Tuesday, March 6, 2007


News Item 8678 Your Wi-Fi can tell people a lot about you | CNET News.com

ARLINGTON, Va.--Simply booting up a Wi-Fi-enabled laptop can tell people sniffing wireless network traffic a lot about your computer--and about you.

Soon after a computer powers up, it starts looking for wireless networks and network services. Even if the wireless hardware is then shut off, a snoop may already have caught interesting data. Much more information can be plucked out of the air if the computer is connected to an access point, in particular an access point without security.

"You're leaking all kinds of information that an attacker can use," David Maynor, chief technology officer at Errata Security, said Thursday in a presentation at the Black Hat DC event here. "If the government was taking this information from you, people would be up in arms. Yet you're leaking this voluntarily using your laptop at the airport."

There are many tools that let anyone listen in on wireless network traffic. These tools can capture information such as usernames and passwords for e-mail accounts and instant message tools as well as data entered into unsecured Web sites. At the annual Defcon hacker gathering, a "wall of sheep" always lists captured log-in credentials.

Errata has developed another network sniffer that looks for traffic using 25 protocols, including those for the popular instant message clients as well as DHCP, SNMP, DNS and HTTP. This means the sniffer will capture requests for network addresses, network management tools, Web site queries, Web traffic and more.


10:20:57 PM

News Item 8677 A Network Sniffer On Steroids.

A Network Sniffer On Steroids. QuantumCrypto writes "Errata has developed a new network sniffer, dubbed 'Ferret,' that looks for traffic using 25 protocols, including those for the popular instant message clients as well as DHCP, SNMP, DNS and HTTP. This means the sniffer will capture requests for network addresses, network management tools, Web site queries, Web traffic and more. 'You don't realize how much you're making public, so I wrote a tool that tells you,' said Robert Graham, Errata's chief executive. Errata has released the source code to this version 1.0, 'feature-poor and buggy' tool on its site. Anyone with a wireless card will be able to run it, Graham said." [Slashdot: Your Rights Online]
10:14:20 PM

News Item 8676 Macworld: News: France bans citizen journalists from reporting violence

The French Constitutional Council has approved a law that criminalizes the filming or broadcasting of acts of violence by people other than professional journalists. The law could lead to the imprisonment of eyewitnesses who film acts of police violence, or operators of Web sites publishing the images, one French civil liberties group warned on Tuesday.

The council chose an unfortunate anniversary to publish its decision approving the law, which came exactly 16 years after Los Angeles police officers beating Rodney King were filmed by amateur videographer George Holliday on the night of March 3, 1991. The officers' acquittal at the end on April 29, 1992 sparked riots in Los Angeles.

If Holliday were to film a similar scene of violence in France today, he could end up in prison as a result of the new law, said Pascal Cohet, a spokesman for French online civil liberties group Odebi. And anyone publishing such images could face up to five years in prison and a fine of €75,000 (US$98,537), potentially a harsher sentence than that for committing the violent act.


10:10:30 PM

News Item 8675 In France, Only Journalists Can Film Violence.

In France, Only Journalists Can Film Violence. BostonBTS sends word that the French Constitutional Council has just made it illegal to film violence unless you are a professional journalist (or to distribute a video containing violence). The law was approved exactly 16 years after amateur videographer George Holliday filmed Los Angeles police officers beating Rodney King. The Council was tidying up a body of law about offenses against the public order, and wanted to ban "happy slapping." A charitable reading would be that the lawmakers stumbled into unintended consequences. Not according to Pascal Cohet, a spokesman for French online civil liberties group Odebi: "The broad drafting of the law so as to criminalize the activities of citizen journalists unrelated to the perpetrators of violent acts is no accident, but rather a deliberate decision by the authorities, said [Cohet]. He is concerned that the law, and others still being debated, will lead to the creation of a parallel judicial system controlling the publication of information on the Internet." [Slashdot: Your Rights Online]
10:07:13 PM

News Item 8674 Cybercrime Treaty: What it Means to You

In that vein, in August the Senate ratified the Convention on Cybercrime, drafted by the Council of Europe with considerable input from the United States. So far, 43 nations have signed on. The Convention includes many sensible provisions aimed at unifying global computer-crime laws, and closes loopholes that make it possible for criminals to escape prosecution by locating their activities offshore.

