By Jake Edge
May 2, 2012
Depending on whom you listen to, "cybersecurity" is either an enormous
national security concern
or a largely overblown issue promulgated by those with something to gain.
There is little question that there are security threats to computers that
emanate from "cyberspace"—though that term might best be relegated to
the science fiction where it originated—and that some of those
threats could cause serious harm to the infrastructure of the internet and
to systems connected to it. But, like most internet "protection" laws, the
proposed US "Cyber Intelligence Sharing and Protection Act" (CISPA) does
little to actually address the problem it is meant to solve and is,
instead, an enormous
overreach into the private communications of internet users.
The ostensible purpose of CISPA is to facilitate the sharing of network
traffic information between US government agencies and various US companies
to assist in investigating and thwarting internet attacks. While that may
sound relatively harmless—possibly even beneficial—the devil,
as always, is in the details. In this case, the details aren't very clear;
as the bill is written it could allow for nearly limitless internet data
collection, with provisions to share that information with the US
government, all with little or no oversight. It is, in short, an enormous
circumvention of the usual protections against warrantless wiretapping
(not that we haven't seen those protections
ignored before, of course).
Part of the problem stems from overly vague language in CISPA. The bill only
requires that cybersecurity or national security be "one significant purpose" of the government's use of the data
being shared. That leaves a lot of wiggle room, not only because the two
terms are not well-defined, but also because it allows the use of the data for
non-security purposes if some kind of security tie can be made. Earlier
versions of the bill specifically mentioned things like copyright
enforcement as one of the things that the data could be used for.
CISPA would also shield companies (like ISPs or web sites) from civil and
criminal liability for any
"good faith" sharing of data. That would severely limit the legal recourse
for
users harmed by inappropriate data collection or sharing. The government
is also shielded from legal recourse unless there is intentional or
willful mishandling of the data—notably, negligent handling of the
data is protected.
As we have seen
time and time again (e.g. the PATRIOT Act, Digital
Millennium Copyright Act (DMCA), the Computer Fraud and Abuse Act (CFAA),
etc.) the vagueness of computer-related statutes makes them likely to be
abused, either by prosecutors, government agents, companies, or private
parties, to further aims that are arguably unrelated to the intent of the
law—or
at least its stated intent.
There have been claims, for example, that entering
incorrect information in the registration for a web site can be construed
as "unauthorized access" under the CFAA. Unauthorized access
is one of the threats specifically mentioned by CISPA. That could
potentially turn
anyone who registered a false name or birth date with a social network (or
violated the terms of service of some web site) into a cybersecurity threat
under the law, which would allow the collection and sharing of their
internet traffic. Proponents claim it would never be used that way, of
course, but those same claims were made for the CFAA and others.
In an effort to clarify what else the government could use any of the
collected data for, the US House approved
an amendment to CISPA before passing the measure. Instead of being able
to use the data for "any lawful purpose" (assuming it was
collected and shared due to some tie to cyber or national security), the
amendment narrowed it to five separate uses: "cybersecurity, cyber
crime, protecting people from harm, protecting children from exploitation,
and national security". While that's better, certainly, it
enshrines an expansion of CISPA from strictly being about computer security
to cover additional illegal activities. That expansion is part of what
worried civil liberties organizations (the Electronic Frontier Foundation
(EFF), TechFreedom, American Civil Liberties Union (ACLU), Reporters
Without Borders, and on and on). CISPA is sold as protecting computers and
networks, but stretches further to protecting exploited children and
dealing with "cyber crime".
That's not to say that there isn't good reason to fight those kinds of
problems, but there are already tools at hand to do so. Part of the
selling point of CISPA is that cybersecurity threats are so fast moving
that stopping to get a judge to issue a warrant could cause irreparable
harm. That may be true, but it may also be less true for some of the other
threats now listed in the House version of CISPA. The "extra" threats
probably seem like an
obvious addition, but they may really just end up allowing carte blanche
fishing expeditions in the internet traffic of those suspected
of being some kind of security threat.
Normally, it is the role of judges to impartially look at the reasons that
law enforcement has for its suspicions before they grant search warrants.
That is
meant to provide some "checks and balances" in the system. Circumventing
that requirement should not be taken lightly as it is only a question of
when, not if, these kinds of provisions will be abused. There may be
situations where it does make sense to short-circuit the search warrant
process (at least for a short period of time), but it's not at all clear that
the bill's proponents have thought that through. Instead, it seems
like the
"threat du jour", one that Congress must take action on.
The US Senate will also be considering CISPA sometime soon, though the
Obama administration has threatened a presidential veto over privacy
concerns. That threat isn't being
taken very seriously by some, but passage by the Senate is far from
assured anyway. That said, it is a worrisome bill and the EFF and others
are gearing
up to oppose it in the Senate.
If there truly is a need for some kind of sweeping cybersecurity
legislation because existing laws cannot handle some
violations—something that hasn't been well articulated by
proponents—there are a number of steps that could be taken to make
CISPA more palatable to civil liberties and privacy advocates. Adding a
mandatory judicial review, reducing the scope to the actual problem being
addressed, and not giving blanket protection against "good faith" misuse of
the data to the government and internet carriers and
providers would all be steps in the right direction. Unfortunately, while
there have been amendments made, the core problems with CISPA remain.
While it may be tempting to write this off as a "US problem", passage of
CISPA is likely to affect internet users worldwide. Large chunks of
internet traffic pass through the US, which would make it vulnerable to
collection. In addition, many internet services are based in the US, and
those US companies might well be asked to hand over data on those in other
countries perceived to be security threats. In fact, the supposed intent
of CISPA is to protect against threats from "overseas".
In the end, CISPA is a poorly thought out, knee-jerk reaction to a real
problem. The scope and severity of that problem is not well understood,
however,
and there is a burgeoning cybersecurity industry that is, at a minimum,
cheerleading for tougher measures like this one. That's not a recipe for
good legislation. CISPA is just another in
a long line of
proposed and enacted legislation with a stated intent that is far different
from the language in the bill itself. But it is certainly something to keep an
eye on.
Brief items
Gadzooks. A scared populace is much more willing to pour money into the
cyberwar arms race.
-- Bruce Schneier
Structurally, the economics of cybercrimes like spam and password-stealing
are the same as those of fishing. Economics long ago established that
common-access resources make for bad business opportunities. No matter how
large the original opportunity, new entrants continue to arrive, driving
the average return ever downward. Just as unregulated fish stocks are
driven to exhaustion, there is never enough “easy money” to go around.
-- Dinei Florêncio and Cormac Herley in The New York Times
As background, [Luigi] Auriemma explains that when the device receives a controller packet it displays a message informing users that a new ‘remote’ has been detected, and prompts the user to ‘allow’ or ‘deny’ access. Included with this remote packet is a string field used for the name of the device. Auriemma found that if he altered the name string to contain line feed and other invalid characters, the device would enter an endless loop.
Auriemma claims that nothing really happens for the first five seconds, but then he lost control of the TV, both manually on the control panel and with the remote. Then after another five seconds, he claims, the TV [automatically] restarts. Then the process repeats itself forever, even after unplugging the TV. Eventually, Auriemma managed to reset the TV in service mode. He writes that users can avoid the situation altogether by hitting ‘exit’ when prompted to ‘allow’ or ‘deny’ the new remote device.
-- Brian Donohue at threatpost.com
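Rejecting a malformed name field before it reaches the display path, rather than relying on the user to hit ‘exit’, is the check a device-side implementation would want. The following is an added Python example written for this page, not code from the original article or from any TV firmware; the packet shape, the 32-character limit and the RemoteNameError class are assumptions.

```python
import unicodedata

MAX_NAME_LEN = 32   # assumed limit; the article does not state one


class RemoteNameError(ValueError):
    """Raised when a remote's advertised name fails validation (assumed class)."""


def validate_remote_name(raw: bytes) -> str:
    """Validate the name field of a (constructed) remote-pairing packet before use.

    Rejects, instead of trying to render: undecodable bytes, names that are
    empty or too long, and any control, format or line-separator character
    (line feed, carriage return, NUL, bidi overrides, U+2028, ...).
    """
    try:
        name = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise RemoteNameError("name is not valid UTF-8") from exc
    name = name.strip()
    if not name:
        raise RemoteNameError("empty name")
    if len(name) > MAX_NAME_LEN:
        raise RemoteNameError(f"name longer than {MAX_NAME_LEN} characters")
    for ch in name:
        cat = unicodedata.category(ch)
        # C* = control/format/surrogate/private-use/unassigned, Zl/Zp = line/paragraph separators
        if cat.startswith("C") or cat in ("Zl", "Zp"):
            raise RemoteNameError(f"non-printable character U+{ord(ch):04X} in name")
    return name


def pairing_prompt(packet: dict) -> dict:
    """Decide how a pairing packet is handled (constructed packet: {'name': bytes})."""
    try:
        name = validate_remote_name(packet["name"])
    except RemoteNameError as reason:
        # Drop the request outright rather than looping on a name the UI cannot render.
        return {"action": "drop", "reason": str(reason)}
    return {"action": "prompt", "name": name, "choices": ["allow", "deny"]}


if __name__ == "__main__":
    for raw in (b"Living room remote", b"evil\nremote", b"\x00", b"\xff\xfe"):
        print(raw, "->", pairing_prompt({"name": raw}))
```

The validation happens on the raw bytes before any decoding result is shown, so a name the renderer cannot handle never reaches it; the rejected packet simply produces no prompt.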
High school student trying to crack a system to download a game for free? Cyberattack declared!
Misconfigured hardware or software causing a denial of service problem? Cyberattack declared!
Anything that seems at all out of the ordinary and you want to pass the buck as quickly as possible? Cyberattack declared!
-- Lauren Weinstein
A posting on the Chromium blog describes the project's efforts to do fuzz testing of the browser. "Chrome’s fuzzing infrastructure (affectionately named "ClusterFuzz") is built on top of a cluster of several hundred virtual machines running approximately six-thousand simultaneous Chrome instances. ClusterFuzz automatically grabs the most current Chrome LKGR (Last Known Good Revision), and hammers away at it to the tune of around fifty-million test cases a day. That capacity has roughly quadrupled since the system’s inception, and we plan to quadruple it again over the next few weeks. [...] To appreciate just what that means, consider that ClusterFuzz has detected 95 unique vulnerabilities since we brought it fully online at the end of last year. In that time, 44 of those vulnerabilities were identified and fixed before they ever had a chance to make it out to a stable release." There is mention of pushing the fixes upstream to WebKit and FFmpeg, but there is no mention of whether the ClusterFuzz code will be made available, unfortunately.
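Two ideas in that description, running many mutated inputs against a target and counting only unique vulnerabilities, can be shown on a small scale. The following is an added Python example, not ClusterFuzz code or anything from the Chromium project: a constructed, deliberately buggy record parser stands in for the browser, a byte-level mutator generates cases, and crashes are deduplicated by exception type and raise site so that repeated hits on the same bug count once. The record format, the seed input and the signature scheme are all assumptions made for the example.

```python
import random
import traceback


def parse_records(data: bytes) -> list:
    """Constructed fuzz target: a count byte, then records of [len][payload][checksum].

    It has deliberate bounds bugs, the kind a fuzzer is meant to surface.
    """
    count = data[0]                          # crashes on empty input
    records, pos = [], 1
    for _ in range(count):
        n = data[pos]                        # no check that pos is inside data
        payload = data[pos + 1:pos + 1 + n]
        chk = data[pos + 1 + n]              # no check that the record fits
        if sum(payload) % 256 != chk:
            raise ValueError("bad checksum")  # a deliberate rejection, not a crash
        records.append(payload)
        pos += 2 + n
    _ = sum(len(r) for r in records) // count  # count == 0 divides by zero
    return records


EXPECTED_REJECTIONS = (ValueError,)   # the target's own "input rejected" signal


def crash_signature(exc: BaseException) -> tuple:
    """Dedup key: exception type plus the innermost frame where it was raised."""
    frame = traceback.extract_tb(exc.__traceback__)[-1]
    return (type(exc).__name__, frame.name, frame.lineno)


def run_case(data: bytes):
    """Return a crash signature, or None when the target handled the input."""
    try:
        parse_records(data)
    except EXPECTED_REJECTIONS:
        return None
    except Exception as exc:
        return crash_signature(exc)
    return None


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to four byte-level mutations: bit flip, insert, or delete."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.randrange(3)
        if op == 0 and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == 1:
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif op == 2 and buf:
            del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(seed: bytes, iterations: int = 2000, rng_seed: int = 0) -> dict:
    """Mutate the seed, run each case, keep one reproducer per unique signature."""
    rng = random.Random(rng_seed)
    found = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        sig = run_case(case)
        if sig is not None and sig not in found:
            found[sig] = case
    return found


# Constructed valid seed: two records, "abc" (checksum 38) and "x" (checksum 120).
SEED = bytes([2, 3]) + b"abc" + bytes([38]) + bytes([1]) + b"x" + bytes([120])

if __name__ == "__main__":
    for sig, case in fuzz(SEED).items():
        print(sig, case.hex())
```

The important distinction is between an input the target rejects on purpose (here a ValueError) and one that crashes it; a fuzzer that counts both as findings drowns real bugs in noise, and one that keys findings on the raw exception text rather than the raise site reports the same bug hundreds of times.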
The OONI-probe (Open Observatory of Network Interference) is an early attempt to "collect data about local meddling with the computer’s network connections, whether it be censorship, surveillance or selective bandwidth slowdowns." Forbes takes a look at this new effort by Tor developers Arturo Filasto and Jacob Appelbaum. "Tor’s OONI project, funded in part with a grant from Radio Free Asia, isn’t the first to monitor and measure Internet censorship around the world–other projects like the Open Net Initiative, the Berkman Center’s HerdictWeb and Google’s Transparency Report all aim to spot censorship and Internet slowdowns. But unlike those projects, OONI uses only open-source software and plans to make the raw data gathered by its tools public and accessible to any researcher.
“This came from a bit of disappointment over the fact that all the existing tools out there for monitoring censorship were either not using open methodologies or not making their data available,” says Filasto, a 21-year old computer science student at Rome’s Sapienza university. “Our goal with OONI is to build that open framework, so that researchers can independently prove that the methodology is valid and repeat the tests.”" (Thanks to Paul Wise)
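One of the simplest interference measurements is a DNS consistency check: resolve the same names through a control resolver and through the local one, compare the answer sets, and publish the raw answers alongside the verdicts so another researcher can re-check them. The Python below is an added example written for this page, not OONI's own code; the control and local answer sets are constructed (documentation-range addresses), and the classification rules (any overlap counts as consistent, since round-robin and CDN answers legitimately differ) are assumptions made here, not OONI's methodology.

```python
import json

# Constructed answers: what an unfiltered control resolver returned, and what the
# resolver under test returned for the same names (all addresses are documentation ranges).
CONTROL_ANSWERS = {
    "example.org": {"192.0.2.1"},
    "news.example": {"198.51.100.10", "198.51.100.11"},
    "blog.example": {"203.0.113.5"},
    "cdn.example": {"192.0.2.20", "192.0.2.21"},
}
LOCAL_ANSWERS = {
    "example.org": {"192.0.2.1"},
    "news.example": {"10.10.10.10"},   # points somewhere the control never saw
    "blog.example": set(),             # NXDOMAIN / empty reply locally
    "cdn.example": {"192.0.2.21"},     # partial overlap, typical of round-robin CDNs
}


def classify(control: set, local: set) -> str:
    """Verdict for one hostname (assumed rules, see lead-in)."""
    if not local:
        return "no_answer"        # control had addresses, local resolver gave none
    if local & control:
        return "consistent"       # any overlap: round-robin or CDN explains the rest
    return "inconsistent"         # disjoint answer sets: candidate for DNS tampering


def dns_consistency_report(control_answers: dict, local_answers: dict) -> list:
    """Per-hostname measurements, keeping the raw answers next to the verdict."""
    report = []
    for name, control in sorted(control_answers.items()):
        local = local_answers.get(name, set())
        report.append({
            "hostname": name,
            "control": sorted(control),
            "local": sorted(local),
            "result": classify(control, local),
        })
    return report


def anomalies(report: list) -> list:
    """Hostnames whose local answers did not agree with the control."""
    return [r["hostname"] for r in report if r["result"] != "consistent"]


def to_json(report: list) -> str:
    """Serialise the full measurement so the raw data, not just verdicts, is published."""
    return json.dumps({"test_name": "dns_consistency", "measurements": report}, indent=2)


if __name__ == "__main__":
    rep = dns_consistency_report(CONTROL_ANSWERS, LOCAL_ANSWERS)
    print(to_json(rep))
    print("anomalies:", anomalies(rep))
```

A verdict of "inconsistent" is only a candidate: geo-targeted CDNs, split-horizon DNS and stale caches all produce disjoint answer sets without any interference, which is exactly why the raw answers travel with the verdict.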
New vulnerabilities
bugzilla: security bypass/cross-site scripting
| Package(s): | bugzilla |
| CVE #(s): | CVE-2012-0466, CVE-2012-0465 |
| Created: | May 1, 2012 |
| Updated: | May 2, 2012 |
| Description: | From the CVE entries: |
template/en/default/list/list.js.tmpl in Bugzilla 2.x and 3.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1 does not properly handle multiple logins, which allows remote attackers to conduct cross-site scripting (XSS) attacks and obtain sensitive bug information via a crafted web page. (CVE-2012-0466)
Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled, does not properly validate the X-Forwarded-For HTTP header, which allows remote attackers to bypass the lockout policy via a series of authentication requests with (1) different IP address strings in this header or (2) a long string in this header. (CVE-2012-0465)
| Alerts: | |
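The second entry above describes a lockout keyed on a header the client controls. The Python below is an added example written for this page, not Bugzilla's code: it contrasts a counter keyed on the raw header text, where each new string (or an over-long one) starts a fresh counter, with one that honours X-Forwarded-For only when the TCP peer is a configured proxy, takes the address that proxy appended, bounds the header length and parses the result as an IP address. The proxy address, the five-failure threshold and the LoginLimiter class are assumptions.

```python
import ipaddress
from collections import defaultdict
from typing import Optional

MAX_FAILURES = 5                 # assumed policy: failed logins before an address is locked
MAX_XFF_LEN = 256                # cap so an over-long header cannot become a fresh key
TRUSTED_PROXIES = {"10.0.0.1"}   # constructed: the only peer allowed to assert X-Forwarded-For


def naive_client_key(remote_addr: str, xff: Optional[str]) -> str:
    """The weak pattern: the raw header text becomes the lockout key."""
    return xff if xff else remote_addr


def hardened_client_key(remote_addr: str, xff: Optional[str]) -> str:
    """Derive the client address only from data the deployment actually controls."""
    if remote_addr not in TRUSTED_PROXIES or not xff:
        return remote_addr                   # header from an untrusted peer is ignored
    if len(xff) > MAX_XFF_LEN:
        raise ValueError("X-Forwarded-For too long")
    # The trusted proxy appends the address it saw, so the last element is the one it vouches for.
    candidate = xff.rsplit(",", 1)[-1].strip()
    return str(ipaddress.ip_address(candidate))   # ValueError on anything that is not an address


class LoginLimiter:
    """Per-key failed-login counter (assumed class, in-memory for the example)."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.failures = defaultdict(int)

    def attempt(self, remote_addr: str, xff: Optional[str], password_ok: bool) -> str:
        try:
            key = self.key_fn(remote_addr, xff)
        except ValueError:
            return "rejected"     # malformed forwarding data: refuse before checking credentials
        if self.failures[key] >= MAX_FAILURES:
            return "locked"
        if password_ok:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


def bypass_attempt(limiter: LoginLimiter, tries: int = 8) -> list:
    """Constructed scenario: one client behind the trusted proxy sends a different
    leading address in every request; the proxy appends the real one (203.0.113.7)."""
    return [limiter.attempt("10.0.0.1", f"{i}.{i}.{i}.{i}, 203.0.113.7", False)
            for i in range(1, tries + 1)]


if __name__ == "__main__":
    print("naive:   ", bypass_attempt(LoginLimiter(naive_client_key)))
    print("hardened:", bypass_attempt(LoginLimiter(hardened_client_key)))
```

With the naive key the eight attempts never lock, because every request lands on a different counter; with the hardened key the sixth attempt is refused. The same structure also answers the second vector in the CVE text: a long header is rejected outright instead of becoming yet another unique key.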
cifs-utils: file existence disclosure flaw
| Package(s): | cifs-utils |
| CVE #(s): | CVE-2012-1586 |
| Created: | May 1, 2012 |
| Updated: | July 16, 2012 |
| Description: | From the Red Hat bugzilla: |
A file existence disclosure flaw was found in the way the mount.cifs tool of the Samba SMB/CIFS tools suite performed the mount of a Linux CIFS (Common Internet File System) filesystem. A local user, able to mount a remote CIFS share / target to a local directory, could use this flaw to confirm the (non) existence of a file system object (file, directory or process descriptor) via error messages generated during the mount.cifs tool run.
| Alerts: | |
gridengine: code injection
| Package(s): | gridengine |
| CVE #(s): | |
| Created: | April 27, 2012 |
| Updated: | May 2, 2012 |
| Description: | From the Fedora advisory: |
Security update to prevent environment code injection and two other security issues.
| Alerts: | |
imagemagick: code execution
| Package(s): | imagemagick |
| CVE #(s): | CVE-2012-0259, CVE-2012-0260, CVE-2012-1185, CVE-2012-1186, CVE-2012-1610, CVE-2012-1798 |
| Created: | April 30, 2012 |
| Updated: | June 22, 2012 |
| Description: | From the Debian advisory: |
Several integer overflows and missing input validations were discovered in the ImageMagick image manipulation suite, resulting in the execution of arbitrary code or denial of service.
| Alerts: | |
Messaging: unauthorized cluster access
| Package(s): | Messaging |
| CVE #(s): | CVE-2011-3620 |
| Created: | May 1, 2012 |
| Updated: | May 2, 2012 |
| Description: | From the Red Hat advisory: |
It was found that Qpid accepted any password or SASL mechanism, provided the remote user knew a valid cluster username. This could give a remote attacker unauthorized access to the cluster, exposing cluster messages and internal Qpid/MRG configurations.
| Alerts: | |
mozilla: multiple vulnerabilities
| Package(s): | firefox, thunderbird, seamonkey, xulrunner |
| CVE #(s): | CVE-2011-1187, CVE-2011-2986, CVE-2012-0475 |
| Created: | April 27, 2012 |
| Updated: | July 23, 2012 |
| Description: | From the CVE entries: |
Google Chrome before 10.0.648.127 allows remote attackers to bypass the Same Origin Policy via unspecified vectors, related to an "error message leak." (CVE-2011-1187)
Mozilla Firefox 4.x through 5, Thunderbird before 6, SeaMonkey 2.x before 2.3, and possibly other products, when the Direct2D (aka D2D) API is used on Windows, allows remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas. (CVE-2011-2986)
Mozilla Firefox 4.x through 11.0, Thunderbird 5.0 through 11.0, and SeaMonkey before 2.9 do not properly construct the Origin and Sec-WebSocket-Origin HTTP headers, which might allow remote attackers to bypass an IPv6 literal ACL via a cross-site (1) XMLHttpRequest or (2) WebSocket operation involving a nonstandard port number and an IPv6 address that contains certain zero fields. (CVE-2012-0475)
| Alerts: | |
nginx: code execution
| Package(s): | nginx |
| CVE #(s): | CVE-2012-2089 |
| Created: | May 1, 2012 |
| Updated: | June 21, 2012 |
| Description: | From the CVE entry: |
Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4 directive is used, allows remote attackers to cause a denial of service (memory overwrite) or possibly execute arbitrary code via a crafted MP4 file.
| Alerts: | |
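A parser that acts on size fields taken from the file before checking them against the data actually present is the general shape of a defect like the one above. The Python below is an added example written for this page, not nginx code and not a reconstruction of that bug: a minimal ISO BMFF (MP4) box walker that validates each declared size against the bytes remaining before it slices, including the 64-bit largesize and size-zero forms. The sample file and the Mp4FormatError class are constructed for the example.

```python
import struct
from typing import Iterator, Optional, Tuple


class Mp4FormatError(ValueError):
    """Raised for a box whose declared size does not fit the data present (assumed class)."""


def iter_boxes(data: bytes, start: int = 0, end: Optional[int] = None) -> Iterator[Tuple[bytes, int, int]]:
    """Yield (type, payload_start, payload_end) for each box in data[start:end].

    Every size comes from the untrusted file, so each one is checked against
    the bytes that remain before any offset derived from it is used.
    """
    end = len(data) if end is None else end
    pos = start
    while pos < end:
        if end - pos < 8:
            raise Mp4FormatError(f"truncated box header at offset {pos}")
        size, btype = struct.unpack_from(">I4s", data, pos)
        header = 8
        if size == 1:                        # 64-bit "largesize" follows the type field
            if end - pos < 16:
                raise Mp4FormatError(f"truncated largesize for {btype!r} at offset {pos}")
            (size,) = struct.unpack_from(">Q", data, pos + 8)
            header = 16
        elif size == 0:                      # box extends to the end of the enclosing span
            size = end - pos
        if size < header:
            raise Mp4FormatError(f"box {btype!r} declares {size} bytes, smaller than its header")
        if size > end - pos:
            raise Mp4FormatError(f"box {btype!r} declares {size} bytes but only {end - pos} remain")
        yield btype, pos + header, pos + size
        pos += size


def box_types(data: bytes) -> list:
    """Top-level box types in order; raises Mp4FormatError on any inconsistent size."""
    return [btype.decode("ascii", "replace") for btype, _, _ in iter_boxes(data)]


def is_well_formed(data: bytes) -> bool:
    try:
        box_types(data)
    except Mp4FormatError:
        return False
    return True


def box(btype: bytes, payload: bytes) -> bytes:
    """Build a well-formed box (used only to construct the sample file below)."""
    return struct.pack(">I4s", 8 + len(payload), btype) + payload


# Constructed minimal file: ftyp, an empty free box, and 16 bytes of media data.
SAMPLE = box(b"ftyp", b"isom\x00\x00\x02\x00isom") + box(b"free", b"") + box(b"mdat", bytes(16))

if __name__ == "__main__":
    print(box_types(SAMPLE))
    print(is_well_formed(SAMPLE[:-1]))   # mdat claims one byte more than is present
```

The two comparisons against `end - pos` are the whole point: a size smaller than its own header would make the walker loop in place or step backwards, and a size larger than the remaining data would turn the next offset computation into an out-of-bounds access in a language without bounds checks.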
openstack-nova: denial of service
| Package(s): | openstack-nova |
| CVE #(s): | CVE-2012-2101 |
| Created: | May 1, 2012 |
| Updated: | May 4, 2012 |
| Description: | From the Red Hat bugzilla: |
Dan Prince reported a vulnerability in Nova. He discovered that there was no limit on the number of security group rules a user can create. By creating a very large set of rules, an unreasonable number of iptables rules will be created on compute nodes, resulting in a denial of service.
| Alerts: | |
rubygems: require valid certificates
| Package(s): | rubygems |
| CVE #(s): | CVE-2012-2125, CVE-2012-2126 |
| Created: | May 1, 2012 |
| Updated: | September 26, 2012 |
| Description: | From the Rubygems history: |
This release increases the security used when RubyGems is talking to an https server. If you use a custom RubyGems server over SSL, this release will cause RubyGems to no longer connect unless your SSL cert is globally valid.
| Alerts: | |
samba: privilege escalation
| Package(s): | samba |
| CVE #(s): | CVE-2012-2111 |
| Created: | May 1, 2012 |
| Updated: | May 7, 2012 |
| Description: | From the CVE entry: |
The (1) CreateAccount, (2) OpenAccount, (3) AddAccountRights, and (4) RemoveAccountRights LSA RPC procedures in smbd in Samba 3.4.x before 3.4.17, 3.5.x before 3.5.15, and 3.6.x before 3.6.5 do not properly restrict modifications to the privileges database, which allows remote authenticated users to obtain the "take ownership" privilege via an LSA connection.
| Alerts: | |
spip: multiple vulnerabilities
| Package(s): | spip |
| CVE #(s): | |
| Created: | April 27, 2012 |
| Updated: | May 2, 2012 |
| Description: | From the Debian advisory: |
Several vulnerabilities have been found in SPIP, a website engine for publishing, resulting in cross-site scripting, script code injection and bypass of restrictions.
| Alerts: | |
Page editor: Jake Edge