Wednesday, July 31, 2013

NSA chief addresses hackers as lawmakers grill underlings

NSA Director Gen. Keith Alexander is interrupted during a speech in Las Vegas Wednesday as he was talking about government surveillance programs.


While intelligence officials briefed lawmakers on Capitol Hill about the country’s secret data-collecting programs, the nation’s top snoop met an even more critical audience Wednesday: Hackers.

Gen. Keith Alexander, the embattled head of the U.S. National Security Agency, spoke to a tech-savvy and somewhat hostile crowd gathered at the Black Hat conference in Las Vegas, Nev. — where he unapologetically defended wide-ranging intelligence gathering programs.

“You’re the greatest gathering of technical talent anywhere in the world, if we can make this better, the whole reason I came here was to ask you to help us make it better,” Alexander appealed to the crowd. “And if you disagree with us, you should work twice as hard.”
 
“Read the Constitution!” an audience member shot back at him.
 
“I have, you should too,” the general responded to large applause.

At another point, a conference attendee yelled, “Bulls---!” after the NSA chief said his spy agency stands for freedom.

Alexander also insisted that oversight and strict regulation of the telephone and electronic monitoring programs meant someone was watching the watchers and keeping them in check.

“The assumption is that people are out there just wheeling and dealing, and nothing could be further from the truth,” Alexander told the crowd. “We have tremendous oversight in these programs … You know that we can audit the actions of our people 100 percent in this case, and we do that.”

Though the nearly hour-long speech was tense at times, it ended with hearty applause and many Twitter thank-yous from attendees who respected Alexander for the visit into unfriendly territory.

But Alexander wasn’t the only intelligence official facing a tough crowd on Wednesday. In Washington, other NSA officials testified before a skeptical Senate Judiciary Committee, which harshly criticized the agency’s sweeping domestic surveillance powers.

The hearings began as the Director of National Intelligence declassified documents relating to the government’s collection of telephone data, one of the wide-ranging surveillance programs that brought global outcry over privacy concerns after being thrust into the public spotlight by Snowden.
The documents, which in some places are heavily redacted, were released “in the interest of increased transparency,” the office of the Director of National Intelligence said in a statement.

Deputy Director John Inglis told the Congress that no one has been disciplined over the former security contractor's leak and his ability to take large amounts of classified data from agency computers. 
"No one has offered to resign. Everyone is working hard to understand what happened,'' Inglis said.
The three newly released documents include the 2009 and 2011 reports on the government’s “Bulk Collection Program” under the Patriot Act. The other record made public was an order from the Foreign Intelligence Surveillance Court detailing how data should be gathered and stored.
 
"The custodian of records of [redacted] shall produce to NSA upon service of the appropriate secondary order, and continue production on an ongoing daily basis thereafter for the duration of this order," the primary order reads. 
  
It originally was not set to be declassified until April 12, 2038.

Snowden offered details to news agencies about a court order calling for Verizon to hand over Americans' phone records and the existence of a program called Prism, which collects bulk data of foreign citizens who are suspected to be involved with terrorist organizations.

The declassified documents also contain information about government efforts to gather intelligence on electronic communications. The Dec. 4, 2009 report to the House Intelligence Committee shows that for years the NSA has been collecting records of all Americans' emails, including the sender, recipient and time of day the emails were sent.

However, the content of those communications has not been collected, according to the report.
Officials have previously acknowledged the bulk collection of emails was terminated in December 2011 after questions arose about its usefulness.

The 2009 document also notes that the collection of phone and email data is “some of the most sensitive” intelligence gathering programs conducted by the government, and warns members of Congress that public disclosure of their existence would cause “exceptionally grave” damage to national security.

The report then describes both the telephone and email efforts as programs that "operate on a very large scale" and had been authorized by the Foreign Intelligence Surveillance Court under regular  day orders.

In addition to the bulk collection of telephone records under the Patriot Act, the report states that another legal authority -- called the "pen register" provisions of the Foreign Intelligence Surveillance Act -- authorized the government "to collect similar kinds of information about electronic communications."

These electronic communications are described in the report as "the 'to' and 'from' lines in email and time an email is sent -- excluding the content of the email and the 'subject' line."

The report adds: "Again, this information is collected pursuant to court order (generally last 90 days) and, under relevant court decisions, is not protected by the Fourth Amendment."
 
Both the documents from 2009 and 2011 acknowledge there had been "compliance" problems  with both programs.
 
The 2009 report states that the problems "generally involved the implementation of highly sophisticated techniques"  that  "in some instances, resulted in the automated tools operating in a manner that was not completely consistent" with court orders.

The problems prompted the NSA to create an "Office of Compliance" to address the problems, the 2009 report states.

The documents also reference security contractors like Snowden, saying that “appropriately trained and authorized technical personnel” may access the government data.

Snowden, who remains stuck at an airport in Moscow awaiting an asylum request to the Russian government, has said he accessed information of the government’s massive intelligence gathering programs while working at intelligence contractor Booz Allen Hamilton.

Also on Wednesday, the British newspaper The Guardian revealed more information about an NSA spying program known as “Xkeyscore,” which the paper reports allows analysts to search through huge databases including emails, online chats and internet history with no prior authorization. The German magazine Der Spiegel first revealed the program’s existence and that Germany’s foreign intelligence service and its domestic intelligence agency were utilizing it.

Last week the House narrowly rejected a proposal that would have severely restricted the NSA’s ability to collect phone records, with some of Congress’ most liberal and conservative members voting in accord.

Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., pressed intelligence officials for hard numbers on how many potential terror plots have actually been foiled by the call-tracking database, known as Section 215 after the Patriot Act provision that authorizes it.

Leahy said he was “far from convinced” that the intelligence officers know how many attacks have been thwarted by the collection of phone records.

He also criticized the documents made public Wednesday for containing little rationale behind the legalization of the program.

NBC's Jim Miklaszewski, Courtney Kube and Reuters contributed to this report. 
 
