CounterMeasures - A Security Blog � snooping

ACTA, entrench & resist?

Rik Ferguson — Mon, 30 Jan 2012 17:03:09 +0000

It’s probably prudent to mention again that these blog posts represent strictly my own opinion, see my disclaimer here. In the security presentation game, we spend a lot of time talking about “bad actors”, today it has a somewhat different meaning.

The concerns with ACTA centre mostly around how the bill enforces liability on website for any links that point to disputed content and how ISPs may be obliged to dig deeper into their customers’ online activity. In the world of User Generated Content, the potential for any site to be forced to close down, in a Stalinesque way to become a “non-site” as it is obliterated from search results or even have its domain name seized, all as a result of the actions of its users, is seen as too great a threat to business online.

ACTA is in many senses the big brother of SOPA. SOPA would have had negligible effect outside of the US, as the proposed bill would only remove sites from the US visible part of the web (and even then there are plenty of ways around it). ACTA is proposed as a global “Agreement” which has been negotiated in closed-shops with only one side of the debate having been represented and no jurisdictional or democratic oversight. The closed shop appears to have been cynically and deliberately set up outside of existing structures such as the WTO perhaps to protect vested interests of large corporations and a subset, in fact a tiny minority, of governments.

Our business is not only about security, as far as I am concerned it is also about privacy and trust and this kind of legislation has a damaging effect on all three of those. Under ACTA, ISPs will become accountable for the actions of their subscribers and as such will have no option but to monitor the content that is being both posted and accessed by their customers. This represents a gross invasion of privacy and under much of the western world’s communications intercept laws is already currently at least a legal grey area, if not outright illegal. Under ACTA that same (as in SOPA) issue of sites that link to copyrighted content surfaces again with we sites facing similar risks and similar levels of accountability.

Under current copyright law (which itself should not be considered immutable) rights owners have the legal recourse to seek to defend their own property, however by the same token it should be recognised that “the internet” or even “that web site” does not fall under that definition. To propose legislation that would enable an entire site to be “disappeared” because of a link to copyright content is draconian in the extreme and undemocratic to boot.

The internet is not intellectual property, the internet is the crucible of modern innovation and in large part generated by “we the people”. US law, and many others besides, classify copyright as the right to revenue from the copying of original work in a fixed medium, the internet has surpassed this concept. If I link to a video you posted, in what sense am I “copying” and in what sense is that truly “tangible”? Is the rendering of a picture in my browser copying, or is it simply “display? How do we deal with the concepts of mash-ups, crowd-sourcing and social networks when antiquated laws must apply, and what happened to my freedom of expression?

Security is a much deeper concept that endpoints and data, security is my right to access and use the global resources available to me, unimpeded by the legal ramifications of the actions of other internet users. Legislation such as ACTA and SOPA would make this impossible. The mantra of online innovation should be adapt and survive, the mantra of rights holders is to often “entrench and resist”.

The only niche left for innovation & collaboration in an ACTA world is for ACTA compliance solutions that continually monitor your web properties for infringements (thereby monitoring also the content of any linked site as well) and remove any offending UGC promptly.

Polish Government under DDoS, Anonymous ACTA up again.

Rik Ferguson — Sun, 22 Jan 2012 22:54:55 +0000

Anonymous are again making headlines, as the majority of Polish government related web sites are taken offline in DDoS attacks over the weekend as a protest about an international agreement perceived as being cooked up in years of secret talks between governments and industry.

As the dust settles and the mutual back-slapping begins over the withdrawal of the SOPA bill in the US, an older and potentially uglier beast has once again reared its head in Europe. This particular beast is called ACTA (Anti-Counterfeiting Trade Agreement ) and you can certainly be forgiven if you haven’t heard of it before, even though it predates both SOPA and PIPA.

ACTA is what is known as a “plurilateral agreement” aimed at establishing international (not just US) standards on intellectual property rights enforcement. SOPA would have negligible effects outise of the US, but ACTA is a global agreement. It aims to create its own governing body outside of the existing World Trade Organisation, the World Intellectual Property Organisation and the United Nations. Preliminary talks began as far back as 2006 including Canada, the United States, Japan, the EU and Switzerland. Official negotiations began in 2008 with the addition of Australia, Mexico, Morocco, New Zealand, South Korea and Singapore. Alongside these national government representatives, an advisory body of large US-based corporations was involved, including the RIAA, the MPAA, International Intellectual Property Alliance and Pharmaceutical Research & Manufacturers of America.

