The federal government's plan to expand computer security protections into critical parts of private industry is raising concerns that the move will threaten Americans' civil liberties.
In a report for release Friday, The Constitution Project warns that as the Obama administration partners more with the energy, financial, communications and health care industries to monitor and protect networks, sensitive personal information of people who work for or communicate with those companies could be improperly or inadvertently disclosed.
While the government may have good intentions, it "runs the risk of establishing a program akin to wiretapping all network users' communications," the nonpartisan legal think tank says. The Associated Press obtained a copy of the report in advance.
Cybersecurity has become a rapidly expanding priority for the government as federal agencies, private companies and everyday people come under persistent and increasingly sophisticated computer attacks. The threat is diverse, ranging from computer hackers going after banking and financial accounts to terrorists or other nations breaching government networks to steal sensitive data or sabotage critical systems such as the electrical grid, nuclear plants or Wall Street.
Privacy has been a hotly debated issue, particularly as the Pentagon broadens its pilot program to help defense contractors protect their networks and systems. Several companies, including critical jet fighter and drone programs, have been attacked, although the Pentagon has said that no classified information was lost.
And there are plans for the Homeland Security Department to use the defense program as a model to prevent hackers and hostile nations from breaching critical infrastructure. Officials have suggested that Congress needs to craft legislation that would protect companies from certain privacy and other laws in order to share information with the government for cybersecurity purposes.
DHS spokesman Matt Chandler said the legislative proposals reflect the administration's commitment to privacy protections and contain standards to minimize contact with personal information while dealing with cybersecurity threats. "DHS builds strong privacy protections into the core of all cybersecurity programs and initiatives," Chandler said, adding that the agency realizes that providing assistance to private companies is a sensitive task that requires "trust and strict confidentiality."
The Constitution Project report recommends that officials limit the amount and nature of personal information shared between the public and private sectors. And it calls for strict oversight of the cyber programs by Congress and independent audits, to ensure that privacy rights have not been violated.
"The government should not be permitted to conduct an end-run around Fourth Amendment safeguards by relying upon private companies to monitor networks," it said.
In addition, the report raised concerns about the ongoing development of the Einstein 3 program, a government network monitoring system that would both detect and take action against cyberattacks on federal systems. DHS officials have said that extensive privacy protections are in place.
But the report expressed concerns that as DHS and the secretive National Security Agency share information about potential computer-based threats, the NSA could review communications from U.S. individuals without setting up privacy safeguards.
"With more and more people needing to share sensitive personal and financial data over the Internet, it is absolutely vital that, while we are looking to protect our networks against cyberattack, we also preserve our constitutionally guaranteed rights to privacy," said Constitution Project committee member Asa Hutchinson, a former DHS undersecretary who also served as a GOP congressman from Arkansas.
Lawmakers who have been wrestling with these issues over the past several years have several bills in the works, and most include some privacy provisions.
Source: Fox News
Page3 of Technology
Its everything about technology
Saturday, January 28, 2012
US cybersecurity efforts trigger privacy concerns
Twitter refines technology to censor tweets in individual countries
Twitter has refined its technology so it can censor messages on a country-by-country basis.
The additional flexibility announced Thursday is likely to raise fears that Twitter's commitment to free speech may be weakening as the short-messaging company expands into new countries in an attempt to broaden its audience and make more money.
But Twitter sees the censorship tool as a way to ensure individual messages, or tweets, remain available to as many people as possible while it navigates a gauntlet of different laws around the world.
Before, when Twitter erased a tweet it disappeared throughout the world. Now, a tweet containing content breaking a law in one country can be taken down there and still be seen elsewhere.
Twitter will post a censorship notice whenever a tweet is removed. That's similar to what Internet search leader Google Inc. has been doing for years when a law in a country where its service operates requires a search result to be removed.
Like Google, Twitter also plans to share the removal requests it receives from governments, companies and individuals at the chillingeffects.org website.
The similarity to Google's policy isn't coincidental. Twitter's general counsel is Alexander Macgillivray, who helped Google draw up its censorship policies while he was working at that company.
"One of our core values as a company is to defend and respect each user's voice," Twitter wrote in a blog post. "We try to keep content up wherever and whenever we can, and we will be transparent with users when we can't. The tweets must continue to flow."
Source: Fox News
Thursday, January 26, 2012
Google's privacy policy raises hackles
The Web giant says the new privacy policy will allow it to offer better services, including more relevant search results.
Have you ever used Google to search for a restaurant while you were logged in its network using your Google id? Or shared information about your trip to Goa with your friends on Google +? Or watched belly dance on YouTube? Or looked for Sunny Leone pictures on Google images? If yes, Google knows about it. And according to its new privacy policy it is going to put this information to some use.
The Web giant says the new privacy policy will allow it to offer better services, including more relevant search results. But web experts have raised concerns over potential misuse of data and breach of privacy. According to Google's new privacy policy that will come into effect from March 1, the company is "getting rid of over 60 different privacy policies across Google services and replacing them with one that's shorter, easier to read" and something that will enable it to "create intuitive experience across Google". Unlike in the past when Google had allowed users to choose personalized services, this time there is no option to opt out.
For an end-user this means that whatever information he shares through Google searches, Gmail, Google +, Picasa etc. will be used to customize Google services for him. That the move is significant can be gauged from the fact that Google has provided a link to the new policy directly under its search engine on the main page, something that the company rarely does. Google users will also be notified about the policy change through an email.
"Our new privacy policy makes clear that, if you're signed in, we may combine information you've provided from one service with information from other services. In short, we'll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience," said Alma Whitten, Google's director of privacy, in a post on the company's official blog.
Whitten gave some examples of how this information will be used. "We can make search better - figuring out what you really mean when you type in Apple, Jaguar or Pink. We can provide more relevant ads too," she wrote. "We can provide reminders that you're going to be late for a meeting based on your location, your calendar and an understanding of what the traffic is like that day. Or ensure that our spelling suggestions, even for your friends' names, are accurate because you've typed them before."
The privacy policy from Google is at the heart of its new business strategy as it works to keep the search engine relevant and its services fresh in the face of social networking websites like Twitter and Facebook. It is also prompted by the proliferation of devices like smartphones and tablets. However, privacy experts are not amused. Sunil Abraham, director of Centre for Internet and Society, said the new changes are not good for a consumer's privacy.
"I understand that Google collects the data so that it can build a 360 degree profile of a user and based on the information serve relevant advertisements. But there is no reason for them to store this data for long. Storing data makes it prone to misuse by authorities as well as corporations," said Abraham. Another problem, he said, is that different services are used for different purposes. "I don't want my bakery shop owner to know what kind of medicines I buy from the nearby medical store," said Abraham.
Source: TOI
New Zealand judge bails two of Megaupload accused
Site owner Kim Dotcom remains in jail
Two of the four people arrested in New Zealand on the Megaupload case have been released on bail, according to Stuff.
Finn Batato, chief marketing officer at Megaupload, and Bram van der Kolk, programmer, have been granted bail at the North Shore District Court after their hearing yesterday. Judge David McNaughton's bail decision can be read here in the case of van der Kolk, and here for Batato.
Both men remain in custody until their homes have been determined suitable for electronic monitoring.
Due to late submissions the bail hearing for the third man, Mathias Ortmann, chief technical officer at Megaupload, will continue this afternoon. Judge McNaughton's registrar says he does not expect a written decision until tomorrow.
Yesterday Kim Dotcom was remanded in custody until February 22, the judge denying him his application for bail. It is expected that an extradition hearing will be held at that time.
Judge McNaughton had reserved his decision since Monday afternoon, when Dotcom's bail hearing was held. At the hearing, Crown prosecutor Anne Toohey claimed Dotcom posed a "significant" flight risk because of the sums of money available to him.
This was disputed by Dotcom's lawyer, who told the court his client's funds had all been seized, and that the media and US government had been 'misrepresenting' his client's business.
Finn Batato, Mathias Ortmann, and Bram van der Kolk face similar charges of copyright infringement, racketeering and money laundering. All four men were arrested on Friday by police who executed provisional arrest warrants requested by the US Department of Justice.
By Sim Ahmed | Computerworld New Zealand
Attacks resume against US Department of Justice
The United States Department of Justice appears to be under attack for the second time since the popular Megaupload file sharing site was taken down. The group Anonymous appears to be carrying out this latest attack in protest against the Anti-Counterfeiting Trade Agreement (ACTA). In its Mega Song music video, which was released last month, Megaupload claimed the site had 1 billion users and accounted for 4% of all traffic on the internet.
www.megaupload.com was the 77th busiest site according to the Netcraft Toolbar. The company's main website was hosted by Carpathia Hosting, but now displays an FBI anti-piracy warning hosted by Amazon. The warning explains, "This domain name associated with the website Megaupload.com has been seized pursuant to an order issued by a U.S. District Court." Despite the static nature of the warning page, it appears to have struggled with the amount of traffic it was receiving over the weekend:
Tuesday, January 24, 2012
Ubuntu command line guide as your wallpaper
Saturday, January 7, 2012
Wi-Fi Protected Setup (WPS) Vulnerable to Brute-Force Attack
Systems Affected
Most Wi-Fi access points that support Wi-Fi Protected Setup (WPS) are affected.
Overview
Wi-Fi Protected Setup (WPS) provides simplified mechanisms to configure secure wireless networks. The external registrar PIN exchange mechanism is susceptible to brute force attacks that could allow an attacker to gain access to an encrypted Wi-Fi network.
I. Description
WPS uses a PIN as a shared secret to authenticate an access point and a client and provide connection information such as WEP and WPA passwords and keys. In the external registrar exchange method, a client needs to provide the correct PIN to the access point.
An attacking client can try to guess the correct PIN. A design vulnerability reduces the effective PIN space sufficiently to allow practical brute force attacks. Freely available attack tools can recover a WPS PIN in 4-10 hours.
For further details, please see Vulnerability Note VU#723755 and further documentation by Stefan Viehbock and Tactical Network Solutions.
II. Impact
An attacker within radio range can brute-force the WPS PIN for a vulnerable access point. The attacker can then obtain WEP or WPA passwords and likely gain access to the Wi-Fi network. Once on the network, the attacker can monitor traffic and mount further attacks.
III. Solution
Update Firmware
Check your access point vendor's support website for updated firmware that addresses this vulnerability. Further information may be available in the Vendor Information section of VU#723755 and in a Google spreadsheet called WPS Vulnerability Testing.
Disable WPS
Depending on the access point, it may be possible to disable WPS. Note that some access points may not actually disable WPS when the web management interface indicates that WPS is disabled.
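Because the management interface may misreport the setting, the access point's own beacon is the better evidence. The following is an added example, not part of the US-CERT advisory: it parses the tagged parameters of a beacon frame and reports whether a WPS information element is still advertised. The vendor OUI/type and attribute IDs are taken from the WPS specification rather than from this page, and the sample beacons are constructed; capturing a beacon from your own access point is outside the example.

```python
import struct

# Assumed constants from the WPS specification (not from the advisory text).
WPS_OUI_TYPE = bytes.fromhex("0050f204")  # vendor-specific IE: OUI 00:50:F2, type 4
ATTR_VERSION, ATTR_STATE, ATTR_AP_SETUP_LOCKED = 0x104A, 0x1044, 0x1057

def iter_ies(buf):
    """Yield (element_id, payload) pairs from 802.11 tagged parameters."""
    i = 0
    while i + 2 <= len(buf):
        eid, length = buf[i], buf[i + 1]
        if i + 2 + length > len(buf):
            return  # truncated element: stop rather than read past the end
        yield eid, buf[i + 2:i + 2 + length]
        i += 2 + length

def parse_wps_attrs(data):
    """Parse WPS attributes: 2-byte type, 2-byte length (big-endian), value."""
    attrs, i = {}, 0
    while i + 4 <= len(data):
        atype, alen = struct.unpack_from(">HH", data, i)
        if i + 4 + alen > len(data):
            break  # malformed attribute: keep what was parsed so far
        attrs[atype] = data[i + 4:i + 4 + alen]
        i += 4 + alen
    return attrs

def wps_status(tagged_params):
    """Report whether a beacon still advertises WPS, and in what state."""
    for eid, payload in iter_ies(tagged_params):
        if eid == 221 and payload[:4] == WPS_OUI_TYPE:
            attrs = parse_wps_attrs(payload[4:])
            state = (attrs.get(ATTR_STATE) or b"\x00")[0]
            locked = (attrs.get(ATTR_AP_SETUP_LOCKED) or b"\x00")[0]
            return {"advertised": True, "configured": state == 2, "ap_setup_locked": locked == 1}
    return {"advertised": False, "configured": False, "ap_setup_locked": False}

# Constructed sample beacons (tagged parameters only), built inline for the demo.
def _ie(eid, payload): return bytes([eid, len(payload)]) + payload
def _attr(atype, value): return struct.pack(">HH", atype, len(value)) + value

SSID = _ie(0, b"example-ap")
WPS_ON = SSID + _ie(221, WPS_OUI_TYPE + _attr(ATTR_VERSION, b"\x10") + _attr(ATTR_STATE, b"\x02"))
WPS_LOCKED = SSID + _ie(221, WPS_OUI_TYPE + _attr(ATTR_STATE, b"\x02") + _attr(ATTR_AP_SETUP_LOCKED, b"\x01"))
WPS_OFF = SSID + _ie(221, bytes.fromhex("0050f201") + b"\x01\x00")  # WPA IE, not WPS

if __name__ == "__main__":
    for name, beacon in [("on", WPS_ON), ("locked", WPS_LOCKED), ("off", WPS_OFF)]:
        print(name, wps_status(beacon))
```

If `advertised` is still true after WPS has been switched off in the management interface, treat the access point as affected and look for a firmware update.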
IV. References
- Vulnerability Note VU#723755
- Wi-Fi Protected Setup PIN brute force vulnerability
- Cracking WiFi Protected Setup with Reaver
- WPS Vulnerability Testing
Source: US-CERT
