The Indelible Bonobo Experience

Renaissance Monkey: in-depth expertise in Jack-of-all-trading. I mostly comment on news of interest to me and occasionally engage in debates or troll passive-aggressively. Ask or Submit 2 mah authoritah! ;) !

Photo Post
Police need to have a special wiretap warrant to access a suspect’s daily batch of text messages from their wireless provider, the Supreme Court of Canada decided Wednesday, in its latest ruling on privacy protection in the age of cellphones and digital communication. The ruling recognized that text messages are a type of private electronic communication, so police need to meet a higher standard when seeking a judge’s permission to access them than simply asking for a routine search warrant. (via What powers do police have for online surveillance? - Technology & Science - CBC News) The case worked its way up to Canada’s top court as wireless provider Telus Corp., which opts to keep a database of text messages within its network for 30 days, argued it should not have to hand over clients’ text messaging logs daily when police ask for them using a general search warrant. Telus based its case on the argument that seizing the messages would be an “interception,” which would require a wiretap warrant. Wiretap warrants are more difficult for police to obtain than general search warrants because private communications are afforded special privacy provisions in the Criminal Code. The decision affirms that there is no practical difference between texting and a traditional phone conversation, which would also require a wiretap warrant to be intercepted. Canadian law allows the police to legally intercept Canadians’ private communications without their knowledge or consent only through an intercept authorization warrant, said Abby Deshman, the director of the Canadian Civil Liberties Association public safety program. Typically, police can apply for three types of warrants: a standard search warrant (which can include searching a computer and printing out data), a production order (which compels someone to hand over information stored in a physical space or on an electronic device) or a general warrant (which can be a little more wide-ranging). In February, federal Justice Minister Rob Nicholson introduced a new bill, C-55, which would give police the right to intercept private communications without a warrant in emergency situations, like immediate harm to an individual or national security. Police powers were also expanded last month when the Court of Appeal for Ontario ruled that officers have the right to search a person’s phone — as long as it is not password protected. But if police want to intercept a private communication they must apply for a wiretap authorization and meet a higher standard, including: having tried other investigative procedures; demonstrating that other investigative procedures have failed or are likely to fail; showing the urgency of the case makes it impractical to use only other investigative procedures. If granted, interceptions are time-limited, and the person whose communication was intercepted will eventually be notified.

Police need to have a special wiretap warrant to access a suspect’s daily batch of text messages from their wireless provider, the Supreme Court of Canada decided Wednesday, in its latest ruling on privacy protection in the age of cellphones and digital communication. The ruling recognized that text messages are a type of private electronic communication, so police need to meet a higher standard when seeking a judge’s permission to access them than simply asking for a routine search warrant. (via What powers do police have for online surveillance? - Technology & Science - CBC News)

  • The case worked its way up to Canada’s top court as wireless provider Telus Corp., which opts to keep a database of text messages within its network for 30 days, argued it should not have to hand over clients’ text messaging logs daily when police ask for them using a general search warrant.
  • Telus based its case on the argument that seizing the messages would be an “interception,” which would require a wiretap warrant.
  • Wiretap warrants are more difficult for police to obtain than general search warrants because private communications are afforded special privacy provisions in the Criminal Code. The decision affirms that there is no practical difference between texting and a traditional phone conversation, which would also require a wiretap warrant to be intercepted.
  • Canadian law allows the police to legally intercept Canadians’ private communications without their knowledge or consent only through an intercept authorization warrant, said Abby Deshman, the director of the Canadian Civil Liberties Association public safety program.
  • Typically, police can apply for three types of warrants: a standard search warrant (which can include searching a computer and printing out data), a production order (which compels someone to hand over information stored in a physical space or on an electronic device) or a general warrant (which can be a little more wide-ranging).
  • In February, federal Justice Minister Rob Nicholson introduced a new bill, C-55, which would give police the right to intercept private communications without a warrant in emergency situations, like immediate harm to an individual or national security.
  • Police powers were also expanded last month when the Court of Appeal for Ontario ruled that officers have the right to search a person’s phone — as long as it is not password protected.

