Rogue Nodes Turn Tor Anonymizer Into Eavesdropper's Paradise

A security researcher intercepted thousands of private e-mail messages sent by foreign embassies and human rights groups around the world by turning portions of the Tor internet anonymity service into his own private listening post.

A little over a week ago, Swedish computer security consultant Dan Egerstad posted the user names and passwords for 100 e-mail accounts used by the victims, but didn’t say how he obtained them. He revealed Friday that he intercepted the information by hosting five Tor exit nodes placed in different locations on the internet as a research project.

Tor is a sophisticated privacy tool designed to prevent tracking of where a web user surfs on the internet and with whom a user communicates. It’s endorsed by the Electronic Frontier Foundation and other civil liberties groups as a method for whistleblowers and human-rights workers to communicate with journalists, among other uses.

It’s also used by law enforcement and other government agencies to visit websites anonymously to read content and gather intelligence without exposing their identity to a website owner.

But Egerstad says that many who use Tor mistakenly believe it is an end-to-end encryption tool. As a result, they aren’t taking the precautions they need to take to protect their web activity.

He believes others are likely exploiting this oversight as well.

“I am absolutely positive that I am not the only one to figure this out,” Egerstad says. “I’m pretty sure there are governments doing the exact same thing. There’s probably a reason why people are volunteering to set up a node.”

Rogue Nodes Turn Tor Anonymizer Into Eavesdropper’s Paradise.
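As an added illustration of the point Egerstad makes (example code written for this page, not anything from Egerstad, the Tor Project or Wired), the Python below models a three-hop circuit and shows where the application bytes become readable. A toy SHA-256 XOR keystream stands in for Tor's real per-hop ciphers so the script runs offline; the hop names, keys and the sample IMAP login line are constructed. The exit relay, and only the exit relay, ends up holding exactly the bytes the client addressed to the mail server: a plaintext login is readable there, while the same login carried inside a session encrypted end-to-end between client and server (a stand-in for IMAPS or STARTTLS) is not.

```python
import hashlib
import os

HOPS = ("guard", "middle", "exit")  # the three relay roles in a Tor circuit


def keystream(key: bytes, label: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256.

    This replaces the real per-hop ciphers purely so the example runs with
    the standard library; it is NOT a secure construction.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_layer(key: bytes, label: bytes, data: bytes) -> bytes:
    """Apply one encryption layer, or strip it (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, label, len(data))))


def wrap_onion(app_payload: bytes, hop_keys: dict) -> bytes:
    """Client side: wrap the application bytes in one layer per hop.

    The exit's layer goes on first (innermost), the guard's last (outermost).
    """
    cell = app_payload
    for hop in reversed(HOPS):
        cell = xor_layer(hop_keys[hop], hop.encode(), cell)
    return cell


def relay_views(cell: bytes, hop_keys: dict) -> dict:
    """Pass the cell along the circuit and record what each relay holds after
    stripping the single layer it has a key for. The exit's view is forwarded
    to the destination server unchanged."""
    views = {}
    for hop in HOPS:
        cell = xor_layer(hop_keys[hop], hop.encode(), cell)
        views[hop] = cell
    return views


def who_can_read(app_payload: bytes, hop_keys: dict, secret: bytes) -> dict:
    """Which relays could recover `secret` from the bytes passing through them."""
    views = relay_views(wrap_onion(app_payload, hop_keys), hop_keys)
    return {hop: secret in view for hop, view in views.items()}


def demo() -> dict:
    # Constructed sample: one key per hop, as negotiated when the circuit is built.
    hop_keys = {hop: os.urandom(32) for hop in HOPS}
    login = b"a1 LOGIN alice hunter2"  # constructed IMAP login line
    plain_imap = login + b"\r\n"

    # Same login inside a session encrypted end-to-end between the mail client
    # and the mail server (stand-in for IMAPS / STARTTLS). No relay holds
    # `session_key`, so stripping its onion layer is not enough to read it.
    session_key = os.urandom(32)
    protected_imap = xor_layer(session_key, b"session", plain_imap)

    return {
        "plaintext_imap_over_tor": who_can_read(plain_imap, hop_keys, login),
        "tls_imap_over_tor": who_can_read(protected_imap, hop_keys, login),
    }


if __name__ == "__main__":
    for scenario, result in demo().items():
        print(scenario, result)
```

The practical check this models is the one the article implies: Tor's onion layers end at the exit by design, so whatever protocol the client speaks to the destination (IMAP, POP, HTTP) must carry its own encryption (IMAPS, POP3S, HTTPS) if credentials and message bodies are to stay private from whoever runs that exit.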


Anonymous Internet Access – Is it Possible?

Anonymous Internet access hardly exists anymore. Google tracks your searching habits, ISPs record your IP address, BT/Phorm tracks and monitors your Internet browsing, the police can intercept your email, and the government can access all of it, legally or illegally, with the likes of Echelon.

With that in mind is it possible to have anonymous access to the Internet anymore and should anybody want it?

When the USA PATRIOT Act came into power there was uproar about libraries handing over information about who reads what. But this information pales into insignificance beside the amount of information available from Internet logs. Anyone who buys from Amazon will know that you get “suggested reading lists” automatically sent to you. That means that Amazon not only tracks what you’re reading, but also “understands” it and targets you accordingly (it is, in general, fairly accurate). Amazon has the ability to store all the searches you have made, and the books you have looked at, not just bought – surely this is more concerning than the records of taking out a few books from the local library?

Access to Internet records means more than just working out which websites you have visited; it can show who you talk to, who your friends talk to, how you are linked across the world, what you buy, what you like to eat, what your political interests are, what debates and discussions you have, what your sexual interests are, or are not, your bank details, your personal emails, your work emails.

In fact your entire personal and private life is available from a detailed analysis of your Internet habits. Companies make a living from trading in personal data; from Nectar cards to DoubleClick and other targeted ads, they all want to know more about you. Even this site (depending on where you are reading it) has Google Ads, which are automatically targeted at the audience; in fact the adverts will differ depending on what you are reading, when you are reading it, and where you are reading it.

YouTube, also owned by Google, will give individuals information about who views their “Channel”, including age and sex.

Over the next few weeks this site will be looking at some of the technology that is supposed to be able to help provide the user with anonymous Internet activity.


Hackers infiltrate Palin's e-mail

Hackers have broken into the e-mail of the US Republican vice-presidential candidate, Alaska Governor Sarah Palin.

The hackers, who targeted a personal Yahoo account, posted several messages and family photos from her inbox.

The campaign of running mate John McCain condemned their action as “a shocking invasion of the governor’s privacy and a violation of the law”.

The hacking comes amid questions about whether Mrs Palin used personal e-mail to conduct state business.

According to law, all e-mails relating to the official business of government must be archived and not destroyed. However, personal e-mails can be deleted.

Mrs Palin is currently under investigation in Alaska for alleged abuse of power while governor.

BBC NEWS | World | Americas | Hackers infiltrate Palin’s e-mail.


It’s all there to protect us…honest

The surveillance industry, the CCTV, the UAVs, the ANPR network, the DNA databases, et al, is, apparently, all here for our benefit, to protect us from the menace of terrorism.

If we follow this line of argument we must believe that the threat to the country from terrorism is both massive and likely; there could be no other justification.

Why else would the UK government spend so much on the security services and invading other countries? It is all about defending and protecting us in the long term. Isn’t it?

But, what if there was another completely different risk far more deadly than terrorism, and equally likely, surely the government would target that with equal determination?

According to the Cabinet Office’s own National Risk Register (page 5) the greatest threat to the UK is the flu, or to be more precise, an influenza pandemic.

This is a fair assessment, as the 1918 pandemic killed over 50 million people – or to give it a sense of scale, about 25,000 times more than in the 9/11 attacks.

If the solution to the threat from the crazy (if not slightly inept) terrorist is: CCTV, ANPR (clever CCTV), Facial recognition (really clever CCTV), behavior pattern matching CCTV (amazingly clever CCTV), and lots of databases, then what would be the best prevention against pandemic?

Perhaps building hospitals, lots of doctor training, building more hospitals, having lots of ambulances, and a high level of clinical research. The plus side of all this medical infrastructure is that it benefits the country as a whole, even if the pandemic never comes.

Clearly the government does none of this. How many people are even aware of the 1918 Spanish Flu? Compare that number with how many know about 9/11, Osama Bin Laden, or the chemical weapons of Saddam Hussein.

Strange how the government’s mass information and education system is so effective and so selective at the same time.

So if the government is not combating the threat of the flu with a “War on Colds”, why all the surveillance?


Fingerprinting Kids in School

Below are articles on the issue of fingerprinting children in school.

Data Theft Statistics

  • 91.1% of IT security professionals stated that they perceived cyber crime as a major business risk
  • 95% of IT security professionals in the financial sector perceived cyber crime as a major business risk
  • 73% of CIO/CSOs stated that they were more concerned about data theft than hacking
  • 68% of CIO/CSOs stated that critical data was at risk
  • 25% of CIO/CSOs stated that there had been a breach of their data
  • 42% did not know if there had been a breach
  • Source

Those who have had their data stolen deliberately (e.g. by theft from an employee with access to the data) are 12 times more likely to be victims of fraud than those who have their data lost by accident (e.g. a missing laptop). Source

More than 244 million pieces of data have been lost or stolen (at the time of writing) according to Privacy Rights Clearinghouse.

According to the Identity Theft Centre there have been 449 incidents of data breaches so far this year (in the US). This is more than in the whole of last year.

In over 40% of the incidents of data breaches/data theft the number of records lost/exposed is not reported or fully disclosed, i.e. all the figures are a lot higher. Source (ITC) ITC 2008 Report

The categorisation of breaches by industry vertical was:

  • 37% for Business
  • 20.3% for Educational
  • 15.6% for Medical/Healthcare
  • 15.4% for Government/Military
  • 11.6% for Banking/Finance

Causes of data theft/loss were categorised as follows:

  • 12.9% hacking
  • 15.6% theft by company employees
  • 21% lost laptops and other digital media
  • 14% accidental publishing
  • 11% due to subcontractors

Source


Councils, Spying, and more of the same

Several months ago this site reported on the spate of incidents in the UK where surveillance laws were used against the public for the most petty of matters, from dog fouling to school selection to children shellfishing.

There was a host of complaints about these issues, with Local Government Association chairman Sir Simon Milton writing to all of the councils to warn them that they were misusing their powers, and several MPs stood up and commented on the issue, including Brian Binley.

Numerous other influential people commented on the issue including:

Quincy Whitaker, a human rights barrister, who said that “[the] majority of these applications are potentially illegal…Most[ Uses of RIPA] don’t seem proportionate — there are probably less intrusive ways of investigating dog fouling, for instance.”

Keith Vaz, chairman of the Commons Home Affairs select committee stated “I am personally shocked by the numbers involved in surveillance by the local authorities. It is important we make sure there is proper accountability and transparency in the way this operates”.

In July 2008 the European Court of Human Rights found that the UK’s surveillance laws lack clarity and accountability to prevent abuses of power.

If this was not enough, Privacy International now places the UK in the top rank of monitored countries, in the same grouping as China and Russia, demonstrating that the time of “Big Brother” is truly here.

Despite all of this, the incidents continue to happen.

Recently the Sunday Telegraph produced a report showing that around 75% of councils use surveillance against their own electorate. This site also conducted a freedom of information request on its local council and found they did not use RIPA. There is not an unusually high crime rate in the area, nor is there a large amount of dog mess, piles of rubbish, or hordes of children attending the wrong school – in fact it all seems to work just fine here.

More recently, and perhaps more worryingly, councils are now starting to employ people, and children, to do the spying for them.

This means that, due to the way the laws work, councils would not need to use RIPA, so if those powers are ever taken away from them, they already have other methods available to use against their population.

Once Bitten Twice Shy?

Data theft occurs all over the world; it is unfortunately a fact of life.

However, we should distinguish between “data loss”, when somebody loses, misplaces or gives away the data, and “data theft”, when somebody deliberately defeats systems and takes it. It’s the difference between throwing your money out of your window and being burgled.

We should never do the former and try to prevent the latter.

In the UK the government seems to have a very different approach. Don’t do anything about the former and ignore the latter.

In the rest of the world it’s a very different issue:

In Finland the government did not provide enough protection of data and as a result worked to make changes, but despite this was still found guilty in the ECHR, and so even more changes are afoot.

The UK appears to be losing data more often than any other government in the world at the moment.

In Korea when data was stolen the police were immediately called and appeared to take action. In the US data theft cases have high-profile results and fines handed down, which must have a deterrent effect. In Germany the government conducts investigations to try and find out how much personal data is out there, and then tries to clamp down on the issues.

In the UK data is lost all the time, from the Home Office, the Ministry of Justice, the Ministry of Defence, the NHS, and most famously HMRC.

Yet, despite all of this, no effective measures have been put in place to deal with this.

The ICO has been pushing for tougher sentences for people dealing in data illegally, and Section 55 of the DPA creates a criminal offence of stealing data or being reckless in its loss.

Despite this the government is still losing data all the time, there is a trade in personal data, and nobody is getting prosecuted, with the exception of a couple of low-level accountants.

How many times does the UK Government need to lose data, fail to protect it, or allow the trade to go unpunished before action is taken?

Certainly more than twice!


Germany to tighten laws after data theft scandal

BERLIN — Germany is to tighten data protection laws, Interior Minister Wolfgang Schaeuble said on Thursday, responding to revelations that Germans’ personal data can be bought easily on the Internet.

Mr. Schaeuble said a working group would draw up proposals on higher fines for data protection violations and tighter rules on the trade with personal and financial information.

“There will be no quick shots but speedy consultations to get the law proposal ready before the end of the year,” Mr. Schaeuble told a news conference after meeting Germany’s justice, economy and consumer protection ministers on the issue.

Germany’s latest privacy scandal was triggered by reports that a call centre employee alerted authorities to a problem with his company’s data collection practices by handing over data on some 17,000 addresses and bank account details to a privacy protection office.

Privacy officials have also said they had been able to buy millions of items of personal data, including bank and phone data, undercover on the Internet.

globeandmail.com: Germany to tighten laws after data theft scandal.

Privacy Ranking

Privacy International has an excellent resource mapping the privacy issues around the world.

The UK, once again, is near the top of the leader board of the most intrusive countries in the world.

This map by Privacy International (available here in PDF format) shows that the UK is on a par with the US and Russia in relation to its infringement of privacy. PI describes the UK as an “endemic surveillance society”.
