Wednesday, April 11, 2018

The Privacy Revolution is the fourth Great Revolution (Part 2)

So, the next interesting thing to happen was that at the end of 2007, I sold my company, Exploit Prevention Labs (XPL), to AVG. XPL watched for exploits coming off the web, because I'd figured out in 2005 that the Web was the next attack surface. (Windows XP Service Pack 2 had been released in 2004, and for the first time the firewall was on by default. I knew that this would be an extinction-level event for the malware of the day, network worms like Code Red, but I also knew that the Bad Guys would not give up, and the web was the obvious attack point... but I digress...)

Because of AVG's huge client base, I suddenly had a hundred million pairs of eyes helping to watch what was going on, and one day I noticed some interesting stuff coming through Facebook from Russia, and I thought, "I wonder why it's all coming from Russia?" So I tweaked the detection a bit and did a release, and suddenly the main source shifted to the USA. Still Facebook, but the USA.

Now, to be perfectly clear, upon further examination, the triggering code was not exploitative or malicious. It was just obfuscated enough that it looked suspicious at first glance, and it was interesting because it was coming through Facebook. And, again, Facebook was not doing anything wrong... it's just how things worked. People linked to their own websites, outside of Facebook.

The triggering application turned out to be a Pink Ribbon Breast Cancer Support app. The idea was that you could access the app, and that would show your support for a clearly worthy cause. In using the app, however, you quite clearly said that you allowed the app to access all your contacts, and presumably your information. A couple of hundred thousand women had allowed that at the time I noticed.

Further examination showed that the information was going back to a website called, and this was the website...

No "About us" or "Contact us". Just that block graphic. Searching Google a bit revealed that they made "social applications". For example, they had a "Do-it-yourself survey" app that anyone could tweak and release. Again, I am not suggesting there was anything malicious here, but presumably anyone using any of the apps would provide all their information to that app, and Google revealed they had a lot of apps.

Ownership was hidden behind a privacy protector.

Again, this implies no wrongdoing, and it is not uncommon to hide website ownership, but it does mean that we have no idea who was collecting the data, or what they were doing with the data.

By 2010, the site had morphed into a much more normal looking website...

It morphed a few more times, and then seemed to disappear entirely sometime in 2015.

Again, I am not suggesting that they were doing anything malicious. They just collected a whole lot of data, and we don't know who they were, and why they wanted the data. There doesn't seem to be any connection to any of the players in the current Cambridge Analytica saga, so the burning question is ...

Just how many organizations are out there collecting data, and what are they doing with it?

Part 3 tomorrow, folks.

