Hi, please

Tag Archives: security

Cyberterrorism: Additional Reading Summary

What is cyberterrorism? Even experts can’t agree

By Victoria Baranetsky, The Harvard Law Record

Published: Thursday, November 5, 2009

No Consensus on a Definition

  • “We even lack a unified definition of cyberterrorism and that makes discourse on the subject difficult.”
  • “The FBI alone has published three distinct definitions of cyber-terrorism: “Terrorism that initiates…attack[s] on information” in 1999, to “the use of Cyber tools” in 2000 and “a criminal act perpetrated by the use of computers” in 2004.”
  • Two explanations on why it is difficult to agree on a definition:
    • “The interest in cyber issues only started in the nineties so the terms are still nascent.”
    • “The meaning [of cyberterrorism] depends on differing interests.”
  • Some believe that “terrorists will use any strategic tool they can” so “cyber” terrorism is no more important then other forms.

What is the goal and who is affected by cyberterrorism?

  • Like any form of terrorism, cyberterrorism aims to “cause severe disruption through widespread fear in society.”  Because we are so dependent on digital material and systems, we are very vulnerable to this type of terrorism.
  • The U.S. is particularly dependent on online systems.  Countries that don’t depend so strongly on digital systems have an opportunity to attack without the risk of suffering from similar counterattacks.

Richard Clarke On The Growing ‘Cyberwar’ Threat

From Fresh Air on NPR

April 19, 2010

Richard Clarke served as a counterterrorism adviser to Presidents Bill Clinton and George W. Bush.  Clarke predicted the 9/11 attacks but was not taken seriously.  Now he is focusing on the possibilities of computer-based terrorism attacks.

What kind of harm could a cyberattack cause?

According to Clarke, here are a few examples:

  • Disable trains all over the country
  • Blow up pipelines
  • Cause blackouts and damage electrical power grids so that the blackouts would go on for a long time
  • Wipe out and confuse financial records so that we would not know who owned what
  • Disrupt traffic in urban areas by knocking out control computers
  • Wipe out medical records

Where can attacks come from and how are they executed?

Cyberattacks are not limited by national boundaries, and just one person can cause much harm.  A large team is not necessary to successfully complete this type of attack.  “Malicious code may infect a computer via a security flaw in a Web browser, or it could be distributed through secret back doors built into computer hardware.”

The government does have security set up to protect military and intelligence networks, but Clarke “worries not enough is being done to protect the private sector — which includes the electrical grid, the banking system and our health care records.”

“One common attack is for hackers to take over a series of home computers through backdoor security exploits. For example, malicious software can be downloaded onto a hard drive after you accidentally visit a compromised website. Your computer can then be used in conjunction with other compromised computers to engage in a large-scale attack. The average computer user may not realize when their computer has been drafted into a cyberattack.”

Clarke’s recommendations on how to reduce your risk of an attack

  • Never use your work computer at home, where it may be unintentionally compromised by another member of your family.
  • Make sure your online banks have more than just a password for security protection.
  • If you’re going to buy things online, have a credit card for that purpose with a low credit limit.
  • Don’t do banking or stockbrokering online and have a lot of money at risk — unless your stockbroker gives you a two-step process for getting in.

Assessing The Threat of Cyberterrorism

From Fresh Air on NPR

February 10, 2010

James Lewis is a senior fellow at the Center for Strategic and International Studies and the co-author of the report “Security Cyberspace in the 44th Presidency.” He predicts that within a decade, Al Qaeda will develop capabilities to carry out attacks on the web.

“Every single day, sensitive information is stolen from both government and private sector networks as criminals become increasingly more sophisticated…

Recent breaches at Google and the Department of Defense have illustrated that the United States is not yet ready to deal with a large scale cyber-attack.”

The battle against cyberterror

By John Blau, Network World

November 29, 2004

The Good News

Experts “don’t think [would-be terrorists] have the technical ability yet – in other words, the combined IT and control system skills needed to penetrate a utility network.

The Bad News

Hackers “are beginning to acquire some of these skills… and in many parts of the world [people] are willing to peddle their expertise for the right price or political cause.”

The Worse News

  • “Few, if any, of the industrial control systems used today were designed with cybersecurity in mind because hardly any of them were connected to the Internet.”
  • “Many of the “private” networks now are built with the help of competitively priced fiber-optic connections and transmission services provided by telecom companies, which have become the frequent target of cyberattacks.”
  • Moreover, security isn’t necessarily related to a country’s wealth.  Levels of protection vary from country to country.

