Thursday, November 9, 2006


News Item 7629 US.gov tunes out scathing RFID privacy report.

DHS committee study 'disavowed'

An external security advisory committee reporting to the US Department of Homeland Security has produced a highly critical report (PDF) advising against the use of RFID technology in government documents.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
10:07:22 PM

News Item 7628 Totalitarian threat looms.

Not just academic, say academics

Totalitarian regimes teach us important lessons about the consequences of letting nosy state authorities use surveillance to keep their people in check, delegates were told at the Data Protection and Privacy Commissioner's conference in London yesterday.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
10:05:09 PM

News Item 7627 Patients can't stop medical records upload.

Privacy not a medical necessity in UK

Up to 50 million health records will be placed on Britain's new NHS IT system with or without patients' consent, a report has claimed. The Guardian newspaper said that patients will not be allowed to object to information being loaded on to the system.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
9:56:41 PM

News Item 7626 Blair bangs ID card drum.

PM in biometric hard sell

Tony Blair has once again seen fit to toss his prime ministerial two penneth into the ID cards debate.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
9:53:05 PM

News Item 7625 USA to ground all travellers until 'cleared'.

Security as a blanket presumption of guilt

No one will be permitted to board an aircraft or a marine vessel leaving or bound for the United States until cleared by the US Department of Homeland Security (DHS) Bureau of Customs and Border Protection (CBP), under proposed regulations.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
9:50:39 PM

News Item 7624 Some voters saying machines lack privacy

With all the privacy of a walk-up ATM, but little of the protocol, electronic voting machines on Tuesday left some people feeling exposed.

Many voters said they found the touch-screen machines easy to read and easy to use. But they also complained of a lack of privacy and pined for the seclusion of the old-style voting booth.

With the new machines lined up close together in crowded polling places -- and offering bright, readable screens -- some felt as if they were voting for an audience.

9:49:07 PM

News Item 7623 Wireless insecurity: do not use the cheerleader defence.

Don't try this at home, folks

Comment: The message boards are alive with misguided advice about wireless networks. Switch off your security, they say: you'll get away with murder.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
9:40:53 PM

News Item 7622 'Supercerts' Aim to Highlight Legit Web Sites.

Over the past couple of years, dozens of companies have rolled out technologies designed to help computer users and companies better spot "phishing" scams -- Web sites that try to trick people into giving away financial and personal data. But what about helping users tell for certain that when their browser tells them that they are at, say, BankofAmerica.com, that they're really at the bank's official Web site and not at some scam site?

That's precisely the aim of CA/Browserforum, a security effort by the major Web browser makers and certificate authorities, or companies who sell and issue Web site security certificates.

Today, pretty much any Web site owner can plunk down between $150 and $400 and purchase a secure sockets layer (SSL) certificate, a technology designed not only to protect the integrity of data submitted by customers but also to give visitors a modicum of assurance that the site takes their security seriously. By clicking on the little padlock icon in the browser that accompanies all SSL-certified sites, visitors also can gain more assurance that the SSL holder is a legitimate company and that it at least has been vetted by a certification authority to some degree.

The problem is that hardly anyone knows to check the data included in SSL certs, and even then making sense of it all is probably beyond the grasp of the average computer user. In addition, phishers increasingly are buying and incorporating SSL certs to make their scam sites appear more legitimate. Worse still, the checks that the certificate authorities currently do to verify that those seeking SSL certs have a legitimate claim to the Web site name listed on the requested cert are largely automated and not terribly hard to fool. In February, Security Fix wrote about a phishing scam that had applied for and received an SSL cert for an actual credit union in Utah.

CA/Browserforum aims to create a market for a kind of "supercert" known as "extended validation" SSL certificates. EVSSL certs would cost quite a bit more but in theory also include more rigorous vetting of the identity and legitimacy of any requesting entity. More importantly, by working with browser makers Microsoft, Mozilla, Opera Software and KDE, the two groups can agree on standardized methods for modifying the display of the visitor's browser window in more obvious ways to let users know when they are at the legitimate site of a super-cert holder. For example, the browser could be made to turn green around the address bar when the user visits what the browser recognizes as the real Bank of America site.

Bruce Schneier, a cryptography expert and chief technology officer for Counterpane Internet Security, applauded the goals of the CA/Browserforum, calling the current SSL cert validation process "laughable."

"It's a serious problem that people on the 'Net don't know the difference between a real Web site and a clever fake," Schneier said. "I think laying this infrastructure could be useful along with other things in the browser to make it more obvious," when users are at a legitimate site, he said. "This is a big problem, and this is a piece of the solution, not the solution by itself."

[Security Fix]
9:37:54 PM

News Item 7621 Report: Phishers Hooking Fewer (But Fatter) Victims.

