Thursday, December 01, 2011


Do we (the US) take this seriously enough to make a hotline a reality?
"China should look at establishing a cyber crisis hotline with the United States, according to a Chinese newspaper seen as a window into official thinking. Discussions about a crisis hotline might seem an obvious first step in improving relations. But if it's a sign the Chinese government is beginning to think about how to coordinate a rapid, unified response to cyber emergencies, then it is an extremely important one."

(Related) Perhaps so...
"Deciding when malware becomes a weapon of war that warrants a response in the physical world – for example, a missile – has become a necessary part of the discussion of military doctrine. The Pentagon recently outlined (PDF) its working definition of what constitutes cyber-war and when subsequent military strikes against physical targets may be justified as result. The main issue is attribution of cyber attacks. The Department of Defense is working to develop new ways to trace the physical source of an attack and the capability to identify an attacker using behavior-based algorithms. 'If a country is going to fire a missile at someone, it better be sure it has the right target,' said one expert. A widely held misconception in the U.S. government is our offensive capabilities provide defensive advantage by identifying attacker toolkits and methods in foreign networks prior to them hitting our networks. So when do malware and cyber attacks become a weapon or act of war that warrant a real-world military response?"


Update: Nifty little app. Where does the data end up?
Did Carrier IQ Violate Wiretap Law in Millions of Cases?
November 30, 2011 by Dissent
The Carrier IQ kerfuffle that came to light after a researcher, Trevor Eckhart, revealed some really spooky snooping took a wicked turn. Andy Greenberg reports:
A piece of keystroke-sniffing software called Carrier IQ has been embedded so deeply in millions of Nokia, Android, and RIM devices that it’s tough to spot and nearly impossible to remove, as 25-year old Connecticut systems administrator Trevor Eckhart revealed in a video Tuesday.
That’s not just creepy, says Paul Ohm, a former Justice Department prosecutor and law professor at the University of Colorado Law School. He thinks it’s also likely grounds for a class action lawsuit based on a federal wiretapping law.
Read more on Forbes. David Kravets had reported on this matter yesterday on Threat Level.
The Mountain View, California-based firm is really getting a lot of bad press since Trevor Eckhart published his findings. First they threatened to sue him – until EFF jumped in to defend him and made them see the error of their ways. Now this. Watch the video and be … appalled… offended… furious:
http://www.youtube.com/watch?feature=player_embedded&v=T17XQI_AYNo#! [Tedious and techie, but interesting! Bob]
Somewhat ironically, Carrier IQ’s most recent tweet, on November 21, was “Understanding the experience of the mobile user.” I guess they meant really, really, really, REALLY understanding the experience.
But not everyone agrees with Professor Ohm’s opinion that Carrier IQ could be facing a criminal wiretap charge or massive class action lawsuit. In a post on Pastebin today, security researcher Dan Rosenberg writes, in part:
After reverse engineering CarrierIQ myself, I have seen no evidence that they are collecting anything more than what they’ve publicly claimed: anonymized metrics data. There’s a big difference between “look, it does something when I press a key” and “it’s sending all my keystrokes to the carrier!”.
In response, Professor Ohm tweeted
Wiretap only if one “acquires” content, so maybe a defense, but “anonymized metrics data” may be content.
I guess we’ll have to wait to see if federal prosecutors charge the firm. What’s more certain is that at least some lawyers will rush to file a civil suit.


Small breach, but a good “bad example.” You can probably get away with this since your students (and certainly the reporters covering the story) don't know enough to ask the tough questions.
http://www.databreaches.net/?p=21917
The College of New Jersey reports vulnerability might have exposed 12,815 student job applicants’ information
November 30, 2011 by admin
David Karas reports:
Officials at The College of New Jersey this week reported an unintentional data breach in the On-Campus Student Employment System, an in-house system designed to store information about students applying for on-campus jobs.
According to a notice sent to students and faculty Monday, a vulnerability in the system was identified Nov. 2 by a student who applied for a position and accidentally viewed the personal information of 12 other students. The student reported the incident, officials said, and the system flaw was repaired within hours.
“Though there is no indication that any of the additional 12,815 records contained in the system were accessed by any unauthorized individual,” the statement read, “the possibility exists that the database could have been accessed through this vulnerability.”
Read more on NJ.com
“No indication… but the possibility exists?” Do they have logs going back far enough or don’t they? The State Police statement that it “has not found any evidence that data had been extracted from the system” (to date) is reassuring, but only if there are sufficient logs and the data weren’t indexed by a search engine.
So for how long did this vulnerability exist? Since 2002, when the system was built, or is this a more recent vulnerability?
And were these records indexed by Google?
There’s more information that we need to know to assess the risk of this incident, including what kinds of information were in the database.
In April 2010, the college also experienced an exposure breach, but that one involved an alumni database.
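The questions above (do the logs go back far enough, was any other record served to the wrong person, could a crawler have reached the records) are answerable from an application access log if one exists. The script below is an added example, not code from the college or the NJ.com story: neither the notice nor the article says what the flaw was or what the system logs, so the log format, the user names, the `hr_admin` role and the sample lines are all constructed assumptions.

```python
"""Audit an application log for cross-user record access.

Added example, not code from TCNJ or the NJ.com story. The log format,
the user names and the 'hr_admin' role are assumptions; the sample
lines are constructed.
"""
import re
from collections import defaultdict

# Assumed log format: <timestamp> user=<login> GET /apply/record/<record_owner> status=<code>
# 'user=-' marks an unauthenticated request (how a search-engine crawler would appear).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) GET /apply/record/(?P<owner>\S+) status=(?P<status>\d+)$"
)
AUTHORIZED_ROLES = {"hr_admin"}  # accounts allowed to view any record (assumption)

SAMPLE_LOG = """\
2011-11-02T14:01:07 user=jsmith GET /apply/record/jsmith status=200
2011-11-02T14:01:33 user=jsmith GET /apply/record/kdoe status=200
2011-11-02T14:01:35 user=jsmith GET /apply/record/mlee status=200
2011-11-02T14:03:12 user=kdoe GET /apply/record/kdoe status=200
2011-11-02T15:20:01 user=- GET /apply/record/rpatel status=200
2011-11-02T15:20:02 user=- GET /apply/record/wchen status=302
2011-11-03T09:00:00 user=hr_admin GET /apply/record/mlee status=200
"""


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def cross_user_accesses(log_text):
    """Every successful (200) fetch of a record by someone other than its owner
    or an authorized role, as (requesting_user, record_owner, timestamp)."""
    hits = []
    for e in parse(log_text):
        if e["status"] != "200":
            continue  # redirects to login and errors did not serve the record
        if e["user"] == e["owner"] or e["user"] in AUTHORIZED_ROLES:
            continue
        hits.append((e["user"], e["owner"], e["ts"]))
    return hits


def exposure_summary(log_text):
    """Which records were served to whom, and which were reachable with no login at all."""
    hits = cross_user_accesses(log_text)
    exposed = defaultdict(set)
    for user, owner, _ in hits:
        exposed[owner].add(user)
    return {
        "records_exposed": sorted(exposed),
        "exposed_to": {owner: sorted(users) for owner, users in exposed.items()},
        "reachable_without_login": sorted({o for u, o, _ in hits if u == "-"}),
        "earliest": min((ts for _, _, ts in hits), default=None),
    }


def unassessable_before(log_text, deployed_ts):
    """If the log starts after the vulnerable code was deployed, return the first
    logged timestamp: nothing before it can be ruled in or out. Otherwise None."""
    stamps = [e["ts"] for e in parse(log_text)]
    if not stamps:
        return deployed_ts  # no log at all: the whole window since deployment is unassessable
    start = min(stamps)
    return start if start > deployed_ts else None


if __name__ == "__main__":
    from pprint import pprint
    pprint(exposure_summary(SAMPLE_LOG))
    print("unassessable before:", unassessable_before(SAMPLE_LOG, "2002-01-01T00:00:00"))
```

Run against the constructed sample, the audit reports that two records were served to a fellow applicant, that one record answered an unauthenticated request (so a crawler could have fetched and indexed it), and that if the flaw dates from the 2002 build, everything before the first logged line is simply unknown, which is the honest answer behind “no indication… but the possibility exists.”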


Lots of data, insufficient analysis? A few conclusions jumped to... Probably correct to sound the alarm. Still, it should have been detected and resolved months earlier...
Exclusive: Comedy of Errors Led to False ‘Water-Pump Hack’ Report
It was the broken water pump heard ’round the world.
Cyberwar watchers took notice this month when a leaked intelligence memo claimed Russian hackers had remotely destroyed a water pump at an Illinois utility. The report spawned dozens of sensational stories characterizing it as the first-ever reported destruction of U.S. infrastructure by a hacker. Some described it as America’s very own Stuxnet attack.
Except, it turns out, it wasn’t. Within a week of the report’s release, DHS bluntly contradicted the memo, saying that it could find no evidence that a hack occurred. In truth, the water pump simply burned out, as pumps are wont to do, and a government-funded intelligence center incorrectly linked the failure to an internet connection from a Russian IP address months earlier.
… Mimlitz says last June, he and his family were on vacation in Russia when someone from Curran Gardner called his cell phone seeking advice on a matter and asked Mimlitz to remotely examine some data-history charts stored on the SCADA computer.
Mimlitz, who didn’t mention to Curran Gardner that he was on vacation in Russia, used his credentials to remotely log in to the system and check the data. He also logged in during a layover in Germany, using his mobile phone.
“I wasn’t manipulating the system or making any changes or turning anything on or off,” Mimlitz told Threat Level.
… On Nov. 8, a water district employee investigating the pump failure called in a contract computer repairman to check it out. The repairman examined the logs on the SCADA system and saw the Russian IP address connecting to the system in June. Mimlitz’s username appeared in the logs next to the IP address.
The water district passed the information to the Environmental Protection Agency,
… But from there, the information made its way to the Illinois Statewide Terrorism and Intelligence Center, a so-called fusion center composed of Illinois State Police and representatives from the FBI, DHS and other government agencies.
Even though Mimlitz’s username was connected to the Russian IP address in the SCADA log, no one from the fusion center bothered to call him to ask if he had logged in to the system from Russia.
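The log already held the one fact needed to close the case: the username beside the foreign IP. The triage routine below is an added example, not code from the Wired story, the utility or the fusion center; it shows what an analyst script should do with a foreign-IP login before anyone writes “Russian hackers” in a memo: attach the account owner to the finding, note whether the session changed anything, and route it for verification rather than escalation. The log format, the IP-to-country table (stand-in blocks, not real allocations) and the contact list are constructed.

```python
"""Triage remote logins in a SCADA access log.

Added example, not from the Wired story or any fusion center tooling.
The log format, the GEO_TABLE (a stand-in for a GeoIP lookup; these
blocks are not real allocations) and ACCOUNT_OWNERS are constructed.
"""
import ipaddress
import re
from collections import OrderedDict

GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "RU"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]
HOME_COUNTRY = "US"
# Who owns each account, so the analyst knows whom to call (constructed).
ACCOUNT_OWNERS = {"jmimlitz": "integrator on call, +1-555-0100"}
CONTROL_EVENTS = {"SETPOINT", "COMMAND"}  # events that change process state

# Assumed line shape: <date> <time> <EVENT> user=<login> src=<ip> [extra fields]
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>\w+)\s+user=(?P<user>\S+) src=(?P<src>\S+)(?P<rest>.*)$"
)

SAMPLE_LOG = """\
2011-06-12 03:14:05 LOGIN user=jmimlitz src=203.0.113.7 result=ok
2011-06-12 03:14:30 VIEW  user=jmimlitz src=203.0.113.7 object=history_chart
2011-06-12 03:22:10 LOGOUT user=jmimlitz src=203.0.113.7
2011-06-14 11:02:00 LOGIN user=jmimlitz src=198.51.100.9 result=ok
2011-11-08 09:40:11 LOGIN user=operator src=192.0.2.15 result=ok
2011-11-08 09:41:00 SETPOINT user=operator src=192.0.2.15 object=pump1 value=off
"""


def country_of(ip):
    """Look the address up in the stand-in table; '??' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


def sessions(log_text):
    """Group events by (user, source IP), preserving first-seen order."""
    out = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        out.setdefault((m["user"], m["src"]), []).append((m["ts"], m["event"]))
    return out


def triage(log_text):
    """One finding per foreign-IP session, each carrying the person to ask first."""
    findings = []
    for (user, src), events in sessions(log_text).items():
        cc = country_of(src)
        if cc == HOME_COUNTRY:
            continue
        control = any(ev in CONTROL_EVENTS for _, ev in events)
        known = user in ACCOUNT_OWNERS
        findings.append({
            "user": user,
            "src": src,
            "country": cc,
            "first_seen": events[0][0],
            "events": [ev for _, ev in events],
            "control_actions": control,
            "contact": ACCOUNT_OWNERS.get(user, "unknown account"),
            # A known account with read-only activity is a phone call, not an incident.
            "action": "escalate" if control or not known
                      else "verify with account owner before escalating",
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['first_seen']} {f['user']}@{f['src']} ({f['country']}) "
              f"events={f['events']} control={f['control_actions']} -> {f['action']}; ask: {f['contact']}")
```

On the constructed log both foreign sessions belong to a named account and contain only view activity, so the output is two verification tasks with a phone number, not an attack report. The same script would escalate immediately if the foreign session had issued a setpoint change or used an account nobody owns, which is the distinction the fusion center skipped.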


Lots more data?
"President Obama this week issued a directive to all federal agencies to upgrade records management processes from paper-based systems that have been around since President Truman's administration [Surely records go back a bit farther than that? Bob] to electronic records systems with Web 2.0 capabilities. Agencies have four months to come up with plans to improve their records keeping. Part of the directive is to have the National Archives and Records Administration store all long-term records and oversee electronic records management efforts in other agencies. Unfortunately, NARA doesn't have a stellar record itself (PDF) in rolling out electronic records projects. Earlier this year, due to cost overruns and project mismanagement, NARA announced it was ending a 10-year effort to create an electronic records archive."


How influential?
Mark Zuckerberg Invents Two New Chief Privacy Officer Roles At Facebook
In a blog post today on Facebook's website, CEO and founder Mark Zuckerberg announced two new roles within the company's executive team: Chief Privacy Officer (Policy) and Chief Privacy Officer (Products).
Erin Egan, who recently joined Facebook from law firm Covington & Burling, will become Chief Privacy Officer (Policy).
Michael Richter, who has been Facebook's Chief Privacy Counsel on the company's legal team, will become Chief Privacy Officer (Products).

(Related)
Facebook's FTC settlement won't change much, if anything
Federal Trade Commission officials spent the day touting a new settlement with Facebook, with FTC Chairman Jon Leibowitz saying the company now will be "obligated" to keep its privacy promises.
But in reality, the agreement is likely to have little, if any, actual impact on Facebook users.
One reason is that Facebook won't have to roll back any changes to its default privacy settings, which have grown more permissive over the last few years.


Since there is no agreement, Dr Cirka doesn't co-own this “online commentary.” What does this indicate? Fear that an occasional angry patient might harm his practice? Fear that angry patients aren't that occasional? Apparently he never considered angry potential patients who are also professional writers with privacy concerns.
By Dissent, November 30, 2011
This may be more of a free speech than a privacy issue, but because a provider presented it as a “mutual privacy” issue, I’m posting this eyebrow-raising report by Nate Anderson:
When our own Timothy B. Lee stepped into a Philadelphia dentist’s office earlier this year, he had an unpleasant experience: the dentist required him to sign over control of all copyright in future online commentary related to that dentist. Here’s how Tim described the visit:
When I walked into the offices of Dr. Ken Cirka, I was looking for cleaner teeth, not material for an Ars Technica story. I needed a new dentist, and Yelp says Dr. Cirka is one of the best in the Philadelphia area. The receptionist handed me a clipboard with forms to fill out. After the usual patient information form, there was a “mutual privacy agreement” that asked me to transfer ownership of any public commentary I might write in the future to Dr. Cirka. Surprised and a little outraged by this, I got into a lengthy discussion with Dr. Cirka’s office manager that ended in me refusing to sign and her showing me the door.
Read more on Ars Technica.


Interesting recognition of reality?
"Internet freedom got a boost Wednesday when Italy's highest court ruled that the editors of online publications can't be held legally responsible for defamatory comments posted by their readers. The judges said online publications could not be treated in the same way as traditional print media and could not be expected to exercise preventative editorial control over readers' comments."


Not everyone gets it. Is there any conceivable way to save the printed book industry?
"Sci-fi author Charlie Stross has written a post about how the Big Six book publishing companies have painted themselves into a corner in the rapidly growing ebook industry. Between user-unfriendly DRM and the Amazon juggernaut, they're slowly pushing themselves out of business. Quoting:
'Until 2008, ebooks were a tiny market segment, under 1% and easily overlooked; but in 2009 ebook sales began to rise exponentially, and ebooks now account for over 20% of all fiction sales. In some areas ebooks are up to 40% of the market and rising rapidly. (I am not making that last figure up: I'm speaking from my own sales figures.) And Amazon have got 80% of the ebook retail market. ... the Big Six's pig-headed insistence on DRM on ebooks is handing Amazon a stick with which to beat them harder. DRM on ebooks gives Amazon a great tool for locking ebook customers into the Kindle platform.'"


Have I mentioned this business model before? If the only existing solution is proprietary (the more unique the better), reverse engineer it and sell your services to everyone when the rest of the industry catches up.
Google, VMware, and Cisco Throw Money at Puppet
Three giants of the IT game have invested big money in Puppet Labs, an outfit that develops open source software for automatically configuring and managing machines inside the data center.
… Kaines actually built Puppet Labs with Google in mind. Back in 2005, web giants such as Google and Amazon were using software that did automated IT tasks in their data centers, but these tools were completely proprietary. Kaines sought to bring this sort of IT automation to the masses, building an open source platform as well as a for-pay offering designed specifically for enterprises. “Our open source product solves most problems of every enterprise,” he says. “And our commercial product solves every problem of most enterprises.”


Well duh! Who do you think has been training these guys?
SPYFILES: Revelations of a Billion-Dollar Mass Surveillance Industry
December 1, 2011 by Dissent
Today Wikileaks releases nearly 1,100 internal documents, sales brochures and manuals for products sold by the manufacturers of systems for surveillance and the interception of telecommunications.
These new leaks reveal a mass surveillance industry that’s now worth $5 billion a year, with technologies capable of spying on every telephone and Internet network on a national scale. The flagships of this market are called Nokia-Siemens, Qosmos, Nice, Verint, Hacking Team, Bluecoat and Amesys. The documents detailing their interception capabilities will be progressively released online by Wikileaks.
OWNI, who worked in partnership with the Washington Post, The Hindu, L’Espresso, the German channel ARD and The Bureau of Investigative Journalism in this operation which has been dubbed the Spy Files, has attempted to present an overview of this new type of industry, by creating an interactive map and a dedicated site, SpyFiles.org. Andy Mueller-Maguhn, former spokesman for the German Chaos Computer Club (the most influential group of hackers in the world), is also associated with this investigation, to which he has devoted a site, BuggedPlanet.info.
To date, we have documented a total of 133 of these surveillance weapons dealers, including 36 in the United States, 18 in the United Kingdom, 15 in Germany, 11 in Israel and eight in Italy. As with “traditional” arms dealers, most of them are located in rich and democratic countries. 12 of the 26 countries documented are also part of the European Union, which accounts for 62 of these companies.
Read more on OWNI.eu.


Attention Ethical Hackers! Welcome to the University Flight Center! Please do not buzz the Professors or harass the geese.
An anonymous reader sends this excerpt from the Seattle Times:
"Drone aircraft, best known for their role in hunting and destroying terrorist hideouts in Afghanistan and Pakistan, may be coming soon to the skies near you. Police agencies want drones for air support to find runaway criminals. Utility companies expect they can help monitor oil, gas and water pipelines. Farmers believe drones could aid in spraying crops with pesticides. 'It's going to happen,' said Dan Elwell, vice president of civil aviation at the Aerospace Industries Association. 'Now it's about figuring out how to safely assimilate the technology into national airspace.' That's the job of the Federal Aviation Administration, which plans to propose new rules for using small drones in January, a first
