Threat Level Privacy, Crime and Security Online

Feds Move to Break Voting-Machine Monopoly


Citing anti-competitive concerns, the Justice Department sued Election Systems & Software in order to force the company to divest itself of the voting machine assets it obtained from Premier Election Solutions last year.

The department’s antitrust division, along with nine state attorneys general, filed the civil antitrust lawsuit (.pdf) in U.S. District Court in Washington, D.C., charging that the acquisition threatened competition. The department proposed a settlement that, if accepted, would dissolve the merger and force ES&S to sell its Premier business to a buyer approved by the Justice Department.

“The proposed settlement (.pdf) will restore competition, provide a greater range of choices and create incentives to provide secure, accurate and reliable voting-equipment systems now and in the future,” said Molly S. Boast, deputy assistant attorney general for the antitrust division in a statement.

The nine states that joined the suit are Arizona, Colorado, Florida, Maine, Maryland, Massachusetts, New Mexico, Tennessee and Washington.

Last September, Premier (formerly Diebold Election Systems) announced that ES&S had purchased the company for $5 million in cash, plus 70 percent of revenue collected on existing accounts through the end of August 2009.

Even before the sale, ES&S, based in Omaha, Nebraska, was the nation’s largest voting-machine maker, with machines being used in 43 states. ES&S systems were “utilized in counting approximately 50 percent of the votes in the last four major U.S. elections,” according to the company’s website. The company also created statewide voter registration systems used in California, Maryland, Missouri, Nebraska and New Mexico.

Its acquisition of Premier, the second-largest voting machine maker with equipment used in 33 states, gave it a near monopoly on election gear and would have had the company providing 70 percent of voting equipment in the country. Premier was a division of Diebold Inc., which is based in Canton, Ohio.

Election integrity activists expressed concern at the time that the purchase would have a detrimental effect on competitive pricing for election districts and would also affect the development of accurate and secure voting systems, since ES&S would have little incentive to improve its voting systems without viable competitors. They were also concerned that ES&S would stop supporting the Premier equipment and try to pressure election officials who owned the equipment into purchasing ES&S machines.

Spokeswomen for Verified Voting and Voter Action declined to comment on the lawsuit or proposed settlement until their organizations have a chance to review the documents and discuss them with the Justice Department.

The settlement would force ES&S to divest itself of all intellectual property and means associated with producing all versions of Premier’s software, firmware and hardware as well as all inventory of parts and components.

ES&S must also grant to whoever acquires the Premier business a “fully paid-up, irrevocable, perpetual license” to use ES&S’s own AutoMark system. The AutoMark is a ballot marking device for disabled voters. Premier had obtained a limited license to sell the device prior to the acquisition. The buyer of the Premier business will be able to modify both the Premier products and the AutoMark system.

The proposed settlement would also require that ES&S customers who are currently under contract to use Premier systems be given the chance to switch to the new buyer or remain with ES&S and obtain ES&S equipment. ES&S would be prohibited from bidding on new contracts for Premier equipment.

To make the transition smooth and avoid disrupting upcoming elections, ES&S must provide existing Premier customers with access to employees who are knowledgeable about the Premier systems and work out a supply agreement until the new buyer is able to take over manufacturing of the equipment.

ES&S said in a statement that it recognized that the acquisition had caused concern.

“With that in mind, we fully cooperated and have been working closely with the antitrust division of the Department of Justice to address those concerns,” the company said. “We look forward to a resolution of this matter that will allow jurisdictions to move forward immediately in planning for upcoming election events.”

The company added that since the merger, it had provided support for more than 1,000 election events administered by former Premier customers.

Photo: Ben Sutherland/Flickr


Funeral Flap: Justices Weigh Religion, Speech Rights


The Supreme Court agreed Monday to delve into the sensitive question of whether the First Amendment protects anti-gay protesters carrying placards outside military funerals, bearing “America is Doomed,” “Thank God for 9/11” and other volatile slogans, like “Thank God for dead soldiers.”

