
CALEA-mandated systems are abused and probably will continue to be

May 21, 2013

Powerful people at the top of the cryptographic industry have lined up behind a campaign against newly proposed wiretapping laws in the United States that could require IT vendors and system integrators to place new backdoors in digital communications services equipment.

As could be expected, the idea has drawn a great deal of criticism and left more than a few people surprised at the proposal. Technical details are still sketchy at this point, but the planned law could mandate putting wiretap capabilities on devices such as laptops, tablets and smartphones to cover everything from instant messaging and chat to services such as Skype, Google Hangouts and even Xbox Live.

The plan to update the Communications Assistance for Law Enforcement Act (CALEA) comes as part of various proposals to update U.S. wiretapping laws drafted in the mid-1990s, which were designed to apply to telephone exchanges and switching equipment, not the internet.

Critics of the newly proposed law - including cryptographer Bruce Schneier and Phil Zimmermann, the creator of email encryption package PGP - argue that any backdoor would be open to abuse by hackers, including foreign governments.

Any such system would necessarily make software both more complex and harder to secure, as well as posing a privacy risk.

Advocates of updating CALEA say it should apply to encrypted VoIP channels, P2P and instant mobile messaging services to help fight organised crime and terrorism.

The FBI is still arguing that the internet is going dark to them, thanks to encryption technologies which render valid wiretapping warrants useless in many cases.

Computer scientists argue that the opposite is closer to the truth: information about people's movements and communications is more freely available than ever before, thanks to social networking and smartphones.

Through various moves such as the proposed "CALEA II" law, agencies in the United States are getting closer and closer to achieving their goal of real-time tapping of online communications.

So some would correctly argue that we are living in a golden age of state surveillance, and that the trend will most likely increase going forward.

Some critics also point out that CALEA-style intercept systems have been abused in the past, and that this will probably get worse before it gets any better.

For example, unknown eavesdroppers tapped the mobile phones of the Prime Minister of Greece, Kostas Karamanlis, his cabinet ministers and senior security officials for about nine months between June 2004 and March 2005, around the time of the Athens Olympics. It took at least a year before any of this came to light.

The eavesdroppers exploited the lawful-intercept capability built into Vodafone Greece's Ericsson switches (the same class of function CALEA mandates in the U.S.) to plant rogue software that silently relayed conversations to no fewer than fourteen shadow pay-as-you-go mobile phones.

The Greek newspaper Kathimerini revealed two years ago that four of those phones had originally been purchased by the U.S. embassy, although the eavesdroppers themselves were never traced.

In a similar case, AT&T's CALEA intercept controls ran through a Solaris server that was rooted by hackers, giving the intruders the ability to tap into calls.

Critics of CALEA also point out that if endpoint wiretaps were mandated in the U.S., there would be nothing to stop software developers creating non-compliant software elsewhere, and then releasing it as open source code.

Also, there would be no way of preventing this technology from being imported into the U.S. and rendering the whole proposal largely pointless, at least when applied against criminals and terrorists.

In that scenario, only the general population and corporate executives would be left using software that is easier for hostile parties to wiretap, the cryptographers warn.

Expanding CALEA mandates in the way the FBI wants amounts to developing, on behalf of adversaries, capabilities that they may not have the competence, access or resources to develop on their own. In that sense, an endpoint wiretap mandate under CALEA II would lower the already low barriers to successful attacks.

The critics conclude that, on balance, mandating that endpoint software vendors build intercept functionality into their products would be far more costly to personal, economic and governmental security than the risk of not being able to wiretap every communication.

Weakening device security makes users more vulnerable to criminals and spies without really inconveniencing terrorists or fraudsters, and that holds even for those who trust U.S. government agencies not to abuse expanded wiretap powers.

"The plan would endanger the security of users in the United States and the competitiveness of companies all across the nation, without making it much more difficult for criminals to evade wiretaps," said Princeton computer scientist Edward Felten.

In other internet security news

It was revealed this morning that the Stuxnet worm may actually have helped Iran's controversial nuclear program move forward.

Critical internet-facing industrial systems controlling crucial equipment used by nuclear power plants, airports, factories and other sensitive systems are still subjected to sustained attacks within a few hours of appearing online, according to new research by Trend Micro.

The security weaknesses of SCADA (supervisory control and data acquisition) industrial control systems are numerous, and have been a major focus of interest in information security circles for the last three years or so, thanks to Stuxnet, Duqu and similar noteworthy malware.

A security expert has challenged a theory of how the infamous Stuxnet worm, best known for sabotaging Iranian centrifuges, escaped onto the internet. New York Times reporter David Sanger wrote what has become the definitive account of how Stuxnet was jointly developed by a U.S. and Israeli team. The malware was deployed to sabotage high-speed centrifuges at Iran's uranium enrichment plant at Natanz by infecting and commandeering the site's control systems.

According to Sanger's sources, an Iranian technician's laptop was plugged into a Stuxnet-sabotaged centrifuge device and was almost immediately infected by the malfunctioning equipment.

The news that the Stuxnet worm may have helped Iran is according to a report published by the Royal United Services Institute, an influential defence think tank operating in Britain.

Stuxnet infected many systems at Iran's uranium enrichment facility at Natanz in 2009 and 2010, hobbling high-speed centrifuges after infecting computers connected to various SCADA industrial control systems at the plant.

The attack, seen as an alternative to a military strike against the facility, is credited with setting Iran's nuclear programme back by eighteen months to two years.

The malware worked by infiltrating the SCADA systems used to run the high-speed gas centrifuges. It then surreptitiously sped the rotors up and slowed them down, while reporting normal readings to operators, to induce seemingly random but frequent failures.

But a journal article published by the Royal United Services Institute claims that Iranian authorities redoubled their efforts after Stuxnet was discovered, so that production of fissile material went up - rather than down - a year after the SCADA-busting worm was discovered.

The malware acted as a wake-up call that prompted the Iranians to throw more resources at their nuclear project, bonded personnel together and prompted security audits that uncovered serious weaknesses that might otherwise have gone unnoticed, the Daily Telegraph also reported.

In 2012, leaks from the White House revealed its role in developing Stuxnet as part of a wider U.S.-Israeli effort, codenamed Operation Olympic Games, that began under President George W. Bush. Public revelation of that role thwarted the slim possibility of a diplomatic resolution of Iran's nuclear ambitions and pushed the country closer to a war footing with Israel.

The Washington-based Institute for Science and International Security claimed in February 2011 that Stuxnet likely destroyed about 1,000 IR-1 centrifuges, out of 9,000 deployed at Natanz.

Yet Ivanka Barzashka, an academic at King's College in London, who penned the RUSI article, says that the initial impact of the worm has been overestimated by those left somewhat awestruck by the effect of the world's first cyber-weapon.

"While Stuxnet may have had the potential to seriously damage Iranian centrifuges, evidence of the worm’s impact is circumstantial and inconclusive," wrote Barzashka in the RUSI journal.

"Related data shows that the 2009 version of Stuxnet was neither very effective nor well-timed and, in hindsight, may have been of net benefit to Iran," she added.

Barzashka's analysis is primarily based on publicly available data from the International Atomic Energy Agency. Tehran decommissioned and replaced about 1,000 high-speed IR-1 centrifuges at its fuel enrichment plant at Natanz over just a few months starting late in 2009.

However, since August 2010 the number of operational machines at Natanz has been growing steadily, as Barzashka writes in her study: "Iran began enrichment to 20 percent in one IR-1 cascade at the Pilot Fuel Enrichment Plant at Natanz in February 2010, ostensibly to manufacture its own fuel for the Tehran Research Reactor, which is used to produce medical isotopes. This development shows that Iran was able to successfully install and operate new machines in early 2010, between the first and second Stuxnet attack waves. If Stuxnet was the cause of the drop in machine numbers at block A26, it had no effect on Iran's ability to operate and install new IR-1 centrifuges several months later."

The Natanz fuel enrichment plant began operation in February 2007, but prior to Stuxnet it could only produce enrichment levels of about 3.5 percent, which is suitable only as low-enriched reactor fuel.

Barzashka explained that IAEA physical inventory data on the number of centrifuges installed at the Iranian facility are potentially misleading because machines have constantly been installed and upgraded over time.

"Specific calculations reveal that performance at the FEP – measured as separative capacity – has increased every year since the beginning of operations in 2007," she writes. "Data for the 2010 reporting period – from November 22, 2009 to November 21, 2010 – are no exception."

In fact, uranium-enrichment capacity actually grew during the time that Stuxnet was said to have been destroying Iranian centrifuges.

Barzashka concluded: "Iran produced more enriched uranium, more efficiently. The entire plant's separative capacity per day increased by about 40 percent, despite the fluctuations in centrifuge numbers. In January 2010, Iran was running 1,148 centrifuges fewer than it had operating seven months earlier, in May 2009," she said.

"In August 2010, IAEA inspectors counted the same number of machines as in August 2008, giving rise to the probable source of the claim that Stuxnet set back Iran's enrichment programme by two years," she added.

However, both of these raw numbers are misleading, according to the defence analyst. Barzashka says that while Stuxnet might have temporarily slowed Iran, at least in 2009, its operations emerged in fact stronger from the aftermath of the worm.

Its technicians improved centrifuge performance and went on to achieve higher enrichment levels and greater volumes of enriched uranium than before.

Worse, the Iranians are far more wary about - and in fact better prepared to defend against - future cyber-attacks against their nuclear facilities by possible successors to Stuxnet.

"As a result, Iran's uranium-enrichment capacity increased and, consequently, so did its nuclear weapons potential," Barzashka wrote. "The malware - if it did in fact infiltrate Natanz - has made the Iranians more cautious about protecting their nuclear facilities.

"The malware didn't set back Iran's enrichment program, though perhaps it might have temporarily slowed down Iran's rate of expansion. Most importantly, Stuxnet or no Stuxnet, Iran's uranium enrichment capacity increased and, consequently, so did its nuclear weapons potential," she concludes.

Former Foreign Secretary Malcolm Rifkind criticized Barzashka's report before stressing that bilateral diplomatic talks between the U.S. and Iran remain the best method to address Iran's nuclear ambitions.

"Part of the objective of many people in the international community has been to stop, or if you can't stop, to slow down the Iranian nuclear program," said Rifkind, chairman of Parliament's Intelligence and Security Committee in the U.K.

"In so far as Stuxnet may have done that, and I emphasise may have done that, it was a plus," he added. "What is undoubted is that Stuxnet significantly slowed down the enrichment process."

In other internet security news

The Financial Times website this afternoon was hijacked by pro-government hackers from a group that calls itself the 'Syrian Electronic Army'. The site and its Twitter account were both compromised to run stories headlined "The Syrian Electronic Army Was Here" and "Hacked by the Syrian Electronic Army".

And while all of this was happening, the Technology News, FT Media and FT Markets' Twitter feeds were seized by miscreants, who posted web links to disturbing YouTube videos of jihadis executing several men by a firing squad.

The website has since been cleaned up, but the Twitter accounts still remain compromised nevertheless. The attack is the latest in a series of high-profile hacking attacks against several media organizations by hackers apparently in favor of Syrian president Bashar al-Assad.

The so-called electronic army has disrupted the online operations of The Guardian, Associated Press, the BBC and even the satirical newspaper The Onion.

Tech staff at The Onion published an informative postmortem after the attack, revealing that its email accounts were infiltrated through a multi-stage phishing campaign, a raid that gave the hackers control of the publication's social networking pages.

The techniques used against the FT are unclear at the time of writing, while a full-fledged investigation is ongoing. Internet security firm Arbor Networks said Twitter's anticipated introduction of two-factor authentication ought to curtail, if not eliminate, this sort of account hijacking.

Dan Holden, director of research at Arbor, commented-- "Twitter recently announced a few plans to introduce two factor authentication, which is a big step forward from a security perspective. As this particular event clearly demonstrates, the human element is often the weakest link in any security solution, and this is no exception."

"Given similar attacks in recent weeks against the Guardian in the United Kingdom and The Onion in U.S., these attacks seem to be very targeted. Organizations should put processes in place to ensure that their staff are trained on best practices and have the support and training needed to allow them to follow these practices easily during their normal working routine. Ideally, network monitoring solutions should also be put in place to alert an organization when a user system connects to a known bad actor on the internet as this may indicate a compromise, allowing remedial action to be taken before there is any business impact," he added.
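The monitoring control Holden describes, alerting when an internal host contacts a known bad actor, is easy to prototype against the logs an outbound proxy already produces. The script below is an added example, not code from the original article or from Arbor Networks: it parses a few constructed Squid-style access log lines against a constructed indicator list (the blocklisted domains and the 198.51.100.0/24 network are hypothetical, drawn from documentation address space) and reports each client that touched an indicator. It matches domains by label suffix rather than substring, checks CONNECT tunnels that carry only host:port, and also inspects the peer address actually contacted so that a blocklisted IP behind an innocent-looking hostname is still caught.

```python
"""Flag outbound proxy connections to known-bad hosts (added example)."""
import ipaddress
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed, hypothetical indicators; a real deployment would load these
# from a threat-intelligence feed rather than hard-code them.
BAD_DOMAINS = {"login-verify-ft.example", "cdn-updates.example"}
BAD_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample lines in Squid native access.log format:
# time elapsed client action/code bytes method url ident hierarchy/peer type
SAMPLE_LOG = """\
1369142400.123    245 10.0.0.15 TCP_MISS/200 5120 GET http://www.ft.com/home - DIRECT/203.0.113.10 text/html
1369142401.456    130 10.0.0.22 TCP_MISS/302 420 POST http://mail.login-verify-ft.example/reset - DIRECT/198.51.100.77 text/html
1369142402.789     88 10.0.0.22 TCP_TUNNEL/200 0 CONNECT 198.51.100.5:443 - DIRECT/198.51.100.5 -
1369142403.001    300 10.0.0.31 TCP_MISS/200 2048 GET http://docs.example.org/policy.pdf - DIRECT/192.0.2.8 application/pdf
1369142404.250    410 10.0.0.40 TCP_MISS/200 77824 GET http://static.example.net/update.bin - DIRECT/198.51.100.200 application/octet-stream
"""


def host_of(method: str, url: str) -> str:
    """Destination host from the URL field; CONNECT carries bare host:port."""
    if method == "CONNECT":
        return url.rsplit(":", 1)[0].strip("[]").lower()
    return (urlsplit(url).hostname or "").lower()


def domain_matches(host: str) -> bool:
    """True if host equals a listed domain or is a subdomain of one.

    Comparing whole label suffixes avoids false positives such as
    'notlogin-verify-ft.example' matching 'login-verify-ft.example'.
    """
    labels = host.split(".")
    return any(".".join(labels[i:]) in BAD_DOMAINS for i in range(len(labels)))


def ip_matches(addr: str) -> bool:
    """True if addr is an IP literal inside a blocklisted network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames and garbage are not IP indicators
    return any(ip in net for net in BAD_NETWORKS)


def classify(host: str) -> Optional[str]:
    """Reason string if the requested host hits an indicator, else None."""
    if domain_matches(host):
        return f"domain {host} on blocklist"
    if ip_matches(host):
        return f"ip {host} in blocked network"
    return None


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, destination, reason) for every line touching an indicator."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue  # malformed line: skip it rather than crash the scan
        client, method, url, peer = fields[2], fields[5], fields[6], fields[8]
        host = host_of(method, url)
        reason = classify(host)
        if reason is None:
            # The hierarchy field records the address actually contacted
            # (DIRECT/<ip>), which catches a bad IP behind a clean hostname.
            peer_ip = peer.split("/", 1)[-1]
            if ip_matches(peer_ip):
                reason = f"connected to {peer_ip} in blocked network"
        if reason:
            alerts.append((client, host, reason))
    return alerts


if __name__ == "__main__":
    for client, dest, why in scan(SAMPLE_LOG):
        print(f"ALERT client={client} dest={dest}: {why}")
```

Run against the constructed log, the scan flags the two requests from 10.0.0.22 (a phishing-style domain and a tunnel straight to a blocklisted IP) and the download by 10.0.0.40 whose hostname looks harmless but resolved into the blocked network; 10.0.0.15 and 10.0.0.31 are left alone. Feeding the alerts into a ticketing or SIEM queue is what turns this into the early warning Holden has in mind.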

In other internet security news

According to e-Skills UK, the sector skills council for IT, just seven percent of all computer and internet security professionals are aged between 20 and 29. e-Skills sees apprenticeships as a vital way of bringing young people into this critical segment of the industry and helping to counter the constantly escalating online threats facing the enterprise.

The skills body is working with a number of British companies, including privatized defense scientists at QinetiQ, and engineers at British Telecom, IBM, Cassidian, the CREST Group and disability benefit assessors Atos.

The new initiative is an effort to develop nationally available degree-level apprenticeships in the field of computer and internet security.

Just like trade apprenticeships, these positions will be offered with competitive salaries and will give young people a chance to build a strong and promising career while earning industry certifications.

Coordinated by the National Skills Academy for IT, the apprenticeships will be created later this year. The goal is to provide the sort of useful skills in demand from employers, while attracting women and other groups who are currently under-represented in the computer security industry.

Paul Thorby, technical and strategy director at QinetiQ and Chair of the employer group says: "QinetiQ is pleased to be driving this partnership with e-skills and other industry employers in the United Kingdom to shape new career development opportunities for our next generation of cyber professionals."

Specializing in defense technology, Qinetiq knows very well the risks of inadequate digital defense methods, having been repeatedly targeted by Chinese hackers over a three-year period.

"There are currently just a few structured routes for young people to enter the cyber security work sector", said Bob Nowill, director of cyber security at British Telecom.

"We are pleased to be contributing to this opportunity to proactively grow new talent which is directly aligned to the needs of industry,” he added.

The new program will be supported by the U.K. Commission for Employment and Skills, a taxpayer-funded operation set up to offer the British government advice on skills and employment in the country.

In other internet security news

For more times than it probably cares to remember, China has been singled out by the United States and its allies as one of biggest source of internet hacking attacks. But amid all the anti-China rhetoric, has China been given an unfairly bad name in all of this?


Source: The Communications Assistance for Law Enforcement Act.

Copyright © Internet    Terms of use    Privacy agreement    Legal disclaimer
