<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-25971470</id><updated>2011-12-29T07:32:15.324-08:00</updated><title type='text'>TRUST Security and Privacy Blog</title><subtitle type='html'>Security and Privacy news items</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://trust-news.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default?start-index=101&amp;max-results=100'/><author><name>Marci Meingast</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>389</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-25971470.post-8704184759931556940</id><published>2011-01-31T16:57:00.000-08:00</published><updated>2011-01-31T17:24:05.297-08:00</updated><title type='text'>DHS:  $40M To Research Next Big Thing in Cyber Security</title><content type='html'>The U.S. 
Department of Homeland Security announced a call for proposals this week in a $40 million program to encourage research and development in a wide range of topics related to cyber security.  In a Broad Agency Announcement (BAA) dated January 26th, the DHS said it was soliciting papers and proposals centered on 14 different areas, including topics in software assurance, enterprise security metrics, usable security, as well as challenges arising from insider threats.&lt;br /&gt;&lt;br /&gt;The Federal government has moved in recent years to attract top security talent, while organizations like In-Q-Tel, the CIA's venture firm, have funded new, innovative ideas. But, as in the private sector, an overabundance of security products hasn't improved the security position of government networks.&lt;br /&gt;&lt;br /&gt;Concurrently, spending on IT security continues to be criticized for waste of resources and a poor track record of learning from security incidents; for example, the Wikileaks issue showcased the startling lack of security around sensitive data.  
The new &lt;a href="https://www.fbo.gov/index?s=opportunity&amp;mode=form&amp;id=3c71c829bc28fcea61aef3a5e0f58ffe&amp;tab=core&amp;_cview=0"&gt; DHS Proposal&lt;/a&gt; aims to address those issues as well.&lt;br /&gt;&lt;br /&gt;See article in &lt;a href="https://threatpost.com/en_us/blogs/dhs-40m-research-next-big-thing-cyber-security-012811"&gt;threatpost&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-8704184759931556940?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8704184759931556940'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8704184759931556940'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2011/01/dhs-40m-to-research-next-big-thing-in.html' title='DHS:  $40M To Research Next Big Thing in Cyber Security'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-8135786923328238065</id><published>2010-05-07T15:09:00.000-07:00</published><updated>2010-05-07T15:43:34.411-07:00</updated><title type='text'>Discarded Copiers Hold Sensitive Data on Hard Drives</title><content type='html'>&lt;a href="https://www.sans.org/newsletters/newsbites/newsbites.php?vol=12&amp;issue=32#sID307"&gt; SANS Newsbites&lt;/a&gt; tells of a CBS news investigation that had found that the hard drives of four digital copy machines purchased second-hand contained vast amounts of personally identifiable information, including police files on domestic violence and sex crimes, copies of pay stubs and checks and sensitive 
medical information like test results, prescriptions and diagnoses. This would be a major coup for those in the identity theft business.&lt;br /&gt;&lt;blockquote&gt;"You're talking about potentially ruining someone's life," said Ira Winkler, former analyst for the National Security Agency, "where they could suffer serious social repercussions."&lt;/blockquote&gt;&lt;br /&gt;While some manufacturers say they offer security or encryption packages on their products, evidence keeps piling up in warehouses that many businesses are not willing to pay for such protection and the average American is oblivious to the dangers posed by digital copiers.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;For full story, see &lt;a href="http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml"&gt; CBS Evening News&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-8135786923328238065?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8135786923328238065'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8135786923328238065'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2010/05/discarded-copiers-hold-sensitive-data.html' title='Discarded Copiers Hold Sensitive Data on Hard Drives'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-370960532987889410</id><published>2010-04-13T09:29:00.000-07:00</published><updated>2010-04-13T10:09:32.029-07:00</updated><title type='text'>Please do not change your password</title><content 
type='html'>Mark Pothier's Boston Globe article, "&lt;a href="http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/"&gt;Please do not change your password&lt;/a&gt;," covers a paper by Microsoft researcher &lt;a href="http://research.microsoft.com/en-us/people/cormac/"&gt;Cormac Herley&lt;/a&gt;, "&lt;a href="http://research.microsoft.com/users/cormac/papers/2009/SoLongAndNoThanks.pdf"&gt;So Long, and No Thanks for the Externalities: the Rational Rejection of Security Advice by Users&lt;/a&gt;," from the 2009 &lt;a href="http://www.nspw.org/"&gt;New Security Paradigms Workshop&lt;/a&gt;.  Herley argues "that users' rejection of the security advice they receive is entirely rational from an economic perspective."  Herley discusses "password rules," "teaching users to recognize phishing sites by reading URLs" and "certificate errors".  Users obviously &lt;a href="http://it.slashdot.org/story/10/01/21/1313235/Analysis-of-32-Million-Breached-Passwords"&gt;choose bad passwords&lt;/a&gt;, but does password aging actually help? 
There was some discussion on &lt;a href="http://blogs.techrepublic.com.com/security/?p=3275"&gt;TechRepublic&lt;/a&gt; and &lt;a href="http://news.slashdot.org/story/10/03/16/1931214/Users-Rejecting-Security-Advice-Considered-Rational"&gt;Slashdot&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-370960532987889410?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/370960532987889410'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/370960532987889410'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2010/04/please-do-not-change-your-password.html' title='Please do not change your password'/><author><name>Christopher Brooks</name><uri>http://www.blogger.com/profile/03042907938411870505</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://ptolemy.eecs.berkeley.edu/image/ptolemySmall.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-6145578758369346322</id><published>2010-03-12T18:05:00.000-08:00</published><updated>2010-03-12T18:13:18.129-08:00</updated><title type='text'>"Privacy Protection Needed as Smart Grid Arrives"</title><content type='html'>A press release from UC Berkeley's Law School, "&lt;a href="http://www.law.berkeley.edu/7966.htm"&gt;Privacy Protection Needed as Smart Grid Arrives&lt;/a&gt;" points out privacy concerns with PG&amp;E's &lt;a href="http://www.pge.com/smartmeter/"&gt;Smart Meter&lt;/a&gt; project.  In particular:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;"Smart meters being installed now in California will collect 750 to 3,000 data points a month per household. 
This detailed energy usage data can indicate whether someone is at home or out, entertaining guests, or using particular appliances."&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;See "&lt;a href="http://www.sfgate.com/cgi-bin/blogs/scavenger/detail?entry_id=59017"&gt;PG&amp;E customer refuses to take smart meter, locks up old meter&lt;/a&gt;" for some of the controversy surrounding privacy and the accuracy of the meters.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-6145578758369346322?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6145578758369346322'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6145578758369346322'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2010/03/privacy-protection-needed-as-smart-grid.html' title='&quot;Privacy Protection Needed as Smart Grid Arrives&quot;'/><author><name>Christopher Brooks</name><uri>http://www.blogger.com/profile/03042907938411870505</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://ptolemy.eecs.berkeley.edu/image/ptolemySmall.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-4036802287224671055</id><published>2010-02-24T16:09:00.000-08:00</published><updated>2010-02-24T16:41:59.880-08:00</updated><title type='text'>Judge Hears Arguments on Google Book Settlement</title><content type='html'>Federal judge &lt;a href="http://topics.nytimes.com/topics/reference/timestopics/people/c/denny_chin/index.html?inline=nyt-per"&gt; Denny Chin&lt;/a&gt; heard more than four hours of testimony in a packed courtroom this week about the hotly contested class-action lawsuit filed against Google.&lt;br /&gt;&lt;br /&gt;Supporters of a deal that would 
allow Google to create an extensive digital library and bookstore, including the president of the National Federation of the Blind, a librarian at the University of Michigan, and a lawyer for Sony Electronics, stated that the agreement would make millions of hard-to-find books available to an enormous audience.&lt;br /&gt;&lt;br /&gt;A much larger group of opponents cited many concerns related to competition, privacy, violation of copyright and abuse of class-action processes. University of California, Berkeley law professor &lt;b&gt;Pamela Samuelson&lt;/b&gt; said that her academic colleagues would prefer to have their books available via open access, and also supported open access to orphan works. She said "the Authors Guild has not fairly represented academic authors." &lt;blockquote&gt;“We think orphan works is a public policy issue to be decided by Congress,” she said. She mentioned that she had asked for “meaningful constraints” on pricing subscriptions. And, while not responding directly to University of Michigan Librarian Courant, she offered a contrasting perspective: “for plaintiffs, books are commodities. 
For academics, books are a slow form of social dialog."&lt;/blockquote&gt;&lt;br /&gt;See more in &lt;a href="http://www.nytimes.com/2010/02/19/technology/19google.html"&gt; The New York Times&lt;/a&gt; and a February 12th &lt;a href="http://people.ischool.berkeley.edu/~pam/GBSBrussels.pdf"&gt; presentation &lt;/a&gt;, "How Fair is the Google Book Search Settlement" by Berkeley law professor &lt;b&gt;Pamela Samuelson&lt;/b&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-4036802287224671055?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/4036802287224671055'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/4036802287224671055'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2010/02/judge-hears-arguments-on-google-book.html' title='Judge Hears Arguments on Google Book Settlement'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-208528999984818855</id><published>2010-02-19T17:23:00.000-08:00</published><updated>2010-02-19T17:44:43.782-08:00</updated><title type='text'>Adobe Download Manager Installing Software Without Consent</title><content type='html'>&lt;a href="http://yro.slashdot.org/story/10/02/19/223211/Adobe-Download-Manager-Installing-Software-Without-Consent"&gt; Slashdot&lt;/a&gt; is running an article about a problem in the Adobe Download Manager (ADM) found by Researcher Aviv Raff. 
The net effect of the problem is that a user can be tricked into downloading and installing software without actual consent.&lt;br /&gt;&lt;br /&gt;A related article in &lt;i&gt;PCMAG.COM&lt;/i&gt; gives Raff's list of software that can be downloaded and installed for users who have ADM installed merely by following a link to Adobe's site, including Adobe Flash 10, Adobe Reader 9.3, Adobe Reader 8.2, Google Toolbar 6.3, McAfee Security Scan Plus and a half dozen more.  &lt;br /&gt;&lt;br /&gt;The ADM FAQ explains that ADM is installed when needed and removed when the system reboots. However, this ignores the fact that Adobe downloads don't typically require a reboot and users might go a long time between them.&lt;br /&gt;&lt;br /&gt;Raff also announced that he had found a remote code execution bug in ADM, increasing the danger of remote compromise by an order of magnitude or two. &lt;br /&gt;&lt;br /&gt;See more at &lt;a href="http://blogs.pcmag.com/securitywatch/2010/02/unauthorized_downloads_through.php"&gt; Security Watch&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-208528999984818855?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/208528999984818855'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/208528999984818855'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2010/02/adobe-download-manager-installing.html' title='Adobe Download Manager Installing Software Without Consent'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-5718681072431990207</id><published>2010-02-18T15:59:00.000-08:00</published><updated>2010-02-18T16:07:01.241-08:00</updated><title type='text'>NY Times: "Critics Say Google Invades Privacy With New Service"</title><content type='html'>TRUST faculty member &lt;a href="http://www.truststc.org/people/directory/dkm"&gt;Deirdre Mulligan&lt;/a&gt; is quoted in the February 12, 2010 NY Times article &lt;a href="http://www.nytimes.com/2010/02/13/technology/internet/13google.html"&gt;Critics Say Google Invades Privacy With New Service&lt;/a&gt;.  The article discusses privacy issues in Google's &lt;a href="http://buzz.google.com"&gt;Buzz&lt;/a&gt; product where users may unintentionally publicly share the names of their contacts.  Apparently, Google has made it difficult to make the contacts list private. Professor Mulligan is quoted as saying “You want to have a simple rollback mechanism, so once things are not what you expected them to be, you can get out quickly and not have to play a game of Whack-a-Mole.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-5718681072431990207?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5718681072431990207'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5718681072431990207'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2010/02/ny-times-critics-say-google-invades.html' title='NY Times: &quot;Critics Say Google Invades Privacy With New Service&quot;'/><author><name>Christopher Brooks</name><uri>http://www.blogger.com/profile/03042907938411870505</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='26' height='32' src='http://ptolemy.eecs.berkeley.edu/image/ptolemySmall.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-1339516767284717505</id><published>2010-01-15T15:45:00.000-08:00</published><updated>2010-01-15T17:14:05.058-08:00</updated><title type='text'>US preps cyber outfit to protect national electric grid</title><content type='html'>The Department of Energy has said it would spend $8.5 million to create a &lt;a href="http://www.oe.energy.gov/controlsecurity.htm"&gt; National Energy Sector Cyber Organization&lt;/a&gt; that would help protect the nation's electric power grid, incorporating smart grid technology.&lt;br /&gt;&lt;br /&gt;The intent is to create an independent national energy sector cyber security organization that would accelerate research, development and deployment priorities, including policies and protocols, according to the DOE.&lt;br /&gt;&lt;br /&gt;DOE Acting Assistant Secretary Patricia Hoffman states: &lt;blockquote&gt;"The scope and nature of security threats and their potential impact on our national security require the ability to act quickly to protect the bulk power system and to protect sensitive information from public disclosure. At the same time, we must continue to build long-term programs that improve information sharing and awareness between the public and private energy sector.&lt;br /&gt;&lt;br /&gt;"The electric system is not the Internet. It is a carefully tended and balanced system that is critical to the Nation and the people. We must continue to strive towards an electric system that can survive an intentional cyber assault with no loss of critical functions," she said. 
&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;See complete article at &lt;a href="http://www.networkworld.com/community/node/54820"&gt; NETWORK WORLD&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-1339516767284717505?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1339516767284717505'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1339516767284717505'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2010/01/us-preps-cyber-outfit-to-protect.html' title='US preps cyber outfit to protect national electric grid'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-6846313027423665219</id><published>2009-09-15T10:45:00.001-07:00</published><updated>2009-09-15T10:50:56.647-07:00</updated><title type='text'>Nonprofit for collecting info on SCADA &amp; PCS security incidents</title><content type='html'>The &lt;a href="http://catless.ncl.ac.uk/Risks/25.78.html#subj10"&gt;Risks Digest&lt;/a&gt; has an item that refers to &lt;a href="http://www.managingautomation.com/maonline/news/read/NonProfit_Targets_CyberSecurity_in_Plants_33037"&gt;Stephanie Neil's article in "Managing Automation", 12 Sep 2009&lt;/a&gt; that discusses the &lt;a href="http://www.securityincidents.org/"&gt;http://www.securityincidents.org&lt;/a&gt;, "a newly formed non-profit group that provides public access to its Repository of Industrial Security Incidents (RISI)".  
This group is targeted towards SCADA and process control security incidents.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-6846313027423665219?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6846313027423665219'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6846313027423665219'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2009/09/nonprofit-for-collecting-info-on-scada.html' title='Nonprofit for collecting info on SCADA &amp; PCS security incidents'/><author><name>Christopher Brooks</name><uri>http://www.blogger.com/profile/03042907938411870505</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://ptolemy.eecs.berkeley.edu/image/ptolemySmall.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-5439012117588354673</id><published>2009-09-10T16:52:00.000-07:00</published><updated>2009-09-10T17:10:25.551-07:00</updated><title type='text'>How much are you worth on the black market?</title><content type='html'>&lt;a href="http://yro.slashdot.org/story/09/09/10/1837233/How-Much-Is-Your-Online-Identity-Worth"&gt; &lt;i&gt;Slashdot&lt;/i&gt;&lt;/a&gt; reports on a new tool being developed by Symantec intended to raise consumer awareness about cybercrime.  After you answer a few questions about personal Internet use, the tool calculates your net worth on the black market in three areas: how much your online assets are worth, how much your online identity would sell for on the black market, and your risk of becoming a victim of identity theft.  
&lt;br /&gt;&lt;br /&gt;Norton's Online Risk Calculator is not intended to promote software or instill fear but to raise awareness about cybercrime, according to Marian Merritt, Internet security advocate for Symantec.  Merritt pointed out that cybercrime is now larger than the international drug trade. Nearly 10 million people have reported identity theft in the United States in the past 12 months and one in four households have already been victimized, she said.&lt;br /&gt;&lt;br /&gt;Cybercrime is well reported in the IT space, but the message doesn't often reach the general public, according to Merritt. "You turn on the news and they are talking about capturing drug dealers going across the border, but they rarely show a hacker in handcuffs," she said.&lt;br /&gt;&lt;br /&gt;See more in &lt;a href="http://www.itworld.com/software/77238/how-much-are-you-worth-black-market"&gt; IT WORLD&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-5439012117588354673?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5439012117588354673'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5439012117588354673'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2009/09/how-much-are-you-worth-on-black-market.html' title='How much are you worth on the black market?'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3874023067047524178</id><published>2009-08-16T16:24:00.000-07:00</published><updated>2009-08-16T16:32:31.722-07:00</updated><title type='text'>NIST Releases Security Standards for Federal Systems</title><content type='html'>The &lt;a href="http://www.nist.gov/index.html"&gt;National Institute of Standards and Technology&lt;/a&gt; (NIST) released &lt;a href="http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-rev3-final.pdf"&gt;Special Publication 800-53&lt;/a&gt;, titled &lt;i&gt;Recommended Security Controls for Federal Information Systems and Organizations&lt;/i&gt;.  This document addresses information security standards and guidelines, including minimum requirements for federal information systems.  Released as part of NIST’s statutory responsibilities under the Federal Information Security Management Act (FISMA), this publication is geared toward information system and information security professionals who develop, implement, operate, manage, or assess/monitor federal information systems.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3874023067047524178?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3874023067047524178'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3874023067047524178'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2009/08/nist-releases-security-standards-for.html' title='NIST Releases Security Standards for Federal Systems'/><author><name>Larry Rohrbough</name><uri>http://www.blogger.com/profile/01122887820002175089</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' 
height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-1173282041917509306</id><published>2009-07-23T16:46:00.000-07:00</published><updated>2009-07-23T17:44:57.465-07:00</updated><title type='text'>Adobe Vulnerability Targeted in Drive-by Attacks</title><content type='html'>eWEEK.COM is running a story about a new zero-day vulnerability affecting Adobe's Flash Player software that is being exploited by attackers via drive-by downloads.&lt;br /&gt;&lt;br /&gt;Adobe first warned about the vulnerability July 21, then issued an updated advisory the next night.  The issue affects current versions of Flash Player on Windows, Mac and Linux platforms.&lt;br /&gt;&lt;br /&gt;According to the U.S. Computer Emergency Response Team (US-CERT), an attacker can trigger an overflow by luring a user into opening a malicious Flash (SWF) file that is either hosted or embedded on a Web page or contained in a PDF file.  Then the attacker could either trigger a system crash or take full control of a vulnerable system.&lt;br /&gt;&lt;blockquote&gt;“There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows,” according to a post on the Adobe Product Security Incident Response Team blog. “We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh, and UNIX by July 31, 2009.” &lt;/blockquote&gt;&lt;blockquote&gt;“At the moment there (are) a low number of malicious sites serving the exploit, but we confirmed that the links have been injected in legitimate Websites to create a drive-by attack, as expected,” according to SANS Internet Storm Center. 
&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;See full article at &lt;a href="http://www.eweek.com/c/a/Security/Adobe-Vulnerability-Targeted-in-Driveby-Attacks-695016/"&gt; eWEEK.COM&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-1173282041917509306?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1173282041917509306'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1173282041917509306'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2009/07/adobe-vulnerability-targeted-in-drive.html' title='Adobe Vulnerability Targeted in Drive-by Attacks'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3682772571256217996</id><published>2009-07-07T17:51:00.000-07:00</published><updated>2009-07-07T18:03:39.563-07:00</updated><title type='text'>Google Book Search Settlement Inquiry Announced</title><content type='html'>ISEDB's article "&lt;a href="http://www.isedb.com/db/articles/2090/1/Google-Book-Search-Settlement-Inquiry-Announced/Page1.html"&gt;Google Book Search Settlement Inquiry Announced&lt;/a&gt;" includes a link to &lt;a href="http://www.truststc.org/people/directory/pam"&gt;Pam Samuelson's&lt;/a&gt; talk &lt;a href="http://bit.ly/yxjs3"&gt;Reflections on the Google Book Search Settlement&lt;/a&gt;.  
See also her 4/17/09 guest blog "&lt;a href="http://radar.oreilly.com/2009/04/legally-speaking-the-dead-soul.html"&gt;Legally Speaking: The Dead Souls of the Google Booksearch Settlement&lt;/a&gt;", where she says:&lt;br /&gt;&lt;blockquote&gt;&lt;br /&gt;"In the short run, the Google Book Search settlement will unquestionably bring about greater access to books collected by major research libraries over the years. But it is very worrisome that this agreement, which was negotiated in secret by Google and a few lawyers working for the Authors Guild and AAP (who will, by the way, get up to $45.5 million in fees for their work on the settlement—more than all of the authors combined!), will create two complementary monopolies with exclusive rights over a research corpus of this magnitude. Monopolies are prone to engage in many abuses."&lt;br /&gt;&lt;br /&gt;&lt;p&gt;"The Book Search agreement is not really a settlement of a dispute over whether scanning books to index them is fair use. It is a major restructuring of the book industry’s future without meaningful government oversight. 
