PRISMBREAK The value of online identities Frank Ackermann, November - - PowerPoint PPT Presentation



SLIDE 1

PRISMBREAK

The value of online identities

Frank Ackermann, November 2013

SLIDE 2

2 PrismBreak, Frank Ackermann, prism.break@gmx.de, November 2013

disclaimer

  • This talk is focused on security awareness. This talk does not contain proof of concepts, shell code, scripts or other in-depth technical details.
  • The content of this talk does not reflect the opinion or security safety measures of current or former employers.
  • The talk is not related to websites or toys.

SLIDE 3

who am i

  • My heraldic motto: “Security is not my job – it is my passion!”
  • Working as an IT and Information Security Specialist for over a decade, focused on Security Management, Consulting and Architecture

  • Living and working in Düsseldorf, Germany
  • Contact: prism.break@gmx.de

SLIDE 4

agenda

  • The “PrismBreak”: Data gathering is becoming surveillance
  • The “Value”: Identities are becoming one of the future currencies

  • Conclusion

SLIDE 5

spin doctors & motivators

  • Identity theft and related fraud have increased
  • #winebloggers
  • Edward Snowden's awareness activity in June 2013 (→ 'Prism' Break)

SLIDE 6

thesis I

The PRISMBREAK

Data gathering is becoming surveillance

SLIDE 7

Prism

Source: [2]

SLIDE 8

Prism II

Source: [2]

SLIDE 9

not only Prism ...

  • FBI decided to merge data to protect against and identify criminals
  • Program name: Next Generation Identification
  • Project submitted: June 2004
  • Merger of biometric and classic data resources
  • Details:
    – fbi.gov/news/stories/2009/january/ngi_012609
    – fbi.gov/about-us/cjis/fingerprints_biometrics/ngi/ngi2/

SLIDE 10

commercial products

  • “Glimmerglass develops and integrates fast and agile cyber solutions to derive actionable information from optical and electronic signals.”

Source: [4]

SLIDE 11

surveillance society

  • Prism, Tempora, Xkeyscore, localization of mobile-users, automatic envelope-scanning, flight bookings, analyzing money-transactions... These are indicators of a surveillance society!
  • Google Picasa offers user-tagging and face-recognition (→ face move → picture tagging)
  • Giga-tagging (tagging and face-recognition) of large groups (e.g. football match) is widely used

  • Facebook's photo tagging

SLIDE 12

situation

  • "We know what you're going to do tomorrow," Mark Greene, Fair Isaac's chief executive, told investors earlier this year
  • "Data is good," Mr. Greene said in an interview. "The more data we have access to, the more insight we have."
  • → Rating system based on predictive analysis and decision management

SLIDE 13

history – isolated silos

  • Data used to be in silos
  • Private data, mostly non-electronic, was only shared in private forums
  • Some data was transferred to companies

[Diagram labels: Private data | Military/Intelligence | Private enterprise]

SLIDE 14

breakup of boundaries

  • Data is shared and used for several purposes
  • Companies get involved in managing data (big data, platforms, cloud, ...)

[Diagram labels: Private data | Private enterprise | Military / Intelligence]

SLIDE 15

affected future I

  • Historical and present data affect future reactions
  • Behavior and reactions are predicted
  • "We know what you're going to do tomorrow"

[Diagram labels: Private data | Private enterprise | Military / Intelligence]

SLIDE 16

affected future II

  • Leigh Van Bryan, Jan 2012: 'I'm going to destroy America and dig up Marilyn Monroe': British pair arrested in U.S. on terror charges over Twitter jokes
  • Algorithms support analysis on potential future behavior

SLIDE 17

conclusion thesis I

  • Data gathering is supporting surveillance
  • Indicators for a surveillance society are given
  • Enterprises and agencies are verifying mechanisms to analyze and predict behavior

SLIDE 18

thesis II

The VALUE

Identities are becoming one of the future currencies

SLIDE 19

the value of an identity

  • Information / Internet content stands on its own
  • The content's value is influenced by the platform
  • The value of this data can be enriched by the publisher's, producer's or developer's identity
    – e.g. news- and market-feed (financial)
    – e.g. product reviewer in a shopping-platform
    – e.g. political blogs or opinion-makers

SLIDE 20

blog and identity

  • *1997 weblog → *1999 we blog
  • Log = leave track
  • Examples:
    – Micro-blogging (e.g. Twitter, Facebook)
    – Online Journalism (e.g. news, weather)
    – Consumer generated advertising (e.g. Amazon-reviews, George Masters iPod ads, CokeLight/Mentos → www.eepybird.com)
    – Video- and audio blogging (e.g. YouTube)

SLIDE 21

making money with blogs

  • Spice up your income by adding
    – Affiliate marketing (per print/print-out, per lead, …)
    – Pay per click
    – Link-selling
    – Advertisement / banner
    to your blogs.

  • Is it worth doing this?

SLIDE 22

$$$

  • Examples
    – selbstaendig-im-netz.de stated 4-5K€ / month
    – blog.rankseller.de stated in their research that 13% of 2344 responders earned more than 1K€ / month
    – mongabay.com makes $15-18K / month
    – problogger.net made $250K in 2007

SLIDE 23

value of Facebook fan$

  • Syncapse, April 2013:
    – 1 fan of a product ≥ $150 for product owner.
    – Value (of each product's fan to a product) is reflected in the actions and interactions of each fan.
    – Social (and social networking) is a core marketing strategy

SLIDE 24

interactions and values

  • The value of an identity is linked to interaction with others
  • Online interactions become more significant and visible/traceable – therefore interactions themselves become more valuable


SLIDE 25

Amazon reviewer

[Screenshot labels: Total Reviews, Helpful Votes, Percent Helpful, Hall of fame!]