The negotiations were classified as “Secret” in the US on the grounds that there was a risk of damage to national security. The process by which negotiations took place, without public scrutiny or judicial oversight and the way in which the details of ACTA only emerged as a series of leaks until a draft was eventually published in 201O, after the 8th round of negotiations, has attracted widespread criticism from academics and groups such as the EFF.

The major concerns regarding the actual content of the draft centre around a couple of important issues. Perceived infringement on communications privacy for Internet users, as ISPs are obliged to filter content in more depth as a result of their liability for the actions of their subscribers and an increase in liability for websites that link to copyrighted material (sound familiar?) . There has also been concern that the section dealing with border controls would authorise invasive searches of personal laptops or MP3 players in the search for copyright infringing material. It should be noted that EU legislation prohibits travellers from checks if the offending goods are not a part of “large-scale” traffic and US legislation amply demonstrates that unilateral implementation of invasive border searches is entirely to be expected.

So why Poland, and why today? Well, the government of the Donald Tusk made a surprise announcement ( two PDFs in Polish) on the 19th January that they would be signing ACTA one week later on the 26th, taking them down the road to ratification. Many Poles feel that this has been done without inclusion or open debate and without a mandate from the people. The strength of feeling is immediately visible in Twitter, with thousands of Poles making tweets of thanks to Anonymous for this initial and ongoing action. Even those not actively participating in the DDoS have contributed to the failures of multiple websites by attempting to access them in their browser to see if the site had been taken offline.

Whatever the rights and wrongs of the proposed agreement, it is certainly true to say that democracy is never served in secret, where the interests of only one side of the debate are represented. The Polish Minister for Administration and Digitalisation, Michal Boni has asked Prime Minister Donald Tusk to reconsider the decision before signing and a further meeting has been scheduled for the 24th Jan.

Making the most of Facebook privacy – Part III

Rik Ferguson — Tue, 11 Oct 2011 12:04:07 +0000

The full guide to Facebook security settings is now available for download Making the Most Out of Facebook’s Privacy Settings.

The first part of this series can be found here, and part two here.

Lists – Control privacy when you post

Use the Facebook lists feature to divide your friends into lists. This is a great feature for protecting your privacy because it allows you to select an individual audience for each one of your status updates or wall posts, be aware though it is not possible to individualise the audience for your “Likes”.

Facebook offers three default lists; Close Friends, Acquaintances and Restricted. Dividing friends between “Close friends” and “Acquaintances” will influence how much or how little they show up in your news feed. Adding a friend to the “Restricted” list means they will only be able to see content that you make “Public”. Facebook has also introduced the concept of Smart Lists, these could be related to where you live, where you work, or where you went to school for example.

If you add a friend to any of the “Close Friends”, “Acquaintances” or “Restricted” lists, they will not be informed. However, be aware that if you add a friend to a Smart List that is related to a place of work or college for example, they will receive a notification that you have done so and will be able to approve that information for posting to their own timeline. You can also create custom lists and again your friends will not be notified if they are added to these lists. It is worth noting that when you share content with a specific list of friends, your friends will not see the name of the list you have shared it with, but they will see that you have chosen a restricted audience for your post and they will be able to see every individual name in that group.

Subscriptions

Subscriptions is a new Facebook feature that allows you to follow the public activity of people on Facebook, without having to add them as a friend. Of course this means that the possibility exists for people to follow your content, without you having accepted them as a friend as well. It’s one more reason to tightly control your privacy on Facebook. For example, default behaviour on Facebook if you defriend someone is that they will remain subscribed to you and able to see any public content and perhaps content that is shared by mutual friends too, unless you do something about it. If you want to enable or disable the permission for other users to subscribe to your content, go to your timeline and click the arrow to expand the view of your “favourites boxes”. You will see the subscriptions box, click the box and you will be able either to click the “Allow subscribers” box or, more advisedly a “Settings” button where you will be able to turn it off.