TGI Fridays in NJ fined $500K for switching booze: Associated Press

Tuesday, July 30, 2013

Bagged salad caused parasite outbreak, states say



Health officials in Iowa and Nebraska on Tuesday tagged prepackaged salad mix as the source for an outbreak of parasite-borne food poisoning in those states even as federal officials worked to see if the conclusion applies elsewhere as well.

Iowa's top food inspector, Steven Mandernach, said that bagged salad was behind the cyclospora outbreak that has sickened at least 143 people in that state and another 78 in Nebraska. Overall, at least 372 people in 15 states have been sickened by the rare parasite since June.

"The evidence points to a salad mix containing iceberg and romaine lettuce, as well as carrots and red cabbage as the source of the outbreak reported in Iowa and Nebraska," said Mandernach, chief of the Food and Consumer Safety Bureau of the Iowa Department of Inspections and Appeals. "Iowans should continue eating salads as the implicated prepackaged mix is no longer in the state's food supply chain."

Nebraska officials also confirmed the source, a spokeswoman said, but neither state would name the brand or the producer of the bagged salad mix -- and they would not say whether it was an imported or domestic product.

But it wasn't yet clear whether the packaged salad was linked to other infections in other states, officials with the Food and Drug Administration and the Centers for Disease Control and Prevention said. At least 21 people have been hospitalized in connection with the outbreak.
 
Bagged salad contaminated with the rare parasite cyclospora appears to be the source of a food poisoning outbreak in Nebraska and Iowa.
 
"FDA is following the strongest leads provided by the states and has prioritized ingredients of the salad mix identified by Iowa for traceback investigation, but is following other leads as well," agency officials said in a statement Tuesday.
CDC officials said they would continue to work with federal, state and local partners "to determine whether this conclusion applies to the increase in cases of cyclosporiasis in other states." It is not yet clear whether the cases reported in the various states are all part of the same outbreak, the agencies added.
Iowa investigators found that the salad mix from a single source was a common exposure in 80 percent of the cases, officials said. In Nebraska, 85 percent of the cases had a link to prepackaged salad mix, said Leah Bucco-White, a state spokeswoman. Officials would not say why they're withholding the brand of the salad, who made it and where it's sold.

Gathering the information was challenging because most of the sick people ate the salad mix during the past several weeks and by the time the parasitic illness was identified, most of the product was no longer on store shelves, Iowa officials said. In addition, it can take a week or more after eating contaminated foods for people to develop symptoms of cyclospora infection.

Cyclospora is a rare parasite typically spread by feces in contaminated food or water. It causes lingering diarrhea and other flu-like symptoms. It can be treated with common antibiotics, but the test to confirm cyclospora infection isn't commonly performed and must be specially requested.

Iowa officials said they would continue working with other states, the FDA and the CDC as the investigation continues. Health departments reporting illnesses include those in Iowa, Nebraska, Texas, Wisconsin, Arkansas, Connecticut, Florida, Georgia, Illinois, Kansas, Minnesota, Missouri, New Jersey, New York, New York City and Ohio.

JoNel Aleccia is a senior health writer with NBC News. You can reach her on Twitter at @JoNel_Aleccia or send her an email.

Monday, July 29, 2013

                            

Jury hands woman $18.6M over screwed-up credit history

Score one for the folks convinced their credit history is ruining their lives. In the lawsuit she filed against credit reporting agency Equifax, Julie Miller contended that the company's incorrect information, including such basic details as her birthday and Social Security number, had left her un-creditworthy — making her unable to assist her disabled brother and her husband with their financial problems. An Oregon jury has agreed, and on Monday they awarded Miller $18.6 million. Miller tried eight times to have her report corrected before filing suit in 2011. The verdict, unsurprisingly, is considered likely to be appealed.

Fed-up doctors are fleeing Medicare

The 10 biggest food label lies

9/11 photo nearly excluded from museum for being too pro-American

Check out this great MSN video - Mind-controlled wheelchair

Tuesday, July 23, 2013

Day-care teacher fired up after she's fired for putting out fire

     
Still of Michelle Hammack after being fired - Action Jax News, http://aka.ms/teacherfired


 
Michelle Hammack was in her day-care classroom in Arlington, Fla., when she smelled smoke. Her young charges were napping, so she slipped out to investigate, discovering a fire in the facility's oven. As the alarms shrieked, Hammack quickly got her kids out of the building, helped other teachers with head counts, then ran back in to ensure all of the students were outside. Shortly after the fire was extinguished (Hammack did that, too, before the firetrucks arrived), she lost her job. Day-care owner Olga Rozhaov fired Hammack for leaving her students alone in the classroom. "Even though children are sleeping, the teachers are supposed to be there," Rozhaov said. "If anybody else does the same thing, I will fire again." 

How big banks raised the price of a 6-pack

MillerCoors says financial institutions' stockpiles of aluminum have created false shortages and driven up costs.

 
 
 
Man holding a can of Pabst Blue Ribbon (© Jeremy Hogan/Alamy)

When banks' financial chicanery resulted in Bear Stearns' and Lehman Bros.' collapse, a crushing recession and the wholesale loss of jobs, the nation's response ranged from folks exiting the workforce to activists pitching tents and occupying public spaces.

What will the response be now that the banks may have driven up the price of beer?

As the Senate banking committee listens to testimony related to the London Metal Exchange and banks' ownership of warehousing companies and their influence on aluminum prices, the beer industry says such maneuvering spiked global aluminum costs by $3 billion in the past year. Considering nearly a quarter of beer costs come from packaging, that's no small drop in the pint glass.

Tim Weiner, a global risk manager at MillerCoors, told the committee Tuesday that banks including Goldman Sachs, JP Morgan Chase and others gave warehouse owners approval to sit on huge stockpiles of aluminum, create artificial shortages and leave prices "inflated relative to the massive oversupply and record production."

