Inflight Wifi Provider Goes Above and Beyond to Compromise Passenger Info Security

From Wired:
Gogo, the inflight Wi-Fi provider, is used by millions of airline passengers each year to stay connected while flying the friendly skies. But if you think the long arm of government surveillance doesn’t have a vertical reach, think again.
Gogo and others that provide Wi-Fi aboard aircraft must follow the same wiretap provisions that require telecoms and terrestrial ISPs to assist U.S. law enforcement and the NSA in tracking users when so ordered. But they may be doing more than the law requires.
According to a letter Gogo submitted to the Federal Communications Commission, the company voluntarily exceeded the requirements of the Communications Assistance for Law Enforcement Act, or CALEA, by adding capabilities to its service at the request of law enforcement. The revelation alarms civil liberties groups, which say companies should not be cutting deals with the government that may enhance the ability to monitor or track users.
“CALEA itself is a massive infringement on users’ rights,” says Peter Eckersley of the Electronic Frontier Foundation. “Having ISPs [now] that say that CALEA isn’t enough, we’re going to be even more intrusive in what we collect on people is, honestly, scandalous.”

Heartbleed: Critical OpenSSL Bug Exposes Secure Traffic

From Ars Technica:
Lest readers think "catastrophic" is too exaggerated a description for the critical defect affecting an estimated two-thirds of the Internet's Web servers, consider this: at the moment this article was being prepared, the so-called Heartbleed bug was exposing end-user passwords, the contents of confidential e-mails, and other sensitive data belonging to Yahoo Mail and almost certainly countless other services.
The two-year-old bug is the result of a mundane coding error in OpenSSL, the world's most popular code library for implementing HTTPS encryption in websites, e-mail servers, and applications. The result of a missing bounds check in the source code, Heartbleed allows attackers to recover large chunks of private computer memory that handle OpenSSL processes. The leak is the digital equivalent of a grab bag that hackers can blindly reach into over and over simply by sending a series of commands to vulnerable servers. The returned contents could include something as banal as a time stamp, or it could return far more valuable assets such as authentication credentials or even the private key at the heart of a website's entire cryptographic certificate.
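To make the "missing bounds check" concrete, here is an added example (not OpenSSL's code and not part of the Ars Technica piece) that models a heartbeat-style handler in C. It follows the record layout TLS heartbeat messages use (a type byte, a two-byte payload length, the payload, and 16 bytes of padding) but everything else is constructed: a static array stands in for process memory, a made-up secret is placed a few dozen bytes past the received record, and the "vulnerable" handler trusts the peer-supplied length field while the hardened one applies the same arithmetic the OpenSSL fix added. Keeping the simulated memory inside one array is what makes the over-read well-defined here; in a real process it reads whatever happens to be adjacent.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a simplified model of the heartbeat-handler defect behind
 * Heartbleed. Not OpenSSL's code. Record layout (type, 2-byte length,
 * payload, 16 bytes padding) follows the TLS heartbeat extension (RFC 6520);
 * the arena, offsets and secret below are constructed for the demonstration. */

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define HB_HDR       3            /* type byte + 2-byte payload length */
#define ARENA_SIZE   256
#define SECRET_OFFSET 48          /* constructed: where the "secret" lives */

/* Stand-in for process memory: received record at offset 0, unrelated
 * secret data a little further on. */
static unsigned char arena[ARENA_SIZE];
static const char secret[] = "SESSION-COOKIE=constructed-secret-value";

/* Lay out the arena and return the number of bytes actually received. */
static size_t stage_request(uint16_t claimed_len, const char *payload)
{
    size_t n = strlen(payload);
    memset(arena, 0, sizeof arena);             /* padding bytes stay zero */
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HDR, payload, n);
    memcpy(arena + SECRET_OFFSET, secret, sizeof secret);
    return HB_HDR + n + HB_PADDING;
}

/* Vulnerable pattern: the peer-supplied length is trusted, so the response
 * echoes `claimed` bytes from the payload even if the record carried fewer.
 * record_len is never consulted; that omission is the bug. */
size_t heartbeat_unchecked(const unsigned char *rec, size_t record_len,
                           unsigned char *out)
{
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)record_len;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);  /* reads past the record */
    memset(out + HB_HDR + claimed, 0, HB_PADDING);
    return HB_HDR + claimed + HB_PADDING;
}

/* Hardened form, mirroring the check the OpenSSL fix added: header plus
 * claimed payload plus padding must fit in the bytes actually received,
 * otherwise the record is silently discarded. Returns length or -1. */
long heartbeat_checked(const unsigned char *rec, size_t record_len,
                       unsigned char *out)
{
    if (record_len < HB_HDR)
        return -1;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)HB_HDR + claimed + HB_PADDING > record_len)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, claimed);
    memset(out + HB_HDR + claimed, 0, HB_PADDING);
    return (long)(HB_HDR + claimed + HB_PADDING);
}

/* Does `needle` appear anywhere in the first n bytes of buf? */
static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0)
            return 1;
    return 0;
}

/* Malformed record: 2-byte payload, length field claims 128. The unchecked
 * handler copies 128 bytes and the constructed secret comes along. */
int unchecked_leaks_secret(void)
{
    unsigned char out[ARENA_SIZE + HB_HDR + HB_PADDING];
    size_t got = stage_request(128, "hi");
    size_t n = heartbeat_unchecked(arena, got, out);
    return contains(out, n, "constructed-secret");
}

/* Same malformed record against the hardened handler: discarded (-1). */
long checked_rejects_malformed(void)
{
    unsigned char out[ARENA_SIZE + HB_HDR + HB_PADDING];
    size_t got = stage_request(128, "hi");
    return heartbeat_checked(arena, got, out);
}

/* Honest record (length field matches payload): answered normally, 21 bytes. */
long checked_answers_honest(void)
{
    unsigned char out[ARENA_SIZE + HB_HDR + HB_PADDING];
    size_t got = stage_request(2, "hi");
    long n = heartbeat_checked(arena, got, out);
    if (n != 21 || out[0] != HB_RESPONSE || memcmp(out + HB_HDR, "hi", 2) != 0)
        return -2;
    return n;
}

int main(void)
{
    printf("unchecked handler leaks secret: %d\n", unchecked_leaks_secret());
    printf("checked handler, malformed record: %ld\n", checked_rejects_malformed());
    printf("checked handler, honest record: %ld\n", checked_answers_honest());
    return 0;
}
```

The defensive point is in `heartbeat_checked`: the length a peer writes into a message is data, not a fact about the message, and it has to be compared against what was actually received before it drives a copy. The unchecked handler is the shape to look for in code review wherever a length field travels inside the bytes it describes.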

Government and Media Incompetence Puts Americans' Data at Risk

In a chilling, but not especially surprising, report at ZDNet, David Gewirtz reveals that incompetence in government has led to a doubling of the number of information security breaches over the last five years, and that incompetence in the media has led to reporting that understates the extent of these breaches by an order of magnitude. Excerpt:
According to testimony given by Gregory C. Wilshusen, Director of Information Security Issues for the Government Accountability Office, to the United States Senate Committee on Homeland Security and Governmental Affairs, and I quote, "most major federal agencies had weaknesses in major categories of information security controls." In other words, some government agency data security functions more like a sieve than a lockbox. . . .

Some of the data the GAO presented was deeply disturbing. For example, the number of successful breaches doubled since 2009. Doubled. There's also a story inside this story, which I'll discuss later in the article. Almost all of the press reporting on this testimony got the magnitude of the breach wrong. Most reported that government security incidents numbered in the thousands, when, in fact, they numbered in the millions.

USAID Cuban Social Media Front Outed by AP

From The Associated Press:
The U.S. government masterminded the creation of a "Cuban Twitter" — a communications network designed to undermine the communist government in Cuba, built with secret shell companies and financed through foreign banks . . .

USAID and its contractors went to extensive lengths to conceal Washington's ties to the project, according to interviews and documents obtained by the AP. They set up front companies in Spain and the Cayman Islands to hide the money trail, and recruited CEOs without telling them they would be working on a U.S. taxpayer-funded project.
"There will be absolutely no mention of United States government involvement," according to a 2010 memo from Mobile Accord Inc., one of the project's creators. "This is absolutely crucial for the long-term success of the service and to ensure the success of the Mission." . . . 

USAID said in a statement that it is "proud of its work in Cuba to provide basic humanitarian assistance, promote human rights and fundamental freedoms, and to help information flow more freely to the Cuban people," whom it said "have lived under an authoritarian regime" for 50 years. The agency said its work was found to be "consistent with U.S. law."

Interestingly, the initial subscriber base appears to have been put together after the shell corporations illicitly obtained the contact information of thousands of Cubans targeted by the government.
The social media project began development in 2009 after Washington-based Creative Associates International obtained a half-million Cuban cellphone numbers. It was unclear to the AP how the numbers were obtained, although documents indicate they were done so illicitly from a key source inside the country's state-run provider. Project organizers used those numbers to start a subscriber base.

Google to Launch Wireless Companion to Fiber Networks

From The Verge:
Google is reportedly considering running its own wireless network. Sources tell The Information that company executives have been discussing a plan to offer wireless service in areas where it's already installed Google Fiber high-speed internet. Details are vague, but there are hints that it's interested in becoming a mobile virtual network operator or MVNO, buying access to a larger network at wholesale rates and reselling it to customers.
Here in NYC, Google began sponsoring wireless hotspots in various neighborhoods and subway stations two years ago. From 2012:
Beginning Monday, free Wi-Fi will be available at a number of stations courtesy of Google. Boingo Wireless, the Wi-Fi provider well known for its wireless service for airports, has teamed up with Google Offers, the search company’s service for getting deals, to offer the free Internet. Google is paying for the service from now until Sept. 7.
Last year, Google began offering free Wi-Fi in Chelsea in Manhattan. From CNN:
Google's ambitions to wire the world are expanding. The company announced on Tuesday that it will provide free Wi-Fi service to Chelsea, a New York City neighborhood where Google has its local headquarters.

In a joint press conference with New York Mayor Michael Bloomberg and New York Senator Charles Schumer, Google said it hoped to keep the tens of thousands of residents, and millions of tourists, in the area connected at all times when they're outdoors. Google also will be providing indoor coverage for public housing units in the area.

Apple Issues Safari Security Update

Make sure you're up to date. From ZDNet:
Apple has issued security updates for the Safari browser on Mac OS. All of the vulnerabilities are in the WebKit browser engine in Safari and many other programs.
The update fixes 27 vulnerabilities, 26 of which could lead to remote code execution. The 27th could allow a program running arbitrary code (such as one which exploited one of the first 26 vulnerabilities) to read arbitrary files despite sandbox restrictions.

Illegal Government Search and Surveillance Costs States Millions

From Al Jazeera America:
The DeVarys were unwitting victims of one of the most widespread cases of data abuse in Minnesota’s history. A state audit found that fully half of the state’s law enforcement employees were likely accessing state databases for questionable reasons. And Hilary DeVary is the 10th person to file a federal suit over misuse of driver’s license data in just over a year.

“We have paid out tens of millions in the last five years because representatives of government that have illegally searched data,” said John Lesch, a state representative from the Minnesota Democratic-Farmer-Labor Party.

But Lesch’s greatest concern is a different form of data that law enforcement has begun collecting across the country that has far more potential for abuse. It’s gathered by license plate readers, or ALPRs.
“This technology allowed law enforcement to do something completely different,” Lesch explained, “which is essentially dragnet the entire population.”