The messages and picketing are part of a Kansas church’s belief that the United States’ tolerance for homosexuality is cause for soldiers’ deaths in Iraq and Afghanistan.

The case the justices decided to review Monday tests the boundaries of free speech versus freedom of religion — doctrines both embodied in the First Amendment.

Without comment, the justices agreed to review last year’s federal appellate decision that overturned a $5 million verdict (.pdf) in favor of a Baltimore man who sued the Westboro Baptist Church of Topeka and its pastor, Fred Phelps, in 2006. The father of Marine Lance Cpl. Matthew Snyder was awarded damages for, among other things, invasion of privacy and emotional distress for the events that occurred outside his son’s funeral at a Catholic church in Maryland.

“Whether the freedom of religion and assembly is subordinate to the freedom of speech is an important question because by necessary implication, one of the tenets of the First Amendment is undermined,” (.pdf) lawyers for the soldier’s father, Albert Snyder, told the high court in a filing.

His lawyers told the justices that the presence of Phelps and a handful of others “created a negative and circus-like atmosphere during a solemn and religious occasion” and “added insult to injury during a time of grief and mourning.” The protesters also displayed a banner depicting two men engaging in anal sex.

Lawyers for Phelps, however, urged the court to stay out of the case, saying the deaths of U.S. soldiers are a matter of public concern and debate.

“How these soldiers are living and dying is a topic of substantial public interest and dialogue, at least nationwide, probably worldwide. The prevailing view is that the soldiers are heroes, and that God is obligated to bless America,” (.pdf) Phelps’ lawyers wrote. “Those views clash with the Bible, in respondents’ sincerely held religious opinion, and when these funerals are used to express those viewpoints, respondents feel duty-bound to provide a countervailing message, to wit, if you want God’s blessings, you have to obey him, and if you want the soldiers to stop dying, you have to stop sinning in this nation.”

Photo: The Rev. Fred Phelps prepares to protest outside the Kansas Statehouse in Topeka in 2006./Associated Press

11 More U.S. Airports Get Body Scanners

Transportation officials announced Friday that 11 more United States airports will begin receiving full-body imaging machines.

“By accelerating the deployment of this technology, we are enhancing our capability to detect and disrupt threats of terrorism across the nation,” Homeland Security Secretary Janet Napolitano said in a statement.

Despite concerns about privacy and the machines’ effectiveness, the 11 airports are to get the 150 machines beginning Monday at Boston’s Logan International Airport, and one at the O’Hare International Airport in Chicago. In all, 30 U.S. airports will employ the scanning devices.

Fliers declining to submit to the machines that create X-ray-like virtual images of the body may get intense pat-downs from Transportation Security Administration authorities. The combined 150 imaging machines are being bought, in part, with $1 billion the government set aside from its $787 billion federal bailout bill.

The American Civil Liberties Union has decried the scanners as “virtual strip searches.” The Electronic Privacy Information Center, in a Freedom of Information Act request, said the machines are capable of storing and transmitting images of passengers despite the government’s claim to the contrary.

A test-image shown to reporters Friday at Logan International “showed the blurry outline of a female volunteer. None of her clothing was visible, nor were her genitals, but the broad contours of her chest and buttocks were. Her face also was blurred,” The Associated Press said. “The image included the shadow of a cellphone purposely left on her belt, as well as the metal buttons on her pants. But overall, it looked like the outline of a ghost.”

The Amsterdam airport where suspected underwear bomber Umar Farouk Abdulmutallab boarded a Detroit-bound Christmas flight had the scanning machines. But they were not used to check the Nigerian.

The machines also cannot detect so-called “booty bombs” in which an explosive is inserted into the body.

By summer, TSA expects the units, made by California-based Rapiscan, to be deployed at airports in Fort Lauderdale, Florida; San Jose, San Diego, Los Angeles and Oakland, California; Columbus, Ohio; Charlotte, North Carolina; Cincinnati; and Kansas City.