MillerCoors, a U.S. joint venture between SABMiller and MolsonCoors, puts about 36 million barrels of the 59 million barrels of beer it produces each year into cans. As overhead goes, Weiner says, metal is the company's riskiest investment.

"We are challenged in managing our aluminum costs due to these LME warehouse practices," Weiner said in prepared remarks. "The aluminum we are purchasing is being held up in warehouses controlled and owned by U.S. bank holding companies, who are members of the LME, and set the rules for their own warehouses."

MillerCoors isn't the only company taking an active interest in how this Senate committee hearing plays out. Coca-Cola, Dr. Pepper Snapple Group, Red Bull, Carlsberg Beer and sheet metal manufacturers Novelis and Ball Corp. also joined MillerCoors' complaint. Even the smaller craft beer industry has a stake in the outcome, with Boston Beer Company's Samuel Adams releasing its first canned beer this year and several other craft brewers embracing cans since 2002.

As Brewer's Friend pointed out five years ago, packaging alone accounts for 28% of the cost of a six-pack of beer. The price of aluminum that cratered below 60 cents per pound at the height of the recession in 2009 soared to more than $1.20 per pound in 2011 before settling around 81 cents, according to Kitco. During the same span, the amount of aluminum being warehoused skyrocketed steadily from 1.5 million tons to a current stockpile of nearly 5.5 million tons.

According to the Bureau of Labor Statistics and the Beer Institute, the cost of a six-pack jumped from $3.92 to $5.05 between 2001 and 2011, the last year for which information is available. However, nearly 40% (or 39 cents) of that increase occurred between 2008 and 2011, boosting six-pack prices by 8.1% during that span alone. There are many factors that affect the price of beer, but doubling the price of aluminum tends to have a more than coincidental effect on what beer lovers pay.

Ex-supervisor at Indian Point nuclear plant charged with falsifying test reports

Mike Segar / Reuters file
The Indian Point nuclear power plant in Buchanan, New York, is seen from across the Hudson River, in this April 6, 2010 file picture.

A former supervisor at the Indian Point nuclear plant in New York has been accused of falsifying test results involving emergency generators so the plant would not have to shut down.
Daniel Wilson, 57, of Walden, N.Y., was charged in federal court for the Southern District of New York with engaging in deliberate misconduct and making false statements, the U.S. Attorney’s Office said in a statement Tuesday.

The charges stem from tests of the diesel fuel used in emergency power generators that the Nuclear Regulatory Commission requires the plant to maintain as part of its license.
 
A criminal complaint says that 2011 tests showed particulate matter in the diesel fuel exceeded NRC limits. Wilson, chemistry manager at the plant from 2007 through 2012, is accused of fabricating resample tests to show that the fuel was within limits, then lying to other employees at the Buchanan, N.Y., plant about it.

The complaint says that Wilson later admitted to NRC personnel that he “fabricated the test results so that Indian Point would not have to shut down.” He resigned in April 2012.

The nuclear plant, which is about 35 miles north of midtown Manhattan in New York City, later replaced one of the tanks involved in the tests that showed the excess particulates.

Plant owner Entergy said other employees of the Indian Point plant uncovered the deception.
In a statement Tuesday, Entergy said: “At no time was the plant in an unsafe condition. We completed an evaluation of the fuel oil and determined that all the generators would have performed as designed.”

Wilson could not be reached for comment and it was not known if he had a lawyer.

Entergy is involved in a long-running battle to get new 20-year licenses for the plant’s two reactors but faces stiff opposition from the state and environmental groups. The license for one reactor expires this September; the NRC said it can continue operating pending a decision on the relicensing.

After the 2011 earthquake and meltdown in Japan, it was revealed that Indian Point was rated by the NRC as having the highest risk of catastrophic failure because of an earthquake of any nuclear plant in the United States.

Other incidents have provided fodder for opponents of the relicensing. In February, one of the reactors was forced to shut down because two pumps stopped working.

In 2009, an estimated 600,000 gallons of radioactive steam was released during a shutdown. The NRC said the level of tritium released was within acceptable federal levels for drinking water. But the New York Daily News noted that the release was in steam, not drinking water, and that the Environmental Protection Agency does not set a safe level for inhaled tritium.
 
The NRC has said it believes the plant is safe and gave the reactors a "green rating" for safety in 2012.

Monday, July 22, 2013

Bank of America accounts "compromised"


 


 CHARLOTTE, NC (WBTV) - Bank of America is sending letters to an undisclosed number of customers to inform them their debit card accounts have been "compromised."

"To protect your accounts, Bank of America is presenting you with this replacement card with a new account number and your existing PIN," the letter reads. "Please destroy your old debit card by cutting it up."

The bank isn't telling reporters how many people are at risk.

But a WBTV producer received the note, and when she called the bank as a client, a representative told her "thousands and thousands" of the letters went out.

BofA says in the letter that the problem occurred at "an undisclosed third party location."
Hackers have been targeting big retail stores.

If you haven't received a letter, your account is probably not involved.

Crippled Japanese nuclear plant likely leaking radioactive water into sea


Toshifumi Kitamura / AP
A construction worker walks beside the underground water tanks at the Fukushima Dai-ichi nuclear plant at Okuma in Fukushima prefecture, Japan.
TOKYO — A Japanese utility said Monday its crippled Fukushima nuclear plant was likely leaking contaminated water into the sea, acknowledging for the first time a problem long suspected by experts.
 
Tokyo Electric Power Co., which operates the Fukushima Dai-ichi plant, also came under fire Monday for not disclosing earlier that the number of plant workers with thyroid radiation exposures exceeding thresholds for increased cancer risk was 10 times what it said earlier.
 
The delayed announcements underscored the criticisms the company has faced over the Fukushima crisis. TEPCO has been repeatedly blamed for overlooking early signs and covering up or delaying the disclosure of problems and mishaps.
 
