Federal Government Reportedly Vastly Expands Big Data Spying, Includes Innocent Citizens
posted by Keito
2012-12-29 11:29:22
After fierce internal controversy, the White House has reportedly authorized a vast expansion of spying capabilities, including the ability to investigate innocent citizens and mine previously separated databases.
“This is a sea change in the way that the government interacts with the general public,” said chief privacy officer of the Department of Homeland Security Mary Ellen Callahan, whose concerns were steamrolled, according to an investigatory report by The Wall Street Journal. One senior official called the expanded powers “breathtaking” in scope.
In part prompted by the frightening near success of the Christmas Day underwear bomber, President Obama demanded more sophisticated resources to prevent future terrorist attacks. “This was not a failure to collect or share intelligence,” said the president’s chief counterterrorism adviser, John Brennan, in January 2010. “It was a failure to connect and integrate and understand the intelligence we had.”
Prior to the updated guidelines, the National Counterterrorism Center (NCTC) maintained the Terrorist Identities Datamart Environment database (TIDE), a digital warehouse of half a million terror suspects and their friends and family. Under new rules, the NCTC now has access to many other government databases so long as they are “reasonably believed” to contain “terrorism information.”
The NCTC can now copy whole datastores of information, such as flight records, the names of Americans hosting foreign exchange students, and many others. The Federal Privacy Act of 1974 sought to stifle indiscriminate sharing of datasets on Americans, but the law contains a skyscraper-size loophole that exempts an agency from the rules if they notify the Federal Register. “All you have to do is publish a notice in the Federal Register and you can do whatever you want,” security consultant Robert Gellman told the Journal.
A supplementary blog post to the report notes a few key differences between an updated 2008 memo from the Bush Administration and the 2012 guidelines:
Dropping the requirement to remove innocent U.S. people: In 2008, the NCTC was to remove U.S. individuals “not reasonably believed to be terrorism information.” Now, they can keep tabs on U.S. persons for up to five years.
“Pattern-based queries”: Previously, analysts were prohibited from conducting certain sophisticated matching queries that “are not based on known terrorism datapoints,” explains the Journal. Now, it's explicitly allowed.
Added oversight: 2012 guidelines added “periodic reviews” to review egregious violations and whether keeping some information “remains appropriate.”
Sharing information with foreign governments: 2012 added guidelines for data sharing with “any appropriate entity.”
Breach a 'security disaster' for IEEE
posted by Keito
2012-09-29 19:21:01
The IEEE (Institute of Electrical and Electronics Engineers) describes itself on its website as "the world's largest professional association for the advancement of technology."
But after a data breach that left the usernames and passwords of 100,000 of its members exposed in plain text for a month, some security experts said it is clear both the organization and at least some of its members should also be in the business of the advancement of common sense security.
The breach, discovered by an independent security researcher, demonstrates an almost inexplicable lack of basic security protocols, including some of the most vulnerable passwords possible.
Torsten George, vice president of worldwide marketing and products for Agiliance, a security risk management firm, called it "plain stupid."
Paul Ducklin, writing at Sophos' Naked Security blog, called it, "a veritable security disaster for the IEEE."
The IEEE announced the breach earlier this week. Radu Dragusin, a Romanian researcher and now a teaching assistant in the Department of Computer Science at the University of Copenhagen, said he discovered it on Sept. 18, and notified IEEE on Monday, Sept. 24.
"The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery," Dragusin wrote. "Among the almost 100,000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places."
He said the unencrypted passwords were the most "troublesome" element of the breach, but also said, "the simplest and most important mistake on the part of the IEEE web administrators was that they failed to restrict access to their webserver logs ..." which included more than 100GB of data containing detailed information on more than 376 million HTTP requests made by IEEE members.
A number of IEEE members were also failing to use basic security. Dragusin found that seven of the top-10 most popular passwords were combinations of the number string "1234567890," in order. Others in the top 20 included "password" and "admin."
IEEE sent a letter to its members the next day, acknowledging the breach, but saying, "This matter has been addressed and resolved. None of your financial information was made accessible in this situation. However, it was theoretically possible for an unauthorized third party, using your ID and password, to have accessed your IEEE account."
Because of that, the organization said it had terminated the access of its members under their current passwords, and that they would have to "authenticate through a series of personal security questions you set up at the time you opened the account and to change your password."
The IEEE was unresponsive to questions from CSO Online about why the passwords were in plain text, how access to the weblogs was unrestricted and why the group did not discover the breach itself.
Adrienne McGarr, a public relations spokeswoman, emailed a copy of the statement IEEE had already posted on its website, saying the issue was addressed and resolved and members were being notified.
"IEEE takes safeguarding the private information of our members and customers very seriously. We regret the occurrence of this incident and any inconvenience it may have caused," the statement said.
