Wednesday, May 11, 2011

House Panel Demands WikiLeaks-Proof Pentagon

The Pentagon has labored for months to lock down its data from WikiLeaks. Now Congress is stepping in to demand it finish the job — in about, oh, a year and a half.
A small section of the 2012 defense bill, under consideration Wednesday by the House Armed Services Committee, requires the Defense Department to put in place an “insider-detection” system to ferret out the suspicious acquisition of sensitive information. Call it the “No More Bradley Mannings” provision. It could be a great boon to an effort already under way by the Pentagon’s blue-sky researchers.
There aren’t many specifics listed in the provision, just technical requirements the program has to meet. It needs to “allow for centralized monitoring and detection of unauthorized activities,” including the use of external ports. It needs to implement a “roles-based certification” system, meaning if you work on missiles and want to read about tanks over the Pentagon’s secure internet, it’ll record your attempt. And it needs “cross-domain guards for transfers of information between different networks.”
Darpa’s already got a head start. Last summer, it launched a program run by star hacker Peiter “Mudge” Zatko called Cyber Insider Threat, or CINDER, to find “tells” in military online usage that might tip the Defense Department to the next WikiLeaker. The project is still in its infancy: a proposal period ended March 31.

But the House panel isn’t in a hurry, despite its concern about the danger from WikiLeaks. The mandated “insider detection” program won’t have to be operational until October 2012. (That’s the same timetable that the House intel committee mandated for the spy community’s insider-detection effort, by the way.)
In the meantime, the military has taken a number of ad hoc measures to protect against another huge document leak. It banned removable media. The Air Force briefly threatened to prosecute airmen who allowed their families to read WikiLeaks — before promptly reversing itself when the threat became public — and temporarily banned websites that published the purloined docs. Currently, it requires employees who come across the WikiLeaks documents on their work computers to summon their “information assurance manager” to delete the illicit material.
Intriguingly, the insider threat provision suggests that those early anti-WikiLeaks measures have an unintended consequence. “[T]he committee is concerned that the technological and procedural responses [to WikiLeaks] may be having a negative impact on the productivity and effectiveness of forces supporting ongoing operations in areas of hostility,” the panel notes.

Facebook leaked personal data to advertisers

SAN FRANCISCO — US computer security firm Symantec on Tuesday said that Facebook accidentally left a door open for advertisers to access profiles, pictures, chat and other private data at the social network.
Symantec discovered that certain Facebook applications leaked tokens that act essentially as "spare keys" for accessing profiles, reading messages, posting to walls or other actions.
Facebook applications are Web software programs that are integrated into the leading online social network's platform. Symantec said that 20 million Facebook applications such as games are installed every day.
The tokens were being leaked to third parties, including advertisers and analytics platforms, allowing them to post messages or mine personal information from profiles, according to Nishant Doshi of Symantec.
"Fortunately, these third-parties may not have realized their ability to access this information," Doshi said in a blog post.
"We have reported this issue to Facebook, who has taken corrective action to help eliminate this issue."
Symantec estimated that as of April, nearly 100,000 applications were giving away keys to Facebook profiles.
"We estimate that over the years, hundreds of thousands of applications may have inadvertently leaked millions of access tokens to third parties," Doshi said.
Facebook confirmed the problem, which was discovered by Doshi and Symantec colleague Candid Wueest, according to the computer security firm.
There was no reliable estimate of how many tokens have been leaked since the release of Facebook applications in 2007.
Despite whatever fix Facebook has put in place, token data may still be stored in files on third-party computers, Symantec warned.
"Concerned Facebook users can change their Facebook passwords to invalidate leaked access tokens," Doshi said.
"Changing the password invalidates these tokens and is equivalent to 'changing the lock' on your Facebook profile."