Saturday, August 07, 2010

Report: RIM May Have Cut Deal With Saudi Arabia

John Ribeiro writes on NetworkWorld:

Research in Motion (RIM) and Saudi Arabia have arrived at a preliminary agreement that will involve the company setting up its server there and providing the government access to the data, according to media reports on Saturday from Saudi Arabia.

An agreement by RIM with Saudi Arabia could set a precedent for similar deals with other countries, including India, Lebanon, the United Arab Emirates (UAE), and Indonesia, which are demanding that RIM locate servers in their country, and provide access to data to their security forces, analysts said.

Saudi Arabia's telecom regulator, the Communications and Information Technology Commission (CITC), and local phone operators have reached a preliminary agreement with RIM over the handling of BlackBerry data that will involve setting up a server in the country, The Wall Street Journal reported, citing a person familiar with the talks.

More here.

U.S. and Canadian Governments Support Chinese-Style Censorship of DNS in ICANN

Milton Mueller writes on the Internet Governance Project (IGP) Blog:

The Chair of ICANN's Governmental Advisory Committee has issued a statement [.pdf] on the censorship of top level domain names. We are sad to report that the alleged GAC position is deeply flawed and outrageously wrong-headed. It is a recipe for global censorship, and although at this point it only applies to the DNS it can lead to the erosion of all internet freedom of expression unless it is stoutly resisted.

The GAC openly states that the goal of its policy is to ensure "the absence of any controversial strings" in the top level domain name space. Why this goal? The statement equates the absence of controversy in the content domain to the "security, stability and universal resolvability" of the domain name system.

The idea that any domain name that is "controversial" constitutes a threat to the security, stability and universal resolvability of the internet is an absurdity that flies in the face of all internationally recognized standards of freedom of expression. We need to protect expression especially when it is controversial. In effect, this principle gives governments a blank check to smother any dissent, any hint of disagreement on the internet because it might lead some government, somewhere, to block a domain.

This position is an outrage to freedom of expression principles. Its appeal to "universal resolvability" implies that the threat of authoritarian governments like China, or totalitarian dictatorships like North Korea or Iran, to block domains they object to is so horrible that all content on the internet should be pre-censored in order to ensure that it doesn't happen. Obviously this puts the most conservative, pro-censorship regimes in the driver's seat. It is the most idiotic position one could imagine. That it is put forward by the U.S. government and a supine Canadian follower is an unspeakable tragedy.

More here.

Friday, August 06, 2010

Terry Childs Gets Four Year Sentence

Bob McMillan:

A City of San Francisco administrator who refused to hand over administrative passwords to the city's network was sentenced to four years in state prison Friday.

Terry Childs was convicted in April of violating California's hacking laws after he refused to hand over administrative control to the city's FiberWAN network back in July 2008.

He was sentenced Friday by Judge Teri Jackson, according to Erica Derryck, a spokeswoman for the San Francisco district attorney's office.

Although the city's network continued to run during the 12 days that Childs refused to hand over control, jurors found that by denying the city administrative control of its own network, Childs had violated state law.

More here.

UK Child Database Scrapped


The database was established by the Labour administration in the wake of the Victoria Climbie child abuse scandal to improve child protection.

Launched last year, it held the names, ages and addresses of all under-18s on a central computerised database, along with the contact details of their parents, schools and GPs.

Hundreds of thousands of teachers, police officers and social workers had access to the register to help co-ordinate who was working with children.

But as well as the cost, the controversial system was beset by delays, technical problems and fears over security.

The coalition Government pledged to shut the database down, saying it was "disproportionate and unjustifiable".

"Ministers do not believe that a database, which holds details of all children in England and which is accessible to hundreds of thousands of people, is the right way to help vulnerable children," the new government said.

The database is being destroyed "using government-approved security standards and processes".

More here.

RBS WorldPay Hacker Extradited to Atlanta

Via Office of Inadequate Security.

