STE WILLIAMS

NSA whistleblower details intelligence cock-ups

Web 2.0 Summit Thomas Drake, the whistleblower who exposed the NSA’s failings on digital surveillance, has said that the US is behind the curve on internet monitoring and has been playing fast and loose with privacy rules.

The NSA came later than many think to internet monitoring, Drake told delegates at the Web 2.0 Summit in San Francisco. Even in the 1990s he was told by a senior manager that there were no secrets worth collecting on the internet.

However, that view changed and the NSA began building a system internally called ThinThread, which would extract intelligence from emails, web pages, and online activity, while staying within existing privacy laws for US citizens.

“We looked at the largest single database at the NSA about five months after 9/11,” he said. “Management shut it down. You know why? Because it found intelligence that had not been discovered by traditional systems, both prior to 9/11 and after 9/11, and they shut it down.”

The intelligence ThinThread found could have disrupted the 9/11 attacks, or even stopped them, he claimed, but the NSA shut down the project in favor of a commercially developed system called Trailblazer.

Trailblazer was commissioned from the Science Applications International Corporation at a cost of $280 million and never worked as intended, while violating the laws on privacy. The final bill for the project, which was cancelled in 2003, is estimated to be over a billion dollars.

NSA whistleblower Thomas Drake faced 35 years in prison for espionage

Drake and other NSA staffers were concerned that the project was both operating illegally and didn’t work, and raised their fears in a 2002 complaint to the Department of Defense (DoD) Inspector General’s office. The DoD’s report is classified still, but is thought to have been damning in its review of Trailblazer.

In 2005, Drake spoke to a reporter about the issue, and after her articles were published, an investigation into the leak was ordered by then-President Bush. The homes of the three former NSA staffers who filed the DoD complaint were raided by armed FBI agents (no charges were ever brought against them) and Drake was also raided, with agents taking books, documents, and the family’s computers.

Drake was eventually indicted in 2010 under the Espionage Act (one of only four Americans to be charged) along with several other counts, which could have sent him to prison for 35 years. The government attempted to get him to sign a plea bargain, but he consistently refused.

The case was set to go to trial, with the government insisting that much of the evidence be closed, but in June of this year – just before the trial was due to start – the government dropped all charges, and Drake pled guilty to one misdemeanor count of misusing the NSA’s computer system, for which he received a year’s probation. The judge in the case castigated the government for dropping almost all charges at the last minute, saying such tactics were “unconscionable.”

But Drake warned that the NSA has not learned its lesson from the incident, and that it was one of the NSA’s deepest, darkest secrets that it had effectively turned online America into a foreign country for legal purposes. More worrying, similar lax attitudes are now pervasive in the corporate world.

“Industry self-regulation is not working, contrary to what you have seen or heard,” he warned. “Let’s not kid ourselves. It’s also patently disingenuous to say that no names are collected, only a computer number, when the technology is out there to discover everything about you electronically.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/19/nsa_whistleblower_intelligence_thinthread/

Stuxnet-derived malware found infecting SCADA makers

Organizations involved in the making of systems that control oil pipelines and other critical infrastructure have been infected with malware directly derived from the Stuxnet worm that targeted Iran’s nuclear program, security researchers said.

Parts of newly discovered malware are almost identical to Stuxnet, and were written by the same authors or by those with access to the Stuxnet source code, researchers from antivirus provider Symantec blogged on Tuesday. Dubbed Duqu, the remote access trojan has been detected in a handful of organizations, where it installed additional components that gathered keystrokes and system information that can be used to attack a third party.

One Duqu variant was developed as recently as this month, and another may have been surreptitiously infecting targets since December, Kevin Haley, Symantec’s director of product management, told The Register. Researchers are still analyzing the complex trojan for clues about its precise mission and targets, but its discovery is significant given its targeting of groups involved in the making of industrial control systems and its reuse of code that was available only to those who authored Stuxnet.

“The people behind Stuxnet are not done,” he said. “They’ve continued to do different things. This was not a one-shot deal.”

Haley declined to name any of the targets, but according to the Symantec blog, the Duqu sample was recovered from computer systems located in Europe, from a limited number of organizations, including those involved in making industrial control systems. Such SCADA, or supervisory control and data acquisition, systems are used to open and shut valves and control machinery and other physical functions at factories, gasoline refineries, and other industrial facilities, many of which are considered critical to the national security of the countries where they’re located.