George said the group has not taken the privacy of member information seriously, adding that the IEEE is not alone -- that this is somewhat typical of too many organizations.
"This illustrates a check-box mentality of compliance," he said. "It is looking at security as a necessary evil, but only to fulfill a regulatory mandate."
The failure to encrypt the data is especially mystifying, he said, "especially after the LinkedIn breach," a reference to the breach in June of the professional networking site that led to the posting of 6.5 million member passwords on a Russian hacking site. At the time, LinkedIn was not using the preferred password-protection method called salted hashing.
Following the breach, LinkedIn was hit with a $5 million class-action lawsuit.
George said it looks like the failure to restrict access to the webserver logs at IEEE was human error. "Somebody must have changed the access and forgot to change it back," he said. "It's a human mistake that's made very easily. But if they had done continuous monitoring, they would have noticed the restriction was not in place.
"You can't rely on humans," he said. "You have to automate the process."
Dragusin made it clear in his post that he did not intend to use the information for malicious means. Besides notifying IEEE, "I did not, and plan not to release the raw log data to anyone else," he wrote.
But that does not make him a hero to Paul Ducklin, who mocked Dragusin's professed "uncertainty" about what to do with the information. Ducklin noted that Dragusin waited a week from the time he discovered the breach to notify IEEE, but still found time to "register his vanity name-and-shame domain, ieeelog.com, on 19 September 2012.
"Nor did it prevent him grabbing and processing 100GB of log data he knew wasn't supposed to be accessible," he wrote. "How is this bad? It probably isn't. But it's more of a 'don't be evil' outlook than one of 'actually be good.'"
George said that the IEEE, in addition to improving its own security standards, should force its members to have more rigorous passwords.
"You can mandate password policies," he said. "You can require that they include a combination of characters and digits. You can require that they be changed every 30 days. There is a lot of room for improvement."
Hackers Breached Adobe Server in Order to Sign Their Malware
posted by Keito
2012-09-29 17:01:17
The ongoing security saga involving digital certificates got a new and disturbing wrinkle on Thursday when software giant Adobe announced that attackers breached its code-signing system and used it to sign their malware with a valid digital certificate from Adobe.
Adobe said the attackers signed at least two malicious utility programs with the valid Adobe certificate. The company traced the problem to a compromised build server that had the ability to get code approved from the company’s code-signing system.
Adobe said it was revoking the certificate and planned to issue new certificates for legitimate Adobe products that were also signed with the same certificate, wrote Brad Arkin, senior director of product security and privacy for Adobe, in a blog post.
“This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh,” Arkin wrote. “The revocation does not impact any other Adobe software for Macintosh or other platforms.”
The three affected applications are Adobe Muse, Adobe Story AIR applications, and Acrobat.com desktop services.
The company said it had good reason to believe the signed malware wasn’t a threat to the general population, and that the two malicious programs signed with the certificate are generally used for targeted, rather than broad-based, attacks.
Arkin identified the two pieces of malware signed with the Adobe certificate as “pwdump7 v7.1” and “myGeeksmail.dll.” He said that the company passed them on to anti-virus companies and other security firms so that they could write signatures to detect the malware and protect their customers, according to the post.
Adobe didn’t say when the breach occurred, but noted that it was re-issuing certificates for code that was signed with the compromised signing key after July 10, 2012. Also, a security advisory the company released with its announcement showed that the two malicious programs were signed on July 26 of this year. Adobe spokeswoman Liebke Lips told Wired that the company first learned of the issue when it received samples of the two malicious programs from an unnamed party on the evening of Sept. 12. The company then immediately began the process of deactivating and revoking the certificate.
The company said the certificate will be re-issued on Oct. 4, but didn’t explain why it would take that long.
Digital certificates are a core part of the trust that exists between software makers and their users. Software vendors sign their code with digital certificates so that computers recognize a program as legitimate code from a trusted source. An attacker who can sign their malware with a valid certificate can slip past protective barriers that prevent unsigned software from installing automatically on a machine.
Revoking the certificate should prevent the signed rogue code from installing without a warning.
Stuxnet, a sophisticated piece of malware that was designed to sabotage Iran’s nuclear program, was the first malicious code discovered in the wild to be using a valid digital certificate. In that case the attackers – believed to have been working for the U.S. and Israel – stole digital certificates from two companies in Taiwan to sign part of their code.
Adobe said that it stored its private keys for signing certificates in a hardware security module and had strict procedures in place for signing code. The intruders breached a build server that had access to the signing system and were able to sign their malicious programs in that way.
