Categories
News Security

ISOC: WikiLeaks Attacks Threaten Free Expression

 by Sophie Curtis

The Internet Society wants a legal solution to the WikiLeaks debacle, not DoS attacks and DNS alterations

The Internet Society has waded into the WikiLeaks debate, stating that the Internet needs free expression. Legal challenges, not DoS attacks, are the best way to deal with the whistleblowing site, said ISOC.

The news comes as Julian Assange (left), founder of WikiLeaks, is imprisoned in London facing rape charges, and has been refused bail on the grounds there was a risk he would escape.

WikiLeaks sparked a diplomatic crisis at the end of November by releasing more than 250,000 confidential cables from its embassies round the world. Along with Arab leaders urging strikes on Iran’s nuclear plants, and embarrassing assessments of foreign leaders, the massive leak shed new light on the incident in January, when Google was subject to hacking from within China.

The site was subsequently hit with a giant denial-of-service (DoS) attack and cut off the Internet by domain name service provider EveryDNS. The site’s administrators sought refuge in various locations around Europe – including the Swiss Pirate Party – and users can reach the wikileaks.org and cablegate.org sites if they bypass the DNS lookup, and type in their respective IP addresses.

Undermining integrity of the Internet

Despite the political outcry over the exposure of highly sensitive communications, the Internet Society says that attacks against WikiLeaks threaten free expression and non-discrimination, which are the founding principles of the Internet.

“Recognising the content of the wikileaks.org website is the subject of concern to a variety of individuals and nations, we nevertheless believe it must be subject to the same laws and policies of availability as all Internet sites,” said the Internet Society in a statement. “Free expression should not be restricted by governmental or private controls over computer hardware or software, telecommunications infrastructure, or other essential components of the Internet.”

ISOC said the continued availability of WikiLeaks shows the resilience of the Internet, and demonstrated that EveryDNS’ removal of a domain listing is an ineffective tool to suppress communication, merely serving to “undermine the integrity of the global Internet and its operation”.

“Unless and until appropriate laws are brought to bear to take the wikileaks.org domain down legally, technical solutions should be sought to re-establish its proper presence, and appropriate actions taken to pursue and prosecute entities (if any) that acted maliciously to take it off the air,” it said.

Operation Payback

Amid all the controversy, it was reported yesterday that the ‘Anonymous’ group of hackers are targeting companies perceived to be anti-WikiLeaks – such as PayPal and the Swiss bank PostFinance, which froze assets belonging to Julian Assange.

The group has an ongoing “Operation Payback” campaign against “anti-piracy groups” and have targeted Motion Picture Association of America and the Recording Industry Association of America in the past, as well as the UK’s Intellectual Property Office.

According to security firm Imperva, supporters of the WikiLeaks campaign are knowingly infecting their machines to enable themselves to become part of the DDoS botnet.

“Operation Payback’s goal is not hacking for profit. In the classical external hacker case we see hackers grab information from wherever they can and monetise on it. In this case though, the hackers’ goal is to cripple a service, disrupt services, protest their cause and cause humiliation,” said Noa Bar Yosef, Senior Security Startegist at Imperva.

“The Operation Payback is recruiting people from within their own network. They are actually asking supporters to download the piece of code, the DDoSing malware itself that upon wake-up call the computer engages in the DoS. There is no victimised machine as the participants knowingly engage in what they call an act of defiance.”

Anonymous itself is now also suffering a DDoS attack for supporting the whistleblowing site.

Categories
News Search Engines Security

Jeremy Hunt To Press Google On Copyright

 by David Jamieson

The culture secretary wants a new front in the war on online copyright infringement with the help of Google

The government is set to press Google to start pulling its weight in the fight against online piracy this week.

The call for more to be done will come in a speech from secretary of state for culture, media and sport Jeremy Hunt in Cambridge tomorrow, reports the Financial Times.

Hunt is expected to tell the Royal Television Society that search engines, advertisers and credit card companies should go further to “make life more difficult” for online pirates.

According to reports, if a court deems a site to be unlawful the government wants search engines to push it down the rankings to stifle traffic and at the same time cut off advertising or payment revenues to make the site economically unviable.

