Saturday, August 13, 2011

Lessons learned from Arab Spring? You may have to put up with peaceful protest, but you don't have to provide their organizational tools...

BART Disables Cell Service To Disrupt Protests

"Yesterday, in an effort to disrupt rumored protests at Bay Area Rapid Transit stations, BART officials disabled cell phone and internet access within most of the BART system by shutting down the antennas that enable reception in the underground stations."

Real progress – some lawyers may even know what the term means!

Open Source For Lawyers?

"Law Technology News is reporting that FOSS for large law firms and corporate counsel is starting to gain traction. There's a project called FreeEed, for the electronic discovery step in lawsuits, and there's software for the document page numbering process known as Bates stamping — affectionately called 'Bates Master' by the programmers. Are big law firms ready to accept open-source code?"

(Related) Access to raw data is good. Finding the needle in the haystack is better. Lexis and Westlaw still have value.

August 12, 2011

Members of the Free Access to Law Movement (FALM)

"There is now a website listing the 40 members of the Free Access to Law Movement, with links to their websites and links to the Declaration on Free Access to Law in 17 languages or scripts." [Graham Greenleaf AM, Professor of Law & Information Systems, University of New South Wales (UNSW)]

For my Ethical Hackers: Calculate how long it will take to crack any password...

August 12, 2011

Writing and Maintaining Secure Online Passwords

...and how well hidden is YOUR needle?

"Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose is discovered.

If every possible password is tried, sooner or later yours will be found. The question is: Will that be too soon...or enough later? This interactive brute force search space calculator allows you to experiment with password length and composition to develop an accurate and quantified sense for the safety of using passwords that can only be found through exhaustive search. Please see the discussion below for additional information."
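The arithmetic behind that calculator, as an added Python example written for this post (it is not the calculator's own code): it works out which character classes a password draws on, sums the exhaustive search space over every length up to the password's own, and turns that into time at three guess rates. The rates and the sample passwords are assumptions chosen for the example, not figures from the page.

```python
"""Brute-force search-space calculator for password "haystacks".

Added example, not the calculator's own code. Given a password, find which
character classes it draws on, sum the exhaustive search space for every
length up to its own, and convert that to time at assumed guess rates.
"""
from __future__ import annotations

import string
from dataclasses import dataclass

# Character classes over printable ASCII: 26 + 26 + 10 + 33 = 95 symbols.
CLASSES: dict[str, frozenset[str]] = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation + " "),  # 32 marks + space = 33
}

# Guess rates in guesses/second. These are assumptions chosen for the example
# (throttled web login, one fast offline cracking box, a large cracking
# array), not figures taken from the page.
RATES: dict[str, int] = {
    "online (rate-limited)": 1_000,
    "offline (fast rig)": 100_000_000_000,
    "offline (large array)": 100_000_000_000_000,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


@dataclass(frozen=True)
class Haystack:
    classes: tuple[str, ...]  # character classes the password uses
    alphabet: int             # symbols an attacker must assume per position
    length: int
    search_space: int         # all strings of length 1..length over alphabet


def classes_used(password: str) -> tuple[str, ...]:
    """Return the names of the character classes present in the password."""
    unknown = [c for c in password
               if not any(c in cls for cls in CLASSES.values())]
    if unknown:
        raise ValueError(f"characters outside printable ASCII: {unknown!r}")
    return tuple(name for name, cls in CLASSES.items()
                 if any(c in cls for c in password))


def search_space(alphabet: int, length: int) -> int:
    """Sum alphabet**n for n = 1..length: every shorter string is tried too."""
    return sum(alphabet ** n for n in range(1, length + 1))


def analyze(password: str) -> Haystack:
    if not password:
        raise ValueError("empty password")
    used = classes_used(password)
    alphabet = sum(len(CLASSES[name]) for name in used)
    return Haystack(used, alphabet, len(password),
                    search_space(alphabet, len(password)))


def time_to_exhaust(space: int, guesses_per_second: int) -> float:
    """Seconds to try the whole space; on average the needle turns up at half."""
    return space / guesses_per_second


def human_duration(seconds: float) -> str:
    for unit, size in (("years", SECONDS_PER_YEAR), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def report(password: str) -> dict[str, str]:
    """Map each assumed attack scenario to the time needed to exhaust the space."""
    hay = analyze(password)
    return {name: human_duration(time_to_exhaust(hay.search_space, rate))
            for name, rate in RATES.items()}


if __name__ == "__main__":
    # Constructed samples: a short "complex" password versus a long plain one.
    for pw in ("P@ssw0rd", "correct horse battery staple"):
        hay = analyze(pw)
        print(f"{pw!r}: alphabet {hay.alphabet}, length {hay.length}, "
              f"search space {hay.search_space:,}")
        for scenario, duration in report(pw).items():
            print(f"  {scenario:<22} {duration}")
```

Note that `search_space` counts every length up to the password's, which is why adding one character multiplies the work by the alphabet size while adding a character class only enlarges the base.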

Information wants to be free?

Peer review in scientific publications

August 12, 2011 16:58 Source: UK House of Commons (Science and Technology Committee)

From the website:

The Science and Technology Committee today concludes that in order to allow others to repeat and build on experiments, researchers should aim for the gold standard of making their data fully disclosed and publicly available.

+ Direct link to the report (HTML)

For all my students (although I disagree with rule 6)

7 Netiquette Guidelines For Writing Emails & Forum Posts

Netiquette is short for network or internet etiquette. It encompasses the special set of social conventions found in online interactions. While netiquette rules are very similar to good behavior or etiquette in offline encounters, there are subtle differences that can easily make or break a good impression.

(Related) On the other hand, perhaps I can use this to ensure I am sufficiently rude?

Use Tone Check To Keep Your Emails Friendly & Free of Rudeness

Friday, August 12, 2011

Looks like some organizations are getting the message! Note that once the payment information had been processed it was “purged” (I assume that means, “taken offline”) – why do so many companies keep it connected to the Internet forever?

Energy Federation Incorporated detects malware, notifies customers

A breach notification by Energy Federation Incorporated to the New Hampshire Attorney General’s Office indicates that on July 12, they discovered two pieces of malware on their server that had been inserted on July 7 and July 10. The malware “was designed to allow a third party to remotely search and collect” information on the server, which included customers’ names, contact information, and credit card numbers and expiration dates. EFI notes that names were stored in a separate database from the credit card data and payment-related information was “purged on an hourly basis.”

Twenty New Hampshire residents were to be notified on July 30; the total number was not indicated.

Nothing startling...

August 10, 2011

Data-Enabled Government: How Well Is Our Personal Information Used and Protected?

HP Business White Paper

  • "This is a summary of a longer report written in co-operation with the Economist Intelligence Unit. It examines the key issues surrounding the use and protection of personal data and draws on in-depth interviews with experts working on the front lines of public sector data management in the UK, Germany, France and Sweden, as well as academics and other authorities... Governments are continually expanding the breadth and depth of data they hold about their citizens, from the provision of public health and welfare services, to law enforcement and public security. In the pursuit of greater efficiency and improved public services, many are digitising operations and sharing information. However, the issues surrounding how to both deliver better service and safeguard private citizen data are becoming increasingly complex."

[From the report:

Key findings include:

  • Many doubt the need for government to collect more detailed data on citizens

  • Sharing information across departments will be a leading concern

  • A lack of transparency about data usage will be a barrier to gaining citizen trust]


DRM for Privacy: Part 1

posted by Ryan Calo

Online privacy has been getting quite a bit of attention of late. But the problem seems as intractable as ever. In a pair of posts, I will explore one aspect of the online privacy debate and, drawing from a controversial corner of copyright law, suggest a modest fix. This first post discusses the problem of consumer tracking and the lack of any good solutions.

...and you wonder why governments can't manage to purchase/develop software applications that work.

Obama Administration Closing Recently Opened Datacenters

"After quadrupling the number of government datacenters over his first three years, Obama's Administration is reversing course and closing the most recently opened datacenters. With one datacenter reportedly the size of three football fields, my question is what happens to all those recently purchased servers? Will the government hold a server fire sale? Count me in!"

For my Ethical Hackers...

SpyEye source code leaked to the Web

One of the most infamous Malware kits in the world, SpyEye, is now available to anyone after a French security researcher published the source code for version 1.3.45 on Thursday. One of the things that has made the Malware kit so popular is that it incorporates features and code from its predecessor, Zeus.

According to reports, Xyliton, a French researcher with the Reverse Engineers Dream Crew, located a copy of the source and created a tutorial on how to crack SpyEye’s hardware identification (HWID) which has been secured using VMProtect (a licensing tool that locks an installation of software to a particular physical device).

“This leak is important as it illustrates the coding techniques of Gribo-Demon’s team (the authors of SpyEye) and also deals another blow to the underground criminal ecosystem,” commented Sean Bodmer, Senior Threat Intelligence Analyst at Damballa.

At the same time, this leak also puts the rest of us on notice, he added, as once the builder is in hand, the aspiring criminal can begin tearing apart SpyEye.


GPRS Can Be Hacked Easily, Claims German Researcher

"A German technology researcher on Wednesday showed global mobile makers and technology firms how General Packet Radio Service can easily be tapped, intercepted, and decrypted with an average mobile phone and a few applications. According to the New York Times, Karsten Nohl, a computer engineer and mobile security researcher, demonstrated to fellow researchers gathered to attend Chaos Communication Camp, a Berlin-based hackers event, how to intercept the voice or data messages sent between mobile devices over GPRS easily, owing to weak protection provided by mobile network carriers for data information. Nohl, in collaboration with his colleague Luca Melette, tapped the information within a radius of five kilometers using a seven-year-old inexpensive mobile phone from Motorola." Computerworld also has an informative, link-laden account. If you are attending this year's CCC (only every four years, sadly), feel free to drop a line (with the submissions form) about cool projects you encounter there.

Thursday, August 11, 2011

An interesting time for the bad guys (China? North Korea? My students?) to demonstrate that they can inject their own “news” into the system.

Hong Kong stock exchange halts trading after hack attack

Hackers broke into the Hong Kong stock exchange news Web site today, forcing the exchange to suspend trading of seven companies, according to The Wall Street Journal.

The affected companies, which included HSBC, Cathay Pacific Airways and the Hong Kong Exchanges & Clearing, which runs the bourse, had all released price-sensitive information earlier in the day.

"Our current assessment is that this is a result of a malicious attack by outside hacking," Charles Li, chief executive of Hong Kong Exchanges & Clearing, told reporters.


Eye Safety Systems notifies customers that credit card database may have been hacked and decryption key may have been acquired

Attorneys for Eye Safety Systems have notified the New Hampshire Attorney General’s Office that they believe that a compromise of their web site, hosted by an unnamed third party vendor, may have compromised customers’ credit card transaction data.

The firm reports that although the database “used a method of encryption,” the hackers may have acquired the decryption key. [Which means the key was available online or so trivial it was “obvious” Bob] As a result, customers’ names, addresses, phone numbers, e-mail addresses, and credit card data may have been acquired in the May 2011 incident.

ESS learned of the incident on May 27 and sent out e-mail notifications to customers on May 28. They also moved their database to a dedicated server and improved security measures, including the method of encryption.

Customers were notified by postal mail on July 29 and offered free credit monitoring services. There was no indication in the notification that there had been any reports of misuse of data, and the total number of customers affected was not reported.

It only took South Korea 35 million to wake up. We have had several over 100 million and still wonder if we should do something...

S. Korea plans to scrap online real-name system

It appears that a massive data breach affecting 35 million South Koreans who use popular portal and social networking sites Nate and Cyworld has served as a wake-up call for the government:

The South Korea government will push ahead with plans to scrap the current real-name system for Internet users in the wake of the country’s worst online security breach, local media reported Thursday.

The Ministry of Public Administration and Security is set to report to ruling party lawmakers about comprehensive measures to protect personal information online, including abolishing the real-name registration system, Yonhap news agency said.


Well, it's kind of a “business contact”

LinkedIn slammed for opt-out setting which could erode user privacy

LinkedIn users are being urged to contact the company to complain after it was revealed that a change in privacy policy now allows third-party advertisers to harvest users’ profile information and pictures in their ads by default.

Blogger Steve Woodruff appears to have been the first to notice the changes to LinkedIn’s Terms of Use, which force users to manually untick a box in the Manage Social Advertising section of their privacy controls.

Paul Ducklin, Sophos head of technology in Asia Pacific, suggested that LinkedIn is making the same mistake as Facebook with its much-maligned decision to make face recognition functionality opt-out.


Dean Wilson of The Inquirer (UK) also piles on:

It’s a clever approach to advertising, but an absolutely abysmal approach to privacy, as Linkedin has decided to automatically opt-in all of its users without informing them of the change.

Users can opt out if they want, but the option is buried in the Settings page, a ploy similar to that used by Facebook to hide its privacy settings. The big problem here is that if users don’t know that their name and photo are being used in this way, then how can they opt out of it?

Linkedin could face legal trouble for this decision. Digital Trends reports it is likely that Linkedin broke Dutch privacy law, which requires user consent for employing user images with advertisements. It could also be brought up before the European Commission and the UK Information Commissioner’s Office (ICO).

Read more on The Inquirer.

(Related) Of course Facebook didn't “steal” them, you gave them to Facebook!

Facebook: We Aren’t Stealing Your Phone Numbers And Posting Them So Everyone Can See

Facebook has responded to a privacy scare meme likely deriving from a recent HackerNews thread called “Facebook has your complete phonebook” both with an official post on Facebook’s Wall and a personal message from Facebook Messenger engineer Ben Gertzfield on HackerNews.

In its efforts to dominate all modes of human communication (yay Messenger!), Facebook has chosen to match up and de-dupe numbers both on your Facebook Friends List and your mobile Contacts to form one coherent Contacts list, that only you can see. For those of you that didn’t realize that Facebook now has the contact information of sundry aunts, bosses, dry cleaners, etc., this may come as a shock.

How did Facebook get those numbers in the first place? With your permission of course!

They are no longer actors in the “Security Theater”

Airline Pilots Allowed to Dodge Security Screening

Federal authorities are tacitly acknowledging that, despite their best efforts, it’s impossible to keep domestic aircraft safe from all evildoers. That’s because if a pilot wants to crash a plane, the pilot can crash a plane.

With that in mind, the Transportation Security Administration began a program Tuesday allowing pilots to skirt the security-screening process. The TSA has deployed approximately 500 body scanners to airports nationwide in a bid to prevent terrorists from boarding domestic flights, but pilots don’t have to go through the controversial nude body scanners or other forms of screening. They don’t have to be patted down or go through metal detectors. Their carry-on bags are not searched.

Pilots at O’Hare International Airport are now allowed to bypass the screening process altogether and instead show authorities their credentials in a program called Known Crewmember.

And later this year, the TSA intends to reduce screening for so-called “trusted travelers” or “elite-level” frequent fliers of American Airlines and Delta Airlines. Those passengers may not have to remove their shoes or take their computers out of their cases during the screening process.

There are no announced plans to reduce screening for rank-and-file fliers. [i.e. They're not “SCUM” like the rest of us... Bob]

More like Egypt and Libya every day...

UK To Shut Down Social Networks?

"In a move worthy of China's communist regime, UK PM David Cameron wants to shut down social networks whenever civil unrest rears its head in Britain's towns and cities. Speaking in the House of Commons, Cameron said, 'Everyone watching these horrific actions will be struck by how they were organised via social media. Free flow of information can be used for good. But it can also be used for ill. So we are working with the police, the intelligence services and industry to look at whether it would be right to stop people communicating via these websites and services when we know they are plotting violence, disorder and criminality.'"

So far I haven't heard anyone blame the Rock 'n Roll music, but if social networks aren't a good enough culprit, you could also try blaming video games.


“Absolute Explosion” — How BlackBerry BBM Fed The London Riots

(Related) “We ain't gonna have no “Arab Spring” or “London Summer” here!”

NYPD creates Twitter-sniffing, Facebook-frisking unit

Why pay snitches when you have some of the finest snitches of all in Facebook and Twitter? Not the companies themselves, you understand. Just the people on their sites.

That seems to be the spirit of a new unit created by the New York Police Department.

Conscious of the realities of virtual communication, the department has, so the New York Daily News tells me, decided bad deeds can be anticipated or corralled on Twitter and Facebook. So it has set up a social media unit to establish juvenile justice for all.

This is interesting and has potential for more than architectural amusement. Forensic tool?

Video: Free-Moving Kinect Used To Map Room And Objects In Detailed 3D

For my Computer Forensics students...

A Geek’s Guide to Digital Forensics – video now online

The nice folks over at Google Chicago have posted my “A Geek’s Guide to Digital Forensics” (video / presentation) on their GoogleTechTalk channel. It was posted about a week ago and has had 1,079 views…which is impressive only because the thing weighs in at nearly 56 minutes. If you suffer through the whole thing, maybe leave a comment or click that little like button.

Yeah there's an app for that, but what else is it doing?

August 10, 2011

Mobile App Security Study: appWatchdog Findings

"Data (in)security is rapidly gaining consumer attention in major media. In 2011 major breaches at Sony, Epsilon and others have highlighted the risk consumers face from their data being compromised. Major corporations are now recognizing the urgency to implement strong and innovative security measures to ensure the security of their customers’ data. At the same time, both Apple and Google have seen stunning growth in the past few years and now dominate the smartphone market. Companies and app developers have leveraged these platforms to provide new mobile services, often bringing them to market very quickly. But what steps have the smartphone OS providers and app developers taken to secure the data on their customers’ smartphones? At viaForensics we believe in proactive forensics – applying the power of forensic methods proactively to improve digital security. With appWatchdog we utilize forensic techniques to investigate consumer mobile apps and understand what user data is stored and could be at risk. This white paper summarizes our findings for the first 100 tests, from November 2010 through June 2011."

For all my students

DOWNLOAD Operation Cleanup: Complete Malware Removal Guide

Think your Windows computer might be infected? Clean it up yourself with a variety of free tools, using “Operation Cleanup: Complete Malware Removal Guide”, the latest free PDF manual. Written by Brian Meyer of YourRealSecurity, this guide outlines not only how to remove a virus from your computer but also how to clean up the mess it leaves behind.

DOWNLOAD Operation Cleanup: Complete Malware Removal Guide

(the download password: makeuseof)

Nmap – Wi-Fi Security Auditing Software to Check Your Home Network [Windows]

One of the simplest Wi-Fi security software apps you can use to keep an eye on your Wi-Fi security and network is Nmap. Nmap is actually short for “Zenmap”, which is the title of the app that you’ll see once you install it. This program is a fast and efficient way to scan your entire network. It can be used to conduct a security analysis on one device that you know is on your network, or it can scan an entire range of IP addresses to search for security vulnerabilities on any device.

Wednesday, August 10, 2011

We've been saying for some time that Anonymous goes for the low hanging fruit. Facebook likely qualifies, so this threat is credible...

Anonymous hacker group plans to kill Facebook on November 5, Guy Fawkes Day, for the sake of privacy

Jennifer Bergen reports:

Anonymous, the collective group known for its politically-charged hackers, has announced its next victim: Facebook. In a YouTube video from account “FacebookOp,” Anonymous speaks to the “citizens of the world” in a slightly-terrifying robotic voice, explaining its plans to destroy Facebook.

The video encourages viewers to “join the cause” and “kill Facebook for the sake of your own privacy.” The video claims that Facebook has been selling our information to clandestine agencies and giving it to security firms so they can spy on us. According to Anonymous, even if we’ve protected our information with the various Facebook privacy settings, nothing is private.

The YouTube video was uploaded July 16, but is only now getting noticed/reported, it seems.

The show is canceled? Probably not. Too many (political appointee) jobs at stake.

Bruce Schneier’s Telepathic Takeover of the TSA

Bruce Schneier is a telepath of unimaginable power. That’s the only possible explanation for the stunning reversal at the top of the Transportation Security Administration.

For years, Schneier, the well-known security gadfly, has blasted the TSA for its brain dead approach to passenger screening: the “security theater” of naked scanners and slipped-off shoes; the focus on terrorist weapons instead of the terrorists themselves; the one-size-fits-all security protocols, instead of measures driven by the latest intelligence. For years, the TSA ignored his critiques.

But late last month, at the Aspen Security Forum, TSA chief John Pistole opened his mouth — and Schneier’s words came tumbling out. Pistole said it was high time to “recognize that the vast majority of people traveling every day are not terrorists.” To “try to apply some more common sense to the process,” even.

The changes won’t come quickly, as I note in my op-ed in today’s Wall Street Journal. At four select airports beginning this fall, “trusted travelers” — elite-level members of American and Delta Airlines’ frequent flier programs — will be able this fall to skip some of the sillier security protocols. The airlines know who they are, the thinking goes, and they travel constantly. So the chances that one of them is carrying a bomb are vanishingly small. Some travelers may keep their shoes on; others may not have to remove their laptops from their cases. If it goes well, the pilot project will expand beyond Atlanta, Detroit, Miami and Dallas-Fort Worth, and include more airlines.

(On the other hand...)

DHS Creating Database of Secret Watchlists

"Homeland Security plans to operate a massive new database of names, photos, birthdays and biometrics called Watchlist Service, duplicated from the FBI's Terrorist Screening Database, which has proven not to be accurate many times in the past. DHS wants to exempt the Watchlist Service from Privacy Act provisions, meaning you will never know if you are wrongfully listed. Privacy groups worried about inaccurate info and mission creep have filed a protest, arguing the Privacy Act says DHS must notify subjects of government surveillance. DHS has admitted that it 'does not control the accuracy of the information in system of records' and that 'individuals do not have an opportunity to decline to provide information.' Additionally, the DHS Watchlist Service attempts to circumvent privacy protections established by the Privacy Act. Who's watching the watchers?"

Another “politicians should not be the ones to specify technology” story...

Security flaw found in feds' digital radios

Expensive high-tech digital radios used by the FBI, Secret Service, and Homeland Security are designed so poorly that they can be jammed by a $30 children's toy, CNET has learned.

A GirlTech IMME, Mattel's pink instant-messaging device with a miniature keyboard that's marketed to pre-teen girls, can be used to disrupt sensitive radio communications used by every major federal law enforcement agency, a team of security researchers from the University of Pennsylvania is planning to announce tomorrow.

Why are inmates granted access to computers/smart phones in the first place (and why isn't that stopped?)

Facebook to delete prison inmates' active accounts

Facebook is working with prison officials to delete accounts that belong to inmates and are found to be updated while they are incarcerated.

The California Department of Corrections and Rehabilitation said the cooperative effort is designed to crack down on inmates using social networking or cell phones to deliver threats or unwanted sexual advances.

"Access to social media allows inmates to circumvent our monitoring process and continue to engage in criminal activity," CDCR Secretary Matthew Cate said in a statement. "This new cooperation between law enforcement and Facebook will help protect the community and potentially avoid future victims."

Inmates are allowed to have accounts if they were created before being imprisoned, but Facebook user policies prohibit account passwords from being shared.

"If a state has decided that prisoners have forfeited their right to use the Internet, the most effective way to prevent access is to ensure prisons have the resources to keep smart phones and other devices out," Facebook spokesman Andrew Noyes said in a statement.

From the “We are not amused” school of debate? He really said that?

Al Gore: Climate Skeptics Are Peddling 'Bulls—t'

The climate change movement is bigger than any one man or woman, but like it or not, no one is more associated with global warming than Al Gore. He's spoken with a prophetic voice for decades about the importance of action, but the country has yet to heed his advice. Climate skeptics and deniers often take shots at Gore, but it was he who shot back this past week at an event hosted by the Aspen Institute's Forum on Communications and Society.

Real Aspen reported Gore's comments, in which he compared the climate denier machine to that employed to trick the American public about the safety of cigarettes: