Enterprise Security Blog

July 29, 2009

Theft at Goldman Sachs and Opinion in New York Times

This is a tale of the hole in Goldman’s Socks as told by Warren Axelrod.

The New York Times and the Wall Street Journal (July 7, 2009) reported the recent insider theft of key intellectual property from Goldman Sachs in the form of 32-megabytes of program code. Goldman Sachs is a company with a reputation on the Street for its tight security. The alleged perpetrator of the crime is a former Goldman employee Sergey Aleynikov.

Apart from the realization that protecting against insider threats is a challenge for even the most talented and capable of information security departments, there seemed nothing much different in this case from many others. Then I read an Op-Ed piece written by oyster farmer Michael Osinski in the July 17, 2009 issue of the New York Times. The title of the article is “Steal This Code,” which is clearly a play of words on the title of Abbie Hoffman’s book “Steal This Book.”

Mr. Osinski , by his account a successful computer programmer for 20 years, claims to have written some of the programs that he believes contributed to the mortgage meltdown of 2008. Mr. Osinski declares that “it [stealing code] is done all the time”. Regardless of whether his opinion is accurate or pervasive, it is exactly this attitude that makes it difficult to enforce security policy and procedures.

He also contends that a programmer “bonds” with his code. Well, putting the bonding aside, the programmer shouldn’t be deluded into thinking that he/she owns the code. Unfortunately, there are many insiders, such as Mr. Osinski, who just don’t get it. Intellectual property, which you develop on the job, belongs to your employer - period! In many companies, including Goldman, you sign agreements, stipulating you understand and accept this policy as a condition for continued employment. Employees are often able to technically copy computer-based intellectual property with relative ease, but that doesn’t mean that they have a protected right to do so.

Mr. Osinski gives the impression that he condones such behavior and suggests, as in some of the original newspaper reports, that the program code actually stolen was probably of little use in and of itself. The obvious question is: How do they know that potential buyers of the program code would not have the capability of using it? Are we to believe that Mr. Aleynikov would be so ignorant or naïve as to steal useless program code. Secondarily, why would Goldman have gone to the trouble of having him tracked down and arrested, knowing full well that the exploit, once made public, would have a considerable negative impact on their reputation?

While controls are in place in most large modern companies, everything cannot be completely locked down, otherwise nobody could do any work. You have to be able to copy software and data from one place to another, but it should be done in compliance with the policy and procedures mandated by the company, and also required by legislation and regulations.

What's the moral to this tale - should Goldman have mended the hole in the sock? The issue for security professionals is that Goldman appeared to have detected the unauthorized transfer of the computer programs after the fact and had to engage in a forensics exercise that took about a month to complete. Wouldn't it have been better if the theft had been detected in near real-time and even prevented at the outset? Goldman could have avoided the adverse publicity and we would have been spared the misguided comments from those who reject the fact that it was wrong in the first place.

Intellitactics helps companies prevent data loss with real time correlation of security events with a state of the art security information and event management (SIEM) solutions. Collecting logs from anything located anywhere and transforming them into actionable reports and just in time alerts is easy and affordable with Intellitactics.

Posted by Sunil Bhargava at 12:34 PM in current affairs | Permalink | Comments (1) | TrackBack (0)

Technorati Tags: employee agreements, Goldman Sachs, intellectual property, intellectual property theft, Intellitactics, Warren Axelrod

July 02, 2009

Intellitactics on Medical ID Theft and Health Reform

Sunil Bhargava: The White House is kicking up the volume on health care reform and several plans are under consideration. While the overriding goal of healthcare reform is to ensure the right to healthcare for a larger segment of the US population, it will require a close look at taking the cost out of healthcare by providing streamlined, secure management of health information. Everyone knows that the collection of and access to patient information represents a major portion of the cost of healthcare. Overall, the prevalence of legacy systems, processes requiring redundant data collection and incompatible data bases create lots of cost in delivering patient care. The In the following post, guest author, Warren Axelrod, suggests that forethought can minimize the exposure to unavoidable costs resulting from medical ID theft.