First the good news: While the number of phishing attacks continues to increase, fewer victims report falling for the scams than a year ago.

The bad news: Those who did get hooked by a phishing e-mail lost a lot more than the average 2005 phishing victim, and had a harder time recovering that money to boot.

The findings come from a study released today by Gartner Inc., a report that includes data from some 5,000 adults who took the company's online survey in August. According to Gartner, the average loss per phishing victim nearly quintupled from $257 in 2005 to $1,244 in 2006.

Perhaps more importantly from the victims' perspective, the average percentage that victims were able to recover dropped from 80 percent in 2005 to about 54 percent in 2006. Gartner estimates that at least part of that shift is due to a change in tactics by the scam artists. While financial institutions remain the top targets of phishing attacks, fraudsters are using less-conventional or fictitious brands -- such as made up sweepstakes contests -- that have weaker or non-existent fraud controls, the report posits.

The top two targeted institutions from the Gartner survey results were eBay and PayPal, echoing similar findings this week in a study released by Phishtank, a community-based anti-phishing network.

Gartner said that bank and credit card company refunds to consumers who lose money because of phishing attacks are declining as a percentage of total refunds, while reimbursements from non-financial services companies, such as PayPal and retailers, are growing. According to Phishtank, some 1,493 distinct scam sites impersonated PayPal in the month of October alone, with another 1,210 phishing sites targeting eBay.

As major financial institutions have embraced a variety of commercial anti-phishing technologies -- from site take-down services to back-end fraud detection -- many phishers have found it more expedient to expand the scam playing field. According to a recent report from the Anti-Phishing Working Group, phishing e-mails and Web sites targeted at least 148 different brands in August, up from just 84 in January.

"When we first started seeing phishing attacks a few years back people kept saying this was a problem that was going to die down, go away," said Gartner analyst Avivah Litan. "Instead what they're doing is becoming more elusive. Instead of just saying here, come give us your credit card number, they try to lure people with $250 gift cards at Target if they sign up for a sweepstakes right away. The problem is that unlike with the banks, victims have a much harder time getting their money back when they fall for these types of scams."

Anyone interested can check out the Gartner report here. [Security Fix]

9:34:37 PM

News Item 7620 Consumers to Lose $2.8 Billion to Phishers in 2006.

Consumers to Lose $2.8 Billion to Phishers in 2006. Experts say phishing attacks continue to rise, getting more costly. [PC World: Latest Technology News]
9:30:35 PM

News Item 7619 Microsoft Releases Sony Rootkit Hunter's Tools.

Microsoft Releases Sony Rootkit Hunter's Tools. New software will assist Windows users in detecting hidden system hacks and malware. [PC World: Latest Technology News]
9:28:45 PM

News Item 7618 Microsoft to Release Six Windows Security Updates.

Microsoft to Release Six Windows Security Updates. Monthly update will patch Windows flaws but not Visual Studio bug. [PC World: Latest Technology News]
9:26:53 PM

News Item 7617 Intel Drafts Privacy License for Location-Aware Cell Phones.

Intel Drafts Privacy License for Location-Aware Cell Phones. Newly written addendum would prevent mobile electronics from becoming tracking devices by allowing consumers to opt-out. [PC World: Latest Technology News]
9:25:01 PM

News Item 7616 Government Wants Stay in AT&T Case.

The U.S. government has asked for a stay in our case against AT&T for collaborating with the NSA in illegal spying on its customers. The government also wants to halt proceedings in the other class action cases against other telecommunication companies until the U.S. 9th Circuit hears an appeal of Judge Vaughn Walker's order denying the motions to dismiss.

The government's proposed stay would not be in the interests of justice in this very important case about ongoing illegal spying on millions of ordinary Americans. Many elements of our suit can and should go forward while the 9th Circuit considers the state secrets issues. Judge Walker will consider how the case should proceed in a case management conference on November 17th in District Court in San Francisco.

[EFF: Deep Links]
9:22:06 PM

News Item 7615 EFF and Landmark: Cards on the Table.

Last week, EFF announced that it was fighting against Landmark Education's campaign to identify individuals who posted a French documentary, entitled Voyage Au Pays Des Nouveaux Gourous (Voyage to the Land of the New Gurus), that was critical of the Landmark program, and included hidden camera footage from inside a Landmark Forum event in France.

EFF is currently talking with Landmark in an attempt to reach an amicable resolution about Landmark's DMCA subpoena to Google. In the hope that we can resolve this without need of litigation, EFF has held off on filing its motion to quash that subpoena.

In the meantime, Landmark responded to our press release, according to Red Herring magazine:

"While we appreciate the work of the EFF, the allegation that our copyright claim is bogus is entirely inaccurate," [Art Schreiber, general counsel for Landmark Education] said. "The facts are clear that the Landmark Forum program has for many years been copyrighted. Materials covered by this copyright registration were included throughout the video."

