News

Supreme Court Ruling Prompts FBI to Turn Off 3,000 Tracking Devices

Mar 8th, 2012 | By | Category: News
By Ariane de Vogue | ABC News

A Supreme Court decision has caused a “sea change” in law enforcement, prompting the FBI to turn off nearly 3,000 Global Positioning System (GPS) devices used to track suspects, according to the agency’s general counsel.

When the decision, U.S. v. Jones, was released at the end of January, agents were ordered to stop using GPS devices immediately and told to await guidance on retrieving the devices, FBI general counsel Andrew Weissmann said in a recent talk at a University of San Francisco conference. Weissmann said the court’s ruling lacked clarity and the agency needs new guidance or it risks having cases overturned.

The Jones case stemmed from the conviction of night club owner Antoine Jones on drug charges. Law enforcement had used a variety of techniques to link him to co-conspirators in the case, including information gathered from a GPS device that was placed on a Jeep primarily used by Jones. Law enforcement had no valid warrant to place the device on the car.

Justice Antonin Scalia, writing for a five-member majority, held that the installation and use of the device constituted a search under the Fourth Amendment based on trespass grounds. The ruling overturned Jones’ conviction.

“It is important to be clear about what occurred in this case,” Scalia wrote. “The government physically occupied private property for the purpose of obtaining information. We have no doubt that such a physical intrusion would have been considered a ‘search’ within the meaning of the Fourth Amendment.”

It was a narrow ruling only directly impacting those devices that were physically placed on vehicles.

Weissmann said it wasn’t Scalia’s majority opinion that caused such turmoil in the bureau, but a concurring opinion written by Justice Samuel Alito. Alito, whose opinion was joined by Justices Ruth Bader Ginsburg, Stephen Breyer and Elena Kagan, agreed with the Court’s conclusion in the case but wrote separately because his legal reasoning differed from the majority.

Alito focused not on the attachment of the device, but on the fact that law enforcement monitored Jones for about a month. Alito said “the use of longer-term GPS monitoring in investigations of most offenses impinges on expectations of privacy.” He also suggested that Scalia’s reliance on laws of trespass will “provide no protection” for surveillance accomplished without committing a trespass.

“For example,” Alito wrote, “suppose that the officers in the present case had followed respondent by surreptitiously activating a stolen vehicle detection system that came with the car when it was purchased?”

In his talk at a University of San Francisco Law Review Symposium, Weissmann suggested that Alito’s concurrence means that several members of the court are concerned with long-term surveillance by technologies beyond GPS systems and that the FBI needs new guidance in order to ensure that evidence does not get thrown out.

“I just can’t stress enough,” Weissmann said, “what a sea change that is perceived to be within the department.”

He said that after agents were told to turn off the devices, his office had to issue guidance on how some of the devices that had been used without a warrant could actually be retrieved. “We had to come up with guidance about [how] you could locate [the devices] without violating the law,” Weissmann said. “It wasn’t obvious that you could turn it back on to locate it because now you needed probable cause or reasonable suspicion to do that.”

Weissmann said the FBI is working on two memos for agents in the field. One seeks to give guidance about using GPS devices. A second one targets other technologies beyond the GPS, because, Weissmann said, “there is no reason to think this is just going to end with GPS.”

“I think the court did not wrestle with the problems their decision creates,” Weissmann said. “Usually the court tends to be more careful about cabining its decisions” and offering useful guidance. But in the Jones opinion, he said, the court didn’t offer much clarity or any bright line rules that would have been helpful to law enforcement.

“Guidance which consists of ‘two days might be good, 30 days is too long’ is not very helpful,” Weissmann said.

Catherine Crump, an attorney with the ACLU, welcomed the court’s ruling as a first step toward preserving privacy rights.

“Alito’s concurrence concerned the FBI because if tracking someone’s movements violates their privacy, that should be true no matter what technology the FBI uses,” says Crump. “The FBI now needs to give guidance to agents in the field, and the Alito decision raises serious questions about the constitutionality of other ways of tracking suspects.”

As for Antoine Jones, the man whose conviction was thrown out because of the ruling, the government has announced that it wants to retry Jones without using evidence obtained from the GPS device. The trial is expected to start in May.



‘Anonymous’ hackers target US security think tank

Dec 26th, 2011 | By | Category: News

By CASSANDRA VINOGRAD and RAMIT PLUSHNICK-MASTI

LONDON

The loose-knit hacking movement “Anonymous” claimed Sunday to have stolen thousands of credit card numbers and other personal information belonging to clients of U.S.-based security think tank Stratfor. One hacker said the goal was to pilfer funds from individuals’ accounts to give away as Christmas donations, and some victims confirmed unauthorized transactions linked to their credit cards.

Anonymous boasted of stealing Stratfor’s confidential client list, which includes entities ranging from Apple Inc. to the U.S. Air Force to the Miami Police Department, and mining it for more than 4,000 credit card numbers, passwords and home addresses.

Austin, Texas-based Stratfor provides political, economic and military analysis to help clients reduce risk, according to a description on its YouTube page. It charges subscribers for its reports and analysis, delivered through the web, emails and videos. The company’s main website was down, with a banner saying the “site is currently undergoing maintenance.”

Proprietary information about the companies and government agencies that subscribe to Stratfor’s newsletters did not appear to be at any significant risk, however, with the main threat posed to individual employees who had subscribed.

“Not so private and secret anymore?” Anonymous taunted in a message on Twitter, promising that the attack on Stratfor was just the beginning of a Christmas-inspired assault on a long list of targets.

Anonymous said the client list it had already posted was a small slice of the 200 gigabytes worth of plunder it stole from Stratfor and promised more leaks. It said it was able to get the credit card details in part because Stratfor didn’t bother encrypting them — an easy-to-avoid blunder which, if true, would be a major embarrassment for any security-related company.

Fred Burton, Stratfor’s vice president of intelligence, said the company had reported the intrusion to law enforcement and was working with them on the investigation.

Stratfor has protections in place meant to prevent such attacks, he said.

“But I think the hackers live in this kind of world where once they fixate on you or try to attack you it’s extraordinarily difficult to defend against,” Burton said.

Hours after publishing what it claimed was Stratfor’s client list, Anonymous tweeted a link to encrypted files online with names, phone numbers, emails, addresses and credit card account details.

“Not as many as you expected? Worry not, fellow pirates and robin hoods. These are just the ‘A’s,” read a message posted online that encouraged readers to download a file of the hacked information.

The attack is “just another in a massive string of breaches we’ve seen this year and in years past,” said Josh Shaul, chief technology officer of Application Security Inc., a New York-based provider of database security software.

Still, companies that shared secret information with Stratfor in order to obtain threat assessments might worry that the information is among the 200 gigabytes of data that Anonymous claims to have stolen, he said.

“If an attacker is walking away with that much email, there might be some very juicy bits of information that they have,” Shaul said.

Lt. Col. John Dorrian, public affairs officer for the Air Force, said that “for obvious reasons” the Air Force doesn’t discuss specific vulnerabilities, threats or responses to them.

“The Air Force will continue to monitor the situation and, as always, take appropriate action as necessary to protect Air Force networks and information,” he said in an email.

Miami Police Department spokesman Sgt. Freddie Cruz Jr. said that he could not confirm that the agency was a client of Stratfor, and he said he had not received any information about a security breach involving the police department.

Anonymous also linked to images online that it suggested were receipts for charitable donations made by the group manipulating the credit card data it stole.

“Thank you! Defense Intelligence Agency,” read the text above one image that appeared to show a transaction summary indicating that an agency employee’s information was used to donate $250 to a non-profit.

One receipt — to the American Red Cross — had Allen Barr’s name on it.

Barr, of Austin, Texas, recently retired from the Texas Department of Banking and said he discovered last Friday that a total of $700 had been spent from his account. Barr, who has spent more than a decade dealing with cybercrime at banks, said five transactions were made in total.

“It was all charities, the Red Cross, CARE, Save the Children. So when the credit card company called my wife she wasn’t sure whether I was just donating,” said Barr, who wasn’t aware until a reporter with the AP called that his information had been compromised when Stratfor’s computers were hacked.

“It made me feel terrible. It made my wife feel terrible. We had to close the account.”

Wishing everyone a “Merry LulzXMas” — a nod to its spinoff hacking group Lulz Security — Anonymous also posted a link on Twitter to a site containing the email, phone number and credit number of a U.S. Homeland Security employee.

The employee, Cody Sultenfuss, said he had no warning before his details were posted.

“They took money I did not have,” he told The Associated Press in a series of emails, which did not specify the amount taken. “I think ‘Why me?’ I am not rich.”

But the breach doesn’t necessarily pose a risk to owners of the credit cards. A card user who suspects fraudulent activity on his or her card can contact the credit card company to dispute the charge.

Stratfor said in an email to members that it had suspended its servers and email after learning that its website had been hacked.

“We have reason to believe that the names of our corporate subscribers have been posted on other web sites,” said the email, signed by Stratfor Chief Executive George Friedman and passed on to AP by subscribers. “We are diligently investigating the extent to which subscriber information may have been obtained.”

“Stratfor’s relationship with its members and, in particular, the confidentiality of their subscriber information, are very important to Stratfor and me,” Friedman wrote.

One member of the hacking group, who uses the handle AnonymousAbu on Twitter, claimed that more than 90,000 credit cards from law enforcement, the intelligence community and journalists — “corporate/exec accounts of people like Fox” News — had been hacked and used to “steal a million dollars” and make donations.

It was impossible to verify where credit card details were used. Fox News was not on the excerpted list of Stratfor members posted online, but other media organizations including MSNBC and Al-Jazeera English appeared in the file.

Anonymous warned it has “enough targets lined up to extend the fun fun fun of LulzXmas through the entire next week.”

The group has previously claimed responsibility for attacks on credit card companies Visa Inc. and MasterCard Inc., eBay Inc.’s PayPal, as well as other groups in the music industry and the Church of Scientology.

————————

Plushnick-Masti reported from Houston. Associated Press writers Jennifer Kay in Miami and Daniel Wagner in Washington, D.C. also contributed to this report.



Oil, gas and defence firms in Norway have been hit by a series of sophisticated hack attacks

Dec 21st, 2011 | By | Category: News

Hackers attack Norway’s businesses

Nov. 20, 2011 in National security

Oil, gas and defence firms in Norway have been hit by a series of sophisticated hack attacks.

Industrial secrets and information about contract negotiations had been stolen, said Norway’s National Security Agency (NSM).

It said 10 firms, and perhaps many more, had been targeted in the biggest wave of attacks to hit the country.

Norway is the latest in a growing list of nations that have lost secrets and intellectual property to cyber thieves.

The attackers won access to corporate networks using customised emails with viruses attached which did not trigger anti-malware detection systems.

Targeted attacks

The NSM said the email messages had been sent to specific named individuals in the target firms and had been carefully crafted to look like they had come from legitimate sources.

Many of the virus-laden emails were sent while the companies were in the middle of negotiations over big contracts.

It said user names, passwords, industrial drawings, contracts and documents had been stolen and taken out of the country.

The NSM believes the attacks are the work of one group, based on its analysis of the methods used to target individuals, code inside the viruses and how the data was extracted.

The agency said it was publishing information about the attacks to serve as a warning and to encourage other targeted firms to come forward.

“This is the first time Norway has revealed extensive and wide computer espionage attacks,” the NSM said in a statement.

Singled out

It said it found out about the attacks when “vigilant users” told internal IT security staff, who then informed the agency.

However, the NSM said, it was likely that many of the companies that had been hit did not know that hackers had penetrated their systems and stolen documents.

Security firms report that many other nations and industrial sectors have been targeted by data thieves in recent months.

The chemical industry, hi-tech firms and utilities appear to have been singled out.

(BBC News)



DHS Discloses Privacy Protection Hides Spying

Dec 20th, 2011 | By | Category: News

[Federal Register Volume 76, Number 244 (Tuesday, December 20, 2011)]
[Notices]
[Pages 78934-78935]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-32483]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

Office of the Secretary

Published Privacy Impact Assessments on the Web

AGENCY: Privacy Office, DHS.

ACTION: Notice of Publication of Privacy Impact Assessments (PIA).

-----------------------------------------------------------------------

SUMMARY: The Privacy Office of DHS is making available seven PIAs on
various programs and systems in DHS. These assessments were approved
and published on the Privacy Office's web site between September 1,
2011 and November 30, 2011.

DATES: The PIAs will be available on the DHS Web site until February
21, 2012, after which they may be obtained by contacting the DHS
Privacy Office (contact information below).

FOR FURTHER INFORMATION CONTACT: Mary Ellen Callahan, Chief Privacy
Officer, Department of Homeland Security, Washington, DC 20528, or
email: pia@hq.dhs.gov.

SUPPLEMENTARY INFORMATION: Between September 1, 2011 and November 30,
2011, the Chief Privacy Officer of the DHS approved and published seven
Privacy Impact Assessments (PIAs) on the DHS Privacy Office web site,
www.dhs.gov/privacy, under the link for ``Privacy Impact Assessments.''
These PIAs cover seven separate DHS programs. Below is a short summary
of those programs, indicating the DHS component responsible for the
system, and the date on which the PIA was approved. Additional
information can be found on the web site or by contacting the Privacy
Office.

    System: DHS/FEMA/PIA-018 Suspicious Activity Reporting (SAR).
    Component: Federal Emergency Management Agency (FEMA).
    Date of approval: September 9, 2011.
    FEMA, a component of DHS, manages a process for SAR. This process,
assigned to FEMA's Office of the Chief Security Officer, is designed to
collect, investigate, analyze, and report suspicious activities to the
Federal Bureau of Investigation's (FBI) Joint Terrorism Task Force,
Federal Protective Service, and/or other federal,
state, or local law enforcement authorities required to investigate and
respond to terrorist threats or hazards to homeland security. FEMA
conducted this PIA because this SAR process collects, maintains, and
uses PII.

    System: DHS/NPPD/US-VISIT/PIA-007(a) Biometric Interoperability Between
the U.S. Department of Homeland Security and the U.S. Department of Justice.
    Component: National Protection and Programs Directorate (NPPD) and
United States Visitor and Immigrant Status Indicator Technology (US-VISIT).
    Date of approval: September 16, 2011.
    In 2006, the US-VISIT Program of DHS and the Criminal Justice
Information Services Division of the FBI, Department of Justice (DOJ),
developed an interoperability project to support the sharing of
information among DHS, DOJ, and their respective stakeholders. This PIA
update was conducted to reflect the expansion of DHS-DOJ
interoperability to include new users and uses not covered. In
addition, this PIA allows users to access more data in IDENT.

    System: DHS/ICE/PIA-031 Alien Medical Tracking Systems.
    Component: Immigration and Customs Enforcement (ICE).
    Date of approval: September 26, 2011.
    ICE provides medical care to and maintains medical records about
aliens that ICE detains for violations of U.S. immigration law. The ICE
Health Service Corps, a division of ICE's Office of Enforcement and
Removal Operations, has several information technology systems that are
used to track information from medical records for aliens in ICE
custody for various monitoring and reporting purposes. These are the
Social Services Database, Hospitalization Database, Significant
Detainee Illness Spreadsheet, Mental Health Coordination Database,
Epidemiology Database, and Performance Improvement Database. This PIA
describes the data maintained in these medical tracking systems, the
purposes for which this information is collected and used, and the
safeguards ICE has implemented to mitigate privacy and security risks
to PII stored in these systems.

    System: DHS/ICE/PIA-004(a) ICE Pattern Analysis and Information
Collection (ICEPIC) Update.
    Component: ICE.
    Date of approval: October 26, 2011.
    ICE has established a system called the ICEPIC system. ICEPIC is a
toolset that assists ICE law enforcement agents and analysts in
identifying suspect identities and discovering possible non-obvious
relationships among individuals and organizations that are indicative
of violations of the customs and immigration laws as well as possible
terrorist threats and plots. The PIA for ICEPIC was published in
January 2008. This PIA Update was completed to provide transparency
related to the Law Enforcement Information Sharing Service (LEIS) that
enables law enforcement agencies outside DHS to query certain information
available through ICEPIC. Additionally, through LEIS DHS law
enforcement personnel are able to query external law enforcement
agencies' sensitive but unclassified law enforcement information.

    System: DHS/ICE/PIA-015(c) Enforcement Integrated Database Update.
    Component: ICE.
    Date of approval: November 7, 2011.
    The Enforcement Integrated Database (EID) is a DHS shared common
database repository for several DHS law enforcement and homeland
security applications. EID captures and maintains information related
to the investigation, arrest, booking, detention, and removal of
persons encountered during immigration and criminal law enforcement
investigations and operations conducted by ICE, U.S. Customs and Border
Protection, and U.S. Citizenship and Immigration Services, all
components within DHS. The PIA for EID was published in January 2010.
In July 2010, a PIA Update for EID was published to address an
expansion of the information entered into EID and the scope of external
information sharing. This EID PIA Update addresses planned changes to
the types of information shared and an added method of sharing.

    System: DHS/S&T/PIA-006 Protected Repository for the Defense of
Infrastructure Against Cyber Threats (PREDICT).
    Component: Science and Technology.
    Date of approval: November 8, 2011.
    The S&T Directorate's PREDICT system has undergone a PIA 3-Year
Review. The PIA requires no changes and continues to accurately relate
to its stated mission. PREDICT is a repository of test datasets of
Internet traffic data that is made available to approved researchers
and managed by an outside contractor serving as the PREDICT
Coordination Center. The goal of PREDICT is to create a national
research and development resource to bridge the gap between (a) the
producers of security-relevant network operations data and (b)
technology developers and evaluators who can use this data to
accelerate the design, production, and evaluation of next-generation
cyber security solutions, including commercial products.

    System: DHS/ALL/PIA-013(a) PRISM System Update.
    Component: DHS.
    Date of approval: November 10, 2011.
    DHS Management Directorate, Office of the Chief Procurement Officer
is the owner of the PRISM contract writing management system. PRISM
provides comprehensive, Federal Acquisition Regulation-based
acquisition support for all DHS headquarters entities. The purpose of
this PIA update is to reflect changes to the collection of information,
and the addition of a classified PRISM system.

    Dated: December 12, 2011.
Mary Ellen Callahan,
Chief Privacy Officer, Department of Homeland Security.
[FR Doc. 2011-32483 Filed 12-19-11; 8:45 am]
BILLING CODE 9110-9L-P


Black Hat: System links your face to your Social Security number and other private things

Nov 24th, 2011 | By | Category: News

Black Hat presentation to show how photos, facial recognition and overlapping databases will lead to less privacy

By Tim Greene, Network World


Soon it will be practicable to take someone’s photo on a smartphone and within minutes know their Social Security number and a range of other private data like their personal interests, sexual preference and credit status, researchers will tell the Black Hat security conference this week.

The technique calls for linking faces of random individuals to images in databases that contain other information about them and using that information to project Social Security numbers, says Alessandro Acquisti, a professor at Carnegie Mellon University, who will present the research at the conference.

He says if he can arrange the logistics, he will demonstrate the technique at the show using an application on a smartphone that taps cloud-based databases and facial recognition software. He uses Social Security numbers as an example of what can be projected, but other information such as sexual orientation and credit ratings can also be inferred, he says.

The point, Acquisti says, is to show that a framework of digital surveillance that can go from a person’s image to personal data exists today and will only get better as technologies improve, making privacy more scarce and making surveillance readily available to the masses. “This, I believe and fear, is the future we are walking into,” he says.

He admits the method is far from foolproof, but that the individual pieces of technology are developing rapidly and could be ready for use in the real world in the foreseeable future. He is working on projections of how long it will take for the technologies involved to develop to the point of being reliable.

Acquisti bases his presentation on three pieces of research he and his team carried out. The first took the primary Facebook images that people posted to establish their identity. The team compared the Facebook images using PittPatt face-recognition software to identify other photos of the same person in another database, namely that of a popular dating service where people registered under phony names.

After the software made a match, actual people looked at the pictures to determine how accurate the matches were. They considered just PittPatt’s best guess for each photo.

The software correctly identified 1 in 10 dating site members, which the researchers say is pretty good considering the experiment used just one photo — the Facebook profile photo — to identify the person with the known identity.

Plus, they only considered PittPatt’s best guess. Had they considered the second and third best guesses, accuracy might improve as well, he says.

The second experiment photographed random college students and asked them to fill out a questionnaire. Meanwhile, the photo was compared to others in online databases to identify the students in real time and compile other photos of them.

The students checked the photos and found they were accurate about a third of the time.

The third experiment took the subjects’ Facebook profiles and, from inferences made from the profiles, predicted the first five digits of their Social Security numbers and their interests and activities.

The last part is an implementation of a Social Security number-predicting algorithm Acquisti presented at Black Hat two years ago. Based on when and where a person was born, the algorithm predicts the first five digits, which are based on location. It can then guess the remaining digits, but that could take 100 tries.


All contents copyright 1995-2011 Network World, Inc. http://www.networkworld.com




Facial recognition security, privacy issues grab FTC attention

Nov 24th, 2011 | By | Category: News

Facial recognition technology on the rise as governments increase use; Facebook, Microsoft implement it

By Michael Cooney, Network World

The Federal Trade Commission this week said it will hold a workshop that examines how the burgeoning use of facial recognition technology impacts privacy and security.

From the FTC: “Facial recognition technology has been adopted in a variety of new contexts, ranging from online social networks to digital signs and mobile apps. Its increased use has raised a variety of privacy concerns. The FTC workshop will gather consumer protection organizations, academics, business and industry representatives, privacy professionals, and others to examine the use of facial recognition technology and related privacy and security concerns.”

The agency said the workshop will look at many topics including:

The workshop will take place in Washington, DC on Dec. 8, 2011, and is free and open to the public.

Use of facial recognition technology is growing fast. One of its biggest pushes could come in the form of Microsoft’s Windows 8. Network World recently wrote that the software giant is building facial recognition technology into Windows 8, offering a more secure way to access your computer.

This month the U.K.’s largest airport, Heathrow, will install facial recognition scanners for international and domestic passengers to prevent illegal immigration in the country, the IDG News Service reported. The facial recognition technology comes from Aurora Computer Services, a U.K.-based company. It’s called the Aurora Image Recognition (AIR) system and uses a camera with an infrared flash, which the company says can function in either bright or low light. It can identify a person from about 3 feet away. The camera verifies a person’s identity using biometric details, identifying a person in 4.7 seconds, a time that includes properly positioning a passenger, according to Aurora.

The changing face of biometrics

And facial recognition technology has raised privacy concerns. Recently Connecticut Attorney General George Jepsen expressed concern that Facebook’s “Tag Suggestions” face recognition feature compromises consumer privacy, and asked for a meeting with company officials.

According to an IDG News Service story: In Facebook’s desire to promote photo sharing and tagging among its users, it appears to have overlooked a critical component of consumer privacy protection, which is an opt-in requiring users to affirmatively consent before Facebook can use those images, Jepsen wrote in a letter this week to Facebook’s director of public policy and its product and regulatory counsel. Jepsen joins European Union (EU) regulators and consumer advocacy groups that are questioning the feature on Facebook.

The Electronic Privacy Information Center and three other advocacy groups filed a complaint asking the U.S. Federal Trade Commission to require Facebook to get affirmative opt-in consent from users before collecting and using their biometric data.




Biometric: UID Glitch Hits Senior Citizens

Oct 27th, 2011 | By | Category: News

The bigger the privacy violation, the more progress it makes away from its real goals. Many senior citizens are facing difficulties as the biometric machines are unable to read their fingerprints.


Neelam Pandey, Hindustan Times
New Delhi, October 26, 2011

The government’s much-hyped scheme of issuing a unique identification number (UID) to citizens has hit a roadblock in Delhi. Many senior citizens are facing difficulties as the biometric machines are unable to read their fingerprints. Said an operator recording fingerprints in GK-I, “Due to old age, the lines on fingers virtually disappear and the machines are unable to register them. But we have been told to follow the rules.”

“I stood in the queue thrice, but the operator said my fingerprints were not being processed. They said they had to follow the guidelines and my form was rejected,” said GK-I resident ML Khetrapal.

Along with this, cameras used by officials are unable to read the irises of people who have had their cataracts removed. Delhi revenue minister AK Walia said, “We were not aware of this problem. We’ll take it up in our review meeting next week.”

A regional officer of the Unique Identification Authority of India said, “We’ve asked the agency implementing it (UID) to submit a report.”



ISRAEL: Justice Ministry cracks case of massive information theft

Oct 25th, 2011 | By | Category: News

By BEN HARTMAN AND JOANNA PARASZCZUK
10/25/2011 00:44

Government employee sells identification numbers, addresses and other details of 9 million Israelis.

Investigators from the Justice Ministry announced on Monday that they have cracked a massive information theft case, in which a former employee of the Ministry of Social Affairs and Social Services stole and copied the personal details of over nine million Israelis, and sold the data to a private buyer. The theft included the publication of detailed personal information on the millions of victims, including many minors, deceased persons and citizens living abroad. The information, which is accurate as of 2006, includes full names, ID numbers, addresses, dates of birth, family status, names of siblings and other information. It also includes an extensive search engine and allows the user to determine all of the extended family relations of any Israeli in the database.


The database could also represent a serious security threat in that it affords anyone who accesses it online the ability to look at the place of residence and next of kin of all types of people in the political and military echelon, whose personal data is otherwise classified.

At the moment there are six suspects involved, and the Tel Aviv Magistrate’s Court has placed a travel ban on all six, barring them from leaving the country.

The theft took place in 2006, when a contract worker hired by the Ministry of Social Affairs and Social Services made a copy of the database after taking it home from work. The employee, who was responsible for safeguarding the database, is then believed to have given a copy to a friend of his, who later passed it to a classmate from his Jerusalem yeshiva.

That classmate allegedly sold the data to a businessman who collects personal data databases for a rather nominal fee of a few thousand shekels. The businessman who bought the data then allegedly gave it to a programmer who built a program called “Agron 2006,” that included all of the stolen material.

Shortly thereafter, a different computer technician crossed paths with the database, and according to the Justice Ministry, uploaded it to the Internet, where it could be accessed in its entirety by anyone in the world.

The technician then allegedly launched a website with a step-by-step guide on how to download a copy of the database and how to use it. The technician, who operated under the name “aRi,” also found ways to mask the IP address of the computers he used and cover his tracks at nearly every turn, the ministry said.

In 2009, following a police investigation that yielded no results, the Law, Information and Technology Authority of the Justice Ministry began probing the case. Over the course of the investigation they compiled mountains of evidence from hard drives, hard discs and cloud-computing storage.

Altogether the investigation compiled six terabytes of data, roughly 6,000 gigabytes.

Investigators said they were particularly dismayed by the discovery that the former employee had a copy of the Ministry’s adoption database for the Jerusalem and Tel Aviv area. The database is considered one of the most sensitive in the country, and includes specific information on the parents of adopted children.

Investigators said they have found no evidence that the document was leaked. The investigation also reportedly turned up data related to national security, as well as voter-registration lists.

According to a statement by the Justice Ministry on Monday, the uploading of the database “will make it easier to carry out forgery and fraud, and provide the necessary information to carry out identity theft. It helps create fraudulent documents that appear authentic, therefore allowing people to bypass security systems. It could also have an effect on the democratic processes in elections, in that it makes it easier for someone to impersonate someone else in the voting booth.”

Following the Justice Ministry’s announcement regarding the population database leak, and ahead of Interior Ministry plans to pilot a biometric database next month, civil rights lawyers warned on Monday of “irreversible damage” should biometric data be leaked.

Leaked biometric data, including fingerprints, could greatly increase the risk of identity theft, according to civil rights lawyer Avner Pinchuk, head of the Association for Civil Rights in Israel’s Privacy and Information project.

“The leak of the population database is a warning to all citizens of Israel not to give their fingerprints to those who don’t know how to secure sensitive personal data,” said Pinchuk.

Pinchuk noted that the Interior Ministry admitted recently that any biometric data leakage could cause “irreparable damage” to citizens, while assuring the public it is capable of securing its planned biometric database.

“The ministry is conducting a misleading campaign to promote its biometric database pilot and for years has refrained from issuing quality ID cards that are impossible to fake so that it could ‘sell’ the public on the idea of a biometric database,” said Pinchuk. “But this database will only serve to greatly increase the risk of identity theft, just as experts have warned.”

Speaking to The Jerusalem Post from New York on Monday, CEO of the IT firm Green Armor Solutions Joseph Steinberg said that the theft should encourage efforts to create more stringent means of identification.

“One of the things I’ve been arguing for a long time is that any information that’s public, or not difficult for the public to obtain, shouldn’t be used to authenticate anyone,” said Steinberg. “The government is going to have to come up with more stringent means to prove someone’s identity. Having just your date of birth or ID number won’t be sufficient [in Israel] because now it’s common knowledge that anyone has access to this.”



The Dark Side Of Biometrics: 9 Million Israelis’ Hacked Info Hits The Web

Oct 24th, 2011 | By | Category: News

BY NEAL UNGERLEIDER Today

Biometrics are the next big thing in government and homeland security. But the recent theft of the personal information of 9 million Israelis living and dead–including the birth parents of adoptees and sensitive health information–could have big ramifications for foreign governments.

Every time a foreigner comes to the United States, their biometric data–fingerprints and photographs–are processed into a massive database called US-VISIT. The service prevents identity fraud and helps find criminals, and countries all over the world have adopted similar systems. Now Israel’s has been hacked, leading to the leak of personal information of nearly every single citizen there (even some dead ones) onto the Internet.

Authorities in the Middle Eastern country announced the arrest on Monday of a suspect responsible for the massive data theft. He’s a contract worker at the Israeli Welfare Ministry who was allegedly engaged in small-scale white collar crimes after-hours and who is accused of stealing Israel’s primary national biometric database in 2006. He had access to the database, which is part of the country’s population registry, through his office.

The stolen database contained the name, date of birth, national identification number, and family members of 9 million Israelis, living and dead. More alarmingly, the database contained information on the birth parents of hundreds of thousands of adopted Israelis–including children–and detailed health information on individual citizens.

Shortly after being fired from his job for unrelated offenses, the unnamed suspect began passing the database around to members of Israel’s surprisingly numerous Hasidic Jewish criminal underworld. According to the ultra-Orthodox Jewish Yeshiva World News, the stolen biometric database was passed around by six separate suspects, who made copies of the records in exchange for cash.

Identity theft and petty Internet crimes being what they are, the stolen biometric information quickly made its way online. One of the secondary suspects uploaded the whole of Israel’s biometric records database to the Internet under the name “Agron 2006.” A quick Google search reveals numerous torrents and uploaded copies of the database easily available for download.

According to Yoram Cohen of the Israeli Justice Ministry, “Any person who handles personal information and any citizen should lose sleep over the chain of information from the now exposed theft of the Population Registry information.”

There’s only one problem: Biometric databases are the future. The Indian government is building the world’s largest biometric database, which will handle the personal information of nearly 1 billion citizens and give millions easy access to health care and education. Many European Union members such as Germany and the Netherlands automatically include biometric information on passport RFID chips. Here in the United States, the FBI is building a billion-dollar biometric database that will give every single police department and sheriff’s office in the country instant access to millions of mugshots and fingerprints. While they might be scary and big brother-ish, biometric databases save massive amounts of taxpayer money and help streamline lumbering bureaucracies.

In the Israeli case, a valuable database was stolen through an inside job. Although the information was stolen by a white-collar criminal with an identity theft jones rather than by a hostile intelligence service or an enemy hacker, the end effect was the same.

The Federal Bureau of Investigation and the Department of Homeland Security have been less than forthcoming about efforts to secure the data contained in their respective biometric databases. However, a DHS privacy impact assessment conducted for the Coast Guard’s “Biometrics at Sea” program found numerous privacy concerns and weak spots that required additional security. Both the FBI and Homeland Security’s databases will retain decades’ worth of personal information, photographs, and fingerprints.

In the end, the government–and taxpayers–have chosen the efficiency and cost savings of biometric databases over the privacy and civil liberties concerns that experts have raised. But as the Israeli example shows, today’s biometric database could easily become tomorrow’s warez download.




Information Technology – Israel New Biometric ID database raises significant privacy concerns

Sep 22nd, 2011 | By | Category: News


Contributed by Pearl Cohen Zedek Latzer

 

September 20 2011

New regulations and orders introduced by the Ministers’ Committee for Biometric Applications have paved the way for a two-year trial period for the issuance of biometric identification documents (IDs). The Ministry of Home Affairs is in the process of making its final preparations and aims to start issuing the IDs shortly. The IDs will contain encoded fingerprints and a facial image, and will be stored in a national database. A campaign led by privacy activists against the controversial biometric database has thus far failed to yield a positive result.

In December 2009 the Israeli Parliament (the Knesset) enacted the Biometric Identifiers and Biometric Data Inclusion in Identification Documents and a Database Act.(1) The act is intended to tackle the large-scale loss and theft of identification cards and passports, which may then later be used by criminals or terrorists.

The Biometric Data Act is far reaching. Following a two-year trial period, every citizen will be compelled to provide two fingerprint samples and a facial photograph, to be digitally stored in a national database and on chips embedded in passports and national IDs (mandatory in Israel for citizens over the age of 16). The digital ID will also carry a certified electronic signature that can be used as a substitute for regular handwritten signatures in the execution of transactions.

The biometric database is not intended solely to manage the processing of ID and passports applications. It will also serve as a valuable source of information for law enforcement agencies, under the supervision of a new authority that has been established specifically for that purpose by the Ministry of Home Affairs.

The act as a whole (and the biometric database specifically) raises significant concerns. Privacy advocates have urged the Home Office to re-evaluate the potential grave risks to information security and privacy that the database poses – for example, the irreversibility of biometric data loss and the public’s general mistrust of the government’s ability to secure the database. A proposition to transform the database into a blurred set-base that would enhance security and privacy was recently offered by Professor Adi Shamir, a well-known cryptographer. However, despite backing from the Law Information and Technology Authority, the government eventually rejected Shamir’s proposition.

The new regulations under the Biometric Data Act include procedures for:

  • issuing a biometric ID;
  • taking fingerprints and facial images from applicants;
  • encrypting and securing the data; and
  • transferring data between authorities.(2)

A governmental order accompanies the regulations and sets specific rules for the two-year trial period.(3) During this period (starting in November 2011), biometric IDs will be issued to Israeli citizens, subject to their written and signed consent. At the end of the trial period, professional auditors will evaluate the extent of the trial’s success, under a set of pre-determined parameters and following feedback from applicants. Unless the Ministry of Home Affairs decides otherwise, in light of the trial’s results and public debate, the Biometric Data Act will come into full effect at the end of the trial period and all citizens will be obliged to provide their biometric data, which will be included in IDs and passports, and stored in the national database.

 

For further information on this topic please contact Haim Ravia or Dan Or-Hof at Pearl Cohen Zedek Latzer by telephone (+972 9 972 8000), fax (+972 9 972 8001) or email (haimr@pczlaw.com or dano@pczlaw.com).

Endnotes

(1) The full wording of the Biometric Data Act (in Hebrew) is available at http://law.co.il/media/computer-law/biometric_law.pdf.

(2) The full wording of the new regulations (in Hebrew) is available at http://law.co.il/media/computer-law/biometric_id_reg.pdf.

(3) The full wording of the governmental order (in Hebrew) is available at http://law.co.il/media/computer-law/biometric_id_decree.pdf.

 

 



Biometric: FTC takes aim at Facial Recognition security – privacy issues

Sep 20th, 2011 | By | Category: News


Michael Cooney, Layer 8

Facial recognition technology on the rise as governments increase use; Facebook, Microsoft implement it

By Layer 8 on Tue, 09/20/11 – 10:16am.

The Federal Trade Commission this week said it will hold a workshop that examines how burgeoning use of facial recognition technology impacts privacy and security.

From the FTC: “Facial recognition technology has been adopted in a variety of new contexts, ranging from online social networks to digital signs and mobile apps. Its increased use has raised a variety of privacy concerns. The FTC workshop will gather consumer protection organizations, academics, business and industry representatives, privacy professionals, and others to examine the use of facial recognition technology and related privacy and security concerns.”


The agency said the workshop will look at many topics including:

  • What are the current and future uses of facial recognition technology?
  • How can consumers benefit from the technology?
  • What are the privacy and security concerns surrounding the adoption of the technology; for example, have consumers consented to the collection and use of their images?
  • Are there special considerations for the use of this technology on or by children and teens?
  • What legal protections currently exist for consumers regarding the use of the technology, both in the United States and internationally?
  • What consumer protections should be provided?

The workshop will take place in Washington, DC on December 8, 2011, and is free and open to the public.

Use of face recognition technology is growing fast. One of its biggest pushes could come in the form of Microsoft’s Windows 8. Network World recently wrote that the software giant is building facial recognition technology into Windows 8, offering a more secure way to access your computer.

This month the U.K.’s largest airport, Heathrow, will install facial recognition scanners for international and domestic passengers to prevent illegal immigration in the country, the IDG News Service reported. The facial recognition technology comes from Aurora Computer Services, a U.K.-based company. It’s called the Aurora Image Recognition (AIR) system and uses a camera with an infrared flash, which the company says can function in either bright or low light. It can identify a person from about three feet away. The camera verifies a person’s identity using biometric details, identifying a person in 4.7 seconds, a time that includes properly positioning a passenger, according to Aurora.

And facial recognition technology has raised privacy concerns. Recently Connecticut Attorney General George Jepsen expressed concern that Facebook’s “Tag Suggestions” face recognition feature compromises consumer privacy, and asked for a meeting with company officials.

According to an IDG News Service story: In Facebook’s desire to promote photo sharing and tagging among its users, it appears to have overlooked a critical component of consumer privacy protection, which is an opt-in requiring users to affirmatively consent before Facebook can use those images, Jepsen wrote in a letter this week to Facebook’s director of public policy and its product and regulatory counsel. Jepsen joins European Union (EU) regulators and consumer advocacy groups that are questioning the feature on Facebook.

The Electronic Privacy Information Center and three other advocacy groups filed a complaint asking the U.S. Federal Trade Commission to require Facebook to get affirmative opt-in consent from users before collecting and using their biometric data.



Canada to launch biometric passports by 2012 – Critics warn privacy at risk

Sep 18th, 2011 | By | Category: News

By Amy Chung, Postmedia News September 15, 2011

The current Canadian passports will soon be replaced with a more high-tech design. Photograph by: Tom Hanson

 

OTTAWA — Canada’s long awaited ePassports will be ready by the end of 2012, making this country the last among G8 nations to have enhanced digital security measures on the documents.

The electronic passport program was first announced as part of the government’s National Security Policy in 2004.  Also known as a biometric passport, the document looks like the traditional book but will contain an electronic chip encoded with the bearer’s name, sex, date and place of birth, as well as a digital image of the person.

According to Passport Canada, 95 countries have issued approximately 350 million Biometric passports worldwide.

Asked why Canada was so late in bringing about the passports, Passport Canada spokeswoman Beatrice Fenelon said the agency had to repatriate overseas passport printing to Canada, which was completed in 2006, and it had to implement new facial recognition technologies.

Also, Fenelon said between 2007 and 2009, the department was flooded with increased numbers of passport applications when the U.S. Western Hemisphere Travel Initiative required Canadians to show their passports to enter the United States.

“As a result, the organization was not able to turn its full attention to the ePassport project until 2009, when planning began in earnest,” Fenelon wrote in an email.

Some countries, such as France and Germany, implemented “ePassports” (with Empty Biometric information on their chip) five years ago to allow their citizens to travel to the U.S. under its Visa Waiver Program, which requires participating countries to have specified security measures on their passports. Canadians do not require a visa to enter the U.S. and are not subject to the program. Despite the new passport’s enhanced security features, some information security experts say the document is not necessary and can be vulnerable to privacy leaks.

“After 9/11, the U.S. pressured the visa waiver countries to get (ePassports). Canada was out of that, but we were encouraged to go along with it,” said professor Andrew Clement, who coordinates the Information Policy Research Program at the University of Toronto. Clement says there has not been enough discussion to say if there are any problems with our current passport.

“With the 19 hijackers, there were a couple who had expired visas and not travelling under false documents. So it’s a bit of security theatre. So I think this was brought in for other reasons and there hasn’t been any debate if it’s a good thing or not,” said Clement. He said the facial recognition technology can allow border agents to screen your image in other databases like watch lists, creating risks of misidentification.

“It’s concerning that our everyday activity is surveyed, even if our behaviour is innocent, it could get the attention of authorities unnecessarily,” said Clement.

Postmedia News

© Copyright (c) Postmedia News

Dr. Ann Cavoukian, Information & Privacy Commissioner of Ontario, Canada



Australia: Monash Council’s debate on Biometric library scanners

Sep 14th, 2011 | By | Category: News

13 SEP 11 @ 04:48PM BY TIM MICHELL

UPDATE 8pm: MONASH Council tonight met to consider plans to use biometric scanners to monitor library staff.

The system would involve staff checking in and out of work by having their fingers scanned, rather than using timesheets.

But Australian Services Union assistant branch secretary Igor Grattan said the system was an invasion of privacy that angered library staff and councillors.

“Staff have a very real concern about what it means for their privacy and how the information will be used,” he said.

“A lot of the workers are part-time workers and casual workers … they’re worried that if they speak up they could be out of a job.”

Five Monash councillors called a special meeting for tonight to push to ban the use of the scanners.

But after a meeting lasting 10 minutes, councillors voted to consider the idea further before making a decision.

Cr Geoff Lake said he was determined to block the “draconian” technology.

“Our staff are our greatest asset and they deserve to be treated as intelligent human beings and not like cattle.”

Council chief executive David Conran said the system would not be introduced unless it was widely accepted by staff and did not compromise their security.

Mr Grattan said several questions remained unanswered about the system, but staff told the union the council wanted to start the rollout next month.

A council spokesman said Woolworths and the public sector used similar systems.

Woolworths’ Siobhan Quinn said the company had used finger scanners for about 15 years with no major issues.




UK ISP Entanet Slams Revived Plans to Monitor and Intercept your Online Comms

Sep 14th, 2011 | By | Category: News
By: MarkJ
Communications and networking provider Entanet has today “raised concerns over the feasibility”, security and cost of the UK government’s plan to expand its existing internet snooping (data retention) laws to potentially cover more than just your basic email and website access logs.

At present a voluntary code already requires Internet Service Providers (ISPs) to maintain a basic log of their customers’ email and website accesses, but not the content of your communications, for a period of between 6 and 12 months.

The UK is still working to introduce this and may now even expand such powers under its controversial £2 Billion Communications Capabilities Development Programme (CCDP), which used to be called the Interception Modernisation Programme (IMP) before it was renamed as part of a new counter-terrorism strategy (CONTEST).

Entanet’s Head of Marketing, Darren Farnden, said: “The idea of the IMP/CCDP is to collect and store all electronic communications including emails, social networking sites, website browsing histories and phone calls to help the police and, more likely, GCHQ fight cybercrime and terrorism. The problem with the IMP/CCDP is not only the huge privacy issues that it throws up but also the immense technical challenges. [We are concerned about] the feasibility of communications providers such as Entanet being required to collect and store this immense amount of data. We also raised concerns over the security of this data and how the government expects to protect it from potential hackers. Let’s face it, the Government doesn’t have the best track record in this area. We have had everything from lost laptops to website hacks in the past. Our views haven’t changed.”

The move appears to run contrary to the coalition government’s own May 2010 commitment to “end the storage of internet and email records without good reason”. The European Commission (EC) has also begun to question related rules and at least one report has suggested that such measures could even be “illegal”. None of this seems to concern the current UK government.

Home Office Position on Communications Data

The UK communications market is one of the most highly competitive and technologically driven in the world. This means we now have access to many new forms of internet based communications, such as social networking sites, online role-playing games and instant messaging. Criminals use new technology to communicate with each other and to target their victims. The police need to keep up with modern communication methods to be able to investigate serious crime. This is essential in protecting public safety.

Much of our current capability is based on an era of fixed and mobile telephones and was not designed to deal with the growth in the use of the internet. With internet service providers often based abroad, and fewer communications being itemised for billing purposes, investigative capability is declining.

The Communications Capabilities Development programme was set up to look at how we can preserve communications capabilities to protect the public in the future, as internet-based communications technology becomes increasingly popular. We will legislate to ensure this is compatible with the government’s approach to civil liberties and use of communications capabilities.

Crucially the government claims that this new approach is “not about developing new, more intrusive powers“, although few appear to see it that way. It’s also important to stress that the government has yet to outline precisely what CCDP will mean for ISPs. The current documents contain no firm details, although new legislation is expected to be announced “in due course“.



Biometric: Cracks appear in Unique Identification Authority of India’s enrolment process

Sep 7th, 2011 | By | Category: News
 

NEW DELHI: The Home Ministry has identified flaws in the Biometric enrolment process followed by the Unique Identification Authority of India, citing cases where people have got UID numbers on the basis of false affidavits.

“Biometric collection is a compulsive tail-chasing – The bigger the privacy violation the more progress it makes away from its real goals”


In a note written to the Cabinet Committee on UIDAI headed by Prime Minister Manmohan Singh, the ministry has questioned the security of the biometric data captured by the UIDAI and pointed out uncertainties in its revenue model.

The UIDAI has sought an additional 15,000 crore to do biometric scanning of all residents of the country through its own registrars, a proposal that is being opposed by the home ministry and the planning commission, as the government has already tasked the census office with the primary responsibility of collecting biometric data of all Indian residents for a National Population Register card.

The data collected by the census office is supposed to be shared with the UIDAI and every NPR card will carry the UID number of the card holder. The census office is part of the home ministry and so far has collected biometric data for 30 lakh individuals.


In its comments on the UIDAI’s proposal, reviewed by ET, the home ministry has urged the Cabinet to restrict the authority’s multi-registrar model of biometric enrolment to the already decided level of 20 crore by March 2012. The UIDAI has issued 2.87 crore unique IDs by August 24.

“The home ministry, the Planning Commission and others have given their comments,” Home Minister P Chidambaram said about the UIDAI proposal for more funding on Thursday. He also said that the Cabinet Committee on UIDAI (CCUIDAI) would take a call on the overlap between the NPR and the UIDAI.

P. Chidambaram, India home minister

“Cases have come to light wherein enrolments were being done on the basis of affidavits which were being sold by unscrupulous persons without any verification,” the ministry has warned in a note to the CCUIDAI, stressing that UIDAI registrars enrol residents on a ‘walk-in’ basis, based on documents whose authenticity is not checked.



Hackers Forge Certificates to Break into Spy Agencies

Sep 5th, 2011 | By | Category: News

By Andreas Udo de Haes, webwereld.nl - Sep 4, 2011 11:33 pm

 

After breaching the Dutch CA (Certification Authority) DigiNotar, Iranian hackers managed to sign forged certificates for the domains of spy agencies CIA, Mossad and MI6. Leading certification authorities like VeriSign and Thawte were also targeted, as were Iranian dissident sites.

 

The cyber attack on DigiNotar, a Dutch subsidiary of VASCO Data Security International Inc, is much more serious than previously thought. In July, hackers gained access to the network and infrastructure of several of DigiNotar’s CAs. Once inside, they generated hundreds of forged certificates for third-party domains.

With these certificates hackers can potentially syphon off user login credentials by spoofing a legitimate site, complete with a functioning but forged SSL-certificate, apparently issued by DigiNotar.

The forged certificates match domains of the U.S. Central Intelligence Agency, the Israeli secret service Mossad, and the British spy agency MI6. On top of that, the hackers created false certificates of other CAs like VeriSign and Thawte, in an attempt to also misuse their trusted position in securing Internet communications.

Vulnerable Domains Revealed

The partial list of domains with forged certificates was published on Saturday by Gervase Markham, programmer at Mozilla. Sources close to the investigation into the DigiNotar hack have confirmed to Webwereld that the list is authentic. Chrome engineer Adam Langley also told Webwereld Google has the same list.

Later, the Dutch public broadcaster NOS published the full list of over fifty domains for which false certificates were issued. Among them are Google, Yahoo, Microsoft and Skype, as well as numerous sites popular among Iranian dissidents. The cyber attackers even created fake certificates with messages praising the Iranian Revolutionary Guard, NOS reported.

It’s still unknown how successful the hackers have been in harvesting logins and spying on e-mail and chat messages. Most certificates have either expired or been revoked after DigiNotar discovered the breach in mid July. Revocation only protects clients that actually check it, and an attacker positioned to intercept traffic can also block that check, which is why browser vendors are instead shipping updates that refuse DigiNotar-issued certificates outright.

Chris Soghoian, security and privacy researcher at Indiana University and Graduate Fellow at the Center for Applied Cybersecurity Research, said the list is a “very interesting set of sites.” However, he’s skeptical that the hackers could have penetrated into the networks of the spy agencies with the forged certificates.

“Actually I think the secret service domains are the least alarming part. It’s sexy, and will probably lead to a lot of questions and interest from government agencies. Of course, nobody wants to get caught with their pants down, but there’s really no classified information on these domains. Those are on separate, secured internal networks. So the practical security impact of the Iranian government getting a certificate for the CIA is nil. It’s really just very embarrassing, that’s all,” said Soghoian in an interview with Webwereld.

Still, the cyber hack at DigiNotar has a very high profile. “What is alarming is that they forged certificates for other CAs, like VeriSign and Thawte. But the most problematic are sites like Google and Facebook. And also Walla, which is one of the biggest mail providers in Israel.” Through forged SSL certificates for these sites the Iranian regime would be able to siphon the accounts and online communications of countless people, explained Soghoian.

Sites Block Access

Google has already updated its Chrome browser so it blocks access to any site which uses a DigiNotar certificate. Mozilla and Microsoft are expected to issue patches for their browsers soon. The Microsoft Security Response team tweeted earlier: “We’re in the process of moving all DigiNotar CAs to the Untrusted Root Store which will deny access to any website using DigiNotar CAs.”

This means hundreds of Dutch government sites will become inaccessible in those browsers over the coming days if the agencies don’t switch to another certificate issuer in time.
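The two mechanisms described above, a compromised CA signing certificates for domains it was never asked to issue, and browsers responding by distrusting the CA, are shown together in the following Go program. It is an added example, not code from the Webwereld article, DigiNotar, Fox-IT or any browser vendor. It generates a stand-in CA at run time, has it sign a server certificate for a hostname, and then verifies that certificate the way a browser would under three client states: the CA still in the root store, the CA's key on a distrust list keyed by SPKI fingerprint (the approach of blocking known-bad CA keys), and the CA removed from the root store (Microsoft's "Untrusted Root Store" move). The CA name, the hostname mail.example.com and the function names are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh key and signs tmpl with parentKey (self-signed
// when parent is nil). Nothing here is cryptographically "forged": the
// signature is genuine, which is exactly why a rogue certificate from a
// compromised CA is accepted by every client that still trusts that CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// spkiFingerprint hashes the certificate's SubjectPublicKeyInfo; distrust
// lists and key pins are keyed on this rather than on the whole certificate.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// verifyServerCert does what a browser does: it builds a chain from the leaf
// to a trusted root for host, then refuses any chain that passes through a
// distrusted key even though the chain is otherwise valid.
func verifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, host string, distrusted map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err // unknown authority, name mismatch, expiry, ...
	}
	for _, chain := range chains {
		for _, c := range chain {
			if distrusted[spkiFingerprint(c)] {
				return fmt.Errorf("chain contains distrusted CA %q", c.Subject.CommonName)
			}
		}
	}
	return nil
}

// Scenario returns the verification result for the rogue certificate under
// the three client states. The CA name and hostname are illustrative
// (constructed for this example), and all key material is generated here.
func Scenario() (stillTrusted, onDistrustList, removedFromRoots error) {
	const host = "mail.example.com"
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Compromised Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return err, err, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	rogue, _, err := issue(leafTmpl, ca, caKey) // the CA was never asked to issue this
	if err != nil {
		return err, err, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	stillTrusted = verifyServerCert(rogue, trusted, host, nil)
	onDistrustList = verifyServerCert(rogue, trusted, host, map[string]bool{spkiFingerprint(ca): true})
	removedFromRoots = verifyServerCert(rogue, x509.NewCertPool(), host, nil)
	return
}

func main() {
	a, b, c := Scenario()
	fmt.Println("CA still trusted:    ", a)
	fmt.Println("CA on distrust list: ", b)
	fmt.Println("CA removed from roots:", c)
}
```

The first result is nil: while the CA is trusted, the rogue certificate passes hostname, validity and signature checks, so nothing in ordinary chain validation distinguishes it from a legitimate one. Only the distrust list or the root-store removal rejects it, and the latter is what makes every legitimate DigiNotar-issued site fail as well.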

Last week, Dutch security company Fox-IT carried out a forensic examination of the cyber hack at DigiNotar. The preliminary results prompted the government in The Hague to go into crisis mode, putting in effect an immediate stop to any DigiNotar services, and taking over the operational management of the DigiNotar Certification Authority.

The report on this investigation will be sent to the Parliament and made public on Monday.

DigiNotar did not respond to a request to comment on this story.

 



Germany says “nein” to full-body scanners

Sep 4th, 2011 | By | Category: News

Germany has decided against deploying full-body scanners at German airports; after a 10-month trial, in which 1,280,000 passengers were scanned, the government said that the false alarm rate was just too high

Published 2 September 2011



After trials which lasted ten months, the German government has decided against deploying full-body scanners at German airports.

The German Interior Ministry said that “the technology is not mature enough for the available equipment to be used in practice” and that it will therefore not be installed at the country’s airports “for the time being.”

The ministry spokesperson said that the agencies responsible for airport security were leaning toward supporting the use of body scanners to “improve efficiency and effectiveness of air transport security checks,” but that the trials showed that there were “too many” false alarms.

FlightGlobal quotes sources in the German federal police as saying that the false alarm rate was “significantly higher than 50 percent.”

There were also concerns about the health effects of backscatter X-ray scanners, so the system tested used millimeter wave technology.

The test was conducted at the Hamburg Airport from September 2010 to July 2011, and involved scanning 1,289,000 passengers.

 



Parties Divided Over Procurement Process For Biometric Register

Sep 1st, 2011 | By | Category: News

You may not comment or ask questions… Ghanaian politicians, demo for biometric voting system…

Source: Donald Ato Dapatem, Daily Graphic (General News)

The Electoral Commission (EC) and two political parties were yesterday sharply divided over the procurement process and selection of a vendor for the supply of equipment for the intended biometric voters registration.

Dr Kwadwo Afari Djan - Chairman of Electoral Commission


While the representatives of the New Patriotic Party (NPP) and People’s National Convention (PNC) took issue with the legality of the procurement process, the EC maintained that the process for selection of a supplier was within the ambit of the law.

However, the National Democratic Congress (NDC) was of the view that its representative was invited to observe a demonstration exercise by companies shortlisted for the biometric voters registration and not to make comments, contributions and arguments.

It all began when the EC extended an invitation to the political parties to observe demonstrations by companies shortlisted for the biometric voters registration, note down points of concern and make observations for discussion at the next Inter Party Advisory Committee (IPAC) forum.

Dr Matthew Opoku Prempeh and Mr Bernard Mornah, representatives of the NPP and PNC respectively, who arrived at the demonstration grounds at the EC offices in Accra when the process had already begun, were requested to sign a code that they would not talk, question or make comment but only observe and make notes, a situation they described as an affront to their constitutional rights to seek information.

Before the demonstration could end, the two representatives challenged the legality of the entire process because, according to them, the EC had informed them that one of the companies which was disqualified had taken the issue to the Public Procurement Authority which had also ordered EC to stop the procurement process until the apparent irregularities were resolved.

However, Mr David Adenze Kangah, Deputy EC Chairman, said the EC was going on with the process despite the intervention of the Public Procurement Authority because under the Procurement Law, organisations like the EC could proceed with such process if the process was of major national importance and time bound.

Apparently not satisfied with the arguments of the EC, the representatives of the NPP and PNC staged a walkout but Mr Hamid Girdo, the Electoral Advisor on Electoral Issues for the NDC and representatives from the Democratic Freedom Party (DFP) and the EGLE stayed throughout the observation period because that was what the letter inviting them stated.

Mr Girdo said he and his colleagues from the DFP and the EGLE stayed because they were made aware that only two companies which were shortlisted were making the demonstration after which the one that met the requirement would be selected.

Therefore, he said, there was no need to make comment at such a gathering and that they were aware that they would have the opportunity at an IPAC forum to express their views, concerns and make comments.

Explaining to the Daily Graphic, Mr David Adenze Kangah noted that the political parties were never invited to any meeting but to only observe the demonstration by companies shortlisted and note down points of concern, contributions and other observations for discussion in the next Inter Party Advisory Committee (IPAC) forum.

Expatiating further, Mr Mornah said that after turning a deaf ear to the persistent calls for an urgent IPAC forum on the intended biometric registration from both the PNC and the NPP, the EC on Monday wrote to the parties to participate in the observation of the process the following day.

He said to their surprise, when they got to the EC premises they were asked to sign a code that they would not talk, question or make any comment but only observe and make notes, a situation he described as an affront to his constitutional right to seek information.

He said although the political parties were not part of and would not be interested in participating in the procurement process, as major stakeholders in the electoral process they had to ensure that there was proper improvement in the biometric process.

Dr Opoku-Prempeh explained on an Accra radio station that while the political parties would not want to be part of the procurement processes by the EC, their views must be heard in the selection and undertaking of the biometric registration process.

“I would rather walk out and go and tell my party that the EC is taking this country down a path that may not be well for us,” he said.


 




Expert warns facial biometrics could compromise privacy

Aug 31st, 2011 | By | Category: News

As facial biometric technology becomes increasingly ubiquitous, IT experts warn that these systems can easily be abused and therefore require stringent privacy policies and data encryption

Published 30 August 2011

 


In an interview with Information Security Media Group, Beth Givens, the founder and director of the Privacy Rights Clearinghouse, cautioned that organizations using biometric facial solutions should encrypt their data.

“If they back up those applications with good, solid privacy policies and practices, they’ll be in good shape,” she said.

Givens explained that a major problem with facial recognition technology is the chance that sensitive information could be compromised. As evidence, Givens pointed to a Carnegie Mellon University study where researchers used only a photo of a person’s face and publicly available information to track down that individual’s birth date, personal interests, and Social Security number.

“To me, that’s astounding,” Givens said. “There are many places where you can get a person’s birth date; in fact, that’s public information. But being able to link it to a Social Security number as well as personal interest is another matter entirely, that takes it to an all new level.”

To help protect against the loss of sensitive data, Givens encouraged organizations to investigate biometric encryption.

 



Mohammed Garba heads presidential election tribunal

Aug 30th, 2011 | By | Category: News


 

BY GOWON EMAKPE

August 29, 2011 10:48PM


Following the suspension of Ayo Salami as President of the Court of Appeal, another judge of the court, Garba Mohammed, on Monday presided over the Presidential Election Petition Tribunal.

At the resumed hearing of the tribunal yesterday, Mr Mohammed, who assumed the role of presiding chairman of the tribunal, adjourned indefinitely its ruling on the application by the Congress for Progressive Change (CPC) asking the tribunal to enter judgment in the party's favour over the alleged failure of the Independent National Electoral Commission (INEC) to allow it unfettered access to ballot papers and other electoral materials used in the April presidential election.

The CPC is seeking to be declared winner of the April 16, 2011 presidential election, following the alleged refusal of INEC to grant the party access to sensitive electoral materials, in order to substantiate their allegation that the election was rigged in favour of President Goodluck Jonathan.

At the hearing yesterday, counsel to CPC, Oladipo Okpoyesi, asked the tribunal to enter judgment in its favour over INEC’s failure to comply with the tribunal’s directive to grant the party access to electoral materials.

But in INEC’s counter affidavit, the commission said if the CPC were allowed access to the database, it would technically contravene the rights of the voters under the provisions of the Electoral Act and the Nigerian Constitution as a whole.

Also in opposition, counsel to Mr Jonathan and Namadi Sambo, Alex Izinyon, and counsel to the Peoples Democratic Party (PDP), Joe Gadzama, insisted that the order of court was “for simpliciter access, and not opening of software”. Mr Izinyon cited Section 125 (3) of the Electoral Act and paragraph 42 (5b) of the first schedule to the Act, to buttress the argument that access to INEC’s biometric data would compromise national security. He referred to the case of INEC vs AC 2009, 2NWLR, part 1126, p.524 at 618, which he said makes the privacy of the voter sacrosanct.

No judgement in sight

Mr Salami, the suspended chairman of the tribunal, had granted an order compelling INEC to allow the CPC and their forensic experts to have access to all electoral materials to analyse and examine all relevant documents relating to the April presidential poll. The tribunal also ordered INEC to provide CPC with the list of local contractors engaged by the commission to print ballot papers used in the presidential election.

The CPC filed a petition at the tribunal to challenge the result of the April presidential poll, alleging irregularities and non-compliance with the 2010 Electoral Act. The party is contesting the result of the election in about 20 states of the federation and is to call 151 witnesses to prove its case.

Joined as defendants in the suit are the Independent National Electoral Commission (INEC), 1st defendant; chairman of INEC, Attahiru Jega (2nd defendant); winner of the election and Nigerian president, Goodluck Jonathan (3rd defendant); his deputy, Namadi Sambo (4th defendant); the Peoples Democratic Party (5th defendant) and the Resident Electoral Commissioners for the 36 states, including the Federal Capital Territory, (6th-42nd respondents).

Having listened to submissions by counsel, Mr Mohammed, who sat with three other Justices, said “ruling on the motion is hereby reserved and would be delivered on a date to be communicated to counsel.”