Tech firms squirm over their role in Prism surveillance


PC World
by Ellen Messmer
July 28, 2013




The disclosures about the National Security Agency’s massive global surveillance by Edward Snowden, the former information-technology contractor who’s now wanted by the U.S. government for treason, are hitting the U.S. high-tech industry hard as it tries to explain its involvement in the NSA data-collection program.

Last week, a gaggle of 22 large U.S. high-tech firms—including Apple, Facebook, Google, Microsoft, and Yahoo which have acknowledged they participate in NSA data-gathering efforts in some form, if not exactly as Snowden and some press reports have described it—begged to be freed from the secrecy about it in their pleading, public letter to President Obama, NSA director Keith Alexander, and a dozen members of Congress.

The July 18 letter from America’s high-tech powerhouses, which was also signed by almost three dozen nonprofit and trade organizations as well as six venture-capital firms, begged for “greater transparency around national security-related requests by the US government to Internet, telephone, and web-based service providers” in terms of how much information the government demands about high-tech customers and subscriber accounts, and how.


The letter begged the U.S. government to make public the number of national security-related requests it makes for individual customer information.

“This information about how and how often the government is using these legal authorities is important to the American people, who are entitled to have an informed public debate about the appropriateness of those authorities and their use, and to international users of US-based service providers who are concerned about the privacy and security of their communications,” the letter to President Obama, Congress, the NSA director and the Director of National Intelligence stated yesterday.

NSA’s global surveillance


Firms on the defensive

The revelations last month from Snowden about NSA’s extensive involvement with U.S. high-tech firms for purposes of information collection have suddenly put the U.S. high-tech industry on the defensive as it struggles to offer an explanation about all this to its global users while still bound by secrecy under the U.S. Patriot Act. There’s no indication yet from the White House or others in government that the NSA spying program, which relies on the participation of U.S.-based firms, will change.

“This should be debated in a public setting,” said John Dickson, principal at security firm Denim Group and a former U.S. Air Force officer, about the situation in which NSA’s global surveillance is tied so clearly to U.S.-based companies. He noted the U.S. government has actually said little but the media much.

This is all putting tremendous pressure on the U.S. high-tech industry, especially abroad in Europe, where privacy questions may be making U.S. industry seem less competitive. This week Brad Smith, Microsoft general counsel and executive vice president for legal and corporate affairs, issued a public statement that sought to clarify Microsoft’s participation in the U.S. government’s content-gathering methods.

“Recent leaked documents have focused on the addition of HTTPS encryption to instant messaging, which is designed to make this content more secure as it travels across the Internet,” Microsoft counsel Smith wrote. “To be clear, we do not provide any government with the ability to break the encryption, nor do we provide the government with the encryption keys. When we are legally obligated to comply with demands, we pull the specified content from our servers where it sits in an unencrypted state, and then we provide it to the government agency.”

Microsoft’s SkyDrive and Skype are handled somewhat similarly in terms of government requests, Smith said. As for enterprise and document storage for business customers, “we take steps to redirect the government to the customer directly, and we notify the customer unless we are legally prohibited from doing so,” Smith stated in his July 16 post. “We have never provided any government with customer data from any of our business or government customers for national security purposes.”

Smith added Microsoft got four requests related to law enforcement in 2012. “We do not provide any government with the ability to break the encryption used between our business customers and their data in the cloud, nor do we provide the government with the encryption keys.”





Is Prism even effective anymore?

In the meantime, it’s safe to assume in this NSA leaks debacle that “the bad guys have switched tactics” and probably wouldn’t use U.S.-based high-tech services, Dickson points out. And in this atmosphere of rising cyber-nationalism, the possible role of China’s government and its own high-tech industry have to be asked, too, he noted.

Former head of the U.S. Central Intelligence Agency and the NSA, Gen. Michael Hayden, recently charged forward on that topic in an interview with The Australian Financial Review.

