ContraRISK

A round-up of the past week’s IT security stories.

The ‘Diary’ at SANS’ Internet Storm Center reports that at least one malware outbreak started in a very low-tech way. Fake parking tickets attached to cars in Grand Forks, North Dakota encouraged recipients to visit a website to see pictures of improperly parked vehicles. The site was, of course, loaded with malware. The bad code itself wasn’t anything new, but the social engineering involved was certainly novel.

The current beta of Microsoft’s forthcoming OS, Windows 7, has a User Account Control (UAC) system that can be thwarted with a simple script, claims developer Rafael Rivera. But Microsoft insists this isn’t actually a problem because the machine would already have to be compromised in order to install the script. Apparently it’s not a bug, it’s a feature.

Using cheap electronics, including a $250 off-the-shelf RFID scanner bought on eBay, a researcher claims to have been able to grab information from six passports during a half-hour cruise through San Francisco. This data could be used to clone passports, he says. Well, well. Who’d have thought that a technology, designed to make data be easily readable from a distance, could pose such a security threat?

In November 2008, three London hospitals were heavily affected by an outbreak of the Mytob Windows worm. It now turns out (not very detailed report here, PDF) that all the computers had McAfee 8.5 anti-virus software installed. But the machines were ‘misconfigured’ and so failed to make their daily updates. As a result, a three year-old threat was allowed to walk right in. Just shows that not updating AV software makes it about as much use as buying a condom and leaving it in the packet.

Lotus Sametime, the instant messaging software from IBM, has a rather blatant vulnerability that has been overlooked until now, despite the fact that it is fully documented. The software makes user passwords available in plain text through its API, so that plug-ins can use them. IBM thinks this is okay. Carl Tyler does not.

Web developer James Padolsey has published a proof of concept clickjacking attack for Twitter. It means, he claims, that other people could publish tweets using your account. And these tweets, of course, could include links to dubious sites.

Data breaches cost organisations money and customers, and the cost is rising, claims a report from Ponemon Institute and PGP. (The latter, of course, has a vested interest.) For 2008, the report claims a cost per breached record of $202.

IBM’s X-Force Research group says that some 53 per cent of vulnerabilities discovered in 2008 are still unpatched. The Mac OS X platform is the worst affected, with 14.3 per cent of the unpatched flaws, followed by Linux and Solaris. Yep, Windows was fourth. This is no time for celebration by Microsoft, though. When you slice the data by manufacturer, MS comes out top, with Apple second.

While Microsoft busily boosts protection against XSS attacks, in the latest version of Internet Explorer, some people are getting very concerned about IE8’s ’suggested sites’ feature, which exploits the user’s browsing habits to suggest other sites they might like. The feature is open to privacy abuses, some experts believe.

A virus discovered on the network of major US government contractor SRA may have compromised personal details of the firm’s employees. The admission came in a breach disclosure notification filed by the company. The malware was not picked up by the company’s anti-virus software.

The prospect of e-terrorism is behind growing unease about vulnerabilities in SCADA systems. These systems are used to manage power stations and energy distribution networks. The Areva e-terrahabitat product has just been found to be infested with buffer overflow and potential DoS vulnerabilities. While SCADA system suppliers insist that scary things like nuclear power plants are not connected to the Internet, others point out that the systems are, in fact, increasingly managed remotely, opening possible attack vectors.

Recent updates, patches and announced vulnerabilities include:

• Novell Groupwise: updates have addressed a number of vulnerabilities. Affected packages include GroupWise 6.5x, GroupWise 7.0, 7.01, 7.02x, 7.03, 7.03 HP1a and GroupWise 8.0.
• Bugzilla: flaws were found in this bug reporting package that made it vulnerable to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks. New versions - 2.22.7, 3.0.7, 3.2.1 and 3.3.2 - have fixed this.
• Firefox: version 3.0.6 fixes six bugs, one of which could have allowed remote attackers to gain control of the machine. That bug was also found in Thunderbird and the SeaMonkey Internet Suite.
• UltraVNC and TightVNC: the viewing clients for these packages have vulnerability that could compromise a user, says Core Security. The two packages use a common code base and the vulnerability is fixed in the latest versions, UltraVNC 1.0.5.4 and TightVNC 1.3.10.
• Microsoft: ‘Patch Tuesday’ on Feb 10 will see fixes for Internet Explorer 7, SQL Server 2000 and 2005, Exchange Server 2000, 2003 and 2007 and Visio 2002, 2003 and 2007. Some of these are deemed ‘critical’.
• OpenOffice.org: the current version of this office suite, 3.0.1, installs an outdated version of Java, according to the Washington Post. The Java 6 Update 7 version bundled with the suite contains several unpatched vulnerabilities: the current version - Update 12, which is now fully released - has fixed these. Users of OpenOffice 3.0.1 should update Java themselves if they installed the bundled version.
• Cisco: there are three DoS and one privilege escalation vulnerabilities in Cisco Wireless LAN Controllers (WLCs), affecting Catalyst 6500 Wireless Services Modules (WiSMs) and Catalyst 3750 Integrated Wireless LAN Controllers. Fixes are on their way.
• phpBB: this popular, if vulnerability-prone, open source bulletin board package has suffered another exploit. The third-party PHPlist email application presented a flaw that provided an attacker with access to account details for registered users. PHPlist has been updated, but phpBB-based forums tend to go unpatched for lengthy periods because they are run by amateurs who either don’t know about updates or don’t realise their importance.
• HP: certain HP LaserJet printers, Color LaserJet and Digital Senders contain flaws that may make documents stored in networked devices vulnerable to theft by attackers.
• Squid: this popular web proxy package contained a DoS vulnerability. A new version has been released to fix it.

