Revelations about PRISM, a US government
program that harvests data on the Internet, has sparked concerns about
privacy and civil rights violations. But has there ever been real
privacy and security on the WWW?
IMAGINE a time before
email, when all your correspondence was sent through the post. How would
you feel if you knew that somebody at the post office was recording the
details of all the people you were corresponding with, “just in case”
you did something wrong?
I think quite a few of you would be upset about it.
Similarly,
some Americans are furious over revelations made about a system called
PRISM. In the last few weeks, an allegation has been made that the US
government is harvesting data on the Internet by copying what travels
through some of its Internet Service Providers.
The US Director
of National Intelligence has said that PRISM “is not an undisclosed
collection or data mining program”, but its detractors are not convinced
that this doesn’t mean no such program exists.
I think there are mainly two kinds of responses to this revelation: “Oh my God!” and “What took them so long?”.
The
Internet has never really been secure. Because your data usually has to
travel via systems owned by other people, you are at their mercy as to
what they do with it. The indications are that this is already being
done elsewhere.
Countries such as China, India, Russia, Sweden
and the United Kingdom allegedly already run similar tracking projects
on telecommunications and the Internet, mostly modelled on the US
National Security Agency’s (unconfirmed) call monitoring programme. For
discussion, I’ll limit myself for the moment to just emails – something
that most people would recognise as being private and personal.
I
find many people are surprised when I tell them that sending email over
the Internet is a little bit like sending your message on a postcard.
Just because you need a password to access it, doesn’t mean it’s secure
during transmission.
The analogy would be that your mailbox is
locked so only you can open it, but those carrying the postcard can read
it before it reaches its final destination. Of course, there are ways
to mitigate this. One has to be careful about what one put in emails in
the first place. Don’t send anything that would be disastrous if it were
forwarded to someone else without your permission.
You could
also encrypt your email, so only the receiver with the correct password
or key could read it, but this is difficult for most end users to do.
(For those interested in encrypting emails, I would recommend looking at
a product called PGP.)
The analogy holds up for other Internet
traffic. It’s easy to monitor, given enough money and time. And as easy
as it is for the Good Guys to try to monitor the Bad Guys, it’s just as
easy for the Bad Guys to monitor us hapless members of the public.
But
who do we mean by the Bad Guys? Specifically, should the government and
law-enforcement agencies be categorised as ‘Bad Guys’ for purposes of
privacy? Generally, the line oft quoted is “if you have nothing to hide,
then you have nothing to worry about”.
Yet, I think we all
accept that there should be a fundamental right to privacy, for
everybody from anybody. An interesting corollary to being able to
express your thoughts freely is that you should also be able to decide
when and how you make them public.
The fault in relying on
organisations that say “trust us” isn’t in the spirit of their
objectives, but in how the humans in them are flawed in character and
action.
An example quoted regularly at the moment is how the FBI
collected information about Martin Luther King because they considered
him the “most dangerous and effective Negro leader in the country”.
One
way of defining the boundaries are by codifying them in laws. For
example, the Malaysian Personal Data Protection Act prohibits companies
from sharing personal data with third parties without the original
owner’s consent.
However, this law explicitly does not apply to
the federal and state governments of Malaysia. Another clause indicates
that consent is not necessary if it is for the purpose of
“administration of justice”, or for the “exercise of any functions
conferred on any person by or under any law”.
In relation to the
revelations of PRISM, several questions come to mind: Can Internet
traffic (or a subset of it) be considered “personal data”? Is it
possible for government agencies to collect and store such data without
your consent?
And if so, what safeguards are there to ensure that
this personal data is accurate, is used correctly and is relevant for
storage in the first place?
This should be a sharp point of
debate, not just in terms of which of our secrets the government can be
privy to, but also of which of the government’s information should be
readily accessible by us.
True, there is so much data out there
that analysing it is not a trivial task. However, companies such as
Google are doing exactly that kind of work on large volumes of
unstructured data so that you can search for cute kittens. The
technology is already on its way.
Perhaps I am being
over-cautious, but it seems a bit fantastical that people can know your
deepest and darkest secrets by just monitoring a sequence of 1’s and
0’s. But, to quote science fiction author Phillip K. Dick, “It’s strange
how paranoia can link up with reality now and then”.