The market for digitized orphan books could be competitive, but will not be if this settlement is approved as is."&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;Professor Samuelson points out that "nothing in the settlement agreement speaks about privacy interests of users" and that this is very different than how libraries operate.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3682772571256217996?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3682772571256217996'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3682772571256217996'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2009/07/google-book-search-settlement-inquiry.html' title='Google Book Search Settlement Inquiry Announced'/><author><name>Christopher Brooks</name><uri>http://www.blogger.com/profile/03042907938411870505</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://ptolemy.eecs.berkeley.edu/image/ptolemySmall.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3349911122813588261</id><published>2009-05-26T16:34:00.001-07:00</published><updated>2009-05-27T09:41:06.827-07:00</updated><title type='text'>Announcement:  2nd Annual Privacy Law Scholar Conference, June 4-5 2009</title><content type='html'>The 2nd Annual Privacy Law Scholars Conference (PLSC) will be held at the Claremont Resort in Berkeley, CA, on June 4-5.  PLSC is an academic paper workshop, and there are no panels of boring talking heads.  
Instead, we have two days of intense discussion about privacy issues.&lt;br /&gt;&lt;br /&gt;If you have students who are interested in working in the privacy field, I strongly encourage you to pass on info about the event.  It's free, and about 100 privacy academics (predominately law, but also econ and some computer science, including Peter Neumann, Chris Soghoian, and Jeff Jonas, the inventor of NORA) participate, as well as 50 leading legal practitioners.  It's a wonderful opportunity to network, share ideas, etc.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://docs.law.gwu.edu/facweb/dsolove/PLSC/"&gt;  &lt;i&gt;Schedule and information&lt;/i&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The password to all papers is &lt;code&gt;plsc2009&lt;/code&gt;.&lt;br /&gt;&lt;br /&gt;Send email to choofnagle at law.berkeley.edu if you would like to participate.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3349911122813588261?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3349911122813588261'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3349911122813588261'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2009/05/announcement-2nd-annual-privacy-law.html' title='Announcement:  2nd Annual Privacy Law Scholar Conference, June 4-5 2009'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-5588579183945191038</id><published>2009-05-14T09:23:00.000-07:00</published><updated>2009-05-14T09:41:14.930-07:00</updated><title 
type='text'>Mathematical Advances Strengthen IT Security</title><content type='html'>&lt;a href="http://technews.acm.org/"&gt; ACM TechNews&lt;/a&gt; is running an article about a new cryptography approach based on the mathematical theory of elliptic curves, a leading candidate to replace the widely used RSA public key security system.&lt;br /&gt;&lt;br /&gt;Elliptic curves are equations with two variables, e.g., x and y, including terms where both x and y are raised to powers of two or more. The possibilities for elliptic curves and other modern mathematical techniques were discussed at a recent workshop organized by the European Science Foundation (ESF).&lt;blockquote&gt;“The impact of the elliptic curve method for integer factorisation (developed by my PhD advisor Hendrik Lenstra) has played a role in introducing elliptic curves to cryptographers, albeit for attacking the underlying problem on which RSA is based (the difficulty of factoring integers),” said David Kohel, convenor of the ESF workshop, from the Institut de Mathematiques de Luminy in Marseille, France. 
&lt;/blockquote&gt;&lt;br /&gt;Kohel describes the advantage of elliptic curve cryptography as its immunity to the specialized attacks that have degraded the strength of RSA (smaller keys can be used to provide the same levels of protection).&lt;blockquote&gt;"In general, the cryptographer has the benefit over the cryptanalyst (the person attacking the cryptosystem) as he or she can select the key size for any desired level of security, provided everyone has the same base of knowledge of best attacks on the underlying cryptosystem," he says.&lt;/blockquote&gt;&lt;br /&gt;See details in &lt;a href="http://www.esf.org/activities/exploratory-workshops/news/ext-news-singleview/article/mathematical-advances-strengthen-it-security-579.html"&gt; &lt;i&gt;European Science Foundation&lt;/i&gt;&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-5588579183945191038?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5588579183945191038'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5588579183945191038'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2009/05/acm-technews-is-running-article-about.html' title='Mathematical Advances Strengthen IT Security'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-1640038329239099580</id><published>2009-04-28T09:21:00.000-07:00</published><updated>2009-04-28T09:43:35.928-07:00</updated><title type='text'>Chinese Hackers Targeting NYPD Computers</title><content type='html'>&lt;a 
href="http://news.slashdot.org/article.pl?sid=09/04/23/2025243"&gt; Slashdot&lt;/a&gt; prints an article about a network of mystery hackers, mostly based in China, making 70,000 attempts a day to break into the NYPD's system, according to Commissioner Raymond Kelly.  He said he suspects that his department is being targeted by foreign hackers because it has beefed up operations in the international arena since the 9/11 attacks.&lt;blockquote&gt;"We are constantly studying events worldwide and assessing their implications for New York," said Kelly, adding that the NYPD now has officers stationed in Abu Dhabi, Jordan, Great Britain, France, Spain, Canada and the Dominican Republic.&lt;/blockquote&gt; Kelly also said senior police officers have been attending lectures by foreign affairs and terrorism experts. The Commissioner's surprising revelations closely followed a Canadian report exposing a China-based electronic spy network that has invaded at least 1295 computers in 103 countries.&lt;br /&gt;&lt;br /&gt;Dubbed "GhostNet", the group of hackers has targeted embassies, foreign ministries and the Dalai Lama's offices in India, Brussels, London and New York. 
&lt;br /&gt;&lt;br /&gt;Toronto University's 10-month study suggests that the GhostNet is linked to Chinese government espionage agencies, which Chinese government officials deny.&lt;br /&gt;&lt;br /&gt;See complete article in the &lt;a href="http://www.nydailynews.com/news/2009/04/22/2009-04-22_international_hackers_lauching_attack_against_nypd_computers.html"&gt; New York Daily News&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-1640038329239099580?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1640038329239099580'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1640038329239099580'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2009/04/chinese-hackers-targeting-nypd.html' title='Chinese Hackers Targeting NYPD Computers'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-9171616822814009867</id><published>2009-04-22T17:33:00.000-07:00</published><updated>2009-04-22T17:57:07.987-07:00</updated><title type='text'>Most electronic voting isn't secure, CIA expert says</title><content type='html'>&lt;a href="http://catless.ncl.ac.uk/Risks/25.64.html#subj6"&gt; The Risks Digest&lt;/a&gt; points to an article about a CIA agent testifying before the Election Assistance Commission.  
His position is that electronic votes are not secure and can be altered and, further, are already being altered in some locales.&lt;br /&gt;&lt;br /&gt;The CIA agent, a cybersecurity expert, suggested that Venezuelan President Hugo Chavez and his allies fixed a 2004 election recount, a pronouncement that could further agitate U.S. relations with the Latin leader.&lt;br /&gt;&lt;br /&gt;In a presentation that could provide foreboding lessons for the United States, where electronic voting is becoming preeminent, Steve Stigall summarized what he described as attempts to use computers to undermine democratic elections in developing nations.  Stigall told the Election Assistance Commission that computerized electoral systems can be manipulated at five stages, from altering voter registration lists to posting results.&lt;blockquote&gt;"You heard the old adage 'follow the money,' " Stigall said, according to a transcript of his hour-long presentation that McClatchy obtained. "I follow the vote. And wherever the vote becomes an electron and touches a computer, that's an opportunity for a malicious actor potentially to . . . make bad things happen."&lt;/blockquote&gt;&lt;br /&gt;Stigall said that some countries had taken extraordinary steps that improved security.  For example, he said internet systems that encrypt vote results so they're unrecognizable during transmission "greatly complicates malicious corruption."&lt;br /&gt;&lt;br /&gt;After reviewing the agent's remarks, Susannah Goodman, director of election reform for the citizens' lobby Common Cause, says they showed &lt;blockquote&gt;"we can no longer ignore the fact that all of these risks are present right here at home . . . 
and must secure our election system by requiring every voter to have his or her vote recorded on a paper ballot."&lt;/blockquote&gt;&lt;br /&gt;See complete article in &lt;a href="http://www.mcclatchydc.com/226/story/64711.html"&gt; McClatchy Newspapers&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-9171616822814009867?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/9171616822814009867'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/9171616822814009867'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2009/04/most-electronic-voting-isnt-secure-cia.html' title='Most electronic voting isn&apos;t secure, CIA expert says'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-5029753258141183022</id><published>2009-01-26T08:43:00.000-08:00</published><updated>2009-01-26T09:15:05.995-08:00</updated><title type='text'>Obama Sides With Bush In Spy Case</title><content type='html'>&lt;a href="http://news.slashdot.org/article.pl?sid=09/01/23/1744250"&gt; Slashdot &lt;/a&gt; picked up a story in &lt;span style="font-style:italic;"&gt;Wired&lt;/span&gt; about the Obama administration siding with the Bush administration when it urged a federal judge to set aside a ruling in a closely watched case examining whether a U.S. president may bypass Congress and establish warrantless wiretapping programs designed to spy on American citizens.&lt;br /&gt;&lt;br /&gt;With just hours left in office, President George W. 
Bush asked U.S. District Judge Vaughn Walker late Monday to stay enforcement of a Jan. 5 ruling admitting key evidence into the case.  On Thursday, the Obama administration said in its filing with the court&lt;blockquote&gt;"The Government's position remains that this case should be stayed" &lt;/blockquote&gt;marking the first time it was clear that the new president was in agreement with the Bush administration's reasoning in this case.&lt;br /&gt;&lt;br /&gt;The legal hubbub concerns Walker's decision to admit a classified document as evidence that allegedly shows that two American lawyers for a now-defunct Saudi charity were electronically eavesdropped on without warrants in 2004.&lt;br /&gt;&lt;br /&gt;The Obama administration is in agreement with the previous administration in its legal defense of July legislation that immunizes the nation's telecommunications companies from lawsuits accusing them of complicity in Bush's eavesdropping program, according to testimony last week by incoming Attorney General Eric Holder.&lt;br /&gt;&lt;br /&gt;A separate case requiring a decision on the constitutionality of the immunity legislation (which Obama voted for as a U.S. 
Senator from Illinois) brought by the Electronic Frontier Foundation is pending before Judge Walker.&lt;br /&gt;&lt;br /&gt;See details in &lt;a href="http://blog.wired.com/27bstroke6/2009/01/obama-sides-wit.html"&gt; Wired&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-5029753258141183022?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5029753258141183022'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5029753258141183022'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2009/01/obama-sides-with-bush-in-spy-case.html' title='Obama Sides With Bush In Spy Case'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-6387826707999041088</id><published>2009-01-21T15:50:00.001-08:00</published><updated>2009-01-21T16:09:31.848-08:00</updated><title type='text'>Privacy Groups Want Strong Security Measures for Electronic Health Records</title><content type='html'>&lt;a href="https://www.sans.org/newsletters/newsbites/newsbites.php?vol=11&amp;issue=5#sID201"&gt; SANS Institute&lt;/a&gt;  summarizes an article about US privacy rights and civil liberties advocacy groups writing legislators and asking them to ensure that any adoption of electronic health records include substantial security measures. 
Such letters from the American Civil Liberties Union, the National Association of Social Workers and Patient Privacy Rights request that patients have control over how their medical records are used and that they be protected from organizations that share and sell medical information. &lt;blockquote&gt;"We all want to innovate and improve health care, but without privacy our system will crash as any system with a persistent and chronic virus will," Patient Privacy Rights executive director Ashley Katz said at a Capitol Hill briefing.&lt;/blockquote&gt; Chairman of Senate Health, Education, Labor and Pensions, Edward Kennedy and ranking member Michael Enzi submitted a bill in the 110th Congress and have worked with Judiciary Chairman Patrick Leahy to beef up its privacy provisions. However, Senate Small Business ranking member Olympia Snowe does not believe the measure went far enough, and together with Rep. Edward Markey, D-Mass., and Rep. Lloyd Doggett, D-Texas, offered letters of support for the privacy groups' call to action.&lt;blockquote&gt;"Without robust safeguards, the health IT systems we are planning for today could turn the dream of integrated, seamless electronic health networks into a nightmare for consumers," Markey said in a statement.&lt;/blockquote&gt;&lt;br /&gt;For complete article, see &lt;a href="http://www.nextgov.com/nextgov/ng_20090115_7415.php"&gt; nextgov&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-6387826707999041088?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6387826707999041088'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6387826707999041088'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2009/01/privacy-groups-want-strong-security.html' 
title='Privacy Groups Want Strong Security Measures for Electronic Health Records'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-7283395495007876960</id><published>2009-01-13T09:10:00.000-08:00</published><updated>2009-01-13T09:55:18.669-08:00</updated><title type='text'>CWE/SANS TOP 25 Most Dangerous Programming Errors</title><content type='html'>Yesterday, the SysAdmin, Audit, Network, Security (&lt;span style="font-style:italic;"&gt;SANS&lt;/span&gt;) Institute announced that in Washington D.C., experts from more than 30 U.S. and international cyber security organizations jointly released a list of the 25 most dangerous programming errors that bring about security bugs permitting cyber espionage and cyber crime. The project is a significant component of an overall national security initiative. &lt;br /&gt;&lt;br /&gt;The impact of such errors is extensive: just two errors led to more than 1.5 million web site security breaches in 2008.  Those breaches then cascaded onto the computers of people who visited those websites.&lt;br /&gt;&lt;br /&gt;The people and organizations that provided input to the project are among the most respected security experts, coming from an extensive range of leading organizations such as Symantec, Microsoft, DHS's National Cyber Security Division, and NSA's Information Assurance Division to the Japanese IPA, to the University of California at Davis and Purdue University.&lt;br /&gt;&lt;br /&gt;Remarkably, all the experts quickly came to agreement, despite some intense discussion.&lt;blockquote&gt;"There appears to be broad agreement on the programming errors," says SANS Director, Mason Brown, "Now it is time to fix them. 
First we need to make sure every programmer knows how to write code that is free of the Top 25 errors, and then we need to make sure every programming team has processes in place to find, fix, or avoid these problems and has the tools needed to verify their code is as free of these errors as automated tools can verify."&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;See complete Announcement in &lt;a href="http://www.sans.org/top25errors//"&gt; SANS&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-7283395495007876960?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7283395495007876960'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7283395495007876960'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2009/01/cwesans-top-25-most-dangerous.html' title='CWE/SANS TOP 25 Most Dangerous Programming Errors'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-1773273683455907471</id><published>2009-01-08T16:03:00.000-08:00</published><updated>2009-01-08T16:22:49.871-08:00</updated><title type='text'>State Secrets Defense Rejected in Wiretapping Case</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=09/01/06/2056249"&gt; Slashdot&lt;/a&gt; references a report in Ars Technica of a federal judge ruling that a lawsuit filed by an Islamic charity alleging illegal wiretapping by the National Security Agency may proceed.&lt;br /&gt;&lt;br /&gt;The case, &lt;i&gt;Al Haramain v. 
Bush&lt;/i&gt;, stands out in that unlike the Electronic Frontier's more widely publicized suits against the NSA and cooperating telecoms, the plaintiffs here know that the directors of the charity were specifically subjected to warrantless surveillance, thanks to a government faux pas that put a classified memo in the hands of the charity's lawyers.&lt;br /&gt;&lt;br /&gt;Judge Vaughn Walker, who has been handling a raft of suits concerning the NSA's super-secret &lt;i&gt;Stellar Wind&lt;/i&gt; program, decided that the charity could seek to show they'd been spied upon using public evidence.&lt;blockquote&gt;"Without a doubt," he wrote, "plaintiffs have alleged enough to plead 'aggrieved persons' status so as to proceed to the next step in proceedings."&lt;/blockquote&gt;The Justice Department repeatedly tried to block the suit by invoking national security concerns.  At one point, Walker described the government's argument as "without merit" and characterized another argument as "circular".&lt;br /&gt;&lt;br /&gt;See complete report at &lt;a href="http://arstechnica.com/news.ars/post/20090106-judge-doesnt-buy-state-secrets-privilege-oks-wiretap-suit.html"&gt; Ars Technica&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-1773273683455907471?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1773273683455907471'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1773273683455907471'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2009/01/state-secrets-defense-rejected-in.html' title='State Secrets Defense Rejected in Wiretapping Case'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3842431770750733063</id><published>2008-12-24T10:58:00.000-08:00</published><updated>2008-12-24T11:48:06.402-08:00</updated><title type='text'>Congress in the Cyber-Crosshairs</title><content type='html'>&lt;a href="http://technews.acm.org/#391938"&gt; ACM TechNews&lt;/a&gt; points out the cover story of National Journal about what it will take to keep the next invader out of Congressional computers.&lt;br /&gt;&lt;br /&gt;Two years ago, 15 House panels and members' offices were invaded by malware whose nature suggests the intrusions originated in China. One target, the office of House Representative Frank Wolf (R-Va) argued before the House that the fear of admitting vulnerability might be a reason underlying U.S. intelligence and national security's reluctance to publicize the breaches sooner.&lt;blockquote&gt;"I strongly believe that the appropriate officials, including those from the Department of Homeland Security and the FBI, should brief all members of Congress in a closed session regarding threats from China and other countries against the security of House technology, including our computers, BlackBerry devices, and phones," he said.&lt;/blockquote&gt;While it appears that there is little interest from members of Congress in discussing cyber vulnerabilities, it is likely because they have little understanding of them.  Former director of the DHS' Cyber Security Division Amit Yoran says &lt;blockquote&gt;"As a member of Congress, you have so many issues competing for your attention and, historically, cyber-security hasn't been one that's won out. 
It's not an issue that is particularly well tracked by their constituents."&lt;/blockquote&gt;A recent study prepared by the Center for Strategic and International Studies for President-elect Barack Obama concluded that Congress is unsuited for managing executive-branch cybersecurity due to the inconsistency and fragmentation of its oversight. The study group recommended that Obama take charge of cybersecurity and establish a new office for cyberspace in the Executive Office of the President that would collaborate closely with the National Security Council, "managing the many aspects of securing our national networks while protecting privacy and civil liberties."&lt;br /&gt;&lt;br /&gt;See complete article at &lt;a href="http://www.nationaljournal.com/njmagazine/cs_20081220_6787.php"&gt; National Journal Magazine&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3842431770750733063?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3842431770750733063'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3842431770750733063'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/12/congress-in-cyber-crosshairs.html' title='Congress in the Cyber-Crosshairs'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-5876634213596631709</id><published>2008-12-08T16:11:00.000-08:00</published><updated>2008-12-08T16:28:53.634-08:00</updated><title type='text'>U.S. 
Is Losing Global Cyberwar, Commission Says</title><content type='html'>&lt;a href="http://technews.acm.org/#390398"&gt; ACM TechNews&lt;/a&gt; summarizes an article in Business Week about how ill prepared the United States is for the challenges of 21st century cybersecurity. This woeful conclusion comes from a new report issued by the U.S. Commission on Cybersecurity.  &lt;blockquote&gt;"The damage from cyber attack is real," states the cybersecurity group's report, referring to intrusions last year at the departments of Defense, State, Homeland Security, and Commerce as well as at NASA and the National Defense University in 2007.&lt;/blockquote&gt;The report calls for the creation of a Center for Cybersecurity Operations that would act as a regulator of computer security in both the public and private sectors.&lt;blockquote&gt; "We're playing a giant game of chess now and we're losing badly," says commission member Tom Kellermann, a former World Bank security official who now is vice-president of Security Awareness at Core Security.&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;See full story in &lt;a href="http://www.businessweek.com/bwdaily/dnflash/content/dec2008/db2008127_817606.htm"&gt; BusinessWeek&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-5876634213596631709?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5876634213596631709'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5876634213596631709'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/12/us-is-losing-global-cyberwar-commission.html' title='U.S. 
Is Losing Global Cyberwar, Commission Says'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-6988191575258693813</id><published>2008-12-05T15:43:00.000-08:00</published><updated>2008-12-05T16:21:29.108-08:00</updated><title type='text'>Who Protects the Internet?</title><content type='html'>&lt;a href="http://tech.slashdot.org/article.pl?sid=08/12/03/2350256"&gt; Slashdot&lt;/a&gt; calls attention to an interview with General Kevin Chilton, U.S. STRATCOM commander and the head of all military cyberwarfare, appearing in TechCrunch, a technical weblog that profiles and reviews Internet products and companies.&lt;br /&gt;&lt;br /&gt;The interview brings to light the critical question: Is the internet actually protected?  Who protects us? &lt;blockquote&gt;"Basically no one", says Jonathan Zittrain, American law professor, researcher and author. "At most, a number of loose confederations of computer scientists and engineers who seek to devise better protocols and practices — unincorporated groups like the Internet Engineering Task Force and the North American Network Operators Group. 
But the fact remains that no one really owns security online, which leads to gated communities with firewalls — a highly unreliable and wasteful way to try to assure security."&lt;/blockquote&gt;&lt;br /&gt;See more in &lt;a href="http://www.techcrunch.com/2008/12/02/who-protects-the-internet/"&gt; TechCrunch&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-6988191575258693813?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6988191575258693813'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6988191575258693813'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/12/who-protects-internet.html' title='Who Protects the Internet?'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-8723659402637462125</id><published>2008-12-03T16:02:00.000-08:00</published><updated>2008-12-04T07:22:57.654-08:00</updated><title type='text'>You're Leaving a Digital Trail.  