But civil libertarians, along with leading telecommunications companies, strongly oppose the treaty. Civil libertarians are especially concerned about the sweeping authority given to participating countries to seize information from private parties as they investigate cybercrimes, even when the activity being investigated isn't a crime in the country where the data is located. If France is investigating a sale of Nazi memorabilia on eBay, the U.S. must cooperate, even though such transactions are not illegal in the U.S.

Telecommunications companies object to provisions that require member countries to establish and enforce potent data-retention policies for network traffic, and require any operator of a computer network to respond to requests for information from any participating country without compensation of any kind.

These are potentially serious problems, especially given that the Convention is open to any country that wants to join. But there are more practical reasons U.S. businesses should be concerned. The provisions for data retention and production apply to any operator of a computer network, not just telecoms. Worse, Article 12 attaches liability to businesses for "lack of supervision or control" of employees who commit criminal offenses covered by the Convention. Businesses must worry about employee activities that may be legal here, but illegal elsewhere, risking administrative, civil, or even criminal penalties.

These investigative and supervision costs will invariably be imposed on businesses without any real controls. Worldwide law-enforcement agencies, in other words, may now avail themselves of the opportunity to outsource their most expensive problems to you.


9:53:57 PM

News Item 8673 Cybercrime Treaty -- Hidden Costs For All.

Cybercrime Treaty -- Hidden Costs For All. linuxtelephony writes in with an article at CIO Insight about a cybercrime treaty drafted in Europe with help from the US. It has implications for just about everyone with a network. From the article: "Civil libertarians are especially concerned about the sweeping authority given to participating countries to seize information from private parties as they investigate cybercrimes, even when the activity being investigated isn't a crime in the country where the data is located... Telecommunications companies object to provisions that require member countries to establish and enforce potent data-retention policies for network traffic, and require any operator of a computer network to respond to requests for information from any participating country without compensation of any kind... The provisions for data retention and production apply to any operator of a computer network, not just telecoms... Worldwide law-enforcement agencies, in other words, may now avail themselves of the opportunity to outsource their most expensive problems to you." [Slashdot: Your Rights Online]
9:48:08 PM

News Item 8672 Bagle Worm Still Swarming over the Net.

Bagle Worm Still Swarming over the Net. Three years after it first appeared, the Bagle is still in business, with many anti-virus engines unable to keep up, a security vendor claims [PC World: Latest Technology News]
9:36:02 PM

News Item 8671 Action Alert: Repeal the REAL ID Act!

The federal government has taken another step towards forcing you to carry a national ID in order to get on airplanes, open a bank account, enter federal buildings, and much more. But with state legislatures and Congressional representatives increasingly turning against the REAL ID Act, you can help stop this costly, privacy-invasive mandate -- voice your opposition now.

On March 1, the Department of Homeland Security (DHS) released draft regulations [PDF] for implementing REAL ID, which makes states standardize drivers licenses and create a vast national database linking all of the ID records together. Once in place, uses of the IDs and database will inevitably expand to facilitate a wide range of tracking and surveillance activities. Remember, the Social Security number started innocuously enough, but it has become a prerequisite for a host of government services and been co-opted by private companies to create massive databases of personal information.

REAL ID won't just cost you your privacy. The states and individual taxpayers bear the estimated 23 billion dollar burden of implementing the law, and that figure is probably low given that the necessary verification systems don't exist yet.

And what will you get in return? Not improved national security, because IDs do little to stop those who haven't already been identified as threats, and wrongdoers will still be able to create fake documents.

REAL ID is fundamentally flawed, and DHS' proposed regulations do nothing to change that. Thankfully, the tide is turning against REAL ID in a big way -- state legislatures around the country are passing or considering legislation rejecting its implementation, and Congress is considering repealing it.

The DHS regulations mean that states must have an implementation plan ready by October 2007. Make sure your Congressional representatives support the repeal of REAL ID before it's too late.

For more information, check out San Jose Mercury News' recent editorial opposing REAL ID as well as the ACLU's Realnightmare.org.

[EFF: Deep Links]
9:24:48 PM

News Item 8670 WH Privacy Board OKs Eavesdropping.