The discovery comes a little more than a year after the discovery that Stuxnet, a worm that burrowed into thousands of industrial systems across the world, was programmed to behave as a search and destroy weapon to sabotage Iran’s nuclear program. Over a 10-month period, the highly sophisticated program penetrated multiple uranium-enrichment plants and caused centrifuges to malfunction.

Researchers are still analyzing the precise behavior of Duqu, but so far, they have detected nothing that causes it to disrupt the operations of its target. Instead, it appears to be on a stealthy reconnaissance mission that sends intelligence data and assets to a server using encrypted and plain-text web protocols. The data being gathered appears to be designed to allow the operators to more easily conduct a future attack against a third-party target that Symantec didn’t name.

Parts of Duqu contain source code from the last known Stuxnet sample, which was recovered in March, Haley said. The recording of one of the binaries was on September 1, and evidence shows attacks using the variants may have commenced as long ago as December. If correct, those events would suggest the development and use of Duqu has been active and ongoing for close to a year and possibly longer.

Unlike Stuxnet, which proved adept at spreading from target to target, Duqu has no self-replication engine. The threat is configured to run for 36 days and then automatically remove itself from the infected system.

Symantec researchers have published a detailed technical description of Duqu here. Researchers from F-Secure and McAfee published their own reports here and here that largely echoed Symantec’s findings.

“The code similarities between Duqu and Stuxnet are obvious,” F-Secure’s Mikko Hypponen wrote. “Duqu’s kernel driver (JMINET7.SYS) is actually so similar to Stuxnet’s driver (MRXCLS.SYS) that our back-end systems actually thought it’s Stuxnet.”

Another clue linking Duqu to Stuxnet is its use of a stolen digital certificate from a Taiwanese company called C-Media Electronics to sign an accompanying driver. Stuxnet attackers also used pilfered digital keys belonging to two companies from Taiwan, which operated in the same business district as C-Media, McAfee researchers said.

While anecdotal evidence has linked the US and Israel to Stuxnet, the worm’s precise origins are still a mystery. The discovery of a Stuxnet derivative that’s actively attacking fresh targets will only add to the intrigue. Count on hearing much more about Duqu in the days and weeks to come. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/18/son_of_stuxnet_disclovered/

Breathe life into your cyber security campaign

Ah, another day, another government initiative designed to educate users about cyber risk.

The Canadian government has declared October “Get Cyber Safe” month. It has a web site, too, which advises users on how to avoid getting pwned. The advice list includes updating your malware signatures and not giving out your password.

How effective are these nationwide cyber awareness campaigns? And, by inference, how effective might a cyber security campaign for corporate employees be?

After all, technology is never enough to secure an organisation. Smart, alert staff are important too. And unless you can measure how successful a campaign is, it is difficult to justify investing in one.

Unfortunately, it is difficult to know how effective these things are. In May, the Australian Communications and Media Authority published an overview of international cyber security awareness-raising initiatives. It found that there are not many evaluations and no one seems to know whether they work or not.

Just a phase

In its draft National Initiative for Cybersecurity Education, published in August, the US National Institute of Science and Technology divides cyber security awareness into several broad phases: creating awareness, understanding the technical and social aspects, and accepting personal responsibility (security is not simply someone else’s problem).

Organisations evolve from there into acquiring protection tools and knowledge, implementing tools and techniques, and finally maintaining what they have already done through constant knowledge updates.

The Australian report too provides some useful guidelines. It advises cyber security awareness organisers to provide training in specific skills and to include interactive instructional techniques.

Users should be given practical activities and tasks to hammer home the lessons, rather than being taught dry theory that will quickly be forgotten.

The best campaigns also include a reporting function that allows users to report cyber security risks, says the report. And it advises organisers to offer a mix of long-term education and short, specific micro-campaigns.

Culture clash

What might these things look like in practice? We are going to have to use the C-word: culture. If I hear a vendor talk about the “culture of security” one more time, I’ll spit – but it has become a cliché because it is true.

Building cultures is a tricky thing to do because it involves getting everyone behind a single vision. It is hard enough to get people to agree on where to go for lunch, let alone on something as yawn-worthy as a security awareness campaign.

