Letter to the Editor of *The New York Times*, published 6 Nov 2013

For many years, consumer privacy organizations urged Internet companies to adopt better practices to safeguard the personal information they collected. As data services expanded, we asked the companies to minimize collection when possible and to delete data when it was no longer necessary to keep. When cloud services were first offered, we proposed routine encryption for stored user data. We recommended segregating credit files and cautioned against the consolidation of user profiles. We urged the companies to support necessary updates to privacy laws that would lead to the adoption of new privacy-enhancing techniques. And when Google and the National Security Agency entered into a secret arrangement in 2010 about Internet security, we brought an open government lawsuit to make the agreement public.

Companies were often reluctant to adopt these security measures, arguing cost, convenience and trade secrets. They said that self-regulation was adequate and no new laws were necessary. Now we learn that vast amounts of user data have been unlawfully acquired by the N.S.A. and that companies are scrambling to implement new security practices to protect against our own government agencies ("Angry Over U.S. Surveillance, Tech Giants Bolster Defenses," front page, 1 Nov 2013).

Perhaps it is time to rethink the cloud computing model. The risks are too high. The safeguards are too weak. And the companies are not prepared to carry the responsibility of gathering so much user data.

Marc Rotenberg, Washington DC, 4 Nov 2013
[Marc Rotenberg is the president of the Electronic Privacy Information Center.]
[Note: This item comes from reader Randall Head, DLH, via Dave Farber]

* Wireless street lights can play music, video, interact with pedestrians and have 'Homeland Security' applications like video surveillance monitors.
* Las Vegas residents worry that the lights are an invasion of privacy -- 'Who's protecting our rights?'
* Some cities in the UK and Holland have street lights that reprimand pedestrians for minor offenses like littering.

*Daily Mail*, 10 Nov 2013
<http://www.dailymail.co.uk/news/article-2497624/Las-Vegas-street-lights-record-conversations.html>

Las Vegas is currently installing Intellistreet lights to their well-lit city. But Intellistreets are not just any street-lighting system. The wireless, LED lighting, computer-operated lights are not only capable of illuminating streets, they can also play music, interact with pedestrians and are equipped with video screens, which can display police alerts, weather alerts and traffic information. The high tech lights can also stream live video of activity in the surrounding area.

But there's one major concern. These new street lights, being rolled out with the aid of government funding, are also capable of recording video and audio.

Neil Rohleder with the Public Works Department told NBC News 3 in Las Vegas that the main reason for installing the new lighting system is not to record anyone or anything. "We want to develop more than just the street lighting component," Rohleder said. "We want to develop an experience for the people who come downtown."

But some residents worry that the lights, which are currently being tested in and around Las Vegas City Hall, are an invasion of privacy. Civil rights activist Daphne Lee told NBC News 3 that she is worried about her freedom as an American citizen.

"This technology, you know, is taking us to a place where, you know, you'll essentially be monitored from the moment you leave your home till the moment you get home."

On the Intellistreets website, inventor Ron Harwood explains that cameras for surveillance and recording devices can be installed in the light fixtures. But Las Vegas public works director Jorge Servantes told News 3 that recording pedestrians is not in the cards in the immediate future. "Right now our intention is not to have any cameras or recording devices. It's just to provide output out there, not to get any feed or video feed coming back."

That said, the lights are being touted as security devices that can assist with 'Homeland Security' measures by providing applications like video surveillance and motion sensors. Lee wonders: who is protecting our rights? ...

Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>
FYI—These scenarios only contemplate _passive_ surveillance; even the tiniest amount of non-passive activity would greatly magnify these effects: a computer system which fails on election day, a selected number of email accounts and/or text messaging systems become inaccessible at inopportune times, mobile phones whose connections are broken during press interviews, an inconvenient "backhoe fiber cut" which cancels a TV appearance, plane flights delayed due to computer glitches, etc. There's more than enough natural "static" under which to hide considerable amounts of mischief. http://www.theatlantic.com/politics/print/2013/11/the-surveillance-state-puts-us-elections-at-risk-of-manipulation/281232/ The Surveillance State Puts U.S. Elections at Risk of Manipulation By Conor Friedersdorf Did the Obama Administration ever spy on Mitt Romney during the recent presidential contest? Alex Tabarrok, who raised the question at the popular economics blog Marginal Revolution, acknowledges that it is provocative. Until recently, he would've regarded it as a "loony" question, he writes, and he doesn't think that President Obama ordered the NSA to spy on Romney for political gain. Let's be clear: I don't think so either. In every way, I regard Obama as our legitimate head of state, full stop. But I agree with Tabarrok that today, "the only loonies are those who think the question unreasonable." * Most Americans have a strong intuition that spying and electoral manipulation of that kind could never happen here. I share that intuition, but I know it's nonsense: the Nixon Administration did spy on its opponents for political gain. Why do I worry that an unreformed surveillance state could put us in even greater jeopardy of such shenanigans? Actually, I have a particular scenario in mind, and it seems frighteningly plausible. I'll sketch it out at the end of this article. But first, let's get back to Tabarrok: Do I think Obama ordered the NSA to spy on Romney for political gain? No. 
Some people claim that President Obama didn't even know about the full extent of NSA spying. Indeed, I imagine that President Obama was almost as surprised as the rest of us when he first discovered that we live in a mass surveillance state in which billions of emails, phone calls, Facebook metadata and other data are being collected. The answer is yes, however, if we mean did the NSA spy on political candidates like Mitt Romney. Did Mitt Romney ever speak with Angela Merkel, whose phone the NSA bugged, or any one of the dozens of her advisers that the NSA was also bugging? Did Romney exchange emails with Mexican President Felipe Calderon? Were any of Romney's emails, photos, texts or other metadata hoovered up by the NSA's break-in to the Google and Yahoo communications links? Almost certainly the answer is yes. Of course, that doesn't mean that Romney's information was improperly exploited during the election. "Did the NSA use the information they gathered on Mitt Romney and other political candidates for political purposes? Probably not," Tabarrok writes. "Will the next president or the one after that be so virtuous so as to not use this kind of power? I have grave doubts. Men are not angels." I'll tell you why I agree on both counts. Why do I doubt Romney was treated unfairly? Because I doubt Obama would have dared order it, and because the prospect of a Romney victory didn't threaten either the NSA nor a contractor like Booz Allen Hamilton nor the national-security state generally. There was reason to believe he'd have been friendlier to them than Obama! The scenario I worry about most isn't actually another Richard Nixon type in the Oval Office, though that could certainly happen. What I worry about actually more closely resembles Mark Felt, the retired FBI agent exposed 32 years after Watergate as Deep Throat—that is, I worry more about people high up inside the national-security state using their insider knowledge to help take down a politician. 
Is part of the deference they enjoy due to politicians worrying about that too? Imagine a very plausible 2016 presidential contest in which an anti-NSA candidate is threatening to win the nomination of one party or the other -- say that Ron Wyden is challenging Hillary Clinton, or that Rand Paul might beat Chris Christie. Does anyone doubt where Keith Alexander or his successor as NSA director would stand in that race? Or in a general election where an anti-NSA candidate might win? What would an Alexander type do if he thought the victory of one candidate would significantly rein in the NSA with catastrophic effects on national security? Would he really do nothing to prevent their victory? I don't know. But surely there is some plausible head of the NSA who'd be tempted to use his position to sink the political prospects of candidates antagonistic to the agency's interests. And we needn't imagine something so risky and unthinkable as direct blackmail. Surveillance-state defenders will want to jump in here and insist that there are already internal safeguards and congressional oversight to prevent the abuses I am imagining. But I don't buy it. It isn't just that I can't help but think Alexander could find a way to dig up dirt on politicians if he wanted to without it ever getting out to overseers or the public. Forget about Alexander. Let's think about someone much lower in the surveillance state hierarchy: Edward Snowden. As we know, Snowden broke protocol and violated his promise to keep classified information secret because his conscience demanded it: He believed that he was acting for the greater good; his critics have called him a narcissist for taking it upon himself to violate rules and laws he'd agreed to obey. 
It isn't hard to imagine an alternative world in which the man in Snowden's position was bent not on reforming the NSA, but on thwarting its reformers -- that he was willing to break the law in service of the surveillance state, fully believing that he was acting in the best interests of the American people. A conscience could lead a man that way too. This Bizarro Edward Snowden wouldn't have to abscond to a foreign country with thousands of highly sensitive documents. He wouldn't have to risk his freedom. Affecting a U.S. presidential election would be as easy as quietly querying Rand Paul, or Ron Wyden, or one of their close associates, finding some piece of damaging information, figuring out how someone outside the surveillance state could plausibly happen upon that information, and then passing it off anonymously or with a pseudonym to Politico, or The New York Times, or Molly Ball. Raise your hand if you think that Snowden could've pulled that off. And if you were running for president, or senator, even today, might you think twice about mentioning even an opinion as establishment friendly as, "Hey, I'm all for NSA surveillance, but I don't trust a private contractor like Booz Allen Hamilton to do it"? Maybe safeguards put in place since the first Snowden leak would prevent a Bizarro Edward Snowden with strong Booz loyalties from targeting you. Maybe. Why risk it? In yet another scenario, the NSA wouldn't go so far as to use information obtained through surveillance to affect an election. But they'd use it to their advantage to thwart the reform agenda of the candidate they didn't like if he or she won. And maybe the NSA would be as horrified by this sort of thing as I am. But maybe one of their contractors is on the payroll of a foreign government, and that person wants to affect a presidential election by exploiting the unprecedented amounts of data that the surveillance state has collected and stored on almost everyone. 
American democracy could be subverted in all sorts of hypothetical ways. Why worry about this one in particular? Here's the general standard I'd submit as the one that should govern our thinking: If a powerful institutional actor within government has a strong incentive to do something bad, the means to do it, and a high likelihood of being able to do it without getting caught, it will be done eventually. The NSA has the incentive. At least as recently as the Snowden leaks, an unknown number of its employees or contractors had the means. And many informed observers believe abuse undetected by overseers could be easily accomplished. If this particular abuse happened, it would be ruinous to self-government. Let's fix this before it causes a scandal even bigger than Watergate—or permits behavior more scandalous than Watergate that is never uncovered, rectified or punished. *And yes, it's just as legitimate to ask, did the Bush Administration spy on John Kerry? **How sure are we that we know why he leaked? This article available online at: http://www.theatlantic.com/politics/archive/2013/11/the-surveillance-state-puts-us-elections-at-risk-of-manipulation/281232/
Monica Goya, IT Business, 12 Nov 2013 http://www.itbusiness.ca/blog/internet-gambling-play-at-your-own-risk/44701
A Fraying of the Public/Private Surveillance Partnership
http://www.theatlantic.com/technology/archive/2013/11/a-fraying-of-the-public-private-surveillance-partnership/281289/

The public/private surveillance partnership between the NSA and corporate data collectors is starting to fray. The reason is sunlight. The publicity resulting from the Snowden documents has made companies think twice before allowing the NSA access to their users' and customers' data.

Pre-Snowden, there was no downside to cooperating with the NSA. If the NSA asked you for copies of all your Internet traffic, or to put backdoors into your security software, you could assume that your cooperation would forever remain secret. To be fair, not every corporation cooperated willingly. Some fought in court. But it seems that a lot of them, telcos and backbone providers especially, were happy to give the NSA unfettered access to everything.

Post-Snowden, this is changing. Now that many companies' cooperation has become public, they're facing a PR backlash from customers and users who are upset that their data is flowing to the NSA. And this is costing those companies business. How much is unclear. In July, right after the PRISM revelations, the Cloud Security Alliance reported that US cloud companies could lose $35 billion over the next three years, mostly due to losses of foreign sales. Surely that number has increased as outrage over NSA spying continues to build in Europe and elsewhere. There is no similar report for software sales, although I have attended private meetings where several large US software companies complained about the loss of foreign sales. On the hardware side, IBM is losing business in China. The US telecom companies are also suffering: AT&T is losing business worldwide.

This is the new reality. The rules of secrecy are different, and companies have to assume that their responses to NSA data demands will become public. This means there is now a significant cost to cooperating, and a corresponding benefit to fighting.

Over the past few months, more companies have woken up to the fact that the NSA is basically treating them as adversaries, and are responding as such. In mid-October, it became public that the NSA was collecting e-mail address books and buddy lists from Internet users logging into different service providers. Yahoo, which didn't encrypt those user connections by default, allowed the NSA to collect much more of its data than Google, which did. That same day, Yahoo announced that it would implement SSL encryption by default for all of its users. Two weeks later, when it became public that the NSA was collecting data on Google users by eavesdropping on the company's trunk connections between its data centers, Google announced that it would encrypt those connections.

We recently learned that Yahoo fought a government order to turn over data. Lavabit fought its order as well. Apple is now tweaking the government. And we think better of those companies because of it.

Now Lavabit, which closed down its e-mail service rather than comply with the NSA's request for the master keys that would compromise all of its customers, has teamed with Silent Circle to develop a secure e-mail standard that is resistant to these kinds of tactics.

The Snowden documents made it clear how much the NSA relies on corporations to eavesdrop on the Internet. The NSA didn't build a massive Internet eavesdropping system from scratch. It noticed that the corporate world was already eavesdropping on every Internet user—surveillance is the business model of the Internet, after all—and simply got copies for itself. Now, that secret ecosystem is breaking down.

Supreme Court Justice Louis Brandeis wrote about transparency, saying "Sunlight is said to be the best of disinfectants." In this case, it seems to be working. These developments will only help security.
Remember that while Edward Snowden has given us a window into the NSA's activities, these sorts of tactics are probably also used by other intelligence services around the world. And today's secret NSA programs become tomorrow's PhD theses, and the next day's criminal hacker tools. It's impossible to build an Internet where the good guys can eavesdrop, and the bad guys cannot. We have a choice between an Internet that is vulnerable to all attackers, or an Internet that is safe from all attackers. And a safe and secure Internet is in everyone's best interests, including the US's.
Exclusive: Snowden persuaded other NSA workers to give up passwords - sources
Mark Hosenball and Warren Strobel, Reuters, 07 Nov 2013

Former U.S. National Security Agency contractor Edward Snowden used login credentials and passwords provided unwittingly by colleagues at a spy base in Hawaii to access some of the classified material he leaked to the media, sources said.

A handful of agency employees who gave their login details to Snowden were identified, questioned and removed from their assignments, said a source close to several U.S. government investigations into the damage caused by the leaks.

Snowden may have persuaded between 20 and 25 fellow workers at the NSA regional operations center in Hawaii to give him their logins and passwords by telling them they were needed for him to do his job as a computer systems administrator, a second source said.

The revelation is the latest to indicate that inadequate security measures at the NSA played a significant role in the worst breach of classified data in the super-secret eavesdropping agency's 61-year history.

Reuters reported last month that the NSA failed to install the most up-to-date, anti-leak software at the Hawaii site before Snowden went to work there and downloaded highly classified documents belonging to the agency and its British counterpart, Government Communications Headquarters.

It is not clear what rules the employees broke by giving Snowden their passwords, which allowed the contractor access to data that he was not authorized to see.

Snowden worked at the Hawaii site for about a month last spring, during which he got access to and downloaded tens of thousands of secret NSA documents.

COVERING TRACKS

"In the classified world, there is a sharp distinction between insiders and outsiders. If you've been cleared and especially if you've been polygraphed, you're an insider and you are presumed to be trustworthy," said Steven Aftergood, a secrecy expert with the Federation of American Scientists.

"What agencies are having a hard time grappling with is the insider threat, the idea that the guy in the next cubicle may not be reliable," he added.

Officials with the NSA and the Office of Director of National Intelligence declined to comment due to a criminal investigation related to Snowden, who disclosed previously secret U.S. government mass surveillance programs while in Hong Kong in June and then fled to Russia where he was granted temporary asylum.

People familiar with efforts to assess the damage to U.S. intelligence caused by Snowden's leaks have said assessments are proceeding slowly because Snowden succeeded in obscuring some electronic traces of how he accessed NSA records.

The sources did not know if the NSA employees who were removed from their assignments were given other duties or fired.

While the U.S. government now believes it has a good idea of all the data Snowden could have accessed, investigators are not positive which and how much of that data Snowden actually downloaded, the sources said.

Snowden and some of his interlocutors, such as former Guardian writer Glenn Greenwald, have said that Snowden provided NSA secrets only to media representatives such as Greenwald, filmmaker Laura Poitras, and a reporter with the British newspaper. They have emphatically denied that he provided any classified material to countries such as China or Russia.

The revelation that Snowden got access to some of the material he leaked by using colleagues' passwords surfaced as the U.S. Senate Intelligence Committee approved a bill intended in part to tighten security over U.S. intelligence data.

One provision of the bill would earmark a classified sum of money - estimated as less than $100 million - to help fund efforts by intelligence agencies to install new software designed to spot and track attempts to access or download secret materials without proper authorization.

The bill also requires that the Director of National Intelligence set up a system requiring intelligence contractors to quickly report to spy agencies on incidents in which data networks have been penetrated by unauthorized persons.

(Editing by Alistair Bell and Paul Simao)
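The pattern the Reuters story describes, one workstation authenticating as twenty-odd different colleagues over a short period, is detectable from ordinary authentication logs, which is what the "software designed to spot and track attempts to access ... without proper authorization" would have to do. The script below is an added example, not anything from Reuters or the NSA: it runs over constructed, hypothetical log lines of the form `TIMESTAMP user=<u> host=<h> result=<ok|fail>` and flags hosts on which more than a threshold number of distinct accounts log in inside one window, and accounts that log in from more than one host inside that window. The log format, field names, eight-hour window and thresholds are all assumptions to be tuned to a real environment.

```python
"""Added example (not from the Reuters story): flag credential sharing from
authentication logs.  Log format, window and thresholds are assumptions;
the sample log lines are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+)\s+user=(\S+)\s+host=(\S+)\s+result=(\S+)$")
WINDOW = timedelta(hours=8)     # assumed: roughly one shift
MAX_USERS_PER_HOST = 2          # assumed: a shared admin host may see two people

# Constructed sample log: ws-31 is used by four different accounts within
# twenty minutes, and bob's account appears on two different hosts.
SAMPLE_LOG = """\
2013-04-02T08:01:10 user=alice host=ws-17 result=ok
2013-04-02T08:03:44 user=bob host=ws-22 result=ok
2013-04-02T08:05:02 user=carol host=ws-09 result=ok
2013-04-02T09:10:00 user=dave host=ws-31 result=ok
2013-04-02T09:12:35 user=bob host=ws-31 result=ok
2013-04-02T09:15:20 user=erin host=ws-31 result=ok
2013-04-02T09:20:07 user=frank host=ws-31 result=fail
2013-04-02T09:21:49 user=frank host=ws-31 result=ok
2013-04-03T08:00:05 user=alice host=ws-17 result=ok
"""


def parse(log: str):
    """Yield (timestamp, user, host) for successful logins; skip failures and junk."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) != "ok":
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def _distinct_within_window(events, limit):
    """events: time-sorted (ts, value).  Return the sorted set of distinct
    values seen in the first window that exceeds `limit`, else None."""
    for i, (start, _) in enumerate(events):
        seen = {v for t, v in events[i:] if t - start <= WINDOW}
        if len(seen) > limit:
            return sorted(seen)
    return None


def find_credential_sharing(log: str) -> dict:
    """Return {'crowded_hosts': {host: [users]}, 'roaming_users': {user: [hosts]}}."""
    events = sorted(parse(log))          # sorts by timestamp first
    by_host = defaultdict(list)
    by_user = defaultdict(list)
    for ts, user, host in events:
        by_host[host].append((ts, user))
        by_user[user].append((ts, host))

    crowded_hosts = {}
    for host, evs in by_host.items():
        users = _distinct_within_window(evs, MAX_USERS_PER_HOST)
        if users:
            crowded_hosts[host] = users

    roaming_users = {}
    for user, evs in by_user.items():
        hosts = _distinct_within_window(evs, 1)   # more than one host
        if hosts:
            roaming_users[user] = hosts

    return {"crowded_hosts": crowded_hosts, "roaming_users": roaming_users}


if __name__ == "__main__":
    for kind, hits in find_credential_sharing(SAMPLE_LOG).items():
        for key, values in hits.items():
            print(f"{kind}: {key} -> {', '.join(values)}")
```

Only successful logins count, so a colleague mistyping a password on a shared box does not trigger the rule; the forward-looking window means a host is flagged as soon as the third distinct account appears within eight hours of the first. Service accounts and genuinely shared consoles need an allow-list before this is run for real.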
[Note: This item comes from friend David Isenberg. Moglen is in the process of giving a four-part series of talks on this subject. Links to the first two are below. You can go back to the website in the coming weeks to pick up the remainder. The talks are available in a number of formats. I rate this series as a must watch/listen! DLH (via Dave Farber)] From: David S. Isenberg (g) <isen@isen.com> Subject: Eben Moglen: Snowden and the Future Date: November 12, 2013 at 7:48:02 AM PST To: Dewayne Hendricks <dewayne@warpspeed.com> Dewayne, The members of your technology list may find this of interest. Eben Moglen, the Columbia University law professor who founded the Open Software Law Foundation, has delivered two lectures, entitled "Snowden and the Future," that cast today's events in a broad historical and sociological context. <http://snowdenandthefuture.info/PartI.html> <http://snowdenandthefuture.info/PartII.html> David I Dewayne-Net RSS Feed: <http://dewaynenet.wordpress.com/feed/>
National Cyber Awareness System: TA13-309A: CryptoLocker Ransomware Infections
https://www.us-cert.gov/ncas/alerts/TA13-309A
Original release 05 Nov 2013, Last revised 13 Nov 2013

Systems Affected

Microsoft Windows systems running Windows 8, Windows 7, Vista, and XP operating systems

Overview

US-CERT is aware of a malware campaign that surfaced in 2013 and is associated with an increasing number of ransomware infections. CryptoLocker is a new variant of ransomware that restricts access to infected computers and demands the victim provide a payment to the attackers in order to decrypt and recover their files. As of this time, the primary means of infection appears to be phishing emails containing malicious attachments.

Description

CryptoLocker appears to have been spreading through fake emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. In addition, there have been reports that some victims saw the malware appear following a previous infection from one of several botnets frequently leveraged in the cyber-criminal underground.

Impact

The malware has the ability to find and encrypt files located within shared network drives, USB drives, external hard drives, network file shares and even some cloud storage drives. If one computer on a network becomes infected, mapped network drives could also become infected. CryptoLocker then connects to the attackers' command and control (C2) server to deposit the asymmetric private encryption key out of the victim's reach.

Victim files are encrypted using asymmetric encryption. Asymmetric encryption uses two different keys for encrypting and decrypting messages. Asymmetric encryption is a more secure form of encryption as only one party is aware of the private key, while both sides know the public key.

While victims are told they have three days to pay the attacker through a third-party payment method (MoneyPak, Bitcoin), some victims have claimed online that they paid the attackers and did not receive the promised decryption key.

US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3) [ http://www.ic3.gov ].

Solution

*Prevention*

US-CERT recommends users and administrators take the following preventative measures to protect their computer networks from a CryptoLocker infection:

* Do not follow unsolicited web links in email messages or submit any information to webpages in links.
* Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments [ http://www.us-cert.gov/ncas/tips/st04-010 ] for more information on safely handling email attachments.
* Maintain up-to-date anti-virus software.
* Perform regular backups of all systems to limit the impact of data and/or system loss.
* Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity.
* Secure open-share drives by only allowing connections from authorized users.
* Keep your operating system and software up-to-date with the latest patches.
* Refer to the Recognizing and Avoiding Email Scams document http://www.us-cert.gov/sites/default/files/publications/emailscams_0905.pdf (pdf) for more information on avoiding email scams.
* Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks [ http://www.us-cert.gov/ncas/tips/st04-014 ] for more information on social engineering attacks.

*Mitigation*

US-CERT suggests the following possible mitigation steps that users and administrators can implement if they believe a computer has been infected with CryptoLocker malware:

* Immediately disconnect the infected system from the wireless or wired network. This may prevent the malware from further encrypting any more files on the network.
* Users who are infected should change all passwords AFTER removing the malware from their system.
* Users who are infected with the malware should consult with a reputable security expert to assist in removing the malware, or users can retrieve encrypted files by the following methods:
  * Restore from backup,
  * Restore from a shadow copy or
  * Perform a system restore.

[Lots of References: See original]
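The alert's Impact section is the part defenders can act on before the ransom note appears: a mapped share that is being encrypted fills up with files whose bytes look random. The script below is an added example, not part of the US-CERT alert or of any vendor tool; it walks a directory tree, computes the Shannon entropy of each file and reports the ones that look encrypted, the kind of check a file-server monitor can run periodically so that the "disconnect the infected system" step happens while most of the share is still intact. The entropy threshold, the minimum file size, the directory layout and the sample file contents are all constructed assumptions.

```python
"""Added example (not from the US-CERT alert): flag files on a share whose
contents look encrypted, using byte entropy.  Threshold, minimum size and
the constructed sample files are assumptions for this example."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed cut-off, tune per environment
MIN_SIZE = 256            # skip tiny files, whose entropy estimate is noisy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True if the file is big enough to judge and its bytes are near-random.
    Compressed formats (zip, jpeg, ...) also score high; a production scanner
    should exempt those by magic bytes before alerting."""
    data = path.read_bytes()
    if len(data) < MIN_SIZE:
        return False
    return shannon_entropy(data) >= ENTROPY_THRESHOLD


def scan_tree(root: Path) -> dict:
    """Walk root; return {'suspect': [relative paths], 'total': n, 'ratio': f}."""
    suspect = []
    total = 0
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            total += 1
            if looks_encrypted(p):
                suspect.append(p.relative_to(root).as_posix())
    ratio = len(suspect) / total if total else 0.0
    return {"suspect": sorted(suspect), "total": total, "ratio": ratio}


def build_sample_share() -> Path:
    """Construct a throw-away directory standing in for a mapped share:
    three plain-text documents and two files of random bytes that play the
    role of documents already overwritten by a ransomware run."""
    root = Path(tempfile.mkdtemp(prefix="share_"))
    (root / "finance").mkdir()
    report = ("Quarterly report: revenue up 3%, costs flat. " * 40).encode()
    (root / "finance" / "q3.txt").write_bytes(report)
    (root / "notes.txt").write_bytes(b"Meeting notes. " * 60)
    (root / "readme.txt").write_bytes(b"short")            # too small to judge
    (root / "finance" / "q2.txt.encrypted").write_bytes(os.urandom(4096))
    (root / "contract.docx.encrypted").write_bytes(os.urandom(4096))
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_share())
    print(f"{len(result['suspect'])}/{result['total']} files look encrypted: "
          f"{result['suspect']}")
```

English text sits around 4 to 5 bits per byte, so the two random-byte files stand out clearly; what matters operationally is the trend, a share that went from a handful of high-entropy files to hundreds in minutes, which is why `scan_tree` also returns the ratio rather than only the list.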
Roger A. Grimes, InfoWorld, 12 Nov 2013 Did a noted security researcher find a superbug—or go crazy? In light of the facts, supposed existence of BadBIOS doesn't add up http://www.infoworld.com/d/security/4-reasons-badbios-isnt-real-230636