White House Cyber Czar: ‘There Is No Cyberwar’

Howard Schmidt, the new cybersecurity czar for the Obama administration, has a short answer for the drumbeat of rhetoric claiming the United States is caught up in a cyberwar that it is losing.

“There is no cyberwar,” Schmidt told Wired.com in a sit-down interview Wednesday at the RSA Security Conference in San Francisco.

“I think that is a terrible metaphor and I think that is a terrible concept,” Schmidt said. “There are no winners in that environment.”

Instead, Schmidt said the government needs to focus its cybersecurity efforts to fight online crime and espionage.

His stance contradicts Michael McConnell, the former director of national intelligence who made headlines last week when he testified to Congress that the country was already in the midst of a cyberwar — and was losing it.

Schmidt’s official title is cyber-security coordinator at the White House, a job he took over just before Christmas. Schmidt has no budgetary authority, but he said that doesn’t make him powerless, because his office is in the White House. He’s been there before as an adviser to President George W. Bush, and he’s been the president and board member of countless security associations.

One of his first moves in his new job was to publish an unclassified summary of the country’s 12-point cybersecurity plan, known as the Comprehensive National Cybersecurity Initiative, a move toward transparency that he announced Monday as the keynote speaker at the world’s premier security conference.

That plan was first formulated under a veil of secrecy in January 2008 by President Bush. He was prompted in no small part by McConnell, who was director of national intelligence and reportedly convinced the president that a cyberattack could cause more economic damage to the United States than the 9/11 terrorist attacks.

Much of the authority and the funds under that initiative fell to the National Security Agency, the military’s premier spying agency that also has responsibility for locking down the government’s classified networks. Not surprisingly, McConnell, as DNI, held power over the NSA.

McConnell rejoined Booz Allen Hamilton, a defense contractor that made more than $4 billion in 2008, mostly in government contracts, including secret ones. A former NSA director, McConnell now serves as the vice president for national security business at Booz Allen Hamilton. It was recently acquired by the powerful and politically connected Carlyle Group, the world’s largest private equity firm, whose advisers and board members have included George Bush, George W. Bush, James Baker and former SEC chief Arthur Levitt.

In an op-ed in the Washington Post last weekend, McConnell called for a re-engineering of the internet and a return to a Cold War mentality of deterrence, based on the threat that the United States would massively retaliate against any perceived attack.

“More specifically, we need to re-engineer the internet to make attribution, geolocation, intelligence analysis and impact assessment — who did it, from where, why and what was the result — more manageable,” McConnell wrote.

Threat Level rebutted that notion Monday, in a post that called McConnell the greatest threat to the internet.

For his part, Schmidt said no re-engineering of the internet is in the plans under the Obama administration. And he re-emphasized the president’s promise — delivered in a May speech addressing cybersecurity — that the government would not monitor the internet at large.

“People have to recognize that when we close the door and go home, we are just normal netizens like anyone else,” Schmidt said. “I’ve been in the internet from the very beginning. We don’t want to see it changed to where it is no longer available and we don’t have the ability to do things anonymously as we choose to in certain realms.”


Security Pros Question Deployment of Smart Meters


The country’s swift deployment of smart-grid technology has security professionals concerned that utilities and smart-meter vendors are repeating the mistakes made in the rollout of the public internet, when security became a priority only after malicious attacks had reached mass levels.

But when it comes to the power grid, the costs of remote hack attacks are potentially more dramatic.

“The cost factor here is what’s turned on its head. We lose control of our grid, that’s far worse than a botnet taking over my home PC,” said Matthew Carpenter, senior security analyst of InGuardian, speaking at a panel at the RSA Security Conference in San Francisco this week.

