jm + security   73

Digital Rights Forum - Online Privacy
'The Digital Rights Forum is a public debate on the important issues surrounding digital rights, with each event designed around the general over-arching topic of digital rights, plus a more narrowly focused subject. On Friday, the 18th of May, the forum will tackle the issue of Online Privacy.

With our lives ever more integrated with the web and social media, staying safe online is becoming an increasing concern to everyone. From mobile apps to websites and email, protecting our personal information and online privacy has never been more complicated and more important. Faced with software vulnerabilities such as contacts being leaked onto the Internet by mobile application providers, the increasing push toward revealing more private and personal information on social networks, and attempts by some to protect their businesses through litigation or processes which require the disclosure of personal information, the modern digital landscape has made protecting one's privacy more difficult than ever before.

With this in mind, this Digital Rights Forum will discuss the current state of data protection and online privacy in the current context of social networks and mobile applications.'

Featuring Billy Hawkes (the DPC, no less!), and Devore from Boards.
dpc  digital-rights  ireland  politics  online  security  privacy  data-protection 
10 days ago by jm
The lessons I learnt from my iPhone mugging | Benjamin Cohen on Technology
some good tips on iPhone security settings, in particular disabling the ability to turn off location services via Restrictions. I should do this
crime  iphone  location  london  mugging  phones  security  theft 
21 days ago by jm
747s using VLANs to secure in-flight access to engine management systems
'I was contracted to test the systems on a Boeing 747. They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 VLANs. We managed to break the VLANs and access other systems and with source routing could access the Engine management systems.' (via Risks)
scary  aviation  flight  security  boeing  747  via:risks 
november 2011 by jm
Bug #885027 in calibre: “SUID Mount Helper has 5 Major Vulnerabilities”
Amazing response to a security bug report. 'what's happening in this bug report right now is a perfect example of how *not* to do security response. When faced with two people who clearly know a few things about secure coding, rather than taking their advice and actually fixing the root cause of the problem (or abandon it as a hopeless situation, which is probably the more appropriate response), you've chosen to waste our time by demanding that we write weaponized exploits to exploit what most people already know to be exploitable. To top it off, when shown repeatedly how your half-baked "fixes" don't actually fix anything, rather than taking our advice you just add another small hurdle that can be trivially bypassed. It would be sad if it weren't so funny. I've decided that it's time to stop beating a dead horse. Usually I get paid good money to own software this hard, and I don't think you're worth making an exception. Best of luck, I'm sure you'll figure it out eventually.'
security  funny  calibre  linux  setuid  inept  open-source  bugs  bug-reports 
november 2011 by jm
Computer Virus Hits U.S. Drone Fleet
'Predator and Reaper crews use removable hard drives to load map updates and transport mission videos from one computer to another. The virus is believed to have spread through these removable drives.'
hmm, not quite sure how that air gap is supposed to work
air-gap  security  drones  viruses  firewalls 
october 2011 by jm
Black Hat: Insulin pumps can be hacked
"Everything has an embedded processor and computer in it," he said. "Every time you hide behind [security by] obscurity, it is going to fail."

Brad Smith, a researcher and Black Hat conference staffer who also is a registered nurse, said the medical field largely looks the other way when it comes to securing patient devices.

"I lecture at all the medical conferences," he said during the press conference. "They just hide it. Pay attention to what [Radcliffe] is saying. His life is in this pump." (via Risks Digest)
via:risks  insulin  pump  medicine  security  hacking  health  wireless 
september 2011 by jm
Convergence
'Convergence is a secure replacement for the Certificate Authority System. Rather than employing a traditionally hard-coded list of immutable CAs, Convergence allows you to configure a dynamic set of Notaries which use network perspective to validate your communication.