What About Privacy?</title><content type='html'>&lt;a href="http://technews.acm.org/#389623"&gt; ACM TechNews&lt;/a&gt; picked up an article published in The New York Times on how new technologies and the Internet's incursion into every aspect of life are creating what is coming to be called 'collective intelligence'.&lt;br /&gt;&lt;br /&gt;While collective intelligence offers powerful capabilities, such as improving the efficiency of advertising or giving community groups new organizational capabilities, it is clear to all that, if misused, collective intelligence tools could create an Orwellian future on an unprecedented scale. Collective intelligence could be used by insurance companies, for example, to covertly identify people suffering from a particular disease and then deny them insurance coverage. Or the government or law enforcement could identify members of a protest group by monitoring social networks.&lt;blockquote&gt; “There are so many uses for this technology — from marketing to war fighting — that I can’t imagine it not pervading our lives in just the next few years,” says Steve Steinberg, a computer scientist who works for an investment firm in New York. 
&lt;/blockquote&gt; Steinberg argues in a well-known Web posting that there were significant chances it would be misused, "This is one of the most significant technology trends I have seen in years; it may also be one of the most pernicious.”&lt;br /&gt;&lt;br /&gt;See more in &lt;a href="http://www.nytimes.com/2008/11/30/business/30privacy.html?_r=1"&gt; The New York Times&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-8723659402637462125?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8723659402637462125'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8723659402637462125'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/12/youre-leaving-digital-trail-what-about.html' title='You&apos;re Leaving a Digital Trail.  What About Privacy?'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-7168129865259386308</id><published>2008-11-24T15:36:00.000-08:00</published><updated>2008-11-24T15:58:04.933-08:00</updated><title type='text'>Obama Administration to Inherit Tough Cybersecurity Challenges</title><content type='html'>&lt;a href="http://technews.acm.org/#388430"&gt;ACM TechNews&lt;/a&gt; remarks on the status of the initiatives launched in the current administration and what U.S. President-elect Barack Obama will need to take on to improve cybersecurity.  
Many of the current initiatives are still works in progress, including the Homeland Security Presidential Directive-12 (HSPD-12), which aspires to improve the security of government facilities and computer networks by requiring federal agencies to issue new smart card identity credentials to all employees and contractors by the end of October. Meeting that goal, however, is at least two years away.&lt;br /&gt;&lt;br /&gt;The need is critical for the Obama administration to stop tying federal cybersecurity responses so closely to the post-9/11 war against terror, says John Pescatore, an analyst at Gartner Inc.&lt;blockquote&gt;"The terrorist attacks of 2001 sent the Bush administration in the wrong direction" on the cybersecurity front, Pescatore said. There's been too much of a tendency to view cyberthreats in the same light as physical terrorism threats and to respond to them in the same manner. In the process, some of the more immediate threats to government data and networks have been somewhat overlooked, he said.&lt;/blockquote&gt;&lt;br /&gt;See full story in &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9120918"&gt; COMPUTERWORLD&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-7168129865259386308?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7168129865259386308'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7168129865259386308'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/11/obama-administration-to-inherit-tough.html' title='Obama Administration to Inherit Tough Cybersecurity Challenges'/><author><name>Mary 
Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-6225416922387998715</id><published>2008-11-21T14:26:00.001-08:00</published><updated>2008-11-21T14:50:55.936-08:00</updated><title type='text'>Minnesota Senate Race Could Hinge on Scanning Machine Mistakes</title><content type='html'>&lt;a href="http://technews.acm.org/#388576"&gt; ACM TechNews&lt;/a&gt; notes that according to an article in &lt;span style="font-weight:bold;"&gt;cnet news&lt;/span&gt;, the U.S. Senate race in Minnesota is yet undecided and that a hand recount could reveal that several thousand votes were mistakenly rejected by optical-scan voting machines.  The outcome of the Senate race may depend on whether scanning machines made mistakes two weeks ago when tabulating ballots. Republican Senator Norm Coleman holds only a 200 vote lead over his opponent, Democrat Al Franken.  With Coleman's lead being under a margin of 0.5 percent of the more than 2.9 million votes cast in the race on November 4th, the state automatically starts a hand recount of every ballot.&lt;br /&gt;&lt;br /&gt;Director of governmental affairs for the Minnesota secretary of state's office Beth Fraser says the optical scanning machines used to read paper ballots could have mistakenly rejected enough ballots to affect the outcome of the race.&lt;br /&gt;&lt;br /&gt;Although the optical scanning machines may have rejected some crucial votes, Fraser said the machines are still the best option for counting votes.&lt;blockquote&gt;"It speeds up the counting but gives us the paper ballots to count on, so the results are fully auditable," she said. 
&lt;/blockquote&gt;&lt;br /&gt;See entire article in &lt;a href="http://news.cnet.com/8301-13578_3-10101827-38.html"&gt; cnet news&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-6225416922387998715?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6225416922387998715'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6225416922387998715'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/11/minnesota-senate-race-could-hinge-on.html' title='Minnesota Senate Race Could Hinge on Scanning Machine Mistakes'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-2654968319934623912</id><published>2008-11-17T16:01:00.000-08:00</published><updated>2008-11-17T16:24:37.574-08:00</updated><title type='text'>Feds Can Locate Cell Phones Without Telcos</title><content type='html'>&lt;a href="http://yro.slashdot.org/yro/08/11/17/2218209.shtml"&gt; Slashdot&lt;/a&gt; flags an Ars Technica report about the release of documents obtained under the Freedom of Information Act suggesting that "triggerfish" technology can be used to pinpoint cell phones without involving the cell phone providers at all. Triggerfish are cell-tower spoofing devices that can trick cell phones into giving up their location and other identifying information without notifying the carrier or the user. 
This may be significant because the legal rulings requiring law enforcement to meet a high "probable cause" standard before acquiring cell location records have so far pertained to requests for information from providers. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The Justice Department's electronic surveillance manual explicitly suggests that triggerfish may be used to avoid restrictions in statutes like CALEA (Communications Assistance for Law Enforcement Act) that bar the use of pen register or trap-and-trace devices...&lt;br /&gt;&lt;br /&gt;It is therefore somewhat surprising that it is only with the passage of the USA PATRIOT Act in 2001 that the government has needed any kind of court order to use triggerfish.  Although previously the statutory language governing pen register and trap-and-trace orders did not appear to include location tracking technology, the updated definition explicitly includes any "device or process which records or decodes dialing, routing, addressing, and signaling information."&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;See full story in &lt;a href="http://arstechnica.com/news.ars/post/20081116-foia-docs-show-feds-can-lojack-mobiles-without-telco-help.html"&gt; Ars Technica&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-2654968319934623912?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2654968319934623912'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2654968319934623912'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/11/feds-can-locate-cell-phones-without.html' title='Feds Can Locate Cell Phones Without Telcos'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3981990835134158408</id><published>2008-11-14T16:16:00.000-08:00</published><updated>2008-11-14T16:28:54.822-08:00</updated><title type='text'>Why Veins Could Replace Fingerprints and Retinas as Most Secure Form of ID</title><content type='html'>&lt;a href="http://technews.acm.org/#387505"&gt; ACM TechNews&lt;/a&gt; mentions the fact that finger vein authentication is starting to gain traction in Europe. Widely introduced by Japanese banks in the past two years, it is claimed to be the fastest and most secure biometric method of authentication.  Companies in Europe have also begun to roll out this advanced biometric system from Japan, which identifies people from the unique patterns of veins inside their fingers. &lt;br /&gt;&lt;br /&gt;Hitachi developed the technology, which captures the pattern of blood vessels by transmitting near-infrared light at different angles through the finger, then turning it into a digital code to match it against preregistered profiles.  Unlike fingerprints that can be "lifted" and retinas scanned without an individual realizing it, it is extremely unlikely that people's finger vein profiles can be taken without them being aware of it. 
&lt;br /&gt;&lt;br /&gt;Easydentic Group in France says it will use finger vein security for door access systems in the United Kingdom and other European markets.&lt;br /&gt;&lt;br /&gt;For full story, see &lt;a href="http://technology.timesonline.co.uk/tol/news/tech_and_web/article5129384.ece"&gt; London Times Online&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3981990835134158408?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3981990835134158408'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3981990835134158408'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/11/why-veins-could-replace-fingerprints.html' title='Why Veins Could Replace Fingerprints and Retinas as Most Secure Form of ID'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-8640225670216902995</id><published>2008-11-05T16:05:00.001-08:00</published><updated>2008-11-05T18:21:29.843-08:00</updated><title type='text'>Obama, McCain Campaigns Both Hacked, Files Compromised</title><content type='html'>&lt;a href="http://it.slashdot.org/it/08/11/05/221222.shtml"&gt; Slashdot&lt;/a&gt; writes of post-election news coming out of both campaigns on what transpired behind closed doors.  Apparently both Obama's and McCain's campaigns had their systems hacked over the summer -- and not by each other.&lt;br /&gt;&lt;br /&gt;Technology experts detected what they initially thought was a case of "phishing" at the Obama headquarters in midsummer.  
However, by the next day both the FBI and Secret Service came to the campaign with an ominous warning:&lt;blockquote&gt;"You have a problem way bigger than what you understand," an agent told Obama's team. "You have been compromised, and a serious amount of files have been loaded off your system."&lt;/blockquote&gt;Obama's aides were told by the Feds in late August that the McCain campaign's computer system had been similarly infiltrated. The campaign's computer system had been hacked and the FBI had become involved, as per the confirmation of a top McCain official to NEWSWEEK.&lt;br /&gt;&lt;br /&gt;White House and FBI officials told the Obama campaign that they believed a foreign entity or organization had been seeking information on the evolution of both camps' policy positions, information that might prove useful in negotiations with a future administration.  Obama technical experts later speculated that the hackers were Russian or Chinese.&lt;br /&gt;&lt;br /&gt;See &lt;a href="http://www.newsweek.com/id/167581/page/1"&gt;Newsweek&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-8640225670216902995?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8640225670216902995'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8640225670216902995'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/11/obama-mccain-campaigns-both-hacked.html' title='Obama, McCain Campaigns Both Hacked, Files Compromised'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-8490355722629896989</id><published>2008-11-03T15:36:00.000-08:00</published><updated>2008-11-03T16:25:49.952-08:00</updated><title type='text'>E-Voting Groups Are Watching a Handful of States</title><content type='html'>&lt;a href="http://technews.acm.org/#385833"&gt; ACM TechNews&lt;/a&gt; summarizes an article on potential problems with electronic voting in several states.  Pamela Smith, president of Verified Voting and long a critic of electronic voting machines, is more worried about the long lines on election day.  Any sort of equipment failure in places like Pennsylvania and Virginia will create additional problems because they do not have polls open for early voting despite the record number of new voter registrations, particularly among Democrats.&lt;br /&gt;&lt;br /&gt;Further, Pennsylvania and Virginia do not mandate paper-trail backups for their touch-screen electronic voting machines.  Critics of e-voting say that without that paper trail, there is no way to audit the results of a touch-screen machine.&lt;br /&gt;&lt;br /&gt;Several states do not have adequate numbers of voting machines in place to back up malfunctioning equipment.&lt;br /&gt;&lt;br /&gt;As Smith points out &lt;blockquote&gt;"This is an election that will sort of stress-test the [election] systems," she says. 
"Any problem that's going to come up is going to be amplified."&lt;/blockquote&gt;&lt;br /&gt;See full article in &lt;a href="http://www.pcworld.com/businesscenter/article/153186/evoting_groups_are_watching_a_handful_of_states.html"&gt; PCWorld&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-8490355722629896989?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8490355722629896989'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8490355722629896989'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/11/e-voting-groups-are-watching-handful-of.html' title='E-Voting Groups Are Watching a Handful of States'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-689481177312581953</id><published>2008-10-24T15:25:00.000-07:00</published><updated>2008-10-24T16:02:28.424-07:00</updated><title type='text'>A Really Secret Ballot</title><content type='html'>&lt;a href="http://technews.acm.org/#384570"&gt; ACM TechNews &lt;/a&gt; highlights a voting and encryption article in The Economist about the search for a way of voting that is both reliable and trustworthy. Encrypting people's votes might achieve some trustworthiness.&lt;br /&gt;&lt;br /&gt;Dr. Peter Ryan, computer scientist at the University of Newcastle upon Tyne in England may have found one way of doing this.  Ryan calls his development "Pret a Voter". The gist of his approach is that paper ballots are used that are in two halves.  
The candidates' names are on one side and the tick boxes are on the other.  The voter ticks the boxes he wants and divides the paper, putting only the half with the tick boxes on it in the ballot box.  The ballots are then scanned by optical reader.  The 'trick' part is that the candidates are listed in random order on each ballot paper. &lt;br /&gt;&lt;br /&gt;While anyone looking at the deposited half of the ballot paper cannot determine in whose interest the votes were cast, the machine &lt;span style="font-style:italic;"&gt;can&lt;/span&gt; because each deposited half also carries a cryptographic cipher containing the candidate order on that particular ballot.&lt;br /&gt;&lt;br /&gt;A second approach elaborates on Ryan's system.  Ben Adida and Ron Rivest, of the Massachusetts Institute of Technology, have created what they call "Scratch &amp; Vote".  The ballot paper looks the same as that used in Ryan's 'Pret a Voter', but with an additional scratch-off area that acts as an extra level of security.&lt;br /&gt;&lt;br /&gt;David Chaum, a computer scientist and cryptographer who, among other things, invented the idea of digital cash, has created a third idea called Scantegrity II. In this approach, a voter fills in an oval-shaped space instead of marking an 'x' next to a candidate's name.  
With Scantegrity however, the voter uses a special pen whose "ink" reacts with a pattern of two chemicals that has been printed inside the oval-shaped space.&lt;br /&gt;&lt;br /&gt;While none of these solutions has been widely tested yet meaning American voters will not see them in process for this election, there is a good chance they will be offered in the next election, especially if scandals emerge in the coming election.&lt;br /&gt;&lt;br /&gt;For details on the 3 approaches, see full write-up in &lt;a href="http://www.economist.com/science/tm/displaystory.cfm?story_id=12455414"&gt; The Economist&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-689481177312581953?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/689481177312581953'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/689481177312581953'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/10/really-secret-ballot.html' title='A Really Secret Ballot'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-1814559972386113718</id><published>2008-10-22T15:10:00.000-07:00</published><updated>2008-10-22T15:40:26.806-07:00</updated><title type='text'>US's First Internet Votes To Be Cast This Friday</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/10/22/1924256"&gt; &lt;span style="font-style:italic;"&gt;Slashdot&lt;/span&gt;&lt;/a&gt; is running an article today about the nation's first Internet-based voting system, 
which goes online this Friday.&lt;br /&gt;&lt;br /&gt;Between Oct. 24 and Nov. 2, an estimated six to seven hundred U.S. citizens will use PCs with no hard drive and other disabled components (hardened laptops to remove security risks) located at specific kiosks in Germany, Japan and the U.K. to cast their votes for president.  The Okaloosa Distance Ballot Piloting (ODBP) test program could help change the current bureaucratic obstacle course now affecting roughly 6 million overseas residents who must register earlier than other voters and whose mail-in absentee ballots could be mishandled.&lt;br /&gt;&lt;br /&gt;Despite the favorable results of Director of the Security and Assurance in Information Technology (SAIT) Laboratory Alec Yasinac's security analysis, the mere fact that a wider computer security community has not been asked to evaluate the ODBP program has resulted in a multitude of unanswered questions.&lt;blockquote&gt;"We should not go ahead until full details of the system have been disclosed," says David Dill, a professor of computer science at Stanford University, who has testified before Congress about electronic voting. Dill praises Okaloosa County's program for attempting to create a secure, verifiable system that includes the use of paper Voter Choice Records (VCRs) to allow for a 100 percent audit against the electronic votes. Other locations have adopted less secure alternatives for overseas voters, allowing them to send ballots in by fax or e-mail. Still, he believes the pitfalls outnumber the benefits. "If not for the VCRs, this entire proposal would be completely unacceptable," Dill says. "But if the goal is to hand count every one of them, that seems like a lot of overhead for what amounts to a complicated way to fill out paper absentee ballots. 
The way I look at it, the entire Internet voting part of this scheme is confusing and possibly harmful."&lt;/blockquote&gt;&lt;br /&gt;See more in &lt;a href="http://www.popularmechanics.com/technology/industry/4288327.html"&gt; &lt;span style="font-style:italic;"&gt; Popular Mechanics&lt;/span&gt;&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-1814559972386113718?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1814559972386113718'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1814559972386113718'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/10/uss-first-internet-votes-to-be-cast.html' title='US&apos;s First Internet Votes To Be Cast This Friday'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-7299491480701720645</id><published>2008-10-21T14:35:00.000-07:00</published><updated>2008-10-21T15:15:04.113-07:00</updated><title type='text'>Ohio Secretary of State's Web Site Hacked; voter suppression tactics</title><content type='html'>&lt;a href="http://catless.ncl.ac.uk/Risks/25.40.html#subj6"&gt; &lt;span style="font-style:italic;"&gt; The Risks Digest&lt;/span&gt;&lt;/a&gt; reports today that the office of the Ohio Secretary of State Jennifer Brunner has cut back on the accessible functionality of its website after an apparent security breach was detected by technical staff. 
A statement from the office noted that "this is not the first instance of direct assault on the operations of the Secretary of State's office." It has been bombarded with phone calls and email "with menacing messages and even threats of harm or death," according to the statement.&lt;br /&gt;&lt;blockquote&gt;"What we know is our IT department detected a situation with our Web site where there was somehow suspicious activity where someone could have gotten into our site and tried to move things around," a spokesman told The Cleveland Plain Dealer Monday afternoon. &lt;/blockquote&gt;Brunner and her office are in the midst of a bitter dispute with the state Republican Party which demanded that her office release a list of new voter registrations that don't match state and federal database records.&lt;br /&gt;&lt;br /&gt;Ohio has 20 electoral votes and is a battleground state.  Voter registration records this year in Ohio show record levels of registrations.&lt;br /&gt;&lt;br /&gt;See article in &lt;a href="http://blog.wired.com/27bstroke6/2008/10/ohio-secretary.html"&gt; wired.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-7299491480701720645?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7299491480701720645'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7299491480701720645'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/10/ohio-secretary-of-states-web-site.html' title='Ohio Secretary of State&apos;s Web Site Hacked; voter suppression tactics'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-772025016808454756</id><published>2008-10-20T15:45:00.000-07:00</published><updated>2008-10-20T16:18:58.774-07:00</updated><title type='text'>Thousands Face Mix-Ups in Voter Registrations</title><content type='html'>&lt;a href="http://technews.acm.org/#383970"&gt; ACM TechNews&lt;/a&gt;  reports that new state voter registration systems throughout the United States are mistakenly rejecting voters and thus potentially disrupting the entire election process.&lt;br /&gt;&lt;br /&gt;The problems are originating from the change from locally managed lists to statewide databases, a change required by the Help America Vote Act, passed in 2002 in the aftermath of the deadlocked presidential race 2 years earlier. While the switch is supposed to be a more efficient and accurate way to keep lists updated, the transition to the new state registration systems is incorrectly rejecting thousands of voters across the country. It is impossible to know how many voters are affected nationwide.  &lt;br /&gt;&lt;br /&gt;In Alabama, scores of voters are being labeled convicted felons based on erroneous lists.  Michigan must restore thousands of names it illegally removed from voter rolls over residency questions.  Tens of thousands of voters could be affected in Wisconsin since officials there admit that their database is wrong in one out of five times that it flags voters.&lt;br /&gt;&lt;br /&gt;The electronic lists have been coming online gradually and for 31 states this will be the first time they are used in a presidential election.  It is&lt;blockquote&gt;"this season's big issue," said Wendy R. Weiser, who directs voting rights projects for the Brennan Center for Justice at New York University's School of Law, noting that efforts to keep names off the lists are "a new trend, not in the majority of states but in the battleground states." 
&lt;/blockquote&gt;See full article at &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/10/17/AR2008101703360.html?sid=ST2008101702930&amp;s_pos="&gt; washingtonpost.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-772025016808454756?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/772025016808454756'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/772025016808454756'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/10/thousands-face-mix-ups-in-voter.html' title='Thousands Face Mix-Ups in Voter Registrations'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3639344129546532720</id><published>2008-10-17T16:08:00.000-07:00</published><updated>2008-10-17T16:29:33.630-07:00</updated><title type='text'>E-Voting Report:  Several States Still Vulnerable</title><content type='html'>&lt;a href="http://technews.acm.org/#383766"&gt; ACM TechNews&lt;/a&gt; flagged an article in &lt;span style="font-weight:bold;"&gt;PCWorld&lt;/span&gt; about the inadequate assurance of the accuracy of electronic-voting machines, as per a report from three voting security advocacy groups. 
