Blog

  • Breach a 'security disaster' for IEEE

    posted by Keito
    2012-09-29 19:21:01
    'The IEEE (Institute of Electrical and Electronics Engineers) describes itself on its website as "the world's largest professional association for the advancement of technology."

    But after a data breach that left the usernames and passwords of 100,000 of its members exposed in plain text for a month, some security experts said it is clear both the organization and at least some of its members should also be in the business of the advancement of common sense security.

    The breach, discovered by an independent security researcher, demonstrates an almost inexplicable lack of basic security protocols, including some of the most vulnerable passwords possible.

    Torsten George, vice president of worldwide marketing and products for Agiliance, a security risk management firm, called it "plain stupid."

    Paul Ducklin, writing at Sophos' Naked Security blog, called it, "a veritable security disaster for the IEEE."

    The IEEE announced the breach earlier this week. Radu Dragusin, a Romanian researcher and now a teaching assistant in the Department of Computer Science at the University of Copenhagen, said he discovered it on Sept. 18, and notified IEEE on Monday, Sept. 24.

    "The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery," Dragusin wrote. "Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places."

    He said the unencrypted passwords were the most "troublesome" element of the breach, but also said, "the simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their webserver logs ..." which included more than 100GB of data containing detailed information on more than 376 million HTTP requests made by IEEE members.

    A number of IEEE members were also failing to use basic security. Dragusin found that seven of the top-10 most popular passwords were combinations of the number string "1234567890," in order. Others in the top 20 included "password" and "admin."

    IEEE sent a letter to its members the next day, acknowledging the breach, but saying, "This matter has been addressed and resolved. None of your financial information was made accessible in this situation. However, it was theoretically possible for an unauthorized third party, using your ID and password, to have accessed your IEEE account."

    Because of that, the organization said it had terminated the access of its members under their current passwords, and would have to, "authenticate through a series of personal security questions you set up at the time you opened the account and to change your password."

    The IEEE was unresponsive to questions from CSO Online about why the passwords were in plain text, how access to the weblogs was unrestricted and why the group did not discover the breach itself.

    Adrienne McGarr, a public relations spokeswoman, emailed a copy of the statement IEEE had already posted on its website, saying the issue was addressed and resolved and members were being notified.

    "IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused," the statement said.

    George said the group has not taken the privacy of member information seriously, adding that the IEEE is not alone -- that this is somewhat typical of too many organizations.

    "This illustrates a check-box mentality of compliance," he said. "It is looking at security as a necessary evil, but only to fulfill a regulatory mandate."

    The failure to encrypt the data is especially mystifying, he said, "especially after the LinkedIn breach," a reference to the breach in June of the professional networking site that led to the posting of 6.5 million member passwords on a Russian hacking site. At the time LinkedIn was not using the preferred encryption method called salted hashing.

    Following the breach, LinkedIn was hit with a $5 million class-action lawsuit.

    George said it looks like the failure to restrict access to the webserver logs at IEEE was human error. "Somebody must have changed the access and forgot to change it back," he said. "It's a human mistake that's made very easily. But if they had done continuous monitoring, they would have noticed the restriction was not in place.

    "You can't rely on humans," he said. "You have to automate the process."

    Dragusin made it clear in his post that he did not intend to use the information for malicious means. Besides notifying IEEE, "I did not, and plan not to release the raw log data to anyone else," he wrote.

    But that does not make him a hero to Paul Ducklin, who mocked Dragusin's professed "uncertainty" about what to do with the information. Ducklin noted that Dragusin waited a week from the time he discovered the breach to notify IEEE, but still found time to "register his vanity name-and-shame domain, ieeelog.com, on 19 September 2012.

    "Nor did it prevent him grabbing and processing 100GB of log data he knew wasn't supposed to be accessible," he wrote. "How is this bad? It probably isn't. But it's more of a 'don't be evil' outlook than one of 'actually be good.'"

    George said that the IEEE, in addition to improving its own security standards, should force its members to have more rigorous passwords.