In the absence of an industry-led solution the government is apparently prepared to use the upcoming Communications Bill to legislate on the issue. The government has previously demanded that ISPs cut off pirate sites and users who infringe copyright, but this has been challenged in court by BT and TalkTalk – and ISPs have proposed an independent watchdog with the power to blacklist sites.

Equal rights

Hunt (pictured) will reportedly say that online businesses deserve the same legal protection and rights as offline, physical ones.

“We do not allow certain products to be sold in the shops on the high street, nor do we allow shops to be set up purely to sell counterfeited products. Neither should we tolerate it online,” the Financial Times expects him to say.

“The government has no business protecting old models or helping industries that have failed to move with the times. But those new models will never be able to prosper if they have to compete with free alternatives based on the illegal distribution of copyrighted material.”

The government has promised to table the new Communications Bill this parliament.

Pressuring search engines rather than ISPs over copyrighted content is a new approach for the government and opens up another front in the war against illegal content.

In July, Hollywood finally won a protracted legal bid to compel BT to block access to file-sharing site Newzbin which linked to copyright content around the Internet.

The ruling prompted fears from digital rights activists over the precedent set for other Internet service providers, potentially paving the way for further website blocking.

The Daily Telegraph reports that Google claims it already deals with requests from copyright holders within four hours.

In the US, the Departmebnt of Justice has fined Google £300 million for displaying adverts from Canadian online pharmacies, for products which it is illegal to sell in the US. Investors have sued the search giant over the incident.

Categories
Infrastructure News Security

IPv6 Traffic Remains Minuscule

 by Fahmida Y Rashid

Despite growing interest in IPv6, the traffic over the protocol remains less than 1 percent of overall online traffic, Arbor Networks has found

Even though the number of available IPv4 addresses are dwindling faster than expected, the move to IPv6 remains sluggish, according to a recent study from Arbor Networks.

In a study of native IPv6 traffic volumes across multiple large carriers, IPv6 adoption remains minuscule as a result of technical and design challenges, no economic incentives, and a dearth of IPv6 content, according to the Arbor Networks study released on 19 April. During the six-month study period, Arbor Networks researchers found that traffic over IPv4 networks grew by an average of 40 percent to 60 percent while IPv6 traffic actually decreased by an average of 12 percent proportionately because it was not growing fast enough in comparison to IPv4 traffic.

Rising IPv6 traffic

“Despite 15 years of IPv6 standards development, vendor releases and advocacy, only a small fraction of the Internet has adopted IPv6,” said Arbor Networks chief scientist Craig Labovitz.

While actual IPv6 traffic volumes have gone up, it has shrunk as a percentage of all Internet traffic, to a mere 0.25 percent of all net traffic, Labovitz said. The top IPv6 applications are largely peer-to-peer applications such as BitTorrent, accounting for 61 percent of traffic. In comparison, peer-to-peer networks account for 8 percent of IPv4-based traffic. Web traffic makes up the second largest block of traffic on both IPv4 and IPv6 networks, but the differences are still striking. HTTP traffic accounts for 19 percent of IPv4 traffic, compared to a mere 4.6 percent over IPv6.

Online video, such as Netflix, YouTube and web video, accounted for a little less than half of IPv4 traffic, but they didn’t even make a dent over IPv6. It’s ironic considering Netflix is one of the few major companies with an IPv6-accessible website.

Users and businesses that are interested in migrating, but stymied by their ISP’s lack of IPv6 offerings, can use tunnels to get IPv6 connectivity. Arbor examined the total IPv6 traffic over a specific 24-hour period in February and found over 250,000 such tunnels. More than 90 percent of the tunnels belonged to five major tunnel brokers, including Hurricane Electric, Anycast and Microsoft’s Teredo service.

The Arbor research highlighted the fact that most companies and ISPs are way behind in their transition plans to move their networking infrastructure to the newer address space. This is worrying in light of the fact that the remaining IPv4 addresses are running out faster than predicted.

ICANN (Internet Corporation for Assigned Names and Numbers) allocated the last blocks of IPv4 addresses to the five regional internet registries in a public ceremony on 3 February.

