Wednesday, March 30, 2011

A CyberWar technique. Allows the government to offer protestors communications that are “safe from government spies.”

FBI probes Comodo Web security breach

The FBI is investigating how a hacker tricked a New Jersey company into issuing fraudulent digital certificates for Google, Yahoo, Microsoft, and other major Web sites, the firm's chief executive said today.

Comodo CEO Melih Abdulhayoglu told CNET this afternoon that "it is an ongoing investigation" that has drawn in both the FBI and Italian law enforcement.

Abdulhayoglu confirmed that a reseller in Italy called GlobalTrust had its network compromised by a hacker traced to Iran. That person, or multiple people, obtained fake digital certificates for nine Web sites that also included Skype and Mozilla. Those certificates, which have since been revoked, allowed someone to impersonate the secure versions of those Web sites--the ones that are used when encrypted connections are enabled.

(Related) Forewarned is forearmed.

Australian Prime Minister Hacked

Computers belonging to the Australian prime minister and at least nine other federal ministers were recently hacked, according to a news report.

Besides Prime Minister Julia Gillard, Foreign Minister Kevin Rudd and Defense Minister Stephen Smith were also targeted.

Several thousand e-mails were accessed by the intruders beginning in February, before Australian authorities were tipped off to the breach by U.S. intelligence officials at the CIA and FBI, according to the Daily Telegraph.

The attack reportedly targeted the e-mail system for Australia’s Parliament House, which is used for nonsensitive communications among parliament members. Ministers use a more secure departmental network for more sensitive communications, according to the paper.

Hackers also recently struck Canadian government computers. That attack reportedly involved more-sensitive systems, allowing the attackers to access highly classified information, according to the CBC News. The hackers breached systems belonging to the Finance Department and Treasury Board as well as Defence Research and Development Canada, which conducts scientific and technological research for the Department of National Defence.

Just another laptop.

Missing BP laptop had personal data of claimants (updated)

March 29, 2011 by admin

Associated Press reports that a BP employee lost a laptop containing unencrypted personal information on approximately 13,000 people who had filed compensation claims prior to August 2010 stemming from the Gulf oil spill.

Read more on Quad-Cities Online. BP did not provide any details on the types of information for each claimant or any gap between the loss of the laptop and their discovery that it was lost. I’ve sent an inquiry to BP to try to get additional details as there is no press release on their web site, either.

Thanks to @jslarve for the heads-up on this one.

Update: NPR has a more complete version of the AP report that indicates that the laptop, which was lost on March 1, contained a spreadsheet of claimants’ names, Social Security numbers, phone numbers and addresses.

The employee lost the laptop on March 1 during “routine business travel,” said Thomas, who declined to elaborate on the circumstances.

“If it was stolen, we think it was a crime of opportunity, but it was initially lost,” Thomas said.

BP is offering to pay for claimants to have their credit monitored by Equifax, an Atlanta-based credit bureau.

"Ontogeny recapitulates phylogeny." Every new technology (or old technology given a new name by the Marketing Dept.) starts from 'square one' – without security, privacy, backups or any other "Best Practice" learned through bitter experience by earlier technology generations.

No Privacy on Amazon’s Cloud Drive

March 30, 2011 by Dissent

Steven J. Vaughan-Nichols writes:

Who couldn’t love the idea of the new Amazon Cloud Drive? You get at least 5GBs of free cloud-based storage, and it’s trivial to get 20GBs of free storage on Amazon Cloud Drive. Used in concert with the Amazon Cloud Player you get a fine cloud-based music player that can be used either from a Web browser or on Android tablets with the Amazon MP3 App. The new Amazon consumer cloud service also works well. It’s just too bad that you have to give up all privacy to use it.

Don’t believe me? Read the Amazon Cloud Drive Terms of Use for yourself.

Read more on Networking (ZDNet)

I thought everything was fair in Divorce Court...

Lewton v. Divingnzzo: Hidden Audio Recorder in Teddy Bear Violates Federal Privacy Law

March 29, 2011 by Dissent

Gary Juskowiak discusses a court decision reported here last month:

Parents who are concerned about their child’s well-being might use hidden electronic monitoring devices such as hidden audio recording devices and nanny cams. Unfortunately, parents who use these devices may unwittingly violate federal and state law. In Lewton v. Divingnzzo (PDF), a mother was convicted of violating the Wiretap Act of the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §§ 2510-2522, after she concealed an audio recording device in her daughter’s teddy bear (“Little Bear”) for the purpose of gathering evidence to sabotage the child custody rights of her ex-husband. Over five months she downloaded the recorded conversations from the audio recording device to her computer, burned CDs of the conversations, and ultimately had transcripts made of the conversations.