Warren Axelrod: In an article by Walecia Konrad, (6/13/09 New York Times, “A New Ailment: Medical ID Theft: Treatment at Your Expense, Or at Least Your Insurer’s”) I read that medical ID theft is on the rise. Medical ID theft is when someone hijacks your health card account and charges all manner of services without your knowledge. Usually you only become aware of it when a red flag is raised, in the form of you exceeding your limit or you being notified of charges that you did not make. So how is credit card account ID theft and medical account ID theft different?

For one, if “Joe” (the thief) steals your medical ID and charges various services to your account, the information relating to Joe’s medical condition is protected personal information under HIPAA (Health Insurance Portability and Accountability Act). The implications are somewhat ridiculous but are surely unintended consequences of HIPAA. The article states that if and when your medical information is intermingled with Joe’s, you may have trouble accessing your files since HIPAA apparently requires that Joe’s medical information, which may be intertwined amongst your records, must be kept confidential. The article goes on to state that the discovery of “erroneous information in … medical files … may pose a bigger danger than the financial risks.” These risks include the possibility that a doctor will make an incorrect diagnosis or prescribe the wrong treatment because he/she is distracted by Joe’s information in your file.

As President Obama pushes for the massive automation of medical records, we must take into account the risks that medical account hijacking imposes. As more information is converted to electronic form, the security of those records becomes increasingly at risk. Yes, automation will likely yield greater efficiencies and lower direct costs. However, the cost of ID theft and its consequences to the health and financial wellbeing of the patient must be taken into account. While there is money to be saved by automating health records there is money to be spent building the requisite levels of security. Measuring the indirect costs resulting from misdiagnosis and rectifying damaged credit ratings are less easily measured than direct out-of-pocket costs, and therefore much more likely to be ignored. Positive results from reform could likely be diminished by the impact of lax security.

Pam Dixon, executive director of the World Privacy Forum, is quoted as saying, “Without aggressive safeguards, we could be building an infrastructure for massive medical fraud.” Agreed. So the mission is clear: design and implement the requisite security measures before the system is developed; rather than afterwards when the costs will be orders of magnitude greater.

Want to know more about securing patient information? Go to www.intellitactics.com to learn about HIPAA compliance.

Posted by Sunil Bhargava at 12:00 AM in compliance, current affairs, enterprise security management | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: HIPAA, Intellitactics, medical account ID theft

June 30, 2009

Intellitactics - NEW Book Review

Sunil Bhargava: It might appear that the security industry isn’t making as much progress as we might expect against increasingly sophisticated and damaging exploits. When we step back to assess the reasons there doesn’t appear to be more progress we have to consider if we’re doing anything different today than we were doing five years ago. We reviewed a new book – Enterprise Information Security and Privacy (Artech House, 2009) – and interviewed one of the editors, Warren Axelrod, in our First Person Series podcast “Busting Security Myths”. This book focuses on new thinking and has many stellar contributors, subject matter experts from several verticals like financial, telecommunications, energy and transportation. Here’s Warren Axelrod, one of the editors, giving a preview of what new information the book provides.

From the desk of Warren Axelrod: In the new book Enterprise Information Security and Privacy, edited by Jennifer Bayuk, Dan Schutzer and me, we quoted Marshal McLuhan, who stated:

Our Age of Anxiety is, in great part, the result of trying to do today’s job with yesterday’s tools and yesterday’s concepts.

We editors went to great lengths to persuade those in the information security field, who are forward-looking, to write for the book and come up with innovative and effective approaches to improving the security and privacy of our systems and processes. We didn’t confine ourselves to “Young Turks” who might question everything but not have any useful solutions. We found that even someone, such as Donn Parker, who has been in the field for more than 35 years, can question “hand-me-down” security myths and suggest better ways of tackling security risk, for example.

But there are many in our profession who are not as imaginative and follow the well-trod paths. We still hear the mantra of “complex passwords” in response to phishing and session hijacking which allow the bad guys to gain access regardless of how complex passwords might be. We are regularly admonished about “data leakage prevention” when most organizations, as Jennifer Bayuk describes in her chapter, haven’t even classified their data or even knows where the data might be at every point in time. Many practitioners are not familiar with the security and privacy laws and regulations that impact their every day decision and will benefit greatly from Tom Smedinghoff’s chapter. What about the energy industry? Peter Curtis gives us an insider’s view of the security issues confronted in that sector.