Hayden said he believes that China-based network vendor Huawei conducted clandestine activities and shared with the Chinese state “intimate and sensitive knowledge of the foreign telecommunications systems it is involved with.” According to the published report, Gen. Hayden said Huawei is a significant security threat to Australia and the U.S., has spied for the Chinese government, and that intelligence agencies have evidence of this.

John Suffolk, Huawei’s global cyber security officer, is quoted by the Australian publication yesterday as calling Hayden’s remarks “unsubstantiated and defamatory” and saying that any critics of the company should present their evidence publicly. In an opinion piece on today, Gen. Hayden railed openly against Edward Snowden as a national security threat, saying he “fled to China with several computers’ worth of data from NSANET, one of the most highly classified and sensitive networks in American intelligence.”

Hayden acknowledged that one aspect of the fallout from Snowden’s leaks is “the undeniable economic punishment that will be inflicted on American businesses for simply complying with American law.”

Hayden’s remarks on CNN also seem to sarcastically criticize the Europeans now complaining about the NSA activities and how they may violate European data-privacy laws. “Others, most notably in Europe, will rend their garments in faux shock and outrage that these firms have done this, all the while ignoring that these very same companies, along with their European counterparts, behave the same way when confronted with the lawful demands of the European states.”

Hayden continued: “The real purpose of those complaints is competitive economic advantage, putting added burdens on or even disqualifying American firms competing in Europe for the big data and cloud services that are at the cutting edge of the global IT industry.”

As if all this weren’t enough, former President Jimmy Carter also spoke out yesterday on NSA global surveillance, suggesting the NSA data collection practices were harming democracy. Former president Carter also said Edward Snowden’s revelations didn’t really harm national security and were actually “beneficial” because “they inform the public.”


Data breaches hit 2.5 million in California in 2012, report says


PC World
by Steve Ragan
July 21, 2013




In the first report of its kind, California’s Attorney General, Kamala D. Harris, revealed last week that 2.5 million people—roughly 6.5 percent of the state’s population—were exposed by data breaches in 2012.

California has always been the go-to state for innovative technologies. A law passed in 2009 requires data breaches affecting more than 500 residents to be reported to the state attorney general’s office. It was also the first state to have breach notification laws, which were adopted by the state legislature. Forty-six other states have since followed with their own notification requirements, so perhaps these states will now follow California once again, and release their own breach reports.

While not as detailed as some of the studies released by data security vendors, the California Attorney General’s breach report covers all of the essential data, including the fact that of the 2.5 million people placed at risk due to a data breach, 1.4 million of them didn’t need to be on the list. Specifically, the report states that those 1.4 million people would have been protected if only the “companies had encrypted data when moving or sending the data out of the [network].”

“Data breaches are a serious threat to individuals’ privacy, finances and even personal security. Companies and government agencies must do more to protect people by protecting data,” Attorney General Harris said in a statement.


Most breaches involved retail

The report covers 131 incidents in all, with the average (mean) breach accounting for 22,500 people. The retail sector reported the most data breaches with 26 percent of the cases, followed by the finance and insurance sectors with 23 percent and healthcare with 15 percent. It’s worth noting that more than half of the breaches involved intentional intrusions from the outside or intentional acts by insiders. The rest of the breaches, 45 percent, were largely due to failure “to adopt or carry out appropriate security measures,” the report notes.

As mentioned, the report singles out those firms that didn’t take precautions when it comes to protecting data, and focuses largely on encryption to make that point. In fact, the report says, 28 percent of the reported breaches in 2012 wouldn’t have required notification if the data was encrypted at the time of the incident.

“Despite the incentive created by the breach notification laws exemption for encrypted data, many companies are still failing to use this effective security measure. Far too many people continue to be put at risk when companies do not encrypt data,” the report adds.

As part of the California Online Privacy Protection Act, the state also requires app vendors to offer privacy policies that can be read before a consumer downloads or installs an app.