    "You can mandate password policies," he said. "You can require that they include a combination of characters and digits. You can require that they be changed every 30 days. There is a lot of room for improvement."'

    http://www.cso.com.au/article/437770/breach_security_disaster_ieee/
  • EFF: The Secrecy Must Be Stopped... Congress Members Probe USTR on the Confidential TPP Negotiations

    posted by Keito
    2012-09-28 10:39:15
    'The Trans-Pacific Partnership agreement (TPP) threatens to regulate and restrict the Internet in the name of enforcing intellectual property (IP) rights around the world, yet the public and civil society continue to be denied meaningful access to the official text and are even kept in the dark about what proposals countries are pushing in this powerful multilateral trade agreement. With users having sent over 80,000 messages to Congress asking them to demand transparency in the TPP using EFF's Action Center, Congress members have been urged into action to uncover the secrecy.

    On September 20th, Representative Zoe Lofgren sent an additional follow-up letter to USTR, which EFF applauds. According to the letter, Rep. Lofgren, who has long been a strong advocate for digital rights and was a vocal opponent of SOPA, met with Ambassador Ron Kirk directly to discuss the TPP and her concerns over the lack of transparency in the process. The letter, which mentions that Ambassador Kirk told her he welcomed feedback on how to address the concerns, asks USTR to: balance TPP IP enforcement provisions with user privileges; diversify the policy perspectives on their Industry Trade Advisory Committee for IP; and be more transparent in its TPP negotiations overall.

    Rep. Lofgren stated in her press release for the letter:

    "TPP's IP provisions must not undermine the free expression of Internet users, the ability to share and create content online, the free and open character of the Internet, or the freedom of digital service providers to innovate. Lack of transparency and overbroad IP enforcement requirements have held back other international trade agreements in the recent past – these same issues are now undermining the results [USTR seeks] to achieve with TPP."

    They have yet to hear back with a response from the USTR.

    This is not Congress' first attempt to unveil TPP. As we have reported, Senator Ron Wyden and Representative Darrell Issa are currently working on gathering signatures from their colleagues in Congress to ask the US Trade Representative Ron Kirk to reveal what they are seeking in the TPP's IP chapter, specifically in relation to provisions that would impact the Internet and access to pharmaceutical drugs. And in June of this year, 130 Members of the House of Representatives sent a detailed letter to the USTR asserting Congress' required role in the trade negotiations, making specific requests as to how they could make the process democratic and transparent while emphasizing the ways in which it fails to be either of those things. Two months later, the USTR responded [PDF] in a letter that did not address any of the specific issues raised by Congress members.

    Confidentiality Agreement

    The USTR claims that at the outset of the TPP negotiations in 2009, the participating countries signed a confidentiality agreement. In the June letter from 130 US Representatives, they explicitly asked for "a copy of the confidentiality agreement and an explanation as to what role USTR or other governments played in crafting it." In the USTR's response letter they completely ignored this request.

    However, the model confidentiality agreement that served as a base for the TPP negotiators is a public document, available at a page on the New Zealand Ministry of Foreign Affairs and Trade website. The model agreement lays out the rules of confidentiality for signatory countries over TPP draft texts, proposals, communications, and other documents relating to the negotiations over the agreement. It is not clear, however, whether the model mirrors the exact agreement USTR signed, and USTR is likely subject to internal confidentiality policies in addition to the agreement.

    While the confidentiality "model letter" itself is extremely vague, it does contain some interesting parts:

    It states that the negotiating texts, government proposals, emails, and other related documents can be "provided" to government officials.
    It states that documents can be accessed by "persons outside government who participate in that government's domestic consultation process and who have a need to review or be advised of the information in these documents."
    It holds that "all participants plan to hold these documents in confidence for four years after entry into force of the Trans-Pacific Partnership Agreement, or if no agreement enters into force, for four years after the last round of negotiations."
    It lays out the level of security needed to protect the confidentiality of the agreement, including that it may be kept in a "locked filing cabinet" or within a "secured building". Amusingly, the letter also assures that the documents "do not need to be stored in safes."

    If in fact this letter parallels the provisions in the confidentiality agreement, these terms may be flexible enough to allow all government officials to have regular, easy access to the text. As of now however, elected members have not had access to view or comment on the text. Senator Wyden is a member of the Senate Finance Committee (which has jurisdiction over "reciprocal trade agreements; tariff and import quotas, and related matters thereto") and is Chair of its subcommittee on International Trade, Customs and Global Competitiveness. Neither he nor his staff, who have obtained proper security clearance, have been able to get access to material related to the TPP negotiations from the USTR.