Read his analysis of the case and relevant federal law on Berkeley Technology Law Journal.

h/t, @TheCyberLawyer.

Still not sure what happened. If it was a bug, why were Middle Eastern countries impacted and no others? Improbable, at least.

Microsoft Denies HTTPS Shutdown Was Intentional

"Microsoft acknowledged that Hotmail's HTTPS encryption service was shut off for users in some countries, but denied that it was because of an intentional ploy to limit email security in countries that have experienced anti-government protests and limits on freedom of expression. 'We do not intentionally limit support by region or geography and this issue was not restricted to any specific region of the world,' Microsoft said. Syria, Morocco, Bahrain, Iran, Lebanon, Jordan and Algeria were among the affected countries, but the problem is now resolved."

Why would the FTC parrot what the lobbyists tell them?

A Response to Commissioner Rosch on Do Not Track

March 29, 2011 by Dissent

Jonathan Mayer writes:

Late last week FTC Commissioner Rosch penned a column in which he repeated a number of hackneyed criticisms of Do Not Track. Senators McCaskill and Pryor articulated similar concerns at a recent hearing. This piece sequentially deconstructs Rosch’s column and replies to each of his substantive critiques.

Read Jonathan’s counterpoint on CIS. Here’s a snippet:

Consumers may also lose the free content they have taken for granted. Not only could consumers potentially lose access to free content on specific websites, I fear that the aggregate effect of widespread adoption by consumers of overly broad do-not-track mechanisms might be the reduction of free content, free applications and innovation across the entire internet economy.

On the contrary, there is substantial reason to believe Do Not Track is no threat to ad-supported businesses. This conclusion is bolstered by the news that thirty online advertising firms are willing to implement Do Not Track.

Well of course they are...

NASA Vulnerable To Crippling Cyber Attacks

"The computer network NASA relies upon to carry out its billion dollar missions is just like your Mac or PC at home: vulnerable to cyber attacks. NASA's servers contain vulnerabilities that could enable a cyberattack to cripple the entire agency, according to a recent audit report from the Office of the Inspector General. The report was an unflattering look at NASA's internal computer security operations, as the Inspector General recommended the agency expedite the implementation of a new agency-wide program to oversee the network security problem."

Fluff or is DHS preparing to mandate security?

March 28, 2011

DHS - Enabling Distributed Security in Cyberspace

Enabling Distributed Security in Cyberspace - Building a Healthy and Resilient Cyber Ecosystem with Automated Collective Action, March 23, 2011

  • "Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants – private firms, non‐profits, governments, individuals, processes, and cyber devices (computers, software, and communications technologies) – that interact for multiple purposes. Today in cyberspace, intelligent adversaries exploit vulnerabilities and create incidents that propagate at machine speeds to steal identities, resources, and advantage. The rising volume and virulence of these attacks have the potential to degrade our economic capacity and threaten basic services that underpin our modern way of life. This discussion paper explores the idea of a healthy, resilient – and fundamentally more secure – cyber ecosystem of the future, in which cyber participants, including cyber devices, are able to work together in near‐real time to anticipate and prevent cyber attacks, limit the spread of attacks across participating devices, minimize the consequences of attacks, and recover to a trusted state. In this future cyber ecosystem, security capabilities are built into cyber devices in a way that allows preventive and defensive courses of action to be coordinated within and among communities of devices. Power is distributed among participants, and near‐real time coordination is enabled by combining the innate and interoperable capabilities of individual devices with trusted information exchanges and shared, configurable policies."

[From the report:

We know today that users are not routinely complying with cyber best practices and configuration guidelines. Adoption of security standards is decidedly slow, and early indications are that cybersecurity continuous monitoring will face impediments to adoption.

A persistent challenge in today’s ecosystem is the inability to establish level of harm as a result of a cyber incident – be it loss of intellectual property, privacy, consumer confidence, business opportunity, or essential services.]

Virtual Court? Might as well sentence them too...