We could go on and on about areas in which security and privacy professionals are backward-facing and are missing the demands and complexities of the evolving computer and network environments. It is shameful since there are many tools and practices that can reduce security risk and lead to more trustworthy environments; they are just not being used. A number of security officers, with whom I have spoken, have their heads in the sand. They seem to think that if they are not aware of a vulnerability or exploit, then they won’t be held accountable when things go awry. Experience has shown that this is not the case. It behooves security and privacy managers to install monitoring probes wherever feasible and work through the logs using automated methods in order to reveal improper behavior. They need to be thinking ahead as technologies like virtualization and cloud computing burst into the IT world.

You can’t steer a car by looking at the rear-view mirror, and you can’t manage security by relying solely on methods and approaches that have been successful in the past. Some of these techniques don’t have the impact they once had. There is a growing recognition that a huge research and development effort is needed to address the rapidly increasing number, complexity and sophistication of threats. However, if we were to use the many tools and good practices, which are already available to us, in meaningful ways, we could achieve a significantly higher level of security, privacy, trustworthiness and safety. This is a pragmatic course of action that can be taken while we wait for the silver bullet that may never come.

Posted by Sunil Bhargava at 12:00 AM in current affairs, enterprise security management | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: best practices, Ed Amoroso, information security, Intellitactics, privacy

June 25, 2009

Obama’s CyberSecurity Policy

Sunil Bhargava: Cyber attacks are typically silent, stealth in nature and don’t command the attention of the general public. President Obama’s announced cyberspace policy didn’t get the attention it deserved – given that cyber attacks have the potential to close down critical infrastructure – effectively closing down the markets, strategic defenses, disease control infrastructure or the core communications networks. So why isn’t the cyberspace policy getting the attention it may deserve? This is what we asked Warren Axelrod, security expert, author and speaker. Here’s Warren’s response.

From the desk of Warren Axelrod: Why is the cyberspace policy boring? The answer I’m giving is one that security professionals will be able to identify with – to an outsider it’s boring. Virginia Heffernan in a recent New York Times Magazine article entitled “Lights! Camera! Inaction! People Using the Internet are Boring”. Ms. Heffernan discusses the various, mostly unsuccessful, attempts by filmmakers to create excitement when something, which would cause all sorts of reactions in the physical world, happens in cyberspace. The flashing of messages of doom and destruction on a screen does little to raise one’s pulse. It is only when the messages are linked to visuals of bad physical things happening, as in the Terminator or Batman movies or Die Hard and Live Free that anxiety increases in the audience.

The people tuned into the President’s announcement are the professionals at Homeland Security, the Pentagon and the utility officials protecting the three main electric grids. These are people who know that attacks are up year over year and the attackers are getting smarter and more devious every day. There were a couple of articles on the cyber speech the next day but not as many as one would expect – given the gravity of the situation. The news aggregation magazine, The Week, provided Cyber Security 101 in the article “The Rise of the Cyberspy”. This article focused on the Pentagon’s “near constant” cyber attacks by foreign hackers primarily from Russia and China.

So again, the general public, who depend so heavily on the Internet and computer systems and networks in general for their well being and economic progress, can’t seem to get excited about a President who actually uses technology and knowing the dangers is setting policy, making cyber security a priority. We can only hope that the steps we need to take to defend ourselves in the dangerous realm of cyber space won’t be delayed and prioritized out of existence as it was eight years ago. The new “cyber czar” may be greeted with some fanfare, but will likely find it as difficult as his or her predecessors to implement effective measures. If only cyber criminals had two heads and long tails that could decapitate an innocent bystander.

Postscript: Intellitactics is the chosen SIEM by intelligence and defense organizations on the front line of cyber attacks. Join Intellitactics every Tuesday to see what it takes to defend against cyberspys and hackers.

Posted by Sunil Bhargava at 12:00 AM in current affairs, enterprise security management, threat detection | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: Barack Obama, cyber attacks, Cyber Security, US Cyber Policy

June 23, 2009

Picture this - Intellitactics NEW EnterpriseVue

Jeff Vince, Director of Solution Services with Intellitactics, spends more time in Fortune 100 SOCs than anyone else at Intellitactics. He relates that the job of enforcing security policy is hard and thankless. "While the security team is accountable for prevention and defense, they need every employee to be on board with the rules and regulations. Training is the obvious answer, but reminding people every day to DO what they learn in training requires continuous awareness."

