Are you on the TSA no-fly list?

Check it out here. I’m not on the list, but my 13-year-old nephew is, due to his common last name. (Via Bruce Schneier’s Blog.)

March 14, 2007 · 1 min

Bob Hagen on botnet evolution

Bob Hagen has put up a post on the evolution of botnets at the Global Crossing blog. (BTW, I’m hoping to have future opportunity to use titles like “Where the bots are”, “The bots from Brazil”, and “The bots of summer”.) UPDATE (August 27, 2009): I’ve replaced the above link with one to the Internet Archive, since the blog post is no longer present at its original location.

March 10, 2007 · 1 min

FBI breaking the law with National Security Letters?

A Justice Department review of 293 National Security Letters issued by the FBI found 22 instances (7.5%) of apparent violations of FBI and Justice Department regulations. The FBI issued more than 19,000 National Security Letters in 2005.

UPDATE: This story has now hit CNN, which has more details. The Justice Department’s inspector general says the FBI is guilty of “serious misuse” of National Security Letters and that use of them may be underreported by as much as 20%. The audit found that more than half of NSLs were used to get information about U.S. citizens. CNN reports 26 violations, of which 22 were the FBI’s fault and 4 were caused by errors by the recipients of the National Security Letters.

UPDATE (March 10, 2007): FBI Director Robert Mueller and Attorney General Alberto Gonzales have acknowledged that the FBI broke the law, apologized, and promised to stop further such intrusions. Gonzales left open the possibility of criminal prosecutions against FBI agents or lawyers who misused their PATRIOT Act powers.

UPDATE (June 14, 2007): An audit has discovered that the above-reported 26 violations were the tip of the iceberg. 10% of National Security Letters have been reviewed, and the total number of violations is now over 1,000.

UPDATE (March 7, 2008): This year’s audit has shown that the NSL abuses continued through 2006 and that the FBI underreported to Congress the number of NSLs by more than 4,600.

UPDATE (January 20, 2010): Yet further evidence of FBI abuses in collecting telephone records has been uncovered.

March 9, 2007 · 2 min

Windows, Mac, and BSD security

March 9, 2007 · 0 min

Inside the TSA

Barbara Peterson took a job as a TSA screener and has written an interesting description of her experience for Conde Nast Traveler. She blames TSA’s incompetence not on the individual screeners (who are generally doing as well as they could be hoped to under the demands of the job) but on Congress.

March 5, 2007 · 1 min

TSA continues to demonstrate incompetence

A web page on the TSA’s website for travelers “who were told you are on a Federal Government Watch List” displays evidence of being a phishing site–it’s probably not, it’s just so badly done that it looks like a hacked web site that’s submitting its details to an unrelated third party. TSA responded that “We are aware there was an issue and replaced the site. The issue has been fully addressed. We take IT responsibilities seriously. There was never a vulnerability; just a small glitch.” The full story may be found at Wired Blogs, which points out fifteen features that make the TSA form submission site look dangerous. Also check out this comment at Christopher Soghoian’s blog:

This may be surprising to hear: I am an employee at a major airline and I just received an e-mail that said we now have access to the TSA no-fly list, selectee list, and cleared list. I just accessed it and found it to contain thousands of names, DOB, SSN#s, driver’s license #’s, military ID #’s, addresses, and even home phone #’s. The TSA just made this list and all of this information readily available to thousands of employees at my airline (and probably others). I think that previously this list was only available to ticket agents, but now it is available to every employee. I find it quite disturbing that any airline employee has access to this information, and that many of the ppl on the cleared list have to give up their SSN# and other information.

Nice. (Hat tip to Bruce Schneier’s blog.)

February 20, 2007 · 2 min

How IPv6 is already creating security problems

Computer Associates CEO John Swainson, the keynote speaker at last week’s CA Expo ‘07 conference in Sydney, Australia, spoke about how the deployment of IPv6 will bring unavoidable and unknown security threats. He was quoted in SC Magazine: “I don’t know what they will be but I can predict with a high degree of probability that it will happen,” he said. “This is not something you can test in the lab, it’s something that emerges through practice.” Swainson’s comments on IPv6 were part of a broader theme addressing the emerging complexities in IT infrastructure and their more complex insecurities. “We’re talking about new complexities on top of existing complexities. As networks expand to include remote device types and additional applications [they] produce a wide variety of security threats,” he said.

The new Apple AirPort Extreme for 802.11n wireless networks demonstrates Swainson’s point quite vividly. The device supports IPv6, and the default setting is for the device to set up an IPv6 tunnel over the IPv4 Internet and to provide IPv6 addresses to hosts on the local network with IPv6 enabled. For those using the device as their local firewall (which I’d argue is not a great idea–it’s not really adequate to the task), while it will reject most incoming IPv4 connections, it will allow all IPv6 connections through. For those not using it as a firewall, if their actual firewall allows the IPv6 tunnel (and most firewalls allow all outbound connections out, which would allow the tunnel to be established), the tunnel then becomes a path through the firewall. That is, if you put this device on your network in its default configuration, you’ve just completely opened up your internal systems to connections from any IPv6 host–your firewall may as well not be there, from an IPv6 perspective. There is no “disable IPv6” option, but if you set the device to “Link Local” mode instead of “Tunnel” mode, it will only talk IPv6 to your internal network, not to the outside world.

My own home network runs IPv4 and IPv6, including wirelessly, but I have my wireless network as a separate network off my firewall, and have IPv6 firewall rules in place. It’s my firewall that provides the tunnel to the IPv6 Internet. This means that any machines connected to my wireless network that want to communicate with machines on my wired network (like servers) need to pass traffic through the firewall to get to them. Also, as my firewall is an OpenBSD machine, it will not route (for security reasons) the 6to4 packets the Apple AirPort is using to create automatic IPv6 tunneling (though this makes IPv4-to-v6 migration even more difficult).

Note that in the comments on the Apple AirPort article at Ars Technica, one commenter says “The primary reason why the situation is so bad with IPv4, is that almost the entire address space is populated. Worms and virii can easily guess neighboring addresses, and since most of those are windows machines, they make great targets.” This gives a false sense of safety to IPv6, as security researchers have already pointed out numerous ways in which worms can locate other IPv6 hosts despite the sparsely populated IP space (PDF).
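As an added illustration of the network layout described above (this is a constructed pf.conf fragment, not the post’s own firewall configuration), the OpenBSD firewall can refuse to carry IPv6-in-IPv4 encapsulation at all, so an AirPort left in its default “Tunnel” mode cannot build a 6to4 path around it, while inbound IPv6 from the firewall’s own tunnel stays default-deny. Interface names, the gif0 tunnel interface and the 2001:db8:: prefixes are assumptions.

```pf
# Constructed example (not from the original post). Interfaces, tunnel
# interface and the 2001:db8:: documentation prefixes are assumptions.
ext_if  = "em0"     # IPv4 uplink
wifi_if = "em1"     # wireless segment; the AirPort is attached here
lan_if  = "em2"     # wired LAN with the servers
tun_if  = "gif0"    # the firewall's own IPv6 tunnel to the outside
wifi_v6 = "2001:db8:0:2::/64"
lan_v6  = "2001:db8:0:1::/64"

set skip on lo0

# Default deny for both address families; log everything dropped so an
# AirPort attempting its automatic tunnel shows up in pflog.
block log all

# Never forward IPv6-in-IPv4 (protocol 41). That is the encapsulation 6to4
# uses, so no device behind this box can open its own IPv6 tunnel; the only
# IPv6 path to the Internet is the firewall's gif0, which is filtered below.
block log quick proto 41

# ICMPv6 is needed for neighbour discovery and path MTU discovery.
pass quick inet6 proto icmp6 all

# Wireless clients may reach the Internet (v4 and v6) statefully, but the
# wired LAN only on explicitly listed services.
pass in on $wifi_if inet  from ($wifi_if:network) to any keep state
pass in on $wifi_if inet6 from $wifi_v6 to ! $lan_v6 keep state
pass in on $wifi_if inet6 proto tcp from $wifi_v6 to $lan_v6 port { 22 443 } keep state
pass out on $lan_if inet6 proto tcp from $wifi_v6 to $lan_v6 port { 22 443 } keep state

# Wired LAN may initiate anything outbound.
pass in  on $lan_if keep state
pass out on $ext_if inet  keep state
pass out on $tun_if inet6 keep state

# No "pass in on $tun_if" rule: unsolicited IPv6 from the Internet is dropped
# by the default deny, unlike the AirPort's own default behaviour.
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check, then watch tcpdump -n -e -ttt -i pflog0 for blocked protocol 41 packets from the AirPort’s address.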

February 19, 2007 · 3 min

The economics of information security

Ross Anderson and Tyler Moore have published a nice paper that gives an overview of recent research in the economics of information security and some open questions (PDF). The paper begins with an overview of the relevance of economic factors to information security and a discussion of “foundational concepts.” The concept of misaligned incentives is described with the now-standard example of how UK and U.S. regulations took opposite positions on liability for ATM fraud–the UK held customers liable for loss, while the U.S. held banks liable for loss. This led to U.S. banks having incentives to make their systems secure, while UK banks had no such incentives (and the UK has now reversed its position after this led to “an epidemic of fraud”). Other examples are given involving anti-virus deployment (where individuals may not have incentives to purchase software if the major benefit is preventing denial of service attacks on corporations), LoJack systems (where auto theft plummets after a threshold number of auto owners in a locality install the system), and the use of peer-to-peer networks for censorship resistance. The authors examine the economics of vulnerabilities, of privacy, and of the deployment of security mechanisms including digital rights management, and how regulation and certification can affect system security (sometimes with counterintuitive adverse effects, such as Ben Edelman’s finding that TRUSTe-certified sites are more likely to contain malicious content than websites as a whole). They end the paper with some open issues–attempts to develop network protocols that are “strategy-proof” to prevent cheating/free-riding/bad behavior, how network topologies have different abilities to withstand different types of attacks (and differing vulnerabilities), and how the software development process has a very high failure rate for large projects, especially in public-sector organizations (e.g., as many as 30% are death-march projects).
There are lots of interesting tidbits in this paper–insurance for vulnerabilities, vulnerability markets, the efficacy of spam on stock touting, the negligible effect of music downloads on music sales, and how DRM has moved power from record labels to platform owners (with Apple being the most notable beneficiary), to name a few. (Hat tip to Bruce Schneier’s blog, where you can find links to a slide presentation that covers the highlights of this paper.)

February 13, 2007 · 2 min

I've won a Thinking Blogger award!

I’ve been awarded a Thinking Blogger award, courtesy of Larry Moran at Sandwalk: Strolling with a Skeptical Biochemist. Thanks, Larry! As per the rules of this award-meme, I must tag five other blogs that make me think:

1. Glen Whitman and Tom W. Bell at Agoraphilia
2. The Technology Liberation Front
3. Martin Geddes at Telepocalypse
4. Ed Felten at Freedom-to-Tinker
5. Kevin Carson at the Mutualist blog

February 13, 2007 · 1 min

Warner Music: we'd rather go out of business than give customers what they want

After Steve Jobs said that he’d prefer to have the iTunes store sell DRM-free music, but is forced into DRM by the music labels, Edgar Bronfman of Warner Music said that his company will have nothing to do with DRM-free music:

“We advocate the continued use of DRM,” Bronfman said, adding that music deserves the same anti-piracy protections as software, TV broadcasts, video games and other forms of intellectual property. “We will not abandon DRM nor services that are successfully implementing DRM for both content and consumers.”

This quote appeared in an article reporting Warner’s dismal results: its fiscal first-quarter profit fell 74% because of fewer album releases and soft domestic and European sales. Its shares fell nearly 6%. The New York-based recording company said net income for the period that ended Dec. 31 declined to $18 million, or 12 cents a share, from $69 million, or 46 cents, a year earlier. Revenue fell 11% to $928 million.

The competition at EMI, however, feels differently:

Music label EMI Group is in talks to release a large portion of its music catalog for Web sales without technological protections against piracy that are included in most music bought over the Internet now, sources said on Thursday. … One source familiar with the matter said that EMI was in talks to release a large amount of its music in an unprotected MP3 format to various online retailers.

EMI’s plans apparently include talks with Shawn Fanning’s SnoCap about releasing MP3-format music through MySpace. Which company is more likely to still be in business under the same management ten years from now?

February 9, 2007 · 2 min