In 1984 computer pioneer Ken Thompson wrote one of the seminal works of computer security, Reflections on Trusting Trust [PDF]. In it he postulated putting a trojan horse inside a compiler as a means of infecting software compiled by it. 25 years later somebody has finally done just that. Researchers at anti-virus house Sophos have discovered a virus that places a backdoor into applications compiled with the Delphi language. They've identified at least 3000 separate Delphi applications that have had this backdoor compiled into them so far, including banking programs and programs used for cellphone programming.
An 8 year old critical security bug in the Linux kernel? No problem, we can fix that without even rebooting. You heard me, it is possible to apply a source code patch to a running kernel without reboot.
Neurosecurity: security and privacy for neural devices. "An increasing number of neural implantable devices will become available in the near future due to advances in neural engineering. This discipline holds the potential to improve many patients' lives dramatically by offering improved—and in some cases entirely new—forms of rehabilitation for conditions ranging from missing limbs to degenerative cognitive diseases. The use of standard engineering practices, medical trials, and neuroethical evaluations during the design process can create systems that are safe and that follow ethical guidelines; unfortunately, none of these disciplines currently ensure that neural devices are robust against adversarial entities trying to exploit these devices to alter, block, or eavesdrop on neural signals. The authors define 'neurosecurity'—a version of computer science security principles and methods applied to neural engineering—and discuss why neurosecurity should be a critical consideration in the design of future neural devices." [Via Mind Hacks]
San Francisco's largest residential landlord is refusing to give back security deposits. CitiApartments is possibly going broke and, according to the head of the San Francisco Tenants Union, refusing to refund many tenants security deposits (he says they're getting three to four complaints a week). CitiApartments' buildings are filled with vacancies because their business model is purchasing buildings and then harassing and intimidating tenants into moving out so they can raise the rent. [more inside]
Michael Scheuer, the former chief of the CIA's "bin Laden Station", and the initially anonymous author of Imperial Hubris, pulls an O'Reilly on yesterday's Glenn Beck broadcast:
"The only chance we have as a country right now is for Osama bin Laden to deploy and detonate a major weapon in the United States [...] only Osama can execute an attack which will force Americans to demand that their government protect them [...] with as much violence as necessary."[more inside]
Clear, the "security service" that allowed travellers to bypass TSA security lines, offered a Father's Day discount if you purchased a one-year membership by June 21. On June 23, Clear ceased operations. Sorry, no refunds.
The dry, technical language of Microsoft's October update did not indicate anything particularly untoward.
Its reach is impossible to measure precisely, but more than 3 million vulnerable machines may ultimately have been infected. The inside story on the Conficker Worm at New Scientist.
Hiding in "plane" sight. Images and details of the significant efforts made by the United States to prevent the Japanese from bombing our west coast aircraft factories. I wonder what this effort would take today to "fool" Google Maps/Earth. [more inside]
The commercials are all over television — and they certainly are attention-grabbing. They’re the ones where the heavy, bald guy is sitting in his easy chair talking in a squeaky female voice about all the clothes he bought — including a bustier. Or the little old lady speaking with the gruff voice of a younger man about the sweet motorcycle she now owned. Identity theft is a serious crime — one that is occurring with an alarming frequency. The Identity Theft Manifesto explains how criminals get your personal info, and what you can do about it.
You are Medeco, one of the world's premier lock companies. And you think your super-secure locks are tight. Until, that is, some upstart troublemaker comes along, reverse engineers them and shows the world (via Wired magazine--with video, natch) just how (supposedly) insecure they are. Then this same troublemaker releases a book giving all your secrets away. [more inside]
A message from baby Emily. Most popular baby names + Medicare advice + awful Elvis impersonation = EPIC FAIL. A single link video post from the Social Security Administration. You will laugh. Until you remember we (USians) paid for this. (via Andrew Sullivan)
According to an article posted in today's Wall Street Journal, the electricity grid in the U.S. has been compromised by foreign spies, leaving it vulnerable to disruption. Last year, the CIA acknowledged that the system had been compromised and that the goal had been extortion. In response, the Federal Electric Regulatory Commission issued new cybersecurity specs for the power grid, to which companies such as GE have begun responding. But could it be that the new security efforts are motivated by government officials who stand to gain by this attempt at drastically increasing government control over the Internet? [more inside]
Beyond even the outrageously broad "state secrets" privilege invented by the Bush administration and now embraced fully by the Obama administration, the Obama DOJ has now invented a brand new claim of government immunity, one which literally asserts that the U.S. Government is free to intercept all of your communications (calls, emails and the like) and -- even if what they're doing is blatantly illegal and they know it's illegal -- you are barred from suing them unless they "willfully disclose" to the public what they have learned. - Glenn Greenwald. [more inside]
Passport RFIDs cloned wholesale by $250 eBay auction spree. "Using inexpensive off-the-shelf components, an information security expert has built a mobile platform that can clone large numbers of the unique electronic identifiers used in US passport cards and next generation drivers licenses. The $250 proof-of-concept device - which researcher Chris Paget built in his spare time - operates out of his vehicle and contains everything needed to sniff and then clone RFID, or radio frequency identification, tags. During a recent 20-minute drive in downtown San Francisco, it successfully copied the RFID tags of two passport cards without the knowledge of their owners." [Via]
"Payments processor Heartland Payment Systems has learned it was the victim of a security breach within its processing system in 2008. Heartland believes the intrusion is contained." [more inside]
The embargo has been lifted on the newest research on growing internet infrastructure insecurity. Using an army of Playstations, researchers have managed to forge a RapidSSL (owned by Verisign) CA certificate in a couple hours due to known flaws in MD5.