Convergence allows you to choose who you want to trust, rather than having someone else's decision forced on you. You can revise your trust decisions at any time, so that you're not locked in to trusting anyone for longer than you want.'
ssl  tls  trust  security  https  web  via:filippo  firefox  plugins  pki 
september 2011 by jm
The Monkeysphere Project
OpenPGP's web of trust extending further. 'Everyone who has used a web browser has been interrupted by the "Are you sure you want to connect?" warning message, which occurs when the browser finds the site's certificate unacceptable. But web browser vendors (e.g. Microsoft or Mozilla) should not be responsible for determining whom (or what) the user trusts to certify the authenticity of a website, or the identity of another user online. The user herself should have the final say, and designation of trust should be done on the basis of human interaction. The Monkeysphere project aims to make that possibility a reality.'
via:filippo  gpg  pki  security  software  ssh  ssl  web 
september 2011 by jm
Tracking the Trackers: To Catch a History Thief | Stanford Center for Internet and Society
jaysus. the Epic Marketplace online ad network performs a history stealing attack to determine if the viewer has recently visited 'pages about getting pregnant and fertility, including at the Mayo Clinic'. very very scummy -- massive privacy violation (via Adam Shostack)
privacy  history  browsers  history-stealing  css  attacks  security  via:adamshostack  epic-marketplace  nai  ads 
july 2011 by jm
stud
'a network proxy that terminates TLS/SSL connections and forwards the unencrypted traffic to some backend. It's designed to handle 10s of thousands of connections efficiently on multicore machines.'
stud  tls  ssl  security  networking  web  proxies  performance 
july 2011 by jm
Chrome to get HTTPS public key pinning
'Starting with Chrome 13, we'll have HTTPS pins for most Google properties. This means that certificate chains for, say, https://www.google.com, must include a whitelisted public key. It's a fatal error otherwise.' good anti-MITM protection
https  ssl  http  web  security  mitm  sniffing  chrome 
may 2011 by jm
DuoSecurity
well-packaged, well-designed, two-factor auth for SSH from Dug Song. free for small-scale use, too, it looks like. awesome! I've signed up (via Nelson)
via:nelson  security  authentication  authorization  two-factor-auth  openssh  ssh  dug-song 
april 2011 by jm
Dropbox dedupe feature allows materialization of any file, if you know its hash
'allows users to exploit Dropbox’s file hashing scheme to copy files into their account without actually having them. Dropship will save the hashes of a file in JSON format. Anyone can then take these hashes and load the original file into their Dropbox account using Dropship.' heh. that sounds very familiar, I seem to recall thinking about this problem on several occasions... ;) Dropbox certainly didn't like it, going by this account
security  filesharing  dropbox  online-backup  online-storage  p2p  hashes  sha  dmca 
april 2011 by jm
Mallory: Transparent TCP and UDP Proxy – Intrepidus Group - Insight
'a transparent TCP and UDP proxy. It can be used to get at those hard to intercept network streams, assess those tricky mobile web applications, or maybe just pull a prank on your friend.'  basically, cause wifi clients to associate with an Ubuntu host, then sniff their packets
proxy  security  network  sniffing  transparent-proxies  mobile  reverse-engineering  from delicious
april 2011 by jm
ImperialViolet - Revocation doesn't work
OCSP doesn't work -- the browser vendors have failed to implement it safely
security  ssl  https  tls  ocsp  revocation  crl  via:fanf  from delicious
march 2011 by jm
Comodo's incident report on the March 15 incident
pointing the finger at the Iranian state; various login URLs for GMail, Yahoo! Mail, Hotmail, and something called "global trustee" (wtf)
security  fraud  comodo  fail  ssl  tls  ocsp  revocation  from delicious
march 2011 by jm
Detecting Certificate Authority compromises and web browser collusion | The Tor Blog
'If I had to make a bet, I'd wager that an attacker was able to issue high value [SSL] certificates, probably by compromising [the USERTRUST SSL certificate authority] in some manner, this was discovered sometime before the revocation date, each certificate was revoked, the vendors notified, the patches were written, and binary builds kicked off - end users are probably still updating and thus many people are vulnerable to the failure that is the CRL and OCSP method for revocation.' It seems addons.mozilla.org was one of the bogus certs acquired. Major ouch. Thanks to EFF/Tor et al for investigating this -- SSL cert revocation is a shambles
security  ssl  tls  certificates  ca  revocation  crypto  exploits  eff  tor  comodo  usertrust  from delicious
march 2011 by jm
HBGary planned to "BLOW THE BALLS OFF OF NMAP"
'I would like to call it "B.E.S.T. Scanner" so people kind of get stuck calling it "the best scanner". We can figure out what BEST means later.' omgwtf. Is this guy 12 years old?