The U.S. Attorney's Office for Northern Georgia issued a press release [.pdf] today announcing the extradition of Sergei Tsurikov, one of the alleged leaders of the Eastern European cybercrime group that hacked into RBS WorldPay in Atlanta in 2008. Tsurikov had been indicted in November 2009 on federal charges of conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud, computer fraud, and aggravated identity theft. Also indicted at the time were Viktor Pleschuk, 29, of St. Petersburg, Russia, Oleg Covelin, 29, of Chisinau, Moldova, and an unidentified individual. Igor Grudijev, 32, Ronald Tsoi, 32, Evelin Tsoi, 21, and Mihhail Jevgenov, 34, each of Tallinn, Estonia, were indicted at the time on charges related to access device fraud.

According to United States Attorney Sally Q. Yates, the charges and other information presented in court, during November 2008, Pleschuk, Tsurikov, and Covelin allegedly obtained unauthorized access into the computer network of RBS WorldPay, the U.S. payment processing division of the Royal Bank of Scotland Group PLC, located in Atlanta. The processor is the fourth largest in the U.S. according to a recent statement by the bank.

The indictment alleges that the group used sophisticated hacking techniques to compromise the data encryption that was used by RBS WorldPay to protect customer data on payroll debit cards. Once the encryption on the card processing system was compromised, the hacking ring allegedly raised the account limits on compromised accounts, and then provided a network of “cashers” with 44 counterfeit payroll debit cards, which were used to withdraw more than $9 million from over 2,100 ATMs in at least 280 cities worldwide, including cities in the United States, Russia, Ukraine, Estonia, Italy, Hong Kong, Japan and Canada. The $9 million loss occurred within a span of less than 12 hours.

More here.

Court Rejects Warrantless GPS Tracking


The U.S. Court of Appeals for the District of Columbia Circuit today firmly rejected government claims that federal agents have an unfettered right to install Global Positioning System (GPS) location-tracking devices on anyone's car without a search warrant.

In United States v. Maynard, FBI agents planted a GPS device on a car while it was on private property and then used it to track the position of the automobile every ten seconds for a full month, all without securing a search warrant. In an amicus brief filed in the case, EFF and the ACLU of the Nation's Capital argued that unsupervised use of such tactics would open the door for police to abuse their power and continuously track anyone's physical location for any reason, without ever having to go to a judge to prove the surveillance is justified.

The court agreed that such round-the-clock surveillance required a search warrant based on probable cause. The court expressly rejected the government's argument that such extended, 24-hours-per-day surveillance without warrants was constitutional based on previous rulings about limited, point-to-point surveillance of public activities using radio-based tracking beepers. Recognizing that the Supreme Court had never considered location tracking of such length and scope, the court noted: "When it comes to privacy...the whole may be more revealing than its parts."

The court continued: "It is one thing for a passerby to observe or even to follow someone during a single journey as he goes to the market or returns home from work. It is another thing entirely for that stranger to pick up the scent again the next day and the day after that, week in and week out, dogging his prey until he has identified all the places, people, amusements, and chores that make up that person's hitherto private routine."

More here.

Thursday, August 05, 2010

Researchers: Cloud-Based Denial Of Service Attacks Looming

Robert Lemos writes on Dark Reading:

DEFCON 2010 -- With the help of the cloud, taking down small and midsize companies' networks is easy, two consultants told attendees here last week.

With a credit card and e-mail address, security consultants David Bryan of Trustwave and Michael Anderson of NetSPI created a handful of virtual server instances on Amazon's EC2 and used a homemade program to attack the network of a client -- a small business that wanted its connectivity tested.

With only three servers -- although they eventually scaled up to 10 -- the consultants took the company off the Internet. The price? Six dollars.

"A threat agent could potentially run extortion schemes against a company by attacking for a couple of hours -- and then telling the company that, if you don't pay me, then I will attack you again," Bryan said.

More here.

FCC Stops Closed-Door Internet Policy Meetings as Google, Verizon Strike Side Deal

Cecilia Kang writes on The Washington Post:

Under criticism for its handling of closed-door discussions with certain companies on broadband policy, the Federal Communications Commission announced Thursday that the meetings with Verizon, AT&T, Google and Skype were unsuccessful and that it would stop holding them.