Events

Any “Public” event you have responded to will feature on your timeline and will be shared with the public, meaning that anyone viewing your Facebook profile will be able to see these events. To hide these events from your timeline, view your timeline, click “View Activity” and select “Events” from the activity type drop down menu that appears on the right. You may then hide any events you wish from being displayed on your timeline.

Check yourself out!

If you want to check how the changes you have made have affected the information you share you can view your own timeline as another Facebook user would see it, or as it is visible to the general public. To do this, select the downward pointing arrow just to the right of “View Activity”, select “View As…” and type the name of the friend whose view of your profile you wish to preview, or click the “public” link. This is a great way of identifying those last few pesky events, photos, videos or stories that may still be publicly visible. You can then find each unique event in your Activity Log and refine the audience to whom it is visible or remove it entirely from your timeline.

Five rules to remember…

1. If you post on someone’s wall then you cannot control the privacy of your post . The visibility of the comment is defined by the original post which may be less restricitve than you want, for example, “Friends of Friends”.

2. If you restrict the audience of a post in order that certain friends cannot see it that restriction should not be considered final. If someone later posts a comment that tags a Facebook user who was not a part of the original audience, then the entire thread and original post will be visible to that person. Be careful what you post.

3. If you post on, or respond to an invitation to a public event or a public page; you cannot control the privacy of your post. You can only hide it from your timeline after the post has been made.

4. If you post on a friends wall where their privacy setting is “friends of friends”, then any of your friends who are on your Restricted list will be able to see that post, because they are your friends.

5. This means that anything you post which is “Public” or “Friends of friends” (either by your own settings or those of the recipient) may show up in the ticker of people you do not necessarily know, have restricted or have defriended.

Making the most of Facebook privacy – Part II

Rik Ferguson — Tue, 11 Oct 2011 11:40:14 +0000

The full guide to Facebook security settings is now available for download Making the Most Out of Facebook’s Privacy Settings.

The first part in this series of posts can be found here.

Now it gets more granular… Let’s look at “Privacy Settings” which can be accessed through the drop down menu in the top right of your Facebook page.

Facebook privacy settings

How you connect:

Change the setting for “Who can look up your timeline by name or contact info”, “Who can post on your timeline” and “Who can see posts by others on your timeline” to Friends. The default setting is Everyone except for “Who can see posts by others” which defaults to Friends of Friends, this setting is the cause of much of the noise in the ticker that so upset everyone when it was introduced.

The settings for “Who can send you messages” and “Who can send you friend requests” are just a question of how contactable you want to be, personal preference, again the default is Everyone.

How tags work:

Set Timeline Review to On. This does not stop you from being tagged in posts and those posts and tags will still appear in others’ feeds if they are connected to the originator or to someone else tagged in the photo, but they won’t appear on your wall/Timeline until you approve them. By default this is turned off.

Set Tag Review to On. When someone tags your content, you must review before it is posted. This is useful because once a person is tagged in a picture, post or comment, both that person and their own friends can see the content. Content you may not have wanted to share more widely. By default this is turned off.

Set Maximum Timeline Visibility to Friends. This controls the maximum extent of who can view posts to your *own* timeline. Don’t forget this content may have initially been posted on someone else’s wall and you cannot restrict the visibility of the original post. By default this is set to Friends of Friends.

Set Tag Suggestions to Off. This feature will suggest your name when someone uploads a picture that Facebook thinks looks like you. By default this is turned on.

Set Friends can check you into Places to Off – that way, you’re not going to get checked in to somewhere you would rather have kept secret, or even somewhere you never were. By default this is turned on.

Apps and websites

The Information accessible through your friends section controls what information about you can be accessed by Apps that your friends may have installed. Deselect every check box in this section. You will find that by default they are almost all allowed.

Instant personalisation shares Facebook data with certain partner websites. If the option is available, uncheck the box to turn it off. If it is greyed out it means that Instant personalisation is not yet available to your account. Note that it is turned on by default, so try to remember to keep an eye on it because you are not able to disable until the feature is already turned on…

Public Search, if you’ve been following the recommendations so far, this feature should already be off because you changed Who can look up your timeline to Friends only.

