Even crooks can learn... (Good description in the SF Chronicle article)
Stolen AT&T Credit-Card Info Used To Launch Phishing Scam
from the be-sure-and-thank-them dept
It's not at all surprising any longer to hear about companies leaking data, or losing it to hackers, so the other day's news that 19,000 customers' credit-card information had been stolen from AT&T wasn't particularly interesting. However, some more information has come to light, showing this wasn't a run-of-the-mill credit-card theft. David Lazarus in the SF Chronicle discovered that the hackers didn't immediately go and try to max out the credit cards, they used the stolen info as the basis for an elaborate phishing attack in an attempt to gather more information -- such as Social Security numbers and dates of birth -- from their victims. A lot of credit-card theft remains a relatively low-level crime, where thieves will just try to buy stuff as long as they can. But these hackers eschewed those short-term gains, instead trying to get enough information to commit more serious identity theft, something that could have much longer-lasting and detrimental effects. The used the stolen information to make the email they sent to victims look much more credible than the average "DEAR SIR, Pleease be updating in your PayPal akount informations" message. Given people's growing suspicion of emails, even legitimate ones, it's an interesting tactic, and one that could become more common.
Have market, will cash in...
Breaking: MySpace to Sell Music From 3 Million Bands
September 1, 2006 Pete Cashmore
In a direct challenge to Apple’s iTunes, MySpace has announced its intention to sell songs from the 3 million unsigned bands on MySpace.com. Even more surprising: the songs will be sold as unprotected MP3s, free from DRM.
... the new feature will be powered by Snocap, the music distribution service from Napster founder Shawn Fanning. Snocap only recently launched a MySpace music player, which allows users to buy unprotected songs via Paypal. Snocap charges the artists a small distribution fee, and most of the tracks are DRM-free. Unlike the fixed-price model of iTunes, artists on Snocap set their own price.
It sounded so good. Maybe someone will do it legitimately.
Is Browzar Just An Adware Machine?
Michael Arrington September 1 2006
Browzar promises to make web surfing more anonymous by disabling cookies, history, auto-complete, etc. The story was widely circulated, including writeups on BBC, CNET, Slashdot and Digg, among others. We even wrote about in on TechCrunch UK.
There were initial doubts raised that this was simply a stripped down version of IE with the offending functionaltiy turned off, and therefore nothing special. But none of the publications above did enough research into the product to realize that not only is Browzar not really an interesting product from a security point of view, but that the “browser” is going to great lengths to force users to click on Overture ads by constantly redirecting them to search ad pages served by Browzar itself.
My guess is that subpoenas from many countries will result in a “least common denominator” type of retention policy... Isn't that bad?
Brazil Judge Orders Google to Disclose Users' Data
By Reuters September 1, 2006
SAO PAULO, Brazil (Reuters)—A Brazilian judge has ordered the local office of Web search company Google to disclose the data of users of Google's social networking site Orkut accused of crimes like racism or child pornography.
Federal judge Jose Lunardelli ruled late on Aug. 31 that Google be given 15 days to disclose the information, including the Internet Protocol addresses that can uniquely identify a specific computer on a network.
The judge set a daily fine of 50,000 reais ($23,255) for each individual case if Google refuses to reveal the data.
Brazilians account for 65 percent of Orkut's nearly 27 million users and public prosecutors have recently been investigating Orkut communities set up by Brazilians and dedicated to such subjects as racism, homophobia and pedophilia.
Google officials in Brazil have said all clients' data is stored on a server in the United States and is subject to U.S. laws, which makes it impossible for them to reveal the data in Brazil. They also said the local affiliate only deals in marketing and sales and has nothing to do with Orkut.
"The fact that the data are stored in the United States has no relevance as all the photographs and messages investigated by the prosecutors' office were published by Brazilians using Internet connections on the national territory," the judge said in his ruling.
He said Google's local office had shown a complacent attitude toward "the serious crimes practiced on Orkut" and showed "profound disrespect [Isn't that redundant? Google already said they were salesmen... Bob] for national sovereignty."
Company representatives could not provide an immediate comment on the ruling. Google lawyer Durval Goyos earlier called the case against the company absurd.
Hummm. I wonder what military grade equipment could do...
Hacker-Built PC Scans 300 Wifi Networks At Once
Posted by Zonk on Saturday September 02, @12:19AM from the quite-the-multitasker dept.
An anonymous reader writes to mention an Engadget post on an incredibly powerful wifi scanner. The 'Janus Project', as it is called, can sniff 300 networks simultaneously. It stores and encrypts the data as it receives it, for later use. From the article: "In addition, the Janus Project has an instant off switch, which requires a USB key that has a 2000-bit passkey and a separate password to regain access. What's under the hood? Williams packed an Ubuntu Linux machine running on a 1.5GHz VIA C7 processor with an Acer 17-inch screen into that snazzy little rugged yellow box. Oh, and the closed case is waterproof too, in case you need to transport Janus Project on a whitewater raft to your next hacking hotspot. We don't doubt someone will." The post leads to a tgdaily article, which offers more details.