While we appreciate the kind words, we disagree with Mr. Schreiber's copyright analysis. To the extent that the documentary includes any materials copyrighted by Landmark, that use is clearly for purposes of criticism and commentary, i.e., a non-infringing fair use. Yesterday we released a draft of our motion to quash, which explains in detail (see pages 11-16) why Landmark's copyright claim does not hold water. Indeed, it's not even a close call. Sorry, Landmark, but your claim is still bogus.

[EFF: Deep Links]
9:20:18 PM

News Item 7614 Electronic Voting Machine Headaches Shut Out Citizens.

Delays Mean Long Lines for Voters in Florida, Utah, and Other States

San Francisco - Problems with electronic voting machine failures kept some polls from opening, created long lines, and left many voters puzzled about whether their votes were counted in Tuesday's high stakes election.

The Electronic Frontier Foundation (EFF) joined a nationwide team of technology lawyers and other experts staffing nationwide call centers and legal command posts on Election Day. The volunteers chronicled election problems, assisted voters, and worked with election officials to pull malfunctioning machines wherever possible. By 8:00 pm ET on Tuesday, over 17,000 incidents, including machine-related problems, had been reported to the Election Protection Coalition's 866-OUR-VOTE hotline.

The types of machine problems reported to EFF volunteers were wide-ranging in both size and scope. Polls opened late for machine-related reasons in polling places throughout the country, including Ohio, Florida, Georgia, Virginia, Utah, Indiana, Illinois, Tennessee, and California. In Broward County, Florida, voting machines failed to start up at one polling place, leaving some citizens unable to cast votes for hours. EFF and the Election Protection Coalition sought to keep the polling place open late to accommodate voters frustrated by the delays, but the officials refused. In Utah County, Utah, more than 100 precincts opened one to two hours late on Tuesday due to problems with machines. Both county and state election officials refused to keep polling stations open longer to make up for the lost time, and a judge also turned down a voter's plea for extended hours brought by EFF.

"If election officials insist on depending on this unreliable technology, they should be prepared to react appropriately when things go wrong," said EFF Legal Director Cindy Cohn. "Voters should not have to bear the brunt of this poor planning. We are very disappointed that the court did not recognize that."

"Jumping vote" problems -- touchscreen machines displaying selections not intended by voters -- once again appeared across the country and across machine models. Some voters again encountered difficulty making or changing selections on touchscreen machines, resulting in long lines and frustrated voters leaving polling places. Optical scan machines also broke down in many places, most prominently in Cook County, Illinois, but also in Los Angeles, California, also leading to long delays for voters.

The national monitoring campaign was developed after many states hastily implemented flawed electronic voting machines and related election procedures. Twenty-three states still do not require a paper record of all votes, despite the demonstrated technical failures of e-voting machines in the 2004 presidential election. Without a record, voters cannot verify that the e-voting machines are recording their votes as intended, and election officials cannot conduct recounts. In addition, most of these machines use "black box" software that hasn't been publicly reviewed for security.

But poorly designed systems are not the only problem. Most election workers remain woefully under-trained regarding potential e-voting problems. Vendor technicians frequently have unsupervised access to voting equipment, and local election officials routinely deny attempts to examine e-voting audit data.

Along with supporting local election reform, EFF has helped Congressional Rep. Rush Holt's Voter Confidence and Increased Accessibility Act garner immense, bipartisan support. The bill contains several critically important election reforms, including the requirement of a paper trail for all electronic voting machines, random audits, and public availability of all code used in elections.

"Voters deserve these practical election reforms -- not long lines and unverifiable results," said EFF Staff Attorney Matt Zimmerman.

For the latest election news:
http://www.eff.org/deeplinks/

For more on EFF's e-voting efforts:
http://www.eff.org/Activism/E-voting/

Contacts:

Cindy Cohn
Legal Director
Electronic Frontier Foundation
cindy@eff.org

Matt Zimmerman
Staff Attorney
Electronic Frontier Foundation
mattz@eff.org

[EFF: Breaking News]
1:46:56 AM

News Item 7613 Privacy chiefs vow to fight surveillance together.

Call for global cooperation

A group of international data and privacy protection commissioners has decided to act together to challenge the surveillance society which they claim is developing. Commissioners from the UK, France, Germany and New Zealand will adopt common policies.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
1:43:45 AM

News Item 7612 IPv6 Security Issues.

IPv6 Security Issues. This paper, written by Samuel Sotillo, reviews some of the improvements associated with the new Internet Protocol version 6, with an emphasis on its security-related functionality. It concludes by summarizing some of the most common security concerns the new suite of protocols creates. [Infosec Writers Latest Security Papers]
1:40:07 AM