Friday, April 14, 2006


News Item 5839 Wired News: Border Security System Left Open

A computer failure that hobbled border-screening systems at airports across the country last August occurred after Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus then sweeping the internet, according to documents obtained by Wired News.

The documents raise new questions about the $400 million US-VISIT program, a 2-year-old system aimed at securing the border from terrorists by gathering biometric information from visiting foreign nationals and comparing it against government watch lists.

[...]

Publicly, officials initially attributed the failure to a virus, but later reversed themselves and claimed the incident was a routine system failure.


10:12:44 AM

News Item 5838 Border Security System Left Open.

Border Security System Left Open. 7x7 writes "Wired News is running an article on documents they recovered via the Freedom of Information Act and a lawsuit. From the article: 'A computer failure that hobbled border-screening systems at airports across the country last August occurred after Homeland Security officials deliberately held back a security patch that would have protected the sensitive computers from a virus then sweeping the internet, according to documents obtained by Wired News.' It looks like Zotob made it into the supposedly protected network." [Slashdot]
10:10:51 AM

News Item 5837 InformationWeek | Web Application Security | Web App Hack Incidents Are Up As Businesses Take Cover | April 12, 2006

As companies rush to take advantage of the increasing amount of time users spend on the Web to sell them everything from cars to carpeting, malicious hackers are likewise rushing to take advantage of the flawed Web applications that deliver these online services.

Web site hacks are on the rise and pose a greater threat than the broad-based network attacks that have been giving IT departments fits. Whereas attacks against networks disrupt Internet service and negatively impact companies trying to do business over the Web or private networks, attacks against Web applications threaten to steal critical customer, employee, and business partner information stored in applications and databases linked to the Web.

Web hacking attacks numbered 58 in 2005, up from 16 in 2004 and 9 in 2003, according to the Web Application Security Consortium. Another 20 attacks have been reported this year against sites including open-source repository Sourceforge.net and social network MySpace.com, putting 2006 on pace to be the worst year yet.

Why is this happening? Several reasons. One is the prevalence of hacking tools online that can be found simply by using the Google search engine. Another reason is that Web applications aren't typically designed with security in mind, which leaves them open to SQL injections and cross-site scripting attacks that manipulate input entered into an application field in order to get the application to cough up more information than the user has the right to see.

Generally, "people who build Web applications are optimistic people," says Gary McGraw, chief technology officer with Cigital Inc., a maker of risk management software. "They don't consider that someone would try to break their programs."

This trend is particularly disturbing to financial services companies, which are looking to make online banking and investing less expensive and more convenient. Bank of America reported on Tuesday that sales of products via the bank's Web site totaled 3.8 million accounts in 2005, an increase of 69% over the previous year. This included 2.3 million online activations, 380,000 new savings accounts, 375,000 new credit card accounts, and 298,000 new checking accounts. Of course, Bank of America, Washington Mutual, Wells Fargo, and some smaller banks and credit unions earlier this year were forced to shut down PIN-based transactions and re-issue debit cards after customer PIN information stored in a retailer's point-of-sale application was stolen.

And don't count on banking customers to fend for themselves. A TD Canada Trust survey of more than 700 consumers found that less than 30% of Web banking users were aware of the terms "phishing" and "Web site spoofing." Most customers believe their bank should be primarily responsible for security measures with respect to online banking.


10:05:19 AM

News Item 5836 Number of Web Application Hacks Up.

Number of Web Application Hacks Up. An anonymous reader writes  "According to an article at Information Week, 'Web site hacks are on the rise and pose a greater threat than the broad-based network attacks...' Citing statistics from the Web Hacking Incidents Database, 'Web hacking attacks numbered 58 in 2005, up from 16 in 2004 and 9 in 2003. Another 20 attacks have been reported this year against sites including open-source repository Sourceforge.net and social network MySpace.com, putting 2006 on pace to be the worst year yet.'" [Slashdot]
10:01:30 AM

News Item 5835 Microsoft's Security Disclosures Come Under Fire

Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of "misleading" customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11.

That bulletin, rated "critical," contained patches for a remote code execution hole in Windows Explorer, the embedded file manager that lets Windows users view and manage drives, folders and files.

However, as Murphy found out when scouring through the fine print in the bulletin, the update also addressed what Microsoft described as a "publicly disclosed variation" of a flaw that was reported in May 2004 (CVE-2004-2289).

In an entry posted to the SecuriTeam blog, Murphy noted that the vulnerability that is documented was privately reported, but the "variation" that was also patched has been publicly known for 700+ days.

"In that case, the issue that is truly the 'variation' is the issue that was discovered and reported privately after the public disclosure," he said.

"[The] information as published is extremely misleading and Microsoft's choice not to document a publicly reported vulnerability is not one that will be for the benefit of its customers' security," Murphy said.

In an interview with eWEEK, Murphy said another "throwaway line" in the bulletin also raised questions about whether a flaw he reported in August 2005 was silently fixed.


9:58:17 AM

News Item 5834 Microsoft's Security Disclosures Come Under Fire.

Microsoft's Security Disclosures Come Under Fire. Old Banana writes "Is Microsoft silently fixing security vulnerabilities and deliberately obfuscating details about patches in its monthly security bulletins? Matthew Murphy, a security researcher who has worked closely with the MSRC (Microsoft Security Response Center) in the past, is accusing the software maker of 'misleading' customers by not clearly spelling out exactly what is being patched in the MS06-015 bulletin released on April 11." [Slashdot]
9:54:50 AM

News Item 5833 NewsForge | FOSS closes patient privacy gap for researchers

Two new open source software projects are ready to wipe patient histories clean of personal information so researchers can learn from medical cases without endangering privacy.

One of the GPLed software programs, HMS Scrubber version 1.0, was recently able to remove more than 98 percent of identifiers -- such as name, address, and Social Security number -- from 1,254 pathology reports processed from three hospitals. Developed by a team from the Beth Israel Deaconess Medical Center in Boston and other American institutions, the software holds promise beyond pathology in nearly all medical records, which are integral to research, but are full of privacy pitfalls, says Bruce Beckwith, a Beth Israel doctor and developer of the new software.

Recently featured on the Web journal BMC Medical Informatics and Decision Making, the software may also be important to hospitals and researchers adhering to information handling requirements of the Health Insurance Portability and Accountability Act (HIPAA). It's currently being used in an approved system at Harvard Medical School to allow researchers to search de-identified pathology reports for tissue that might be useful.

"While we developed and tested this with pathology reports in mind, we made it simple for others to modify the code to suit their own needs," Beckwith says. "In our article, we demonstrated that the software needs to be tested and adapted to local styles of reporting. Many of the regular expressions that we use are general purpose, but there are some that are specifically designed for the content present in pathology reports. The regular expressions are contained in a separate file and can be edited easily."
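A small regex-driven de-identifier in the spirit of the design Beckwith describes (patterns kept in a separate, editable file; results scored against human-marked identifiers; local gaps found by testing), written as an added example for this item. It is not HMS Scrubber's code; the pattern file, the pathology-style report and the identifier list are all constructed, and the "Boston" entry is deliberately left uncovered to show how a local gap surfaces in the measurement.

```python
import re

# Constructed stand-in for the separate, editable regex file the article
# describes: one rule per line, "<name> <pattern>"; '#' lines are comments.
# Matches are replaced with "[<name>]" so a reviewer can see what was removed.
PATTERN_FILE = r"""
# General-purpose identifiers (HIPAA-style): SSN, dates, phone numbers.
ssn    \b\d{3}-\d{2}-\d{4}\b
date   \b\d{1,2}/\d{1,2}/\d{2,4}\b
phone  \(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b
# Rules keyed to this site's report layout; the article's point is that
# these must be tested and adapted to local reporting styles.
name   (?<=Patient Name: )[A-Z][a-z]+(?: [A-Z][a-z]+)+
mrn    (?<=MRN: )\d{5,10}\b
street \b\d{1,5}(?: [A-Z][a-z]+)+ (?:St|Ave|Rd|Blvd)\b
"""

# Constructed pathology-style report; every value is fictional.
REPORT = """\
SURGICAL PATHOLOGY REPORT
Patient Name: Jane Doe    MRN: 00123456
DOB: 03/14/1958    SSN: 123-45-6789
Address: 42 Maple Ave, Boston
Phone: (617) 555-0199
Specimen received 04/10/2006.
Diagnosis: invasive ductal carcinoma, grade 2.
"""

# Human-marked ground truth for the removal-rate measurement (the article's
# 98 percent figure is this kind of number). "Boston" is deliberately covered
# by no rule, so the evaluation shows how a local gap surfaces.
KNOWN_IDENTIFIERS = ["Jane Doe", "00123456", "123-45-6789", "03/14/1958",
                     "42 Maple Ave", "(617) 555-0199", "Boston"]

def load_patterns(text):
    """Parse the rule file into (name, compiled regex) pairs, in file order."""
    rules = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        name, pattern = line.split(None, 1)
        rules.append((name, re.compile(pattern)))
    return rules

def scrub(text, rules):
    """Apply every rule in order; return scrubbed text and hit counts per rule."""
    counts = {}
    for name, rx in rules:
        text, counts[name] = rx.subn(f"[{name}]", text)
    return text, counts

def removal_rate(scrubbed, known):
    """Fraction of known identifiers absent from the output, plus the leaks."""
    leaked = [v for v in known if v in scrubbed]
    return (len(known) - len(leaked)) / len(known), leaked

def run_demo():
    """Scrub the sample report and score it against the ground truth."""
    scrubbed, counts = scrub(REPORT, load_patterns(PATTERN_FILE))
    rate, leaked = removal_rate(scrubbed, KNOWN_IDENTIFIERS)
    return scrubbed, counts, rate, leaked
```

Running `run_demo()` scrubs six of the seven marked identifiers (about 86 percent) and reports "Boston" as the leak, which is the signal that a site-specific rule is still missing.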


9:48:13 AM

News Item 5832 Insurers Pleased with Privacy Terms of Maine's New 'Black Box' Law

A new Maine law (LD 1885) aimed at protecting the privacy of motorists with event data recorders (EDRs), or "black boxes," in their vehicles, contains important safeguards for insurers supported by the insurance industry.

"This new law protects the legitimate privacy rights of motorists while preserving access for insurers to necessary and pertinent information," said John Murphy, American Insurance Association, vice president, Northeast Region.


9:42:09 AM

News Item 5831 Law Librarian Blog: Noteworthy Scholarship on SSRN

The following SSRN papers caught my eye:

  • Solove & Hoofnagle, A Model Regime of Privacy Protection (Version 3.0)
  • Timofeeva, Establishing Legal Order in the Digital World: Local Laws and Internet Content Regulation
  • Taipale, Whispering Wires and Warrantless Wiretaps: Data Mining and Foreign Intelligence Surveillance
  • Barros, Home as a Legal Concept

9:39:43 AM

News Item 5830 Privacy-Invasive Software in File-Sharing Tools.

Privacy-Invasive Software in File-Sharing Tools. Personal privacy is affected by the presence of adware and spyware in peer-to-peer tools. In an experiment presented in this paper, five file-sharing tools were investigated; all of them contained ad-/spyware programs, and these hidden components communicated with several servers on the Internet. Although no files were exchanged through the file-sharing tools, they generated a significant amount of network traffic. Among the retrieved ad-/spyware programs that communicated with the Internet, it was discovered that privacy-invasive information, such as user data and Internet browsing history, was transmitted. In conclusion, ad-/spyware activity in file-sharing tools creates serious problems not only for user privacy and security, but also for network and system performance. [ITPapers.com - Recent Privacy Issues White Papers]
9:36:56 AM

News Item 5829 China vs. Germany: Comparing Google's Censorship Practices.

China vs. Germany: Comparing Google's Censorship Practices.

Part of Google CEO Eric Schmidt's justification for being complicit with China's censorship of search engine results is that Google does the same thing in Germany and France, so what's the big deal this time around. Consider this recent statement:

Asked whether Google might try to persuade Beijing to change its restrictions, Schmidt said he didn't rule anything out, but said it hasn't tried to change such limits elsewhere. He noted that Google's site in Germany is barred from linking to Nazi-oriented material.

"There are many cases where certain information is not available due to local law or local custom," he said.

I've been meaning to write a response to this flawed argument, pointing out that while Germany's attempt to restrict access to hate speech and other Nazi-related information does constitute censorship, it is meant to prevent the return of a dark moment in the nation's history. (Note, I don't agree with this German policy.) Meanwhile, China wants to block access to information that might give its citizens glimpses of democracy and freedom - its censorship is meant to protect the monopolization of power by the state. Both forms of censorship are "evil," but if we were to make comparisons, the Chinese version is perhaps a greater violation of a citizen's rights than the German form.

Philipp Lenssen, the German owner of the blog Google Blogoscoped, provides a much more articulate description of this distinction:

I think it's a fuzzy issue. Censoring Nazi sites is a little less evil than censoring human rights sites, and censoring human rights sites is a little less evil than handing over email account information, and handing over email account information is a little less evil than jailing the dissident yourself. However, they're all acts of the same line of thought, and often set precedents for each other, and I oppose all of them.
[...]
Don't burn books even if you think you burn the right books. And digital censorship is modern book burning. Google in Germany is "only" censoring the results to these sites, not the sites themselves, but that's like saying they're only securing the area while someone else burns the books.

Often, these acts of cooperating with the gov't ruin more trust than any number like "only 2 dissidents" or "only 5% of searches" could express. If I know Yahoo Mail is cooperating with the Chinese gov't, I can't use it to voice my human rights concern over the Chinese gov't anymore, period, and that affects all mails. If I know some of the Yahoo search results are censored, I have reason to mistrust *any* Yahoo search results (and also be careful about what I'm searching for). If only 1 person is in jail for unjustified reasons, then everyone must be afraid to live and work in China and confront the Chinese gov't (or use western online tools whose leaders cooperate with the Chinese gov't). If I know that *some* morals don't need to be respected *some* of the time by *some* people... what keeps me from disrespecting all kinds of moral rules? That's the broken window phenomenon.

Google, Yahoo and others, by exposing their line of thought, also show us that they could do basically anything. E.g. their line of thought allows them to cooperate with Nazis. Their line of thought allows an image search to stop showing black people just because a segregationist gov't would ask them to ("we follow local laws" ... "we think showing at least some images helps spread the information better"). In the end it's always the same: such "evil" gov'ts need people to build their tools. The Nazis relied on IBM for parts of their work. If Einstein had just followed local laws, instead of making sure he's preventing the Nazis from getting his technological inventions by going to the US, then this might be a different world today.

Now I don't believe Google is that bad; I just believe their arguments are logically flawed, and pretty much useless. But they might have become deaf to outside criticism... they've survived every kind of criticism so far (copyright issues with Google Books, Google News China omitting several sources, Gmail "privacy invasion" through ads, the acquisition of the Deja News usenet archive). But the results seem to prove them right, pragmatically speaking; everyone is still using Google, no law so far is making their decisions illegal, and news coverage of their China move dies down over time. As we can see, Eric Schmidt is now getting more and more self-assured over the decision.

[via Don't Be Evil]

[michaelzimmer.org]
9:29:58 AM

News Item 5828 Security Podcasts CSO - The Resource for Security Executives - CSO Magazine

Welcome to CSOonline.com's executive podcasts suitable for downloading to your MP3 player or streaming at your desk.
9:22:25 AM

News Item 5827 The Enemy Inside - CSOonline.com - April 2006

For many years external security threats received more attention than internal security threats, but the focus has changed. While viruses, worms, Trojans and DoS are serious, attacks perpetrated by people with trusted insider status--employees, ex-employees, contractors and business partners--pose a far greater threat to organizations in terms of potential cost per occurrence and total potential cost than attacks mounted from outside.

The reason insider attacks "hurt" disproportionately is that insiders can and will take advantage of two important rights: trust and physical access.

In general, users and computers accessing resources on the local area network (LAN) of the company are deemed trusted. Practically, we do not draconically restrict their activities--revoke trust--because an attempt to control these trusted users too closely will impede the free flow of business.

And, obviously, once an attacker has physical control of an asset, that asset can no longer be protected from the attacker.


9:18:38 AM

News Item 5826 IRS Can Ask for PayPal Account Info, Court Rules.

IRS Can Ask for PayPal Account Info, Court Rules. Decision prompted by ongoing tax evasion probe. [PCWorld.com - Latest News Stories]
9:15:42 AM

News Item 5825 AOL Censors Email Tax Opponents.

AOL Censors Email Tax Opponents.

Won't Deliver Emails Mentioning www.DearAOL.com

San Francisco - AOL is blocking delivery to AOL customers of all emails that include a link to www.DearAOL.com. Today, over 100 people who signed a petition to AOL tried sending messages to their AOL-using friends, and received a bounce-back message informing them that their email "failed permanently."

"The fact is, ISPs like AOL commonly make these kinds of arbitrary decisions, silently banning huge swathes of legitimate mail on the flimsiest of reasons, every day, and no one hears about it," said Danny O'Brien, Activism Coordinator of the Electronic Frontier Foundation (EFF). "AOL's planned CertifiedEmail system would let them profit from this power by offering to charge legitimate mailers to bypass these malfunctioning filters."

After reports of undelivered email started rolling in to the DearAOL.com Coalition, MoveOn co-founder Wes Boyd decided to see for himself if it was true.

"I tried to email my brother-in-law about DearAOL.com and AOL sent me a response as if he had disappeared," said Boyd. "But when I sent him an email without the DearAOL.com link, it went right through."

While AOL may imply that censoring www.DearAOL.com is part of some anti-spam effort, their own customers are witnessing how faulty AOL's spam measures would be if that were the case.

"I forwarded www.DearAOL.com to my own AOL account and it was censored. Apparently I can't even tell myself about it," said Kelly Tessitore from Framingham, Massachusetts.

"This proves the DearAOL.com Coalition's point entirely: left to their own devices, AOL will always put its own self-interest ahead of the public interest in a free and open Internet," said Timothy Karr, campaign director of Free Press, a national, nonpartisan organization working on media reform and Internet policy issues. "AOL wants us to believe they won't hurt free email when their pay-to-send system is up and running. But if AOL is willing to censor the flow of information now to silence their critics, how could anyone trust that they will preserve the free and open Internet down the road? Their days of saying 'trust us' are over; their credibility is zero, zip, nada."

The DearAOL.com Coalition represents over 15 million people combined, and has grown from 50 member organizations to 600 in a month. Since the beginning of the DearAOL.com campaign, more than 350,000 Internet users have signed letters to AOL opposing its pay-to-send proposal. Coalition members include craigslist founder Craig Newmark, the Association of Cancer Online Resources, EFF, Free Press, the AFL-CIO, MoveOn.org Civic Action, Gun Owners of America, and others.

For more on the issues surrounding pay-to-send email, join EFF for a debate on April 20 in San Francisco. EFF's O'Brien and tech expert Esther Dyson will face off over the question "Email - Should the Sender Pay?" Entrepreneur Mitch Kapor will moderate.

More information about the DearAOL.com Coalition:
http://www.dearaol.com

More information on next week's debate:
http://www.eff.org/bayff/aolmail_debate.php

Contacts:

Danny O'Brien
Activism Coordinator
Electronic Frontier Foundation
danny@eff.org

Rebecca Jeschke
Media Coordinator
Electronic Frontier Foundation
press@eff.org

[EFF: Breaking News]
9:13:45 AM