Thursday, July 31, 2008

IOC Admits Internet Censorship Deal With China

Slashdot states that some International Olympic Committee officials have cut a deal to let China block sensitive websites despite promises of unrestricted access according to a senior IOC official yesterday.

Although China committed to giving the media the same freedom to report on the Games that they had enjoyed at previous Olympics, journalists report that access to sites considered sensitive by its communist leadership is blocked.
"I regret that it now appears BOCOG has announced that there will be limitations on website access during Games time," IOC press chief Kevan Gosper said, referring to Beijing's Olympic organizers.

"I also now understand that some IOC officials negotiated with the Chinese that some sensitive sites would be blocked on the basis they were not considered Games related," he said.
"We are going to do our best to facilitate the foreign media to do their reporting work through the Internet," BOCOG spokesman Sun Weide told a news conference. "I would remind you that Falun Gong is an evil, fake religion which has been banned by the Chinese government."
Paris-based Reporters without Borders said it was becoming increasingly concerned that there would be many cases of censorship during the Olympics.

See more in Reuters.

Wednesday, July 30, 2008

Security Flaws In Online Banking Found to Be Widespread

ACM TechNews writes that a University of Michigan study reveals that more than 75 percent of bank websites have at least one design flaw that could allow cybercriminals to either take money or identities from their customers.

UM professor Atul Prakash and doctoral students Laura Falk and Kevin Borders examined the websites of 214 financial institutions in 2006. Prakash said that some banks may have taken steps to resolve the problems since then, but that overall he still sees much need for improvement.
"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," Prakash said. "Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."
The FDIC says that, while relatively rare compared with financial crimes like mortgage fraud and check fraud, computer intrusion is a growing problem for banks and their customers.

See complete article in UNIVERSITY OF MICHIGAN NEWS SERVICE.

Tuesday, July 29, 2008

ISP Embarq Monitors User Traffic

Slashdot references an article in the Washington Post about Sprint-Nextel's spin-off Embarq monitoring Internet activity on close to 26,000 customers in Kansas.

Embarq, a regional Internet company, told lawmakers last week that it had notified 26,000 Internet customers in Kansas that it was conducting a targeted advertising test based on their Web-surfing behavior and had offered them an opt-out choice. The House of Representatives Committee on Energy and Commerce is investigating whether any privacy laws were broken.
"I am still troubled by the company's failure to directly inform their consumers of the consumer data gathering test and the notion that an 'opt out' option is a sufficient standard for such sweeping data gathering," said Rep. Edward J. Markey (D-Mass.), chairman of the House subcommittee on telecommunications and the Internet.
The advertising test used deep-packet inspection technology provided by NebuAd, a Silicon Valley company. When installed in an ISP's network, the technology gives a window into potentially all of a consumer's online actions, from Web surfing and search terms to any unencrypted Web communication.

See article in washingtonpost.com.

Monday, July 28, 2008

Google Caught on Private Property

In a Slashdot posting over the weekend, it was noted that Google's new Street View coverage in Sonoma and Mendocino counties seems to trespass on private property.

Google took some heat last year from privacy advocates when it launched Street View in San Francisco, New York, Denver, Las Vegas and Miami. Some critics' concerns were assuaged when Google recently deployed a technology that blurs faces and license plates.

The latest 360-degree photos were taken all across Sonoma County, from the eastern county border to the Pacific Ocean and most of the cities in between. Google went past a gate with a "no trespassing" sign outside Freestone and captured images on private property. Several residences can be seen, including a close-up of someone's living room window.
"I like my privacy, and this feels like an invasion of that," said Janet Tobin, who lives on the property. "My friends already know how to get here. I don't need the whole world coming to my door."
Google spokeswoman Elaine Filadelfo says that the company tries to avoid photographing on private property and takes down images that were not taken from public roads. However, once an image is online, it can become impossible for Google to stop its reproduction on other Web sites.
"This is not the first time this incidence has come up," said Kurt Opsahl, senior staff attorney for the Electronic Frontier Foundation, an Internet watchdog group.
So far it's been rare, he said. If Google has trespassed only twice, Opsahl says it's not a huge concern.
"But if this is only the tip of the iceberg, then with each additional incident it becomes more troubling," he said.
See full article at PressDemocrat.com.

Friday, July 25, 2008

Researchers Face Jail Risk For Snooping Study

An article appeared in Slashdot about a group of researchers from the University of Colorado and the University of Washington who may face both civil and criminal penalties for a research project in which they snooped on users of the Tor anonymous proxy network.