That's what EnterpriseVue for ISM is designed to do. Using state of the art dashboard technology, EntepriseVue transforms gigabytes of data into graphical and tabular reports arranged on a role appropriate dashboard. The dashboard is dynamic with protected access to specific roles and responsibilities. ISM or Intellitactics Security Manager is a fully featured security information and event management (SIEM) solution that transforms millions of logs into actionable security events, automates alerting and accelerates investigation and incident response. "You can configure dashboards for the NOC, the application managers, the business line managers and other stakeholders. Everyone benefits from the ISM repository of security information, while the SOC works with security events to actively monitor control violations and attacks," explains Vince.

“Training end users on behaviors they can watch out for amongst their peers and then reinforcing that training with frequent reporting may deter the activity of a malicious insider,” is an example offered by Jeff Vince, Director of Solution Services for Intellitactics. “We encourage the SOC to run reports that keep security front of mind. We also suggest they involve other IT functions like network operations, database managers, application managers and others by providing reports they can use to make decisions and take actions to comply with policies.”

Read more about EnterpriseVue for ISM. Looking for a SIEM appliance? Intellitactics SAFE offers the same powerful, dynamic dashboard powered by the Intellitactics Security Data Warehouse - the only fully integrated repository that doesn't limit capacity to maintain performance.

Posted by Sunil Bhargava at 12:00 AM in compliance, enterprise security management, IT Security ROI | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: dashboard, Intellitactics, Security awareness, Security Manager, SIEM

June 16, 2009

Intellitactics and Quest - security as a service

Now, QUEST- a California based service provider - is offering a NEW Managed Security Service. They'll be implementing Intellitactics SAFE appliances on the customer's premise and remotely managing logging, compliance reporting and event analysis. Their clients get all the control of ownership without the overhead.

Everyday we talk to companies that want and need to automate log reviews, threat detection and reporting requirements for multiple regulatory standards. They are all doing something, but they all want to do more. Unfortunately, the economic turmoil has created obstacles for these companies to move forward. Staffing is an issue, deploying and implementing the solution takes time, even the evaluation process required for a capitol investment requires more energy than they have. These are all good reasons to consider security as a service.

QUEST CEO Tim Burke and I were talking about what they're clients say are good reasons to engage with a security service provider. More companies are considering security as a service and by implementing Intellitactics SAFE on the Client premise - they get the best of both worlds. Quest offers redundant operation centers and SAS 70 Type II certification; the staff is highly qualified. This new security offering, featuring Intellitactics SAFE may be just the ticket for companies that need a fast start - whether they're prepping for audtis, augmenting staff or defending against cyber criminals that stalk mid-size companies. Quest's unique service offering is a short term fix for lots of companies which will offer long term benefits.

Posted by Sunil Bhargava at 12:00 AM in enterprise security management, IT Security ROI, partners, security as a service, threat detection | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: Intelllitactics, managed security services, PCI compliance, Quest, security as a service, SIEM

June 09, 2009

Intellitactics is the Number One Choice for MSSPs

Intellitactics ClientVue MSSP is a business enabler for the MSSP to improve customer satisfaction and increase effectiveness. More and more organizations are choosing managed security services for both security information management and security event management. Intellitactics products are used by leading MSSPs in North America and Europe: ATT, Perimeter Security, Alcatel Lucent and Telus to name a few. ClientVue is a dashboard specially designed to benefit Managed Security Service Providers (MSSP) and their Clients.

MSSPs use the Intellitactics portfolio that includes both software and security appliances to provide a fully capable SIEM (security information and event management). The Intellitactics products enable centralized services or co-opted services that place appliances on the Client premise complementing centralized alerting and incident response management at the MSSP SOC. ClientVue, an easy to configure and privately branded dashboard, can be offered as an essential part of managed security service (MSS). ClientVue easily integrates to an existing portal and authentication. Intellitactics is the only SIEM to offer the MSSP this flexible communication and collaboration tool.

ClientVue offers your Client a window into the results you provide and simplifies the dialogue between you and your Client during incident resolution.

