Social networking Archives

Cybercrime Watch: Fabricated Dating Profiles

House lawmakers on Tuesday are slated to mull updating a 1986 anti-hacking law that even ideological opponents agree criminalizes innocent Web surfing. However, when a Senate panel discussed the Computer Fraud and Abuse Act in September, Justice Department officials argued that changing the penalties could let legitimate bad guys off the hook.

At issue is the government's power to convict people who have broken website terms of service agreements. In written testimony released on Monday, Orin S. Kerr, a George Washington University Law School professor, argues that the current law threatens the civil liberties of millions of Americans, like those who fudge information on Facebook and online dating services.

"If a user writes in his profile that he goes to the gym every day -- but in truth he goes only once a month -- he has violated Match.com's Terms of Use," Kerr's testimony states. "Similarly, a man who claims to be 5 foot 10 inches tall, but is only 5 foot 9 inches tall, has violated the Terms . . . One study has suggested that about 80 percent of Internet dating profiles contain false or misleading information about height, weight and age alone. If that estimate is correct, most Americans who have an Internet dating profile are criminals under the Justice Department's interpretation of the [act]."

Critics like Kerr want lawmakers to spell out what the law means by "exceeds authorized access" so that employers do not have wiggle room to punish personnel who accidentally breach terms of service agreements. Congress is expected to insert revisions to the law in broader cybersecurity legislation.

But Justice officials have said limiting the law could derail cyberspy trials. At the Senate hearing, James A. Baker, associate deputy attorney general, noted, for example, that the government was able to prosecute State Department staff for improperly accessing passport records of then Sen. Barack Obama, D-Ill., and Sen. John McCain, R-Ariz., during the 2008 presidential campaign, by breaking the agency's computer access rules.

Kerr recommends that Congress rewrite the section of the law in question to exclude Terms of Service violations except in the case of federal employees who handle confidential information.

The Senate Judiciary Committee already has passed an amendment that narrows the law in this way. Kerr's testimony states, "Notably, the language carves out one significant exception. The government can pursue prosecutions for violations of computer use policies used by government employees. This will enable prosecutions when government officials misuse sensitive government databases."

Or, Kerr suggests, lawmakers could limit the law to specific types of information that, if misused, could cause harm. The mandate would only cover, perhaps, data worth more than $5,000, as well as sensitive or private information about a person, such as medical records, diaries and financial records.

Kerr, along with Richard Downing, deputy chief of Justice's computer crime unit, former Homeland Security Secretary Michael Chertoff, and Harvard Law School lecturer James Barker, are scheduled to testify on Tuesday before the House Judiciary Subcommittee on Crime, Terrorism, and Homeland Security.

Strange bedfellows, like the American Civil Liberties Union, Americans for Tax Reform, the Competitive Enterprise Institute, the Electronic Frontier Foundation and the FreedomWorks Foundation have co-signed a letter seeking to protect people who accidentally run afoul of site service contracts.

The subject came into focus during the 2008 "MySpace Suicide" case. In that incident, a federal attorney brought criminal charges against a MySpace user who registered under an alias, a breach of the website's terms of service. A mother whose daughter had a falling out with a 13-year-old girl had been impersonating a teenage boy on MySpace to befriend and then reject the teen.

The young girl later killed herself and the mother was charged with, among other things, violating the computer fraud law. Kerr briefed and argued a successful motion to dismiss the case in 2009.

When Twitter Disinformation Crosses the Line

When Twitter rose to power, giving anyone with an Internet connection the ability to post memos on a massive online bulletin board, everyone knew misinformation would spread like summer wildfire.

Over the years, viral tweets have prematurely killed off Gordon Lightfoot, Bill Cosby and Morgan Freeman, among other celebrities. Disinformation damaging to corporate reputations also quickly became a nuisance.

But, in general, Twitter rumors have remained relatively harmless to society at large. On Monday, that changed. When a Tweet purportedly from a reputable news organization said the president of the United States had been murdered, the false report became a national security matter.

"Hackers sent out several malicious and false Tweets claiming that President Obama had been assassinated. Those reports were incorrect, of course, and the president was spending the July 4 holiday with his family at the White House," Fox News Digital announced.

"FoxNews.com alerted the U.S. Secret Service, which will investigate the hacking and do 'appropriate follow up,'" the article said, citing George Ogilvie, the service's spokesman.

Iran Censorship Efforts Gain Urgency Amid Stuxnet Fears

Iran's efforts to disconnect its Internet from the rest of cyberspace have gained urgency amid fears of another Stuxnet worm and other perceived moves by the U.S. government to exert influence through the Web, a report suggests.

Iran watchers said the discovery of Stuxnet put more momentum into an initiative to build up a "national Internet" that would block access to non-Iranian sites, the Wall Street Journal reports.

Stuxnet, a computer worm designed to disrupt Iran's nuclear program, is widely believed to have been created by Israel and the United States. Stuxnet's mysterious origins point to, among other places, the CIA, Energy Department research laboratories and Homeland Security, a New York Times investigation suggested.

The State Department's support of tools to circumvent online censorship -- including Secretary of State Hillary Clinton's promise to make Internet freedom a foreign policy priority -- has heightened concerns in Tehran about U.S. attempts to influence Iran through the Internet.

State has appropriated $50 million to help promote Internet freedom since 2008, with $22 million officially spent so far, National Journal reported.

Whether or not Iran can actually achieve its ambitious censorship aims, warnings of a renewed push should be a reminder that agencies need to tread carefully when playing in today's politicized technological landscapes.

Clinton Spokesman Quits Over WikiLeaks Comments

A State Department spokesman quit Sunday after he made disparaging remarks at a new media conference about the Defense Department's treatment of WikiLeaks' suspect Bradley Manning, revealing internal tensions that the Obama Administration faces in dealing with the technological forces changing the political landscape.

Manning, an Army private, has been charged with 34 offenses related to leaking more than 250,000 State Department cables and classified war logs from Iraq and Afghanistan.

"There is sometimes a need for secrets... for diplomatic progress to be made," Philip Crowley said in an off-the-cuff remark at the MIT conference, but added that the Defense Department's treatment of Manning was "ridiculous and counterproductive and stupid."

Manning was being held in solitary confinement at the Marine Corps brig in Quantico, Va., where he was made to sleep naked to prevent him from harming himself, according to the Marine Corps.

Manning's pre-trial treatment, described in a letter by his attorney as "punitive" and "unlawful," has roiled human rights activists and prompted the United Nations to open an investigation into the conditions of his detention last December.

"The exercise of power in today's challenging times and relentless media environment must be prudent and consistent with our laws and values," said Crowley, in a statement released by the State Department on March 13. He took full responsibility for his earlier remarks.

His remarks were intended to highlight the fact that any discreet actions taken by national security agencies had an impact on the country's global standing.

"It is with regret that I have accepted the resignation," Secretary of State Hillary Clinton said in a statement released in conjunction with Crowley's. She commended him for a "deep devotion to public policy and public diplomacy."

Principal Deputy Assistant Secretary Michael Hammer will serve as acting assistant secretary for public affairs.

After the conference, Crowley tweeted on March 10. [Two screenshots of the tweets, Crowley1.png and Crowley2.png, are not reproduced here.]

Spammers Tire of E-mail

Good news: Spam is quickly disappearing from inboxes without any assistance from e-mail filters.

Bad news: The same botnets are being pointed elsewhere, at fraudulent "click-through" ad traffic generated from infected browsers and at stealing the private data stored on your machines and social networks.

Brian Krebs, a cybersecurity blogger and former Washington Post reporter, tells us -

Global spam volumes have fallen precipitously in the past two months, thanks largely to the cessation of junk e-mail from Rustock - until recently the world's most active spam botnet. But experts say the hackers behind Rustock have since shifted the botnet's resources toward other money-making activities, such as installing spyware and adware.

. . .since Christmas Day, the Rustock botnet has basically disappeared, as the amount of junk messages from it has fallen below 0.5 percent of all spam, according to researchers at Symantec's anti-spam unit MessageLabs. Turns out, other spam botnets also have been MIA since Christmas: "The Lethic botnet has been quiet since December 28, and the Xarvester botnet went silent on December 31," writes Symantec's Eric Park.

Botnets are masses of malware-infected computers that criminals control remotely; sending spam to as many people as possible is only one of the jobs they are put to.

This week, Krebs asked Phil Hay, senior threat analyst with M86 Security Labs, about the reasons for the decline and received this response -

"Hello Brian. After talking to you today, we had another look at Rustock. While it was still quiet on the spam front, we did notice the malware performing what looks to be a pay-per-click fraud. When we double-checked our older Rustock trace files from December, we also noticed the same sort of traffic. We missed it the first time because the sheer volume of spam-related traffic overshadowed the pay-per-click traffic. So Rustock was spamming and 'clicking' concurrently, but now is just clicking."

Meanwhile, computer security firm McAfee reports that the biggest 2011 cyber threats will include spammers who are more interested in directly stealing the data stored on your iPads and social networks than luring you to divulge it with fake e-mails:

In 2010 we saw some significant changes in how both malicious code and malicious links are distributed. This year ended with some of the lowest global email spam levels in years . . . we anticipate a greater focus on botnets removing data from targeted machines and companies, rather than the common use of sending spam. Botnets will also engage in advanced data-gathering functionality as well as focus more on targeting and abusing social networking.

State Tweets Down Wikileaks

The State Department has taken to the Twittersphere to shoot down rumors the government pressured PayPal to sever ties with WikiLeaks, which had been using the online payment service to collect donations.

"The U.S. government did not write to PayPal requesting any action regarding #WikiLeaks. Not true," State spokesman P.J. Crowley broadcast via the e-messaging service on Wednesday.

The Tweet is one of 10 abbreviated statements he has posted to stop disinformation from spreading, ever since media outlets and WikiLeaks began preparing to publish a trove of diplomatic cables that revealed sensitive and embarrassing details about the U.S. government and its foreign allies.

Other WikiLeaks denunciations State recently tweeted include:

  • Contrary to what some are saying, @StateDept does not have a formal policy on students tweeting or posting links about #WikiLeaks. 11:25 AM Dec 7th via web
  • Contrary to some #Wikileaks' reporting, our diplomats are diplomats. They are not intelligence assets. 5:50 PM Nov 28th via web
  • Across the State Department, senior officials are reaching out to countries and warning them about a possible release of documents. 9:49 PM Nov 26th via web

Lots of Internet Freedom in Russia

In Russia, a formerly repressive regime, citizens seem to have at least one new avenue of freedom that U.S. State Department officials have been trying to prop open globally: the blogosphere.

Pro-government activists are not making much noise there, according to a new study by Harvard University's Berkman Center for Internet and Society. Researchers at the school figured this out by analyzing social networks to identify the most active Russian blogs. A key State Department priority is to uncensor the Internet in closed societies.

The Berkman Center clustered the more than 11,000 websites it found based on subject-matter patterns within posts. Pro-government bloggers were not prominent enough to constitute their own cluster, according to the findings, which were released last week. Political bloggers mostly wrote from an independent standpoint or were affiliated with offline political and social movements, including the Democratic opposition and nationalist factions.

"The Russian blogosphere is a space that appears to be largely free of government control, although we are not able to confirm or deny the existence of subtle controls over Internet speech," the researchers wrote. "There are pro-government elements such as pro-Kremlin youth groups and bloggers who represent the government's point of view. However, they are not large in numbers and are not central nodes in any of the political or social clusters that we investigated."

Facebook's Temporary Security Solution

A new security measure from Facebook will help make the service safer to access from public places. The social media service is enabling its more than 500 million users to log in from public places with a temporary password sent by text message. This one-time temporary password can be used in place of a user's regular password, and should help protect them from compromised public machines. The attack most commonly associated with this kind of compromise is password theft via keylogging. With this measure, a keylogger records only the temporary, one-time password, which has already been used up by the time the attacker tries it. Note what it does not cover: a public machine that is fully compromised can still capture the logged-in session itself (for example, by stealing the session cookie), so the protection is specifically against the reuse of a captured password.

To use this security measure, users must list their mobile phone numbers with their Facebook accounts. They would then text the letters "opt" to the number 32665 from their mobile phones. Facebook sends a temporary password, which is good for 20 minutes.

Though this is a perfectly reasonable solution by Facebook to the keylogging threat, it does involve providing the service with even more information about yourself. A social media security expert once told me that the personal information provided to a social media site is essentially owned by the site. There's no telling how your personal information might be used. As always, the best security measure to avoid keylogging is to avoid logging into Facebook from public spaces. Especially with the advent of Facebook apps on mobile telephones, users should rarely need to log in from an unfamiliar terminal.
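To make the mechanism concrete, here is a small server-side model of how a temporary, single-use password like the one described above can be issued and redeemed. This is an added example for this page, not Facebook's code; the only detail taken from the article is the 20-minute lifetime, while the code length, the five-failure lockout and the SMS delivery (which is simply returned to the caller) are our own assumptions.

```python
import hashlib
import hmac
import secrets
import string
import time

# Assumptions: the 20-minute lifetime comes from the article; the code length
# and the lockout threshold are this example's own choices, not Facebook's.
TEMP_PASSWORD_TTL = 20 * 60
MAX_ATTEMPTS = 5
ALPHABET = string.ascii_letters + string.digits


class TempPasswordStore:
    """Issues and redeems single-use temporary passwords, one pending per user.

    Only a salted hash of each code is stored, so a leaked table does not hand
    out live codes. The clock is injectable so expiry can be tested offline.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user -> {salt, digest, expires_at, failures}

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def issue(self, user, length=8):
        """Create a fresh code for `user`; this is what would go out by SMS.
        Issuing a new code replaces any earlier unused one."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        salt = secrets.token_bytes(16)
        self._pending[user] = {
            "salt": salt,
            "digest": self._digest(salt, code),
            "expires_at": self._clock() + TEMP_PASSWORD_TTL,
            "failures": 0,
        }
        return code

    def redeem(self, user, code):
        """Return True exactly once for a valid, unexpired code; False otherwise."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires_at"]:
            del self._pending[user]          # unused code past its 20 minutes
            return False
        if not hmac.compare_digest(entry["digest"], self._digest(entry["salt"], code)):
            entry["failures"] += 1
            if entry["failures"] >= MAX_ATTEMPTS:
                del self._pending[user]      # stop online guessing of the code
            return False
        del self._pending[user]              # single use: a replay is rejected
        return True


def demo():
    """Walk through the keylogger scenario with a fake clock."""
    now = [1_700_000_000.0]
    store = TempPasswordStore(clock=lambda: now[0])

    code = store.issue("alice")
    first_login = store.redeem("alice", code)   # legitimate use at the kiosk
    replay = store.redeem("alice", code)        # attacker replays the keylogged code

    code2 = store.issue("alice")
    now[0] += TEMP_PASSWORD_TTL + 1
    expired = store.redeem("alice", code2)      # never used, but too late

    code3 = store.issue("alice")
    for _ in range(MAX_ATTEMPTS):
        store.redeem("alice", "wrong-guess")
    locked_out = store.redeem("alice", code3)   # right code, but already locked out
    return first_login, replay, expired, locked_out


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The two properties that matter for the keylogger threat are in `redeem`: the entry is deleted on the first successful use, so whatever the keylogger captured is already dead, and it is deleted on expiry, so a code that was texted but never typed cannot be picked up later. The failure counter is there because a short alphanumeric code, unlike a real password, has to assume an attacker will try guessing it.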

Strange Facebook Status Updates

Another day, another potential Facebook vulnerability.

SANS' Internet Storm Center posted an example of a status update today that plays off the Facebook "Like" feature. More and more status updates are using the word "like" to draw people to click on a link. For example, a post would have three different links you can click on, which take you to a page with "provocative quotes" that you can also "like." You can also see the visual example here. The links apparently use the domain "x.co," a URL-shortening service, which is suspicious because a shortened link hides its real destination until you click it.

Although there doesn't appear to be anything malicious going on here, it's certainly another form of spam on Facebook. Down the road, the same lure could deliver real exploits, such as clickjacking or cross-site request forgery, since the victim never sees where the link goes before clicking.
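Because a shortened link tells you nothing, the practical check is to expand it before anyone clicks. The following is an added example for this page (not from SANS or Facebook) that pulls links out of a status update, flags the ones on shortener domains, and follows the redirect chain one hop at a time with a hop limit and loop detection. The shortener list and the redirect table are constructed for the demo; `http_head_resolver` is the hypothetical online replacement for the fake resolver and is not exercised by the demo.

```python
import re
from urllib.parse import urlparse, urljoin

# Constructed, deliberately short list of shortener hosts; x.co is the one from the post.
SHORTENER_DOMAINS = {"x.co", "tinyurl.com", "bit.ly", "goo.gl", "t.co"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_urls(text):
    """Pull http(s) URLs out of free text, dropping trailing sentence punctuation."""
    return [u.rstrip(".,;:!?)") for u in URL_RE.findall(text)]


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_shortener(url):
    return host_of(url) in SHORTENER_DOMAINS


def expand(url, resolver, max_hops=5):
    """Follow redirects via resolver(url) -> next URL or None.

    Returns (final_url, chain, status) where status is "ok", "loop" or
    "too-many-hops". Shorteners can chain into each other, so every hop is
    bounded and remembered; a chain that loops or never ends is itself a signal.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = resolver(chain[-1])
        if nxt is None:
            return chain[-1], chain, "ok"
        if nxt in seen:
            return nxt, chain + [nxt], "loop"
        seen.add(nxt)
        chain.append(nxt)
    return chain[-1], chain, "too-many-hops"


def triage_status(text, resolver):
    """Return (link_as_posted, resolved_destination, status) for each link in a post."""
    findings = []
    for url in extract_urls(text):
        if not is_shortener(url):
            findings.append((url, url, "direct"))
            continue
        final, _chain, status = expand(url, resolver)
        findings.append((url, final, status))
    return findings


def http_head_resolver(url, timeout=5):
    """One hop of a real HTTP HEAD request without auto-following redirects.
    Hypothetical online plug-in for expand(); the demo below stays offline."""
    import http.client
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path)
        resp = conn.getresponse()
        location = resp.getheader("Location")
        if 300 <= resp.status < 400 and location:
            return urljoin(url, location)   # Location may be relative
        return None
    finally:
        conn.close()


# Constructed redirect table standing in for the shorteners' HEAD responses.
FAKE_REDIRECTS = {
    "http://x.co/abc": "http://x.co/def",
    "http://x.co/def": "http://quotes.example/like?q=1",
    "http://x.co/loop1": "http://x.co/loop2",
    "http://x.co/loop2": "http://x.co/loop1",
}


def fake_resolver(url):
    return FAKE_REDIRECTS.get(url)


if __name__ == "__main__":
    post = 'I like this: http://x.co/abc and http://x.co/loop1, also http://example.org/.'
    for finding in triage_status(post, fake_resolver):
        print(finding)
```

A usage caveat: even a HEAD request is a visit from the analyst's IP address and fires any click-tracking the shortener does, so run the online resolver from a disposable host rather than your own workstation, and treat a chain that loops or runs past the hop limit as suspicious in its own right rather than retrying it.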

I've always found that in Facebook it's better to not click on anything, including applications and games. You never know what you're downloading. I also worry a lot about tiny URLs. Seems like it would be a lot easier for an attacker to send out a malicious link disguised in a TinyURL. Even if I trust the person who is posting the link, I tend to stay away from it. Sometimes I even send them an e-mail asking if they meant to post something.

Adam Ross is managing editor at the SANS Institute and wrote, edited, and Web produced for The Washington Post's opinions and politics sections, online and in print. You can reach him at aross@nextgov.com.

Don't Tweet Your Password. Duh.

Twitter users report seeing tweets claiming that if a user types his or her password into the live feed, Twitter will automatically obfuscate it. These posters claim to have entered their passwords to demonstrate, and that only asterisks appeared when the tweet went live. If you've seen this tweet, please ignore it; it's not true. Twitter does no such thing, and the tweet is just a ploy/gimmick/joke to get people to post their passwords in public. Here's an example of this kind of nonsense.

On the other hand, Twitter does have a list of "bad passwords" that the service will not allow you to use when setting up an account, so an easily guessed password is rejected up front. Here's the list of banned passwords. Remember, just because it's on the Internet doesn't mean it's true.