funny  security  humor  anonymous  scanner  nmap  hbgary  open-source  fail  idiots  from delicious
march 2011 by jm
FareBot: Read data from public transit cards with your NFC-equipped Android phone - codebutler
'When demonstrating FareBot, many people are surprised to learn that much of the data on their ORCA card is not encrypted or protected. This fact is published by ORCA, but is not commonly known and may be of concern to some people who would rather not broadcast where they’ve been to anyone who can brush against the outside of their wallet. Transit agencies across the board should do a better job explaining to riders how the cards work and what the privacy implications are.' (via Boing Boing)
via:boingboing  privacy  android  rfid  security  transit  mobile  encryption  mifare  desfire  farebot  from delicious
february 2011 by jm
Spammers Are Now Using Verified By Visa
Visa's atrociously-designed "security" program is now being used by criminals to process their credit-card payments, allegedly
verified-by-visa  spam  visa  security  from delicious
february 2011 by jm
Java Hangs When Converting 2.2250738585072012e-308
ie. the same value as the PHP bug. 'Konstantin [Pressier] reported this problem to Oracle three weeks ago, but is still waiting for a reply.' good job, Oracle!
oracle  fail  security  java  bugs  floating-point  from delicious
february 2011 by jm
Stuxnet is embarrassing, not amazing « root labs rdist
interesting post from Nate Lawson -- he suggests that Stuxnet could have been much better in payload obfuscation, had the authors studied the state of the art in malware implementation.  I'm not convinced, however; as Halvar Flake suggests, KISS applies
kiss  stuxnet  security  malware  obfuscation  siemens  from delicious
january 2011 by jm
apenwarr/sshuttle - GitHub
'Any TCP session you initiate to one of the proxied IP addresses [specified on the command line] will be captured by sshuttle and sent over an ssh session to the remote copy of sshuttle, which will then regenerate the connection on that end, and funnel the data back and forth through ssh. Fun, right? A poor man's instant VPN, and you don't even have to have admin access on the server.'
vpn  ssh  security  linux  opensource  tcp  networking  tunnelling  port-forwarding  from delicious
january 2011 by jm
Stuxnet Worm Used Against Iran Was Tested in Israel - NYTimes.com
some amazing details of Stuxnet's apparent background. 'By the accounts of a number of computer scientists, nuclear enrichment experts and former officials, the covert race to create Stuxnet was a joint project between the Americans and the Israelis, with some help, knowing or unknowing, from the Germans and the British.'