Company spokesman Masayuki Ono told a regular news conference that plant officials have come to believe that radioactive water that leaked from the wrecked reactors is likely to have seeped into the underground water system and escaped into the sea.
 
Nuclear officials and experts have suspected a leak from Fukushima Dai-ichi since soon after a huge earthquake and tsunami in March 2011 triggered a crisis at the plant. Japan's nuclear watchdog said two weeks ago a leak was highly suspected and ordered TEPCO to examine the problem.
 
TEPCO had persistently denied contaminated water reached the sea, despite spikes in radiation levels in underground and seawater samples taken near the plant. The utility first acknowledged an abnormal increase in radioactive cesium levels in an observation well near the coast in May and has since monitored water samples.
 
Ono said plant officials believe a leak is possible because the underground water levels in suspected areas fluctuate in accordance with tide movements and rainfall.
 
"We are very sorry for causing concerns. We have made efforts not to cause any leak to the outside, but we might have failed to do so," he said.
 
Ono said the radioactive elements detected in water samples are believed to have come largely from initial leaks that have remained since earlier in the crisis. He said the leak has stayed near the plant inside the bay, and officials believe very little has spread farther into the Pacific Ocean.
 
Marine biologists have warned that the radioactive water may be leaking continuously into the sea from underground, citing high radioactivity in fish samples taken near the plant.
 
Most fish and seafood from along the Fukushima coast are barred from domestic markets and exports.
 
Ono said that an estimated 1,972 plant workers, or 10 percent of those checked, had thyroid exposure doses exceeding 100 millisieverts — a threshold for increased risk of developing cancer — instead of the 178 based on checks of 522 workers reported to the World Health Organization last year.

How food stamps can end up feeding people abroad


Some recipients of the $75 billion federal program use the benefit to buy favorite treats for relatives in the Caribbean.

 
A sign in front of a convenience store accept SNAP cards (© Richard Levine / Alamy)

Mr. and Mrs. Alderson Muncy of West Virginia made history in 1961 when they became the country's first food stamp recipients by using $95 in benefits to buy groceries for their 15-person family.
More than 50 years later, the food stamp program has changed in ways that the Muncy family probably wouldn't recognize. For one, the program now provides debit cards. Second, it has swelled into a $75 billion federal program. It's so big now that critics say it's simply too huge and is prone to abuse.

Now comes a newspaper story that won't do much to convince critics the program helps only people in need. Some families in New York City are reportedly using their benefits to buy food that they then ship to relatives in less affluent countries, such as the Dominican Republic, Jamaica and Haiti, the New York Post reports. 

Transplants from the Caribbean and other island countries often send home barrels packed with food, a practice so common that sites are devoted to selling prepacked barrels (such as the Carnival Barrel from DialABarrel.com, which packs grocery favorites such as Kraft BBQ sauce and Heinz ketchup).

But using food stamps to purchase food that's shipped abroad isn't kosher, a spokeswoman for the U.S. Department of Agriculture told the Post. Only households like the Muncy home -- where people buy and prepare food together -- are supposed to use the benefit. States that catch recipients of the Supplemental Nutrition Assistance Program (SNAP) shipping food abroad should intervene, the spokeswoman said.

"The purpose of this program is to help Americans who don't have enough to eat. This is not intended as a form of foreign aid," Michael Tanner, a senior fellow at the libertarian Cato Institute, told the publication.

The revelation will only add to the debate over the SNAP program, as it's part of the almost $1 trillion farm bill that's embroiled in a political fight. While the bill provides government subsidies to farmers, it also includes funding for the food stamp program. Earlier this month, House Republicans passed a version of the bill without SNAP funding. It marks the first time in 40 years that food stamps haven't been in the farm bill, The New York Times points out.

While food stamps could still end up in the final bill, the debate will likely continue for years. 

'I have my life back': Alleged rape victim's 16-month jail term axed

Karim Sahib / AFP - Getty Images
Marte Dalelv was pardoned by the United Arab Emirates on Monday. The Norwegian claimed she was raped in March by a co-worker, but was charged with having sex outside marriage after going to the police.

DUBAI, United Arab Emirates -- A Norwegian woman at the center of a Dubai rape claim dispute said Sunday that officials have dropped her 16-month sentence for having sex outside marriage and she is free to leave the country.

"I am very, very happy," Marte Deborah Dalelv told The Associated Press. "I am overjoyed."
The sentence against the 24-year-old Dalelv last week stirred widespread outrage in the West and highlighted the frequent clash between Dubai's Western-friendly image and its Islamic-based legal codes.

Dalelv claimed she was raped in March by a co-worker, but was charged with having sex outside marriage after going to the police. Her decision to go public about the sentence last week in a series of interviews appeared to put pressure on authorities in Dubai and tarnish the city's reputation as a cosmopolitan hub, including possible fallout on its high-profile bid for the 2020 World Expo.
 
"I have my passport back. I am pardoned," said Dalelv, who worked for an interior design firm in Qatar and was in Dubai for a business meeting when the alleged rape took place.
 
There was no immediate word from Dubai officials, including whether the pardon was linked to traditions of clemency during the current Islamic holy month of Ramadan.

It also was unclear whether authorities would keep the 13-month sentence against Dalelv's alleged attacker, identified as a 33-year-old Sudanese man who was charged with consuming alcohol and sex outside marriage. While liquor is widely available in Dubai hotels and restaurants, public intoxication can bring serious charges.

"I have my life back," said Dalelv. "This is a great day."

In Norway, Foreign Minister Espen Barth Eide posted a Twitter message: "Marte is released! Thanks to everyone who signed up to help."

Barth Eide told the Norwegian news agency NTB that international media attention and Norway's diplomatic measures helped Dalelv, who was free on appeal with her next court hearing scheduled for early September. Norway also reminded the United Arab Emirates of obligations under U.N. accords to seriously investigate claims of violence against women.

"The United Arab Emirates and Dubai is a rapidly changing society. This decision won't only affect Marte Dalelv, who can travel home now if she wishes to, but also serve as a wake-up call regarding the legal situation in many other countries," Barth Eide was quoted as saying.