Limit the audience for past posts. Click Manage past post visibility and then click Limit old posts. This will ensure that any posts you have made in the previous years on Facebook will have their privacy restricted to Friends only. Unfortunately there is no indicator that tells you whether you have previously done this, so if you’re unsure, just do it again.

Part three of this series is available here.

Making the most of Facebook privacy – Part I

Rik Ferguson — Tue, 11 Oct 2011 11:07:29 +0000

The full guide to Facebook security settings is now available for download Making the Most Out of Facebook’s Privacy Settings.

Since the long list of new features recently unveiled has begun to be rolled out for all Facebook users; I have been receiving ever-increasing amounts of questions from friends, colleagues and Countermeasures readers concerned with how their online privacy may be affected. So I have put together this guide to Making the Most of Facebook Privacy in 2011. I refer to the forthcoming Facebook feature “Timeline” a lot in this post, but don’t be fooled these settings are available right now, even if you haven’t enabled Timeline yet.

Don’t Get Facejaked

So initially, let’s get to the recommended settings for locking down your Facebook security without having a negative effect on your enjoyment of the social network. Follow the three steps in this earlier blog article to help protect your account from unauthorised access, so-called “facejacking”.

Lock Out Leakage

With that out of the way, let’s go on to tweak your account and privacy setting to better protect the content you share and control the audience with whom you share it. Let’s look at “Account Settings” which can be accessed through the drop down menu in the top right of your Facebook page.

Facebook Account Settings

App & Adverts

In this menu you should review the individual permissions that you have allowed the Apps that you have installed. Have a first pass through this list and remove any apps you no longer use. Then review individual permissions by clicking the Edit link next to each remaining App. Some permissions are required for an App to work but many optional permissions can be revoked here. At the same time, ensure that the App itself is not giving out too much information by changing the setting “Who can see posts and activity from this app” to “Friends” unless you have specific Apps that you wish to grant greater visibility.

Finally, in the Facebook Adverts section, change the Third party advert settings and Edit Social Advert settings to No one. The default setting here is Friends.

Protect Your Privacy

The changes to Facebook have radically changed the ways in which we can share content with our friends, friends of friends and the general public. There are two main ways to configure this privacy; when you post through the Facebook interface or when you post through a device or App that doesn’t allow per post privacy settings. To configure these settings select Privacy Settings which is accessed through the same drop down menu as above.

Facebook Privacy

The Default Privacy setting only applies to posts made through an interface or App that doesn’t support inline sharing controls. I recommend setting this to Friends, the default setting again is Public.

In the next part of this blog series, I detail some of the more specific settings for controlling how you share information and perhaps more importantly, how information is shared about you.

Part two of this series is available here.

It ain’t the Timeline, it’s the Ticker, Doc.

Rik Ferguson — Fri, 23 Sep 2011 22:38:12 +0000

Ever since the forthcoming Facebook profile changes announced earlier this week at the f8 Facebook Developer Conference, there has been a lot of talk online about how the new Timeline layout of your user profile will affect your privacy.

Essentially Facebook is taking all of the information that you have already entered into the social network, your profile, your photos, your posts, comments and other’s comments about you and presenting it in clickable chronological order. This has given some commentators cause for concern. Not I.

I’ll admit that when I first read about the changes I was a little worried, even to the point where I messaged my girlfriend to express my concern (I know, geek). So I thought to myself, “Ferguson, don’t be so negative, at least check it out first before going off the deep end.”

So I logged into Facebook and enabled the new Timeline view (it’s not publicly released yet, but here’s how you can get it in advance) and to be honest I loved what I saw. It’s pretty, it’s intuitive and it certainly says a lot more about me (it’s a profile after all) than the previous layout.

Enough of the aesthetics though, what of the security concerns? The thing that led me to write this blog was an article by Gregg Keizer which featured commentary from Sophos’ Chet Wisniewski. Chet is of the opinion that the new layout simplifies the procedure of data mining any given individual, he says “Timeline makes it a heck of a lot easier [for attackers] to collect information on people“. He’s right too, If I had previously wanted to look at everything someone had ever done on Facebook , it would mean a aeons of clicking to load older posts. Now it’s all presented in a scrollable timeline, much more simple. So why do I disagree?

