<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The Last Watchdog &#187; Imminent threats</title>
	<atom:link href="http://lastwatchdog.com/category/imminent-threat/feed/" rel="self" type="application/rss+xml" />
	<link>http://lastwatchdog.com</link>
	<description>on Internet security by Byron Acohido</description>
	<lastBuildDate>Tue, 07 Feb 2012 18:03:22 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.4</generator>
		<item>
		<title>Google execs lack clarity in closed-door briefing of Congress</title>
		<link>http://lastwatchdog.com/google-execs-lack-clarity-closed-door-briefing-congress/</link>
		<comments>http://lastwatchdog.com/google-execs-lack-clarity-closed-door-briefing-congress/#comments</comments>
		<pubDate>Fri, 03 Feb 2012 18:00:12 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[USAToday stories]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11960</guid>
		<description><![CDATA[By Byron Acohido, USA TODAY, 3Feb2012, P1B Google executives faced tough questions Thursday, in a meeting with members of Congress, about changes to the company&#8217;s privacy policy scheduled to go into effect March 1. However, the search giant failed to assuage lawmakers&#8217; privacy concerns stemming from the company&#8217;s controversial plans to step up the cross-referencing [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11962" href="http://lastwatchdog.com/google-execs-lack-clarity-closed-door-briefing-congress/google-logo150px/"><img class="alignleft size-full wp-image-11962" title="google logo150px" src="http://lastwatchdog.com/wp/wp-content/uploads/google-logo150px.jpg" alt="" width="150" height="139" /></a>By Byron Acohido, USA TODAY, 3Feb2012, P1B</p>
<p>Google executives<a href="/"> faced tough questions</a> Thursday, in a meeting with members of Congress, about changes to the company&#8217;s privacy policy scheduled to go into effect March 1.</p>
<p>However, the search giant failed to assuage lawmakers&#8217; privacy concerns stemming from the company&#8217;s controversial plans to step up the cross-referencing of data generated by consumers who use its popular online services, says Rep. Mary Bono Mack, R-Calif., who arranged the closed-door briefing.</p>
<p>Pablo Chavez, Google&#8217;s public policy director, and Michael Yang, its deputy general counsel, outlined how the company supplies consumers with a number of tools to protect their privacy. Lawmakers questioned whether tools that Google makes available to help consumers control their privacy were user-friendly and effective.</p>
<p>Rep. Joe Barton, R-Texas, says Chavez and Yang &#8220;danced around actual details, and instead spoke in generalities, highlighting their efforts to &#8216;enhance the user experience&#8217; — but at what cost?&#8221;</p>
<p>Bono Mack said she expects Google to proceed with its planned March 1 change.</p>
<p>&#8220;I don&#8217;t know that I got any more clarity than what I&#8217;ve been reading in the press,&#8221; says Bono Mack. &#8220;There&#8217;s a big concern in Congress about privacy, on both sides of the aisle.&#8221;</p>
<p>Public hearings on Internet privacy are planned for this spring, she says. And Google spokesman Chris Gaither says: &#8220;We&#8217;re happy to discuss our updated privacy policy with Congress.&#8221;</p>
<p>On Thursday, the Google officials were pressed on whether the company&#8217;s new policy enables a consumer to easily and completely delete a Gmail message or a record of a search for sensitive information, such as on a medical website.</p>
<p>&#8220;Consumers want to know if they hit the delete button, that something truly is deleted,&#8221; says Bono Mack.</p>
<p>Gaither made reference to Google&#8217;s stated privacy policy. The company aims to &#8220;maintain our services in a manner that protects information from accidental or malicious destruction,&#8221; the policy states. &#8220;Because of this, after you delete information from our services, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems.&#8221;</p>
<p>He added that the new privacy policy &#8220;does not change our archiving or deletion practices.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/google-execs-lack-clarity-closed-door-briefing-congress/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google execs to give closed-door briefing, CEO stays home</title>
		<link>http://lastwatchdog.com/google-execs-give-closed-door-briefing-ceo-stays/</link>
		<comments>http://lastwatchdog.com/google-execs-give-closed-door-briefing-ceo-stays/#comments</comments>
		<pubDate>Wed, 01 Feb 2012 00:47:55 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11926</guid>
		<description><![CDATA[Google CEO Larry Page won&#8217;t be testifying before Congress this week. In response to an invitation last week from Rep. Mary Bono Mack, R-Calif., who asked Page to appear and explain the company&#8217;s user policy changes, Page sent two subordinates to handle the matter. Google deputy general counsel Mike Yang and public policy director Pablo [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11927" href="http://lastwatchdog.com/google-execs-give-closed-door-briefing-ceo-stays/mary-bono-mack156px/"><img class="alignleft size-full wp-image-11927" title="Mary Bono Mack156px" src="http://lastwatchdog.com/wp/wp-content/uploads/Mary-Bono-Mack156px.jpg" alt="" width="156" height="144" /></a>Google CEO Larry Page won&#8217;t be testifying before Congress this week. <a href="http://content.usatoday.com/communities/technologylive/post/2012/01/google-to-give-closed-door-briefing-on-policy-changes-/1">In response </a>to an invitation last week from Rep. Mary Bono Mack, R-Calif., who asked Page to appear and explain the company&#8217;s user policy changes, Page sent two subordinates to handle the matter.</p>
<p>Google deputy general counsel Mike Yang and public policy director Pablo Chavez are preparing to deliver a closed-door briefing on Thursday, says Ken Johnson, Mack&#8217;s senior adviser. The audience will be restricted to members of the House Subcommittee on Commerce, Manufacturing and Trade, which Mack chairs. Rep. G.K. Butterfield, D-N.C., is the ranking subcommittee member.</p>
<p>Google announced last week that it will consolidate dozens of user agreements for its most popular services into one privacy agreement encompassing them all. Starting March 1, the company will have the ability, policy-wise, to correlate what a user does across most of its online services, whether the user accesses them in a PC web browser or via any Internet-connected mobile device running the Google Android operating system.</p>
<p>&#8220;These changes might not otherwise be troubling but for one significant change to your terms of service: Google will not permit users to opt out of this information collection and sharing across platforms and devices,&#8221; Mack says.</p>
<p><strong>All or nothing proposition</strong></p>
<p>Critics object to the all or nothing proposition. Any user of Google search, who also registers to use Gmail, Google Apps, YouTube, Google+, Picasa and other popular Google services, will be covered by the new, over-arching user agreement, says Jeffrey Chester, executive director of the non-profit Center for Digital Democracy.</p>
<div id="attachment_11936" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11936" href="http://lastwatchdog.com/google-execs-give-closed-door-briefing-ceo-stays/jeffrey_chester_90px-8/"><img class="size-full wp-image-11936" title="jeffrey_chester_90px" src="http://lastwatchdog.com/wp/wp-content/uploads/jeffrey_chester_90px7.jpg" alt="" width="90" height="122" /></a><p class="wp-caption-text">Chester</p></div>
<p>&#8220;This will make it harder for a user to opt out,&#8221; Chester says. &#8220;If you like even one of Google&#8217;s services, you&#8217;ll likely forgo the extra work and knowledge it takes to do more granular privacy control. This decision was designed to help Google boost revenues and avoid a clash with privacy cops in Europe.&#8221;</p>
<p>Google asserts that users will maintain &#8220;choice and control,&#8221; that Google is not collecting any more data than it already does and that its intent is to improve user experience.</p>
<p>Google and Facebook <a href="http://lastwatchdog.com/risks-rise-google-facebook-step-profiling/">are in a race </a>to actualize &#8212; and attempt to dominate &#8212; what some prognosticators believe is a mega-billion online advertising market on the verge of mushrooming. Each is seeking to <a href="http://www.nma.co.uk/opinion/google%B9s-privacy-changes-will-boost-mobile-ad-spend/3033665.article">compile and leverage</a> behavioral targeting data to woo advertisers. They are redoubling their efforts at indexing and profiling the activities and preferences of users of their free services. But that drive also plays right into the hands of cybercriminals and parties motivated to use profiling data unfairly against individual consumers.</p>
<p>&#8220;Google is not being honest with consumers about why it has made these changes,&#8221; says Chester. &#8220;The new policy is designed to blunt the impact of Europe&#8217;s ePrivacy law requiring forms of opt-in consent for cookies. Google understands European users will likely proactively say yes to all collection.&#8221;</p>
<p><strong>Europe&#8217;s unease</strong></p>
<p>Meanwhile, The Financial Times reports that Norwegian public sector agencies will be banned from using Google Apps due to concerns that the service could put citizens&#8217; personal data at risk. That would seem to cut off a toehold in Europe that Google achieved by getting the city council of Narvik to use Google Apps for its e-mail.</p>
<p>Last year the town of Odense in Denmark banned use of Google Apps in its schools due to concerns about leaving personal data at risk. The German government is also working on stricter data protection rules, and France has set up a patriotic venture with France Telecom and Thales to promote French cloud services over US rivals, the Financial Times reports.</p>
<p>&#8220;All these moves show that there is still a deep level of concern in Europe about the security of using US-based cloud computing providers, especially if there is any lack of clarity about where the data is physically being stored,&#8221; writes FT correspondent Maija Palmer. &#8220;Unease is exacerbated by the Patriot Act, which requires US companies to hand data over to US authorities, when asked, even if that data is stored in Europe.&#8221;</p>
<p>By Byron Acohido</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/google-execs-give-closed-door-briefing-ceo-stays/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Will Larry Page show up to testify before Congress?</title>
		<link>http://lastwatchdog.com/larry-page-show-testify-congress/</link>
		<comments>http://lastwatchdog.com/larry-page-show-testify-congress/#comments</comments>
		<pubDate>Mon, 30 Jan 2012 22:07:31 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11890</guid>
		<description><![CDATA[Google CEO Larry Page on Friday evening received a strongly-worded letter from Rep. Mary Bono Mack, R-Calif., challenging the privacy policy changes the search giant announced last week. Starting March 1, Google will be capable, policy-wise, of cross-referencing Internet user activity data compiled from its most popular services, including search, Google Apps, Gmail and YouTube. [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11891" href="http://lastwatchdog.com/larry-page-show-testify-congress/larry-page150x/"><img class="alignleft size-full wp-image-11891" title="Larry Page150x" src="http://lastwatchdog.com/wp/wp-content/uploads/Larry-Page150x.jpg" alt="" width="150" height="150" /></a>Google CEO Larry Page on Friday evening received a strongly-worded letter from Rep. Mary Bono Mack, R-Calif., challenging the<a href="http://www.usatoday.com/tech/news/story/2012-01-25/google-facebook-competition/52796502/1"> privacy policy changes</a> the search giant announced last week.</p>
<p>Starting March 1, Google will be capable, policy-wise, of cross-referencing Internet user activity data compiled from its most popular services, including search, Google Apps, Gmail and YouTube.</p>
<p>And it will be able, policy-wise, to do this across all PC web browsers and any mobile device using the Google Android operating system.</p>
<p>The Congressional letter, which was also signed by Rep. G.K. Butterfield, D-N.C., asserts that the policy changes &#8220;give rise to important questions regarding the impact on Google users.&#8221; Bono Mack invites Page to appear before the House Subcommittee on Commerce, Manufacturing and Trade to explain the ramifications of the changes.</p>
<p>&#8220;These changes might not otherwise be troubling but for one significant change to your terms of service: Google will not permit users to opt out of this information collection and sharing across platforms and devices,&#8221; she says. &#8220;Denying users an option to opt out of sharing their information across platforms and devices that they may otherwise strive to keep separate . . . appears to significantly reduce the spirit and substance of &#8216;meaningful choice.&#8217;&#8221;</p>
<p>Google spokeswoman Samantha Smith declined to say whether Page is inclined to accept the invitation. Smith referred USA TODAY to a <a href="http://googlepublicpolicy.blogspot.com/2012/01/setting-record-straight-about-our.html">blog post</a> put up last Thursday &#8212; a day before the date of Bono Mack&#8217;s invitation to Page &#8212; by Google policy manager Betsy Masiello, titled &#8220;<em>Setting the record straight about our privacy policy changes.</em>&#8221;</p>
<p>Google asserts that users of its ubiquitous online services, including Google&#8217;s crown jewel search service, will maintain &#8220;choice and control,&#8221; that Google is not collecting any more data than it already does and that its intent is to improve user experience.</p>
<p>Security analysts and privacy advocates<a href="http://www.usatoday.com/tech/news/story/2012-01-26/facebook-google-privacy/52809946/1"> worry</a> that Google&#8217;s moves to boost advertising revenue could play into the hands of cybercriminals, as well as groups motivated to use data about how people behave online unfairly against them; for instance, to deny insurance coverage, decline to hire someone, or to manipulate voters.</p>
<p>Bono Mack and Butterfield respectfully request that Page appear before Congress no later than Feb. 3.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/larry-page-show-testify-congress/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google, Facebook say privacy rules bad for economy</title>
		<link>http://lastwatchdog.com/google-facebook-privacy-rules-bad-economy/</link>
		<comments>http://lastwatchdog.com/google-facebook-privacy-rules-bad-economy/#comments</comments>
		<pubDate>Fri, 27 Jan 2012 22:56:56 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11912</guid>
		<description><![CDATA[They may be battling each other tooth-and-nail to win over online advertisers. But Google and Facebook are on the same side when it comes to opposing new data-handling privacy laws fast-gelling in Europe and the U.S. On Wednesday, the European Union formally proposed strict rules that could restrict much of the systematic tracking and profiling [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11913" href="http://lastwatchdog.com/google-facebook-privacy-rules-bad-economy/switzerland-davos-forum/"><img class="alignleft size-full wp-image-11913" title="Switzerland Davos Forum" src="http://lastwatchdog.com/wp/wp-content/uploads/Sheryl-Sandberg2_150px.jpg" alt="" width="150" height="126" /></a>They may be battling each other tooth-and-nail to win over online advertisers. But Google and Facebook are on the <a href="http://www.usatoday.com/tech/news/story/2012-01-26/facebook-google-privacy/52809946/1">same side </a>when it comes to opposing new data-handling privacy laws fast-gelling in Europe and the U.S.</p>
<p>On Wednesday, the European Union <a href="http://www.npr.org/2012/01/27/145950487/eu-outlines-online-privacy-recommendations">formally proposed strict rules </a>that could restrict much of the systematic tracking and profiling Google and Facebook routinely do of Internet users, as part of delivering targeted ads to them.</p>
<p>If Europe&#8217;s new rules are implemented as expected in 2013, the tech rivals could face hefty fines, up to 2% of annual revenue, for any violations. In Google&#8217;s case that translates into a maximum penalty of $800 million.</p>
<p>On Tuesday, Facebook Chief Operating Officer Sheryl Sandberg<a href="http://www.allfacebook.com/facebook-europe-sandberg-2012-01"> delivered a statistics-filled speech </a>at a tech conference in Munich outlining how Europe&#8217;s proposed rules are very likely to stymie the global economy. She reiterated those themes on Wednesday and Thursday while participating in the World Economic Forum in Davos, Switzerland.</p>
<p>Sandberg called for a &#8220;regulatory environment that promotes innovation and economic growth.&#8221;</p>
<p>Google spokesman Chris Gaither echoed Sandberg&#8217;s argument. He says the search giant &#8220;supports simplifying privacy rules in Europe to both protect consumers online and stimulate economic growth.&#8221;</p>
<p><strong>Cross-device tracking</strong></p>
<p>Meanwhile, refinements announced this week by Google and Facebook, about how each tracks and profiles Internet users, added heat to the domestic debate over the need for new data privacy rules here in the U.S.</p>
<p>Google signaled that it will begin cross-referencing user data compiled from its most popular services, including search, Google Apps, Gmail and YouTube, as well as across all PC web browsers and <a href="http://www.washingtonpost.com/business/economy/google-privacy-policy-who-will-be-affected-and-how-you-can-choose-what-information-gets-shared/2012/01/26/gIQA69fNVQ_story.html">any device using the Google Android operating system.</a></p>
<p>The stickler: Users won&#8217;t be permitted to &#8220;opt out&#8221; of having their Google activities correlated.</p>
<div id="attachment_11919" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11919" href="http://lastwatchdog.com/google-facebook-privacy-rules-bad-economy/steve-pociask90px/"><img class="size-full wp-image-11919" title="steve pociask90px" src="http://lastwatchdog.com/wp/wp-content/uploads/steve-pociask90px.jpg" alt="" width="90" height="129" /></a><p class="wp-caption-text">Pociask</p></div>
<p>“The reports of Google’s privacy changes, which will allow no opt out, raise grave concerns for consumers who are growing increasingly concerned about their privacy online,” says Steve Pociask, the president of the American Consumer Institute. “Google’s dominance of online search and its history of disdain for privacy protections and consumer transparency makes these changes even more worrisome.</p>
<p>“Whether it’s illegally collecting user data through its Street View product, hiding its privacy policy or settling with the FTC for violating its own privacy policy with Google Buzz, the company has proven that it has little regard for the privacy rights of consumers.”</p>
<p>Both Google and Facebook are moving to extend intelligence gathering and behavior profiling to mobile devices. Google’s Android operating system runs the popular Droid series of smartphones, and Facebook Timeline features a digital GPS system, says Alisdair Faulkner, CEO of computer-security firm ThreatMetrix.</p>
<p>Meanwhile, the non-profit group SafeGov, which monitors security issues for federal, state and local government agencies, is alarmed that Google&#8217;s new policy could put workers who use Google Applications for Government, a paid service, at heightened risk.</p>
<p>&#8220;Google should not be data-mining information in e-mails, text messages, searches and documents that workers are putting into Google services,&#8221; says Jeff Gould, SafeGov security analyst. &#8220;It&#8217;s a matter of not making government workers unnecessarily exposed to hackers and to inadvertent disclosures of information.&#8221;</p>
<p><strong>Not thinking it through</strong></p>
<p>Google Vice President Amit Singh says Google&#8217;s new privacy policy for consumer data is superseded by data privacy provisions in contracts with government agencies and other organizations that use the paid version of Google Apps.</p>
<p>&#8220;As always, Google will maintain our enterprise customers&#8217; data in compliance with the confidentiality and security obligations provided to their domain,&#8221; says Singh.</p>
<div id="attachment_11920" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11920" href="http://lastwatchdog.com/google-facebook-privacy-rules-bad-economy/jeff-gould90px/"><img class="size-full wp-image-11920" title="Jeff Gould90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Jeff-Gould90px.jpg" alt="" width="90" height="135" /></a><p class="wp-caption-text">Gould</p></div>
<p>But Gould checked the city of Los Angeles&#8217; contract with Google and found that the data-privacy provision referred back to Google&#8217;s policy for consumers. &#8220;They didn&#8217;t think through the consequences for government users,&#8221; Gould says.</p>
<p>Meanwhile, Google is busy fielding inquiries from a handful of politicians who&#8217;ve proposed legislation that would restrict online tracking and establish rules for data privacy.</p>
<p>&#8220;Amazingly, we still don&#8217;t have a law that sets the rules of the road for fair information practices that everyone collecting, using, and distributing people&#8217;s personal information must adhere to,&#8221; says Sen. John Kerry, D-Mass.</p>
<p>Kerry and Sen. John McCain, R-Ariz., continue to work for passage of the Commercial Privacy Bill of Rights. &#8220;Until Congress acts, Google and the rest of its competitors will continue to set that standard themselves.&#8221;</p>
<p>Rep. Ed Markey, D-Mass., notes that &#8220;Googling is like breathing for millions of kids and teens &#8211; they can&#8217;t live without it.&#8221; Markey, who has also been critical of Facebook&#8217;s tracking practices, is calling on the Federal Trade Commission to review Google&#8217;s new no-opt-out policy.</p>
<p>&#8220;Consumers &#8211; not corporations &#8211; should have control over their own personal information, especially for children and teens,&#8221; says Markey.</p>
<p><strong>Timeline risks</strong></p>
<p>Facebook is drawing more scrutiny too. It is making mandatory a new, glitzier user interface, called Timeline, that chronologically displays a member&#8217;s preferences, contacts and online activities. And its new Open Graph service promotes more and richer preference data moving across third-party applications to ultimately get integrated into Timeline. Facebook insists that Timeline does not present any new information nor alter any current privacy settings.</p>
<div id="attachment_11921" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11921" href="http://lastwatchdog.com/google-facebook-privacy-rules-bad-economy/karen-evans90px/"><img class="size-full wp-image-11921" title="Karen Evans90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Karen-Evans90px.jpg" alt="" width="90" height="116" /></a><p class="wp-caption-text">Evans</p></div>
<p>But Karen Evans, National Director for the US Cyber Challenge, a nationwide program focused specifically on the cyber workforce, says Google and Facebook’s latest advances in the science of indexing and profiling Internet users could make richer information more readily accessible to ID thieves and cyberspies, as well as to parties motivated to use such data unfairly against consumers.</p>
<p>Online profiles, for instance, are already being used to deny insurance coverage and as a basis for not hiring someone. And political campaigners would love to get their hands on the richest data available to help sway voters during the upcoming presidential elections.</p>
<p>“The consumer should know exactly how the information is to be used and the potential impact it could have on them, especially younger Americans,” says Evans. “Many of them play games, watch videos and search on the internet for class projects. The collection and use of the information could have adverse impact on their daily lives. For example, they could be conducting a search because this is an election year for a classroom project. The data could be later used to assume there is a political affiliation when in fact they were preparing for class.”</p>
<p>Gould puts it this way: &#8220;If you take the new Google policy and combine it with Facebook Timeline, the danger of hacking attacks for government users is multiplied by ten.&#8221;</p>
<p>Gould worries about the all-too-common scenario where an intruder e-mails a government worker pretending to be an acquaintance. &#8220;They can put information in an e-mail which they can get from your Facebook Timeline, and trick you into downloading a piece of spyware,&#8221; he says.</p>
<p>Heightened cross-referencing of an individual worker&#8217;s Google search, Gmail and YouTube activities poses similar risks, he says.</p>
<p>“If you have Facebook Timeline and you have tens of thousands of people using Google apps in government, you&#8217;re going to get a lot more of these cases of people accidentally disclosing their password, or downloading some kind of spyware, because they got an e-mail they thought was from a friend or acquaintance, and the e-mail seems to know about their past life or interests or concerns,” Gould says.</p>
<p>&#8211;By Byron Acohido</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/google-facebook-privacy-rules-bad-economy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Risks rise as Google, Facebook intensify profiling</title>
		<link>http://lastwatchdog.com/risks-rise-google-facebook-step-profiling/</link>
		<comments>http://lastwatchdog.com/risks-rise-google-facebook-step-profiling/#comments</comments>
		<pubDate>Thu, 26 Jan 2012 22:42:45 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[For consumers]]></category>
		<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11896</guid>
		<description><![CDATA[Google and Facebook might have finally gotten the average consumer riled up about privacy. For the past two years, each company has experimented with different ways to divine more and more about how people live their lives on the Internet, without sparking a revolt. But the plans the rivals announced on Tuesday, which critics say [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11897" href="http://lastwatchdog.com/risks-rise-google-facebook-step-profiling/usabrd_usaeast_1_01-26-2012_0_b1_b_b_001_4_214328-ps/"><img class="alignleft size-full wp-image-11897" title="USABrd_USAEast_1_01-26-2012_0_B1_B_B_001_4_214328.ps" src="http://lastwatchdog.com/wp/wp-content/uploads/Googe_FB-cover.jpg" alt="" width="175" height="159" /></a>Google and Facebook might have finally gotten the average consumer <a href="http://www.usatoday.com/tech/news/story/2012-01-25/google-facebook-competition/52796502/1">riled up</a> about privacy.</p>
<p>For the past two years, each company has experimented with different ways to divine more and more about how people live their lives on the Internet, without sparking a revolt.</p>
<p>But <a href="http://www.usatoday.com/tech/news/story/2012-01-24/google-data/52775646/1">the plans</a> the rivals announced on Tuesday, which critics say could dramatically rev up their respective abilities to gather intelligence on individual Internet users, seem to have <a href="http://www.usatoday.com/tech/news/story/2012-01-25/google-facebook-competition/52796502/1">struck a chord.</a> An informal and unscientific survey of Web users by USA TODAY found a majority speaking out against the new business practices announced by Google and Facebook.</p>
<p>&#8220;It&#8217;s dangerous for two companies to have so much personal data, regardless of whether the specific threats of that data consolidation are immediately clear,&#8221; says Sarah Downey, a privacy analyst at software maker Abine.</p>
<p><a rel="attachment wp-att-11907" href="http://lastwatchdog.com/risks-rise-google-facebook-step-profiling/usabrd_usaeast_1_01-26-2012_0_b2_b_b_002_1_212539-ps/"><img class="alignleft size-full wp-image-11907" title="USABrd_USAEast_1_01-26-2012_0_B2_B_B_002_1_212539.ps" src="http://lastwatchdog.com/wp/wp-content/uploads/GoogleFB_chart425px.jpg" alt="" width="425" height="346" /></a>Compelled to tap what many experts predict will be the next big Internet mother lode — online advertising — Google and Facebook laid down very big bets, during a week when European regulators are hashing out strict new rules that could prevent much of what the tech giants seek to do.</p>
<p>Google signaled its intent to begin correlating data about its users&#8217; activities across all of its most popular services and across multiple devices. The goal: to deliver those richer behavior profiles to advertisers.</p>
<p>Likewise, Facebook announced it will soon make Timeline the new, more glitzy user interface for its service, mandatory.</p>
<p>Timeline is designed to chronologically assemble, automatically display and make globally accessible the preferences, acquaintances and activities for most of Facebook&#8217;s 800 million members.</p>
<p>Google and Facebook have repeatedly insisted that the changes are intended strictly to improve users&#8217; experiences.</p>
<p>&#8220;Facebook works the way it always has,&#8221; says spokeswoman Meredith Chin. &#8220;There is no new information on Facebook as a result of Timeline, and no privacy settings have been changed with the introduction of it. It&#8217;s simply an updated version of the profile.&#8221;</p>
<p>But the changes have stirred anger from many consumers. Some, such as Joyce Norman, a writing consultant from Birmingham, Ala., are considering ways to limit their exposure to Google&#8217;s and Facebook&#8217;s new business practices. &#8220;Mine is not a lone voice crying in the wilderness,&#8221; says Norman.</p>
<p>Benjammin Gaultney of Montague, Mich., sees it differently, looking forward to the possibility of more appropriate ads coming to his screen. &#8220;You have to deal with ads all over the Internet either way,&#8221; he wrote on USA TODAY&#8217;s Facebook page. &#8220;Advertisers could at least try to sell me something I&#8217;m actually interested in rather than life insurance.&#8221;</p>
<p>Meanwhile, a high-stakes lobbying effort is unfolding in Washington aimed at shaping policies favorable to U.S. tech companies and blunting any potential move to follow Europe&#8217;s more conservative proposals to limit online tracking by companies.</p>
<p>The tech giants sharply increased their lobbying spending last year. Google spent $9.7 million in lobbying in 2011, up from $5.2 million in 2010, says the Center for Responsive Politics. Facebook spent $1.4 million in 2011 vs. $351,000 in 2010.</p>
<p>The driver: advertising revenue. The global online advertising market is expected to swell to $132 billion by 2015, up from $80 billion this year, according to eMarketer. Google and Facebook are putting their abilities to index individuals&#8217; online activity and behaviors into high gear to tap into this market, analysts say.</p>
<p>&#8220;If they can make the ads more relevant, the logic goes, they can increase the number of advertisers and the price they can charge per click (on each ad),&#8221; says Alex Daley, chief investment strategist at Casey Research. &#8220;Because the click will be from more qualified leads — customers who are more interested in the product — they can grow the revenue base.&#8221;</p>
<p>But security analysts, privacy advocates and technologists say consumers probably should be very concerned. While making richer behavioral data more readily available to advertisers, Google&#8217;s new data-correlating practices and Facebook&#8217;s new Timeline and Open Graph, a more powerful way to express preferences on third-party websites, also tend to aid and abet more unsavory uses.</p>
<p><strong> Beware of cybercrooks</strong></p>
<p>Richer personal details are very beneficial to identity thieves and cyberspies, as well as to parties motivated to use such data unfairly against consumers, such as insurance companies, prospective employers, political campaigners and, lately, hacktivists, security analysts say.</p>
<p>&#8220;What these unilateral decisions by Google and Facebook demonstrate is a complete disregard for their users&#8217; interests and concerns,&#8221; says John Simpson, spokesman for Consumer Watchdog. &#8220;It&#8217;s an uncommonly arrogant approach not usually seen in business, where these companies believe they can do whatever they want with our data, whenever and however they want to do it.&#8221;</p>
<p>Google has a long history of running into privacy problems.</p>
<p>Its Gmail raised hackles early on when the search giant decided to mingle advertising alongside users&#8217; e-mail. The move initially concerned people because the ads&#8217; relevancy was linked to e-mails inside users&#8217; accounts. For example, if a person was writing about buying a car, ads for cars could appear alongside that individual&#8217;s e-mail. To many, that felt like a privacy intrusion.</p>
<p>The search giant maintains that such contextual ads, where advertisers can bid on keywords that relate to a user&#8217;s content, don&#8217;t reveal personal identities. Gmail users can turn some of the ads off, but adjusting the feature requires some work.</p>
<p>Much of this type of product development is the result of Google taking a very engineer-focused approach to mining data rather than serving consumer interests, say industry experts. Google engineers want to play with technology first, but they think about how the product plays with consumers and privacy second, says IDC analyst Karsten Weide.</p>
<p>When Google tried to build its Buzz social network in 2010 from Gmail contacts, it ran into privacy problems. It began publicizing users&#8217; contacts without asking. The Federal Trade Commission last year charged Google with &#8220;deceptive privacy practices&#8221; in the handling of Buzz.</p>
<p>Google &#8220;did not respect&#8221; consumers&#8217; expectations of privacy, says Helen Nissenbaum, a professor of media, culture and communication at New York University. &#8220;They (Google) seem to be doing the same thing here&#8221; with the privacy update.</p>
<p>Under terms of the FTC consent order, Google agreed to a 20-year independent review of its privacy practices.</p>
<p>But the changes announced Tuesday may again set it on a collision course with the FTC.</p>
<p>&#8220;We do believe the proposed changes . . . violate the FTC consent order,&#8221; says Marc Rotenberg, executive director of the Washington, D.C.-based Electronic Privacy Information Center. Those changes could subject Google to monetary damages under Google&#8217;s agreement with the FTC, says Rotenberg.</p>
<p>But Rachel Whetstone, Google&#8217;s senior vice president for public policy and communications, says the company would not have proposed privacy updates that run afoul of the FTC settlement.</p>
<p>&#8220;We try to be transparent about the data we collect and give meaningful controls about how data is used,&#8221; says Whetstone.</p>
<p>There are also concerns about Google&#8217;s recent move to roll activities on its Google+ social network into users&#8217; search results. The opt-in integration of those two Google products mingles profiles, photos and posts of people a user follows on Google+ into the user&#8217;s search results if they choose.</p>
<p>Whetstone says it doesn&#8217;t raise privacy issues because the information is viewed only by the user.</p>
<p><strong> Facebook&#8217;s issues</strong></p>
<p>Facebook has had its own issues, most recently in November when the FTC announced a broad settlement that requires the company to respect the privacy wishes of its users and subjects it to audits for the next 20 years.</p>
<p>The order, which claimed Facebook engaged in &#8220;unfair and deceptive&#8221; practices in December 2009, stems largely from the way Facebook handled information its users deemed to be private information.</p>
<p>On Tuesday it announced that Timeline will become the default user interface for all members over the next few weeks.</p>
<p>Combined with the addition last week of some 60 apps specifically written for Timeline, consumers can provide a detailed account, often in real time, of the music they listen to, what they eat, where they shop — even where they jog.</p>
<p>The deeper personal data of Timeline — which Facebook users willfully share — are potentially online advertising gold for marketers and advertisers. This is especially crucial, analysts say, as Facebook steamrolls toward an initial public stock offering this year.</p>
<p>The company is under pressure to increase sales and profits to meet the lofty expectations of shareholders, and online advertising is the most logical place to do that. Facebook gleaned 89% of its estimated $4.3 billion in revenue last year, or about $3.8 billion, from online ads, according to eMarketer.</p>
<p>&#8220;If Facebook has richer behavioral targeting data than Google, then it has an edge up in relevance,&#8221; says Casey Research&#8217;s Daley. &#8220;And an edge up in relevance is an edge up in revenue.&#8221;</p>
<p>Some Wall Streeters believe the changes made by Google and Facebook will have only an &#8220;incremental&#8221; effect on the battle between the two giants in going after online advertising dollars.</p>
<p>Both companies continue to be dominant in their markets, which &#8220;tend to be winner-takes-all markets,&#8221; says Ryan Jacob of the Jacob Internet fund. Google continues to hold strength in online search and is a strong player in online video with YouTube and in mobile with its Android operating system, he says.</p>
<p>But &#8220;Google has a long way to go before it can be considered a credible competitor to Facebook,&#8221; he says.</p>
<p>Google&#8217;s moves, if anything, are &#8220;somewhat defensive,&#8221; he says. &#8220;For them (Google) to maintain their position in search, it&#8217;s important for them to be players in other areas,&#8221; he says.</p>
<p>Channing Smith of money management firm Capital Advisors, which owns shares of Google, is more optimistic. &#8220;If it continues to put up numbers for Google+, it can be a competitor to Facebook,&#8221; he says.</p>
<p>Rep. Ed Markey, D-Mass., who has already been pressing Facebook to explain its tracking systems, said on Wednesday that he would ask the FTC to take a close look at Google&#8217;s new privacy policies.</p>
<p>&#8220;Google&#8217;s privacy policy changes mean consumers can&#8217;t say no to sharing their personal information across Google&#8217;s websites,&#8221; Markey said. &#8220;Consumers, not Google, should be able to make these decisions.&#8221;</p>
<p>By Byron Acohido, Scott Martin and Jon Swartz</p>
<p>Contributing: Mike Snider, Roger Yu, Matt Krantz</p>
<p>Originally published 26 Jan. 2012, USA TODAY print editions, P1B</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/risks-rise-google-facebook-step-profiling/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Zappos hack shows risk of using e-mail as your account username</title>
		<link>http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/</link>
		<comments>http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/#comments</comments>
		<pubDate>Tue, 17 Jan 2012 01:00:11 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11817</guid>
		<description><![CDATA[If you’ve ever shopped at Zappos now would be a good time to take stock of the e-mail address and password you use most often to shop and bank online. The popular online shoe retailer, a division of Amazon, disclosed on Sunday that hackers cracked its customer database to steal records for some 24 million [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11818" href="http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/zappos_logo175px/"><img class="alignleft size-full wp-image-11818" title="zappos_logo175px" src="http://lastwatchdog.com/wp/wp-content/uploads/zappos_logo175px.jpg" alt="" width="175" height="131" /></a>If you’ve ever shopped at Zappos now would be a good time to take stock of the e-mail address and password you use most often to shop and bank online.</p>
<p>The popular online shoe retailer, a division of Amazon, disclosed on Sunday that hackers cracked its customer database to steal records for some 24 million customers.</p>
<p>The data thieves did not get any payment card numbers, because that data was encrypted, as required under the <a href="http://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard">Payment Card Industry Data Security Standard</a>.</p>
<p>But as is a common practice with many online retailers, Zappos did not encrypt its customers’ e-mail and shipping addresses, phone numbers, the last four digits of the payment card numbers and the account passwords.</p>
<div id="attachment_11819" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11819" href="http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/todd-fienman90px/"><img class="size-full wp-image-11819" title="Todd Fienman90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Todd-Fienman90px.jpg" alt="" width="90" height="123" /></a><p class="wp-caption-text">Feinman</p></div>
<p>Retailers do not typically encrypt any data beyond what is required under PCI-DSS rules, which are enforced by Visa and Mastercard, because doing so can degrade a website’s performance, says Todd Feinman, CEO of database security firm Identity Finder.</p>
<p>Feinman says it&#8217;s technically trivial for corporations to extend encryption beyond payment card numbers to other consumer data known to hold value in the Internet underground. &#8220;Visa and Mastercard fight to protect credit card numbers, but there&#8217;s no one fighting for the individual consumer whose e-mail address falls into the possession of hackers,&#8221; says Feinman.</p>
<p>E-commerce has come to revolve around account usernames based on a valid e-mail address, and most consumers aren&#8217;t aware of the inherent risk that arrangement engenders. Many use the same e-mail address and password to create financial transaction accounts across multiple websites. Cybercriminals know this and are expert at taking full advantage.</p>
<p><a rel="attachment wp-att-11829" href="http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/zappos_boxes225px/"><img class="alignleft size-full wp-image-11829" title="zappos_boxes225px" src="http://lastwatchdog.com/wp/wp-content/uploads/zappos_boxes225px.jpg" alt="" width="225" height="141" /></a>Zappos customers should be on high alert for “phishing” e-mail crafted to lure them into divulging sensitive information, such as a Social Security number, or to clicking on a seemingly trustworthy weblink that actually installs a virus.</p>
<p>And they should be aware that the hackers are likely to use their Zappos account e-mail and password to try to find and access their other online accounts. “The hackers will be crunching the password data to identify where weak passwords have been used &#8211; as those users often re-use passwords,” says Stina Ehrensvard, CEO of authentication hardware maker Yubico. “We&#8217;re highly likely to see the data being used elsewhere on the Internet in the coming days.”</p>
<p><em>(<strong>UPDATE 17 Jan 2012: </strong> Zappos did not store any clear-text passwords. What the thieves took were password hashes, alphanumeric strings substituted for the actual passwords. Free tools, called hash tables, can map a password hash back to the associated password. Hash tables are widely available for free use, and are particularly effective at deciphering hashes of passwords that use simplistic combinations of letters and numbers.)</em></p>
<p>The crooks can also make productive use of the last four digits of a victim’s payment card numbers. “It’s one more piece of information to make the consumer think the phishing message is authentic,” says Feinman.</p>
<p>Zappos itself is sending e-mails to its customers asking them to create new passwords for their Zappos accounts. The company <a href="http://blogs.zappos.com/securityemail">recommends </a>users change passwords on any other website where they use the same or similar passwords.</p>
<div id="attachment_11820" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11820" href="http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/tony-hsieh90px/"><img class="size-full wp-image-11820" title="Tony Hsieh90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Tony-Hsieh90px.jpg" alt="" width="90" height="107" /></a><p class="wp-caption-text">Hsieh</p></div>
<p>&#8220;We&#8217;ve spent over 12 years building our reputation, brand, and trust with our customers,&#8221; CEO Tony Hsieh said in a blog statement. &#8220;It&#8217;s painful to see us take so many steps back due to a single incident.&#8221;</p>
<p>Notice of the Zappos breach follows the disclosure of the <a href="http://lastwatchdog.com/2011-year-hacktivists/">Christmas Eve break-in</a> of Stratfor.com, in which hacktivists stole, then posted online, credit card numbers and account logons for more than 50,000 of the online publication’s subscribers.</p>
<p>And 2011 proved to be an unprecedented year for headlines about major database break-ins at Sony, Google, Bank of America, RSA, Lockheed, Epsilon, Nasdaq Directors Desk and the U.S. Chamber of Commerce, among many others.</p>
<p>Security experts and technologists point to several developments that suggest the pattern is likely to continue in 2012.</p>
<div id="attachment_11850" class="wp-caption alignleft" style="width: 435px"><a rel="attachment wp-att-11850" href="http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/hash_tool425px/"><img class="size-full wp-image-11850 " title="Hash_tool425px" src="http://lastwatchdog.com/wp/wp-content/uploads/Hash_tool425px.jpg" alt="" width="425" height="312" /></a><p class="wp-caption-text">Example of a hash table</p></div>
<p>Many corporate system break-ins begin by tricking one employee to click on a corrupted web link or open a poisoned attachment.</p>
<p>Such poisoned messages arrive by e-mail, seemingly from a trusted associate, or, increasingly, circulate on Facebook and Twitter. The increasing use of sharing applications &#8212; on workplace computers and mobile devices &#8212; multiplies opportunities for clever hackers. Even the largest, most sophisticated corporations are vulnerable.</p>
<p>“This is a harbinger for 2012,” says Feinman. “This is the type of thing we’re going to see all year round.”</p>
<div id="attachment_11821" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11821" href="http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/stina_ehrensvard/"><img class="size-full wp-image-11821" title="Stina_Ehrensvard" src="http://lastwatchdog.com/wp/wp-content/uploads/Stina_Ehrensvard.jpg" alt="" width="90" height="126" /></a><p class="wp-caption-text">Ehrensvard</p></div>
<p>Yubico&#8217;s Ehrensvard agrees. &#8220;Until CEOs realize the cost of doing nothing, and ask difficult questions of their teams, we expect to see regular reports of breaches,&#8221; she says. &#8220;It&#8217;s no longer acceptable for a CEO to leave the security of their customers&#8217; data to others. It is their responsibility when it&#8217;s stolen.&#8221;</p>
<p>The Zappos breach underscores a need for corporations, especially online retailers, to reassess the risks associated with routinely amassing mountains of customer data, and to consider beefing up database defenses, security experts say.</p>
<p>“As more consumers choose to shop online, it becomes even more critical for retailers to monitor for malicious activity and protect their customer information,” says Mandeep Khera, chief marketing officer at data monitoring firm LogLogic. “This diligence helps protect their brands, and helps avoid compliance penalties.”</p>
<p>Cenzic CEO John Weinschenk at least gives Zappos credit for transparency. &#8220;Zappos’ response to their loss of customer data should be emulated by other organizations,&#8221; he says. &#8220;They outlined for their customers exactly what happened, what was stolen, and what it meant for them.</p>
<p>&#8220;Zappos took the first step by making this attack and data losses transparent. Now they need to prove to their customers they can be trusted in the future and protect personal information. That will be an ongoing process.”</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/zappos-hack-shows-risk-e-mail-account-username/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stratfor hack demonstrates new strain of censorship</title>
		<link>http://lastwatchdog.com/stratfor-hack-demonstrates-strain-censorship/</link>
		<comments>http://lastwatchdog.com/stratfor-hack-demonstrates-strain-censorship/#comments</comments>
		<pubDate>Thu, 12 Jan 2012 02:14:25 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11785</guid>
		<description><![CDATA[Hacking technology has become so accessible, and social network-based rabble rousing so prevalent, that hacktivists espousing confused motives can lash out indiscriminately &#8212; and cause crushing damage. That’s the upshot of the Christmas Eve Stratfor.com escapade widely attributed to members of the Anonymous hacking collective. The online global affairs publication relaunched its website today, three [...]]]></description>
			<content:encoded><![CDATA[<p><em><a rel="attachment wp-att-11788" href="http://lastwatchdog.com/stratfor-hack-demonstrates-strain-censorship/stratfor_screenshot144px/"><img class="alignleft size-full wp-image-11788" title="stratfor_screenshot144px" src="http://lastwatchdog.com/wp/wp-content/uploads/stratfor_screenshot144px.jpg" alt="" width="144" height="149" /></a>Hacking technology has become so accessible, and social network-based rabble rousing so prevalent, that hacktivists espousing confused motives can lash out indiscriminately &#8212; and cause crushing damage.</em></p>
<p><em>That’s the upshot of the Christmas Eve <a href="http://lastwatchdog.com/2011-year-hacktivists/">Stratfor.com escapade </a>widely attributed to members of the Anonymous hacking collective. The online global affairs publication<a href="http://www.usatoday.com/tech/news/story/2012-01-11/stratfor-hactivist/52508494/1"> relaunched its website </a>today, three weeks after hacktivists posted sensitive data for 50,000 Stratfor subscribers, then shut out the lights. The company has had to hire teams of forensics experts and security consultants to restore operations, including moving its entire e-commerce process to a third-party system, and eliminating the storing of credit information.</em></p>
<p><em>Stratfor CEO George Friedman acknowledged that the company had not encrypted customer information. &#8220;This was our failure,&#8221; Friedman said in a statement. &#8220;I take responsibility. I deeply regret that this occurred and created hardship for our customers and friends.”</em></p>
<p><em>Friedman believes the attack serves notice about a troublesome new strain of unpredictable censorship arising on the Internet. He elaborates on that notion in this exclusive LastWatchdog interview:</em></p>
<div id="attachment_11789" class="wp-caption alignleft" style="width: 185px"><a rel="attachment wp-att-11789" href="http://lastwatchdog.com/stratfor-hack-demonstrates-strain-censorship/george-friedman175px/"><img class="size-full wp-image-11789" title="George Friedman175px" src="http://lastwatchdog.com/wp/wp-content/uploads/George-Friedman175px.jpg" alt="" width="175" height="247" /></a><p class="wp-caption-text">Friedman</p></div>
<p><strong>LW: </strong>What exactly happened?</p>
<p><strong>Friedman:</strong> What happened to us was the credit card information was stolen earlier. We knew about that from the FBI. What they did on the 24th was nuked our servers. . . they went into the servers and rooted them, which meant that they destroyed the file structure, which normally means you can’t recover the information. They did that not only to our primary databases, they did that to our backups too. They were trying to make it impossible for us to re-emerge.</p>
<p><strong>LW:</strong> Why did you become a target?</p>
<p><strong>Friedman:</strong> If we’re to believe (the hackers), the reason was that we were the hub of a government-corporate complex, getting information from these people and, I gather, propagandizing. They had built a fantasy image of us as being part of a very powerful group. From our mailing list they selected all the corporate subscribers, and created this image of us as being an incredibly connected, powerful entity, and that was their justification.</p>
<p><strong>LW:</strong> How valid is that profile of you?</p>
<p><strong>Friedman: </strong>Not very valid at all. We certainly know people in Washington and all over the world. We have sources. That’s our job. But we have no access to classified or corporate information. That’s simply not what we do. We’re a publishing company.</p>
<p><strong>LW: </strong>You’ve been doing this a while.</p>
<p><strong>Friedman:</strong> We started Stratfor as a consultancy in 1996. After the Kosovo War we started moving into publishing because we found there was an appetite for international news. At this point, we’re almost entirely a publishing company. There is an audience that wants to understand international affairs more deeply from a non-ideological standpoint, and that’s who we serve. We’re careful and militant about not having an ideology, nor recommending any policy.</p>
<p><strong>LW:</strong> What’s a recent representative article?</p>
<p><strong>Friedman:</strong> A recent story predicted that there would be a major crisis in U.S. &#8211; Iranian relationships because of the vacuum created by the U.S. withdrawing from Iraq and how Iran was in the process of filling the vacuum. . . The point is we do pretty complex stories. We try to do the play-by-play of global affairs without rooting for any team.</p>
<p><strong>LW:</strong> Bradley Manning allegedly leaked a specific set of documents, presumably for deeply-held reasons of conscience. How was this leak any different?</p>
<p><strong>Friedman:</strong> It was an attempt to undermine our capacity to do our work. And it has a technical basis, they destroyed our servers and our backups. One part is the (leaked) credit card information, which we’re very sorry about because it affected our customers. Another part is the (leaked) e-mails, which will not show much. But the most serious thing is the attempt to destroy our digital capacities.</p>
<p>Individuals now have the ability, with full anonymity, to decide who they like and dislike, and if they dislike them, use their technology to destroy them.  We’re lucky in that we have the financial and staff resources to recover. But there are other organizations that can be completely silenced, and never know who silenced them or why they did it.</p>
<p><strong>LW:</strong> So we’ve turned a corner?</p>
<p><strong>Friedman:</strong> If you want the definition of a new fascism it is faceless people, setting the rules, not forgetting, not forgiving and promising that they’re coming. That’s really a frightening vision of what’s going on. Imagine if this becomes a general activity.</p>
<p>We are entering a very dangerous space now. Anyone can have the skill and knowledge to do this. Any ideology can do it. It’s not as if this is a particular threat from the left or from Wall Street. It can come from anywhere, and anyone who disapproves of you can wreak havoc.</p>
<p><strong>LW:</strong> Was spear phishing a contributing factor in the initial breach?</p>
<p><strong>Friedman:</strong> I actually can’t talk about that because of the FBI investigation. As soon as the lid is off this, I’d love to talk to you about it.</p>
<p><strong>LW: </strong>You were offline for three weeks. To what degree have you been able to recover?</p>
<p><strong> Friedman: </strong>With a great deal of effort we have managed to recover enough to go live today, but without the entire archives.  We&#8217;re functioning, and the archives will be built back in over the coming weeks. We’re spending a substantial amount of money both on our customer support and recovery. I can’t give you the number because we don’t know what it’s going to be. We’ve got three or four sets of consultants in here. It is going to cost us.</p>
<p><strong>LW: </strong>Have many of your subscribers lost faith in you?</p>
<p><strong>Friedman:</strong> When I looked at the e-mails we’ve received, and even looking at Twitter today, there was overwhelming support from our subscribers. In one narrative, we’re the saps for letting this happen. In the other, we’re the victims. And it’s interesting that our subscribers are the ones who regard us as the victims. My sense is we have the same relationship with our readers as we had before, regardless.</p>
<p><strong>LW:</strong> Anything else you’d like to add?</p>
<p><strong>Friedman:</strong> Implicit in the First Amendment is the idea that we all owe each other the right to be heard, and what Anonymous has done is to try to deny us that ability. There used to be a village commons, where everybody gathered to do business and talk. Everyone knew each other. There was no anonymity.</p>
<p>Now we have this global commons. And in the global commons, there is this element of anonymity, which I support. I think it’s a good thing. But it carries with it a  responsibility, without which, there’s no accountability.</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/stratfor-hack-demonstrates-strain-censorship/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>2011: Year of the hacktivists</title>
		<link>http://lastwatchdog.com/2011-year-hacktivists/</link>
		<comments>http://lastwatchdog.com/2011-year-hacktivists/#comments</comments>
		<pubDate>Wed, 11 Jan 2012 02:12:03 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11718</guid>
		<description><![CDATA[Stratfor.com remains inoperative nearly three weeks after a Christmas Eve hacktivist break-in. To add insult to injury, a prankster has begun sending bogus e-mail messages to the online publication&#8217;s subscribers asking them to rate the company&#8217;s response to the breach, according to Sophos analyst Chet Wisniewski. The attack on Strategic Forecasting &#8212; which supplies its [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11719" href="http://lastwatchdog.com/2011-year-hacktivists/anonymous_masks150px/"><img class="alignleft size-full wp-image-11719" title="anonymous_masks150px" src="http://lastwatchdog.com/wp/wp-content/uploads/anonymous_masks150px.jpg" alt="" width="150" height="160" /></a>Stratfor.com remains inoperative nearly three weeks after a Christmas Eve hacktivist break-in. To add insult to injury, a prankster has begun <a href="http://nakedsecurity.sophos.com/2012/01/06/stolen-stratfor-mailing-list-used-to-rickroll-customers-this-time/">sending bogus e-mail</a> messages to the online publication&#8217;s subscribers asking them to rate the company&#8217;s response to the breach, according to Sophos analyst Chet Wisniewski.</p>
<p>The attack on Strategic Forecasting &#8212; which supplies its subscribers with independent analysis on global affairs &#8212; capped an unprecedented year for online shenanigans fueled by ideological ire.</p>
<div id="attachment_11768" class="wp-caption alignleft" style="width: 235px"><a rel="attachment wp-att-11768" href="http://lastwatchdog.com/2011-year-hacktivists/120110_stratfor_scsh225px/"><img class="size-full wp-image-11768" title="120110_Stratfor_ScSh225px" src="http://lastwatchdog.com/wp/wp-content/uploads/120110_Stratfor_ScSh225px.jpg" alt="" width="225" height="195" /></a><p class="wp-caption-text">Crippled website</p></div>
<p>Much like the Occupy Wall Street protesters, members of the loose-knit Anonymous and LulzSec hacking co-ops &#8212; so-called hacktivists &#8212; were motivated by political and personal beliefs, and sought no financial gain.</p>
<p>And their hacking escapades seemed to spontaneously combust in private online chat rooms and on Facebook and Twitter.</p>
<p>&#8220;We saw groups of like-minded individuals banding together to make their voices heard,” says Michael Sutton, research vice president at security firm Zscaler. &#8220;Technology played a critical role in allowing hacktivist groups to communicate, share ideas and quickly act – something that was not always possible.&#8221;</p>
<p>News of the Stratfor caper broke on pastebin.com, an open website where programmers store and share code. (Interestingly, pastebin last week had to <a href="http://www.theregister.co.uk/2012/01/04/pastebin_ddos_recovery/">defend itself </a>against a denial of service attack.) In what has become a familiar pattern, the Stratfor hackers posted a breezy &#8220;press release,&#8221; claiming to be from Anonymous.</p>
<p>As proof of the hack, the culprits disclosed credit card details for thousands of subscribers to Stratfor&#8217;s daily newsletters. Three separate lists contained payment card data for 3,956, 13,191 and 30,726 customers, respectively, says Mikko Hypponen, chief research officer at antivirus firm F-Secure.</p>
<p><strong>Digital Robin Hood</strong></p>
<p>Next, the hackers used stolen card numbers to make large donations to the Red Cross, CARE, Save the Children, the African Child Foundation and other charity groups, posting screenshots of the transactions. However, the credit card companies in most cases reversed the transactions and hit the charities with chargeback fees.</p>
<p>&#8220;At first this looked a bit like the actions of Robin Hood,&#8221; Hypponen says. &#8220;In this case, the poor didn&#8217;t get a dime.&#8221;</p>
<p>The hackers’ sole whimsical demand: a &#8220;delicious&#8221; Christmas meal for Bradley Manning, the Army soldier held since May 2010 on suspicion of supplying the WikiLeaks website with classified material.</p>
<p><a rel="attachment wp-att-11732" href="http://lastwatchdog.com/2011-year-hacktivists/anonymous_robinhood225px-2/"><img class="alignleft size-full wp-image-11732" title="anonymous_robinhood225px" src="http://lastwatchdog.com/wp/wp-content/uploads/anonymous_robinhood225px1.jpg" alt="" width="225" height="138" /></a>&#8220;While the rich and powerful are enjoying themselves with all their bourgeois gifts and lavish meals, our comrade Bradley Manning is not having that great of a time in federal custody,&#8221; the press release states. &#8220;We want him out on the streets at a fancy restaurant of his choosing, and we want this to happen in less than five hours.&#8221;</p>
<p>Manning has emerged as a hacktivist touchstone. In December 2010, Anonymous temporarily crippled the websites of Visa, MasterCard, PostFinance and PayPal in retaliation for those companies refusing to process payments for WikiLeaks. Those refusals stemmed from Manning&#8217;s arrest and the detention of WikiLeaks founder Julian Assange.</p>
<p><strong>Hacktivists gone wild</strong></p>
<p>In the 12 months since then, hacktivists have gone wild. A wise-cracking splinter group, <a href="http://lastwatchdog.com/lessons-learned-lulsecs-50-day-hacking-spree/">LulzSec,</a> emerged in early 2011. After Sony sued a young man for hacking the programming in his PlayStation gaming console, both collectives jumped into action.</p>
<p>Anonymous pilfered and posted payment card data for 77 million PlayStation Network and 25 million Sony Online Entertainment subscribers. LulzSec and others disrupted Sony websites in Canada, Japan, Europe and the Middle East.</p>
<p>Attacks followed against <a href="http://lastwatchdog.com/anonymous-wikileaks-continue-bedevil-bank-america/">Bank of America,</a> the <a href="http://online.wsj.com/article/SB10001424052970204058404577110541568535300.html?mod=djemalertTECH">U.S. Chamber of Commerce</a>, government and law enforcement agencies, financial institutions, media companies and even a Mexican drug cartel. During the summer, Anonymous and LulzSec merged into a co-op referred to as AntiSec.</p>
<p>&#8220;In-your-face arrogance backed up by stunning success made Anonymous and LulzSec big tech news stories all year long,&#8221; says Josh Shaul, chief technology officer at Application Security. &#8220;Recruits were lining up, and hackers were teaching classes to get more people in on the action.”</p>
<div id="attachment_11720" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11720" href="http://lastwatchdog.com/2011-year-hacktivists/kris-harms90px/"><img class="size-full wp-image-11720" title="Kris Harms90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Kris-Harms90px.jpg" alt="" width="90" height="128" /></a><p class="wp-caption-text">Harms</p></div>
<p>And hacktivists’ level of skill advanced apace, says Kris Harms, principal consultant at network security firm Mandiant.</p>
<p>&#8220;Hacktivists today are as capable as organized crime groups and nation states were in years past,&#8221; says Harms. &#8220;In 2011, we saw organized crime groups using malware that was historically used by nation-state-sponsored attack groups, and we’ve seen hacktivists using techniques more common to organized crime.”</p>
<p><strong>Lessons learned</strong></p>
<p>Harms says the lesson for corporations and governments is obvious: &#8220;Today’s hacking groups will only get better, and most likely at a rate that exceeds most organizations’ defensive improvements. This is because they are learning from each other. Corporations and governments need to recognize break-ins are inevitable. 2012 will be the year of detect-and-respond for organizations desiring to stay out of the spotlight.&#8221;</p>
<div id="attachment_11721" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11721" href="http://lastwatchdog.com/2011-year-hacktivists/michael-sutton_90px-4/"><img class="size-full wp-image-11721" title="Michael Sutton_90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Michael-Sutton_90px3.jpg" alt="" width="90" height="137" /></a><p class="wp-caption-text">Sutton</p></div>
<p>Zscaler&#8217;s Sutton opines: &#8220;Arrests will be made and hacktivists will be outed, but it will have limited impact on the movements going forward. We&#8217;re not dealing with a structured entity where it is possible to cut the head off and slay the beast.</p>
<p>&#8220;Each subsequent attack discussed in the media inspires another wave of hacktivists to conduct their own efforts. Whether the attacks are carried out in an &#8216;official&#8217; capacity or by a rogue entity acting in the name of another is of little consequence; the outcome is the same. Enterprises and government organizations are having their networks breached and the confidential data that they were entrusted with displayed for the world to see.</p>
<p>&#8220;These attacks should serve as a wake-up call to enterprises everywhere to revisit what they are doing to secure their data. Anonymous should be the least of their worries &#8211; at least Anonymous is letting them know about the breach once it is discovered. For every Anonymous, how many criminal enterprises are out there stealing data for profit and going undetected for years?&#8221;</p>
<div id="attachment_11722" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11722" href="http://lastwatchdog.com/2011-year-hacktivists/josh_shaul_cto_90px-6/"><img class="size-full wp-image-11722 " title="Josh_Shaul_CTO_90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Josh_Shaul_CTO_90px5.jpg" alt="" width="90" height="147" /></a><p class="wp-caption-text">Shaul</p></div>
<p>AppSec&#8217;s Shaul agrees: &#8220;All the success the hacktivists had using low-tech attack techniques in 2011 makes it clear just how vulnerable our sensitive data is. Attackers have turned their focus directly on to the databases, where the vast caches of information are stored.</p>
<p>&#8220;Information security teams need to shift their efforts to protecting databases directly instead of the endless pursuit of sealing off every endpoint and port on the network perimeter. While we’re all far more aware of the presence of hacktivists and the threat they represent, by and large, organizations continue to be far from ready to protect themselves in case of an attack. Anonymous is on everyone’s mind, but the it-won’t-happen-to-me attitude remains prevalent.&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/2011-year-hacktivists/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>BYOD trend heightens risk of corporate intrusions</title>
		<link>http://lastwatchdog.com/byod-trend-heightens-risk-corporate-intrusions/</link>
		<comments>http://lastwatchdog.com/byod-trend-heightens-risk-corporate-intrusions/#comments</comments>
		<pubDate>Wed, 23 Nov 2011 23:13:38 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>
		<category><![CDATA[Top Stories]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11542</guid>
		<description><![CDATA[The confluence of more employees using personally-owned smartphones for work duties &#8212; and those same folks  using those same devices to shop this holiday season &#8212; adds up to a profound new security concern. The increasing sophistication of Droid exploits and the jailbreaking of iOS has caught the attention of ISACA, the prestigious global association [...]]]></description>
			<content:encoded><![CDATA[<p><em> <a rel="attachment wp-att-11588" href="http://lastwatchdog.com/byod-trend-heightens-risk-corporate-intrusions/byod_graphic150px/"><img class="alignleft size-full wp-image-11588" title="BYOD_graphic150px" src="http://lastwatchdog.com/wp/wp-content/uploads/BYOD_graphic150px.jpg" alt="" width="150" height="148" /></a>The confluence of more employees using personally owned smartphones for work duties &#8212; and those same folks using those same devices to shop this holiday season &#8212; adds up to a profound <a href="http://www.usatoday.com/tech/news/story/2011-11-22/bring-your-own-devices/51438324/1">new security concern.</a> The increasing sophistication of <a href="http://content.usatoday.com/communities/technologylive/post/2011/03/poisoned-android-apps-taken-down-from-official-company-store/1">Droid exploits</a> and the <a href="http://content.usatoday.com/communities/technologylive/post/2010/08/apple-working-on-security-patches-for-milestone-iphone-ipad-flaws--/1">jailbreaking of iOS</a> have caught the attention of <a href="http://www.isaca.org/About-ISACA/Press-room/News-Releases/2011/Pages/ISACA-Survey-Bring-Your-Own-Device-Trend-Heightens-Online-Holiday-Shopping-Risk.aspx">ISACA,</a> the prestigious global association of 90,000 IT administrators and execs. After due deliberation, ISACA has officially adopted an &#8220;embrace and educate&#8221; posture when it comes to the bring-your-own-device, or BYOD, trend.</em></p>
<p><em>ISACA is championing the notion that BYOD is a security problem on the fast track to get much worse, and that companies should nonetheless embrace wider use of employee-owned devices in the workplace. That said, ISACA advises establishing security policies that aren&#8217;t too onerous, with a focus on educating employees about best practices. Employers should point out how much the employee, individually, can be harmed, as well as how much the company could lose, through careless use of mobile devices.</em></p>
<p><em>ISACA advisor John Pironti, Webroot mobile threat analyst Armando Orozco, Bit9 CTO Harry Sverdlove and CloudFlare CEO Matthew Prince shared these thoughts on the rising BYOD threat:</em></p>
<p><strong> <em>LW: With regard to smartphone attacks aimed at corporate intrusions, what stage are we at today?</em></strong></p>
<div id="attachment_11544" class="wp-caption alignleft" style="width: 210px"><strong><a rel="attachment wp-att-11544" href="http://lastwatchdog.com/byod-trend-heightens-risk-corporate-intrusions/matthew-prince_200px/"><img class="size-full wp-image-11544" title="Matthew Prince_200px" src="http://lastwatchdog.com/wp/wp-content/uploads/Matthew-Prince_200px.jpg" alt="" width="200" height="123" /></a></strong><p class="wp-caption-text">Prince</p></div>
<p><strong>Prince: </strong>The device-at-work problem really began on June 29, 2007 with the launch of the iPhone. It was an expensive device, but quickly became a status symbol among C-level executives who could insist that the device be allowed behind the corporate firewall. IT managers resisted at first but eventually relented, in part because the original iPhone was locked down. At the time only Apple&#8217;s software was allowed on the devices and Steve Jobs was insisting they would never allow third-party apps.</p>
<p>The iPhone wasn&#8217;t really a phone, it was a mini-computer. As such, when Apple reversed course and allowed third-party apps, all that needed to happen was for the software on the phone to be updated. Since the iPhones were typically owned by the employees, they upgraded them at will. Since the phones were already trusted on the network, now not only Apple&#8217;s small universe of apps but also third-party apps were running on the corporate network.</p>
<p>IT managers took some solace at least in the fact that Apple carefully policed the app store. Then along came Android. Google positioned a more flexible app environment as a feature. While IT managers looked on in horror, suddenly completely unvetted code was running on devices on their networks.</p>
<div id="attachment_11569" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11569" href="http://lastwatchdog.com/byod-trend-heightens-risk-corporate-intrusions/armando_orozco_90px-2/"><img class="size-full wp-image-11569" title="Armando_Orozco_90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Armando_Orozco_90px1.jpg" alt="" width="90" height="136" /></a><p class="wp-caption-text">Orozco</p></div>
<p><strong>Orozco: </strong>Corporate intrusions are in the early stages, but this is the right time to begin planning for them. This holiday season, we could potentially see attackers targeting outdated operating systems &#8212; most devices out there are running older OSs.</p>
<p>One attack vector could be to target a vulnerability in a mobile browser. Take for instance Android’s WebView feature: some of its APIs could be used to break out of the browser&#8217;s &#8220;sandbox&#8221; and give the attacker access to other functionality of a device.</p>
<p>However, the majority of attacks we have seen are the result of malicious apps positioned as legitimate apps like games, music and ringtones that, when installed, do things like get root access and gain control of your device in order to take control of your apps, transmit personal information from your device, control search results, or send texts and SMS messages to premium numbers.</p>
<div id="attachment_11550" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11550" href="http://lastwatchdog.com/byod-trend-heightens-risk-corporate-intrusions/john-pironti90px-2/"><img class="size-full wp-image-11550" title="John Pironti90px" src="http://lastwatchdog.com/wp/wp-content/uploads/John-Pironti90px1.jpg" alt="" width="90" height="117" /></a><p class="wp-caption-text">Pironti</p></div>
<p><strong>Pironti: </strong>We are in the early stages of attacks on corporate environments leveraging smartphones.  This is new technology that requires a fair amount of sophistication to leverage successfully, so a limited number of highly skilled attackers are able to effectively leverage them today.</p>
<p>Given the sheer number of devices that are currently or will soon be in use, it is likely this will become a highly leveraged attack vector by a broad spectrum of adversaries.  As the knowledge of how to use them for attacks becomes more available and tools are developed to lower the bar of entry for less sophisticated attackers to use them, the attacks will increase exponentially.</p>
<p><strong> Sverdlove:</strong> While I do not know of any sophisticated and targeted attacks on smartphones, it is only a matter of when, not if, this will happen.  Smartphones are just smaller computers with similar capabilities. In many ways, they are even more of a security risk because a smartphone has more ways to exfiltrate data, completely outside of the ability of a company to monitor. For example, when a targeted virus hits a desktop computer, it has to somehow communicate its stolen data back to the attacker.</p>
<p>In the case of a smartphone, it has access to EDGE, 3G, and 4G cellular networks that cannot be monitored by a company. It also has access to Bluetooth and WiFi for local transmissions. It is constantly leaving the company premises and connecting to less secure WiFi networks where it can communicate free from IT security’s prying eyes.</p>
<p><strong><em>LW: Let&#8217;s say I&#8217;m using my own smartphone to access corporate email, and for personal use. I use my device for holiday shopping. I see a cool app, that&#8217;s actually malware. I install the cool app. What happens next?</em></strong></p>
<p><strong>Sverdlove: </strong>The majority of mobile malware, most notably Android malware, comes in the form of malicious apps.  Users are choosing, or are being tricked into choosing, to install the app. Once installed, the app may exploit operating system vulnerabilities to gain root, or system-level, access. The DroidDream malware apps that were pulled from the Google Android app store back in March, 2011, took advantage of two operating system exploits to install remote control code.</p>
<p>Other malware apps do not rely on exploits. For example, SMS Trojans are a common type of mobile malware. They either send SMS messages to premium-rate numbers or automatically sign the phone up for SMS premium subscription services, racking up charges on the user’s phone bill. If you download an app and give it permission to access messaging, you’re basically inviting the criminal into your house and saying “take whatever you want.” The criminal does not need a lockpick or fancy tools.</p>
<p><strong><a rel="attachment wp-att-11589" href="http://lastwatchdog.com/byod-trend-heightens-risk-corporate-intrusions/byod_graphic425px/"><img class="alignleft size-full wp-image-11589" title="BYOD_graphic425px" src="http://lastwatchdog.com/wp/wp-content/uploads/BYOD_graphic425px.jpg" alt="" width="425" height="275" /></a>Pironti:</strong> The malware can exploit a vulnerability in the browser, but this does not have to be its only vector of attack.  The malware can also collect data from the phone by using tools such as key logging to capture passwords and personal messaging such as SMS and texts.</p>
<p>The malware may somehow exploit the device&#8217;s OS to then enable other attack capabilities, such as the use of the device as a jump point for other attacks, carrying out malicious activities such as sending text messages to pay-for-service sites that the attacker has set up without the user knowing this is occurring, capturing the user’s personal information, and other fairly typical attack methods. This commonly occurs on devices that have been &#8220;jailbroken,&#8221; which often removes or limits protections provided by vendors.</p>
<p><strong>Prince:</strong> Most of the attacks directed at mobile today have focused on stealing information from the user&#8217;s own phone, or surreptitiously signing them up for auto-billed services without their permission. The real concern going forward is that once connected to a corporate network, there is a risk the phones could steal information previously secured behind a firewall.</p>
<p>Phones today are mini-computers, so any exploit that hackers in the past have launched against PCs may now be revived and redeployed running as a rogue app on a phone. For example, a rogue app could quietly sniff for unencrypted data on a corporate wifi network and then send it out over the mobile carrier&#8217;s network &#8212; never once passing through the corporate firewall.</p>
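<p>The pattern the three answers above keep returning to, an app that asks for messaging or telephony permissions alongside network access, can be caught before a device is ever admitted to the corporate network by auditing what the app declares. The script below is an added example, not code from the original page or from any of the vendors quoted in it. The permission tiers are a constructed policy, and the two sample manifests are constructed inputs standing in for manifests decoded from real APKs; adjust the tiers to your own BYOD policy.</p>

```python
"""Audit an Android manifest for the permissions that make the abuse above
possible: premium-rate SMS, message interception and data exfiltration.

Added example, not code from the original page or from any vendor quoted in
it. The permission tiers and both sample manifests are constructed
assumptions standing in for a real BYOD policy and real decoded APKs.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # ElementTree's Clark notation for android:name

# Assumed policy tiers (not from the page). BLOCKED covers permissions that
# let an app run up premium-rate charges or read one-time codes; REVIEW
# covers permissions that widen the exfiltration surface of a work device.
BLOCKED = {
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS",
    "android.permission.CALL_PHONE",
}
REVIEW = {
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
}
# Both element names Android uses to declare requested permissions.
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")


def audit_manifest(manifest_xml: str) -> dict:
    """Return the package name, requested permissions and a policy verdict."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    requested = sorted(
        {el.get(NAME_ATTR, "") for tag in PERMISSION_TAGS for el in root.iter(tag)}
    )
    blocked = [p for p in requested if p in BLOCKED]
    review = [p for p in requested if p in REVIEW]
    # The SMS-Trojan shape: messaging access plus a network path back to the
    # operator. INTERNET alone is not suspicious; the combination is.
    sms_trojan_pattern = bool(blocked) and "android.permission.INTERNET" in requested
    verdict = "block" if blocked else ("review" if review else "allow")
    return {
        "package": package,
        "requested": requested,
        "blocked": blocked,
        "review": review,
        "sms_trojan_pattern": sms_trojan_pattern,
        "verdict": verdict,
    }


# Constructed input: a "free ringtones" app asking for far more than it needs.
RINGTONE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.holiday.ringtones">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

# Constructed input: a flashlight app that asks only for what it uses.
FLASHLIGHT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""


if __name__ == "__main__":
    for manifest in (RINGTONE_MANIFEST, FLASHLIGHT_MANIFEST):
        report = audit_manifest(manifest)
        print("%s: %s" % (report["package"], report["verdict"].upper()))
        for perm in report["blocked"]:
            print("  block  ", perm)
        for perm in report["review"]:
            print("  review ", perm)
        if report["sms_trojan_pattern"]:
            print("  note: messaging plus network access, the SMS-Trojan pattern")
```

<p>The ringtone manifest comes back as <code>block</code> with the SMS-Trojan flag set, because it pairs SEND_SMS and RECEIVE_SMS with INTERNET; the flashlight manifest is <code>allow</code>. The check is deliberately on declared permissions rather than on the app&#8217;s code: a declaration is cheap to read at enrollment time, and an app that does not hold the messaging permission cannot run up premium-rate charges no matter what its code does.</p>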
<p><em><strong>LW: What do you expect to happen in the next year or two?</strong></em></p>
<div id="attachment_11580" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11580" href="http://lastwatchdog.com/byod-trend-heightens-risk-corporate-intrusions/harry-sverdlove90px-7/"><img class="size-full wp-image-11580" title="Harry Sverdlove90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Harry-Sverdlove90px6.jpg" alt="" width="90" height="122" /></a><p class="wp-caption-text">Sverdlove</p></div>
<p><strong>Sverdlove:</strong> More and more consumers are shopping on their smartphone &#8211; downloading coupon apps, price comparison apps, and entering their credit card information on web sites. All from their smartphone. This makes the smartphone a rich target for financially motivated attackers.</p>
<p>Looking forward, into 2012 and beyond, I think we will see the same pattern emerge that has already occurred on the personal computer, where individuals are targeted for their access to intellectual property. We are approaching a half billion smartphones worldwide, with the majority of these devices being used for both personal and business data. This is a target-rich environment with poorly understood security risks. Nation states looking to steal corporate IP will start taking advantage of this landscape, if they have not already.</p>
<p><strong>Orozco: </strong>Attacks are financially motivated and in search of sensitive data. In the next couple of years we expect IT departments to get more secure with things like custom ROMs and tighter security policies. Malware authors will always be a step ahead, planning targeted attacks that begin on a smartphone and can spread to the PC network. Stealing data will be at the top of their list, either for spreading confidential information or stealing customer data.</p>
<p>&#8211;By Byron Acohido</p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/byod-trend-heightens-risk-corporate-intrusions/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Facebook&#8217;s sharing system swarmed by porn and gore</title>
		<link>http://lastwatchdog.com/facebooks-sharing-system-swarmed-porn-gore/</link>
		<comments>http://lastwatchdog.com/facebooks-sharing-system-swarmed-porn-gore/#comments</comments>
		<pubDate>Wed, 16 Nov 2011 00:48:46 +0000</pubDate>
		<dc:creator>bacohido</dc:creator>
				<category><![CDATA[Imminent threats]]></category>
		<category><![CDATA[Privacy]]></category>

		<guid isPermaLink="false">http://lastwatchdog.com/?p=11453</guid>
		<description><![CDATA[Facebook users today, 15Nov2011, were assaulted by a wave of pornographic and violent images, automatically pushed into their accounts as content supposedly liked or recommended by their friends. The images included doctored photos of pop singer Justin Bieber and other celebrities in demeaning poses. Other images depicted extreme violence and abused animals. Facebook members complained [...]]]></description>
			<content:encoded><![CDATA[<p><a rel="attachment wp-att-11454" href="http://lastwatchdog.com/facebooks-sharing-system-swarmed-porn-gore/justin-bieber_150/"><img class="alignleft size-full wp-image-11454" title="Justin Bieber_150" src="http://lastwatchdog.com/wp/wp-content/uploads/Justin-Bieber_150.jpg" alt="" width="150" height="150" /></a>Facebook users today, 15Nov2011, were <a href="http://www.usatoday.com/tech/news/story/2011-11-15/facebook-cyberattack/51225920/1">assaulted</a> by a wave of pornographic and violent images, automatically pushed into their accounts as content supposedly liked or recommended by their friends.</p>
<p>The images included doctored photos of pop singer Justin Bieber and other celebrities in demeaning poses. Other images depicted extreme violence and abused animals.</p>
<p>Facebook members complained and described the images in Twitter posts all morning. By mid-afternoon Eastern time, Facebook indicated it had the attack under control.</p>
<p>&#8220;We experienced a coordinated spam attack that exploited a browser vulnerability,&#8221; says Facebook spokesman Andrew Noyes. &#8220;Our efforts have drastically limited the damage caused by this attack, and we are now in the process of investigating to identify those responsible.&#8221;</p>
<p>Noyes says Facebook users were &#8220;tricked into pasting and executing malicious javascript in their browser URL bar causing them to unknowingly share this offensive content.&#8221;</p>
<p><a rel="attachment wp-att-11455" href="http://lastwatchdog.com/facebooks-sharing-system-swarmed-porn-gore/facebookporn_tweets425px/"><img class="alignleft size-full wp-image-11455" title="FacebookPorn_tweets425px" src="http://lastwatchdog.com/wp/wp-content/uploads/FacebookPorn_tweets425px.jpg" alt="" width="435" height="263" /></a><strong>Second coming of Storm</strong></p>
<p>This type of social-network sharing attack replaces the viral e-mail spamming worms of a few years ago. Back in 2007, the <a href="http://lastwatchdog.com/storm-e-mail-worm-evolves-wreaks/">&#8220;Storm&#8221; e-mail worm</a> used ruses about weather events to similarly spread e-mail spam on a massive scale.</p>
<p>The best and brightest spam gangs lately have been focused on finding innovative ways to leverage what they learned from the e-mail world in the social network universe.</p>
<p>In a sense, the spammers get a boost from Facebook&#8217;s sophisticated sharing technologies; such systems automate sharing and assume trust is built in, says Mike Geide, senior security researcher at Zscaler ThreatLabZ, research arm of cloud security company Zscaler.</p>
<div id="attachment_11456" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11456" href="http://lastwatchdog.com/facebooks-sharing-system-swarmed-porn-gore/mike-geide_90px/"><img class="size-full wp-image-11456" title="Mike Geide_90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Mike-Geide_90px.jpg" alt="" width="90" height="135" /></a><p class="wp-caption-text">Geide</p></div>
<p>&#8220;You can think of it as the social network version of e-mail spam,&#8221; says Geide. &#8220;With traditional spam, you needed to harvest e-mail addresses and then have a network to send spam. It was very active and noisy, and the e-mail provider could easily detect you and shut you down.</p>
<p>&#8220;Social messaging spam is much more passive and can be much more viral,&#8221; Geide continues. &#8220;The bad guys need only to seed a few hundred or maybe a thousand Facebook accounts, and then it spreads to friends and groups and automatically propagates. It becomes viral and takes on a shape of its own within a social networking infrastructure.&#8221;</p>
<p>Such attacks use Facebook systems to rapidly push malicious content all across the social network. <a href="http://techsavvyagent.com/facebook/how-bin-laden-hacked-facebook/">Similar trickery occurred</a> when Osama bin Laden was killed; hackers distributed messages to Facebook members luring them to cut and paste coding into their browser address bar to see a video of bin Laden&#8217;s body.</p>
<p>The bad guys in that case tapped into Facebook’s sharing systems to push spam advertisements virally to the victim’s friends and friends of friends. The spammers got paid every time someone clicked on the ad.</p>
<p><strong>Motive: embarrass Facebook</strong></p>
<div id="attachment_11470" class="wp-caption alignleft" style="width: 100px"><a rel="attachment wp-att-11470" href="http://lastwatchdog.com/facebooks-sharing-system-swarmed-porn-gore/chester_wisniewski90px-4/"><img class="size-full wp-image-11470" title="Chester_wisniewski90px" src="http://lastwatchdog.com/wp/wp-content/uploads/Chester_wisniewski90px.jpg" alt="" width="90" height="125" /></a><p class="wp-caption-text">Wisniewski</p></div>
<p>Clever criminals can push whatever content they desire through Facebook&#8217;s automated sharing system. Often attackers virally share corrupted weblinks; anyone who clicks on such a link gives over control of his or her PC to the attacker.</p>
<p>&#8220;In this case there doesn’t seem to be any motive other than to embarrass Facebook,&#8221; says Chet Wisniewski, senior researcher at antivirus firm Sophos.</p>
<p>Speculation circulated that the hackers associated with the renowned hacktivist group, Anonymous, were behind Tuesday’s Facebook attack.</p>
<p>Last August, Anonymous issued a <a href="http://www.cnn.com/2011/TECH/social.media/08/09/anonymous.facebook/index.html?iref=allsearch">decree that</a> a major Facebook hack &#8212; dubbed the &#8220;Fawkes&#8221; virus in honor of the anti-hero Guy Fawkes from the dystopian thriller <em>V for Vendetta</em> &#8212; would come in November. Anonymous posted a video last week repeating the threat.</p>
<p><object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="420" height="315" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><param name="src" value="http://www.youtube.com/v/O1YMxsAit_w?version=3&amp;hl=en_US" /><param name="allowfullscreen" value="true" /><embed type="application/x-shockwave-flash" width="420" height="315" src="http://www.youtube.com/v/O1YMxsAit_w?version=3&amp;hl=en_US" allowscriptaccess="always" allowfullscreen="true"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://lastwatchdog.com/facebooks-sharing-system-swarmed-porn-gore/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

