Essentially, Apple’s patent provides for a device to investigate a user’s identity, ostensibly to determine if and when that user is “unauthorized,” or, in other words, stolen. More specifically, the technology would allow Apple to record the voice of the device’s user, take a photo of the device’s user’s current location or even detect and record the heartbeat of the device’s user. Once an unauthorized user is identified, Apple could wipe the device and remotely store the user’s “sensitive data.” Apple’s patent application suggests it may use the technology not just to limit “unauthorized” uses of its phones but also shut down the phone if and when it has been stolen.

However, Apple’s new technology would do much more. This patented device enables Apple to secretly collect, store and potentially use sensitive biometric information about you. This is dangerous in two ways: First, it is far more than what is needed just to protect you against a lost or stolen phone. It’s extremely privacy-invasive and it puts you at great risk if Apple’s data on you are compromised. But it’s not only the biometric data that are a concern. Second, Apple’s technology includes various types of usage monitoring — also very privacy-invasive. This patented process could be used to retaliate against you if you jailbreak or tinker with your device in ways that Apple views as “unauthorized” even if it is perfectly legal under copyright law.

Here’s a sample of the kinds of information Apple plans to collect:

• The system can take a picture of the user’s face, “without a flash, any noise, or any indication that a picture is being taken to prevent the current user from knowing he is being photographed”;
• The system can record the user’s voice, whether or not a phone call is even being made;
• The system can determine the user’s unique individual heartbeat “signature”;
• To determine if the device has been hacked, the device can watch for “a sudden increase in memory usage of the electronic device”;
• The user’s “Internet activity can be monitored or any communication packets that are served to the electronic device can be recorded”; and
• The device can take a photograph of the surrounding location to determine where it is being used.

In other words, Apple will know who you are, where you are, and what you are doing and saying and even how fast your heart is beating. In some embodiments of Apple’s “invention,” this information “can be gathered every time the electronic device is turned on, unlocked, or used.” When an “unauthorized use” is detected, Apple can contact a “responsible party.” A “responsible party” may be the device’s owner, it may also be “proper authorities or the police.”

Apple does not explain what it will do with all of this collected information on its users, how long it will maintain this information, how it will use this information, or if it will share this information with other third parties. We know based on long experience that if Apple collects this information, law enforcement will come for it, and may even order Apple to turn it on for reasons other than simply returning a lost phone to its owner.

This patent is downright creepy and invasive — certainly far more than would be needed to respond to the possible loss of a phone. Spyware, and its new cousin traitorware, will hurt customers and companies alike — Apple should shelve this idea before it backfires on both it and its customers.

Prosecutors had previously decided not to file charges against any police for killing 27-year-old Jean Charles de Menezes in a London subway car two weeks after 52 commuters were killed in suicide bombings on the British capital’s transport network.

But prosecutors were required to review the case one final time after a jury at a coroner’s inquest returned an “open verdict” on his death in December.

Prosecutor Stephen O’Doherty said there was insufficient evidence that police had committed any offense.

De Menezes was mistaken for a suicide bomber. In returning its “open verdict,” the inquest jury rejected police claims that they lawfully killed de Menezes, who was shot seven times at close range by police who followed him onto a subway car.

Police had insisted they were trying to protect the public from a suicide attack when its officers shot the unarmed man. De Menezes was killed as he sat aboard a subway train on July 22, 2005, a day after terrorists tried to set off bombs on London’s transit system and two weeks after four suicide bombers killed 52 bus and subway commuters.

The two officers who shot him testified that they believed de Menezes was one of the failed bombers who had tried to attack subway trains and a bus the day before. De Menezes had an apartment in the same building as Hussain Osman, a subway bombing suspect later convicted in the failed July 21 attack. But in their December verdict, the 10 jurors rejected several claims made by police.

London’s acting police chief Paul Stephenson said de Menezes’ killing had been a “terrible mistake.” “He was an innocent man and we must, and do, accept full responsibility for his death,” Stephenson said in December. But he said that the anti-terror officers “set out with the intention to defend and protect the public” and that “no one set out that day to kill an innocent man.”

No individual has been charged in de Menezes’ death. A British court convicted London’s police force last year of health and safety violations for endangering the public’s safety during the shooting. The force was fined 560,000 pounds ($820,000).