The announcement comes amid an apparent agreement between Verizon and Google on so-called net neutrality ground rules that would allow certain prioritization of Web sites on fixed wire networks and no rules on wireless networks. Sources familiar with the discussions at the FCC said reports Wednesday of a deal between Verizon and Google on net neutrality upset participants in the meeting, who were moving closer to agreement on stronger rules against blocking and slowing traffic on wireless and fixed-wire networks.

“We have called off this round of stakeholder discussions," said Eddie Lazarus, the chief of staff to the chairman of the FCC. "It has been productive on several fronts, but has not generated a robust framework to preserve the openness and freedom of the Internet – one that drives innovation, investment, free speech, and consumer choice. All options remain on the table as we continue to seek broad input on this vital issue.”

The agency has been holding the meetings to reach a consensus among giant telecom, cable, and Internet content firms on how carriers can manage traffic in a way that doesn't unfairly squash competition by slowing access to some Web sites over others.

More here.

Wednesday, August 04, 2010

FCC Draws Fire Over Talks With Internet, Telecom Giants on 'Net Neutrality'

Cecilia Kang writes on The Washington Post:

Thwarted in his campaign to set government control over consumer access to the Internet, Federal Communications Commission Chairman Julius Genachowski has been trying to salvage his efforts by negotiating directly with a handful of the biggest Web firms and network service providers.

His goal is for those firms to put aside their differences on how Internet service providers control content on their networks and agree on legislation that Genachowski can present to Congress.

But critics say that by handpicking Google, AT&T, Verizon and Skype for seven closed-door meetings that continue this week at the FCC, Genachowski could be determining the future of how consumers access the Web in a manner more favorable to those businesses.

Massive corporate interests are at stake as the firms and the agency discuss so-called net neutrality provisions, or regulations that would prevent Internet providers from blocking or slowing access to Web sites. The talks could determine, for instance, whether Verizon could provide YouTube online video with better resolution than competitor Netflix, or whether Google and Skype have to pay extra to get their online voice services onto AT&T broadband networks.

"These big companies can make deals for themselves, but they are leaving out the rest of us," said Susan Crawford, a communications law professor at Benjamin N. Cardozo School of Law.

More here.

Mark Fiore: Lincolngate

More Mark Fiore brilliance.

Via The San Francisco Chronicle.


- ferg

Feds Admit Storing Security Checkpoint Body Scan Images

Declan McCullagh writes on C|Net News:

For the last few years, federal agencies have defended body scanning by insisting that all images will be discarded as soon as they're viewed. The Transportation Security Administration claimed last summer, for instance, that "scanned images cannot be stored or recorded."

Now it turns out that some police agencies are storing the controversial images after all. The U.S. Marshals Service admitted this week that it had surreptitiously saved tens of thousands of images recorded with a millimeter wave system at the security checkpoint of a single Florida courthouse.

This follows an earlier disclosure [.pdf] by the TSA that it requires all airport body scanners it purchases to be able to store and transmit images for "testing, training, and evaluation purposes." The agency says, however, that those capabilities are not normally activated when the devices are installed at airports.

More here.

Tuesday, August 03, 2010

Vulnerability Broker Draws Line in Disclosure Sand

Ryan Naraine writes on

Looking to put pressure on software vendors who procrastinate on fixing security flaws, the world's biggest broker of vulnerability data is drawing a line in the sand.

Starting tomorrow (August 4, 2010), TippingPoint's Zero Day Initiative (ZDI) will enforce a six-month deadline for patches on all vulnerabilities bought from the security research community and reported to software vendors.

TippingPoint, a program that purchases the rights to vulnerability information in exchange for exclusivity to broker fixes with affected vendors, says the new six-month deadline will apply to all currently outstanding issues.

"We have about 31 outstanding issues that are more than a year old. We believe that's an unacceptable window of exposure [to risk]," says Aaron Portnoy, manager of the security research team at TippingPoint Technologies.

For example, according to ZDI's public upcoming advisories listing, there are at least a half-dozen high-risk vulnerabilities affecting IBM software that are more than 600 days outstanding. Microsoft, RealNetworks, Symantec, CA and Novell are also among the most tardy vendors, according to ZDI's list.

More here.