How we sabotage our own privacy for deals and ego


PC World
by Mark Gibbs (Network World)
June 29, 2013




There’s a select few of my friends who are really serious about their privacy. They all use strong passwords for everything, many don’t bother with online banking or use bill pay services, most don’t use eBay or Amazon, and most don’t have social media accounts or, if they do, they are very careful about what they post and very cautious about who they friend. They never use their home address online, they’re cautious about giving out their phone number, and so on.

In other words, despite being tech-savvy and computer literate, they are consciously trying to stay out of the world that many of them are creating.

And this kind of rather extreme self-protection is understandable: They, better than most, know how easily privacy is lost and how, once lost, it can’t be regained. That said, in the 21st Century, is trying to stay off the radar really possible?

The answer is no, unless—and this is a big hurdle to clear—you are willing to give up the thousands of conveniences and opportunities that the digital world seduces us with. If you wanted to be not so much off the grid as off the matrix but still be in the U.S., you’d have to be willing to live in a cabin way out in the woods somewhere, have no utilities, spend only cash, grow most of your own food, never, ever, ever get sick and, if you were really serious, break the law by not filing your taxes and being generally unaccountable as a citizen.

If that appeals to you then the best of luck to you because it would be, in modern America, very, very difficult to pull it off, and, the way things are going, within a few years it will become truly impossible.

Why? Because as the recent NSA intelligence gathering revelations demonstrated, if there’s some data out there that might have any bearing whatsoever on national security, homeland security, law enforcement, or taxation, then there’s some raving bureaucrat somewhere who wants to pigeonhole said data just in case. Once those little nuggets of data have been collected, collated, and corralled you are in the matrix, er, system forever.


It’s not the NSA

What these friends of mine are doing is perversely contrarian to the direction our global culture is taking. A majority of people worldwide no longer really seem to care about privacy (of course, “no longer” rather assumes they really understood or cared about privacy in the first place). How do I know that we collectively no longer care?

In May, business consulting firm Infosys conducted a survey of 5000 digitally savvy consumers (1000 each in the United States, United Kingdom, France, Germany, and Australia) aged 18 to 69 to establish their criteria for sharing their personal data and what they thought about ways their data might be used.

While it is generally accepted that Europeans are much more concerned about privacy than North Americans, the survey showed that the gap is arguably smaller than supposed. For example, when making an online purchase 57 percent of German users are willing to share data, while 75 percent of the French, and 79 percent of the Brits are OK with it. At 74 percent the Aussies are closer to the French but the winners and still champions at giving away the goods are … you guessed it, the Americans (at 88 percent).

Surprisingly, consumers seem to trust their banks: 56 percent of Germans, 62 percent of the French, 75 percent of Australians, and 78 percent of Brits said they were OK with sharing their personal data with their bank. Again, the Yanks win out with 83 percent willing to divulge their private details to their banks despite having been well and truly screwed by Wall Street.


Unexpected outcomes

The attitude toward banks is particularly surprising given that 82 percent of all those surveyed said they expect their bank to mine or review their purchases to detect anomalies from identity theft. This is interesting because to do this kind of analysis requires significant insight into patterns of purchasing—the who, what, when and, most importantly, why of people’s spending habits. So, how will those consumers feel when their wives show them an automated letter or email warning them of an unusual jewelry purchase that said wife, who isn’t near a birthday or other occasion that warrants said bling, hasn’t received?

Think that kind of event is unlikely? Then let me remind you of the little PR disaster that Target created for themselves when they mined customer data with the goal of identifying and then marketing to women who had recently become pregnant. They found purchasing patterns that identified these consumers very effectively, but the exercise wound up ratting out a 16-year old girl who was keeping her pregnancy secret from her family.

This is what’s called the mosaic problem. All those scattered bits of data have little meaning or significance in and of themselves, but put together, they paint a detailed picture that is far more revealing than expected or, if it’s your data, wanted.

And consumers don’t really know what they think about their data being mined to provide a more customized experience: While the survey showed 39 percent considered it to be an invasive practice, the terms helpful, convenient, time-saving and good service scored 35 percent, 33 percent, 32 percent, and 27 percent respectively, proving that these are sheep that want to get shorn.