The report, released by Common Cause, Verified Voting, and the Brennan Center for Justice at the New York University School of Law, predicts that some voting systems will fail on election day.&lt;br /&gt;&lt;br /&gt;Pamela Smith, president of Verified Voting, said that state protections against voting fraud and e-voting machine failure have improved greatly since the last U.S. presidential election in 2004.  Still, several states refuse to take basic precautions to protect the integrity of voting systems, she added. &lt;blockquote&gt;"There are some folks who still don't get it," said Smith. &lt;/blockquote&gt;Colorado, Delaware, Kentucky, Louisiana, New Jersey, South Carolina, Tennessee, Texas, Utah, and Virginia all received failing grades in three of four voting security areas. Of the 24 states using direct-recording electronic machines, only California, Indiana, and Ohio received satisfactory grades in all four categories. &lt;br /&gt;&lt;br /&gt;David Beirne, executive director of the Election Technology Council, a trade group representing e-voting machine vendors, says the report came too late for changes to be made this year.&lt;br /&gt;&lt;br /&gt;For details, see &lt;a href="http://www.pcworld.com/article/152378/.html"&gt; PCWorld&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3639344129546532720?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3639344129546532720'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3639344129546532720'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/10/e-voting-report-several-states-still.html' title='E-Voting Report:  Several States Still Vulnerable'/><author><name>Mary 
Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-5691603069681106157</id><published>2008-10-16T15:57:00.000-07:00</published><updated>2008-10-16T16:19:55.047-07:00</updated><title type='text'>Tool To Allow ISPs To Scan Every File You Transmit</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/10/16/2137258"&gt; Slashdot &lt;/a&gt; posts a story about a tool developed by &lt;span style="font-style:italic;"&gt;Brilliant Digital Entertainment&lt;/span&gt;, an Australian software company, that can scan every file that passes between an ISP and its customers.  The new monitoring technology, together with simultaneous changes in U.S. law, is adding pressure to turn Internet service providers into cops examining all Internet traffic for child pornography.&lt;br /&gt;&lt;br /&gt;Privacy advocates are objecting to such tools and say that monitoring all traffic would be an unconstitutional invasion. However, such monitoring just became easier with a law approved unanimously by Congress and signed on Monday by President Bush.&lt;br /&gt;&lt;br /&gt;A PowerPoint slide show from &lt;span style="font-style:italic;"&gt;Brilliant Digital Entertainment&lt;/span&gt; describing the technology was passed on to AOL last month by two powerful forces in the fight against child porn, the office of New York Attorney General Andrew M. Cuomo and Ernest E. 
Allen, president and CEO of the National Center for Missing and Exploited Children.&lt;blockquote&gt;"This would be plainly illegal in the United States, whether or not a governmental official imposed this on an ISP or the ISP did this voluntarily,"  John Morris of the Center for Democracy and Technology said after viewing Brilliant Digital's slide show. "If I were the general counsel of an ISP, I wouldn't touch this with a 10-foot pole." &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;For more information, see &lt;a href="http://www.msnbc.msn.com/id/27198621#storyContinued"&gt; MSNBC&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-5691603069681106157?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5691603069681106157'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5691603069681106157'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/10/tool-to-allow-isps-to-scan-every-file.html' title='Tool To Allow ISPs To Scan Every File You Transmit'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3681783785394596302</id><published>2008-10-15T15:41:00.000-07:00</published><updated>2008-10-15T16:13:49.476-07:00</updated><title type='text'>International Spam Ring Shut Down</title><content type='html'>&lt;a href="http://it.slashdot.org/article.pl?sid=08/10/14/212253"&gt;&lt;span style="font-style:italic;"&gt; Slashdot&lt;/span&gt;&lt;/a&gt; features a New York Times story about the imminent shutdown of an 
international spam ring with ties to Australia, New Zealand, China, India and the U.S.  Using the CAN-SPAM Act of 2004,  finances of the members in the U.S. are being frozen while the FBI pursues criminal charges.&lt;br /&gt;&lt;br /&gt;The group, which used several names but was known among spam-fighting organizations as HerbalKing, sent billions of unsolicited messages to Internet users over the last 20 months, promoting replica watches and an assortment of pharmaceuticals, including weight-loss drugs and herbal pills that supposedly provide enhancement of male anatomy. Officials and investigators say this spam operation was perhaps the most extensive encountered.&lt;blockquote&gt;“They were sending extraordinary amounts of spam,” said Jon Leibowitz, an F.T.C. commissioner. “We are hoping at some level that this will help make a small dent in the amount of spam coming into consumers’ in-boxes.” &lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;For full article, see the &lt;a href="http://www.nytimes.com/2008/10/15/technology/internet/15spam.html?_r=1&amp;hp&amp;oref=slogin"&gt; New York Times&lt;/a&gt;, as well as a press release from the &lt;a href="http://www.ftc.gov/opa/2008/10/herbalkings.shtm"&gt; Federal Trade Commission&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3681783785394596302?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3681783785394596302'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3681783785394596302'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/10/international-spam-riong-shut-down.html' title='International Spam Ring Shut Down'/><author><name>Mary 
Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-1082532647068624993</id><published>2008-10-10T16:04:00.000-07:00</published><updated>2008-10-10T16:15:47.972-07:00</updated><title type='text'>E-voting security result 'awful,' says Ohio secretary of state</title><content type='html'>&lt;a href="http://technews.acm.org/#382471"&gt; ACM TechNews&lt;/a&gt; excerpted an article describing how Ohio voters who do not trust touch-screen systems will be given the option of a paper ballot.  This action follows largely from the results of Ohio Secretary of State Jennifer Brunner's Evaluation &amp; Validation of Election-Related Equipment, Standards, &amp; Testing (EVEREST) analysis.  The analysis uncovered "critical security failures" in every system evaluated by teams of both corporate and academic computer scientists and security specialists.&lt;br /&gt;&lt;br /&gt;Brunner said that the results of the test exceeded her worst expectations.&lt;blockquote&gt;"When I finally saw the results of our [EVEREST] tests, I thought I was going to throw up," she says. "I didn't think it would be that bad. 
And it was--it was awful."&lt;/blockquote&gt;&lt;br /&gt;See full article in &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9116465"&gt; COMPUTERWORLD&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-1082532647068624993?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1082532647068624993'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1082532647068624993'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/10/e-voting-security-result-awful-says.html' title='E-voting security result &apos;awful,&apos; says Ohio secretary of state'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3638883853518622140</id><published>2008-10-09T14:54:00.001-07:00</published><updated>2008-10-09T16:05:05.705-07:00</updated><title type='text'>New Bill To Rein in DHS Laptop Seizures</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/10/07/233220"&gt; Slashdot&lt;/a&gt; writes of a proposed new bill that would limit the searches of laptops or other electronic devices to cases where customs agents have reasonable suspicion of illegal activity.  
In addition, the legislation would limit the length of time a device could be removed from its owner's possession, after which the search becomes a seizure, requiring probable cause.&lt;br /&gt;&lt;br /&gt;The &lt;span style="font-style:italic;"&gt;Travelers Privacy Protection Act&lt;/span&gt;, written by U.S. Senators Russ Feingold, D-Wis., and Maria Cantwell, D-Wash., and Representative Adam Smith, D-Wash., was introduced in response to a Department of Homeland Security policy, released on July 16th that allows customs agents to detain laptops for an indefinite period of time to "review and analyze" their contents, "absent individualized suspicion".  That policy was released after reports emerged of U.S. customs agents requiring American citizens and legal residents to turn over their laptops or cell phones and wait for hours while the devices were searched.  In some cases, the contents of the devices were copied.  In other cases, the devices were confiscated and returned weeks or even months later with no explanation.&lt;blockquote&gt;“Most Americans would be shocked to learn that upon their return to the U.S. from traveling abroad, the government could demand the password to their laptop, hold it for as long as it wants, pore over their documents, emails, and photographs, and examine which websites they visited – all without any suggestion of wrong-doing,” Feingold said. "Focusing our limited law enforcement resources on law-abiding Americans who present no basis for suspicion does not make us any safer and is a gross violation of privacy. 
This bill will bring the government’s practices at the border back in line with the reasonable expectations of law-abiding Americans.”&lt;/blockquote&gt;&lt;br /&gt;See more at &lt;a href="http://www.securityfocus.com/brief/832"&gt; Security Focus&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3638883853518622140?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3638883853518622140'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3638883853518622140'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/10/new-bill-to-rein-in-dhs-laptop-seizures.html' title='New Bill To Rein in DHS Laptop Seizures'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-349206485173348595</id><published>2008-10-08T16:16:00.000-07:00</published><updated>2008-10-08T16:40:16.736-07:00</updated><title type='text'>Data-Mining for Terrorists Not 'Feasible,' DHS-Funded Study Finds</title><content type='html'>Yesterday, Wired Magazine's online network blog covered a report by a privacy and terrorism commission funded by the Department of Homeland Security that found that the technology designed to decide from afar whether a person had terrorist intent would not work.  
The committee, created by the National Research Council in 2005, says that false positives could quickly lead to privacy invasions.&lt;blockquote&gt;"Automated identification of terrorists through data mining (or any other known methodology) is neither feasible as an objective nor desirable as a goal of technology development efforts," the report found. "Even in well-managed programs, such tools are likely to return significant rates of false positives, especially if the tools are highly automated."&lt;/blockquote&gt;Committee co-chair Charles Vest made it clear at the unveiling of the report in Washington yesterday that the committee was not dismissing the threat of terrorism to us physically and as a nation.&lt;blockquote&gt;"Terrorists can damage our country and way of life in two ways: through physical, psychological damage and through our own inappropriate response to that threat," Vest said in opening remarks (.mp3).&lt;/blockquote&gt;The committee emphasized that the government should have useful tools to fight terrorism, but that they must respect Americans' privacy.&lt;br /&gt;&lt;br /&gt;See article in &lt;a href="http://blog.wired.com/27bstroke6/2008/10/data-mining-for.html"&gt;Wired Blog Network&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-349206485173348595?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/349206485173348595'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/349206485173348595'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/10/data-mining-for-terrorists-not-feasible.html' title='Data-Mining for Terrorists Not &apos;Feasible,&apos; DHS-Funded Study Finds'/><author><name>Mary 
Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-5233868532603656436</id><published>2008-10-07T15:58:00.000-07:00</published><updated>2008-10-07T16:15:49.140-07:00</updated><title type='text'>Computer Hardware 'Guardians' Protect Users From Undiscovered Bugs</title><content type='html'>&lt;a href="http://technews.acm.org/#381658"&gt;ACM TechNews&lt;/a&gt; relates how researchers at the University of Michigan developed a system that allows microprocessors to work around functional bugs, including those yet undetected.&lt;br /&gt;&lt;br /&gt;Intel and other chipmakers uncover bugs by simulating different scenarios, commands, and configurations a processor might encounter.  However, not all bugs are found since it is practically impossible to simulate every possibility. The researchers' system builds a virtual fence that prevents chips from operating in untested configurations.  The system tracks all configurations that a company tested and then stores that information on a tiny monitor that is added to each processor. The minuscule monitor, called a "semantic guardian", works by keeping the processor inside its virtual fence.  When the chip encounters an untested configuration, it switches the processor to a slower safe mode.&lt;blockquote&gt;"Users wouldn't even notice when their processor switched to safe mode," said Valeria Bertacco, assistant professor in the Department of Electrical Engineering and Computer Science. "It would happen infrequently, and it would only last momentarily, to get the computer through the uncharted territory. Then the chip would flip back to its regular mode." 
&lt;/blockquote&gt;&lt;br /&gt;See details at &lt;a href="http://www.ns.umich.edu/htdocs/releases/story.php?id=6757"&gt; UNIVERSITY OF MICHIGAN NEWS SERVICE&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-5233868532603656436?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5233868532603656436'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5233868532603656436'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/10/computer-hardware-guardians-protect.html' title='Computer Hardware &apos;Guardians&apos; Protect Users From Undiscovered Bugs'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3932249608383490042</id><published>2008-10-06T16:24:00.000-07:00</published><updated>2008-10-06T16:52:11.238-07:00</updated><title type='text'>DHS To Proceed With Spy-Satellite Surveillance Program Despite Privacy Concerns</title><content type='html'>&lt;a href="https://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&amp;issue=78#sID202"&gt; &lt;span style="font-weight:bold;"&gt;SANS Institute&lt;/span&gt;&lt;/a&gt; brings to light the story of a Department of Homeland Security program called the &lt;span style="font-style:italic;"&gt;National Applications Office (NAO)&lt;/span&gt; proceeding with the first phase of a highly controversial satellite-surveillance program, despite not ensuring that the program will comply with privacy laws.&lt;br /&gt;&lt;br /&gt;The Government Accountability Office (GAO) issued a 
non-classified but highly sensitive 60-page report that, according to one source, says that the department &lt;blockquote&gt;"lacks assurance that NAO operations will comply with applicable laws and privacy and civil liberties standards." &lt;/blockquote&gt;Through NAO, US government officials at the federal, state and local levels gain access to data gathered by spy satellites to help them with emergency response and domestic security concerns.&lt;br /&gt;&lt;br /&gt;House Homeland Security Committee Chairman Bennie G. Thompson of Mississippi and other Democrats asked Congress to freeze the money for the program until after the November election.  However, the bill Congress approved and which President Bush signed into law Tuesday, allows the department to launch a limited version now.&lt;br /&gt;&lt;br /&gt;See complete article in the &lt;a href="http://online.wsj.com/article/SB122282336428992785.html?mod=googlenews_wsj"&gt; &lt;span style="font-weight:bold;"&gt;Wall Street Journal&lt;/span&gt;&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3932249608383490042?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3932249608383490042'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3932249608383490042'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/10/dhs-to-proceed-with-spy-satellite.html' title='DHS To Proceed With Spy-Satellite Surveillance Program Despite Privacy Concerns'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-4054318299041388598</id><published>2008-10-03T16:28:00.000-07:00</published><updated>2008-10-03T16:37:58.698-07:00</updated><title type='text'>Tracking Laptop Thieves Safely</title><content type='html'>&lt;a href="technews.acm.org/#381242"&gt;ACM TechNews&lt;/a&gt; reports on free laptop-tracking software developed by researchers at the University of Washington (UW) and the University of California, San Diego.  The software is called &lt;span style="font-style:italic;"&gt;Adeona&lt;/span&gt; and it transmits the location of a device back to a central server. &lt;br /&gt;&lt;br /&gt;However, some experts worry that, without additional security measures, this type of tracking technology could inadvertently make users more vulnerable to spying.&lt;blockquote&gt;"If you lose your laptop, a commercial service can tell you where it is right now," says Tadayoshi Kohno, an assistant professor of computer science at the University of Washington, in Seattle. 
"The issue, from a privacy perspective, is that this also means that someone who might break into or have access to the commercial service's database might be able to track you even before the laptop leaves your possession."&lt;/blockquote&gt;&lt;br /&gt;For details, see&lt;a href="http://www.technologyreview.com/Infotech/21444/?a=f"&gt; Technology Review&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-4054318299041388598?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/4054318299041388598'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/4054318299041388598'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/10/tracking-laptop-thieves-safely.html' title='Tracking Laptop Thieves Safely'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-6177502632677800804</id><published>2008-10-01T16:39:00.000-07:00</published><updated>2008-10-01T16:58:55.033-07:00</updated><title type='text'>CSRF Flaws Found On Major Websites, Including a Bank</title><content type='html'>&lt;a href="http://it.slashdot.org/article.pl?sid=08/09/30/0136219"&gt; &lt;span style="font-style:italic;"&gt;  Slashdot&lt;/span&gt;&lt;/a&gt; reports on a recent announcement by Princeton researchers about four major Web sites on which they found exploitable cross-site request forgery (CSRF) vulnerabilities.  
The sites are NYTimes, YouTube, Metafilter and INGDirect.&lt;br /&gt;&lt;br /&gt;YouTube, Metafilter and INGDirect have since patched the vulnerabilities after having been alerted to them, but the NYTimes has yet to fix theirs.&lt;br /&gt;&lt;br /&gt;In a CSRF attack, the attacker can force a user's browser to request a page or an action without the user knowing.  CSRF is not well understood in the Web development community, making it a common vulnerability on websites.&lt;blockquote&gt;“CSRF is extremely pervasive. It’s basically wherever you look,” says Jeremiah Grossman, CTO of WhiteHat Security.&lt;/blockquote&gt;Princeton's discovery of CSRF bugs on well-known websites is only the tip of the iceberg.&lt;blockquote&gt;“We're starting to see more and more of these attacks, and I believe this will continue until developers become more educated about CSRF,” says Bill Zeller, a PhD candidate at Princeton.&lt;/blockquote&gt;See &lt;a href="http://www.darkreading.com/document.asp?doc_id=164854&amp;WT.svl=news1_1"&gt;  darkREADING&lt;/a&gt; for more information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-6177502632677800804?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6177502632677800804'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6177502632677800804'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/10/csrf-flaws-found-on-major-websites.html' title='CSRF Flaws Found On Major Websites, Including a Bank'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-811347012149259173</id><published>2008-09-30T16:24:00.000-07:00</published><updated>2008-09-30T16:39:42.082-07:00</updated><title type='text'>Spoofing GPS Receivers</title><content type='html'>&lt;a href="http://technews.acm.org/#380838"&gt; ACM TechNews&lt;/a&gt; picked up an article on research at Cornell University showing that global positioning system (GPS) technology is vulnerable to spoofing: the transmission of fake signals that receivers believe are authentic.&lt;br /&gt;&lt;br /&gt;The Cornell researchers presented a paper on their findings at a meeting of the Institute of Navigation on September 19th in Savannah, GA. Paper co-authors Brent Ledvina, Cornell Ph.D. '07 and now assistant professor of electrical computer engineering at Virginia Tech, and Todd Humphreys, Cornell Ph.D. '07, described how a "phony" receiver could be placed in the proximity of a navigation device where it would track, modify, and retransmit signals being transmitted from the GPS satellite constellation.   Eventually the "victim" navigation device would mistake the counterfeit navigation signals for the real signals.&lt;br /&gt;&lt;blockquote&gt;"GPS is woven into our technology infrastructure, just like the power grid or the water system," said Kintner, Cornell professor of electrical and computer engineering and director of the Cornell GPS Laboratory. 
"If it were attacked, there would be a serious impact."&lt;/blockquote&gt;&lt;br /&gt;See full article in Cornell University's &lt;a href="http://www.news.cornell.edu/stories/Sept08/GPSSpoofing.aj.html"&gt; CHRONICLE ONLINE&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-811347012149259173?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/811347012149259173'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/811347012149259173'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/09/spoofing-gps-receivers.html' title='Spoofing GPS Receivers'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-7488532093833733800</id><published>2008-09-29T08:29:00.000-07:00</published><updated>2008-09-29T08:37:01.748-07:00</updated><title type='text'>CA Sec. State Bowen promotes Open Source in Voting Computers</title><content type='html'>A 9/29/08 San Jose Mercury News article, "&lt;a href="http://www.mercurynews.com/business/ci_10560363"&gt;Magid: Panel calls for use of open source software on voting machines&lt;/a&gt;," describes a panel at MIT's Emerging Technology conference.&lt;br /&gt;&lt;blockquote&gt;On the MIT panel, Bowen called for the use of open source software that is transparent to anyone with the technical skills to understand it. 
That may not include the average voter or election office, but with open source code, at least some software engineers have the ability to inspect and even improve code.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;See also Lucas Mearian's 9/25 ComputerWorld blog, "&lt;a href="http://blogs.computerworld.com/voting_should_be_a_hand_job"&gt;Prevent unwanted presidencies with paper ballots&lt;/a&gt;."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-7488532093833733800?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7488532093833733800'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7488532093833733800'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/09/ca-sec-state-bowen-promotes-open-source.html' title='CA Sec. 
State Bowen promotes Open Source in Voting Computers'/><author><name>Christopher Brooks</name><uri>http://www.blogger.com/profile/03042907938411870505</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://ptolemy.eecs.berkeley.edu/image/ptolemySmall.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3751669974520076037</id><published>2008-09-26T16:08:00.000-07:00</published><updated>2008-09-26T17:03:11.491-07:00</updated><title type='text'>AT&amp;T, Verizon To Require Opt-In For User Tracking</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/09/26/1216229"&gt;&lt;span style="font-style:italic;"&gt;Slashdot&lt;/span&gt;&lt;/a&gt; picked up a Washington Post report that AT&amp;T and Verizon pledged yesterday not to track customers' internet behavior unless given explicit, opt-in permission.&lt;blockquote&gt;"Verizon believes that before a company captures certain Internet-usage data . . . it should obtain meaningful, affirmative consent from consumers," said Thomas J. Tauke, Verizon executive vice president.&lt;/blockquote&gt;AT&amp;T's chief privacy officer Dorothy Attwood made a similar pledge to legislators.&lt;br /&gt;&lt;br /&gt;Meanwhile, Google, Microsoft and many other Web companies have adopted the "opt out" model, which they say is enough to give consumers "control" over whether their activities are tracked.  Some critics viewed the announcements yesterday with skepticism, inferring that the stricter "opt in" scheme could pose problems. Weakly worded warnings could entice many people to "opt in", despite the risks, they said.&lt;blockquote&gt;"What they should be saying is, 'We are going to be collecting every move of your mouse on every Web site on a second-by-second basis.' But that would scare too many people away," said Jeff Chester, of the Center for Digital Democracy. 