Critical Flaws Discovered in Widely Used Embedded OS

Angela Moscaritolo writes on SC Magazine:

Two critical vulnerabilities have been discovered in mission-critical systems used in 500 million devices, including VoIP phones, telecom equipment, military routing devices, automobile controls and spacecraft.

Last week at the Security B-Sides and DEFCON conferences in Las Vegas, HD Moore, chief security officer at Rapid7 and founder and chief architect of Metasploit, disclosed two critical vulnerabilities in VxWorks, which is used to power Apple Airport Extreme access points, Mars rovers and C-130 Hercules aircraft, in addition to microwaves, switches, sensors, telecom equipment and industrial control monitors.

VxWorks has a service enabled by default that provides read or write access to a device's memory and allows functions to be called, Moore told on Tuesday. The vulnerable service, called WDB agent, is a “debugger” for the VxWorks operating system that is used to diagnose problems and ensure code is working properly when a product is being developed.

The debugging service, a selectable component in the VxWorks configuration enabled by default, is not secured and represents a security hole in a deployed system, according to an advisory issued by the US-CERT on Monday.

More here.

DOE: Common Security Holes Leave Energy Grid Vulnerable

Martin LaMonica writes on C|Net News:

The U.S. is leaving its energy infrastructure open to cyberattacks by not performing basic security measures, such as regular patching and secure coding practices, according to a report prepared by the Department of Energy.

Researchers at the Idaho National Laboratory tested 24 industrial control systems (ICSs) between 2003 and 2009 and published the results in a report [.pdf] completed in May and publicly released last month. Steven Aftergood, secrecy expert at the Federation of American Scientists, blogged about the report on Monday.

The report comes on the heels of a discovery of malware written specifically for systems used for controlling industrial manufacturing and utility systems. That worm, written for a Siemens Windows application, has been a wake-up call to the security community that focuses on industrial control systems because it marked a shift from theory to reality, according to experts.

Although the national labs researchers tested actual control systems used in running the energy infrastructure, such as the electricity grid, they did not disclose the names of any companies. By publishing the results, the DOE hopes energy companies can better assess and secure their computer systems.

The government-funded tests confirm that there are security holes in the energy infrastructure that are due in part to industry's growing reliance on the public Internet. Improving the security of these systems can be accomplished through well-understood security practices, but requires more work on the part of energy professionals and software providers, according to the report.

More here.

In Criticizing UAE's Plans to Block BlackBerry Service, U.S. Government is Walking a Fine Line

Cecilia Kang writes in The Washington Post:

With the State Department’s criticism of the United Arab Emirates for blocking BlackBerry services, the U.S. government is left walking a fine line -– preaching for global Internet freedom at the same time that federal authorities are seeking greater powers to monitor Web users, privacy advocates say.

In a media briefing Monday, State Department spokesman P.J. Crowley said the UAE’s move to block instant messaging, e-mail and Web browsing on BlackBerry devices starting Oct. 11 would set a “dangerous precedent” for other nations to also block the flow of information to their citizens.

The UAE responded by defending its actions and pointing to similar actions by the United States and Britain to suspend certain communications services for national security purposes.

“In fact, the UAE is asking for exactly the same regulatory compliance -- and with the same principles of judicial and regulatory oversight -- that BlackBerry grants the U.S. and other governments and nothing more,” Ambassador Yousef Al Otaiba said in a statement. “Importantly, the UAE requires the same compliance as the U.S. for the very same reasons: to protect national security and to assist in law enforcement.”

U.S. authorities have increasingly sought greater ability to wiretap and access e-mail and possibly browser history of users on the grounds of law enforcement and national security concerns, privacy advocates say.

More here.

Monday, August 02, 2010

GAO: U.S. Approach to Global Cyber Security Falls Short

Ben Bain writes on

The Obama administration should take steps to improve and better coordinate the United States’ approach to international cyberspace policy, the Government Accountability Office has said.

According to a report [.pdf] released today by GAO, global aspects of cyberspace “present key challenges to U.S. policy.” GAO said U.S. involvement in the many organizations that are involved in developing international agreements and standards “is essential to promoting our national and economic security to the rest of the world.”