Surveillance Society & the Increasing Scarcity of Privacy

Below are some readings that dig into the increasing surveillance of today’s society. In many instances, these new surveillance methods are first being tested in Las Vegas & prisons, and then brought into every day life, most notably through companies searching for the next best way to track consumers.

Required Reading:

Recommended Reading:

Optional:

The digital afterlife: what happens in social media when we die? Part III

The last podcast of my travelogue explores how social media influence the mourning process. Two psychologists, Jennifer Boni and Arturo Peon, give insights into the experience of grief.  Is it better to maintain the profile of a deceased person, or should it be taken down? How does technology affect the construction of  personal and collective memory?

Although Facebook’s memorial profiles  can facilitate the mourning process, they can also be the source of profound dismay. Security loop holes make the system vulnerable to hoaxes, and add to the grief of the people left behind.

Grafiti-memorial in Montevideo, Uruguay (photo taken by Arturo Peon Barriga). "Sergio Silveira used to fish and teach here. Today he is no more. If you wish to use this place, do it in dignity. Daddy forever."

[podcast]http://blip.tv/file/get/Nw546-TheDigitalAfterlifeWhatHappensInSocialMediaWhenWeDieP948.mp3[/podcast]

Further resources:

More on grief cycle and mourning stages.

Facebook blog: Memories of Friends Departed Endure on Facebook

Jose van Dijk, Mediated Memories in the Digital Age

Mobile Donations – Concluding Post

1. Please text MONKEY to 89183 for a brief summary via 3 Text Messages to your mobile phone!

OR

2. Listen to the podcast and view the accompanied slides.



References:

Mobile Active Org

American Red Cross – Mobile Giving Program

US Mobile Carriers

Mobile Giving Foundation

Are Mobile Donations Safe? Why do they take so long? What can we do next?

Please Text SUMMARY to 89183.





A few references:

BBB Article

MMA Guidelines

WebcamGate: general state of (dis-)TRUST

The webcam school spying scandal that broke in mid-February was a bombastic scoop. It offered excellent material for sensationalist media coverage, nourished paranoiac fears, and created a heated debate about security and privacy in the Internet.

Harriton High school caught spying!

15-year-old student Blake Robbins accused its school of spying

A high school in Pennsylvania that distributed about 2300 laptops to its students, has got in the spotlight of the news as it was revealed that school officials activated secretly the webcameras, even when students were at home. The scandal unfolded when the assistant principal summoned a student to her office, and accused him of “inproper behavior” consuming drugs. She based her allegations on photos that were taken by the kid’s webcam showing him eating suspicious substances at home, or what later turned out to be Mike and Ikes candy. Shortly after, the student’s parents have filed a class-action lawsuit against the school. As the scandal become public, various other students reported that they had been perplexed by the bizarre on- and off-going green lights of their laptops. The school denied that it invaded the students privacy, and explained that the software installed on the computers that allowed to remotely access the cameras was a monitoring and security device that allowed to locate laptops in case of theft. It admitted that it has activated the students’ webcams 42 times over a 14-month period to recover 28 laptops. However, the family claims that it has never reported the computer missing. The FBI is now leading its own investigation. YouTube Preview Image

However, in the era of Skype, ChatRoulette, and the ubiquitous use of security cameras and webcams, this case raises concerns about general security and privacy issues in the Internet. Similar scenarios have occurred in the past. In 2008, a woman discovered that she was webcamera-stalked by a tech guy who was supposed to repair her computer, but turned out to take about 20,000 photos of her and her friends.

The slippery slope between monitoring and spying

It is not unusual that schools monitor on their students, as a documentary segment called „How Google saved a school“ indicates. However, the Harriton WebcamGate stands out as teachers accessed the webcameras of their students in their private homes. A blogger called Stryde Hax , a part-time hacker and consultant for an Internet security company called Intrepidus Group, has investigated the case and discussed it on his blog. Stryde Hax explains that the school installed a remote monitoring product named LANRev on their laptops. Even when computer were connected outside the school networks, the track-and-monitor feature reported back to the administrator, and allowed to remotely activate the camera. As the remote control was invisible (except the brief moments when the camera lit up), and the victims were unaware about it, this software qualifies as spyware, defined as„a type of malware that is installed on computers and collects little bits information at a time about users without their knowledge.“ Abundant similar products are on the market for private use, as for example Power Spy 2010, and even skype cameras can be converted into covert snoopers. Another troubling factor is that in Harriton High school,  only official computers with monitoring/spyware were allowed, and “jailbreaking a school laptop in order to secure it or monitor it against intrusion was an offense which merited expulsion“ (source: Stryde Hax).