    Also unclear is how they make the determination as to whether "persons outside government" should be authorized to review the documents. Trade Advisory Committees (TACs) constitute hundreds of individuals who are able to log in from their own computer to a platform to view and comment on the text of the official drafts of the agreement. If the language of the confidentiality agreement is as flexible as it is written in this model letter, it is questionable as to why all nations are bound to the level of confidentiality that is being enacted.

    Ultimately, the USTR has an obligation to uphold the public interest. While they keep asserting that they are being as inclusive and transparent as possible in these negotiations, civil society and the public at large recognize that the process is far from embodying any principles of democratic rulemaking. We applaud Rep. Lofgren, Rep. Issa, and Senator Wyden for taking the lead as public representatives in standing up to demand an end to these secretive trade talks. Congress people need to know that breaking open the unnecessary confidentiality around the TPP is a priority, and that users are fed up with closed door tactics to restrict and regulate the Internet in the name of IP enforcement.

    Even if you have already taken our Action Alert, please help us continue to send messages to our public representatives to make TPP transparency a political priority:'

    https://www.eff.org/deeplinks/2012/09/TPP-secrecy-must-be-stopped
  • 9 Overlooked Technologies That Could Transform The World

    posted by Keito
    2012-09-18 20:29:25
    'We live in an era of accelerating change. Technology is changing and innovating faster than most of us can keep up. And at the same time, it's easy to get so caught up in shiny visions of the future, and not notice the astounding things that are happening in science and technology today. So the next time people ask you where the future went, tell them it's already here.

    Here are nine underrated or overlooked technologies that could transform the world before you know it.

    1. Cheap and fast DNA sequencing

    Most of us know about DNA sequencing — but you probably don't realize just how fast and cheap it's getting. In fact, some experts suggest that it's following along a Moore's Law of its own. As Adrienne Burke has pointed out, the speed of genome sequencing has better than doubled every two years since 2003 — back at a time when it cost $3.8 billion (i.e. the Human Genome Project). Today, thanks to advances in such things as nucleic acid chemistry and detection, a company like Life Technologies can process DNA on a semiconductor chip at a cost of $1,000 per genome. Other companies can sequence an entire genome in one single day. And the implications are significant, including the advent of highly personalized medicine in which drugs can be developed to treat your specific genome. Say goodbye to one-size-fits-all medicine.

    2. Digital currency

    The idea of digital currency is slowly starting to make the rounds, including the potential for Bitcoin, but what many of us don't realize is that it's here to stay. Sure, it's had a rough start, but once established and disseminated, electronic cash will allow for efficient and convenient online exchanges — and all without the need for those pesky banks. Despite the obvious need for a distributed digital currency protocol, the adoption rate has been relatively slow. Barriers to entry include availability (it's in limited supply), the cryptography problem (the public still needs to be assured that it's secure), the establishment of a recognized and trustworthy dispute system (sensing some opportunities here), and user confidence (a problem similar to the one that emerged when paper money first emerged).

    3. Memristors

    Back in 1971, University of California at Berkeley professor Leon Chua predicted a revolution in electrical circuits — and his vision has finally come true. Traditionally, circuits are constructed with capacitors, resistors, and inductors. But Chua speculated that there could be a fourth component, what he called the memristor (short for memory resistor). What sets this technological innovation apart is that, unlike a resistor, it can "remember" charges even after power is lost. As a result, this would allow the memristor to store information. This has given rise to the suggestion that it could eventually become a part of computer memory — including non-volatile solid-state memory with significantly greater densities than traditional hard drives (as much as one petabit per cm³). The first memristor was developed in May 2008 by HP, who plan on having a commercial version available by the end of 2014. And aside from memory storage, memristors could prove useful in signal processing, neural networks, and brain-computer interfaces.

    4. Robots that can do crazy futuristic stuff

    Today we have robots that can self-replicate, re-assemble after being kicked apart, shape-shift, swarm, create emergent effects, build other robots, slither like a snake, jump to the tops of buildings, walk like a pack mule, and run faster than a human. They even have their own internet. Put it all together and you realize that we're in the midst of a robotic revolution that's poised to change virtually everything.

    5. Waste to biofuels

    Imagine being able to turn all our garbage into something useful like fuel. Oh wait, we can do that. It's called "energy recovery from waste" — a process that typically involves the production of electricity or biofuels (like methane, methanol, ethanol or synthetic fuels) by burning it. Cities like Edmonton, Alberta are already doing it — and they're scaling up. By next year, Edmonton's Waste-to-Biofuels Facility will convert more than 100,000 tons of municipal solid waste into 38 million litres of biofuels annually. Moreover, their waste-based biofuels can reduce greenhouse gas emissions by more than 60% compared to gasoline. This largely overlooked revolution is turning garbage (including plastic) into a precious resource. Already today, Sweden is importing waste from its European neighbors to fuel its garbage-to-energy program.