> Logic
is the antithesis of emotion but mathematician-turned-scriptwriter Dzof
Azmi’s theory is that people need both to make sense of life’s vagaries
and contradictions. Speak to him at star2@thestar.com.my.
Related post:
US Spy Snowden Says U.S. Hacking China Since 2009
Share This
Showing posts with label Federal Bureau of Investigation. Show all posts
Showing posts with label Federal Bureau of Investigation. Show all posts
Sunday, June 23, 2013
Monday, June 17, 2013
Upset over US cyber spying!
There are increasingly strong reactions to revelations that United
States agencies are spying on Internet use by Americans and foreigners
as well as planning cyber actions on foreign targets.
Weekend News Round-up: US cyber spying whistle-blower revealed; is Snapchat worth US$1bn?
THE revelations of data collection on a massive scale by the United States’ security agencies of details of telephone calls and Internet use of its citizens and foreigners are having reverberations around the world.
Much of the responses have been on the potential invasion of privacy of individuals not only in the United States but anywhere in the world who use US-based Internet servers.
Also revealed is a US presidential directive to security agencies to draw up a list of potential overseas targets for US cyber-attacks.
This lays the Unites States open to charges of double standards and hypocrisy: accusing other countries of engaging in Internet snooping or hacking and cyber warfare, when it has itself established the systems to do both on a mega scale.
The revelations, published in the Guardian and Wall Street Journal, and based on a leak by a former US intelligence official, include that US security agencies have access to telephone data of Verizon Communications, AT&T and Sprint Nextel, as well as from credit card transactions.
They also can access data from major Internet companies – Google, Yahoo, Microsoft, Facebook, AOL, Apple, PalTalk, Skype and YouTube—under the Prism surveillance programme.
Millions of Internet users around the world use the servers or web-based services of the companies mentioned.
Two American citizen groups, the American Civil Liberties Union (ACLU) and the New York Civil Liberties Union, have filed a lawsuit against the US administration.
“Those programmes constitute unreasonable intrusions into American’s private lives that’s protected by the Fourth Amendment (on search and seizure),” said Brett Kaufman of the ACLU, as quoted by IPS news agency.
Governments and people outside the United States are equally upset, or more so, that they apparently are also covered by the massive US surveillance programme.
The European Union’s commissioner of justice Viviane Reding has written to the US attorney general asking if European citizens’ personal information had been part of the intelligence gathering, and what avenues are available for Europeans to find out if they had been spied on.
In China, commentators and opinion makers are citing double standards on the part of the United States.
An article in the China Daily commented that the massive US global surveillance programme as revealed is certain to stain Washington’s overseas image and test developing China-US ties.
An editorial in another Chinese paper, Global Daily, stated: “China needs to seek an explanation from Washington.
“We are not bystanders. The issue of whether the United States as an Internet superpower has abused its powers touches on our vital interests directly.”
In their summit last week in California, United States President Barack Obama reportedly pressed Chinese President Xi Jinpeng to curb cyber-spying by Chinese agencies and companies.
The breaking news about the United States snooping on Internet users must have caused some discomfort to Obama when bringing up this issue.
A Chinese Foreign Ministry spokesperson last week reiterated that “China is also a victim to the most sophisticated cyber hacking”.
Though less publicised, a part of the leaks published in the Guardian, was a 18-page directive from President Obama to his security and intelligence officials to draw up a list of potential overseas targets for US cyber-attacks.
The October 2012 directive states that what it calls Offensive Cyber Effects Operations (OCEO) “can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging”, according to the June 7 Guardian article by Glenn Greenwald and Ewen MacAskill.
The directive says the government will “identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power”.
The aim of the document was “to put in place tools and a framework to enable government to make decisions” on cyber actions, a senior administration official told the Guardian.
Obama’s move to establish a potentially aggressive cyber warfare doctrine will heighten fears over the increasing militarisation of the Internet, comments the Guardian article.
It adds that the United States is understood to have already participated in at least one major cyber attack, the use of the Stuxnet computer worm targeted on Iranian uranium enrichment centrifuges, the legality of which has been the subject of controversy.