Two IT employees involved in the spying were placed on temporary leave while the investigations into the case continue. However, their lawyers claim that the technicians only turned on the tracking software when they believed that the computers were stolen.  They argue that the student who filed the lawsuit hadn’t paid a $55 insurance fee to take the laptop home, so technically there were authorized to track down the computer. Computer recovery softwares, like for example Prey, an open source project, seem to have become very common. Even NYU offers such a service.

In the Harriton High case, a federal court judge banned the webcam activation of the school distributed laptops, and the company that sold the tracking feature has changed the name of its program and its user policy; from now on, the end users can’t activate the remote webcam anymore.

Is it legal or not?

Does this sort of spying violate wiretapping laws? In the case of Harriton High, the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) believe that it constitutes an infringement, and filed an amicus brief in support of the victim. However, the matter is not that obvious. Kevin Bankston, an attorney for EFF, explains why:

“There is no federal statute that criminalizes or creates civil liability for such secret videotaping unless it involves sound, because then it is an intercept of a verbal communication. So no one can plant a bug in your house without violating wiretapping law, but they can still plant a camera without violating federal wiretapping laws.“

A Skype-camera spy-attack would therefore be illegal. But how about monitoring  software use in a school or a company with prior consent? According to the EFF, „private schools or employers can ask you to sign away your right to privacy, but not a government entity like a public school.“ However, there is no juridical precedent, and is up to the court to give further indications. Even for the business world, the case holds important lessons learned for legal monitoring programs. Itn the past, he U.S. Supreme Court has underlined the importance of home privacy, as in 2001-ruling that reaffirmed that “police could not, without a warrant, use thermal imaging equipment outside a home to see if heat lamps were being used inside to grow marijuana.

Similar dilemmas arise also in the context of computer theft tracking software. In the beginning of March, a techie made it into the headlines in Boston when he helped the police to recover his stolen computers. Is is debatable if evidence collected in this way would be admissible in court, as it doesn’t prove who has actually stolen the computers. In addition, justice initiaves by individual citizens shouldn’t be promoted.

Who´s to blame?

The schools behavior provoked a public outcry. How could school officials abuse the trust that students and parents give them? The plaintiff argued that students were unaware of the school’s authority to track their computers. On the other hand, it becomes obvious that the responsibilty for the failure is shared. The statements issued by parents who sends his children to the Harriton High school contacted on Facebook draw a very different picture:

This means that parents knew about the feature, but haven’t discussed the full implications and privacy risks with their children or the school’s officials. Did therefore naiv trust in the school led to the spying scandal? The SANS Computer Security Institute points out that trust is the Internet’s biggest week points, as phishing and pharming- two forms of social engeneering that are based on eliciting crucial information from victims, represent one of the biggest security problems on the Internet. From this perspective, it is crucial to re-establish trust between the school and the students, indispensable for the success of the whole education system. However, the contrary point can be argued too. By installing the surveillance feature, the school proved to generally distrust its students. If the relationship would have been based on trust, the spy-problem wouldn’t have been occurred in the first place.

One for all, but not all for one?

As a commentator called willy25 points out on the comment section of ABC’s local Philadelphia television statement: “[o]nce one child’s rights have been violated, all children are at risk.” However, not all parents back the allagations against the school. In fact, the scandal has divided the school’s community. Students show their opposition to the schools policy with “LMSD [Lower Merion School District] is watching you” T-shirts. On the correspondent Facebook group, they refer to the school as a “prison.”  On the other side, many parents and kids defend the school, and have formed different anti-lawsuit groups, like LMSDParents.org / “Reasonable LMSD parents refusing to rush to judgement” (to whom belongs Jan Klinkewicz), or Parents in Support of the Lowe Merrion School District, which collects signatures for a petition to fight the lawsuit. Concerned about the financial impact of a large class-action settlement, the group held several meetings in opposition to the class-action lawsuit. At its current pace, the Lower Merion could end up spending estimating more than $1 million a year in legal fees to continue until June- at the expense of the taxpayers, the parents!

It seems that this week, a compromise has been found as lawyers for the school and the family yesterday agreed to “freeze the case for 30 days while computer experts from both sides determine how often the school used the remote tracking software, and how many students were photographed.” However, the question arises if parents would have gone trough with the lawsuit if they wouldn´t have to pay the costs out of their own pockets. Do we assist to a partial interpretation of privacy? Is the defense of civil rights a matter of financial resources? Besides these important questions, the Harriton Hight spy-case should open a wider and long-lasting debate about the education system in general, the implications of new technologies for society, and the role of both private and public actors in addressing its risks and opportunities.

