Friday, April 16, 2010

Yahoo! Beats Feds in e-Mail Privacy Battle

David Kravets writes on Threat Level:

Yahoo prevailed Friday over Colorado federal prosecutors in a legal battle testing whether the Constitution’s warrant requirements apply to Americans’ e-mail.

According to the Electronic Frontier Foundation, the government withdrew its demands for e-mail in a pending criminal case, a move ending litigation over the hotly contested issue concerning when a warrant under the Fourth Amendment is required for Yahoo and other e-mail providers to release consumer communications to the authorities.

“The government has withdrawn its application, claiming that it no longer needs the information for its investigation,” Kevin Bankston, an EFF attorney, said by e-mail.

The brouhaha concerned a 1986 law that already allows the government to obtain a suspect’s e-mail from an internet service provider or webmail provider without a probable-cause warrant, once it’s been stored for 180 days or more. The government contended, and then backed off Friday, that it could get e-mail under 180 days old if that e-mail has been read by the owner, and the Constitution’s Fourth Amendment protections don’t apply.

More here.

Thursday, April 15, 2010

Final Conspirator in Credit Card Hacking Ring Gets 5 Years

Kim Zetter writes on Threat Level:

Damon Patrick Toey, the “trusted subordinate” to TJX hacker Albert Gonzalez, was sentenced in Boston on Thursday to 5 years in prison.

He also received a $100,000 fine and three years’ supervised release, according to the Justice Department.

Toey, 25, helped Gonzalez breach the networks of numerous companies through SQL injection attacks in 2007 and 2008 and also served as a vendor selling stolen card data. Upon his arrest in May 2008, he provided information that investigators say likely helped persuade Gonzalez to plead guilty last year to what prosecutors are calling the most serious and largest identity-theft crimes ever prosecuted.

Toey was the last of six U.S. defendants sentenced for the crimes. In all, federal judges have handed out nearly 38 years against Gonzalez and his crew, with Gonzalez getting the stiffest sentence by far.

More here.

In Passing: Dr. Benjamin Hooks

Benjamin Hooks
January 31, 1925 - April 15, 2010

Wednesday, April 14, 2010

SCADA Watch: Security Incidents Rise In Industrial Control Systems

Kelly Jackson Higgins writes on Dark Reading:

While only about 10 percent of industrial control systems are actually connected to the Internet, these systems that run water, wastewater, and utility power plants have suffered an increase in cybersecurity incidents over the past five years.

A new report based on data gathered by the Repository of Industrial Security Incidents (RISI) database provides a rare look at trends in malware infections, hacks, and insider attacks within these traditionally cloistered operations. Cybersecurity incidents in petroleum and petrochemical control systems have declined significantly over the past five years -- down more than 80 percent -- but water and wastewater have increased 300 percent, and power/utilities by 30 percent, according to the 2009 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems.

The database logs security incidents in process control, SCADA, and manufacturing systems, and gathers voluntary submissions from victim companies as well as from news or other reports.

Nearly half of all security incidents were due to malware infections -- viruses, worms, and Trojans, according to the report. With only a fraction of control systems connected to the Internet, these infections are occurring in other ways: "A lot of control systems are connected to their business networks which in turn may be connected to the Internet. It's several layers removed, but once there's a virus [on the business network], it finds its way into the control systems," says John Cusimano, executive director of the Security Incidents Organization, which runs the RISI database. "And you see USB keys bringing in malware" to the SCADA systems, for instance, or via an employee's infected laptop, he says.

More here.

Mark Fiore: On The Mark

Congratulations, Mark Fiore, on your Pulitzer Prize for Editorial Cartooning.

Via The San Francisco Chronicle.

You definitely deserve it!

- ferg

Documents Reveal Al Qaeda Cyber Attacks

Alex Kingsbury writes on U.S. News & World Report:

Buried inside hundreds of pages of heavily redacted court documents from the case of a man accused of being one of al Qaeda's chief recruiters is evidence that the terrorist group has launched successful cyberattacks, including one against government computers in Israel. This was the first public confirmation that the terrorist group has mounted an offensive cyberattack. The attacks were relatively unsophisticated and likely occurred before November 2001, when the prisoner who described them was arrested.

The terrorism suspect, Mohamedou Ould Slahi, was ordered freed from the prison at Guantánamo Bay last month by a federal judge who found that the government had insufficient evidence to continue detaining him. The Justice Department has appealed that decision. Military investigators concluded several years ago that Slahi had been both physically and psychologically tortured at Gitmo, which could have tainted evidence and likely prompted the judge's release order. The court records do not specify when and under what circumstances Slahi discussed al Qaeda's venture into cyberwar.