The National Security Agency is building a data center in San Antonio that’s the size of the Alamodome. Microsoft has opened an 11-acre data center a few miles away. Coincidence? Not according to author James Bamford, who probably knows more about the NSA than any outsider. Bamford's new book reports that the biggest U.S. spy agency wanted assurances that Microsoft would be in San Antonio before it moved ahead with the Texas Cryptology Center. Bamford notes that under current law, the NSA could legally tap into Microsoft’s data without a court order. Whatever you do, don't take pictures of the spy building unless you want to be taken in for questioning.
Culture Of Fear. An interesting look at the security concerns National Football League players harbour in the wake of the death of Sean Taylor, who was robbed and shot within his own home. Previously. [more inside]
Trolling the Head of the TSA: Bruce Schneier [previously], consummate voice of sanity on all issues of security, co-authors an article in The Atlantic [previously] demonstrating how weak and ultimately pointless most of the new security practices put in place at airports since 9/11 are by, among other things, boarding airplanes with large amounts of liquid, using fake boarding passes he printed off his computer, and wearing an "I <3 Hezbollah" t-shirt. TSA head Kip Hawley then responds on the TSA's blog. Schneier then responds to the response on his blog. Hawley then leaves a comment to that post. Schneier fires back again in his monthly newsletter. Quite an interesting and intelligent debate, despite both men humorously falling victim to the idioms of the medium and getting increasingly snarky with each passing post. [via this month's crypto-gram, a good read all the way around.]
The latest paper-based video from the folks at Common Craft. This video explains the ins and outs of phishing scams. Show it to your less web-savvy brethren.
The Things He Carried. "Airport security in America is a sham—'security theater' designed to make travelers feel better and catch stupid terrorists. Smart ones can get through security with fake boarding passes and all manner of prohibited items—as our correspondent did with ease."
Psych Securities LLC. "With future forecasts declaring ultimate doom from all components of the man-altered world, it seems there is a clog in the conduit of information transmitted between those in control and the public at large. Black Ops, psychological torture, acoustic weapons, Project Starfire, and a multitude of other state sponsored programs exist, well-hidden in plain sight, shrouded in a stigma of conspiracy and diluting any significant public inquiry. Psych Securities LLC is an ongoing exploration of this aforementioned covert reality, most clearly seen while in an alternative psychological state. By compiling declassified documents, historical narratives, and psychedelic conjecture, a visual world is pieced together; undermining strategies of deception and concealed truths." [Via]
Clear passenger data stolen. An unencrypted laptop with the personal data, including name, address, Social Security number, passport number, date of birth, etc. of every one of the 33,000+ users of the Clear system has been stolen. The Clear system allows travelers who register and pay an annual fee to bypass airport security lines by using a smart card in some airports. TSA has suspended new registrations until Verified Identity Pass, Inc., a subsidiary of GE, figures out how to install PGP. VIP is the only private contractor allowed to register users to the Clear system. Via
The Department of Homeland Security has expressed interest [PDFs] in forcing all commercial airline passengers to wear a taser bracelet that can be used to incapacitate anyone on an airline. This video, from the company that will produce the bracelets, explains how the bracelet would be put on the passenger at the point that they clear security, and would not be removed until they leave secure areas. It would take the place of boarding passes, carry personal and biometric information about the passengers, track and monitor every passenger via GPS and shock the wearer on command, immobilizing him or her for several minutes. DHS official Paul S. Ruwaldt of the Science and Technology Directorate, Office of Research and Development, is also excited about the possibility of using it as an interrogation tool at airports. Ah freedom, who knew it smelled like burning flesh?
Scanners that see through clothing installed in US airports. Good news! No more testing. Time to roll these puppies out. It's OK though, seriously guys. See we're gonna blur the faces when we look at their sexual organs, so everything's cool. K? Prev.
Thieves bypassed all security systems by simply posing as the security company on the phone. These days as a robber dealing with high-tech security systems it seems that it's not about being a hacker or having loads of money to pull off a heist, it's about making a phone call, having bear spray, and waiting for a guard to go on smoke break. [more inside]
The AI-Box Experiments. The hypothesis: "A transhuman can take over a human mind through a text-only terminal." Does Artificial Intelligence create moral monsters (PDF)? Can we create friendly AI?