U.S. law enforcement attempts to prosecute cyber crime have been complicated by differing legal systems and the United States has been unable to define cyberspace-related norms that may be necessary for guiding incident response, the auditors found. GAO said “challenges in U.S. leadership, strategy, and coordination have hampered the nation’s ability to promote cyberspace-related technical standards and policies and establish global cyber incident response capabilities consistent with our national economic and national security interests.”

GAO identified 19 organizations considered by experts as key for global cyberspace policy. The organizations that are identified vary in scope and purpose, and include the European Union, the United Nations, the Internet Engineering Task Force, and the North Atlantic Treaty Organization.

More here.

RIM Helps Russia, China Monitor BlackBerry Users' e-Mails

Jeff Carr writes on

Research In Motion executives are fond of saying that their platform is more secure than other mobile providers. For example, Scott Totzke, RIM's VP of Security, was recently quoted as saying that BlackBerrys are "secure right out of the box" (meaning that no additional mobile security protection is needed) and that RIM offers enterprises the most secure mobile computing option thanks to the ability to create security settings for all enterprise users via its BlackBerry Enterprise Server (BES).

This official position is not without its critics, particularly among some mobile security researchers such as Tyler Shields whose presentation at ShmooCon 2010 showed how standard BlackBerry settings could “access and leak sensitive information using only RIM-provided APIs and no trickery or exploits at all.”

All of these security questions are moot, however, if you're using your BlackBerry to send its highly touted encrypted emails to or from the Russian Federation, the People's Republic of China or, shortly, India, Saudi Arabia and the UAE.

More here.

Sunday, August 01, 2010

Microsoft Quashed Effort to Boost Online Privacy

Nick Wingfield writes in The Wall Street Journal:

The online habits of most people who use the world's dominant Web browser are an open book to advertisers. That wasn't the plan at first.

In early 2008, Microsoft Corp.'s product planners for the Internet Explorer 8.0 browser intended to give users a simple, effective way to avoid being tracked online. They wanted to design the software to automatically thwart common tracking tools, unless a user deliberately switched to settings affording less privacy.

That triggered heated debate inside Microsoft. As the leading maker of Web browsers, the gateway software to the Internet, Microsoft must balance conflicting interests: helping people surf the Web with its browser to keep their mouse clicks private, and helping advertisers who want to see those clicks.

In the end, the product planners lost a key part of the debate. The winners: executives who argued that giving automatic privacy to consumers would make it tougher for Microsoft to profit from selling online ads. Microsoft built its browser so that users must deliberately turn on privacy settings every time they start up the software.

More here.

Stealthy Government Contractor Monitors U.S. Internet Providers, Says It Employed Wikileaks Informant

Andy Greenberg writes on

A semi-secret government contractor that calls itself Project Vigilant surfaced at the Defcon security conference Sunday with a series of revelations: that it monitors the traffic of 12 regional Internet service providers, hands much of that information to federal agencies, and encouraged one of its "volunteers", researcher Adrian Lamo, to inform the federal government about the alleged source of a controversial video of civilian deaths in Iraq leaked to whistle-blower site Wikileaks in April.

Chet Uber, the director of Fort Pierce, Fl.-based Project Vigilant, says that he personally asked Lamo to meet with federal authorities to out the source of a video published by Wikileaks showing a U.S. Apache helicopter killing several civilians and two journalists in a suburb of Baghdad, a clip that Wikileaks labelled "Collateral Murder." Lamo, who Uber said worked as an "Adversary Characterization" analyst for Project Vigilant, had struck up an online friendship with Bradley Manning, a former U.S. Army intelligence analyst who currently faces charges of releasing the classified video.

In June, Uber said he learned from Lamo's father that the young researcher had identified Manning as the video's source, and pressured him to meet with federal agencies to name Manning as Wikileaks' source. He then arranged a meeting with employees of "three letter" agencies and Lamo, who Uber said had mixed feelings about informing on Manning.

"I'm the one who called the U.S. government," Uber said. "All the people who say that Adrian is a narc, he did a patriotic thing. He sees all kinds of hacks, and he was seriously worried about people dying."

More here.