Tuesday, September 30, 2008

Spoofing GPS Receivers

ACM TechNews picked up an article on research at Cornell University showing that global positioning system (GPS) technology is vulnerable to spoofing: fake signals transmitted so that receivers accept them as authentic.

The Cornell researchers presented a paper on their findings at a meeting of the Institute of Navigation on September 19th in Savannah, GA. Paper co-authors Brent Ledvina, Cornell Ph.D. '07 and now assistant professor of electrical and computer engineering at Virginia Tech, and Todd Humphreys, Cornell Ph.D. '07, described how a "phony" receiver could be placed near a navigation device, where it would track, modify, and retransmit the signals coming from the GPS satellite constellation. Eventually the "victim" navigation device would mistake the counterfeit navigation signals for the real ones.
"GPS is woven into our technology infrastructure, just like the power grid or the water system," said Kintner, Cornell professor of electrical and computer engineering and director of the Cornell GPS Laboratory. "If it were attacked, there would be a serious impact."

See the full article in Cornell University's Chronicle Online.

Monday, September 29, 2008

CA Sec. State Bowen promotes Open Source in Voting Computers

A 9/29/08 San Jose Mercury News article, "Magid: Panel calls for use of open source software on voting machines," describes a panel at MIT's Emerging Technology conference.
On the MIT panel, Bowen called for the use of open source software that is transparent to anyone with the technical skills to understand it. That may not include the average voter or election office, but with open source code, at least some software engineers have the ability to inspect and even improve code.

See also Lucas Mearian's 9/25 ComputerWorld blog, "Prevent unwanted presidencies with paper ballots."

Friday, September 26, 2008

AT&T, Verizon To Require Opt-In For User Tracking

Slashdot picked up a Washington Post report that yesterday AT&T and Verizon pledged not to track customers' internet behavior unless given explicit, opt-in permission.
"Verizon believes that before a company captures certain Internet-usage data . . . it should obtain meaningful, affirmative consent from consumers," said Thomas J. Tauke, Verizon executive vice president.
AT&T's chief privacy officer Dorothy Attwood made a similar pledge to legislators.

Meanwhile, Google, Microsoft and many other Web companies have adopted the "opt out" model, which they say is enough to give consumers "control" over whether their activities are tracked. Some critics viewed yesterday's announcements with skepticism, noting that even the stricter "opt in" scheme could pose problems: weakly worded warnings could entice many people to "opt in" despite the risks, they said.
"What they should be saying is, 'We are going to be collecting every move of your mouse on every Web site on a second-by-second basis.' But that would scare too many people away," said Jeff Chester, of the Center for Digital Democracy. "They're going to craft some kind of proposal that claims to be informed consent but simply gives them political cover while they engage in full frontal behavioral targeting."

See more at washingtonpost.com.

Thursday, September 25, 2008

Alarm Raised For "Clickjacking" Browser Exploit

Slashdot picked up a story in ZDNet about what seems to be a treacherous new browser exploit affecting all major desktop platforms, including Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.

This threat, called "Clickjacking", was to be a topic at the OWASP NYC AppSec 2008 conference, but the talk was postponed out of consideration for the affected vendors until a fix is developed.

The two researchers who made the discovery, Robert Hansen and Jeremiah Grossman, have released some information to emphasize the severity of this threat. According to someone who attended the semi-restricted OWASP presentation:
"In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits. The problem affects all of the different browsers except something like lynx. The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you. It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch. With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening."

See more at ZDNet.
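
Clickjacking depends on a site allowing its pages to be loaded in a frame on another origin; browsers later added the X-Frame-Options and Content-Security-Policy frame-ancestors response headers so a site can refuse to be framed. The Python below is an added example, not part of the original post or the researchers' work: it audits a response's headers for that protection, including the conflict and report-only edge cases. The header names are real; the sample responses are constructed.

```python
# Check whether an HTTP response forbids being framed, the precondition a
# clickjacking overlay needs. Added example; header names are real, sample data constructed.

def _frame_ancestors(csp_value):
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def frame_protection(headers):
    """Classify a response as 'protected', 'weak' or 'unprotected' against framing.

    frame-ancestors overrides X-Frame-Options when both appear, as conforming
    browsers do; a Report-Only CSP enforces nothing and is deliberately ignored.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        if ancestors == ["'none'"]:
            return "protected", "frame-ancestors 'none' forbids all framing"
        if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
            return "weak", "frame-ancestors lets any origin frame the page"
        return "protected", "frame-ancestors limits framing to listed origins"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is obsolete and ignored by current browsers"
    if xfo:
        return "unprotected", f"unrecognised X-Frame-Options value {xfo!r} is ignored"
    return "unprotected", "no framing restriction header present"

# Constructed sample responses, not captured from any real site.
SAMPLE_RESPONSES = {
    "login-page": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "legacy-portal": {"Content-Type": "text/html"},
    "csp-lax": {"Content-Security-Policy": "default-src 'self'; frame-ancestors *"},
    "conflict": {"X-Frame-Options": "DENY",
                 "Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}

def audit(responses=SAMPLE_RESPONSES):
    """Map each response name to its verdict, for use in a header-audit script."""
    return {name: frame_protection(hdrs)[0] for name, hdrs in responses.items()}
```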

Tuesday, September 23, 2008

Feds Tighten DNS Security On .Gov

Slashdot quotes a lengthy article in Network World that claims the feds have launched the largest-ever rollout of a new authentication mechanism for the Internet's DNS. All federal agencies are deploying DNS Security Extensions (DNSSEC) on the .gov top-level domain. DNSSEC prevents hackers from diverting web traffic from legitimate sites and redirecting it to sham sites. The Internet standard prevents spoofing attacks by letting the DNS records that tie a domain name to its corresponding IP addresses be verified using digital signatures and public-key cryptography.

Leslie Daigle, Chief Internet Technology Officer for the Internet Society, says that with DNSSEC deployed, federal Web sites "are less prone to be hacked into, and it means they can offer their services with greater assurances to the public."

The U.S. government DNSSEC mandate is "significant" according to Olaf Kolkman, DNSSEC expert and director of NLnet Labs, a nonprofit R&D foundation in the Netherlands, who says:
"First, the tool developers will jump in because there is the U.S. government as a market. ... Second, there is suddenly a significant infrastructure to validate against."

See the complete article at Network World.

Monday, September 22, 2008

Nevada Businesses Must Start Encrypting E-Mail By Oct. 1st

Slashdot notes an article about a looming deadline on e-mail encryption in the state of Nevada. All electronic transmissions, i.e. e-mail, from businesses that send personally identifiable information over the Internet must be encrypted starting October 1st of this year.

The statute was signed into law in 2005 and reads as follows:
NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]

1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.
Bryce K. Earl, a Las Vegas-based attorney, has been following the issue closely and believes there are some problems with the statute as it is currently written, including opening up all kinds of unintentional liability issues.

For full write-up, see Baseline.

Friday, September 19, 2008

Cyber Attack Data-Sharing Is Lacking, Congress Told

ACM TechNews presented an article in the Washington Post about the first open hearing on cyber security held by the House Permanent Select Committee on Intelligence. The concern, according to cyber-security expert Paul B. Kurtz, is that U.S. intelligence agencies are unable to share information about foreign cyber attacks against companies for fear of putting intelligence-gathering sources in jeopardy.

Kurtz, who has served on the National Security Council in the Clinton and Bush administrations, is concerned about the breadth of the cyber attacks.
"American industry and government are spending billions of dollars to develop new products and technology that are being stolen at little to no cost by our adversaries," he said. "Nothing is off limits -- pharmaceuticals, biotech, IT, engine design . . . weapons design."
A key issue for policymakers is how the government can effectively monitor private networks for intrusions without infringing on the privacy rights of Americans whose data flows through those networks.

See the complete article at washingtonpost.com.

Wednesday, September 03, 2008

Public, Private Sectors at Odds Over Cyber Security

ACM TechNews reported an article in the Los Angeles Times on the rift between corporate America and the federal government over who should make the repairs to the Internet, brought into focus by three recent, significant computer security breaches. To wit, over the past few months law enforcement officials busted an international ring that accessed customer databases and trafficked tens of millions of credit card numbers; a researcher discovered a serious flaw in the Domain Name System that could allow hackers to redirect users to fake versions of popular Web sites; and computer attacks were used to cripple the country of Georgia's internet capabilities.

That said, little has been done to make cybersecurity a more dominant issue.
"Nothing is happening," said Jerry Dixon, the former director of the National Cyber Security Division at the Department of Homeland Security. "This has got to be in the top five national security priorities."
While the government has argued that the private sector is better suited to tackle the broader problem, big corporations say it's too big for them to handle.

See full article in the Los Angeles Times.

Tuesday, September 02, 2008

FBI ISP Letters May Have Violated Free Speech

Slashdot mentions a Reuters account of an appeals court hearing in which an unnamed ISP is challenging a Patriot Act provision that allows the FBI to issue secret letters to ISPs and telecoms demanding customer records.

A panel of three judges from the U.S. Second Circuit Court of Appeals heard arguments on whether a provision of the Patriot Act requiring people formally contacted by the FBI for information to keep it secret is constitutional.

The American Civil Liberties Union filed a similar suit in 2004 against the U.S. government challenging the so-called National Security Letters (NSL) as well as gag orders placed on the recipients.
"You can't tell me that any terrorist is going to make anything out of the fact you issued NSLs to AT&T and Verizon," said Circuit Judge Sonia Sotomayor, using a hypothetical example.
Nearly 200,000 national security letters were sent out between 2003 and 2006. Of those, approximately 97 percent also received gag orders.

The judges will rule on the issue in the next few months.

For more information, see Reuters.