A round-up of the past week’s IT security stories.

Twitter is the next big target for spammers, claim some security experts. This new breed, dubbed ‘Twammers’ by the ThreatChaos blog, use the TweetTornado.com application to create hundreds or thousands of new Twitter accounts that then attach themselves as followers to unsuspecting Twitter users. They then post links to ads of various kinds.

Monster.com, the job-seekers website which also hosts the official US Government employment site USAJobs.gov, has been hacked. This has resulted in the potential compromise of a huge number of accounts, including passwords and personal details. Security experts are expecting to see an increase in spearphishing and attacks on bank accounts. As many users will have employed the same password on Monster.com that they use on other sites, the potential for harm is immense. The website, however, decided not to tell its users directly about the problem, by email, but simply posted a warning on the site itself.

There are further cases to add to the long list of ex-employees taking revenge against their erstwhile employers - or rather, in this Australian example, their customer. CSG Service had to let Anthony McIntosh go. He promptly used a former colleague’s login details and a borrowed laptop to hack into the systems of one of CSG’s clients - the Northern Territory Government. He could have stolen information, but in this instance he preferred to delete it, including profiles of 10,475 public servants. This vandalism rendered many of the systems inoperative. He has pleaded guilty to 12 hacking offences but sentencing has been delayed pending a psychiatric review.

And an IT contractor at Fannie Mae, similarly disgruntled at being laid off, tried to bring down 4,000 servers by leaving behind a malware bomb. As the economic downturn bites harder, we can expect more of this.

The UK Government’s sometimes bizarre and unworkable ideas about policing the Internet have already suffered their first reversal. According to The Times, the idea of forcing ISPs to disconnect habitual bittorrent users has been scuppered - apparently by the legal complexities involved.

Kaspersky recently identified a trojan designed for Symbian-based phones, which can exploit an Indonesian phone service to transfer funds from one account to another. The Trojan-SMS.Python.Flocker exploit uses specially crafted SMS messages. But Kaspersky says that it has been misquoted by various news sources which are now warning of a rapid spread of the trojan to Australia.

Following the report that some pirated copies of Apple’s iWork 09 software, available via torrents, contained a trojan, it now seems that similarly illegal versions of Adobe Photoshop CS4 are also infected. This is a clever trojan that leaves no trace.

Careless data loss continues unabated. In the UK, Great Ormond Street Hospital had a laptop filched, which happened to contain some data on several hundred patients. And a New Zealand chap, who bought a used MP3 player while in Oklahoma, found it contained US military files, including details on personnel and technical details of equipment and operations. Oops. We have one word for anyone who puts sensitive information on mobile devices. Encryption.

Updates, patches and announced vulnerabilities include:

• VMware: updates for the ESX server and ESXi hypervisor fix a number of vulnerabilities, including buffer overflows.
• Cisco: when the Cisco Security Manager server is combined with the IPS Event Viewer (IEV), attackers might be able to gain access to the underlying MySQL database. Cisco Security Manager versions 3.1, 3.1.1.SP3, 3.2.SP2 and 3.2.1.SP1 are affected, but 3.2.2 isn’t. Patches are available.
• Google Chrome: Version 1.0.154.46 fixes three vulnerabilities that include the potential for cross-site scripting with specially crafted PDF files. Meanwhile, several browsers remain vulnerable to clickjacking exploits.
• FFmpeg: this open-source audio and video library had a flaw that could allow the execution of arbitrary code by an attacker. Version 16846 has fixed this hole.
• Windows Mobile 6: a Bluetooth component of this software has a very basic, and really rather stupid, directory traversal flaw that could allow attackers to steal files. So far no fix is available.
• EMC AutoStart: this has a vulnerability to could allow code to be executed without authorisation being required. Upgrading to 5.3 SP2 apparently fixes the problem.
• GStreamer: This media framework, used by free media players like Totem and Amarok, has heap overflow problems. These were fixed in version 0.10.12 which itself has been replaced by 0.10.13.
• OpenX: this free ad server suffers from cross-site scripting, cross-site request forgery and SQL injection vulnerabilities, says Secunia. No fix is available yet.

A round-up of security related stories from the past week.

F-Secure reckons the Conficker/Downadup worm has now infected around 9 million PCs, and by the time you read this they’ll probably have updated that figure significantly. This is in spite of the fact that a patch to protect against the worm has been available since last year. The problem seems to be that it is difficult to eradicate because of its use of multiple infection vectors.