The panel included Seth Bromberger, manager of information security at Pacific Gas and Electric, a San Francisco-based utility company that provides natural gas and electrical services to customers in Central and Northern California and is in the forefront of the smart-meter rollout; and Matt Franz, principal security engineer at Science Applications International Corporation.

Carpenter serves on the AMI-SEC Task Force, a group working on developing security guidelines and best practices for smart-meter infrastructure, and has done penetration testing on smart-meter systems to uncover security issues. He said the most common vulnerability he’s seen so far is susceptibility to “cross-site request forgery” on the control systems.

“That took me by surprise,” he said. “That’s not something that I would have imagined to be one of the greatest vulnerabilities found.”

Cross-site request forgery allows an attacker to hijack an authentication cookie stored in a user’s browser — to authenticate him, for example, to his bank or, in this case, a utility control system — and obtain access to the system as that user.

Last October, President Barack Obama announced $3.4 billion in grants to utility companies, municipal districts and manufacturers to spur a nationwide transition to smart-grid technologies and fund other energy-saving initiatives as part of the federal economic stimulus package.

Smart grids use digital meters and control mechanisms that allow utility companies to better control the flow of electricity remotely and promise to save energy and reduce utility costs. Smart meters installed in homes and businesses allow utility companies to remotely communicate with the devices to read usage levels and control the delivery of services.

But security research on the systems is lagging behind the deployment of smart meters, which has already occurred in some places in the United States. PG&E is in the lead with 5 million gas and electric smart meters deployed since 2006, which represents about half of its customer base. PG&E expects to deploy an additional 5 million smart meters by 2012.

Among the concerns Carpenter expressed was one related to vulnerabilities that could arise in the encryption schemes used in smart-grid systems, given that the systems are expected to have a lifespan of 15 to 20 years. Advances in encryption cracking that are likely to occur over that time period would make the encryption obsolete, he said.

He also discussed a need to examine the aggregation points that receive communication from the meters and have “an immense amount of control” in some cases.

“In some circumstances they’re simply going to give you a denial-of-service if you tamper with them because the crypto is done appropriately from the head-end control system down to the meters and the aggregation point really can’t tinker much with it,” Carpenter said. “But in other [cases] there’s a great deal of control that that aggregation point has, and they’re sitting on the top of a [utility] pole — not in a brick building [with] guard dogs and razor wire … and [they have] an ethernet cable.”

An attacker could sniff traffic going to the aggregation point or possibly send commands to the meters or inject code into the backend control system.

But even more pressing and immediate, in terms of vulnerabilities, is the remote shut-off capability in smart meters. Digital smart meters have an electronic disconnect switch that allows the utility company to shut down electricity remotely. Carpenter asked PG&E’s Bromberger directly, “Why not think about disconnecting the disconnect switch until we figure out more of what we’re dealing with?”

Bromberger responded that PG&E had in fact disabled the remote disconnect function in the first generation of electricity smart meters it deployed.

“We wanted to be sure that we had detection-response capabilities and security figured out before we started implementing that,” he said.

What he didn’t say was that this actually represents only a tiny portion of the meters PG&E has deployed.

A PG&E spokesman provided details to Threat Level after the panel discussion. Of the 5 million PG&E smart meters currently deployed, 2.5 million are electricity meters, with the remainder gas meters. Spokesman Paul Moreno confirmed that 300,000 of the electricity meters do have the remote disconnect function disabled, but he couldn’t say how many, if any, of the 2.2 million other meters have been disabled in the same manner. When asked if he could obtain the information, Moreno said the company had never been asked for it before and wasn’t sure if those figures existed. UPDATE: In a follow-up e-mail, Moreno said that “most of the 2.2 million second-generation electric SmartMeter meters are capable of remote connect/disconnect.”

The 300,000 meters that have the functionality disabled are mechanical meters that can be read remotely through the power line; the remaining 2.2 million are digital meters that use a radio frequency signal for remote communication.

The gas smart meters don’t allow for remote turnoff. They aren’t actually new meters but simply devices that go on top of existing gas meters to record the number of therms being used.