While existing sites will continue working just fine even when the last IPv4 address has been assigned, any organisations wanting to expand or add new capabilities will be unable to without transitioning their network infrastructure to IPv6.

IPv4 exhaustion

In fact, that’s more or less the case for Asia-Pacific businesses. The Asia Pacific Network Information Centre, the RIR responsible for assigning IP addresses to the region, announced the release of its last available batch of IPv4 addresses on 15 April. While analysts had predicted APNIC would run out of the IP address blocks first, the predictions had estimated the supply would last till the summer.

“Considering the ongoing demand for IP addresses, this date effectively represents IPv4 exhaustion for many of the current operators in the Asia Pacific region,” said APNIC director general Paul Wilson.

APNIC have placed the remaining IPv4 addresses under limited distribution. “From this day onwards, IPv6 is mandatory for building new Internet networks and services,” Wilson said.

Asia-Pacific is well on the way to become the first “IPv6-enabled region”, but businesses need to begin the migration if they haven’t already done so in order to “remain viable”, according to Wilson.

The American Registry for Internet Numbers received 253 requests for IPv6 address blocks from internet service providers in the first quarter of 2011, compared to 134 requests in the last quarter of 2010. It’s not just ISPs talking about IPv6, as ARIN also received 247 end-user requests for IPv6 address space in the first quarter 2011, compared to 103 requests in first quarter 2010. ARIN received a total of 434 requests from ISPs in 2010, and expects requests to exceed that in 2011.

The upcoming “World IPv6 Day” on 8 June marks “a major milestone in the Internet’s evolution”, Labovitz said, because it will force businesses and ISPs to stress test the global network infrastructure. “Will the flood of IPv6 traffic result in network failures? As an industry, we’re not sure,” Labovitz concluded.

Categories
News Security

Facebook’s Zuckerberg Questions Privacy Expectations

  • January 11, 2010
  • By Tom Jowitt

Privacy is no longer a social norm, according to the founder of Facebook, Mark Zuckerberg commenting on the rise of social networking

Mark Zuckerberg, the founder and chief executive of Facebook has said that people no longer have an expectation of privacy thanks to increasing uptake of social networking.

Speaking at the Crunchie Awards in San Francisco this weekend, the 25 year-old web entrepreneur said: “People have really gotten comfortable not only sharing more information and different kinds but more openly and with more people.”

Zuckerberg went on to add that the rise of social media reflects the changing attitudes among the general public, saying that this radical change has happened in the space of five years.

“When I got started in my dorm room at Harvard, the question a lot of people asked was, ‘why would I want to put any information on the Internet at all? Why would I want to have a website?’,” he said.

“And then in the last 5 or 6 years, blogging has taken off in a huge way and all these different services that have people sharing all this information,” he said.

Facebook is estimated to have over 100 million users in the United States alone, and more than 350 million users worldwide. Zuckerberg’s comments come after the social networking giant recently decided to (somewhat controversially) change the privacy settings of all its users.

In December, Facebook launched a number of new tools which enabled users to control who sees what content on their account, as well as a Transition Tool and simplified privacy settings.

The issue of privacy is a vexed one, especially in the United Kingdom where, late last year, the Home Office pledged to push ahead with controversial plans to monitor all Internet use. The Ministry is requiring communications firms to monitor all Internet use, and is asking them to retain information on how people use social networks such as Facebook.

Yet the dangers posed by people opening up online to the rest of the world is well know. Back in August, a survey sponsored by British insurance firm Legal & General found that users of social networking sites were giving away vital information about themselves and their whereabouts that was being used by professional burglars to establish a list of targets. The report, “The Digital Criminal,” found that 38 percent of users of sites such as Facebook and Twitter have posted status updates detailing their holiday plans and a third of people have posted status updates saying that they are away for the weekend.

Zuckerberg also said it was important for companies such as Faceook, to reflect the changing social norms in order to remain relevant and competitive.

“A lot of companies would be trapped by the conventions and their legacies of what they’ve built,” he said. “Doing a privacy change for 350 million users is not the kind of thing that a lot of companies would do.

