Sunday, June 03, 2012
Learn this lesson: If you are going to assert an understanding of a security breach, provide enough evidence to convince us you know what you are talking about or be prepared to look like a fool or a liar.
CloudFlare breach cause for concern
June 2, 2012 by admin
Given the number of hacks revealed on a daily basis, I long ago gave up on trying to mention them all on this blog, but this one merits its own entry.
Eduard Kovacs reports that although CloudFlare has acknowledged it was compromised, the co-founder and CEO may not be correct in his understanding of the breach:
“This morning a hacker was able to access a customer’s account on CloudFlare and change that customer’s DNS records. The attack was the result of a compromise of Google’s account security procedures that allowed the hacker to eventually access my CloudFlare.com email addresses, which run on Google Apps,” Prince explained.
He believes that the attackers somehow “convinced” Google’s account recovery process to add an arbitrary recovery email address to his personal Gmail account.
“The password used on my personal Gmail account was 20+ characters long, highly random, and not used by me on any other services so it’s unlikely it was dictionary attacked or guessed,” he added.
The most interesting fact, according to Prince, is that his account had been protected with a two-factor authentication system.
After analyzing the incident, Google’s security team has determined that “a subtle flaw in the recovery flow” of certain accounts allowed the hackers to compromise the account.
But the hackers involved claim that that’s not what happened:
“Nah. There’s no way you can social engineer a Google App. I don’t know what he was talking about. We did get in his emails though: email@example.com and firstname.lastname@example.org,” Cosmo told Softpedia.
“We got into their main server. We could see all customer account information, name, IP address, payment method, paid with, user ID, etc. and had access to reset any account on CloudFlare,” he said.
Furthermore, the hackers plan on selling all the information they obtained on Darkode.
This type of hack – where the hackers intend to sell the data they acquired – takes things to a whole other level. If you’ve used CloudFlare, you should probably be taking steps immediately to protect your accounts. And if the hackers are truthful – that this had nothing to do with Google’s two-factor authentication – then it may mean that CloudFlare is still insecure or vulnerable to a repeat compromise, which could affect the company’s ability to earn existing and potentially new customers’ trust.
Hopefully, CloudFlare will respond to the hackers’ assertions with an update to their blog.
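The account-recovery angle above is worth a closer look: a 20+ character password and two-factor authentication guarded the login, yet the attacker reportedly got a recovery email address attached to the account. The following is an added illustration, not code from Google, CloudFlare or the quoted articles, and the page does not describe what the “subtle flaw in the recovery flow” actually was. The model is hypothetical: it treats the recovery-address list as a password-equivalent and compares a flow that lets any authenticated session add a recovery address with one that demands a fresh second factor first. All names (`Account`, `Caller`, `add_recovery_email`, the example addresses) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    """Hypothetical account record (constructed for this example)."""
    email: str
    two_factor_enabled: bool = True
    recovery_emails: list[str] = field(default_factory=list)
    notifications: list[str] = field(default_factory=list)  # what the owner would see


@dataclass
class Caller:
    """What the requester has proven to the service so far."""
    session_email: Optional[str] = None  # account whose session this is, if any
    fresh_second_factor: bool = False    # completed a 2FA step-up just now


def add_recovery_email(account: Account, caller: Caller, new_email: str,
                       require_step_up: bool) -> tuple[bool, str]:
    """Attempt to attach a recovery address. Returns (allowed, reason).

    require_step_up=False models the weak flow: any session for the account
    may change recovery options, so the second factor guards the login but
    not this side door.
    require_step_up=True models the hardened flow: a 2FA-protected account
    demands a fresh second factor before its recovery options change.
    """
    if caller.session_email != account.email:
        return False, "no authenticated session for this account"
    if require_step_up and account.two_factor_enabled and not caller.fresh_second_factor:
        return False, "second factor required to change recovery options"
    if new_email in account.recovery_emails:
        return True, "already present"
    # Notify every existing contact point first: this is the owner's chance to
    # notice a change they did not make, so it must go out before the new
    # address can be used.
    for addr in [account.email, *account.recovery_emails]:
        account.notifications.append(f"to {addr}: recovery email {new_email} added")
    account.recovery_emails.append(new_email)
    return True, "added"


def recovery_reset_allowed(account: Account, claimant_email: str) -> bool:
    """A recovery address is password-equivalent: whoever controls one can reset."""
    return claimant_email in account.recovery_emails


def walkthrough(require_step_up: bool) -> bool:
    """Replay the scenario under one policy and report whether an address added
    from a session that never presented a second factor ends up able to reset
    the password. (The attacker-controlled address is a constructed value.)"""
    owner = Account(email="owner@example.com")
    # Assumption for the model: the caller holds a session for the account but
    # has not completed a second-factor step-up in this flow.
    session_only = Caller(session_email="owner@example.com", fresh_second_factor=False)
    add_recovery_email(owner, session_only, "attacker@example.net", require_step_up)
    return recovery_reset_allowed(owner, "attacker@example.net")


if __name__ == "__main__":
    print("weak flow, reset possible:     ", walkthrough(require_step_up=False))
    print("hardened flow, reset possible: ", walkthrough(require_step_up=True))
```

The design point is that `recovery_reset_allowed` never consults the password or the second factor at all; it only checks the recovery list. Any path that can write to that list without the same proof a login requires is therefore an authentication bypass, and the notification written to the existing addresses is the owner's only detection signal once such a write succeeds.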
Ubiquitous surveillance Several articles for the Constitutional Law experts.
Instructions and More Background
The opinion in U.S. v. Jones is one of the biggest privacy cases in recent Supreme Court history, holding that the government’s placing a GPS device on a car and using it to track the car’s location for 28 days was a search. We are inviting your participation in an effort by legal experts to help define Fourth Amendment doctrine in the wake of Jones.
(Related) Apparently they can tell it's a real gun and not just a loud TV.
Shots Fired and Pinpointed: Is There a Privacy Concern?
June 3, 2012 by Dissent
Impressive technology raises privacy concerns. Erica Goode reports:
MOUNTAIN VIEW, Calif. —
At 7:22:07 p.m. on a recent Thursday evening, an electronic alarm went off in the soundproofed control room of a suburban office building here.
A technician quickly focused on the computer screen, where the words “multiple gunshots” appeared in large type. She listened to a recording of the shots — the tat-tat-tat-tat-tat of five rounds from a small caliber weapon — and zoomed in on a satellite map to see where the gun had been fired: North 23rd Street in Milwaukee, 2,200 miles away.
At 7:23:48, the technician, satisfied that the sounds were gunshots, sent an alert to the Milwaukee Police Department. Less than two minutes later — or 9:25:02 p.m. Wisconsin time — a tactical team arrived at the address to find five .22-caliber shell casings and a bleeding 15-year-old boy who had been shot in the arm.
While much of the news story notes the benefits and cost issues, it also raises a privacy concern:
In at least one city, New Bedford, Mass., where sensors recorded a loud street argument that accompanied a fatal shooting last December, the system has raised questions about privacy and the reach of police surveillance, even in the service of reducing gun violence.
I had linked to that New Bedford case back in January because the technology does raise privacy and surveillance issues. The notion that we have absolutely no expectation of privacy in public spaces is – thankfully – undergoing some re-examination after the Supreme Court’s decision in the GPS tracking case, United States v. Jones. I think that taken to its logical extreme, the no expectation standard would imply that law enforcement could put boom mics on every other building and capture all of our private conversations on the street.
The surveillance state that would result would rightfully be rejected by most Americans, but unless the courts catch up with technology, what really prevents such surveillance? State wiretap laws often prohibit recording unless both parties consent to recording, but if the Department of Justice is sticking to its position that it can record us in public with no warrant or court oversight, then we should expect to see more cases wind their way up to the Supreme Court until the court goes beyond its narrow ruling in Jones to establish a standard for cases involving government surveillance where they are not attaching devices at all. Boom mics or sensors do not implicate property trespass (the basis on which Justice Scalia held that a “search” had occurred in Jones). While not all justices agreed with basing the decision on property trespass, the narrow ruling leaves many important questions unanswered. And given that the drones are coming, the drones are coming! such issues are timely.
On some level, the New Bedford case strikes me as more akin to Florida v. Jardines, which the Supreme Court has yet to rule on. In Jardines, the court considers the question of whether a drug-sniffing dog on the suspect’s porch constitutes a “search.” But even that case won’t get us to the broader situations of technology deployed in large public spaces where there is no reasonable suspicion or probable cause to collect information on a citizen and a sensor happens to capture something incriminating. Or what would happen if an overhead drone deployed by law enforcement just passing by happens to capture evidence of a crime. Would the courts allow the prosecution to use such data or would the evidence have to be suppressed on Fourth Amendment grounds? Criminal and constitutional lawyers may know the answer to that one, but I don’t.
So… is it “Citizen Beware” where if we speak in public, courts will hold we had no reasonable expectation in our conversations because we should have known that sensors could record us, or will some respect for privacy prevail? I hope the latter, but I don’t think it will be easy for the Supreme Court to undo years of rulings based on Katz and to acknowledge that while it seemed appropriate at the time, “reasonable expectation of privacy” – and “third party doctrine” may need significant upgrades for a digital world.
(Related) Why does this need to be secret? It's more like “double secret probation” than I like. This is near the border with Canada, but don't they already know who has crossed into the US?
"License-plate reading cameras are popping up on utility poles all over St. Lawrence County in upstate New York, but no one is willing to say who they belong to. One camera was found by a utility crew, removed from the pole, and given to the local police. 'Massena Police Chief Timmy Currier said he returned it to the owner, but wouldn't say how he knew who the owner was, nor would he say who he gave it to.... (Andrew) McMahon, the superintendent at Massena Electric Department, said one of his crews found a box on one of their poles and took it down because "it was in the electric space," the top tier of wires on the pole above the telephone and cable TV wires, and whoever put it there had taken a chance with electrocution. He said they had never received a request or been informed about its placement.'"
[From the article:
Law enforcement officials at local, state and federal agencies agree the boxes contain license plate readers that take snapshots, and are not video cameras that send live feeds. But none of them are willing to identify what agency the cameras belong to and who is operating them.
The cameras appear to be identical to license plate readers advertised on web sites as containing a visible light camera, infrared camera and an infrared light source. The cameras can read plates on passing vehicles, record the plate number, date, time and location, send it to a database for storage, and alert law enforcement if it detects a vehicle or driver being sought.
… National Grid’s Virginia Limmiatis, a senior media relations representative in Syracuse, said their policy “authorizes the user to plug into our system. Under the agreement they are required to install and maintain their own equipment.” The user will get a bill for a usage fee. But she couldn’t say whose cameras these are.
… After discussing it at a periodic meeting of police chiefs from around the county this morning, Wells said, “none of the local chiefs were ever contacted about the existence of these cameras.”
(Related) I don't see a problem, given the few facts in the article. (You'd think a “first” would merit better reporting.)
First Arrest by Pilotless Drone Raises Fourth Amendment Questions
June 2, 2012 by Dissent
From the law firm of James E. Crawford, Jr. & Associates, as seen on FindLaw:
Today’s citizens, including those in Maryland, have adopted as an integral part of their lives the new technology: the Web, mobile phones, tablets, etc. Much of this technology includes applications like GPS positioning. To a certain extent, we allow social networking platforms like Facebook and the GPS in our mobile phones to change the landscape of what we once thought of as “private.”
But are we ready for drones over our heads?
The first American citizen to be arrested with the help of a pilotless drone in the U.S. is claiming his legal rights were violated when a drone flew overhead during a stand-off with police.
The Lakota, North Dakota, resident held police off for nearly 16 hours as he threatened to kill anyone who came on his property. (The stand-off took place over the ownership of six cows that had made their way onto the man’s property.)
The Department of Homeland Security eventually got involved. It used a drone to accurately pinpoint the man’s location on his farm. Then the arrest was made.
The novel facts of the case seem settled, but the outcome is not.
Read more on FindLaw.
Perhaps I'll put one of those free, totally online classes together: “Waging CyberWar for Fun and Profit.” Warning: the class project will be... interesting!
Flame: A glimpse into the future of war
… This week brought news of not the first, nor the second, but the third known piece of advanced malware that appears to be government or nation-state sponsored. We have Stuxnet, its simpler cousin Duqu, and now we have "Flame." These three pieces of malware are hard evidence of cyberspying and, in the case of Stuxnet, sabotage of Iran's nuclear program with malware to preempt a military strike, according to a New York Times article based on reporter David Sanger's new book.
The article, which relies on information from unnamed U.S. government sources, confirms long-held speculation that Stuxnet (and likely Duqu) was developed by the U.S., probably in collaboration with Israel. (Israel has denied involvement in both Stuxnet and Flame, while the U.S. has not outright distanced itself from either. Meanwhile, the U.S. Cyber Emergency Response Team says there's no evidence that Flame is related to Stuxnet or Duqu or that it targets industrial control systems. (PDF) And the Department of Homeland Security declined to answer questions about Flame beyond providing this statement: "DHS was notified of the malware and has been working with our federal partners to determine and analyze its potential impact on the U.S.")
… "For most intelligence agencies and governments what is interesting is the specifics of the techniques that are being used. I'm sure there are agencies that are learning a lot from them," Baker warned. "This is bad for sophisticated countries that have secrets to protect, like the U.S. and Western Europe, and for the Chinese and Russians too. And it's probably good for countries like North Korea and Iran that are going to go to school with this tool."
"Stuxnet, Conficker, and Duqu and now with Flame added to that, it suggests we're in a new era here," agreed Scott Borg, director of the nonprofit research institute U.S. Cyber Consequences Unit. "I'm not at all surprised by Flame."
… "Cyber can be a much better alternative," Borg said, noting that the Russian cybercampaign against Georgia in 2008 targeted communication and media sites with Distributed Denial of Service attacks and spared them from air strikes. "That's an example where a cyberstrike was less destructive and a more humane way to carry out a mission," he said.
… One big problem with Flame is that the malware authors didn't use code obfuscation, which means it can easily be dissected and re-used by any organization with some advanced programming skills and experience, which would include a large number of nation-states and terrorist groups, according to Borg.
… "Do the same rules (of war) apply in cyberspace?" Columbia University computer science professor Steven Bellovin wonders in a blog post. "One crucial difference is the difficulty of attribution: It's very hard to tell who launched a particular effort. That in turn means that deterrence doesn't work very well."
When you absolutely, positively want to delete everything... “I vant total control of das machine.”
If you are a Windows user, then you have probably encountered situations in the past where you are unable to delete a file from your computer. There are many reasons why you may not be able to delete a file; it might be used by another process, it might have too long a path, the name may be invalid, etc. To solve this problem, give FilExile a try.
Useful for the “Fully connected?”
Your pictures are probably scattered across various online services that you use. These services can include Facebook, Flickr, Picasa, and many others, along with the images that are stored offline on your computer. If you had to make a picture slideshow of all these images, you would have to jump from one online account to another and spend considerable time trying to gather your photos before you passed them through an offline app to make your slideshow. Fortunately there is a far more convenient option available in the form of a service called Slidely.
… Slideshows you view on the site can also be embedded on your own blog / site. Click on the Embed button and then select the player size to get the appropriate code.