Sounds to me like this will be a common way around open meetings laws...
Health administrator takes pot shot at editorial
Beginning Jan. 1, e-mail deliberations violate Illinois law
By DIANE KOMISKEY - Prairie Advocate Reporter, (815) 493-2560 DKomiskey@prairie-advocate-news.com
MT. CARROLL – A public health department official took a swipe Aug. 24 at the wellness of an editorial in a Thomson paper that criticized the local health department.
"Our View," in the Aug. 2 issue of "The Carroll County Review" appeared with the headline, "Meetings by e-mail are violation."
Its author, who was not identified in the column, alleged that the Carroll County Board of Health violated the intent of a recent amendment to the Illinois Open Meetings Act by using e-mail.
Among the things that the writer of the opinion piece said in a 60-word sentence were, "(The board members) are disenfranchising the public from being involved in the decision-making process and from learning how each members arrived at whatever decision they made."
Carroll County Public Health Administrator Craig Beintema took issue with the editorial and any allegation that the board had violated the act. He said the bill that amended the state law passed after the health board met, and the measure's effective date is Jan. 1, 2007.
"I've not responded to any editorial, but it wasn't done in secret," Beintema said. "We weren't trying to do anything illegal."
The allegation arose over how the health department planned to meet a County Board deadline for submitting a budget: by Beintema distributing a budget by e-mail for members to comment on by e-mail.
Governor Rod Blagojevich signed Senate Bill 585, now Public Act 094-1058, into law on July 31. The Board of Health had met July 27. The amendment to the Open Meetings Act is effective Jan. 1, 2007.
"We weren't trying to do anything illegal," said Beintema. He said that the person who wrote the editorial needed to continue reading to the effective date.
Beintema did not dispute the effects of electronic communications on the public's right to an accountable government with public officials deliberating and making decisions in a public forum that is open to citizens.
The amendment to the Open Meetings Act can be found by linking to www.ilga.gov and entering SB585 under "By Number."
The health board considered the budget in an open meeting on Aug. 24. Most of the debate centered on whether to contract with Stephenson County or hire employees. For more, see story about the department's proposed budget and levy in this week's issue of the Prairie Advocate.
If this is done by IT types, is there less liability than if it is corporate policy?
Comcast Blocks Yet Another ISPs E-Mail
Posted by kdawson on Thursday August 31, @03:13PM from the i-can't-heeeeear-youuuu dept. Censorship
Nom du Keyboard writes, "Last week Comcast shutdown e-mail forwarding from NameZero entirely. People who have bought private domain names (i.e. email@example.com) and have e-mail forwarding to their current Comcast e-mail account through NameZero aren't receiving it any longer. No warnings — no e-mail. Now, again without warning, they've blocked out The Well, one of the oldest ISPs on the net. And nobody can get through to the Comcast people in charge of this to discuss the issue with them. Not the ISPs being blocked. Not the customers who pay Comcast to deliver e-mail to them. Comcast says they're protecting 10M customers from spam. I am a current Comcast broadband customer and I feel I should have the right to whitelist and receive e-mail from whomever I designate. I don't want as much protection as Comcast is giving me. Is it a basic right to be allowed to receive e-mail from whomever I desire, or does Comcast have the right to censor as they wish?" Last week Comcast was also blocking mail from alum.mit.edu. I (probably among many others) left a complaint on the phone line identified in bounce messages; the block was eventually lifted.
Study Analyzes 16 Months of Data Breaches
A new report on consumer data breaches recorded over the past 16 months indicates that hacking remains the most frequent source of data theft and loss, with breaches reported by educational institutions making up 43 percent of all reported data thefts or losses.
The study was conducted by the AARP (formerly the American Association of Retired Persons) using data from 244 breaches reported from Jan. 1, 2005, through May 26, 2006. The data was compiled from publicly disclosed security breaches involving information that collectively involved nearly 90 million people, as compiled by the Identity Theft Resource Center, a San Diego-based nonprofit organization.
The study found that criminal hacking was responsible for one-third of all reported breaches, while physical theft of laptops and other data storage media accounted for 29 percent. Twenty-three percent of breaches were the result of sensitive consumer information being improperly displayed, such as on a public Web site. Roughly 7 percent of breaches were caused by employees stealing or selling personal data, while just 2 percent resulted from back-up tapes being lost.
Colleges and universities were more than twice as likely to report a breach as any other entity, followed by government agencies (17 percent) and businesses (15 percent). While educational institutions reported the most largest number of breaches, the total number of potential identity fraud victims of those breaches was just over 3.6 million, far less than the number of potential victims of data breaches, thefts or losses at financial institutions (47 million) and government entities (34.1 million).
