The Washington Post reports that IE 7 will not have the long known flaw that allows a website to steal the data that may be hanging out in your clipboard.
For those who don’t know, the clipboard is where anything you cut and paste hangs out. The trick is, it stays there until you cut or copy something else. So, if the last thing you copied was your tax record from one document to another and then you visit a nosy website, they could have all that data.
If it seems as stupid to you as it does to me that IE allowed this in the first place, then you’ll understand why security people like me knock Microsoft all the time (this is hardly the first or last instance of this kind of thing).
For another example, see this article, under the heading of Macro Viruses.
The EFF (who is also the organization spearheading the lawsuits against AT&T) is now taking on the secret profiling program that has hit the news recently. From their e-newsletter:
The Automated Targeting System (ATS) creates and assigns “risk assessments” to tens of millions of citizens as they enter and leave the country. In November, DHS announced that the program would launch on December 4, but Homeland Security Secretary Michael Chertoff later admitted that the program had already been in operation for several years.
Under ATS, individuals have no way to access information about their “risk assessment” scores or to correct any false information about them. But while you cannot see your score, it will be made readily available to untold numbers of federal, state, local, and foreign agencies. The government will retain the data for 40 years.
In the CAGW newsletter, they report that
In a widely-heralded and very long-sought victory for CAGW and all taxpayers, the Treasury Department announced last May that it would stop collecting the excise tax on long distance telephone service. Known as the Spanish-American War Tax, this “temporary ? tax on phone service, considered a luxury at the time, has survived for 108 years, far surpassing its raison d’etre, which lasted just four months. You can apply for a refund of the payment of that tax from 2003-2006 when you file your 2006 tax return next year.
Be sure to ask your accountant about this credit.
In this article, they explain that the Government can use the laws the way they’re written now to read any e-mail that is hosted on someone else’s computer (like the servers at AOL, Google, Hotmail).
A man who was partially convicted based on his e-mails is suing saying that it’s unconstitutional for them to read his e-mails without a warrant. While the case is in appeals, the arguments are that e-mail should have the same privacy protections as snail mail while the government cites several reasons why they can and should be able to read them.
Schneier links to an article about RFID passports being cloned in under 5 minutes. The authorities have stopped denying it’s possible and have shifted to denying that it can be used for any nefarious purposes.
The UK Home Office however dismissed the ability to get hold of the information on the chip.
A spokesman said: “It is hard to see why anyone would want to access the information on the chip.
“Other than the photograph, which could be obtained easily by other means, they would gain no information that they did not already have – so the whole exercise would be pointless: the only information stored on the ePassport chip is the basic information you can see on the personal details page.”
Well, it sure is hard to see why anyone would want to see someone’s credir report, criminal history, medical information, social security card, birth certificate, etc etc. Are these people for real? And they’re the ones in charge of security?
At the end of the article, they say the same thing I have always said: This “security feature” is actually LOWERING the security of passports… And not by a small amount.
Bruce Schnier found an intereting article in the NY Times about a bored computer science student wrote a webpage that printed nearly identical boarding passes to those used by Northwest Airlines. Using the fake passes, people were successfully able to bypass airport security. The important part of this article, is the fact that the student did no hacking, no cracking, no breaking of any system. All he did was make passes that looked real.
No cryptographic recipe was cracked; no airline computer system was compromised. Without visiting an airport, Mr. Soghoian needed access to nothing other than a public Web site to embarrass those responsible for airport security.
As security professionals have been saying for years, these measures make life difficult for law-abiding citizens, but do nothing to stop the bad guys.
In an amusing example of the kind of thing I wrote about on the 14th, Sony created a fake website called “alliwantforchristmasisapsp” where two employees of their marketing firm pretended to be young, hip gamers who blogged about wanting a PSP.
According to the 1-up article on the debacle:
The tide began to turn against Sony’s initiative after popular webcomic Penny-Arcade publicly outed the chicanery in a deliberate move to force a little transparency up ins. The Internet was quick to kick the horrid thing to death after that point in a classic example of pile-on. For a brief moment, the blog existed in a state of apology with the following classic phrase resplendent:
Consumer Affairs writes:
A laptop containing the personal information of 328,000 current and former employees of Boeing was stolen in Chicago, according to the company.
The laptop theft was the third to befall Boeing in the past twelve months.
Boeing is contacting the affected employees by mail and has promised to set up free credit monitoring for them through the Experian credit bureau.
Doesn’t that make you feel warm and fuzzy? Boeing gets to look like they’re being responsible about the problem and the Credit company gets all kinds of money for a worthless service.
If they could freeze their credit accounts, it wouldn’t really matter how many laptops they let get stolen.
WASHINGTON–U.S. Department of Homeland Security Secretary Michael Chertoff on Thursday defended forthcoming national ID cards as vital for security and consistent with privacy rights.
From the article:
“Do you think your privacy is better protected if someone can walk around with phony docs with your name and your Social Security number, or is your privacy better protected if you have the confidence that the identification relied upon is in fact reliable and uniquely tied to a single individual?” Chertoff asked rhetorically.
Has anyone heard of “false dilema” before? This is where you are presented with two choices when there are actually many. One choice is always extremely horrible to make the other seem reasonable. An example could be, “Would you rather put RFID in your credit cards or have a horde of violent viking warriors destroy your home and burn your family?”
Use of “false dilema” is a sure sign of low intelligence or complete lack of respect for the audience.
There’s more good stuff in the article, but I’ll let you read it yourself. I want to end by saying this, we’re supposed to trust a national card ID system when the same organization that gave us RFID passports? I don’t think so.
Obligation Inc. is documenting the exploits of BusRadio, a company that is producing programming intended for play on school busses. From the Obligation.org page on the issue:
These men realize that once on a school bus, children are a captive audience. Any captive audience can be exploited by forcing them to hear advertising. So Steven Shulman and Michael Yanoff developed BusRadio and were greatly aided by the venture capital moneyman Robert Davoli of Sigma Partners. As far as I can tell, this is the first time Sigma has chosen to financially back a very controversial company.
The Washington Post reports that the FTC has begun to crack down on false word-of-mouth advertising. This is where a company pays people to tell friends about their products. From the article:
As the practice has taken hold over the past several years, however, some advocacy groups have questioned whether marketers are using such tactics to dupe consumers into believing they are getting unbiased information.
In Schneier’s blog today, he writes about a University of Washington study explaining how to track people using their Nike+iPod Sport Kit (which uses RFID).
This is a great demonstration for anyone who is skeptical that RFID chips can be used to track people. It’s a good example because the chips have no personal identifying information, yet can still be used to track people. As long as the chips have unique IDs, those IDs can be used for surveillance.
Scheier goes on to say:
To me, the real significance of this work is how easy it was. The people who designed the Nike/iPod system put zero thought into security and privacy issues. Unless we enact some sort of broad law requiring companies to add security into these sorts of systems, companies will continue to produce devices that erode our privacy through new technologies. Not on purpose, not because they’re evil — just because it’s easier to ignore the externality than to worry about it.
Couldn’t have said it better myself.
Consumer Affairs reports:
Hackers have gained access to databases at the University of California-Los Angeles (UCLA), making off with the personal information of 800,000 current and former students, employees, and faculty.
The data breach is thought to be the largest of its kind at an American college or university.
I’ve always said it’s less about the security of the system than it is the value of the data stolen. If it weren’t so easy to use and abuse people’s personal data, then ID Theft wouldn’t be such a problem.
With Credit Seucrity Freezes, a crook could have all your data and still do nothing with it.