Florida Detectives Use Skype to Obtain Warrants

The Palm Bay Police Department is using Skype -- an online service that allows video conferencing and phone calls -- to help officers in the field obtain warrants to draw blood from suspects in DUI cases. Police spokesman Darin Morgan said Monday that time is of the essence when it comes to impaired driving cases.

Morgan says the system is "like a virtual office and courtroom." He worked with Judge David Silverman and prosecutors to develop the system.

Field officers email documents to the judge, then hold conference calls via Skype to obtain the necessary warrants.

They say the technology can be expanded to other types of crime.

Evidence in the IBM antitrust lawsuit arrived in semi-trailers. Can you get your head around a discovery request for “all the raw data and all post-algorithmic results delivered for the past 10 years...”?

Has Google learned Microsoft's antitrust lessons?

For anyone who followed Microsoft's testy battles with competition regulators 10 years ago, Google's current antitrust problems may provoke more than a little sense of deja vu.

Google dominates the Internet search advertising business and has allegedly used that hegemony to thwart rivals in adjacent markets. Regulators in the United States and Europe are looking into claims by smaller niche search companies, such as 1plusV, which runs the site in France and in Columbus, Ohio, that Google is manually altering search results, [Trillions of them every day? Bob] demoting where rivals show up in its ranking, making it harder for customers to find their services. Google points out that its algorithms naturally push those sites down in rankings because those search engines offer little more than links to other sites, created solely to generate revenue as a middleman.

(Related) Of course we read everyone's mail...

Gmail To Roll Out Ads That Learn From Your Inbox

Gmail is in the process of rolling out a new ad system that could prove to be quite powerful: ads that learn what you’re interested in based on your email habits. The feature first showed up in my Gmail account earlier this afternoon (there’s a prompt informing users about the new ads), and a Google spokesperson has confirmed that they are indeed in the process of rolling this out worldwide. Here’s the full information page describing the feature, found by clicking the ‘Learn More’ button.

Google says that while this notification will be rolling out to users gradually over the coming days, the personalized ads won’t actually go live for around a month. In the meantime, users can opt out of the new system through Gmail’s settings panel (the default is that you’re opted in).

[From the Information Page:

For example, if you’ve recently received a lot of messages about photography or cameras, a deal from a local camera store might be interesting. On the other hand if you’ve reported these messages as spam, you probably don’t want to see that deal.]

This may be redundant, but I think it's worth a read.

Wall St. J. Covers Tragedy of the Data Commons

March 30, 2011 by Dissent

Derek Bambauer writes:

Today’s Wall Street Journal has an article discussing data privacy that draws on Jane Yakowitz’s great new paper, Tragedy of the Data Commons, which is presently making the rounds of the law reviews in the spring submission cycle. The article examines contemporary attitudes towards privacy and, as Jane’s paper describes, the tradeoffs between enhanced (and perhaps unnecessary) privacy measures and the loss of valuable data for research and innovation.

Read more on Info/Law.

This is news? I have to admit it makes writing articles easier.

Newspaper Plagiarizes Blog, Taunts Real Author

"I've been keeping an eye on this viral marketing campaign called Petite Lap Giraffe — it's the DirecTV ads with the Russian guy and the tiny giraffe. I was pretty quick to debunk the existence of the giraffes, so a lot of people have been visiting my blog as a result. Today, I noticed a New-York area newspaper that represented my research as its own, so I asked them to link to my blog (i.e. provide attribution). What ended up happening perfectly illustrates that newspapers just don't understand how the Internet works ..."

Poor Facebook

Is there really 'Facebook depression?' (podcast)

Clinical Report: The Impact of Social Media on Children (PDF) starts out with data showing that teen and pre-teen use of social media has "increased dramatically" over the last five years, as has use of cell phones and texting. It also points out that "because of their limited capacity for self-regulation and susceptibility to peer pressure, children and adolescents are at some risk as they navigate and experiment with social media."

For my Computer Security class

Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon

When first discovered in 2010, the Stuxnet computer worm posed a baffling puzzle. Beyond its unusually high level of sophistication loomed a more troubling mystery: its purpose. Ralph Langner and team helped crack the code that revealed this digital warhead's final target -- and its covert origins. In a fascinating look inside cyber-forensics, he explains how.

Geeky stuff

Report: Microsoft sending Windows 8 to PC vendors