With regard to vulnerabilities in general, the panelists acknowledged that new vulnerabilities would always arise in smart systems no matter how well the systems are designed. The important thing is to make compromise as painful and time-consuming a process as possible to deter or delay an attacker and implement processes for adequate detection and response so that when a compromise does occur, utility companies can do something swiftly to limit the damage.

Photo courtesy PG&E


DMCA Muscle Kills DVD Copying, for Real

Those awaiting a legitimate method to duplicate DVDs for personal use will likely have to wait even longer, perhaps forever, after RealNetworks tossed in the white towel and abandoned its litigation on the matter.

RealNetworks spent almost two years in a legal battle with the Motion Picture Association of America, which sued the Seattle company to block the sale of its DVD-copying software and hardware, generally known as RealDVD. The company said late Wednesday it’s dropping its appeal of an August federal court decision that declared RealDVD an illegal violation of the Digital Millennium Copyright Act of 1998.

The act, which the Hollywood studios strongly lobbied for, prohibits the circumvention of encryption technology. DVDs are encrypted with what is known as the Content Scramble System, and DVD players must secure a license to play discs. RealDVD, U.S. District Judge Marilyn Hall Patel ruled, circumvents the CSS technology designed to prevent copying and is therefore a breach of the CSS license.

The litigation cost RealNetworks millions of dollars, including $4.5 million to reimburse the MPAA for its legal costs. The outcome cost Rob Glaser, RealNetworks’ CEO, his job.

Most important, RealNetworks’ admitted defeat solidifies the DMCA’s power and leaves in its wake a legal and political vacuum: There is no active movement to legalize the duplication of DVDs under the DMCA, and every attempt to do so has failed.

For the moment, consumers will have to opt for underground services like HandBrake and others to copy their DVDs — a practice whose legality is questionable under Patel’s ruling. Pirating and sharing movies on illicit BitTorrent sites is also available, but clearly unlawful under the copyright act.

In the end, there is no legitimate method to copy one’s DVDs, even children’s DVDs that are often scratched by their juvenile owners.

Copying DVDs amounts to “theft,” the MPAA’s general counsel, Daniel Mandil, said Wednesday. And RealNetworks’ white flag has emboldened the movie studios’ litigation arm, which Mandil said would “vigorously pursue companies that attempt to bring these illegal circumvention products and devices to market.”


‘Google’ Hackers Had Ability to Alter Source Code


Hackers who breached Google and other companies in January targeted source-code management systems, security firm McAfee asserted Wednesday. They manipulated a little-known trove of security flaws that would allow easy unauthorized access to the intellectual property the system is meant to protect.

The software-management systems, widely used at businesses unaware that the holes exist, were exploited by the Aurora hackers in a way that would have enabled them to siphon source code, as well as modify it to make customers of the software vulnerable to attack. It’s akin to making yourself a set of keys in advance for locks that are going to be sold far and wide.

A white paper released by security firm McAfee during this week’s RSA security conference in San Francisco provides a couple of new details about the Operation Aurora attacks (.pdf) that affected 34 U.S. companies, including Google and Adobe, beginning last July. McAfee helped Adobe investigate the attack on its system and provided information to Google about malware used in the attacks.

According to the paper, the hackers gained access to software-configuration management systems (SCM), which could have allowed them to steal proprietary source code or surreptitiously make changes to the code that could seep undetected into commercial versions of the company’s product. Stealing the code would allow attackers to examine the source code for vulnerabilities, in order to develop exploits to attack customers who use the software, such as Adobe Reader, for example.

“[The SCMs] were wide open,” says Dmitri Alperovitch, McAfee’s vice president for threat research. “No one ever thought about securing them, yet these were the crown jewels of most of these companies in many ways — much more valuable than any financial or personally identifiable data that they may have and spend so much time and effort protecting.”