At least 9,000 USB memory sticks are found in garments by the UK’s dry cleaners every year, claims Credant Technologies (which just happens to be in the business of providing data security for, among other things, memory sticks). It doesn’t say how many of the memory sticks’ owners are government employees.

But for data loss on a monumental scale you have to look to the US, where they do everything bigger. Heartland Payment Systems, which processes credit card transactions, admits to having had its systems hacked, but claimed customer data were not affected. However, others are claiming that as many as 100 million credit cards may have been compromised (though they may be confusing that with the fact that Heartland processes 100 million transactions a month), and some are even suggesting that Heartland has tried to play down the breach, hoping that the presidential inauguration would keep it off the front pages. This could turn out to be the largest-ever data breach, which is an achievement of a kind. However, the authorities may be closing in on the suspected perpetrator, who is outside the US.

Mac OS X users may not be as invulnerable as they like to think. Vincenzo Iozzo claims to have found a way to inject malware into a Mac’s memory without leaving any telltale traces on the hard disk, making detection and eradication difficult. He plans to tell more at the next Black Hat conference.

And more woes for Maccies: if you’re in the habit of getting your software illegally, via BitTorrent, beware. Copies of iWork 09 may contain the OSX.Trojan.iServices.A trojan.

Another one of those ‘well, duh’ moments as the Kroll Global Fraud Report warns that we’ll see an increase in white-collar crime as the financial crisis bites harder. This is actually just the latest in a series of reports from various sources making the same obvious point - if you fire people, or they think you’re going to, they’ll steal whatever is at hand in the hope of fencing it somewhere. It might be pens, staplers or perhaps your entire customer database. Companies might experience sabotage too, says ProCheckUp.

Elcomsoft’s launch of its Wireless Security Auditor 1.0 software has prompted a number of security vendors to warn people to examine their wi-fi security. The packet-sniffing, password-cracking package exploits known flaws in WEP and WPA/WPA2-DSK encryption. It deploys a brute-force approach using up to four graphic display cards to enhance the PC’s number-crunching capabilities. Moving to longer passwords should help wi-fi users stay safe.

Meanwhile, uses of DECT cordless phones are still vulnerable. It was discovered that the Com-On-Air PCMCIA card in a Linux notebook would allow the computer to be used as a very effective sniffer. That’s still the case, but it’s getting very difficult to find the cards. One can only assume this means that rather a lot of people have an interest in sniffing DECT networks.

Make a note on your diary: March 7 is now ‘Hack the Government Day’ in the UK, says RewiredState.org. Interested parties will gather at the offices of The Guardian newspaper to see how much information they can extract by mashing up online government data sources.

Security updates include:

• Sophos Anti-Virus: older versions of the software contain a flaw that might trigger a restart. This isn’t a security vulnerability so much as a flaw in software that many people rely on to provide security. Current versions are already fixed, says the company.
• Typo3: this free CMS apparently has multiple vulnerabilities. These are apparently fixed in the latest versions of the three last point releases - 4.0.10, 4.1.8 and 4.2.4.
• Quicktime: Apple’s release of version 7.6 fixes multiple vulnerabilities.
• Tor: After bragging about how their software scored zero on Coverity’s test for flaws, the Tor people have now released version 0.2.0.33 to fix a vulnerability discovered by security specialist Ilja van Sprundel. Hmm.

A round-up of security related stories from the past week.

This year, we’re going to see more abuse by spammers of free webhosting and blogging sites, says McAfee (reported by SC Magazine). The bad guys take advantage of ICANN’s rules under which they can register a domain name, try it out for five days and then return it for a full refund. There are plans to address this.

MessageLabs, Symantec (PDF) and MXLogic are all warning that financial spam scams tripled in the past year and are set to increase further. The spammers are manipulating people’s fears about the global financial crisis - having, presumably, got bored with exploiting fears about small breasts, small penises and sexual performance. Dark Reading has more here.

The Identity Theft Resource Center (ITRC) has a new paper about reports of data breaches in the US. These rose around 50% in 2008, it says. Whether this means, as the ITRC suggests, that organisations are being more ‘proactive’ in reporting breaches, or whether there are simply more breaches to report, is perhaps a moot point. Breaches that go both unreported and undiscovered don’t make it into the statistics, so it is perhaps more an indication of awareness than a way of judging the security problem itself.

Two Microsoft researchers have concluded that phishing might not be the ideal career path for high-flying hackers. Working on an independent project (ie, not for Microsoft - PDF here), Cormac Herley and Dinei Florencio suggest that phishing is both low-skilled and low-paid, at least for those doing the donkey work. But they do acknowledged that the organised crime bosses behind the majority of attacks might be making a bob or two.

Encryption may have a part to play in many security problems, but you have to get people to use it. And that may not be easy. A report by Absolute and Ponemon Institute found that half of the business managers it surveyed turned off encryption features they already have.