AP

Russia and China have been identified as having the most active spy networks operating in the UK but it is understood that some European countries are also involved in espionage attacks against Britain.

Details of the spy plots were revealed in a government security document obtained by The Sunday Telegraph which states that Britain is “high priority espionage target” for 20 foreign intelligence agencies.

Security sources have revealed that the list of foreign agencies operating within the UK includes Iran, Syria, North Korea and Serbia, as well as some members of the European Union, such as France and Germany, who have traditionally been regarded as allies.

The document, marked “restricted”, warns that foreign spies are trying to steal secrets related to the military, optics, communications, genetics and aviation industries.

The report, which was drawn up by an Army intelligence cell inside Whitehall, warns that it is too easy to “lose sight” of the threat from traditional espionage and become solely focused on attacks by al Qaeda.

The document, which has been distributed to all government departments, states: “Whilst our primary threat would seem to come from International Terrorism, it is important that we do not lose sight of another omnipresent threat. Espionage against UK interests continues to come from many quarters.”

The report, dated 19th January 2009, continues: “In the past, espionage activity was typically directed towards obtaining political and military intelligence. In today’s high-tech world, the intelligence requirements of a number of countries now include new communications technologies, IT, genetics, aviation, lasers, optics, electronics and many other fields. Intelligence services, therefore, are targeting commercial enterprises far more than in the past.

“The UK is a high priority espionage target and a number of countries are actively seeking UK information and material to advance their own, military, technological, political and economic programmes.

“It is estimated that at least 20 Foreign intelligence services are operating to some degree against UK interests. Of greatest concern are the Russians and Chinese. The number of Russian intelligence officers in London has not fallen since the Soviet times.”

A Whitehall source told The Sunday Telegraph that Russia uses its massive spy network as an “extension of state power” in an attempt to “further its own military and economic base”.

The source said: “If a country, such as Russia or Iran, can steal a piece of software which will save it seven years in research and development then it will do so without any hesitation. Russian agents will target anybody that they believe could be useful to them. Spying is hard-wired into the country’s DNA. They have been at it for centuries and they are simply not going to stop because the Cold War has ended.”

The source added that Britain’s European neighbours, including Germany and France, were also engaged in industrial and political espionage within the UK.

Many senior figures in Britain’s intelligence community are frustrated by the activities of Russian spies which they claim is detracting from the fight against al-Qaeda and international terrorism.

In a speech in November 2007, Jonathan Evans, the director general of MI5, said that foreign intelligence services were active in the UK, with the Russians at the forefront of covert operations.

He said: “Despite the Cold War ending nearly two decades ago, my service is still expending resources to defend the UK against unreconstructed attempts by Russia, China and others, to spy on us.

“A number of countries continue to devote considerable time and energy trying to steal our sensitive technology on civilian and military projects, and trying to obtain political and economic intelligence at our expense.

“They do not only use traditional methods to collect intelligence but increasingly deploy sophisticated technical attacks, using the internet to penetrate computer networks.

“It is a matter of some disappointment to me that I still have to devote significant amounts of equipment, money and staff to countering this threat.

“They are resources which I would far rather devote to countering the threat from international terrorism – a threat to the whole international community, not just the UK.”

Patrick Mercer, the chairman of the House of Commons counter-terrorist subcommittee, said the document served as a warning to Britain that the Cold War espionage threat had not gone away.

He said: “Britain is at the forefront of many cutting edge technologies and these are extremely attractive to lots of other countries, some of whom may actually be our allies.

“This serves as a timely reminder that our counter-intelligence assets must not be solely concentrated on countries with a traditional track record of espionage against us.”

The Sunday Telegraph

Surfing the web for vulnerabilities is the new modus operandi for them. Unsuspecting netizens, who put out their woes about systems crashing on the web, are in for a nasty surprise.

Web attackers are taking this code that crashes the PC and combining it with their own code that takes control over the machine. This cuts their work by half.

These “zero-day-attacks” , which do not yet have a software patch ready to fix the problem, have been cropping up of late, says a report by Websense, a global leader in integrated web, data and e-mail security. Web attackers are taking advantage of these codes put up by people who are sincerely looking for a solution to the problem and misusing it to steal financial and other sensitive data from PCs that come under their control.