New developments in the “WebcamGate”

Last Thursday, two IT employees involved in the Harriton High School webcam scandal were placed on temporary leave while the investigations into the case continue. However, their lawyers claim that the technicians only turned on the tracking software when they believed that the computers were stolen.  They argue that the student who filed the lawsuit hadn’t paid a $55 insurance fee to take the laptop home, so technically there were authorized to track down the computer.

Justice in your own hands?

According to media reports, the Lower Merrian Police Department also knew about the software. In the case of a theft, the security feature would take every 15 minutes a photo with the webcam. Meanwhile, the company that sold the tracking feature to the Harriton High School, has changed the name of its program and its user policy; from now on, the end users can’t activate the remote webcam anymore. In the Harriton High case, a federal court judge banned the webcam activation of the school distributed laptops. Computer recovery softwares, like for example Prey (open source project!), seem to have become quite common. Even NYU offers such a service. This week, a techie made it into the headlines in Boston when he helped the police to recover his stolen computers. In this case, the victim had previously connected his home computer to his laptops (GoToMyPC is a software that would enable that), and could therefore access the stolen devices, and track their location. However, this feature has a flip side too. As the amateur techie observed, “[i]f (the family) had known what they were doing, they actually could have accessed my home computer from the laptop.” In addition, the question remains if individuals should be motivated to use this software. It is also debatable if evidence collected in this way would be admissible in court. First, it doesn’t prove who has actually stolen the computers; it only shows who the new user is. Second, isn’t first a warrant needed to follow up (even your own) computer?

Who knew what?

The are contrary statements on who knew about the school’s authority to track their computers. On one hand, the plaintiff argues that he was unaware of the feature. On the other hand, I contacted on Facebook a parent who sends his children to the Harriton High school, and he told me the following:

However, it is unclear if teachers have discussed the full implications of the tracking feature with its students, and pointed out the possible risk of privacy invasion. In addition,  as I outlined in my previous post, the Electronic Frontier Foundation (EFF) believes that “private schools or employers can ask you to sign away your right to privacy, but not a government entity like a public school.“

Polarized reactions

The scandal has divided the school’s community. Students show their opposition to the schools policy with “LMSD [Lower Merion School District] is watching you” T-shirts. On the correspondent Facebook group, they refer to the school as a “prison.” I’ve contacted several students to get more details, but they haven’t got back to me (yet). Nevertheless, many parents and kids defend the school, and have formed different anti-lawsuit groups, like LMSDParents.org / “Reasonable LMSD parents refusing to rush to judgement” (to whom belongs Jan Klinkewicz), or Parents in Support of the Lowe Merrion School District, which collects signatures for a petition to fight the lawsuit. Concerned about the financial impact of a large class-action settlement, the group held a meeting in opposition to the lawsuit last Tuesday.

I’ve also detected ad-hominem attacks on the comment section of ABC’s local Philadelphia television statement, that seek to discredit the plaintiff’s family and imply that they are seeking personal financial profit from the affair. What should be the appropriate steps to follow? One commentator called willy25 underlines that “[o]nce one child’s rights have been violated, all children are at risk.” In any case, I believe that the most important step is to (re-)establish trust between the school and the students, indispensable for the success of the whole education system.

How can somebody spy on your webcam?

The recent webcam spying scandal at a school in Pennsylvinia has caused worldwide uproar in the news, and proves that paranoiac scenarios are actually not so far stretched. In the era of Skype, ChatRoulette, and the ubiquitous use of security webcameras, this case raises serious questions about privacy and Internet security. As I will combine my introductory post and my question, here first some background information.

The spying scandal at Harriton High School

In mid-February, a high school in Pennsylvania got in the spotlight of the news- and now of the FBI- as it was revealed that school officials were spying on their students by secretly activating the webcameras of school-issued laptops, even when students were at home. The scandal unfolded when the assistant principal summoned a student to her office, and accused him of selling and taking drugs. She based her allegations on photos that were taken by the kid’s webcam showing him eating suspicious substances at home, or what later turned out to be Mike and Ikes candy. Shortly after, the student’s parents have filed a lawsuit against the school. As the scandal become public, various other students reported that they had been perplexed by the bizarre on- and off-going green lights of their laptops. The school denied that it invaded the students privacy, and explained that the software installed on the computers that allowed to remotely access the cameras was a monitoring and security device that allowed to locate laptops in case of theft.YouTube Preview Image

It is not unusual that schools monitor and spy on their students, as an documentary segments called „How Google saved a school“ indicates. However, Harriton school stands out as teachers accessed the webcameras of their students in their private homes, a reason why the FBI is now investigating the case.

