- Who should take the lead on cybersecurity ... DHS? NSA?
- Cybots to patrol government networks? Skynet anyone?
- Chinese hackers take down Russian Consulate website
- Ideological hacking more prevalent than financial hacking
- Army, Navy, and Marines. Do we need a cyberwarriors branch for the military?
- Is Skype uncrackable?
- Cybersecurity gets a boost in Obama's budget.
- Al-Qaeda targets China
Friday, February 27, 2009
Weekly Roundup
Wednesday, February 25, 2009
Hacker Turf War
Wasemann noted that most malware is designed to 'blackhole' updates from anti-virus vendors and patches from operating system vendors. 'Blackholing' is a term used to describe how a cache poisoning attack re-routes traffic to an unreachable location. Blackholing anti-virus updates and operating system patches prevents a user from detecting an infection and prevents the computer from automatically fixing the underlying vulnerability.
However, this particular piece of Malware that Wasemann analyzed contained "200 or so domains that are reconfigured to point to 127.0.0.1 ... but, surprisingly, not domains of commercial software. Rather, it looks like a turf war is in progress between malwares, and this particular species tries to null out the connections of the competition."
The IP address 127.0.0.1 is the address of your computer's loopback interface. Traffic routed to this destination never leaves the machine and effectively disappears. Therefore, the authors of this malware sample are trying to prevent rival malware from gaining control over an infected computer. Infected computers have monetary value in the cyber-criminal underworld, so cyber criminals have an incentive to protect their property.
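One place this kind of redirection shows up on an infected machine is the local hosts file (/etc/hosts on Unix-like systems, %SystemRoot%\System32\drivers\etc\hosts on Windows), which is consulted before DNS. The script below is an added example for the discussion above, not code from the original post or from Wasemann's analysis: it parses a constructed hosts file, flags any name that has been pointed at a loopback or unspecified address, and rates the finding higher when the name looks like an update or patch channel. The domain names, the watchlist substrings, and the sample file contents are all invented for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file (not a real infection artefact).
# The .invalid TLD is reserved and never resolves, so these names are safe placeholders.
SAMPLE_HOSTS = """\
# Legitimate loopback entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# Entries a malware sample might add to null out update traffic (constructed)
127.0.0.1   update.example-av.invalid liveupdate.example-av.invalid
0.0.0.0     patches.example-os.invalid
# An entry that nulls out a rival's command-and-control name (constructed)
127.0.0.1   c2.rival-botnet.invalid
# A normal administrator pin of an internal host
10.0.0.5    intranet.corp.invalid
"""

# Hypothetical watchlist: substrings that mark names a defender cares about most,
# because redirecting them blocks signature updates or patches.
UPDATE_WATCHLIST = ("update", "liveupdate", "patch")

# Names that legitimately map to loopback and must not be reported.
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "ip6-localhost", "localhost.localdomain"}

# Destinations where traffic "disappears": loopback and the unspecified address.
BLACKHOLE_NETS = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("::/128"),
)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, ignoring comments and blank lines."""
    entries: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]  # a line may list several names for one address
        for name in names:
            entries.append((address, name.lower()))
    return entries


def is_blackhole_address(address: str) -> bool:
    """True if the address is loopback or unspecified (IPv4 or IPv6); False for anything unparsable."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False
    # Membership tests across IP versions simply return False, so mixing v4/v6 here is safe.
    return any(addr in net for net in BLACKHOLE_NETS)


def find_blackholed(entries: List[Tuple[str, str]],
                    watchlist: Tuple[str, ...] = UPDATE_WATCHLIST) -> List[Dict[str, str]]:
    """Report every non-localhost name that has been pointed at a blackhole address."""
    findings: List[Dict[str, str]] = []
    for address, name in entries:
        if name in LEGITIMATE_LOOPBACK_NAMES or not is_blackhole_address(address):
            continue
        # An update/patch channel being nulled is the classic anti-defence move; anything
        # else redirected to loopback is still suspicious and worth a look.
        severity = "high" if any(marker in name for marker in watchlist) else "medium"
        findings.append({"host": name, "address": address, "severity": severity})
    return findings


def scan_hosts_text(text: str) -> List[Dict[str, str]]:
    """Convenience wrapper: parse then analyse a hosts file's contents."""
    return find_blackholed(parse_hosts(text))


if __name__ == "__main__":
    for finding in scan_hosts_text(SAMPLE_HOSTS):
        print(f"[{finding['severity']}] {finding['host']} -> {finding['address']}")
```

Run against a real machine by reading the hosts file into `scan_hosts_text`; the watchlist would then be replaced with the update hostnames actually used by the security products deployed in that environment, which is why it is left as a constructed placeholder here.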
Discussion for class:
- Does this type of cache poisoning attack affect confidentiality, integrity, or availability? Can it affect all three?
- Who is responsible for addressing vulnerabilities in software and hardware? The end user? The manufacturer? The Internet Service Provider?
Tuesday, February 24, 2009
Chinese IT Firm Accused of Links to Cyberwarfare
According to the article, "in the past 10 years, Beijing-based Venus Info Tech has become the dominant provider of information technology (IT) network security to the Chinese intelligence and military community. It also has been accused of providing hacker services that help the Chinese government penetrate foreign government computer networks."
Further, the article notes that China's operating agreements with Microsoft and other technology vendors give companies like Venus Info Tech the ability to examine the source code of popular software. Having access to source code would allow a hacker to more easily find and exploit vulnerabilities. Specifically, the article states,
several Chinese firms and government agencies have deep access to the source code of Microsoft Windows, the operating system that drives most of the world’s computers. In 2003, Microsoft opened the code to the China Information Technology Security Certification Center (CNITSEC), a government agency, under a government security plan that was intended to “provide a trustworthy computing environment,” said Tim Chen, then vice president and CEO, Microsoft Greater China, in 2003. He resigned in 2007. “Depending on the level of access they were provided, it would certainly seem to provide the Chinese with insight into flaws that they could exploit,” Henderson said. “You get enough people poring over the code, and I imagine you could design viruses based on weaknesses you find in the code.”
Discussion for Class:
Why would an adversary be interested in gaining the ability to easily discover and exploit vulnerabilities in popular software applications?
Sunday, February 22, 2009
Friday, February 20, 2009
Weekly Roundup
- No training camps. No Problem. Jihadist training in cyberspace.
- Why are malicious insiders a threat? They know where the vulnerabilities and how to exploit them.
- The Internet is only a little bit broken.
- Are we militarizing cyberspace?
- Do you trust that the websites you visit won't infect you?
- Does al-Qaeda want to bring down the Internet?
Administrivia
Sunday, February 15, 2009
Weekly Roundup
- John Markoff asks whether we need a new Internet?
- Is the FTC giving Internet companies one last chance to self-regulate?
- Adm. Blair declares cybersecurity a top national security issue.
- Department of Energy security FAIL.
- Kevin Mitnick outlines theoretical attack on Obama's blackberry.
- Blackhat DC unveils how to hack facial recognition software.
- Jon Stewart pwns Bill O'Reilly on privacy.
Thursday, February 12, 2009
Privacy: A Debate No Longer
Mid-Term Time
Answers will be evaluated based on the following criteria:
- the use of lessons learned from our readings, discussions, and relevant outside sources
- creativity and original thinking
- the clarity and conciseness of your writing
A. Discuss the impact of Moore's Law on privacy. What risks does Moore's Law present to privacy? What are the potential rewards? How has Moore's Law changed definitions of privacy? (750 word limit)
B. How have definitions of privacy changed throughout history? How do you think definitions of privacy will change in the future? (750 word limit)
Section II: You must answer one of the following questions
A. Design a comprehensive national privacy law. Explain the fundamental tenets of your privacy law. What legal protections would you include? (500 word limit)
B. How does the eightmaps website impact privacy? Are privacy and transparency mutually exclusive goals in this case? What privacy protections can be implemented to ensure that the reuse of personal information from political donor rolls does not have a chilling effect on participation in the political process? (500 word limit)
Section III: You must answer one of the following questions
A. What is the function of Google's new Latitude Service? Does it harm privacy? If so, how? If not, why not? (250 word limit)
B. Do social networking sites like Facebook or MySpace harm or protect privacy? (250 word limit)
Sunday, February 8, 2009
More on Balancing Transparency and Privacy
First, I'm more interested in credentialing those individuals or organizations that want to repurpose data and less concerned about those that simply want to view data. In the interest of preserving transparency I think individuals or organizations should be able to freely view government data, but I think privacy is eroded when individuals or organizations are able to copy and repurpose government data without any accountability.
In the case of eightmaps, I think the State of California was correct to publish the information on those individuals and organizations that contributed to the passage of Prop 8. Citizens have a right to know who donated to political candidates and ballot initiatives. Without this right there would be no transparency and it would be too easy for the political process to be corrupted. However, I think that the State of California was incorrect in its decision to post the Prop 8 donors online in an Excel spreadsheet that anyone could download and reuse in any manner they see fit. In effect, the State allowed anyone to access and repurpose that data with no oversight.
The key here is developing a process that balances the sometimes competing goals of transparency and privacy. Both goals are essential for a healthy democracy, and I think what we are currently witnessing, as demonstrated by the eightmaps example, is how the increased accessibility of personal information has disrupted the delicate balance between transparency and privacy. It is true that this data was always available to those individuals willing to spend the time to travel to a local courthouse. However, the advent of the Internet has now made this same data increasingly accessible to anyone with a computer and an Internet connection. The Internet, in this case, has disrupted the balance and increased transparency at the expense of privacy.
I therefore think that governments should create a process by which individuals or organizations have to be credentialed in some way before they are able to copy and reuse government data. Specifically, I think the government should validate and track the names and contact information of individuals or organizations that download government data. Ideally, this credentialing system would force a more responsible use of personal information or at least make the creator of websites like eightmaps more accountable for their use of the data.
Saturday, February 7, 2009
All The News That's Fit to Print
Read the piece over and let me know what you think. Have a great weekend!
“The key here is developing a process that balances the sometimes competing goals of transparency and privacy,” said the professor, Ned Moran, whose undergraduate class on information privacy spent a day discussing the eightmaps site last month.
“Both goals are essential for a healthy democracy,” he said, “and I think we are currently witnessing, as demonstrated by eightmaps, how the increased accessibility of personal information is disrupting the delicate balance between them.”
Friday, February 6, 2009
Weekly Roundup
- Good coverage on whether police are legally allowed to search cellphones and other handheld devices without a warrant
- You can run, you can search and email from a public computer, but you can't hide from the police
- Vulnerabilities in Supervisory Control and Data Acquisition (SCADA) software, like the ones recently found in Areva's e-terrahabitat package, are absolutely frightening
- Want to know how to make $9 million in one day? Ask a hacker.
- Now Google knows what you want and where you are.
- Study says data insecurity on the rise
- Who says hackers don't have a sense of humor?
- In an effort to end on a good note I give you a great link from the FailBlog.
Wednesday, February 4, 2009
Digital Signs and Privacy
Digital signage companies are tracking consumers in a number of ways. The most common method may be itsy-bitsy cameras hidden in the signs that record the age, race, and gender of passersby. Other companies use Bluetooth or radio frequency identification (RFID) tags. Some are also using consumers’ mobile phones to trigger ads; the signage system can then deliver coupons to the phones. All of these technologies have the potential to identify individual consumers and gather personal data about them, without giving consumers any choice in the matter.
Discussion for class:
- What, if any, are the privacy issues with how the digital signage industry is using facial recognition cameras and other technologies that can identify consumers?
- What privacy protections or policies can the digital signage industry implement to mitigate any concerns about how it is using technology to improve its efficiency?
Tuesday, February 3, 2009
O'Harrow's Paradox
On the surface this paradox defies resolution. However, I believe that a more nuanced analysis of this contradiction reveals that both contentions are true. In other words, I believe that the data collection industry is capable of gathering data on our daily movements but is also negligent in its approach to validating and protecting our personal information.
The private sector in general and the data collection industry in particular has built an incredibly efficient data collection infrastructure capable of inhaling our personal information. However, I am not convinced that a similarly sophisticated capability exists to properly analyze, store, and secure this mass of personal information.
I welcome your input on this argument.
RFID Tracking
An example of one way that RFID tags can be abused can be found at the RFTracker.com website. According to its website,
RFtracker maintains two databases: a "match" database, which matches RFID tag numbers with the people who possess goods bearing those tag numbers; and a "sightings" database, which holds records of RFID tag sightings by RFID readers located around the world (with time, place, and tag number). If you already have a tag number, you can use the "sightings" database to see where that tag has been sighted. (This service is free, although you'll have to pay if you want "real-time" data, which includes sightings within the past 24 hours; you can choose to have real-time data sent to you via e-mail, pager, or text message.) If all you have is the name of the person that you want to track, you'll want to start with our "match" database, to see if it includes any RFID tags associated with that person.
Check out the demos on the site to get a feel of how RFID can be used to track people's movements.
Monday, February 2, 2009
10 Years Ago Today
Hacking RFIDs
Justice Scalia on Privacy
Justice Scalia seemed to endorse a view of privacy which focuses on the nature of the information. In other words, what you buy at the grocery store shouldn't be protected, but your prescription medications probably should be.
Daniel Solove takes issue with Scalia's comments and notes that privacy can be invaded even if the information disclosed is not considered to be shameful. Solove writes,
Privacy can be invaded even if the information disclosed isn't shameful. For example, one's Social Security Number isn't shameful, yet we protect it as private because it can affect our data security. In many cases, one's financial information isn't shameful, but many desire to protect it as private -- not to prevent embarrassment, but because they simply don't want others to know about their financial condition.
- Is it sensible to try to define privacy by focusing on the nature of information? If so, how do you avoid creating a long running and ever changing laundry list of what is private?
- Is it problematic to try to define privacy by what is shameful and what is not? How widely would the definition of shameful vary?
- Does Justice Scalia confuse secrecy with privacy?
Sunday, February 1, 2009
Privacy and Health
In Sunday’s edition of the New York Times, an editorial titled “Your E-Health Records”(http://www.nytimes.
While Congress is working on passing bills that would ostensibly prevent such abuses, there is no doubt that the opportunities for misuses of private information are now unlimited. The article mentions some examples that I found especially significant, such as the fact that employers, with the now easily acquired health records, might refuse to hire a potential employee with the information that they might be more expensive to cover with health insurance. Such situations only create a more discriminatory work place, allowing employers to exploit personal health as a money-saving technique.
I think this specific area of privacy encroachment is particularly noteworthy because it involves something an individual has no control over. When the government pulls up credit card records or checks what books one has taken out of the library, it is ultimately reviewing actions that an individual has made a conscious decision to execute. However, an individual clearly has less control regarding their personal health. For example, being diabetic, and therefore being a potential employee who might require more expensive health insurance, is not a role he or she has made a conscious decision to undertake. A person should not suffer any repercussions from a situation outside of their control, especially concerning certain unavoidable health issues.
Weekly Roundup
- Who's responsible for the cyber attacks in Kyrgyzstan - Russia or Kyrgyzstan?
- Oops! Google killed the Internet.
- A disgruntled Fannie Mae engineer plants a logic bomb in revenge for his termination. The dangers of the insider threat are made clear by this story.
- Caution: Zombies Ahead!
- Cops use Google Earth in drug bust.
- 12 tips for protecting your privacy from Computerworld.
- Will Facebook spark a revolution? Interesting examples from Egypt on how reformers organize online.