| |
|
Tuesday, March 6, 2007
|
|
ARLINGTON, Va.--Simply booting up a Wi-Fi-enabled laptop can tell
people sniffing wireless network traffic a lot about your computer--and
about you.
Soon after a computer powers up, it starts looking for wireless
networks and network services. Even if the wireless hardware is then
shut-off, a snoop may already have caught interesting data. Much more
information can be plucked out of the air if the computer is connected to an access point, in particular an access point without security. "You're leaking all kinds of information that an attacker can use,"
David Maynor, chief technology officer at Errata Security, said
Thursday in a presentation at the Black Hat DC event here. "If the
government was taking this information from you, people would be up in
arms. Yet you're leaking this voluntarily using your laptop at the
airport."
There are many tools that let anyone listen in on wireless network traffic.
These tools can capture information such as usernames and passwords for
e-mail accounts and instant message tools as well as data entered into
unsecured Web sites. At the annual Defcon hacker gathering, a "wall of
sheep" always lists captured log-in credentials.
Errata has developed another network sniffer that looks for
traffic using 25 protocols, including those for the popular instant
message clients as well as DHCP, SNMP, DNS and HTTP. This means the
sniffer will capture requests for network addresses, network management
tools, Web sites queries, Web traffic and more.
10:20:57 PM 
|
|
A Network Sniffer On Steroids.
QuantumCrypto writes "Errata has developed a new network sniffer,
dubbed 'Ferret,' that looks for traffic using 25 protocols, including
those for the popular instant message clients as well as DHCP, SNMP,
DNS and HTTP. This means the sniffer will capture requests for network
addresses, network management tools, Web sites queries, Web traffic and
more. 'You don't realize how much you're making public, so I wrote a
tool that tells you,' said Robert Graham, Errata's chief executive.
Errata has released the source code
to this version 1.0, 'feature-poor and buggy' tool on its site. Anyone
with a wireless card will be able to run it, Graham said." [Slashdot: Your Rights Online]
10:14:20 PM
|
|
The French Constitutional Council has approved a law that
criminalizes the filming or broadcasting of acts of violence by people
other than professional journalists. The law could lead to the
imprisonment of eyewitnesses who film acts of police violence, or
operators of Web sites publishing the images, one French civil
liberties group warned on Tuesday.
The council chose an unfortunate anniversary to publish its decision
approving the law, which came exactly 16 years after Los Angeles police
officers beating Rodney King were filmed by amateur videographer George
Holliday on the night of March 3, 1991. The officers' acquittal at the
end on April 29, 1992 sparked riots in Los Angeles.
If Holliday were to film a similar scene of violence in France
today, he could end up in prison as a result of the new law, said
Pascal Cohet, a spokesman for French online civil liberties group
Odebi. And anyone publishing such images could face up to five years in
prison and a fine of â[not equal]¬75,000 (US$98,537), potentially a harsher
sentence than that for committing the violent act.
10:10:30 PM
|
|
In France, Only Journalists Can Film Violence.
BostonBTS sends word that the French Constitutional Council has just made it illegal to film violence unless you are a professional journalist
(or to distribute a video containing violence). The law was approved
exactly 16 years after amateur videographer George Holliday filmed Los
Angeles police officers beating Rodney King. The Council was tidying up a body of law about offenses against the public order, and wanted to ban "happy slapping."
A charitable reading would be that the lawmakers stumbled into
unintended consequences. Not according to Pascal Cohet, a spokesman for
French online civil liberties group Odebi: --- "The broad drafting of
the law so as to criminalize the activities of citizen journalists
unrelated to the perpetrators of violent acts is no accident, but
rather a deliberate decision by the authorities, said [Cohet]. He is
concerned that the law, and others still being debated, will lead to
the creation of a parallel judicial system controlling the publication
of information on the Internet." a href="http://yro.slashdot.org/">Slashdot: Your Rights Online]
10:07:13 PM
|
|
In that vein, in August the Senate ratified the Convention on
Cybercrime, drafted by the Council of Europe with considerable input
from the United States. So far, 43 nations have signed on. The
Convention includes many sensible provisions aimed at unifying global
computer-crime laws, and closes loopholes that make it possible for
criminals to escape prosecution by locating their activities offshore.
But civil libertarians, along with leading telecommunications
companies, strongly oppose the treaty. Civil libertarians are
especially concerned about the sweeping authority given to
participating countries to seize information from private parties as
they investigate cybercrimes, even when the activity being investigated
isn't a crime in the country where the data is located. If France is
investigating a sale of Nazi memorabilia on eBay, the U.S. must
cooperate, even though such transactions are not illegal in the U.S.
Telecommunications companies object to provisions that require member
countries to establish and enforce potent data-retention policies for
network traffic, and require any operator of a computer network to
respond to requests for information from any participating country
without compensation of any kind.
