Showing posts with label Security. Show all posts

Sunday, October 10, 2010

Wiretapping the Internet - To tech with IT all!

SCHNEIER On Monday, The New York Times reported that President Obama will seek sweeping laws enabling law enforcement to more easily eavesdrop on the internet. Technologies are changing, the administration argues, and modern digital systems aren't as easy to monitor as traditional telephones.

...Formerly reserved for totalitarian countries, this wholesale surveillance of citizens has moved into the democratic world as well. Governments like Sweden, Canada and the United Kingdom are debating or passing laws giving their police new powers of internet surveillance, in many cases requiring communications system providers to redesign products and services they sell. More are passing data retention laws, forcing companies to retain customer data in case they might need to be investigated later.


Obama isn't the first U.S. president to seek expanded digital eavesdropping. The 1994 (CLINTON) CALEA law required phone companies to build ways to better facilitate FBI eavesdropping into their digital phone switches. Since 2001, the National Security Agency has built substantial eavesdropping systems within the United States.

These laws are dangerous, both for citizens of countries like China and citizens of Western democracies. Forcing companies to redesign their communications products and services to facilitate government eavesdropping reduces privacy and liberty; that's obvious. But the laws also make us less safe. Communications systems that have no inherent eavesdropping capabilities are more secure than systems with those capabilities built in.

Any surveillance system invites both criminal appropriation and government abuse. Function creep is the most obvious abuse: New police powers, enacted to fight terrorism, are already used in situations of conventional nonterrorist crime. Internet surveillance and control will be no different.

Please read more from the SCHNEIER

Friday, August 27, 2010

Newbies attack Microsoft between 7000 and 9000 times per second.

"When hackers crash Windows in the course of developing malware, they'll often accidentally agree to send the virus code straight to Microsoft, according to senior security architect Rocky Heckman. 'It's amazing how much stuff we get.' Heckman also said Microsoft was a common target for people testing their attacks. 'The first thing [script kiddies] do is fire off all these attacks at Microsoft.com. On average we get attacked between 7000 and 9000 times per second.'" Read more at /.

Wednesday, August 25, 2010

40 Critical Windows Bugs used to hijack & infect PCs with malware

ComputerWorld About 40 different Windows applications contain a critical flaw that can be used by attackers to hijack PCs and infect them with malware, a security researcher said Wednesday (through an iTunes bug...).

The researcher is HD Moore, chief security officer at Rapid7 and creator of the open-source Metasploit penetration-testing toolkit. Moore did not reveal the names of the vulnerable applications or their makers, however.

"The cat is out of the bag, this issue affects about 40 different apps, including the Windows shell,"

"Solving the flaw requires every affected vendor to produce a patch," he said.

The bug in Apple's iTunes... According to Apple, the bug does not affect Mac machines.

Moore confirmed that the flaw "applies to a wide range of Windows applications," and added that he stumbled across it while researching the Windows shortcut vulnerability, a critical bug that Microsoft acknowledged in July and patched on Aug. 2 using one of its rare "out of band" emergency updates.

Moore declined to name the applications that contain the bug or to go into great detail about the vulnerability. But he was willing to share some observations.

"The vector is slightly different between applications, but the end result is an attacker-supplied .dll being loaded after the user opens a 'safe' file type from a network share [either on the local network or the Internet]," Moore said in an e-mail reply to questions. "It is possible to force a user to open a file from the share, either through their Web browser or by abusing other applications, for example, Office documents with embedded content."

Some of what Moore described was reminiscent of the attacks using the Windows shortcut vulnerability. For instance, hackers were able to launch drive-by attacks exploiting the shortcut bug from malicious sites via WebDAV, and could embed their exploits into Office documents, which would presumably be delivered to victims as seemingly innocuous e-mail attachments.

His advice until the vulnerable applications are patched was also taken from Microsoft's shortcut bug playbook.

"Users can block outbound SMB [by blocking TCP ports] 139 and 445, and disable the WebDAV client [in Windows] to prevent these flaws from being exploited from outside of their local network," Moore recommended.

Both work-arounds were among those Microsoft told users they could apply if they were unable to apply the emergency update.

But although Microsoft was able to plug the shortcut hole with a patch for Windows, Moore was pessimistic that the company would be able to do the same with this vulnerability.

Please read full at ComputerWorld
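The two workarounds Moore quotes (block outbound SMB on TCP 139/445 to anything beyond the local network, and disable the WebDAV client) can be applied and verified with a script like this one. It is an added example, not code from the ComputerWorld article, Microsoft or Rapid7; it assumes Windows 8 / Server 2012 or later (NetSecurity cmdlets), an elevated session, and the rule name and the Test-DllLoadWorkaround function are made up here.

```powershell
#Requires -RunAsAdministrator
# Added example: apply and verify the two interim workarounds quoted above.

$ruleName = 'Block outbound SMB to non-local networks (DLL-loading workaround)'

# 1. Block outbound SMB (TCP 139 and 445) towards addresses outside the local
#    network, which is the scope Moore describes. The "Internet" keyword keeps
#    LAN file shares working; shares reached over the Internet stop working.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Protocol TCP `
        -RemotePort 139,445 -RemoteAddress Internet -Profile Any | Out-Null
}

# 2. Disable the WebDAV client. On Windows that is the WebClient service, which
#    is what lets a browser or Office hand a remote "share" path to an application.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

# 3. Report the resulting state so a deployment script can check it.
function Test-DllLoadWorkaround {
    $rule  = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    $ports = if ($rule) { @(($rule | Get-NetFirewallPortFilter).RemotePort) } else { @() }
    $svc   = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SmbBlockRulePresent = [bool]$rule -and ($rule.Enabled -eq 'True')
        SmbPortsBlocked     = ($ports -contains '139') -and ($ports -contains '445')
        WebClientStopped    = ($null -eq $svc) -or ($svc.Status -eq 'Stopped')
        WebClientDisabled   = ($null -eq $svc) -or ($svc.StartType -eq 'Disabled')
    }
}

Test-DllLoadWorkaround
```

Both settings are the interim measure Microsoft listed for the shortcut bug; they do not remove the DLL-loading defect itself, which only the vendor patches Moore mentions can do.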



Sunday, July 25, 2010

Google Bends Over for China

Washington Post - Google promised to "obey Chinese law" and avoid linking to material deemed a threat to national security or social stability, said Zhang Feng, director of the Ministry of Industry and Information Technology's Telecoms Development Department, at a news conference.

China renewed Google's Internet license after it pledged to obey censorship laws and stop automatically switching mainland users to its unfiltered Hong Kong site, an official said Tuesday.

It was Beijing's first public comment on its decision to allow Google to continue operating a China website following a public clash over censorship. The company closed its China search engine in March but still offers music and other services in China.


Thursday, July 22, 2010

Looking for a few good IT

"US security officials say the country's cyberdefenses are not up to the challenge. In part, it's due to a severe shortage of computer security specialists and engineers with the skills and knowledge necessary to do battle against would-be adversaries. The protection of US computer systems essentially requires an army of cyberwarriors, but the recruitment of that force is suffering. 'We don't have sufficiently bright people moving into this field to support those national security objectives as we move forward in time,' says James Gosler

Read more of this story at Slashdot.

Wednesday, June 16, 2010

Internet 'kill switch' proposed for US

CNET A new US Senate Bill would grant the President far-reaching emergency powers to seize control of, or even shut down, portions of the internet.
The legislation says that companies such as broadband providers, search engines or software firms that the US Government selects "shall immediately comply with any emergency measure or action developed" by the Department of Homeland Security. Anyone failing to comply would be fined.

That emergency authority would allow the Federal Government to "preserve those networks and assets and our country and protect our people," Joe Lieberman, the primary sponsor of the measure and the chairman of the Homeland Security committee, told reporters on Thursday. Lieberman is an independent senator from Connecticut who meets with the Democrats.

Due to there being few limits on the US President's emergency power, which can be renewed indefinitely, the densely worded 197-page Bill (PDF) is likely to encounter stiff opposition.

TechAmerica, probably the largest US technology lobby group, said it was concerned about "unintended consequences that would result from the legislation's regulatory approach" and "the potential for absolute power". And the Center for Democracy and Technology publicly worried that the Lieberman Bill's emergency powers "include authority to shut down or limit internet traffic on private systems."

The idea of an internet "kill switch" that the President could flip is not new. A draft Senate proposal that ZDNet Australia's sister site CNET obtained in August allowed the White House to "declare a cybersecurity emergency", and another from Sens. Jay Rockefeller (D-W.V.) and Olympia Snowe (R-Maine) would have explicitly given the government the power to "order the disconnection" of certain networks or websites.

A new cybersecurity bureaucracy

Lieberman's proposal would form a powerful and extensive new Homeland Security bureaucracy around the NCCC, including "no less" than two deputy directors, and liaison officers to the Defense Department, Justice Department, Commerce Department, and the Director of National Intelligence. (How much the NCCC director's duties would overlap with those of the existing assistant secretary for infrastructure protection is not clear.)
The NCCC also would be granted the power to monitor the "security status" of private sector websites, broadband providers and other internet components. Lieberman's legislation requires the NCCC to provide "situational awareness of the security status" of the portions of the internet that are inside the United States — and also those portions in other countries that, if disrupted, could cause significant harm.

Read full at CNET

Wednesday, June 2, 2010

Canada Spending $1B on Security for G8/G20 Summit in June

The Canadian government disclosed Tuesday that the total price tag to police the elite Group of Eight meeting in Muskoka, as well as the bigger-tent Group of 20 summit starting a day later in downtown Toronto, has already climbed to more than $833-million. It said it’s preparing to spend up to $930-million for the three days of meetings that start June 25.
That price tag is more than 20 times the total reported cost for the April, 2009, G20 summit in Britain, with the government estimating a cost of $30-million, and seems much higher than security costs at previous summits: the Gleneagles G8 summit in Scotland, 2005, was reported to have spent $110-million on security, while the estimate for the 2008 G8 gathering in Japan was $381-million.

These numbers are crazy. There simply isn't any justification for this kind of spending.

Saturday, April 3, 2010

Schneier as the new head of TSA?

A recent opening and hint gave our nation the hope of some 'real' improvements in national security.
James Fallows noted in an interview post with Bruce Schneier, "Mr. Sanity about Security", that there was a high-level job opening at the TSA and that he would testify for Schneier as the new head of TSA when he is nominated.
I second that!



Thursday, March 4, 2010

Google Responds To Privacy Concerns With Unsettlingly Specific Apology

Acknowledging that Google hasn't always been open about how it mines the roughly 800 terabytes of personal data it has gathered since 1998, Schmidt apologized to users — particularly the 1,237,948 who take daily medication to combat anxiety — for causing any unnecessary distress, and he expressed regret — especially to Patricia Fort, a single mother taking care of Jordan, Sam, and Rebecca, ages 3, 7, and 9 — for not doing more to ensure that private information remains private.





Monday, February 8, 2010

95% of User-Generated Content Is BS

SlashDot - "The HoneyGrid scans 40 million Web sites and 10 million emails, so it was bound to find something interesting. Among the things it found was that a staggering 95% of User Generated Content is either malicious in nature or spam." Here is the report's front door; to read the actual report you'll have to give up name, rank, and serial number.

Here are the key findings: (via daniweb.com)
    * 13.7% of searches for trending news/buzz words (as defined by Yahoo Buzz & Google Trends) led to malware.
    * The second half of 2009 revealed a 3.3% decline in the growth of malicious Web sites compared to the first half of the year. Websense Security Labs believes this is due to the increased focus on Web 2.0 properties with higher traffic and multiple pages.
    * However, comparing the second half of 2009 with the same period in 2008, Websense Security Labs saw an average of 225% growth in malicious Web sites.
    * 71% of Web sites with malicious code are legitimate sites that have been compromised.
    * 95% of user-generated posts on Web sites are spam or malicious.
    * Consistent with previous years, 51% of malware still connects to host Web sites registered in the United States.
    * China remains the second most popular malware hosting country with 17%, but during the last six months Spain jumped into third place with 15.7% despite never having been in the top 5 countries before.
    * 81% of emails during the second half of the year contained a malicious link.
    * Websense Security Labs identified that 85.8% of all emails were spam.
    * Statistics for the second half of 2009 show spam emails broke down as 72% (HTML), 11.2% (image), 14.4% (plain text with URL) and 2.4% (plain text with no URL).
    * 35% of malicious Web-based attacks included data-stealing code.
    * 58% of all data-stealing attacks are conducted over the Web.

Monday, November 2, 2009

Schneier points out the difference between “greed sales” and “fear sales”

PaperJam
As well as being Chief Security Technology Officer at BT, Bruce Schneier is also the author of several books on the topics of security and cryptography with a particular, if not exclusive, focus on the IT industry, which has led The Economist to describe him as a "security guru". And when discussing security he is refreshingly candid and forthright, not dissimilar in tone to Freakonomics author Steven Levitt, while sharing with Levitt the ability to view his chosen field from an angle less ordinary.

"Security is hard to sell for two reasons, economic and psychological," he says. The industry is not necessarily logical: it is by nature complex, and as a consequence easy to get wrong. The average buyer doesn't necessarily understand the products on offer, while the industry player often cannot explain them adequately, meaning that "new companies with good ideas often end up floundering because they cannot communicate those ideas." Psychologically, security is also complicated: Schneier points out the difference between "greed sales" and "fear sales", where the former is a simple question of wanting something, while the latter is being afraid of the consequences of not having that thing.

He highlights the concepts of loss aversion and prospect theory and applies them to security, whereby people are much more amenable to avoiding losses than acquiring gains, and are risk-averse for gains, but risk-seeking for losses. As an example, when asked if they would prefer a guaranteed gain of 500 euros or to toss a coin for a gain of 1,000, the vast majority will choose the former. A similar choice, slightly adjusted, shows an interesting contrast regarding risk: faced with a straight loss of 500 euros or a coin toss for the loss of 1,000, people will nearly always choose the latter. This is where the problem for "selling" IT security lies. It is sold through fear of loss, and yet some companies attempt to turn it into a greed sale. As Schneier states, this is somewhat nonsensical: security keeps things as they are if it works properly. It brings no actual value in itself, and thus advertising campaigns portraying a return on investment by a security product are a complete fiction.

Schneier believes that "IT security takes advantage of a rare after-market for making things better." Usually, a consumer will buy a product because it is already "good", yet the IT industry seems fundamentally flawed in that the applications we buy are ostensibly not good. If they were, we wouldn't need the additional security; it would be a standard feature like, as Schneier says, "brakes or airbags on a car. You don't buy a car without brakes and then get told you need to fit them afterwards." So why is security in IT like this, when it is not in other industries? Schneier does not blame the IT industry, stating that "this is an effect of how new the IT industry is: it has developed very quickly, and security was ignored in the beginning."

"Computing is becoming infrastructure. It is something taken for granted in the work place, like a desk or electricity," says Schneier. So how can the problem of security sales be addressed? Schneier believes it should not be sold as a separate entity, but included in an overall computing package. He once again brings up the example of cars, which are sold with airbags and brakes included, or houses which are sold with lockable doors. These features are expected on those products, and it should be the same with IT products. Furthermore, it seems the IT industry as a whole is coming around to this way of thinking: "now we are seeing non-security companies buying or taking over security companies. These companies are recognising that security needs to be part of what they do. Users do not necessarily have to understand what the security features do, but at the same time they like to know they are there. Thus, security should become embedded into a greed sell."

Please read full at PaperJam

Sunday, July 12, 2009

Chrome to be virus-free: "It's an idiotic claim"

Making an Operating System Virus Free

Regarding Google's claim that Chrome was designed to be virus-free, I said:

Bruce Schneier, the chief security technology officer at BT, scoffed at Google's promise. "It's an idiotic claim," Schneier wrote in an e-mail. "It was mathematically proved decades ago that it is impossible -- not an engineering impossibility, not technologically impossible, but the 2+2=3 kind of impossible -- to create an operating system that is immune to viruses."

What I was referring to, although I couldn't think of his name at the time, was Fred Cohen's 1986 Ph.D. thesis where he proved that it was impossible to create a virus-checking program that was perfect. That is, it is always possible to write a virus that any virus-checking program will not detect.

This reaction to my comment is accurate:

That seems to us like he's picking on the semantics of Google's statement just a bit. Google says that users "won't have to deal with viruses," and Schneier is noting that it's simply not possible to create an OS that can't be taken down by malware. While that may be the case, it's likely that Chrome OS is going to be arguably more secure than the other consumer operating systems currently in use today. In fact, we didn't take Google's statement to mean that Chrome OS couldn't get a virus EVER; we just figured they meant it was a lot harder to get one on their new OS - didn't you?

Read more of Schneier's comments
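The result Schneier has in mind, sketched here as an added illustration that is not part of his post: Cohen's argument runs by contradiction, and the names $D$ (the hypothetical perfect detector) and $C$ (the program built from it) are assumed here.

```latex
\begin{align*}
&\text{Assume a detector } D \text{ that halts on every program } P \text{ and decides } D(P)=1 \iff P \text{ replicates.}\\
&\text{Build the program } C:\ \text{``if } D(C)=1 \text{ then halt without replicating, else replicate.''}\\
&D(C)=1 \;\Rightarrow\; C \text{ never replicates} \;\Rightarrow\; D(C)=0 \qquad\text{(contradiction)}\\
&D(C)=0 \;\Rightarrow\; C \text{ replicates} \;\Rightarrow\; D(C)=1 \qquad\text{(contradiction)}\\
&\therefore\ \text{no such } D \text{ exists: whatever } D \text{ answers on } C \text{, that answer is wrong (or } D \text{ never halts on } C\text{).}
\end{align*}
```

The second branch is exactly Schneier's phrasing: for any detector that always answers, the program $C$ is a replicating program it reports as clean.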

Thursday, July 2, 2009

How is WEP hacking not a national security issue?

Lifehacker today (and 1,000s of others) posted how to break into my house???

While I appreciate them giving me job security on the IT front .... I do not know why posting these kinds of threats is not a national security issue?

Yes, we should report and discuss it, but giving 'how to' editorials is a threat.


From Lifehacker: How to Crack a Wi-Fi Network's WEP Password

You already know that if you want to lock down your Wi-Fi network, you should opt for WPA encryption because WEP is easy to crack. But did you know how easy? Take a look.

Today we're going to run down, step-by-step, how to crack a Wi-Fi network with WEP security turned on. But first, a word: Knowledge is power, but power doesn't mean you should be a jerk, or do anything illegal. Knowing how to pick a lock doesn't make you a thief. Consider this post educational, or a proof-of-concept intellectual exercise.

Dozens of tutorials on how to crack WEP are already all over the internet using this method. Seriously—Google it. This ain't what you'd call "news." But what is surprising is that someone like me, with minimal networking experience, can get this done with free software and a cheap Wi-Fi adapter. Here's how it goes.

Tuesday, June 9, 2009

China Dominates NSA-Backed Computer Coding Contest

"With about 4,200 people participating in a US National Security Agency-supported international competition on everything from writing algorithms to designing components, 20 of the 70 finalists were from China, 10 from Russia, and 2 from the US. China's showing in the finals was helped by its large number of entrants, 894. India followed at 705, but none of its programmers was a finalist. Russia had 380 participants; the United States, 234; Poland, 214; Egypt, 145; and Ukraine, 128. Participation in the TopCoder Open was open to anyone, from student to professional; the contest proceeded through rounds of elimination that finished this month in Las Vegas. Rob Hughes, president and COO of TopCoder, says the strong finish by programmers from China, Russia, Eastern Europe and elsewhere is indicative of the importance those countries put on mathematics and science education.

"We do the same thing with athletics here that they do with mathematics and science there..."

Read more of this story at Slashdot

Thursday, June 4, 2009

Bruce Schneier - cloud computing is nothing new

IT is because Bruce 'knows' IT
...cloud computing is nothing new. It's the modern version of the timesharing model from the 1960s, which was eventually killed by the rise of the personal computer. It's what Hotmail and Gmail have been doing all these years, and it's social networking sites, remote backup companies, and remote email filtering companies such as MessageLabs. Any IT outsourcing -- network infrastructure, security monitoring, remote hosting -- is a form of cloud computing.

The old timesharing model arose because computers were expensive and hard to maintain. Modern computers and networks are drastically cheaper, but they're still hard to maintain. As networks have become faster, it is again easier to have someone else do the hard work. Computing has become more of a utility; users are more concerned with results than technical details, so the tech fades into the background.

You don't want your critical data to be on some cloud computer that abruptly disappears because its owner goes bankrupt. You don't want the company you're using to be sold to your direct competitor. You don't want the company to cut corners, without warning, because times are tight. Or raise its prices and then refuse to let you have your data back. These things can happen with software vendors, but the results aren't as drastic.

Trust is a concept as old as humanity, and the solutions are the same as they have always been. Be careful who you trust, be careful what you trust them with, and be careful how much you trust them. Outsourcing is the future of computing. Eventually we'll get this right, but you don't want to be a casualty along the way.

This essay originally appeared in The Guardian.

Monday, March 5, 2007

Dark Reading - Desktop Security - Vint Cerf: Father Knows Best - Security News Analysis

"Securing his baby won't be easy....
'Security is a mesh of actions and features and mechanisms,' he says. 'No one thing makes you secure.'"

Friday, January 12, 2007

I'm a Mac vs P.C. Bill Gates - Hello ... Linux

Good T.V. Spot?

I think you need a MAC; they are VERY pretty and soooo simple to use that an APE could do it. So if you're "artistic" with limited computer and software skills.... this is the system for YOU.

Did I mention it's pretty?




I say you MUST use a Microsoft-based computer if you want to play games and use the 10,000s of free applications the business world runs on. Without our Microsoft tools you will be hard pressed to get any "real" work or gaming done.

Did I mention your company can't run effectively without Microsoft tools?


I really don't care if you use the most stable platform, the one MACs are based on, which runs Microsoft tools "native". Hey, it's free, stable, runs anything and has millions of people for tech support, free.

Did I mention "no viruses", no malware and no "MAC a hacks"?



Apple Patches 100s of Security Flaws a Year...

Microsoft Warns of Attacks on Unpatched Windows, IE and Office Flaws...


Fact
Ratio of IT pros that are aware of obvious "open" security threats: 1 of 1000.

Ratio of preteen hackers that are aware of "open" security threats: 1 of 10 (then they i.m. the rest :-o)

I try to save $1000s on my systems as I invest the rest in viable security & performance "tweaks" and run Linux on the "day to day" work horses.

Saturday, January 6, 2007

Secure your network, NSA-style

(Via lifehacker.com)


If you're nutso for network security, the NSA's 60 Minute Network Security Guide PDF (yes, that NSA) should get your network up to brick wall status in - apparently - 60 minutes.

The guide, which checks in at just under 50 pages, is serious about airtight network security, urging you, for example, to enforce a password history of at least 24 different 12+ character passwords, swapping out passwords at least once every 90 days. The free PDF covers Windows and Unix security setups. If you give it a look, let us know how your network measures up to the NSA's specifications in the comments.
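One way to see how a Windows host measures up to the three figures quoted above (12+ character passwords, a history of 24, rotation within 90 days) is to parse the local policy and compare. This is an added example, not from the NSA guide or Lifehacker; it assumes the English-locale output of `net accounts`, and the Spec table, the function names and the sample lines are constructed here.

```powershell
# Added example: audit the local password policy against the guide's figures.
$Spec = @{ MinLength = 12; HistoryLength = 24; MaxAgeDays = 90 }

# Turn "Label:   value" lines from net accounts into a hashtable.
function ConvertFrom-NetAccounts([string[]]$Lines) {
    $policy = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(.+?):\s+(\S.*?)\s*$') {
            $policy[$Matches[1]] = $Matches[2]
        }
    }
    return $policy
}

# net accounts prints "None" for no history and "Unlimited" for no expiry.
# Both are the weakest possible setting, so map them to a failing value
# instead of treating them as zero or blank.
function ConvertTo-PolicyNumber([string]$Value, [int]$Weakest) {
    if ($Value -match '^\d+$') { return [int]$Value }
    return $Weakest
}

function Test-PasswordPolicy([string[]]$Lines = (net accounts)) {
    $p = ConvertFrom-NetAccounts $Lines
    $minLen  = ConvertTo-PolicyNumber $p['Minimum password length'] 0
    $history = ConvertTo-PolicyNumber $p['Length of password history maintained'] 0
    $maxAge  = ConvertTo-PolicyNumber $p['Maximum password age (days)'] ([int]::MaxValue)
    [pscustomobject]@{
        MinLength     = $minLen
        MinLengthOk   = $minLen  -ge $Spec.MinLength
        HistoryLength = $history
        HistoryOk     = $history -ge $Spec.HistoryLength
        MaxAgeDays    = $maxAge
        MaxAgeOk      = $maxAge  -le $Spec.MaxAgeDays
    }
}

# Constructed sample: a workstation with no history and no expiry, so the
# check can be exercised offline before running it against a real host.
$sample = @(
    'Minimum password age (days):                          0',
    'Maximum password age (days):                          Unlimited',
    'Minimum password length:                              0',
    'Length of password history maintained:                None'
)
Test-PasswordPolicy -Lines $sample
Test-PasswordPolicy            # audit this machine

# To bring a stand-alone host up to the guide's figures (domain members
# inherit these from Group Policy instead):
#   net accounts /minpwlen:12 /uniquepw:24 /maxpwage:90
```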

Thursday, December 28, 2006

Hotmail Crash & Burn - using MSN support

I installed a "silly" (MSN-recommended) security feature to "block cookies" on our work systems, as recommended BY MS.

I then went to access my Hotmail account (VIA POP) and lo and behold, POP not working.
While I assumed it was the new cookie blocker... I just thought I would "follow the rules" and go to the MSN Hotmail help site.

The image below is a screen shot of what I got. Zip, nothing: the MSN "help" is down.

While I know they were not trying to be "funny" by alerting me to a cookie flaw and how to fix it, that in turn generated a security flaw that finally brought me to the originating help site, which was "down".... This was an I.T. scream of a joke on me. You guys bust me up...

Thursday, December 7, 2006

Hacking a reputation in MySpace and Facebook

Schneier on Security "Fake Your Space" is a site where you can hire fake friends to leave their pictures and personalized comments on your page. Now you can pretend that you're more popular than you actually are... What's next? Services that verify friends on your friends' MySpace pages? Services that block friend verification services? Where will this all end up?
Comments I left are sad at best...

After 20 years of being part of the "collective" (since Commodork64 BBS years)
I must "assimilate" my life and take back the creative, unique, professional & social skills that the "collective" internet has eroded in me... because "the Internet is way better at letting us be weird than it was at helping us be normal."
I have great fear for my family, my friends & our future after watching the "social" networks turn our great nation into criminal, self-absorbed, socially dysfunctional, deviant junkies... I thought that was the government's job ;-)
Wow, a reference to "Whuffie"... I love your readers!