Norway's Prime Minister Jens Stoltenberg wrote on Twitter: "Happy that Marte has been pardoned and that she is a free woman again."

Dalelv said she planned to leave the UAE soon, but "first I have to thank some very special people," including local groups that supported her. She had been staying at a Norwegian-linked aid center.
The AP does not identify the names of alleged sexual assault victims, but Dalelv went public voluntarily to talk to media.

In an interview with the AP last week, she said she fled to the hotel lobby and asked for the police to be called. The hotel staff asked if she was sure she wanted to involve the police, Dalelv said.
"Of course I want to call the police," she said. "That is the natural reaction where I am from."

She said she was held in custody for four days before being able to reach her stepfather in Norway.
Norway's foreign minister said "very high level" Norwegian officials, including himself, had been in daily contact with counterparts in the United Arab Emirates since the verdict against Dalelv.

"We have made very clear what we think about this verdict and what we think about the fact that one is charged and sentenced when one starts out by reporting alleged abuse," Barth Eide said.
This story was originally published on

Sunday, July 21, 2013

There's Finally A Way To Make Your Phone Useless After It's Stolen
 
 
Kashmir Hill, Forbes Staff
Welcome to The Not-So Private Parts where technology & privacy collide
 

In a move that’s long overdue, major cell phone carriers are finally making an effort to discourage phone theft with the creation of a database that tracks stolen phones so that carriers can block them from being used on their networks. The FCC-negotiated plan, pushed by a wireless industry trade group and iPhone-robbery-weary police chiefs, was announced in April and the databases were “switched on” last week. The move was met with cries of both “Hallelujah” and “Why did this take so long?”

The database works by tracking a phone’s IMEI, a unique identification number that can’t be changed by swapping out the SIM card. As of now, AT&T, Verizon, Sprint Nextel, and T-Mobile are among the major carriers creating databases that are separate now but will be shared and integrated in 2013 (fingers crossed). Smaller carriers Nex-Tech and Cellcom are also doing a pilot database, says Chris Guttman-McCabe, VP of regulatory affairs at CTIA, a wireless industry trade association that helped bring the database into existence. Consumers have to call up their carrier after the phone is stolen to get it added to the No-Service List.

“We want to make these devices into worthless pieces of plastic and glass once they’re stolen,” says Guttman-McCabe.

It’s great it’s finally here, but many of those who have had their phones stolen wonder why it took so long. Back in April, a bunch of iPhone users sued AT&T for “[making] millions of dollars in improper profits, by forcing legitimate customers, such as these Plaintiffs, to buy new cell phones, and buy new cell phone plans, while the criminals who stole the phone are able to simply walk into AT&T stores and ‘re-activate’ the devices, using different, cheap, readily-available ‘SIM’ cards.” Other countries, meanwhile, have had these databases for some time, as noted by the Wall Street Journal earlier this year:

Similar stolen-phone databases are already in use abroad, including in the U.K., Germany, France and Australia. The U.K. database was set up in 2002. Australia’s was set up in 2004. Crime hasn’t stopped, but the number of incidents has declined.
via U.S. Government, Carriers Plan a National Database of Stolen Cellphones – WSJ.com.
Guttman-McCabe said the delay was due in part to wanting to make sure the effort was “really comprehensive.”

“It’s not just about creating a blacklist but getting people to adopt pins and passwords and remote wipes. We want them to turn their phones into something an off-the-street criminal can’t break into,” he said, noting that CTIA has a web page on cell phone security practices. “The challenge is creating a database that all streams dip into — from kiosks in malls to major retailers. We have to get a lot of players involved and given access to the database to check before giving someone service.”

Guttman-McCabe estimates that 90% of consumers and carriers are now part of this given the carriers that are on board. Obviously, that means cell phone thieves will be gravitating toward the uninvolved carriers when it comes to seeking out a new cell phone plan.

What about other electronic devices? As more and more of what we own has to be connected to the Internet to be useful, is there a possibility of a world with very little theft? Could you brick your Xbox as soon as you realized your house had been robbed?

“We’re really focused on just the wireless,” says Guttman-McCabe. “Smartphones are easy to snatch and take. Chiefs of police wanted help with this.”

Parmy Olson, Forbes Staff
I cover agitators and innovators in mobile.
First Posted 3/21/13

Malicious software is nothing new to the cyber security world. So-called malware is what unscrupulous folk use to disrupt or gather sensitive data from our desktop computers. Targeted attacks with malware have been relatively unseen on smartphones, those other computers we carry around that are teeming with personal data.

Now, however, security researchers at Kaspersky Labs say they’ve uncovered the first-known targeted malware attack on Android phones. The victims were specifically Tibetan activists, but the disclosure underlines the broader possibilities for targeted cyber attacks on smartphones.

The attack relied heavily on social engineering, a kind of verbal manipulation, to get into the targets’ devices. Kaspersky explains that on March 24, the attackers infiltrated the email account of a high-profile Tibetan activist, and used that account to send a spear-phishing email to the activist’s contacts list.

The email looked like this:

Image via Kaspersky Labs 

Notice that it included an attachment, called “WUC’s Conference.apk.” Several activist groups had recently organized a human rights conference in Switzerland. (Kaspersky say they’ve seen several attacks mentioning this event as a baiting tool.)

People who opened that e-mail on an Android smartphone, along with the attached Android Package (APK) file, would find that the file opened an Android application. Once installed, the app called “Conference” would appear on the desktop:


Image via Kaspersky Labs 

If a user went on to open the app, they’d see a window of text with information about the upcoming “conference.” (See below) At this point, some might have noticed the misspelling of “World” as “Word.”


Image via Kaspersky Labs

While the target was reading the message, the malicious software they had inadvertently installed would report back to a command-and-control server, before collecting information from the phone. According to Kaspersky, that information would include:

- Contacts that are stored on both the phone and the SIM card
- Call logs
- SMS messages
- Geo-location
- Data about the phone, including the phone number, what version OS it uses and the phone model.

