IOWA CITY, Iowa (AP) — The University of Iowa has launched an investigation after employees at a medical clinic complained their supervisors hid a baby monitor to eavesdrop on them.
John Stellmach, president of a union that represents university employees, said Department of Urology workers discovered the monitor hidden on a shelf near a reception area on Monday. He says it would have picked up chatter by five secretaries and clerical workers.
Stellmach says managers explained the monitor was being used to determine whether secretaries were chatting too much and it was removed after they complained. He says employees feel their privacy was violated by the monitoring, which may have also picked up confidential medical information.
UI Vice President for Strategic Communication Tysen Kendig said Tuesday that human resources officials are leading the investigation.
Users of Internet Protocol version 4 (IPv4) networks, beware man-in-the-middle attacks. That’s because such networks can be exploited using capabilities built into IPv6, the next-generation standard for expanding the number of addresses for Internet-connected devices.
In particular, someone with malicious intent could “impose a parasitic IPv6 overlay network on top of an IPv4-only network, so that an attacker can carry out man-in-the-middle attacks on IPv4 traffic,” said Alec Waters, a security researcher for InfoSec Institute, in a blog post. While his proof-of-concept attack scenario targets Windows 7, it should also work against Windows Vista, Windows 2008 Server, or “any operating system that ships with IPv6 installed and operational by default,” he said.
The attack works by introducing an IPv6 router into an IPv4 network, but only connecting the router to the IPv4 Internet. Using router advertising (RA) to create addresses–via a process known as Stateless Address Auto Configuration (SLAAC)–the attacker can control where traffic travels. Next, an attacker can use NAT-PT, “an experimental protocol used to connect IPv6 only networks to the legacy IPv4 network,” said Johannes Ullrich, chief research officer for the SANS Institute, in a blog post that analyzes this so-called SLAAC attack.
“By combining the fake RA advertisements with NAT-PT, the attacker has the ability to intercept traffic that would normally use IPv4,” he said. “To make things more interesting, if a host has IPv6 and IPv4 connectivity, the IPv6 connection is preferred, causing this attack to work even better.”
One mitigating factor, however, is that an attacker would have to physically place a router in the targeted environment–although that could also be a public Wi-Fi hotspot.
This vulnerability was filed with MITRE on April 6, though a Windows fix was absent from this month’s mega-Patch Tuesday.
But is this a vulnerability or a feature? In fact, there’s a dispute over whether this is a bug at all. According to the MITRE vulnerability listing, “it can be argued that preferring IPv6 complies with [the IPv6 protocol], and that attempting to determine the legitimacy of an RA is currently outside the scope of recommended behavior of host operating systems.”
“The severity of the attack is disputed, because this is the default configuration of Windows Vista/7/2008 OSes, and it also follows the RFC recommended implementation of a ‘dual stack’ (IPv4 and IPv6) network stack,” said Jack Koziol, a senior instructor and security program manager at InfoSec Institute, and co-author of The Shellcoder’s Handbook: Discovering and Exploiting Security Holes, in an email interview. Regardless of how it’s labeled, he said, IPv4 is still “vulnerable to the traffic interception and the SLAAC attack.”
The IPv6 story has been a tale of slow adoption. But as IPv4 addresses dwindle, organizations have been urged to increase their adoption of IPv6, for which a standard was developed by the Internet Engineering Task Force (IETF) in 2003. Even the White House has put its muscle behind such a message, releasing a transition tool to emphasize the importance of adopting the newer protocol.
So, how can IPv4-using organizations protect themselves against a SLAAC attack? “IPv6 is a wonderful protocol. But if you don’t need it: Turn it off. If you need it, then monitor and defend it like IPv4,” said Ullrich.
Interestingly, there’s a defense against the SLAAC attack, known as the Secure Neighbor Discovery (SEND) protocol, said Koziol. Except that Microsoft doesn’t use SEND in its current products. “It seems after the engineers from Microsoft and Ericsson finished writing the IETF document, they also wrote and filed a patent on the process. So Microsoft has concerns implementing SEND, due to legal concerns with Ericsson,” he said.