What this survey shows us is what I think we know about ourselves—we’re blabbermouths who want to be treated like kings and queens. We just love getting what we want with as little effort as possible, we want it now and we want it cheap.

Sure, it’s two bucks more than down the road, but we’ve got free same-day shipping and we don’t have to get out of our pleather-covered Barcalounger and waste good tee-vee watching time to get what we want, so whatcha want to know?



Profile of Likely E-Mail Phishing Victims Emerges in Human Factors/Ergonomics Research


Science Daily

July 25, 2013



The author of a paper to be presented at the upcoming 2013 International Human Factors and Ergonomics Society Annual Meeting has described behavioral, cognitive, and perceptual attributes of e-mail users who are vulnerable to phishing attacks. Phishing is the use of fraudulent e-mail correspondence to obtain passwords and credit card information, or to send viruses.

In “Keeping Up With the Joneses: Assessing Phishing Susceptibility in an E-mail Task,” Kyung Wha Hong discovered that people who were overconfident, introverted, or women were less able to accurately distinguish between legitimate and phishing e-mails. She had participants complete a personality survey and then asked them to scan through both legitimate and phishing e-mails and either delete suspicious or spam e-mails, leave legitimate e-mails as is, or mark e-mails that required actions or responses as “important.”

“The results showed a disconnect between confidence and actual skill, as the majority of participants were not only susceptible to attacks but also overconfident in their ability to protect themselves,” says Hong. Although 89% of the participants indicated they were confident in their ability to identify malicious e-mails, 92% of them misclassified phishing e-mails. Almost 52% in the study misclassified more than half the phishing e-mails, and 54% deleted at least one authentic e-mail.

Gender, trust, and personality were correlated with phishing vulnerability. Women were less likely than men to correctly label phishing e-mails, and subjects who self-reported as “less trusting, introverts, or less open to new experiences” were more likely to delete legitimate e-mails.

Hong will continue to develop a user profile that can predict when and with whom phishing attacks are likely to be successful. Information gained in these studies will be used to design effective tools to prevent and combat phishing attacks.

Story Source:

The above story is based on materials provided by Human Factors and Ergonomics Society, via EurekAlert!, a service of AAAS.



Car hackers use laptop to control standard car


Next time you have a passenger in the back seat of your car offering infuriatingly “helpful” advice about your driving skills, count yourself lucky that they aren’t doing anything more sinister in their attempts to guide your vehicle.

BBC News

by Zoe Kleinman / Technology reporter
July 26, 2013


The researchers managed to stop, start and steer a car with an old Nintendo handset


Two security experts in the US have demonstrated taking control of two popular models of car, while someone else was driving them, using a laptop.

Speaking to the BBC ahead of revealing their research at security conference Defcon in Las Vegas in August, Charlie Miller and Chris Valasek said they hoped to raise awareness about the security issues around increasingly computer-dominated car control.

“At the moment there are people who are in the know, there are nay-sayers who don’t believe it’s important, and there are others saying it’s common knowledge but right now there’s not much data out there,” said Mr Miller, a security engineer at Twitter.

“We would love for everyone to start having a discussion about this, and for manufacturers to listen and improve the security of cars.”

Their work, funded by the Pentagon’s research facility Darpa, has so far received a mixed reaction from the manufacturers themselves.


How they did it

The researchers used cables to connect the devices to the vehicles’ electronic control units (ECUs) via the on-board diagnostics port (also used by mechanics to identify faults) inside a 2010 model Ford Escape and Toyota Prius.

Contained within most modern vehicles, ECUs are part of the computer network that controls most aspects of car functionality including acceleration, braking, steering, monitor displays and the horn.

The pair were able to write software which sent instructions to the car network computer and overrode the commands from the actual drivers of the cars.

They filmed themselves in the back of one of the vehicles steering it left and right, activating the brakes and showing the fuel gauge drop to zero, all while the vehicle was under driver control and in motion.