Though the vast majority of the court records dealing with the case remain classified, some details escaped redaction. For instance, Slahi told interrogators that al Qaeda "used the Internet to launch relatively low-level computer attacks." Al Qaeda "also sabotaged other websites by launching denial-of-service attacks, such as one targeting the Israeli prime minister's computer server," court records show. The Israeli embassy in Washington had no comment on the information published in the court records.

Denial of service attacks are common and relatively easy and cheap to coordinate. They aim to overload and temporarily disable websites for the duration of the attack. Al Qaeda's interest in the tactic, however, has received little discussion and attention.

More here.

U.S. Military Asserts Right to Return Cyber Attacks

An AP newswire article by Lolita C. Baldor, via The Washington Post, reports:

The U.S. should counter computer-based attacks swiftly and strongly and act to thwart or disable a threat even when the attacker's identity is unknown, the director of the National Security Agency told Congress.

Lt. Gen. Keith Alexander, who is the Obama administration's nominee to take on additional duties as head of the new Cyber Command, also said the U.S. should not be deterred from taking action against countries such as Iran and North Korea just because they might launch cyber attacks.

"Even with the clear understanding that we could experience damage to our infrastructure, we must be prepared to fight through in the worst case scenario," Alexander said in a Senate document obtained by The Associated Press.

Alexander's answers reflect the murky nature of the Internet and the escalating threat of cyber terrorism, which defies borders, operates at the speed of light and can provide deep cover for assailants who can launch disruptive attacks from continents away, using networks of innocent computers.

More here.

U.S. Cyber Security Chief Slams Security Efforts

Amber Corrin writes on

Although agencies are improving cybersecurity at the national level, the federal approach to securing U.S. interests online still leaves much to be desired, a high-ranking Obama administration official said.

Howard Schmidt, the White House's cybersecurity coordinator, called for enterprisewide network intrusion detection and math and science training in U.S. schools. He also cited a lack of coordination in the government's cyber research and development.

“As far as enterprisewide intrusion detection goes, it falls under the category of, ‘Why haven’t we done that already?’” Schmidt said at the Interagency Resources Management Conference in Cambridge, Md., April 13. “It’s a big point of discussion.”

The commercial sector is deploying intrusion detection technology on private networks, but the federal government is lagging, dogged by bureaucracy and disputes over privacy and how best to implement such a strategy, he said.

More here.

EFF Backs Yahoo! to Protect User from Warrantless e-Mail Search


The Electronic Frontier Foundation (EFF) along with Google and numerous other public interest organizations and Internet industry associations joined with Yahoo! in asking a federal court Tuesday to block a government attempt to access the contents of a Yahoo! email account without a search warrant based on probable cause.

The Department of Justice is seeking the emails as part of a case that is under seal, and the account holder has apparently not been notified of the request. Government investigators maintain that because the Yahoo! email has been accessed by the user, it is no longer in "electronic storage" under the Stored Communications Act (SCA) and therefore does not require a warrant, even though that same legal theory has been flatly rejected by the one Circuit Court to address it.

Yahoo! is challenging the government request before a federal magistrate judge in Denver, arguing that the SCA and Fourth Amendment require the government to get a search warrant before compelling Yahoo! to disclose the email. In an amicus brief filed in support of Yahoo! Tuesday, EFF says that the company is simply following the law and protecting the constitutional privacy rights of its customers.

"The government is trying to evade federal privacy law and the Constitution," said EFF Senior Staff Attorney Kevin Bankston. "The Fourth Amendment protects these stored emails, just like it does our private papers. We all have a reasonable expectation of privacy in the contents of our email accounts, and the government should have to make a showing of probable cause to a judge before it rifles through our private communications."

More here.

Tuesday, April 13, 2010

U.S. Senate Set to Consider NSA Chief as Head of Cyber Command

Bob Brewin writes on

The Senate plans to hold a hearing on Thursday to consider the long-delayed nomination of Army Lt. Gen. Keith Alexander, director of the National Security Agency, as commander of the new U.S. Cyber Command.

The command was scheduled to start operations on Oct. 1, 2009. But the Senate held up Alexander's nomination, which includes a promotion to a four-star general, and the command's formal establishment because of concerns about its relationship with the NSA and the militarization of cyberspace.

No senator on the Armed Services Committee strongly opposes Alexander serving as both head of NSA and the Cyber Command, but they plan to ask tough questions during the hearing, the Associated Press reported on Tuesday.

The Electronic Privacy Information Center, an advocacy group that tracks the security and use of citizens' personal information stored in computer networks, charged in a bulletin released on April 9 that the Cyber Command will "give the Defense Department broad new authority over the Internet."

More here.

Sunday, April 11, 2010

Toon of The Day: Magic Mushrooms

We love Mr. Fish.

- ferg