In the presidential directive, the criteria for offensive cyber operations in the directive is not limited to retaliatory action but vaguely framed as advancing “US national objectives around the world”.
Obama further authorised the use of offensive cyber attacks in foreign nations without their government’s consent whenever “US national interests and equities” require such non-consensual attacks. It expressly reserves the right to use cyber tactics as part of what it calls “anticipatory action taken against imminent threats”.
The Guardian commented: “The revelation that the US is preparing a specific target list for offensive cyber-action is likely to reignite previously raised concerns of security researchers and academics, several of whom have warned that large-scale cyber operations could easily escalate into full-scale military conflict.”
Meanwhile, UN Human Rights Council’s Special Rapporteur Frank La Rue issued a report on June 4 on the increasing use of surveillance, warning that unfettered state access to surveillance technologies could compromise human rights to privacy and freedom of expression, as protected by the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights (ICCPR).
The report warned too against the use of “an amorphous concept of national security” as a reason to invade people’s rights to privacy and freedom of expression, arguing that such an invasion potentially “threatens the foundations of a democratic society”.
Related posts:
US Spy Snowden Says U.S. Hacking China Since 2009
New China-US relationship can avoid past traps
Xi-Obama summit aims to boost ties, aspirations between China and USA
Weekend News Round-up: US cyber spying whistle-blower revealed; is Snapchat worth US$1bn?
THE revelations of data collection on a massive scale by the United States’ security agencies of details of telephone calls and Internet use of its citizens and foreigners are having reverberations around the world.
Much of the responses have been on the potential invasion of privacy of individuals not only in the United States but anywhere in the world who use US-based Internet servers.
Also revealed is a US presidential directive to security agencies to draw up a list of potential overseas targets for US cyber-attacks.
This lays the Unites States open to charges of double standards and hypocrisy: accusing other countries of engaging in Internet snooping or hacking and cyber warfare, when it has itself established the systems to do both on a mega scale.
The revelations, published in the Guardian and Wall Street Journal, and based on a leak by a former US intelligence official, include that US security agencies have access to telephone data of Verizon Communications, AT&T and Sprint Nextel, as well as from credit card transactions.
They also can access data from major Internet companies – Google, Yahoo, Microsoft, Facebook, AOL, Apple, PalTalk, Skype and YouTube—under the Prism surveillance programme.
Millions of Internet users around the world use the servers or web-based services of the companies mentioned.
Two American citizen groups, the American Civil Liberties Union (ACLU) and the New York Civil Liberties Union, have filed a lawsuit against the US administration.
“Those programmes constitute unreasonable intrusions into American’s private lives that’s protected by the Fourth Amendment (on search and seizure),” said Brett Kaufman of the ACLU, as quoted by IPS news agency.
Governments and people outside the United States are equally upset, or more so, that they apparently are also covered by the massive US surveillance programme.
The European Union’s commissioner of justice Viviane Reding has written to the US attorney general asking if European citizens’ personal information had been part of the intelligence gathering, and what avenues are available for Europeans to find out if they had been spied on.
In China, commentators and opinion makers are citing double standards on the part of the United States.
An article in the China Daily commented that the massive US global surveillance programme as revealed is certain to stain Washington’s overseas image and test developing China-US ties.
An editorial in another Chinese paper, Global Daily, stated: “China needs to seek an explanation from Washington.
“We are not bystanders. The issue of whether the United States as an Internet superpower has abused its powers touches on our vital interests directly.”
In their summit last week in California, United States President Barack Obama reportedly pressed Chinese President Xi Jinpeng to curb cyber-spying by Chinese agencies and companies.
The breaking news about the United States snooping on Internet users must have caused some discomfort to Obama when bringing up this issue.
A Chinese Foreign Ministry spokesperson last week reiterated that “China is also a victim to the most sophisticated cyber hacking”.
Though less publicised, a part of the leaks published in the Guardian, was a 18-page directive from President Obama to his security and intelligence officials to draw up a list of potential overseas targets for US cyber-attacks.
The October 2012 directive states that what it calls Offensive Cyber Effects Operations (OCEO) “can offer unique and unconventional capabilities to advance US national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging”, according to the June 7 Guardian article by Glenn Greenwald and Ewen MacAskill.