NEW YORK, N.Y. – A lawsuit challenging a law that lets the United States eavesdrop on overseas communications more widely and with less judicial oversight than in the past was reinstated Monday by a federal appeals court that said new rules regarding surveillance had put lawyers, journalists and human rights groups in a “lose-lose situation.”
The 2nd U.S. Circuit Court of Appeals said it took no position on the merits of the lawsuit brought by those in jobs that require them to speak with people overseas, saying only that the plaintiffs had legal standing to bring it against the latest version of the Foreign Intelligence Surveillance Act.
U.S. District Judge John G. Koeltl in Manhattan had sided with the government in a 2009 ruling, saying the plaintiffs lacked standing to sue since none of them could show they were subject to the surveillance. He said Americans’ fears that their conversations would be monitored and their rights violated were “purely subjective.”
Attorneys, journalists and human rights groups whose work might require speaking to possible surveillance targets had brought the lawsuit on constitutional grounds, saying new government procedures for eavesdropping on international communications forced them to take costly and burdensome steps to protect the confidentiality of their overseas communications.
In a lengthy written ruling, the 2nd Circuit said the plaintiffs had standing to sue in part because they had established that they had a reasonable fear of injury from the surveillance and had incurred costs to avoid it.
A three-judge panel of the appeals court wrote that the new regulations had “put the plaintiffs in a lose-lose situation: either they can continue to communicate sensitive information electronically and bear a substantial risk of being monitored under a statute they allege to be unconstitutional, or they can incur financial and professional costs to avoid being monitored.”
The appeals court said its ruling “does not mean that their challenge will succeed; it means only that the plaintiffs are entitled to have a federal court reach the merits of their challenge.”
A spokeswoman for government lawyers who argued the case said they had no comment.
Jameel Jaffer, deputy legal director for the American Civil Liberties Union, called the ruling a “watershed opinion.”
“For too long, the government has used unwarranted secrecy to shield intrusive surveillance programs from constitutional scrutiny,” he said. “The government’s surveillance practices should not be immune from judicial review, and this decision ensures that they won’t be.”
The plaintiffs had argued that the new procedures made it possible for the U.S. to seek to review all telephone and email communications to and from countries of foreign policy interest, including communications made to and from U.S. citizens and residents.
“This is a statute that allows the government to engage in dragnet surveillance of Americans’ international communications. As far as Americans’ international communications are concerned, the statute eliminates the probable cause and warrant requirements altogether,” Jaffer said.
The appeals court noted plaintiffs’ declarations citing individuals whose work might be affected by the eavesdropping procedures. Those individuals included a lawyer for self-professed Sept. 11 mastermind Khalid Sheik Mohammed who regularly communicates with Mohammed’s family members, experts and investigators around the world.
A lawsuit challenging the government’s right to eavesdrop on Americans without warrants under the Patriot Act was re-instated by an appeals court Monday.
Libertarians cheered the decision, which will allow Amnesty International, Human Rights Watch and other groups to continue questioning the government’s ability to listen in on phone calls and to monitor emails.
An earlier ruling by District Judge John Koeltl dismissed the lawsuit, saying the plaintiffs didn’t show they would be the subject of surveillance.
The American Civil Liberties Union and others argued they should be allowed to sue because they feared that “their communications will be monitored, and thus force them to undertake costly and burdensome measures to protect the confidentiality of international communication necessary to carrying out their jobs.”
The Second Circuit Appeals court ruled in favor of the plaintiffs, finding they have “a reasonable fear of injury.”
The three-judge panel’s 63-page decision does not comment on the merits of the lawsuit.
“The government’s surveillance practices should not be immune from judicial review, and this decision ensures that they won’t be,” ACLU deputy legal director Jameel Jaffer said.
“The law we’ve challenged permits the government to conduct dragnet surveillance of Americans’ international communications, and it has none of the safeguards that the Constitution requires.
