Thursday, December 7, 2006


News Item 7801 ModSecurity v2.0 Webcast.

ModSecurity v2.0 Webcast.

In response to many of the common questions and issues posted to the mail-list, we at Breach Security decided to host a webcast to help provide answers and shed some light on the new v2.0 features  - http://www.modsecurity.org/training/. This is the first of many training programs to support and enhance your use of ModSecurity and its dynamic web application security protection.

If you are interested in free training on:

  • The latest news on ModSecurity
  • Overview of the new features and rule sets in ModSecurity 2.0
  • How to install/deploy ModSecurity v2.0
  • How to migrate ModSecurity configuration and rules to the ModSecurity 2.0 format
  • Tips and tricks on using ModSecurity v2.0

The webcast is scheduled for Thursday, December 14th 2006 at 1:00pm EST. To register please click here.

[Web Security Blog]
5:22:25 PM

News Item 7800 Ten Best, Worst, and Craziest Uses of RFID.

Ten Best, Worst, and Craziest Uses of RFID. An anonymous reader writes "This top 10 rounds up what it calls 'the best, worst and craziest' uses of RFID out there -- including chipped kids at Legoland, smart pub tables that let you order drinks, smartcards for sports fans, and chipped airline passengers. The craziest use of the tech surely has to be RFID chips for Marks & Spencer suits -- you couldn't pay most people to wear one of them." [Slashdot: Your Rights Online]
5:10:13 PM

News Item 7799 High court takes 'Bong Hits for Jesus' case - CNN.com

The Supreme Court entered into a free-speech dispute Friday involving a high school student suspended over a "Bong Hits 4 Jesus" banner.

The justices accepted an appeal from a school board in Juneau, Alaska, after a federal appeals court allowed a lawsuit by the family of Joseph Frederick to proceed.

Frederick was suspended in 2002 after he unfurled the 14-foot-long banner -- a reference to marijuana use -- just outside school grounds as the Olympic torch relay moved through the Alaskan capital headed for the Winter Games in Salt Lake City, Utah.

"Bong," as noted in the appeal filed with the justices, "is a slang term for drug paraphernalia."

Even though Frederick was standing on a public sidewalk, school officials argue that he and other students were participating in a school-sponsored event. They had been let out of classes and were accompanied by their teachers.

Principal Deborah Morse ordered the 18-year-old senior to take down the sign, but he refused. That led to a 10-day suspension for violating a school policy by promoting illegal drug use.


5:00:49 PM

News Item 7798 Clinton Prosecutor Now Targeting Free Speech.

Clinton Prosecutor Now Targeting Free Speech. Virchull tells us about a case the Supreme Court has agreed to hear, in which former special prosecutor Kenneth Starr will take the side of an Alaska school board against a student who displayed a rude banner off school property. The banner read "Bong Hits 4 Jesus" and it got the student suspended. He and his parents sued the school board for violating his First Amendment rights. The case is nuanced: while the student did not display the banner on school property, he did do so during a school function. Starr is said to be arguing the case for free. [Slashdot: Your Rights Online]
4:54:51 PM

News Item 7797 Washington uses new spyware law, gets $1 million settlement

The Washington State Attorney General's office has announced a $1 million settlement in the state's first anti-spyware case. Using a new spyware law, Attorney General Rob McKenna went after Secure Computer earlier this year, charging that their "Spyware Cleaner" product had, well, a couple of flaws: it didn't work well, it deleted a user's Hosts file after installation, and it tried to convince users to "upgrade" to another program that did essentially the same thing.

But it was the way that Spyware Cleaner was marketed that attracted the Attorney General's attention in the first place. The company allegedly spammed users to advertise its product, included deceptive subject lines, failed to include an opt-out mechanism, and suggested that the product was "discounted" for a "limited time," when in reality it was always available for the same price.


4:51:31 PM

News Item 7796 Anti-Spyware Law Snags Anti-Spyware Vendor.

Anti-Spyware Law Snags Anti-Spyware Vendor. Country Lawyer writes "Washington state's anti-spyware law has just resulted in a $1 million victory for the state, the first successful prosecution under the new law. The weird thing? They sued an anti-spyware vendor." From the article: "Washington State went after the company after 1,145 state residents purchased the software and the complaints began rolling in. Secure Computer president Paul Burke will now pay $200,000 in penalties, make $75,000 worth of restitution to Washington residents, and pay another $725,000 to cover the state's attorneys' fees. The irony of an anti-spyware law being used against an anti-spyware vendor was not commented upon." [Slashdot: Your Rights Online]
4:46:58 PM

News Item 7795 The DOJ's New Spin on Blocking Software.

The DOJ's New Spin on Blocking Software. Bennett Haselton writes "In recent arguments over the constitutionality of the Child Online Protection Act, both sides have argued over the efficiency of Internet blocking software. While COPA would prohibit commercial U.S. websites from publishing freely available material that is "harmful to minors", the ACLU has argued that blocking software is a far more effective alternative, since among other things it can block porn sites located overseas, non-commercial websites, and p2p programs, all of which are beyond the reach of COPA. On the other hand, we had the surreal experience of watching the Department of Justice lawyer arguing in favor of a censorship law by saying that the blocking software alternative was unfair to children -- because it blocked too much legitimate material." The rest of Bennett's essay follows. [Slashdot: Your Rights Online]
1:59:11 PM

News Item 7794 RFID Guardian Project ( Faculty of Science : Vrije Universiteit )

Our paper at USENIX LISA 2006 just won the Best Paper Award!
The RFID Guardian Project is a collaborative project focused upon providing security and privacy in Radio Frequency Identification (RFID) systems. The goals of our project are to:
  • Investigate the security and privacy threats faced by RFID systems
  • Design and implement real solutions against these threats
  • Investigate the associated technological and legal issues

The namesake of our project is the RFID Guardian: a mobile battery-powered device that offers personal RFID security and privacy management. One of the focuses of our project is to build an RFID Guardian prototype.



1:53:03 PM


News Item 7793 RFID Personal Firewall.

RFID Personal Firewall. JanMark writes "Prof. Andrew Tanenbaum and his student Melanie Rieback (who published the RFID virus paper in March) and 3 coauthors have now published a paper on a personal RFID firewall called the RFID Guardian. This device protects its owner from hostile RFID tags and scans in his or her vicinity, while letting friendly ones through. Their work has won the Best Paper award at the USENIX LISA Conference." [Slashdot: Your Rights Online]
1:46:09 PM

News Item 7792 CDT, StopBadware.org File Joint Spyware Complaint.

CDT, StopBadware.org File Joint Spyware Complaint. CDT this week joined with StopBadware.org in urging the Federal Trade Commission (FTC) to shut down a dangerous spyware scam site. In a joint complaint, CDT and StopBadware.org describe how FastMP3Search.com.ar self-executes the installation of adware and Trojan horse applications, disables security software, sabotages valid web addresses for legitimate security companies, changes homepage settings, and severely impairs computer speed and performance, all without user consent. The complaint is the first filed jointly by the two organizations. [Center for Democracy and Technology]
1:40:33 PM

News Item 7791 Yahoo Music Continues DRM-Free Download Experiment.

Yahoo Music Continues DRM-Free Download Experiment. Yahoo selling a second song in the more flexible MP3 format. [PC World: Latest Technology News]
1:39:05 PM

News Item 7790 Background check basics.

Background check basics. Background checks mitigate risks in the hiring of workers. Yet doing them effectively can be difficult. Laws in the US relating to background checks and criminal records vary by state, and no comprehensive source of national information exists. And while the number of background check vendors has grown in recent years, many are ill-equipped. Share these ideas with HR and legal: [CSO Online Data Security Briefing]
1:36:40 PM

News Item 7789 Privacy groups rip terrorist risk-rating plan.

Privacy groups rip terrorist risk-rating plan. Privacy groups assailed a federal data mining program that assigns secret terrorist ratings to millions of U.S. citizens and foreigners traveling to and from the U.S. [Computerworld Data Mining News]
1:33:15 PM

News Item 7788 Music industry will take copyright battle to Europe.

Music industry will take copyright battle to Europe.

Damning the evidence

The recording industry's continuing bid to exploit works for an extra 45 years should be disregarded by government as not in the public interest.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
1:30:02 PM

News Item 7787 TracFone Sues to Block Cellphone Unlocking Exemption.

TracFone Sues to Block Cellphone Unlocking Exemption.

As we reported just before Thanksgiving, the Copyright Office and Library of Congress recently announced a set of new DMCA exemptions, including one that entitles a person to unlock a cellphone without worrying about DMCA liability.

Now prepaid wireless vendor TracFone has sued the Library of Congress to block the new exemption. According to the complaint, filed in federal court in Florida, the grant of the unlocking exemption

  • (1) violates the Administrative Procedures Act (APA) because the Copyright Office refused to accept TracFone's late submissions;
  • (2) violates due process; and
  • (3) violates separation of powers because "the DMCA's delegation of rulemaking authority to the Library of Congress and the Copyright Office is an unconstitutional intra-branch delegation of Congress' legislative responsibilities."

I'll admit I'm intrigued by the third argument, but I imagine people at the Copyright Office are muttering "no good deed goes unpunished" over all this.

[EFF: Deep Links]
1:28:31 PM

News Item 7786 URGENT: Spying Bill Could Let AT&T Off The Hook.

URGENT: Spying Bill Could Let AT&T Off The Hook.

The president and telephone companies are desperate to avoid accountability for the massive and illegal NSA program. Their latest trick: sneaking through a bill that could threaten cases like EFF's lawsuit against AT&T and let corporations off the hook for illegally assisting the government. We're now hearing credible rumors that the lame duck Congress could take up this proposal in the next three days.

Call your Senators now and tell them to stop the illegal spying.

When the newly-elected Congress takes office in January, key legislators may hold hearings to investigate the illegal spying program, and three federal courts have already rejected the government's bogus arguments shielding it. This latest proposal is a last-ditch effort to subvert such vigorous oversight.

And if you don't take action now, the Bush Administration and telephone companies might get away with it. Don't let that happen -- use our Action Center to find your Senators' phone numbers and take action now.

[EFF: Deep Links]
1:26:55 PM

News Item 7785 Bug Opens Word to Attack.

Bug Opens Word to Attack. Microsoft describes unpatched flaw that could corrupt PC memory and allow intruders. [PC World: Latest Technology News]
1:24:56 PM

News Item 7784 How Not to Distribute Security Patches.

How Not to Distribute Security Patches.

Over the weekend MySpace was hit by a password-stealing computer worm that took advantage of a weakness in Apple's QuickTime media player to spread rapidly among the online community's users. On Tuesday, MySpace administrators sent around a memo urging millions of users to download and install a new Apple patch to prevent future copycat attacks.

I think MySpace and Apple deserve credit for a prompt response to an obvious and serious security problem. That said, it appears as though both sides completely fumbled this patch rollout.

The memo, from MySpace's ubiquitous employee "Tom," says: "Hey, you're seeing this message because we detected that you have Quicktime on your system. Quicktime lets you watch movies on your computer. There's been a security problem with Quicktime this weekend and bad guys have been trying to phish accounts exploiting the security hole. You can protect yourself by downloading this patch to your Quicktime--it only takes 30 seconds. - Tom"

This was a genuine message sent by MySpace admins urging certain users to apply a patch that was just released (well, sort of...more on that later). But you could almost see the blank stares from the wary MySpace users who were puzzled and understandably paranoid. Check out some of the questions and comments on just one of several MySpace user forum threads from puzzled users.

According to this CNet.com story, Apple was expected on Tuesday to release a patch (as requested by the folks at MySpace), but that MySpace would be responsible for distributing the update.

Come again?

To put this in perspective, when was the last time you saw Microsoft letting anyone else distribute its patches? The simple answer is that you do not. Why is that? Because the bad guys are constantly trying to get people to install all kinds of nasty and malicious software by disguising it as an official-looking "security update."

Likewise, Apple should not let social-networking sites distribute its patches, even if it turns out to be some kind of custom-made-for-MySpace-users patch, which I seriously doubt. Apple should host its own software fixes on its own servers, period. And MySpace should simply suck it up and disable QuickTime videos until Apple is ready to host an update; people still running the older version of QuickTime could be prompted to fetch the patch directly from Apple's site.

Another issue is that the MySpace worm either exploited a security flaw in QuickTime or it took advantage of an ill-advised feature deliberately built into the software. If it is a flaw, when can the rest of the planet expect a QuickTime patch? And if it is indeed a feature intentionally built into the media player, can non-MySpace users get a copy of QuickTime without said feature? I put a query in to Apple, and will update this blog when I receive more information.

Finally, the MySpace memo urged users to click on an exceptionally long link that appears to have several layers of encoding in it -- making it unclear where the user will end up after clicking (hover over the link included in Tom's message above to see what I mean). MySpace admins grooming the masses to install patches by clicking on seemingly random links in messages is an unfortunate kind of conditioning that may well encourage further attacks against MySpace users.

[Security Fix]
1:23:25 PM
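The Security Fix item above objects to patch links buried under several layers of encoding, because the reader cannot tell where the link ends. As an added example (not code from Security Fix, MySpace or Apple), this Python script follows a link through redirect-style query parameters and repeated percent-encoding and reports whether the final destination is a vendor host; the allow-list of hosts, the redirect parameter names and the sample links are assumptions constructed for the demonstration.

```python
"""Resolve where a "patch download" link really leads before trusting it.

Added example; the host allow-list, redirect parameter names and sample
links below are constructed assumptions, not values from the article.
"""
from urllib.parse import parse_qs, unquote, urlparse

# Assumed allow-list: hosts a vendor patch should be fetched from directly.
TRUSTED_PATCH_HOSTS = {"www.apple.com", "support.apple.com"}

# Assumed names of query parameters that redirectors use to carry a target.
REDIRECT_PARAMS = ("url", "u", "redirect", "target", "dest", "goto", "r")

MAX_DEPTH = 8  # stop chasing after this many hops or decoding layers


def fully_unquote(value: str) -> str:
    """Peel repeated percent-encoding (e.g. %2525 -> %25 -> %) until stable."""
    for _ in range(MAX_DEPTH):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    return value


def resolve_link(link: str) -> list:
    """Return the chain of URLs a link passes through, outermost first.

    At each hop the query string is parsed (one encoding layer removed),
    and the first redirect-style parameter holding an absolute http(s) URL
    becomes the next hop. The chain ends when no such parameter remains,
    a loop is detected, or MAX_DEPTH hops have been followed.
    """
    chain = []
    current = link.strip()
    for _ in range(MAX_DEPTH):
        chain.append(current)
        params = parse_qs(urlparse(current).query)
        next_hop = None
        for name in REDIRECT_PARAMS:
            for candidate in params.get(name, []):
                candidate = fully_unquote(candidate)
                if urlparse(candidate).scheme in ("http", "https"):
                    next_hop = candidate
                    break
            if next_hop:
                break
        if next_hop is None or next_hop in chain:
            return chain
        current = next_hop
    return chain


def final_host(link: str) -> str:
    """Lower-cased hostname of the last URL in the resolved chain."""
    return (urlparse(resolve_link(link)[-1]).hostname or "").lower()


def is_trusted_patch_link(link: str) -> bool:
    """True only if the link's final destination is on a trusted vendor host."""
    return final_host(link) in TRUSTED_PATCH_HOSTS


# Constructed samples: a direct vendor link, and a doubly percent-encoded
# redirect whose visible host is a social-network site but whose real
# target is a third host.
DIRECT = "https://support.apple.com/downloads/quicktime"
NESTED = ("http://www.example-social.test/go?url=http%3A%2F%2Ftrack.example.test"
          "%2Fr%3Fu%3Dhttp%253A%252F%252Fpatch.example.test%252Fqt.exe")

if __name__ == "__main__":
    for link in (DIRECT, NESTED):
        print(" -> ".join(resolve_link(link)),
              "| trusted:", is_trusted_patch_link(link))
```

The NESTED sample resolves through three hops to patch.example.test, which is not on the allow-list, so the check rejects it even though the link a user sees starts with the social-network host.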

News Item 7783 Proposed Solution For Google's "Click-to-Call" Caller-ID Problem.

Proposed Solution For Google's "Click-to-Call" Caller-ID Problem. Greetings. In a recent blog entry, I discussed my concerns about Google's new "Click-to-Call" service, especially key issues regarding Google's handling of caller-ID in this service. Now I'd like to propose a specific solution. [Lauren Weinstein's Blog]
1:21:41 PM

News Item 7782 NIST Recommends Not Certifying Paperless Voting Machines.

NIST Recommends Not Certifying Paperless Voting Machines.

In an important development in e-voting policy, NIST has issued a report recommending that the next-generation federal voting-machine standards be written to prevent (re-)certification of today's paperless e-voting systems. (NIST is the National Institute of Standards and Technology, a government agency, previously called the National Bureau of Standards, that is a leading source of independent technology expertise in the U.S. government.) The report is a recommendation to another government body, the Technical Guidelines Development Committee (TGDC), which is drafting the 2007 federal voting-machine standards. The new report is notable for its direct tone and unequivocal recommendation against unverifiable paperless voting systems, and for being a recommendation of NIST itself and not just of the report's individual authors.

[UPDATE (Dec. 2): NIST has now modified the document's text, for example by removing the "NIST recommends" language in some places and adding a preface saying it is only a discussion draft.]

The key concept in the report is software independence.

A voting system is software-independent if a previously undetected change or error in its software cannot cause an undetectable change or error in an election outcome. In other words, it can be positively determined whether the voting system's (typically, electronic) CVRs [cast-vote records] are accurate as cast by the voter or in error.

This gets to the heart of the problem with paperless voting: we can't be sure the software in the machines on election day will work as expected. It's difficult to tell for sure which software is present, and even if we do know which software is there we cannot be sure it will behave correctly. Today's paperless e-voting systems (known as DREs) are not software-independent.

NIST does not know how to write testable requirements to make DREs secure, and NIST's recommendation to the STS [a subcommittee of the TGDC] is that the DRE in practical terms cannot be made secure. Consequently, NIST and the STS recommend that [the 2007 federal voting standard] should require voting systems to be [software independent].

In other words, NIST recommends that the 2007 standard should be written to exclude DREs.

Though the software-independence requirement and condemnation of DREs as unsecureable will rightly get most of the attention, the report makes three other good recommendations. First, attention should be paid to improving the usability and accessibility of voting systems that use paper. Second, the 2007 standard should include high-level discussion of new approaches to software independence, such as fancy cryptographic methods. Third, more research is needed to develop new kinds of voting technologies, with special attention paid to improving usability.

Years from now, when we look back on the recent DRE fad with what-were-we-thinking hindsight, we'll see this NIST report as a turning point.

[Freedom to Tinker]
1:18:38 PM

News Item 7781 Spam is Back.

Spam is Back.

A quiet trend broke into the open today, when the New York Times ran a story by Brad Stone on the recent increase in email spam. The story claims that the volume of spam has doubled in recent months, which seems about right. Many spam filters have been overloaded, sending system administrators scrambling to buy more filtering capacity.

Six months ago, the conventional wisdom was that we had gotten the upper hand on spammers by using more advanced filters that relied on textual analysis, and by identifying and blocking the sources of spam. akismet), but that could change. If the blog spammers get as clever as the email spammers, we'll be in big trouble.

[Freedom to Tinker]
1:17:32 PM

News Item 7780 Spam Doubles, Finding New Ways to Deliver Itself - New York Times

Hearing from a lot of new friends lately? You know, the ones that write "It's me, Esmeralda," and tip you off to an obscure stock that is "poised to explode" or a great deal on prescription drugs.

You're not the only one. Spam is back -- in e-mail in-boxes and on everyone's minds. In the last six months, the problem has gotten measurably worse. Worldwide spam volumes have doubled from last year, according to Ironport, a spam filtering firm, and unsolicited junk mail now accounts for more than 9 of every 10 e-mail messages sent over the Internet.

Much of that flood is made up of a nettlesome new breed of junk e-mail called image spam, in which the words of the advertisement are part of a picture, often fooling traditional spam detectors that look for telltale phrases. Image spam increased fourfold from last year and now represents 25 to 45 percent of all junk e-mail, depending on the day, Ironport says.

The antispam industry is struggling to keep up with the surge. It is adding computer power and developing new techniques in an effort to avoid losing the battle with the most sophisticated spammers.

It wasn't supposed to turn out this way. Three years ago, Bill Gates, Microsoft's chairman, made an audacious prediction: the problem of junk e-mail, he said, "will be solved by 2006." And for a time, there were signs that he was going to be proved right.


1:16:18 PM
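The article above explains that image spam defeats filters that look for telltale phrases because the pitch is carried in a picture. As an added example (not code from the Times or from Ironport), this Python script shows both sides of that point on two constructed messages: a phrase filter built from the article's own "poised to explode" and "prescription drugs" misses the image message, while a structural heuristic that notices an attached image next to a near-empty text body catches it; the message contents and the 40-character threshold are assumptions.

```python
"""Contrast a phrase-based spam check with an image-spam heuristic.

Added example; the two messages, the phrase list and the text-length
threshold are constructed for the demonstration.
"""
from email import message_from_string
from email.message import Message

TELLTALE_PHRASES = ("poised to explode", "prescription drugs")
MIN_TEXT_CHARS = 40  # assumed: below this the text body says almost nothing


def text_chars(msg: Message) -> int:
    """Visible characters across every text/* part of the message."""
    total = 0
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            total += len(raw.decode(charset, "replace").strip())
    return total


def image_bytes(msg: Message) -> int:
    """Decoded size of every image/* part (0 when there is no image)."""
    return sum(len(part.get_payload(decode=True) or b"")
               for part in msg.walk()
               if part.get_content_maintype() == "image")


def has_telltale_phrase(raw: str) -> bool:
    """Classic text filter: scan the decoded text parts for known phrases."""
    msg = message_from_string(raw)
    text = " ".join(
        (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    text = text.lower()
    return any(phrase in text for phrase in TELLTALE_PHRASES)


def looks_like_image_spam(raw: str) -> bool:
    """Heuristic: an image is present and the text body is near-empty."""
    msg = message_from_string(raw)
    return image_bytes(msg) > 0 and text_chars(msg) < MIN_TEXT_CHARS


# Constructed sample 1: the pitch lives in the attached image (a tiny
# base64 GIF); the text part says almost nothing for a phrase filter to see.
IMAGE_SPAM = """\
From: Esmeralda <esmeralda@example.test>
To: you@example.test
Subject: hi again
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

It's me

--b1
Content-Type: image/gif; name="pitch.gif"
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--b1--
"""

# Constructed sample 2: old-style text spam that a phrase filter catches.
TEXT_SPAM = """\
From: Esmeralda <esmeralda@example.test>
To: you@example.test
Subject: hi again
Content-Type: text/plain; charset="us-ascii"

It's me, Esmeralda. This obscure stock is poised to explode, and I also
found a great deal on prescription drugs for you.
"""

if __name__ == "__main__":
    for name, raw in (("IMAGE_SPAM", IMAGE_SPAM), ("TEXT_SPAM", TEXT_SPAM)):
        print(name, "phrase filter:", has_telltale_phrase(raw),
              "image heuristic:", looks_like_image_spam(raw))
```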

News Item 7779 CDT, Other Privacy Advocates Oppose Traveler Profiling System.

CDT, Other Privacy Advocates Oppose Traveler Profiling System. CDT joined other privacy groups and experts in urging the Department of Homeland Security to curtail a program that has been assigning "risk assessments" to American citizens traveling abroad and compiling detailed itinerary information on all persons, including citizens, entering and leaving the country. The government is seeking to retroactively exempt from key Privacy Act protections the "Automated Targeting System," launched secretly sometime in the past several years. Earlier this week, CDT and other privacy advocates joined comments drafted by the Electronic Privacy Information Center opposing the system. [Center for Democracy and Technology]
1:13:39 PM

News Item 7778 Microsoft: Attacks Targeting Unpatched Word Flaw.

Microsoft: Attacks Targeting Unpatched Word Flaw.

Microsoft warned on Tuesday that it has received reports of online criminals attacking a previously undocumented (and unpatched) security hole in various versions of its Microsoft Word application.

In an advisory, Microsoft said the problem is present in Microsoft Word 2000, Microsoft Word 2002, Microsoft Office Word 2003, Microsoft Word Viewer 2003, Microsoft Word 2004 for Mac, and Microsoft Word 2004 v. X for Mac, as well as Microsoft Works 2004, 2005 and 2006.

Microsoft said it is working on a patch to fix the problem, but the earliest that users are likely to see it would be Dec. 12, the company's next regularly scheduled patch release date.

That's probably expecting too much too soon, however. So far this year, according to my tally, Microsoft has taken roughly 26 days on average to issue patches for critical Word or other Office related flaws that were being actively exploited in the wild. That data comes from another time-to-patch analysis that I'm working on that examines how quickly Microsoft responded to security flaws either reported to them directly or discovered being exploited in the wild in 2006.

In the meantime, Microsoft urged users to avoid opening or saving "Word files that you receive from un-trusted sources or that you receive unexpectedly from trusted sources."

But you've already adopted that security posture, haven't you? Of course you have.

[Security Fix]
1:11:33 PM

News Item 7777 Federal voting-machine standards - Paper Trail Standard Advances.

Paper Trail Standard Advances.

On Tuesday, the Technical Guidelines Development Committee (TGDC), the group drafting the next-generation Federal voting-machine standards, voted unanimously to have the standards require that new voting machines be software-independent, which in practice requires them to have some kind of paper trail.

(Officially, TGDC is drafting "guidelines", but the states generally require compliance with the guidelines, so they are de facto standards. For brevity, I'll call them standards.)

The first attempt to pass such a requirement failed on Monday, on a 6-6 vote; but a modified version passed unanimously on Tuesday. The most interesting modification was an exception for existing machines: new machines will have to be software-independent but already existing machines won't. There's no scientific or security rationale for treating new and old machines differently, so this is clearly a political compromise designed to lower the cost of compliance by sacrificing some security.

If you believe, as almost all computer scientists do, that paper trails are necessary today for security, you'll be happy to see the requirement for new machines, but disappointed that existing paperless voting machines will be allowed to persist.

Whether you see the glass as half full or half empty depends on whether you see the quest for paper trails as mainly legal or mainly political, that is, whether you look to courts or legislatures for progress.

In court, the exception for existing machines will be strong, assuming it's written clearly into the standard. It will be hard to get rid of the old machines by filing lawsuits, or at least the new standards won't be useful in court. If anything, the new standards may be seen as ratifying the decision to stick with old, insecure machines.

In legislatures, on the other hand, the standard will be an official ratification of the fact that paper trails are preferable. The latest, greatest technology will use paper trails, and paperless designs will look old-fashioned. The exception for old machines will look like a money-saving compromise, and few legislators will want to be seen as risking democracy to save money.

As for me, I see legislatures more than courts, and politics more than lawyering, as driving the trend toward paper trails. Thirty-five states either have a paper trail statewide or require one to be adopted by 2008. The glass is already 70% full, and the new standards will help fill it the rest of the way.

[Freedom to Tinker]
1:08:10 PM