Date: Wed, 22 Dec 2010 19:45:22 +0530
From: sysman01@mtnl.net.in
Subject: [CCCNews] CCCNews Newsletter - dated 2010 December 22
To: sysman01@mtnl.net.in
December 22, 2010
Editor - Rakesh Goyal (rakesh@sysman.in)
In today's Edition - (This is a news-letter and not a SPAM)
CONTROL : New UN committee could handle governments internet control
LAW : French Parliament Adopts Website Blocking Legislation
VULNERABILITY : Web browser flaw secretly bares all
FOR RECORDS : WiFi Vulnerabilities Advances and incidents in 2010
IT Term of the day
Quote of the day
* Direct Circulation in 4 Google groups (control-computer-crimes@googlegroups.com and IT-Sec-NSE@googlegroups.com) and 2 more groups
--Forwarded Message Attachment--
IT and Related Security News Update from
Centre for Research and Prevention of Computer Crimes, India
Courtesy - Sysman Computers Private Limited, Mumbai (www.sysman.in)
December 22, 2010
CONTROL : New UN committee could handle governments internet control
By Jane Fae Ozimek
20th December 2010
http://www.theregister.co.uk/2010/12/20/un_committee_internet/
The endgame in the long-running battle over who is to control the internet may be upon us, with the appointment of a little-reported but highly significant new UN committee to look into initiatives for policing the internet.
This follows the decision at the UN Commission on Science and Technology for Development (CSTD) 2010-2011 Inter-sessional Panel, reported in RawStory last week for a recently-formed United Nations task force to look at the possibility of creating a new inter-governmental working group to help further international cooperation on policies to police the internet.
At stake was the future of the Internet Governance Forum (IGF), a UN-sponsored body that puts forward recommendations on how governments should respond to internet developments. With the IGF mandate about to expire, the question to be answered was whether to allow the IGF quietly to pass away or to breathe new life into it, extending its mandate both in scope and term.
The CSTD Bureau decided that there was life in the Forum yet - or at least there should be - and put forward proposals for a re-energised IGF that sent shivers of apprehension down the collective spine of those committed to the internet as a highway to free expression and democratic debate.
They proposed that the task force be limited in future to governments, with no representation by civil or industry groups. Unsurprisingly, delegates at Tuesday's task force meeting from countries such as China, Brazil, India, South Africa, Serbia and Saudi Arabia indicated that they were favourable to the government-only plan.
Some of those present, including Portugal and Brazil, focussed on the positive aspects of this decision, particularly in respect of how it might help to further proliferate broadband services in poorer nations. Brazil went out of its way to insist that this move should not be seen as a "takeover" of the internet.
However, critics have been swift to condemn this move. Writing on Google's official blog on Friday, Chief Internet Evangelist Vint Cerf stated: "The beauty of the Internet is that it's not controlled by any one group. Its governance is bottoms-up - with academics, non-profits, companies and governments all working to improve this technological wonder of the modern world.
"This model has not only made the Internet very open - a testbed for innovation by anyone, anywhere - it's also prevented vested interests from taking control.
"The current bottoms-up, open approach works - protecting users from vested interests and enabling rapid innovation. Let's fight to keep it that way."
This decision has also excited condemnation from a powerful alliance of internet interests, including ICANN, Nominet, the Internet Governance Caucus and the International Chamber of Commerce who joined together with other concerned organisations to express their concerns, and to launch a petition. They write: "We are surprised and deeply concerned about the decision taken by an extraordinary meeting of the Commission on Science and Technology for Development (CSTD) Bureau on Monday.
"The format decided by the Bureau of the CSTD is contrary to both the report and the spirit of the ECOSOC resolution [(2010/2) of the United Nations Economic and Social Council] and is therefore disappointing.
"In any event, it is not up to the Bureau of the CSTD to make a decision on this matter.
"This is not a Working Group of the CSTD, but rather a Working Group to be convened by the Chair of the CSTD as instructed by the ECOSOC resolution.
"The CSTD Chair entrusted you with the mission of implementing the request made to her. In light of that and the above information we urge you to retract the decision of 7 December, and to establish an appropriately constituted Working Group consistent with the WSIS formulation ensuring 'the full and active participation of governments, the private sector and civil society from both developing and developed countries, involving relevant intergovernmental and international organizations and forums'."
LAW : French Parliament Adopts Website Blocking Legislation
By Lucian Constantin
December 20, 2010
The French National Assembly has adopted a controversial article of a bill known as LOPPSI 2, which allows the government to order websites blocked without a court order.
LOPPSI 2 stands for "loi d'orientation et de programmation pour la performance de la sécurité intérieure," which translates to "law on guidelines and programming for the performance of internal security."
The proposed law has forty-eight articles dealing with issues like traffic crimes and online child pornography. Article 4, in particular gives the government the power to request that certain websites be blocked immediately without any judicial oversight.
Civil rights activists consider this a significant blow to Internet neutrality. They also claim that child protection is only being used as an excuse and that the government will abuse the new power to block other websites as well.
Its willingness to do so was displayed recently when industry minister Eric Besson warned ISPs that there will be consequences for hosting WikiLeaks on their servers because it is unacceptable for French companies to host websites deemed criminal.
Of course, the illegality of WikiLeaks' actions have never been proven in court. In fact, the whistleblowing organization has not even been charged with anything in France or elsewhere.
"It is very worrying to see Members of the French Parliament have given their approval to the administrative censorship of the Net just as the government is trying to ban WikiLeaks without fair trial," said Félix Tréguer, legal and policy analyst at La Quadrature du Net, an Internet freedoms watchdog organization.
"Nobody will be able to verify the way blocking measures are implemented, through a secret blacklist, and there will be no way of challenging them. Such a provision is a blatant violation of free speech," he concluded.
Leaving aside the proven inefficiency of blacklists at keeping users away from illegal content, Interpol is already working on a similar service to which ISPs will be able to opt in voluntarily.
Interpol probably has more experience in monitoring child abuse websites than the French government, and ISPs who refuse to adhere to the blacklist can be publicly shamed.
VULNERABILITY : Web browser flaw secretly bares all
'History sniffing' helps con artists learn more about targets' online visits.
BY JORDAN ROBERTSON
THE ASSOCIATED PRESS
December 19, 2010
http://www.thonline.com/article.cfm?id=305711
SAN FRANCISCO -- Dozens of websites have been secretly harvesting lists of places that their users previously visited online, everything from news articles to bank sites to pornography, a team of computer scientists found.
The information is valuable for con artists to learn more about their targets and send them personalized attacks. It also allows e-commerce companies to adjust ads or prices -- for instance, if the site knows you've just come from a competitor that is offering a lower price.
Although passwords aren't at risk, in harvesting a detailed list of where you've been online, sites can create thorough profiles on their users.
The technique the University of California, San Diego researchers investigated is called "history sniffing" and is a result of the way browsers interact with websites and record where they've been. A few lines of programming code are all a site needs to pull it off.
Although security experts have known for nearly a decade that such snooping is possible, the latest findings offer some of the first public evidence of sites exploiting the problem. Current versions of the Firefox and Internet Explorer browsers still allow this, as do older versions of Chrome and Safari, the researchers said.
The report adds to growing worry about surreptitious surveillance by Internet companies and comes as federal regulators in the U.S. are proposing a "Do Not Track" tool that would prevent advertisers from following consumers around online to sell them more products.
The researchers found 46 sites, ranging from smutty to staid, that tried to pry loose their visitors' browsing histories using this technique, sometimes with homegrown tracking code. Nearly half of the 46 sites, including financial research site Morningstar.com and news site Newsmax.com, used an ad-targeting company, Interclick, which says its code was responsible for the tracking.
Interclick said the tracking was part of an eight-month experiment that the sites weren't aware of. The New York company said it stopped using the technique in October because it wasn't successful in helping match advertisers to groups of Internet users. Interclick emphasized that it didn't store the browser histories.
Morningstar said it ended its relationship with Interclick when it found out about the program, and NewsMax said it didn't know that history sniffing had been used on its users until The Associated Press called. NewsMax said it is investigating.
The researchers studied far more sites -- a total of the world's 50,000 most popular sites -- and said many more behaved suspiciously, but couldn't be proven to use history sniffing. Nearly 500 of the sites studied had characteristics that suggested they could infer browsers' histories, and more than 60 transferred browser histories to the network. But the researchers said they could only prove that 46 had done actual "history hijacking."
"Browser vendors should have fixed this a long time ago," said Jeremiah Grossman, an Internet security expert at WhiteHat Security Inc., which wasn't involved in the study. "It's more evidence that we not only needed the fix, but that people really should upgrade their browsers. Most people wouldn't know this is possible."
The latest versions of Google Inc.'s Chrome and Apple Inc.'s Safari have automatic protections for this kind of snooping, researchers said. Mozilla Corp. said the next version of Firefox will have the same feature, adding that a workaround exists for some older versions as well.
Microsoft Corp. noted that Internet Explorer users can enable a private browsing mode that prevents the browser from logging the user's history, which prevents this kind of spying. But private browsing also strips away important benefits of the browser knowing its own history, such as displaying Google links you've visited in different colors than those you haven't.
"It's surprising, the lifetime that this fundamental a privacy violation can stick around," said Hovav Shacham, an assistant professor of computer science and engineering at UC San Diego and one of the paper's authors.
FOR RECORDS : WiFi Vulnerabilities Advances and incidents in 2010
Looking back at WiFi security issues and what we learned in 2010
By Ajay Kumar Gupta,
Network World
December 20, 2010
http://www.networkworld.com/news/2010/121020wifiin2010.html
The 802.11n standard was ratified in 2009 and WiFi really took off in 2010, with support showing up in an array of consumer electronic devices. Unfortunately security related issues escalated right along with growing acceptance. Here's a look back at the WiFi security issues that emerged this year.
Virtual WiFi leads to rogue access points: The Windows 7 virtual WiFi capability, or soft AP, became popular in the early part of 2010, with users downloading millions of copies of free programs such as Connectify to exploit the feature. But it didn't take long for security experts to see the danger and warn organizations about the possibility of employees creating rogue access points using virtual WiFi. These rogue APs can create a hole in your network security and allow an unauthorized user to "ghost ride" into the corporate network. This type of access can be difficult to notice using traditional wire-side techniques, so experts advocated watching carefully for the appearance of rogue APs while upgrading machines to Windows 7.
MiFi gains popularity: Steve Jobs experienced a WiFi malfunction during the iPhone 4 launch in June 2010. An examination after the fact revealed that around 500 mobile hotspot networks were in use, supporting some 1,000 WiFi devices. This incident brought to light the security issues that can crop up from use of MiFi, and experts suggest using dedicated monitoring solutions capable of detecting these unauthorized devices on a 24x7 basis.
Google's WiFi snooping controversy: In the middle of 2010 Google admitted that their cars used to collect Street View information also mistakenly collected payload data from unsecured WiFi networks. Many viewed the act as a privacy breach because the data collected included personal information such as email, passwords, fragments of files, browsed Internet data, pictures, video clips, etc. The controversy was a major black eye for Google but served as a big wake up call for all those WiFi users who still haven't secured their WiFi networks.
Russian spies and peer-to-peer WiFi links: The use of private, ad hoc WiFi networks for secret communication came to light when the FBI arrested a group of Russian spies who were using the tools to privately transfer data. Such ad hoc WiFi networks set up links between WiFi users without using a centralized WiFi router. Corporations are advised to deploy monitoring tools that can snoop out such connections.
Fake WiFi stealing data from smartphones: Security experts discovered that using a smartphone's WiFi capability to access an open or public network can lead to a vulnerability if the user doesn't tell the phone to forget the network. Users that don't follow this advice are in danger of getting trapped into a fake WiFi network by someone with malicious intents. Once trapped, users can end up leaking passwords and other private data, and might be at risk of malware and worms.
Hole196 uncovered for WPA/WPA2 WiFi networks: The name Hole196 was used for the vulnerability that was uncovered at security conferences in Las Vegas in July by AirTight Networks. The vulnerability was mainly targeted at WPA2 (using AES encryption) WiFi networks configured with the 802.1x authentication mechanism. Before Hole196 showed up, such networks were considered some of the most secure WiFi deployments around. With Hole196, these networks can be subjected to a fatal insider attack, where an insider can bypass the WPA2 private key encryption and 802.1x authentication to scan devices for vulnerabilities, install malware and steal personal or confidential corporate information. Although specially targeted at WPA (AES)/802.1x networks, the vulnerability also applies to WPA/WPA2-PSK networks.
The folks that found Hole196 say exploiting the vulnerability is simple and the attack isn't detected by traditional wire-side IDS/IPS systems. Being an insider attack, the importance of Hole196 was downplayed by some experts, but reports point out that, with the rise of insider attacks, Hole196 is now considered important. Security experts strongly advocate the use of a comprehensive WIPS solution.
Firesheep turns laymen into WiFi hackers: Firesheep, the Firefox extension developed by Eric Butler, was released for public use in late 2010. Since then it has gained tremendous attention because it has almost automated the task of hacking over insecure WiFi networks such as hotspots. With Firesheep and a compatible WiFi client card, a malicious user just needs a single click to see the details of various people in his/her vicinity visiting their respective accounts on websites (using unencrypted after-login sessions), such as Facebook, Twitter, Amazon, etc.
Another click and the malicious user can log into these sites, meaning even laymen can become hackers. Security experts remind people to exercise extra precaution while enjoying unsecured WiFi connections. The world is hoping Firesheep's popularity will motivate the popular social network websites to take further steps to protect user security.
Smartphone as WiFi attacker: The year 2010 witnessed the release of many new high end smartphones but these devices are now being seen as active threats. While attackers previously needed to carry a notebook to eavesdrop on WiFi links or launch sophisticated WiFi attacks, they can now perform these tasks using a high end smartphone.
Reviewing the list of WiFi security issues that came up in 2010, it can be expected that 2011 will witness more of the same. With new WiFi attack vectors emerging, corporations will realize they need additional layers of security that can provide active protection.
New IT Term of the day
choke packet
A specialized packet that is used for flow control along a network. A router detects congestion by measuring the percentage of buffers in use, line utilization and average queue lengths. When it detects congestion, it sends choke packets across the network to all the data sources associated with the congestion. The sources respond by reducing the amount of data they are sending.
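As an added illustration of the term (not part of the newsletter), the following small discrete-time simulation models a router that measures its buffer occupancy each tick, sends a choke packet to every source with traffic in the congested queue, and has each source halve its rate in response. All names, capacities and rates are constructed for the example.

```python
# Added example: choke-packet flow control simulation (constructed, not from
# the newsletter). A router with a fixed number of buffers forwards `drain`
# packets per tick; when buffer occupancy reaches `threshold` it sends a
# choke packet to each source that has packets queued, and those sources
# back off by halving their send rate.
from dataclasses import dataclass, field


@dataclass
class Source:
    name: str
    rate: int                 # packets offered per tick
    choked: int = 0           # choke packets received so far

    def receive_choke(self) -> None:
        # Back off to half the current rate, but never stop sending entirely.
        self.choked += 1
        self.rate = max(1, self.rate // 2)


@dataclass
class Router:
    capacity: int             # total buffer slots
    drain: int                # packets forwarded per tick
    threshold: float = 0.8    # occupancy fraction that counts as congestion
    queue: list = field(default_factory=list)      # source name per buffered packet
    choke_log: list = field(default_factory=list)  # (tick, source) for each choke sent
    dropped: int = 0          # packets lost because all buffers were full

    def tick(self, tick_no: int, sources: list) -> float:
        # 1. Arrivals: accept packets while buffers remain, drop the rest.
        for s in sources:
            for _ in range(s.rate):
                if len(self.queue) < self.capacity:
                    self.queue.append(s.name)
                else:
                    self.dropped += 1
        # 2. Congestion check on the percentage of buffers in use.
        occupancy = len(self.queue) / self.capacity
        if occupancy >= self.threshold:
            culprits = set(self.queue)   # sources associated with the congestion
            for s in sources:
                if s.name in culprits:
                    s.receive_choke()
                    self.choke_log.append((tick_no, s.name))
        # 3. Forward what the outgoing line can carry this tick.
        del self.queue[: self.drain]
        return occupancy


def simulate(sources, capacity=20, drain=10, threshold=0.8, ticks=5):
    """Run the model and return (final rates, choke log, total drops)."""
    router = Router(capacity, drain, threshold)
    for t in range(1, ticks + 1):
        router.tick(t, sources)
    return {s.name: s.rate for s in sources}, router.choke_log, router.dropped


if __name__ == "__main__":
    srcs = [Source("A", 8), Source("B", 6), Source("C", 2)]
    print(simulate(srcs))   # sources settle at 4, 3 and 1 packets per tick
```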
The dissenter is every human being at those times of his life when he resigns momentarily from the herd and thinks for himself.
Archibald MacLeish
(1892-1982)
Poet, playwright, diplomat
Note -
- As a member of this group, you get useful information to protect yourself and your IT assets and processes from various Computer and Related Crimes.
- If you think that your other friends/colleagues/acquaintances/relatives/foes/enemies also need this information, forward the mail to them and request them to send their e-mail addresses and names to us with subject as "Subscribe".
- If you or someone has become victim of Computer Crimes or has any query on prevention, you are welcome to write to us.
- If you are not interested in it and would like to unsubscribe - send a reply mail with subject as "Unsubscribe".
- Disclaimer - We have taken due care to research and present these news-items to you. Though we've spent a great deal of time researching these matters, some details may be wrong. If you use any of these items, you are using them at your own risk and cost. You are required to verify and validate before any usage. Most of these need expert help / assistance to use / implement. For any error or loss or liability due to whatsoever reason, CRPCC and/or Sysman Computers (P) Ltd. and/or any associated person / entity will not be responsible.