On May 13, security advisories published by Debian and Ubuntu revealed that, for over a year, their OpenSSL libraries have had a major flaw in their CSPRNG, which is used by key generation functions in many widely-used applications, which caused the "random" numbers produced to be extremely predictable. [lolcat summary] [more inside]
"The United States Lacks a Comprehensive Plan to Destroy the Terrorist Threat and Close the Safe Haven in Pakistan's Federally Administered Tribal Areas" (PDF). A recent GAO report claims that the Bush administration has failed to prevent Al Qaeda's reemergence in Pakistan, and that we're basically right back where we started in 2001.
The Governmental Printing Office prints all United States passports but they decided that it was time to outsource part of the work. They claim it is secure [pdf].
NEC's new biometric security cam will guess your age, gender (and it would be nice if it could size you up according to how you dress).
NEC plans to market a system later this year that can derive someone's gender and age from images captured with a camera. "The system compares the photo against a database of several thousand faces to figure gender and age based on such factors as facial shape and wrinkles." According to Nikkei Weekly 01/28/2008 Edition. Link goes to Ubergizmo. "It's called FieldAnalyst and it's from NEC. The system homes in on faces of people who pass by the video camera. It then rapidly compares the image against samples in a database. It then spits out what it believes is your approximate age and your gender." ... "NEC scientists may next try to add clothing as a characteristic and classify people by whether they wear a suit or a T-shirt." more here
Two years ago, then NSA-chief Gen. Michael Hayden said its domestic surveillance program was "not a driftnet over Lackawanna or Fremont or Dearborn, grabbing all communications and then sifting them out." Today, a story in the Wall Street Journal alleges this is precisely what is happening. Total Information Awareness seems to not have died, but to have just been quietly absorbed into the NSA's already extensive surveillance apparatus, all without the hassle of any kind of transparency or oversight.
ACLU Watch List Counter: U.S. Terror List Now Exceeds 900,000 Names. That's an awful lot of terrorists. More Privacy and Surveillance Filter: Bruce Schneier on The Myth of the 'Transparent Society', Glenn Greenwald on The Banality of the Surveillance State, and Stephen Colbert on AT & Treason. [more inside]
"The Billboard Liberation Front today announced a major new advertising improvement campaign executed on behalf of clients AT&T and the National Security Agency. Focusing on billboards in the San Francisco area, this improvement action is designed to promote and celebrate the innovative collaboration of these two global communications giants." [Via Threat Level.]
Ready, kids! Unsatisfied with your kids' slow adoption of very important homeland security adjustments? Buy them the Playmobil Security Check Point! How does this stack up against increased TSA checks of toys?
"SurveillanceSaver is an OS X screensaver that shows live images of over 400 network surveillance cameras worldwide." There is also a Windows version. Or check out the camera feeds without installing a screensaver (here are the feeds from Axis network cameras, for example). [Via.]
The Anonymity Experiment. Is it possible to hide in plain sight? Privacy-minded people have long warned of a world in which an individual’s every action leaves a trace, in which corporations and governments can peer at will into your life with a few keystrokes on a computer. Now one of the people in charge of information-gathering for the U.S. government says, essentially, that such a world has arrived.
The president of The University of Texas at Brownsville has refused to sign a right of entry request granting access to surveyors planning the U.S./Mexico border fence. This comes shortly after Cameron County landowners were forced to allow the government access to their land. Meanwhile, landowners in Hidalgo County are filing the next wave of lawsuits.
Odyssey of State Capitols and State Suspicion. "The story behind an exhibition: postcards, designs, photography, travels, history, stamps and law enforcement." [Via BB.]
Online communities to become more 'all-encompassing.' If you join the SHC community on Sears.com, all web traffic to and from your computer thereafter will be copied and sent to a third party marketing research firm - including, for example, your secure sessions with your bank! The Sears.com proxy will send your logins and passwords along with a cleartext copy of all the supposedly secure data. But wait, it gets better: you can only view the true TOS once the proxy has already been installed. [more inside]
Heckuva Job DHS! 5 Years of Corporate Cronyism. CREW and Brave New Foundation have joined forces to create this video and a report, Homeland Security for Sale, documenting five years of waste, fraud and abuse at the Department of Homeland Security. [Via Think Progress.]
This is an ironic tale of the consequences of inept application of cryptographic tools. Or is it? Dan Egerstad, a Swedish hacker, gained access to hundreds of computer network accounts around the world, belonging to various embassies, corporations and other organizations. How did he do it? Very easily: by sniffing exit traffic on his Tor nodes. [more inside]
The TSA wants you to know, dear American, that if you don't pack your bags neatly, the terrorists have already won. This busiest Thanksgiving travel week ever, why not Simplifly? [more inside]
Throw the tourist from the train. Ejected from a train for refusing to stop taking pictures from the train. Well, for not stopping anyway; the refusing part is unclear. The nation is now secure.
When Ron Paul email spam started hitting inboxes in late October, UAB Computer Forensics Director Gary Warner published findings on the spam's textual patterns and the illicit botnet used to spread it -- findings which were picked up by media outlets and tech websites like Salon, Ars Technica, and Wired Magazine's "Threat Level" blog, the latter in a set of followup posts by writer Sarah Stirland: 1, 2, 3. [more inside]