Tracking
Tracking technology and projects.

  Friday, August 4, 2006


Hackers Clone E-Passports. The United States swears RFID tags can secure travelers' documents against forgery. But German experts clone the chips at will, while another group shows how terrorists might build a passport-triggered roadside bomb. Kim Zetter reports from the Black Hat conference in Las Vegas. [Wired News: Security Blanket]
6:12:26 PM    

Senate approves cybercrime treaty. The Senate has ratified the long-neglected Council of Europe's Convention on Cybercrime, a cybercrime treaty that supporters say would allow greater international cooperation in cybercrime investigations. Opponents, however, question its protections for privacy and human rights. [Computerworld Privacy News]
6:03:59 PM    

Voting Security Attacked In Court Again.

Here we go again. Despite all of our efforts to dispel the false dichotomy between secure voting and accessible voting, a shrinking but vocal minority of the disability rights community continues to take steps to prevent more secure voting by claiming that it will violate the rights of the disabled. They've now filed a federal lawsuit in San Francisco, called PVA v. McPherson, to try to turn back the clock -- and force Californians back into insecure, inauditable voting systems. This argument was wrong when it was rejected by a federal judge in 2004 and it's still wrong now.

[EFF: Deep Links]
5:55:55 PM    

NSA Suit Temporarily Halted.

The Electronic Frontier Foundation's lawsuit against AT&T for its alleged complicity in the government's warrantless wiretapping program came to a sharp, though possibly temporary halt Wednesday.

Judge Vaughn Walker, who allowed the suit to go forward despite the government's claim that the lawsuit would endanger national security, called a temporary halt to the proceedings.

AT&T, which had until Thursday to answer the allegations in the EFF's original complaint, told the judge it could not do so without revealing state secrets -- so the company wants not to have to answer until an appeals court hears the government's appeal (and possibly its own as well).

Walker granted the stay (.pdf), at least until the planned August 8 hearing, when the government and AT&T can argue to have the whole case stayed while both attempt to get the Ninth Circuit to hear their appeal of Walker's decision not to toss the case.

For its part, the EFF wants the case to proceed while the appeals are pending. The civil liberties group argues that there is an ongoing and massive violation of AT&T's customers' rights and that there are portions of the case that don't involve "state secrets."

The case is Hepting vs. ATT Corp.

Photo: CarbonNYC

[27B Stroke 6]
5:43:28 PM    

Last Chance for a Chipless Passport?


The e-passport is coming. The e-passport is coming.

After much ado, the United States has begun or will begin issuing passports with RFID chips in them.

The passports now have some anti-skimming features, including Basic Access Control and some sort of internal tin-foil hat.

But the chips are readily clonable, and some security experts still aren't sure they are a good idea. Also, it's just plain creepy to be on the same level as a pallet from WalMart.

You might still be able to get a passport without the chip and that passport will be good for 10 years -- long enough to get you to the point where new passports will be RFID chips implanted in your neck.

Travel privacy guru Edward Hasbrouck had a good post up in May about how to maximize your chances of getting a chip-less passport, which involves a little extra money and a refundable ticket. The trick still might work.

You can also make sure your passport lasts longer by including with your application a written letter that says you need extra pages.

The government's page on getting a new passport is here, and renewals are here, but so far, the State Department hasn't returned my call asking if they are actually issuing the passports, though the last report I read was that they were starting with the Denver office.

Photo: Jesse Edwards

[27B Stroke 6]
5:35:07 PM    

Javascript Attacks on Steroids.

LAS VEGAS -- Just sat through a rather disturbing presentation here at Black Hat on how bad guys can use Javascript to circumvent hardware and software firewalls and wreak havoc on a target's internal network.

Jeremiah Grossman and T.C. Niedzialkowski, both of Santa Clara, Calif.-based WhiteHat Security, showed Javascript tricks that could allow attackers to monitor which sites users have visited, change the configuration of their firewalls, and even record victims' keyboard strokes.

Javascript is a powerful programming language that works seamlessly across multiple Web browsers and operating systems, but online criminals can tap into that power to effectively force browsers that visit malicious sites to do their bidding.

Using a Web server he and Niedzialkowski had seeded with invisible code, Grossman demonstrated how he could view which sites a test browser had recently visited. The code also divulged the user's internal network address -- information that is supposed to be hidden by the firewall. Later in the demo, he showed a Javascript attack that altered the test victim's firewall settings to allow attackers to punch through directly into the internal network.

Javascript attacks have become more prevalent over the past year. Many sites that cater to people searching for "cracks" -- copy-protection hacks that make it easier to use pirated software -- routinely use scripts to silently install malware.

Grossman said an attacker who managed to compromise a large number of computers using Javascript would have no trouble forcing those victims to unknowingly participate in all kinds of illegal activities, from click fraud to downloading illegal content, or using the combined power of the affected machines to conduct denial-of-service attacks capable of knocking a targeted Web site offline.

There are free tools available to help users block certain types of Javascript attacks. The NoScript extension for Firefox blocks all scripts by default, allowing the user to turn Javascript back on if they visit a trusted site and want to view content that requires it. But NoScript also remembers which sites the user has selected, and Javascript attacks are increasingly showing up on social-networking sites like Myspace.com and other places that many users implicitly trust.

Another tool I use on most of my machines is the Netcraft Toolbar, which does a pretty decent job of warning you before the browser loads sites that attempt to use known javascript attack code.

But Grossman cautioned that these tools are not a comprehensive antiscript shield. "These are all designed to spot the bad sites, not necessarily good sites doing bad things," he said.

[Security Fix]
5:29:09 PM    

Audit & Remove Yourself from Data-Collection Databases.

Wired's 27B Stroke 6 blog has posted some helpful info on how to audit and remove yourself from some common data-collection databases (and annoying mailing lists):

  • If you have ever applied for health, life or disability insurance on your own, it's likely the information about your health and lifestyle that you had to provide ended up in a database run by the MIB Group. The easiest way to check your record is by phone at 866.692.6901. The group will then mail you your report if they have one.
  • ChoicePoint, the folks who sold 145,000 data reports to Nigerian identity theft scammers in 2004, sells auto and home-insurance risk scores (among other things), and you can check your file for free once a year via their web page.
  • ChexSystems keeps tabs on individuals' banking habits and sells that data to banks vetting new customers. Give them a call at 800.428.9623. They also run a system that keeps track of people who have reportedly passed a bad check. Track down that report here or make their phone jingle with this number: 800.262.7771.
  • Acxiom, another big data broker, will let you opt out of their marketing database for free if you call 501-342-2722 and press 5. You can also ask them to send you a form that lets you check the non-marketing information they have on you. They won't let you opt out of this, and they will charge you $5 for the privilege. Be aware it could take them months to send out the report.
  • Stop some direct mail via the Direct Marketing Association's web page. It's free if you print it out and mail it in to them for hand processing, but costs $5 if you just want to do it online. That's how much they like this opt-out list. DO NOT join the DMA's phone or email opt-out list. That's just begging for spam and telemarketing calls.
  • Stop almost all credit card and life insurance direct mail solicitations (this won't stop ones from your own bank) by calling 1-888-5-OPTOUT.
  • And of course, the ever handy Do Not Call list is here.
[michaelzimmer.org]
12:22:14 PM    

Others Online: Opt-In Web Surveillance.

A new service called Others Online makes obvious what Google Toolbar and other browser tools do in the background: track users web browsing activities. From their site:

Others Online is a free toolbar that shows you people relevant to your Web browsing and other interests, on every page you visit. We show you the interests you have in common, their Web pages (blog, MySpace profile, Web site, etc.) and online status, all on their terms. We'll even connect you by IM or email.

…Every time you search the Web, you'll see people that have associated themselves to those keywords, plus you'll see any other interests you share. It's like "Google for people"!

In a nutshell, users sign up, create a profile like on most other social networking sites, download the toolbar, and then start browsing the web as usual. Others Online then collects information about the websites visited (including the URL and relevant content keywords embedded in the URL), and then shows other users who share a similar profile and browsing habits.

Sorta cool to be able to find other people searching for the same stuff I am, such as "web surfing surveillance". But my concern is that products like this, even though opt-in, work to normalize web surveillance, playing into the "I've got nothing to hide" meme that justifies wholesale surveillance of our daily activities. The more users become comfortable with the surveillance of their online activities, the less likely they will be able to identify abuses of that surveillance.

A couple of other points on this particular service:

  • Their privacy policy states that "When you sign up for an Others Online Account, we ask you for personal information (such as your birth date, gender, email address, country, post code and an account password)…." But that the "service is anonymous – we do not request your name or your physical address." This isn't entirely true, since research (such as Latanya Sweeney's amazing work) has shown that 87 percent of Americans can be personally identified by records listing only their birth date, gender and ZIP code. Anonymity is not guaranteed simply by not collecting one's name and address.
  • Another note in the privacy policy states that "We may combine the information you submit under your account with information from third parties in order to provide you with a better experience and to improve the quality of our services." Who knows what kind of "information from third parties" they're talking about, but this is just the kind of data mining and data aggregation practice that Sweeney (and folks like Dan Solove) warn us about.
  • While you can clear your entire search history, it doesn't seem to be possible to selectively delete certain searches or browsing activities from their database. Users must remember to log off the service if they don't want others to know they've been watching Pat Benatar videos on YouTube.

[via John Battelle]

[michaelzimmer.org]
12:20:12 PM    
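The 87 percent figure in the post is a statement about how rarely a (birth date, gender, post code) triple is shared across a population. As an added illustration, not part of the post above or of the Others Online service, the Python below measures the same re-identification risk on a constructed set of "anonymous" profiles: it groups records by those quasi-identifiers, reports the k-anonymity and the records that are unique, and shows how coarsening the fields changes the result. The profile records and field names are assumptions made for the example.

```python
from collections import Counter

# Constructed sample: no name or street address, only the fields the
# privacy policy says the service asks for (plus an opaque account id).
PROFILES = [
    {"id": "u1", "birth_date": "1979-03-14", "gender": "F", "post_code": "94110"},
    {"id": "u2", "birth_date": "1979-03-14", "gender": "F", "post_code": "94110"},
    {"id": "u3", "birth_date": "1982-11-02", "gender": "M", "post_code": "94110"},
    {"id": "u4", "birth_date": "1965-07-30", "gender": "M", "post_code": "60614"},
    {"id": "u5", "birth_date": "1965-07-30", "gender": "M", "post_code": "60615"},
]

# Fields that are not names but, combined, single people out (Sweeney's triple).
QUASI_IDENTIFIERS = ("birth_date", "gender", "post_code")


def quasi_key(record, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values that a linking attack would match on."""
    return tuple(record[f] for f in fields)


def equivalence_classes(records, fields=QUASI_IDENTIFIERS):
    """How many records share each quasi-identifier combination."""
    return Counter(quasi_key(r, fields) for r in records)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Smallest class size; k == 1 means at least one person is unique."""
    classes = equivalence_classes(records, fields)
    return min(classes.values()) if classes else 0


def uniquely_identifiable(records, fields=QUASI_IDENTIFIERS):
    """Ids whose quasi-identifiers match no other record in the set."""
    classes = equivalence_classes(records, fields)
    return [r["id"] for r in records if classes[quasi_key(r, fields)] == 1]


def generalize(record):
    """Coarsen the quasi-identifiers: birth year only, post code truncated to 3 digits."""
    return {**record, "birth_date": record["birth_date"][:4],
            "post_code": record["post_code"][:3]}


def reidentification_report(records, fields=QUASI_IDENTIFIERS):
    """Summary a privacy review would want: k, who is unique, and the unique fraction."""
    unique = uniquely_identifiable(records, fields)
    return {"k": k_anonymity(records, fields), "unique_ids": unique,
            "fraction_unique": len(unique) / len(records) if records else 0.0}
```

On the sample, three of five "anonymous" profiles are unique on the raw triple, and coarsening the fields still leaves one; dropping a name from the schema does not by itself make a record anonymous.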

A Flash based cartoon :-)

12:17:31 PM    

The spy suit wars.

A nation divided

Valley Justice Two United States District Court judges recently handed down decisions in high-profile cases involving wiretapping and alleged records aggregation on behalf of the National Security Agency (NSA). The suits were brought against AT&T by plaintiffs in the Northern District of California with the legal 'expertise' of the Electronic Frontier Foundation (EFF), and in the Northern District of Illinois with the help of the American Civil Liberties Union (ACLU). The suits allege that AT&T violated constitutional and statutory protections against the disclosure of private information by providing telephone communications and subscriber information to the federal government.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:15:09 PM    

Feds dip their snouts back in EFF vs. AT&T wiretap case.

Cracking the 'classified mosaic'

Valley Justice Surprise, surprise. The US government has asked a California court to take a second look at a recent decision that allowed the EFF's wiretap case to proceed against AT&T.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:11:11 PM    

MPs want to postpone ID.

Better late than never, they say

The government has been advised to further postpone the introduction of ID Cards until it can be sure the scheme will work.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:07:34 PM    

How to clone the copy-friendly biometric passport.

So easy the manual tells you that you can do it

Analysis At Black Hat yesterday, security consultant Lukas Grunwald of German company DN-Systems demonstrated the cloning of a biometric passport, observing beforehand to Wired that the "whole passport design is totally brain damaged." But should we be surprised? Not exactly, because that's precisely what it says on the tin.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:06:17 PM    

e-passport cloning risks exposed.

RFID hack attack

A security consultant has shown how to clone electronic passports based on internationally agreed designs due to begin distribution this year.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:04:18 PM    


© Copyright 2006 Paul Hardwick.
Last update: 9/2/06; 4:20:37 AM.
