Wednesday, April 20, 2011

For my Intro to Computer Security students.

Top Federal Lab Hacked in Spear-Phishing Attack

The Oak Ridge National Laboratory was forced to disconnect internet access for workers on Friday after the federal facility was hacked, and administrators discovered data being siphoned from a server.

Only a “few megabytes” of data were stolen before the lab discovered the breach and cut internet access to prevent further exfiltration from the sensitive government facility, according to Thomas Zacharia, deputy director of the lab.

… Zacharia called the attack against the lab “sophisticated” and compared it to so-called “advanced persistent threat” attacks that hit security firm RSA last month and Google last year. [So, our friends in China again? Bob]

The attacker used an Internet Explorer zero-day vulnerability that Microsoft patched on April 12 to breach the lab’s network. The vulnerability, described as a critical remote-code execution vulnerability, allows an attacker to install malware on a user’s machine if he or she visits a malicious web site.

According to Zacharia, the intrusion came in the form of a spear-phishing email sent to lab employees on April 7. The e-mail, purportedly sent from the human resources department, discussed employee benefits and included a link to a malicious web page, where malware exploited the IE vulnerability to download additional code to users’ machines.

It’s not the first time the lab has been breached through spear phishing. In 2007, a similar attack allowed hackers to access a nonclassified database at the lab and gain access to thousands of names, Social Security numbers and birth dates belonging to anyone who had visited the lab between 1990 and 2004.


Hackers may have accessed more than 25,000 South Carolina students’ personal info

April 20, 2011 by admin

The identity of thousands of students and teachers has potentially been compromised after officials with the Lancaster County School District say a hacker was able to access their system.

According to school officials, the hackers were able to hack into the district’s system by monitoring district computers and capturing keystrokes to get passwords. Those passwords gave the hackers access into the records on the state system of more than 25,000 students and more than 2,500 school district employees.

While it’s still not clear exactly what information the hackers were able to access, the database houses information on current and former students and employees including names, birth dates, social security numbers, addresses and phone numbers.

School officials say the hacking occurred in March and were discovered by the U.S. Computer Emergency Readiness Team, which notified the S.C. Information Sharing & Analysis Center who notified the school district of the incidents last week.


Related: Notification Letter Dated April 12

[From the article:

"We are doing everything we can to prevent this from happening again, and we have put new measures in place to better assure that our computers are protected from such attempts."

[From the letter:

This kind of hacking is not something a person could find just surfing on the internet.[Actually, keylogging software can be found on the Internet. Try a Google search. Bob] It could be done only by skilled computer technicians who were purposely trying to capture this information.

Although we have no way of verifying which information was compromised, [Translation: i.e. “We don't keep logs” Bob]

Don't worry! We promise not to access your data, unless we want to...

Dropbox Can't See Your Dat– Er, Never Mind

"Dropbox, the online backup and file sharing service claims to have hit 25 million users in a single year. But a change in terms, noting that Dropbox will give up data to law enforcement under a legal request, showed that the company's security claims couldn't be possible. It turns out that Dropbox claims in one place that encrypted data makes it impossible for employees to see into user files, but in another says that they're only 'prohibited' from doing so."

This is one of those “If we had enough people, we would have had a cop follow this guy around, but we don't so we relied on technology.” If they had relied on flesh & blood, this wouldn't be an issue in the appeal.

Virginia Court of Appeals affirms conviction in warrantless GPS case

April 19, 2011 by Dissent

Back in September 2010, I noted that the Court of Appeals in Virginia had agreed to hear a case involving the use of GPS to track a man suspected of sexually assaulting women. The GPS device had been place in the bumper of his work van.

Thanks to Bob Gelman for letting me know that the court issued its opinion on April 5 in Foltz v. Commonwealth of Virginia. After rehearing the case en banc, the court upheld the conviction.

As background, after first having some suspicion as to the defendant’s role in a series of crimes based on modus operandi and matching up his probation meetings with the times and locations of assaults, on February 1, 2008, the officers attached a GPS system to the bumper of appellant’s assigned work van while it was parked on the public street in front of his residence. They did not obtain a search warrant prior to doing so nor did they obtain his employer’s permission.