"They're going to craft some kind of proposal that claims to be informed consent but simply gives them political cover while they engage in full frontal behavioral targeting."&lt;/blockquote&gt;&lt;br /&gt;See more at&lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/09/25/AR2008092504135_pf.html"&gt; washingtonpost.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3751669974520076037?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3751669974520076037'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3751669974520076037'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/09/at-verizon-to-require-opt-in-for-user.html' title='AT&amp;T, Verizon To Require Opt-In For User Tracking'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3056050785715133477</id><published>2008-09-25T16:14:00.000-07:00</published><updated>2008-09-25T16:42:05.775-07:00</updated><title type='text'>Alarm Raised For "Clickjacking" Browser Exploit</title><content type='html'>&lt;a href="http://it.slashdot.org/article.pl?sid=08/09/25/1955228"&gt; &lt;span style="font-style:italic;"&gt;Slashdot&lt;/span&gt;&lt;/a&gt; picked up a story in ZDNet about what seems to be a treacherous new browser exploit affecting all major desktop platforms, including Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, Opera and Adobe Flash.&lt;br /&gt;&lt;br /&gt;This threat, called "Clickjacking", was to be a topic at the OWASP 
NYC AppSec 2008 conference but was postponed in consideration of vulnerable vendors until a professional fix is developed.&lt;br /&gt;&lt;br /&gt;The two researchers who made the discovery, Robert Hansen and Jeremiah Grossman, have released &lt;span style="font-style:italic;"&gt;some &lt;/span&gt;information to emphasize the severity of this threat. According to someone who attended the semi-restricted OWASP presentation: &lt;blockquote&gt;"In a nutshell, it’s when you visit a malicious website and the attacker is able to take control of the links that your browser visits.  The problem affects all of the different browsers except something like lynx.  The issue has nothing to do with JavaScript so turning JavaScript off in your browser will not help you.  It’s a fundamental flaw with the way your browser works and cannot be fixed with a simple patch.  With this exploit, once you’re on the malicious web page, the bad guy can make you click on any link, any button, or anything on the page without you even seeing it happening."&lt;/blockquote&gt;&lt;br /&gt;See more at &lt;a href="http://blogs.zdnet.com/security/?p=1972"&gt; ZDNet&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3056050785715133477?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3056050785715133477'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3056050785715133477'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/09/alarm-raised-for-clickjacking-browser.html' title='Alarm Raised For &quot;Clickjacking&quot; Browser Exploit'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-8463993053861319584</id><published>2008-09-23T16:20:00.000-07:00</published><updated>2008-09-23T16:40:59.755-07:00</updated><title type='text'>Feds Tighten DNS Security On .Gov</title><content type='html'>&lt;a href="http://it.slashdot.org/article.pl?sid=08/09/22/1253201"&gt; &lt;span style="font-style:italic;"&gt;Slashdot&lt;/span&gt;&lt;/a&gt; quotes a lengthy article in NETWORKWORLD that claims the feds have launched the largest-ever rollout of a new authentication mechanism for the Internet's DNS.   All federal agencies are deploying DNS Security Extensions (DNSSEC) on the .gov top-level domain.  DNSSEC prevents hackers from diverting web traffic from legitimate sites and redirecting it to sham sites. The Internet standard prevents spoofing attacks by allowing websites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.&lt;br /&gt;&lt;br /&gt;Chief Internet Technology Officer for the Internet Society Leslie Daigle says that with DNSSEC deployed, federal Web sites “are less prone to be hacked into, and it means they can offer their services with greater assurances to the public."&lt;br /&gt;&lt;br /&gt;The U.S. government DNSSEC mandate is "significant" according to Olaf Kolkman, DNSSEC expert and director of NLnet Labs, a nonprofit R&amp;D foundation in the Netherlands, who says:&lt;blockquote&gt;"First, the tool developers will jump in because there is the U.S. 
government as a market….Second, there is suddenly a significant infrastructure to validate against." &lt;/blockquote&gt;&lt;br /&gt;See complete article at &lt;a href="http://www.networkworld.com/news/2008/092208-government-web-security.html"&gt; NETWORKWORLD&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-8463993053861319584?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8463993053861319584'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8463993053861319584'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/09/feds-tighten-dns-security-on-gov.html' title='Feds Tighten DNS Security On .Gov'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3595230890065287840</id><published>2008-09-22T15:25:00.000-07:00</published><updated>2008-09-23T10:19:58.516-07:00</updated><title type='text'>Nevada Businesses Must Start Encrypting E-Mail By Oct. 1st</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/09/22/190256"&gt; Slashdot &lt;/a&gt; notes an article about a looming deadline on e-mail encryption in the state of Nevada. All transmissions, i.e. 
e-mail, for all businesses that send personal, identifiable information over the Internet must be encrypted starting October 1st of this year.&lt;br /&gt;&lt;br /&gt;The statute was signed into law in 2005 and reads as follows:&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-style:italic;"&gt;NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.] &lt;br /&gt;&lt;br /&gt;1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.&lt;/span&gt;&lt;/blockquote&gt;Bryce K. Earl, a Las Vegas-based attorney,  has been following the issue closely and believes there are some problems with the statute as it is currently written, including opening up all kinds of unintentional liability issues.&lt;br /&gt;&lt;br /&gt;For full write-up, see &lt;a href="http://blog.baselinemag.com/bottom_line/content/security/nevada_deadline_on_email_encryption_looming.html"&gt; Baseline&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3595230890065287840?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3595230890065287840'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3595230890065287840'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/09/nevada-businesses-must-start-encryping.html' title='Nevada Businesses Must Start Encrypting E-Mail By Oct. 
1st'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-6270492951744943689</id><published>2008-09-19T16:12:00.000-07:00</published><updated>2008-09-19T16:46:16.384-07:00</updated><title type='text'>Cyber Attack Data-Sharing Is Lacking, Congress Told</title><content type='html'>&lt;a href="http://technews.acm.org/#379876"&gt; ACM TechNews&lt;/a&gt; presented an article in the Washington Post about the first open hearing on cyber security held by the House Permanent Select Committee on Intelligence.  The concern is U.S. intelligence agencies' inability  to share information about foreign cyber attacks against  companies out of fear of putting intelligence-gathering sources in jeopardy, according to cyber-security expert Paul B. Kurtz.&lt;br /&gt;&lt;br /&gt;Kurtz, who has served on the National Security Council in the Clinton and Bush administrations, is concerned about the breadth of the cyber attacks.  &lt;blockquote&gt;"American industry and government are spending billions of dollars to develop new products and technology that are being stolen at little to no cost by our adversaries," he said. "Nothing is off limits -- pharmaceuticals, biotech, IT, engine design . . . weapons design." 
&lt;/blockquote&gt;A key issue for policymakers is how the government can effectively monitor private networks for intrusions without infringing on the privacy rights of Americans whose data flows through those networks.&lt;br /&gt;&lt;br /&gt;See complete article in &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/09/18/AR2008091803730.html"&gt; washingtonpost.com&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-6270492951744943689?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6270492951744943689'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6270492951744943689'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/09/cyber-attack-data-sharing-is-lacking.html' title='Cyber Attack Data-Sharing Is Lacking, Congress Told'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3928269594673104229</id><published>2008-09-03T15:41:00.000-07:00</published><updated>2008-09-03T16:07:22.747-07:00</updated><title type='text'>Public, Private Sectors at Odds Over Cyber Security</title><content type='html'>&lt;a href="http://technews.acm.org/#376787"&gt; ACM TechNews&lt;/a&gt; reported an article in the Los Angeles Times on the rift between corporate America and the federal government over who should make the repairs to the Internet, given focus by three recent, significant computer security breaches. 
To wit, over the past few months law enforcement officials busted an international ring that accessed customer databases and trafficked tens of millions of credit card numbers, a researcher discovered a serious flaw in the Domain Name System that could allow hackers to redirect users to fake versions of popular Web sites, and computer attacks have been used to cripple the country of Georgia's internet capabilities.&lt;br /&gt;&lt;br /&gt;That said, little has been done to make cybersecurity a more dominant issue.&lt;blockquote&gt;"Nothing is happening," said Jerry Dixon, the former director of the National Cyber Security Division at the Department of Homeland Security. "This has got to be in the top five national security priorities."&lt;br /&gt;&lt;/blockquote&gt;While the government has argued that the private sector is better suited to tackle the broader problem, big corporations say it's too big for them to handle.&lt;br /&gt;&lt;br /&gt;See full article in the &lt;a href="http://www.latimes.com/business/la-fi-security26-2008aug26,0,2021258.story"&gt; Los Angeles Times&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3928269594673104229?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3928269594673104229'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3928269594673104229'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/09/public-private-sectors-at-odds-over.html' title='Public, Private Sectors at Odds Over Cyber Security'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-6310238662920683266</id><published>2008-09-02T16:33:00.000-07:00</published><updated>2008-09-02T16:48:45.853-07:00</updated><title type='text'>FBI ISP Letters May Have Violated Free Speech</title><content type='html'>&lt;a href="http://www.reuters.com/article/topNews/idUSN2750234720080827?feedType=RSS&amp;feedName=topNews&amp;rpc=22&amp;sp=true"&gt; Slashdot&lt;/a&gt; mentions a Reuters account of an appeals court hearing in which an unnamed ISP is challenging a Patriot Act provision that allows the FBI to produce secret letters to ISPs and telecoms demanding customer records.&lt;br /&gt;&lt;br /&gt;A panel of three judges from the U.S. Second Circuit Court of Appeals heard arguments on whether a provision of the Patriot Act requiring people formally contacted by the FBI for information to keep it a secret is constitutional.  &lt;br /&gt;&lt;br /&gt;The American Civil Liberties Union filed a similar suit in 2004 against the U.S. government challenging the so-called National Security Letters (NSL) as well as gag orders placed on the recipients.&lt;blockquote&gt;"You can't tell me that any terrorist is going to make anything out of the fact you issued NSLs to AT&amp;T and Verizon," said Circuit Judge Sonia Sotomayor, using a hypothetical example.&lt;/blockquote&gt;Nearly 200,000 national security letters were sent out between 2003 and 2006. 
Of those, approximately 97 percent also received gag orders.&lt;br /&gt;&lt;br /&gt;The judges will rule on the issue in the next few months.&lt;br /&gt;&lt;br /&gt;For more information, see &lt;a href="http://www.reuters.com/article/topNews/idUSN2750234720080827?feedType=RSS&amp;feedName=topNews&amp;rpc=22&amp;sp=true"&gt; Reuters&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-6310238662920683266?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6310238662920683266'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6310238662920683266'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/09/fbi-isp-letters-may-have-violated-free.html' title='FBI ISP Letters May Have Violated Free Speech'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-2584266393815271095</id><published>2008-08-28T16:16:00.000-07:00</published><updated>2008-08-28T16:34:49.922-07:00</updated><title type='text'>State Cannot Force Removal of SSNs From Privacy Advocate's Site</title><content type='html'>&lt;a href="http://yro.slashdot.org/yro/08/08/28/1536249.shtml"&gt; Slashdot&lt;/a&gt; notes a story about privacy advocate Betty Ostergren, who runs a website that highlights privacy problems that result from posting of unredacted public documents such as land and tax-lien records posted on government web sites. 
Her site posts Social Security numbers obtained from public records as part of her campaign to show how easy it is to access personal information on the web.&lt;br /&gt;&lt;br /&gt;Although legislation was introduced in Virginia to combat her website, Judge Robert Payne of the U.S. District Court for the East District of Virginia last Friday shot down the attempt to censure her, writing &lt;blockquote&gt;"It is difficult to imagine a more archetypal instance of the press informing the public of government operations through government records than Ostergren's posting of public records to demonstrate the lack of care being taken by government to protect the private information of individuals." &lt;/blockquote&gt;&lt;br /&gt;See complete article in &lt;a href="http://www.computerworld.com/action/article.do?command=printArticleBasic&amp;articleId=9113642"&gt; COMPUTERWORLD Security&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-2584266393815271095?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2584266393815271095'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2584266393815271095'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/08/state-cannot-for4ce-removal-of-ssns.html' title='State Cannot Force Removal of SSNs From Privacy Advocate&apos;s Site'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-368929175134597569</id><published>2008-08-26T16:27:00.000-07:00</published><updated>2008-08-26T17:02:29.827-07:00</updated><title type='text'>California's Wireless Road Tolls Easily Hackable</title><content type='html'>&lt;a href="http://it.slashdot.org/article.pl?sid=08/08/26/1335257"&gt; Slashdot &lt;/a&gt;posts a story about researcher Nate Lawson of &lt;span style="font-style:italic;"&gt;Root Labs&lt;/span&gt;, who has figured out how to clone the wireless transponders used by the automated FasTrak toll system on roads and bridges in the Bay Area of California.&lt;br /&gt;&lt;br /&gt;Lawson says that fraud could be easily committed by cloning a transponder's unique identity number, that is, copying the ID of another driver onto one's own device.  The ID number thief could then travel for free while other drivers unwittingly foot the bill.&lt;blockquote&gt; "It's trivial to clone a device," Lawson says. 
"In fact, I have several clones with my own ID already."&lt;/blockquote&gt; Lawson also raised the possibility of using the FasTrak system to create false alibis by overwriting one's own ID onto another driver's device before committing a crime. The logs for the toll system would appear to show the perpetrator driving at another location when the crime was being committed, he says.&lt;br /&gt;&lt;br /&gt;See more at &lt;a href="http://technologyreview.com/Infotech/21301/?a=f"&gt; Technology Review&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-368929175134597569?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/368929175134597569'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/368929175134597569'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/08/californias-wireless-road-tolls-easily.html' title='California&apos;s Wireless Road Tolls Easily Hackable'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-1413949107374760975</id><published>2008-08-22T15:57:00.000-07:00</published><updated>2008-08-22T16:19:15.402-07:00</updated><title type='text'>Microsoft Applies For Patent On Private Browsing</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/08/21/140218"&gt; Slashdot &lt;/a&gt;picked up a story in BBC News about Microsoft's plan to use a "privacy mode" in the next release of its web browser, Internet Explorer.  
With the click of a button, users of IE8 will be able to limit how much information is recorded about their online activity.  Two applications by Microsoft have been spotted covering trademarks for managing the amount of information a browser logs.&lt;br /&gt;&lt;br /&gt;Although many browsers already have menu options that let users alter security settings and clear history files, it typically must be done on a per-use basis. Microsoft's approach will allow users to turn on a privacy mode that will erase data that browsing programs log and turn off features that record sites visited. &lt;br /&gt;&lt;br /&gt;Apple's Safari browser already has a privacy mode and the creators of Mozilla's Firefox are apparently working on a similar feature as well.  &lt;br /&gt;For details see: &lt;a href="http://news.bbc.co.uk/2/hi/technology/7574265.stm"&gt; BBC NEWS&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-1413949107374760975?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1413949107374760975'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1413949107374760975'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/08/microsoft-applies-for-patent-on-private.html' title='Microsoft Applies For Patent On Private Browsing'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-8680366657151618235</id><published>2008-08-21T16:20:00.000-07:00</published><updated>2008-08-21T16:32:30.199-07:00</updated><title 
type='text'>U.S. At Risk of cyberattacks, experts say</title><content type='html'>&lt;a href="http://technews.acm.org/#375637"&gt;ACM TechNews&lt;/a&gt; states that the next large-scale military or terrorist attack against the United States could be launched by hackers half a world away through cyberspace, which internet security experts claim could be just as devastating to the U.S. economy and infrastructure as a bombing attack.&lt;br /&gt;&lt;br /&gt;Last week's attack on the former Soviet republic of Georgia, wherein a Russian military offensive was preceded by an internet assault that overwhelmed Georgia's governmental websites, indicates a new kind of cyberwar, one for which the U.S. is not prepared.&lt;br /&gt;&lt;blockquote&gt;"Nobody's come up with a way to prevent this from happening, even here in the U.S.," said Tom Burling, acting chief executive of Tulip Systems, an Atlanta, Georgia, Web-hosting firm that volunteered its Internet servers to protect the nation of Georgia's Web sites from malicious traffic.&lt;br /&gt;&lt;br /&gt;"The U.S. is probably more Internet-dependent than any place in the world. So to that extent, we're more vulnerable than any place in the world to this kind of attack," Burling added. "So much of what we're doing [in the United States] is out there on the Internet, and all of that can be taken down at once." 
&lt;/blockquote&gt;  For details, see &lt;a href="http://www.cnn.com/2008/TECH/08/18/cyber.warfare/index.html"&gt; CNN.com/technology&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-8680366657151618235?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8680366657151618235'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8680366657151618235'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/08/us-at-risk-of-cyberattacks-experts-say.html' title='U.S. At Risk of cyberattacks, experts say'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3774456010408576031</id><published>2008-08-20T13:13:00.000-07:00</published><updated>2008-08-20T13:22:39.383-07:00</updated><title type='text'>Fighting Identity Theft with Analytics</title><content type='html'>&lt;a href="http://www.eweek.com/c/s/Security/"&gt; eWEEK.COM&lt;/a&gt; is running an article about security vendor &lt;span style="font-style:italic;"&gt;Guardian Analytics&lt;/span&gt;, whose recent technological developments use behavioral modeling to prevent online identity theft and bank fraud.&lt;br /&gt;&lt;br /&gt;The small company has launched its &lt;span style="font-style:italic;"&gt;FraudMAP&lt;/span&gt; 2.0 product, which models an individual account holder's activity from session to session in an attempt to detect suspicious activity inconsistent with predicted behavior.&lt;blockquote&gt;"We have more behavioral kinds of things, like do you access your 
account during the week or during the weekends,” said Tom Miltonberger, CEO of Guardian Analytics. “All those things go into the model for you so that we can predict what you might do next. There’s no single profile, there’s no single indicator, there’s no rule, if you will. It’s all very complex, multi-dimensional prediction of things that you might do, and then we’re comparing the new activity to how likely we think that would be you versus how likely we think that activity might be someone else.”&lt;/blockquote&gt;See &lt;a href="http://www.eweek.com/c/a/Security/Fighting-Identity-Theft-With-Analytics/"&gt; full article&lt;/a&gt; for more information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3774456010408576031?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3774456010408576031'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3774456010408576031'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/08/fighting-identity-theft-with-analytics.html' title='Fighting Identity Theft with Analytics'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-7129355404795778455</id><published>2008-08-18T16:03:00.000-07:00</published><updated>2008-08-18T16:21:28.080-07:00</updated><title type='text'>Officials Say Flaws at Polls Will Remain in November</title><content type='html'>&lt;a href="http://technews.acm.org/"&gt; ACM TechNews&lt;/a&gt; relays information in an article in the New York Times regarding the apparent 
failure of a federal agency to fix the flaws in voting machines used by millions of people in time for the presidential election.&lt;br /&gt;&lt;br /&gt;The Election Assistance Commission, the federal agency that oversees voting, says they will not be able to certify that flawed machines are repaired by November nor provide software fixes or upgrades given the backlog at the laboratories the commission uses.&lt;blockquote&gt;“We simply are not going to sacrifice the integrity of the certification process for expediency,” said Rosemary E. Rodriguez, the chairwoman of the commission.&lt;/blockquote&gt;  The certification process was previously performed by a volunteer program managed by the National Association of State Election Directors.  The slowdown began in February 2007 when the federal commission took over.&lt;blockquote&gt;“The problem is that the pace of innovation is outstripping the pace of regulation,” said Doug Chapin, director of the Web site set up by Pew Center on the States, electionline.org. “Federal certification is intended to help election officials manage voting technology, but right now it’s getting in the way instead.”&lt;/blockquote&gt;  Advocates for better election systems say one reason for the slowdown is that the machines are fraught with problems that should have been detected earlier and, had those problems been addressed, the current level of scrutiny would not be necessary. 
&lt;blockquote&gt;“The E.A.C., to its credit, has decided to dig their collective heels in and insist that the software and hardware be rigorously tested by professional testing labs,” said Warren Stewart, a technology expert with Vote Trust USA, a voting rights watchdog group.&lt;/blockquote&gt;&lt;br /&gt;See full article in &lt;a href="http://www.nytimes.com/2008/08/16/us/politics/16vote.html?_r=1&amp;adxnnl=1&amp;oref=slogin&amp;adxnnlx=1219100694-K+vsRk/58fqcsBmw5J1weQ"&gt; The New York Times  &lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-7129355404795778455?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7129355404795778455'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7129355404795778455'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/08/officials-say-flaws-at-polls-will.html' title='Officials Say Flaws at Polls Will Remain in November'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-5431735440323437412</id><published>2008-08-12T16:13:00.000-07:00</published><updated>2008-08-12T17:09:55.666-07:00</updated><title type='text'>Georgia Under Online Assault</title><content type='html'>The &lt;a href="http://blog.wired.com/defense/2008/08/georgia-under-o.html"&gt; WIRED BLOG NETWORK&lt;/a&gt; covers the story of the denial of service attacks that have been occurring on the websites of the government of Georgia for several weeks now, where it is apparent that Russia is behind the digital 
assault and which intensified significantly once the shooting between Russia and Georgia began. &lt;br /&gt;&lt;br /&gt;The Associated Press meanwhile reports that the Georgian President's Web site along with a Georgian television station's site have been moved to a US web hosting service in Atlanta, Georgia, although the attacks (traced to Moscow and St. Petersburg) are continuing now on the U.S. server. &lt;br /&gt;&lt;br /&gt;The RBNExploit blog, referenced as an authoritative source on this subject, is in the forefront of reporting on what &lt;a href="http://intelfusion.net/wordpress/?p=388"&gt; Intelfusion &lt;/a&gt;  is calling a "full scale cyberwar being conducted by Russia against Georgia."&lt;br /&gt;&lt;br /&gt;The Georgian news site, &lt;span style="font-style:italic;"&gt;Civil.ge&lt;/span&gt;, is under permanent attack and has switched their operations to one of Google's Blogspot domains to keep information flowing about what is going on in their country.&lt;br /&gt;&lt;blockquote&gt;"Another interesting aspect is seeing how certain countries are what I call 'cyberlocked,'" cybersecurity veteran Richard Bejtlich tells Danger Room. "We know a land-locked country has no access to the sea.  Countries like .ge [Georgia] might rely too heavily on one or a handful of connections, potentially through hostile countries (eg, .ru [Russia]), for their physical connectivity. As a result, an adversary can control their network access to the outside world. "&lt;/blockquote&gt;Estonia, once victimized by Russian hackers, is itself hosting Georgia's Ministry of Foreign Affairs website. 
