Hacker Arrested for Blackmailing German Children’s Social Networking Site: 1 M Children Affected
by futurecrimes on Oct 30, 2009 • 11:44 am
While hacking is by no means a new phenomenon, the volume of data criminals are able to obtain as a result of such attacks is increasing exponentially. Those who live their lives online and provide a constant stream of personal data to social networking companies such as Facebook, Myspace and Twitter are placing their trust in these firms to protect their personal information. Even though nearly all social media companies have implemented, to one extent or another, privacy policies and settings for their users, such steps only protect against voluntary disclosure of information. That is to say, establishing privacy settings to only allow friends and family in your network to see your activities is a useful tool to prevent the social networking site itself from disclosing your data to uninvited parties.
While much has been written and said about the limited nature of privacy protection in Web 2.0 services, it is important to note that all of these policies only protect you against people who follow the law and the terms of service of the social networking firm with whom you have shared your data. As illustrated below, however, they do nothing to prevent hackers from obtaining unauthorized access to your personal data–all your personal data.
While many might be comforted by a particular site’s privacy policy/user settings, it is important to remember that when turning over all of one’s deepest personal thoughts, pictures and tweets to the “cloud,” this information is only as secure as the cloud itself. As demonstrated in the story below, when the cloud is insecure, so is all your data. In this case, a hacker was able to obtain extensive personal information on hundreds of thousands of children in Germany. While the primary motivation appears to have been financial gain via extortion, the involved criminal could have just as readily sold the data to international child abuse networks for a significant fee. Imagine the damage the data might have done in the hands of convicted child abuse offenders. They would have photos, addresses, names and date of birth details of any child they might be interested in. How long before somebody predisposed to sexual abuse of a minor might act upon this data and begin stalking and then contacting a potential child victim? What if the child him/herself had posted an embarrassing photo online and might now be subject to blackmail by a child abuser to engage in unwanted sexual activity to prevent disclosure and release of the photos to a wider audience (as happened here in this case)?
This case underscores the need to carefully weigh the risk versus gain in opting to share personal data in social networking sites. Of course it goes without saying that poor site security, insecure software, wide propagation of malware and the common use of social engineering are also a big part of the problem. While the great benefit and convenience of Web 2.0 services can prove almost addicting, it may be time for a more rational and reasoned approach to the massive push to use these services. At a minimum, users should understand the risks in participating in such activities.
Up to 1 Million German School Children Affected by Data Security Breach
by Markus Goebel, October 21, 2009
Police in Berlin, Germany have arrested a man who apparently tried to blackmail VZ-Netzwerke, the holding company for the successful Facebook clone StudiVZ and other German social networks.
The man had used crawler software to harvest detailed user information (residence, date of birth, relationship status, hobbies, favourite music, favourite movie, …) not only from the group’s networks for adult people, StudiVZ and MeinVZ, but also from Germany’s biggest social network for pupils, SchülerVZ. The 20-year-old man asked for €80,000. Kind of a pathetic amount, don’t you think?
If the company had refused to pay, he threatened to sell the information to gangs in Eastern Europe. The true number of the stolen records remains unclear. But in a blog post from May he had already bragged how his bot could copy 48,000 profiles in just four hours and even posted a video on YouTube.
The case developed very fast since last weekend, as you can see in the post at the StudiVZ company blog which is full of strike-throughs and updates. What started as a white hat attack on SchülerVZ, a network with 5m members from 12 to 21 years, turned into a crime story.
On Friday the whistleblower blog Netzpolitik.org received data of more than 1m minors from another anonymous source that only wanted to point at a security hole in SchülerVZ. He had no intentions to sell the records and had also used crawler software to obtain these data. No hacker skills were necessary, although IP number checks and the website’s Captchas should have prevented the harvest.
The Netzpolitik.org post about this leak drew out the other hacker, known only as Mathias L., who obviously had less noble intentions. He bragged in his now defunct blog that his bot “sVZ Crawler”, based on PHP, JS, Ajax and different shell scripts, was better and that he could download much more detailed user information. As proof, he uploaded some of the data to a Hacker and Cracker internet forum where at least 17 other users downloaded it.
On Sunday he paid a visit to the social networks’ office in Berlin upon invitation by VZ-Netzwerke, and was welcomed by the waiting police. He has already admitted the attempted extortion, the public prosecutor’s office declared on Tuesday.
Source: Techcrunch
