US civil rights organisation prepares for new 'crypto war'
The Electronic Frontier Foundation (EFF) reports that it has filed lawsuits against three agencies of the US Department of Justice demanding the release of documents justifying the need for stronger internet surveillance measures. The civil rights organisation justifies its action by citing the head of the FBI, who has publicly claimed that it is necessary to install back doors in electronic communication systems in order to preserve the ability of the security services to intercept information. The FBI is now being called on to provide evidence of the posited gaps in protection. The EFF is also using the Freedom of Information Act to demand examples from the Drug Enforcement Administration (DEA) and the Department of Justice Criminal Division that show their staff have been impeded in performing surveillance of online communications by the lack of these requested measures.
The EFF has been prompted to take action by reports that the government is working on a law to make it easier to eavesdrop on internet telephony, encrypted email and instant messaging (IM). The legislation would require developers of peer-to-peer (P2P) communications solutions, such as instant messaging or internet telephony applications, to design their applications to be susceptible to surveillance. The FBI wants suppliers and ISPs to ensure that investigators can be provided with plain text versions of all messages. The EFF sees echoes of the 'crypto war' of the 1990s, when government agencies spent several years demanding that cryptographic products either contain deliberate vulnerabilities or come with spare keys held by the government. The EFF has reiterated its arguments from the debate held at that time: that the plans create security risks, will not stop criminals and will harm law-abiding businesses and citizens.
Facebook discovers and "punishes" UID-selling developers
The recent discovery that some Facebook applications were inadvertently forwarding users' UIDs to advertising agencies and data collection companies has spurred the social network to investigate the matter thoroughly and to try to think of a platform-wide solution that would prevent it from ever happening again.
But the investigation uncovered a surprising fact: some developers were sharing the UIDs with data brokers for a fee. "While we determined that no private user data was sold and confirmed that transfer of these UIDs did not give access to any private data, this violation of our policy is something we take seriously," said Facebook engineer Mike Vernal.
"As such, we are taking action against these developers by instituting a 6-month full moratorium on their access to Facebook communication channels, and we will require these developers to submit their data practices to an audit in the future to confirm that they are in compliance with our policies."
According to him, fewer than a dozen developers have been found guilty of sharing the UIDs. Most are small developers, and their applications do not appear in the list of the top 10 most popular applications on Facebook.
RIAA and Anonymous sites both downed by DDoS assaults
Hacktivists briefly took out the two main Recording Industry Association of America (RIAA) websites on Friday afternoon as revenge for the organisation's long-running legal offensive against Limewire, which led to the closure of the controversial P2P service earlier in the week.
Denizens of the loosely-affiliated Anonymous collective used its Low-Orbit Ion Cannon (LOIC) tool to swamp the websites RIAA.org and RIAA.com with spurious traffic. The assault began at around 5pm EST on Friday, an hour later than the 4pm start the organisers had originally planned, Slyck.com reports.
Is it legal to use Firesheep at Starbucks?
"Legal experts debate legality of Firefox add-on that steals Facebook, Twitter account access at public hotspots"
People using the Firesheep add-on may be breaking federal wiretapping laws, legal experts said today.
Or maybe not.
"I honestly don't know the answer," said Phil Malone, a clinical professor of law at Harvard Law School as well as the director of the school's Cyberlaw Clinic at the Berkman Center for Internet & Society. Malone also served for more than 20 years as a federal prosecutor with the U.S. Department of Justice.
Firesheep, which was released just over a week ago and has been downloaded nearly half a million times since, is an add-on to Mozilla's Firefox browser that identifies users on an open network - such as a coffee shop's public Wi-Fi hotspot - who are visiting an insecure Web site. A double-click in Firesheep gives its handler instant access to the accounts of others accessing Twitter and Facebook, among numerous other popular Web destinations.
But while the tool itself is not illegal, using it may be a violation of federal wiretapping laws and an invasion of privacy, experts said.
"There are two schools of thought," said Jonathan Gordon, a partner in the Los Angeles office of law firm Alston & Bird. "The first is that there's no reasonable expectation of privacy in a public insecure Wi-Fi connection."
Gordon, who regularly counsels clients on their Internet business practices, cited the U.S. statute pertaining to wiretapping, which states that it's not a violation of the law "to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public."
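The sidejacking Firesheep performs works only because a site's session cookie travels in clear text over the open network. As an added example (not code from the article or from Firesheep), the following audits constructed HTTP response headers for the two server-side controls that close that gap: the Secure (and HttpOnly) attribute on session cookies and an HSTS header. The session-cookie name heuristic is an assumption for the example.

```python
"""Audit Set-Cookie / HSTS headers for sidejacking exposure (added example)."""
from http.cookies import SimpleCookie

# Substrings that usually mark a session or auth cookie (heuristic, assumed here).
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def is_session_cookie(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit_headers(headers):
    """Return a list of findings; an empty list means no exposure was found.

    headers: (name, value) pairs as the server sends them. Only Set-Cookie and
    Strict-Transport-Security are inspected; other headers are ignored.
    """
    findings = []
    has_hsts = False
    for name, value in headers:
        key = name.lower()
        if key == "strict-transport-security":
            has_hsts = True
        elif key == "set-cookie":
            jar = SimpleCookie()
            jar.load(value)  # parses one Set-Cookie line into Morsel objects
            for cookie_name, morsel in jar.items():
                if not is_session_cookie(cookie_name):
                    continue  # preference cookies are not worth a finding
                if not morsel["secure"]:
                    findings.append(f"{cookie_name}: no Secure flag, sent over plain HTTP")
                if not morsel["httponly"]:
                    findings.append(f"{cookie_name}: no HttpOnly flag, readable by scripts")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header, first visit may use HTTP")
    return findings


# Constructed sample responses (not real captures): a Firesheep-exposed site and a hardened one.
VULNERABLE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "lang=en; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["ok"])
```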
Search engine Blekko launches; eliminates spam
The result is an improved search experience that delivers results from high quality sites, leaving behind spammers, aggregators and content farms.
Blekko bases its technology on a simple tool called a slashtag. Slashtags are curated sets of web sites organized around a particular topic. These cover topics as broad as health, money, and autos, and as narrow as gluten-free and neurotechnology. Slashtags are added to search queries and limit search results to only the curated sets of sites.
With the launch of the public beta, Blekko is also automatically applying slashtags to improve results in seven initial search categories: health, colleges, autos, personal finance, lyrics, recipes and hotels. For example, searching "cure for headaches" on Blekko will provide results only from the top quality sites in the health category.
For searches that don't fall within one of Blekko's pre-defined categories, Blekko uses its proprietary ranking algorithms to deliver relevant results from its 3 billion page web crawl. As users create and refine more slashtags, Blekko plans to expand "auto-slashing" to improve results in more categories.
Also: Blekko launches the biased search engine
Spamhaus blocks fellow antispam outfit
The owner of a spam-prevention website says it has been taken down following unfounded complaints from fellow anti-junkmail organization Spamhaus.
Spamwise.org owner Ian W. Rudge said the site and an unrelated property for his IT consultancy were taken down after their IP address was added to the Spamhaus Block List on October 24. He said US-based SiteGround.com, which had been hosting the sites, ultimately restored the business site but has refused to bring Spamwise back online because, it said in an email, it has been reported for "sending unsolicited email messages to a large number of recipients."
Rudge said Spamwise aimed to alert webmasters who oversee the large number of sites that leak employee and member email addresses. Spammers routinely harvest the addresses for use in phishing and junkmail campaigns. A page on Spamwise allowed visitors to test whether a given site needlessly revealed addresses. The tool was set up to email the results only once to the webmaster.
Rudge said Spamhaus representatives told him his site was being blacklisted because the emails it generated were unsolicited. He said he explained that the emails were designed to raise awareness about a widespread practice that results in spam and that a website owner would never receive more than one. He went on to say that Spamhaus, in sending unsolicited notices to admins of unsecured SMTP email servers, does much the same thing.
Google Extends Bug Bounty to Web Properties
Google is extending its nascent bug-bounty program to the Web applications that the company owns, including its flagship search service, YouTube and Blogger. The program will pay researchers rewards of up to $3133.7 for bugs that they find in Google Web services and report directly to the company.
Google announced the new bounty program Monday, about 10 months after it launched its initial reward program for vulnerabilities identified in Chromium. That program has been quite successful, drawing a lot of interest from security researchers who have identified some interesting bugs in the open-source software.
Now, Google is hoping that those same researchers will take their talents to the company's Web properties.
"Today, we are announcing an experimental new vulnerability reward program that applies to Google web properties. We already enjoy working with an array of researchers to improve Google security, and some individuals who have provided high caliber reports are listed on our credits page. As well as enabling us to thank regular contributors in a new way, we hope our new program will attract new researchers and the types of reports that help make our users safer," the company said in a blog post attributed to several of Google's security team members, including Chris Evans, Neel Mehta and Michal Zalewski.
Internet Explorer info leak festers for 2 years
For almost two years, Microsoft's Internet Explorer browser has been vulnerable to attacks that steal digital security tokens and other sensitive data, a security researcher said recently.
Researcher Chris Evans said he alerted Microsoft to the information disclosure vulnerability in IE in December 2008. As of October 21, it remained unfixed, making his disclosure a "600-day" vulnerability, he quipped.
"There are a varied number of text structures which can be stolen (iteratively if necessary) with this trick," Evans warned.
Antivirus scanning becoming inadequate, says Webroot CEO
"Buys Prevx to provide alternative"
US antivirus vendor Webroot has bought UK-based Prevx in an acquisition that looks like the latest symptom of the growing dissatisfaction among security companies with the current signature-based scanning model for detecting malware.
On the face of it a 20-person software security company based in Derby is an unlikely bride for an ambitious US outfit looking to grow. But since its founding as long ago as 2001, Prevx has been a pioneer of the application fingerprinting technology that in the cloud services era has suddenly become ultra-fashionable.
Webroot will now spend the next six months integrating Prevx's cloud-oriented application profiling into its own development program. The Derby employees will be retained and the technical effort spread to engineers based in the US and Austria.
Webroot Buys Prevx for Cloud Security
Webroot Acquires Prevx
Rogue AV rides the US Midterm Elections wave
On the eve of the 2010 US Midterm Elections, the Websense Security Labs ThreatSeeker Network has discovered that some search terms related to the ongoing event return sites employing black hat SEO. Websense customers are protected against this attack through our Advanced Classification Engine. [Screenshot]
As you can see, some of the infected sites already come with a warning. However, there are still a handful of Web sites that do not have warning messages attached to them. Search terms used in this attack include:
2010 midterm election
midterm election results
midterm election 2010
midterm election latest polls
midterm election season
midterm election latest polls gallup
At the time of writing, the black hat SEO'd sites appear benign, only redirecting users to what appears to be a blank page. A closer look at the code reveals that the page contains a URL to a rogue AV site. [Screenshot]
If you copy and paste this URL in your browser, it will redirect you to the rogue AV download page which prompts the user to download inst.exe, identified by 10 of 43 VirusTotal engines.