Thursday, June 19, 2008

Unreported breach, or just cleverly disguised?

http://www.pogowasright.org/article.php?story=20080619060558997

Citibank Hack Blamed for Alleged ATM Crime Spree

Thursday, June 19 2008 @ 06:05 AM EDT Contributed by: PrivacyNews News Section: Breaches

A computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors.

The ATM crime spree is apparently the first to be publicly linked to the breach of a major U.S. bank's systems, experts say.

... Notwithstanding the court documents, Citibank said in an e-mailed statement that it was not the source of the breach. "There is no evidence that Citi servers were compromised in connection with this fraud," the company wrote.

Source - Threat Level

[From the article:

Citibank denied to Wired.com's Threat Level that its systems were hacked. But the bank's representatives warned the FBI on February 1 that "a Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached," according to a sworn affidavit by FBI cyber-crime agent Albert Murray. [Why the denials? Bob]

... When they raided Ryabinin's home, agents found his computer logged into a carding forum. They also found a magstripe writer, and $800,000 in cash, including $690,000 in garbage bags, shopping bags and boxes stashed in the bedroom closet. Another $99,000 in cash turned up in one of the safe deposit boxes rented by Ryabinin and his wife, Olena. Biltse was also found with $800,000 in cash. [These are not small crimes. Bob]

... The timing of the caper -- which prosecutors say began in October -- overlaps Citibank's previously-unexplained lowering of ATM withdrawal limits in New York last December.

... That language suggests that the attackers may not have had access to stored account numbers and PINs, but instead were tapping into transactions in real time to vacuum up PIN codes as they flew past.



No one learns...

http://www.pogowasright.org/article.php?story=20080618131758799

KS: Used state computers found with confidential files

Wednesday, June 18 2008 @ 01:17 PM EDT Contributed by: PrivacyNews News Section: Breaches

Used state computers that had been sent to the Surplus Property agency to sell still contained confidential information, according to a state audit released Wednesday.

... Foster and his team checked 15 computers at the state Surplus Property agency. Data was still on 10 of the computers, and 7 of those contained confidential documents, including thousands of Social Security numbers, he said.

Source - LJWorld

From the report [pdf]: We picked 15 computers from Surplus Property and used inexpensive file recovery software to see if any of them contained agency files. We were able to recover files from ten of the computers. Seven computers contained confidential information (social security numbers, Medicaid information, and password files), four contained sensitive files that agencies probably wouldn’t want made public, and one contained copyrighted music files. In general, it didn’t appear that much had been done to most of the computers to remove the data. We found that the data weren’t properly removed from the computers because agencies lacked policies, thought that Surplus Property was removing the data, or did a poor job of keeping track of their computers. Because of the severity of our early findings, the Department of Administration temporarily stopped selling computers in early May until they could make sure data were properly removed from all they had in stock.

[From the article:

For the Legislative Post Audit Committee, Foster demonstrated how he was able to access confidential files by using readily available $60 software. [Typical government employee – he could have used free software, just like the crooks do. Bob]



A few more details and some interesting questions. The very definition of “undue reliance”

http://it.slashdot.org/article.pl?sid=08/06/18/2213232&from=rss

Man Fired When Laptop Malware Downloaded Porn

Posted by samzenpus on Wednesday June 18, @06:59PM from the your-computer-wants-porn dept. Security

Geoffrey.landis writes

"The Massachusetts Department of Industrial Accidents fired worker Michael Fiola and initiated procedures to prosecute him for child pornography when they determined that internet temporary files on his laptop computer contained child porn. According to Fiola, "My boss called me into his office at 9 a.m. The director of the Department of Industrial Accidents, my immediate supervisor, and the personnel director were there. They handed me a letter and said, "You are being fired for a violation of the computer usage policy. You have pornography on your computer. You're fired. Clean out your desk. Let's go." Fiola said, "They wouldn't talk to me. They said, "We've been advised by our attorney not to talk to you." [Shouldn't someone ask a few questions? Bob] However, prosecutors dropped the case when a state investigation of his computer determined there was insufficient evidence to prove he had downloaded the files. Computer forensic analyst Tami Loehrs, who spent a month dissecting the computer for the defense, explained in a 30-page report that the laptop was running corrupted virus-protection software, and Fiola was hit by spammers and crackers bombarding its memory with images of incest and pre-teen porn not visible to the naked eye. [Not sure what that means... Bob] The virus protection and software update functions on the laptop had been disabled, and apparently the laptop was "crippled" by malware. According to Loehrs, "When they gave him this laptop, it had belonged to another user, and they changed the user name for him, but forgot to change the SMS user name, so SMS was trying to connect to a user that no longer existed... It was set up to do all of its security updates via the server, and none of that was happening because he was out in the field." A malware script on the machine surfed foreign sites at a rate of up to 40 per minute whenever the machine was within range of a wireless site."

[From the first article:

Loehrs, who spent a month dissecting the computer for the defense, explained in a 30-page report that the laptop was running corrupted virus-protection software, and Fiola was hit by spammers and crackers bombarding its memory with images of incest and pre-teen porn not visible to the naked eye.

Two forensic examinations conducted by the state Attorney General’s Office for the prosecution concurred with that conclusion, Wark said.

... DIA spokeswoman Linnea Walsh confirmed Fiola “was terminated,” but declined to say if any internal discipline has been meted out as a result of his name being cleared in court.

“We stand by our decision,” she said.

... “Anybody who has a work laptop, this could happen to,” he said. “Mike Fiola is a hunt-and-peck kind of computer guy. He can barely get on the Internet.”

Fiola’s troubles began in November 2006 when, seven years into a job probing workers’ compensation fraud, DIA gave him a replacement laptop for one that was stolen.

Months later, DIA information technology officials noted that the data usage on Fiola’s Verizon wireless bill was 4 times greater than his colleagues’. After discovering the child porn, Commissioner Paul Buckley fired him on March 14, 2007. [It took them 4 months to notice something was odd? Bob]

DIA turned the matter over to state police who, after confirming “an overwhelming amount of images of prepubescent children engaged in pornographic poses” were stored on the laptop, persuaded Boston Municipal Court to issue a criminal complaint against Fiola in August 2007. [For five months, all they looked for was the porn? Bob]

... Consistently, Loehrs’ findings noted, there was “no apparent origin or user interaction [Wouldn't “who done it?” be part of the prosecution's case? Bob] preceding the pornographic activity,” some of which was downloaded “fast and furious.”

[From article two:

IDGNS: So what do you think happened?

Fiola: It was either a rogue hack ... or after my computer was stolen, [the new computer] might have been loaded with the stuff, ready to go. I'm not accusing anybody, but if it was someone in the IT department who was doing this, [maybe they] never had a chance to take it off of there. [Interesting idea. Do you suppose there is still evidence to prove or disprove it? Bob]

[From article three:

"In the SMS software, they forgot to change the user name, so SMS was trying to connect to a user that no longer existed. So the day he walked out with the laptop, the SMS logs were red. If the IT department would have taken a single look at it, they would have seen that it was red and wasn't connecting to the server.

... "What I found is, he would log in to the state's Web site, he'd be on for five or 10 minutes and during the exact same time that he's filling out a form, an image shows up, out of nowhere. No typed [Uniform Resource Locator], no search, no Web site activity, just bam, a cached image shows up on his computer," Loehrs said. The offending images were located in the laptop's browser cache directory.

"He'd have 40 Web sites hitting his computer in a minute -- who's the IT guy who looked at this and said, "Wow, this guy is pretty active on the Internet?'" Loehrs said. "It's physically impossible!"

Loehrs found a script file that was set to go out and run its own searches on foreign Web sites, she said. "And once you get into some of these foreign sites, you'll get all kinds of stuff you don't want to see.

"Actually, the child pornography was just a very small portion of it. The majority was just bizarre porn. He was being hit with everything," she added.

Still, it took prosecutors months to drop the charges -- largely due to Loehrs uncovering the true nature of the images.

... Fiola's case raises serious questions about government security. If a state-run IT department can't configure a laptop properly, what can a person do to protect themselves from rogue malware?

... "Trojans are written by tech-savvy people. What's the first thing they are going to do? They're going to disable the protection," she added, noting that Fiola's Symantec-based logs were missing from the compromised laptop. [That would have been the easy way to determine what Fiola did. If they were missing, prosecutors must have assumed he was “covering up” and done no further investigation. Bob]

... The Fiola case brings up some troubling questions. What if a person actually did realize that his PC was compromised with child porn? How could someone safely remove it? If an innocent user took it to the company's IT department, he or she might get fired. A computer repair shop would probably alert the authorities, and there's a good chance the police would seize the computer, arrest the user and start the prosecution process.

[In case you need Tami Loehrs: http://www.law2000.net/



It would be nice if they contacted the victims; however, the criminals encrypted their data (being more interested in security than the companies they stole it from).

http://www.pogowasright.org/article.php?story=20080618073003747

Finjan Finds Health And Business Data Being Auctioned Online

Wednesday, June 18 2008 @ 07:30 AM EDT Contributed by: PrivacyNews News Section: Breaches

More than 500 megabytes of premium health- and business-related data, along with stolen social security numbers, have been found being offered to the highest bidder on crimeware servers in Argentina and Malaysia.

Security firm Finjan discovered the illicit data market and issued a report about its findings today.

Source - InformationWeek

Related - Finjan Discovers more than 500 Mb of Stolen Medical, Business and Airline Data on Crimeware Servers in Argentina and Malaysia
Finjan Report - Malicious Page of the Month [pdf] (requires free sub.)



“You may install software on my computer at any time for $327.50 per bit per day. Installation is evidence of acceptance of this contract.” (O boy, I'm gonna be rich!)

http://www.eweek.com/c/a/Legal/Watchdogs-Claim-NebuAd-Hijacking-Sites/

Watchdogs Claim NebuAd Hijacking Sites

By Roy Mark 2008-06-18

Two watchdog groups accused Silicon Valley startup NebuAd June 18 of hijacking Web sites and intercepting users' browsers. NebuAd is an online advertising company that provides targeted advertising for ISPs.

According to a new technical report (PDF) by Free Press and Public Knowledge, NebuAd uses special equipment that "monitors, intercepts and modifies the contents of Internet packets" as consumers go online. The report found that NebuAd inserts extra hidden code into users' Web browsers that was not sent by the Web site being visited.

In turn, the code directs the browser to another site not requested or even seen by the consumer, where more hidden code is downloaded and executed to add more tracking cookies. Using the secretly collected information, NebuAd serves up ads based on the user's browsing habits.


Related: A more subtle hack

http://techdirt.com/articles/20080531/1924311274.shtml

Web Browsers' 'Visited' Feature Creates Privacy Concerns

from the just-visiting dept

Ben Adida points to an interesting hack that takes advantage of a bug/feature (depending on your perspective) of modern browsers. When a webpage is rendered, the browser will typically display links that have been previously visited in a different color. Under the hood, this is implemented by setting the link's style to "visited." A website can use JavaScript to detect this information and report it back to the server -- and could even do something sneaky like adding "hidden" links not actually visible to users just to find out if you had visited certain sites. This behavior was noticed by the Mozilla community way back in 2002, but because of the way the spec was written, there wasn't any easy solution. Now somebody has figured out at least one useful purpose for this particular data leak: reducing the number of links some websites provide to social networking sites. As Digg, Reddit, and dozens of social news competitors have proliferated, blogs and news sites have increasingly faced the challenge of supporting ways to submit stories to those sites without unnecessarily cluttering up their pages. But this guy has developed some JavaScript code that will use the "visited" data leak to determine which social networking sites the user has visited and display badges only for those sites. It's a clever hack, albeit one that will make privacy sticklers' skin crawl. Browser vendors ought to fix the underlying privacy issue, which will break this little hack in the process, but in the meantime it doesn't hurt to put it to a useful purpose.
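A defender's view of the leak described above, as an added example that is not from Techdirt, Ben Adida or any browser vendor: a self-check fragment you load in your own browser to see whether page scripts can still tell your visited links from unvisited ones. The probe URLs and the control URL are constructed; the decision logic is kept in a pure function so it can be exercised without a DOM.

```javascript
// Self-check for the CSS :visited history leak (added example, not the
// original post's code). A browser that still leaks reports a different
// computed colour for links you have visited; a browser with the mitigation
// reports the same colour for every link, regardless of history.

// Constructed sample probes: replace with sites you know you have visited.
const PROBE_URLS = [
  'https://digg.com/',
  'https://www.reddit.com/',
  'https://news.ycombinator.com/',
];

// Control link: a URL nobody can have visited, so its computed colour is the
// browser's honest ":link" colour for this stylesheet.
const CONTROL_URL = 'https://example.invalid/never-visited-' + Date.now();

// Pure decision logic: colors maps url -> computed CSS colour string.
// Any probe whose colour differs from the control is "visited" as far as a
// page script can tell, i.e. the browser is leaking history to scripts.
function classifyProbes(colors, controlColor) {
  const leaked = [];
  for (const [url, color] of Object.entries(colors)) {
    if (color !== controlColor) leaked.push(url);
  }
  return { leaks: leaked.length > 0, leaked };
}

// DOM part: injects distinct :link / :visited colours, renders the probes
// and reads back what the script is allowed to observe.
function runSelfCheck(doc) {
  if (!doc) return null;
  const style = doc.createElement('style');
  style.textContent =
    'a.probe:link{color:rgb(0,0,255)} a.probe:visited{color:rgb(255,0,0)}';
  doc.head.appendChild(style);

  const makeLink = (url) => {
    const a = doc.createElement('a');
    a.href = url;
    a.className = 'probe';
    a.textContent = url;
    doc.body.appendChild(a);
    doc.body.appendChild(doc.createElement('br'));
    return a;
  };

  const controlColor = getComputedStyle(makeLink(CONTROL_URL)).color;
  const colors = {};
  for (const url of PROBE_URLS) {
    colors[url] = getComputedStyle(makeLink(url)).color;
  }
  return classifyProbes(colors, controlColor);
}

// Only runs when loaded in a browser; harmless under Node.
if (typeof document !== 'undefined') {
  const result = runSelfCheck(document);
  console.log(result.leaks
    ? 'LEAK: :visited state readable for ' + result.leaked.join(', ')
    : 'OK: :visited state is not exposed to page scripts');
}
```

If every probe comes back "OK" in a browser where you really have visited those sites, the vendor has shipped the fix the post asks for; the badge trick in the post stops working for exactly the same reason.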



“Stupid is as stupid does.” F. Gump

http://techdirt.com/articles/20080617/1110341434.shtml

Blog Receives Takedown Notice For Embedding A Video With Authorized Embed Code

from the keep-the-lawyers-busy dept

A year and a half ago, I wondered out loud if embedding an infringing video would be considered infringement as well. Technically, it's no different than just linking to infringing content. However, imagine an even more ridiculous scenario: what if a website puts up its own videos with an embed code, but then sends out takedown notices to anyone who embeds it? Russ writes in to let us know that's exactly what happened with an Iowa sports blog that was trying to raise awareness of the floods in Iowa (a good thing) and embedded a video from the website of the Des Moines Register using the very embed code offered by the Des Moines Register. So what happens? The Des Moines Register sends a takedown notice claiming copyright infringement. After complaining about this on the blog, and getting some attention over it, someone from the Register apologized and said that it was an overeager staffer who was unfamiliar with the fact that videos on the site included embed codes.

While it's great that the Des Moines Register quickly recognized its mistake, apologized and promised to make sure it wouldn't happen again, it still does raise some questions that are almost certain to show up in the future. It's still not clear if a site is responsible for embedding infringing videos. But what if the video's copyright holder doesn't like how a video is being used? What if, for example (and this is not what happened in this case) a site had used that same video of the Iowa floods to mock the victims? I would imagine that it would be tempting in that case to send out the takedown notice, even though the embed code had been offered up. We're almost certainly going to see this happen in the near future. Someone who puts up a video with an embed code is going to be unhappy with how that content is being used, and will claim infringement, even though the content was freely offered up.

The copyright implications of embedding are not at all clear -- and that means you can be sure that lawsuits are on their way.



Is it overly optimistic to think someone will actually read these?

http://www.pogowasright.org/article.php?story=2008061814014345

GAO releases three privacy-related reports

Wednesday, June 18 2008 @ 02:01 PM EDT Contributed by: PrivacyNews News Section: Fed. Govt.

The following GAO reports are now available:

Privacy: Agencies Should Ensure That Designated Senior Officials Have Oversight of Key Functions, GAO-08-603, May 30, 2008: Summary Full Report [pdf]

Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information, GAO-08-536, April 19, 2008: Summary Full Report [pdf]

Privacy: Congress Should Consider Alternatives for Strengthening Protection of Personally Identifiable Information, GAO-08-795T, June 18, 2008: Summary Full Report [pdf]



This is interesting. The text message is private despite being transmitted by radio (unencrypted?) to a local receiver (think cell tower and anyone else with a radio tuned to that frequency) and then to the provider's computers via wire (secure) or satellite (now even aliens can intercept it), then it is archived (where the copy the cops obtained came from). Then the whole process is reversed to deliver the message to the addressee.

http://www.pogowasright.org/article.php?story=20080618142748906

Ninth Circuit Upholds Privacy of Text Messages

Wednesday, June 18 2008 @ 02:27 PM EDT Contributed by: PrivacyNews News Section: In the Courts

Today the Ninth Circuit issued its opinion in Quon v. Arch Wireless, holding that "users of text messaging services such as those provided by Arch Wireless have a reasonable expectation of privacy in their text messages."

Source - EFF



What happens when golf fans can't get to their televisions to watch Tiger Woods? Certain to join the Streisand Effect ( http://en.wikipedia.org/wiki/Streisand_effect ) in the lexicon.

http://tech.slashdot.org/article.pl?sid=08/06/18/199254&from=rss

The Tiger Effect and Internet DDoS

Posted by timothy on Wednesday June 18, @03:32PM from the aka-the-kenn-starr-steamroller dept. The Internet Media Security IT

An anonymous reader writes

"Many US and Canadian ISPs thought they were under a massive denial of service attack yesterday — traffic spiked by hundreds of gigabits across North America. Turns out that the traffic was due to live streaming of the U.S. Open and Tiger Woods nail-biting victory."



Perhaps I'll use this to explain arbitrage... Naaaaah. More likely to explain out-of-control marketing departments.

http://techdirt.com/articles/20080618/1321561448.shtml

Would You Buy $630 For $715? Thanks To Microsoft, You Can Make Money Doing So

from the loopholes dept

Just last month, Microsoft announced its desperation plan of bribing users to use Microsoft's search. Basically, if you bought certain products via a Microsoft search, Microsoft would pay you cash back. And, of course, as soon as the cash got involved, it didn't take long for people to find loopholes. Various message boards are highlighting how this works, but the end result is that people are buying $630 in cash for $715 (via Whitney McNamara), knowing that Microsoft will pay them "cash back" that more than makes up the difference -- in some cases up to $250. So, in that case, the seller of the "cash" ends up making $85, and the "buyer" makes $165. Microsoft, of course, is out the $250. Talk about arbitrage.



Trend or aberration?

http://www.reghardware.co.uk/2008/06/18/tech_aids_pool_crashing/

Teens use technology to party in strangers' pools

By James Sherwood 18th June 2008 15:36 GMT

Tech savvy teens are using Google Earth’s splendidly clear aerial shots of the UK to launch a summertime craze – pool crashing.

Teens begin by surfing Google Earth’s satellite images to find houses with swimming pools — or at least paddling pools. Once a target has been identified, sweaty swimmers then use Facebook to arrange an organised, but uninvited, pool-crash.



Another way to interest children in the legal system.

http://afp.google.com/article/ALeqM5h9kqGvkVPSvo-KNWFDWAg-mVfleg

Court overturns father's grounding of 12-year-old

20 hours ago

OTTAWA (AFP) — A Canadian court has lifted a 12-year-old girl's grounding, overturning her father's punishment for disobeying his orders to stay off the Internet, his lawyer said Wednesday.

The girl had taken her father to Quebec Superior Court after he refused to allow her to go on a school trip for chatting on websites he tried to block, and then posting "inappropriate" pictures of herself online using a friend's computer.

... Beaudoin noted the girl used a court-appointed lawyer in her parents' 10-year custody dispute to launch her landmark case against dear old dad.



What does a data center cost? (Just a few pictures, early in the construction.)

http://digg.com/microsoft/Inside_Microsoft_s_550_Million_Mega_Data_Centers_2

Inside Microsoft's $550 Million Mega Data Centers

informationweek.com — A tour of Microsoft's gargantuan, under-construction San Antonio data center reveals a state-of-the-art IT infrastructure on an immense scale.

http://www.informationweek.com/galleries/showImage.jhtml?galleryID=191&articleID=208403723



Future: Anything digital on demand

http://www.alleyinsider.com/2008/6/youtube_tries_long_form_video

YouTube Shifts Strategy, Tries Long-Form Video

Michael Learmonth | June 18, 2008 11:47 AM

... YouTube's 10-minute limit has served a couple of purposes to date: It keeps bandwidth costs down, and it makes it harder for copyright owners to complain about unauthorized streams...



Future, convergence. The device is still huge (the size of an iPod) but could potentially be squeezed into the next generation iPhone.

http://www.popularmechanics.com/blogs/technology_news/4269248.html

World’s Smallest Projector, TI Optoma Pico, Coming to U.S. Next Year

June 18, 2008