To add to the mix, NPR's Ivan Watson reports that Russian planes are continually bombing cell phone towers in an efforts to knock out telecomunications networks as well.&lt;br /&gt;&lt;br /&gt;See &lt;a href="http://aidworkerdaily.com/2008/08/11/it-still-very-difficult-to-get-a-call-anywhere-around-the-country-right-now-npr/"&gt; Aid Worker Daily&lt;/a&gt; and &lt;a href="http://voices.washingtonpost.com/securityfix/2008/08/georgian_web_sites_under_attac.html?nav=rss_blog"&gt; washingtonpost.com&lt;/a&gt; for more coverage.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-5431735440323437412?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5431735440323437412'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5431735440323437412'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/08/georgia-under-online-assault.html' title='Georgia Under Online Assault'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-2389166789113098073</id><published>2008-08-08T16:14:00.000-07:00</published><updated>2008-08-08T16:39:04.124-07:00</updated><title type='text'>Hacking Ring Nabbed by US Authorities</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/08/07/0226247"&gt; Slashdot&lt;/a&gt; notes the story of catching the members of a hacking ring that stole more than 40 million credit card and debit card numbers from retail organizations in the U.S.&lt;br /&gt;&lt;br /&gt;Now charged by a Boston court with 
numerous crimes, including conspiracy, computer intrusion, fraud and identity theft, the group of eleven perpetrators allegedly hacked into nine major U.S. retailers.  The ring is also said to have sold the customer information to criminals in the U.S. and Eastern Europe, who in turn, encoded numbers on the magnetic strips of bank cards and withdrew tens of thousands of dollars from ATMs.&lt;br /&gt;&lt;br /&gt;Mike Maddison, head of security for consultancy Deloitte, said&lt;blockquote&gt;"We have seen so many data breaches recently and they all compromised large amounts of data".&lt;/blockquote&gt;Maddison said consumers need to take more responsibility for their data, adding: &lt;blockquote&gt;"They need to analyse their bank statements and call up credit check companies so they are aware of fraudsters trying to take up loan agreements."&lt;/blockquote&gt;&lt;br /&gt;See &lt;a href="http://uk.news.yahoo.com/vdunet/20080806/ttc-hacking-ring-nabbed-by-us-authoritie-6315470.html"&gt;YAHOONews &lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-2389166789113098073?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2389166789113098073'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2389166789113098073'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/08/hacking-ring-nabbed-by-us-authorities.html' title='Hacking Ring Nabbed by US Authorities'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-1426875014614110045</id><published>2008-08-07T16:28:00.000-07:00</published><updated>2008-08-08T09:45:42.201-07:00</updated><title type='text'>Faux-CNN Spam Blitz Delivers Malicious Flash</title><content type='html'>&lt;a href="http://it.slashdot.org/article.pl?sid=08/08/06/2214257"&gt;Slashdot&lt;/a&gt; points to a story appearing yesterday about the serving up of fake Flash Player software to users by more than 1000 hacked Web sites.  Users are duped into clicking on links in mail that is part of a massive spam attack masquerading as CNN.com news notifications.&lt;br /&gt;&lt;br /&gt;The bogus messages, purportedly from the CNN.com news Web site, include links to what are claimed to be the day's top 10 news stories and top 10 news video clips.   Clicking on such a link, however, brings up a dialog box that claims that an incorrect version of Flash Player has been detected and that the user needs to update to a newer version, according to Sam Masiello, vice president of MX Logic Inc.&lt;br /&gt;&lt;br /&gt;People who approved the download of the fake  flash executable file instead received a Trojan horse that in turn "phones home" to a malicious server to grab and install additional malware, said Adobe product security manager David Lenoe.&lt;br /&gt;&lt;br /&gt;See full article at &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9111858"&gt; COMPUTERWORLD Security&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-1426875014614110045?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1426875014614110045'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/25971470/posts/default/1426875014614110045'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/08/faux-cnn-spam-blitz-delivers-malicious.html' title='Faux-CNN Spam Blitz Delivers Malicious Flash'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3753096718160778090</id><published>2008-08-04T16:49:00.000-07:00</published><updated>2008-08-04T17:09:23.025-07:00</updated><title type='text'>Where To Draw the Line When Punishing Email Snooping?</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/08/03/1616205"&gt; Slashdot&lt;/a&gt; recounts a recent case of a Philadelphia TV news anchor charged with breaking into his co-anchor's email accounts.&lt;br /&gt;&lt;br /&gt;Lawrence Mendte was charged with one felony count of 'intentionally accessing a protected computer without authorization and obtaining information in furtherance of a tortious act.'&lt;br /&gt;&lt;br /&gt;News anchor Mendte, of CBS affiliate KYW-TV is accused of secretly accessing one work and two personal email accounts for co-anchor Alycia Lane between March 2007 and May 2008.&lt;blockquote&gt;"People expect that e-mail in a password-protected, personal e-mail account is private," said acting U.S. Attorney Laurie Magid. "If you think of it in the context of another era, it's no different than someone stealing your locked briefcase containing confidential information from your lawyer, prying it open and helping themselves to the contents. The mere accessing and reading of privileged information is criminal. 
This case, however, went well beyond just reading someone's e-mail."&lt;/blockquote&gt; Mendte allegedly shared private and legal information from stolen email documents with a  reporter from the Philadelphia Daily News.&lt;br /&gt;&lt;br /&gt;See &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;articleId=9110465"&gt; COMPUTERWORLD Security&lt;/a&gt; for details.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3753096718160778090?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3753096718160778090'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3753096718160778090'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/08/where-to-draw-line-when-punishing-email.html' title='Where To Draw the Line When Punishing Email Snooping?'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-5153692903104712393</id><published>2008-07-31T16:20:00.000-07:00</published><updated>2008-07-31T16:49:25.044-07:00</updated><title type='text'>IOC Admits Internet Censorship Deal With China</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/30/1551211"&gt; Slashdot&lt;/a&gt; states that some International Olympic Committee officials have cut a deal to let China block sensitive websites despite promises of unrestricted access according to a senior IOC official yesterday.&lt;br /&gt;&lt;br /&gt;Although China committed to providing media with the same freedom to report on 
the Games they'd enjoyed in previous Olympics, journalists claim to find access to sites considered sensitive to its communist leadership blocked.&lt;blockquote&gt;"I regret that it now appears BOCOG has announced that there will be limitations on website access during Games time," IOC press chief Kevan Gosper said, referring to Beijing's Olympic organizers.&lt;br /&gt;&lt;br /&gt;"I also now understand that some IOC officials negotiated with the Chinese that some sensitive sites would be blocked on the basis they were not considered Games related," he said.&lt;/blockquote&gt;&lt;blockquote&gt;"We are going to do our best to facilitate the foreign media to do their reporting work through the Internet," BOCOG spokesman Sun Weide told a news conference. "I would remind you that Falun Gong is an evil, fake religion which has been banned by the Chinese government."&lt;/blockquote&gt;Paris-based Reporters without Borders said it was becoming increasingly concerned that there would be many cases of censorship during the Olympics.&lt;br /&gt;&lt;br /&gt;See more in &lt;a href="http://www.reuters.com/article/GCA-Olympics/idUSN3039947420080730"&gt; Reuters&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-5153692903104712393?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5153692903104712393'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5153692903104712393'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/ioc-admits-internet-censorship-deal.html' title='IOC Admits Internet Censorship Deal With China'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3865919865353291806</id><published>2008-07-30T15:23:00.000-07:00</published><updated>2008-07-30T15:42:10.625-07:00</updated><title type='text'>Security Flaws In Online Banking Found to Be Widespread</title><content type='html'>&lt;a href="http://technews.acm.org/#372460"&gt; ACM TechNews&lt;/a&gt; writes that a University of Michigan study reveals that more than 75 percent of bank websites have at least one design flaw that could allow cybercriminals to either take money or identities from their customers.&lt;br /&gt;&lt;br /&gt;UM Professor Prakash and doctoral students Laura Falk and Kevin Borders examined the websites for 214 financial institutions in 2006. Prakash said that some banks may have taken steps to resolve the problems since then but that overall he still sees much need for improvement.&lt;blockquote&gt;"To our surprise, design flaws that could compromise security were widespread and included some of the largest banks in the country," Prakash said. 
"Our focus was on users who try to be careful, but unfortunately some bank sites make it hard for customers to make the right security decisions when doing online banking."&lt;br /&gt;&lt;/blockquote&gt;The FDIC says that, while relatively rare compared with financial crimes like mortgage fraud and check fraud, computer intrusion is a growing problem for banks and their customers.&lt;br /&gt;&lt;br /&gt;See complete article in &lt;a href="http://www.ns.umich.edu/htdocs/releases/story.php?id=6652"&gt; UNIVERSITY OF MICHIGAN NEWS SERVICE&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3865919865353291806?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3865919865353291806'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3865919865353291806'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/security-flaws-in-online-banking-found.html' title='Security Flaws In Online Banking Found to Be Widespread'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-716863618612511009</id><published>2008-07-29T16:05:00.000-07:00</published><updated>2008-07-29T16:25:47.859-07:00</updated><title type='text'>ISP Embarq Monitors User Traffic</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/25/232245"&gt; Slashdot&lt;/a&gt; references an article in the Washington Post about Sprint-Nextel's spin-off &lt;span style="font-style:italic;"&gt;Embarq&lt;/span&gt; monitoring Internet activity on 
close to 26,000 customers in Kansas.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Embarq&lt;/span&gt;, a regional internet company, told lawmakers last week that it notified 26,000 Internet customers in Kansas that it was conducting a target advertising test based on their Web-surfing behavior and offered them an opt-out choice.  The House of Representatives Committee on Energy and Commerce is investigating whether any privacy laws were broken.&lt;blockquote&gt;"I am still troubled by the company's failure to directly inform their consumers of the consumer data gathering test and the notion that an 'opt out' option is a sufficient standard for such sweeping data gathering," said Rep. Edward J. Markey (D-Mass.), chairman of the House subcommittee on telecommunications and the Internet.&lt;/blockquote&gt;The advertising test used deep-packet inspection technology provided by &lt;span style="font-style:italic;"&gt;NebuAd&lt;/span&gt;, a Silicon Valley company.  When installed in an ISP's network, the technology allows a window into potentially all of a consumer's online actions, from Web surfing and search terms to any unencrypted Web communication.&lt;br /&gt;&lt;br /&gt;See article in &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/07/24/AR2008072403603.html?hpid=sec-tech"&gt; washingtonpost.com&lt;/a&gt;.&lt;span style="font-style:italic;"&gt;&lt;span style="font-style:italic;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-716863618612511009?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/716863618612511009'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/716863618612511009'/><link rel='alternate' type='text/html' 
href='http://trust-news.blogspot.com/2008/07/isp-embarq-monitors-user-traffic.html' title='ISP Embarq Monitors User Traffic'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3123849800158507898</id><published>2008-07-28T15:04:00.000-07:00</published><updated>2008-07-28T15:32:18.981-07:00</updated><title type='text'>Google Caught on Private Property</title><content type='html'>In a &lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/26/2030247"&gt; Slashdot&lt;/a&gt; posting over the weekend, it was noted that Google's new &lt;span style="font-style:italic;"&gt;Street View&lt;/span&gt; coverage in Sonoma and Mendocino counties seems to trespass on private property.&lt;br /&gt;&lt;br /&gt;Google took some heat last year from privacy advocates when it launched &lt;span style="font-style:italic;"&gt;Street View&lt;/span&gt; in San Francisco, New York, Denver, Las Vegas and Miami. Some critics' concerns were assuaged when Google recently deployed a technology that blurs faces and license plates.  &lt;br /&gt;&lt;br /&gt;The latest 360-degree photos were taken all across Sonoma County, from the eastern county border to the Pacific Ocean and most all of the cities in between. Google went past a gate with a "no trespassing" sign outside Freestone and captured images on private property.  Several residences can be seen, including a close-up of someone's living room window.&lt;blockquote&gt;"I like my privacy, and this feels like an invasion of that," said Janet Tobin, who lives on the property. "My friends already know how to get here. 
I don't need the whole world coming to my door."&lt;/blockquote&gt;  Google spokeswoman Elaine Filadelfo says that the company tries to avoid photographing on private property and takes images down that are not on public roads.  However, once an image is online, it can become impossible for Google to stop their reproduction on other Web sites.&lt;blockquote&gt;"This is not the first time this incidence has come up," said Kurt Opsahl, senior staff attorney for the Electronic Frontier Foundation, an Internet watchdog group.&lt;/blockquote&gt;So far it's been rare, he said.  If Google has trespassed only twice, Opsahl says it's not a huge concern. &lt;blockquote&gt; "But if this is only the tip of the iceberg, then with each additional incident it becomes more troubling," he said.&lt;/blockquote&gt;  See full article at &lt;a href="http://www.pressdemocrat.com/article/20080726/NEWS/807260303/1350&amp;title=Smile__you_re_on_Google"&gt; PressDemocrat.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3123849800158507898?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3123849800158507898'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3123849800158507898'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/google-caught-on-private-property.html' title='Google Caught on Private Property'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-8564359765160237467</id><published>2008-07-25T16:31:00.000-07:00</published><updated>2008-07-25T16:46:08.989-07:00</updated><title type='text'>Researchers Face Jail Risk For Snooping Study</title><content type='html'>An article appeared in &lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/24/1432200"&gt;Slashdot&lt;/a&gt; about a group of researchers from the University of Colorado and the University of Washington who may face both civil and criminal penalties for a research project in which they snooped on users of the Tor anonymous proxy network.&lt;br /&gt;&lt;br /&gt;The team of two graduate students and three faculty did not seek legal review of the project, nor did they run it past the Human Subjects Committee at their universities.&lt;br /&gt;&lt;br /&gt;Should federal prosecutors pursue this, they could face up to 5 years in jail for violating the Wiretap Act.  This is the same law that groups like the ACLU and EFF sued AT&amp;T for violating when they shared customer communications with the US National Security Agency.  
AT&amp;T succeeded in obtaining retroactive immunity from Congress, but only after spending tens of millions of dollars on lobbyists.&lt;br /&gt;&lt;br /&gt;Regarding the legal issues at play here, Kevin Bankston, the EFF lawyer who wrote the Legal guide for Tor server operators and who also led the EFF's lawsuit against AT&amp;T, said&lt;blockquote&gt;"I agree that their logging the content exiting their nodes would appear to constitute interceptions of those electronic (not wire) communications under the Wiretap Act, and I don't think they qualify for the narrow provider exceptions [18 USC 2511, 2 (a) I], so I still see the same potential civil and criminal liability that was noted in our FAQ."&lt;/blockquote&gt; See full story at &lt;a href="http://news.cnet.com/8301-13739_3-9997273-46.html"&gt; cnetNEWS.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-8564359765160237467?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8564359765160237467'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8564359765160237467'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/researchers-face-jail-risk-for-snooping.html' title='Researchers Face Jail Risk For Snooping Study'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3824893647922300125</id><published>2008-07-24T15:56:00.000-07:00</published><updated>2008-07-24T16:10:29.488-07:00</updated><title type='text'>Google Blogger "hosts 2% of world's 
malware"</title><content type='html'>&lt;a href="http://it.slashdot.org/article.pl?sid=08/07/23/1821228"&gt; Slashdot&lt;/a&gt; mentions a report from the security firm Sophos stating that Google's Blogger service is responsible for 2% of the world's malware hosted on the web. The firm claims hackers are building pages on the free blogging service to host malicious code or else just post links to infected websites in other bloggers' comments.&lt;br /&gt;&lt;br /&gt;Sophos' senior technology consultant, Graham Cluley, says Blogger is worse than other blogging services because of its close ties with the search giant.&lt;blockquote&gt;"The attraction for the bad guys in targeting Blogger is that things pretty much get spidered instantly into Google, because it [Blogger] is part of Google," he says.   &lt;/blockquote&gt;&lt;br /&gt;See &lt;a href="http://www.pcpro.co.uk/news/214371/google-blogger-hosts-2-of-worlds-malware.html "&gt; PCPRO&lt;/a&gt; for details.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3824893647922300125?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3824893647922300125'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3824893647922300125'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/google-blogger-hosts-2-of-worlds.html' title='Google Blogger &quot;hosts 2% of world&apos;s malware&quot;'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-7223901499472570040</id><published>2008-07-23T16:41:00.001-07:00</published><updated>2008-07-24T08:24:35.733-07:00</updated><title type='text'>E-gold Owners Plead Guilty To Money Laundering</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/22/1434246"&gt; Slashdot&lt;/a&gt; announces that the three owners of the Internet currency service called 'e-gold' pleaded guilty to money laundering in the U.S. District Court for the D.C.&lt;br /&gt;&lt;br /&gt;Principal Director of E-Gold Douglas Jackson announced changes to the E-Gold user agreement, including a temporary suspension of new accounts. He called E-Gold more successful than most of its competitors, but also acknowledges problems with the service. &lt;br /&gt;&lt;br /&gt;One problem is E-Gold's&lt;blockquote&gt;"failure to transition from a marginal player for early adopters to a respected institution integrated into the global financial mainstream," he wrote. "E-gold's failure to emerge so far is a result of many factors but the root causes were design flaws in the account creation and provisioning logic that led to the unfortunate consequence of vulnerability to criminal abuse. Criminal abuse of the e-gold system, in turn, led to a self-reinforcing negative reputation."&lt;br /&gt;&lt;/blockquote&gt;E-Gold and its affiliate 'Gold &amp; Silver Reserve' could be fined $3.7 million at sentencing and Jackson could be sentenced to 20 years in prison and a fine of $500,000.&lt;br /&gt;&lt;br /&gt;Although the E-Gold operation was required by law to be licensed and registered as a money transmitting business, it had not done so.  
The resulting lack of required procedures fostered an atmosphere where criminals could use "e-gold" (digital currency) anonymously to further their illegal activities, the Department of Justice said.&lt;br /&gt;&lt;br /&gt;See &lt;a href="http://www.thestandard.com/news/2008/07/22/internet-currency-firm-pleads-guilty-money-laundering"&gt;The Industry Standard&lt;/a&gt; for more information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-7223901499472570040?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7223901499472570040'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7223901499472570040'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/e-gold-ownerws-plead-guilty-to-money.html' title='E-gold Owners Plead Guilty To Money Laundering'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-4627696358458920291</id><published>2008-07-22T14:34:00.000-07:00</published><updated>2008-07-22T14:52:03.461-07:00</updated><title type='text'>Google Is Watching, Perhaps Soon in Your Home</title><content type='html'>&lt;a href="http://technews.acm.org/#370613"&gt; ACM TechNews&lt;/a&gt; observes that regardless of the continual worries of privacy advocates and government officials that it knows too much, Google is after even more user data.&lt;br /&gt;&lt;br /&gt;In a recent paper, Google researcher Bill N. Schilit and computer scientists Jeonghwa Yang of Georgia Tech and David W. 
McDonald, of the University of Washington, propose "home activity recognition," or tracking people's activities at home through network interactions.&lt;blockquote&gt;"Activity recognition is a key feature of many ubiquitous computing applications ranging from office worker tracking to home health care," the paper explains. "In general, activity recognition systems unobtrusively observe the behavior of people and characteristics of their environments, and, when necessary, take actions in response -- ideally with little explicit user direction."&lt;/blockquote&gt;When applied in certain circumstances, as with the elderly, such action might be beneficial. On the other hand, others might perceive it as positively Orwellian.&lt;br /&gt;&lt;br /&gt;See details at &lt;a href="http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=208808510"&gt; InformationWeek&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-4627696358458920291?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/4627696358458920291'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/4627696358458920291'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/google-is-watching-perhaps-soon-in-your.html' title='Google Is Watching, Perhaps Soon in Your Home'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-9000824106003121156</id><published>2008-07-21T16:40:00.000-07:00</published><updated>2008-07-21T17:00:49.776-07:00</updated><title type='text'>FBI Fights Testing For False DNA Matches</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/20/0244237"&gt; Slashdot&lt;/a&gt; notes an article in the Los Angeles Times about the 2001 discovery by Arizona crime lab technician Kathryn Troyer of two felons with remarkably similar genetic profiles, so similar that they would be accepted in court as a match.  However, one of the two was white and the other was black.&lt;br /&gt;&lt;br /&gt;Although the FBI estimates the odds of unrelated people sharing those genetic markers as 1 in 113 billion, Troyer found dozens of similar matches. &lt;br /&gt;&lt;br /&gt;Several scientists and legal experts want to test the accuracy of official statistics using the nearly 6 million profiles in CODIS, the national system that incorporates most state and local databases.&lt;blockquote&gt;"DNA is terrific and nobody doubts it, but because it is so powerful, any chinks in its armor ought to be made as salient and clear as possible so jurors will not be overwhelmed by the seeming certainty of it," said David Faigman, a professor at UC Hastings College of the Law, who specializes in scientific evidence.&lt;/blockquote&gt;&lt;br /&gt;FBI officials argue that critics exaggerate or misunderstand the implications of Troyer's discoveries.&lt;blockquote&gt;"I can appreciate why the FBI is worried about this," said David Kaye, an expert on science and the law at Arizona State University and former member of a national committee that studied forensic DNA. But "people's lives do ride on this evidence," he said. 