security  iran  israel  usa  stuxnet  politics  espionage  nytimes  testing  from delicious
january 2011 by jm
Why did annon attack the FG website? : ireland
all signs point to 'they didn't.'  also, interesting comment in the Reddit thread: 'From a source close to the situation; the forms [on the FG site] were not being sanitised [against SQL injection attacks] at all.'  incredibly amateurish, if true
reddit  anonymous  4chan  hacks  fine-gael  fghack  ireland  politics  security  sql  exploits  from delicious
january 2011 by jm
Tunisian government harvesting usernames and passwords
injects JS onto Google, Facebook, Yahoo! non-encrypted login pages to submit the typed username and password against nonexistent http URLs, e.g. 'http://www.google.com/wo0dh3ad', presumably so that DPI logging can collect them. apparently the HTTPS login pages are blocked to force use of HTTP
tunisia  via:pjakma  security  snooping  surveillance  https  javascript  from delicious
january 2011 by jm
27C3: Console Hacking 2010
great preso on the PS3 hack from the fail0verflow team. love the LaTeX "science bit". Sony's epic fail: non-random "random" key data
ps3  hacks  console  crypto  hypervisor  security  ccc  fail0verflow  from delicious
december 2010 by jm
The Background Dope on DHS Recent Seizure of Domains
according to this, the US Dept of Homeland Security is "seizing" domains through a back-channel to Verisign, since they directly control the .com TLD's nameservers. Expect to see dodgy sites start using non-US TLDs, names in multiple TLDs a la Pirate Bay, and eventually IPs instead of DNS records
tlds  dns  security  dhs  seizure  domains  cctlds  filesharing  icann  immixgroup  from delicious
december 2010 by jm
Backdoor Allegations regarding OpenBSD IPSEC
'It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into [the OpenBSD] network stack, in particular the IPSEC stack. Around 2000-2001'
openbsd  wow  ipsec  backdoors  fbi  nsa  us-politics  open-source  networking  security  from delicious
december 2010 by jm
good investigation into an Android WebKit exploit
already fixed in Froyo, but still -- interesting write-up from Sophos. good to see Google have chosen to separate all apps into individual uids, too
froyo  google  apps  phones  smartphones  android  webkit  exploits  security  from delicious
november 2010 by jm
All About Skimmers — Krebs on Security
photos of the current state-of-the-art in ATM skimmers via Brian Krebs
brian-krebs  atm  skimmers  security  photos  banking  fraud  from delicious
october 2010 by jm
Twitter OAuth-evasion backdoor
rather than force users of their official Android client to upgrade come the OAuthpocalypse, like everyone else has had to, they added a custom basic-auth backdoor: append "?source=twitterandroid" to the URLs. hilarity. apparently this also works for all other clients, too
twitter  oauth  funny  dailywtf  android  security  from delicious
september 2010 by jm
Twitter's misuse of OAuth
Twitter seem to be attempting to control misbehaving clients, by using the "consumer key" pair as a secret key for app developers. This is proving impossible for FOSS clients to work with, and is trivially hacked to allow third-party app impersonation. Bad idea, Twitter
twitter  fail  oauth  standards  open-source  gwibber  security  from delicious
september 2010 by jm
tcpcrypt
opportunistic encryption of TCP connections. not the simplest to set up, though
cryptography  encryption  tcp  security  internet  tcpcrypt  opportunistic  from delicious
august 2010 by jm
RTÉ News: CAO website blocked by malicious attack
is the CAO (Ireland's Central Applications Office, for university admissions) being DDOS'd? sounds like it
cao  ddos  security  ireland  from delicious
august 2010 by jm
Cache on Delivery
Mind-boggling presentation; a load of sites are exposing memcacheds to the public internet, with no auth, and full of juicy data (samples included). iptables is hard
memcached  security  hacks  exploits  from delicious
august 2010 by jm
Feds admit storing checkpoint body scan images
surprise! 'The U.S. Marshals Service admitted this week that it had surreptitiously saved tens of thousands of images recorded with a millimeter wave system at the security checkpoint of a single Florida courthouse.'
airport  dhs  fail  privacy  security  surveillance  tsa  big-brother  x-ray  from delicious
august 2010 by jm
Schneier on Security: Internet Worm Targets SCADA
'Stuxnet is a new Internet worm that specifically targets Siemens WinCC SCADA systems: used to control production at industrial plants such as oil rigs, refineries, electronics production, and so on. The worm seems to upload plant info (schematics and production information) to an external website. Moreover, owners of these SCADA systems cannot change the default password because it would cause the software to break down.'