How this attacks work is that hackers put out a combination of both codes on to any public forum. When any user clicks on the malicious site, the hackers gain control over that PC. The code put out by a genuine netizen helps corrupt the victim’s system and then the malicious code mixed with it by the attacker helps hack into the system completely. So far these attacks have targeted gaming sites and blogs, but they could spread else where too.

The Economic Times.

With terrorists using internet and other communication technologies to plan, plot and carry out their subversive activities, intelligence agencies reckon that some of the millions of spam mails that are sent out daily, could be the handiwork of these groups.

“Numerous softwares and websites are now available through which one can easily send spam to numerous e-mail account holders. Terrorists, who are now more tech savvy than before are sending out encrypted messages to millions including the one actually it is meant for,” a senior Home Ministry official said.

Explaining the rationale behind sending out a secret message to millions to avoid any risks, the official said, “99 per cent of the people don’t even bother to check spam mails which usually get delivered in the spam box because of strong firewall of e-mail service providers. Usually people just delete them. Moreover, the message is in encrypted form and hence any ordinary person would not be able to decipher it.”

Adding to spam mails, multimedia files like pictures, audio and video files are another source of sending coded information.

The Economic Times

New York police officials are studying the feasibility of disrupting cellphone communications between terrorists during any attack, after revelations that gunmen in Mumbai received electronic transmissions during their killing spree in November.

Police Commissioner Raymond W. Kelly raised the possibility in Washington at a Senate hearing on Thursday, but he noted there were technological hurdles to shutting down cellular service in a narrow location, like a hotel or movie theater.

At the hearing of the Senate Committee on Homeland Security and Governmental Affairs, Mr. Kelly testified, “Law enforcement needs to find ways to disrupt cellphones and other communications” during an unfolding crisis like the one in Mumbai.

But he stressed, under questioning by senators, that care must be taken in pursuing such plans, suggesting that widespread shutdowns could hamper emergency personnel or keep civilians from making emergency calls.

Later, Paul J. Browne, the Police Department’s chief spokesman, said the department wanted to preserve the option of monitoring conversations between terrorists should that prove more advantageous than cutting them off. He said that any plan to shut electronics transmissions was “only in the discussion stage.”

Mr. Browne said, “Our communications and technology people are looking for ways to disrupt cellphone and hand-held devices in a pinpointed way.”

He added: “We are not at a point where we are testing any equipment. We are talking to the industry and to people in other government agencies and among ourselves. What is known about this? What is possible? And what is being tested along these lines?”

Electronic jamming of cellphones or of global positioning systems is complicated but possible, and might already be in use by foreign military agencies, said Eric Lustig, a data systems manager at Eastern Communications, a Queens company that provides radio equipment to government agencies and other clients.

Cellular service in a big region, like a borough, could be simply shut down, he said. More compact sites, like an official motorcade, could be jammed by devices in the cars.

“You cannot draw straight lines around, or a circle around, an area where you would do it, but it is certainly possible to jam an area,” Mr. Lustig said. “If you are talking about a tall building, you would knock out cellphone communications for a far larger area. If you just wanted to knock out cellphones in a movie theater, it could be done.”

Mr. Lustig said it would be much more difficult to jam a satellite phone than a cellular phone, since the antenna is pointed at the sky.

Eric Schmitt contributed reporting. The New York Times

Terrorism experts warned the security services that the Internet is increasingly being used to train terrorists and raise money and has become the primary medium for promoting radical Islam.

Quoting security sources, a newspaper reported that they are fighting a new battle against al-Qaeda on the Internet.

Al-Qaeda wants to create an “online university of jihad” that is recruiting and training potential terrorists in Britain without them having to risk travelling to camps in Pakistan, they said.

The terrorist network has also used computer experts to develop encryption software, known as ‘Mujahideen Secrets 2′, to allow militants to communicate by email without fear of interception by intelligence services.

Speaking at a select conference on the terrorist threat to Britain, experts from Jane’s Intelligence Group, said an online community was growing with younger and more impressionable people inadvertently sponsoring terrorism.

