A Moral Outrage

A Conservative Blog

Category: Security

What Happened When One Man Pinged the Whole Internet

MITechnologyReview

You probably haven’t heard of HD Moore, but up to a few weeks ago every Internet device in the world, perhaps including some in your own home, was contacted roughly three times a day by a stack of computers that sit overheating his spare room. “I have a lot of cooling equipment to make sure my house doesn’t catch on fire,” says Moore, who leads research at computer security company Rapid7. In February last year he decided to carry out a personal census of every device on the Internet as a hobby. “This is not my day job; it’s what I do for fun,” he says.

Moore has now put that fun on hold. “[It] drew quite a lot of complaints, hate mail, and calls from law enforcement,” he says. But the data collected has revealed some serious security problems, and exposed some vulnerable business and industrial systems of a kind used to control everything from traffic lights to power infrastructure.

Moore’s census involved regularly sending simple, automated messages to each one of the 3.7 billion IP addresses assigned to devices connected to the Internet around the world (Google, in contrast, collects information offered publicly by websites). Many of the two terabytes (2,000 gigabytes) worth of replies Moore received from 310 million IPs indicated that they came from devices vulnerable to well-known flaws, or configured in a way that could let anyone take control of them.

It’s a Feature, Not a Bug!

Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight

A legal fight over the government’s use of a secret surveillance tool has provided new insight into how the controversial tool works and the extent to which Verizon Wireless aided federal agents in using it to track a suspect.

Court documents in a case involving accused identity thief Daniel David Rigmaiden describe how the wireless provider reached out remotely to reprogram an air card the suspect was using in order to make it communicate with the government’s surveillance tool so that he could be located.

Rigmaiden, who is accused of being the ringleader of a $4 million tax fraud operation, asserts in court documents that in July 2008 Verizon surreptitiously reprogrammed his air card to make it respond to incoming voice calls from the FBI and also reconfigured it so that it would connect to a fake cell site, or stingray, that the FBI was using to track his location.

Air cards are devices that plug into a computer and use the wireless cellular networks of phone providers to connect the computer to the internet. The devices are not phones and therefore don’t have the ability to receive incoming calls, but in this case Rigmaiden asserts that Verizon reconfigured his air card to respond to surreptitious voice calls from a landline controlled by the FBI.

Kicked off Facebook, pre-teen creates his own social network

NBCNews

That’s the attitude one Florida preteen ran with after his parents banned him from using Facebook. Instead of begging or slamming doors when his account was deactivated, the 11-year-old launched his own social network tailored specifically to children.

Grom Social founder Zachary Marks had a Facebook account for roughly a week despite being two years too young to join the site, having lied about his age to create an account. And when his parents discovered that he may have been engaging in risky online activities, they pulled the plug.

In order to keep kid members safe, only parents and parent-approved adults can join Grom Social. Parents of kid members are kept up to date on their youngster’s online activities via email. The site also has a built-in language filter to keep the expletives from flying straight into kids’ virgin eyes.

Grom Social is also compliant with COPPA, the Children’s Online Privacy Protection Act, a controversial law aimed at keeping kids safe online that some argue is ineffective and unconstitutionally limits children’s First Amendment rights.

Kill the Password: Why a String of Characters Can’t Protect Us Anymore

Wired

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

The age of the password is over. We just haven’t realized it yet.

Since that awful day, I’ve devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack. Imagine that I want to get into your email. Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.

DON’T

  • Reuse passwords. If you do, a hacker who gets just one of your accounts will own them all.
  • Use a dictionary word as your password. If you must, then string several together into a pass phrase.
  • Use standard number substitutions. Think “P455w0rd” is a good password? N0p3! Cracking tools now have those built in.
  • Use a short password—no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable. Your best defense is the longest possible password.

DO

  • Enable two-factor authentication when offered. When you log in from a strange location, a system like this will send you a text message with a code to confirm. Yes, that can be cracked, but it’s better than nothing.
  • Give bogus answers to security questions. Think of them as a secondary password. Just keep your answers memorable. My first car? Why, it was a “Camper Van Beethoven Freaking Rules.”
  • Scrub your online presence. One of the easiest ways to hack into an account is through your email and billing address information. Sites like Spokeo and WhitePages.com offer opt-out mechanisms to get your information removed from their databases.
  • Use a unique, secure email address for password recoveries. If a hacker knows where your password reset goes, that’s a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn’t tied to your name—like m****n@wired.com—so it can’t be easily guessed.
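The DON’T list above is the kind of rule a password checker can enforce mechanically. This added example (not from the Wired article) undoes the “standard number substitutions” the way cracking tools do, checks the result against a constructed mini-wordlist, and estimates exhaustive-search time at an assumed rate of 10^10 guesses per second; the wordlist, substitution table and guess rate are illustrative assumptions, not measurements.

```python
"""Password-hygiene checks for the DON'T list: reuse, dictionary words,
leet-speak substitutions and short length.

Added example; the wordlist, LEET_MAP and GUESSES_PER_SECOND are
constructed assumptions for illustration.
"""
import string

# Constructed stand-in for a real cracking dictionary.
WORDLIST = {"password", "letmein", "dragon", "welcome", "monkey"}

# Substitutions that cracking tools try automatically, so they add no strength.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate (illustrative)

CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def normalize_leet(password: str) -> str:
    """Undo digit/symbol substitutions and lowercase: 'P455w0rd' -> 'password'."""
    return password.translate(LEET_MAP).lower()


def is_dictionary_word(password: str) -> bool:
    """True if the de-leeted password is a single known dictionary word."""
    return normalize_leet(password) in WORDLIST


def alphabet_size(password: str) -> int:
    """Size of the pool an exhaustive search must cover for this password."""
    return sum(len(cls) for cls in CHARACTER_CLASSES
               if any(c in cls for c in password))


def brute_force_seconds(password: str) -> float:
    """Worst-case time to exhaust every combination of the same length and pool.

    This is an upper bound: dictionary and pattern attacks finish far sooner
    against predictable passwords, which is why length alone is not enough.
    """
    return alphabet_size(password) ** len(password) / GUESSES_PER_SECOND


def check_password(password: str, previously_used: set) -> list:
    """Return the DON'T-list rules a candidate violates (empty list = none)."""
    problems = []
    if password in previously_used:
        problems.append("reused")
    if is_dictionary_word(password):
        problems.append("dictionary word")
    if len(password) < 12:
        problems.append("too short")
    return problems


if __name__ == "__main__":
    for candidate in ("P455w0rd", "h6!r$q", "Camper Van Beethoven Freaking Rules"):
        secs = brute_force_seconds(candidate)
        print(f"{candidate!r}: {check_password(candidate, set()) or 'ok'}, "
              f"exhaustive search <= {secs:.3g} s")
```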

U.S. Admits Surveillance Violated Constitution At Least Once

Wired

The head of the U.S. government’s vast spying apparatus has conceded that recent surveillance efforts on at least one occasion violated the Constitutional prohibitions on unlawful search and seizure.

The admission comes in a letter from the Office of the Director of National Intelligence declassifying statements that a top U.S. Senator wished to make public in order to call attention to the government’s 2008 expansion of its key surveillance law.

“On at least one occasion,” the intelligence shop has approved Sen. Ron Wyden (D-Ore.) to say, the Foreign Intelligence Surveillance Court found that “minimization procedures” used by the government while it was collecting intelligence were “unreasonable under the Fourth Amendment.” Minimization refers to how long the government may retain the surveillance data it collects. The Fourth Amendment to the Constitution is supposed to guarantee our rights against unreasonable searches.

Wyden does not specify how extensive this “unreasonable” surveillance was; when it occurred; or how many Americans were affected by it.

In the letter, acquired by Danger Room (.pdf), Wyden asserts a serious federal sidestep of a major section of the Foreign Intelligence Surveillance Act.

That section — known as Section 702 and passed in 2008 — sought to legalize the Bush administration’s warrantless surveillance efforts. The 2008 law permitted intelligence officials to conduct surveillance on the communications of “non-U.S. persons,” when at least one party on a call, text or email is “reasonably believed” to be outside of the United States. Government officials conducting such surveillance no longer have to acquire a warrant from the so-called FISA Court specifying the name of an individual under surveillance. And only a “significant purpose” of the surveillance has to be the acquisition of “foreign intelligence,” a weaker standard than before 2008.

Wyden says that the government’s use of the expanded surveillance authorities “has sometimes circumvented the spirit of the law” — a conclusion that the Office of the Director of National Intelligence does not endorse. The office does not challenge the statement about the FISA Court on at least one occasion finding the surveillance to conflict with the Fourth Amendment. Danger Room initially misunderstood the letter to mean that its author, top intelligence official Kathleen Turner, made the statements herself; she was merely informing Wyden that he could issue them publicly without revealing classified information.


But this is a far cry from how Director of National Intelligence James Clapper typically describes the new FISA law. When the law was up for reauthorization this spring, Clapper wrote to congressional leaders to say its renewal was his “top priority in Congress,” (.pdf) as the law “allows the Intelligence Community to collect vital information about international terrorists and other important targets overseas while providing robust protection for the civil liberties and privacy of Americans.”

Suspicions about abuse of the government’s new surveillance powers are almost as old as the 2008 expansion of the law. In 2009, citing anonymous sources, the New York Times reported that “the N.S.A. had been engaged in ‘overcollection’ of domestic communications of Americans. They described the practice as significant and systemic,” if unintentional. The Justice Department told the Times that it had already resolved the problem.

But as the American Civil Liberties Union noted in a May letter to lawmakers, “There is little in the public record about how the government implements” the expanded law. An ACLU Freedom of Information Act request discovered that the Justice Department and intelligence bureaucracy refer to “compliance incidents” (.pdf) in their internal accounting of the new surveillance — which seemed to suggest difficulty staying within the broadened boundaries of the law. (Full disclosure: My wife works for the ACLU.)

Wyden has been a lonely congressional voice against renewing the government’s broadened surveillance powers. Last month, he quietly used a parliamentary maneuver to stall the renewal after it passed a key Senate committee.

Wyden’s argument was that the government had not fully disclosed the extent of its new surveillance powers. It argued to Wyden that it is “not reasonably possible to identify the number of people located in the United States whose communications may have been reviewed under the authority of the [FISA Amendments Act].” Separately, the National Security Agency insisted that it would violate Americans’ privacy even to tally up how many Americans it had spied upon under the new law.

On Friday, Wyden said in a statement: “I applaud the DNI for agreeing that transparency should prevail in this situation… I believe that protections for Americans’ privacy need to be strengthened, and I believe that the FISA Court’s rulings help illustrate why this is necessary. I look forward to debating this issue on the Senate floor.”

In her letter to Wyden, Turner insisted — as the government has in the past — that all Constitutional and legal problems with the expanded surveillance have already been rectified. The government, she writes, believes the FISA Amendments Act is “a well-calibrated statute that strikes an appropriate balance between protecting national security and safeguarding privacy and civil liberties.”

“At no time,” she continues, “have these reviews found any intentional violations of law.”

Texas Jury Strikes Down Patent Troll’s Claim to Own the Interactive Web

‘Bout time

TYLER, Texas — After threatening web companies for more than a decade, Michael Doyle and his patent-holding company Eolas Technologies — named after the Irish word for knowledge — may be finished.

An eight-member federal jury in East Texas deliberated Thursday for just a few hours before concluding that all of Eolas’ asserted claims of ownership to technology allowing access to the interactive web were invalid. That means the three upcoming trials that were scheduled to rule on infringement and damages, for Google, Yahoo and other companies, have been canceled. The eight defendant companies who resisted the lawsuits won’t pay anything to Eolas or its partner, the University of California, for using the web.

Eolas maintained its patents entitled the company to royalty payments from just about anyone running a website with “interactive” features, like rotating pictures or streaming video. The chief issue in the case was whether the first computer program that allowed access to an “interactive web” was created by the little-known Chicago biologist Doyle, who runs Eolas out of Chicago. Or was it one of the web pioneers put on the stand by the defendant companies — such as Pei-Yuan Wei and his Viola browser, or Dave Raggett and his tag?

The dueling teams of lawyers have spent millions creating elaborate presentations, trying for the last three days to convince a jury of average folks in a federal district court in eastern Texas that their side was right.

If the jury had upheld the patents, there would have been a potentially brutal damages phase in which Google, YouTube, Yahoo, Amazon, Adobe, JC Penney, CDW Corp. and Staples would have been sued for infringement and been asked for more than $600 million in damages, with the majority of that coming from Google and Yahoo.

The Eolas patents were denounced for years before this week’s landmark trial, but managed to survive repeated re-exams at the United States Patent and Trade Office.

However, Thursday’s verdict is likely a setback Eolas can’t overcome. It may well be appealed, but that will be a long process, and in the meantime Eolas won’t be able to go after new targets.

After the trial, Judge Leonard Davis visited with the jurors a while, as is his custom. They were awed, I’m told—as they often are—why such an important web case ended up in Tyler.

Apparently they were a little star-struck by Tim Berners-Lee, although you certainly couldn’t tell during trial.

At “Rick’s on the Square” opposite the courthouse, defense lawyers were celebrating. There was a giddy atmosphere; these folks truly felt like they saved the Web today.

As for the winner’s reactions: Yahoo spokeswoman Dana Lengkeek said: “Yahoo is pleased with the outcome of the case and the jury’s decision, and we thank the jury for their time and commitment to this case. Yahoo respects intellectual property and will continue to protect its freedom to operate by defending itself against meritless claims.”

Google spokesman Jim Prosser was less effusive. “We are pleased that the court found the patents invalid, as it affirms our assertion that the claims are without merit,” Prosser said.

Despite winning, Amazon declined to comment.

Lead Eolas attorney Mike McKool did not return a call seeking comment.

As for the many companies that settled with Eolas, they might be regretting that pragmatic decision in light of the verdict.

Those companies include: Apple, Argosy Publishing, Blockbuster, Citigroup, eBay, Frito-Lay, JP Morgan Chase, New Frontier Media, Office Depot, Perot Systems, Playboy Enterprises International, Rent-A-Center, Sun Microsystems (bought by Oracle while this litigation was underway), and Texas Instruments.

The ACTA Fight Returns: What Is at Stake and What You Can Do

MichaelGeist

The reverberations from the SOPA fight continue to be felt in the U.S. (excellent analysis from Benkler and Downes) and elsewhere (mounting Canadian concern that Bill C-11 could be amended to adopt SOPA-like rules), but it is the Anti-Counterfeiting Trade Agreement that has captured increasing attention this week. Several months after the majority of ACTA participants signed the agreement, most European Union countries formally signed the agreement yesterday (notable exclusions include Germany, the Netherlands, Estonia, Cyprus and Slovakia).

This has generated a flurry of furious protest: thousands have taken to the streets in protest in Poland, nearly 250,000 people have signed a petition against the agreement, and a Member of the European Parliament has resigned his position as rapporteur to scrutinize the agreement, concluding that the entire review process is a “charade.”

Some are characterizing ACTA as worse than SOPA, but the reality is somewhat more complicated. From a substantive perspective, ACTA’s Internet provisions are plainly not as bad as those contemplated by SOPA. Over the course of several years of public protest and pressure, the Internet provisions were gradually watered down with the removal of “three strikes and you’re out” language. Other controversial provisions on statutory damages and anti-camcording rules were made optional rather than mandatory.

While the Internet provisions may not be as bad as SOPA, the remainder of the agreement raises many significant concerns.

10K Reasons to Worry About Critical Infrastructure

Wired

Screenshot showing an industrial control system in Idaho that's connected to the internet. The red tag indicates there are known vulnerabilities for the device that might be exploitable. Two known vulnerabilities are listed at the bottom of the text bubble.

MIAMI, Florida – A security researcher was able to locate and map more than 10,000 industrial control systems hooked up to the public internet, including water and sewage plants, and found that many could be open to easy hack attacks, due to lax security practices.

Infrastructure software vendors and critical infrastructure owners have long maintained that industrial control systems (ICSes) — even if rife with security vulnerabilities — are not at risk of penetration by outsiders because they’re “air-gapped” from the internet — that is, they’re not online.

But Eireann Leverett, a computer science doctoral student at Cambridge University, has developed a tool that matches information about ICSes that are connected to the internet with information about known vulnerabilities to show how easy it could be for an attacker to locate and target an industrial control system.

“Vendors say they don’t need to do security testing because the systems are never connected to the internet; it’s a very dangerous claim,” Leverett said last week at the S4 conference, which focuses on the security of Supervisory Control and Data Acquisition systems (SCADA) that are used for everything from controlling critical functions at power plants and water treatment facilities to operating the assembly lines at food processing and automobile assembly plants.

“Vendors expect systems to be on segregated networks — they comfort themselves with this. They say in their documentation to not put it on an open network. On the other side, asset owners swear that they are not connected,” Leverett said. But how do they know?

To debunk the myth that industrial control systems are never connected to the internet, Leverett used the SHODAN search engine developed by John Matherly, which allows users to find internet-connected devices using simple search terms. He then matched that data to information from vulnerability databases to find known security holes and exploits that could be used to hijack the systems or crash them. He used Timemap to chart the information on Google maps, along with red markers noting brand devices that are known to have security holes in them. He described his methodology in a paper (.pdf) about the project.

Leverett found 10,358 devices connected through a search of two years’ worth of data in the SHODAN database. He was unable to determine, through his limited research, how many of the devices uncovered were actually working systems – as opposed to demo systems or honeypots – nor was he able to determine in all cases whether the systems were critical infrastructure systems installed at power plants and other significant facilities or simply ICSes that controlled things like high school lighting systems or the heat and air conditioning system in office buildings.

But Leverett said a few of the systems he investigated did actually belong to water facilities in Ireland and sewage facilities in California.

He also found that only 17 percent of the systems he found online asked him for authorization to connect, suggesting that administrators either weren’t aware that their systems were online or had simply failed to install secure gateways to keep out intruders.

To avoid obtaining unauthorized access to the systems, Leverett didn’t try to connect to the systems himself but passed the information to the Department of Homeland Security last September, which took on the task of notifying the owners of systems, where they could be identified, or their ISPs. In the case of systems based overseas, DHS worked with some dozens of CERTs (Computer Emergency Response Teams) in those countries to notify ISPs and device owners.

Leverett’s tool shows how easy it is for a dedicated attacker or just a recreational hacker to find vulnerable targets online to sabotage.

He told conference attendees that he worked on the tool full time for three months and part time for another three months, noting that if “a student can put this together, surely a nation state can do it.”

A conference attendee who works for Schweitzer, a maker of industrial control systems, called the tool “extremely valuable” and said his company had notified customers whose systems were found online.

“At least one customer told us ‘We didn’t even know it was attached’,” he said.

Leverett is not the first to use SHODAN to uncover ICSes connected to the internet. Last February, independent security researcher Ruben Santamarta used SHODAN to identify online remote access links to SCADA systems at multiple utility companies. But Leverett is the first to show how easy it would be for attackers to automate device location information with vulnerability and exploit data.

Leverett used 33 queries to find the devices online, using the names of popular industrial control systems such as “SoftPLC,” a control system used primarily in Eastern Europe, and “Simatic S7,” a system made by Siemens that was targeted last year by the Stuxnet worm in an attack aimed at sabotaging Iran’s uranium enrichment program.

Using banner information that is broadcast by each connected system – such as the date and timezone, which can help place a machine geographically, as well as the type and version of servers and devices being used – Leverett searched databases for information about patched and unpatched vulnerabilities (including a list of new vulnerabilities that a group of researchers exposed in six industrial control systems at the S4 conference) as well as known exploits to attack those systems. Then he plugged the data into his visualization tool. Without trying to access the ICSes, Leverett was unable to determine if the devices that were found are patched, and therefore not vulnerable to the existing exploits, or if they are protected by intrusion prevention systems.
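The method described in this article, matching a device’s banner (product and version) against advisory data and noting whether it demanded credentials, is what an asset owner needs to run against their own public address space to find out whether a system they “swear is not connected” is in fact reachable. This added example is not Leverett’s tool or code; every banner line, product name, version and advisory identifier in it is a constructed placeholder so it runs offline, and it deliberately only parses banners rather than connecting to anything, mirroring the article’s caveat that a banner match cannot show whether a device is patched or sits behind an intrusion prevention system.

```python
"""Triage of externally observed ICS banners against an advisory table.

Added example in the spirit of the survey method described above; not
Leverett's code. SAMPLE_BANNERS, the product names and ADVISORIES are
constructed placeholders, not real devices or real vulnerabilities.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed banner lines as a connecting client might see them.
SAMPLE_BANNERS = [
    "10.0.0.1 ACME-PLC web-config v2.1.4 (GMT-7) 401 Unauthorized",
    "10.0.0.2 ACME-PLC web-config v2.3.0 (GMT-7) 200 OK",
    "10.0.0.3 HypotheticalRTU telnet 1.9 login:",
    "10.0.0.4 HypotheticalRTU telnet 1.9 Welcome. 1) Setpoints 2) Alarms",
    "10.0.0.5 UnknownGear http 5.0 200 OK",
]

# Constructed advisory table: product -> (first fixed version, placeholder id).
# Any version strictly below the fixed version is treated as affected.
ADVISORIES = {
    "ACME-PLC": ("2.2.0", "ADVISORY-PLACEHOLDER-1"),
    "HypotheticalRTU": ("2.0", "ADVISORY-PLACEHOLDER-2"),
}

# Strings showing the service demanded credentials before revealing anything.
AUTH_MARKERS = ("401 Unauthorized", "login:", "Password:")

VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)+)")


@dataclass
class Observation:
    ip: str
    product: str
    version: Optional[str]
    requires_auth: bool


def parse_banner(line: str) -> Observation:
    """Split one banner line into address, product, version and auth status."""
    tokens = line.split()
    ip, product = tokens[0], tokens[1]
    version = None
    for tok in tokens[2:]:           # first dotted number after the product
        match = VERSION_RE.fullmatch(tok)
        if match:
            version = match.group(1)
            break
    requires_auth = any(marker in line for marker in AUTH_MARKERS)
    return Observation(ip, product, version, requires_auth)


def version_tuple(version: str) -> tuple:
    """'2.1.4' -> (2, 1, 4) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def matching_advisory(product: str, version: Optional[str]) -> Optional[str]:
    """Placeholder advisory id if the banner's version predates the fix, else None."""
    if product not in ADVISORIES or version is None:
        return None
    fixed_in, advisory_id = ADVISORIES[product]
    if version_tuple(version) < version_tuple(fixed_in):
        return advisory_id
    return None


def priority(obs: Observation) -> str:
    """Rank one device for follow-up. A banner match is only a lead: it cannot
    show a backported fix or an intrusion-prevention system in front."""
    affected = matching_advisory(obs.product, obs.version) is not None
    if affected and not obs.requires_auth:
        return "urgent"   # known issue and the interface is open to anyone
    if affected:
        return "patch"    # known issue, at least gated by credentials
    if not obs.requires_auth:
        return "gate"     # nothing known, but reachable without credentials
    return "ok"


def survey(banners: list) -> dict:
    """Map every observed address to its follow-up priority."""
    return {obs.ip: priority(obs) for obs in map(parse_banner, banners)}


def auth_fraction(banners: list) -> float:
    """Share of devices that asked for credentials (the survey found 17 percent)."""
    observations = [parse_banner(b) for b in banners]
    return sum(o.requires_auth for o in observations) / len(observations)
```

Run against real data, the output is a work list for the owner and their ISP, which is the notification path the article describes DHS and the CERTs using.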

Judge Orders Defendant to Decrypt Laptop

Wired

A judge on Monday ordered a Colorado woman to decrypt her laptop computer so prosecutors can use the files against her in a criminal case.

The defendant, accused of bank fraud, had unsuccessfully argued that being forced to do so violates the Fifth Amendment’s protection against compelled self-incrimination.

“I conclude that the Fifth Amendment is not implicated by requiring production of the unencrypted contents of the Toshiba Satellite M305 laptop computer,” Colorado U.S. District Judge Robert Blackburn ruled Monday. (.pdf)

The authorities seized the laptop from defendant Ramona Fricosu in 2010 with a court warrant while investigating financial fraud.

The case is being closely watched (.pdf) by civil rights groups, as the issue has never been squarely weighed in on by the Supreme Court.

Full disk encryption is an option built into the latest flavors of Windows, Mac OS and Linux, and well-designed encryption protocols used with a long passphrase can take decades to break, even with massive computing power.

The government had argued that there was no Fifth Amendment breach, and that it might “require significant resources and may harm the subject computer” if the authorities tried to crack the encryption.

Assistant U.S. Attorney Patricia Davies said in a court filing (.pdf) that if Judge Blackburn did not rule against the woman, that would amount to “a concession to her and potential criminals (be it in child exploitation, national security, terrorism, financial crimes or drug trafficking cases) that encrypting all inculpatory digital evidence will serve to defeat the efforts of law enforcement officers to obtain such evidence through judicially authorized search warrants, and thus make their prosecution impossible.”

A factually similar dispute involving child pornography ended with a Vermont federal judge ordering the defendant to decrypt the hard drive of his laptop. While that case never reached the Supreme Court, it differed from the Fricosu matter because U.S. border agents already knew there was child porn on the computer because they saw it while the computer was running during a 2006 routine stop along the Canadian border.

The judge in the Colorado case said there was plenty of evidence — a jailhouse recording of the defendant — that the laptop might contain information the authorities were seeking.

The judge ordered Fricosu to surrender an unencrypted hard drive by Feb. 21. The judge added that the government is precluded “from using Ms. Fricosu’s act of production of the unencrypted hard drive against her in any prosecution.”

SOPA, Guns, and Freedom

PJMedia

Q: What does the proposed SOPA (“Stop Online Piracy Act”) legislation have in common with gun control?

A: Both would punish the innocent for the bad acts of a guilty few.

Under the guise of combating online copyright piracy, the proposed Stop Online Piracy Act (SOPA) legislation would have given the government unprecedented power to shut down a website for hosting “infringing material,” even for something as minor as an online comment from a 3rd-party linking to pirated content. Although the goal of protecting intellectual property rights is a legitimate one, the proposed SOPA law would not have solved that problem and it would have disrupted all manner of legitimate internet activity in the process. Steve Blank offered this analogy: “It’s as if someone shoplifts in your store, SOPA allows the government to shut down your store.”

But even though SOPA proponents in Congress appear to be backing down in the face of public pressure, the legislation is not yet dead but merely temporarily “shelved.” The Senate version, Protect Intellectual Property Act (PIPA), is still very much alive. Furthermore, the U.S. government has repeatedly sought greater control over the internet, most notably with the proposed 2010 “internet kill switch” (“Protecting Cyberspace as a National Asset Act”) which would have allowed it to shut down the internet at its discretion during “emergencies.”

Like all technologies, computers can be used for good or for evil purposes. But the fact that bad people can misuse a technology does not justify restricting the freedoms of honest users. As Cory Doctorow notes, we would never let the government restrict the use of wheels because bank robbers sometimes use wheeled vehicles to make their escape.

Gun control advocates have adopted similarly flawed logic for decades. In essence they argue, “Some people will do bad things with guns; hence we should restrict law-abiding Americans’ ability to own guns.” Over the years, they have enacted numerous local, state, or federal-level restrictions such as mandatory gun registration, bans of certain types of dangerous-looking rifles, and (in some localities) complete bans on handgun ownership.

Some gun control advocates have even proposed requiring that all new guns include technology that would allow only approved users to discharge the weapon, for instance, by requiring that a microchip in the gun recognize the owner’s fingerprint or a special ring on the owner’s finger. The government would also have the ability to override these chips remotely and render the gun unusable if it deemed necessary — i.e., the gun control version of the “kill switch.”

Internet control and gun control are not the only examples of government infringements on our liberties in an attempt to stop a few people from acting badly or irresponsibly. We must now show photo IDs to buy Sudafed at the drugstore because someone might use it in an illegal meth lab. Under ObamaCare, we must purchase government-approved health insurance because some people can’t or won’t pay their medical bills. Honest political advocacy groups must abide by campaign finance laws that mandate burdensome spending restrictions and reporting requirements, because some people might theoretically attempt to “buy influence” in an election.

To fight these bad laws, it’s not sufficient to fight merely the individual issues. We must also fight at the level of broader principle. In other words, we should not fight merely for internet freedom or firearms freedom or medical freedom, but for freedom as such. This means promoting the concept of limited government.

The proper function of government is to protect individual rights, such as our rights to free speech, property (including intellectual property rights), and contract. Only those who initiate physical force or fraud can violate our rights. A properly limited government thus protects our rights by protecting us from criminals who steal, murder, rape, and so on, as well as from foreign aggressors. But it should otherwise leave honest people alone to live peacefully.

If someone uses a computer to violate individual rights, say, by disseminating pirated material, then he should be punished. Admittedly, it may be sometimes difficult to enforce intellectual property rights against overseas copyright thieves. But in the process of seeking to stop the bad guys, the government should not violate the rights of innocent people engaging in legitimate internet activities. This is just a variation on the basic principle of Western jurisprudence, “Better let ten guilty men go free, rather than convict one innocent man.”

You do not protect honest online content producers from pirates by breaking the internet for the innocent. You do not protect innocent people from criminals by disarming the good guys. You do not stop the guilty by punishing the innocent. You do not protect individual rights by violating individual rights.

The successes of gun-rights activists and of anti-SOPA activists also show how to create positive political changes. In both cases, academicians, think tanks, and grass-roots activists all worked hard to shift public opinion in the right direction. As a result, gun control is now “a movement without followers.” Similarly, most previously pro-SOPA politicians have backpedalled furiously, at least for now. When Americans demand their freedom, the politicians will follow. Let’s make sure these two positive examples are just the beginning — and not the end — of the fight for freedom in America.