The directive says the government will “identify potential targets of national importance where OCEO can offer a favorable balance of effectiveness and risk as compared with other instruments of national power”.
The aim of the document was “to put in place tools and a framework to enable government to make decisions” on cyber actions, a senior administration official told the Guardian.
Obama’s move to establish a potentially aggressive cyber warfare doctrine will heighten fears over the increasing militarisation of the Internet, comments the Guardian article.
It adds that the United States is understood to have already participated in at least one major cyber attack, the use of the Stuxnet computer worm targeted on Iranian uranium enrichment centrifuges, the legality of which has been the subject of controversy.
In the presidential directive, the criteria for offensive cyber operations in the directive is not limited to retaliatory action but vaguely framed as advancing “US national objectives around the world”.
Obama further authorised the use of offensive cyber attacks in foreign nations without their government’s consent whenever “US national interests and equities” require such non-consensual attacks. It expressly reserves the right to use cyber tactics as part of what it calls “anticipatory action taken against imminent threats”.
The Guardian commented: “The revelation that the US is preparing a specific target list for offensive cyber-action is likely to reignite previously raised concerns of security researchers and academics, several of whom have warned that large-scale cyber operations could easily escalate into full-scale military conflict.”
Meanwhile, UN Human Rights Council’s Special Rapporteur Frank La Rue issued a report on June 4 on the increasing use of surveillance, warning that unfettered state access to surveillance technologies could compromise human rights to privacy and freedom of expression, as protected by the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights (ICCPR).
The report warned too against the use of “an amorphous concept of national security” as a reason to invade people’s rights to privacy and freedom of expression, arguing that such an invasion potentially “threatens the foundations of a democratic society”.
Global Trends
By MARTIN KHOR
By MARTIN KHOR
Related posts:
US Spy Snowden Says U.S. Hacking China Since 2009
New China-US relationship can avoid past traps
Xi-Obama summit aims to boost ties, aspirations between China and USA
Sunday, June 16, 2013
US Spy Snowden Says U.S. Hacking China Since 2009
Support: Protesters shout slogans in support of former US spy Edward Snowden as march to the US consulate in Hong Kong
Video:
Director Robert Mueller says Edward Snowden has caused damage to national security.
http://www.dailymail.co.uk/ news/article-2341451/ Whistleblower-Edward-Snowden- smuggled-secrets-everyday- thumb-drive-banned-NSA- offices.html
Video:
Director Robert Mueller says Edward Snowden has caused damage to national security.
http://www.dailymail.co.uk/
That revelation was delivered by whistle-blower Edward Snowden, until recently a contractor for the National Security Agency. He emerged from hiding Wednesday to grant an interview to Hong Kong's South China Morning Post.
"We hack network backbones -- like huge Internet routers, basically -- that give us access to the communications of hundreds of thousands of computers without having to hack every single one," he told the Post.
According to NSA documents reviewed by the Post, which haven't been verified, targets of the NSA's Prism program have included computers in both mainland China and Hong Kong. People targeted included systems at Hong Kong's Chinese University, as well as government officials, businesses and students in the region. But the Post reported that the program didn't appear to target Chinese military systems.
[ Security standoff at recent U.S.-China summit: Read U.S.-Chinese Summit: 4 Information Security Takeaways. ]
According to Snowden, he learned of at least 61,000 such NSA hacking operations globally. The Post didn't specify whether those operations all allegedly occurred since 2009.
Why go public with the NSA's alleged hacking campaign? Snowden said he wanted to highlight "the hypocrisy of the U.S. government when it claims that it does not target civilian infrastructure, unlike its adversaries."
"Not only does it do so, but it is so afraid of this being known that it is willing to use any means, such as diplomatic intimidation, to prevent this information from becoming public," he said.
Snowden first arrived in Hong Kong May 20, and said that the choice of venue wasn't accidental. "People who think I made a mistake in picking Hong Kong as a location misunderstand my intentions. I am not here to hide from justice, I am here to reveal criminality," he said, noting that he planned to stay until "asked to leave." Noting that the U.S. government had already been "bullying" Hong Kong authorities into extraditing him, Snowden said that he would legally fight any such attempt.
