Security
Wiretapping and email
The legal protection for email has been expanded, just slightly. The full First Circuit Court of Appeals has overturned a First Circuit panel decision that allowed Bradford Councilman to monitor the content of his users' incoming email.
Councilman was vice president of Interloc, a company that ran an online service that listed rare and out-of-print books, and offered its customers an email at "interloc.com." (Interloc has become Albris.) In January 1998, Councilman directed employees to copy incoming email from Amazon.com to subscribers. A procmail script was used to copy those messages, without any notice to Interloc's users, into a mailbox that Councilman could read in an attempt to gain a commercial advantage.
In 2001, a grand jury charged Councilman with conspiracy to violate the Wiretap Act. This count was dismissed by district court, and the dismissal was affirmed by a panel hearing of the First Circuit Court last year, but the full court granted an en banc hearing which overturned the panel decision. The judgment has been vacated and the case has been remanded to the district court.
The case centers on whether email is an "electronic communication," or
whether Congress meant to -- by exclusion -- exempt "communications
in transient storage
" from the Wiretap Act. The Electronic Communications
Privacy Act (ECPA) of 1986 updated title 18 of the United States Code
(the Wiretap Act), making it an offense to
"intentionally intercept, endeavor to intercept, or procure any other
person to intercept or endeavor to intercept, any wire, oral, or electronic
communication
".
If email is considered an electronic communication, then it is considered protected under the ECPA. However, Councilman argued that email was not "electronic communication" when it was copied because it was "in storage" at the time.
The court has decided that Councilman's interpretation "is
inconsistent with Congress's intent
".
It's also worthwhile to note the court's comments on the Stored
Communications Act, saying that "
However, the Stored Communications Act does not provide a "safe harbor" for
Councilman, since the Wiretap Act has a much narrower service provider
exception, which only allows interception as "
The court concluded that "electronic communication" includes
"
Assuming this decision holds, the Councilman decision is a victory for
users and protects email in transit -- whether that is "on the wire" or in
temporary storage on a server awaiting delivery to its final destination --
granting email the same protection from interception and monitoring that
is given to phone calls.
Councilman's conduct may appear to
fall under the Stored Communications Act's main criminal provision
",
but that he would also fall under the provider exception, which says the
Act "
does not apply with respect to conduct authorized by the person
or entity providing a wire or electronic communications service
".
The Stored Communications Act, according to the Court's decision, appears
to establish "virtually complete immunity
" for service
providers in handling email on their systems.
necessary incident to
the rendition of his service or to the protection of the rights or property
of the provider of that service
". Obviously, Councilman's actions do
not fall within this definition.
transient electronic storage that is intrinsic to the
communication process for such communications
" and that
"interception of an email message in such storage is an offense
under the Wiretap Act
".
Brief items
An overview of multilevel security
One of the many features added to the 2.6.12 kernel is multilevel security support for SELinux. The only problem is that few people actually understand what MLS is. James Morris has posted a multilevel security overview which makes a good starting point. "The reason why we have categories as well as sensitivities is so that sensitivities can be further compartmented on a need to know basis. For example, while a user may be cleared to Secret, they may not need to know anything about project WarpDrive (which could be the name of a category)."
The Hidden Boot Code of the Xbox
The Xbox Linux Project site has posted a detailed article on how the Xbox was designed to prevent the booting of "unauthorized" software, and how that scheme was defeated. It is an interesting look at the design of non-free hardware. (By way of Bruce Schneier).
New vulnerabilities
Adobe Acrobat Reader: arbitrary code execution
| Package(s): | Adobe Acrobat Reader | CVE #(s): | CAN-2005-2470 | ||||||||||||
| Created: | August 16, 2005 | Updated: | August 22, 2005 | ||||||||||||
| Description: | A buffer overflow bug has been found in Adobe Acrobat Reader. It is possible to execute arbitrary code on a victim's machine if the victim opens a malicious PDF file. | ||||||||||||||
| Alerts: |
| ||||||||||||||
awstats: command injection vulnerability
| Package(s): | awstats | CVE #(s): | CAN-2005-1527 | ||||||||||||
| Created: | August 11, 2005 | Updated: | November 10, 2005 | ||||||||||||
| Description: | AWStats has a command injection vulnerability that can be exploited by specially crafting referrer URLs that contain Perl code. The code can then be executed with the privileges of the web server. | ||||||||||||||
| Alerts: |
| ||||||||||||||
bluez: command execution
| Package(s): | bluez-utils | CVE #(s): | CAN-2005-2547 | ||||||||||||
| Created: | August 17, 2005 | Updated: | August 26, 2005 | ||||||||||||
| Description: | The bluez-utils package (through version 2.19) fails to properly validate device names. As a result, pairing the system with a device containing a maliciously-crafted name could result in the execution of arbitrary commands as root. | ||||||||||||||
| Alerts: |
| ||||||||||||||
evolution: format string issues
| Package(s): | evolution | CVE #(s): | CAN-2005-2549 CAN-2005-2550 | ||||||||||||||||||||||||||||
| Created: | August 15, 2005 | Updated: | March 23, 2006 | ||||||||||||||||||||||||||||
| Description: | Evolution has format string issues. SITIC advisory SA05-001 contains more information. | ||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||
kdeedu: tempfile handling vulnerabilities
| Package(s): | kdeedu | CVE #(s): | CAN-2005-2101 | ||||||||||||||||
| Created: | August 15, 2005 | Updated: | September 22, 2005 | ||||||||||||||||
| Description: | Ben Burton notified the KDE security team about several tempfile handling related vulnerabilities in langen2kvtml, a conversion script for kvoctrain. The script must be manually invoked. The script uses known filenames in /tmp which allow an local attacker to overwrite files writeable by the user invoking the conversion script. | ||||||||||||||||||
| Alerts: |
| ||||||||||||||||||
Mozilla: frame injection spoofing
| Package(s): | mozilla firefox | CVE #(s): | CAN-2004-0718 CAN-2005-1937 | ||||||||||||||||||||
| Created: | August 15, 2005 | Updated: | September 19, 2005 | ||||||||||||||||||||
| Description: | A vulnerability has been discovered in Mozilla and Mozilla Firefox that allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site. Thunderbird is not affected by this. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
Resources
(IN)SECURE Magazine issue 3
The third issue of (IN)SECURE magazine is out; covered topics include PDA attacks, adding signatures to nmap, SQL injection, and an interview with Michal Zalewski.
Page editor: Jonathan Corbet
Next page:
Kernel development>>