CNN to go dark 19 April 2008 1200 GMT according to Chinese Hackers | IntelFusionIn case anyone thinks cyber warfare is a myth, this is more evidence of its reality. It appears that a non-governmental group of Chinese hackers were planning to take down CNN as a protest against their perceived western bias in coverage of Chinese issues. Evidently news of the plans spread too far, and it was called off.
This article discusses the risk from "deep packet inspection" by ISPs. The article states that at least 100,000 people in the US are being tracked with this technology right now. If true, the impact of this could be huge. Whereas a website can only track you when you are actually visiting that site, your ISP can see all of your activity on any website or other service you use. The idea is that the information collected could be sold to advertisers to better target marketing messages to you. If you had been looking at car sites, you might see more car ads next time you visit an advertising supported website like CNN.com.This is certainly not the realm of science fiction. The Chinese government is already using this technology on a massive scale as part of their national censorship infrastructure. They use it to detect forbidden words and phrases, "Tibet" being at the top of that list right now.Most of us assume that the bad guys are "out there" on the net, and assume that our ISPs are basically just passing our traffic along without looking at it. If they start this kind of inspection, it opens all kinds of additional risks. Once the equipment is there, a rogue sysadmin could tune it to watch for passwords, personal information, bank information, etc. It opens a whole new set of vulnerabilities.Anonymizer's Total Net Shield, and Private Surfing (with full time SSL enabled) provide significant protection against this threat. Both allow you to tunnel your traffic to Anonymizer without the ISP being able to inspect it, other than to see that it is going to Anonymizer.It is shocking to me that this kind of thing should be possible without explicit user consent. Maybe we need a "truth in labeling" law for Internet service providers. A bottle of Napa Merlot can not be so labeled unless it is from Napa and made from merlot grapes. Similarly, it should not be called an "Internet Connection" if you can't go everywhere (some ISPs are restricting certain perfectly legal protocols). If the ISP is going to spy on you, it should be in big red letters. Maybe I am OK with that, but I certainly have a right to know in advance.
Security guide to customs-proofing your laptop | The Iconoclast - politics, law, and technology - CNET News.comDeclan writes a witty and informative piece on securing a laptop against legals searches without cause at border crossings.
Yahoo and MSN helping to root out Tibetan rioters | The ObserversYahoo China posted pictures of "most wanted" Tibetan protestors on Yahoo! China's home page. Cooperation with lawful process in a repressive country is bad enough, here they are actively collaborating. Yahoo!'s claim that this was done by Yahoo! China, not by the Yahoo! mother-ship, seems disingenuous at best.Active support of censorship and oppression is clearly unethical. If this is not clearly on the wrong side of the line, then what in the world is?
Tool Physically Hacks Windows - Desktop Security News Analysis - Dark ReadingI am not sure how this has been true for years, yet has received so little attention. This article discusses the fact that Firewire connections enable direct read and write to a computer's RAM. In many ways, this is even better than the RAM persistence I blogged about a while back. It appears to be easy to write a script that would run on an iPod or other Firewire device which will allow you to grab passwords from memory, bypass login screens, and gain access to the local drive. The amazing thing about the memory access is that it actually bypasses the CPU entirely. Normal security software will not pick this up at all. PCMCIA and Firewire are designed to work this way. It is a "feature" not a "bug". Never the less, it is a huge security issue. If your computer is under the physical control of another person, you are in trouble. Hard drive encryption is the solution, but only if the computer is OFF. If it is on, then the password can be grabbed from memory. There is really no solution to that problem.There are two actions one can take. First, you can physically disable your Firewire capability if you need to leave your computer running unattended. Second, you can make sure you never leave your computer running unattended in an insecure location, and that the hard drive is encrypted securely. This second suggestion is the same solution as for the RAM persistence attack.
Web Site Criticizing Quran Curbed - WSJ.comA Dutch lawmaker has a website promoting a short film critical of the Quran. It appears that the site and article are extreme and unreasonable, but what is really shocking is the policy of Network Solutions against "objectionable material of any kind or nature." Most of the interesting thought, literature, and art is objectionable to someone. This is clearly a license to remove anything they want. To me, it is a compelling reason to avoid using Network Solutions.
David Brin Rebuts Schneier In Defense of a Transparent Society Here is David's own rebuttal to the Schneier article on the Transparent Society I blogged about earlier.
VoIP: Who Might Be Spying on Your Communications? (Hint — It's Not Just the NSA) - VoIP NewsThis somewhat simplistic article makes the case that one should not consider VoIP to be a secure replacement for land line phones. It too is vulnerable to a number of governmental and criminal interception attacks.
