The Electronic Frontier Foundation (EFF) has a new tool called Panopticlick that examines your browser configuration (or at least what it announces about itself) and compares it against its database to determine how unique your presence is. It turns out that significant identifying information is available even with IP obfuscation and cookies disabled; private browsing doesn't quite cut it ...
Is your browser configuration rare or unique? If so, web sites may be able to track you, even if you limit or disable cookies.
Panopticlick tests your browser to see how unique it is based on the information it will share with sites it visits. Click below and you will be given a uniqueness score, letting you see how easily identifiable you might be as you surf the web.[from panopticlick.eff.org]
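As an added illustration of the uniqueness score the EFF tool reports (example code written for this post, not Panopticlick's own, scored against a small browser database constructed here rather than real data), the following Python computes how many bits of identifying information each attribute a browser announces contributes, and how many browsers in the population share the exact combination:

```python
import math
from typing import Dict, List, Tuple

# Constructed sample "database" of browsers previously seen by a hypothetical
# Panopticlick-style service (not EFF data): the attributes a browser volunteers
# to every site it visits, with or without cookies, in private mode or not.
ATTRS = ("user_agent", "screen", "timezone", "plugins")
Fingerprint = Tuple[str, str, str, str]
DATABASE: List[Fingerprint] = [
    ("Firefox/3.6 Windows", "1280x800",  "-5", "Flash,Java"),
    ("Firefox/3.6 Windows", "1280x800",  "-5", "Flash,Java"),
    ("Firefox/3.6 Windows", "1024x768",  "-5", "Flash"),
    ("IE/8 Windows",        "1024x768",  "-5", "Flash,Java,Silverlight"),
    ("IE/8 Windows",        "1024x768",  "-8", "Flash,Java,Silverlight"),
    ("Safari/4 Mac",        "1440x900",  "-8", "Flash,QuickTime"),
    ("Safari/4 Mac",        "1440x900",  "-5", "Flash,QuickTime"),
    ("Chrome/4 Linux",      "1920x1080", "+1", ""),
]

def surprisal_bits(count: int, total: int) -> float:
    """Identifying information in a value shared by `count` of `total`
    browsers: -log2(P). A value every browser shares carries 0 bits."""
    return -math.log2(count / total)

def fingerprint_report(visitor: Fingerprint, db: List[Fingerprint]) -> Dict:
    """Score one visitor against the database. The visitor is counted in the
    population, so a never-seen value is 1 of N+1 rather than 0 of N."""
    total = len(db) + 1
    per_attr = {}
    for i, name in enumerate(ATTRS):
        matches = 1 + sum(1 for row in db if row[i] == visitor[i])
        per_attr[name] = surprisal_bits(matches, total)
    same = 1 + sum(1 for row in db if row == visitor)
    return {
        "attributes": per_attr,             # bits contributed by each attribute
        "matching_browsers": same,          # population members that look identical
        "fingerprint_bits": surprisal_bits(same, total),
        "unique": same == 1,                # nobody else has this exact combination
    }

# Constructed visitors: a common configuration, and one whose only unusual
# attribute is its timezone. Attributes are correlated, so per-attribute bits
# do not simply add up to the fingerprint bits; the exact-match count is what counts.
VISITOR_COMMON: Fingerprint = ("Firefox/3.6 Windows", "1280x800", "-5", "Flash,Java")
VISITOR_RARE: Fingerprint = ("Safari/4 Mac", "1440x900", "+1", "Flash,QuickTime")

if __name__ == "__main__":
    for v in (VISITOR_COMMON, VISITOR_RARE):
        r = fingerprint_report(v, DATABASE)
        print(f"{v[0]:<20} 1 in {r['matching_browsers']}, {r['fingerprint_bits']:.2f} bits, unique={r['unique']}")
```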
In case you didn't catch Clinton's address on cybersecurity last night, I'm embedding it here:
Generally, she's saying the right things -- an open and uncensored Internet is a tremendous force for good in the world. She should also be addressing net neutrality in this context, but I can understand that she didn't want to broaden her scope too much.
Then, a couple of minutes in, she says this:
Now, all societies recognize that free expression has its limits. We do not tolerate those who incite others to violence, such as the agents of al-Qaida who are, at this moment, using the internet to promote the mass murder of innocent people across the world. And hate speech that targets individuals on the basis of their race, religion, ethnicity, gender, or sexual orientation is reprehensible. It is an unfortunate fact that these issues are both growing challenges that the international community must confront together. And we must also grapple with the issue of anonymous speech. Those who use the internet to recruit terrorists or distribute stolen intellectual property cannot divorce their online actions from their real world identities. But these challenges must not become an excuse for governments to systematically violate the rights and privacy of those who use the internet for peaceful political purposes.[Full text of the speech here]
So, privacy, anonymity, and an open economy of ideas are good except when our enemies have them? Despite all of the rhetoric to the contrary, I don't think she really wants a free Internet. She just wants an Internet that promotes US best interests.
Considering some of the electronic surveillance actions our government took after 9/11, admonishing China is a little bit of the pot calling the kettle black. I was hoping that we'd also take this opportunity to embrace these ideas domestically as well as promoting them overseas.
Embracing a free exchange of information means embracing the exchange of dangerous and radical ideas along with the popular and prosperous ones. You cannot selectively grant privacy and anonymity -- either you support it or you don't.
This has been up for a couple of weeks (it's taken me that long to find an hour to watch), but it's definitely worth passing along. It's a talk given at Google by Harvard Professor Dr. Christopher Thorpe on cryptography titled "Efficient, Secrecy-Preserving, Provably Correct Computation (and Some Cool Applications)". It goes beyond some of the very basic crypto that most of us understand into interesting and much more recent ideas.
What makes this video remarkable isn't the crypto he's discussing, it's that he makes it accessible to someone who has forgotten most of their math (such as me). In fact, an attentive viewer with little more than a high-school algebra education can follow most of it.
This certainly has potential to be huge, but it's still too early to tell. If the technique can be directly applied against the common ciphers listed below, then it could render these ciphers completely impotent against a dedicated attacker.
Adi Shamir, who is the S in RSA, has presented material at the Crypto 2008 conference that has promised a new form of mathematical attack against a broad range of cryptographic ciphers, including hash functions (such as MD5, SHA-256), stream ciphers (such as RC4), and block ciphers (such as DES, Triple-DES, AES). The new method of cryptanalysis has been called a "cube attack" and formed part of Shamir's invited presentation at Crypto 2008 - "How to solve it: New Techniques in Algebraic Cryptanalysis".
* * *
Without access to the paper (expected to be published later this year), the full scope of the discovery can't be easily determined. It may be that it delivers an order of magnitude improvement over existing methods, but implementation will still take such a long period of time that it is effectively impractical for attack against time sensitive content. Then again, it may be that it has brought it into a viable timeframe, something that can be achieved with a handful of modern machines - nothing that is too far out of reach of the motivated and resourced attacker. [From Computerworld - New attack against multiple encryption functions]
Clearly, the mortgage industry had its hands full before Friday's arrest of a Countrywide Financial Corp. employee for allegedly stealing sensitive personal information for up to two million mortgage applicants.
The FBI on Friday arrested a former Countrywide Financial Corp. employee and another man in an alleged scheme to steal and sell sensitive personal information, including Social Security numbers, of as many as 2 million mortgage applicants. The breach in security, which occurred over a two-year period through July. Countrywide detected the breach and alerted federal authorities, according to Suzy Martin, a spokeswoman for the company. [From Countrywide Financial Insider Steals And Sells Thousands Of Private Customer Records | CyberInsecure.com]
Congress has decided to look into behavioral advertising. It will be interesting to see how the committee proceeds -- Congress doesn't have a sterling record in dealing with complex issues. On one hand, I hope they decide to forbid ISPs from the practice as the neutral carriers of traffic that they should be, but I'm not sure that intrusion would be warranted if the behavior tracking is internal to a site's operation (such as Amazon, Google, or Microsoft).
"Committee on Energy and Commerce" and "rampage" don't often appear in the same sentence, but the House committee is certainly on a tear when it comes to behavioral advertising. Not content with firing off a bipartisan list of sharp questions to ISPs who installed NebuAd traffic analysis hardware, the Committee on Friday expanded its nastygram list to include "33 leading Internet and broadband companies" including Google, Microsoft, Time Warner, AT&T, Verizon, and Comcast. Legislation on the issue could be coming. [From Congress wants privacy answers from Google, MS, AOL]
"The sad truth is that the FCC is ill-equipped to detect ISPs interfering with your Internet connection," said Fred von Lohmann, EFF Senior Intellectual Property Attorney. "It's up to concerned Internet users to investigate possible network neutrality violations, and EFF's Switzerland software is designed to help with that effort. Comcast isn't the first, and certainly won't be the last, ISP to meddle surreptitiously with its subscribers' Internet communications for its own benefit."

"Until now, there hasn't been a reliable way to tell if somebody -- a hacker, an ISP, corporate firewall, or the Great Firewall of China -- is modifying your Internet traffic en route," said Peter Eckersley, EFF Staff Technologist and designer of Switzerland. "The few tests available have been for narrow and specific kinds of interference, or have required tremendous amounts of advanced forensic labor. Switzerland is designed to make general-purpose ISP testing faster and easier." [From EFF Releases "Switzerland" ISP Testing Tool - eff.org]
It looks like deniability may become a thing of the past, in which case the FCC might have its hands full in the foreseeable future. Perhaps some stiff fines would serve as a better deterrent than a slap on the wrist ...
The Federal Communications Commission on Friday ruled 3-2 that Comcast overstepped its network management authority by blocking BitTorrent peer to peer traffic, but stopped short of fining the cable company. The move clarifies the boundaries a bit for other carriers and sends the message that the FCC enforces network neutrality principles. [From FCC slaps Comcast's wrist over network neutrality; sets precedence -- zdnet.com]
A demonstration of teeth behind the net neutrality principles would have sent a clearer message to ISPs, though. Hopefully, the FCC will also start looking at mobile providers as well as home ISPs.
Just what the world needs, another Storm campaign. This is an example of the mixed threat that modern worms such as Storm and Kraken pose. It uses social engineering -- in this case threatening Facebook users' privacy -- to bring victims to a page that launches both browser-based threats (an iFrame attack) and a trojan horse download.
It's another new Storm campaign on the loose, with a minor change in the social-engineering trick. Mail with subjects like "FBI wants instant access to Facebook" is hitting users' inboxes at the moment. If a user follows the trick, he will be presented with the following web site:
As usual the fake web site is hosted on an infected Storm web proxy. The text states that "Your download will start shortly. If you are unable to read the article, save it in and run on your computer". If you follow the lure and click the link you'll end up with an executable named "fbi_facebook.exe". This is the malware - don't run it. Again the malware authors don't just rely on pure social-engineering, the web site also fires a set of browser exploits leveraging known vulnerabilities. [From TrustedSource - Blog - FBI vs. Facebook - Makes Any Sense?]
The Identity Theft Resource Center has released the 2008 Breach List. The 117-page document identifies 377 specific breaches that expose 17,011,691 identities as of July 22. It's a very specific and interesting look into data breaches so far this year.
About the center:
Identity Theft Resource Center® (ITRC) is a nonprofit, nationally respected organization dedicated exclusively to the understanding and prevention of identity theft. The ITRC provides consumer and victim support as well as public education. The ITRC also advises governmental agencies, legislators, law enforcement, and businesses about the evolving and growing problem of identity theft. [From Identity Theft Resource Center | A Nonprofit Organization]