Getting software developers to incorporate security continues to be an uphill struggle. In order to raise awareness, 30 security related organisations have released a list of the 25 most common programming errors, drawn from Mitre’s Common Weakness Enumeration (CWE) project.

F-Secure has claimed that as many as 2.5 million PCs (or 3.5 million, depending which report you read) are already infected with the Conficker worm (aka Downadup). The success of this worm is due to its use of multiple attack vectors, says the firm. And security reseachers believe it may be building a new botnet.

The Storm botnet might be eradicated by using its own command and control system, even if doing that might invite prosecution under Germany’s anti-hacking laws, suggests the Register. Steps have already been taken to destroy this infamous botnet, and it all but disappeared last year. But other reports suggest it is back with a vengeance.

A report from security firm Trusteer (PDF) claims that Internet Explorer, Firefox, Safari and Chrome are all vulnerable to a Javascript exploit that could be used to steal bank details if a user has windows open for both their bank and a specially crafted web page. The exploit would identify the bank then pop up a fake login window. The way to prevent this in-session exploit, says report writer Amit Klein, is to ensure you don’t have any other windows or tabs open while visiting your bank.

Meanwhile, organisations continue to play fast and loose with their data. The Chicago office of US Attorney Patrick Fitzgerald issued a press release, and inadvertantly attached a document revealing the (previously hidden) identities of 25 confidential witnesses in a major criminal case, reports The Chicago Tribune. The Register has more on this story here.

The past week has seen patches or upgrades for various vulnerabilities:

• Microsoft, of course, had one serious vulnerability to address. MS09-001 was described as ’super critical’ as an attack, using NetBIOS ports, would allow the attacker to take control of the machine with no credentials required. However, reports here and here suggest that the problem is not fully fixed.
  
• The SAP GUI has a faulty Active-X control that could allow an attacker to take control of the system, says Secunia. The fix is to upgrade to version 7.10PL or set a kill bit manually.
• Cisco has fixed a vulnerability in its Application Control Engine Global Site Selector (GSS ACE).
• RIM has issued a fix for a problem with its Blackberry server which could have been exploited with specially crafted PDF files.
• Apple’s Safari browser has a vulnerability that would allow an attacker to read files on a user’s hard disk, according to Brian Mastenbrook.
• Oracle had no fewer than 41 fixes, affecting a very wide range of products, in its last set of updates.
• TOR now claims to have zero issues - at least as far as a scan using Coverity is concerned.
• Symantec has fixed its AppStream software management platform, which also had an Active-X vulnerability.

The year has got off to a bang with some high-profile hacks and an avalanche of phishing attacks. So, same old same old - except that there is just a hint of how the technology at the centre of many of our lives might be running out of control.

The Twitter hacker's handiwork

Mind you, the hacking of 33 Twitter accounts was a classic example of old-fashioned, low-skill cracking techniques. Barack Obama, CNN journalist Rick Sanchez, Britney Spears and Fox News were among those affected. The hacker, who poses under the pseudonym ‘GMZ’, deployed a dictionary attack against an account that turned out to belong to a member of Twitter’s own support staff. The hack succeeded because of two weaknesses: first, Twitter allows repeated and rapid login attempts; and second, the user had chosen a simple password - ‘happiness’.

Twitter has also had a rough time with the advent of high levels of phishing attacks. And LinkedIn has copped some unenviable publicity, with reports of fake profiles being used to spread malware.

Individually, these attacks are regrettable but not disastrous. What concerns me is our ability to spot, intercept and deal with them as the Net becomes increasingly connected, and as sites and services integrate with each other.

Any sufficiently complex system is prone to chaotic behaviour. Just look at the financial markets. With deregulation, globalisation and, above all, the introduction of advanced technologies, markets have become unpredictable, unstable and vulnerable to manipulation. If someone in a pin-stripe suit tells you he knows exactly what he’s doing when it comes to derivatives, hedge funds or any one of the seemingly endless range of financial instruments, he’s either lying or deluded. These things are out of our control because they are too complex - the variations and possibilities are too numerous to predict or model. And, as with all chaotic systems, small events can have major effects.

The Internet isn’t quite at that level. But it’s getting there. While the Net as a whole looks chaotic, the underlying technology and concepts are pretty basic. Where we’ll see problems arise is in the complex network of interactions that are now being forged between sites and technologies.

Social networking sites are prime examples, but similar concerns apply to cloud computing, mobile platforms and so on.

The essential issue is this: there’s just too much of this stuff out there. I mean, I’m a techno-freak: I love gadgets and cool sites. But there simply aren’t enough hours in the day to update every blog and social networking page, to tweet, IM and email. And it’s not just me. Clearly other people out there are also overwhelmed, which is why there are so many helpful tools to allow us to integrate our online activity. So now I tweet via the address bar of Firefox. And that tweet appears as my status update on Facebook and turns up in a widget on MySpace. If I save a bookmark with Delicious, this too turns up automatically on those sites.