Once the victim received a text message that included a certain protocol, the malware would send the collected data back to the command-and-control server.

Who were the perpetrators? Kaspersky mentions that throughout the malware’s code, the attackers included various messages in Chinese. Since this was probably done for debugging purposes, the malware may be an early prototype. The IP address for the command and control server points to Los Angeles, California, but a domain which used to point there was registered on March 8, by one Shanghai Meicheng Technology Information Co., Ltd, with contact details for the registrar pointing to Beijing.

There are other strong indications that the attackers were Chinese speakers, Kaspersky notes, adding that this is also just one of thousands of targeted cyber attacks on Tibetan and Uyghur supporters. The vast majority of attacks like these have targeted Windows via exploits in Word.

“Until now, we haven’t seen targeted attacks against mobile phones in the wild, although we’ve seen indications that these were in development,” the researchers said. “It is perhaps the first in a new wave of targeted attacks aimed at Android users. So far, the attackers relied entirely on social engineering to infect the targets. History has shown us that, in time, these attacks will use zero-day vulnerabilities, exploits or a combination of techniques.”


 
SIM Cards Have Finally Been Hacked, And The Flaw Could Affect Millions Of Phones

Parmy Olson, Forbes Staff
I cover agitators and innovators in mobile.

Security researcher Karsten Nohl says some SIM cards can be compromised because of wrongly configured Java Card software and weak encryption keys; Photo credit Luca Melette

Smartphones are susceptible to malware and carriers have enabled NSA snooping, but the prevailing wisdom has it there’s still one part of your mobile phone that remains safe and un-hackable: your SIM card.

Yet after three years of research, German cryptographer Karsten Nohl claims to have finally found encryption and software flaws that could affect millions of SIM cards, and open up another route on mobile phones for surveillance and fraud.

Nohl, who will be presenting his findings at the Black Hat security conference in Las Vegas on July 31, says his is the first hack of its kind in a decade, and comes after he and his team tested close to 1,000 SIM cards for vulnerabilities that can be exploited simply by sending a hidden SMS. The two-part flaw, based on an old security standard and badly configured code, could allow hackers to remotely infect a SIM with a virus that sends premium text messages (draining a mobile phone bill), surreptitiously re-direct and record calls, and — with the right combination of bugs — carry out payment system fraud.

Payment fraud could be a particular problem for mobile phone users in Africa, where SIM-card based payments are widespread. The deployment of so-called NFC payment technology, already slow to take off, could also be at risk, Nohl says, as well as the ability for carriers to track charges to each caller’s account.

There’s no obvious pattern to the flaw beyond the premise of an older encryption standard. “Different shipments of SIM cards either have [the bug] or not,” says Nohl, who is chief scientist at risk management firm Security Research Labs. “It’s very random.”

In his study, Nohl says just under a quarter of all the SIM cards he tested could be hacked, but given that encryption standards vary widely between countries, he estimates an eighth of the world’s SIM cards could be vulnerable, or about half a billion mobile devices.

Nohl, who was profiled by Forbes’ Andy Greenberg in 2011 for his work on breaking mobile encryption standards, believes it unlikely that cyber criminals have already found the bug. Now that word of the vulnerability is out, he expects it would take them at least six months to crack it, by which time the wireless industry will have implemented available fixes.

That effort may already be underway. Nohl says at least two large carriers have already tasked their staff with finding a patch for the SIM vulnerability, which they will share with other operators through the wireless trade body GSMA.

“Companies are surprisingly open to the idea of working cooperatively on security topics because the competition is somewhere else,” says Nohl. “The competition is organized crime, not AT&T versus T-Mobile.” (The situation is similar in finance, where payment services like MasterCard, Visa, and American Express will work together under industry association EMVco to improve security standards for smart cards.)

The market for SIMs is almost entirely fed by mobile carriers, and supplied by two leading global vendors, Gemalto and Oberthur Technologies. Both have profited heavily from the huge growth in mobile handsets: two years ago there were 1 billion SIM cards worldwide, and today there are more than 5 billion, says ABI Research analyst John Devlin, though the market is slowly reaching a plateau. SIMs are thought to be one of the most secure parts of a phone, he added, and as the carrier’s property, are “key to their relationship between you and I, the subscriber.”

Vodafone would not answer questions about the level of encryption its SIM cards used, and referred all media questions to GSMA. Both Verizon and AT&T said they knew of Nohl’s research, but said their SIM profiles were not vulnerable to the flaw. AT&T added that it had used SIMs with Triple Data Encryption Standard (3DES) for almost a decade; Verizon did not specify why its SIMs were not vulnerable.

The London-based GSMA said it had looked at Nohl’s analysis and concurred that “a minority of SIMs produced against older standards could be vulnerable.” It said it had already provided guidance to network operators and SIM vendors who could be impacted by the flaw. “There is no evidence to suggest that today’s more secure SIMs, which are used to support a range of advanced services, will be affected,” a spokesperson added.

Nohl says that while AT&T and Verizon may benefit from robust SIM encryption standards, other carriers will use the straight Data Encryption Standard (DES), developed in the 1970s, which is fundamental to why he was able to “get root” on dozens of SIM cards.

“Give me any phone number and there is some chance I will, a few minutes later, be able to remotely control this SIM card and even make a copy of it,” Nohl says.

SIM cards are essentially mini-computers with their own operating system and pre-installed software. To maintain security, many rely on a cryptographic standard called DES (Data Encryption Standard), which was invented by IBM in the 1970s and improved by the NSA. Some networks, like AT&T and the four major carriers in Germany, have moved away from using the old version of the standard, but others have not. Though Nohl didn’t identify a pattern to vulnerable SIMs in terms of manufacturers, the ones he could hack all used the old encryption standard.

