Author Archive

Response: Thoughts on the Lower Merion School District

March 17th, 2010

I received the following email:

Are you aware of the flap in our area – Lower Merion, PA – that has drawn international attention? It seems that the school board bought software that can control the laptop camera to track lost or stolen computers. Someone got the bright idea that they could spy on a kid suspected of drug use. Fourth Amendment issues aside, this is spyware. It seems a great opportunity to alert the public to how likely things like this may well be on their computers. You might have the needed “Bully Pulpit.”

I’ve been silent on this issue for a while. Here’s my email reply to the inquiry:

It’s a very difficult case. When does the public sphere end and the private one begin? Would you be against turning on the camera/mic if it occurred only on school grounds? Could asset tracking software constitute a breach of privacy even if it does not turn on the camera and microphone? What about administrators who need to update the machine with the latest patches, software versions, etc.?

I admit that I do not have the answers to these questions or to how to proceed. Intuitively, I think that software that remotely turns on the camera and mic should categorically be denied on public/school computers, although laptops will need some type of asset tracking (perhaps installed in the BIOS at the hardware level) to prevent theft of devices and illegal resale of hardware. If the BIOS tracking were disclosed and explained to the laptop recipient, then I think it would be OK. Updating software remotely may give too much access to administrators, who could then install additional “spyware”. How to proceed with such laptop maintenance is still unclear to me.


Randomly saw #defcon on #NYC s…

March 16th, 2010

Randomly saw #defcon on #NYC street while at lunch. Never know when #infosec will pop up in the everyday landscape http://yfrog.com/izmidsmj


Data Has Time Dependency: Crimes Impact Linger

March 11th, 2010

Data stolen from HSBC in 2006 and 2007 still carries an impact: in this case around 15,000 people could face tax consequences. (Whether they sheltered money and cheated on their taxes is, naturally, a separate issue.) The impact is worldwide.

A former IT employee of Swiss subsidiary HSBC Private Bank (Suisse) SA, identified by French authorities as Herve Falciani, obtained the information between late 2006 and early 2007, the bank said. The accounts, held by individuals worldwide, were all opened before October 2006.

Ultimately this means that the value of data depends on its relationship to the relevant state of affairs. Put differently, if a credit card account is inactive, its data is worthless to someone who attempts to use it; but if that inactive data ties someone back to fraud that occurred last year, it is still relevant.

In the case of HSBC, the accounts reflect who was (potentially) cheating on their taxes in 2006. If the statute of limitations has not run out, the information is still valuable.


Easing Sanctions to Spread Democracy

March 8th, 2010

It appears that the US has eased sanctions on technology exports in order to help empower people and potentially spread Democracy. I wrote about this a few weeks back when it was proposed in the New York Times.


Not at #RSAC but still network…

March 3rd, 2010

Not at #RSAC but still networking here in NYC… Time for lunch with another infosec pro… Always enjoy these chats.


Facebook Gaffe Shares Pvt Emails

February 26th, 2010

Drugs and Vitamin Propaganda?

February 26th, 2010

I hope I don’t test positive for substances because I just take normal vitamins from GNC.

Earlier today GNC sent me the following email (which is worth reading in full):

On February 3, 2010, Senators John McCain and Byron Dorgan introduced S. 3002, a bill entitled, The Dietary Supplement Safety Act. The supposed purpose of the bill is to make dietary supplements “safer.” This is ironic because dietary supplements are already hundreds of times safer than either prescription or over-the-counter drugs.

The real purpose of this bill is to limit your access to dietary supplements. The government would tell you, the consumer, what dietary supplements you could and could not buy. There is little doubt that if this bill becomes law your choices will be drastically reduced, and many of the supplements you take today will become illegal. This misguided bill affects ALL dietary supplements, including vitamins, minerals, herbs, sports and diet products.

But, who is behind this bill? The answer is simple: big time sports leagues, especially Major League Baseball, which in recent years have been plagued by steroid scandals. Fearful that Congress will end their lucrative anti-trust exemption and require real drug testing, they have decided to make the supplement industry their scapegoat. When one of their players tests positive for steroids, they’d like people to think it must have been an adulterated dietary supplement.