“But we viewed that as a really important thing, to always keep a beginner’s mind and what would we do if we were starting the company now and we decided that these would be the social norms now and we just went for it.”

Photo credit: (CC) Brian Solis, www.briansolis.com / bub.blicio.us / CC-BY

Categories
News Security Wikileaks

Twitter Fights US Court Demands For WikiLeaks Details

 by Brian Prince

Twitter is fighting a US court’s demand, made in December, for details of WikiLeaks supporters

Micro-blogging site Twitter is opposing an order from a US court, to reveal the account details of supporters of WikiLeaks. Twitter has called on Facebook and Google to reveal whether they also received similar court orders.

As part of the US government’s investigation into WikiLeaks, a court ordered Twitter, in mid-December, to give details of accounts owned by supporters of the whistle-blower site. Twitter has protested against the subpoena and informed the individuals whose account information has  been requested, while raising the possibility that other social networking players have received similar orders.

Records required for criminal investigation

The US Department of Justice obtained a subpoena for the micro-blogging site on 14 December, requesting records going back to 1 November 2009, that are “relevant and material to an ongoing criminal investigation.” Among those targeted are WikiLeaks founder Julian Assange, Dutch hacker Rop Gonggrijp (whose name is misspelled in the subpoena) and Bradley Manning, the US Army intelligence analyst suspected of leaking documents to WikiLeaks.

Also named in the subpoena are computer programmer Jacob Appelbaum (identified by his Twitter username, ioerror) and former WikiLeaks volunteer and current Icelandic parliament member Birgitta Jónsdóttir (left), who wrote the following in a tweet: “just got this: Twitter has received legal process requesting information regarding your Twitter account in (relation to wikileaks).”

Jónsdóttir also tweeted that she plans to oppose the subpoena.

According to a copy of the court order published by Salon.com (PDF), the government is looking for a variety of information, including session times and mailing addresses.

“WikiLeaks strongly condemns this harassment of individuals by the US government,” WikiLeaks said in a statement relayed to Reuters by WikiLeaks attorney Mark Stephens.

The recent WikiLeaks controversy began when the site started publishing a trove of US diplomatic cables in late November. The release of the documents has touched off months of debate and prompted WikiLeaks supporters and opponents alike to air their differences with denial-of-service attacks while businesses such as PayPal cut ties with the whistle-blower site.

In December, Assange was arrested in the UK on charges of sexual assault originating in Sweden. He is currently out on bail.

In its statement, WikiLeaks reportedly said that some of the people named in the subpoena were key figures in helping WikiLeaks make public US military video of a 2007 airstrike that killed Iraqi civilians. WikiLeaks is instructing its lawyers to oppose the subpoena, and is calling on Facebook and Google to disclose whether they received similar subpoenas as well.

A federal judge unsealed the court order on 5 January after Twitter requested the right to inform the people being targeted.

In addition to obtaining the subpoena, it was also revealed that the US government has taken steps to protect people judged by officials to be in danger because of the document leak. On 7 January, US State Department spokesperson P.J. Crowley told the media the department has helped relocate “a handful of people” identified in the diplomatic documents out of concern for their safety. The CIA set up a WikiLeaks Task Force (WTF) in response to the leak.

WikiLeaks has denied putting any lives at risk, and the UN has supported its right to publish the leaked material on human rights grounds.

WikiLeaks publication of the US cables resulted ina war of denial of service (DoS) attacks, hitting both WikiLeaks itself , and the sites of financial institutions such as Mastercard, which withdrew facilities for WikiLeaks supporters to donate money to the whistleblower.

Categories
Goverment IT News Security

Europe Holds Cyber-Warfare Test

The Cyber Europe 2010 will simulate an attack designed to cut Europe’s nations off from one another

Europe’s cyber security experts are staging a simulated cyber-attack on critical services today, across several EU member states.

The “Cyber Europe 2010″ test will test Europe’s readiness for an attack which attempts to paralyse online services so internet connectivity is gradually lost between European countries. It follows the announcement of measures to strengthen and modernise the European Network and Information Security Agency (ENISA) to combat cyber warfare.

Testing links between states

Details of the exercise are being kept under wraps, but ENISA has been at pains to emphasise that this is not an operational test like the US Department of Homeland Security’s Cyber Storm, a series of week-long multi-million dollar tests of America’s attack-readiness.

“Our budget is in the order of hundred of Euros,” said an ENISA spokesman, adding that the test will not involve critical sectors, or industry and will not test response capabilities. Above all it will not carry the risk of a real network crash – it just tests how well agencies can share information.

By contrast, the US Cyber Storm III exercise, one month ago, was an operational exercise, which included industry and cost millions of dollars, the spokesman said.

During the exercise, through the day, one country after another will face fictitious access problems, and will co-operate on a response, testing their communications in the process. The exercise has been developed since November 2009, and will be followed by more complex scenarios, eventually going all the way to global tests.

“This exercise to test Europe’s preparedness against cyber threats is an important first step towards working together to combat potential online threats to essential infrastructure and ensuring citizens and businesses feel safe and secure online,” said Neelie Kroes, vice president of the European Commission for the Digital Agenda,
who is visiting the UK’s cyber-attack centre during the simulation exercise,

The exercise is based on fears that a denial of service attack by hackers could effectively put all major cross-country connections in Europeout of action, and make it difficult for businesses and citizens to access services such as eGovernment. In such an attack, the plan is to re-route communications.

Yesterday saw evidence that the fears are based on reality. The state of Myanmar (formerly Burma) was virtually cut off with a distributed denial of service (DDoS) attack. In the UK, Home Secretary Theresa May has promised increased support for cyber-warfare measures following warnings from the head of GCHQ that Britain faces “credible” cyber-attack threats.

Categories
Mobile & Wireless News Security

Serious Security Bugs Found In Android Kernel

An analysis of Google Android Froyo’s open-source kernel has uncovered 88 flaws that could expose users’ data

An analysis of the kernel used in Google’s Android smartphone software has turned up 88 high-risk security flaws that could be used to expose users’ personal information, security firm Coverity said in a report published on Tuesday.

The results, published in the 2010 edition of the Coverity Scan Open Source Integrity Report, are based on an analysis of the Froyo kernel used in HTC’s Droid Incredible handset.

Enterprise fears

The results arrive as Android is increasing its market share and increasingly being used in the enterprise.

While Android implementations vary from device to device, Coverity said the same flaws were likely to exist in other handsets as well. Coverity uncovered a total of 359 bugs, about one-quarter of which were classified as high-risk.

The report analysed a total of 61 million lines of open source code from 291 widely used projects, including Apache, Linux, PHP and Samba.

While Android’s density of bugs per thousand lines of code was lower than the average found in open source software overall, it was higher than that of the Linux kernel, according to Coverity. The company said some of the bugs appeared to be important enough to have been addressed before the code was released.

Fixes demanded

Coverity said it will hold off releasing the details of the flaws until January to allow Google and handset vendors to issue fixes. The flaws could be patched via an over-the-air update, Coverity said.

Canalys reported on Monday that Android now dominates the US smartphone market with a 44 percent share, up from 33 percent in the second quarter of this year.

While the deployment of Android on large numbers of handsets has allowed the software to claw market share away from competitors such as RIM, some have criticised Google’s “hands-off” approach for harming the quality of Android and its applications.

Categories
Goverment IT News Security

Most Consumers Support Government Cyber-Spying

Sixty-three percent of people believe that it is acceptable for their government to spy on another country’s computer systems

Nearly two thirds of computer users globally believe that it is acceptable for their country to spy on other nations by hacking or installing malware, according to Sophos’s mid-year 2010 Security Threat Report, with 23 percent claiming to support this action even during peace time.

One in 14 respondents to the survey claimed to believe that crippling denial of service (DDoS) attacks against another country’s communication or financial websites – like the one used to target Russian banks earlier this year – are acceptable during peace time. Nearly half said such an attack was only acceptable when two countries were at war, and 44 percent said it was never acceptable.

Graham Cluley

“I think there might be an attitude of all’s fair in love and war,” said Graham Cluley, senior technology consultant at Sophos, speaking to eWEEK Europe. “There’s always been one rule for your country and another rule for your citizens.

“But it goes one stage further when you begin to ask, is it all right to launch attacks against communication systems and financial systems?” he added. “You can image the chaos that would ensue if there were organised denial of service attacks on a regular basis, purely to give your country an economic advantage.”

All’s fair in love and war

Cluley believes the attitudes of respondents are largely down to an ingrained cynicism about the role of governments in war. Governments have always spied on each other, and “used every dirty trick in the book” to do so, said Cluley. “Why wouldn’t they use the Internet to do this as well? If it’s your country’s interests at heart, and if they’re protecting your country, then you might think, ‘I don’t really care what they do’.”

Perhaps more surprisingly, 32 percent of respondents to Sophos’s survey said that countries should also be allowed to plant malware and hack into private foreign companies in order to spy for economic advantage.

“It’s kind of curious, because these are the people that have got no time for hackers and the bad guys at all, but seem to think it’s all right for countries to do this,” said Cluley. “I think they need to remember that, one day, it might be a country attacking your company’s network, and trying to infiltrate it, and how are you going to feel about it then?”

Malware-hosting websites

The Security Threat Report also found that the US is still has the majority (42.29 percent) of malware-hosting websites. These are websites that have been set up with the intention of infecting visitors, or legitimate websites that have been compromised by hackers. The UK was sixth on the list, with 2.41 percent hosted in this country.

According to Cluley, many of these websites are legitimate ones that have been targeted by hackers. “Businesses could end up infecting their customers, leaving them open to fraud,” he warned. Some hackers also use aggressive search engine optimisation techniques to push infected websites to the top of search results.

This news could be of particular concern, in light of the fact that the UK government recently axed plans for an increase in funding to the Metropolitan Police’s cyber crime unit. With online fraud and other electronic crimes becoming increasingly commonplace, the Police Central e-crime Unit had been hoping for extra funding from the Home Office for training and equipment purposes. However the extra funding was cut as part of the coalition government’s £6 billion deficit reduction plans.

“There is concern that at the moment the cyber crime authorities are pretty pitifully funded for the level of crime that is going on,” said Cluley. “I think the one thing we can be sure of is that the cyber criminals aren’t cutting their investment in this kind of crime. We are seeing more attacks than ever before. We see 60,000 pieces of new malware every single day, which is simply staggering, but that’s the level of crime that we’re seeing. So companies need to keep on top of this problem.”

Categories
Mobile & Wireless News Security

iPad Breach Could Heavily Impact Privacy

The AT&T; security breach that exposed some Apple iPad owners’ email addresses could help attackers carry out “IMSI catching”

The security breach at AT&T that exposed the email addresses of a reported 114,000 owners of the iPad with Wi-Fi + 3G could potentially impact privacy more than was initially thought.

Two security researchers told eWEEK that the ICCIDs (integrated circuit card identifiers) of iPad owners could be used to determine their IMSIs (International Mobile Subscriber Identities). With an IMSI in hand, it would be easier for an attacker to potentially find the person in an area by using an IMSI catcher to scan for mobile devices.

“You can do this without knowing the IMSIs of people, but you won’t know which IMSI belongs to which user,” explained independent security researcher Nick DePetrillo. “There are other ways to determine that, but knowing ahead of time also helps, like in the case of the AT&T leak.”

ICCIDs provide a route in

A group going by the name Goatse Security told Gawker.com that it was able in the AT&T breach “to guess a large swath of ICCIDs by looking at known iPad 3G ICCIDs … which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad ‘Settings’ application,” said a Valleywag post by Ryan Tate.

Goatse Security used a script on AT&T’s website to obtain the email addresses. “When provided with an ICCID as part of an HTTP request, the script would return the associated email address,” Tate wrote.

While AT&T said in a statement late June 9 the only information that could be derived from the ICCIDs was the email address attached to a particular device, DePetrillo and Don Bailey, a security consultant at iSec Partners, said the iPad information could help attackers launch a technically difficult attack on information that flows on the non-3G data portions of the GSM network.

Through IMSI catching, an attacker could potentially intercept control messages or other data that might not be protected by the stronger encryption of the 3G data network. There is no known way to directly compromise or take control of a user’s iPad with this information, however.

“Most US GSM providers encode a unique portion of the International Mobile Subscriber Identity within the ICCID,” Bailey explained. “The IMSI is unique to each subscriber on the GSM network and is considered a protected value … Though the threat of IMSI catching is low, the attack can lead to a loss of personal privacy or an abuse of the victim’s mobile device.”

Complex, but worthwhile for an attacker

The technical difficulty of IMSI catching is currently high when trying to manipulate 3G data networks, but may be worthwhile for an attacker due to the high profile of individuals affected by the attack, he said. For now, the capability is limited to a handful of individuals, but anyone with a large enough budget can replicate the technique with varying success, he added.

“The equipment required to execute such an attack is decreasing,” Bailey said. “With the appropriate technical knowledge, an attacker can leverage equipment costing only a few thousand dollars to perform this attack within approximately a square mile of coverage. Traffic from handsets within that coverage area may be redirected through the IMSI catcher, which then may lead to a loss of privacy or an abuse of mobile handsets.”

Bailey suggested that the affected iPad owners consider requesting a new SIM (Subscriber Identity Module) card from AT&T.

DePetrillo said the iPad using 3G for data transfer has stronger encryption than just GSM voice, the typical target of IMSI catching. As a result, a man-in-the-middle attack using an advanced IMSI catcher won’t get user data in clear text. Still, the researcher said, there is a possibility that an attacker could intercept and manipulate any non-3G data.

“It really comes down to [the fact that] giving any advantages to the attacker, including just unique numbers with names, can help them and that’s never a good thing … For the average consumer, [this is] not that big a deal—the bigger deal is information leakage of your identity and that unique number from AT&T,” DePetrillo said.

Categories
News Security

Ofcom Lets Small ISPs Off Filesharing Laws

Ofcom plans to exempt small ISPs from the Digital Economy Act’s anti file-sharing measures

Internet Service Providers with less than 400,000 customers will be exempt from one of the most onerous sections of the Digital Economy Act, under proposals from Ofcom.

Ofcom has been working on a new code of practice for ISPs that have to deal with copyright infringement claims, under the terms of the controversial Digital Economy Bill, which was passed into law in early April, despite only two hours of debate in the Houses of Parliament. The bill requires ISPs to act against users who persistently infringe copyright by sharing files illegally.

Smaller ISPs Are Exempt

Under the new Ofcom proposals, ISPs with less than 400,000 subscribers will not have to issue warning letters to customers accused of illegally downloading content.

And it seems that mobile broadband operators will also be exempt, at least for now. Apart from anything else, mobile broadband is set up in a way which makes it much harder to track file-sharers according to several reports.

It is believed that there are currently only six to eight ISPs with more than 400,000 broadband customers in the UK market, and these large ISPs will be liable to follow the rules set down in the Act.

The reason why the large ISPs will have to toe the line, whilst the smaller operators can escape the regulations, is that most Ofcom agrees with the ISPs that they simply have not been given enough time to develop a code for something so complex.

“Due to the short timescales Ofcom has been working to, the Code will be instructional rather than setting out line-by-line what is required,” blogged Trefor Davies, Chief Technology Officer at ISP Timico. “For example, instead of dictating a standard approach for a CIR (Copyright Infringement Report), those affected will have to tell Ofcom how they will go about it and Ofcom will then approve it or recommend changes.”

But Large ISPs Have To Comply

But it seems that the large ISPs such as TalkTalk, BT, Virgin Media, will have to compile for now, despite opposition from the ISP community.

Late last year, Virgin Media revealed that it was already trialling a tool that could monitor illegal file-sharing over the Internet, although the European Commission said it would investigate the legality of the software.

The first draft of Ofcom’s code is expected to be published in the following few weeks, with a further statement to come in September. The code must then be submitted to the European Commission for approval.

Once it has been given the EC blessing, Ofcom will have to update the Secretary of State with quarterly reports detailing the levels of illegal file-sharing in the UK, as well as the extent of legal action by copyright owners.