Some people need more, so a Brazilian firm is providing a service that allows you to update multiple social networking sites from one web page. This involves giving the site - Power.com - the login details for all your accounts, and that means placing a great deal of trust in them. They use this information to log into your accounts, which is a somewhat crude way of going about it and has led to the firm being sued by Facebook. A much better method, Facebook says, would be to use the API it provides. But frankly, it’s these APIs that worry me.

In the competition to provide more flexible services and a simpler, more pleasurable web experience, we’re going to see APIs of increasing power and connectedness. And that’s where chaos creeps in - in the sheer complexity of these connections.

It won’t be helped by the fact that too few web services organisations seem to consider security a high priority. Learning about security principles and coding techniques is still a minor part - if in exists at all - of most programmer’s education. And the organisations themselves often seem too enthralled by their own coolness, too excited by their novel concepts, to worry about stodgy old things like security. The fact that ‘DMZ’ could hack a staff account on Twitter, and get access to special support tools, is as clear an example as you could want. Why on earth was a staff member at Twitter allowed to choose such a simple password? This is Security 101 stuff.

The complexity that will arise out of increased use of APIs and burgeoning interconnectedness would be less worrying if equal attention were being given to securing these systems. As things stand, the more connected we become, the more vulnerable we are.

There seems to be a weird disconnect among some sections of the population - particularly those in authority.

On the one hand, losses of confidential data have become so common that this kind of cock-up is now regular material for stand-up comedians (”the Government will issue its report in the standard way - by leaving a memory stick on a train”).

On the other hand, technology is still regarded by those in power as the solution to society’s ills. ID cards will prevent benefit fraud, they say. Surveillance systems combat crime. And the interception of everyone’s emails and text messages will eradicate terrorism.

It’s as though the people promoting these technological solutions have never used a computer - have never experienced a blue screen or spinning pizza wheel of death. Sure, at a very simplistic level technology would seem to offer major benefits. If everyone’s DNA is on a database, then crimes will be solved in a jiffy, right?

It is this kind of simple-mindedness that can lead to MPs talking seriously about movie-like ratings for websites. Yes, the concepts are very enticing when reduced to sound-bite politicking, but they rarely take into account the technological challenges and almost never address the issues of privacy and civil liberties.

We will come back to the problems raised for individual freedom another day. The technological issues are scary enough. For the plain fact is, technology is prone to failure. There is no system built by mankind of any reasonable complexity that does not have bugs and weaknesses - one of those weaknesses being mankind itself.

The faith being placed in databases by those in authority is especially worrying. The UK’s police forces are continuing to press for increased DNA testing and subsequent data retention, in spite of the recent finding by the European Court of Human Rights that the current database breaches human rights. Now the UK’s security forces are planning a massive database of all phone calls, emails, text messages and Internet use. To save costs, the plan is to outsource this job to a private contractor. This is in spite of the fact that outsourced Government contracts are notorious for: a) failing; b) massively overrunning their budgets; and c) being a source of data leaks.

No less an authority than Sir Ken Macdonald, the former director of public prosecutions, has characterised this database as a “hellhouse” of personal information. His worries derive primarily from the potential invasion of privacy. This proposed database is all of a piece with the current thinking among many western governments and their security services that we should all be treated as suspects all the time - and be grateful for it.

My immediate concern is with the databases themselves. If you have ever created and managed a database - even something as simple as a Xmas card mailing list - you’ll know that databases:

• Always contain errors - either because the information you were given was wrong or because of data entry mistakes.
• Are always out of date - someone moves, gets married, changes sex. So even basic information like names and addresses is quickly invalidated.
• Always contain unnecessary data - Aunt Bessie has died or you no longer like that couple you met on holiday, so they shouldn’t be on your Xmas card list.
• Are easy to copy to a flashdrive and leave on a train.

The issue of incorrect source information can be a particular concern with something like a DNA database. DNA data depends on meticulous processes for its accuracy. Problems such as cross-contamination, mislabelling or a simple failure to follow procedures rigorously at any stage of the process - from crime scene through lab analysis to data entry on the database - can result in unreliable data.

That’s bad enough, but here’s the real problem with databases: once a piece of information is in the database it gains its own implicit authority. This principle is itself implicit in the call for the creation of ever larger databases by those in authority. They wouldn’t want them unless they thought the data in them was valuable, and that means they believe them to be inherently trustworthy.

Perhaps most of it is. Commercial organisations spend massive amounts of money on creating and using databases. But they can accept a certain level of inaccuracy - actually, quite a high level. If a piece of junk mail goes to the wrong person, or a dead person, it matters little to either the company or the person receiving it. But if you’re undeservedly arrested for child molestation, murder or terrorism because your DNA was mishandled or misfiled, you might feel you have cause to be somewhat more agitated.

Governments and security services always talk of ‘checks and balances’, of ‘rigorous procedures’ and ‘professional standards. And yet, only recently we’ve seen HM Revenue & Customs confess that its key ‘framework’ database, which it shares among numerous authorities, has errors in as many as one in 10 records.

Databases themselves are not dangerous. It’s our use of databases, and above all our trust in them, that is dangerous. Even before we start discussing the civil liberties issues surrounding their use - which we must - I would like to see more consideration of the weaknesses of the technology itself, because all I see at the moment, from those in authority, is blind faith.

