Learn this lesson: If you are going to
assert an understanding of a security breach, provide enough evidence
to convince us you know what you are talking about or be prepared to
look like a fool or a liar.
CloudFlare breach cause for concern
June 2, 2012 by admin
Given the number of hacks revealed on a
daily basis, I long ago gave up on trying to mention them all on this
blog, but this one merits its own entry.
Eduard Kovacs reports
that although CloudFlare has acknowledged it was compromised, the
co-founder and CEO may not be correct in his understanding of the
breach:
“This morning a
hacker was able to access a customer’s account on CloudFlare and
change that customer’s DNS records. The attack was the result of a
compromise of Google’s account security procedures that allowed the
hacker to eventually access my CloudFlare.com email addresses,
which run on Google Apps,” Prince explained.
He believes that
the attackers somehow “convinced” Google’s account recovery
process to add an arbitrary recovery email address to his personal
Gmail account.
“The password
used on my personal Gmail account was 20+ characters long, highly
random, and not used by me on any other services so it’s unlikely
it was dictionary attacked or guessed,” he added.
The most
interesting fact, according to Prince, is that his account had been
protected with a two-factor authentication system.
After analyzing
the incident, Google’s security team has determined that “a
subtle flaw in the recovery flow” of certain accounts allowed the
hackers to compromise the account.
But the hackers involved claim that
that’s not what happened:
“Nah. There’s
no way you can social engineer a Google App. I don’t know what he
was talking about. We did get in his emails though:
matthew@cloudflare.com and mprince@gmail.com,”
Cosmo told Softpedia.
“We got into
their main server. We could see all customer account information,
name, IP address, payment method, paid with, user ID, etc. and had
access to reset any account on CloudFlare,” he said.
Furthermore, the
hackers plan on selling all the information they obtained on Darkode.
This type of hack – where the hackers
intend to sell the data they acquired – takes things to a whole
other level. If you’ve used CloudFlare, you should probably be
taking steps immediately to protect your accounts. And if the
hackers are truthful – that this had nothing to do with Google’s
two-factor authentication – then it may mean that
CloudFlare is still insecure or vulnerable to a repeat compromise,
which could affect the company’s ability to earn existing and
potentially new customers’ trust.
Hopefully, CloudFlare will respond to
the hackers’ assertions with an update to their blog.
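The design point underneath this story is that an account-recovery flow is part of the authentication boundary: if a weakly verified party can attach a recovery address, and recovery then resets the second factor together with the password, a 20-character random password and two-factor authentication protect nothing. The following toy model is an added example for this post, not CloudFlare's or Google's code, and the actual flaw Google found is not public. The `Account` class, the second-factor check (a shared code standing in for a real TOTP or U2F proof), the two recovery designs, the audit log and the constructed scenario with `victim@example.invalid` and `attacker@example.invalid` are all assumptions made to contrast the weak flow with a hardened one.

```python
"""Toy model of an account-recovery flow and the second-factor bypass it can open.

Added example: not CloudFlare's or Google's code. All names, the
second-factor check and both recovery designs are assumptions.
"""
import hashlib
import secrets


class Account:
    def __init__(self, email, password, second_factor_code):
        self.email = email
        self.password_hash = self.hash_password(password)
        self.second_factor_code = second_factor_code  # None: nothing enrolled
        self.recovery_emails = set()
        self.log = []  # audit trail; these tuples are what a detector would read

    @staticmethod
    def hash_password(password):
        # Assumption: a plain digest stands in for a real password hash (argon2/bcrypt).
        return hashlib.sha256(password.encode()).hexdigest()

    def second_factor_ok(self, code):
        if self.second_factor_code is None:
            return True  # nothing enrolled, nothing to check
        return code is not None and secrets.compare_digest(code, self.second_factor_code)

    def login(self, password, second_factor=None):
        ok = (secrets.compare_digest(self.password_hash, self.hash_password(password))
              and self.second_factor_ok(second_factor))
        self.log.append(("login", self.email, ok))
        return ok


# --- Vulnerable design: recovery never consults the enrolled second factor ---

def add_recovery_email_weak(acct, new_email, passed_knowledge_check):
    """Only a knowledge check (details an attacker can often learn) gates the change."""
    if not passed_knowledge_check:
        return False
    acct.recovery_emails.add(new_email)
    acct.log.append(("recovery_email_added", new_email, "no_second_factor"))
    return True


def recover_weak(acct, recovery_email, new_password):
    """'Lost phone' and 'forgot password' are treated as one case: the password is
    replaced and the second factor switched off in a single step."""
    if recovery_email not in acct.recovery_emails:
        return False
    acct.password_hash = Account.hash_password(new_password)
    acct.second_factor_code = None
    acct.log.append(("recovery_reset", recovery_email, "second_factor_disabled"))
    return True


# --- Hardened design: recovery changes require step-up, and never drop 2FA ---

def add_recovery_email_hardened(acct, new_email, second_factor=None):
    """Anything that can later recover the account is a privileged change."""
    if not acct.second_factor_ok(second_factor):
        acct.log.append(("recovery_email_denied", new_email, "step_up_failed"))
        return False
    acct.recovery_emails.add(new_email)
    acct.log.append(("recovery_email_added", new_email, "step_up_verified"))
    return True


def recover_hardened(acct, recovery_email, new_password, second_factor=None):
    """A recovery address may replace a forgotten password, never the second factor.
    A lost second factor needs its own stronger path (backup codes, identity
    verification), deliberately left out of this model."""
    if recovery_email not in acct.recovery_emails:
        return False
    if not acct.second_factor_ok(second_factor):
        acct.log.append(("recovery_denied", recovery_email, "step_up_failed"))
        return False
    acct.password_hash = Account.hash_password(new_password)
    acct.log.append(("recovery_reset", recovery_email, "second_factor_kept"))
    return True


def unverified_recovery_changes(acct):
    """Detection angle: recovery-related changes made without a second-factor proof."""
    return [e for e in acct.log if e[0].startswith("recovery")
            and e[-1] in ("no_second_factor", "second_factor_disabled")]


def simulate(hardened):
    """Constructed scenario: long random password plus an enrolled second factor;
    the attacker passes only the knowledge check and controls the recovery mailbox.
    Returns (attacker_can_log_in, unverified_recovery_changes)."""
    acct = Account("victim@example.invalid", secrets.token_urlsafe(24), "123456")
    attacker_mail, attacker_pw = "attacker@example.invalid", "attacker-chosen"
    if hardened:
        add_recovery_email_hardened(acct, attacker_mail)  # no second factor offered
        recover_hardened(acct, attacker_mail, attacker_pw)
    else:
        add_recovery_email_weak(acct, attacker_mail, passed_knowledge_check=True)
        recover_weak(acct, attacker_mail, attacker_pw)
    return acct.login(attacker_pw), unverified_recovery_changes(acct)


if __name__ == "__main__":
    print("weak design, attacker logged in:", simulate(hardened=False)[0])
    print("hardened design, attacker logged in:", simulate(hardened=True)[0])
```

In the weak design the attacker logs in without ever presenting the second factor, and the audit log shows exactly the two events a monitoring rule should alert on: a recovery address attached without step-up, followed shortly by a recovery reset that disabled the second factor. The hardened design refuses both steps and leaves no unverified recovery change in the log; the password strength the quoted statement emphasises is irrelevant in either case.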
Ubiquitous surveillance
Several articles for the Constitutional Law experts.
Instructions and More Background
The opinion in U.S. v. Jones
is one of the biggest privacy cases in recent Supreme Court history,
holding that the government’s placing a GPS device on a car and
using it to track the car’s location for 28 days was a search. We
are inviting your participation in an effort by legal experts to help
define Fourth Amendment doctrine in the wake of Jones.
(Related) Apparently they can tell
it's a real gun and not just a loud TV.
Shots Fired and Pinpointed: Is There a Privacy Concern?
June 3, 2012 by Dissent
Impressive technology raises privacy
concerns. Erica Goode reports:
MOUNTAIN VIEW, Calif. —
At 7:22:07 p.m. on
a recent Thursday evening, an electronic alarm went off in the
soundproofed control room of a suburban office building here.
A technician
quickly focused on the computer screen, where the words “multiple
gunshots” appeared in large type. She listened to a recording of
the shots — the tat-tat-tat-tat-tat of five rounds from a small
caliber weapon — and zoomed in on a satellite map to see where the
gun had been fired: North 23rd Street in Milwaukee, 2,200 miles
away.
At 7:23:48, the
technician, satisfied that the sounds were gunshots, sent an alert to
the Milwaukee Police Department. Less than two minutes later — or
9:25:02 p.m. Wisconsin time — a tactical team arrived at the
address to find five .22-caliber shell casings and a bleeding
15-year-old boy who had been shot in the arm.
While much of the news story notes the
benefits and cost issues, it also raises a privacy concern:
In at least one
city, New Bedford, Mass., where sensors recorded a loud street
argument that accompanied a fatal shooting last December, the system
has raised questions about privacy and the reach of police
surveillance, even in the service of reducing gun violence.
I had linked to that New
Bedford case back in January because the technology does
raise privacy and surveillance issues. The notion that we have
absolutely no expectation of privacy in public spaces is –
thankfully – undergoing some re-examination after the Supreme
Court’s decision in the GPS tracking case, United States v.
Jones. I think that taken to its logical extreme, the no
expectation standard would imply that law enforcement could put boom
mics on every other building and capture all of our private
conversations on the street.
The surveillance state that would
result would rightfully be rejected by most Americans, but unless the
courts catch up with technology, what really prevents such
surveillance? State wiretap laws often prohibit recording unless
both parties consent to recording, but if the Department of Justice
is sticking to its position that it can record us in public with no
warrant or court oversight, then we should expect to see more cases
wind their way up to the Supreme Court until the court goes beyond
its narrow ruling in Jones to establish a standard for cases
involving government surveillance where they are not attaching
devices at all. Boom mics or sensors do not
implicate property trespass (the basis on which Justice
Scalia held that a “search” had occurred in Jones).
While not all justices agreed with basing the decision on property
trespass, the narrow ruling leaves many important questions
unanswered. And given that “the drones are coming, the drones are
coming!”, such issues are timely.
On some level, the New Bedford case
strikes me as more akin to Florida v. Jardines, which the
Supreme Court has yet to rule on. In Jardines, the court
considers the question of whether a drug-sniffing dog on the
suspect’s porch constitutes a “search.” But
even that case won’t get us to the broader situations of technology
deployed in large public spaces where there is no reasonable
suspicion or probable cause to collect information on a citizen and a
sensor happens to capture something incriminating. Or
what would happen if an overhead drone deployed by law enforcement
just passing by happens to capture evidence of a crime. Would the
courts allow the prosecution to use such data or would the evidence
have to be suppressed on Fourth Amendment grounds? Criminal and
constitutional lawyers may know the answer to that one, but I don’t.
So… is it “Citizen Beware” where
if we speak in public, courts will hold we had no reasonable
expectation in our conversations because we should have known that
sensors could record us, or will some respect for privacy prevail? I
hope the latter, but I don’t think it will be easy for the Supreme
Court to undo years of rulings based on Katz and to
acknowledge that while it seemed appropriate at the time, “reasonable
expectation of privacy” – and “third party doctrine” may need
significant upgrades for a digital world.
(Related) Why does this need to be
secret? It's more like “double secret probation” than I like.
This is near the border with Canada, but don't they already know who
has crossed into the US?
"License-plate reading cameras
are popping up on utility poles all over St. Lawrence County in
upstate New York, but no
one is willing to say who they belong to. One camera was found
by a utility crew, removed from the pole, and given to the local
police. 'Massena Police Chief Timmy Currier said he returned it to
the owner, but wouldn't say how he knew who the owner was, nor would
he say who he gave it to.... (Andrew) McMahon, the superintendent at
Massena Electric Department, said one of his crews found a box on one
of their poles and took it down because "it was in the electric
space," the top tier of wires on the pole above the telephone
and cable TV wires, and whoever put it there had taken a chance with
electrocution. He said they had never received a request or been
informed about its placement.'"
[From the article:
Law enforcement officials at local,
state and federal agencies agree the boxes contain license plate
readers that take snapshots, and are not video cameras that send live
feeds. But none of them are willing to identify what agency the
cameras belong to and who is operating them.
The cameras appear to be identical to
license plate readers advertised on web sites as containing a visible
light camera, infrared camera and an infrared light source. The
cameras can read plates on passing vehicles, record the plate number,
date, time and location, send it to a database for storage, and alert
law enforcement if it detects a vehicle or driver being sought.
… National Grid’s Virginia
Limmiatis, a senior media relations representative in Syracuse, said
their policy “authorizes the user to plug into our system. Under
the agreement they are required to install and maintain their own
equipment.” The user will get a bill for a usage fee. But she
couldn’t say whose cameras these are.
… After discussing it at a periodic
meeting of police chiefs from around the county this morning, Wells
said, “none of the local chiefs were ever contacted about the
existence of these cameras.”
(Related) I don't see a problem, given
the few facts in the article. (You'd think a “first” would merit
better reporting.)
First Arrest by Pilotless Drone Raises Fourth Amendment Questions
June 2, 2012 by Dissent
From the law firm of James E. Crawford,
Jr. & Associates, as seen on FindLaw:
Today’s
citizens, including those in Maryland, have adopted as an integral
part of their lives the new technology: the Web, mobile phones,
tablets, etc. Much of this technology includes applications like GPS
positioning. To a certain extent, we allow social networking
platforms like Facebook and the GPS in our mobile phones to change
the landscape of what we once thought of as “private.”
But are we ready
for drones over our heads?
The Stand-off
The first American
citizen to be arrested with the help of a pilotless drone in the U.S.
is claiming his legal rights were violated when a drone flew overhead
during a stand-off with police.
The Lakota, North
Dakota, resident held police off for nearly 16 hours as he threatened
to kill anyone who came on his property. (The stand-off took place
over the ownership of six cows that had made their way onto the man’s
property.)
The Department of
Homeland Security eventually got involved. It used a drone to
accurately pinpoint the man’s location on his farm. Then the
arrest was made.
The novel facts of
the case seem settled, but the outcome is not.
Read more on FindLaw.
Perhaps I'll put one of those free, totally online classes together:
Waging CyberWar for Fun and Profit. Warning: the class project
will be... interesting!
Flame: A glimpse into the future of war
… This week brought news of not the
first, nor the second, but the third known piece of advanced
malware that appears to be government or nation-state sponsored. We
have Stuxnet, its simpler cousin Duqu,
and now we have "Flame." These three pieces of malware are
hard evidence of cyberspying and, in the case of Stuxnet, sabotage
of Iran's nuclear program with malware to preempt a military
strike, according to a New
York Times article based on reporter David Sanger's new book.
The article, which relies on
information from unnamed U.S. government sources, confirms long-held
speculation that Stuxnet (and likely Duqu) was developed by the U.S.,
probably in collaboration with Israel. (Israel has denied
involvement in both Stuxnet and Flame, while the U.S. has not
outright distanced itself from either. Meanwhile, the U.S. Cyber
Emergency Response Team says there's no evidence that Flame is
related to Stuxnet or Duqu or that it targets industrial control
systems. (PDF)
And the Department of Homeland Security declined to answer questions
about Flame beyond providing this statement: "DHS was notified
of the malware and has been working with our federal partners to
determine and analyze its potential impact on the U.S.")
… "For most intelligence
agencies and governments what is interesting is the specifics of the
techniques that are being used. I'm sure there are agencies that are
learning a lot from them," Baker warned. "This is bad for
sophisticated countries that have secrets to protect, like the U.S.
and Western Europe, and for the Chinese and Russians too. And
it's probably good for countries like North Korea and Iran that are
going to go to school with this tool."
"Stuxnet, Conficker,
and Duqu and now with Flame added to that, it suggests we're in a new
era here," agreed Scott Borg, director of the nonprofit research
institute U.S.
Cyber Consequences Unit. "I'm not at all surprised by
Flame."
… "Cyber can be a much better
alternative," Borg said, noting that the Russian cybercampaign
against Georgia in 2008 targeted communication and media sites with
Distributed Denial of Service attacks and spared them from air
strikes. "That's an example where a cyberstrike was less
destructive and a more humane way to carry out a mission," he
said.
… One big problem with Flame is
that the malware authors didn't use code obfuscation, which means it
can easily be dissected and re-used by any organization with some
advanced programming skills and experience, which would include a
large number of nation-states and terrorist groups, according to
Borg.
… "Do
the same rules (of war) apply in cyberspace?"
Columbia University computer science professor Steven Bellovin
wonders in a blog
post. "One crucial difference is the difficulty of
attribution: It's very hard to tell who launched a particular
effort. That in turn means that deterrence doesn't work very well."
When you absolutely, positively want to
delete everything... “I vant total control of das machine.”
If you are a Windows user, then you
have probably encountered situations in the past where you are unable
to delete a file from your computer. There are many reasons why you
may not be able to delete a file; it might be used by another
process, it might have too long a path, the name may be invalid, etc.
To solve this problem, give FilExile a try.
Useful for the “Fully connected?”
Your pictures are probably scattered
across various online services that you use. These services can
include Facebook, Flickr, Picasa, and many others, along with the
images that are stored offline on your computer. If you had to make
a picture slideshow of all these images, you would have to jump from
one online account to another and spend considerable time trying to
gather your photos before you passed them through an offline app to
make your slideshow. Fortunately there is a far more convenient
option available in the form of a service called Slidely.
… Slideshows you view on the site
can also be embedded on your own blog / site. Click on the Embed
button and then select the player size to get the appropriate code.