The cable used to connect the devices to the ECUs via the diagnostics port.

A spokesman for Toyota told the BBC that because the hardware had to be physically connected inside the car, he did not consider it to be “hacking”.

“Altered control can only be made when the device is connected. After it is disconnected the car functions normally,” he said.

“We don’t consider that to be ‘hacking’ in the sense of creating unexpected behaviour, because the device must be connected – ie the control system of the car physically altered.

“The presence of a laptop or other device connected to the OBD [on board diagnostics] II port would be apparent.”


Expensive and difficult

Mr Miller and Mr Valasek say this is not the point.

Their work builds on earlier research carried out by researchers at the University of Washington and the University of San Diego in 2010, who demonstrated that it was possible to control a car remotely and developed a tool, which they called CarShark, for the purpose.

“We’re big fans of their work but we figured they already proved you can remotely get into a car’s network,” Chris Valasek, director of security intelligence at consultancy IOActive, told the BBC.

“We wanted to see how much control would you have once that’s happened.”

They admitted that they had destroyed a few cars while refining their technique.

“It’s very expensive and difficult to do the research to show you can hack into a car. It’s not like you can just download something and look at it,” said Mr Miller.


The hackers set the speedometer to read 199 miles per hour while the car was stationary


“I wouldn’t dare do this to my own car,” added Mr Valasek.

They said the cars did not appear to acknowledge the address from where a command was being sent, only the instruction itself.

“There’s no authentication,” said Mr Miller.

“But there are restrictions – the car has to operate very fast. If you run into a wall you need to kill the engine immediately, engage the airbag.

“Car manufacturers don’t have the luxury PC software makers have – if something doesn’t work in a car that can’t happen, it needs to function.”

Mr Miller and Mr Valasek intend to make their research openly available following the conference.


“The information will be released to everyone. If you’re just relying on the fact people aren’t talking about the problem to stay safe, you’re not really dealing with the problem,” said Mr Miller.

Toyota said it invested heavily in security research.

“Our focus, and that of the entire automotive industry, is to prevent hacking into a vehicle’s by-wire control system from a remote/wireless device outside of the vehicle.

“Toyota has developed very strict and effective firewall technology against such remote and wireless services. We continue to try to hack our systems and have a considerable investment in state of the art electro-magnetic R&D facilities.

“We believe our systems are robust and secure.”

Ford also told the BBC the company takes electronic security seriously.

“This particular attack was not performed remotely over-the-air, but as a highly aggressive direct physical manipulation of one vehicle over an elongated period of time, which would not be a risk to customers on any mass level,” it said in a statement.

“The safety, privacy, and security of our customers is and always will be paramount.”



Security expert Prof Alan Woodward, Chief Technology Officer at consultancy Charteris, said that car hacking hasn’t been widely discussed because as yet there has been no criminal incident of it.

“I think [car hacking] is one of the most scary things out there – [the hacking of] cars and medical devices are the two things nobody talks about,” he told the BBC.

“You’ve heard of ransomware – imagine that happening inside a car. It won’t take criminals that long.”

Ransomware is a computer virus that freezes a victim’s computer or threatens to release personal files unless a payment is made.


Actor Damian Lewis stars in Homeland, a TV series which featured a car hack storyline


A car crash caused by a hacked car featured as a storyline on the US TV series Homeland but was widely dismissed as fantasy, he added.

“There was loads of talk afterwards saying it was rubbish. I remember saying on Twitter, ‘I’m sorry, it’s not.’”

However both the researchers and Prof Woodward agree that hacking into a car is not easy.

“This is a very technical attack, it requires a great deal of technical knowledge,” Prof Woodward said.

“A lot of manufacturers are doing work on security software but they don’t talk about it. It’s not about anti-malware software, it’s more about penetration testing – finding any holes left in the system.

“When people build things based on software, it is built with Intention A. They never think about intention B – which could be all sorts of nefarious purposes.”
