Hackers ‘steal entire 2011 census’ [The Telegraph]
Most of the article is a slightly confused report on whether or not LulzSec actually claimed to have gotten the UK census database. However, I think the real story is this bit here:
“The 2011 Census places the highest priority on maintaining the security of personal data. At this stage we have no evidence to suggest that any such compromise has occurred.”
The US defence contractor Lockheed Martin, which collected the 2011 census data, was also preparing a statement. The compulsory national survey was carried out in March and gathered data including full names, dates of birth and addresses for everyone in the UK.
So the oh-so-secure personal data for everyone in the UK was gathered by a US defense contractor? Not just an appendage of the Evil Empire, but a tightly integrated part of the Imperial Military? In what universe is that secure? There’s the evidence of your compromise right there!
Cheap GPUs are rendering strong passwords useless. Think that your eight-character password consisting of lowercase characters, uppercase characters and a sprinkling of numbers is strong enough to protect you from a brute force attack? [ZDNet]
Yes, that’s really how the author defines a “strong password.” Fortunately I, not being a complete idiot, would only use such a simple password if I wanted other people to know it and be able to remember it easily. Here’s an example of what I consider a strong password, in this case generated by 1Password:
VbNwGIzrJWzccJMKJaQKCWXr4^mlWjglMQ*ZkcyMdyDOJrp9Kh
EFF Publishes Study On Browser Fingerprinting. Rubinstien writes “The Electronic Frontier Foundation investigated the degree to which modern web browsers are susceptible to ‘device fingerprinting’ via version and configuration information transmitted to websites. They implemented one possible algorithm, and collected data from a large sample of browsers visiting their Panopticlick test site, which we’ve discussed in the past. According to the PDF describing the study, browsers that supported Flash or Java on average supplied at least 18.8 bits of identifying information, and 94.2% of those browsers were uniquely identifiable in their sample. My own browser was uniquely identifiable from both the list of plugins and available fonts, among 1,557,962 browsers tested so far.” [Slashdot]
I visited the test site with my default browser with Tor and NoScript on, and it had this to say:
Within our dataset of several million visitors, only one in 10,791 browsers have the same fingerprint as yours.
Currently, we estimate that your browser has a fingerprint that conveys 13.4 bits of identifying information.
However, it reports the user agent incorrectly, as Tor is set to lie about what browser I’m using. When I turned Tor off and reloaded the test page, I got this instead:
Within our dataset of several million visitors, only one in 21,435 browsers have the same fingerprint as yours.
Currently, we estimate that your browser has a fingerprint that conveys 14.39 bits of identifying information.
If I’m not mistaken, this means that the test site thinks I’m in the first group of browsers when I’m actually in the second group.
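The numbers in the password item above and in the Panopticlick report are both just logarithms in disguise, so here is an added worked example (mine, not from the ZDNet, EFF or Slashdot pieces) that converts the "one in N" figures into bits of identifying information and compares the keyspace of the eight-character password ZDNet calls "strong" with the 50-character 1Password output. The guess rate used for the timing estimate is an assumed round number, not a figure from the ZDNet article.

```python
import math
import string

# Added example, not code from any of the quoted articles. The GPU guess rate
# below is an assumed figure chosen for illustration.

def fingerprint_bits(one_in):
    """Surprisal, in bits, of a fingerprint shared by one browser in `one_in`."""
    return math.log2(one_in)

def one_in_from_bits(bits):
    """Inverse: how rare a fingerprint with this many bits is (one in N)."""
    return 2 ** bits

def unique_in_sample_bits(sample_size):
    """Lower bound on bits conveyed by a fingerprint unique in the sample."""
    return math.log2(sample_size)

def charset_size(password):
    """Size of the smallest class-based alphabet covering every character."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(c) for c in classes if any(ch in c for ch in password))

def keyspace(length, alphabet):
    return alphabet ** length

def password_bits(length, alphabet):
    return length * math.log2(alphabet)

def days_to_exhaust(space, guesses_per_second):
    """Days to try every candidate once at a constant guess rate."""
    return space / guesses_per_second / 86400

SAMPLE_PASSWORD = "VbNwGIzrJWzccJMKJaQKCWXr4^mlWjglMQ*ZkcyMdyDOJrp9Kh"  # from the post
ASSUMED_GPU_RATE = 1e9  # guesses per second; an assumption, not a measured figure

if __name__ == "__main__":
    for one_in in (10791, 21435):
        print(f"one in {one_in:>6} -> {fingerprint_bits(one_in):.2f} bits")
    print(f"18.8 bits -> one in about {one_in_from_bits(18.8):,.0f}")
    print(f"unique among 1,557,962 -> at least "
          f"{unique_in_sample_bits(1_557_962):.2f} bits")
    weak = keyspace(8, 62)
    n, a = len(SAMPLE_PASSWORD), charset_size(SAMPLE_PASSWORD)
    print(f"8 chars of [a-zA-Z0-9]: {password_bits(8, 62):.1f} bits, "
          f"{days_to_exhaust(weak, ASSUMED_GPU_RATE):.1f} days at {ASSUMED_GPU_RATE:.0e}/s")
    print(f"{n} chars from {a} symbols: {password_bits(n, a):.1f} bits, "
          f"{days_to_exhaust(keyspace(n, a), ASSUMED_GPU_RATE):.2e} days")
```

Run as a script it reproduces the 13.4 and 14.39 bit figures from the two Panopticlick visits, and shows that being unique among 1,557,962 browsers already implies more than 20 bits.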
Flaws in Tor anonymity network spotlighted. At the Chaos Computer Club Congress in Berlin, Germany on Monday, researchers from the University of Regensburg delivered a new warning about the Tor anonymizer network, a system aimed at hiding details of a computer user’s online activity from spying eyes.
The attack doesn’t quite make a surfer’s activity an open book, but offers the ability for someone on the same local network—a Wi-Fi network provider, or an ISP working at law enforcement (or a régime’s) request, for example—to gain a potentially good idea of sites an anonymous surfer is viewing. [Ars Technica]
There are things users can do to protect themselves. From the article:
Users themselves can guard against this type of fingerprint-based eavesdropping relatively easily, Herrmann noted. Downloading or requesting more than one site at a time through the network will muddy the pattern enough that certainty will be very difficult for the eavesdropper to establish.
And from one of the comments:
This attack should be significantly less effective as well if the target in question is a fully functional and quality relaying node. In that case other people accessing through the node would randomize things significantly, and their access would be impossible to differentiate from a local user without the kind of physical access that makes the entire thing moot.
A few days ago I found the notice on the left in the photo above in my apartment building. The notice states that someone from the local government will be conducting an illegal search of my apartment building tomorrow. This isn’t the first time something like this has happened. About ten years ago, a similar notice appeared and I took the day off from work to keep the “inspector” from getting into my apartment without a search warrant–which, naturally, he didn’t have. After a bit of the expected veiled threats and attempts at intimidation and trickery that inspector gave up and left, and I’m hoping that the one tomorrow will go as well.
The two pages of Korean text next to the notice are a translation of the Bill of Rights, with the Fourth Amendment highlighted. I found this on the website of a civil rights organization called Jews for the Preservation of Firearms Ownership, which has translations of the Bill of Rights into many different languages. Most of my neighbors were born in Korea, and many speak no English, so I figured it was likely they wouldn’t be aware that they have the right to refuse warrantless searches of their homes. Hopefully reading the translation of the relevant US law will help at least some of them stand up for themselves and their liberty.
Update: This time around the inspector took “get a warrant” quickly and without making a fuss.
Cryptography Success Story. From Brazil: the moral, of course, is to choose a strong key and to encrypt the entire drive, not just key files. [Schneier on Security]
The files were encrypted using Truecrypt and an unnamed algorithm, reportedly based on the 256-bit AES standard. In the UK, Dantas would be compelled to reveal his passphrase under threat of imprisonment, but no such law exists in Brazil.
The Brazilian National Institute of Criminology (INC) tried for five months to obtain access to the encrypted data without success before turning over the job to code-breakers at the FBI in early 2009. US computer specialists also drew a blank even after 12 months of efforts to crack the code, Brazil’s Globo newspaper reports.
I use TrueCrypt to protect the Windows laptop I use for work. Unfortunately, the Mac version doesn’t support whole disk encryption.
End-to-End Encrypted Cell Phone Calls.
Android app. (Slashdot thread.)
[Schneier on Security]
From the article:
RedPhone uses ZRTP, an open source Internet voice cryptography scheme created by Phil Zimmermann, inventor of the widely-used Pretty Good Privacy or PGP encryption.
[…]
TextSecure uses a similar scheme developed by cryptographers Ian Goldberg and Nikita Borisov known as “Off The Record” to exchange scrambled text messages.
This means that you could talk securely to anyone using Zfone on a computer, and IM securely to anyone with Adium or another app that supports the OTR protocol.
There’s also this rather important distinction from Skype, the “security” of which I’ve criticized before:
Whisper Systems’ apps aren’t the first to bring encrypted VoIP to smartphones. But apps like Skype and Vonage don’t publish their source code, leaving the rigor of their security largely a matter of speculation.
Browser add-on blocks Google Analytics. Google has released an add-on for Web browsers that blocks information from being sent to its Analytics service. [MacCentral]
This is rather pointless, as Tor blocks Google Analytics, and any other form of spying on the Internet. Anyone who wants their browsing to be private is using it, which means that the people complaining about Google Analytics tracking their activity are only announcing their own ignorance or stupidity (or both).
Browsing the web without Tor and complaining about privacy is like standing on a crowded sidewalk and then complaining that people can see you.
Gov’t, certificate authorities conspire to spy on SSL users?
SSL is the cornerstone of secure Web browsing, enabling credit card and bank details to be used on the ‘Net with impunity. We’re all told to check for the little padlock in our address bars before handing over any sensitive information. SSL is also increasingly a feature of webmail providers, instant messaging, and other forms of online communication.
Recent discoveries by Wired and a paper by security researchers Christopher Soghoian and Sid Stamm suggests that SSL might not be as secure as once thought. Not because SSL itself has been compromised, but because governments are conspiring with Certificate Authorities, key parts of the SSL infrastructure, to subvert the entire system to allow them to spy on anyone they wish to keep tabs on.
[Ars Technica]
The weaknesses of SSL are well known, which is why people who know anything about security don’t trust Certificate Authorities, but in the past this has just been known as something that governments were probably doing. Now we have the first bit of evidence that they’re actually doing it. I don’t think this will make any difference in the long run–after all, nobody cared when, after years of suspicion, the US government admitted to using cell phones as tracking and listening devices–but hopefully at least a few people will read this and recognize that the government can and does spy on them.
Brief: TSA subpoenas bloggers to find source of security doc leak.
The Transportation Security Administration is attempting to find the source of a leak of a sensitive security directive that followed a failed airline bombing attempt on Christmas Day. Two travel bloggers have revealed that they have been subpoenaed to provide information that may lead to the source of the leak.
Shortly after an attempted “underwear” bomber was discovered on Northwest Airlines Flight 253 from Amsterdam to Detroit on December 25, the Transportation Security Administration issued immediate, temporary changes to security procedures in an attempt to prevent similar incidents. The particular details of those changes were issued in an internal security directive, intended only for TSA employees. However, copies of the directive were leaked to several bloggers and quickly spread around the ‘Net.
Writers Chris Elliott and Steven Frischling both received copies of the security directive from anonymous sources, and both published the text of the directive after mass confusion set in among holiday travelers affected by the sudden changes in security procedures. It appears that the TSA is not punishing either for publishing the document; rather, they are trying to find the source of the leak.
“The DHS & TSA are taking this matter seriously, and that tells me that they are paying attention to security in detail,” Frischling wrote on his blog. So far, neither has admitted to knowing the identity of the source of the TSA directive.
The leak is somewhat embarrassing for the TSA, though, in light of a recent leak of the entire contents of the TSA’s “Standard Operating Procedures” manual online. That disclosure was due to improper redacting of the document, which the TSA later claimed to be out of date.
The lesson to be learned here is that if you find yourself in possession of information which would embarrass the government, don’t pin a giant target on yourself by posting it to your blog. Instead, use Tor to upload it anonymously to Wikileaks.