    6. Gene therapy

    Though we're in the midst of the biotechnology revolution, our attention tends to get focused on such things as stem cells, tissue engineering, genome mapping, and new pharmaceuticals. What's often lost in the discussion is the fact that we already have the ability to go directly into our DNA and swap genes at will. We can essentially trade bad genes for good, allowing us to treat or prevent diseases (such as muscular dystrophy and cystic fibrosis) — interventions that don't require drugs or surgery. And just as significantly, gene therapy could eventually give rise to genetic enhancements (like increased memory or intelligence) and life extension therapies. Gattaca is already here, it just hasn't been distributed yet.

    7. RNA interference

    The discovery of RNA interference (RNAi) was considered so monumental that it won Andrew Fire and Craig C. Mello the Nobel Prize back in 2006. Similar to gene therapy, RNA interference allows biologists to manipulate the functions of genes. It works by using cells to shut-off or turn down the activity of specific genes, and it does this by destroying or disrupting messenger molecules (for example by preventing mRNA from producing a protein). Today, RNAi is being used in thousands of labs. It's becoming an indispensable research tool (to create novel cell cultures), it has inspired the creation of algorithms in computational biology studies, and it holds tremendous potential for the treatment of diseases like cancer and Lou Gehrig's disease.

    8. Organic electronics

    Traditionally, our visions of cybernetics and the cyborg are ones in which natural, organic parts have been replaced with mechanical devices or prostheses. The notion of a half-human, half-machine has very much become ingrained in our thinking — but it's likely wrong. Thanks to the rise of the nascent field of organic electronics, it's more likely that we'll rework the body's biological systems and introduce new organic components altogether. Already today, scientists have engineered cyborg tissue that can sense its environment. Other researchers have invented chemical circuits that can channel neurotransmitters instead of electric voltages. And as Mark Changizi has suggested, future humans will continue to harness the powers of their biological constitutions and engage in what Stanislas Dehaene calls neuronal recycling.

    9. Concentrated solar power

    A recent innovation in solar power technology is starting to take the world by storm, though few talk about it. It's called concentrated solar power (CSP), and it's a massively distributed system for extracting solar energy with mirrors and lenses. It works by focusing the incoming sunlight into a highly concentrated area. The result is a highly scalable and efficient energy source that is allowing for gigawatt sized solar power plants. Another similar technology, what's called concentrated photovoltaics, results in concentrated sunlight being converted to heat, which in turn gets converted to electricity. CPV plants will not only solve much of the world's energy needs, they will also double as desalination stations.

    http://io9.com/5942574/9-overlooked-technologies-that-could-transform-the-world
  • Scann-Tec - ASD

    posted by Keito
    2012-09-16 12:25:04
  • Secret Ruling Against The NSA For Spying On Americans

    posted by Keito
    2012-09-11 16:04:53
    'The Electronic Frontier Foundation (EFF) is suing the Justice Department for details of last month's ruling by a secretive U.S. court that National Security Agency's domestic spying program violated the U.S. Constitution, Jon Brodkin of arstechnica reports.

    The Foreign Intelligence Surveillance Court (FISC) found that "on at least one occasion" the NSA had violated the Fourth Amendment’s restriction against unreasonable searches and seizures.

    The decision is classified "because of the sensitive intelligence matters" it concerns, according to a letter from Sen. Ron Wyden (D-OR) to Congress that was acquired by Wired.

    The EFF wants the information because of its current lawsuit against the NSA (i.e. Jewel vs. NSA) that alleges the U.S. government operates an illegal mass domestic surveillance program. Three NSA whistleblowers—including William Binney—agreed to provide evidence that the NSA has been running a domestic spying program since 2001.

    The kicker is that there is ample evidence that the NSA has gone above and beyond the powers granted through the 2008 FISA Amendments Act by actively spying on the electronic communications of American citizens within the U.S. and by coercing service providers to feed it any and all information it wants.

    That is what FISC found and what the government does not want to admit.'

    http://www.businessinsider.com/nsa-spying-4th-amendment-2012-8