Monthly Archives: April 2013

Even After Hacks And Bombings, Privacy Advocates Have Big Week In Congress


In light of the AP’s high-profile Twitter hacking and a vicious domestic bombing, Americans have not let fear derail privacy legislation. Just this week, the Senate advanced an anti-email snooping law and the controversial Cyber Intelligence Sharing and Protection Act (CISPA) is reportedly on its way to the grave. It appears that the burden of proof has shifted to proponents of government surveillance, and they’ve been conspicuously silent about how spying will keep Americans safe.

Two Bills

CISPA, which gives immunity to Internet companies for sharing sensitive data with law enforcement, will reportedly not be taken up for a vote in the Senate. “We’re not taking [CISPA] up,” a representative from the Senate’s Committee on Commerce, Science and Transportation told US News, “Staff and senators are divvying up the issues and the key provisions everyone agrees would need to be handled if we’re going to strengthen cybersecurity. They’ll be drafting separate bills.”

After wavering support from Facebook and other high-profile Internet companies, the White House threatened to veto the bill over privacy concerns, most likely related to ambiguous definitions of what constitutes a cyber “threat” and how agencies would be kept honest.

ECPA Reform – The 1970s law that permits security agencies to access emails that have been opened or are older than 180 days is on its way to a privacy upgrade. The law was designed before users kept their email indefinitely in the cloud (e.g. Gmail), and a few high-level privacy breaches, including the unearthing of General David Petraeus’s romantic affair, have created overwhelming demand to overhaul the antiquated law. Today, an amendment to require a warrant before reading emails was voted on by voice, which means there wasn’t even enough opposition among the Judiciary committee members for a debate.

Staff members inside the House of Representatives, where the bill will go if it passes the senate, tell me that there also isn’t much opposition to the reforms on their side of Congress, and that a bill by Rep. Zoe Lofgren (CrunchGov Grade: A) could very well be combined with the Senate’s version for a streamlined change (yes, occasionally things are efficient in Congress).

Why Not?

Even after the AP’s Twitter account was hacked to spread a rumor about an explosion at the White House and two American men successfully detonated bombs at the Boston Marathon, there’s no reason to believe that either CISPA or ECPA would have kept Americans safer.

Even President Obama’s freak-everyone-out op-ed last year urging cyber security legislation couldn’t muster more than hypotheticals.

“Last month I convened an emergency meeting of my cabinet and top homeland security, intelligence and defense officials…Unknown hackers, perhaps a world away, had inserted malicious software into the computer networks of private-sector companies that operate most of our transportation, water and other critical infrastructure systems. Fortunately, last month’s scenario was just a simulation,” he wrote in a largely unconvincing imaginary example to prove why we needed enhanced surveillance.

As for the Boston bombers, American and Russian authorities had already been following them. At any level, it appears to be an internal slip-up that neither data from their email nor their Facebook pages would have helped prevent.

On the other hand, privacy advocates have had some very tangible close calls. It appears the least liked government agency in the country, the Internal Revenue Service, was spying on the emails of suspected tax dodgers.

While I’m not convinced email and social media privacy necessarily outweigh very real terrorist threats, the burden is on the government to prove it needs a bigger spyglass. Ironically, if the government wants the American people to be more supportive of surveillance, they’ll need to be more transparent.

Retrieved from TechCrunch

House passes CISPA

The controversial Cyber Intelligence Sharing and Protection Act passed April 18 in the House by a margin of 288-127, joining three other cybersecurity bills that will move forward for Senate consideration.

CISPA passed the House last year as well, but died in the Senate amid privacy and civil liberties concerns as well as a White House veto threat. The latest vote drew praise from information-sharing advocates but, as in the past, ignited a firestorm of criticism as well.

“I am very proud that so many of my colleagues were able to look past the distortions and fear-mongering about this bill, and see it for what it really is — a very narrow and focused authority to share cybersecurity threat information to keep America safe,” said Rep. Mike Rogers, (R-Mich.), who co-sponsored the bill. “I look forward to working with my Senate colleagues to get cyber threat information sharing legislation passed into law this year.”

Some parties — IT trade groups, Capitol Hill backers of the legislation — applauded CISPA’s passage, characterizing it as a step toward comprehensive cybersecurity legislation. In particular, the bill’s measures addressing information-sharing between private companies and the government garnered praise.

“Early detection and notification of cybersecurity threats is the most critical component of preventing and mitigating attacks as well as increasing security across the board,” said Ken Wasch, president of the Software and Information Industry Association. “CISPA creates the necessary flexibility for businesses to share security information without fear of legal or regulatory liability.”

However, other organizations voiced concerns over privacy and civil liberties threats the bill could pose by allowing companies, including Internet service providers, to furnish the government with information on citizens’ online activities.

“CISPA is an extreme proposal that allows companies that hold our very sensitive information to share it with any company or government entity they choose, even directly with military agencies like the [National Security Agency], without first stripping out personally identifiable information,” said Michelle Richardson, a legislative counsel at the ACLU’s Washington Legislative Office. “We will work with Congress to make sure that the next version of information sharing legislation unequivocally resolves this issue, as well as tightens immunity provisions and protects personal information. Cybersecurity can be done without sacrificing Americans’ privacy online.”