· ClientVue is extensible: This intuitive dashboard displays in tabular or graphical format hundreds of summary reports. ClientVue uses Intellitactics’ fast and reliable Security Data Warehouse (SDW) which includes any and all data collected from the security infrastructure. ClientVue can also be configured to import data from external repositories as well.

· ClientVue is flexible: The MSSP has great flexibility in designing the dashboards. While most Clients may need to see similar summaries, the MSSP can easily accommodate unique differences.

· ClientVue is affordable: Pricing for ClientVue adapts to the MSSP business model. Not only do the Clients benefit, but the MSSP’s operators and analysts get a great boost of productivity.

Get more on ClientVue and security services offered by Intellitactics partners.

Posted by Sunil Bhargava at 06:00 AM | Permalink | Comments (1) | TrackBack (0)

Technorati Tags: dashboard, Intellitactics, managed security services, SIEM

June 03, 2009

Intellitactics Poised for Mid Market Success

This week Gartner published their annual research on security information and event management (SIEM)vendors. The research covers the high number of vendors (21) in this space and it also underscores the many different ways companies are building, packaging and selling SIM and SEM and a combined solution for companies that want and can handle both.

So what about Intellitactics? Well, we have two distinct product lines that we've developed. The first is a software solution, Intellitactics Security Manager, that in Gartner's estimation is "optimal for large enterprises" with the need to customize and configure their SIEM to adapt to sophisticated and complex requirements.the second is Intellitactics SAFE - a fully capable SIEM appliance that is uniquely designed for mid market companies. SAFE is simple to deploy and easy to use. So if a company just wants to do better during an audit or is large enough to face complex security threats but too small for dedicated security operations centers then SAFE is perfect. Lots of capability on ONE appliance - the ultimate in simple and a fast path to value.

Our packaging is simple. Buy what you need now from Intellitactics or from a select number of VARs that all have unique capabilties and areas of expertise. We're also proud of the MSSPs that offer security services in the traditional way or co-opt SIEM with a SAFE appliance on premise with remote management by the MSSP. No matter what your budget, there is an affordable way to get the benefits of SAFE: improved understanding of logs and events and accelerated investigation of security incidents. We aren't bundled with your storage solution or your NOC solution or thrown into your maintenance bill. Everyone of our customers conducted a thorough investigation and selection process and chose Intellitactics.

Finally, we like what we do. Everyone in the company takes a lot of pride in the success our customers in 21 countries and many industries are having with our product. We are just as excited today after 11 years of providing security solutions as we were when we the first customer bought a product that in those days was an elaborate toolkit.

So if you're an independent thinker and you're looking for a vendor partner highly invested in your success - we're the company you're looking for! Take a look - any Tuesday and see for yourself how simple SIEM can be.

Posted by Sunil Bhargava at 06:00 AM in compliance, enterprise security management, log management, partners, threat detection | Permalink | Comments (0) | TrackBack (0)

Technorati Tags: Gartner, Intellitactics, SIEM

June 02, 2009

Intellitactics Detects Insider Threats

The most dangerous insider threat is the employee who knowingly breaks security policy to achieve a selfish or malicious end. According to CERT, 68 percent of theft for competitive advantage takes place within three weeks of an employee leaving his/her job. These threats are deliberate and involve financial gain, revenge or an attempt to gain competitive advantage – sometimes called espionage. Unfortunately, many organizations report that they don’t have anyone focused on insider threats – malicious or otherwise. If you can identify a risk you try to prevent it. Many organizations develop sophisticated policies but don’t implement the technology required to enforce it. Following the reliable maxim "If on the other hand you can’t prevent it, you must detect it" suggests that policy enforcement requires monitoring of security events, or minimally reports on logs. Simply put, if you identify a risk, then you should attempt to prevent it and monitoring is a recommended mitigation for risk.

Detection, in fact, plays a critical role in all risk controls; network and operating system logging is vital. You can use logs to detect out of norm behavior, especially if you can aggregate logs by source, target or user id and set thresholds using time or number of instances that will create an automatic notification. SIM solutions, known for logging, that offer security event management can have a major impact on the productivity and capability of your security team. There are never enough eyeballs to review logs. Log searching, no matter how sophisticated the technology, is effective when you specifically know what you are looking for. Automated event management transforms logs into more useful and actionable information.

