nearly every conceivable thing using Google Earth and Google Maps," Michael Jones, Google Earth's chief technology officer, said last August at a conference in Vancouver. "Their citizens have more information about their city than the people of San Francisco."  read more »

Nanaimo, The Google Capital of the World - Via Slashdot: Your Rights Online:

eldavojohn writes "Time.com has up a story on Nanaimo, a British Columbia coal mining town of about 78,000 that has had everything conceivable mapped into a Google database. Citizens can track fire trucks real time. The results also include Google Earth data for Nanaimo. 'The Google fire service allows people to avoid accident sites by tuning electronic devices to automatic updates from the city's RSS news feed, says fire captain Dean Ford.  read more »

Google Puts Your Data in a Corner - Via The Nation:

Facebook is still feeling the heat over its Hotel California data policy, which hordes users' private information even after they try to desert the site. The Times' Maria Aspan has been all over this story, and her latest article reports that media and user pressure is forcing Facebook to finally let people completely extract themselves from the site. The company says this is a "technical" challenge, talking up codes and glitches. But the real motivator is money, of course, since social networking sites are in the business of monetizing the social graph. That means people are traffic and personal information is content. As Adam Cohen explains in The Times editorial section, Facebook has not exactly friended "privacy rights":  read more »

Security Holes In Google's Android SDK - Via Slashdot:

Redon Buckeye writes "Google's Android software development kit is using several outdated and vulnerable open-source image processing libraries, some of which can be exploited to take complete control of mobile devices running the Android platform.  read more »

Google Pulls Map Images At Pentagon's Request - Via Slashdot:

Stony Stevenson alerts us to a little mixup in which a Google Street View crew requested and was granted access to a US military base. Images from inside the base (which was not identified in press reports) showed up online, and the Pentagon requested that they be pulled. Google complied within 24 hours. The military has now issued a blanket order to deny such photography requests in the future; for its part Google says the filming crew should never have asked.

(Read Original Article - Via Slashdot.)

EFF Lawsuit Demands Records of Contacts Between Former Justice Department Official and Google - Via EFF: Breaking News:

Washington, D.C. - The Electronic Frontier Foundation (EFF) filed suit against the Department of Justice (DOJ) today, demanding information about communications between the DOJ's former top privacy official and Google, the official's current employer.

Jane C. Horvath was named the DOJ's first Chief Privacy and Civil Liberties Officer in February of 2006. At that time, Google was fighting a massive DOJ subpoena asking for the text of every query entered into the search engine over a one-week period. The DOJ request -- part of a court battle over the constitutionality of a law regulating adult materials on the Internet -- ignited a national debate about Internet privacy.  read more »

Google Gets Healthy - Via EFF: Deep Links:

In its endless quest to wring value from users’ personal data, Google is branching out into health records. The Internet search giant has just announced a pilot project that would allow users to combine all their personal health records (PHRs) -- information about prescriptions, allergies, injuries, health history etc -- into a single new service that would be as accessible as a Gmail account.

The convenience factor is clear -- the new service would make it easier for people who may have multiple health providers to make sure their doctors all have the same information. And for people who seek medical attention while traveling, the ability to bypass their HMO's byzantine bureaucracy in order to have a prescription filled might be welcome.

Google isn't the only business interested in helping people manage their health records. Microsoft launched HealthVault last year, and WebMD and Revolution Health are also competing in this area. These services are all part of a trend towards storing PHRs online, where they can be served up to the consumer, or to the consumer's health care professionals, instantly.

But how sure can you be that your PHRs remain private and secure once Google or some other company has them in its vast and constantly growing database? Who has access to that data, and what laws exist to protect it?

It isn't that there aren't privacy standards that seek to protect your health information. The Health Insurance Portability and Accountability Act (HIPAA) provides minimum privacy standards for records kept by health care providers and insurance companies -- standards that privacy advocates say don't go far enough. But as the World Privacy Forum recently pointed out, HIPAA’s limited protections won't necessarily cover records that are handed over to a third party such as Google:  read more »

Pakistan's Accidental YouTube Re-Routing Exposes Trust Flaw in Net - Via Threat Level:

A Pakistan ISP that was ordered to censor YouTube accidentally managed to take down the video site around the world for several hours Sunday.

The Pakistani government ordered ISPs to censor YouTube to prevent Pakistanis from seeing a trailer to an anti-Islamic film by Dutch politician Geert Wilders. YouTube has since removed the clip for violating its terms of service, but a screenshot of the film, available via Google, shows a crude drawing of a pig defecating with the word Allah underneath it.

Pakistan Telecom complied by changing the BGP entry for YouTube -- essentially updating its local internet address book for where YouTube's section of the internet is. The idea was to direct its internet users to a page that said YouTube was blocked.  read more »

Google to Test Medical-Record Service - Via washingtonpost.com - Business:

Google will begin storing the medical records of a few thousand people in a test of a health service that is likely to raise more concerns about the volume of sensitive information entrusted to the Internet search leader.

The pilot project announced yesterday will involve 1,500 to 10,000 patients at the Cleveland Clinic who agreed to an electronic transfer of their personal health records so they can be retrieved through Google's service, which will not be open to the general public.

Each health profile, including information about prescriptions, allergies and medical histories, will be protected by a password.  read more »

Google's Research on Malware Distribution - Via Slashdot:

GSGKT writes "Google's Anti-Malware Team has made available some of their research data on malware distribution mechanisms while the research paper[PDF] is under peer review. Among their conclusions are that the majority of malware distribution sites are hosted in China, and that 1.3% of Google searches return at least one link to a malicious site.  read more »

All Your iFrame Are Point to Us - Via Google Online Security Blog:

It has been over a year and a half since we started to identify web pages that infect vulnerable hosts via drive-by downloads, i.e. web pages that attempt to exploit their visitors by installing and running malware automatically. During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware. During the course of our research, we have investigated not only the prevalence of drive-by downloads but also how users are being exposed to malware and how it is being distributed. Our research paper is currently under peer review, but we are making a technical report [PDF] available now. Although our technical report contains a lot more detail, we present some high-level findings here:  read more »

SSL Gmail Not As Safe As You Thought - Via Threat Level:

One of the big stories at DefCon last year was a security researcher's demonstration of wirelessly sniffing users' session cookies while they accessed their e-mail accounts or conducted e-commerce transactions via wireless networks. The attack allowed a hacker access to the victim's Gmail or Hotmail account without needing to decipher the user's password.

Now the security researcher who presented that info has found that even using SSL HTTPS to access your Gmail account -- which was touted at the time as a surefire way to protect Gmail users against such an attack -- is vulnerable to this hack.  read more »