According to reports, work is now under way in the Senate to draft a cybersecurity bill.

Retrieved from FCW

Researchers find serious flaw in latest JRE for desktops, servers

The Java 7 Reflection API contains a hidden threat, says security research firm

By Lucian Constantin, IDG News Service, 04/23/13

Java vulnerability hunters from Polish security research firm Security Explorations claim to have found a new vulnerability that affects the latest desktop and server versions of the Java Runtime Environment (JRE).

The vulnerability is located in Java’s Reflection API component and can be used to completely bypass the Java security sandbox and execute arbitrary code on computers, Adam Gowdiak, the CEO of Security Explorations, said Monday in an email sent to the Full Disclosure mailing list. The flaw affects all versions of Java 7, including Java 7 Update 21 that was released by Oracle last Tuesday and the new Server JRE package released at the same time, he said.

As the name suggests, the Server JRE is a version of the Java Runtime Environment designed for Java server deployments. According to Oracle, the Server JRE doesn’t contain the Java browser plug-in, a frequent target for Web-based exploits, the auto-update component or the installer found in the regular JRE package.

Although Oracle is aware that Java vulnerabilities can also be exploited on server deployments by supplying malicious input to APIs (application programming interfaces) in vulnerable components, its message has generally been that the majority of Java vulnerabilities only affect the Java browser plug-in or that the exploitation scenarios for Java flaws on servers are improbable, Gowdiak said Tuesday via email.

“We tried to make users aware that Oracle’s claims were incorrect with respect to the impact of Java SE vulnerabilities,” Gowdiak said. “We proved that the bugs evaluated by Oracle as affecting only the Java plug-in could affect servers as well.”

In February, Security Explorations published a proof-of-concept exploit for a Java vulnerability classified as plug-in-based that could have been used to attack Java on servers using the RMI (remote method invocation) protocol, Gowdiak said. Oracle addressed the RMI attack vector in the Java update last week, but other methods of attacking Java deployments on servers exist, he said.

Security Explorations researchers haven’t verified the successful exploitation of the new vulnerability they found against Server JRE, but they listed known Java APIs and components that could be used to load or execute untrusted Java code on servers.

If an attack vector exists in one of the components mentioned in Guideline 3-8 of Oracle’s “Secure Coding Guidelines for the Java Programming Language,” Java server deployments can be attacked through a vulnerability like the one reported Monday to Oracle, Gowdiak said.

The researcher took issue with the way the Reflection API was implemented and audited for security issues in Java 7, because the component has been the source of multiple vulnerabilities so far. “The Reflection API does not fit the Java security model very well and if used improperly it can easily lead to security problems,” he said.

Retrieved from InfoWorld

Facebook rethinks its ‘hackathons’ with an eye toward mobile

Facebook is retooling its famous “hackathon” all-night coding workshops to give engineers more time to conceive new products, hopefully with a focus on mobile.

The hackathons, a longstanding event at the company where “hacking” is central to the corporate mantra, have previously run as anything-goes, all-night workshops in which employees think up new product concepts and develop rough prototypes. If they impress, those prototypes sometimes end up as commercial products.

Some of Facebook’s most popular features, including the “Like” button, Timeline and Chat, were conceived during hackathons, so they play an important role.

Thursday’s event, dubbed “Project Mayhem,” began at 11 a.m. and will continue until 2 p.m. Friday. When it concludes, engineers get three minutes to pitch their ideas on stage at a prototype forum.

With the more flexible structure, Facebook wants to encourage more employees to take a break from their day-to-day work and get involved in coding.

“It’s like, ‘let’s take this day off to do this, and then if I need to get more done, we can hang out and finish at night,'” said Facebook engineering manager Pedram Keyani, who organizes the hackathons. About a couple hundred employees gathered outside on Facebook’s sprawling campus in Menlo Park, California, for the event’s kick-off. Some watched overhead from office windows.

Project Mayhem is also the first hackathon to offer classes to employees, on topics including PHP programming, data visualization and even juggling, Facebook said.

The longer hackathon could help facilitate the development of mobile products specifically, which often require more careful planning and development than Web-based products, Keyani said.

Recognizing the growing importance of mobile, Facebook put smartphone platforms at the heart of its development last year, but there are new considerations for mobile. While Web-based products can be pushed out gradually to select users, once an app goes live in the Apple App or Google Play Stores, it is out there for everyone, he said.

“There is a lot of focus now on mobile, without the same flexibility as the Web,” Keyani said. “We’re just adapting.”

This year’s longer hackathon could also encourage employees to use more time to build bigger prototypes that couldn’t be built in a few hours, said software engineer Bob Baldwin.

“The prototype may not be an exact solution of what we want to ship, but it could at least give us something to look at, play with and see how it works,” he said. “And we could see what type of reaction people have internally.”

During an afternoon tour of Facebook’s offices, engineers did not say much about what types of projects they were thinking about. Some, however, did describe early-stage efforts to improve the coding in Facebook’s back-end infrastructure to make it more efficient. Another said he was considering doing something with emoticons.

On mobile, Facebook reported during its first-quarter earnings announcement on Wednesday that its monthly active users had increased by 54 percent to 751 million. The company has just over 1 billion monthly active users total.

Retrieved from Computer World