Based on their ongoing review of the GPS data as well as assault data, their suspicion of him increased and they decided to follow him in real-time visual surveillance. As a result, they apprehended him in the act of assaulting a woman.

Foltz moved to have all of the evidence suppressed, arguing that the lack of a warrant violated his Fourth Amendment rights. The court ruled it admissible, and Foltz appealed on a number of grounds, including that the police officers’ eyewitness testimony was the “fruit of the poisonous tree” as there had been no warrant.

The Court of Appeals did not really get to the issue of the warrant in their opinion. They write:

From our review of the record on appeal, we conclude that the trial court did not err in denying appellant’s motion to suppress the eyewitness testimony of the police officers. We reach this conclusion without addressing whether the use of the GPS device, attached to employer’s van assigned to appellant, without first obtaining a search warrant, violated appellant’s rights under the Fourth Amendment of the United States Constitution and Article I, Section 10 of the Virginia Constitution.

Two of the justices, in their concurring opinion, however, noted that they felt the court should have addressed the Fourth Amendment issue as it had been raised and briefed. They indicated that in their opinion, there had been no violation of Foltz’s Fourth Amendment rights and that should have been the basis for affirming the trial court’s ruling. In their analysis, they note that although the use of warrantless GPS surveillance could raise Fourth Amendment issues, as applied to the facts of this specific case:

This case does not involve appellant’s home or even appellant’s own property. Especially as this case concerns a van owned and regulated by appellant’s employer, the circumstances in this case certainly did not violate appellant’s own privacy protections under the Fourth Amendment.

Justices Beales and Haley offer other arguments and analysis as to why the use of warrantless GPS as used in this specific case did not violate the Fourth Amendment. Their opinion makes for interesting reading, as does Justice Humphrey’s response to them.


April 19, 2011

EPIC - Solicitor General to Supreme Court: Review GPS Tracking Cases

"The Solicitor General filed a petition with the Supreme Court about the growing dispute in the federal courts over warrantless locational tracking. There is a split among the appellate court about GPS tracking by police agencies. The petition appeals a decision from the DC Circuit which held that the warrantless tracking of a motor vehicle violates the Constitutional right against unlawful searches. Earlier, EPIC filed an amicus brief in the Massachusetts Supreme Judicial Court case that also held that a warrant is required for the use of a GPS tracking device. For more information, see EPIC - Commonwealth v. Connolly and EPIC - Locational Privacy."

(Related) On the other hand...

Feds to Supreme Court: Allow Warrantless GPS Monitoring

The Obama administration is urging the Supreme Court to allow the government, without a court warrant, to affix GPS devices on suspects’ vehicles to track their every move.

The Justice Department, saying “a person has no reasonable expectation of privacy in his movements (.pdf) from one place to another,” is demanding the justices undo a lower court decision that reversed the conviction and life sentence of a cocaine dealer whose vehicle was tracked via GPS for a month without a court warrant.

Interesting indeed...

Article: From Facebook to Mug Shot: How the Dearth of Social Networking Privacy Rights Revolutionized Online Government Surveillance

April 19, 2011 by Dissent

Interesting law review article by Junichi P. Semitsu: From Facebook to Mug Shot: How the Dearth of Social Networking Privacy Rights Revolutionized Online Government Surveillance, 31 Pace L. Rev. 291 (2011).


Each month, Facebook’s half billion active users disseminate over 30 billion pieces of content. In this complex digital ecosystem, they live a parallel life that, for many, involves more frequent, fulfilling, and compelling communication than any other offline or online forum. But even though Facebook users have privacy options to control who sees what content, this Article concludes that every single one of Facebook’s 133 million active users in the United States lack a reasonable expectation of privacy from government surveillance of virtually all of their online activity.