How will Hong Kong handle Snowden's case? "We can't comment on individual cases," Hong Kong's chief executive, Leung Chun-ying, told Bloomberg Wednesday. "We'll handle the case according to our law."
Hong Kong is a special administrative region of China, and Beijing could influence the government's legal thinking. But when asked in a Thursday press conference if the Chinese government had received any requests from Washington related to Snowden's case, Hua Chunying, a spokeswoman for China's foreign ministry, said only: "We have no information to offer," reported The Hindu in India.
Snowden previously said he would prefer to "seek asylum in a country with shared values," and named Iceland. Asked to respond to a spokesman for Russian president Vladimir Putin recently saying that were Snowden to apply for asylum in his country, authorities would consider his request, Snowden replied: "My only comment is that I am glad there are governments that refuse to be intimidated by great power."
Snowden said he hadn't contacted his family since leaving the country, but feared for both their safety as well as his own. He also appeared disinclined to glorify what he'd done. "I'm neither traitor nor hero. I'm an American," he said. "I believe in freedom of expression. I acted in good faith but it is only right that the public form its own opinion."
How has China reacted to Snowden's revelations that the NSA is spying on the Chinese? Chinese foreign ministry spokewoman Hua said in a regular press conference Thursday that the government has been following the revelations of NSA monitoring detailed by Snowden, and she repeated calls from the Chinese government -- agreed to in principle at last week's U.S.-China summit in California -- to launch a cybersecurity working group to increase "dialogue, coordination and cooperation" between the two countries.
"We also think adoption of double standards," she said, "will bring no benefit to settlement of the relevant issue."
By Mathew J. Schwartz
IT finally has its security priorities right, our annual survey shows. Also in the new, all-digital Strategic Security issue of InformationWeek: Five counterintuitive insights on innovation from our recent CIO Summit.
Related posts:
New China-US relationship can avoid past traps
Xi-Obama summit aims to boost ties, aspirations between China and USA
Monday, June 11, 2012
Warning DNSChanger victims, check for malware!
Facebook joins Google in warning DNSChanger victims
Warnings follow decision to withdraw safety net on 9 July
Federal authorities will not seek a further extension to a DNSChanger safety net, meaning an estimated 360,00 security laggards will be unable to use the internet normally unless they clean up their systems before a 9 July deadline.
DNSChanger changed the domain name system (DNS) settings of compromised machines to point surfers to rogue servers – which hijacked web searches and redirected victims to dodgy websites as part of a long-running click-fraud and scareware distribution racket. The FBI dismantled the botnet's command-and-control infrastructure back in November, as part of Operation GhostClick.
Last week Facebook joined Google and ISPs in notifying DNSChanger victims that they were surfing the net using a compromised machine.
"The warnings are delivered using a 'DNS Firewall' technology called RPZ (for Response Policy Zones)," Paul Vixie, chairman and founder of Internet Systems Consortium, told El Reg. "This allows infected users (who are using the 'replacement' DNS servers) to hear different responses than uninfected users (who are using 'real' DNS servers). We can control how an infected user reaches certain websites by inserting rules into the RPZ," he added.
More information – along with clean-up advice – can be found on the DNS Changer Working Group website here. ®
By John Leyden • Get more from this author
Newscribe : get free news in real time
PC users urged to check for malware
The problem is that many PC users may not even know that their computers have been infected.
F-Secure Labs Malaysia security adviser Goh Su Gim explained that the United State Federal Bureau of Investigation (FBI) planned to shut down hacker-controlled servers that had been reprogrammed to prevent infected PCs from being suddenly disconnected, causing support-call chaos.
The servers, located in Estonia and the United States, will be deactivated on July 9 and PCs still infected with DNSChanger will not function normally as they will not be able to access these servers.
For more story in The Star Tue 14, June 2012
Thursday, November 10, 2011
Is Your Computer Infected by DNS Malware? Seven accused in $14 million click-hijacking scam
Tweet
Seven accused in $14 million click-hijacking scam
by Elinor Mills
The U.S. Department of Justice said today that it has uncovered a large, sophisticated Internet scam ring that netted $14 million by infecting millions of computers with malware designed to redirect their Web searches to sites that generated ad revenue.
Six people have been arrested in Estonia and a Russian is being sought on charges of wire fraud and computer intrusion, the FBI said. They are accused of infecting about 4 million computers in more than 100 countries--500,000 in the U.S. alone, including NASA--with malware called DNSChanger. The malware altered the Domain Name Server settings on the computers so they could be automatically redirected to rogue DNS servers and then on to specific Web sites.
In essence, the malware hijacked the computers when certain Web searches were done, redirecting them to sites that would pay them money when people visited or clicked on ads.
"When users of infected computers clicked on the link for the official Web site of iTunes, for example, they were instead taken to a Web site for a business unaffiliated with Apple Inc. that purported to sell Apple software," an FBI statement said.
In addition, the malware would redirect infected computers searching for Netflix to a business called "BudgetMatch" and searches or the IRS to H&R Block, according to the FBI.
Defendants also allegedly replaced legitimate ads on sites with ads that triggered payments to them. For instance, they are accused of replacing an American Express ad on the Wall Street Journal home page with an ad for "Fashion Girl LA," and an Internet Explorer 8 ad on Amazon.com with one for an e-mail marketing firm.
Computers became infected with DNSChanger when they visited certain Web sites or downloaded particular software to view videos online. In addition to altering the DNS server settings, the malware also prevented antivirus and operating systems from updating, according to officials.
The defendants allegedly created companies that masqueraded as legitimate advertising publisher networks. The operation began in 2007 and ended in October with the completion of the two-year FBI investigation called "Operation Ghost Click," the FBI alleges.
The rogue DNS servers used in the operation have been replaced with legitimate servers in the hopes that infected computers will still be able to access the Internet. Owners of infected computers will need to clean the malware off their machines. People can see if their computer is infected by typing in their DNS information on this FBI Web page.
The indictment filed in the U.S. District Court of New York was unsealed today.
Elinor Mills
Seven accused in $14 million click-hijacking scam
by Elinor Mills
The U.S. Department of Justice said today that it has uncovered a large, sophisticated Internet scam ring that netted $14 million by infecting millions of computers with malware designed to redirect their Web searches to sites that generated ad revenue.
Six people have been arrested in Estonia and a Russian is being sought on charges of wire fraud and computer intrusion, the FBI said. They are accused of infecting about 4 million computers in more than 100 countries--500,000 in the U.S. alone, including NASA--with malware called DNSChanger. The malware altered the Domain Name Server settings on the computers so they could be automatically redirected to rogue DNS servers and then on to specific Web sites.
In essence, the malware hijacked the computers when certain Web searches were done, redirecting them to sites that would pay them money when people visited or clicked on ads.
"When users of infected computers clicked on the link for the official Web site of iTunes, for example, they were instead taken to a Web site for a business unaffiliated with Apple Inc. that purported to sell Apple software," an FBI statement said.
In addition, the malware would redirect infected computers searching for Netflix to a business called "BudgetMatch" and searches or the IRS to H&R Block, according to the FBI.
Defendants also allegedly replaced legitimate ads on sites with ads that triggered payments to them. For instance, they are accused of replacing an American Express ad on the Wall Street Journal home page with an ad for "Fashion Girl LA," and an Internet Explorer 8 ad on Amazon.com with one for an e-mail marketing firm.
Computers became infected with DNSChanger when they visited certain Web sites or downloaded particular software to view videos online. In addition to altering the DNS server settings, the malware also prevented antivirus and operating systems from updating, according to officials.
The defendants allegedly created companies that masqueraded as legitimate advertising publisher networks. The operation began in 2007 and ended in October with the completion of the two-year FBI investigation called "Operation Ghost Click," the FBI alleges.
The rogue DNS servers used in the operation have been replaced with legitimate servers in the hopes that infected computers will still be able to access the Internet. Owners of infected computers will need to clean the malware off their machines. People can see if their computer is infected by typing in their DNS information on this FBI Web page.
The indictment filed in the U.S. District Court of New York was unsealed today.
Elinor Mills
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Newscribe : get free news in real time
Newscribe : get free news in real time
Subscribe to:
Posts (Atom)