Unless you want the government to tell you what supplements you can and cannot take, and unless you want to see your freedom of choice drastically reduced, you need to make your views known to your United States Senators. Tell them to oppose this terrible piece of legislation.

Clearly this bill will affect GNC’s bottom line. Unfortunately from an email such as this I cannot make a reasonable determination if this is truly for my benefit or theirs.

What if the supplements that are proposed to be banned really are bad for my health and I just don’t know it? Or, what if GNC is 100% correct?


NYT: Push Iranian Revolution via Software

February 19th, 2010

The New York Times has an interesting article on how to help Iran’s Green Movement and push the country toward Democracy. Don’t issue new sanctions, allow them free software! I think it’s particularly brilliant:

The sanctions will feel cathartic, satisfy the have-to-do-something itch in the Congress, and change nothing. I’m just about resigned to that. But there is a smarter approach to Iran: Instead of constraining trade, throw it open.

Verma wrote: “The Department of State is recommending that the Department of Treasury’s Office of Foreign Assets Control (O.F.A.C.) issue a general license that would authorize downloads of free mass-market software by companies such as Microsoft and Google to Iran necessary for the exchange of personal communications and/or sharing of information over the Internet such as instant messaging, chat and e-mail, and social networking.”

Now that’s smart! There’s a way to bolster the remarkable, still unbowed opposition movement in Iran as well as weaken the Revolutionary Guards’ stranglehold on society and the economy. And what has O.F.A.C. done about this request in the past two months?

Nothing.

No license has been issued. It’s still illegal for Microsoft to offer MSN Messenger in Iran. Instead, earlier this month, Treasury sanctioned four Guards companies — a meaningless gesture. Treasury has things upside down.

Now if they would only include encryption modules!


Kneber: InfoSec PR Wars

February 19th, 2010

Yesterday the Wall Street Journal broke the story of a major botnet that has infected over 2,500 companies. That day I also received an email from a major anti-virus vendor that claimed the trojan used to create the botnet is well known and easily detectable. They sent it to me in the hopes that I would write their counter argument on bloginfosec.com.

I couldn’t help but think that it was one company battling against another through PR. One seeks to publicize their name, the other seeks to claim it’s over-hyped (and hence get their name out there).

Here’s a sanitized version of the email:

There has been some recent high profile coverage of an online threat being referred to as “Kneber.” Some news coverage [company name removed] has observed has put forth that this is a new type of malware, which is simply not the case.

Kneber, in reality, is not a new threat at all, but is simply a pseudonym for the infamous and well-known Zeus Trojan. The name Kneber simply refers to a particular group, or herd, of zombie computers, a.k.a. bots, being controlled by one owner. The actual Trojan itself is the same Trojan.Zbot, which also goes by the name Zeus, which has been observed, analyzed and protected against for some time now.

Since Zeus/Zbot toolkits are widely available on the underground economy, it is not uncommon for attackers to create new strings, such as Kneber, of the overall Zeus botnet.

Though it is true that this Kneber string of the overall Zeus botnet is fairly large, it does not involve any new malicious threats. Thus, computer users with up-to-date security software should already be protected from this threat. (emphasis mine)


Crash: Toyota’s Closed Data System

February 17th, 2010

Did you know that your car has a black box similar to an airplane’s? Most car companies use an open platform that allows this black box data to be downloaded and analyzed to aid investigations. In the February 22nd, 2010 issue of Newsweek, Matthew Philips reported that Toyota uses a closed data system. Unfortunately this article is not online so I cannot link to it, but it is on page 12 of the current issue.

The article gives no indication whether or not the data is encrypted or encoded. My guess is that it is an unencrypted proprietary format. It seems unlikely to me that Toyota would go through such efforts to protect/encrypt data that they claim is not designed for accident reconstruction but is intended mainly to “aid research on safety systems such as airbags.”

Given the Toyota recall, we see the double-edged nature of closed systems: on one hand, the data is protected from eyes outside Toyota; on the other hand, the lack of transparency (and non-compliance with industry open standards) leaves Toyota vulnerable to attack by the larger justice system for being potentially negligent about the technical malfunctions that lead to a higher crash rate.