Based on Facebook’s own interpretations of federal privacy laws, a warrant is only necessary to compel disclosure of inbox and outbox messages less than 181 days old. Everything else can be obtained with subpoenas that do not even require reasonable suspicion. Accordingly, over the last six years, government agents have worked the beat by mining the treasure trove of personal and confidential information on Facebook.

But while Facebook has been justifiably criticized for its weak and shifting privacy rules, this Article demonstrates that even if it adopted the strongest and clearest policies possible, its users would still lack reasonable expectations of privacy under federal law. First, federal courts have failed to properly adapt Fourth Amendment law to the realities of Internet architecture. Since all Facebook content has been knowingly exposed to at least one third party, the Supreme Court’s current Fourth Amendment jurisprudence does not clearly stop investigators from being allowed carte blanche to fish through the entire site for incriminating evidence. Second, Congress has failed to meaningfully revise the Electronic Communications Privacy Act (ECPA) for over a quarter century. Even if the ECPA were amended to cover all Facebook content, its lack of a suppression remedy would be one of several things that would keep Facebook a permanent open book. Thus, even when the government lacks reasonable suspicion of criminal activity and the user opts for the strictest privacy controls, Facebook users still cannot expect federal law to stop their private content and communications from being used against them.

This Article seeks to bring attention to this problem and rectify it. It examines Facebook’s architecture, reveals the ways in which government agencies have investigated crimes on social networking sites, and analyzes how courts have interpreted the Fourth Amendment and the ECPA. The Article concludes with an urgent proposal to revise the ECPA and reinterpret Katz before the Facebook generation accepts the Hobson’s choice it currently faces: either live life off the grid or accept that using modern communications technologies means the possibility of unwarranted government surveillance.


(Related) Is this a model for “Consent?” Will “Opt In” become mandatory in the UK?

RIPA to be changed to demand full consent to monitoring

April 19, 2011 by Dissent

It will no longer be enough to have “reasonable grounds” to believe that someone had consented to monitoring of their communications under changes to the Regulation of Investigatory Powers Act (RIPA) proposed by the Government.

Putting notice of monitoring in terms and conditions will not be enough to count as consent to that monitoring, the Home Office said. Its plans to change RIPA will mean that it will only be legal to intrude on private communications if you have a warrant or both the sender and recipient of information agree that it is acceptable, even if it is done unintentionally.


Tools for the “Cut & Paste” generation...

The 3 Best Clipboard Managers For Windows

The Windows clipboard is where information is stored temporarily when you copy something, for example a link, an image, or a piece of text. The clipboard can only hold one single item, so whenever you copy something else, the previous item will be discarded. If you didn’t mean to lose what you had copied earlier that can be a real bummer.

A Windows clipboard manager can fill in the void and add much needed capacity and functionality to the Windows clipboard. Not only can it maintain a history of items you copied during your current or even multiple Windows sessions, it can also save text snippets you frequently use and make them easily accessible.


Yankee Clipper III

xNeat Clipboard Manager

For my Disaster Recovery students (and all the others...) The download link is broken, so wait a bit.

DOWNLOAD Stuff Happens: The Backup & Restore Guide

Disasters happen. Unless you’re okay with losing all of your data, you need a good backup system. If you know this but haven’t got around to setting up backup on your PC, this is the guide to read.

Stuff Happens: The Backup and Restore Guide” or Read now on Scribd

I'm told that Twitter is now the biggest Job Search engine...

5 Twitter Job Services For Some Real-Time Job Search

You can bet that when Twitter increasingly has the power to spread revolutions, it can be a vital ally of your job hunting campaign.

In its overreaching popularity lies its job hunting prowess. Companies are increasingly using it spread their updates. Vacancies and recruitment’s are just one of them.

Even if you do a simple search for a job lead on Twitter, you will be surprised at the number of links that total up. I am not even telling you to do an advanced Twitter search or develop industry specific social strategy. We are talking here of Twitter services that do the job of distilling relevant job tweets for you so that you can find jobs on Twitter.

Here are five of them.

Tweet My Jobs


Job Shouts


Twitter JobCast

No comments: