We recently wrote about Newsweek's coverage of Austin Heap and Haystack, a program he supposedly wrote to help Iranian internet users avoid being spied on by the Iranian government. Some of our commenters questioned the overall legitimacy of the story. It has a too-perfect Hollywood sort of feel to it -- and some pointed out that no one seems to be able to actually look at Haystack. It sounds like a lot more folks are skeptical of the claims around Haystack as well. Glyn Moody points us to a post by Evgeny Morozov that rips apart the total secrecy around Haystack and suggests the whole setup is pretty hard to believe.
I like Hollywood as much as the next guy -- and yet something just doesn't feel right about Haystack. What really bothers me is that one cannot download and examine their software; as far as the Internet is concerned, Haystack doesn't exist. In fact, Heap says that it is only distributed to trusted contacts inside Iran; putting it online would create a situation where the government could easily get hold of it as well and then reverse-engineer it or ban it or find a way to track its users.
So, in essence, the outside public - including Iranians -- are asked to believe that a) Haystack software exists b) Haystack software works c) Haystack software rocks d) the Iranian government doesn't yet have a copy of it, nor do they know that Haystack rocks & works. (And who could fault them for not reading Newsweek? I certainly can't). For someone with my Eastern European sensibilities, that's a lot of stuff to believe in. Even Santa -- we call him Ded Moroz -- appears more plausible in comparison.
He goes on to note that, at the very least, this security by obscurity could be quite dangerous for Iranians actually using this program, since it may be giving them a very false sense of security:
To me, it seems like a no-brainer: if you want to distribute technology that may endanger lives, make sure that the technology is secure. The only good way that I know of to make sure that it's secure is to let outsiders test it.
Indeed. In retrospect, the Newsweek version of this story had too many holes that should have acted as red flags.
You may have seen the various stories making the rounds about how some malicious trojan originally on an unsecured USB key was put into a military laptop in 2008, and then propagated around the military, hitting both classified and unclassified documents. Why is this massive security breach being declassified now? Well, to warn us how scary computer threats out there are:
Lynn's decision to declassify an incident that Defense officials had kept secret reflects the Pentagon's desire to raise congressional and public concern over the threats facing U.S. computer systems, experts said.
We've already noted that various government officials have been engaging in a massive hype campaign about "cyberwar" threats, in an effort to get more control over certain networks. But there's also a bit of an inter-departmental battle within government agencies over who should get to control these new powers. And, in this case, Deputy Defense Secretary William Lynn's revelation of this security breach is part of his jockeying to make sure that the Pentagon gets more power here, rather than Homeland Security:
He puts the Homeland Security Department on notice that although it has the "lead" in protecting the dot.gov and dot.com domains, the Pentagon -- which includes the ultra-secret National Security Agency -- should support efforts to protect critical industry networks.
The failure of the military to protect its own systems creates an argument for it to have preeminence in protecting private computer infrastructure? Perhaps the Department of Homeland Security will reveal how badly it has been hacked in order to regain the upper hand in the battle to protect us.
A few months back, a research report came out noting that e-voting machines in India were not secure. I had seen it at the time, but considering how many stories we've seen of e-voting machines with security problems, I let it pass and didn't write it up. However, the story has just taken a distressing turn. One of the researchers, Hari Prasad, who had obtained the e-voting machine from an anonymous source in the first place, has been arrested and taken into custody because he will not reveal who gave him the machine:
The police did not state a specific charge at the time of the arrest, but it appears to be a politically motivated attempt to uncover our anonymous source. The arresting officers told Hari that they were under "pressure [from] the top," and that he would be left alone if he would reveal the source's identity.
Prasad was taken from his home and driven to Mumbai, a 14-hour journey, where he is to be interrogated. Alex Halderman, who has done lots of research on e-voting machines over the years and worked with Prasad on the research on the Indian e-voting machine, was able to speak to him while he was being driven to Mumbai. Prasad worries that his arrest will create serious chilling effects on other security researchers, and plans to stand up to authorities to hopefully prevent such chilling effects from occurring. You can listen to excerpts from the call in the following YouTube video:
The initial post, written by Halderman, also gives plenty of background on the machines. The Indian government has refused to let researchers review the machine, and insists that it's tamper-proof. Even after the initial report came out proving this not to be the case, the government has continued to insist the machines are fine and have no problems. Here in the US, it's quite troubling how much the government has relied on e-voting machines without allowing security researchers to really test them, but at least they don't arrest those who have been able to access and test the machines. This is a hugely troubling move by the Indian government, and hopefully getting more attention on such a questionable arrest will make the Indian government regret this decision -- and open up the machines for real security testing.
The really important point is that they did this in three afternoons (and remember, these machines are often left totally unguarded, in the open at polling places for days before elections) without breaking any of the "tamper-resistant" seals that are supposed to alert anyone to any foul play. As Halderman noted:
We could have reprogrammed it to steal votes, but that's been done before, and Pac-Man is more fun!
Remember Heartland Payment Systems? It's the giant credit card clearinghouse that was involved in the largest ever security breach in terms of the number of credit card numbers exposed. They were successfully targeted by the same guys who had also set the previous record for largest credit card data breach, so you could question whether the issue was just a sophisticated group of hackers or poor security at Heartland (or, possibly, a combination of both). Either way, it looks like Heartland may still have some issues. Carlo sends over the news that a new security breach has been discovered at a restaurant in Austin, Texas that appears to involve someone hacking into the network between the restaurant and Heartland. It's not yet clear if this goes beyond that one restaurant, but this can't look good for Heartland.
Update: Heartland got in touch to let us know that this appears to be an issue outside of Heartland's system, and that Heartland is not the target of the investigation into the breach. Heartland's press release is basically pointing out that the weakness was with the restaurant's credit card security, not its own.
We just wrote about the new publicity campaign from a group called Project Vigilant, linking to three separate articles discussing how it was a private organization monitoring internet traffic and providing it to the US government. The whole thing seemed dubious on a legal basis, and now plenty of people are questioning whether the whole thing is real or some sort of hoax or publicity stunt. Julian Sanchez points out that the "parent company" behind the Project, one "BBHC Global," looks painfully amateurish (and right now appears down). Then, a bunch of security experts are skeptical of the whole concept, asking why, if it's been around for 14 years, no one has heard of it and it hasn't participated in any serious security efforts. Others suggest that it's almost certainly a publicity stunt of some kind, pointing out that the website was registered just last year. The suggestion there is that it's an attempt to jumpstart a new security company. I'm guessing it's more of a hoax to try to show how gullible some people are.
A few years ago, we discussed how bank ATMs just aren't very secure, despite the belief by many that they were. That discussion revolved around the fact that many people often compare bank ATMs to e-voting (in part because Diebold was a big player in both businesses). It looks like more and more folks are realizing the same thing. Some security researchers are about to release their evidence on just how easy it is to hack bank ATMs. And, of course, if security researchers are talking about it now, you can be pretty sure that hackers already figured this out a while ago.
So various governments around the world remain furious with Google for its accidental Street View wifi data collection. However, at the same time, governments are also getting annoyed and using filters to block government employees from using Google products because Google is now increasingly running more and more of its apps (including search and Gmail) via SSL, making it harder for those gov't agencies to spy on what users are doing. So... which is it? Is Google bad for spying on data? Or is Google bad for not letting governments spy on data?
Last week, we wrote about the security glitch by AT&T that allowed hackers to figure out the email addresses of 114,000 iPad users. A few people in the comments mocked this news, claiming that such info was pretty much meaningless, as email addresses are hardly private info these days. Of course, that ignored the connection of the email address to the fact that you bought an iPad. But now, some are realizing the potential security problems with this may be significantly worse. Slashdot points us to a story where someone walks through how poor security choices by the various mobile operators mean that knowing the information revealed by the glitch can actually reveal much, much more. As the blog post walks through the details, it concludes that potentially, the data from the breach in some cases (though, not all) could then be used to figure out a lot more:
So yeah, knowing someone's ICCID can give you their full unpublished billing name, their cellular phone number (and hence their home address), their current location on a realtime basis, their voicemail, and if you're prepared to follow them around (within a few miles) then you get all their phone calls and SMS messages too.
There is a later edit, when he realizes that the voicemail/phone calls/SMS stuff might not be that big of a deal, since the iPad is not a phone device, but it's still instructive of how a "simple" data breach can lead to much more in certain circumstances.
Jaime Novoa was the first of a few of you to point us to a series of links about how French ISP Orange has started offering a service to let subscribers pay 2 euros to "block" file sharing services on their connection. The theory, of course, is that this service "protects" you from getting any strikes. Of course, you could also do that for free -- by limiting yourself and encrypting your connection, but that's a separate story. Beyond the fact that this system involves a secret blacklist that could very well block legitimate uses as well, lots of folks started digging into the service and discovered that the software in question is basically malware, and so ridiculously insecure that it more or less broadcasts the private info of anyone who uses it for anyone else to see. So, not only is the program costly, limiting and useless, but it's a massive security and privacy problem as well. All because of three strikes/Hadopi.