Disgruntled employees often act out of the norm by creating unknown accounts, setting up backdoor connections and other behaviors that proper logging, and ideally security event management, can detect. Several best practices exist, but they all have one common bond: Someone must review the reports your systems generate! Better yet – choose a system that generates alerts. Many insider attacks go unnoticed because attackers develop tools and innovations while no one else is watching.

Another complimentary approach is security awareness training. In the case of malicious insiders, the education is not targeted at the user -- who clearly doesn't care about security policy and is bent on breaking it -- but on the insider's potential colleagues, who might recognize the warning signs that a co-worker is about to be bad and with training will know what to do about it.

See how simple logging and event management on one appliance can be, join our Intellitactics SAFE open house every Tuesday.

Posted by Sunil Bhargava at 11:32 AM in enterprise security management, threat detection | Permalink | Comments (1) | TrackBack (0)

Technorati Tags: insider threat, Intellitactics, threat detection

May 21, 2009

Facebook Privacy – Are You Feeling Lucky Today?

From the desk of Warren Axelrod: Researchers at the Helsinki Institute for Information Technology (HIIT) determined that there are a number of ways in which users manage privacy on Facebook and other social networking sites.

Are you following these best practices?

· Avoid updating your status with information that you don’t want everybody to see

· Choose to exchange private messages rather than writing on public walls

· Keep messages within closed groups

· Approve only a limited number of people as friends

· Define groups of friends more precisely

· Avoid publishing information that others might find negative or troublesome

But what about Facebook and the others – what should they be doing to provide privacy management systems that are easy to use? What problems aren’t addressed?

One problem is that it can take an extraordinary amount of effort to manage all the various groups and members of groups that you have assigned and then remember all the participants and their relationships. Inevitably memory will fail and mistakes will be made.

Second, you can’t be sure that when you share, the person you intend to share with won’t share with someone that you would not choose to have your pictures or stories. You could avoid sharing information that, in the wrong hands, could have a negative impact. While you may choose to avoid publishing certain information it does not preclude revealing information that may, over time, become important to protect. This dynamic aspect of information privacy is extremely difficult, if not impossible, to anticipate.

The dynamic aspect of privacy is further emphasized in a New York Times article “Career Couch: The Online Divide Between Work and Play,” by Matt Villano. He discusses, in a Q & A format, a number of privacy issues pertaining to social networking sites, such as LinkedIn, Facebook, MySpace and Twitter. Mr. Villano reports on his discussion with Nick O’Neill of “All Facebook” blog fame. Mr. O’Neill has recently posted a guide to mastering Facebook’s new privacy settings. O’Neill reports that “Most Facebook users don’t even know these [privacy] features are options. I can’t tell you how many people sign up and don’t ever think about privacy again.”

Security professionals know that privacy protection is not static and is therefore more difficult to manage. I wrote about this in ISACA’s IS Control Journal in an article “The Dynamics of Privacy Risk”. Facebook and Twitter are new – privacy concerns are not. Consideration of how to avoid and protect against disclosure of private information is very similar to designing for and using secure Web 2.0 applications. When combining applications and data, one may not be fully aware of their “pedigrees” and in fact may be confronted with systems and data from highly questionable sources.

The tradeoff in managing privacy is between trust and avoidance. If you aren’t absolutely sure about origin, source and destination, then avoidance might be a better strategy, even if it results in many fewer capabilities. Trust is a two-edged sword. By establishing trusted relationships, one can share more information and benefit from that sharing. However, if a trusted relationship is subsequently compromised, then the losses can be that much greater.

Since it is so difficult to determine current trustworthiness and forecast future trustworthiness, it is perhaps better to stick to the avoidance strategy or, in security jargon, “default deny.” You should only relax privacy when you are very sure of the trustworthiness of the applications and individuals. You need to maintain constant vigilance in keeping such knowledge current. Once a system breach occurs, or information is inadvertently disclosed over a social network, it is too late to reel the data back in – there are no “re-do’s”. While avoidance is a viable alternative, it can put critical processes in jeopardy. A prudent approach is gradual, controlled increase in access and use; evaluating at every step along the way.

See you on Facebook – maybe!

Posted by Sunil Bhargava at 01:48 PM | Permalink | Comments (1) | TrackBack (0)

Technorati Tags: Facebook, Nick O'Neill, Privacy