“Now that the appeals court has recognized that our clients have the right to challenge the law, we look forward to pressing that challenge in the trial court.”
The internet security firm Comodo Group said it had been victim to a hacker attack that appeared to have been part of a larger scheme to eavesdrop on encrypted e-mail and chat communications that may have been sponsored by Iran.
Comodo, a digital certificate authority and security software maker, said on Wednesday that it unwittingly issued fraudulent digital certificates for Web sites operated by Google, Yahoo, Microsoft, Skype and Mozilla. Digital certificates are used to vouch for the authenticity of a site owner and facilitate encrypted communications between sites and their users. Comodo revoked all of the certificates immediately upon discovery of the incident and notified the site owners, the major browser makers and relevant government authorities, it said.
The firm described the attack as well-planned and deployed with “clinical accuracy” from computers located mainly in Iran, though it pointed out in a company blog post that those computers could have been used to “lay a false trail.” But it said that the characteristics of the attack, and the fact that Iran has sought to penetrate online communication services in the past, led it to “one conclusion only” — that the attack was likely to be “state-driven.”
The Iranian government, like others in the Middle East facing opposition movements leveraging the Internet to organize protests and press for democratic change, has aggressively sought to restrict and monitor Internet access by its citizens.
With the certificates, a hacker would be able to set up server computers that would appear to work for the targeted Web sites. A government that controls Internet traffic inside its country would be able to use such a server to gain access to encrypted e-mail and chat conversations and collect user names and passwords for individuals’ accounts, said Mikko H. Hypponen, chief research officer at the security firm F-Secure, in a blog post.
Even without a grip on Internet traffic, a hacker could lure dissidents or other Web users to the rogue server and then intercept their communications and account details, said Roel Schouwenberg, a senior researcher at the security firm Kaspersky. “You can ‘own’ a target without having to compromise anything at the target’s end,” he said. “It might not be easier, but it might be ‘cleaner.’”
The fraudulent certificate for Mozilla, which was for its Firefox add-on site, might have allowed the attacker, posing as Mozilla, to install malware on targeted PCs or to block the installation of Firefox extensions that help users bypass government-imposed censorship filters, Mr. Hypponen said.
“Everything points to this being an intelligence operation,” Mr. Schouwenberg said, noting that theft of certificates has become a favored tactic among governments.
The Stuxnet worm that targeted Iranian nuclear installations last year also made use of stolen certificates, though those certificates were stolen from hardware companies who owned and used them to “sign” their products, not the certificate authorities that issued them.
In this recent attack, Comodo, one of several companies with the authority to issue digital certificates to Web sites, said one of its partners in Southern Europe, a so-called registration authority, which acts as an intermediary between it and some Web-site customers, suffered a security breach on March 15. That breach allowed the hacker to set up a bogus account and quickly prompt Comodo to generate the nine certificates.
News of the breach led to calls for increased scrutiny of the entire certificate system.
“This should serve as a wake up call to the Internet,” wrote Jacob Appelbaum in a blog post for Tor Project, a nonprofit group that makes free software that dissidents, journalists and other privacy-conscious people use to surf the Web anonymously and defeat online monitoring. “We need to research, build, and share new methods for ensuring trust, identity, authenticity, and confidentiality on the Internet,” he wrote.
Comodo said it has evidence that the hacker tried to use one bogus certificate for Yahoo, but no evidence of use for the other companies singled out. Yahoo said it was aware of the incident and “will continue to monitor this closely.”
Skype also said it was monitoring the situation and had taken steps to mitigate an attack on its service. “We do not expect any issues as a result,” Skype added in a statement.
Google said it had not detected any use of fraudulent Google certificates.
The major browser makers have all issued updates for their software to block the bogus certificates. Google pushed out an update to users of its Chrome browser on March 17. Mozilla said in a blog post Tuesday that it issued an update to its Firefox browser and urged users to download it. Microsoft did the same on Wednesday.