National security

Israel and Hamas are at it again. Hamas launched rocket attacks on southern Israel. Israel responded by heavily bombing the Gaza Strip. Israel wants to finish Hamas for good this time. The UN is warning that most of Gaza’s infrastructure is destroyed, and that the latest round in the conflict is a threat to regional peace. Israel refused a ceasefire, and Hamas is calling for a ‘day of wrath’. Stocks were down, oil was up.

The situation worsened in the Congo, with more civiliand massacred. The UN has sent in troops.

Environment

Forecasts of well-above average hurricane activity around the US in 2008 were on the money, says Colorado University’s Tropical Meteorology Project. 2009 will also see above-average hurricane, storm and hurricane landfall statistics. No wonder Munich Re is calling for more climate change measures. It released figures showing that 2008 was the third worst year on record for financial losses from natural disasters. 2005 and 1995 were ahead of it.

Deloitte Enterprise Risk Service and the Economist Intelligence Unit have released the results of a joint workshop on managing risk intelligence in emerging markets.

Economy

Look out for bigger holes in the high street as more mid-sized retailers go belly up, warn corporate rescue experts. In the US, consumer confidence is at an all-time low. House prices there also dropped by 18% from October 2007-8, which was the largest annual drop on record. UK prices fell by 2.2% in a month, and are down almost 17% - another record - year-on-year.

As the US Government pumped another $6bn into GM, the Levy Economics Institute warned in a report that expansionary fiscal policies alone can’t solve the world economic crisis. Shoot for a recovery in global output and sustainable balances in international trade, it advises.

The OECD says that the Internet and IT economy will be hit hard by the downturn in the economy. Expect flat or negative growth next year.

Belgian’s government collapsed and was reformed.

Leaders in America’s cities are the most disillusioned about the country’s direction than they have been in 20 years, says the National League of Cities. Nearly one in two can’t finance city services. Affordable healthcare is the number one problem, with declining transport infrastructure in second place.

Russia’s state oil provider Gazprom has cut off supplies to the Ukraine until it pays its bills (which the Ukraine will do in part on Jan 11). That’s making the rest of Europe (which gets its gas from Russia via the Ukraine) nervous. The Ukraine says it can meet European gas needs. Gazprom says it can’t, and that Balkan states were already seeing supplies drop. In the UK, which is at the far end of the trough, suppliers are privately discussing delaying price cuts.

States and municipalities unhappy with the Feds? What could that mean? One former KGB analyst thinks that the US will disintegrate in 2010 as groups of states secede from the nation. California will go to China, apparently, while Alaska will go to Russia. Sarah Palin won’t be pleased.

James Howard Kunstler, author of The Long Emergency , says that 2009 will be the year in which robust globalisation ends. He predicted the credit crunch in that book, which was published in 2005.

Technology

MD5 — the already discredited hashing algorithm still used frequently to create certificates online - was discredited still further by a group of researchers who announced a way to fake them at the 25th Chaos Computing Congress.

***

All in all, not a particularly peaceful and risk-averse start to the new year. Still, at least things aren’t quite as risky as they were in the seventies. We hope. Because nuclear war is really bad for global warming. So let’s try and avoid that if at all possible, shall we?

It’s starting to look as though 2009 will see some major battles in the war for control of the Internet. Comments by the UK’s Culture Secretary Andy Burnham - muddle-headed though they may be - are an indication of how governments are running scared of the Net and are desperate to control it.

Burnham’s calls for movie-style ratings for websites have been met with appropriate derision by most of those who actually know how the web works. UK TechCrunch even kidnapped his Twitter name in protest. There has been some speculation that Burnham is simply using the slack holiday period to make some noise - a bit of career building. But there’s no smoke without fire, and clearly the unregulated nature of the web has Burnham and his ilk worried.

The UK is rapidly turning into a police state in any number of ways, so it’s not entirely surprising to find a Government minister talking in much the same way you’d expect from, say, his Chinese counterpart.

“There is content that should just not be available to be viewed,” he said. He then provides a piece of classic New Labour doublespeak by insisting that this isn’t suppression of free speech - which, of course, it is.

Significantly, he also said: “You can still view content on the internet which I would say is unacceptable.” Note that “I would say”. Apparently, our access to information on the web will be dictated by what Burnham does or doesn’t like. Or someone like him. Because when you start imposing censorship, someone has to decide what is and isn’t acceptable (and no-one is without an agenda). Burnham gives the example of beheadings, but one can expect the list to grow. It might, for example, include government leaks. Or sites critical of the current regime.

Clearly, forcing website creators to implement ratings is a non-starter, given the sheer volume of sites and the ease with which they can be created and changed. So governments are going after ISPs. This is a canny move. A government wouldn’t even have to make content filtering mandatory - simply making it ‘advisable’, but with punishments for those who let through bad content would be enough to make risk-averse ISPs conform. That’s because ISPs have only a financial interest in all this: they are not concerned with free speech because they make no money from it.