Privacy Board OKs Eavesdropping. A secretive White House privacy board says two Bush surveillance programs -- electronic eavesdropping and financial tracking -- do not violate citizens' civil liberties. By the Associated Press. [Wired News: Top Stories]
12:44:09 PM

News Item 8669 Blue Box #52: Skype spyware? Cisco SIP issue again, secure call recording, Phil Zimmermann on VON Magazine, US Congress and Caller ID, ringjacking, Skype security, VoIP security, listener comments and more.

Synopsis: Skype spyware? Cisco SIP issue again, secure call recording, Phil Zimmermann on VON Magazine, US Congress and Caller ID, ringjacking, Skype security, VoIP security, listener comments and more

[Blue Box: The VoIP Security Podcast]
12:25:11 PM

News Item 8668 China Blocks LiveJournal.

China Blocks LiveJournal. Beijing cuts its people off from 1.8 million blogs with the push of a button. By Quinn Norton. [Wired News: Security Blanket]
12:20:10 PM

News Item 8667 Wal-Mart fires technician who recorded phone calls.

Wal-Mart fires technician who recorded phone calls. Wal-Mart Stores Inc. said it fired a systems technician for intercepting text messages of people who were not Wal-Mart employees and for recording telephone conversations with a New York Times reporter without authorization. [Computerworld Privacy News]
12:18:41 PM

News Item 8666 Good shoppers may find their info sold (New Zealand and Australia)

Credit information companies will have the power to sell detailed records about responsible borrowers, not just those in serious debt, as part of a current review of privacy laws in New Zealand and Australia.

Veda Advantage chief executive Andrew Want says a sweeping review of privacy laws could see the company introduce a service by 2009 providing information about consumers who are a good credit risk.

Currently, it is illegal to sell such information.

But work by the Privacy Commission in Australia to streamline privacy rules between federal and state governments, and to bring them in line with the current developments with technology, could change that.


12:15:46 PM

News Item 8665 Anti-terror tests broke law, says watchdog - 03/01/07 - Tennessean.com

The Department of Homeland Security is testing a data-mining program that would attempt to spot terrorists by combing vast amounts of information about average Americans, such as flight and hotel reservations.

The new program, similar to a Pentagon program that Congress killed in 2003 over concerns about civil liberties, could take effect as soon as next year.

But system testers probably already have violated privacy laws by reviewing real information, instead of fake data, a source familiar with a congressional investigation into the $42.5 million program told The Washington Post.

The program, called Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE), is on the cutting edge of analytical technology that applies mathematical algorithms to uncover hidden relationships in data. The idea is to troll a vast sea of information and extract suspicious people, places and other elements based on their links and behavioral patterns.

The privacy violation is described in a Government Accountability Office report due out soon. "Undoubtedly there are likely to be more," GAO Comptroller David Walker said recently.


12:13:09 PM

News Item 8664 Apple Patches QuickTime Holes.

Apple on Monday issued security patches to plug multiple security holes in its QuickTime media player software. The new version of the player -- QuickTime 7.1.5 -- fixes at least eight separate and serious vulnerabilities.

Updates are available for Mac OS X, Windows 2000, Windows XP and Windows Vista versions. Mac users can get the latest version either from Apple's site or via the built-in Software Update feature. Windows users with recent versions of QuickTime installed will already have Apple's Software Update program and should use that to get this latest version. Alternatively, Windows users can download it by following this link.

[Security Fix]
12:04:12 PM

News Item 8663 Month of PHP Bugs Gets Rolling.

Month of PHP Bugs Gets Rolling. Developer launches a Month of PHP Bugs project with 11 bugs in five days. [PC World: Latest Technology News]
11:58:44 AM

News Item 8662 Rootkits Evade Hardware Detection.

Rootkits Evade Hardware Detection. Sophisticated rootkits can hide from even the most reliable detection method currently available--hardware-based products, security researchers say. [PC World: Latest Technology News]
11:57:14 AM

News Item 8661 Tonight (Tuesday) on Nightline - The NSA at AT&T

Tonight (Tuesday) on Nightline is an episode on the NSA having a monitoring station in the AT&T wire room. They have the guy who originally broke the story being interviewed tonight.

11:55:07 AM