The team of two graduate students and three faculty members neither sought legal review of the project nor ran it past the Human Subjects Committee at their universities.

Should federal prosecutors pursue this, they could face up to 5 years in jail for violating the Wiretap Act. This is the same law that groups like the ACLU and EFF sued AT&T for violating when it shared customer communications with the US National Security Agency. AT&T succeeded in obtaining retroactive immunity from Congress, but only after spending tens of millions of dollars on lobbyists.

Regarding the legal issues at play here, Kevin Bankston, the EFF lawyer who wrote the legal guide for Tor server operators and who also led the EFF's lawsuit against AT&T, said:
"I agree that their logging the content exiting their nodes would appear to constitute interceptions of those electronic (not wire) communications under the Wiretap Act, and I don't think they qualify for the narrow provider exceptions [18 USC 2511, 2 (a) I], so I still see the same potential civil and criminal liability that was noted in our FAQ."
See full story at cnetNEWS.com.

Thursday, July 24, 2008

Google Blogger "hosts 2% of world's malware"

Slashdot mentions a report from the security firm Sophos stating that Google's Blogger service is responsible for 2% of the world's malware hosted on the web. The firm claims hackers are building pages on the free blogging service to host malicious code or else just post links to infected websites in other bloggers' comments.

Sophos' senior technology consultant, Graham Cluley, says Blogger is worse than other blogging services because of its close ties with the search giant.
"The attraction for the bad guys in targeting Blogger is that things pretty much get spidered instantly into Google, because it [Blogger] is part of Google," he says.

See PCPRO for details.

Wednesday, July 23, 2008

E-gold Owners Plead Guilty To Money Laundering

Slashdot announces that the three owners of the Internet currency service called 'e-gold' pleaded guilty to money laundering in the U.S. District Court for the District of Columbia.

Principal Director of E-Gold Douglas Jackson announced changes to the E-Gold user agreement, including a temporary suspension of new accounts. He called E-Gold more successful than most of its competitors, but also acknowledged problems with the service.

One problem is E-Gold's "failure to transition from a marginal player for early adopters to a respected institution integrated into the global financial mainstream," he wrote. "E-gold's failure to emerge so far is a result of many factors but the root causes were design flaws in the account creation and provisioning logic that led to the unfortunate consequence of vulnerability to criminal abuse. Criminal abuse of the e-gold system, in turn, led to a self-reinforcing negative reputation."
E-Gold and its affiliate 'Gold & Silver Reserve' could be fined $3.7 million at sentencing, and Jackson could be sentenced to 20 years in prison and fined $500,000.

Although the E-Gold operation was required by law to be licensed and registered as a money transmitting business, it had not done so. The resulting lack of required procedures fostered an atmosphere in which criminals could use "e-gold" (digital currency) anonymously to further their illegal activities, the Department of Justice said.

See The Industry Standard for more information.

Tuesday, July 22, 2008

Google Is Watching, Perhaps Soon in Your Home

ACM TechNews observes that, despite the continual worries of privacy advocates and government officials that it already knows too much, Google is after even more user data.

In a recent paper, Google researcher Bill N. Schilit and computer scientists Jeonghwa Yang of Georgia Tech and David W. McDonald of the University of Washington propose "home activity recognition," or tracking people's activities at home through their network interactions.
"Activity recognition is a key feature of many ubiquitous computing applications ranging from office worker tracking to home health care," the paper explains. "In general, activity recognition systems unobtrusively observe the behavior of people and characteristics of their environments, and, when necessary, take actions in response -- ideally with little explicit user direction."
When applied in certain circumstances, as with the elderly, such monitoring might be beneficial. On the other hand, others might perceive it as positively Orwellian.

See details at InformationWeek.

Monday, July 21, 2008

FBI Fights Testing For False DNA Matches

Slashdot notes an article in the Los Angeles Times about the 2001 discovery by Arizona crime lab technician Kathryn Troyer of two felons with remarkably similar genetic profiles, so similar that they would be accepted in court as a match. However, one of the two was white and the other was black.

Although the FBI estimates the odds of unrelated people sharing those genetic markers as 1 in 113 billion, Troyer found dozens of similar matches.

Several scientists and legal experts want to test the accuracy of official statistics using the nearly 6 million profiles in CODIS, the national system that incorporates most state and local databases.
"DNA is terrific and nobody doubts it, but because it is so powerful, any chinks in its armor ought to be made as salient and clear as possible so jurors will not be overwhelmed by the seeming certainty of it," said David Faigman, a professor at UC Hastings College of the Law, who specializes in scientific evidence.

