Thursday, May 29, 2008

Conference Takes on Tech's Future

ACM TechNews posts an article from last weekend's San Jose Mercury News about participants at this year's Computers, Freedom and Privacy Conference. Some of the issues that resurfaced at ACM's 4-day conference concerned government data collection, network neutrality, intellectual property, and patents. The conference also focused on the construction of an open letter to the next president of the United States, calling for more thoughtful attention to technology.

Another area of concern was content filtering by internet service providers.
For details, see MercuryNews.com.

Tuesday, May 27, 2008

Canadian Domain Name Registrants To Get More Privacy

An anonymous reader wrote to Slashdot about the change in Canada's WHOIS policy for better protection of domain name registrants.

The existing WHOIS search system provides the domain owner's name, home address, phone number and e-mail address. The Canada Internet Registration Authority seeks to change such ease of access by June 10th, when new privacy policies are instituted that will protect private information from public eyes.

Michael Geist, law professor at the University of Ottawa and Canada Research Chair of Internet and E-commerce Law says it is a treasure trove for spammers.
"We're talking about one of the largest freely available online directories of personal information in the country," he said.
Those who already own domain names will not enjoy the luxury of privacy immediately, but any edits to information after June 10th will not be publicly available. See complete article in THE CANADIAN PRESS.

Friday, May 23, 2008

US Firms Read Employee E-mail On a Massive Scale

Slashdot posts a link to an article about companies that employ staff to read and/or analyze content in outbound e-mail.

Proofpoint found in its fifth-annual study of outbound e-mail data loss prevention issues, that large companies continue to sustain risks from, and take action against, information leaks in outbound e-mail. In fact, 41% of the largest companies surveyed claim to employ staff to read outbound e-mail and 22% of them employ staff exclusively for that purpose.

Outbound e-mail continues to be a key source of risk for U.S. businesses with a record 44% of surveyed companies reporting an investigation of an e-mail leak of confidential information in the past 12 months.

See complete article at HELP NET SECURITY.

Thursday, May 22, 2008

Inside Lockheed Martin's Wireless Security Lab

ACM Technews ran an article about Lockheed Martin's Wireless Cyber Security Lab, which is racing against hackers to catch flaws and vulnerabilities in wireless security.
"We're trying to ensure that something similar [to 9/11] doesn't happen in the realm of wireless communications," says lab director John Morrison.

Perri Nejib, CTO for Lockheed Martin Information Systems says the biggest emerging wireless security threat is the blurring of the boundary between home and the office, as employees increasingly access company data via corporate VPNs from their homes.

To address this issue, the company has been testing numerous types of consumer technology, including cell phones, which have been moving to enterprise networks. The spread of Wi-Fi hot spots has been of particular concern because of the technology's growing ubiquity in urban areas. Oftentimes users will connect to unsecured networks without realizing that they're at risk.

See complete article at NETWORKWORLD.

Wednesday, May 21, 2008

New 'Phlashing' Attack Sabotages Hardware

Slashdot writes about a new type of denial-of-service attack that damages a system so severely that it must be replaced or the hardware must be reinstalled.

Called 'Phlashing', this permanent denial-of-service (PDOS) attack can be launched remotely.
“We aren't seeing the PDOS attack as a way to mask another attack, such as malware insertion, but [as] a logical and highly destructive extension of the DDOS criminal extortion tactics seen in use today,” says Rich Smith, head of research for offensive technologies & threats at HP Systems Security Lab.
Smith will show how network-enabled systems firmware is vulnerable to remote PDOS attacks this week at the EUSecWest security conference in London this week.

See related article in darkREADING.

Wednesday, May 14, 2008

Charter Is Latest ISP To Plan Wiretapping Via DPI

Slashdot points out that Charter Communications has begun sending letters to its customers informing them that, as an "enhanced user experience", it will start spying on their searches and the websites they visit injecting Charter's own targeted ads.

Furthermore, Charter, which serves almost 6 million customers, is requiring users who want to keep their activity private to submit their personal information using an unencrypted form and then download a privacy cookie. The cookie must then be downloaded again each and every time a user clear the web cache or uses a different browser.

Although consumers are already protesting Charter's flawed opt-out clause, there is the more troublesome implementation of "deep packet inspecting" (DPI) to consider. DPI allows an ISP to monitor not only its users searches and visited websites, but also the type of activity (e.g., email) which threatens net neutrality and could be used for traffic shaping.
See more at THE CONSUMERIST.

Tuesday, May 13, 2008

Information Tags Along Everywhere You Go

ACM Technews tells of consumers turning to the Internet to try to find ways to disable or remove the radio frequency identification tags affixed to many producst and consumer items, including passports and credit cards.