But recent developments in the IT economy might provide the answer.

“Gamification” applies gaming elements to a corporate environment. The point where games and social networks meet turns out to be a pivotal one.

When a company like Zynga (of Farmville fame) files for a $1bn IPO on $850m in annual revenue after three years’ existence, you know that the concept that it is touting has legs.

The social gaming concepts that companies like Zynga promote could tie practical elements, reporting and monitoring into security awareness campaigns.

All play and no work

Gaming elements such as rewards badges, leader boards and progress bars could all be linked to security campaigns. Completing small tasks such as changing your password (and keeping it strong) could earn you points.

How committed are you to avoiding social engineering? Maybe a stooge caller trying to get employees to circumvent company procedures could earn them badges if they stick to the plan. Or mobile workers could be rewarded for connecting their managed laptops to the virtual private network for scheduled patching and maintenance.

Gamification can help keep security at the forefront of employees’ minds and encourage a cultural shift. How effective it can be depends on how imaginative you are, but capitalising on employees’ willingness to play and compete has to be a more effective way to encourage responsible behaviour among employees than simply waving a handbook and finger wagging.

In the second world war, we had posters proclaiming that “Careless talk costs lives” and radio broadcasts warning people of security dangers. Now we have social media and computer games that would have amazed our grandparents to perform the same task. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/18/security_awareness/

Hackers expose Citibank CEO’s privates

Hacktivists have published a dossier of personal information on the head of Citigroup in retaliation for the cuffing of protesters at an Occupy Wall Street demo.

Members of a group called CabinCr3w, a hacking gang affiliated with Anonymous, revealed phone numbers, an address, email address and financial information on Vikram Pandit, Citigroup’s chief executive officer.

The exposé follows the arrest of a group of anti-capitalist protesters who allegedly sparked a ruckus inside a Citibank branch while withdrawing funds and closing their accounts. About 24 people were detained and charged with criminal trespass on Saturday afternoon, The Wall Street Journal reports.

In a statement, Citibank said only one of the protesters was actually trying to close an account, a request that it said was accommodated. The rest of the group were causing a nuisance and were repeatedly asked to leave before the New York City plod were called.

Last week Citigroup supremo Pandit offered to meet protesters, telling Businessweek that their sentiments were “completely understandable”.

CabinCr3w previously published the personal information on the chief executives of JP Morgan Chase and Goldman Sachs. It also published the details of an NYPD officer accused of pepper-spraying Occupy Wall Street protesters.

The Citibank branch hubbub, whatever the rights and wrongs of what actually happened, has spawned a new campaign within the Occupy Wall Street umbrella. Op Take Back is encouraging people to close their accounts at high street banks and deposit their money with credit unions instead. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/18/citibank_boss_doxed/

Scottish council leaks names, salaries, info of 900 people

Dumfries and Galloway council mistakenly disclosed personal information on about 900 current and former staff as part of a response to an enquiry made under the Freedom of Information Act.

The Information Commissioner’s Office (ICO) said the council accidentally published a spreadsheet which contained the names, salaries and dates of birth of nearly 900 people. The information was then available online for more than two months between March and June.

Ken Macdonald, assistant information commissioner for Scotland, said: “Being open about council pay is a fundamental way that citizens can hold local authorities to account, but that should never be at the expense of upholding individuals’ privacy rights.

“Procedures clearly went wrong in this case and I’m pleased that the council is reviewing its practices in light of the lessons that have been learned.”

According to the ICO, Dumfries and Galloway has since commissioned an external audit of its procedures for responding to information requests.

The council said it will address any weaknesses uncovered during the audit by January 2012. It will also introduce checks to ensure the handling of personal data complies with the Data Protection Act.

This article was originally published at Guardian Government Computing.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/18/ico_censures_dumfries_and_galloway_for_foi_accident/

Hacktivists pose growing threat to industrial computing

Members of the Anonymous hacking collective are increasingly interested in attacking industrial control systems used to automate machinery used by factories, power stations, water treatment plants, and other facilities critical to national security, the Department of Homeland Security warned last month.