The scandal poses general questions about the education system, authority, and where to draw the line between monitoring and spying. What is the legal basis or guideline? But first of all, I’d like to know how this is technologically possible. Considering that most laptops have built-in cameras and have become all purpose devices that we use 24/7, how big is the risk of such kind of surveillance?

How can somebody spy on your webcam?

A simple Twitter search for #spycam quickly leads me to what seems the ultimate information source about the technology behind the Harriton Hight School scandal. A blogger called Stryde Hax , a part-time hacker and consultant for an Internet security company called Intrepidus Group, has investigated the case and discussed it on his blog. Stryde Hax explains that the school installed a remote monitoring product named LANRev on their laptops. Even when computer were connected outside the school networks, the track-and-monitor feature reported back to the administrator, and allowed to activate the camera remotely and take secret pictures. As the remote control was invisible (except the brief moments when the camera lit up), and the victims were unaware about it, this software would qualify as spyware, defined as„a type of malware that is installed on computers and collects little bits information at a time about users without their knowledge.“

The market for spy camera software seems to be tremendous! On Google search, a multitude of companies sell this kind of product. For example, Power Spy 2010 proudly claims that it is „[p]erfect for catching cheaters, monitoring employees, children and spouse and even investigating crimes!“

For reasons to spy on your spouse and other healthy relationship advice, please click on the picture above.

The software allows you to monitor all computer and Internet activities, take screen snapshots like a surveillance camera, record usernames and passwords, but is „completely legal“ according to the company that sells it. However, there are also cheaper ways to turn your webcam into a spying tool, you could simply “use Skype as a covert snooper.“

Legal issues involved

Does this sort of spying violate wiretapping laws? In the case of Harriton High, the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) believe that it constitutes an infringement, and filed an amicus brief in support of the victim. However, the matter is not that obvious. Kevin Bankston, an attorney for EFF, explains why:

“There is no federal statute that criminalizes or creates civil liability for such secret videotaping unless it involves sound, because then it is an intercept of a verbal communication. So no one can plant a bug in your house without violating wiretapping law, but they can still plant a camera without violating federal wiretapping laws.“

A Skype-camera spy-attack would therefore be illegal, but how about soundless spying with Power Spy 2010? For example, is it legal to use this software in an company or could you give your consent to spy? According to the EFF, „private schools or employers can ask you to sign away your right to privacy, but not a government entity like a public school.“ However, there is no juridical precedent, and is up to the court to give further indications. Collecting usernames and passwords without previous consent is certainly a violation of the Forth Amendment. Another troubling factor is that in Harriton High School,  only official (and monitored) computers were allowed, and “jailbreaking a school laptop in order to secure it or monitor it against intrusion was an offense which merited expulsion“ (source: Stryde Hax). How will this case be resolved?

Welcome to hacker culture!

Obviously, another central question is whether somebody can intrude your computer and gain control of your webcam by other means. As I am quite illiterate in technical issues, I turn to the wisdom of the crowd, and search the answer on Google, web forums, and even Yahoo Answer. I found out that all you need is trojan virus which can remotely access your webcam, and that a normal Windows firewall will not stop. Another option is to turn to social engeneering and to get crucial information (in-)voluntarily from the victim rather than breaking into its system. How easy/difficult is this?

Kevin Mitnick, worldwide hacker celebrity and now security consultant

To my surprise, the hacker community is very generous about sharing its tips and tricks: there are plenty of fun tutorials on Google on how to hack into your friends’ computers and spy trough their webcams. In addition, I learn that under the surface of anarchy, there are quite institutionalized platforms and various social norms. There even exists a Hacker Quarterly, and a related biennial hacker conference called HOPE (Hackers On Planet Earth), where the state of the art and future challenges are discussed. More basic, hacking isn’t only about hacking: different subcultures and -groups exist, like white hats (=ethical hackers, specialized in penetration testing), or black hats (=specialized in unauthorized penetration, seek personal profit). Is Stryde Hax therefore a white hat? Has he been a black hat before, like Kevin Mitnick? Who designs these categories? Plenty of questions to follow…