The Australian Government has already started a trial in which ISPs must filter content against a blacklist provided by a private, non-accountable organisation backed by many large commercial interests. Immediately, one can see potential technical issues. For this approach to work at all, the blacklist must be completely up-to-date at all times, an impossible task given the nature of the Internet. The kind of controlled Internet that Burnham fantasises about is possible only when additional restrictions are in place - for example, by erecting a Great Firewall of Burnham around the UK. It wouldn’t be a surprise to find the UK Government considering this kind of parochial approach.

Predictably, this is all being done in the cause of protecting children. Understandably, no-one will stand up for child abusers (first they came for the paedophiles…), so arguing against measures that make the world safer for kids is very difficult. Of course, once mechanisms are in place to censor content that is deemed to be dangerous to children, the same systems can then be exploited to filter any other content the Government happens not to like.

Ultimately, this approach of Burnham’s - and that of the Australian Government - is entirely arse-about-face. It is, in fact, highly revealing of their mindset in which the perceived dangers of the world are solved by ever-greater government control and authoritarian intervention in our lives.

Burnham said: “Leaving your child for two hours completely unregulated on the internet is not something you can do.” Well, duh. Letting your child play in the middle of the road for two hours isn’t something I’d advise either. But the answer to these problems is not increased government interference in our lives or yet more erosion of our civil liberties. The answer is for parents to assume greater responsibility for the safety of their children.

But this isn’t really about children. It’s about a Government that feels it has the right to control us in whatever way it likes. It’s about a Government that doesn’t trust us to take responsibility for our own lives. And it’s about a Government that views all of its own citizens as suspects (which is why it wants all of us in a biometric database).

Yes, I know that there are videos of beheadings out there. I choose not to view them. That’s all the ‘filtering’ I need, thanks.

Some photojournalists fear that the UK may just have taken another significant lurch towards becoming a police state. Following statements by Home Secretary Jacqui Smith, in which she seemed to condone the harrassment of press photographers by police officers, Vernon Coaker, the Minister for Security, Counter-terrorism, Crime and Policing has sought to ‘clarify’ the situation. He wrote to the National Union of Journalists (NUJ) and what he said has left some photojournalists more worried than ever.

In part, he said that photography in public places - and this applies to everyone, not just journalists - may be prevented by the police:

“…on the grounds of national security or there may be situations in which the taking of photographs may cause or lead to public order situations or inflame an already tense situation or raise security considerations. Additionally, the police may require a person to move on in order to prevent a breach of the peace or to avoid a public order situation or for the person’s own safety and welfare or for the safety and welfare of others.”

On the face of it, this sounds reasonable. In reality, this provides police officers with a broad spectrum of excuses for stopping photojournalists from doing their work. Smith’s original statement, and the subsequent ‘clarification’ were in response to concerns raised about police officers abusing anti-terrorism laws. It is now depressingly common for officers to use the ’stop and search’ provisions of Section 44 of the Terrorism Act to prevent photographers from shooting. Nearly always, Section 44 is invoked inappropriately and illegally, but arguing the toss on the streets is likely to get you arrested for obstruction. There now seems to be a trend for using Section 43 of the same act to impound memory cards - giving the police an opportunity to copy a photographer’s picture, without consent - and also prevent the same photographer using those pictures for up to 48 hours. In news photography, this amounts to censorship.

This abuse of the Terrorism Act circumvents the 1984 Police and Criminal Evidence Act (PACE). Under the ’special provisions’ of Section 9 of PACE, journalists’ materials - cameras, memory cards, notebooks etc - gain certain protections against seizure. Any police officer seeking to impound such materials must obtain a court order first. Such protections vanish as soon as the Terrorism Act is invoked, whether or not such invocation is appropriate.

It’s not just real police officers who are at it. Police Community Support Officers (PCSOs, or ‘plastic plods’ as some prefer) have been known to threaten photographers with arrest and/or confiscation of their cameras, in spite of the fact that PCSOs do not have the authority to either arrest or confiscate.

The reasons for such abuses vary, but most fall into one of two main categories. The first, and perhaps most worrying, is that photojournalists are being harassed in order to prevent them getting pictures of abuses or illegal actions by police officers - typically on demonstrations. The other classic situation is where a police officer is simply acting officiously, throwing his or her weight around in an entirely inappropriate manner. This can reach bizarre and even comical heights. It’s not unknown for a police officer or PCSO to pick on a photojournalist - clearly identifiable by the amount and type of photo gear on display - who is innocently shooting pictures of, say, Trafalgar Square or the London Eye. The Boogie Man of terrorism is raised to explain why the photographer may not take the pictures. Meanwhile, all around, tourists are snapping away like crazy. (And would a terrorist really make the mistake of looking and acting like a journalist?) Now, should the photojournalist make the mistake of standing up for his or her rights, the police officer need only claim that such suppression is in the photographer’s own best interest, or that the photographer’s actions were likely to cause a disturbance.