wow  malware  worms  passwords  security  schneier  policies  defaults  from delicious
july 2010 by jm
NeoRouter
establish an overlay, encrypted private "virtual LAN" for a small set of machines. like Hamachi, except it supports Macs, Linux, and a range of WRT54G firmware; can run off a USB stick
firewall  hamachi  network  openwrt  remote  router  security  vpn  desktop-sharing  neorouter  tomato  from delicious
july 2010 by jm
Did a denial-of-service attack cause the stock-market "flash crash?"
wonderful; our world's economies are now more networked than ever, and vulnerable to the attacks which that enables. Have we learned nothing from the last few years?
networking  internet  ddos  stock-markets  security  from delicious
june 2010 by jm
Cory Doctorow: Persistence Pays Parasites
'Falling victim to a [phish] isn’t just a matter of not being wise to the ways of the world: it’s a matter of being caught out in a moment of distraction and of unlikely circumstance.' +1, that matches with the personal phishing stories I've heard from others
phishing  cory-doctorow  security  anti-phishing  scams  distraction  twitter  from delicious
may 2010 by jm
RFID "zapper" constructed from disposable camera
also, an RFID "jammer" to block reads of RFID chips within range. related: the Israeli govt is considering voting cards with RFID chips, apparently
rfid  via:risks  security  hardware  rf  radio  jamming  israel  from delicious
april 2010 by jm
Internet Security is a failure
ASF's Paul Querna: 'Security on the Internet sucks, and it is only getting worse. The problem is systemic, with security researchers and developers not producing viable ways for the average user to live on the Internet in a secure fashion without excessive paranoia.'
asf  authentication  infrastructure  tls  internet  security  from delicious
april 2010 by jm
DIY Burglar Alarm
Damian Beresford's experience installing his own home alarm. pretty cheap, sounds quite easy too
alarm  home-alarms  house  security  diy  install  from delicious
march 2010 by jm
Chip and PIN is broken
Ross Anderson's lab demo an attack on TV whereby any Chip-and-PIN debit card can be used in conjunction with a MITM device, with a PIN of "0000", verified online, and producing a receipt saying "PIN Verified". thoroughly hosed
security  banking  money  chipandpin  crypto  ross-anderson  from delicious
february 2010 by jm
Inside View from Ireland: Analysing Electronic Forensics Evidence
fascinating note from Bernie Goldbach: 'MORE THAN 20 YEARS ago, I worked with message traffic and the work told me the importance of verifying source material.'
bernie  spam  anti-spam  authentication  spoofing  security  phishing  from delicious
february 2010 by jm
Trojan torrent sites - why you should never reuse passwords
'for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own. However, these sites came with a little extra — security exploits and backdoors throughout the system. This person then waited for the forums and sites to get popular and then used those exploits to get access to the username, email address, and password of every person who had signed up.'
passwords  security  torrents  warning  twitter  accounts  from delicious
february 2010 by jm
Ross Anderson and Steven J Murdoch rip into Verified By VISA
'this is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure.'
verified-by-visa  security  phishing  web  banks  banking  money  authentication  finance  visa  3dsecure  papers  from delicious
february 2010 by jm
DNS Pre-fetch Exposure on Thunderbird and Webmail
Ugh, very bad idea indeed. A backchannel for spammers/phishers/attackers from the mail reader is something we definitely do not want to provide. This is why we chose to cut URLs at the registrar boundary for URIBL lookups in SpamAssassin
privacy  email  dns  mozilla  thunderbird  prefetching  urls  abuse  security  spam  from delicious
january 2010 by jm
Malicious App In Android Market
phisher creates a banking app for Android phones which relays the authorization details to another site, possible because of insufficient app vetting (via Mulley)
apps  iphone  android  smartphones  phones  mobile  phishing  security  banking  fraud  from delicious
january 2010 by jm
SSL trick certificate published
ioerror published the '\00' wild-card SSL cert for any domain (for affected SSL client libs at least)
ssl  tls  security  nul  ioerror  bugs  exploits  from delicious
november 2009 by jm
Stop using unsafe keyed hashes, use HMAC
why HMAC is more secure than secret-suffix and secret-prefix keyed hashing. good to know
hmac  security  crypto  hashing  md5  hashes  sha256  sha1  from delicious
october 2009 by jm
Time Warner Cable Exposes 65,000 Customer Routers to Remote Hacks
massive fail. 'By simply disabling Javascript in his browser, he was able to [...] dump the router’s configuration file [...which] included the administrative login and password in cleartext.'