According to the study, that statistic holds true even without the two biggest incidents that contributed to those numbers -- the database breach at now-defunct credit card processor CardSystems that jeopardized roughly 40 million credit card accounts, as well as the theft of a laptop from the Department of Veterans Affairs, which contained sensitive data on more than 26 million Americans (the laptop was later recovered).
Taking away those two huge incidents, breaches from insider access and lost back-up tapes accounted for the greatest number of potential victims.
I'll be online today at 11 a.m. ET for my regular Web chat on computer security. Submit a question here.
Don't be surprised when the FBI requests Congress pass laws to “Match” those in other countries...
Zimbabwe debates 'oppressive' bugging laws
If you thought RIPA was bad...
By John Leyden Published Friday 1st September 2006 15:21 GMT
Proposed telecoms interception laws in Zimbabwe have created a furore with the government apparently awarding itself unlimited snooping powers.
The Interception of Communications Bill, the topic of hearings before the African country's Parliament on Wednesday, allows for email and phone interception warrants against targeted individuals that might be extended indefinitely, under the control of politicians and with little or no judicial oversight.
The bill also calls for the establishment of a monitoring centre, reportedly outfitted with bugging equipment supplied by China. Telecoms providers would be obliged to install snooping equipment onto their networks, linked to the proposed monitoring centre. ISPs, not the Zimbabwean government, would be forced to foot the bill.
The government says its proposals are needed for national security, in the fight against crime, and in line with measures introduced by other countries. Zimbabwean phone calls are already monitored, the BBC reports, so the bill essentially extends existing provisions for the internet age.
President Robert Mugabe's government has an abysmal human rights record, with laws that curtail movement and opposition against his regime. Criticism of the country's proposed telecoms interception laws has focused on the lack of judicial oversight. Earlier communications laws, which also lacked court oversight, were overturned by a Zimbabwean High Court in 2004 as unconstitutional.
"An aggrieved person is given a right to appeal to the minister (of Transport and Communications), who is neither independent nor impartial. He authorises the interception and monitoring in the first place," Wilbert Mandinde, legal officer of the Media Institute for Southern Africa in Zimbabwe, told the BBC.
Opposition parties joined in this criticism. "It seems to give carte blanche - the minister is the judge and the jury, it violates the whole concept of the separation of powers," said Jessie Majome, a legal advisor for opposition Movement for Democratic Change.
I want to start recording my lectures, perhaps with light jazz background music...
George Washington Students to Get a Taste of iTunes U
By Eric Roper The GW Hatchet 09/02/06 4:00 AM PT
Offering a service like iTunes U may be risky, says Dianne Martin, a GW computer science professor specializing in the social and ethical impact of technology. "However, if professors are doing interesting, interactive lessons instead of lectures, then students will need and want to be in class."
Beginning this fall, George Washington University will team up with Apple computers to offer audio recordings of classroom lectures over the Internet using the iTunes music program.
The new software, called "iTunes U," is designed to record lectures and broadcast them over the iTunes network where students can download them onto their computer or iPod.
According to Assistant Vice President of Academic Technology P.B. Garrett, the new service will be available for 15 courses this fall and most likely more in the future.
"It makes a lot of sense to deliver course content to students in a medium they are familiar with [rather than a classroom... Bob] as so many students already use iTunes, and have iPods," Garrett wrote in an e-mail.
... "I agree that students may skip lectures if they know they can download them at their convenience," Martin wrote in an e-mail. "However, if professors are doing interesting, interactive lessons instead of lectures, then students will need and want to be in class."
After extensive testing, we think Bill Gates is Osama bin Laudin...
In mixup, CA antivirus flags Windows component
Update erroneously flags a security-related process in Windows as malicious but is soon corrected
By Robert McMillan, IDG News Service September 01, 2006
CA Inc. caused some headaches this week after its antivirus software inadvertently flagged part of the Windows OS as malware.
The SANS Internet Storm Center reported the problem Friday saying that an overnight update to CA's eTrust Antivirus signatures had caused the software to flag a security-related process in Windows as malicious. The faulty update caused some Windows 2003 servers to crash and become unusable, SANS said.
... It is not unheard of for signature files to mistakenly identify legitimate software as malware, but it is remarkable that CA's software made the mistake with a well-known Windows component, according to Johannes Ullrich, chief research officer at SANS. CA should have been able to detect the problem in its quality-assurance testing, he said.
The mixup apparently did not disrupt a large number of users, but it still reflects poorly on vendors like CA, Ullrich said. "It's another loss in trust toward the antivirus business," he said. "It tells you that the antivirus vendors don't do the testing." [Why bother? We have thousands of customers who will tell us if their systems crash... Bob]
Today's Dilbert is on executive compensation: http://www.unitedmedia.com/comics/dilbert/