FBI officials argue that critics exaggerate or misunderstand the implications of Troyer's discoveries.
"I can appreciate why the FBI is worried about this," said David Kaye, an expert on science and the law at Arizona State University and former member of a national committee that studied forensic DNA. But "people's lives do ride on this evidence," he said. "It has got to be explained."

See the full story in the Los Angeles Times.

Friday, July 18, 2008

Schneier, UW Team Show Flaw In TrueCrypt Deniability

Slashdot relates how noted cryptographer Bruce Schneier and a group of researchers at the University of Washington have hacked the ultra-paranoid feature in the TrueCrypt disk encryption tool.

The deniable file system (DFS) feature in TrueCrypt is a fairly extreme file-protection function that first encrypts the file, then hides it in an area of the disk drive that is itself encrypted, sort of like a 'cloaking device'. However, Schneier, chief security technology officer with British Telecom, and colleagues have found that Microsoft Vista, Word, and Google Desktop can each blow the cover of files that use the DFS feature.

Schneier says that DFS is actually easier to defeat than encryption and that there may be no way to really make files undetectable on a hard drive.
“Deniability is a much harder security feature to enable than secrecy,” he says.
The researchers discovered that Windows Vista shortcuts can give away the existence of a hidden file, that Google Desktop exposes hidden files in TrueCrypt versions below 6.0, and that the auto-save feature of Word saves versions of hidden files.

See more at Dark Reading.

Wednesday, July 16, 2008

Cybercrime Organizational Structures Evolve

Slashdot writes of the latest findings in a report by Finjan's Malicious Code Research Center (MCRC) about the structural change in cybercrime organization. Loosely organized groups of hackers trading stolen data have been replaced by hierarchical cybercrime operations that deploy sophisticated pricing models and Crimeware business models.

These organizations are composed of strict hierarchies in which each cybercriminal is rewarded according to his position and task.

For more info, see HELP NET SECURITY.

Tuesday, July 15, 2008

When the Phone Goes With You, Everyone Else Can Tag Along

ACM TechNews says that while the launch of the 3G iPhone emphasizes the increasing sophistication of the cellphone and mobile device industries, it also generates some privacy concerns.

The iPhone blends GPS functions with the Internet to create a capability that not only pinpoints location but displays nearby attractions. This feature could help merchants target ads, insurance adjusters calibrate premiums, or parents keep track of children. But it also means that the consumer is sharing that information with network providers, social Web sites, law enforcement and/or others that have the potential to track everywhere they have been.
"There's a disconnect between our expectations of when we will be observed and who will be observing us and how that information will be used and what the technology is allowing companies to do," says University of Southern California law professor Jennifer Urban.
The big issues are transparency and user control, said James X. Dempsey of the Center for Democracy and Technology.
"How easy is it for the user to turn the location function on and off, and how easy it is for the user to delete past location information?" he said. "What are the companies collecting? Who are they sharing it with? How long do they store it? And what control does the consumer have over the information? These are the fundamental questions."
See full article at washingtonpost.com.

Monday, July 14, 2008

ACLU Files Lawsuit Challenging FISA

Slashdot posts links to coverage of the federal lawsuit the American Civil Liberties Union filed just hours after Bush signed the expansion of the Foreign Intelligence Surveillance Act into law.

By passing the FISA Amendments Act, Congress has given the executive branch of the U.S. government the power to order Google, AT&T and Yahoo to forward all email, phone calls and text messages to them where one party to any conversation is thought to be overseas.

The ACLU is suing on behalf of journalists and human rights groups. While longtime foreign correspondent Christopher Hedges admits that surveillance is nothing new to journalists, he also says
"There is a lot of monitoring that goes on especially when you are overseas. But this creates a further erosion in my ability to work as a journalist."
The Electronic Frontier Foundation, at the forefront of the still-continuing lawsuits against the nation's telecoms, will challenge the provision in the bill that gives retroactive amnesty to telecoms currently being sued for helping the government spy on Americans without warrants.
"We are also preparing a new case against the government for its warrantless wiretapping, past, present and future," said EFF senior staff attorney Kevin Bankston, who said the details were being withheld to keep the element of surprise.

See details in Wired.

Wednesday, July 09, 2008

Telecom Immunity Bill Hides Spying Provisions

Slashdot mentions an analysis in ars technica of the new FISA bill that has been receiving much attention of late, with the particularly alarming realization that the bill loosens current protections on domestic wiretapping.