While this practice is becoming more prevalent, critics warn the the tags and signals could be abused by individuals attempting to steal identity or find targets for a specific attack.

California legislators enacted a law last year prohibiting employers from forcing their employees to implant RFID tags in their bodies. But the real problem, say critics, is that RFID tracking is virtually invisible and undetectable by its subjects.
"You can look at this at two different levels: whether it's worthwhile for you as an individual to fuss with wrapping your cards in some sort of sleeve, or looking at the systemic issue: how we got to a point where these cards do make this information available remotely," said Edward W. Felton, a professor of computer science and public affairs at Princeton University, whose graduate students became famous for penetrating the security of electronic voting machines.
See today's article about the problem at baltimoresun.com.

Monday, May 12, 2008

Security Flaw turns Gmail into open-relay server

A reference to an article in ars technica by Slashdot focuses on a problem Google is having where its Gmail email service can be used as an extremely effective spam machine.

The Information Security Research Team (INSERT) says that Gmail is susceptible to a man-in-the middle attack that allows spammers to send thousands of bulk email messages through Google's SMTP service without detection. This particular attack circumvents Google's identity fraud protection mechanisms as well as the 500-address limit on bulk e-mail.

See Ars Technica for the full report and INSERT for today's update on the Gmail flaw from the Information Security Research Team.

Thursday, May 08, 2008

US State Dept. Loses Anti-Terrorist Program Laptops

Slashdot's report for today contains a post about the US State Department's inability to account for up to about 1,000 laptops where as many as 400 of them belonged to the department's Anti-Terrorism Assistance Program.

The department' deputy CFO Christopher Flaggs said the issue of the missing laptops could develop into a "material weakness", auditor-speak for "really bad news."

John Naland, president of the American Foreign Service Association said
"If the missing ones might have contained classified data, this could be serious."
See the full story in iTnews.

Wednesday, May 07, 2008

USACM Urges Contress to Build in Safeguards for Automated Employment Checks

ACM Technews points to an article regarding Chair of their U.S. Public Policy Committee Eugene H. Spafford's testimony at a Congressional hearing yesterday on employment verification systems and their impact on the Social Security Administration. Spafford recounted several potential problems in a pilot system run by the Department of Homeland Security to electronically check on employee work eligibility.

Dr.Spafford urged Congress to include safeguards to ensure that both employers and employees are sufficiently protected from technical failures and/or abuses of the system.
"As technologists, we are acutely aware of the limitations and failure modes of current information technology," Dr. Spafford noted. "What makes this especially serious is that some of those failures may result in unemployment for unfortunate and innocent victims. Any system must take the extreme failure modes into account and provide appropriate safeguards to avoid injury to the blameless seeking gainful employment to better themselves."
Dr. Spafford identified three major concerns regarding the automated employment verification system known as E-Verify about which he testified before the Subcommittee on Social Security of the U.S. House of Representatives Committee on Ways and Means.

See complete article in Ascribe.

Friday, May 02, 2008

DARPA Sponsors a Hunt For Malware in Microchips

Slashdot has a link to an IEEE Spectrum story regarding an interesting DARPA project with some alarming implications about just what we don't know about what chips are actually doing beneath the surface.

When Israeli jets bombed a suspected nuclear installation in Syria last September, the failure of supposedly superior radar to warn of incoming assault made it easy to see that this was an incident of atypical electronic warfare. Such incidents are increasing in number and not only in the Middle East.

The additional realization by the Pentagon that it no longer controls who manufactures components in its increasingly complex systems is further cause for concern.

The story, entitled The Hunt for the Kill Switch, describes the DOD's launch of a very ambition program to verify the integrity of electronic components underpinning its arsenal.

See full story.

Thursday, May 01, 2008

Lawyers Would Rather Fly Than Download PGP

Slashdot recounts an anonymous post about a NY Times front-page story about lawyers representing suspects in terrorism-related cases. Apparently lawyers in such cases will fly long-distances to meet with their clients rather than pursue a technological solution.

Oregon attorney Thomas Nelson flies to the Middle East to meet with his high-profile Saudi client, currently barred from entering the U.S. given charges here against him of financing terrorism.

Lawyers throughout the country representing suspects in terrorism-related investigations state that their ability to do their jobs is being thwarted by suspicion that the government is listening in, using eavesdropping authority it granted itself after the 9/11 terrorist attacks. A Portland lawyer involved in several terrorism cases says he has told clients to assume that everything they say to him is being secretly monitored,

The Justice Department doesn't deny that the government has monitored phone calls and e-mail between lawyers and clients as part of its terrorism investigations here and overseas.

To see details, see Lawyers Fear Monitoring in Cases on Terrorism in Tuesday's New York Times.