Timeline certainly makes it easier for anyone who has access to my profile to find out about my Facebook past, but my profile is set to private. Not only that I am also very selective about who I add as a friend on Facebook. In all honesty I really don’t mind my friends data-mining me if they have nothing better to do on a rainy afternoon. I’d have to wonder why, but hey, whatever turns your crank… Incidentally, Timeline also let’s you work out who has “unfriended” you.

Of course if my profile was configured to be viewable to the general public, or if I added just anyone as a friend, then timeline would indeed add a whole new set of concerns. To be honest though, if your Facebook profile is publicly viewable or your an inveterate befriender of stranger, you have far bigger concerns already… None of you do that, do you?

There has to be something that worries me in the new Facebook though, and as my fellow Tweeter Kurt Wismer agreed, it’s the Ticker. You’ve seen the Ticker, right? It’s the new scrolling display of updates int he top right corner of your Facebook page. Why do I worry about the Ticker? It publishes all your activities, including check-ins, in real time to all your friends, including your interactions with people and groups those friends don’t know (if that content is public). This is very much a stalker enabler. Now not only can I watch what you are doing on Facebook with people I know, I can also see when you comment, post or like something I have no connection to whatsoever, this is A Bad Thing.

For now, there’s not not you can do about this other than appeal for Facebook to reconfigure this functionality and apply the same kind of discretion any normal person applies in real-life. There is current a groundswell of people posting the following status and for now it’s the only option you have…

Here’s the text in case you want to copy/paste.

“Please do me a favour: please hover over my name here, wait for the box to load and then hover over the “Subscribe” link. Then uncheck the “Comments and likes” choice. I would rather my comments on friends’ posts not be republished. Thanks** Then repost if you don’t want your EVERY MOVE posted on the right for everyone to see! :) i’ll do the same for you if you want. just click “like.”

DigiNotar, Iran, Certificates and YOU

Rik Ferguson — Mon, 05 Sep 2011 11:57:50 +0000

The story that has been slowly breaking over the past few days regarding the compromise at Dutch certificate authority DigiNotar and the subsequent “theft” of many important credentials is one that is of huge importance for internet users, governments and even the trust foundation that underlies the internet in general.

What has happened exactly?

DigiNotar is a trusted authority. That means that they can issue certificates that allow websites offering secure, encrypted communications to prove that they are who they say they are. Think of it as a digital passport. When you browse to your bank, your email provider or any other secure site, in the background these certificates are exchanged before secured communications can begin. Your web browser contains a list of “root authorities” whose certificates can be trusted. If a web site presents a valid certificate then your browser will trust it and begin encrypted communications. When the certificate is valid, this all happens transparently to you, the end user. DigiNotar’s security has been compromised and a large number of fraudulent certificates have been issued. A full list can be found here (CSV file), although it should be stated that this list may yet grow over time.

What is a valid certificate?

A valid certificate is one that matches the name of the site that is using it, that has an expiry date that has not yet been exceeded and critically is signed by a trusted authority. It is this last step that is normally difficult for those with malicious intent to overcome. If I present an faked, expired or otherwise fraufdulent certificate, your browser will alert you and you may well choose not to continue the communication.

So what does this mean?

If I can set up a “man-in-the-middle”, for example a proxy server, between you and your bank it is very simple for me to intercept and read plain old HTTP traffic as it is not encrypted. However HTTPS traffic would be a problem, it is encrypted and I don’t have the keys to decrypt it, the encryption is between you and your bank. If I have a valid certificate that appears to come from your bank I can overcome this problem, my proxy can pretend to be your bank, present the right credentials and I can decrypt and read all your content, before I pass it on to the real final destination.

Who is at risk?

In a normal situation where I am browsing the internet I can connect directly from my computer to my bank I am on a network I trust and I am not at risk. If however all my traffic must pass through a proxy, either at my Internet Service Provider or at state level, which is the case in some more restrictive nations, then I am at risk. The owner of the proxy can make use of fraudulent certificates and act as a man-in-the-middle. There is also a risk on public networks such as wi-fi hotspots, again the hot-spot provider will often make use of a proxy. Under normal circumstances encrypted traffic will simply be passed through untouched, but if I have a shady certificate and malicious intent I can intercept your traffic.