The ars technica article expounds on the dramatic expansion of the government's ability to wiretap without any real judicial oversight, while also giving the federal government unprecedented additional latitude in choosing eavesdropping targets for anything, not just terrorism-related activities. Basically, the FISA Amendments Act of 2008 opens such huge loopholes for the feds that the telecom immunity issues are somewhat trivialized by comparison. The new legislation stretches the judicial process out so much that in many cases the federal government would be able to finish its surveillance activities before the courts have even decided whether they are legal.

So far, the only determined opposition is a small group of Senators led by Chris Dodd and Russ Feingold, who have managed to stall the legislation for a couple of weeks.
"By blocking a vote on the Foreign Intelligence Surveillance Act (FISA), the fight to stop retroactive immunity goes on -- for another week anyway," said Dodd. "The Senate will take the bill up again this week as it returns from the July 4th recess."

For the complete article, see ars technica.

Tuesday, July 08, 2008

Firefox Users Most Secure on Internet, Study Shows

Slashdot links to an article about the study "Understanding the Web browser threat: Examination of vulnerable online Web browser populations and the 'insecurity iceberg'", whose aim was to analyze the web browser preferences and behavior of people using the Internet. The study is a collaboration among researchers at the Swiss Federal Institute of Technology, Google and IBM Internet Security Systems, and offers a comprehensive analysis of Web browsers, particularly with regard to security.

Firefox users were by far the most likely to use the latest version at an overwhelming rate of 83.3 percent running an updated browser on any given day. The study also revealed that 65.3 percent of Safari users were likely to be running the latest version and that Microsoft Internet Explorer users ranked dead last in terms of safe browsing.
"With today's hostile Internet and drive-by download attack vectors, failure to apply patches promptly or missing them entirely is a recipe for disaster; exposing the host to infection and possibly subsequent data disclosure or loss," the researchers said.

See Channel Web for details.

Monday, July 07, 2008

ICANN Loses Control of Its Own Domain Names

Slashdot notes an AP story picked up by CBCNEWS.ca about ICANN losing control over two of its own domain names on June 26th. Apparently a domain registrar (an Internet registration company overseen by ICANN, the Internet Corporation for Assigned Names and Numbers) transferred the domains to somebody else. While the attack was noticed very quickly and ICANN's domain names were restored within 20 minutes, many Internet directories retain information for a day or two, so visitors may have been redirected to an unauthorized site for longer.

The ICANN press release about the incident states that: 'The DNS redirect was a result of an attack on ICANN's registrar's systems. A full, confidential, security report from that registrar has since been provided to ICANN with respect to this attack.'

For further information, see CBCnews.ca.

Thursday, July 03, 2008

More Than 630,000 Laptops Lost at Airports Each Year (June 30, 2008)

SANS reports that a study commissioned by Dell reveals the loss of nearly 637,000 laptops at some of the largest and medium-sized U.S. airports every year.

According to the Ponemon Institute, chosen to conduct the survey, laptops are most commonly lost at security checkpoints. The chaos in going through security checkpoints can make it easy for travelers to lose track of their laptops, making it "fertile ground for theft," the FTC said.

Dell is launching a suite of data protection and asset recovery services, including GPS. The data protection services include the ability to remotely delete data on a hard drive as well as services for recovering data from failed hard drives.

See the complete study for more information.

Wednesday, July 02, 2008

Cisco, IBM, Intel, Juniper and Microsoft Fight Cyber Terror Together

ACM TechNews flags a NetworkWorld article about the formation of the Industry Consortium for Advancement of Security on the Internet (ICASI) by Cisco, IBM, Intel, Juniper, and Microsoft.

The intent is to respond faster to multi-product security threats which pose problems for both the vendor and the end user.
“To date there has not been a trusted vendor environment that allows companies to identify, assess, and mitigate multi-product, global security challenges together on the customers' behalf,” the group says in a statement. “ICASI aims to fill this void.”

See complete article in Network World.

Tuesday, July 01, 2008

FBI's New Eye Scan Database Raising Eyebrows

Slashdot writes that the FBI has confirmed to Popular Mechanics that it isn't just palm prints they're adding to criminal records. The agency is also preparing to expand its repository of photos as part of a new biometric software system that stores millions of iris scans and could be the basis of facial recognition.

The FBI's Next Generation Identification (NGI) system, contracted with Lockheed Martin for $1 billion over 10 years, would create an unparalleled database of biometric markers such as facial images and iris scans. NGI could some day be as useful as DNA. To privacy advocates, this represents a dual threat: a step toward a police state, and a highly attractive collection of personal data for cybercriminals to pillage.

See full article in Popular Mechanics.