But if police want to intercept a private communication they must apply for a wiretap authorization and meet a higher standard, including:

  • having tried other investigative procedures;
  • demonstrating that other investigative procedures have failed or are likely to fail;
  • showing the urgency of the case makes it impractical to use only other investigative procedures.

If granted, interceptions are time-limited, and the person whose communication was intercepted will eventually be notified.

Posted in canada privacy search warrant rob nicholson supreme court protections police password sms texting messaging
Quote Post
A Romanian computer scientist discovered that the Institute of Electrical and Electronics Engineers (IEEE) was storing its members’ usernames and passwords in plaint-text on a publically accessible file transfer protocol (FTP) server. Radu Drăgușin claims the collection of nearly 100,000 credentials had been accessible on the FTP server for at least one month before his discovery. Among those exposed are employees of Google, Apple, IBM, Oracle, Samsung, NASA and Stanford University to name a few. In addition to the username-password combinations, discovered last Tuesday, all visitor activity on the site for logged-in members was publicly available as well.

Researcher Finds 100k IEEE.org Passwords Stored in Plain-Text on Public FTP Server | threatpost

  • The IEEE is a professional association “dedicated to advancing technological innovation and excellence for the benefit of humanity.” It is the keeper of the 802.11 wireless networking standard. According to their website, the group boasts 400,000 members from more than 160 countries. Drăgușin reported the flaw to the IEEE and they fixed the problem.
  • Drăgușin writes that the noticeable failure in this incident belongs to the IEEE’s Web administrators who did not restrict access to the webserver logs on both ieee.org and spectrum.ieee.org. The FTP directory in question contained 100GB worth of logs. Until Monday when the issue was resolved, anyone who happened upon ftp://ftp.ieee.org/uploads/akamai/ could view these webserver logs, which documented more than 376 million HTTP requests.
  • This is a serious gaffe for a professional association of scientists and engineers, in whose membership is a fairly large number of computer science professionals. As serious as the gaff is, it resulted from an honest albeit careless mistake made by whomever established the access permission settings. The real problem here, and the reason Drăgușin says the problem is only partially solved, is the fact that the IEEE was storing usernames and passwords in plain-text. It almost goes without saying at this point that best practices call for the storage salted, cryptographic hashes of passwords. Drăgușin goes on to criticize the IEEE for keeping passwords with the logs at all, because it makes them available to any employee with access to the logs.
  • You can find Drăgușin’s complete analysis here, but the top five most popular passwords were: “123456,” “ieee2012,” “12345678,” “123456789,” and, yep, you guessed it, “password.”
Posted in ieee security dragusin password it
Photo Post
An online password cracking service for penetration testers and network auditors who need to check the security of WPA protected wireless networks, crack password hashes, or break document encryption. (via CloudCracker :: Online Hash Cracker) English dictionary, WPA handshake, here’s what they charge: 604 million words, $17, 1h max 1.208 billion words, $34, 1h max 2.416 billion words, $68, 1h max 4.832 billion words, $135, 2h max Specialized 2Wire dictionary (?) Also, phone numbers: 1.559 billion words, $46, 1h max

An online password cracking service for penetration testers and network auditors who need to check the security of WPA protected wireless networks, crack password hashes, or break document encryption. (via CloudCracker :: Online Hash Cracker)

English dictionary, WPA handshake, here’s what they charge:

  • 604 million words, $17, 1h max
  • 1.208 billion words, $34, 1h max
  • 2.416 billion words, $68, 1h max
  • 4.832 billion words, $135, 2h max

Specialized 2Wire dictionary (?)

Also, phone numbers: 1.559 billion words, $46, 1h max

    Posted in password cracking cloudcracker wpa wpa2 handshake pentest penetration testing wireless hashes | 1 note