Terry Pattar, a specialist in counter-terrorism with Jane’s Strategic Advisory Services, said: “Al-Qaeda want to create a university of jihad online, both in a spiritual and financial sense.

“They want a community that can carry out attacks without having to travel abroad for training.”

Economic Times.

Independent security researchers in California and researchers at the Centrum Wiskunde & Informatica (CWI) in the Netherlands, EPFL in Switzerland, and Eindhoven University of Technology (TU/e) in the Netherlands have found a weakness in the Internet digital certificate infrastructure that allows attackers to forge certificates that are fully trusted by all commonly used web browsers. As a result of this weakness it is possible to impersonate secure websites and email servers and to perform virtually undetectable phishing attacks, implying that visiting secure websites is not as safe as it should be and is believed to be. By presenting their results at the 25C3 security congress in Berlin on the 30th of December, the experts hope to increase the adoption of more secure cryptographic standards on the Internet and therewith increase the safety of the internet.

When you visit a website whose URL starts with “https”, a small padlock symbol appears in the browser window. This indicates that the website is secured using a digital certificate issued by one of a few trusted Certification Authorities (CAs). To ensure that the digital certificate is legitimate, the browser verifies its signature using standard cryptographic algorithms. The team of researchers has discovered that one of these algorithms, known as MD5, can be misused.

The first significant weakness in the MD5 algorithm was presented in 2004 at the annual cryptology conference “Crypto” by a team of Chinese researchers. They had managed to pull off a so-called “collision attack” and were able to create two different messages with the same digital signature. While this initial construction was severely limited, a much stronger collision construction was announced by the researchers from CWI, EPFL and TU/e in May 2007. Their method showed that it was possible to have almost complete freedom in the choice of both messages. The team of researchers has now discovered that it is possible to create a rogue certification authority (CA) that is trusted by all major web browsers by using an advanced implementation of the collision construction and a cluster of more than 200 commercially available game consoles.

The team of researchers has thus managed to demonstrate that a critical part of the Internet’s infrastructure is not safe. A rogue CA, in combination with known weaknesses in the DNS (Domain Name System) protocol, can open the door for virtually undetectable phishing attacks. For example, without being aware of it, users could be redirected to malicious sites that appear exactly the same as the trusted banking or e-commerce websites they believe to be visiting. The web browser could then receive a forged certificate that will be erroneously trusted, and users’ passwords and other private data can fall in the wrong hands. Besides secure websites and email servers, the weakness also affects other commonly used software.

“The major browsers and Internet players – such as Mozilla and Microsoft – have been contacted to inform them of our discovery and some have already taken action to better protect their users,” reassures Arjen Lenstra, head of EPFL’s Laboratory for Cryptologic Algorithms. “To prevent any damage from occurring, the certificate we created had a validity of only one month – August 2004 – which expired more than four years ago. The only objective of our research was to stimulate better Internet security with adequate protocols that provide the necessary security.”

According to the researchers, their discovery shows that MD5 can no longer be considered a secure cryptographic algorithm for use in digital signatures and certificates. Currently MD5 is still used by certain certificate authorities to issue digital certificates for a large number of secure websites. “Theoretically it has been possible to create a rogue CA since the publication of our stronger collision attack in 2007,” says cryptanalyst Marc Stevens (CWI). “It’s imperative that browsers and CAs stop using MD5, and migrate to more robust alternatives such as SHA-2 and the upcoming SHA-3 standard,” insists Lenstra.

Additional information:

The expert team of researchers consists of: Alexander Sotirov (independent security researcher), Marc Stevens (Cryptology Group, CWI), Jacob Appelbaum (Noisebridge, The Tor Project), Arjen Lenstra (EPFL), David Molnar (UC Berkeley), Dag Arne Osvik (EPFL) and Benne de Weger (TU/e).

More information on the discovery may be found on the websites of the researchers:

http://www.win.tue.nl/hashclash/rogue-ca/

http://www.phreedom.org/research/rogue-ca/

To accomplish that, the researchers said today that they had exploited a bug in the MD5 hashing algorithm used to create some of the digital certificates used by Web sites to prove they are what they claim to be. The researchers said that by taking advantage of known flaws in the algorithm, they were able to hack VeriSign Inc.’s RapidSSL.com certificate authority site and create fake digital certificates for any Web site on the Internet.