Key to the hack is Java Card, a general purpose programming language used on 6 billion SIM cards. If an operator needs to update something on your SIM, for instance allowing interoperability with a carrier in another country, it will execute the right Java Card programs on your SIM by sending your mobile a binary SMS. This is a text message you will never see, sent through a method called over-the-air programming (OTA).

In early 2011, Nohl’s team started toying with the OTA protocol and noticed that when they used it to send commands to several SIM cards, some would refuse the command due to an incorrect cryptographic signature, while a few of those would also put a cryptographic signature on this error message.

With that signature and using a well known cryptographic method called rainbow tables, Nohl was able to crack the encryption key on the SIM card in about one minute. Carriers use this key to remotely program a SIM, and it is unique to each card.

“Anybody who learns the key of a particular SIM can load any application on the SIM he wants, including malicious code,” says Jasper Van Woudenberg, CTO North America of smart-card security firm Riscure.

“We had almost given up on the idea of breaking the most widely deployed use of standard cryptography,” says Nohl, but it felt “great” to finally gain control of a SIM after many months of unsuccessful testing.

With the all-important (and till-now elusive) encryption key, Nohl could download a virus onto the SIM card that could send premium text messages, collect location data, make premium calls or re-route calls. A malicious hacker could eavesdrop on calls, albeit with the SIM owner probably noticing some suspiciously-slow connections.

Nohl found a second bug. Unrelated to the weak encryption key, it allows even deeper hacking on SIMs and is caused, Nohl says, by a mistake on the part of SIM card manufacturers. Java Card uses a concept called sandboxing, in which pre-installed programs like a Visa or PayPal app are shielded from one another and the rest of the SIM card. The term comes from the idea of only allowing programs to “play with their own toys, in their own sandbox,” says Nohl. “This sandboxing mechanism is broken in the most widely-used SIM cards.” The researcher says he found a few instances where the protocols on the SIM card allowed the virus he had sent to a SIM, to check the files of a payment app that was also installed on the card.

The way this works is somewhat complex, but Nohl’s virus essentially gave the infected Java software a command it could not understand or complete – e.g., asking for the 12th item in a 10-item list – leading the software to forgo basic security checks and grant the virus full memory access, or “root,” in cyber security parlance.

In sum, a malicious hacker who wanted to use this method might start with a list of 100 phones. They could send a binary SMS to all of them, using a programmable cell phone connected to a computer. They might get 25 responses with cryptographic signatures, and dismiss the half that use a stronger security standard. From the rest, Nohl surmises they could crack the encryption key of perhaps 13 SIM cards, and send them a virus that breaks through the Java Card sandbox barriers and reads payment app details, as well as the master key of the SIM card.

Who’s to blame for this and who can fix it? Nohl says broken Java sandboxing is a shortcoming of leading SIM card vendors like Gemalto and Oberthur. Riscure’s Van Woudenberg agrees.

Gemalto, which made about half its $2.5 billion revenue in 2012 selling SIM cards, said in an email to Forbes that its SIMs were “consistent with state-of-the-art and applicable security guidelines,” and that it had been working closely with GSMA and other industry bodies to look into Nohl’s research. Gemalto’s CEO Olivier Piou has said publicly that there are no security issues with mobile payments, and his company says on its website that SIM cards are “virtually impossible to crack.”

Despite this, Nohl believes badly-configured Java Card sandboxing “affects every operator who uses cards from two main vendors,” including carriers like AT&T and Verizon who use robust encryption standards. Are SIM cards with these 3DES standards vulnerable? Nohl suggests they might be, and that he’ll expound on the details at Black Hat.

At minimum it seems that carriers should upgrade to newer encryptions quickly, not just for the safety of their subscribers, but future revenue too. Payment providers like MasterCard and Visa will need to use the OTA protocol to fill SIM cards with Java applications, like credit card applets, and enable NFC-based payments on phones in the future — and they’ll pay carriers for the privilege of being on the SIM. “Operators see this as valuable real estate,” says Nohl, referring to this OTA communication channel. Leaving aside what this means for consumer privacy, Nohl’s findings may leave some carriers grappling with new questions over the security (and value) of this real estate.

“Carriers and SIM card manufacturers do need to step up their security game for when payments arrive,” says Van Woudenberg. Banks are slow and cautious with new technology as they wait for it to be proven secure, he adds, but “the mobile world moves much faster, as time-to-market is for them more important.”

As mobile payments bring these two worlds together, Nohl’s research has shown the process of proving out security on SIMs could be more challenging than the key players originally thought.


Norwegian woman fighting jail sentence in Dubai for reporting rape
 
Kamran Jebreili / AP
Marte Deborah Dalelv from Norway, 24, talks to the Associated Press reporter in Dubai on Friday, July 19, 2013, after she was sentenced to 16 months in jail for having sex outside of marriage after she reported an alleged rape.

DUBAI, United Arab Emirates — A Norwegian woman sentenced to 16 months in jail in Dubai for having sex outside marriage after she reported an alleged rape said she decided to speak out in hopes of drawing attention to the risks of outsiders misunderstanding the Islamic-influenced legal codes in this cosmopolitan city.

The case has drawn outrage from rights groups and others in the West since the 24-year-old interior designer was sentenced Wednesday. It also highlights the increasingly frequent tensions between the United Arab Emirates' international atmosphere and its legal system, which is strongly influenced by Islamic traditions in a nation where foreign workers and visitors greatly outnumber locals.
 
"I have to spread the word. ... After my sentence we thought, 'How can it get worse?'" Marte Deborah Dalelv told The Associated Press in an interview Friday at a Norwegian aid compound in Dubai where she is preparing her appeal scheduled for early September.
 
Dalelv, who worked for an interior design firm in Qatar since 2011, claims she was sexually assaulted by a co-worker in March while she was attending a business meeting in Dubai.
She said she fled to the hotel lobby and asked for the police to be called. The hotel staff asked if she was sure she wanted to involve the police, Dalelv said.