Alternatively I could infect your system with malware that configures your computer to pass all your traffic through a proxy of my choice, wherever you are located. For this to be effective I would need to be able to install code on your system to make these changes. At least one of the fraudulent certificates allows “code signing” meaning it can be used to certify that a program is from a valid publisher so this possibility certainly exists in theory.

Trend Micro’s Feike Hacquebord has uncovered concrete evidence that the fraudulent certificates issued as a result of the DigiNotar compromise have disproportionately and suspiciously affected users based in Iran (link to TrendLabs blog to follow). In Iran, all web traffic must pass through state approved proxies, the perfect man in the middle. In this scenario, the “benefits” of owning fraudulent certificates are clear. All encrypted traffic for affected destinations can now be decrypted at will and the end-user will be entirely unaware. It has been reported that the fraudulent certificates obtained include certs for *.com and *.org, meaning that all traffic for any web site with one of these suffixes can be intercepted.

Is the internet broken?

Does this event undermine the foundations of trusted communication online? Not entirely, although it certainly highlights a weak link in the chain. Authorities that are trusted to certify the identity and validity of web servers have a responsibility to ensure that the security of their systems and networks is second to none; they represent the top of the food chain. Having said that, security should always be designed on the assumption that a breach will occur. The key to successfully responding to such an event lies in the honesty and transparency of an authority that has been the victim of such an attack. Details of any such breach should be made public immediately so that the bad certificates can be revoked and will no longer be accepted by browsers around the world, thus mitigating the effect of such an attack. Unfortunately in the case of DigiNotar the extent of the breach was reported as minimal at the outset and the full details are only now becoming clear, several days later. We now know that 531 bad certificates have been issued, including those for *.*.com and *.*.org, making the certificates for WindowsUpdate look tame by comparison. The compromise at DigiNotar happened in July of this year, at the time of the initial investigation the fraudulent cert for google.com was not discovered, meaning that that one at least was in the wild for over a month.

Trust in all certificates issued by DigiNotar has already been revoked by many browser and operating system manufacturers and the consequences for DigiNotar as a company are likely to be severe, possibly fatal.

Anonymous vows to attack Facebook?

Rik Ferguson — Wed, 10 Aug 2011 12:25:50 +0000

In a new video, Anonymous or at least an element of the “loose online collective” (how much am I growing to despise that term?) has announced plans for a coordinated attack on Facebook to be launched on the auspicious date (at least here in the UK) of the 5th of November. The video calls for volunteers to join the assault but does not give any details on planned activity. The video should for now be treated with suspicion. It was posted almost a month ago and yet has not been widely publicised, or publicised at all, on the usual Anonymous channels. The Twitter profiles that appear to be associated are inactive, and in a masterstroke of irony, there’s even a Facebook page for it

According to the video, Facebook deserves to be “killed” for a number of reasons

1 – They store personal information and do not delete it – “even if you “delete” your account, all your personal info stays on Facebook and can be recovered at any time. Changing the privacy settings to make your Facebook account more “private” is also a delusion. Facebook knows more about you than your family“.

2 – They sell rights of access to your data to external agencies - “Facebook has been selling information to government agencies and giving clandestine access to information security firms so that they can spy on people from all around the world. Some of these so-called whitehat infosec firms are working for authoritarian governments, such as those of Egypt and Syria”

Having set out their reasons, they sign off with the message “We exist without nationality, without religious bias. We have the right to not be surveilled, not be stalked, and not be used for profit. We have the right to not live as slaves.”

Let’s examine these accusations. Firstly data retention; according to Facebook’s own Privacy Policy “When you delete an account, it is permanently deleted from Facebook.” which seems pretty clear cut. There is a later caveat in a section dealing with backup copies of data that states, “Removed and deleted information may persist in backup copies for up to 90 days, but will not be available to others.” Of course if you have chosen to share information on Facebook and that information has been further shared by your friends or contacts, then you must consider it has passed beyond your control. This is the primary reason why caution should always be uppermost in your mind when posting anything online. On the face of it, point 1 of the Anonymous gripe seems invalid.

Secondly, Facebook sells information to third parties? Again a squint at the Privacy Policy tells us Facebook’s approach to this matter; “We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities.”