Many of the companies that were attacked used the same source-code management system made by Perforce, a California-based company that makes products used by many large companies. McAfee’s white paper focuses on the insecurities in the Perforce system and provides suggestions for securing it, but McAfee said it will look at other source-code management systems in the future. The paper doesn’t indicate which companies were using Perforce or had vulnerable configurations installed.

As previously reported, the attackers gained initial access by conducting a spear-phishing attack against specific targets within the company. The targets received an e-mail or instant message that appeared to come from someone they knew and trusted. The communication contained a link to a website hosted in Taiwan that downloaded and executed a malicious JavaScript, with a zero-day exploit that attacked a vulnerability in the user’s Internet Explorer browser.

A binary disguised as a JPEG file then downloaded to the user’s system and opened a backdoor onto the computer and set up a connection to the attackers’ command-and-control servers, also hosted in Taiwan.

From that initial access point, the attackers obtained access to the source-code management system or burrowed deeper into the corporate network to gain a persistent hold.

According to the paper, many SCMs are not secured out of the box and also do not maintain sufficient logs to help forensic investigators examining an attack. McAfee says it discovered numerous design and implementation flaws in SCMs.

“Additionally, due to the open nature of most SCM systems today, much of the source code it is built to protect can be copied and managed on the endpoint developer system,” the paper states. “It is quite common to have developers copy source code files to their local systems, edit them locally, and then check them back into the source code tree…. As a result, attackers often don’t even need to target and hack the backend SCM systems; they can simply target the individual developer systems to harvest large amounts of source code rather quickly.”

Alperovitch told Threat Level his company has seen no evidence yet to indicate that source code at any of the hacked companies had been altered. But he said the only way to determine this would be to compare the software against backup versions saved over the last six months, back to when the attacks are believed to have begun.

“That’s an extremely laborious process, particularly when you are dealing with massive projects with millions of lines of code,” Alperovitch said.

Among the vulnerabilities found in Perforce:

  • Perforce runs its software as “system” under Windows, giving malware the ability to inject itself into system-level processes and providing an attacker access to all administrative functions on the system. Although the Perforce documentation for UNIX tells the reader not to run the server service as root, it doesn’t suggest making the same alteration to the Windows service. As a result, the default installation on Windows runs as a local system, or as root.
  • By default, unauthenticated anonymous users are allowed to create users in Perforce, and no user password is required to create a user.
  • All information, including source code, that is communicated between the client system and the Perforce server is unencrypted and therefore easily sniffed and compromised by someone on the network.
  • The Perforce tools use weak authentication, allowing any user to replay a request with a cookie value that is easy to guess and obtain authenticated access to the system to perform “powerful operations” on the Perforce server.
  • The Perforce client and server store all files in cleartext, allowing easy compromise of all the code in the local cache or on the server.

The paper lists a number of additional vulnerabilities.

Spain Busts Hackers for Infecting 13 Million PCs

BOSTON (Reuters) — Spanish police have shut down a ring of computer hackers who infected more than 13 million PCs with a virus that stole credit card numbers and other valuable data in what may be the biggest cyber-raid to date.

Spain’s Civil Guard said on Tuesday that it arrested three men suspected of running the so-called Mariposa botnet, named after the Spanish word for butterfly. A press conference to give more details is scheduled for Wednesday.

Mariposa had infected machines in 190 countries in more than half of the world’s 1,000 largest companies and in at least 40 big financial institutions, according to two Internet security firms that helped Spanish officials crack the ring, Canada’s Defense Intelligence and Spain’s Panda Security.

“It was so nasty, we thought ‘We have to turn this off. We have to cut off the head,’” said Chris Davis, CEO of Defense Intelligence, which discovered the virus last year. He added that the ring was shut down on December 23.

The virus was programmed to steal all login credentials and record every keystroke on an infected computer, then send the data back to a “command and control center,” where the ringleaders stored the data.

“Basically they were going after anything that would make them money,” Davis said.