"It has got to be explained."&lt;/blockquote&gt;&lt;br /&gt;See the full story in the &lt;a href="http://www.latimes.com/news/local/la-me-dna20-2008jul20,0,1506170,full.story"&gt; Los Angeles Times&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-9000824106003121156?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/9000824106003121156'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/9000824106003121156'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/fbi-fights-testing-for-false-dna.html' title='FBI Fights Testing For False DNA Matches'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-1314650763806160552</id><published>2008-07-18T11:42:00.000-07:00</published><updated>2008-07-18T12:06:34.957-07:00</updated><title type='text'>Schneier, UW Team Show Flaw In TrueCrypt Deniability</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/17/2043248"&gt; Slashdot&lt;/a&gt; relates how noted cryptographer Bruce Schneier and a group of researchers at the University of Washington have hacked the ultra-paranoid feature in the TrueCrypt disk encryption tool. &lt;br /&gt;&lt;br /&gt;The DFS (Deniability of File System) feature in TrueCrypt is a fairly extreme file-protection function that first encrypts the file, then hides it in an area on the disk drive that is also encrypted, sort of like a 'cloaking device'.  
However, Schneier, chief security technology officer with British Telecom, and colleagues have found that Microsoft Vista, Word, and Google Desktop can each blow the cover for these files that use the DFS feature.&lt;br /&gt;&lt;br /&gt;Schneier says that DFS is actually easier to hack than encryption and that there may be no way to really make files undetectable on a hard drive.  &lt;blockquote&gt;“Deniability is a much harder security feature to enable than secrecy,” he says.&lt;/blockquote&gt;  The researchers discovered that Windows Vista shortcuts can give away the existence of a hidden file, Google Desktop exposes hidden files in TrueCrypt versions below 6.0 and the auto-save feature of Word saves versions of hidden files.&lt;br /&gt;&lt;br /&gt;See more at &lt;a href="http://www.darkreading.com/document.asp?doc_id=159192"&gt; Dark Reading&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-1314650763806160552?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1314650763806160552'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1314650763806160552'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/schneier-uw-team-show-flaw-in-truecrypt.html' title='Schneier, UW Team Show Flaw In TrueCrypt Deniability'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-4339536914018154979</id><published>2008-07-16T16:09:00.000-07:00</published><updated>2008-07-16T16:24:14.248-07:00</updated><title 
type='text'>Cybercrime Organizational Structures Evolve</title><content type='html'>&lt;a href="http://it.slashdot.org/article.pl?sid=08/07/15/1342216"&gt; Slashdot&lt;/a&gt; writes of the latest findings in a report by Finjan's &lt;span style="font-style:italic;"&gt;Malicious Code Research Center&lt;/span&gt; (MCRC) about the structural change in cybercrime organization.  Loosely organized groups of hackers trading stolen data have been replaced by hierarchical cybercrime operations that deploy sophisticated pricing models and Crimeware business models.&lt;br /&gt;&lt;br /&gt;These organizations are comprised of strict hierarchies where each cybercriminal is rewarded according to his position and task.&lt;br /&gt;&lt;br /&gt;For more info, see &lt;a href="http://www.net-security.org/secworld.php?id=6325"&gt; HELP NET SECURITY&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-4339536914018154979?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/4339536914018154979'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/4339536914018154979'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/cybercrime-organizational-structures.html' title='Cybercrime Organizational Structures Evolve'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-8442942766518430753</id><published>2008-07-15T15:50:00.000-07:00</published><updated>2008-07-15T16:11:11.399-07:00</updated><title type='text'>When the Phone 
Goes With You, Everyone Else Can Tag Along</title><content type='html'>&lt;a href="http://technews.acm.org/"&gt; ACM TechNews&lt;/a&gt; says that while the launch of the 3G iPhone emphasizes the increasing sophistication of the cellphone and mobile device industries, it also generates some privacy concerns.&lt;br /&gt;&lt;br /&gt;The iPhone blends GPS functions with the Internet to create a capability that not only pinpoints location, but displays nearby attractions. This feature could help merchants target ads, insurance adjusters calibrate premiums, or parents keep track of children. Another result of this feature is that the consumer shares that location information with network providers, social Web sites, law enforcement and/or others who could track everywhere the consumer has been.&lt;blockquote&gt;"There's a disconnect between our expectations of when we will be observed and who will be observing us and how that information will be used and what the technology is allowing companies to do," says University of Southern California law professor Jennifer Urban. &lt;/blockquote&gt;The big issues are transparency and user control, said James X. Dempsey of the Center for Democracy and Technology.&lt;blockquote&gt;"How easy is it for the user to turn the location function on and off, and how easy it is for the user to delete past location information?" he said. "What are the companies collecting? Who are they sharing it with? How long do they store it? And what control does the consumer have over the information? These are the fundamental questions." 
&lt;/blockquote&gt;See full article at &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/07/11/AR2008071103296.html"&gt; washingtonpost.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-8442942766518430753?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8442942766518430753'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8442942766518430753'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/when-phone-goes-with-you-everyone-else.html' title='When the Phone Goes With You, Everyone Else Can Tag Along'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-4723954232437410415</id><published>2008-07-14T14:28:00.000-07:00</published><updated>2008-07-14T15:26:37.291-07:00</updated><title type='text'>ACLU Files Lawsuit Challenging FISA</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/13/1254223"&gt; Slashdot&lt;/a&gt; posts links to coverage of the federal lawsuit the American Civil Liberties Union filed just hours after Bush signed the expansion of the &lt;span style="font-style:italic;"&gt;Foreign Intelligence Surveillance Act&lt;/span&gt; into law.&lt;br /&gt;&lt;br /&gt;By passing the FISA Amendments Act, Congress has given the executive branch of the U.S. 
government the power to order Google, AT&amp;T and Yahoo to forward all email, phone calls and text messages to it where one party to any conversation is thought to be overseas.&lt;br /&gt;&lt;br /&gt;The ACLU is suing on behalf of journalists and human rights groups.  While longtime foreign correspondent Christopher Hedges admits that surveillance is nothing new to journalists, he also says &lt;blockquote&gt;"There is a lot of monitoring that goes on especially when you are overseas.  But this creates a further erosion in my ability to work as a journalist."&lt;/blockquote&gt;The Electronic Frontier Foundation, at the forefront of the still-continuing lawsuits against the nation's telecoms, will challenge the provision in the bill that gives retroactive amnesty to telecoms that are currently being sued for helping the government spy on Americans without having warrants.&lt;blockquote&gt;"We are also preparing a new case against the government for its warrantless wiretapping, past, present and future," said EFF senior staff attorney Kevin Bankston, who said the details were being withheld to keep the element of surprise.&lt;/blockquote&gt;&lt;br /&gt;See details in &lt;a href="http://blog.wired.com/27bstroke6/2008/07/aclu-challenges.html"&gt;Wired&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-4723954232437410415?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/4723954232437410415'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/4723954232437410415'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/aclu-files-lawsuit-challenging-fisa.html' title='ACLU Files Lawsuit Challenging FISA'/><author><name>Mary 
Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-6635209905970205423</id><published>2008-07-09T16:39:00.000-07:00</published><updated>2008-07-09T17:05:55.111-07:00</updated><title type='text'>Telecom Immunity Bill Hides Spying Provisions</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/08/1713205"&gt; Slashdot&lt;/a&gt; mentions an analysis in &lt;span style="font-style:italic;"&gt;ars technica&lt;/span&gt; of the new FISA bill that has been receiving much attention of late, with the particularly alarming realization that the bill loosens current protections on domestic wiretapping.&lt;br /&gt;&lt;br /&gt;The &lt;span style="font-style:italic;"&gt;ars technica &lt;/span&gt;article expounds on the dramatic expansion of the government's ability to wiretap without any real judicial oversight while also giving the fed unprecedented additional latitude in choosing eavesdropping targets on anything, not just terrorist-related activities. Basically, the FISA Amendments Act of 2008 opens up such huge loopholes to the feds that the telecom immunity issues are somewhat trivialized by comparison. The new legislation stretches the judicial process out so much that in many cases, the federal government would be able to finish its surveillance activities before the courts have even decided whether they're legal.&lt;br /&gt;&lt;br /&gt;So far, the only determined opposition is a small group of Senators led by Chris Dodd and Russ Feingold, who have managed to stall the legislation for a couple of weeks.&lt;blockquote&gt;"By blocking a vote on the Foreign Intelligence Surveillance Act (FISA), the fight to stop retroactive immunity goes on -- for another week anyway"  said Dodd. 
"The Senate will take the bill up again this week as it returns from the July 4th recess."&lt;/blockquote&gt;&lt;br /&gt;For the complete article, see &lt;a href="http://arstechnica.com/articles/culture/fisa-compromise.ars"&gt; ars technica&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-6635209905970205423?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6635209905970205423'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6635209905970205423'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/telecom-immunity-bill-hides-spying.html' title='Telecom Immunity Bill Hides Spying Provisions'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3934751414425684265</id><published>2008-07-08T16:15:00.000-07:00</published><updated>2008-07-08T16:36:50.241-07:00</updated><title type='text'>Firefox Users Most Secure on Internet, Study Shows</title><content type='html'>&lt;a href="http://tech.slashdot.org/Firticle.pl?sid=08/07/07/0350239"&gt; Slashdot&lt;/a&gt; links to an article about the study "Understanding the Web browser threat: Examination of vulnerable online Web browser populations and the 'insecurity iceberg'," whose aim was to analyze web browser preferences and behavior by people using the Internet. 
The study, a collaboration among researchers at the Swiss Federal Institute of Technology, Google and IBM Internet Security Services, offers a comprehensive analysis of Web browsers, particularly with regard to security.&lt;br /&gt;&lt;br /&gt;Firefox users were by far the most likely to use the latest version, with 83.3 percent running an updated browser on any given day.  The study also revealed that 65.3 percent of Safari users were likely to be running the latest version and that Microsoft Internet Explorer users ranked dead last in terms of safe browsing.&lt;blockquote&gt;"With today's hostile Intent and drive-by download attack vectors, failure to apply patches promptly or missing them entirely is a recipe for disaster; exposing the host to infection and possibly subsequent data disclosure or loss," said researchers.&lt;/blockquote&gt;&lt;br /&gt;See&lt;a href="http://www.crn.com/security/208802248"&gt; Channel Web&lt;/a&gt; for details.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3934751414425684265?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3934751414425684265'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3934751414425684265'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/firefox-users-most-secure-on-internet.html' title='Firefox Users Most Secure on Internet, Study Shows'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-1353428175150617822</id><published>2008-07-07T15:37:00.000-07:00</published><updated>2008-07-07T15:54:41.708-07:00</updated><title type='text'>ICANN Loses Control of Its Own Domain Names</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/05/2138229"&gt; Slashdot&lt;/a&gt; notes an AP story picked up by CBCNEWS.ca about ICANN losing control over two of their own domain names on June 26th.  Apparently a domain registrar in an internet registration company overseen by ICANN (Internet Corporation for Assigned Names and Numbers) transferred the domains to somebody else. While the attack was noticed very quickly and ICANN's domain names were restored within 20 minutes, many internet directories retain information for a day or two and visitors may have been redirected to an unauthorized site for longer.&lt;br /&gt;&lt;br /&gt;The ICANN &lt;a href="http://www.icann.org/en/announcements/announcement-03jul08-en.htm"&gt;press release&lt;/a&gt; about the incident states that: &lt;blockquote&gt;'The DNS redirect was a result of an attack on ICANN's registrar's systems. 
A full, confidential, security report from that registrar has since been provided to ICANN with respect to this attack.'&lt;br /&gt;&lt;br /&gt;&lt;/blockquote&gt;For further information, see &lt;a href="http://www.cbc.ca/technology/story/2008/07/04/icann-pwned.html"&gt;CBCnews.ca&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-1353428175150617822?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1353428175150617822'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1353428175150617822'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/icann-loses-control-of-its-own-domain.html' title='ICANN Loses Control of Its Own Domain Names'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-2690396695019878619</id><published>2008-07-03T14:57:00.000-07:00</published><updated>2008-07-03T15:53:11.038-07:00</updated><title type='text'>More Than 630,000 Laptops Lost at Airports Each Year (June 30, 2008)</title><content type='html'>&lt;a href="https://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&amp;issue=52#sID200"&gt; SANS&lt;/a&gt; reports that a study commissioned by Dell reveals the loss of nearly 637,000 laptops at some of the largest and medium-sized U.S. airports every year.   &lt;br /&gt;&lt;br /&gt;According to the Ponemon Institute,  chosen to conduct the survey, laptops are most commonly lost at security checkpoints. 
The chaos in going through security checkpoints can make it easy for travelers to lose track of their laptops, making it "fertile ground for theft," the FTC said.&lt;br /&gt;&lt;br /&gt;Dell is launching a suite of data protection and asset recovery services, including GPS.  The data protection services include an ability to remotely delete data on a hard drive as well as services for recovering data from failed hard drives.&lt;br /&gt;&lt;br /&gt;See the &lt;a href="http://www.dell.com/downloads/global/services/dell_lost_laptop_study.pdf"&gt; complete study&lt;/a&gt; for more information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-2690396695019878619?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2690396695019878619'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2690396695019878619'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/more-than-630000-laptops-lost-at.html' title='More Than 630,000 Laptops Lost at Airports Each Year (June 30, 2008)'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-2108885212152543997</id><published>2008-07-02T16:49:00.001-07:00</published><updated>2008-07-02T16:56:26.695-07:00</updated><title type='text'>Cisco, IBM, Intel, Juniper and Microsoft Fight Cyber Terror Together</title><content type='html'>&lt;a href="http://technews.acm.org/#368969"&gt; ACM TechNews&lt;/a&gt; flags a NetworkWorld article about the formation of the Industry Consortium for Advancement of 
Security on the Internet (ICASI) by Cisco, IBM, Intel, Juniper, and Microsoft.&lt;br /&gt;&lt;br /&gt;The intent is to respond faster to multi-product security threats which pose problems for both the vendor and the end user.&lt;blockquote&gt; “To date there has not been a trusted vendor environment that allows companies to identify, assess, and mitigate multi-product, global security challenges together on the customers' behalf,” the group says in a statement. “ICASI aims to fill this void.” &lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;See complete article in &lt;a href="http://www.networkworld.com/news/2008/062707-icasi-cyber-terror.html"&gt; Network World&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-2108885212152543997?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2108885212152543997'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2108885212152543997'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/cisco-ibm-intel-juniper-and-microsoft.html' title='Cisco, IBM, Intel, Juniper and Microsoft Fight Cyber Terror Together'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-3811573192316403258</id><published>2008-07-01T16:19:00.000-07:00</published><updated>2008-07-01T16:44:28.851-07:00</updated><title type='text'>FBI's New Eye Scan Database Raising Eyebrows</title><content type='html'>&lt;a href="http://developers.slashdot.org/article.pl?sid=08/06/30/171246"&gt; Slashdot&lt;/a&gt; writes that 
the FBI has confirmed to Popular Mechanics that it isn't just palm prints they're adding to criminal records. The agency is also preparing to expand its repository of photos as part of a new biometric software system that stores millions of iris scans and could be the basis of facial recognition.&lt;br /&gt;&lt;br /&gt;The FBI's Next Generation Identification (NGI) system, contracted with Lockheed Martin for $1 billion over 10 years, would create an unparalleled database of biometric markers, as with facial images and iris scans. NGI could be as useful as DNA some day.  To privacy advocates, this represents a dual threat, one as advancing toward a police state and the other as a most attractive collection of personal data to be pillaged by cybercriminals.&lt;br /&gt;&lt;br /&gt;See full article in &lt;a href="http://www.popularmechanics.com/technology/military_law/4270770.html"&gt; Popular Mechanics&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-3811573192316403258?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3811573192316403258'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/3811573192316403258'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/07/fbis-new-eye-scan-database-raising.html' title='FBI&apos;s New Eye Scan Database Raising Eyebrows'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-1877040974693318136</id><published>2008-06-27T14:59:00.000-07:00</published><updated>2008-06-27T15:28:07.081-07:00</updated><title type='text'>Crooks Nab Citibank ATM Codes, Steal Millions</title><content type='html'>&lt;a href="http://news.slashdot.org/article.pl?sid=08/06/26/1932233"&gt; Slashdot&lt;/a&gt; recounts how Citibank is reissuing ATM cards on the heels of a server breach where hackers stole customer PIN codes. Wired magazine published two related articles about the FBI's arrest of 10 people allegedly involved in stealing over $2 million from Citibank checking and savings accounts, two of whom were Ukrainian immigrants, each caught with $800,000 in cash stashed in boxes in their homes.&lt;br /&gt;&lt;br /&gt;The ATM crime caper is apparently the first to be publicly linked to the breach of a major US Bank's systems, say experts.&lt;blockquote&gt;"We've never heard of PINs coming out of the bank environment," says Dan Clements, CEO of the fraud watchdog company CardCops, who monitors crime forums for stolen information. 
&lt;/blockquote&gt;&lt;br /&gt;See complete details at &lt;a href="http://blog.wired.com/27bstroke6/2008/06/citibank-atm-se.html"&gt; WIRED ThreatLevel&lt;/a&gt; on June 18th and &lt;a href="http://blog.wired.com/27bstroke6/2008/06/fbi-arrests-six.html"&gt; WIRED ThreatLevel&lt;/a&gt; on June 24th.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-1877040974693318136?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1877040974693318136'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1877040974693318136'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/06/crooks-nab-citibank-atm-codes-steal.html' title='Crooks Nab Citibank ATM Codes, Steal Millions'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-7358049263137269173</id><published>2008-06-26T16:29:00.000-07:00</published><updated>2008-06-26T16:46:01.144-07:00</updated><title type='text'>Senate Hearing On Laptop Seizures At US Border</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/06/25/010206"&gt; Slashdot&lt;/a&gt; notes that at a senate hearing, privacy advocates and industry groups will press lawmakers to take action to protect the privacy of Americans returning home to the United States.&lt;br /&gt;&lt;br /&gt;According to travel and privacy analysts scheduled to testify before a Senate panel today, U.S. 
Customs and Border Patrols' routine of seizing laptop computers and other electronic devices from American travelers returning to the United States without notifying them of what will happen to the data could negatively affect the U.S. economy.&lt;br /&gt;&lt;br /&gt;Peter Swire, chief counselor for privacy under President Bill Clinton, said he plans to tell the subcommittee how laptop searches are similar to the failed encryption policies of the 1990s.&lt;blockquote&gt;“The government policy violates good security practices,” he said. “It asks for password and encryption keys, which people are trained to never reveal. It violates privacy, chills free speech and compromises business secrets."&lt;/blockquote&gt;See details at &lt;a href="http://www.nextgov.com/nextgov/ng_20080624_3037.php"&gt; nextgov&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-7358049263137269173?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7358049263137269173'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7358049263137269173'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/06/senate-hearing-on-laptop-seizures-at-us.html' title='Senate Hearing On Laptop Seizures At US Border'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-8244866584420029458</id><published>2008-06-23T15:11:00.000-07:00</published><updated>2008-06-23T15:36:19.189-07:00</updated><title type='text'>US Court Disconnects Canadian Domain Name 
Scammers</title><content type='html'>A post ran in &lt;a href="http://yro.slashdot.org/article.pl?sid=08/06/17/1755229"&gt; Slashdot&lt;/a&gt; about an order by a US District judge to halt the illegal practices of Canadian operators posing as domain name registrars who, according to the Federal Trade Commission, send bogus bills to thousands of U.S. small businesses and nonprofit organizations for the annual "Website Address Listing". Many businesses, believing that they would lose their website addresses, pay the invoice.&lt;br /&gt;&lt;br /&gt;The FTC says that the Toronto-based &lt;span style="font-style:italic;"&gt;Internet Listing Service&lt;/span&gt; has been sending fake invoices since 2004 and that most consumers have not received any domain name registration services.  &lt;br /&gt;&lt;br /&gt;For the complete story, see the article by the &lt;a href="http://www.ftc.gov/opa/2008/06/ils.shtm"&gt; Federal Trade Commission&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-8244866584420029458?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8244866584420029458'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/8244866584420029458'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/06/us-court-disconnects-canadian-domain.html' title='US Court Disconnects Canadian Domain Name Scammers'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-5237619211906575599</id><published>2008-06-20T16:12:00.000-07:00</published><updated>2008-06-20T16:37:17.455-07:00</updated><title type='text'>New Intrusion Tolerance Software Fortifies Server Security</title><content type='html'>&lt;a href="http://technews.acm.org/#367399"&gt; ACM TechNews&lt;/a&gt; reports that researchers at George Mason University have developed a nonreactive approach for dealing with intrusion detection and prevention.  &lt;br /&gt;&lt;br /&gt;Arun Sood, professor of computer science and director of the Laboratory of Interdisciplinary Computer Science, and Yin Huang, senior research scientist in the Center for Secure Information Systems, make the assumption that someone is trespassing on computer servers. Their approach limits the time of continuous connectivity to the Internet and uses virtualization technology to create duplicate servers, so that an online server is periodically cleansed and restored to a known clean state, regardless of whether an intrusion has actually occurred or been detected. &lt;br /&gt;&lt;br /&gt;In creating Self Cleansing Intrusion Tolerance (SCIT), Sood and Huang achieve the goal of limiting the exposure time of the server to the Internet.&lt;blockquote&gt;“This approach of regular cleansings, when coupled with existing intrusion prevention and detection systems, leads to increased overall security,” says Sood. “We know that intrusion detection systems can detect sudden increases in data throughput from a server, so to avoid detection, hackers steal data at low rates. SCIT interrupts the flow of data regularly and automatically, and the data ex-filtration process is interrupted every cleansing cycle. 