In a memorandum (PDF) sent to partners involved in security and critical infrastructure operations, members of a DHS arm known as the National Cybersecurity and Communications Integration Center cited several internet postings that indicate Anonymous’ growing interest in targeting the remotely accessible computers used to open valves and control other gear in industrial facilities. The four-page document went on to say Anonymous members faced significant challenges, including their limited ability in hacking the gear.

“However, experienced and skilled members of Anonymous in hacking could be able to develop capabilities to gain access and trespass on control system networks very quickly,” the memo stated. “Free educational opportunities (conferences, classes), presentations at hacker conferences, and other high profile events/media coverage have raised awareness to ICS vulnerabilities, and likely shortened the time needed to develop sufficient tactics, techniques, and procedures to disrupt ICS.”

Events over the past 18 months have brought new urgency to the security of so-called SCADA, or supervisory control and data acquisition, systems used in factories, power plants, and elsewhere. Topping the list is evidence that the Stuxnet computer worm, which penetrated thousands of systems across the globe, was built as a “search and destroy weapon” by the US, Israel, or another country to sabotage Iran’s fledgling nuclear program. The sophisticated piece of malware repeatedly attacked five industrial plants inside Iran over a 10-month period and caused centrifuges for uranium enrichment to malfunction.

Also significant was research unveiled earlier this year by Dillon Beresford of NSS Labs showing that defects in SCADA software sold by Siemens affected “every industrialized nation across the globe.” Beresford ended up postponing a previously scheduled talk about the vulnerabilities following concerns it could make attacks easier.

According to last month’s DHS memo, people claiming affiliation to Anonymous in July posted code that makes queries to SIMATIC, the automation system used to issue commands to industrial control systems.

“The posted xml and html code reveals that the individual understands the content of the code in relation to common hacking techniques to obtain elevated privileges,” the document stated. “It does not indicate knowledge of ICS; rather, it indicates that the individual has interest in the application software used in control systems.”

The memo went on to note that recent updates to Metasploit and other tools used by blackhat and whitehat hackers may allow even novices to penetrate SCADA systems.

The memo also referred to the “green energy” agenda touted by some members of Anonymous who are opposed to a proposed Keystone oil pipeline that would extend from Canada to Texas. Targeting of energy companies could extend beyond the ranks of Anonymous to other hacking groups, the authors said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/18/anonymous_threatens_scada/

Verizon users must ‘opt in’ for privacy

US operator Verizon Wireless is to log, and sell, customers’ browsing and location history, unless the customers specifically opt out of being tracked at every turn.

Only anonymised data will be sold, according to an email sent out to customers and an update of the telco’s privacy policy, but internally Verizon will use profiles of its customers based on the URLs visited, the handset and features they use, as well as their physical location. Personal data will be used for accurate delivery of advertisements, while anonymous statistics will be sold to analysts and other interested parties.

That means a website that discovers it is receiving significant traffic from Verizon customers (based on the originating IP address) could ask the operator for a breakdown by age, or gender, for a fee. Meanwhile an advertiser could ask Verizon to target customers of a specific demographic, using a specific model of phone, within a specific location, unless the customers have manually opted out of the system.

Profiling customers is something many operators do, but generally with the permission of those customers and in exchange for a bribe of some sort. In the UK, O2 More and Orange Shots both promise exclusive offers and tokens, and the popularity of both services proves customers will exchange privacy for cheap stuff, but Verizon is taking that a stage further by assuming consent and failing to offer a bribe.

Customers may decide to opt out, but the operator warns that “You will receive mobile ads whether you participate or not, but under the advertising program, ads may be more relevant to you”.

All mobile operators are sitting on mountains of information; in fact, the sheer volume of data often intimidates operators into shying away from making use of it. Five years ago Malaysian operators were mining call records to identify popular teenagers, to discover who’s worth advertising to, in one example of just how far operators could go.

In Europe the operators have moved very cautiously, with opt-in schemes such as O2 More and Orange Shots, as legislators stand ready to knock them back at the first sign of customer backlash.

In the USA privacy hasn’t been such a big deal, and Verizon is taking a significant step forwards in assuming consent for targeted advertising and reselling of demographic data. It will be up to the customers to decide if they’re prepared to let that happen. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/17/verizon_privacy/

US military debated hacking Libyan air defenses

The Obama administration intensely debated whether to hack the computer networks that run Libya’s air-defense system in the days leading up to the US-led strikes against Qaddafi forces, The New York Times reports.

