STE WILLIAMS

US Supremes liken GPS tracking to 1984’s Big Brother

If the Obama administration wins a crucial case testing when police may use GPS devices to track Americans’ whereabouts, investigators would be free to attach them to all nine members of the nation’s highest court without a warrant.

That blunt assessment came not from one of the many critics blasting the controversial practice, but rather from Michael Dreeben, the deputy US solicitor general who argued the case on Tuesday before the Supreme Court. According to legal scholar and blogger Orin Kerr, who attended the hearing, the justices had mixed reactions to that specter, with some comparing the continuous monitoring to a chapter out of George Orwell’s 1984 and others struggling to find a way to deem it reasonable.

The hearing comes in the case of a man indicted for cocaine trafficking in the Washington, DC area. FBI agents secretly planted the device on his Jeep Cherokee while it was parked on private property without ever securing a warrant based on probable cause. The device, which allowed agents to track the suspect’s whereabouts 24 hours a day for a full month, was accurate to within 100 feet and yielded more than 3,100 pages worth of data, according to court filings.

Attorneys for the defendant challenged the surveillance as a violation of constitutional guarantees against unreasonable searches and seizures. Last year, a three-judge appeals panel unanimously agreed and threw out the conviction.

Federal prosecutors challenged that ruling and earlier this year the Supreme Court agreed to hear the case.

According to Kerr, even justices who appeared troubled by the surveillance labored to find a clear rationale for prohibiting it.

“Merely watching a suspect in a city street was obviously not a search or seizure,” he wrote. “Does that change if you switch to video cameras? Lots of cameras? Beepers? GPS devices? Where do you draw the line?”

A PDF transcript of the hearing is here.

The hearing came the same day that Wired.com reported that a California man has come forward after finding two GPS devices secretly attached to his SUV. While a reporter and photographer met with the man in public places, police cars monitored the meetings from afar but never identified themselves.

A decision in the case of United States v. Jones is likely by the end of June, when the justices usually recess for the summer. In the meantime, readers looking for a way to thwart overzealous investigators might consider self-help remedies. This £25 Anti-Tracker GPS Signal Jammer, for instance, is advertised as coming with a range of 10 meters. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/08/supreme_court_mulls_gps_tracking/

Advertiser settles charges for use of Adobe Flash cookies

An internet-based advertising network has agreed to settle Federal Trade Commission charges stemming from its use of Adobe Flash cookies to track internet users’ browsing history, even when they took steps to evade monitoring.

Boston-based ScanScout agreed to make it easier for web users to opt out of tracking, as part of a settlement of charges that it deceptively claimed the tracking could be stopped simply by changing browser settings to block cookies. Because the firm used LSOs, or local shared objects based on Flash Player, to track people’s online behavior, the recommended browser settings had no effect on the monitoring.

The settlement comes after a host of companies – including Facebook, Microsoft, McDonalds, the CBS Network, and a Walt Disney subsidiary – have faced legal actions for using cookies and other techniques to track the browsing histories of web visitors, even when they took pains to keep that information private. In many cases the tracking technologies used were extremely hard for the average person to detect and stop, and were able to recover tracking cookies users had already deleted, a technique referred to as cookie respawning.

Under the privacy policy challenged by the FTC, ScanScout said: “You can opt out of receiving a cookie by changing your browser settings to prevent the receipt of cookies.”

Under the settlement announced late on Monday, ScanScout agreed to replace that section with the following:

“We collect information about your activities on certain websites to send you targeted ads. To opt out of our targeted advertisements, click here.” The hyperlink will take visitors to a screen that allows them to opt out of any future tracking by the company. The company will also embed the hyperlink within or immediately next to targeted display ads when it is possible to do so.

In the course of the FTC’s investigation of ScanScout, the advertising network joined forces with Tremor Video, which is also subject to the settlement order. PDFs of the complaint and agreement are here and here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/08/flash_cookie_privacy_settlement/

Anonymous blasts El Salvador offline

The government of El Salvador’s websites were taken out on Saturday in what was a weekend of big hacks by the Anonymous collective.

The website of El Salvador’s president was taken offline by authorities after it was swamped by 30 million visits in one day. The legislative assembly, the national police force and the ministries of justice and labour were also at the sharp end of a DDoS attack.

Presidential spokesman David Rivas pegged blame for the attacks on Anonymous’s Operation Justice El Salvador. The hacktivist outfit “tried to attack our website to publicize the private information of internal and external users,” said economy minister Hector Dada Hirezi, reports AFP.

The weekend of Guy Fawkes Night saw a flurry of activity from Anonymous worldwide. Threats to Mexican drug cartel Los Zetas were quickly retracted, but Israeli government sites went down. Meanwhile, there was a call to occupy the Iowa caucus office where the first leg of the 2012 US presidential run-off will be held, and the private data of 16,000 Finnish adults was leaked.

It’s El Salvador’s record on human rights that has attracted the attention of Anonymous, says security biz Sophos, citing Amnesty International’s report on the tiny Central American nation. El Salvador’s sketchy human rights record includes death threats against journalists, the murder of two environmental activists and unsolved killings from the country’s civil war. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/08/anonymous_hack_el_salvador_govt/

EU cybercops: Tighter web privacy will stamp out bullies

Improved safeguards and greater resources for law enforcement are needed to tackle the related problems of cyber-bullying and online grooming, according to a report by an EU security agency published on Tuesday.

ENISA (the European Network and Information Security Agency) warned that the mishandling of personal information gathered using data-mining or profiling harms young people. It said private data exposed on the web might be subsequently seized upon and misused by bullies, online predators or crooks. This is obviously detrimental to anyone’s well-being and the development of children’s social skills.

Many parents lose control of their children’s online environment as they lack the knowledge and tools to support their offspring, ENISA notes.

Prof Udo Helmbrecht, executive director of ENISA, commented: “Our children run the risk of becoming victims of online grooming and cyber-bullying; therefore actions are needed to protect teenagers’ cyber activities.”

ENISA’s Expert Group on internet risks has come up with a list of 18 recommendations on how to tackle the twin problems of online bullying and grooming. The key recommendations include the need to strengthen law enforcement agencies in member states. Greater resources and manpower are needed to “properly cover regulatory issues, statistical data collection of misuse cases, and follow up on privacy breaches”, the group said. How to pay for increased manpower and resources for police at a time of Europe-wide economic crisis is not tackled by the report, however.

The EU agency would also like to see sponsored online campaigns to prevent grooming and cyber-torment on social networks. It would also like to see specialised security settings and user account profiles for teenagers to cover their particular needs, plus better privacy and age-related controls for applications that have access to teenagers.

In addition, ENISA would like to see improved efforts to educate parents about cyber-threats. The full report, including an assessment of risks and recommendations to different target audiences, can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/08/eu_study_cyber_bullying_grooming/

Boffins: Punters can’t get a grip on online privacy tools

Privacy tools that offer a means to prevent advertisers from tracking the activity of surfers online are largely ineffective, according to a study by computer scientists.

Boffins at Carnegie Mellon University’s CyLab ran a series of lab tests involving 45 participants that revealed all nine privacy tools had usability and configuration problems that made them difficult to use correctly, at least in the hands of an average web surfer. The study poked tools that block access to advertising websites, widgets that set cookies indicating a user’s preference to opt out of online behavioural advertising, and privacy functions built directly into IE9 and Firefox 5 web browsers.

We found serious usability flaws in all nine tools we examined. The online opt-out tools were challenging for users to understand and configure. Users tend to be unfamiliar with most advertising companies, and therefore are unable to make meaningful choices. Users liked the fact that the browsers we tested had built-in Do Not Track features, but were wary of whether advertising companies would respect this preference. Users struggled to install and configure blocking lists to make effective use of blocking tools. They often erroneously concluded the tool they were using was blocking OBA when they had not properly configured it to do so.

For example, TACO, one of the nine tools CyLab’s hapless guinea pigs grappled with, was so complex that accessing the configuration interface for the tool’s blocking and opt-out features took four steps. The configuration screen presented users with three tracking categories: “Targeted Ad Networks”, “Web Trackers”, and “Cookies”. There was no explanation of what the different categories meant. To enable blocking, a user has to click on three separate “Not Blocked” tabs that do not appear to be clickable.

That’s a whole lot of fail, and the other tested tools didn’t really fare that much better.

CyLab’s study looked at three opt-out tools (DAA Consumer Choice, Evidon Global Opt-Out and PrivacyMark) and three blocking tools (Ghostery 2.5, TACO 4.0 and Adblock Plus 1.3), as well as privacy functions hard-baked into web browsers. Problems encountered included inappropriate defaults, confusing interfaces and tools that broke functionality on websites.

The report concludes that the “status quo is insufficient for empowering users to protect their privacy”.

“Although we recognise the efforts of the advertising industry, browser providers and third-parties for contributing an assortment of tools to this ecosystem, we encourage a greater emphasis on usability moving forward,” the boffins note.

“Our results suggest that the current approach for advertising industry self-regulation through opt-out mechanisms is fundamentally flawed. Users’ expectations and abilities are not supported by existing approaches that limit OBA [online behavioural advertising] by selecting particular companies or specifying tracking mechanisms to block. There are [also] significant challenges in providing easy-to-use tools that give users meaningful control without interfering with their use of the web,” the report authors add.

The CyLab report – Why Johnny Can’t Opt Out: A Usability Evaluation of Tools to Limit Online Behavioural Advertising – can be found here [PDF].

Previous studies from Carnegie Mellon suggested that, given a choice, surfers would prefer it if they were not tracked online by advertisers even if their online activities remained anonymous. Two in three respondents (64 per cent) to a 2009 study by the American university said targeted ads were invasive.

Chester Wisniewski, a security consultant at Sophos, said advertisers tracking surfing habits is similar to supermarkets using loyalty cards to find out which products you prefer to buy so that they “can tailor their marketing and their placement of products in the store to their customer base”.

Some of those who happily use shoppers’ cards baulk at the idea of online tracking, which Wisniewski controversially implies is not worth worrying about (a contention anti-Phorm activists and other privacy-conscious netizens would doubtless dispute).

“The worst that could happen is that advertisers are able to sell a profile of your information to one another in a way that you lose control of your private information,” Wisniewski said during an interview with American Public Media radio on the Carnegie Mellon study. ®

Bootnote

In an on-going series documenting the lengths to which some advertisers will go to track netizens, Trevor Pott highlights the scourge of the dreaded and hard-to-kill evercookie and some tools that may (or may not) be useful when eradicating it.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/08/online_privacy_tool_fail/

UK firm slammed for flogging spy software to Iran

A senior lawmaker has called on the UK government to ban the export of British-made surveillance software to repressive regimes.

“I’m hoping for an open debate on whether or not the UK should be involved … [and] what the implications of previous sales are,” Lord David Alton of Liverpool told The Register.

Lord Alton has tabled six questions in the House of Lords for the UK government, which are due to be answered by 21 November.

He has asked why there is no existing export ban on UK-made software and equipment that “has been used to track down protesters and democracy activists in Iran”. He has also asked the government if it has investigated “the alleged use of intercepts by mobile telephone monitoring devices manufactured in the UK in the interrogation and torture of Iranian democracy activists”.

Lord Alton specifically names a company called Creativity Software in his questions, claiming that the firm has sold intercept software to Irancell, an Iranian telco. He wants the UK government to find out what has been sold to Irancell so far, what the value of those deals was and what other sales are pending. He also asked if “they intend to permit Creativity Software to continue providing British-made intercept software and equipment to Irancell”.

Creativity Software was unavailable for comment at the time of publication.

The company has allegedly sold its “lawful intercept” gear to Irancell; according to the company’s website, the gear “can provide an end-to-end or bespoke solution to enable exposure of location information to authorised agencies”.

Foreign Secretary William Hague has been linked to Creativity Software, which would be particularly embarrassing for him given his stance on both Iran and internet freedoms.

According to a report in the Daily Telegraph, two executives from MMC Ventures, a shareholder in the software company, have funded Hague’s private office.

The CEO Bruce Macfarlane and the chairman Alan Morgan – the report alleges – paid part of the salary of Chloe Dalton, a researcher for Hague between 2006 and 2009, before he became Foreign Secretary. They also allegedly contributed £25,000 to his private office.

Back in September, when a UK firm was accused of selling “cyber-spy” software to Egypt, Hague told the BBC that “any export of goods that could be used for internal repression is something we would want to stop”.

More recently, Hague chaired the London Conference on Cyberspace, where he emphasised plenty of times that the UK believed in a free and open internet, and that countries who tried to impede access were infringing on human rights.

The Foreign Secretary is also well-known as a critic of Iran.

Today, the Foreign Office told The Register any questions on exports and licensing should be referred to the Department for Business, Innovation and Skills. A BIS spokesperson said in an emailed statement that “the government actively discourages all trade with Iran”.

“We take any reports of exports being misused overseas seriously,” they added.

Specifically in reference to Creativity Software, they said that “the type of software in question is not covered by an export control, and therefore it does not appear that the exporter has broken the law”.

“However all export controls are kept under constant review and we will ensure that they are adequate in this area in line with international standards,” they said.

More generally, Lord Alton, who is a member of the British Parliamentary Committee for Iran Freedom, also asked the government what assessment it had made of whether British intercept equipment or surveillance tools were being used in political repression across the Middle East and North Africa. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/08/uk_govt_iran_software_ban/

Elite DARPA cyber heroes will protect interwebs

DARPA is upping its cyber game in order to protect the internet it came up with, increasing its research budget from $120m (£74.6m) to $188m (£117m) for the fiscal year 2012.

“DARPA’s role in the creation of the internet means we were party to the intense opportunities it created and share in the intense responsibility of protecting it. Our responsibility is to acknowledge and prepare to protect the Nation in this new environment,” Regina E Dugan, DARPA director, said in a canned statement.

“We need more and better options. We will not prevail by throwing bodies or buildings at the challenges of cyberspace. Our assessment argues that we are capability limited, both offensively and defensively. We need to fix that.”

Dugan was speaking at DARPA’s Colloquium on Future Directions in Cyber Security, where the agency also announced an elite cyber team of experts to combat online threats. The cyber-defence crack team is drawn from the white hat hacker community, academia, labs and non-profits, major companies, and of course, the defence and intelligence communities.

“I should emphasise that national policymakers, not DARPA, will determine how cyber capabilities will be employed to protect and defend the national security interests of the United States,” Dugan said. “But the Agency has a special responsibility to explore the outer bounds of such capabilities so that our Nation is well prepared for future challenges.”

According to DARPA’s Cyber Analytic Framework – a detailed investigation into the current state of US cybersecurity – the current strategy isn’t going to work out in the long term.

Over the last 20 years, information security software packages have grown from thousands of lines of code to nearly 10 million lines, while malicious software tends to be around 125 lines. This strategy needs to continue for the moment because it gives the country “tactical breathing space”.

“But if we continue only down the current path, we will not converge with the threat,” Dugan said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/08/darpa_cyber_security/

Apple expels serial hacker for publishing iPhone exploit

Charlie Miller, the serial hacker who has exposed more than a dozen critical vulnerabilities in Apple’s Mac and mobile platforms, was kicked out of the company’s iOS developer program after publishing an application that demonstrated a serious new bug in iPhones and iPads.

Miller’s InstaStock app, which was accepted into the iTunes App Store in September, bills itself as a program that tracks stock prices in real time. On Monday, Miller announced that the app contained a secret hack that bypassed protections built into iOS devices that prevent code from running on them unless it has been signed by Apple’s official cryptographic seal.

As a result, Miller was able to endow InstaStock with powerful capabilities that were never approved during the app store application process, including the ability to remotely download pictures and contacts stored on an iPhone or iPad that has the app installed.

A few hours after Miller disclosed the hidden payload, he received an email informing him that Apple was terminating him from the iOS Developer Program for violation of a clause in the program’s license in which he agreed he wouldn’t “hide, misrepresent or obscure any features, content, services or functionality” of applications he submitted.

“They had every legal reason to do it, but I still think it’s rude,” Miller told The Reg. “It’s going to hinder my ability to help them secure their products.”

Miller’s code-signing bypass exploits a change introduced in iOS 4.3 that for the first time created a small region in iPhones and iPads where unsigned code downloaded from the internet could be executed. The exception was designed to improve the performance of Safari by allowing it to do just-in-time compiling. To prevent the exception from being abused, Apple tightly restricted it to Safari, and even then only in certain cases.

Miller discovered a flaw in the way iOS performs those checks. As a result, he can easily include code in any App Store submission that tricks the mobile OS into dropping the code-signing requirement, allowing his app to perform a variety of undisclosed attacks, including giving him remote shell access as demonstrated in the following video.

“It’s a payload that shouldn’t be allowed to run on the iPhone,” he said. “It shows that malware can run on the iPhone with this flaw.”

Miller was the first researcher to disclose a remotely exploitable vulnerability in the iPhone. It allowed attackers to steal text messages, contact information, call history, and voice mail. In the past four years, he estimates, he’s exposed more than a dozen similar vulnerabilities in the iOS and Mac OS X platforms, and has never received a dime in compensation from the company. This is the second code-signing bypass he’s found in iOS.

Miller said he’s concerned that his excommunication will hinder his ability to find security bugs in Apple software until it has become publicly available. A case in point is iOS version 5.01, which is currently in beta testing.

“Normally, I can download that and check to see if they fixed [a flaw I discovered], but now I can’t do that,” he said. “Now I have to wait until it comes out and if they screwed it up no one will know until it’s too late.”

The code-signing bypass bug is similar to a weakness in Google’s rival Android platform that allows attackers to surreptitiously install malware on users’ handsets. Almost a year after that weakness came to light, similar exploits were still possible in Android.

So as unfortunate as the iOS vulnerability is, it’s worth remembering that what Miller is able to achieve with InstaStock is essentially what has been possible on Android handsets for more than a year. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/08/apple_excommunicates_charlie_miller/

UK Home Sec: ‘I authorised biometric bypass pilot’

Home Secretary Theresa May fought for her political life in Parliament on Monday after it was revealed that immigration border guards were told to ignore biometric chips on the passports of non-eurozone citizens.

The head of the UK border force, Brodie Clark, “authorised the wider relaxation of border controls without ministerial sanction”, May told the House of Commons, ahead of delivering an emergency statement about the matter.

She said: “I did not give my authorisation or consent … as a result of these actions we will never know how many people passed through.”

Hundreds of thousands of people were able to enter the UK without proper checks, following Clark’s instructions to border officials to relax controls at busy times in the summer. They were told to stop cross-checking personal information and fingerprints against a Home Office database of terror suspects and illegal immigrants.

May, flanked by Prime Minister David Cameron, said in her statement to MPs that she agreed to a limited pilot in July this year. Border officials were given “discretion” about when to “open the biometric chip”, the Home Secretary said.

“Biometric checks were thought to have been abandoned on occasion,” she said, adding that Clark confirmed this happened without prior ministerial approval.

Shadow Home Secretary Yvette Cooper fired back: “This is her watch, her decision and her government’s mistake.”

“I am very happy to stand here and take responsibility for the decisions I have taken,” May told MPs.

Cooper asked May to provide an estimate of the number of people who had “passed through under the reduced regime”.

May declined to respond ahead of her statement to the House. Instead she pointed to the failures of the previous Labour government to secure the border when guards were under immense strain and that “checks were lifted”.

Labour backbencher Tom Watson retorted that “18 months in, [the] decisions taken [were] her decisions and her decisions alone”.

May said an independent inquiry would determine why controls were relaxed. The independent Chief Inspector of the UK Border Agency, John Vine, will publish a report on his findings in January 2012.

Number 10 said Cameron had full confidence in May, who, despite the controversy, failed to offer her resignation. According to officials, Cameron didn’t know that border controls had been relaxed over the summer. Downing Street said such an operational decision would have been determined within the Home Office.

Immigration minister Damian Green said that 5,200 UK Border Agency staff would be cut, with the total number of guards reduced to 18,000 by 2015. He said the move would not affect the frontline.

He said: “It’s important to have intelligent border controls using technology, putting the right people in the right places, so we can keep our border secure.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/07/theresa_may_border_control/

DNS cache poisonings foist malware attacks on Brazilians

An attack on several Brazilian ISPs has exposed large numbers of their subscribers to malware attacks when they attempt to visit Hotmail, Gmail, and other trusted websites, security researchers have warned.

The attacks work by poisoning the domain name system cache that the service providers use to translate domain names such as google.com into internet protocol numbers such as 74.125.224.144. By replacing legitimate IP addresses with ones leading to servers controlled by attackers, the hack is causing end users to be surreptitiously directed to sites that exploit software vulnerabilities on their computers or trick them into installing malware.

“Last week, Brazil’s web forums were alive with desperate cries for help from users who faced malicious redirections when trying to access websites such as YouTube, Gmail and Hotmail, as well as local market leaders including Uol, Terra and Globo,” Fabio Assolini, a researcher with antivirus provider Kaspersky Labs, wrote in a blog post published on Monday. “In all cases, users were asked to run a malicious file as soon as the website opened.”

Assolini said that on one machine Kaspersky researchers tested, the browser displayed a warning when opening www.google.com.br instructing the user to install a program called Google Defence.

A display encountered by a Kaspersky researcher reads: “To access the new Google.com, you need to install Google Defence”

DNS cache poisoning is frequently carried out by exploiting long-standing security vulnerabilities in the DNS, but at least some of the recent attacks in Brazil appear to be the result of a rogue insider at one of the targeted ISPs.

According to Assolini, a 27-year-old employee of a medium-sized provider in the south of the country has been arrested and accused of participating in the malicious scheme. The researcher provided no other details, except to say that over a 10-month period the unnamed employee had changed the DNS cache of the ISP, redirecting all users to phishing websites.

Assolini also said companies are reporting attacks that are changing the DNS configurations of their routers and modems. As a result, when employees try to visit websites, they encounter displays that instruct them to install a malicious Java applet.

“As described by my colleague Marta in this analysis, several routers and modems have security flaws that enable an external attacker to access and change the configuration of the device,” Assolini wrote. “They are able to exploit security failures and vulnerable configurations such as default passwords.”

In many cases, the malware being pushed on victims is a trojan that steals online banking credentials. ®
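A defender-side check for the two redirection patterns this article describes, a poisoned resolver cache that points many trusted names at a single attacker-controlled host, and a router or modem whose DNS server settings have been changed, written as an added example that is not from the article or from Kaspersky. Apart from the 74.125.224.144 address quoted above, every name, address and baseline below is a constructed placeholder.

```python
"""Heuristic checks for DNS redirection of the kind seen in the Brazilian ISP attacks.

Two signals are flagged over a batch of observed (name, answer) pairs:
  1. mismatch     - an answer that differs from a known-good baseline for that name
  2. shared_sink  - one address answering for several unrelated names whose
                    baselines do not include it (mass redirection to one host)
A separate check reports router DNS servers outside the expected resolver range.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed baseline, e.g. answers from a trusted resolver taken before the incident.
# Only 74.125.224.144 comes from the article; the 203.0.113.x values are TEST-NET-3
# placeholders (RFC 5737), never real addresses.
REFERENCE = {
    "www.google.com.br": {"74.125.224.144"},
    "www.gmail.com": {"203.0.113.10"},
    "www.hotmail.com": {"203.0.113.20"},
    "www.youtube.com": {"203.0.113.30"},
    "www.uol.com.br": {"203.0.113.40"},
    "www.terra.com.br": {"203.0.113.50"},
}

# Constructed answers as seen through the ISP resolver under attack:
# three trusted names are steered to one placeholder host (198.51.100.7, TEST-NET-2).
OBSERVED = [
    ("www.google.com.br", "198.51.100.7"),
    ("www.gmail.com", "198.51.100.7"),
    ("www.hotmail.com", "198.51.100.7"),
    ("www.youtube.com", "203.0.113.30"),
    ("www.uol.com.br", "203.0.113.40"),
    ("www.terra.com.br", "203.0.113.50"),
]

# Constructed: the resolver range the ISP (or the site's own admins) expects routers to use.
ALLOWED_RESOLVERS = [ip_network("203.0.113.0/24")]


def check_answers(observed, reference, min_cluster=3):
    """Return a list of findings as tuples: ("mismatch", name, ip) or
    ("shared_sink", ip, sorted_names). Names with no baseline are never
    reported as mismatches but still count towards a shared sink."""
    findings = []
    by_ip = defaultdict(set)
    for name, ip in observed:
        ip_address(ip)  # raises ValueError on malformed input rather than silently passing
        expected = reference.get(name)
        if expected is not None and ip not in expected:
            findings.append(("mismatch", name, ip))
        by_ip[ip].add(name)

    for ip, names in by_ip.items():
        # Only names whose baseline does not already include this address count;
        # a legitimate shared CDN address for which the baseline agrees is not a sink.
        unexpected = {n for n in names if ip not in reference.get(n, set())}
        if len(unexpected) >= min_cluster:
            findings.append(("shared_sink", ip, tuple(sorted(unexpected))))
    return findings


def check_router_resolvers(configured, allowed=ALLOWED_RESOLVERS):
    """Return the configured DNS server addresses that fall outside every allowed network,
    the signature of a router whose DNS settings were rewritten by an attacker."""
    return [ip for ip in configured
            if not any(ip_address(ip) in net for net in allowed)]


if __name__ == "__main__":
    for finding in check_answers(OBSERVED, REFERENCE):
        print(*finding)
    # Constructed router config: one legitimate resolver, one rogue entry.
    rogue = check_router_resolvers(["203.0.113.53", "198.51.100.53"])
    print("rogue router resolvers:", rogue)
```

The shared-sink rule is the one that distinguishes a cache poisoning campaign from an ordinary CDN change: a real address update for one site does not make unrelated sites resolve to the same host.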

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/07/brazilian_dns_cache_poisoing_attacks/