In addition to concerns about the compromised certificate, the breach of the build server raises concerns about the security of Adobe’s source code, which might have been accessible to the attackers. But Arkin wrote that the compromised build server had access to source code for only one Adobe product. The company did not identify the product but said that it was not the Flash Player, Adobe Reader, Shockwave Player or Adobe AIR. Arkin wrote that investigators found no evidence that the intruders had changed source code and that “there is no evidence to date that any source code was stolen.”
Questions about the security of Adobe’s source code came up earlier this month after Symantec released a report about a group of hackers who broke into servers belonging to Google and 33 other companies in 2010. The attackers were after source code for the companies. Adobe was hacked around the same time, but has never indicated if the same attackers that hit Google were responsible for hacking them.
Symantec found evidence that the attackers who struck Google had developed and used an unusually large number of zero-day exploits in subsequent attacks against other companies. The attackers used eight zero-day exploits, five of which were for Adobe’s Flash Player. Symantec said in its report that such a large number of zero-days suggested that the attackers might have gained access to Adobe’s source code. But Arkin insisted at the time that no Adobe software had been stolen.
“We are not aware of any evidence (direct or circumstantial) indicating bad guys have [source code],” he told Wired at the time.
Robotic tuna is built by Homeland Security
posted by Keito
2012-09-22 21:23:45
No question about it...they're very good at what they do. But they don't take well to orders, especially those to carry out inspection work in oily or dangerous environments, or in any kind of harsh environment, for that matter. Still, they're one of the fastest and most maneuverable creatures on the planet, having extraordinary abilities at both high and low speeds due to their streamlined bodies and a finely tuned muscular/sensory/control system.
This impressive creature is the humble tuna fish.
The Department of Homeland Security's (DHS) Science and Technology Directorate (S&T) is funding the development of an unmanned underwater vehicle designed to resemble a tuna, called the BIOSwimmer. Why the tuna? Because the tuna has a natural body framework ideal for unmanned underwater vehicles (UUVs), solving some of the propulsion and maneuverability problems that plague conventional UUVs.
Inspired by the real tuna, BIOSwimmer is a UUV designed for high maneuverability in harsh environments, with a flexible aft section and appropriately placed sets of pectoral and other fins. For those cluttered and hard-to-reach underwater places where inspection is necessary, the tuna-inspired frame is an optimal design. It can inspect the interior voids of ships such as flooded bilges and tanks, and hard to reach external areas such as steerage, propulsion and sea chests. It can also inspect and protect harbors and piers, perform area searches and carry out other security missions.
Boston Engineering Corporation's Advanced Systems Group (ASG) in Waltham, Massachusetts, is developing the BIOSwimmer for S&T. "It's designed to support a variety of tactical missions and with its interchangeable sensor payloads and reconfigurable Operator Controls, can be optimized on a per-mission basis," says the Director of ASG, Mike Rufo.
BIOSwimmer is battery-powered and designed for long-duration operation. Like other unmanned underwater vehicles, it uses an onboard computer suite for navigation, sensor processing, and communications. Its Operator Control Unit is laptop-based and provides intuitive control and simple, mission-defined versatility for the user. A unique aspect of this system is the internal components and external sensing which are designed for the challenging environment of constricted spaces and high viscosity fluids.
"It's all about distilling the science," says David Taylor, program manager for the BIOSwimmer in S&T's Borders and Maritime Security Division. "It's called 'biomimetics.' We're using nature as a basis for design and engineering a system that works exceedingly well.
"Tuna have had millions of years to develop their ability to move in the water with astounding efficiency. Hopefully we won't take that long."
Noam Chomsky: Why America and Israel Are the Greatest Threats to Peace
posted by Keito
2012-09-11 14:42:17
Imagine if Iran -- or any other country -- did a fraction of what America and Israel do at will.
It is not easy to escape from one’s skin, to see the world differently from the way it is presented to us day after day. But it is useful to try. Let’s take a few examples.
The war drums are beating ever more loudly over Iran. Imagine the situation to be reversed.
Iran is carrying out a murderous and destructive low-level war against Israel with great-power participation. Its leaders announce that negotiations are going nowhere. Israel refuses to sign the Non-Proliferation Treaty and allow inspections, as Iran has done. Israel continues to defy the overwhelming international call for a nuclear-weapons-free zone in the region. Throughout, Iran enjoys the support of its superpower patron.
Iranian leaders are therefore announcing their intention to bomb Israel, and prominent Iranian military analysts report that the attack may happen before the U.S. elections.
Iran can use its powerful air force and new submarines sent by Germany, armed with nuclear missiles and stationed off the coast of Israel. Whatever the timetable, Iran is counting on its superpower backer to join if not lead the assault. U.S. defense secretary Leon Panetta says that while we do not favor such an attack, as a sovereign country Iran will act in its best interests.
