Thursday 31 May 2007, 1:26 PM
Google privacy policy 'is vague'
Speaking to the BBC, Peter Fleischer, Google's global privacy counsel, has said that elements of Google's privacy policy are 'vague' and need to be made more precise in response to European Union privacy concerns.
An influential European Union group of privacy experts -- the Article 29 Working Group -- published a letter to Google on 16 May outlining privacy concerns over the length of time Google will hold personally identifiable data as part of its European data processing activities.
Previously Google had no privacy policy on how long it would keep such data -- meaning in theory it could hold personally identifiable server log data indefinitely.
In March, Fleischer announced that Google would still keep its server log data but that it would make it "much more anonymous, so that it can no longer be identified with individual users, after 18–24 months."
The Article 29 Working Group was concerned that the "storage period of 18 to 24 months on the basis indicated by Google thus far, does not seem to meet the requirements of the European legal data protection framework."
Meanwhile, the US Federal Trade Commission has antitrust concerns over Google's purchase of internet advertising firm DoubleClick.
Tuesday 29 May 2007, 5:29 PM
US military warns of China electronic warfare capability
The US Department of Defence has warned of China's increasingly complex electronic warfare capabilities.
In its 2007 report to Congress entitled "Military Power of the People’s Republic of China", the US military said that the People's Liberation Army (PLA) is continuing to invest in both computer network defences and exploitation, known as computer network operations (CNO).
"China's CNO concepts include computer network attack, computer network defense, and computer network exploitation. The PLA sees CNO as critical to achieving 'electromagnetic dominance' early in a conflict," said the report.
According to the US military, the PLA has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly systems and networks. In 2005, the PLA began to incorporate offensive CNO into its exercises, primarily in first strikes against enemy networks.
While these capabilities could also be harnessed for industrial espionage, security experts pointed out that businesses in theory were at risk from spying by all countries with a national security agency.
"The Americans, the British, the French, the Israelis -- everyone is looking for stuff travelling the wires," said a senior source at security company Symantec. However, the source said that it was just another security concern for companies, and that the threat could be overplayed. "There's also a certain amount of FUD [fear, uncertainty, doubt]."
Tuesday 29 May 2007, 12:14 PM
Germany passes 'anti-hacking tools' law
Germany has toughened up its cybercrime laws in an effort to close loopholes, including those dealing with denial of service attacks.
However, the law, passed on Friday, has drawn criticism for allegedly making illegal the development of dual-purpose tools -- programs that can be used for both security research and for hacking.
An amendment to the UK Computer Misuse Act passed in November drew similar criticisms from UK security experts.
On the German law, heise Security and Ars Technica have gone into the dual-purpose tools angle in more depth, while Computerworld UK has more on the law.
Tuesday 29 May 2007, 11:22 AM
Google: 'Personalised search does raise privacy issues'
Google's global privacy counsel Peter Fleischer has said that Google's personalised search plan does raise privacy issues.
Writing in the Financial Times on Friday, Fleischer said:
"...personalised search does raise privacy issues. In order for it to work, search engines must have access to your web search history. And there are some people who may not want to share that information because they believe it is too personal. For them, the improved results that personalised search brings are not matched by the 'cost' of revealing their web history."
Fleischer argues that Google can handle this privacy issue by asking users if they want to opt in to the service when they open an account.
Friday 25 May 2007, 3:58 PM
FBI network security slammed
The FBI has been given a dressing down by the US Government Accountability Office (GAO) over its network security.
In a report entitled "FBI Needs to Address Weaknesses in Critical Network", the GAO said that the FBI was not doing enough to guard its law enforcement data from insider threats.
The GAO had this to say about the spooks' security systems:
"Certain information security controls over the critical internal network reviewed were ineffective in protecting the confidentiality, integrity, and availability of information and information resources.
Specifically, FBI did not consistently
(1) configure network devices and services to prevent unauthorized insider access and ensure system integrity;
(2) identify and authenticate users to prevent unauthorized access;
(3) enforce the principle of least privilege to ensure that authorized access was necessary and appropriate;
(4) apply strong encryption techniques to protect sensitive data on its networks;
(5) log, audit, or monitor security-related events;
(6) protect the physical security of its network; and
(7) patch key servers and workstations in a timely manner.
Taken collectively, these weaknesses place sensitive information transmitted on the network at risk of unauthorized disclosure or modification, and could result in a disruption of service, increasing the bureau’s vulnerability to insider threats."
In a press release responding to the GAO criticisms, John Miller, FBI assistant director for public affairs, admitted that the dressing down was valid, but said the FBI was already taking action on it:
"The majority of the issues and recommendations brought up in the GAO report have been previously identified by the FBI through our own audits and internal controls. The report omitted the fact that the FBI already has corrective action plans in place that proactively and aggressively address information security issues," said Miller.
Considering the number of attacks against governmental systems by hackers and by other governments, I wonder how much information has been compromised?

