Data security: What the law requires of IT - Via InfoWorld | Analysis | 2008-08-18 | By Thomas J. Smedinghoff:
IT's legal duty to secure sensitive data is complex and continuously evolving. Here's how to avoid the legal ramifications of a data breach
For most IT organizations, securing corporate data against compromise is priority No. 1. Girding the enterprise against breaches is a constant, thankless task requiring foresight, vigilance, and much in the way of IT expenditures. Keep up with the latest threats, or find your company in the headlines -- and your job on the line.
Such is the shift in attitude toward security in IT. In the Wild West, when Jesse James and Butch Cassidy robbed banks, we felt sorry for the banks and hunted down the outlaws. Today, when someone breaks into a company's computer system, our response is totally different: We blame the company for failing to provide adequate security.
Codifying this shift is a complex blend of laws and regulations enacted to protect the confidentiality and integrity of valuable personal data and the individuals who might be harmed by a breach. Not complying with these mandates can result in grave legal consequences should your organization suffer a breach. read more »
Revealed: The Internet's Biggest Security Hole - Via Threat Level:
Two security researchers have demonstrated a new technique to stealthily intercept internet traffic on a scale previously presumed to be unavailable to anyone outside of intelligence agencies like the National Security Agency.
The tactic exploits the internet routing protocol BGP (Border Gateway Protocol) to let an attacker surreptitiously monitor unencrypted internet traffic anywhere in the world, and even modify it before it reaches its destination.
The demonstration is only the latest attack to highlight fundamental security weaknesses in some of the internet's core protocols. Those protocols were largely developed in the 1970s with the assumption that every node on the then-nascent network would be trustworthy. The world was reminded of the quaintness of that assumption in July, when researcher Dan Kaminsky disclosed a serious vulnerability in the DNS system. Experts say the new demonstration targets a potentially larger weakness. read more »
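The interception technique summarised above works at the routing layer, so the defender's first line is noticing when someone else starts announcing your address space. The following Go program is an added example, not code from the Wired article or from Kapela and Pilosov: it models a batch of BGP announcements as (prefix, origin AS) pairs and compares them against an operator's table of expected origins, flagging an expected prefix announced from a foreign origin AS and a more-specific prefix inside your space from a foreign AS (a more-specific wins longest-prefix matching wherever it propagates). The prefixes and AS numbers are constructed from the documentation ranges (RFC 5737 and RFC 5398); the `Announcement` and `Expected` types are simplifications assumed for the example.

```go
package main

import (
	"fmt"
	"net"
)

// Announcement is a simplified BGP update: the prefix announced and the
// origin AS (the last AS in the AS_PATH). Assumed shape for this example.
type Announcement struct {
	Prefix   string
	OriginAS uint32
}

// Expected is one row of the operator's own registry: a prefix and the AS
// that legitimately originates it.
type Expected struct {
	Prefix   string
	OriginAS uint32
}

// Alert is raised for an announcement that conflicts with the expected table.
type Alert struct {
	Kind    string // "origin-mismatch" or "more-specific"
	Seen    Announcement
	Against Expected
}

// CheckAnnouncements compares a batch of announcements with the expected
// table and flags two signatures of a hijack from a foreign origin AS:
//   - the exact expected prefix announced by a different origin AS;
//   - a more-specific prefix inside an expected prefix from a different
//     origin AS, which wins longest-prefix matching everywhere it propagates.
// More-specifics announced by the legitimate origin (ordinary traffic
// engineering) are not flagged.
func CheckAnnouncements(expected []Expected, anns []Announcement) ([]Alert, error) {
	var alerts []Alert
	for _, exp := range expected {
		_, expNet, err := net.ParseCIDR(exp.Prefix)
		if err != nil {
			return nil, fmt.Errorf("bad expected prefix %q: %w", exp.Prefix, err)
		}
		expBits, _ := expNet.Mask.Size()
		for _, a := range anns {
			if a.OriginAS == exp.OriginAS {
				continue // announced by the owner: nothing to flag
			}
			_, aNet, err := net.ParseCIDR(a.Prefix)
			if err != nil {
				return nil, fmt.Errorf("bad announced prefix %q: %w", a.Prefix, err)
			}
			aBits, _ := aNet.Mask.Size()
			switch {
			case aNet.String() == expNet.String():
				alerts = append(alerts, Alert{Kind: "origin-mismatch", Seen: a, Against: exp})
			case aBits > expBits && expNet.Contains(aNet.IP):
				alerts = append(alerts, Alert{Kind: "more-specific", Seen: a, Against: exp})
			}
		}
	}
	return alerts, nil
}

// SampleExpected and SampleAnnouncements are constructed inputs built from
// the documentation prefixes (RFC 5737) and documentation ASNs (RFC 5398).
func SampleExpected() []Expected {
	return []Expected{
		{Prefix: "203.0.113.0/24", OriginAS: 64496},
		{Prefix: "198.51.100.0/24", OriginAS: 64497},
	}
}

func SampleAnnouncements() []Announcement {
	return []Announcement{
		{Prefix: "203.0.113.0/24", OriginAS: 64496},   // legitimate
		{Prefix: "203.0.113.128/25", OriginAS: 64496}, // owner's own more-specific: fine
		{Prefix: "203.0.113.0/25", OriginAS: 64511},   // more-specific from a foreign AS
		{Prefix: "198.51.100.0/24", OriginAS: 64511},  // expected prefix, wrong origin
		{Prefix: "192.0.2.0/24", OriginAS: 64511},     // not ours, not monitored
	}
}

func main() {
	alerts, err := CheckAnnouncements(SampleExpected(), SampleAnnouncements())
	if err != nil {
		panic(err)
	}
	for _, al := range alerts {
		fmt.Printf("%-16s %s from AS%d (expected AS%d for %s)\n",
			al.Kind, al.Seen.Prefix, al.Seen.OriginAS, al.Against.OriginAS, al.Against.Prefix)
	}
}
```

In practice the announcement feed would come from a route collector or your own routers' BGP tables rather than a hard-coded slice, and the expected table from your routing registry or RPKI data; the comparison logic stays the same. Note that, as the article says, the attack works against unencrypted traffic, so alerting on a hijack is a complement to end-to-end encryption, not a substitute for it.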
More on BGP Attacks -- Updated - Via Threat Level:
There was a lot of additional information I wanted to include in my article about intercepting internet traffic through the Border Gateway Protocol (BGP), but there wasn't space to include it. So I'll put it in this separate post.
First of all, you can read how Anton Kapela and Alex Pilosov conducted their interception of the DefCon network traffic in the slides from their talk (.ppt). Their DefCon presentation, by the way, was an unscheduled, last-minute talk that occurred at the end of the last day of the DefCon conference, so it hadn't appeared on the conference schedule. I asked Kapela to read any comments that readers post to these two BGP posts so he can respond to any questions readers may have about how he and Pilosov conducted their attack.
As I mention in my article, BGP hijacking isn't new. It happens frequently, though generally the hijack is unintentional and it results in a denial-of-service attack or outage, as was the case earlier this year when Pakistan Telecom inadvertently hijacked YouTube traffic. read more »
OneWebDay 2008: An E-Democracy Time Capsule - Via CDT - PolicyBeta:
We’re just under a month away from OneWebDay 2008, and the Washington, DC OneWebDay planning committee would like to invite you to participate. Susan Crawford started OneWebDay four years ago to promote the Internet and keep it vibrant, in the same way that Earth Day promotes taking care of the environment. The Internet is under a lot of pressure, from inadequate connectivity and the digital divide to censorship. When the Internet is in the news, it is usually to highlight one of the feared aspects of the Internet, rather than the positive transformative power of the Internet. OneWebDay is intended to create a town square of sorts where people far and wide can come together to celebrate and protect the Internet, keeping it innovative, open and free. read more »
Adobe Flash ads launching clipboard hijack attack - Via ZDNet.com:
Malicious hackers are using booby-trapped Flash banner ads to hijack clipboards for use in rogue security software attacks.
In the Web attacks, which target Mac, Windows and Linux users running Firefox, IE and Safari, hackers are seizing control of the machine’s clipboard and using a hard-to-delete URL that points to a fake anti-virus program.
According to victims on several Web forums, the attack is coming from Adobe Flash-based advertising on legitimate sites — including Newsweek, Digg and MSNBC.com. read more »
Visual Search Engine Tracks Stolen Images - Via Slashdot:
Barence writes "A new visual search engine could help photographers keep track of their photographs whenever, and wherever, they appear on the internet. The TinEye search engine allows users to search by uploading a picture rather than typing in a keyword. It then conducts a pixel by pixel search across the internet, flagging up all instances of that image even if it's been cropped, merged or digitally altered in some way. It's not just for copyright enforcement though, "it's being used by researchers who need to find where an image came from to provide attribution, even people who are trying to find out who people are in old photos." It's currently in beta, but you can try it out."
(Read Original Article - Via Slashdot.)
E-Passports Signed, Sealed, Delivered -- But Not Like You May Think - Via Threat Level:
LAS VEGAS -- Two years ago security researcher Lukas Grunwald showed how the chips in new electronic passports could easily be cloned.
Grunwald's attack, however, was limited in that he hadn't found a way to alter data on the tag in a manner that could not be detected. Data on passport chips is hashed and digitally signed by the issuing country. Changing data on the passport chip would change the hash, indicating that the chip had been manipulated and thus invalidating it.
Dutch security researcher Jeroen van Beek, from the University of Amsterdam, recently made headlines when The Times in London reported that he could get a "cloned and manipulated" passport chip to be recognized as legitimate by passport readers. read more »
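The integrity mechanism described above (each data group hashed, the hash list signed by the issuing country, any edit breaking the hash) is easy to see in code. The following Go program is an added example, not code from the article, from Grunwald or from van Beek: it models a chip as a list of data groups, their hashes and an issuer signature, and shows what a correctly implemented reader check returns for an untouched clone, for a clone with one data group edited, and for a clone where the hash list was edited to match but could not be re-signed. It uses ECDSA P-256 and SHA-256 from Go's standard library as a stand-in for the real document signer; the `Chip` struct and the sample data groups (an MRZ-style name, the ICAO test nationality code "UTO", a date of birth) are constructed for the example and are not the ICAO security-object format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Chip is a simplified model of what a passport chip carries: the data
// groups, the list of their hashes, and the issuer's signature over that
// list. Constructed for this example; not the real ASN.1 security object.
type Chip struct {
	Groups    [][]byte   // data group contents (name, nationality, ...)
	DGHashes  [][32]byte // SHA-256 of each group, as recorded by the issuer
	Signature []byte     // issuer's ECDSA signature over the hash list
}

// securityObjectDigest hashes the recorded data-group hashes so the issuer
// signs one value that covers every group.
func securityObjectDigest(hashes [][32]byte) [32]byte {
	h := sha256.New()
	for _, dg := range hashes {
		h.Write(dg[:])
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Issue personalises a chip: hash each data group, then sign the hash list.
func Issue(issuer *ecdsa.PrivateKey, groups [][]byte) (*Chip, error) {
	c := &Chip{}
	for _, g := range groups {
		c.Groups = append(c.Groups, append([]byte(nil), g...))
		c.DGHashes = append(c.DGHashes, sha256.Sum256(g))
	}
	so := securityObjectDigest(c.DGHashes)
	sig, err := ecdsa.SignASN1(rand.Reader, issuer, so[:])
	if err != nil {
		return nil, err
	}
	c.Signature = sig
	return c, nil
}

// Verify is the reader's check: the issuer's signature over the hash list
// must be valid, and every data group must still hash to its signed value.
func Verify(issuerPub *ecdsa.PublicKey, c *Chip) error {
	so := securityObjectDigest(c.DGHashes)
	if !ecdsa.VerifyASN1(issuerPub, so[:], c.Signature) {
		return errors.New("issuer signature over security object is invalid")
	}
	if len(c.Groups) != len(c.DGHashes) {
		return errors.New("data group count does not match security object")
	}
	for i, g := range c.Groups {
		if sha256.Sum256(g) != c.DGHashes[i] {
			return fmt.Errorf("data group %d does not match its signed hash", i+1)
		}
	}
	return nil
}

// Clone returns an independent bit-for-bit copy of a chip's contents.
func Clone(c *Chip) *Chip {
	out := &Chip{Signature: append([]byte(nil), c.Signature...)}
	for _, g := range c.Groups {
		out.Groups = append(out.Groups, append([]byte(nil), g...))
	}
	out.DGHashes = append(out.DGHashes, c.DGHashes...)
	return out
}

// Demo returns the reader's verdict for the three cases: an untouched clone,
// a clone with one data group edited, and a clone whose hash list was edited
// to match the new data but not re-signed.
func Demo() (cloneErr, editedErr, rehashedErr, setupErr error) {
	issuer, genErr := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if genErr != nil {
		return nil, nil, nil, genErr
	}
	// Constructed sample data groups; not a real passport layout.
	genuine, issueErr := Issue(issuer, [][]byte{[]byte("DOE<<JANE"), []byte("UTO"), []byte("19800101")})
	if issueErr != nil {
		return nil, nil, nil, issueErr
	}
	pub := &issuer.PublicKey

	clone := Clone(genuine) // signature covers the data, not the physical chip
	edited := Clone(genuine)
	edited.Groups[0] = []byte("DOE<<JOHN") // altered data, hash list untouched
	rehashed := Clone(edited)
	rehashed.DGHashes[0] = sha256.Sum256(rehashed.Groups[0]) // hash fixed up, signature stale

	return Verify(pub, clone), Verify(pub, edited), Verify(pub, rehashed), nil
}

func main() {
	cloneErr, editedErr, rehashedErr, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("untouched clone:   ", cloneErr)
	fmt.Println("edited data group: ", editedErr)
	fmt.Println("edited + rehashed: ", rehashedErr)
}
```

The untouched clone verifies, which is exactly Grunwald's point: the signature binds the issuer to the data, not to the physical chip, so cloning alone is not detected by this check. Any change to the data is caught at the hash comparison, and fixing up the hash list moves the failure to the signature check, since only the issuer's private key can produce a signature over the new list. A reader that skips either step, or that does not validate the issuer's certificate against a trusted source, gives up the corresponding guarantee.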
The Last HOPE - July 18-20, 2008 - Hotel Pennsylvania - New York City:
For those of us who couldn't make the conference, or could only listen in (on their radio station) to some of the seminars, here is a whole bunch of recordings of many (maybe even most or all) of the seminars.
They offer 16kbps for low-fidelity audio and 64kbps for high-fidelity audio, so no matter what your connection speed, there is something for you.
Something tells me that their bandwidth is going to be busy for a while, since this was also mentioned on Slashdot today.
EFF Releases "Switzerland" ISP Testing Tool - Via EFF.org Updates:
San Francisco - Hours before the Federal Communications Commission (FCC) is expected to take action against Comcast for violating the FCC's net neutrality principles, the Electronic Frontier Foundation (EFF) is releasing "Switzerland," a software tool for customers to test the integrity of their Internet communications.
The FCC action, expected later today, is a response to formal complaints regarding efforts by Comcast to interfere with its subscribers' use of BitTorrent to share files over the Internet. These interference efforts were first documented and disclosed in October 2007 by EFF, the Associated Press, and a concerned Internet user, Robb Topolski. EFF subsequently urged the FCC to declare Comcast's efforts inconsistent with the Commission's 2005 "Internet Policy Statement," which sets a benchmark for neutral treatment of Internet traffic.
"The sad truth is that the FCC is ill-equipped to detect ISPs interfering with your Internet connection," said Fred von Lohmann, EFF Senior Intellectual Property Attorney. "It's up to concerned Internet users to investigate possible network neutrality violations, and EFF's Switzerland software is designed to help with that effort. Comcast isn't the first, and certainly won't be the last, ISP to meddle surreptitiously with its subscribers' Internet communications for its own benefit." read more »
Cold Boot Attack Utilities Released At HOPE Conference - Via Slashdot:
An anonymous reader writes "Jacob Appelbaum, one of the security researchers who worked on the cold boot attacks to recover encryption keys from memory even after reboot, has announced the release of the complete source code for the utilities at The Last HOPE in New York City. The hope (obligatory pun) is that the release of these tools will help to improve awareness of this attack vector and enable the development of countermeasures and mitigation techniques in both software and hardware. The full research paper (PDF) is also available."
(Read Original Article - Via Slashdot.)
WikiScanner Creator Releases New Tools to Uncover Anonymous Edits - Via Threat Level:
Virgil Griffith, creator of the popular WikiScanner that exposed edits that Diebold and CIA employees were making to Wikipedia pages, is releasing a suite of new tools at the HOPE (Hackers on Planet Earth) conference in New York today.
One of the tools is an update to WikiScanner that will help people identify interesting edits more quickly; the other tool is new and is designed to uncover Wiki wars that occur between opposing factions -- such as dueling edits between Israel and Iran factions over the Holocaust.
WikiScanner, which made headlines when Griffith debuted it last year and even landed him on the Colbert Report, allows users to automatically track anonymous edits that people make to Wikipedia entries and trace them to their source. It does so by taking the IP address of the anonymous person who made the Wikipedia changes and identifying who owns the computer network from which the person made the edits. read more »
Listen Online To Last HOPE Conference - Via Slashdot:
Radio Statler! writes "This weekend marks 2600's last Hackers on Planet Earth (HOPE) conference at the Hotel Pennsylvania in New York City. For those of you that can't make it this weekend, Radio Statler! will be streaming live from the event the whole weekend. There will be simulcasted talks, interviews with speakers and important guests, and music 24 hours a day for the duration of the con. Listeners can request music or submit questions by phone or IRC."
The conference schedule (PDF) is available if you're curious about a particular seminar, though not all of them will be broadcast. CNet will be running some related stories about presentations from the conference. So far, they've written about a hacking how-to presentation. We briefly discussed the seventh and final HOPE conference last month.
(Read Original Article - Via Slashdot.)
Transit Card Maker Sues Dutch University to Block Paper - Via Freedom to Tinker:
NXP, which makes the Mifare transit cards used in several countries, has sued Radboud University Nijmegen (in the Netherlands), to block publication of a research paper, “A Practical Attack on the MIFARE Classic,” that is scheduled for publication at the ESORICS security conference in October. The new paper reportedly shows fatal security flaws in NXP’s Mifare Classic, which appears to be the world’s most commonly used contactless smartcard.
I wrote back in January about the flaws found by previous studies of Mifare. After the previous studies, there wasn’t much left to attack in Mifare Classic. The new paper, if its claims are correct, shows that it’s fairly easy to defeat MIFARE Classic completely.
It’s not clear what legal argument NXP is giving for trying to suppress the paper. There was a court hearing last week in Arnhem, but I haven’t seen any reports in the English-language press. Perhaps a Dutch-speaking reader can fill in more details. An NXP spokesman has called the paper “irresponsible” but that assertion is hardly a legal justification for censoring the paper. read more »
Legal Filesharing on Campus? - Via EFF.org Updates:
As EFF has been saying for years, the best way forward in the wars over illegal filesharing is the creation of a Voluntary Collective Licensing system. It sounds simple enough: Music fans would pay a small fee each month in exchange for a blanket license to share and download whatever they like. Collecting societies would collect the money and divvy it up between rights-holders based on which files are shared the most.
But how would such a system get started? One way to get a system like this up and running would be to start up in a university setting. As the RIAA well knows, students are already sharing files with increasing regularity over university P2P networks -- and increasingly getting sued for it. And, since universities are already charging fees to their students, it would theoretically be possible for universities to add a voluntary option to charge for such a service.
Recent UC Berkeley School of Information graduates Matt Earp and Andrew McDiarmid have produced an excellent masters thesis on how such a university-based VCL system might work. Their report, Investigating Voluntary Collective Licensing for Music File-Sharing at UC Berkeley, starts with the following questions: read more »
How to Fight Name Scraping Scammers? - Via Ask Slashdot:
CurtMonash writes "I was ego-surfing the other day, and was surprised to discover that I was listed as a member of an on-line dating service. It turns out these scamsters generate web pages for lots of (FirstName, LastName) combos, each claiming that the named individual is a member of their service. I posted about this, and discovered other people were upset, at least one had lost interest in a guy because he appeared to be a member, and so on. I've since followed up with lessons learned, a big one being that everybody should have a visible web presence. But frankly, the ideas I've come up with for fighting this kind of reputation scam seem fairly weak. Do Slashdotters have any better ideas?"
(Read Original Article - Via Ask Slashdot.)
Wikileaks Gets Hold of Counterinsurgency Manual - Via Slashdot:
HeavensBlade23 writes in to let us know that Wikileaks has published a US Special Forces counterinsurgency manual, titled Foreign Internal Defense Tactics Techniques and Procedures for Special Forces (1994, 2004).
"The document, which has been verified, is official US Special Forces doctrine. It directly advocates training paramilitaries, pervasive surveillance, censorship, press control and restrictions on labor unions & political parties. It directly advocates warrantless searches, detainment without charge and the suspension of habeas corpus. It directly advocates bribery, employing terrorists, false flag operations and concealing human rights abuses from journalists. And it directly advocates the extensive use of 'psychological operations' (propaganda) to make these and other 'population & resource control' measures more palatable."
(Read Original Article - Via Slashdot.)