So, without getting into a debate about the rights and wrongs of specific governments around the globe, Facebook is certainly open that they will share information in response to requests from both US and “foreign” jurisdictions under the laws applicable in that jurisdiction. What is the lesson to take from this? If you are a Facebook user and you consider that your local government or law enforcement may take unwanted interest in your social networking activities then pay very close attention to the information that you disclose, both on your personal profile and in your activities on the website. If you are engaging in activity which your government would rather you didn’t, be aware that a legal or civil request to this social networking provider may well be honoured.

The biggest and most important point though is this. Facebook is voluntary. You join Facebook because you want to. You provide information of your own volition and essentially at your own risk. If Facebook does know more about you than your own family, it is only because you told them. Conversely, while the social networking provider does provide relatively granular controls over how and who you share your data with, it is certainly my opinion that the default settings on an account are still too open, and the mechanisms for controlling sharing too complex.

Posting information anywhere online is similar to pasting up a notice in a global meeting hall and should be treated in that way. Even if you restrict access to your information to only your friends, you cannot control how that information is further shared by people within your circle of trust. If you aren’t happy to stand in a crowded shopping centre and repeatedly shout out your telephone number, you shouldn’t be making it available online, anywhere.

However, the thing that bothers me most in the Anonymous announcement is the phrase “One day you will look back on this and realise what we have done here is right, you will thank the rulers of the internet, we are not harming you but saving you“. Joseph Goebbels once said something very similar, “It is the absolute right of the State [the rulers of the internet?] to supervise the formation of public opinion.“.

“For your own good is a persuasive argument that will eventually make a man agree to his own destruction.” – Janet Frame.

All your citizens are (not) belong to us

Rik Ferguson — Tue, 21 Jun 2011 10:39:48 +0000

UPDATE III: I just received the following statement from the Office for National Statisitcs in the UK

“Census data secure

The Office for National Statistics reaffirmed today (Wednesday) that personal census information is secure and an allegation made yesterday that it has been hacked is without foundation.

Census Director, Glen Watson, said:

“I can reassure the public that their census records are secure. We have strict measures in place protecting the nation’s census information. The claim that hackers got in looks like a hoax and our investigation concluded that there is no sign of any suspicious activity. The alleged hackers have also denied any involvement.

“However, we are not complacent and will remain vigilant. The security and confidentiality of census data remain our top priority.”"

UPDATE II: Recent tweets on the LulzSec Twitter account deny any truth to the UK Census data rumours.

UPDATE: The Metropolitan Police Cental e-crime Unit PCeU have confirmed that a 19 year-old man has been arrested in connection with LulzSec activity. If LulzSec preparation was in anyway similar to that of Wikileaks, should expect to start seeing mass release of previously witheld information?
_________________________________________________

In a surprising and worrying development, an unconfirmed post on Pastebin, purportedly from Lulz Sec, claims that they are in possession of the entire UK census data for 2011.

So far this claim has not been backed up on the LulzSec Twitter account, which is their usual habit, although a couple of prior post do lend some credence to it

Yesterday they tweeted

“Government hacking is taking place right now behind the scenes“

and a few hours ago, they posted a couple of statements that are similar in tone to the PasteBin document:

“Thank you to the supporters who have assisted in leaks. Like @WikiLeaks, our sources remain anonymous. Leak payloads are being decided now.”

and

“Our next step is to categorize and format leaked items we acquire and release them in #AntiSec “payloads” on our website and The Pirate Bay.“

No details are included in the PasteBin post regarding how the information was obtained, but the messages posted so far seem to indicate a leak rather than an intrusion or hack.

If this claim turns out to be true it means the personal details of every UK citizen, names, addresses, religion, family details, income levels, professional details are in the hands of a group who have already shown they have no objection to releasing illegally obtained material publicly.

This could undermine the confidence of the nation and possibly others to hand over sensitive information to a civil service that has already once demonstrated its inability to encrypt or safeguard it from loss.

Currently refusal to fill in a census is a criminal offence in the UK, will we be looking at mass criminality when the next census rolls around?

Lockheed Martin are currently responsible for the UK census. I have approached them to confirm or deny this claim and am awaiting a statement.

