ACLU Warns State Dept. Against Firing Worker Who Criticized Government

The American Civil Liberties Union has come to the defense of a former State Department employee who looks likely to be fired for blogging and writing critically about the reconstruction efforts in Iraq.

The ACLU says doing so would violate the constitutional rights of veteran State Department employee Peter Van Buren, according to a letter the group sent the government on Tuesday.

The letter further accuses the government of unlawful retaliation against Van Buren for publishing critical comments about U.S. foreign policy on his personal blog last year.

“The Supreme Court has repeatedly held that public employees retain their First Amendment rights even when speaking about issues directly related to their employment, as long as they are speaking as private citizens,” and as long as they’re writing about matters of public concern, the ACLU wrote in its letter (.pdf). “There can be no dispute that the subject matter of Mr. Van Buren’s book, blog posts, and news articles – the reconstruction effort in Iraq – is a matter of immense public concern.”

Van Buren, a 23-year Foreign Service officer, was a former leader with the reconstruction team in Iraq following the recent war there. But after he left that position to take up different work in the department, he became a public critic of the U.S. government’s reconstruction efforts in a book he published last year titled We Meant Well: How I Helped Lose the Battle for the Hearts and Minds of the Iraqi People.

Van Buren submitted his book to the State Department for pre-publication review in accordance with federal rules that require employees to obtain clearance before publishing information on “matters of official concern.”

Such matters are broadly defined as “policy, program, or operation of the employee’s agency or to current U.S. foreign policies, or [that] reasonably may be expected to affect the foreign relations of the United States.”

The rule states that material “must be submitted for a reasonable period of review, not to exceed thirty days.” But after 30 days had passed and Van Buren had no response from the State Department, he proceeded with publication of his book.

Last August, to coincide with the release of the book, Van Buren wrote a blog post criticizing the government for hypocritical actions against Libyan leader Muammar Gaddafi and linked to a leaked U.S. State Department cable that had been published by the secret-spilling site WikiLeaks. The link went to a 2009 cable about the sale of U.S. military spare parts to Gaddafi through a Portuguese middleman.

State Department investigators subsequently interrogated Van Buren twice, demanding to know who had helped him write the blog post and asking about the publishing contract for his book.

The investigators warned him that he would be fired if he refused to answer questions and that he could be charged with interfering with a government investigation if he wrote publicly about the inquiry against him, which he did anyway.

The Principal Deputy Secretary of State then wrote Van Buren’s publisher demanding three small redactions from a chapter of his book, which had already shipped to bookstores.

Van Buren’s “top secret” security clearance was suspended, and the State Department also confiscated his diplomatic passport and placed him on administrative leave. He was banned from the State Department building, lost access to his work computer, and was re-assigned from his position on the department’s Board of Examiners to a “makeshift telework position,” all for failing to submit his writing before publication.

The State Department has lately been putting Van Buren’s two decades’ worth of foreign service skills to use by having him do Google searches on all coroners working in the U.S. and copying their addresses into a document while it decides his fate.

The Department has recommended Van Buren be fired, a proposal that is currently being reviewed by the department’s human resources division. Van Buren was scheduled to respond to the proposal Tuesday, and the ACLU’s letter was sent in support of his response objecting to his firing.

The ACLU said in its letter that the State Department’s publication review policy, as applied to pre-publication review of blog posts and articles, raised serious constitutional questions, since it amounted essentially to restricting the speech of Van Buren and other State Department employees and is inconsistent with other federal policies that allow soldiers, for example, to blog from battlefields without having their writing reviewed.

“Their official reason, that the blogs didn’t comply with pre-clearance, makes sense for books,” said Ben Wizner, director of the ACLU’s Speech, Privacy & Technology Project. “A 30-day delay in publishing a book doesn’t make any difference. For blogs and articles, it’s impractical.”

The State Department’s actions have clearly been meant to punish him for what he wrote, Van Buren told Wired last year. He said the suspension of his security clearance was particularly vindictive.

“I’m fairly close to retirement [from government work] and this is a way of not allowing me to retire with a security clearance,” he said. “It’s like having a big scarlet ‘loser’ painted on my forehead.”

The ACLU’s Wizner agrees that the State Department’s actions are meant as punishment for what Van Buren wrote.

“There’s nothing he has done that would trigger his firing had he not been a vocal critic of the State Department’s policies,” Wizner told Wired. “He’s coming to the end of his career. It calls into question why they’re going to the trouble of firing this guy except to send the message to other government employees that they should stay in their lane.”

Google Releases Google Chrome 19

Google has released Google Chrome 19 for Linux, Mac, Windows, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review the Google Chrome Release blog entry and update to Chrome 19.


Popular Surveillance Cameras Open to Hackers, Researcher Says

Photo: redjar/Flickr

In a world where security cameras are nearly as ubiquitous as light fixtures, someone is always watching you.

But the watcher might not always be who you think it is.

Three of the most popular brands of closed-circuit surveillance cameras are sold with remote internet access enabled by default, and with weak password security — a classic recipe for security failure that could allow hackers to remotely tap into the video feeds, according to new research.

The cameras, used by banks, retailers, hotels, hospitals and corporations, are often configured insecurely — thanks to these manufacturer default settings, according to researcher Justin Cacak, senior security engineer at Gotham Digital Science. As a result, he says, attackers can seize control of the systems to view live footage, archived footage or control the direction and zoom of cameras that are adjustable.

“You can essentially view these devices from anywhere in the world,” Cacak said, noting that he and his security team were able to remotely view footage showing security guards making rounds in facilities, “exceptionally interesting and explicit footage” from cameras placed in public elevators, as well as footage captured by one high-powered camera installed at a college campus, which had the ability to zoom directly into the windows of college dorm rooms.

Cacak and his team were able to view footage as part of penetration tests they conducted for clients to uncover security vulnerabilities in their networks. The team found more than 1,000 closed-circuit TV cameras that were exposed to the internet and thus susceptible to remote compromise, due to inherent vulnerabilities in the systems and to the tendency of the companies to configure them insecurely.

The inherent vulnerabilities, he said, can be found in at least three of the top makers of standalone CCTV systems that he and his researchers examined — MicroDigital, HIVISION, CTRing — as well as a substantial number of other companies that sell rebranded versions of the systems.

Control panel that a hacker can see, showing blurred-out video feeds from 16 closed-circuit TV cameras and the motion controls for tilting and turning the cameras remotely.

CCTV video surveillance systems are deployed at entrances and exits to facilities as well as in areas considered to be sensitive, such as bank vaults, server rooms, research and development labs and areas where expensive equipment is located. Typically, the cameras are easily spotted on ceilings and walls, but they can also be hidden to monitor employees and others without their knowledge.

Obtaining unauthorized access to such systems could allow thieves to case a facility before breaking into it, turn cameras away from areas they don’t want monitored or zoom in on sensitive papers or prototype products at a workstation. The cameras could also be used to spy on hospitals, restaurants and other facilities to identify celebrities and others who enter.

Remote access is a convenient feature in many CCTV systems because it allows security personnel to view video feeds and control cameras via the internet from laptops or mobile phones. But it also exposes the systems to outside attackers, particularly if they are not set up securely. If the feature is enabled by default upon purchase, customers may not know this is the case or understand that they should take special steps to secure the systems as a result.

“All the ones we found have remote access enabled by default,” Cacak says. “Not all the customers may be aware [of this]…. Because most people view these via console screens, they may not be aware that they can be remotely accessed.”

Compounding the problem is the fact that the systems ship with easy-to-guess default passwords that customers seldom change. They also don’t lock out a user after a certain number of incorrect password guesses. This means that even if a customer changes the password, an attacker can crack it through a brute-force attack.

Many of the default passwords Cacak and his team found on CCTV systems were “1234” or “1111.” In most cases the username was “admin” or “user.”

“We find about 70 percent of the systems have not had the default passwords changed,” Cacak said.

Because many customers who use the systems neither restrict access to computers on trusted networks nor log who is accessing them, Cacak said owners often cannot tell if a remote attacker is in their system viewing video footage from outside the network.
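The two weaknesses just described, no lockout and no record of who logged in, can be shown side by side in a small login handler. The code below is an added example, not code from the article or from any camera vendor named in it: a guard with `max_failures=None` reproduces the never-lock behaviour, a guard with a finite limit locks the account, and every attempt is written to an audit list with its source address. The account name, the PIN, the attacker address and the guessing loop are all constructed for illustration.

```python
"""Login handling with and without an account lockout, showing why a CCTV
system that never locks an account can be brute-forced even after the default
password has been changed.  Added example; not code from the article or from any
vendor named in it.  The account name, PIN, attacker address and the guessing
loop are constructed for illustration."""
import hashlib
import hmac
import itertools
import os
from dataclasses import dataclass, field
from typing import Optional

# Constructed: iteration count kept low so the demonstration runs quickly;
# a real deployment would use a far higher count.
PBKDF2_ITERATIONS = 5_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked: bool = False


@dataclass
class LoginGuard:
    """max_failures=None reproduces the no-lockout behaviour the article
    describes; a finite value locks the account after that many wrong guesses."""
    max_failures: Optional[int]
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # (source_ip, username, outcome)

    def add_account(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def attempt(self, username: str, password: str, source_ip: str) -> bool:
        # Every attempt is recorded with its source address, so an owner can
        # later see whether logins came from outside the trusted network.
        acct = self.accounts.get(username)
        if acct is None:
            self.audit.append((source_ip, username, "unknown-user"))
            return False
        if acct.locked:
            self.audit.append((source_ip, username, "locked"))
            return False
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures = 0
            self.audit.append((source_ip, username, "success"))
            return True
        acct.failures += 1
        if self.max_failures is not None and acct.failures >= self.max_failures:
            acct.locked = True
        self.audit.append((source_ip, username, "failure"))
        return False


def simulate_pin_guessing(guard: LoginGuard, username: str, source_ip: str):
    """Guess every 4-digit PIN in order against the guard.
    Returns (succeeded, attempts_made); stops as soon as the account locks."""
    for n, digits in enumerate(itertools.product("0123456789", repeat=4), start=1):
        if guard.attempt(username, "".join(digits), source_ip):
            return True, n
        acct = guard.accounts.get(username)
        if acct is not None and acct.locked:
            return False, n
    return False, 10_000


if __name__ == "__main__":
    for limit in (None, 5):
        guard = LoginGuard(max_failures=limit)
        guard.add_account("admin", "0137")          # constructed, non-default PIN
        print("max_failures =", limit, "->", simulate_pin_guessing(guard, "admin", "203.0.113.9"))
```

Against the guard without a limit the loop walks through the whole PIN space until it lands on the right value; against the guard with a limit of five it is stopped after five tries and every later attempt, including the correct one, is refused and logged as "locked". A per-account lockout is the simplest form of the control; a device that must stay reachable for legitimate staff would more usually throttle by source address so an outsider cannot lock the guards out of their own recorder.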

Log-in screen showing default username and password for a CCTV system accessible via the internet.

To help companies determine if their CCTV systems are vulnerable, Cacak’s team worked with Rapid7 to produce a module for its Metasploit software targeting CCTV systems made by MicroDigital, HIVISION and CTRing or sold by other companies under a different name. Metasploit is a testing tool used by administrators and security professionals to determine if their systems are vulnerable to attack, but it’s also used by hackers to find and exploit vulnerable systems.

The module can determine if a specific user account, such as “admin,” exists on a targeted CCTV system, and it can also conduct automatic log-in attempts using known default passwords, brute-force passwords on systems where the password is unknown, access live as well as recorded CCTV footage, and redirect cameras that are adjustable. HD Moore, chief security officer at Rapid7, said they’re working on a scanner module that will help locate CCTV systems that are connected to the internet.

Earlier this year, Moore and another researcher from Rapid7 found similar vulnerabilities in video-conferencing systems. The researchers found they were able to remotely infiltrate conference rooms in some of the top venture capital and law firms across the country, as well as pharmaceutical and oil companies and even the boardroom of Goldman Sachs — all by simply calling in to unsecured videoconferencing systems that they found by doing a scan of the internet.

They were able to listen in on meetings, remotely steer a camera around rooms, as well as zoom in on items in a room to read proprietary information on documents.

Cacak said that customers using CCTV systems should disable remote access if they don’t need it. If they do need it, they should change the default password on the systems to one that is not easily cracked and add filtering to prevent any traffic from non-trusted computers from accessing the systems.
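Those three recommendations can be turned into a check an owner runs against a recorder's settings and its connection log. The following is an added example, not the article's code or any vendor's: it flags default credentials, remote access that is enabled without being needed, and remote access with no source-address filtering, and it scans a connection log for logins from outside the trusted networks. The settings layout, the log line format and every address and timestamp are constructed for illustration.

```python
"""Checks a CCTV recorder's settings and its connection log against the three
mitigations above: disable remote access unless it is needed, replace the
default password, and accept connections only from trusted networks.
Added example; not the article's code or any vendor's.  The settings layout,
the log line format and all addresses are constructed for illustration."""
import ipaddress
from typing import List, Tuple

# Default credential pairs the article reports seeing on CCTV systems.
DEFAULT_CREDENTIALS = {
    ("admin", "1234"), ("admin", "1111"),
    ("user", "1234"), ("user", "1111"),
}

# Constructed: a recorder as shipped, and the same recorder after hardening.
WEAK_SETTINGS = {
    "remote_access_enabled": True,
    "remote_access_required": False,   # nobody actually views feeds off-site
    "username": "admin",
    "password": "1234",
    "trusted_networks": [],
}
HARDENED_SETTINGS = {
    "remote_access_enabled": True,
    "remote_access_required": True,    # guards do view feeds from the control room
    "username": "admin",
    "password": "correct-horse-battery-staple-7",
    "trusted_networks": ["10.20.0.0/16", "192.0.2.0/24"],
}


def audit_settings(settings: dict) -> List[str]:
    """Return a list of findings; an empty list means the settings pass."""
    findings = []
    if (settings["username"], settings["password"]) in DEFAULT_CREDENTIALS:
        findings.append("default username/password still in use")
    if settings["remote_access_enabled"]:
        if not settings["remote_access_required"]:
            findings.append("remote access enabled but not needed; disable it")
        if not settings["trusted_networks"]:
            findings.append("remote access enabled with no source-address filtering")
    return findings


def parse_networks(cidrs: List[str]):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_trusted(source: str, networks) -> bool:
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in networks)


# Constructed connection log: "<timestamp> <source-ip> <user> <outcome>".
SAMPLE_LOG = [
    "2012-05-14T08:02:11Z 10.20.3.15 admin success",
    "2012-05-14T08:40:57Z 192.0.2.77 admin success",
    "2012-05-14T23:11:03Z 203.0.113.45 admin failure",
    "2012-05-14T23:11:04Z 203.0.113.45 admin failure",
    "2012-05-14T23:11:06Z 203.0.113.45 admin success",
    "2012-05-15T07:58:30Z 10.20.3.15 user success",
]


def untrusted_logins(log_lines: List[str], cidrs: List[str]) -> List[Tuple[str, str, str, str]]:
    """Return every log entry whose source lies outside the trusted networks.
    Run over the log of a recorder that has no filtering yet, this is how an
    owner would notice an outside viewer of the kind the article describes."""
    networks = parse_networks(cidrs)
    hits = []
    for line in log_lines:
        ts, src, user, outcome = line.split()
        if not is_trusted(src, networks):
            hits.append((ts, src, user, outcome))
    return hits


if __name__ == "__main__":
    print("weak settings:", audit_settings(WEAK_SETTINGS))
    print("hardened settings:", audit_settings(HARDENED_SETTINGS))
    for entry in untrusted_logins(SAMPLE_LOG, HARDENED_SETTINGS["trusted_networks"]):
        print("login from outside trusted networks:", *entry)
```

The settings audit is the part to run before a recorder goes live; the log scan is the part to run afterwards, since a device with no lockout and no filtering will show exactly the pattern in the sample log, a burst of failures from one outside address followed by a success. The CIDR filter shown here is a model of the rule the owner would put on the firewall or router in front of the recorder, not something the recorder itself is assumed to support.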