Swiss bank in Wikileaks case abruptly abandons lawsuit | The Iconoclast - politics, law, and technology - CNET News.comIn a follow up to the earlier story, it seems that the judge finally realized the implications of his actions to free speech, and the fact that his injunction was almost completely ineffective. This is a really good thing. If the ruling had stood under appeal and become precedent, it would have significantly changed the Internet landscape.
Bruce Schneier's Security Matters: The Myth of the 'Transparent Society'This is a nice little article arguing against the idea of Brin's Transparent Society as a solution to the privacy problem. I suspect David Brin would object to the characterization of his work as presenting it as a panacea, but many do so argue.Bruce argues that the relative power disparity makes for un-equal results in the two direction of observation. From my perspective, the idea of enabling the public to watch the government surveillance apparatus is completely unrealistic. It would enable our enemies (and as a nation the US does have real enemies) to reverse engineer and avoid our surveillance. The best one can realistically hope for is very rigorous oversight (which has also seemed unrealistic of late).At the same time the spread of cameras, facial recognition, RFID, etc., is rapidly increasing the level of surveillance of the general population. The only place where observation and recording by the people seems to be really effective is in issues of corruption or abuse of power. Rodney King being an obvious (and ambiguous) example.
What Our Top Spy Doesn't Get: Security and Privacy Aren't OppositesWow, I don't know how I missed this one back last month! I wish I had written this essay. The key point is that privacy is not the antithesis of security. Most of the privacy invading "security" solutions we see are what I call "placebo security" and Bruce calls "security theatre" . Things like the "don't fly list" which appears to catch orders of magnitude more innocents than terrorists, and the national ID card when all the terrorists had legally issued valid ID already.In fact, many measures seriously damage security, like putting personal information in the clear on drivers licenses, including Social Security Numbers in many cases! It is an axiom of security that valuable information will leak and people with access will abuse that access. The more control a government demands, the more oversight is required. That was my real problem with warrantless wiretapping. Not the wiretapping, but the warrantless. Surveillance of anyone at any time for any reason is the hallmark of a police state. The key is independent oversight. The debate on how that should be done must be open an honest.The security vs. privacy debate seems to me to be built on dishonest assumptions. It tends to be rhetoric and political point scoring on both sides with little discussion of whether the proposed solutions or changes actually improve security, what the real trade off is, and whether that trade is worth while.We are currently being asked to sacrifice enormous amounts of privacy and freedom to confront a threat that is miniscule compared to smoking or drunk driving, threats about which few would make such arguments.
Finnish government blacklists 'free speech' site | The Iconoclast - politics, law, and technology - CNET News.comHere is another Declan article that deserves more attention. In this case the Finnish government is censoring a website for publishing a list of websites he discovered to be on a secret censorship black list compiled by the Finnish government. Censoring someone for trying to speak out about censorship is almost always a bad idea. As one might expect, free speech advocates around the world have mirrored the black list so many times and in so many places, it will be just about impossible for the Finnish government to contain the spread.
Wikileaks domain name yanked in spat over leaked documents | The Iconoclast - politics, law, and technology - CNET News.comDeclan does a really good job here of discussing a fascinating case. WikiLeaks is a Wiki based website designed to enable completely anonymous posting of tips and leaked documents. It is focused around enabling disclosure of information from repressive countries.A US court recently ordered WikiLeak's domain name registrar to disable their domain name because of some documents on the site about questionable off shore banking activities by a group of Swiss bankers.The real shocker here is the draconian action against WikiLeaks prior to the resolution of the claim. It is also ineffective action because WikiLeaks is openly hosted under a number of domains in a number of different countries.I am very interested to see how this story develops and whether the injunction will stand up once the details of the offending materials become clear.
One of my folks at Anonymizer pointed me towards this site WiebeTech HotPlug as a follow up to my blog post yesterday about recovering data from RAM after it has been removed from power. The HotPlug tool is sold to law enforcement to enable seizure of a computer without ever turning it off. The system has several methods that allow a running computer to be transitioned to a portable UPS system without causing the computer to shut down or react in any way. It can then be transported to a lab with the OS still running.As an additional clever trick, they have a USB dongle called the "Mouse Jiggler" which simulates a mouse making constant small motions, thus preventing a screen saver from ever activating. This allows the attacker to take all the time he needs without worrying about a password protected screen saver, or any other inactivity based security trigger, activating.All this enables the attacker to get the computer back to controlled laboratory conditions before trying to access the machine or pulling the power to capture the RAM image. Yet another argument for not walking away from a running computer with sensitive information.