These are potentially serious problems, especially given that the
Convention is open to any country that wants to join. But there are
more practical reasons U.S. businesses should be concerned. The
provisions for data retention and production apply to any operator of a
computer network, not just telecoms. Worse, Article 12 attaches
liability to businesses for "lack of supervision or control" of
employees who commit criminal offenses covered by the Convention.
Businesses must worry about employee activities that may be legal here,
but illegal elsewhere, risking administrative, civil, or even criminal
penalties.
These investigative and supervision costs will invariably be
imposed on businesses without any real controls. Worldwide
law-enforcement agencies, in other words, may now avail themselves of
the opportunity to outsource their most expensive problems to you.
9:53:57 PM
|
|
Cybercrime Treaty [~] Hidden Costs For All. linuxtelephony writes in with an article at CIO Insight about a cybercrime treaty drafted in Europe with help from the US. It has implications for just about everyone with a network. From the article: "Civil libertarians are especially concerned about the sweeping authority given to participating countries to seize information from private parties as they investigate cybercrimes, even when the activity being investigated isn't a crime in the country where the data is located... Telecommunications companies object to provisions that require member countries to establish and enforce potent data-retention policies for network traffic, and require any operator of a computer network to respond to requests for information from any participating country without compensation of any kind... The provisions for data retention and production apply to any operator of a computer network, not just telecoms... Worldwide law-enforcement agencies, in other words, may now avail themselves of the opportunity to outsource their most expensive problems to you." [Slashdot: Your Rights Online]
9:48:08 PM
|
|
Action Alert: Repeal the REAL ID Act! The federal government has taken another step towards forcing you to carry a national ID in order to get on airplanes, open a bank account, enter federal buildings, and much more. But with state legislatures and Congressional representatives increasingly turning against the REAL ID Act, you can help stop this costly, privacy-invasive mandate -- voice your opposition now.
On March 1, the Department of Homeland Security (DHS) released draft regulations [PDF] for implementing REAL ID, which makes states standardize drivers licenses and create a vast national database linking all of the ID records together. Once in place, uses of the IDs and database will inevitably expand to facilitate a wide range of tracking and surveillance activities. Remember, the Social Security number started innocuously enough, but it has become a prerequisite for a host of government services and been co-opted by private companies to create massive databases of personal information.
REAL ID won't just cost you your privacy. The states and individual taxpayers bear the estimated 23 billion dollar burden of implementing the law, and that figure is probably low given that the necessary verification systems don't exist yet.
And what will you get in return? Not improved national security, because IDs do little to stop those who haven't already been identified as threats, and wrongdoers will still be able to create fake documents.
REAL ID is fundamentally flawed, and DHS' proposed regulations do nothing to change that. Thankfully, the tide is turning against REAL ID in a big way -- state legislatures around the country are passing or considering legislation rejecting its implementation, and Congress is considering repealing it.
The DHS regulations mean that states must have an implementation plan ready by October 2007. Make sure your Congressional representatives support the repeal of REAL ID before it's too late.
For more information, check out San Jose Mercury News' recent editorial opposing REAL ID as well as the ACLU's Realnightmare.org. [EFF: Deep Links]
9:24:48 PM
|
|
Blue Box #52: Skype spyware? Cisco SIP issue again, secure call recording, Phil Zimmermann on VON Magazine, US Congress and Caller ID, ringjacking, Skype security, VoIP security, listener comments and more.
Synopsis: Skype spyware? Cisco SIP issue again, secure call recording, Phil Zimmermann on VON Magazine, US Congress and Caller ID, ringjacking, Skype security, VoIP security, listener comments and more
12:25:11 PM
|
|
The Department of Homeland Security is testing a data-mining program that would attempt to spot terrorists by combing vast amounts of information about average Americans, such as flight and hotel reservations.The new program, similar to a Pentagon program that Congress killed in 2003 over concerns about civil liberties, could take effect as soon as next year. But system testers probably already have violated privacy laws by reviewing real information, instead of fake data, a source familiar with a congressional investigation into the $42.5 million program told The Washington Post. The program, called Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE), is on the cutting edge of analytical technology that applies mathematical algorithms to uncover hidden relationships in data. The idea is to troll a vast sea of information and extract suspicious people, places and other elements based on their links and behavioral patterns. The privacy violation is described in a Government Accountability Office report due out soon. "Undoubtedly there are likely to be more," GAO Comptroller David Walker said recently.
12:13:09 PM
|
|
Tonight(Tuesday) on Nightline is an episode on the NSA having a monitoring station in the AT&T wire room. They have the guy who originally broke the story being interviewed tonight.
11:55:07 AM
|
|
|
© Copyright 2007 Paul Hardwick.
Last update: 3/18/07; 6:27:33 PM.
|
|
|