Mariposa initially spread by exploiting a vulnerability in Microsoft Corp’s Internet Explorer Web browser. It also contaminated machines by infecting USB memory sticks, he said.

(Reporting by Jim Finkle, additional reporting by Madrid newsroom. Editing by Robert MacMillan)

Photo: Anvica/Flickr


Flipping Off Cops Is Legal, Not Advised

Flipping the bird, or sticking out the middle finger, is perhaps the oldest insulting gesture on earth. The move dates back to ancient Greece and was adopted by the Romans as digitus impudicus — the impudent finger.

A zillion middle fingers later, an Oregon man is suing suburban Portland cops (.pdf) over his use of the gesture, claiming civil rights violations. Twice he flipped them off for no apparent reason while driving and was pulled over each time — resulting in what he said was a “bogus” traffic citation that was later dismissed, and a tongue lashing he still remembers.

“The guy flew into a road rage,” Robert Ekas, a retired Silicon Valley systems analyst, said in a telephone interview Tuesday.

Lawrence Wolf, a Los Angeles criminal defense attorney, said there was no law against flipping off cops. And in most instances when it leads to an arrest or conviction, the charges are dismissed. But the gesture invites police confrontation, he said.

“It’s certainly not the smartest thing one can do,” Wolf said.

American University legal scholar Ira Robbins has written a definitive paper on flipping the bird: “Digitus Impudicus: The Middle Finger and the Law.” (.pdf)

“The pursuit of criminal sanctions for use of the middle finger infringes on First Amendment rights, violates fundamental principles of criminal justice, wastes valuable judicial resources, and defies good sense,” Robbins wrote.

In November, a Pittsburgh man was awarded $50,000 after he was wrongly cited for disorderly conduct after flipping off an officer.

Ekas, in both instances, flipped off officers while they were driving a Clackamas County patrol car. “It seemed like the right thing to do,” said the 46-year-old, who is seeking damages and police reform amid allegations he was unlawfully stopped. “The long and the short of it, I was pulled over because I gave them the finger.”

A federal judge will entertain Clackamas County’s motion on March 15 to have the civil rights lawsuit tossed. The county denies the allegations. (.pdf)

Ekas said his actions, which occurred with his teen-aged son in the car both times, were a form of protest against the agency he claims is abusing its citizenry. “That’s why they get the finger,” he said, noting he wants a jury trial.

Wolf, meanwhile, suggested if Ekas’ case makes it to trial, the officers are likely to testify that they were concerned “about his sanity.”

The jury, he said, is likely to say, “‘Give me a break’ and then go home.”

Photo: davidsonscott15/Flickr

U.S. Declassifies Part of Secret Cybersecurity Plan

The Obama administration declassified part of the government’s cybersecurity plan Tuesday, publishing parts of it that discuss intrusion detection systems for federal computer networks and the government’s role in securing critical infrastructure.

The declassification announcement was made by Howard A. Schmidt, a former Microsoft security executive who in December was appointed cybersecurity coordinator by President Barack Obama. Schmidt was speaking at the RSA Security Conference in San Francisco, an annual industry conference for computer security professionals.

The government’s Comprehensive National Cybersecurity Initiative was launched in 2008 by President George W. Bush under a shroud of secrecy. The plan has 12 directives that cover the government’s strategy to protect U.S. networks — including military, civilian, government networks and critical infrastructure systems — as well as the government’s offensive strategy to combat cyberwarfare.

Civil libertarians criticized the Bush administration for failing to disclose the contents of the plan or allowing independent oversight of its implementation. Schmidt said that Obama recognized the need for some transparency.

“There are a lot of legal issues about what we’re doing,” he told the 2,000-member audience, adding that the government was currently working on a list of about 40 legal questions related to the cybersecurity initiative.

Obama said last May that he planned to appoint a separate official to ensure that the implementation of the cybersecurity plan doesn’t violate privacy and civil liberties and insisted that the government’s plan would not include spying on the public.

