Sunday, January 30, 2011

Facebook pwns Firesheep

From Facebook.com,

Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the "Account Security" section of the Account Settings page.




There are a few things you should keep in mind before deciding to enable HTTPS. Encrypted pages take longer to load, so you may notice that Facebook is slower using HTTPS. In addition, some Facebook features, including many third-party applications, are not currently supported in HTTPS. We'll be working hard to resolve these remaining issues. We are rolling this out slowly over the next few weeks, but you will be able to turn this feature on in your Account Settings soon. We hope to offer HTTPS as a default whenever you are using Facebook sometime in the future.
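What "entirely over HTTPS" has to get right to actually beat Firesheep, as an added example (this is not code from the post or from Facebook): Firesheep worked by passively capturing session cookies that browsers sent over plain HTTP on shared Wi-Fi, so the defender's check is whether the session cookie is marked Secure (never sent over http://) and whether the site sends Strict-Transport-Security so the browser stops making plaintext requests at all. The Python below audits two constructed sample responses; the cookie names, values and hostnames are made up, the header names are the real ones.

```python
"""Audit Set-Cookie / HSTS headers for a site that wants to run only over HTTPS.

Added example, not from the original post or from Facebook. The two sample
responses below are constructed; the header names are the real ones.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, str]]:
    """Split 'name=val; Attr; Attr=val' into the cookie name and a lower-cased
    attribute map (flag attributes such as Secure map to an empty string)."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(headers: List[Header], session_cookies: List[str]) -> List[str]:
    """Return findings for anything that would let a passive sniffer on the same
    network capture the session identifier in the clear."""
    findings: List[str] = []
    seen_hsts = False
    for hname, hvalue in headers:
        lname = hname.lower()
        if lname == "strict-transport-security":
            seen_hsts = True
            if "max-age=" not in hvalue.lower():
                findings.append("HSTS header has no max-age, so browsers ignore it")
        elif lname == "set-cookie":
            cname, attrs = parse_set_cookie(hvalue)
            if cname not in session_cookies:
                continue  # only the session identifier matters for session hijacking
            if "secure" not in attrs:
                findings.append(f"session cookie {cname!r} lacks Secure: sent over plain HTTP too")
            if "httponly" not in attrs:
                findings.append(f"session cookie {cname!r} lacks HttpOnly: readable by page scripts")
    if not seen_hsts:
        findings.append("no Strict-Transport-Security: a typed http:// URL still starts in the clear")
    return findings


# Constructed sample: the HTTP-by-default state the post is reacting to.
BEFORE: List[Header] = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=EXAMPLE-SESSION-ID; Path=/; Domain=.example.com"),
    ("Set-Cookie", "locale=en; Path=/"),
]

# Constructed sample: what an HTTPS-only deployment should send.
AFTER: List[Header] = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sid=EXAMPLE-SESSION-ID; Path=/; Domain=.example.com; Secure; HttpOnly"),
    ("Set-Cookie", "locale=en; Path=/"),
]

SESSION_COOKIES = ["sid"]  # constructed: the cookie that carries the login session

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_response(hdrs, SESSION_COOKIES) or ["no findings"])
```

The "before" response yields three findings and the "after" response none; the non-session cookie is deliberately ignored, since a sniffer gains nothing from a locale preference.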

House Considers Mandating Internet Data Retention For Crime Solving

ABC News' Mary Bruce reports:

Criminal investigations are “being frustrated” because internet providers are not required by law to retain information on what their customers are doing online, the Department of Justice testified before a House hearing today.

“The gap between providers retention practices and the needs of law enforcement can be extremely harmful to investigations that are critical to protecting the public from predators,” Justice Department Deputy Assistant Attorney General Jason Weinstein told a House Justice Committee hearing on “data retention as a tool for investigating internet child pornography and other internet crimes.”

“The lack of adequate, uniform and consistent data retention policies threatens our ability to use the legal tools Congress has provided to law enforcement to protect public safety,” he said.

While some internet providers voluntarily retain user data for months or years, others do not retain data at all. Under current law, officers can issue subpoenas, court orders and search warrants to require an internet service provider to hand over user data. The problem, Weinstein testified, is that “those authorities are only useful if the data is still in existence at the time the government seeks to obtain it.”

Judiciary Committee Chair Rep. Lamar Smith, R-Texas, agreed. “When law enforcement officers do develop leads that might ultimately result in saving a child or apprehending a pornographer, their efforts should not be frustrated because vital records were destroyed simply because there was no requirement to retain them. Every piece of discarded information could be the footprint of a child predator,” he said.

Other committee members and the Internet Service Provider Association expressed concern, however, that retaining internet data could infringe on users’ privacy.

“A data retention mandate would raise a number of serious privacy and free speech concerns… Congress should be very hesitant to require service providers to create databases to track the internet activities of 230 million innocent Americans,” said John Morris, General Counsel for the Center for Democracy and Technology.

Florida Democrat Rep. Debbie Wasserman Schultz reiterated “this is not about watching or tracking people’s behavior online… it’s about helping law enforcement connect the dots.”

Beyond privacy concerns, Morris argued that requiring internet providers to extend their data retention for longer periods would be so cost prohibitive that it would harm competition, innovation and ultimately internet users.

Kate Dean, the Executive Director of the Internet Service Provider Association, questioned how companies would keep track of a growing amount of personal user data.

“We’re dealing with people’s lives and liberty here and out of all of this data we have to make sure that, say 18 months down the road, that tiny particular piece of information is exactly the right information linking that exact target,” she said.

Looking ahead, Rep. Jim Sensenbrenner, R-Wis., asked Dean if, in place of a Congressional mandate, her member companies would be willing to come together and develop their own voluntary compliance order.

“I am a firm believer in carrots and sticks and I am tossing you a carrot now… If you aren’t a good rabbit and don’t start eating the carrot, I’m afraid that we’re all going to be throwing the stick at you. So this is an opportunity for you to come up with some kind of a solution,” Sensenbrenner said.

Dean said the Association would be willing to sit down with all parties involved and take an active role in a larger dialogue.

Egypt Disconnected

Image courtesy of Craig Labovitz - the chief scientist at Arbor Networks.



Egypt's ability to cut itself off from the Internet demonstrates that nation-states still have some ability to control the free flow of information in the digital age.

Internet ‘Kill Switch’ Legislation Back in Play

From David Kravets at Wired's Threat Level Blog,

The resurgence of the so-called “kill switch” legislation came the same day Egyptians faced an internet blackout designed to counter massive demonstrations in that country.

The bill, which has bipartisan support, is being floated by Sen. Susan Collins, the Republican ranking member on the Homeland Security and Governmental Affairs Committee. The proposed legislation, which Collins said would not give the president the same power Egypt’s Hosni Mubarak is exercising to quell dissent, sailed through the Homeland Security Committee in December but expired with the new Congress weeks later.

The bill is designed to protect against “significant” cyber threats before they cause damage, Collins said.

“My legislation would provide a mechanism for the government to work with the private sector in the event of a true cyber emergency,” Collins said in an e-mail Friday. “It would give our nation the best tools available to swiftly respond to a significant threat.”

The timing of when the legislation would be re-introduced was not immediately clear, as kinks to it are being worked out.


An aide to the Homeland Security committee described the bill as one that does not mandate the shuttering of the entire internet. Instead, it would authorize the president to demand turning off access to so-called “critical infrastructure” where necessary.

An example, the aide said, would require infrastructure connected to “the system that controls the floodgates to the Hoover dam” to cut its connection to the net if the government detected an imminent cyber attack.

What’s unclear, however, is how the government would have any idea when a cyber attack was imminent or why the operator wouldn’t shutter itself if it detected a looming attack.

About two dozen groups, including the American Civil Liberties Union, the American Library Association, Electronic Frontier Foundation and Center for Democracy & Technology, were skeptical enough to file an open letter opposing the idea. They are concerned that the measure, if it became law, might be used to censor the internet.

“It is imperative that cyber-security legislation not erode our rights,” (.pdf) the groups wrote last year to Congress.

A congressional white paper (.pdf) on the measure said the proposal prohibits the government from targeting websites for censorship “based solely on activities protected by the First Amendment of the United States Constitution.”

Oddly, that’s exactly the same language in the Patriot Act used to test whether the government can wiretap or investigate a person based on their political beliefs or statements.


A couple of thoughts on this bill:

- What are the implications for our digital privacy? Does detecting cyber threats require intrusive monitoring of the Internet?
- And why the *#$! would the Hoover Dam need to be connected to the Internet?

Monday, December 6, 2010

Cybergang infects all ATMs in Russian city

From Help Net Security ...

A group of fraudsters has been arrested in Yakutsk and Moscow for allegedly compromising all the ATMs in the city of Yakutsk - population: around 210,000 - in the Republic of Yakutia in the Russian Federation.

Three of the men formed the actual criminal group, and the fourth - a Moscow-based malware developer - was "subcontracted" by them and received 100,000 rubles (some $3200) to develop a custom ATM virus with which they would infect the devices.

Every man had his role in the operation: one who used to work as a head of an IT department obtained access to the ATMs, the second one - a system administrator - infected them, and the third one was supposedly intended to be the money mule.

According to the press release (Google translation) issued by the Ministry of Internal Affairs' cybercrime division, a coordinated raid of the three's apartments led to their arrest and the confiscation of copies of the malware and credit card information that - according to the investigators - they didn't have time to take advantage of.

The malware author was arrested in Moscow a week after. All four have been detained and will likely be charged for creation, use and distribution of malicious computer programs, and hopefully fraud.


this is not good .....

Thursday, November 18, 2010

Cyber Experts Have Proof That China Has Hijacked U.S.-Based Internet Traffic

From the National Defense Magazine ...

For 18 minutes in April, China’s state-controlled telecommunications company hijacked 15 percent of the world’s Internet traffic, including data from U.S. military, civilian organizations and those of other U.S. allies.

This massive redirection of data has received scant attention in the mainstream media because the mechanics of how the hijacking was carried out and the implications of the incident are difficult for those outside the cybersecurity community to grasp, said a top security expert at McAfee, the world’s largest dedicated Internet security company.

In short, the Chinese could have carried out eavesdropping on unprotected communications — including emails and instant messaging — manipulated data passing through their country or decrypted messages, Dmitri Alperovitch, vice president of threat research at McAfee said.

Nobody outside of China can say, at least publicly, what happened to the terabytes of data after the traffic entered China.

The incident may receive more attention when the U.S.-China Economic and Security Review Commission, a congressional committee, releases its annual report on the bilateral relationship Nov. 17. A commission press release said the 2010 report will address “the increasingly sophisticated nature of malicious computer activity associated with China.”

Said Alperovitch: “This is one of the biggest — if not the biggest hijacks — we have ever seen.” And it could happen again, anywhere and anytime. It’s just the way the Internet works, he explained. “What happened to the traffic while it was in China? No one knows.”

The telephone giants of the world work on a system based on trust, he explained. Machine-to-machine interfaces send out messages to the Internet informing other service providers that they are the fastest and most efficient way for data packets to travel. For 18 minutes April 8, China Telecom Corp. told many ISPs of the world that its routes were the best paths to send traffic.

For example, a person sending information from Arlington, Va., to the White House in Washington, D.C. — only a few miles away — could have had his data routed through China. Since traffic moves around the world in milliseconds, the computer user would not have noticed the delay.

This happens accidentally a few times per year, Alperovitch said. What set this incident apart from other such mishaps was the fact that China Telecom could manage to absorb this large amount of data and send it back out again without anyone noticing a disruption in service. In previous incidents, the data would have reached a dead end, and users would not have been able to connect.

Also, the list of hijacked data just happened to include preselected destinations around the world that encompassed military, intelligence and many civilian networks in the United States and other allies such as Japan and Australia, he said. “Why would you keep that list?” Alperovitch asked.

The incident involved 15 percent of Internet traffic, he stressed. The amount of data included in all these packets is difficult to calculate. The data could have been stored so it could be examined later, he added. “Imagine the capability and capacity that is built into their networks. I’m not sure there was anyone else in the world who could have taken on that much traffic without breaking a sweat,” Alperovitch said.

McAfee has briefed U.S. government officials on the incident, but they were not alarmed. They said their Internet communications are encrypted. However, encryption also works on a basis of trust, McAfee experts pointed out. And that trust can be exploited.

Internet encryption depends on two keys. One key is private and not shared, and the other is public, and is embedded in most computer operating systems. Unknown to most computer users, Microsoft, Apple and other software makers embed the public certificates in their operating systems. They also trust that this system won’t be abused.

Among the certificates is one from the China Internet Information Center, an arm of the China’s Ministry of Information and Industry.

“If China telecom intercepts that [encrypted message] and they are sitting on the middle of that, they can send you their public key with their public certificate and you will not know any better,” he said. The holder of this certificate has the capability to decrypt encrypted communication links, whether it’s web traffic, emails or instant messaging, Alperovitch said. “It is a flaw in the way the Internet operates,” said Yoris Evers, director of worldwide public relations at McAfee.

No one outside of China can say whether any of these potentially nefarious events occurred, Alperovitch noted. “It did not make mainstream news because it is so esoteric and hard to understand,” he added. It is not defined as a cyberattack because no sites were hacked or shut down. “But it is pretty disconcerting.”

And the hijacking took advantage of the way the Internet operates. “It can happen again. They can do it tomorrow or they can do it in an hour. And the same problem will occur again.”
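The "system based on trust" the article describes is BGP: a network announces the prefixes it originates, and neighbours accept the announcement without checking that the announcer really holds those addresses. The standard defence is to compare each announcement's origin AS against a registered expectation (today that is RPKI route origin validation). The following is an added example, not code from the article or from McAfee, showing that comparison over a constructed announcement feed; the prefixes and AS numbers are the ones reserved for documentation, not data from the April 2010 incident, and the example keeps to IPv4.

```python
"""Flag route announcements whose origin AS disagrees with a registered origin.

Added example; the registry and feed below are constructed, using documentation
prefixes (RFC 5737) and documentation AS numbers (64496-64511).
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]  # leftmost = neighbour it came from, rightmost = origin AS

    @property
    def origin(self) -> int:
        return self.as_path[-1]


@dataclass(frozen=True)
class Alert:
    prefix: str
    origin: int
    expected_origin: int
    kind: str  # "origin-mismatch" or "more-specific"


def covering_entry(net: Net, table: Dict[Net, int]) -> Optional[Tuple[Net, int]]:
    """Longest-prefix match of `net` against the registered prefixes."""
    best: Optional[Tuple[Net, int]] = None
    for registered, origin in table.items():
        if net.subnet_of(registered) and (best is None or registered.prefixlen > best[0].prefixlen):
            best = (registered, origin)
    return best


def check_announcements(announcements: List[Announcement], table: Dict[Net, int]) -> List[Alert]:
    """Alert on every announcement whose origin AS is not the registered one.
    A wrong origin on a more-specific prefix is the worse case: longest-prefix
    matching makes routers prefer it over the legitimate route regardless of
    how short the legitimate AS path is."""
    alerts: List[Alert] = []
    for ann in announcements:
        net = ipaddress.ip_network(ann.prefix, strict=False)
        if not isinstance(net, Net):
            continue  # this example handles IPv4 only
        entry = covering_entry(net, table)
        if entry is None:
            continue  # no registered expectation, so no verdict
        registered, expected = entry
        if ann.origin == expected:
            continue  # legitimate, including the holder's own more-specifics
        kind = "more-specific" if net.prefixlen > registered.prefixlen else "origin-mismatch"
        alerts.append(Alert(ann.prefix, ann.origin, expected, kind))
    return alerts


# Constructed registry of who may originate which prefix (the role a ROA set plays).
EXPECTED_ORIGINS: Dict[Net, int] = {
    ipaddress.ip_network("203.0.113.0/24"): 64496,
    ipaddress.ip_network("198.51.100.0/24"): 64497,
}

# Constructed announcement feed as one router would see it.
FEED: List[Announcement] = [
    Announcement("203.0.113.0/24", (64500, 64496)),    # legitimate
    Announcement("203.0.113.128/25", (64500, 64496)),  # holder's own more-specific: fine
    Announcement("198.51.100.0/24", (64500, 64510)),   # foreign origin for a registered prefix
    Announcement("203.0.113.0/25", (64500, 64510)),    # foreign origin on a more-specific: wins routing
    Announcement("192.0.2.0/24", (64500, 64510)),      # unregistered space: no verdict
]

if __name__ == "__main__":
    for alert in check_announcements(FEED, EXPECTED_ORIGINS):
        print(f"{alert.kind}: {alert.prefix} originated by AS{alert.origin}, expected AS{alert.expected_origin}")
```

Two of the five announcements are flagged. Note what this check cannot see: an announcement that keeps the correct origin AS but splices a forged path in front of it, which is why origin validation is necessary but not sufficient.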

Monday, November 15, 2010

The Plan To Quarantine Infected Computers

From Bruce Schneier's column at Forbes Magazine ...

Last month Scott Charney of Microsoft proposed that infected computers be quarantined from the Internet. Using a public health model for Internet security, the idea is that infected computers spreading worms and viruses are a risk to the greater community and thus need to be isolated. Internet service providers would administer the quarantine, and would also clean up and update users' computers so they could rejoin the greater Internet.

This isn't a new idea. Already there are products that test computers trying to join private networks, and only allow them access if their security patches are up-to-date and their antivirus software certifies them as clean. Computers denied access are sometimes shunned to a limited-capability sub-network where all they can do is download and install the updates they need to regain access. This sort of system has been used with great success at universities and end-user-device-friendly corporate networks. They're happy to let you log in with any device you want--this is the consumerization trend in action--as long as your security is up to snuff.

Charney's idea is to do that on a larger scale. To implement it we have to deal with two problems. There's the technical problem--making the quarantine work in the face of malware designed to evade it, and the social problem--ensuring that people don't have their computers unduly quarantined. Understanding the problems requires us to understand quarantines in general.

Quarantines have been used to contain disease for millennia. In general several things need to be true for them to work. One, the thing being quarantined needs to be easily recognized. It's easier to quarantine a disease if it has obvious physical characteristics: fever, boils, etc. If there aren't any obvious physical effects, or if those effects don't show up while the disease is contagious, a quarantine is much less effective.

Similarly, it's easier to quarantine an infected computer if that infection is detectable. As Charney points out, his plan is only effective against worms and viruses that our security products recognize, not against those that are new and still undetectable.

Two, the separation has to be effective. The leper colonies on Molokai and Spinalonga both worked because it was hard for the quarantined to leave. Quarantined medieval cities worked less well because it was too easy to leave, or--when the diseases spread via rats or mosquitoes--because the quarantine was targeted at the wrong thing.

Computer quarantines have been generally effective because the users whose computers are being quarantined aren't sophisticated enough to break out of the quarantine, and find it easier to update their software and rejoin the network legitimately.

Three, only a small section of the population must need to be quarantined. The solution works only if it's a minority of the population that's affected, either with physical diseases or computer diseases. If most people are infected, overall infection rates aren't going to be slowed much by quarantining. Similarly, a quarantine that tries to isolate most of the Internet simply won't work.

Fourth, the benefits must outweigh the costs. Medical quarantines are expensive to maintain, especially if people are being quarantined against their will. Determining who to quarantine is either expensive (if it's done correctly) or arbitrary, authoritative and abuse-prone (if it's done badly). It could even be both. The value to society must be worth it.

It's the last point that Charney and others emphasize. If Internet worms were only damaging to the infected, we wouldn't need a societally imposed quarantine like this. But they're damaging to everyone else on the Internet, spreading and infecting others. At the same time, we can implement systems that quarantine cheaply. The value to society far outweighs the cost.

That makes sense, but once you move quarantines from isolated private networks to the general Internet, the nature of the threat changes. Imagine an intelligent and malicious infectious disease: That's what malware is. The current crop of malware ignores quarantines; they're few and far enough between not to affect their effectiveness.

If we tried to implement Internet-wide--or even countrywide--quarantining, worm-writers would start building in ways to break the quarantine. So instead of nontechnical users not bothering to break quarantines because they don't know how, we'd have technically sophisticated virus-writers trying to break quarantines. Implementing the quarantine at the ISP level would help, and if the ISP monitored computer behavior, not just specific virus signatures, it would be somewhat effective even in the face of evasion tactics. But evasion would be possible, and we'd be stuck in another computer security arms race. This isn't a reason to dismiss the proposal outright, but it is something we need to think about when weighing its potential effectiveness.

Additionally, there's the problem of who gets to decide which computers to quarantine. It's easy on a corporate or university network: the owners of the network get to decide. But the Internet doesn't have that sort of hierarchical control, and denying people access without due process is fraught with danger. What are the appeal mechanisms? The audit mechanisms? Charney proposes that ISPs administer the quarantines, but there would have to be some central authority that decided what degree of infection would be sufficient to impose the quarantine. Although this is being presented as a wholly technical solution, it's these social and political ramifications that are the most difficult to determine and the easiest to abuse.

Once we implement a mechanism for quarantining infected computers, we create the possibility of quarantining them in all sorts of other circumstances. Should we quarantine computers that don't have their patches up to date, even if they're uninfected? Might there be a legitimate reason for someone to avoid patching his computer? Should the government be able to quarantine someone for something he said in a chat room, or a series of search queries he made? I'm sure we don't think it should, but what if that chat and those queries revolved around terrorism? Where's the line?

Microsoft would certainly like to quarantine any computers it feels are not running legal copies of its operating system or applications software. The music and movie industry will want to quarantine anyone it decides is downloading or sharing pirated media files--they're already pushing similar proposals.

A security measure designed to keep malicious worms from spreading over the Internet can quickly become an enforcement tool for corporate business models. Charney addresses the need to limit this kind of function creep, but I don't think it will be easy to prevent; it's an enforcement mechanism just begging to be used.

Once you start thinking about implementation of quarantine, all sorts of other social issues emerge. What do we do about people who need the Internet? Maybe VoIP is their only phone service. Maybe they have an Internet-enabled medical device. Maybe their business requires the Internet to run. The effects of quarantining these people would be considerable, even potentially life-threatening. Again, where's the line?

What do we do if people feel they are quarantined unjustly? Or if they are using nonstandard software unfamiliar to the ISP? Is there an appeals process? Who administers it? Surely not a for-profit company.

Public health is the right way to look at this problem. This conversation--between the rights of the individual and the rights of society--is a valid one to have, and this solution is a good possibility to consider.

There are some applicable parallels. We require drivers to be licensed and cars to be inspected not because we worry about the danger of unlicensed drivers and uninspected cars to themselves, but because we worry about their danger to other drivers and pedestrians. The small number of parents who don't vaccinate their kids have already caused minor outbreaks of whooping cough and measles among the greater population. We all suffer when someone on the Internet allows his computer to get infected. How we balance that with individuals' rights to maintain their own computers as they see fit is a discussion we need to start having.
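The admission-control products the column describes (join only if patches and antivirus are current, otherwise land in a limited sub-network that reaches nothing but the update servers) reduce to a decision function over a posture report. The added example below, which is neither Microsoft's proposal nor any product's logic, sketches such a function and builds in three of the column's points: a behavioural signal so that the check is not limited to malware the signatures already know, a recorded reason for every quarantine so the decision can be audited and appealed, and a "needs review" path for machines running nonstandard software that cannot produce a report, rather than quarantining them automatically. Thresholds, hostnames and the sample reports are all constructed.

```python
"""Toy network-admission (quarantine) policy of the kind the column describes.

Added example; thresholds, hostnames and sample reports are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Segment(Enum):
    FULL = "full"                # normal Internet access
    REMEDIATION = "remediation"  # limited sub-network: update servers only


@dataclass(frozen=True)
class Posture:
    device_id: str
    patch_age_days: int           # days since the last security update was applied
    av_clean: Optional[bool]      # None = no report (unfamiliar or nonstandard software)
    av_definitions_age_days: int  # age of the antivirus signature set


@dataclass(frozen=True)
class Behaviour:
    distinct_hosts_per_minute: int  # outbound fan-out; worm-like scanning looks like this
    failed_smtp_per_hour: int       # spam-bot symptom


@dataclass
class Decision:
    device_id: str
    segment: Segment
    reasons: List[str] = field(default_factory=list)  # why quarantined, for audit and appeal
    needs_review: bool = False                         # a person must look; not auto-quarantined
    allowed_destinations: List[str] = field(default_factory=list)


# Constructed thresholds and hostnames.
MAX_PATCH_AGE_DAYS = 30
MAX_DEFINITIONS_AGE_DAYS = 7
FANOUT_THRESHOLD = 200
SMTP_FAIL_THRESHOLD = 50
REMEDIATION_DESTINATIONS = ["updates.example.net", "definitions.example.net", "appeals.example.net"]


def decide(posture: Posture, behaviour: Behaviour) -> Decision:
    reasons: List[str] = []

    # Signature-based evidence: only catches what the security products recognise.
    if posture.av_clean is False:
        reasons.append("antivirus reports an active infection")
    if posture.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"security patches are {posture.patch_age_days} days old")
    if posture.av_definitions_age_days > MAX_DEFINITIONS_AGE_DAYS:
        reasons.append(f"antivirus definitions are {posture.av_definitions_age_days} days old")

    # Behavioural evidence: catches spreading malware that no signature knows yet.
    if behaviour.distinct_hosts_per_minute >= FANOUT_THRESHOLD:
        reasons.append(f"contacted {behaviour.distinct_hosts_per_minute} distinct hosts/min (worm-like fan-out)")
    if behaviour.failed_smtp_per_hour >= SMTP_FAIL_THRESHOLD:
        reasons.append(f"{behaviour.failed_smtp_per_hour} failed SMTP connections/hour (spam-bot pattern)")

    decision = Decision(posture.device_id, Segment.FULL, reasons)
    # A missing report is not evidence of infection: route it to a person instead.
    if posture.av_clean is None:
        decision.needs_review = True
    if reasons:
        decision.segment = Segment.REMEDIATION
        decision.allowed_destinations = list(REMEDIATION_DESTINATIONS)
    return decision


# Constructed sample reports.
SAMPLES = [
    (Posture("laptop-1", 5, True, 1), Behaviour(3, 0)),      # healthy
    (Posture("desktop-2", 90, True, 2), Behaviour(4, 0)),    # unpatched, not (yet) infected
    (Posture("laptop-3", 5, True, 1), Behaviour(600, 0)),    # AV says clean, behaviour says worm
    (Posture("bsd-box-4", 10, None, 0), Behaviour(2, 0)),    # nonstandard OS, no AV report
]

if __name__ == "__main__":
    for posture, behaviour in SAMPLES:
        d = decide(posture, behaviour)
        print(d.device_id, d.segment.value, "(needs review)" if d.needs_review else "", d.reasons)
```

The third sample is the interesting one: signatures clear it, the fan-out rule quarantines it anyway. The fourth is the fairness case the column raises, and it stays on the full network while a person looks at it.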