Hashes are used to create a digital “fingerprint” that is supposed to uniquely identify a given document and can easily be calculated to verify that the document hasn’t been modified in transit. But the flaw in the MD5 algorithm makes it possible to create two different documents that have the same numerical hash value.

That, the researchers said, explains how someone could create a digital certificate for a phishing site that has the same fingerprint as the certificate for a genuine Web site. They added, though, that they don’t expect to see any actual attacks using the flaw that they exploited — a point that Microsoft Corp. seconded in a security advisory in which it downplayed the threat to Internet users.

Using their farm of Playstation 3 machines, the researchers built a rogue certificate authority that could issue bogus certificates. The Playstation’s Cell processor is popular with code breakers because it is particularly good at performing cryptographic functions.

The researchers planned to present their findings today at the Chaos Communication Congress, a hacker conference being held in Berlin. Even before their talk took place, it already was the subject of speculation within the Internet security community.

The team that did the research work included independent researchers Jacob Appelbaum and Alexander Sotirov, as well as computer scientists from the Centrum Wiskunde & Informatica, the Ecole Polytechnique Federale de Lausanne, the Eindhoven University of Technology and the University of California, Berkeley.

Although the researchers believe that a real-world attack using their techniques is unlikely, they say their work shows that the MD5 algorithm should no longer be used by the certificate authority companies that issue digital certificates. “It’s a wake-up call for anyone still using MD5,” said David Molnar, a Berkeley graduate student who worked on the project.

In addition to VeriSign, TC TrustCenter AG, EMC Corp.’s RSA unit and Thawte Inc. use MD5 to generate their digital certificates, according to the researchers. They said that VeriSign also uses the algorithm on a certificate service offered through its Japanese Web site, in addition to RapidSSL.com.

Exploiting the MD5 bug to carry out an attack would be hard, because cybercrooks would first have to trick a victim into visiting the malicious Web site that hosts a fake digital certificate. That could be done, however, by using what’s called a man-in-the-middle attack. Last August, for example, security researcher Dan Kaminsky showed how a major flaw in the Internet’s Domain Name System could be used to launch such attacks.

And with this latest research, it’s now potentially easier to attack Web sites that are secured using Secure Sockets Layer (SSL) encryption, which relies on trustworthy digital certificates. “You can use Kaminsky’s DNS bug combined with this to get virtually undetectable phishing,” Molnar said.

“This isn’t a pie-in-the-sky talk about what may happen or what someone might be able to do, this is a demonstration of what they actually did with the results to prove it,” HD Moore, director of security research at BreakingPoint Systems Inc., wrote in a blog post about the researchers’ findings.

Cryptographers have been gradually chipping away at the security of MD5 since 2004, when a team lead by Shandong University’s Wang Xiaoyun demonstrated flaws in the algorithm.

Given the state of research into MD5, certificate authorities should have upgraded to more secure algorithms such as SHA-1 “years ago,” said Bruce Schneier, a noted cryptography expert and chief security technology officer at BT PLC.

RapidSSL.com will stop issuing MD5-based digital certificates by the end of January and is looking for ways to encourage its customers to move to new certificates after that, said Tim Callan, VeriSign’s vice president of product marketing. But first, Callan added, VeriSign wants to get a good look at the new research.

Molnar and his team have communicated their findings to VeriSign indirectly, via Microsoft, but they have yet to speak directly to VeriSign, out of fear that it might take legal action to quash their talk. In the past, companies sometimes have obtained court orders to prevent security researchers from talking at hacker conferences.

Callan said he wished that VeriSign had been given more information ahead of time. “I can’t express how disappointed I am that bloggers and journalists are being briefed on this but we’re not, considering that we’re the people who have to actually respond,” he said.

While Schneier said he was impressed by the math behind this latest research, he said that there are already far more important security problems on the Internet — weaknesses that expose large databases of sensitive information to attackers, for example.

“It doesn’t matter if you get a fake MD5 certificate, because you never check your certs anyway,” he said. “There are dozens of ways to fake that, and this is yet another.”

Computer World_Robert McMillan