Archive for the '/articles/security' Category

MI5 to send e-mail terror alerts

Tuesday, January 9th, 2007

I may actually subscribe to the “what’s new” service; the paranoia
levels change so infrequently as to be meaningless - we’re still at
the “second-highest” level and have been so for months, at worst
they’ll crank it up when some public event is about to happen, or
retrospectively after a bomb goes off, so where’s the information in
either of those scenarios?


However a view into MI5’s spin machine might be interesting.



BBC News


MI5 to send e-mail terror alerts


A system sending e-mail terror alerts to the public is being launched
by security chiefs at MI5. People will be able to register on the
MI5 website to receive updates when the threat level changes.


The initiative follows considerable interest in similar information
for the public introduced in August on the MI5 and Home Office
websites.


[…]


There will be two types of service on offer initially.


The first, called Threat Level Only, will inform the recipient if
the nationwide terror threat level changes. The condition is currently
listed as severe.


The second more inclusive service is called What’s New, and will
be a digest of the latest information from MI5, including speeches
made by the director general and links to relevant websites.


The level of the terror threat to the UK is assessed by the
government’s Joint Terrorism Analysis Centre.


The current threat is set at the second highest level, “severe”,
which means an attack is considered “highly likely”.


In November, Dame Eliza, MI5’s director general, warned the terror
threat was “serious” and “growing”, and that 1,600 individuals were
being kept under surveillance.



Update / Thought: just think of it: a database of e-mail
addresses and phone numbers for the most paranoid people in Britain;
the traffic will not contain breaking news, that’s for sure, so what’s
the point other than for “things being seen to be done”?



IT worker indicted in hacking scheme at health firm

Wednesday, December 20th, 2006

news.com.com.com


A systems administrator who apparently feared imminent layoffs was
arrested Tuesday in connection with installing “destructive computer
code” on servers at his company, a major manager of prescription
benefit plans.


FBI agents arrested Yung-Hsun “Andy” Lin, 50, at his Montville, N.J.,
home on Tuesday morning, one day after a grand jury returned a
two-count indictment (PDF) against him.


The indictment accuses Lin of planting a “logic bomb” sometime around
October 2003 that, if activated successfully, would have deleted
“virtually all information” on more than 70 HP-Unix servers at Medco
Health Solutions and wreaked havoc on the business and its users.


The servers contained numerous applications and databases that managed
bills, rebates, new prescription call-ins from doctors, insurance
coverage, and clinical assessments of patients. One database that
received special attention in the indictment, known as the Drug
Utilization Review, was designed to allow pharmacists to see what
drugs patients were already taking so that they could determine
whether taking different medicines simultaneously was safe.


“The potential damage to Medco and the patients and physicians served
by the company cannot be understated,” Christopher Christie,
U.S. attorney for the New Jersey district, said in a statement.


continues…



(Via) Adriana.



Jailed ID Thieves Thwart Cops With Crypto

Monday, December 18th, 2006

Reading the attached, I’d expect the tabloid press to come up with a rant like:


This country needs a law so that

criminals who try and hide their activity behind walls of
cryptography
can be prosecuted for not handing over the key to
incriminate themselves!


…but, wait, there
already is one.


Does the Government not consider this an excellent opportunity to employ the
Regulation of Investigatory Powers Act?
After all, Caspar Bowden of FIPR explains:-

Caspar Bowden


“The burden of proof is on the suspect to prove that they don’t have
the key, and if they fail, they go to prison. But if they can give an
explanation for not having the key, then the prosecution must prove
beyond reasonable doubt that they are lying,” Bowden said.


Bowden explained that in circumstances when the police suspected
someone had encrypted incriminating data, officers could issue an
order under Section 49 of the act, ordering the suspect to hand over
the key. Failure to do so could lead to a prosecution under Section 53
of the Act.


…and what is described in the attached sounds pretty squarely like
the target circumstances: organised crime, crypto, willfulness…

Are they perhaps worried about setting a bad precedent? That RIPA is
a bad act, and that a test case in the wrong circumstances might go
awry?

Hohum.

Does anyone else want to help me reverse engineer the “400
computers and 12 years”
statistic into a target algorithm?

news.com.com.com


Jailed ID thieves thwart cops with crypto


Three men have been jailed in the U.K. for their part in a massive
data theft operation.


One of the accused ringleaders of the gang, Anton Dolgov–also known
as Gelonkin–was sentenced to six years at London’s Harrow Crown
Court on Wednesday for his part in the theft of millions of dollars
from victims in countries including the U.K. and the U.S.


The ID thieves used stolen credit card numbers and created false
identities to buy high-end electronics and other goods, which they
then resold on eBay, prosecutors said.


The gang pleaded guilty to conspiracy to defraud, obtain services
by deception, acquire, use and possess criminal property, and
conceal, disguise, convert, transfer or remove criminal property.


One of the gang members, Aleksei Kostap, was also found guilty of
perverting the course of justice, and was sentenced to four years’
imprisonment.


When the gang’s premises were raided by the members of the Serious
and Organised Crime Agency (SOCA), Kostap was handcuffed with his
hands in front of his body. He managed to leap up and flick an
electrical switch that wiped databases that could have contained
records of the gang’s activities stretching back more than 10 years,
SOCA said.


Kostap’s action also triggered intricate layers of encryption on
the gang’s computer systems, which SOCA’s experts were unable to
crack, the court heard.


SOCA was not prepared to discuss what encryption was used or why
it was unable to decrypt it, as such information would enable other
criminals to use the same methods.


According to the Crown Prosecution Service (CPS), which confirmed that
Kostap had activated the encryption after being arrested, it would
take 400 computers 12 years to crack the code.


Because much data was inaccessible to the police, it is not known
how much the criminals profited from their operation, but it is
believed that they made millions of dollars. Police were able to
find evidence of 750,000 pounds ($1.46 million) worth of transactions
between 2003 and 2006, but the gang had been operating since the
mid-’90s.


“The true scale of the gang’s crimes will probably never be known,”
said a representative for the CPS.


continues…



(Via)



Reinventing IDS - Intrusion Detection Systems, and Solaris

Sunday, December 10th, 2006

An essay by Dave Walker.
If you deploy Solaris - or even if you don’t - and are thinking about IDS,
go read.



precrime unit established. minority report, anyone?

Monday, November 27th, 2006

…and with ID cards they could stop them buying, say, big knives?
Or garden shredders with which they might dispose of the evidence?


“Fargo” was in Wiltshire, after all, wasn’t it?


Via Bart:



news.com.au


BRITISH criminal psychologists are putting together a list of the 100
most dangerous murderers and rapists before they have committed any
such crimes, The Times has reported.


Experts from London’s Metropolitan Police’s Homicide Prevention Unit
are creating psychological profiles, compiled through statements from
previous partners, information from mental health workers, and details
of past complaints.


“My vision is that we know across London who the top 100 people are,”
Homicide Prevention Unit senior criminal psychologist Laura Richard
said.


“We need to know who we are targeting.”


The team is apparently focusing its work on reducing the risk of those
with a history of involvement in domestic violence turning to murder -
about 25 per cent of all murders are related to domestic violence, the
newspaper said.


Pilot projects to target high-risk future offenders have been operating in five London boroughs for about two months.


Once an individual has been targeted, police can decide whether to
make moves towards an arrest - though the newspaper did not specify on
what grounds this could occur - or they could alert relevant social
services.


The report was met with opposition from privacy groups with Simon
Davies, director of Privacy International telling the newspaper: “It
is quite right that the police should keep intelligence on suspected
criminals, but it is obscene to suggest there should be a … list of
those who might commit an offence.





Easy AppleID Password & Account Theft

Tuesday, November 21st, 2006

This afternoon I received an e-mail:


Subject: We’re Unable to Reset Your Apple Password

From: AppleID@apple.com

Date: Tue, 21 Nov 2006 02:55:15 +0000 (GMT)


Dear alec muffett,


We apologize but we were unable to verify your account information
with the answers you provided to our security questions.


Because too many invalid attempts were made to answer these questions,
you will not be able to reset your password for the next 8 hours.


If you need further assistance, please visit:


http://survey.info.apple.com/feedback/appleid.html


Thank You.



…which perplexed me mightily, because I have not touched my Apple
Store account for several weeks. Therefore there is only one
conclusion that could be drawn: someone is trying to hack into my Apple
Store account to retrieve my credit card details. It can’t be an
accident, it’s not like my name is particularly common, or that many
people with that name would share my birthday.


But that shouldn’t be possible, right?


Well, it turns out that it is possible.


You see, it used to be that if you wanted to change your Apple ID
password, you would receive an e-mail which looked like:


(example from 2004)


Date: Wed, 21 Apr 2004 14:11:45 +0000 (GMT)

From: AppleID@apple.com

Subject: How to Reset Your Apple Password


Dear Alec Muffett,


To reset your Apple password, please click on the link below or copy
and paste the address onto your web browser’s address window. Once
you’re on the web page, you will be instructed to enter and confirm
your new password.


https://iforgot.apple.com/cgi-bin/resetPassword.cgi?key=ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ&language=US-EN


Please note that this link will expire 3 hours from the time it was
sent.


If you require further assistance in resetting your password, please
visit:


http://survey.info.apple.com/feedback/appleid.html


Thank you for contacting Apple.



…but no more.


It now appears that the dialogue merely requires you to answer your
“security question” for password recovery, typically some piece of
trivia, which in association with your month and year of birth will be
all that is necessary to retrieve your credit card numbers and billing
address.


The confirmatory e-mail and requirement to click on a password-change
confirmation link has been rescinded, so unless your “password
recovery” question is really really obscure, then knowing your
birthdate someone can trivially get at your details and
mess around, possibly stealing stuff off of your account and billing it to you.


I know this works, because I just tried it on myself as a proof-of-concept.


This is a dreadful situation, and I implore Apple to reinstate the
extra HTTP security check at soonest opportunity.


If you have an Apple ID and you want to check how easy it is to change your password without
any requirement for external authentication, go to http://store.apple.com/
and click on Sign in or create your own personal account.


Then click Did you forget your password? Click here for assistance.


A pop-up window will be created; either enter your Apple ID directly, or
click on the Forgot your Apple ID? button which will accept any
recent e-mail address of an Apple customer.


Then try guessing, or supply the answer to the Security Question. If
you manage it, you can set a new password and Voila! you have
access to your patsy’s credit card details.


Tell your friends: This sucks. Randomise the answer to your security question immediately, and store that answer in a safe place.


And complain to Apple. Hell, this is an old hack, it’s not far removed from the way
Paris Hilton had her phone hacked.
A company like Apple should be beyond this sort of thing, even in the name of usability.



UPDATE:
For those who want to walk through the dialogue
- or who for local circumstances or cookies will not be able to
reproduce it
- I’ve snapshotted the whole thing
here; I reckon the only things which saved me from being ripped-off
are that:



  • My cat is not a single colour
  • I lied about the colour anyway, and chose something different
  • I almost never save my credit details with a vendor


But I am paranoid. Lots of people are not.



Screenshot captions from the walkthrough:

  • Start At The Top
  • Now Sign In
  • Oops I Forgot My Password, Honest Guv...
  • I Even Forgot My Login Name
  • Option 2 Is The Fraudster's Route
  • What's Your Birthday?
  • Answer The Security Question
  • If you choose unwisely...

…but if you guess right, you 0wn the user’s account.
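As an added example (not Apple’s code, and not from the original post), here is a model of the reset flow the 2004 e-mail describes: a random key sent only to the mailbox on file, valid for 3 hours and usable once, with no security question or birthday involved. The class, the hostname and the storage layout are assumptions for illustration.

```python
# Added example (not Apple's code): a password-reset flow that requires
# possession of the mailbox on file, modelled on the 2004 e-mail above.
# The class, hostname and storage layout are assumptions for illustration.
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 3 * 60 * 60   # the 2004 e-mail: link expires 3 hours after sending
PBKDF2_ROUNDS = 100_000


def _hash_password(password, salt=None):
    """Salted PBKDF2, so a copy of the account table does not yield passwords."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def token_from_link(link):
    """Pull the key back out of a reset link, as the browser would submit it."""
    return parse_qs(urlparse(link).query)["key"][0]


class ResetService:
    """Reset by e-mailed key: no security question, no birthday, nothing to guess."""

    def __init__(self, clock=time.time):
        self.clock = clock        # injectable so expiry can be tested offline
        self.accounts = {}        # apple_id -> {"email": str, "pw": (salt, digest)}
        self.pending = {}         # sha256(key) -> (apple_id, expires_at)
        self.outbox = []          # (recipient, link) pairs the service "sent"

    def register(self, apple_id, email, password):
        self.accounts[apple_id] = {"email": email, "pw": _hash_password(password)}

    def request_reset(self, apple_id):
        """Step 1: anyone may ask, but the key goes only to the address on file.

        Returns nothing either way, so the caller learns neither whether the
        ID exists nor the key itself.
        """
        acct = self.accounts.get(apple_id)
        if acct is None:
            return
        key = secrets.token_urlsafe(32)                     # 256 random bits
        digest = hashlib.sha256(key.encode()).hexdigest()   # store a hash, not the key
        self.pending[digest] = (apple_id, self.clock() + TOKEN_TTL_SECONDS)
        link = f"https://reset.example.invalid/resetPassword?key={key}"
        self.outbox.append((acct["email"], link))

    def complete_reset(self, key, new_password):
        """Step 2: presenting a live key proves control of the mailbox."""
        digest = hashlib.sha256(key.encode()).hexdigest()
        entry = self.pending.pop(digest, None)      # single use: gone once looked up
        if entry is None:
            return False
        apple_id, expires_at = entry
        if self.clock() > expires_at:
            return False                            # the 3-hour window has passed
        self.accounts[apple_id]["pw"] = _hash_password(new_password)
        return True

    def verify_password(self, apple_id, password):
        salt, digest = self.accounts[apple_id]["pw"]
        _, candidate = _hash_password(password, salt)
        return hmac.compare_digest(digest, candidate)


def random_security_answer(nbytes=18):
    """The post's advice for users: an unguessable answer, kept somewhere safe."""
    return secrets.token_urlsafe(nbytes)
```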





A primer on the failings of British ID cards

Tuesday, November 14th, 2006

If you ever feel the need to find or cite an introduction to the
British ID Card proposition, and of the likely failings, weaknesses
and actual threats of it, my friend and colleague
Dave Walker
has
posted a clear and concise summary
which I recommend to all.


The matter of ID cards came up at the weekend
party
where Brian Micklethwait
and Antoine Clarke
amongst others were trying to compose arguments in favour of cards,
so as to “think like their opposition” and put themselves ahead of the
game; I recommended against this activity because I don’t think it’s
wise to let your opponent know your own perceived weaknesses and
prefer to think on my feet instead, but by then there was enough
booze in the air that cynical debate was not going to get airtime.


Incidentally, as I remember it, the pro-card argument put forth by
Brian was that the Police will be happy with identity cards, even
forged identity cards, because frequent demanding presentation of
identity cards will leave a breadcrumb-like trail of activity behind
any miscreant. I
believe Forsyth’s “Day of the Jackal” was presented
as example of this.


To me, this has a pair of fairly obvious complementary counterarguments in
snowballing - viz: carry enough disposable fake identity cards and use
them one time only - which makes this argument redundant; and/or the
unwearable social and financial cost of a strongly functional technological
infrastructure to check cards online and in real-time, not reliant
upon human inspection of a photograph for authentication, with
associated “mandatory-carry” and frequent checking requirements beyond
the “mortgages and job applications” we currently hear mooted.


But hey, what do I know? I’m only a computer security geek who builds
that sort of thing for a living - not a political commentator. :-)



ID Cards are dying…

Tuesday, November 7th, 2006

…if they have to resort to this sort of tactic; people understand
that Amazon and Ebay don’t need to know their customer’s identity
beyond a certain, basic level (”does a transaction go through
uncontested, is there a history of that happening?”) - so resorting to
that as a bolster for ID cards will fail…



Independent


Blair makes fresh bid to promote ID cards


Tony Blair has insisted that people will soon rely on identity cards
in all aspects of ordinary life, from shopping online to obtaining
a mortgage, as he announced a fresh attempt to sell the scheme to
the public.


Legislation establishing ID cards, which are strongly opposed by the
Tories and Liberal Democrats, became law seven months ago.


At a Downing Street conference yesterday Mr Blair fired the first shot
in a drive to persuade voters of the merits of the cards, which will
be issued from 2008. He put a new emphasis on the benefits to
consumers of carrying ID cards in obtaining goods and services.






Scary Halloween Costume: Dress up as THE PATRIOT ACT!

Tuesday, October 31st, 2006

Link, with pictures



Security Theatre

Monday, October 30th, 2006


In case you’ve not heard:


Friday


wired


Security researcher Christopher Soghoian created the Northwest Airline
Boarding Pass Generator in the hope of spurring Congress to look
closely at the nation’s aviation security policies, which he calls
“security theater.”


The site lets anyone create a facsimile of a Northwest Airlines
boarding pass, with whatever name they choose.


On Friday, Congress heard Soghoian’s message loud and clear. But
instead of promising to reform broken airport security procedures,
Rep. Edward Markey (D-Massachusetts), a member of the House Homeland
Security committee known for his defenses of privacy, wants the site
shut down and Soghoian arrested.


[…]


In reality, the “loophole” is nothing new. Security expert Bruce
Schneier wrote about it in 2003, and the online magazine Slate covered
it as major news in 2005. Soghoian points out that Sen. Chuck Schumer
(D-New York) publicized the same security hole in April 2006. “Perhaps
Sen. Schumer will end up being my cellmate,” Soghoian said.


Soghoian, a Ph.D. student at Indiana University, says he has never
used one of the fake boarding passes, which are likely good enough to
get someone through airport security into the “sanitized” area of the
airport, but not good enough to get anyone on a plane. He was waiting
for clearance from lawyers at Indiana University before attempting to
test if the method worked to get through security.


[…]


Even if Soghoian’s site is shut down, any boarding pass purchased over
the web can still be easily edited in any browser. That means fliers
can buy a legitimate ticket through an airline’s website under a false
name — evading the TSA’s no-fly list — then use a fake boarding pass
under their real name to get past airport metal detectors, the only
spot where IDs are checked. Fliers prone to selection for additional
screening could also create boarding passes without the “SSSS” mark
that tells TSA to search them more thoroughly.



Sunday


blogs


Congressman Edward Markey (D-Mass) no longer believes the government
should arrest Christopher Soghoian, and instead says the Department of
Homeland Security should put the Indiana University Ph.D student to work
“showing public officials how easily our security can be compromised.”


On Friday, Markey, a senior member of the House Homeland Security
Committee, called for the administration to shut down the fake
boarding pass generator and “apprehend” Soghoian, who says he built
the site to publicize a vulnerability in airport security, not to help
would-be terrorists.


The FBI shut the site down on Friday and raided Soghoian’s house early
Saturday morning.


Markey announced his change of heart Sunday morning in a press release:



On Friday I urged the Bush Administration to ‘apprehend’ and shut down
whoever had created a new website that enabled persons without a plane
ticket to easily fake a boarding pass and use it to clear security,
gain access to the boarding area and potentially to the cabin of a
passenger plane. Subsequently I learned that the person responsible
was a student at Indiana University, Christopher Soghoian, who
intended no harm but, rather, intended to provide a public service by
warning that this long-standing loophole could be easily
exploited. The website has now apparently been shut down.


Under the circumstances, any legal consequences for this student must
take into account his intent to perform a public service, to publicize
a problem as a way of getting it fixed. He picked a lousy way of doing
it, but he should not go to jail for his bad judgment. Better yet, the
Department of Homeland Security should put him to work showing public
officials how easily our security can be compromised.




Hmmm. They can be taught? Won’t help the guy, though.


Main website: http://slightparanoia.blogspot.com/.


Tags:

[ comments ]

source: Security Theatre

The Terrorism Act 2006, and Web Censorship

Wednesday, October 18th, 2006

UK academic security-folk are all of a flutter because the Home Office
have published a Code of Practice for “takedown notices”.


If, like me, you’ve only been paying scant attention: the Terrorism
Act of 2006 enables a police constable to notify an organisation - viz:
a University, a Company, or failing that the company’s ISP or hosting
provider - that their webservers are being used to publish
“terrorist material”, specifically stuff that is “unlawfully
terrorism-related”, a term which I find worryingly vague:


1. This guidance sets out the procedures to be followed for the
giving of notices under section 3 of the Terrorism Act 2006 requiring
the relevant person (as defined) to takedown material on the internet
and other electronic services that is unlawfully terrorism-related.
The procedure in section 3 is linked to the offences in sections 1 and
2 of the Terrorism Act 2006 because a person can lose the benefit of
the defences in those sections if he does not comply with a section 3
notice.


2. Sections 1 and 2 of the Terrorism Act 2006 create the offences of
encouragement of terrorism (s.1) and the dissemination of terrorist
publications (s.2). Section 3 provides that those served with notices
who fail to remove, without reasonable excuse, the material that is
unlawfully terrorism-related within the specified period are treated
as endorsing it and this means that they cannot benefit from the
defences set out in sections 1 and 2.



Would “terrorist publications” include Bruce Schneier’s recent
Movie-Plot Threat Contest, which actively thumbs its nose at the
“hush hush you’ll give them ideas” brigade? After all:


A statement, article or record is unlawfully terrorism-related if
it is either likely to be understood by any one or more of the persons
to whom it is or may become available as a direct or indirect
encouragement to acts of terrorism or Convention offences; or it is
likely to be useful to any one or more of those persons in the
commission or preparation of acts of terrorism and it is likely to be
understood by those persons as being wholly or mainly for that
purpose.


(page 2 section 8)



Anyway: if said information is not removed from the website within two
working days, then the organisation will be considered to “approve” of
the content - and presumably bring down the wrath of Plod upon
oneself, albeit non-terminally:


Failure to comply with a notice may lead to the consideration of
whether to bring a prosecution and where there is an expectation that
the notice will not be complied with and where there is sufficient
time, the CPS should be consulted in the drawing up of the notice.
Early consultation will ensure the notice is drafted as effectively
as possible and that any charging and prosecution can follow soon
after the 2 working day notice. However it should be noted that
non-compliance is not in itself an offence.


(page 7 section 37, their emphasis)



What this means for the process of security forensics and/or
evidentiary handling, I have no idea - but I suppose you can say
goodbye to leaving the data undisturbed whilst you watch who tries to
access it.




source: The Terrorism Act 2006, and Web Censorship


Googling Pwned

Monday, October 9th, 2006

Many security-folk will be amused by what happens when you search for
the term “pwned” using Google’s code-search tool…


Wanna see the source of several dozen worms, trojans and rootkits?


Come to that, Muffett is a pretty interesting search string - from my
perspective, anyhow - there’s tons of stuff out there I’d forgotten.


Link c/o: Rob Diamond



source: Googling Pwned