Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

Category Archives: PC Security

What Every Librarian Needs to Know About HTTPS

EFF – “Librarians have long understood that to provide access to knowledge it is crucial to protect their patrons’ privacy. Books can provide information that is deeply unpopular. As a result, local communities and governments sometimes try to ban the most objectionable ones. Librarians rightly see it as their duty to preserve access to books, especially banned ones. In the US this defense of expression is an integral part of our First Amendment rights. Access isn’t just about having material on the shelves, though. If a book is perceived as “dangerous,” patrons may avoid checking it out, for fear that authorities will use their borrowing records against them. This is why librarians have fought long and hard for their patrons’ privacy. In recent years, that include Library Connection’s fight against the unconstitutional gag authority of National Security Letters and, at many libraries, choosing not to keep checkout records after materials are returned. However, simply protecting patron records is no longer enough. Library patrons frequently access catalogs and other services over the Internet. We have learned in the last two years that the NSA is unconstitutionally hoovering up and retaining massive amounts of Internet traffic. That means that before a patron even checks out a book, their search for that book in an online catalog may already have been recorded. And the NSA is not the only threat. Other patrons, using off-the-shelf tools, can intercept queries and login data merely by virtue of being on the same network as their target. Fortunately, there is a solution, and it’s getting easier to deploy every day. HTTPS, the secure version of HTTP, encrypts all traffic between a web browser and a server. The conventional wisdom of the 1990s was that HTTPS was only necessary to protect credit card numbers and passwords. But that opinion has changed for two reasons: First, it’s become clear how frequently information is spied on for non-financial reasons, and second, improved algorithms and processing speeds have made HTTPS dramatically cheaper. For instance, Google reported only a 1% increase in CPU costs from deploying HTTPS. The other former cost of HTTPS, obtaining a certificate, has gone from very expensive to completely free over the last decade. It can be complicated to obtain and configure even a free certificate, but EFF, Mozilla, and several other organizations are working to eliminate the hassle with a new project called Let’s Encrypt, which will offer certificates that are both free and easy to set up. To celebrate the American Library Association’s Choose Privacy Week, EFF offers five recommendations for libraries..”

The Spy in the Sandbox – Practical Cache Attacks in Javascript

The Spy in the Sandbox — Practical Cache Attacks in Javascript. Yossef Oren, Vasileios P. Kemerlis, Simha Sethumadhavan, Angelos D. Keromytis (Submitted on 25 Feb 2015 (v1), last revised 1 Mar 2015 (this version, v2)) “We present the first micro-architectural side-channel attack which runs entirely in the browser. In contrast to other works in thisContinue Reading

House Reconsiders Data Breach Bill

EPIC – “Members of the Energy and Commerce Committee have convened to rework the Data Security and Breach Notification Act. The Act, introduced by Reps. Blackburn and Welch, would require businesses to notify consumers of a data breach “unless there is no reasonable risk of identity theft or financial harm.” The bill would also preemptContinue Reading

CRS – Cyberwarfare and Cyberterrorism

Cyberwarfare and Cyberterrorism: In Brief, Catherine A. Theohary, Specialist in National Security, Policy and Information Operations. John W. Rollins, Specialist in Terrorism and National Security. March 27, 2015. “Recent incidents have highlighted the lack of consensus internationally on what defines a cyberattack, an act of war in cyberspace, or cyberterrorism. Cyberwar is typically conceptualized asContinue Reading

Even more unwanted software protection via the Safe Browsing API

Google Online Security Blog: ” Deceptive software disguised as a useful download harms your web experience by making undesired changes to your computer. Safe Browsing offers protection from such unwanted software by showing a warning in Chrome before you download these programs. In February we started showing additional warnings in Chrome before you visit aContinue Reading

The Emergence of Cybersecurity Law

Prepared for the Indiana University Maurer School of Law by Hanover Research | February 2015 “This paper examines cyberlaw as a growing field of legal practice and the roles that lawyers play in helping companies respond to cybersecurity threats. Drawing on interviews with lawyers, consultants, and academics knowledgeable in the intersection of law and cybersecurity,Continue Reading

Report – Largest global manufacturer of SIM cards hacked

The Intercept – Jeremy Scahill and Josh Begley – “American and British spies hacked into the internal computer network of the largest manufacturer of SIM cards in the world, stealing encryption keys used to protect the privacy of cellphone communications across the globe, according to top-secret documents provided to The Intercept by National Security AgencyContinue Reading

Paper – The Quest to Replace Passwords

The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes, by Joseph Bonneau, Cormac Herley, Paul C. van Oorschot, Frank Stajano. “We evaluate two decades of proposals to replace text passwords for general-purpose user authentication on the web using a broad set of twenty-five usability, deployability and security benefits that anContinue Reading

Hearing Before the Senate On Protecting America from Cyber Attacks: The Importance of Information Sharing

CDT – “Greg Nojeim’s testimony for the January 28th hearing before the Senate Homeland Security and Government Affairs Committee on Protecting America from Cyber Attacks. He will explain how Congress can embrace cybersecurity information sharing policies with appropriate authorities and safeguards that enhance both privacy and security, first describing the cybersecurity threat then identifying different approachesContinue Reading

Prying Eyes: Inside the NSA’s War on Internet Security

By SPIEGEL Staff: “…Software giant Microsoft, which acquired Skype in 2011, said in a statement: “We will not provide governments with direct or unfettered access to customer data or encryption keys.” The NSA had been monitoring Skype even before that, but since February 2011, the service has been under order from the secret US ForeignContinue Reading

Congress Tells DoD to Report on Leaks

Secrecy News – Steven Aftergood: For the next two years, Congress wants to receive quarterly reports from the Department of Defense on how the Pentagon is responding to leaks of classified information. The reporting requirement was included in the pending National Defense Authorization Act for FY 2015 (Sec. 1052). “Compromises of classified information cause indiscriminate andContinue Reading

Regin: Top-tier espionage tool enables stealthy surveillance

Symantec Security Response: ” An advanced spying tool, Regin displays a degree of technical competence rarely seen and has been used in spying operations against governments, infrastructure operators, businesses, researchers, and private individuals.  An advanced piece of malware, known as Regin, has been used in systematic spying campaigns against a range of international targets since atContinue Reading