smc8014  doh  privacy  internet  security  fail  time-warner  via:reddit  pathetic  javascript  from delicious
october 2009 by jm
Cybercrime Organizations Turn to ‘Mafia-Style’ Structure
good research coming out of McAfee -- lots of Eastern European, Russian, and ex-USSR-country cybercrime businesses nowadays, apparently
spam  scams  scareware  russia  eastern-europe  ukraine  romania  credit-cards  antivirus  mcafee  security  phishing  from delicious
october 2009 by jm
why "anonymized" data really isn't
'Ohm notes, this illustrates a central reality of data collection: "data can either be useful or perfectly anonymous but never both."'
security  internet  politics  privacy  medicine  anonymity  datamining  anonymous  data  from delicious
september 2009 by jm
codepad.org
'an online compiler/interpreter, and a simple collaboration tool. It's a pastebin that executes code for you. You paste your code, and codepad runs it and gives you a short URL you can use to share it.' supports C, C++, D, Haskell, Lua, OCaml, PHP, Perl, Python, Ruby, Scheme, and Tcl code; isolated by a geordi-based supervisor, in turn running inside a firewalled virt, in turn running inside a firewalled dom0. nice work!
codepad  vm  jails  infrastructure  security  via:waxy  c  languages  programming  sandbox  pastebin 
august 2009 by jm
bank-trojan fraudsters use Twitter to control botnet
next in a long line of one-to-many communication systems used by bad guys
twitter  botnet  security  upd4t3  banking  fraud 
august 2009 by jm
User complaints about photos in Facebook ads
'The platform API remains fundamentally broken and gives users no way to prevent applications from accessing their photos. Facebook would be best served by fixing this instead of dismissing users’ concern for privacy as “misleading rumors.”'
security  privacy  facebook  advertising  facebook-api  apis  opt-out 
august 2009 by jm
Security Fix - Clampi Trojan: The Rise of Matryoshka Malware
'[Joe] Stewart said the sophistication and stealth of this malware strain has become so bad that it's time for Windows users to start thinking of doing their banking and other sensitive transactions on a dedicated system that is not used for everyday Web surfing.' it's that bad
joe-stewart  secureworks  malware  reverse-engineering  clampi  trojans  banking  security  danger  risks  windows  microsoft  fraud 
august 2009 by jm
Spinvox in trouble after BBC investigation
'A UK firm that turns mobile messages into text faces questions over its privacy standards, technology and finances following a BBC investigation' .. 'claims to the BBC suggest that the majority of messages have been heard and transcribed by call centre staff in South Africa and the Philippines.' 'The fact that messages appear to have been read by workers outside of the European Union raises questions about the firm's data protection policy.'
data-protection  privacy  facebook  bbc  technology  mobile  transcription  spinvox  security  south-africa  offshoring 
july 2009 by jm
Public SSL Server Database
'an online service that enables you to look up the configuration of any public SSL web server. The configuration of known public SSL web servers will be periodically inspected and the results recorded. This service relies on the SSL Server Rating guide for the assessment'
ssl  grades  security  tls  https  servers  sysadmin  ssl-labs 
july 2009 by jm
UK company selling "have you been phished" check using stolen data
according to this, a retired cop has set up a company called Lucid Intelligence with 'the records of four million Britons, and 40 million people worldwide, mostly Americans', and plans to 'charge members of the public for access to his database to check whether their data security has been breached.' How is this legal under Data Protection law? wtf
privacy  uk  law  hacking  phishing  fraud  crime  police  database  identity-theft  lucid-intelligence  data-protection  security  colin-holder 
july 2009 by jm