SLIDE 26

content and usage I

  • To produce value, content is created, shared and rated by other users

[Diagram labels: Platform, Tool, User A, User B, Content, Like, Follow, Rate]

SLIDE 27

content and usage II

  • Platforms are supporting the rating, evaluation and analysis of identities, behavior, content

[Diagram labels: Platform, Tool, Rate, Identity user A, User B, Content, Vendor, User A, Employees; "Analyze identity and content of e.g. user A"]

SLIDE 28

chances for business

  • The golden years of digital processing and big data analysis have only just begun

Source: [1]

SLIDE 29

challenges for business I

  • Breach of Sony's Network in April 2011 cost over EUR 120 million
  • Some trends business is following
    – data driven R&D (involve customers in dev. & test)
    – selling and trading data as a new revenue stream
    – process automation (e.g. Oyster Card, London)
    – enhanced data analyzing of shared sources

SLIDE 30

challenges for business II

  • What is missing?
    – increase privacy control for users
    – display how the data is used (transparency)
    – build data-driven organizations, not IT
  • Better security of data increases protection of identities and supports the sustainability and accuracy of data!

SLIDE 31

attack surface I

  • We still have a ton of vulnerabilities in our platforms and tools & issues with the basics!
    – Java → affects all web-platforms and tools like Tumblr, Twitter, Facebook
    – browser and browser-plugins
    – bloggers: WordPress & WordPress Plugins
    – web-content, links, XSS → advertising, fraud
    – internet and IPv4/v6
    – local applications and installations including OS

SLIDE 32

attack surface II

[Diagram labels: user knowledge & activity; tools & techniques; vulnerabilities & attackers; … growing …; reaching out for new features; #1, #2]

SLIDE 33

twitter-hacks

  • In 04/2013 the “Syrian Electronic Army” hacking-group attacked the twitter-accounts of #FIFA and FIFA-president #Joseph Blatter
  • Example of identity-theft for opinion making
  • Twitter was founded in 2006
  • Twitter introduced “login verification” (OTP via SMS, 2FA) in 2013 … but is not a default setting!

SLIDE 34

f8ke acc0unts

  • Platforms do not verify identities
  • Authenticity of accounts is untested
  • Fake-accounts can easily be set up. This enables social engineering
  • IDs and messages cannot be taken seriously

→ This all affects the plausibility of content and platform

SLIDE 35

data might be wrong

  • Sometimes data is incorrect because of religious or political bias, misquoting, inaccurate gathering or reporting ...
  • This is why we have to be skeptical until the motivation of the source is discovered

  • → Why are things free (of charge)?
  • → Would I sell my data to brands?
  • → Is the source trustworthy and reliable?

SLIDE 36

there ain't no such thing as a free lunch

  • Data, especially personal data, is becoming the future currency
  • Users trade information in exchange for perceived benefits (e.g. freemail services)

  • Who benefits from the input?

SLIDE 37

conclusion thesis II

  • Business is working hard to make money out of customers' data
  • Data, especially verified and qualified data, is highly valuable and can be taken as currency
  • Customers trade their data in exchange for functionalities and benefits

SLIDE 38

summed up

  • As always: First think, then act! → Do not leave your brain unattended!
  • The Internet does not forget
  • Read through terms & conditions, privacy policy, company's terms of use, cookie usage +++
  • When asking for customer / user-information: Offer control possibilities; allow less details
  • Eliminate unnecessary data; keep tabs on what's left [5]

SLIDE 39

Thank you. Contact prism.break@gmx.de

SLIDE 40

references

  • references / data / sources

Online news and feeds (e.g. Wall Street Journal, FAZ, BBC, Mail, ...)

'The nature of the future', Marina Gorbis

The value of a facebook fan 2013, Syncapse

[1] The value of our digital identity, 2012, BCG Group

Official sites (e.g. NSA, FBI, …)

[2] http://en.wikipedia.org/wiki/PRISM_(surveillance_program)

[3] http://www.hd-gbpics.de/blog/contentbilder/neuland-2.jpg http://newsfromneuland.tumblr.com/post/53360376853

[4] http://www.glimmerglass.com

[5] 2013 Data breach investigation report, Verizon

  • recommended

YouTube: Richard French: Surveillance Nation: Your Identity Exposed

YouTube: Homegrown Radicalization -- How Data Analytics Can Help Prevent Terrorism

faz.net/aktuell/feuilleton/debatten/ueberwachung/im-zeitalter-von-big-data-wir-wollen-nicht- 12545592.html

SLIDE 41

backup

SLIDE 42

identity-value

  • With the growth in the value of identities, surveillance and control are increasing

[Charts: value ($$$) plotted against popularity, with surveillance; value ($$$) plotted against amount of meta-data]

SLIDE 43

meme I

  • Wikipedia: A meme (/ˈmiːm/; meem) is "an idea, behavior, or style that spreads from person to person within a culture."
  • Examples: #Neuland, rage-comics → viral marketing
  • Can have a large effect on real- or online identity

SLIDE 44

meme II

  • Example #Neuland, Ms. Merkel, 19.06.2013 - 'Das Internet ist für uns alle Neuland' ("The Internet is new territory for all of us")
  • Expressions, when tied together with the significance of an individual, may transform into uncontrollable content

Source: [3]