Here is another article I picked up on the Qui Custodes blog of David Kaufman: Washington City Paper: Cover Story: Desk Job.This article describes a woman, without any special training, who was able to gain access to "secure" government buildings and steal money right from the desks and purses of the employees. Obviously this could have been documents and information if she had been involved with foreign intelligence. Her methods were simple. She was spotted frequently, but very few people were willing to confront her about her actions, choosing to avoid conflict. The moral here is: security is about everyone following up on everything that seems out of place or unusual. Better metal detectors, or bigger guns at the front door won't do it. Security comes from the alert minds of everyone on the inside of the building being willing to ask direct questions.
Center for Information Technology Policy » Lest We Remember: Cold Boot Attacks on Encryption KeysThis paper provides real experimental data on an interesting attack on computer security. Rather than focusing on cracking keys or breaking cryptosystems, it looks at recovering data and keys directly from computer RAM. The authors show that a computer's RAM can be recovered with few errors several seconds after power has been removed, and that can be extended to several minutes if the memory is cooled well below zero.Squirting the chips with a can of compressed "air" can cool it enough to give you minutes of working time. Plenty of time to drop it in liquid nitrogen, which would give you over an hour with almost zero loss of information.The process for recovering the data from the memory chips is simple and requires no special equipment at all.The big threat here would be in situations where your computer is stolen in a sleep state. The password protection will make it very hard for an attacker to get access to the machine without a reboot, but the attacker has all the time in the world to cool the chips before pulling the power. From a behavior point of view, it says that you should take care to actually turn your computer OFF if it is going to be out of your physical possession, or if there is risk of it being seized without notice. Leaving your computer on and sleeping, but protected with a screen lock, is very risky against a aggressive and technical opponent.Thanks to David Kaufman for passing this along to me.
FindLaw's Writ - Colb: Does the Fifth Amendment Protect the Refusal to Reveal Computer Passwords? In a Dubious Ruling, A Vermont Magistrate Judge Says YesThis case raises some interesting questions about using cryptography. Not the usual ones about technical attacks, but about how strong crpyto behaves in court. In general, if someone finds an encrypted volume on your computer, is that prima fascia evidence of illegal materials and thus probable cause? Suppose it was called “my plans to kill the president”? In this particular case the defendant actually showed law enforcement people the contents of the encrypted directory, and the files located therein clearly indicated illegal content. That would seem to be his big mistake. The prosecutors are not guessing about the files in there, they know what is there already, and just want access.At the end of the day, the defendant can always decide if the punishment for contempt for not revealing the password is worse than the punishment for what will be found inside. If the contents are really bad, he is best off resisting. I can’t see anyone doing 20 years in jail to compel production of the password.Of course, in that amount of time, computers may be fast enough that brute forcing the password may be trivial. This is a real concern if the statute of limitations for your crime is very long or there is no limitation.
The Anonymity Experiment | Popular ScienceThis is an interesting article on trying to live in the modern world without leaving any digital footprints. It is nice to see they suggested Anonymizer, unfortunately they got the facts completely wrong. They suggest that anyone could run an Anonymizer proxy, and that those people could be monitoring traffic. That is true of the TOR network, but not of Anonymizer. We own and operate all of our own servers and networks, for exactly that reason.
This page < Bookmark button test page > contains a nice demonstration of the ability to retrieve your surfing history from your browser. In this case, it looks for any social bookmarking sites you many have visited in the past. Obviously this could be extended to look for any other sites you might have visited. For example, this would enable an attacker to target phishing attacks at you based on the bank websites you actually visit. This shows once more the doubled edged sword of browser functionality. The scripting capabilities make possible such things as Google Docs but also enables this kind of attack. They go hand in hand. The more power you give to the scripting language the more opportunity there is to abuse that power.
It looks like the trend towards wide spread retention of traffic analysis data is spreading to Ireland, one of the last holdouts in Europe. If you want to be protected from this kind of data gathering, you need to take proactive precautions. From the SANS institute:To satisfy the requirements of a European Union (EU) directive,Ireland will begin retaining records of its citizens' emails and Internet chats. While the content of the communications will not be retained, records of the IP addresses of the participants, the time and date of the communication, and the physical size of the message would be stored. The plan would take effect within one month through a statutory instrument in lieu of introducing legislation in Parliament because the country has received notice from the EU that it is three months overdue in implementing a data retention plan. A civil liberties organization has voiced its opposition to the plan as well as the way in which it is being implemented.The group maintains that law enforcement officials will be permitted to access the retained data without court orders or warrants.