All unimaginable, of course, though it is actually happening, with the cast of characters reversed. True, analogies are never exact, and this one is unfair – to Iran.
Like its patron, Israel resorts to violence at will. It persists in illegal settlement in occupied territory, some annexed, all in brazen defiance of international law and the U.N. Security Council. It has repeatedly carried out brutal attacks against Lebanon and the imprisoned people of Gaza, killing tens of thousands without credible pretext.
Thirty years ago Israel destroyed an Iraqi nuclear reactor, an act that has recently been praised, avoiding the strong evidence, even from U.S. intelligence, that the bombing did not end Saddam Hussein’s nuclear weapons program but rather initiated it. Bombing of Iran might have the same effect.
Iran too has carried out aggression – but during the past several hundred years, only under the U.S.-backed regime of the shah, when it conquered Arab islands in the Persian Gulf.
Iran engaged in nuclear development programs under the shah, with the strong support of official Washington. The Iranian government is brutal and repressive, as are Washington’s allies in the region. The most important ally, Saudi Arabia, is the most extreme Islamic fundamentalist regime, and spends enormous funds spreading its radical Wahhabist doctrines elsewhere. The gulf dictatorships, also favored U.S. allies, have harshly repressed any popular effort to join the Arab Spring.
The Nonaligned Movement – the governments of most of the world’s population – is now meeting in Teheran. The group has vigorously endorsed Iran’s right to enrich uranium, and some members – India, for example – adhere to the harsh U.S. sanctions program only partially and reluctantly.
The NAM delegates doubtless recognize the threat that dominates discussion in the West, lucidly articulated by Gen. Lee Butler, former head of the U.S. Strategic Command: “It is dangerous in the extreme that in the cauldron of animosities that we call the Middle East,” one nation should arm itself with nuclear weapons, which “inspires other nations to do so.”
Butler is not referring to Iran, but to Israel, which is regarded in the Arab countries and in Europe as posing the greatest threat to peace. In the Arab world, the United States is ranked second as a threat, while Iran, though disliked, is far less feared. Indeed in many polls majorities hold that the region would be more secure if Iran had nuclear weapons to balance the threats they perceive.
If Iran is indeed moving toward nuclear-weapons capability – this is still unknown to U.S. intelligence – that may be because it is “inspired to do so” by the U.S.-Israeli threats, regularly issued in explicit violation of the U.N. Charter.
Why then is Iran the greatest threat to world peace, as seen in official Western discourse? The primary reason is acknowledged by U.S. military and intelligence and their Israeli counterparts: Iran might deter the resort to force by the United States and Israel.
Furthermore Iran must be punished for its “successful defiance,” which was Washington’s charge against Cuba half a century ago, and still the driving force for the U.S. assault against Cuba that continues despite international condemnation.
Other events featured on the front pages might also benefit from a different perspective. Suppose that Julian Assange had leaked Russian documents revealing important information that Moscow wanted to conceal from the public, and that circumstances were otherwise identical.
Sweden would not hesitate to pursue its sole announced concern, accepting the offer to interrogate Assange in London. It would declare that if Assange returned to Sweden (as he has agreed to do), he would not be extradited to Russia, where chances of a fair trial would be slight.
Sweden would be honored for this principled stand. Assange would be praised for performing a public service – which, of course, would not obviate the need to take the accusations against him as seriously as in all such cases.
The most prominent news story of the day here is the U.S. election. An appropriate perspective was provided by U.S. Supreme Court Justice Louis Brandeis, who held that “We may have democracy in this country, or we may have wealth concentrated in the hands of a few, but we cannot have both.”
Guided by that insight, coverage of the election should focus on the impact of wealth on policy, extensively analyzed in the recent study “Affluence and Influence: Economic Inequality and Political Power in America” by Martin Gilens. He found that the vast majority are “powerless to shape government policy” when their preferences diverge from the affluent, who pretty much get what they want when it matters to them.
Small wonder, then, that in a recent ranking of the 31 members of the Organization for Economic Cooperation and Development in terms of social justice, the United States placed 27th, despite its extraordinary advantages.
Or that rational treatment of issues tends to evaporate in the electoral campaign, in ways sometimes verging on comedy.
To take one case, Paul Krugman reports that the much-admired Big Thinker of the Republican Party, Paul Ryan, declares that he derives his ideas about the financial system from a character in a fantasy novel – “Atlas Shrugged” – who calls for the use of gold coins instead of paper currency.
It only remains to draw from a really distinguished writer, Jonathan Swift. In “Gulliver’s Travels,” his sages of Lagado carry all their goods with them in packs on their backs, and thus could use them for barter without the encumbrance of gold. Then the economy and democracy could truly flourish – and best of all, inequality would sharply decline, a gift to the spirit of Justice Brandeis.