In Passing: Tony Snow
June 1, 1955 – July 12, 2008
Evan Schuman writes on StorefrontBacktalk:
Bill Homa, who just stepped down July 1 as the CIO for the 165-store Hannaford grocery chain, considers Microsoft's OS to be "so full of holes" and describes the fact that current PCI regs do not require end-to-end encryption as "astonishing."
More here.
But Homa's key point is that most retailers handle security backwards: Don't pour everything into protecting the front door. Assume they'll get through and have a plan to control them once they're inside.
One of the most frustrating IT security realities in retail today is the quintessential oxymoron: the more serious the CIO is about keeping data secure and the more sophisticated a defense is deployed, the more points of vulnerability emerge.
"Even if you believe the entertainment industry, broadband providers and the government have both the best of intentions and the absolute right to do these kinds of monitoring activity, the fact that encryption will make it so those who don't want to be monitored can hide means that it's only going to become more popular."
"And, at that point, it only makes the efforts by the entertainment industry, the broadband providers and the government that much more useless -- because all that monitoring they've pushed to do will not only be nearly impossible, but they've also lost the trust and respect of all those users/customers/constituents."
- Mike Masnick, writing over at techdirt.com.
An AP newswire article by John Dunbar, via WTOP.com, reports that:
The chairman of the Federal Communications Commission will recommend that the nation's largest cable company be punished for violating agency principles that guarantee customers open access to the Internet.
More here.
The potentially precedent-setting move stems from a complaint against Comcast Corp. that the company had blocked Internet traffic among users of a certain type of software that allowed them to exchange large amounts of data.
Martin told The Associated Press late Thursday that "the commission has adopted a set of principles that protects consumers' access to the Internet." He said the commission "found that Comcast's actions in this instance violated our principles."
Alice Lipowicz writes on Washington Technology:
Unisys Corp. has filed a protest with the Government Accountability Office objecting to being left off the list of finalist bidders for the estimated $2 billion contract for the Transportation Security Administration's Information Technology Infrastructure Program.
More here.
The company, based in Blue Bell, Pa., has been lead contractor on the project since its inception in 2002. The new contract is a follow-on to the original work.
Ryan Singel writes on Threat Level:
The American Civil Liberties Union filed suit Thursday over a controversial wiretapping law, challenging the constitutionality of the expanded spy powers Congress granted to the president on Wednesday.
More here.
The federal lawsuit was filed with the court just hours after Bush signed the bill into law.
The ACLU is suing on behalf of journalist and human rights groups, asking the court to put a halt to Congress's legalization of Bush's formerly secret warrantless wiretapping program. The ACLU contends the expanded spying power violates the Constitution's prohibition on unreasonable searches and seizures.
Brian Krebs writes on Security Fix:
Sun Microsystems has issued updates for its ubiquitous Java software to plug multiple security holes. Of particular interest in this bundle is a fix that prevents attackers from exploiting vulnerabilities in older versions of the software.
More here.
Why is this a big deal, you ask? Aren't patches designed to fix vulnerabilities in older versions of the software? Well, yes, but as Security Fix has lamented time and again, Sun's updates are notorious for leaving older versions of the software lying all over the user's machine.
William Jackson writes on GCN.com:
The National Institute of Standards and Technology has released draft versions of three publications for public comment.
More here.
They include new publications on hash algorithms and Bluetooth security and a revised version of firewall guidelines.
Wyatt Kash writes on GCN.com:
The vision of adapting next-generation Internet technologies in the Defense Department is gaining new urgency as businesses, and employees, increasingly embrace Web-based social networking applications. But the horizon for what some call the Defense 2.0 era appears a long way off as culture, inertia, and IT security concerns that grow only more complicated in a Web 2.0 world continue to challenge military IT leaders.
More here.
The gap between vision and reality was plainly evident as senior DOD officials and industry experts debated the implications of Web 2.0 technologies yesterday at a conference held by the Information Technology Association of America.
More Mark Fiore brilliance.
Via The San Francisco Chronicle.
"Fifty years from now, American history students will apparently have no problem obtaining priceless documents like Elvis Presley's handwritten letter to President Nixon. But anybody doing research on White House emails from the past few years might reasonably conclude that David Copperfield was in charge of our nation's electronic record-keeping."
- Michael Smallberg, writing on The Project On Government Oversight (POGO) Blog.
Martin H. Bosworth writes on ConsumerAffairs.com:
In the wake of revelations that Comcast regularly shaped and blocked customer access to Internet services, the company announced today that it was partnering with Internet phone company Vonage to "address reasonable network management" and prevent Vonage customers from being knocked offline by Comcast.
More here.
"This agreement helps Vonage to ensure that customers have the best possible Internet experience," said Vonage chief technology officer Louis Mamakos.
Natalie Everett writes in The Gilroy Dispatch:
Morgan Hill's official city Web site has been hacked three times in the past three months, most recently this weekend.
More here.
As a result of one such attack, a link in the site's What's New section took users to a blank page with the single word: "hacker."
Aside from this signature, the hacking of the city's web site has mostly consisted of information removed, or even replaced with gibberish. The hardest-hit parts of the site are the more frequently updated sections, like What's New and council and redevelopment agency agendas.
City officials have had enough.
So what's the city doing to remedy the problem? They're changing web hosts, from San Martin-based South Valley Internet to Manhattan, Kansas-based Civic Plus, a server specializing in municipal Web sites, and will unveil a $33,000 new site with upgraded security features on the new host in August.
An AP newswire article by Joelle Tessler, via SFGate.com, reports that:
Microsoft Corp. and Google Inc. told lawmakers Wednesday that Congress should pass basic privacy legislation to protect information about consumers, such as the data being gathered about people's Web surfing habits in order to pinpoint Internet advertising.
More here.
At a Senate Commerce Committee hearing on online advertising, representatives of the two technology rivals said meaningful privacy rules should be based on three core principles: Consumers should be clearly notified what information is being collected about them; people should control how that information is used; and such data should be secured to ensure it does not fall into the wrong hands.
Bruce Kelly writes on Investment News:
For the second time in a year, LPL Financial has experienced a major technology snafu, this time reporting that hackers "compromised" the logon passwords of 14 financial advisers and four assistants.
More here.
The hackers’ goal was to use the passwords to gain access to customer accounts in order to "pump and dump" penny stocks.
The incidents, which began last July, affected 10,219 clients, Boston-based LPL said in a letter dated May 6 to Maryland Attorney General Douglas F. Gansler.
Valuable private client information was at stake, Keith H. Fine, senior vice president and associate counsel of LPL wrote in the letter, as the hackers potentially could get their hands on clients’ unencrypted names, addresses and Social Security numbers.
Michael Isikoff and Mark Hosenball write on Newsweek.com:
The White House has rejected House Speaker Nancy Pelosi's pick for a newly created U.S. government civil liberties board--a move that may doom efforts to get the panel up and running while President Bush remains in office.
More here.
Without any public announcement, the White House recently sent a letter to Capitol Hill stating it would nominate only one of two names recommended by congressional leaders to sit on the five-member civil liberties panel. The candidate whose name it would not forward: Morton Halperin, a veteran and sometimes controversial civil liberties advocate who has a famous role in the history of modern debates over government wiretapping. While serving on the National Security Council during the early days of the Nixon administration, Halperin's phone was secretly wiretapped by the FBI because his then boss, Henry Kissinger, suspected he was leaking to the press.
Roy Mark writes on eWeek:
After a morning of fiery debate, the U.S. Senate voted July 9 to grant retroactive immunity to telephone companies that participated in the White House's warrantless domestic spying program. The 69-28 vote came after the Senate defeated three amendments all aimed at either removing or modifying the immunity provision in the Foreign Intelligence Surveillance Act.
More here.
Democratic presidential hopeful Barack Obama voted for the three amendments to let civil lawsuits proceed against the carriers but voted for the overall bill. Presumptive Republican presidential nominee John McCain was not present for the vote.
The U.S. House approved the legislation June 20. The bill now heads to President Bush, who is expected to sign it.
The bill essentially provides the telephone companies legal protection from more than 40 civil lawsuits claiming the carriers provided customer telephone and e-mail records of millions of U.S. citizens -- often without a warrant or subpoena -- to the government.
Hundreds of police, firefighters, paramedics and even utility workers have been trained and recently dispatched as "Terrorism Liaison Officers" in Colorado and a handful of other states to hunt for "suspicious activity" — and are reporting their findings into secret government databases.
More here.
It's a tactic intended to feed better data into terrorism early-warning systems and uncover intelligence that could help fight anti-U.S. forces. But the vague nature of the TLOs' mission, and their focus on reporting both legal and illegal activity, has generated objections from privacy advocates and civil libertarians.
"Suspicious activity" is broadly defined in TLO training as behavior that could lead to terrorism: taking photos of no apparent aesthetic value, making measurements or notes, espousing extremist beliefs or conversing in code, according to a draft Department of Justice/Major Cities Chiefs Association document.
All this is anathema to opponents of domestic surveillance.
Ellen Nakashima writes in The Washington Post:
The United States is negotiating deals with European countries to exchange fingerprint and DNA data in criminal and terrorist cases, and in some circumstances to transfer data on race or ethnic origin, political and religious beliefs, or sexual orientation.
More here.
Such agreements are a condition for granting citizens of newer European Union member states the right to enter the United States without visas, and for maintaining that right for older E.U. members. U.S. citizens already enjoy such a right when traveling to Europe.
Senior Bush administration officials said the data exchange is crucial for spotting dangerous people before they enter the United States and for furthering criminal and terrorist investigations.
Sometime late last year, an employee of a McLean investment firm decided to trade some music, or maybe a movie, with like-minded users of the online file-sharing network LimeWire while using a company computer. In doing so, he inadvertently opened the private files of his firm, Wagner Resource Group, to the public.
More here.
That exposed the names, dates of birth and Social Security numbers of about 2,000 of the firm's clients, including a number of high-powered lawyers and Supreme Court Justice Stephen G. Breyer.
The breach was not discovered for nearly six months. A reader of washingtonpost.com's Security Fix blog found the information while searching LimeWire in June.
Some of the government's top scientists were forced by Vice President Cheney's office to downplay the health dangers of global warming when testifying before Congress, a former senior EPA official said Tuesday.
More here.
The White House denies any coverup and the agencies involved say they still got their message across.
Jason Burnett, 31, who resigned last month as the Environmental Protection Agency's associate deputy administrator, refused to name who forced the deletion of health concerns.
The testimony was part of an October Senate hearing on the impact of global warming.
Kevin Lackey writes on Digital Bond:
The classic definition of the cornerstones of information security is:
More here.
- Confidentiality, meaning that the data that you send or receive can not be read by others.
- Integrity, the data is valid, has not been tampered with and originates from the authentic source.
- Availability, the data is available when it is needed.
When we apply these criteria to control system environments we see that only one of these elements, availability, is present. Control systems were designed with availability as the overriding criterion, to such an extent that, because of the nature of the environments in which they existed in the past, they seemingly ignore the other two criteria.
The majority of control systems do a very poor job with data confidentiality and integrity. This is especially true when these criteria are applied to the huge legacy system install base.
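As an added illustration of the integrity gap described above (example code written for this post, not from the Digital Bond article), here is a plaintext write-register command of the kind legacy field protocols carry, beside the same command in an authenticated envelope; the frame layout, key and register numbers are constructed.

```python
"""Added example, not from the Digital Bond article: a plaintext write-register
command of the kind legacy field protocols carry, beside the same command in an
authenticated envelope (HMAC-SHA256 over a sequence counter plus the frame).
Frame layout, key and register numbers are constructed for illustration."""
import hashlib
import hmac
import struct

# Constructed shared key; a real deployment provisions one per device.
KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = 32


def build_plain_write(unit: int, register: int, value: int) -> bytes:
    """unit id, function code 6 (write single register), address, value."""
    return struct.pack(">BBHH", unit, 6, register, value)


def parse_plain_write(frame: bytes) -> dict:
    """A bare frame carries nothing that lets the receiver detect alteration."""
    unit, func, register, value = struct.unpack(">BBHH", frame)
    return {"unit": unit, "function": func, "register": register, "value": value}


def wrap_authenticated(frame: bytes, seq: int, key: bytes = KEY) -> bytes:
    """Prefix a 32-bit counter and append an HMAC over counter + frame.
    Confidentiality is still absent: the frame itself travels in the clear."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + frame, hashlib.sha256).digest()
    return header + frame + tag


class Receiver:
    """Checks the tag and rejects replays with a strictly increasing counter."""

    def __init__(self, key: bytes = KEY):
        self.key = key
        self.last_seq = -1

    def accept(self, envelope: bytes):
        if len(envelope) < 4 + TAG_LEN:
            return None, "too short"
        header, body, tag = envelope[:4], envelope[4:-TAG_LEN], envelope[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            return None, "bad tag"
        (seq,) = struct.unpack(">I", header)
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return parse_plain_write(body), "ok"


def demo() -> dict:
    """Alter the value field of a command both ways and see which one is caught."""
    plain = build_plain_write(unit=1, register=17, value=75)
    tampered = plain[:-2] + struct.pack(">H", 9999)      # value 75 -> 9999
    results = {}
    # No integrity check: the altered command parses as a valid write.
    results["plain_tampered_value"] = parse_plain_write(tampered)["value"]
    rx = Receiver()
    env = wrap_authenticated(plain, seq=1)
    results["auth_ok"] = rx.accept(env)[1]
    # The same alteration inside the envelope fails the tag check.
    results["auth_tampered"] = rx.accept(env[:4] + tampered + env[-TAG_LEN:])[1]
    # Re-sending the original valid envelope fails the counter check.
    results["auth_replay"] = rx.accept(env)[1]
    # A fresh command with the next counter value goes through.
    results["auth_next"] = rx.accept(wrap_authenticated(plain, seq=2))[1]
    return results
```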
Ben Bain writes on FCW.com:
The National Archives and Records Administration hasn't been sufficiently overseeing agencies’ records management programs, according to government auditors. Meanwhile, a bill that would revamp federal records laws to focus on electronic messages and expand NARA’s oversight powers faces resistance from the Bush administration.
More here.
The House is expected on July 9 to consider legislation that would create mandatory minimum requirements for electronic records management systems to be used by federal agencies and require agencies to preserve electronic communications in an electronic format. The measure would also have NARA set standards for the management of presidential records, including specific standards for managing electronic messages.
Ryan Singel writes on Threat Level:
The Bush administration's and the Senate's push to free the nation's telecoms from anti-wiretapping lawsuits has grown increasingly important as the judge controlling all the cases made it clear in a ruling last week that he found the administration's secret eavesdropping program was unconstitutional.
More here.
The ruling from federal district court chief Judge Vaughn Walker colored the debate Tuesday morning as the Senate began a day of talking about expanding the government's blanket wiretapping powers and granting retroactive amnesty to phone and internet companies that helped the government warrantlessly spy on Americans for five years.
Wilson P. Dizard III writes on GCN.com:
Upgrading a data center is a big job under any circumstances, but managers at the FBI’s Criminal Justice Information Services (CJIS) division have a real challenge — overhauling a 100,000-square-foot data center while the facility continues to provide around-the-clock data services to police agencies, civil organizations and private companies.
More here.
The data center, part of a bucolic campus on almost 1,000 acres of hills and hollows near Clarksburg, W.Va., uses a fleet of mainframes and servers and thousands of miles of cabling. Its upgrade might be likened to replacing the engines of a jumbo jet while in flight, so careful planning and precise execution are essential.
The makeover, known as the realignment project, is designed to accommodate ever-increasing demands for processing and data storage driven partly by unfolding efforts to combat terrorism. Biometric services required by legislation that mandates background checks for teachers, bank employees and other workers are one source of the increased demand.
Thomas Bush, the bureau’s assistant director in charge of CJIS, said another of the most pressing new processing demands arises from work to mesh so-called flat fingerprint records held by the Homeland Security Department with rolled-fingerprint data.
Robert Vamosi writes on the C|Net "D3F3NS3 1N D3PTH" Blog:
A security researcher has responsibly disclosed a fundamental flaw within the Domain Name System (DNS), the addressing scheme behind the common names used on the Internet. Currently, it may be possible to guess these transaction ID values in advance and assert a malicious server as the authoritative DNS server for a popular bank or e-commerce site. The news was announced Tuesday.
More here.
Dan Kaminsky, director of penetration testing services for IOActive, found the DNS flaw earlier this year. Rather than sell the vulnerability, as some researchers have done, Kaminsky decided instead to gather the affected parties and discuss it with them first. Without disclosing any technical details, he said, "the severity is shown by the number of people who've gotten onboard with this patch."
He declined to name the flaw as that would give away details.
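To show why a guessable 16-bit transaction ID matters on the resolver side, here is an added example (written for this post, not from the C|Net piece or from Kaminsky's work) of the matching a stub resolver performs before trusting a reply: the outstanding query is recorded under a random source port and ID, and a response is accepted only when ID, port and question section all match, which is the check the coordinated patch strengthened by randomizing the source port. Packet bytes, names and ports are constructed.

```python
"""Added example (not from the C|Net post or from Kaminsky's work): the
resolver-side matching that the coordinated patch strengthened.  A stub
resolver records each outstanding query under (source port, transaction ID)
and accepts a reply only when header ID, destination port and question
section all match.  Packets, names and ports here are constructed."""
import secrets
import struct

QR_FLAG = 0x8000                 # header flag bit: 1 = response
EPHEMERAL_PORTS = 65536 - 1024   # ports 1024..65535


def encode_qname(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(data: bytes, offset: int):
    """Inverse of encode_qname (no compression pointers); returns (name, end)."""
    labels = []
    while True:
        n = data[offset]
        offset += 1
        if n == 0:
            break
        labels.append(data[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels) + ".", offset


def build_header(txid: int, flags: int) -> bytes:
    # id, flags, qdcount, ancount, nscount, arcount
    return struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)


def guess_space(port_randomized: bool) -> int:
    """Distinct (port, id) pairs a forged reply must hit: 2^16 with a fixed
    source port, about 2^16 * 64512 once the port is randomized as well."""
    return (1 << 16) * (EPHEMERAL_PORTS if port_randomized else 1)


class PendingQueries:
    """Outstanding-query table of a stub resolver."""

    def __init__(self):
        self.table = {}

    def send(self, qname: str):
        """Pick a random 16-bit ID and a random ephemeral source port."""
        qname = qname.rstrip(".") + "."
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(EPHEMERAL_PORTS)
        self.table[(port, txid)] = qname
        question = encode_qname(qname) + struct.pack(">HH", 1, 1)  # type A, class IN
        return port, txid, build_header(txid, 0x0100) + question

    def accept(self, dst_port: int, packet: bytes) -> str:
        """Decide whether a reply arriving on dst_port belongs to a live query."""
        if len(packet) < 12:
            return "reject: short"
        txid, flags = struct.unpack(">HH", packet[:4])
        if not flags & QR_FLAG:
            return "reject: not a response"
        key = (dst_port, txid)
        if key not in self.table:
            return "reject: no matching query"
        qname, _ = decode_qname(packet, 12)
        if qname != self.table[key]:
            return "reject: question mismatch"
        del self.table[key]          # one reply per query
        return "accept"


def demo() -> dict:
    """A genuine reply is accepted; replies with a guessed ID but the wrong port,
    a wrong ID, or a different question are rejected."""
    pq = PendingQueries()
    port, txid, query = pq.send("www.example.com.")
    question = query[12:]
    results = {"genuine": pq.accept(port, build_header(txid, 0x8180) + question)}
    port, txid, query = pq.send("www.example.com.")
    question = query[12:]
    results["right_id_wrong_port"] = pq.accept(port ^ 1, build_header(txid, 0x8180) + question)
    results["wrong_id"] = pq.accept(port, build_header(txid ^ 1, 0x8180) + question)
    other = encode_qname("www.example.net.") + struct.pack(">HH", 1, 1)
    results["wrong_question"] = pq.accept(port, build_header(txid, 0x8180) + other)
    results["query_as_reply"] = pq.accept(port, query)
    results["genuine_again"] = pq.accept(port, build_header(txid, 0x8180) + question)
    return results
```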
More Mark Fiore brilliance.
Via The San Francisco Chronicle.
Timothy B. Lee writes on Ars Technica:
Last month, the House of Representatives passed the FISA Amendments Act of 2008, Congress's latest response to President Bush's demands for expanded eavesdropping authority. The Democratic leadership, seemingly intent on avoiding real debate on the proposal, scheduled the final vote just a day after the bill was introduced in the House. Touted by Democratic leaders as a "compromise," it was supported almost unanimously by House Republicans and opposed by a majority of Democrats.
More here.
The 114-page bill was pushed through the House so quickly that there was no real time to debate its many complex provisions. This may explain why the telecom immunity provision has received so much attention in the media: it is much easier to explain to readers not familiar with the intricacies of surveillance law than the other provisions. But as important as the immunity issue is, the legislation also makes many prospective changes to surveillance law that will profoundly impact our privacy rights for years to come.
Specifically, the new legislation dramatically expands the government's ability to wiretap without meaningful judicial oversight, by redefining "oversight" so that the feds can drag their feet on getting authorization almost indefinitely. It also gives the feds unprecedented new latitude in selecting eavesdropping targets, latitude that could be used to collect information on non-terrorist-related activities like P2P copyright infringement and online gambling. In short, the FISA Amendments Act of 2008 opens up loopholes so large that the feds could drive a truck loaded down with purloined civil liberties through them. So the telecom immunity stuff is just the smoke; let's take a look at the fire.
As of Monday, July 7, 2008, at least 4,114 members of the U.S. military have died in the Iraq war since it began in March 2003, according to an Associated Press count.
More here and here.
The figure includes eight military civilians killed in action. At least 3,353 died as a result of hostile action, according to the military's numbers.
As of Monday, July 7, 2008, at least 468 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures June 28 at 10 a.m. EDT.
Of those, the military reports 331 were killed by hostile action.
An AP newswire article, via USA Today, reports that:
The Justice Department is considering letting the FBI investigate Americans without any evidence of wrongdoing, relying instead on a terrorist profile that could single out Muslims, Arabs or other racial or ethnic groups.
More here.
Law enforcement officials say the proposed policy would help them do what Congress demanded after the Sept. 11, 2001, attacks: root out terrorists before they strike.
Although President George W. Bush has disavowed targeting suspects based on race or ethnicity, the new rules would allow the FBI to consider those factors among a number of traits that could trigger national security investigations.
Currently, FBI agents need specific reasons, such as evidence or allegations that a law probably has been violated, to investigate U.S. citizens and legal residents. The new policy, law enforcement officials told The Associated Press, would let agents open preliminary terror investigations after mining public records and intelligence to build a profile of traits that, taken together, could be deemed suspicious.
Among the factors that could make someone subject to investigation is travel to regions of the world known for terrorist activity or access to weapons or military training, along with the person's race or ethnicity.
Bradley Olson writes in The Baltimore Sun:
With Congress on the verge of outlining new parameters for National Security Agency eavesdropping between suspicious foreigners and Americans, lawmakers are leaving largely untouched a host of government programs that critics say involve far more domestic surveillance than the wiretaps they sought to remedy.
More here.
These programs - most of them highly classified - are run by an alphabet soup of federal intelligence and law enforcement agencies. They sift, store and analyze the communications, spending habits and travel patterns of U.S. citizens, searching for suspicious activity.
The surveillance includes data-mining programs that allow the NSA and the FBI to sift through large databanks of e-mails, phone calls and other communications, not for selective information, but in search of suspicious patterns.
Other information, like routine bank transactions, is kept in databases similarly monitored by the Central Intelligence Agency.
Deborah Gage writes in The San Francisco Chronicle:
A Colorado woman logged on to her computer in April, voted on a CNN poll, shopped for airline tickets and calculated payments for a $25,000 car loan from Wells Fargo.
More here.
She didn't suspect that a malicious software program was recording every keystroke - frequent-flier numbers and passwords, her home address and phone number, an online conversation she was having with some friends.
But it was, and months after authorities were alerted to the breach and disabled the server in Malaysia where her data were being stored, the information was still available online - in a Google search.
The woman, who asked not to be named, was shocked to receive a call from a Chronicle reporter asking if she recognized the personal information, which had been crawled and stored by Google as Google caches all unprotected data it finds on the Web.
Noah Shachtman writes on Danger Room:
The FBI has had all sorts of embarrassing infrastructure issues, in recent years: G-men without e-mail, computers gone missing, crook-catching database projects falling apart. The latest insult comes from a Senate Appropriations Committee report, which notes that the Bureau's headquarters "does not meet the... criteria for a secure Federal facility capable of handling intelligence and other sensitive information."
More here.
The FBI "has the lead responsibility for domestic surveillance of foreign intelligence and suspected terrorist targets. So it seems like a rather crippling defect that the J. Edgar Hoover Building... cannot satisfy government standards for storage and use of classified intelligence records," Secrecy News' Steven Aftergood observes, ever-so-dryly.
Gregg Keizer writes on ComputerWorld:
The international organization that oversees the Web's top-level domain naming system said that the hijacking last month of several of its domains was the result of a security breach at the registrar that manages those URLs.
More here.
Although it did not name the registrar explicitly, according to WHOIS searches, New York-based Register.com manages the domains that were redirected, as well as the primary ICANN.org and IANA.org domains.
Two weeks ago, Turkish hackers rerouted traffic to some of the domains used by the Internet Corporation for Assigned Names and Numbers (ICANN) and one of its subsidiary organizations, the Internet Assigned Numbers Authority (IANA).
Kevin Poulsen writes on Threat Level:
We've all seen companies duck questions about a data breach by claiming that they'd love to talk, but they're cooperating with an ongoing criminal investigation, and thus are sworn to secrecy.
More here.
But Cardtronics, which owns the 7-Eleven ATMs implicated in a massive leak of PIN codes and millions of dollars in lost Citibank cash, treads new ground with this press release, which wields the exact opposite logic: they aren't cooperating in a criminal investigation, and therefore have nothing to say.
Sarah Lai Stirland writes on Threat Level:
Netroots activists who helped Barack Obama to become the Democratic party's presumptive presidential nominee are unmoved by the senator's explanation of his change of heart on a pending bill regarding warrantless wiretapping. The Obama campaign posted the senator's thoughts on the legislation on the eve of Independence Day, and members of his policy team answered questions for an hour and a half.
More here.
"My biggest disappointment is the intellectual disappointment over the shoddiness of the legal analysis that's coming from these statements," says Jon Pincus, a Seattle-area technology strategist and civil liberties activist. Pincus has helped round up 20,000 people using the Obama campaign's social networking tool my.BarackObama.com to ask the senator to reconsider his position. (The group was started just 11 days ago.)
An AP newswire article, via CNN.com, reports that:
Rant all you want in a public park. A police officer generally won't eject you for your remarks alone, however unpopular or provocative.
More here.
Say it on the Internet, and you'll find that free speech and other constitutional rights are anything but guaranteed.
Companies in charge of seemingly public spaces online wipe out content that's controversial but otherwise legal. Service providers write their own rules for users worldwide and set foreign policy when they cooperate with regimes like China. They serve as prosecutor, judge and jury in handling disputes behind closed doors.
The governmental role that companies play online is taking on greater importance as their services -- from online hangouts to virtual repositories of photos and video -- become more central to public discourse around the world. It's a fallout of the Internet's market-driven growth, but possible remedies, including government regulation, can be worse than the symptoms.
Brian Krebs writes on Security Fix:
Microsoft today issued stopgap instructions for plugging a previously unknown security hole that hackers are currently using to break into Windows computers via the Internet Explorer (IE) Web browser.
More here.
The problem, once again, is with a faulty ActiveX control. ActiveX is a Windows technology that works through IE and allows Web sites to add software to the user's computer or interact with components in the Windows operating system. In this case, the insecure component is an ActiveX control called "Snapshot Viewer," which ships with all versions of Microsoft Office 2000, Office 2002, and Office 2003. The flawed ActiveX control is also shipped with the standalone Snapshot Viewer.
Microsoft warns that merely browsing with IE to a malicious (or hacked) Web site that exploits this vulnerability could be enough to compromise your system.
The German state of Bavaria has approved laws that allow the police to plant spyware on the computers of suspected terrorists. While German federal laws restrict the government to infecting computers with email, Bavarian laws allow police to enter a suspect’s home to physically infect the machine. According to The Register, Bavarian interior minister Joachim Herrmann “gave short shrift to [privacy] objections, stating that Bavaria is leading the field in ‘internal security’ in becoming the first German state to approve the plan.”
More here.
This step taken by the Bavarian government counters a ruling earlier this year by Judge Hans-Juergen Papier in North Rhine-Westphalia. He opined that under regular circumstances spying on individuals was unconstitutional, and that permission of a judge would be required prior to implementing this type of surveillance during extreme situations.
Tim Wilson writes on Dark Reading:
Last week's attacks on more than 300 Lithuanian government Websites were the product of a coordinated effort by a group of politically motivated Russian hackers who hope to work together on other exploits in the future, a researcher says.
More here.
According to a report in Thursday's Washington Post, researchers at iDefense have spotted hacker groups using Internet forums and blasting spam emails to spotlight a manifesto called "Hackers United Against External Threats to Russia," which calls for an expansion of the targets to include Ukraine, the rest of the Baltic states, and "flagrant" Western nations for supporting the expansion of NATO.
One hacker Website, hack-wars.ru, appeared to take a central role in organizing the attacks, iDefense told The Post. "They said they wanted to offer training and coordination so that whenever they want to attack someone online they have a force of soldiers ready to go," iDefense analyst Kimberly Zenz said. "They want to unite Russian hackers into an organized political hack force."