“Our pursuit of cybersecurity will not include — I repeat, will not include — monitoring private sector networks or internet traffic,” he said. “We will preserve and protect the personal privacy and civil liberties that we cherish as Americans.”

A White House spokesman said Tuesday that the administration had appointed Tim Edgar to oversee the privacy aspects of the cybersecurity initiative. Edgar, a former attorney for the American Civil Liberties Union, has been working as the deputy for civil liberties for the Civil Liberties and Privacy Office of the Office of the Director of National Intelligence.

The declassified portion of the plan published Tuesday includes information on only part of the initiative and does not discuss cyberwarfare. The plan instead discusses the deployment of Einstein 2 and Einstein 3, intrusion detection systems on federal networks designed to inspect internet traffic entering government networks to detect potential threats.

DHS (Department of Homeland Security) is deploying, as part of its EINSTEIN 2 activities, signature-based sensors capable of inspecting Internet traffic entering Federal systems for unauthorized accesses and malicious content. The EINSTEIN 2 capability enables analysis of network flow information to identify potential malicious activity while conducting automatic full packet inspection of traffic entering or exiting U.S. Government networks for malicious activity using signature-based intrusion detection technology…. EINSTEIN 2 is capable of alerting US-CERT in real time to the presence of malicious or potentially harmful activity in federal network traffic and provides correlation and visualization of the derived data….

The EINSTEIN 3 system will also support enhanced information sharing by US-CERT with Federal Departments and Agencies by giving DHS the ability to automate alerting of detected network intrusion attempts and, when deemed necessary by DHS, to send alerts that do not contain the content of communications to the National Security Agency (NSA) so that DHS efforts may be supported by NSA exercising its lawfully authorized missions.

The Einstein programs have raised concerns among privacy and civil liberties groups, such as the Center for Democracy and Technology, because they involve scanning the content of communications to intercept malicious code before it reaches government networks.

In 2008, the Department of Homeland Security’s Privacy Office published a Privacy Impact Assessment on early versions of Einstein 2 (.pdf) but has not published one on Einstein 3. The assessment left many questions unanswered, such as how much of a role the National Security Agency will play in the programs and whether information obtained in scans will be shared with law enforcement or intelligence agencies.

What may be the most controversial part of the declassified plan is a discussion of a need for the government to define its role in protecting private critical infrastructure networks. Critical infrastructure includes the electrical grid, telecommunication networks, internet service providers, the banking and financial industry, and others.

The document indicates that DHS and private-sector businesses have already “developed a plan of shared action with an aggressive series of milestones and activities” but doesn’t discuss the nature of those shared actions other than to say that the two sectors are focused on developing a “public-private sharing of information regarding cyberthreats and incidents.”

The U.S. Government depends on a variety of privately owned and operated critical infrastructures to carry out the public’s business. In turn, these critical infrastructures rely on the efficient operation of information systems and networks that are vulnerable to malicious cyberthreats. This Initiative builds on the existing and ongoing partnership between the Federal Government and the public and private sector owners and operators of Critical Infrastructure and Key Resources (CIKR)…. It addresses security and information assurance efforts across the cyberinfrastructure to increase resiliency and operational capabilities throughout the CIKR sectors.

Additionally, the plan calls for a strategy to increase the security of classified networks and to develop and implement a government-wide cybercounterintelligence (CI) plan, but provides little detail about what that would involve.

“A government-wide cybercounterintelligence plan is necessary to coordinate activities across all Federal Agencies to detect, deter, and mitigate the foreign-sponsored cyberintelligence threat to U.S. and private sector information systems,” the plan says. “To accomplish these goals, the plan establishes and expands cyber CI education and awareness programs and workforce development to integrate CI into all cyber operations and analysis, increase employee awareness of the cyber CI threat, and increase counterintelligence collaboration across the government.”

Photo: huertk/Flickr