"Of course I want to call the police," she said. "That is the natural reaction where I am from."

Dalelv said she was given a medical examination seeking evidence of the alleged rape and underwent a blood test for alcohol. Such tests are commonly given in the UAE for alleged assaults and in other cases. Alcohol is sold widely across Dubai, but public intoxication can bring charges.

The AP does not identify the names of alleged sexual assault victims, but Dalelv went public voluntarily to talk to media.

Dalelv was detained for four days after being accused of having sex outside marriage, which is outlawed in the UAE although the law is not actively enforced for tourists as well as hundreds of thousands of Westerners and others on resident visas.

She managed to reach her stepfather in Norway after being loaned a phone card by another woman in custody.

"My stepdad, he answered the phone, so I said, that I had been raped, I am in prison ... please call the embassy," she recounted.

"And then I went back and I ... just had a breakdown," she continued. "It was very emotional, to call my dad and tell him what happened."

Norwegian diplomats later secured her release and she has been allowed to remain at the Norwegian Seamen's Center in central Dubai. She said her alleged attacker received a 13-month sentence for out-of-wedlock sex and alcohol consumption.

Dubai authorities did not respond to calls for comment, but the case has brought strong criticism from Norwegian officials and activists.

"This verdict flies in the face of our notion of justice," Norway's foreign minister, Espen Barth Eide, told the NTB news agency, calling it "highly problematic from a human rights perspective."

Previous cases in the UAE have raised similar questions, with alleged sexual assault victims facing charges for sex-related offenses. Other legal codes also have been criticized for being at odds with the Western-style openness promoted by Dubai.

On Thursday, Dubai police said they arrested a man who posted an Internet video of an Emirati beating a South Asian van driver after an apparent traffic altercation. Police said they took the action because images of a potential crime were "shared."

In London, a spokesman for the Emirates Center for Human Rights, a group monitoring UAE affairs, said the Dalelv case points out the need for the UAE to expand its legal protections for alleged rape victims.

"We urge authorities to reform the laws governing incidents of rape in the country," said Rori Donaghy, "to ensure women are protected against sexual violence and do not become the targets of prosecution when reporting crimes."

Thursday, July 18, 2013

10 Countries That Love (and Hate) America the Most

Who loves ya, baby? If you’re the United States of America, the answer is fewer and fewer people around the world.
In Britain, France, Germany and nearly a dozen other prominent nations, the percentage of people with a favorable view of the United States has declined over the last decade, according to a new global survey by the Pew Research Center. That trend has been apparent since the 2003 U.S. invasion of Iraq, which was highly unpopular in many countries. The 2008 financial meltdown marked another slip in America’s reputation, as many people blamed Wall Street for a global recession that still weighs on the world economy. Controversial drone strikes aimed at terrorists and childish political antics in Washington continue to mar America’s image abroad.
Some nations still have a soft spot for the U.S., however. Of 39 nations where Pew conducted surveys, here are the 10 where people have the most favorable impression of the U.S.:
1. Philippines (percentage with a favorable view of the United States: 85%)
2. Israel (83%)
3. Ghana (83%)
4. Senegal (81%)
5. Kenya (81%)
6. El Salvador (79%)
7. South Korea (78%)
8. Italy (76%)
9. Uganda (73%)
10. Brazil (73%)
Why are these particular countries so fond of us? For many of the African nations, it's largely because of the aid we send them, which is a strong starting point for better relations with this increasingly important continent. Most Americans don’t think much about Africa, but other nations -- like China -- do, because economic conditions in several African nations are improving rapidly, and some of them are rich in rare-earth minerals, oil and other valuable resources. Africa is also important because it can serve as a staging area for counterterrorism operations in Somalia, Libya, and wherever the bad guys try to hide out next.
The strong U.S. showing in South Korea shows the two nations remain unified in their approach to the cranks in North Korea, perhaps the most nettlesome nation on earth. Brazil is one of the world’s biggest and most important developing nations, so good relations there are important. Israel’s spot near the top of the list shows a strong alliance on Middle East interests, despite some sharp differences on how to manage some of the more divisive issues, particularly the Israeli-Palestinian conflict.
America’s popularity in the Philippines, meanwhile, suggests Uncle Sam isn’t the exploitative quasicolonial power some critics claim it is. There's been a strong history of military and economic cooperation between the two nations since the Philippines became independent in 1946, including substantial U.S. aid to the archipelago. The Philippines also has territorial disputes with China, which could bind it even more closely to the United States.
It goes without saying that we remain unpopular in a few places. Here are the 10 nations with the least favorable impression of the U.S., according to Pew:
1. Pakistan (percentage with a favorable view of the United States: 11%)
2. Jordan (14%)
3. Palestinian territories (16%)
4. Egypt (16%)
5. Turkey (21%)
6. Greece (39%)
7. China (40%)
8. Argentina (41%)
9. Tunisia (42%)
10. Lebanon (47%)
It’s not surprising that America is most unpopular in Pakistan -- there are deep divisions over U.S. drone strikes on Pakistani territory and other unilateral efforts to hunt down terrorists without that country's approval or cooperation. Strong U.S. support of Israel has long been generating enmity in Muslim nations, including Jordan, Turkey and Egypt, plus the Palestinian territories.
The negative view of America in China -- where we're the biggest consumer of Chinese exports -- may come from government efforts to paint the U.S. as a hypocritical nation that badgers others about environmental issues and human rights, even though its own record is spotty. Argentina has developed strong ties with China in recent years, which might explain its modest antipathy toward America.
There’s some consolation in those weak approval numbers. In several countries, including Egypt, Jordan, Germany, Australia and even Russia, American citizens are more popular than the nation they hail from. That suggests the U.S. government and its policies are the biggest threat to our standing in the world. A lot of Americans probably agree.
Rick Newman’s latest book is Rebounders: How Winners Pivot From Setback To Success. Follow him on Twitter: @rickjnewman.