The FCC just passed sweeping new rules to protect your online privacy

Federal regulators have approved unprecedented new rules to ensure broadband providers do not abuse their customers’ app usage and browsing history, mobile location data and other sensitive personal information generated while using the Internet.

The rules, passed Thursday in a 3-to-2 vote by the Federal Communications Commission, require Internet providers, such as Comcast and Verizon, to obtain their customers’ explicit consent before using or sharing that behavioral data with third parties, such as marketing firms.

Also covered by that requirement are health data, financial information, Social Security numbers and the content of emails and other digital messages. The measure allows the FCC to impose the opt-in rule on other types of information in the future, but certain types of data, such as a customer’s IP address and device identifier, are not subject to the opt-in requirement. The rules also force service providers to tell consumers clearly what data they collect and why, as well as to take steps to notify customers of data breaches.

“It’s the consumers’ information,” said FCC Chairman Tom Wheeler. “How it is used should be the consumers’ choice. Not the choice of some corporate algorithm.”

In the near term, what consumers see and experience on the Web is unlikely to change as a result of the rules; targeted advertising has become a staple of the Internet economy and will not be going away. But the regulations may lead to new ways in which consumers can control their Internet providers’ business practices. That could mean dialog boxes, new websites with updated privacy policies or other means of interaction with companies.

The fresh regulations come as Internet providers race to turn their customers’ behavioral data into opportunities to sell targeted advertising. No longer content to be the conduits to websites, social media and online video, broadband companies increasingly view the information they collect on users as they traverse the Web as a source of revenue in itself.

With its move, the FCC is seeking to bring Internet providers’ conduct in line with that of traditional telephone companies that have historically obeyed strict prohibitions on the unauthorized use or sale of call data.

But the Internet era has brought new challenges, in some cases creating different categories of personal information — and ways to use it — that did not exist in the telephone era. And as the line increasingly blurs between traditional network operators and online content companies, regulators have struggled to keep pace.

For example, Verizon’s acquisition of AOL and potential purchase of Yahoo are both aimed at monetizing Internet usage beyond the straightforward sale of broadband access.

With greater insights into customer behavior, the company could market additional services or content to its wireless subscribers as part of a bundle, policy analysts say. That arrangement could allow Verizon to effectively earn money twice from the same subscriber — once for the data plan, and then again when the customer consumes Verizon-affiliated content.

Although Thursday’s vote by the FCC requires companies such as Verizon to obtain explicit permission from consumers when they share sensitive personal data with outside firms, it does not require broadband providers to ask permission before using the data themselves in certain ways — such as providing broadband service.

For instance, Verizon would be able to use a wireless subscriber’s usage history to recommend purchasing a larger mobile data plan. It could also use the customer’s information to market its home Internet service, Verizon FiOS, even though FiOS is a separate product operated by a different part of the company. In neither case would Verizon have to ask for the subscriber’s affirmative consent.

But Verizon would have to allow consumers the chance to opt out of having their usage history shared with other Verizon businesses that do not sell communications services, such as AOL or Yahoo, according to the rules.

Consumer advocates say it’s a step in the right direction, even if they would have preferred stricter requirements.

“It’s not so far off the mark that it guts the provision,” said Harold Feld, a senior vice president at the consumer advocacy group Public Knowledge. “It still provides sufficient protections for consumers to regard this as a positive step.”

A trade association for the cable industry criticized the regulations Thursday as “profoundly disappointing.”

“Today’s result speaks more to regulatory opportunism than reasoned policy,” said the NCTA — The Internet & Television Association.

The FCC measure also received pushback from Internet providers in the run-up to the vote, over complaints that telecom companies would now be treated differently from websites, such as Google and Facebook, which also use personal data for advertising purposes on a tremendous scale.

“There is no sound reason to subject broadband providers to a different set of rules than other Internet companies,” wrote AT&T in a regulatory filing last week. “This would … deny broadband providers the same opportunity other Internet companies have to participate in the fast-growing digital advertising market.”

But the FCC may have little jurisdiction — or appetite — for regulating the data practices of individual Web companies; Wheeler has repeatedly declined to extend new regulations to the sector.

Republican officials at the FCC opposed the new privacy rules, saying the different expectations for Internet providers and websites will create confusion among consumers.

“If the FCC truly believes that these new rules are necessary to protect consumer privacy, then the government now must move forward to ensure uniform regulation of all companies in the Internet ecosystem at the new baseline the FCC has set,” said FCC Commissioner Ajit Pai, who suggested that the Federal Trade Commission could accomplish the task.

Opponents of the rules have called them an unlawful use of FCC power, setting the stage for a potential lawsuit by the broadband industry to overturn the privacy regulations. Michael O’Rielly, a Republican FCC commissioner, said Thursday that he expects “extensive” legal challenges to the rules.

He also added the rules may have “unintended consequences.” For example, he said, it is unclear how the FCC’s privacy regulations will address a burgeoning Internet of Things — the name for a growing class of connected devices such as thermostats, refrigerators and even automobiles. How Internet providers can use and share the data generated by those appliances will remain an open question, O’Rielly said.

Brian Fung covers technology for The Washington Post



MOST VULNERABLE OPERATING SYSTEM
Windows, often called the most vulnerable operating system in the world and an easy target for hackers, does not even appear in the top three. According to an analysis by the network and security solutions provider GFI, the three most vulnerable operating systems were:
Apple’s Mac OS X
Apple iOS
Linux kernel
GFI’s analysis is based on data from the US National Vulnerability Database (NVD), which shows that in 2014 the top three ranked by the number of vulnerabilities reported in their software were:
Mac OS X – 147 vulnerabilities reported, 64 of them rated high-severity
Apple iOS – 127 vulnerabilities reported, 32 of them rated high-severity
Linux kernel – 119 vulnerabilities reported, 24 of them rated high-severity
MAJOR VULNERABILITIES REPORTED IN 2014
The vulnerabilities that dominated the Internet in 2014 were:
HEARTBLEED – A critical vulnerability in OpenSSL exposed cryptographic keys and private data on many of the most important sites and services on the Internet. It was considered one of the biggest Internet threats in history.
SHELLSHOCK – A critical, remotely exploitable vulnerability in Bash (the GNU Bourne Again Shell), the command-line shell used on most Linux and Unix systems, left countless websites, servers, PCs, OS X Macs, home routers and other devices open to attack.
Perhaps surprisingly, Microsoft’s Windows 7, 8 and 8.1 fell into the bottom half of the list, ranking 5th, 7th and 8th with 36 vulnerabilities reported in each. Keep in mind that raw CVE counts measure what was reported and fixed, not how exploitable a platform is; they are shaped by how much research attention a product gets and by what each vendor counts as part of the operating system.
“2014 was a tough year for Linux users from a security point of view, coupled with the fact that some of the most important security issues of the year were reported for applications that usually run on Linux systems,” explained GFI Software manager Cristian Florian.
Windows Server 2008 was the fourth most vulnerable OS in 2014 with 38 vulnerabilities, but it isn’t a version aimed at consumers.
MOST VULNERABLE APPLICATION
When it comes to applications, however, Microsoft fared worst: its Internet Explorer browser led the list with 242 vulnerabilities, 220 of them rated critical.
That is an embarrassing figure for Microsoft, as Internet Explorer had nearly twice as many flaws as the second most vulnerable application, Google Chrome.
Google Chrome had 124 vulnerabilities reported in 2014. Adobe Flash Player, by contrast, improved, with only 76 vulnerabilities reported.
Overall, a total of 7,038 new security vulnerabilities were added to the National Vulnerability Database (NVD) in 2014, an average of 19 new vulnerabilities reported every day.
Of those, 80% were reported in third-party applications, 13% in operating systems, and 4% in hardware devices.
For those who aren’t aware, the NVD is the US government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP).

Got to love Hacktivists ….

As promised, the Anonymous collective has started its opHackingCup hacking campaign against Brazilian government agencies and many other organizations.

A few hours before the start of the World Cup in Brazil, Anonymous hacktivists launched their campaign against Brazilian government websites and the official World Cup site (www.worldcup2014.gov.br); many other organizations are also suffering DDoS (distributed denial of service) attacks.

Anonymous is protesting the spending on the World Cup at a time when the country’s economic situation leaves many people struggling to obtain basic services.


Anonymous posted a series of videos on YouTube announcing the “#OpHackingCup” and #opWorldCup operations; at the time of writing, hacktivists are targeting a number of World Cup-related websites in a large-scale cyber attack.

One of the most active hackers, known as Che Commodore, declared:

“Companies and institutions that work with a government that deny the basic rights of its people in order to promote a private, exclusive and corrupt sports event will be targeted.” “We had a busy last few days and there is more still to come.”

Several dozen websites linked to government activity have been brought down by Anonymous, including the Mato Grosso state website, the Sao Paulo police website, the Sao Paulo Metro website and the Brazilian Football Confederation.

A spokeswoman for the local government said:

“Our site was hacked.” “We were able to take it off the air and restore the service within 30 minutes.”

The list of opHackingCup victims is long, although many of the alleged targets have denied being hacked.


Recently, Anonymous hacked into Brazil’s Foreign Ministry computers and leaked highly confidential documents, including emails.

“A hacker known as AnonManifest used a phishing attack to break into the Foreign Ministry’s databases and eventually access its documentation system” Che Commodore told Reuters.

The hacker group Anonymous is preparing cyber attacks on corporate sponsors of the World Cup in Brazil to protest the spending of money on the event instead of on public services.

“The [hack] attacks will be directed against official websites and those of companies sponsoring the cup … these attacks will most likely take the form of DDoS attacks.”

“We have a plan of attack … We have already conducted late-night tests to see which of the sites are more vulnerable … This time we are targeting the sponsors of the World Cup,” state tweets from the collective.

Security experts believe that opHackingCup will most likely leverage multiple attack vectors: Distributed Denial of Service (DDoS), web application exploits, intrusion and data theft attempts, exploitation of vulnerable software, and website defacement.

Symantec reported the following possible attack vectors:

  • Distributed Denial of Service (DDoS) Attacks
    • Bandwidth Saturation
    • Resource Starvation
    • DDoS attacks could extend to streaming providers, major entertainment outlets (physical/digital), cloud or infrastructure-as-a-service (IaaS) providers that the targets rely upon
  • Intrusion and Data Theft Attempts
  • Vulnerable Software Exploitation
  • Website Defacement
  • Attacks on critical infrastructure
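The two flooding vectors at the top of that list, bandwidth saturation and resource starvation, show up in a web server’s own access log long before anyone declares an incident. Below is an added illustration of the simplest useful check, a sliding-window request and byte count per source address. It is not Symantec’s or Anonymous’s code and not from the article; the log lines are constructed in Apache common-log style using documentation IP ranges, and the 10-second window and thresholds are assumptions to be tuned per site.

```python
"""Per-source request-rate detector over web access logs (added example).

Not code from the article or from Symantec. Log lines are constructed in
Apache common-log style; window_s, max_requests and max_bytes are assumed
tuning values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)


def parse_line(line: str) -> dict:
    """Extract source IP, timezone-aware timestamp and response size."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsed log line: {line!r}")
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "bytes": 0 if m["bytes"] == "-" else int(m["bytes"]),
    }


def flag_flooders(lines: List[str], window_s: float = 10.0,
                  max_requests: int = 30,
                  max_bytes: int = 50_000_000) -> Dict[str, Tuple[int, int]]:
    """Sliding window per source IP. A source is flagged when, inside any
    window, it exceeds max_requests (resource starvation) or max_bytes of
    responses (bandwidth saturation). Returns ip -> (peak requests, peak bytes)
    for flagged sources only."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # ip -> deque of (ts, bytes) inside the window
    peaks: Dict[str, Tuple[int, int]] = {}
    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e["ts"]):
        q = recent[ev["ip"]]
        q.append((ev["ts"], ev["bytes"]))
        while ev["ts"] - q[0][0] > window:  # evict events older than the window
            q.popleft()
        reqs, octets = len(q), sum(b for _, b in q)
        if reqs >= max_requests or octets >= max_bytes:
            prev = peaks.get(ev["ip"], (0, 0))
            peaks[ev["ip"]] = (max(prev[0], reqs), max(prev[1], octets))
    return peaks


def make_sample_log() -> List[str]:
    """Constructed sample: one source requesting / ten times a second for
    six seconds, plus two ordinary visitors interleaved."""
    base = datetime(2014, 6, 12, 16, 0, 0)
    lines = []
    for i in range(60):  # the flood, from 203.0.113.7
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f'203.0.113.7 - - [{ts:%d/%b/%Y:%H:%M:%S} -0300] '
                     f'"GET / HTTP/1.1" 200 51200')
    for i, ip in enumerate(["198.51.100.5", "192.0.2.9", "198.51.100.5"]):
        ts = base + timedelta(seconds=2 * i + 1)
        lines.append(f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S} -0300] '
                     f'"GET /news HTTP/1.1" 200 8192')
    return lines


if __name__ == "__main__":
    for ip, (reqs, octets) in flag_flooders(make_sample_log()).items():
        print(f"{ip}: peak {reqs} requests / {octets} bytes inside a 10 s window")
```

A single-address counter like this catches a naive flood; a distributed attack spreads requests thinly across many sources, so in practice the same window logic is also applied per URL and per network prefix, and the real mitigation for bandwidth saturation sits upstream at the provider or CDN, which is why Symantec’s list mentions the IaaS and streaming providers the targets depend on.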

The possible targets include the following FIFA partners, supporters and sponsors:

  • Adidas
  • Coca Cola
  • Hyundai / KIA Motors
  • Emirates Airlines
  • Sony
  • VISA
  • Budweiser
  • Castrol
  • Continental
  • Johnson & Johnson
  • McDonalds
  • Marfrig Group / Moy Park
  • OI
  • Yingli
  • FIFA.com
  • ApexBrasil
  • Centauro
  • Garoto
  • Itau
  • Liberty Seguros
  • Wise Up
  • Football For Hope

Many websites have probably already been attacked and infected; the complete and updated list is available at this link.

Stay Tuned!

Why the Web Needs Perfect Forward Secrecy More Than Ever

EFF has long advocated for websites to support HTTPS instead of plain HTTP to encrypt and authenticate data transmitted on the Internet. However, we learned yesterday of a catastrophic bug, nicknamed “Heartbleed,” that has critically threatened the security of some HTTPS sites since 2011. By some estimates, Heartbleed affects 2 out of 3 web servers on the Internet.

Heartbleed isn’t a bug in the design of HTTPS itself but rather the result of a simple programming error in a widely-used piece of software called OpenSSL. It allows an attacker who connects to an HTTPS server running a vulnerable version of OpenSSL to read up to 64KB of the server’s private memory per request. Doing the attack once can easily cause the server to leak cookies, emails, and passwords. Doing the attack repeatedly can potentially leak entire encryption keys, such as the private SSL keys used to protect HTTPS traffic. If an attacker has access to a website’s private SSL key, they can run a fake version of the website and/or steal any information that users send, including passwords, private messages, and credit card numbers. Neither users nor website owners can detect this attack as it happens.
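The “simple programming error” is a missing bounds check in OpenSSL’s handler for the TLS heartbeat extension, which this section and the 2014 vulnerability round-up above both refer to. The following is an added simulation written for this page, not OpenSSL’s code: the record layout (one type byte, a 16-bit payload length, the payload, then 16 bytes of padding) follows RFC 6520, while the “process memory” and the secret placed next to the record are constructed so that the leak is visible.

```python
"""Simulation of the OpenSSL heartbeat bounds bug (CVE-2014-0160).

Added illustration, not OpenSSL's code. 'memory' is a constructed bytearray
standing in for process memory; the record layout (1-byte type, 16-bit
payload length, payload, 16 bytes of padding) follows RFC 6520.
"""
import struct
from typing import Optional

PADDING = 16


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat_request (type 1). An honest peer sets
    claimed_length == len(payload); an attacker sets it larger."""
    return struct.pack("!BH", 1, claimed_length) + payload + b"\x00" * PADDING


def vulnerable_handler(memory: bytearray, offset: int) -> bytes:
    """Trusts the peer-supplied length field and copies that many bytes
    starting at the payload, running past the end of the record into
    whatever happens to sit next to it in memory."""
    _type, payload_length = struct.unpack_from("!BH", memory, offset)
    start = offset + 3
    return bytes(memory[start:start + payload_length])


def fixed_handler(memory: bytearray, offset: int, record_length: int) -> Optional[bytes]:
    """Mirrors the patch: discard the record unless the claimed payload
    plus header and padding fits inside the bytes actually received."""
    if record_length < 1 + 2 + PADDING:
        return None  # too short to carry even an empty payload
    _type, payload_length = struct.unpack_from("!BH", memory, offset)
    if 1 + 2 + payload_length + PADDING > record_length:
        return None  # silently dropped, as the patched OpenSSL does
    start = offset + 3
    return bytes(memory[start:start + payload_length])


def demo():
    """Place a constructed secret right after the received record and
    compare what the two handlers echo back to the peer."""
    secret = b"Cookie: session=deadbeef; password=hunter2"
    record = build_heartbeat(b"hello", claimed_length=64)  # 5-byte payload, claims 64
    memory = bytearray(record + secret + b"\x00" * 64)
    leaked = vulnerable_handler(memory, 0)           # 64 bytes, secret included
    refused = fixed_handler(memory, 0, len(record))  # None
    honest = build_heartbeat(b"hello", claimed_length=5)
    echoed = fixed_handler(bytearray(honest), 0, len(honest))  # b"hello"
    return leaked, refused, echoed


if __name__ == "__main__":
    leaked, refused, echoed = demo()
    print("vulnerable handler leaked:", leaked)
    print("fixed handler on the same record:", refused)
    print("fixed handler on an honest record:", echoed)
```

Each malicious heartbeat returns at most 64KB because the length field is 16 bits wide; what lands in those bytes is whatever the allocator placed after the record, which is why repeating the request harvests different fragments each time and why no log entry records it.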

It’s worth emphasizing that some important services that users access every day were affected by Heartbleed, including Yahoo Mail and LastPass. We weren’t immune either, since most EFF servers were running vulnerable versions of OpenSSL. Even the private identity keys used by Tor Hidden Services may have been compromised, potentially putting some journalist organizations’ communication with anonymous sources at risk.

Luckily, there’s one important mitigation that could actually protect some users from the worst-case scenario: perfect forward secrecy. If a server was configured to support forward secrecy, then a compromise of its private key can’t be used to decrypt past communications. In other words, if someone leaks or steals a copy of EFF’s private SSL key today, any traffic sent to EFF’s website in the past since EFF started supporting forward secrecy is still safe.

Unfortunately, most HTTPS websites still don’t support forward secrecy, which means that a large chunk of your past communications with those servers is vulnerable to decryption when private SSL keys are compromised. For example, if someone has been intercepting your HTTPS-encrypted messages to Yahoo for the past several years and then stole a copy of Yahoo’s private key yesterday with Heartbleed, they would be able to use it to go back and decrypt the previously-unintelligible recording of your old communications today — if those communications weren’t made using a forward-secrecy-enabled connection.
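The difference between the two cases above comes down to whether the session key is derived from the server’s long-term private key or from a throwaway one. The following added toy comparison, written for this page rather than taken from EFF or any TLS library, records two sessions and then hands the attacker the server’s long-term key after the fact. The group (the integers modulo 2**255 - 19, a prime but not a TLS group) and the XOR “record cipher” are stand-ins chosen only to make the effect of key recovery visible; static Diffie-Hellman plays the role that RSA key transport plays in the classic TLS_RSA suites.

```python
"""Forward secrecy: a toy comparison of a static key exchange with an
ephemeral (DHE) one. Added illustration, not EFF's code and not a TLS
implementation. The group is Z_p^* with p = 2**255 - 19 (a prime, but not
a TLS group); the record 'cipher' is a SHA-256 keystream XOR, used only so
the effect of key recovery is visible.
"""
import hashlib
import secrets

P = 2**255 - 19  # toy modulus; real TLS uses named DH/ECDH groups
G = 2


def keygen():
    """Return (private exponent, public value G**x mod P)."""
    priv = secrets.randbelow(P - 2) + 2
    return priv, pow(G, priv, P)


def derive_key(shared_secret: int) -> bytes:
    return hashlib.sha256(shared_secret.to_bytes(32, "big")).digest()


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a hash-derived keystream. Symmetric: encrypt == decrypt."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def static_session(server_pub: int, plaintext: bytes) -> dict:
    """Static exchange: the session key depends on the server's long-term
    private key, so that one key protects every session ever recorded."""
    client_priv, client_pub = keygen()
    key = derive_key(pow(server_pub, client_priv, P))
    return {"client_pub": client_pub, "ct": toy_cipher(key, plaintext)}


def ephemeral_session(plaintext: bytes) -> dict:
    """DHE: the server uses a fresh exponent for this session only. In TLS
    the long-term key merely signs server_eph_pub (signature omitted here)
    and never enters the key derivation; both exponents are discarded."""
    server_eph_priv, server_eph_pub = keygen()
    client_priv, client_pub = keygen()
    key = derive_key(pow(server_eph_pub, client_priv, P))
    assert key == derive_key(pow(client_pub, server_eph_priv, P))  # both sides agree
    return {"server_eph_pub": server_eph_pub, "client_pub": client_pub,
            "ct": toy_cipher(key, plaintext)}


def attacker_replay(recording: dict, stolen_long_term_priv: int) -> bytes:
    """What an eavesdropper who recorded the session and later obtained the
    server's long-term private key can compute from the recording."""
    key = derive_key(pow(recording["client_pub"], stolen_long_term_priv, P))
    return toy_cipher(key, recording["ct"])


def demo():
    server_priv, server_pub = keygen()  # long-term key, stolen later (e.g. via Heartbleed)
    msg = b"GET /mail?user=alice HTTP/1.1"
    static_rec = static_session(server_pub, msg)
    dhe_rec = ephemeral_session(msg)
    # the key compromise happens only after both sessions were recorded
    return attacker_replay(static_rec, server_priv), attacker_replay(dhe_rec, server_priv)


if __name__ == "__main__":
    recovered_static, recovered_dhe = demo()
    print("static exchange, key leaked later:   ", recovered_static)
    print("ephemeral exchange, key leaked later:", recovered_dhe)
```

With the static exchange the attacker recovers the request verbatim; with the ephemeral one the long-term key is simply the wrong exponent and the output is noise. Through TLS 1.2 a server only gets this property when it negotiates a DHE or ECDHE suite, which is what `openssl s_client -connect host:443 -cipher ECDHE` checks (the handshake fails if the server offers none); TLS 1.3 later dropped the non-forward-secret exchanges altogether.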

At this moment, forward secrecy is more crucial than ever. Now that the details of Heartbleed are public, anyone can use it against servers that haven’t yet patched the OpenSSL bug and changed SSL certificates. It can easily take weeks or months for developers to deploy new SSL certificates, and even so, certificate revocation systems are unreliable and poorly-suited to the modern web. In the meantime, any data you send now to affected servers that don’t support forward secrecy will be open to eavesdropping and malicious tampering as soon as their SSL private keys are exposed.

In the aftermath of yesterday’s events, it’s clear that forward secrecy is necessary to protect against unforeseeable threats to SSL private keys. Whether that threat is an existing or future software bug, an insider who steals the key, a secret government demand to enable surveillance, or a new cryptographic breakthrough, the beauty of forward secrecy is that the privacy of today’s sessions doesn’t depend on keeping information secret tomorrow.

Although we’ve patched this bug on EFF’s servers and are scrambling to rotate our keys as fast as possible, we’re relieved that our potential damage from Heartbleed is lower because we enabled forward secrecy last summer. It’s clearly time for other websites to do so as well.

PS: Fortunately, the integrity of HTTPS Everywhere downloads for Firefox and Chrome is not compromised by Heartbleed. That’s because, in addition to serving downloads over SSL/TLS, we sign HTTPS Everywhere updates with an offline key to guarantee authenticity even if transport-level security is broken. You can use these instructions to check that your copy of HTTPS Everywhere has the correct update key. In light of Heartbleed, we’re glad that the Chrome web store allows extension developers to include their own code signing keys in case Google’s SSL certificates are compromised; until the Mozilla Addons Store does similarly, we plan to keep hosting HTTPS Everywhere for Firefox on our own servers.

Yahoo! Spread Bitcoin Mining Botnet Malware Via Ads


Bitcoin and other cryptocurrencies are pretty much headline news every day now, especially with the inflated values (Bitcoin over $1000 recently). We haven’t mentioned them for a long time though, back in 2012 we wrote about Hackers breaking into a Bitcoin Exchange Site called Bitcoinica.

There have been plenty of Bitcoin-related hacks since then, mostly targeting exchanges, but there have also been other interesting developments, such as the so-called “bitnets”: Bitcoin mining malware botnets.

The most recent news is that Yahoo! served up adverts containing malware whose purpose was to build a Bitcoin mining botnet.

Yahoo confirmed that for a four-day period in January, malware was served in ads on its homepage. Experts estimate that as many as two million European users could have been hit. Security firm Light Cyber said the malware was intended to create a huge network of Bitcoin mining machines.
“The malware writers put a lot of effort into making it as efficient as possible to utilise the computing power in the best way,” Light Cyber’s founder Giora Engel told the BBC.
Bitcoin mining malware is designed to steal computing power to make it easier for criminals to accumulate the virtual currency with little effort on their part.
“Generating bitcoins is basically guessing numbers,” said Amichai Shulman, chief technology officer of security firm Imperva. “The first one to guess the right number gets 25 bitcoins and if you have a large volume of computers guessing in a co-ordinated way then you have a more efficient way of making money,” he added.
Other than a computer running slower, victims will be unaware that their machine is being used in what could become known as a “bitnet”. It is a variation on the traditional botnet, networks of malware-infected computers used to churn out spam or bombard websites with requests in order to knock them offline. Some experts estimate that such networks could be generating as much as $100,000 (£60,000) each day.
If the estimates are true, then whoever wrote this malware and managed to get it onto the Yahoo! frontpage could be minting money – $100,000 a day! That’s 3 million bucks a month, certainly no chump change.

I’d be interested to know more though, as CPU mining for Bitcoin is incredibly inefficient – so I wonder if this malware also harnesses GPU mining, which, while it can’t compete with ASIC miners, still has a decent amount of grunt.
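Shulman’s “guessing numbers” is literal: a miner repeatedly hashes a block header with a changing nonce until the hash falls below a target, and the cost of each guess is what makes the CPU-versus-GPU-versus-ASIC question above matter. The block below is an added illustration, not code from the article or from any miner: the header is a constructed byte string, and the target is expressed as a number of leading zero bits set far below real network difficulty so it finishes in milliseconds.

```python
"""Proof-of-work 'number guessing' (added example, not from the article or
any real miner). Bitcoin hashes a block header with double SHA-256 and
accepts it when the result is below a target; here the header is a
constructed byte string and the target is a count of leading zero bits.
"""
import hashlib
import struct
import time
from typing import Optional, Tuple


def block_hash(header: bytes, nonce: int) -> bytes:
    """Double SHA-256 over header || little-endian 32-bit nonce."""
    first = hashlib.sha256(header + struct.pack("<I", nonce)).digest()
    return hashlib.sha256(first).digest()


def meets_target(digest: bytes, bits: int) -> bool:
    """True when the 256-bit hash value is below 2**(256 - bits)."""
    return int.from_bytes(digest, "big") < (1 << (256 - bits))


def mine(header: bytes, bits: int, max_nonce: int = 1 << 32) -> Optional[Tuple[int, bytes, int]]:
    """Try nonces in order until the hash is below the target.
    Returns (nonce, digest, attempts), or None if max_nonce is exhausted."""
    for nonce in range(max_nonce):
        digest = block_hash(header, nonce)
        if meets_target(digest, bits):
            return nonce, digest, nonce + 1
    return None


def expected_attempts(bits: int) -> int:
    """Each hash is an independent guess that succeeds with probability 2**-bits,
    so the expected number of guesses is 2**bits."""
    return 1 << bits


def hashes_per_second(header: bytes, sample: int = 20000) -> float:
    """Rough single-core CPU hash rate; a miner's earning rate scales with it."""
    start = time.perf_counter()
    for nonce in range(sample):
        block_hash(header, nonce)
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    header = b"constructed-header:prev=00..00;merkle=ab..cd;time=1388534400"
    bits = 16
    nonce, digest, attempts = mine(header, bits)
    print(f"{bits}-bit target: nonce={nonce} after {attempts} tries "
          f"(expected about {expected_attempts(bits)}), hash={digest.hex()}")
    print(f"this CPU core: ~{hashes_per_second(header):,.0f} hashes/s")
```

Raising `bits` by one doubles the expected work, and the real network target is many orders of magnitude beyond what `hashes_per_second` reports for a CPU core, which is why a mining botnet only pays if it is very large, or if it mines a currency whose proof-of-work is designed to run on ordinary CPUs.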

Yahoo acknowledged the attack in a statement earlier this week.
“From December 31 to January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines – specifically, they spread malware,” the statement read.
It went on to say that users in America, Asia and Latin America weren’t affected but did not specify how many European users were victims. Fox IT, the Dutch cybersecurity firm which revealed the malware attack, estimates that there were around 27,000 infections every hour the malware was live on the site. Over the period of the attack that could mean as many as two million machines were infected. Such attacks may be hard to avoid, said Mr Shulman.
“For an ad platform it is virtually impossible to guarantee 100% malware free ads. There are many independent stakeholders involved in the process of web advertising, so from time to time any ad platform is bound to deliver malware.”
It’s a pretty scary thought that no ad platform can be malware free, but honestly I’ve never experienced Google AdSense serving any kind of malware – although when I’m browsing on mobile lately I’ve had a lot of sites trying to push random .apk files at me.

It seems it was only regional as well, with European users being targeted (perhaps due to the advert geo-targeting) – but with up to 2 million people infected, that’s a fairly decent sized Bitcoin mining botnet.

Source: BBC News

Bloggers’ Rights



One of EFF’s goals is to give you a basic roadmap to the legal issues you may confront as a blogger to let you know you have rights and to encourage you to blog freely with the knowledge that your legitimate speech is protected.

To that end we have created the Legal Guide for Bloggers a collection of blogger-specific FAQs addressing everything from fair use to defamation law to workplace whistle-blowing.

In addition EFF continues to battle for bloggers’ rights in the courtroom:

Bloggers can be journalists (and journalists can be bloggers). We’re battling for legal and institutional recognition that if you engage in journalism, you’re a journalist, with all of the attendant rights, privileges, and protections. (See Apple v. Does.)

Bloggers are entitled to free speech. We’re working to shield you from frivolous or abusive threats and lawsuits. Internet bullies shouldn’t use copyright, libel, or other claims to chill your legitimate speech. (See OPG v. Diebold.)

Bloggers have the right to political speech. We’re working with a number of other public-interest organizations to ensure that the Federal Election Commission (FEC) doesn’t gag bloggers’ election-related speech. We argue that the FEC should adopt a presumption against the regulation of election-related speech by individuals on the Internet and interpret the existing media exemption to apply to online media outlets that provide news reporting and commentary regarding an election — including blogs. (See our joint comments to the FEC [PDF 332K].)

Bloggers have the right to stay anonymous. We’re continuing our battle to protect and preserve your constitutional right to anonymous speech online including providing a guide to help you with strategies for keeping your identity private when you blog. (See How to Blog Safely (About Work or Anything Else).)

Bloggers have freedom from liability for hosting speech the same way other web hosts do. We’re working to strengthen Section 230 liability protections under the Communications Decency Act (CDA) while spreading the word that bloggers are entitled to them. (See Barrett v. Rosenthal.)

Pwn2Own hacking contest puts record $560K on the line

HP TippingPoint, the long-time organizer of the annual Pwn2Own hacking contest, has revamped the challenge for the second year running and will offer cash awards exceeding half a million dollars, more than five times the amount paid out last year, the company said yesterday.

The 2013 edition of the contest will offer $560,000 in potential prize money to hackers who demonstrate exploits of previously-unknown vulnerabilities in Chrome, Firefox, Internet Explorer (IE) or Safari, or the Adobe Reader, Adobe Flash or Oracle Java browser plug-ins.

At Pwn2Own, hackers compete for cash prizes by finding exploits in browsers, operating systems, and other software.

Prizes will be awarded on a sliding schedule, with $100,000 for the first to hack Chrome on Windows 7 or IE10 on Windows 8. From there, payments will fall to $75,000 for IE9 and slide through a number of targets before ending at $20,000 for Java. Prizes will also be given for exploiting Adobe Flash and Adobe Reader ($70,000 each), Safari ($65,000) and Firefox ($60,000).

About the Java award, Kostya Kortchinsky, a researcher who now works for Microsoft, quickly tweeted, “ZDI giving out $20k for free,” referring to the Oracle software’s recent vulnerabilities.

Pwn2Own will run March 6-8 at the CanSecWest security conference in Vancouver, British Columbia.

According to Brian Gorenc, a researcher with TippingPoint’s DVLabs, HP will sponsor this year’s Pwn2Own in conjunction with Google. Last year, Google was initially a co-sponsor, but withdrew over disagreements with TippingPoint about that year’s rules.

Google then ran its own hacking contest, dubbed Pwnium, at CanSecWest, where it handed out $120,000 to two researchers for exploiting Chrome.

This year’s contest is another revamp of the process and rules, the second in two years. The 2012 challenge used a complicated point system that awarded prizes to the researcher or team of researchers who exploited the most targets during a three-day stretch. It also challenged hackers to devise exploits on the spot.

With 2013’s Pwn2Own, TippingPoint has essentially dumped last year’s model and returned to earlier contest rules: Researchers will draw their order of appearance before the contest begins, each will have 30 minutes to try his or her luck, and the first to exploit a given target wins the prize.

Another change from last year is that researchers must provide TippingPoint with a fully-functional exploit and all the details of the vulnerability used in the attack. That’s different from last year, when Google backed out because Pwn2Own did not require hackers to divulge full exploits, or all of the bugs used, so that vendors, including Google, could then fix the flaws.

The rule changes and the large infusion of cash hint that Google returned to Pwn2Own sponsorship only after it convinced TippingPoint to revise the exploit disclosure policy. Yesterday, Google declined to comment on whether it would again run a Pwnium contest at CanSecWest, but did confirm it will host its Chrome-specific challenge at some point in 2013.

But it was the cash that caught researchers’ attention.

The $100,000 prize for an exploit of Chrome or IE10, for example, was 67 percent more than Google paid last year in its inaugural Pwnium contest, and over six times the maximum paid at Pwn2Own in 2011 for hacking a desktop browser.

The always-quotable Charlie Miller, who won prizes at Pwn2Own four years in a row—the only “four-peat” in the contest’s history — bemoaned the high awards.

“I have to say the Pwn2Own prize money is serious,” Miller said on Twitter Thursday. “I feel like a 1950’s pro athlete wondering why current athletes are paid so much.”

Miller, who won at Pwn2Own while a security consultant, now works for Twitter.

Others took up Miller’s line of thought, with Larry Seltzer, a long-time security reporter and now the editorial director of Byte, chiming in with, “They’re all using exploit-enhancing drugs these days.”

TippingPoint has published the 2013 Pwn2Own rules on its website, and will provide updates during the contest via a dedicated Twitter account.