Administration officials and some military officers ultimately rejected the idea, citing the precedent it might set for other nations, including Russia and China, the paper says. They were also unsure if the president had the authority to approve a hack attack without informing Congress. Once the raids on forces loyal to Qaddafi were unleashed in March, US forces used conventional aircraft, cruise missiles, and drones to strike Libya’s air-defense missiles and radar.

“These cybercapabilities are still like the Ferrari that you keep in the garage and only take out for the big race and not just for a run around town, unless nothing else can get you there,” one Obama administration official told the NYT.

A senior Defense Department official said: “They were seriously considered because they could cripple Libya’s air defense and lower the risk to pilots, but it just didn’t pan out.”

The NYT article is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/17/libyan_air_defense_hack_mulled/

Sesame Street YouTube page hijacked by smut pushers

Deviant hackers broke into the Sesame Street channel on YouTube on Sunday to replace child-friendly movies of fluffy puppets with hardcore porn.

The filthy flicks were only available for about 20 minutes before YouTube realised the error – that Kermit and Miss Piggy had not finally taken their relationship to its logical conclusion nor had the Cookie Monster changed his brief.

The title of the kids’ TV show on YouTube was also changed to “Sesame Street, it’s where porn lives”, supposedly by user Mredxwx – a gamer who uploads gameplay footage and has denied any involvement in the hack.

“WHO DOESN’T LOVE PORN KIDS? RIGHT! EVERYONE LOVES IT! I’M MREDXWX AND MY PARTNER MRSUICIDER91 ARE HERE TO BRING YOU MANY NICE CONTENT! PLEASE DON’T LET SESAME STEET TO GET THIS ACCOUNT BACK KIDS,” the channel’s updated profile stated.

Sadly the kids haven’t got Sesame Street back as the channel was suspended for “repeated and severe violations of our Community Guidelines” yesterday and is still not available now.

It is unlikely that Mredxwx was foolish enough to upload porn movies via his own account – it was hardly in the style of Anonymous – and he has denied all responsibility.

“I did not hack Sesame Street. I am an honest youtuber. I work hard to make quality gameplay videos AND MOST IMPORTANT I RESPECT THE COMMUNITY GUIDELINES,” said Mredxwx on his YouTube page.

Graham Cluley, senior technology consultant at Sophos, said on his blog today that the way the channel was hacked is “presently a mystery – but it’s natural to assume that they were sloppy with their password security”.

It seems nothing in life is sacred.

Both YouTube and Sesame Street were unavailable to comment at the time of going to press. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/17/sesame_street_pron/

Three questions that could put out Amazon’s Fire

A US congressman is pushing Amazon for details of its cloud-based browsing, Silk, specifically asking what data the company is gathering and how it intends to make use of it.

In an open letter (2-page PDF/263KB, short and to the point) Congressman Edward Markey asks Amazon’s CEO Jeff Bezos specifically what information is being collected by Silk, how Amazon intends to make use of it, and how the company will go about ensuring users have given explicit permission to have their behaviour monitored in this way.

That last point intimates that such permission should be explicitly requested, while Amazon was probably hoping that the usual user assent to unread Terms and Conditions would suffice.

Amazon’s new Kindle Fire is an Android tablet that relies on Amazon’s cloud to pre-process web content, a facility Amazon has titled “Silk”. Users can opt out of Silk, but by default every click will be routed through Amazon’s servers.

This is nothing new: mobile browsers such as Opera, Skyfire and Bolt all do the same thing – grabbing web content and pre-processing to optimise and compress the content prior to delivery – and all three have access to the same kind of information that Amazon Fire users will be sharing.

But none of the above have the reach, or ambition, of Amazon, which has made it clear that user profiling is very much part of its business plan. Our own Andrew Orlowski recently compared Amazon Silk to Phorm, the intercept-and-track service trialled in the UK by BT and still being deployed elsewhere, pointing out how both have the potential to invade users’ privacy pretty equally.

When Phorm started collecting data, there was uproar. When Amazon announced the same thing, it seemed as if no one cared.

But at least one US congressman does, it seems, and he is expecting Jeff Bezos to explain himself by 4 November. We’ll keep an eye on the matter, and look forward to sharing what comes back. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/17/amazon_silk_privacy/