Thus, SCIT, in partnership with intrusion detection systems, limits the volume of data that can be stolen.”  &lt;/blockquote&gt; See &lt;a href="http://eagle.gmu.edu/newsroom/display.php?rid=689&amp;keywords="&gt;George Mason University News&lt;/a&gt; for further information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-5237619211906575599?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5237619211906575599'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5237619211906575599'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/06/new-intrusion-tolerance-software.html' title='New Intrusion Tolerance Software Fortifies Server Security'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-2747319035976557128</id><published>2008-06-19T14:45:00.000-07:00</published><updated>2008-06-19T15:06:00.558-07:00</updated><title type='text'>Can Computer Scientist Dream Team Clean Up E-Voting?</title><content type='html'>An entry in &lt;a href="http://technews.acm.org/"&gt; ACM TechNews&lt;/a&gt; states that the Center for Correct, Usable, Reliable, Auditable, and Transparent Elections (ACCURATE) has received a $7.5 million National Science Foundation award to bring the latest research, insight, and innovation from the lab to the voting booth, making e-voting systems more secure.&lt;br /&gt;&lt;br /&gt;The organization of computer experts from across the country and academic disciplines find areas that need additional research 
and determine how to apply existing technology and research findings to voting systems.&lt;br /&gt;&lt;br /&gt;One such tool is the open source AttackDog, a threat modeling system developed by David Dill, Co-PI and Professor at Stanford University. According to Dill, AttackDog is a good example of how the ACCURATE project uses computer science tools and techniques to help local officials improve the security of their elections.&lt;blockquote&gt; "It's using computers to get a grip on problems that are too complex for the mind to understand unaided," Dill says.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;See full article at &lt;a href="http://www.networkworld.com/community/node/28655"&gt; NETWORKWORLD&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-2747319035976557128?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2747319035976557128'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2747319035976557128'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/06/can-computer-scientist-dream-team-clean.html' title='Can Computer Scientist Dream Team Clean Up E-Voting?'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-1757527756359386337</id><published>2008-06-18T15:58:00.000-07:00</published><updated>2008-06-18T16:30:27.485-07:00</updated><title type='text'>Nuclear Warhead Blueprints On Smuggler's Computers</title><content type='html'>&lt;a 
href="http://it.slashdot.org/article.pl?sid=08/06/16/0440225"&gt;Slashdot &lt;/a&gt; reports that, according to leading US researcher David Albright, blueprints for a sophisticated and compact nuclear warhead have been found in computers belonging to the nuclear smuggling network run by rogue Pakistani nuclear scientist Abdul Qadeer Khan.  The designs, found in heavily encrypted computer files in Switzerland, are supposed to be in the possession of U.S. authorities and the International Atomic Energy Agency in Vienna.  Investigators fear, however, that they could have been extensively copied to "rogue" states within the nuclear black market.&lt;br /&gt;&lt;br /&gt;Albright, a physicist, former UN weapons inspector and authority on the nuclear smuggling ring run by Khan, said that the "construction plans" included previously undisclosed designs for a compact warhead that could fit Iran's medium-range ballistic missiles.&lt;blockquote&gt;"These advanced nuclear weapons designs may have long ago been sold off to some of the most treacherous regimes in the world," wrote Albright. 
&lt;/blockquote&gt;  For more information see &lt;a href="http://www.nytimes.com/2008/06/15/world/asia/15nuke.html?pagewanted=1&amp;_r=1&amp;partner=rssnyt&amp;emc=rss"&gt; this article&lt;/a&gt; in the New York Times, as well as another report in &lt;a href="http://www.guardian.co.uk/world/2008/jun/16/nuclear.pakistan"&gt; guardian.co.uk &lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-1757527756359386337?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1757527756359386337'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/1757527756359386337'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/06/nuclear-warhead-blueprints-on-smugglers.html' title='Nuclear Warhead Blueprints On Smuggler&apos;s Computers'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-7295350138259840028</id><published>2008-06-16T16:38:00.000-07:00</published><updated>2008-06-16T16:53:39.137-07:00</updated><title type='text'>EFF To Fight Border Agent Laptop Searches</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/06/13/1133208"&gt; Slashdot&lt;/a&gt; notes that the Electronic Frontier Foundation (EFF) and the Association of Corporate Travel Executives have filed an amicus brief requesting that the 9th Circuit Court of Appeals rehear and reverse a three-judge ruling that permits border agents to routinely search files on laptops and mobile devices.&lt;br /&gt;&lt;blockquote&gt;The random searching of 
laptops is "widespread," said Lee Tien, senior staff attorney with the EFF. The U.S. Department of Justice "claims that U.S. border agents have the power to do so, no suspicion needed, and there are plenty of reported incidents," he added. &lt;/blockquote&gt;  Tien noted that there have been multiple media reports in recent months of laptops or other electronic devices being searched or seized at U.S. borders.  In some cases, customs officials have not returned the electronic devices to travelers.&lt;br /&gt;&lt;br /&gt;See details at &lt;a href="http://www.infoworld.com/article/08/06/12/Groups_ask_court_to_review_laptop_searches_1.html"&gt; InfoWorld.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-7295350138259840028?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7295350138259840028'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7295350138259840028'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/06/eff-to-fight-border-agent-laptop.html' title='EFF To Fight Border Agent Laptop Searches'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-6982533761558868572</id><published>2008-06-13T15:57:00.000-07:00</published><updated>2008-06-13T16:56:35.037-07:00</updated><title type='text'>Data Breach Study Spanning 500 Break-Ins Released</title><content type='html'>&lt;a href="http://it.slashdot.org/article.pl?sid=08/06/12/0322227"&gt; Slashdot&lt;/a&gt; presents a link to a report from Verizon Business 
that is a summary of what they found in 500 forensic investigations involving 230 million records, with an analysis of hundreds of corporate breaches including 3 of the 5 largest ever reported.&lt;br /&gt;&lt;br /&gt;The 2008 Data Breach Investigations Report covers four years and, as the first-of-its-kind study, found that 73 per cent of breaches came from external sources versus 18 per cent from insider threats.&lt;blockquote&gt;“Security breaches and the compromise of sensitive information are very real and growing concerns for organizations worldwide,” said Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions. “This report can help companies better understand data breaches – how they occur and the commonalities that exist. Most importantly, it urges organizations to be proactive in their approach to security -- the absolute key to safeguarding data.” &lt;/blockquote&gt;&lt;br /&gt;See complete article at &lt;a href="http://www.verizonbusiness.com/about/news/displaynews.xml?newsid=25135&amp;mode=vzlong&amp;lang=en&amp;width=530"&gt; verizonbusiness.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-6982533761558868572?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6982533761558868572'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6982533761558868572'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/06/data-breach-study-spanning-500-break.html' title='Data Breach Study Spanning 500 Break-Ins Released'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-6366161987126271161</id><published>2008-06-12T16:32:00.000-07:00</published><updated>2008-06-12T16:43:46.759-07:00</updated><title type='text'>Chinese Government Accused of Hacking Congress</title><content type='html'>A &lt;a href="http://it.slashdot.org/article.pl?sid=08/06/11/2218223"&gt;Slashdot&lt;/a&gt; post from yesterday says that Chinese hacking is getting serious Congressional attention.&lt;br /&gt;&lt;br /&gt;Two House members said that their Capitol Hill computers, which have information about political dissidents from all over the world, had been hacked by parties apparently working out of China. Both lawmakers have been longtime critics of China's record on human rights.  One of them, Virginia Rep. Frank Wolf, says the hacking of computers in his Capitol Hill office started in August 2006.&lt;br /&gt;&lt;br /&gt;Wolf suggested the problem is probably even larger. 
&lt;blockquote&gt; "If it's been done in the House, don't you think that they're doing the same thing in the Senate?"&lt;/blockquote&gt;  See full article at &lt;a href="http://news.yahoo.com/s/ap/20080611/ap_on_go_co/china_hacking_12"&gt; Yahoo News.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-6366161987126271161?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6366161987126271161'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/6366161987126271161'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/06/chinese-government-accused-of-hacking.html' title='Chinese Government Accused of Hacking Congress'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-2590400291774463046</id><published>2008-06-11T16:54:00.000-07:00</published><updated>2008-06-11T17:08:48.508-07:00</updated><title type='text'>TSA Bans Flight If You Refuse To Show ID</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/06/10/0057202"&gt; Slashdot&lt;/a&gt; notes CNET's article regarding a press release issued recently by the Transportation Security Administration announcing that passengers refusing to show ID will no longer be able to fly.&lt;blockquote&gt;"Beginning Saturday, June 21, 2008 passengers that willfully refuse to provide identification at security checkpoint will be denied access to the secure area of airports. 
This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity."&lt;/blockquote&gt;  However, passengers claiming to have lost or forgotten their proof of identity will still be able to fly. To clarify: Passengers who refuse to show ID, citing a constitutional right to fly without ID, will be refused passage beyond the checkpoints. Passengers who say they have left their ID at home will be searched and then permitted to board their flights.&lt;br /&gt;&lt;br /&gt;In other words, TSA's new rules only protect us from a non-existent breed of terrorist who is unable to tell a lie...&lt;br /&gt;&lt;br /&gt;See more at &lt;a href="http://news.cnet.com/8301-13739_3-9962760-46.html?tag=nefd.top"&gt; cnet NEWS.com.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-2590400291774463046?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2590400291774463046'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2590400291774463046'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/06/tsa-bans-flight-if-you-refuse-to-show.html' title='TSA Bans Flight If You Refuse To Show ID'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-2845643472315594296</id><published>2008-06-09T19:43:00.001-07:00</published><updated>2008-06-09T20:07:27.601-07:00</updated><title type='text'>ID Theft In US Continues Apace Despite Data Breach 
Laws</title><content type='html'>A &lt;a href="http://yro.slashdot.org/article.pl?sid=08/06/08/2015215"&gt; Slashdot&lt;/a&gt; posting from yesterday points to an article in TechWorld about Carnegie Mellon researchers' published analysis of the ineffectiveness of data breach notification laws adopted by 43 US states.&lt;blockquote&gt;"There doesn't seem to be any evidence that the laws actually reduce identity theft," said Sasha Romanosky, a Ph.D student at Carnegie Mellon who is one of the paper's authors. &lt;/blockquote&gt; Nevertheless, they did find that other factors, such as the state's population, gross domestic product and fraud rate did have a significant effect on identity theft rates. &lt;br /&gt;&lt;br /&gt;Gartner analyst Avivah Litan points out that it is hard to draw conclusions from the data because FTC reports are incomplete. She notes that while breach laws have made front-page news out of lost laptops, most companies respond to tighter laws and regulations by concentrating on compliance rather than on security.&lt;br /&gt;  &lt;br /&gt;Often, that's not good enough to protect customers from ID theft, she said.&lt;blockquote&gt;"If you just meet the letter of the law you may pass an audit, but you have to pass the spirit of the law." 
&lt;br /&gt;&lt;/blockquote&gt;See &lt;a href="http://www.techworld.com.au/article/223578/researchers_say_notification_laws_us_lowering_id_theft?fp=2&amp;fpid=-1"&gt; Techworld&lt;/a&gt; for more information.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-2845643472315594296?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2845643472315594296'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2845643472315594296'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/06/id-theft-in-us-continues-apace-despite.html' title='ID Theft In US Continues Apace Despite Data Breach Laws'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-4419759130647660653</id><published>2008-06-03T15:21:00.000-07:00</published><updated>2008-06-03T15:52:37.506-07:00</updated><title type='text'>China's Cyber-Militia</title><content type='html'>&lt;a href="http://it.slashdot.org/article.pl?sid=08/05/31/1722227"&gt; Slashdot&lt;/a&gt; posted an article about the cover story in the current issue of &lt;span style="font-style:italic;"&gt;National Journal &lt;/span&gt;that is an in-depth report on China's cyber-aggression toward US government, military, and business networks.&lt;br /&gt;&lt;br /&gt;While China's cyber-warfare actions have been discussed on numerous occasions in the past, this report suggests that Chinese cyber-attackers may have been involved in major power outages in the US.  
&lt;br /&gt;&lt;br /&gt;To wit, computer hackers in China, including those working on behalf of the Chinese government and military, have gained access to electric power plants in the United States, possibly triggering two recent widespread blackouts in Florida and the Northeast. &lt;br /&gt;&lt;br /&gt;For a discussion of China's People's Liberation Army's likely involvement in the outages, see &lt;a href="http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php"&gt; National Journal Magazine&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-4419759130647660653?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/4419759130647660653'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/4419759130647660653'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/06/chinas-cyber-militia.html' title='China&apos;s Cyber-Militia'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-2337563581334111111</id><published>2008-05-29T16:41:00.000-07:00</published><updated>2008-05-29T16:52:12.786-07:00</updated><title type='text'>Conference Takes on Tech's Future</title><content type='html'>&lt;a href="http://technews.acm.org/"&gt;ACM TechNews&lt;/a&gt; posts an article from last weekend's San Jose Mercury News about participants at this year's Computers, Freedom and Privacy Conference.  
Some of the issues that resurfaced at ACM's 4-day conference concerned government data collection, network neutrality, intellectual property, and patents.   The conference also focused on the construction of an open letter to the next president of the United States, calling for more thoughtful attention to technology.&lt;br /&gt;&lt;br /&gt;Another area of concern was content filtering by internet service providers.&lt;br /&gt;For details, see &lt;a href="http://www.mercurynews.com/businessheadlines/ci_9368515?nclick_check=1"&gt; MercuryNews.com&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-2337563581334111111?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2337563581334111111'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2337563581334111111'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/05/conference-takes-on-techs-future.html' title='Conference Takes on Tech&apos;s Future'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-5398136418158068441</id><published>2008-05-27T15:49:00.000-07:00</published><updated>2008-05-27T16:08:12.131-07:00</updated><title type='text'>Canadian Domain Name Registrants To Get More Privacy</title><content type='html'>An anonymous reader wrote to &lt;a href="http://yro.slashdot.org/article.pl?sid=08/05/25/1639204"&gt;Slashdot&lt;/a&gt; about the change in Canada's WHOIS policy for better protection of domain name registrants.&lt;br /&gt;&lt;br /&gt;The existing 
WHOIS search system provides the domain owner's name, home address, phone number and e-mail address.  The Canada Internet Registration Authority seeks to change such ease of access by June 10th, when new privacy policies are instituted that will protect private information from public eyes.&lt;br /&gt;&lt;br /&gt;Michael Geist, law professor at the University of Ottawa and Canada Research Chair of Internet and E-commerce Law, says it is a treasure trove for spammers.&lt;blockquote&gt;"We're talking about one of the largest freely available online directories of personal information in the country," he said.&lt;/blockquote&gt;Those who already own domain names will not enjoy the luxury of privacy immediately, but any edits to information after June 10th will not be publicly available. See complete article in &lt;a href="http://canadianpress.google.com/article/ALeqM5gBOrhHurTB0tEUyCBNXclu1m8W-w"&gt;THE CANADIAN PRESS&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-5398136418158068441?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5398136418158068441'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/5398136418158068441'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/05/canadian-domain-name-registrants-to-get.html' title='Canadian Domain Name Registrants To Get More Privacy'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-7311981035948796052</id><published>2008-05-23T10:45:00.000-07:00</published><updated>2008-05-23T11:24:20.907-07:00</updated><title type='text'>US Firms Read Employee E-mail On a Massive Scale</title><content type='html'>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/05/22/1215204"&gt; Slashdot&lt;/a&gt; posts a link to an article about companies that employ staff to read and/or analyze content in outbound e-mail.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.proofpoint.com/news-and-events/"&gt; Proofpoint&lt;/a&gt; found in its fifth-annual study of outbound e-mail data loss prevention issues, that large companies continue to sustain risks from, and take action against, information leaks in outbound e-mail. In fact, 41% of the largest companies surveyed claim to employ staff to read outbound e-mail and 22% of them employ staff &lt;span style="font-style:italic;"&gt;exclusively&lt;/span&gt; for that purpose.&lt;br /&gt;&lt;br /&gt;Outbound e-mail continues to be a key source of risk for U.S. businesses with a record 44% of surveyed companies reporting an investigation of an e-mail leak of confidential information in the past 12 months. 
&lt;br /&gt;&lt;br /&gt;See complete article at &lt;a href="http://www.net-security.org/secworld.php?id=6149"&gt; HELP NET SECURITY&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-7311981035948796052?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7311981035948796052'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/7311981035948796052'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/05/us-firms-read-employee-e-mail-on.html' title='US Firms Read Employee E-mail On a Massive Scale'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-2448236837533578485</id><published>2008-05-22T15:53:00.000-07:00</published><updated>2008-05-22T16:24:16.008-07:00</updated><title type='text'>Inside Lockheed Martin's Wireless Security Lab</title><content type='html'>&lt;a href="http://technews.acm.org/"&gt; ACM Technews&lt;/a&gt; ran an article about Lockheed Martin's Wireless Cyber Security Lab, which is racing against hackers to catch flaws and vulnerabilities in wireless security.&lt;blockquote&gt;"We're trying to ensure that something similar [to 9/11] doesn't happen in the realm of wireless communications," says lab director John Morrison.&lt;/blockquote&gt;&lt;br /&gt;Perri Nejib, CTO for Lockheed Martin Information Systems, says the biggest emerging wireless security threat is the blurring of the boundary between home and the office, as employees increasingly access company data via corporate VPNs from their 
homes.&lt;br /&gt;&lt;br /&gt;To address this issue, the company has been testing numerous types of consumer technology, including cell phones, which have been moving to enterprise networks. The spread of Wi-Fi hot spots has been of particular concern because of the technology's growing ubiquity in urban areas. Oftentimes users will connect to unsecured networks without realizing that they're at risk.&lt;br /&gt;&lt;br /&gt;See complete article at &lt;a href="http://www.networkworld.com/news/2008/051908-lockheed-martin-wireless-security-lab.html"&gt; NETWORKWORLD&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-2448236837533578485?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2448236837533578485'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2448236837533578485'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/05/inside-lockheed-martins-wireless.html' title='Inside Lockheed Martin&apos;s Wireless Security Lab'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry><entry><id>tag:blogger.com,1999:blog-25971470.post-2567612861852594154</id><published>2008-05-21T16:12:00.000-07:00</published><updated>2008-05-21T16:28:53.956-07:00</updated><title type='text'>New 'Phlashing' Attack Sabotages Hardware</title><content type='html'>&lt;a href="http://hardware.slashdot.org/article.pl?sid=08/05/20/1248231"&gt;Slashdot&lt;/a&gt; writes about a new type of denial-of-service attack that damages a system so severely that it must be replaced or the hardware must be 
reinstalled.&lt;br /&gt;&lt;br /&gt;Called 'Phlashing', this &lt;span style="font-style:italic;"&gt;permanent&lt;/span&gt; denial-of-service (PDOS) attack can be launched remotely.&lt;blockquote&gt;“We aren't seeing the PDOS attack as a way to mask another attack, such as malware insertion, but [as] a logical and highly destructive extension of the DDOS criminal extortion tactics seen in use today,” says Rich Smith, head of research for offensive technologies &amp; threats at HP Systems Security Lab. &lt;/blockquote&gt;  Smith will show how network-enabled systems firmware is vulnerable to remote PDOS attacks this week at the EUSecWest security conference in London.&lt;br /&gt;&lt;br /&gt;See related article in &lt;a href="http://www.darkreading.com/document.asp?doc_id=154270&amp;WT.svl=news1_1"&gt;darkREADING&lt;/a&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/25971470-2567612861852594154?l=trust-news.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2567612861852594154'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/25971470/posts/default/2567612861852594154'/><link rel='alternate' type='text/html' href='http://trust-news.blogspot.com/2008/05/new-phlashing-attack-sabotages-hardware.html' title='New &apos;Phlashing&apos; Attack Sabotages Hardware'/><author><name>Mary Stewart</name><uri>http://www.blogger.com/profile/12297903454408422755</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author></entry></feed>
