TAIPEI, Taiwan (AP) — A prosecutor says a Taiwanese political science professor has been detained for providing data on visiting Chinese activists to Beijing.
Huang Mou-hsin says Wu Chang-yu of Central Police University was detained Friday pending filing of formal charges.
Taiwan’s United Daily News quoted unidentified sources as saying Wu frequently visited China to lecture on fortunetelling — his other specialty. It says Chinese officials offered him fortunetelling businesses in exchange for spying on the Taiwan activities of selected Chinese. None of the alleged targets were named.
Taiwan and China continue to spy on each other despite a recent improvement in their relationship amid growing economic ties. The two sides split amid civil war in 1949.
The engineer and former American Superconductor Corp. employee who is at the center of AMSC’s claims of corporate espionage by Sinovel Wind Group Co. Ltd. has pleaded guilty on charges of passing AMSC secrets to the Chinese company.
Dejan Karabasevic, 38, was sentenced to one year in jail and two years probation. Formerly employed by AMSC’s Austrian subsidiary, Karabasevic also was ordered by the court in Klagenfurt, Austria, to pay roughly $270,000 in damages to AMSC.
Walk into a NASCAR garage on any given Friday at the racetrack and it’s sure to be teeming with fans clad in T-shirts and ball caps supporting their favorite driver. As crews work on cars, the fans mill about, seeking autographs and taking pictures of anything and everything. If they want, they’re free to walk up to their favorite driver’s car and snap photo after photo.
It’s part of NASCAR’s effort to bring fans closer to the sport. Inadvertently, it allows teams to go undercover and gain an edge.
This screenshot shows the researchers’ demo in action on a PayPal account. (Credit: Juliano Rizzo and Thai Duong)
Browser makers are devising ways to protect people from a security protocol weakness that could let an attacker eavesdrop on or hijack protected Internet sessions. Potential solutions include a Mozilla option to disable Java in Firefox.
The problem–considered theoretical until a demonstration by researchers Juliano Rizzo and Thai Duong at a security conference in Argentina last week–is a vulnerability in SSL (Secure Sockets Layer) and TLS (Transport Layer Security) 1.0, encryption protocols used to secure Web sites that are accessed using HTTPS (Secure Hypertext Transfer Protocol).
The researchers created software called BEAST (Browser Exploit Against SSL/TLS) that can decrypt parts of an encrypted data stream and can be used in what is known as a “man-in-the-middle” (MITM) type of attack. BEAST uses JavaScript running in the browser and can let an attacker snoop on traffic, as well as impersonate a Web surfer by compromising session cookie data used to authenticate a Web surfer with a site. More details and a video of the demo are on Duong’s blog.
Here are responses from representatives of the major browsers:
Firefox
“We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so,” a Mozilla Security blog post says. “Firefox itself is not vulnerable to this attack. While Firefox does use TLS 1.0 (the version of TLS with this weakness), the technical details of the attack require the ability to completely control the content of connections originating in the browser, which Firefox does not allow. The attackers have, however, found weaknesses in Java plugins that permit this attack. We recommend that users disable Java from the Firefox Add-ons Manager as a precaution.”
Internet Explorer
“We consider this to be a low risk issue for customers, but we released Security Advisory (2588513) to provide guidance and protection for customers with concerns,” Jerry Bryant, group manager of Response Communications at Microsoft Trustworthy Computing, said in an e-mail. “To be clear, Internet Explorer depends on the Windows implementation of these protocols, so our mitigations and workarounds apply to the operating system and not the browser. We are looking at other ways to address the issue both in our products and within the industry and will update our guidance as it becomes available.”
Chrome
A Google representative referred CNET to a blog post from late last week written by Adam Langley, a member of the Chrome team, that said the company was preparing and testing a workaround. “The attack is still a difficult one; the attacker has to have high-bandwidth MITM access to the victim. This is typically achieved by being on the same wireless network as the victim,” the post says. “Nonetheless, it’s a much less serious issue than a problem which can be exploited by having the victim merely visit a Web page. (Incidentally, we pushed out a fix to all Chrome users for such a Flash bug only a few days ago.)”
Opera
Opera developed a fix and tried shipping it in Opera 11.51 but found that changes made to how the browser connects to servers were “incomprehensible to thousands of servers around the world,” Opera’s Sigbjorn Vik wrote in a blog post. “This issue will have to be solved in close cooperation between browser vendors and Webmasters. Since this cannot be directly exploited in Opera, we decided to wait until we have an industry agreement on how to move forward. We have test systems in place which can connect to millions of secure sites around the world and detect how these sites will react to changes to the protocol. We will be sharing our results from these test runs with other browser vendors and affected parties, to give us a good basis for finding the best solution to the issue.”
Safari
Apple representatives did not respond to e-mail or telephone requests for comment about the Safari browser.
Just upgrading to TLS 1.1, which is not vulnerable to the threat, won’t work because nearly all SSL connections use TLS 1.0, according to a Qualys study reported on by Dan Goodin at The Register, which broke the BEAST story. In addition, “upgrading TLS is proving surprisingly difficult, mostly because almost every fix breaks widely used applications or technologies,” he wrote.
A Tredyffrin Township man has been accused of cyber spying on his estranged wife.
Jay Anthony Ciccarone, 39, was charged Monday night with unlawful use of a computer and related offenses. He allegedly installed “Web Watcher,” a spyware package, on the woman’s computer, Tredyffrin Township police said.
“As far as I’m concerned, he was really behaving like a stalker,” Sgt. John R. Bailey said. “He violated her trust and her privacy. . . . It seemed like a big chess game to him.”
Police said the investigation began a year ago when the woman, who was in the midst of divorce proceedings with Ciccarone, contacted police because Ciccarone appeared to be monitoring her daily activities.
A forensic examination of the woman’s computer revealed the presence of the spying program, which “works by recording all manner of activity on the computer, including keystroke logging, capturing e-mail and Internet activity,” the criminal complaint said.
The complaint said the program “is designed to be completely ‘stealthed,’ meaning it is automatically hidden from everyone except the people authorized to see it.”
This month, investigators received confirmation from Awareness Technologies, a California company that sells the program, that the software had been purchased by Ciccarone, the complaint said.
Ciccarone, who previously worked in sales for Philly.com, was arraigned Monday night in District Court and released after posting $75,000 cash bail. A preliminary hearing is scheduled for Friday.
Ciccarone filed for divorce in April 2010, a proceeding that has not yet been finalized, according to court records.
Contact staff writer Kathleen Brady Shea at 610-696-3815, kbrady [at] phillynews [dot] com, or @brandywinebits on Twitter. Read her blog, “Chester County Inbox,” at www.philly.com/chescoinbox.