When responding to complaints about such abuses, police authorities frequently refer to the training of officers, and how they are being made aware of the needs and rights of journalists. But there’s a problem here. Unspoken in these responses is the assumption that police officers will always act in a professional, informed and responsible manner. The experience of photographers on the streets is very different.

Take the guidelines drawn up with the help of the NUJ and others and officially adopted by the Metropolitan Police Force (though always with the caveat that they remain merely guidelines and are not enforceable under law or in disciplinary matters). It is clear that training has failed: many police officers seem genuinely unaware of the guidelines. There is also a failure in discipline and professionalism in that many know of the guidelines but choose to ignore them, even deliberately flout them (policemen have said as much to photographers).

It doesn’t help when even senior authorities have been caught with their pants on fire. Vernon Coaker, the police minister, recently had to confess in the Commons that it wasn’t true that 70 police officers had been injured in clashes with environmentalist protestors at the Kingsnorth power station in Kent. It took a Freedom of Information request to reveal that the real figure was 12. Of these, only four involved contact with other people, the remainder consisting of things like “stung on finger by possible wasp”, “officer injured sitting in car” and “officer succumbed to sun and heat”. If this sounds like a typical politician cock-up, consider that Coaker insists that the figure of 70 officers had been supplied to him by the police.

Taken alongside the killing of Jean Charles de Menezes, the astonishing blunders and incompetence in the investigation of the Rachel Nickel murder, and … well, it’s a depressingly long list. The point is, no matter how much training we give police officers, no matter what oversight and regulation we impose, when you combine the power that police officers exert with normal human fallibility, you have a recipe for failure that can lead to severe erosions of civil liberties and freedom - both at individual and social levels.

We simply can’t assume that police officers will act professionally and honestly. We must assume that, at various times and various places, any powers we grant them will be abused. The issue is to balance the potential for harm to society that such abuse will cause and the need for police officers to carry out their unquestionably difficult and important task.

In the current climate of terrorism hysteria, it is all too easy to simply grant police and security services all the powers they want. And given their necessarily narrow outlook on life and society, they will take them.

For Jacqui Smith to say, in Parliament, that “the general position is that there is no legal restriction on photography” in public places, and then for another minister to issue a vague and comprehensive list of situations in which the police can impose precisely these restrictions, is dishonest.

The combined effect of poor police discipline, vague Government guidance and ever more Draconian powers is a deep erosion of civil liberties and basic democratic freedoms. The police now have all the power they need to censor press photography at the source - when the pictures are being taken.

National security

Not that we’re anticipating another sixties-style stand-off, but it’s ironic that just as Russian warships are back in Cuba, the US can’t seem to handle its nuclear missiles properly.

Economy

The IMF reports that Chinese growth could halve next year. Managing director Dominique Strauss-Kahn said that the world needs a $1.2 trillion stimulus package to avoid social unrest. Germany seems unlikely to offer any extra financial stimulus in the near future, while Ireland has carved out a £9bn bail-out package for its banks.

Just as OPEC cut production by 2.2m barrels per day, oil fell to under $40 per barrel, causing world leaders to worry about the effect of price volatility on the economy. The US Energy Information Administation released figures forecasting no growth in US oil consumption for the next three years. In 2010, the country expects to use less oil than it did in 2007.

The US now owes more than its citizens are worth. Bankruptcy filings were up more than 30% in 2008, topping 1 billion. $2 trillion was wiped from real estate values this year. Canada won’t grow next year, said RBC, and will instead shrink for the first half. Expect to see a moderate recovery in the second half, it added.

The White House still had some nickels in the purse, though. It stumped up $17.4bn from the TARP fund (originally meant entirely for the banks) to bail out troubled US automakers. The Canadians were also set to chip in up to $4bn this weekend. It wasn’t in time to stop Chrysler from shutting down all of its manufacturing plants for a month to save cash, however. Ford, in a better position than Chrysler and GM, isn’t taking the cash, and so won’t be subject to the strict oversight facing the other two.

Gordon Brown’s UK Government will be investing in carbon capture, digital economy, transport, and nuclear power next year to help jolly the troubled economy along, he said. Investments by UK businesses fell by far more than expected in the third quarter.

Environment

Heat waves kill more Americans than any other natural disaster, a new report reveals. And the Obama administration is set to tighten restrictions on CO2-emitting conventional coal plants to try and mitigate global warming. Although existing EPA administrator Steven Johnson is doing his best to avoid such moves while he is in office.

Technology

Undersea cables have been damaged, knocking out Internet access for millions of people across the middle east.

Cisco saw a 90% rise in attacks stemming from legitimate web sites this year. Attacks are also becoming more complex and targeted, it warned. But there are still some generic flaws appearing that provoke widespread, untargeted zero-day attacks. Microsoft issued an emergency patch following the discovery of a critical security flaw found in Internet Explorer.

SSL certificates on a large number of web sites are incorrectly handled, leading to potential security problems, a researcher has found.

An Indian court has allegedly been advised to ban Google Earth following the revelation that satellite imagery was used in the Mumbai attacks.

The Weekly Brief will be back on January 2, 2009.