What the Hack is going on?

Rik Ferguson — Thu, 16 Jun 2011 14:51:28 +0000

Used under creative commons from brittgow Flickr

With all the recent news stories of successful hacking attacks of some very prominent organisations, this seems like an entirely reasonable question. The litany of victims is impressive including such luminaries as Google, RSA, Visa, MasterCard, Citibank, Epsilon, the US Senate, the UK National Health Service, Fox, Sony (of course) and just last night the CIA website was targeted with what a Distributed Denial of Service Attack. The amount of prime time coverage these various activities are getting is prompting several questions. Is this hacking group stuff something new? Is this cyber-espionage or even cyber warfare? What impact will this have on me and the future of the internet?

The idea of a hacking group is certainly not a new phenomenon, in fact they began to flourish in the early eighties, the early days of home computing, acting as a forum for members to share information, learn and compare skills. Early groups bore names such as Legion of Doom, Cult of the Dead Cow or Masters of Deception and specialised not only in the nascent internet hacking scene and are responsible for the birth of hacktivism, but also in the perhaps dying are of phreaking (abuse of public telecommunications networks). The nineties saw the rise of a different kind of hacking group, L0pht Heavy Industries who operated more as a research organisation, providing software tools for penetration and security testing and issuing advisories. This group also famously testified to the US Congress that they could take down the entire internet in under 30 minutes back in 1998. L0pht later merged with @stake, who were eventually acquired by Symantec.

Now in the noughties we have witnessed the rise of Anonymous, and more recently LulzSec. Anonymous as a collective is something that began on message boards like the infamous 4chan, for the purposes of attacking the Church of Scientology, and has with generous media coverage evolved into a bigger deal. Instead of being a relatively closed group, Anonymous instead actively sought the participation of the general public when they began their actions in support of Wikileaks. Tens of thousands of volunteers are downloading tools which enable them to participate in the global assault on businesses with whom they feel personally aggrieved. The latest versions of this tool includes functionality which means the user can hand of control of their weaponised computer to a central authority (Anonymous) to better direct and control the attacks. Lulz Sec on the other had maintain the tradition of the closed group, and according to their own web site have no motivation but anarchy,

“We’re LulzSec, a small team of lulzy individuals who feel the drabness of the cyber community is a burden on what matters: fun. Considering fun is now restricted to Friday, where we look forward to the weekend, weekend, we have now taken it upon ourselves to spread fun, fun, fun, throughout the entire calendar year“.

Of course similar groups have emerged around the world in places as far flung as Pakistan and India, where there is fierce competition between the groups. In Romania groups such as HackersBlog have hit various companies. In China and Russia, many hackers are believed to act as proxies for their governments.

It’s not all about the hacking for fun and kudos gangs, organised criminal groups have been with us for many years now, and the last 12 months or so has seen a marked increase in the frequency of attacks on online aggregations of information, such as Sony, Epsilon or Citibank for the purposes of theft of information for financial reward. One single attack, if successful can yield such a vast amount of saleable or otherwise abusable personal data, that I’m only surprised the attacks took so long to gather pace.

Another phenomenon that has risen to prominence recently is purported nation-state activity. Again, despite recent press coverage this is also nothing new, the Titan Rain attacks for example date back to 2003 where the finger was firmly pointed at China for the theft of large amounts of information from military and governmental targets, gh0stnet in 2007 was similarly blamed on China, as were the Aurora attacks the following year. This year has already seen similarly motivated attacks on RSA, the European Council, the French Finance Ministry, the Canadian government, Lockheed Martin and of course Stuxnet.

So many technological and cryptographically advances have their roots in the centuries old art of espionage, we should really not be surprised to see national foreign intelligence services making use of cutting edge tools and techniques to further their national or economic interests.

None of this represents a global online meltdown, or the end of the internet economy or national security as we know it. Like everything else in this world we can trace a simple process of evolution at work here. Security companies, individuals and enterprises must evolve to keep pace and just maybe learn some of the lessons that some of these guys have been teaching us for years now. Encrypt your data, develop securely, configure correctly, test your defences effectively, use complex passwords, shield your vulnerabilities and build your systems under the assumption that a breach *will* happen.