Saturday, June 14, 2008

Trends: Employees prefer their own computers over those provided by their employers, especially when the employer is a government entity and computers are supplied by the lowest bidder. This is no excuse for failure to secure sensitive data.

Anti-terror police chief has laptop stolen

By Daily Mail Reporter Last updated at 10:30 PM on 13th June 2008

A LAPTOP belonging to a senior police officer who has access to counter-terrorist intelligence has been stolen.

The computer, which was owned by Rob Beckley, deputy chief constable of Avon and Somerset, was taken from his car outside Marylebone railway station in Central London on Wednesday.

It is believed his police driver was distracted by one thief while another made off with the laptop.

Police sources say Mr Beckley, a former member of the terrorism committee of the Association of Chief Police Officers, had insisted on using his own computer when he joined the force last year.

As a result, none of the information accessible from the machine - which includes anti-terror details, private information about individual officers, and details of criminal investigations, suspects and undercover operations - is encrypted.

... Yesterday, Mr Beckley said IT experts were working to ensure no one outside the force would be able to use the computer and log on to police servers. [This should be trivial – turn off his ID. Bob]

... But he refused to discuss why Mr Beckley had insisted on having his own laptop and why information had not been encrypted.

...but the BBC says:

Police data 'secure' after theft

... It said the laptop had encryption software on it [Was it used? Bob] and that police computer systems used multiple passwords.

"There was no data breach and steps taken were as a precautionary measure."

I mentioned this one yesterday – looks like the judge agrees.

Judge Scuttles Ameritrade Hacking Settlement

By David Kravets June 13, 2008 9:58:33 PM

A federal judge on Friday declined to approve a proposed settlement of a class-action representing as many as 6.3 million TD Ameritrade customers whose privacy was breached when hackers stole personal identifying customer information.

U.S. District Judge Vaughn Walker was concerned whether the deal, which gives more than $1.8 million in legal fees to the plaintiff's attorneys, would provide any real benefits to the class of online brokerage customers.

... Walker said there were no "facts which would allow the court to make a proper valuation of the settlement, which on its own does not include any monetary relief."

... Among other things, the accord requires the company to post information on its web site regarding "important information on protecting your assets from online threats such as identity theft, phishing, spyware, viruses, e-mail fraud and stock touting spam."

Ameritrade also agreed to retain independent experts to conduct bi-annual penetration tests at least through 2009. It has also retained ID Analytics, a company specializing in identifying organized identity theft. "Two such analyses already have been performed and have identified no evidence of identity theft," according to the accord.

Also, the deal requires a $20,000 donation to the Honeynet Project and $35,000 to the National Cyber Forensics and Training Alliance.

Maybe this guy will have more luck?

Ex-patient sues storage firm over stolen U. records

Proposed class-action suit claims company was negligent; attorney says university is next

By Stephen Hunt The Salt Lake Tribune Article Last Updated: 06/14/2008 01:21:31 AM MDT

There is more than one way to make money from a breach... (Could be an educational video at some point?)

Leaked AOL search logs take stage in new play

Posted by Holly Jackson June 13, 2008 10:00 AM PDT

Imagine every question you've typed into an Internet search engine suddenly appearing online for the world to scrutinize. What would the queries say about you? Would the world view you as totally mundane? Totally bizarre?

Would your search log be intriguing enough to draw thousands upon thousands of viewers?

Brat Productions, a theater company in Philadelphia, found one such search string more than compelling enough to form the basis of its new play, User 927.

Wow! Could we do this in the US? (This happened in January, but I must have missed it.)

ICO takes enforcement action against Marks & Spencer

M&S ordered to encrypt all hard drives by April 2008

The Information Commissioner's Office (ICO) has found Marks & Spencer (M&S) in breach of the Data Protection Act.

... An ICO investigation revealed that the laptop, which contained details of the pension arrangements of M&S employees, was stolen from the home of an M&S contractor. [Third party again. Bob] In light of the nature of the information contained on the laptop, it is the ICO's view that M&S should have had appropriate encryption measures in place to keep the data secure.

... The ICO has now issued M&S with an Enforcement Notice which orders the company to ensure that all laptop hard drives are fully encrypted by April 2008. [This was issued in late January. Imagine the scramble! Bob] Failure to comply with the Enforcement Notice is a criminal offence and may result in the ICO taking further action against the company.

[The order:

Another summer page turner...

June 13, 2008

Identity Theft: The Aftermath 2007

Identity Theft: The Aftermath 2007. Conducted by the Identity Theft Resource Center® (ITRC) With comparisons to The Aftermath 2003, 2004, 2005, 2006 Surveys.

Interesting that the authors of the browser can't turn off all the logging.

Firefox 3 won't have 'private browsing'

Posted by Robert Vamosi June 13, 2008 5:55 AM PDT

... The feature, Private Browsing, would have disabled all caching, cookie downloads, history records, and form data used during the current session. In essence, you could surf the Web and leave no fingerprints.

... He described the private browsing process as this: you hit a button and everything past that point isn't logged. Then, at some point in the future, you hit the button again and it's as though what you just did never happened.

... You can hear more of my interview with Nightingale on my Security Bites podcast here.

“We're the government and we're here to help you.”

FBI warns of child-support card scam

Phishing scam targets single parents who use EPPICards, which work like debit cards and are promoted as alternative to child support payment checks

By Robert McMillan, IDG News Service June 13, 2008

The U.S. Federal Bureau of Investigation warned Friday that online scammers are now targeting single parents who use the EPPICard system to receive child-support payments.

Related? Or just a disaster waiting to happen...

New State Debit Cards Are Costing The Unemployed

Written by CBS4 special projects producer Libby Smith Jun 13, 2008 2:25 pm US/Mountain

... Desimone has a receipt showing she was charged 50 cents just to check the balance in her unemployment account.

When you start to read the fine print on the CAP card, there are more charges:

-- $1.50 for using a non-Chase ATM
-- $5.00 for a teller transaction at a non-Chase bank
-- $12.50 to write a check on the account

... "I can't take my debit card to my lease office to pay my rent ... and say, 'Here' ... that doesn't work," Bruck said.

She has to go to an ATM get her money out in cash and carry it to her own bank.

... Lori Halpenny was also laid off this year. She's uncomfortable giving her personal information to a bank where she doesn't have an account.

"Which was frightening to me because of all the problems with identity theft," Halpenny told CBS4.

She says she not only gave her Social Security number and other information to Chase, but she had to agree to allow the information to be shared with "third party affiliates" as well.

Tools & Techniques: Someone needs to think this through...

Mobile Phone Number Moving Caused Feds to Wiretap Wrong American

By Ryan Singel June 12, 2008 5:33:29 PM

In poring through the latest round of documents the FBI turned over to the Electronic Frontier Foundation about how the FBI legally plugs into the nation's telephone system, THREAT LEVEL discovered that the nation's secret spy court repeatedly questioned the FBI in 2005 and 2006 about whether the Bureau was exceeding its wiretap authority.

But there were other fine eavesdropping nuggets in those pages, including info on when the FBI learned to wiretap VOIP calls, how number portability messed with FBI taps, and a moment of candor from an FBI technician about how the FBI's wiretapping software could work with the NSA's warrantless wiretapping program.

For instance, the FBI accidentally listened in on one innocent American's phone conversations due to a hack a phone company used to let people port their phone numbers from one cell provider to another. At issue is a workaround used by CDMA providers, where a carrier assigns an alias number to a ported number in order to speed up switching at a user's usual calling area. The workaround has the unfortunate side effect of occasionally reporting the alias -- which could actually be a real person's number -- instead of the real caller to the FBI's wiretapping software.

In the FBI's own words, "due to misinformation in the call records, the unrelated subscriber was temporarily included in the investigation" and "this error has recently misled a few FBI investigations."

Is a fine sufficient?

'Free Software' Scammers Fined $2.2 Million

from the this-is-not-the-'free'-business-model-we're-talking-about dept

We've seen various incarnations of the scam (often found in infomercials) where a company offers you something for "free," but in the fine print, you're really signing up for an ongoing paid service. For years, some of the biggest "ringtone" companies made much of their money this way, offering "free" or cheap ringtones that actually involved the user signing up for a monthly service without realizing it. The infamous "Video Professor" has been accused of running a similar system, though the company vehemently denies this.

Either way, it appears that the FTC is starting to crack down on some of these practices, fining a competitor to "Video Professor," called ThinkAll, $2.2 million. Apparently ThinkAll took this scam to a new level. It offered "free" software, where you simply had to pay for the shipping and handling -- though, it sounds like that was really just so the company could get your credit card on file. After receiving that first free CD, customers were offered 3 more titles totally free (not even any shipping). If you decided to accept that software (and why wouldn't you?) it made you check a box saying you had read the terms of service. Of course no one reads the full terms of service, which include (hidden down in the 7th paragraph) the fact that in accepting this "free" software, you're actually agreeing to sign up for a monthly fee-based service. Quite sneaky... until the FTC stepped in. Hopefully other businesses take notice and start avoiding these types of scams.

Friday, June 13, 2008

What happens when “What can we do to settle?” becomes “What would make you lawyers happy?”

Judge Weighing Ameritrade Hack Lawsuit Settlement

Friday, June 13 2008 @ 06:21 AM EDT Contributed by: PrivacyNews News Section: In the Courts

A federal judge on Thursday put off approving a proposed settlement of a class-action representing as many as 6.3 million TD Ameritrade customers whose data was breached when hackers stole personal identifying customer information.

Among the reasons: The lead plaintiff, who signed the deal, opposed it in open court Thursday and said his lawyers coerced him into accepting the accord.

Source - Threat Level blog

[From the article:

Under the accord, class members would be entitled to a one-year subscription of "Trend Micro Internet Security Pro," about a $70 retail value. The biggest payout goes to class lawyers, [“Surprise, surprise, surprise!” G.Pyle] who are set to get more than $1.8 million.

Ameritrade lawyer Lee Rubin said Ameritrade was paying "significantly less" than retail value for the Security Pro software.

Elvey said the software is "available for free after rebate" at some electronics stores.

This may explain why there is so much resistance – or it may not.

When it comes to data security breaches, the general public doesn’t need to know

Friday, June 13 2008 @ 06:45 AM EDT Contributed by: PrivacyNews News Section: Breaches

When it comes to data security breaches, 78 percent of US IT decision-makers feel that companies do not need to inform the general public; this according to a recent survey by content security specialists Clearswift. While respondents felt the general public did not need to know (78%), they did indicate that affected customers and partners should be informed (95%) while less than half of them felt that industry regulators (42%) or even the police (35%) should be notified.

Of the U.S. organizations polled, 19 percent had suffered a data loss in the last 12-18 months, and of those, 50 percent had experienced more than one. Despite the fact that more than 89 percent of those surveyed said that data loss/data breach was a very important or critical issue to their organizations, the research indicated that they are still not locking down the transfer of sensitive information appropriately. E-mail is the most popular method of transferring confidential data (over 70% allow staff to transfer confidential data via e-mail), and yet over a quarter of businesses (26%) admit to losing data via e-mail. [Not clear from the article how they define “losing data via e-mail” Bob]

Source - Help Net Security

For the White Hat club: So much for unbreakable security... (Does this mean that E MC2?)

How To Build a Quantum Eavesdropper

Posted by kdawson on Friday June 13, @09:34AM from the perfection-is-not-a-requirement dept. Encryption Security Science

KentuckyFC writes

"Quantum encryption is perfectly secure, in theory. In practice, however, there are loopholes. Now Japanese scientists have designed a quantum eavesdropper that exploits one of these loopholes to listen in to quantum conversations. QC's security arises from the impossibility of making a perfect copy of a quantum object without destroying it — so the sender and receiver can always tell if they've been overheard. But it turns out that an eavesdropper can make imperfect copies and use them to extract information from a quantum message without alerting sender or receiver (abstract). The Japanese design does just this. That should worry banks and government agencies that have begun to use some of the commercial quantum encryption systems now available."

Even assuming they are being completely honest (never wise when dealing with politicians) they are clearly not aware of the minimal “learning curve” required to become a hacker...

China Says It Lacks Skills To Hack US Systems

Posted by CmdrTaco on Thursday June 12, @12:35PM from the next-you'll-tell-me-they-don't-play-checkers dept. Security United States Politics

ScentCone writes

"A spokesman for China's foreign ministry says that — China being the 'developing nation' that it is — he doubts that his country has the sophistication to hack foreign systems. This in response to statements by two congressmen regarding apparent probing by China-based crackers into congressional systems for information about communication between US officials and activists in China."

Related: Perhaps Congress could use a team like this?

Ask Lt. Col. John Bircher About Cyber Warfare Concepts

Posted by timothy on Thursday June 12, @01:20PM from the please-include-your-gps-coordinates dept.

The Air Force is not the only U.S. military branch trying to come to grips with the electronic side of warfare, both current and future. The U.S. Army Computer Network Operations (CNO)-Electronic Warfare (EW) Proponent (USACEWP), located at Fort Leavenworth, Kansas — home to the U.S. Army's Combined Arms Center — serves as the Army's hub for cyber-electronic concepts and capabilities. This is the organization responsible for developing doctrine, materiel and training to prepare the Army for cyber-electronic engagements. For example, USACEWP has developed training teams to ensure that U.S. commanders and soldiers around the world are fully informed of cyber-electronic capabilities at their disposal. Leading the Proponent's Futures branch is Lt. Col John "Chip" Bircher; Bircher entered the Army in 1989 as an Infantry officer, then served in various command and staff positions, most recently Information Operations (IO). He was the IO Chief for the 25th Infantry Division (Light), Hawaii, and Director of IO for Combined Joint Task Force -76, Bagram, Afghanistan. If you want to know more about the realities and challenges that face an armed, global IT department in a time when electronic warfare is ever more important and dangerous, now's your chance to ask Lt. Col. Bircher some questions. We'll pass on the highest-moderated questions for Lt. Col. Bircher to answer. Usual Slashdot interview rules apply.

These cases are always the best. However, if Prince didn't specifically identify what his copyright covered, shouldn't this case be tossed out?

Even Lawyers Are Confused About What's Legal Or Not In The Prince/Radiohead Spat

from the wait-a-second... dept

We were just discussing how copyright has been stretched and twisted so many times that it really just isn't designed properly to handle internet communications -- and a good case in point may be the funny little spat we covered a few weeks back between Prince and Radiohead. If you don't recall, Prince performed a cover of a Radiohead song at a concert. Someone in the audience videotaped it and put the video on YouTube. Prince's representatives demanded that the content be taken down under a DMCA request -- raising all sorts of questions. After all, Prince didn't own the copyright on the song. That's owned by Radiohead, whose lead singer wanted the video back online. Prince didn't own the copyright to the video either, since he didn't take it. So how could he use the DMCA to take down the video?

But, it's not that simple, apparently. As Ethan Ackerman details, as lawyers began to think about the situation, the more confused they got, noting that maybe there was a right under anti-bootlegging laws. Only, then things got more confusing, because it turns out that anti-bootlegging laws aren't actually a part of the copyright act (though it does fall under the same "title" just to add to the confusion), and the DMCA (under which the takedown occurred) only applies to copyright law.

However, again, we're left in a situation where the "law" is hardly clear at all, and even those who follow the space were somewhat confused over whether or not Prince had any sort of legal standing here. A law is not useful if the boundaries of that law are not clear, and if someone has no clue if their actions go against the law. In the internet era, copyright certainly falls under that category of laws in which it is no longer clear what is and is not legal -- and that should be seen as a problem.

This is interesting. I'll read it carefully to see if it also applies to Colorado.

June 12, 2008

Opinion of the Court by Justice Anthony Kennedy Grants Certain Habeas Corpus Rights to Detainees at Guantanamo Bay, Cuba

SCOTUSblog: "The opinion by Justice Kennedy in Boumediene v. Bush (06-1195) and Al-Odah v. United States (06-1196) is available here. Justice Souter issued a concurring opinion joined by Justices Ginsburg and Breyer. The Chief Justice wrote a dissent joined by Justices Scalia, Thomas and Alito. Justice Scalia filed a dissent, joined by the Chief Justice and Justices Thomas and Alito."

I think this likely, since I predict handhelds will replace laptops as the 'access tool' of choice.

Apple considering iPhone sales through universities

By Kasper Jade Published: 11:00 AM EST Thursday, June 12, 2008

... The iPhone has already become a fixture on a handful of top-tier campuses like Harvard, MIT and Stanford, thanks to a new educational learning initiative pilot initiated last year dubbed 'iPhone University.' Through an extension of its existing iTunes University service, the program sees underclassmen equipped with iPhones with which they can wirelessly download class materials, receive homework alerts, answer in-class surveys and quizzes, get directions to their professors’ offices, and check their meal and account balances.

Increasing the presence of iPhones at universities across the country is just one step towards Apple's much larger goal of helping to reestablish itself as a leader in higher education, where recent progress has seen it overtake rival Dell as the No. 1 supplier of notebook systems and record a new all-time best for quarterly sales throughout the sector.

Related (Business Opportunity: Copyright/trademark/patent “Spitoon” as an anti-malware tool for phones...)

Spit Will Be Worse Than Spam

Posted by CmdrTaco on Thursday June 12, @11:05AM from the but-less-fun-to-say dept. Security Spam

KentuckyFC writes

"A team of German computer scientists has developed a program that reproduces all the known forms of spit (spam over internet telephony) attack. Their plan is to make the spitting software available to computer security experts wanting to test antispit strategies. Developing these won't be easy. There are various antispit techniques, such as white lists that allow only calls from predetermined callers, Turing tests such as audio CAPTCHAs that make a caller prove he or she is human and payment-at-risk services where the caller makes a small payment in advance and is refunded immediately if the receiver acknowledges the call as legitimate. But all have weaknesses, say the researchers. The main difference between junk calls and junk email is that the email arrives at your mail server before you access it. This gives the server time to analyze its content and filter out the junk before it gets to you. Not so with internet telephony, which is why radically different strategies are needed."

1) Cost of gas is only part of the “Total cost of ownership” 2) Do we know any auto dealers in “Low gas cost” countries?

readers holding on to big SUVs

updated 8:02 a.m. EDT, Thu June 12, 2008

... Holler paid thousands less than the cars' blue book values and also saves on insurance because they're older cars, he said.

One of his friends bought a Toyota Camry hybrid and is saving about $300 a month on gas, but has a $600 a month car payment, he said.

Holler also is making money off of the SUV glut by buying vehicles at cut rate prices and selling them to people in Central and South America, where gas is cheap and big trucks are in high demand.

"I'm snatching them up as fast as I can," he said.

He says he just bought a pair of 2007 Ford F150s for $9,000 each and he's selling them for $18,000 each. It costs him about $2,200 to ship a vehicle out of the country, which leaves him with a tidy profit.

For my Web Site class: I had lots of fun with – here's another one - Upload Photos and Add Effects

Dumpr is a really fun site that allows you to alter your photos and then save them or share them on your favorite social network. Simply upload your photo and then choose from an extensive list of tools that you’d like to use to alter your photo. Some of the more popular effects include museumr, which allows you to place your photo on a museum wall and Rubik’s Cube which turns your photos into a Rubik’s Cube. Other options include Celebrity Paparazzi, Peeling Paint, Sketch Artist, Jigsaw Puzzles, Photo to Sketch and bunch of other fun tools. There really are a great number of fun options for playing with your photos and sharing with your friends.

Thursday, June 12, 2008

Is security so trivial a concept that Secret documents are no more important than yesterday's newspaper, or is there another factor at work? (see next article)

Intelligence official suspended over al-Qaeda file left on train

Sean O’Neill and Jill Sherman From The Times June 12, 2008

Secret files on the al-Qaeda threat and the Iraqi security forces were left on a train by a senior intelligence official, the Cabinet Office said yesterday. Last night the department said that the man at the centre of the investigation into the loss of the documents had been suspended from his job.

The government documents were in an orange cardboard envelope, which was left on a commuter train between Waterloo Station in London and Surrey on Tuesday.

A passenger picked it up, realised what was inside and passed the contents to the BBC, which last night handed the documents to police.

... The official believed to have left the documents on the train is a senior civil servant working in the Cabinet Office’s intelligence and security unit.

Related? Discrimination or not, what the hell are they thinking? Perhaps we should offer a class: “How to look dumb on your Police Aptitude Test?”

METRO NEWS BRIEFS: CONNECTICUT; Judge Rules That Police Can Bar High I.Q. Scores

Published: September 9, 1999

A Federal judge has dismissed a lawsuit by a man who was barred from the New London police force because he scored too high on an intelligence test.

In a ruling made public on Tuesday, Judge Peter C. Dorsey of the United States District Court in New Haven agreed that the plaintiff, Robert Jordan, was denied an opportunity to interview for a police job because of his high test scores. But he said that that did not mean Mr. Jordan was a victim of discrimination.

Judge Dorsey ruled that Mr. Jordan was not denied equal protection because the city of New London applied the same standard to everyone: anyone who scored too high was rejected.

Mr. Jordan, 48, who has a bachelor's degree in literature and is an officer with the State Department of Corrections, said he was considering an appeal. ''I was eliminated on the basis of my intellectual makeup,'' he said. ''It's the same as discrimination on the basis of gender or religion or race.''

G8 nations talk ID crime at annual summit

Ministers from the Group of Eight nations hear that some estimates put the cost of ID crime in the U.S. at $50 billion last year and at $100 billion in Europe

By Martyn Williams, IDG News Service June 12, 2008

... Recognizing the growing sophistication of criminals and the increasing importance of identity documents in our ever-more digital lives the ministers discussed the issue for a little over an hour at the summit in Tokyo. [Well, that should solve the problem... Bob]

Coming soon to a cell phone near you!

419 SMS scams

Posted by Mikko @ 14:31 GMT

There's an ongoing SMS / email fraud underway.

How long before this is located on one of the archive sites and made available to everyone?

Judge suspends L.A. obscenity trial after conceding his website had sexual images

By Scott Glover, Los Angeles Times Staff Writer June 12, 2008

A closely watched obscenity trial in Los Angeles federal court was suspended Wednesday after the judge acknowledged maintaining his own publicly accessible website featuring sexually explicit photos and videos.

Alex Kozinski, chief judge of the U.S. 9th Circuit Court of Appeals, granted a 48-hour stay in the obscenity trial of a Hollywood adult filmmaker after the prosecutor requested time to explore "a potential conflict of interest concerning the court having a . . . sexually explicit website with similar material to what is on trial here."

In an interview Tuesday with The Times, Kozinski acknowledged posting sexual content on his website. Among the images on the site were a photo of naked women on all fours painted to look like cows and a video of a half-dressed man cavorting with a sexually aroused farm animal. He defended some of the adult content as "funny" but conceded that other postings were inappropriate.

Kozinski, 57, said that he thought the site was for his private storage and that he was not aware the images could be seen by the public, although he also said he had shared some material on the site with friends. After the interview Tuesday evening, he blocked public access to the site.

... Kozinski has a reputation as a brilliant legal mind and is seen as a champion of the 1st Amendment right to freedom of speech and expression. Several years ago, for example, after learning that appeals court administrators had placed filters on computers that denied access to pornography and other materials, Kozinski led a successful effort to have the filters removed. [That is unlikely to help in his defense. Bob]

... Before the site was taken down, visitors to were greeted with the message: "Ain't nothin' here. Y'all best be movin' on, compadre."

Related? Using “scientific” research in defense?

The Bikini Effect Makes Men Impulsive

By Robin Nixon, Special to LiveScience posted: 10 June 2008 ET

... It wasn't that the men were simply distracted by their sexual arousal, which caused them to choose more impulsively. On the contrary, they exhibited improved cognition and creativity after exposure to sexy stimuli.

Status of the ubiquitous surveillance society in the UK

June 11, 2008

Report on the "Surveillance Society" by the House of Commons Home Affairs Select Committee

UK House of Commons, Home Affairs Committee, A Surveillance Society? Fifth Report of Session 2007–08 Volume I Report, together with formal minutes Ordered by The House of Commons to be printed 20 May 2008.

House of Commons Home Affairs Committee - A Surveillance Society? Fifth Report of Session 2007–08, Volume II, Oral and written evidence, Ordered by The House of Commons to be printed 20 May 2008.

  • "We call on the Government to give proper consideration to the risks associated with excessive surveillance. Loss of privacy through excessive surveillance erodes trust between the individual and the Government and can change the nature of the relationship between citizen and state. The decision to use surveillance should always involve a publicly-documented process of weighing up the benefits against the risks, including security breaches and the consequences of unnecessary intrusion into individuals’ private lives. Our Report sets out a series of ground rules for Government and its agencies to build and preserve trust. Unless trust in the Government’s intentions in relation to data collection, retention and sharing is carefully preserved, there is a danger that our society could become a surveillance society. The potential for surveillance of citizens in public spaces and private communications has increased dramatically over the last decade, making it possible for what the Information Commissioner calls “the electronic footprint” we leave in our daily lives to be built up into a detailed picture of our activities. This has prompted growing concern about a wide range of issues relating to the collection and retention of information about individuals."

For your Security Geek...

Malware Silently Alters Wireless Router Settings

A new Trojan horse masquerading as a video "codec" required to view content on certain Web sites tries to change key settings on the victim's Internet router so that all of the victim's Web traffic is routed through servers controlled by the attackers.

According to researchers contacted by Security Fix, recent versions of the ubiquitous "Zlob" Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. [Always change the default password Bob] If successful, the malware alters the victim's domain name system (DNS) records so that all future traffic passes through the attacker's network first. DNS can be thought of as the Internet's phone book, translating human-friendly names like into numeric addresses that are easier for networking equipment to handle.

... The other, more important reason this shift is scary is that a Windows user with a machine infected with a Zlob/DNSChanger variant may succeed in cleaning the malware off an infected computer completely, but still leave the network compromised. Few regular PC users (or even PC technicians) think to look to the router settings, provided the customer's Internet connection is functioning fine.

... Sunbelt also found that if there are multiple machines using the same router, all of the systems connected to that router will have their traffic hijacked. [At least the whole family Bob]

... Relatively few people ever change the default username and password on their wireless routers. [This site provides a list of all those default passwords Bob]

... Specific, manufacturer-based video tutorials on how to secure your wireless router are available at this link here. [This site tells you how to change them Bob]
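The cleanup gap described above (a disinfected PC still receiving attacker-chosen resolvers from a reconfigured router) is something a technician can check for. The following is an added example, not code from the Security Fix article: it extracts the resolvers a host is actually using from resolv.conf or `ipconfig /all` output and flags any that fall outside an allowlist of expected resolver networks. The resolver addresses, sample outputs and allowlist are constructed values.

```python
"""Audit the DNS resolvers a host is using against an allowlist.

Added example (not from the article). A DNSChanger-style infection
rewrites the router's DNS settings, so a cleaned PC can still be handed
attacker-controlled resolvers via DHCP. All addresses are constructed.
"""
import ipaddress
import re

# Networks resolvers are expected to come from (constructed sample).
ALLOWED_RESOLVER_NETS = [
    ipaddress.ip_network("192.168.1.0/24"),   # the LAN router itself
    ipaddress.ip_network("203.0.113.0/24"),   # ISP resolvers (TEST-NET-3)
]

_IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample host outputs; 198.51.100.9 is the "foreign" resolver.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP (constructed sample)
search lan
nameserver 192.168.1.1
nameserver 198.51.100.9
"""

SAMPLE_IPCONFIG = """\
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       198.51.100.9
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def resolvers_from_resolv_conf(text):
    """Extract nameserver addresses from /etc/resolv.conf-style text."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def resolvers_from_ipconfig(text):
    """Extract DNS servers from Windows 'ipconfig /all' output.

    The first server sits on the 'DNS Servers' line; further servers
    follow on continuation lines that contain only an address.
    """
    found = []
    in_dns_block = False
    for line in text.splitlines():
        if "DNS Servers" in line:
            in_dns_block = True
            m = _IPV4.search(line.split(":", 1)[1]) if ":" in line else None
            if m:
                found.append(m.group(1))
            continue
        if in_dns_block:
            stripped = line.strip()
            if _IPV4.fullmatch(stripped):
                found.append(stripped)
                continue
            in_dns_block = False
    return found


def audit_resolvers(addresses, allowed=ALLOWED_RESOLVER_NETS):
    """Return the resolvers that are outside every allowed network."""
    suspicious = []
    for addr in addresses:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            suspicious.append(addr)   # unparsable entries deserve a look
            continue
        if not any(ip in net for net in allowed):
            suspicious.append(addr)
    return suspicious


if __name__ == "__main__":
    for name, found in (("resolv.conf", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF)),
                        ("ipconfig", resolvers_from_ipconfig(SAMPLE_IPCONFIG))):
        print(name, "resolvers:", found, "suspicious:", audit_resolvers(found))
```

When the router forwards DNS for the LAN, the hosts see only the router's own address and this check passes; in that case the upstream DNS entries on the router's admin page are what must be compared against the allowlist.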

If there were ever a program that needed to be reverse engineered and published as open source, this is it – although I don't see how we could make it mandatory... On the other hand, think of the applications for controlling the behavior of second class citizens!

Microsoft Applies For "Digital Manners" Patent

Posted by samzenpus on Thursday June 12, @04:54AM from the what-mouse-do-you-use-for-salad dept. Microsoft Patents

SirLurksAlot writes

"Ars Technica reports that Microsoft has recently applied for a patent for a technology which would attempt to enforce manners in the use of cell phones, digital cameras, DVRs and other digital devices. According to the article the technology could be used to bring common social conventions such as 'No flash photography' and 'No talking out loud' to these devices by disabling features or disabling the device entirely. The article also points out that the technology could be implemented in situations involving sensitive equipment, such as in airplanes or hospitals. The patent application itself is also an interesting read, as it describes a number of possible uses for the technology, including 'in particular zones to limit the speed and/or acceleration of vehicles, to require the use of lights, to verify an indication of insurance coverage and/or current registration, or the like.' While this technology could certainly be of interest to any number of organizations one has to wonder how the individuals who own devices which obey so-called 'Digital Manners Policies' would feel about it."

Hardware hacking: “Because we copyright the (software/music/video) you can't modify your (iPhone/CD player/VCR)”

Mod Chips Found Legal In The UK

from the mod-away dept

For many years, we've wondered why some folks considered the process of mod chipping to be illegal. After all, if you own a device, why shouldn't you be able to modify it? It's not illegal to modify your computer, so why would it be illegal to modify a game console? Well, thanks to the DMCA in the US, the question wasn't entirely clear -- because console makers use encryption, they consider any modification to be a circumvention of that encryption, and the DMCA has that pesky anti-circumvention clause. In the US, it's become even more bizarre, with federal officials taking up the cause and fining mod chippers while claiming (seriously) that mod chipping was a national security issue.

Luckily, it looks like the courts in Europe are a lot more reasonable about all of this. A few years back, we noted that an Italian court ruled that mod chips were perfectly legal. And, now, a tipster alerts us to the news that a UK appeals court has found the same thing, tossing out all of the charges against a mod chip seller, noting that mod chips do not circumvent copy protection systems. Not only that, but the defendant was awarded legal fees. This is a big deal, as the lower court had found the guy, Neil Higgs, guilty for selling mod chips he had imported from Hong Kong. So, now that's Italy and the UK that recognizes modifying your gaming consoles shouldn't be illegal. Anyone else?

This will no doubt evolve from an ELIZA-like text chat to full motion 3-D video interaction (as soon as the Holodeck starts working properly). Meanwhile, it still might be interesting. - Breathing Life into the Dead

Although historical legends such as Abe Lincoln and Marilyn Monroe are long dead and gone, social media company Virsona has brought them back to life as revived virtual personas. Virsona resurrects the dead and breathes life into fictional characters via their interactive chat platform. You can actually chat with a famous figure via what is essentially instant messaging. The characters learn to interact as more information about them is input into the database—this can be done by any registered community member. Thus, as you ask the digital persona questions, it will answer using the information programmed into it. Each figure has a wiki-like data sheet page, where you can find out vital facts such as birth date and place, along with accomplishments and education. Users can also create their own virsonas for departed pets and loved ones. [Okay, that's weird... Bob]

If you have an interest/specialty you should try Google Trends... I searched for 'eDiscovery' and got evidence that the world changed late in 2006.

Google Trends

Wednesday, June 11, 2008

Sound familiar? You send your backup tapes for safe keeping and the tapes don't even make it to the vendor's office. (Seems somewhat casual to have an employee pick up the tapes in his personal vehicle.)

U of U Hospital billing records stolen; data from 2.2m patients at risk (update 1)

Tuesday, June 10 2008 @ 01:20 PM EDT Contributed by: PrivacyNews News Section: Breaches

Billing records have been stolen from a business that does work for the University of Utah Hospitals and Clinics. The records, reportedly containing data from 2.2 million patients, were stolen from an outside vendor of University of Utah Hospitals and Clinics, according to a news release from the university.

Source - Salt Lake Tribune

Update 1:

A metal box containing the backup tapes, which contained billing records for approximately 2.2 million patients and guarantors, was stolen on Monday, June 2, from a car belonging to a driver who worked for an independent storage company contracted by the health-care system. The driver violated the protocols his company had established to ensure secure data transportation.

... The billing records included patient names, related demographic information and diagnostic codes. None of the records contained credit card information. Records for a subset of 1.3 million patients also contained Social Security numbers.

The company contracted by the university to transport and store the tapes, Perpetual Storage Inc., said this is the first and only such incident in its 40-year history. It also said that the employee who left the tapes in his car had been with the company for nearly 18 years.

Nevertheless, The University of Utah Hospitals & Clinics has suspended deliveries of backup tapes to Perpetual Storage pending the review of all procedures and protocols for transporting and storing backup data.

Source - Business Wire

Interesting because it seems to be part of a Network Neutrality protest.

Security breach at Belgacom exposed

Wednesday, June 11 2008 @ 05:24 AM EDT Contributed by: PrivacyNews News Section: Breaches

Belgacom, the largest Belgian ISP, admitted today that 2,000 of its ADSL accounts were compromised earlier this year.

The company discovered details of its subscribers posted on a webpage by hackers who weren’t happy with download limits on broadband internet connections.

... Belgacom didn't communicate the security breach to its users at large, apparently to avoid panic.

Source - The Register

[From the article:

"We sent postal letters [They used 'snail mail' rather than email – rather casual wasn't it? Bob] to small groups of users since April and asked them to change passwords as a matter of precaution," Belgacom spokesperson Jan Margot told The Register. "The site was closed down immediately, and we haven't seen any abuse since then." [Translation: “We burned down the bank, and it hasn't been robbed since.” Bob]

Belgacom insists it is a minor issue. "We have 1 million ADSL users, it wasn't a big threat." [Do you know how many users were compromised? Will the hackers release 2,000 a day? Bob]

Last week HSBC was “featured” in two breach articles on the same day. Never thought that would happen again.

HSBC customer data loss probed (update)

Wednesday, June 11 2008 @ 05:28 AM EDT Contributed by: PrivacyNews News Section: Breaches

The Monetary Authority is studying HSBC's report on the loss of a computer server containing customer data, and supervisory action may be taken if the bank has breached personal data protection guidelines, Secretary for Constitutional & Mainland Affairs Stephen Lam says.

The authority received HSBC's notification on May 2 concerning the loss of a computer server containing customer data on April 26. It ordered the bank to inform affected customers, boost personal data protection and submit an incident report.

Source -

What does this mean? Perhaps it shows that crooks do try new and innovative ways to steal your money...

Speaking of HSBC.... (Hannaford update)

Wednesday, June 11 2008 @ 05:32 AM EDT Contributed by: PrivacyNews News Section: Breaches

HSBC Card and Retail Services and HSBC Bank Nevada notified [pdf] the NH Dept. of Justice in April that they had discovered "irregular activity" on one of their Forget Login Password pages. When they investigated, they found it was due to the use of a script employed by unauthorized third parties.

Of particular interest, HSBC reports that "the accounts involved in this security incident had a 95 perc match rate with the accounts compromised by the third party Hannaford Brothers breach..."

HSBC did not indicate the total number of accounts affected.

“Don't ask, don't tell” is not a viable security management technique... “We didn't notice it for THREE YEARS!?!?”

Thousands of UF students’ private records breached online

Tuesday, June 10 2008 @ 01:23 PM EDT Contributed by: PrivacyNews News Section: Breaches

The private records of 11,300 current and former University of Florida students — including names, addresses and Social Security numbers — were inadvertently made publicly accessible online.

The information was posted online between 2003 to 2005, but remained online because of an error until it was discovered during a recent routine audit, according to a UF news release.

Source -

This could be the outline of a great presentation for the White Hat club...

50 Ways to Take Back Control of Your Personal Data

Use these tips to avoid identity theft, financial loss and other crimes.

By Inside CRM Editors on June 10, 2008

Interesting statistics?

CONSUMER PARTICIPATION: A Powerful Weapon in the Fight Against Identity Theft

Wednesday, June 11 2008 @ 05:13 AM EDT Contributed by: PrivacyNews News Section: Breaches

Debix has released a study on how consumer participation in Debix Identity Protection Network can reduce the risk of ID theft. From the report:

Background: This is the largest identity theft study ever published with 259,761 consumers participating. The majority of these consumers were recent victims of data breaches in which their name, address, Social Security number, and date of birth were compromised.

This study is not based on survey questions asked to a random sampling of consumers, but rather on the electronic audit trail of live consumer transactions processed by the Debix Network over a 90-day period. Debix analyzed 30,618 Instant Authorization TM requests processed between 10/1/2007 and 12/31/2007. Instant Authorizations are secure electronic authorization requests sent from institutions to consumers via phone.

Some of their key findings:

  • Out of the 30,618 authorization requests for new lines of credit, consumers stopped 380 reported attempts of identity theft.

  • The rate of new credit account fraud that occurred when consumers participated in the decision was 0.00%, which means there were no successful attacks. This compares to an expected fraud rate of 1.05% when banks open accounts without consumer participation (source: Javelin 2007).

  • Consumers reported four incidents of identity theft that occurred when the consumer was not invited to participate in the decision. Per the above assumption, this number is likely understated, as consumers may not discover the fraudulent account for many months or even years.

Report (requires free reg.)

Ignore Ignorance. Never listen to what politicians claim a law is about – you have to actually read the words and think about it (something the politicians don't bother doing.)

June 10, 2008

Working Paper: Do Data Breach Disclosure Laws Reduce Identity Theft?

Do Data Breach Disclosure Laws Reduce Identity Theft? Sasha Romanosky, Rahul Telang, Alessandro Acquisti, Heinz School of Public Policy and Management, Carnegie Mellon University

  • "Identity theft resulted in corporate and consumer losses of $56 billion dollars in 2005, with about 30% of known identity thefts caused by corporate data breaches. Many US states have responded by adopting data breach disclosure laws that require firms to notify consumers if their personal information has been lost or stolen. While the laws are expected to reduce losses, their full effects have yet to be empirically measured. We use a panel from the US Federal Trade Commission with state and time fixed-effects regression to estimate the impact of data breach disclosure laws on identity theft over the years 2002 to 2006. We find no statistically significant effect that laws reduce identity theft, even after considering income, urbanization, strictness of law and interstate commerce. If the probability of becoming a victim conditional on a data breach is very small, then the law’s maximum effectiveness is inherently limited. Quality of data and the possibility of reporting bias also make proper identification difficult. However, we appreciate that these laws may have other benefits such as reducing a victim’s average losses [That is the true benefit Bob] and improving a firm’s security and operational practices."

The Storm Worm's Elaborate Con Game

By Jack M. Germain TechNewsWorld 06/11/08 4:00 AM PT

Security researchers at Cisco's IronPort say they've pieced together the complex con operation behind the Storm Worm, a persistent Web threat. The botnet's purpose, they say, was essentially to act as a virtual dealer of prescription -- and often bogus -- medication, sometimes enlisting work-from-home employees who thought they were doing legitimate tasks.

... IronPort announced its discovery of an online criminal ecosystem [A new term of art? Bob] comprised of illegal pharmaceutical supply chain businesses that recruit botnets to send spam promoting their Web sites. By converting spam into high-value pharmaceutical purchases, these supply chain enterprises allow the monetization of spamming botnets, providing an enormous profit motivation for botnet attacks and continuous innovation. [See, it's all economics Bob]

This has some potential. - Rich Online Timelines

So what’s the latest in social networking? The trend seems to be capturing niche audiences and markets catering to everything from nanobots to crowdsourcing movies. One of the latest of these is called Capzles which offers users the ability to create their own online time capsules and share them with the world. You can store pictures, videos, documents, music along with any other media file. Capzles offers a slick, entirely Flash based, interface that’s reminiscent of Apple’s Cover Flow. Files are organized in chronological order and you can scroll back and forth in time as is your preference. Find a file that piques your interest, and click on it for more information. You can rate each moment or file with up to five stars, add it to your Favorites, flag it or send it to a friend. And it’s absolutely free to use.

Tuesday, June 10, 2008

A vast improvement in security can't result from a half-vast regulation. Wasn't this settled in a Supreme Court case... Walker something or other? (Unless flying is probable cause?)

Your Papers Please: TSA outlaws ID-less flight

Monday, June 09 2008 @ 01:55 PM EDT Contributed by: PrivacyNews News Section: Fed. Govt.

In a major change of policy, the Transportation Security Administration has announced that passengers refusing to show ID will no longer be able to fly. The policy change, announced on Thursday afternoon, will go into force on June 21, and will only impact passengers who refuse to produce ID. Passengers who lie and claim to have lost or forgotten their proof of identity will still be able to fly. [Typical Bob]

Source - C|net

Continuing illustration of the Management Does Not Know syndrome.

Study: IT execs report lack of license compliance

Unlicensed software is in use in 44 percent of environments, according to a King Research study

By Chris Kanaracus, IDG News Service June 09, 2008

Sixty-nine percent of the respondents to a King Research study said they are unsure whether they are in full compliance with the terms of their software licenses, and 44 percent reported that unlicensed software is in use in their environments.

I've mentioned that portable devices are entering the workplace – here's an article on how to secure them.

How to make the new iPhone work at work

Apple's new SDK,3G handheld and iPhone 2.0 software should make it even easier to bring next-gen mobile to your enterprise. Here's what you need to know

By Galen Gruman June 10, 2008

So, where to begin gearing up the iPhone for use at work? How can you satisfy executive demands to make the iPhone fit for corporate essentials while maintaining security and manageability? For those looking to get a jump on business-enabling the iPhone, here's a handy guide on what's currently possible and how to get it done, as well as what is promised to be supported in the 2.0 software and 3G iPhone due in July. (Note that everything here applies to the iPhone's voiceless cousin, the iPod Touch with the January 2008 software update for the 1.x versions and the July 2008 2.0 update, which will cost $10 for current iPod Touch users.)

Related. Soon, all textbooks will be on these devices.

Looks Like a Million To Me: How I Realized that Amazon’s Kindle and Sony’s E-Reader Were Exceeding Sales Estimates

June 9, 2008 By Evan Schnittman

When the Kindle first launched there was plenty of predictions about how it and its predecessor the Sony Reader would sell. Over time the chatter died down, halted partly by the Kindle going out of stock. At the end of April, the chatter returned and hit full volume after last week’s Book Expo America in Los Angeles. The catalyst was Jeff Bezos’ speech, which let out some tantalizing, yet cryptic information on ebook sales volume at the Kindle store. The chatter, as reported in the NY Times, has publishers and others speculating that Amazon has sold somewhere between 10,000 - 50,000 Kindles.

I think all the speculations are completely wrong. By my calculations, combined sales of the Amazon Kindle and the Sony Reader will be 1,000,000 units in 2008. This estimate is based on solid data.

Think of it as a Terrorist's Target Acquisition Device... - Mobile Signals Tell Where's Hot

Here’s another cool app that’ll either make you salivate or quiver in fear of the Orwellian implications. CitySense is a new downloadable application for your Blackberry (iPhone coming soon) that lets you find out where the party’s at. How? This is the Orwellian bit. CitySense uses technology from its parent company Macrosense which is able to track billions of bits of data based on cell phones, GPS, WiFi and much more. So by sensing where people are, and then by using Yelp or Google to link to that location, you can find out where’s popular or not. The popular clubs, bars etc appear as a red blotch on the map. What’s more, once you use it long enough, it learns what you like and hooks you up with people like you. Currently, the results are only available in San Francisco.

Ethics & e-Discovery Shouldn't it be obvious that significant thought should be put into an e-Discovery plan?

Hundredth Blog: Thoughts on SEARCH and Victor Stanley, Inc. v. Creative Pipe, Inc.

... careful planning ... is the core message of the hot case of the day, Victor Stanley, Inc. v. Creative Pipe, Inc., 2008 WL 2221841 (D. Md., May 29, 2008).

... Lawyers need to treat search and review seriously, and either take the time necessary to become adept in this complex area, or employ experts who are. If not, the consequences can be devastating, as Victor Stanley shows. The defendants waived their attorney-client and work product privileges to 165 ESI files by their botched search and review before production.

[Note: This is 165 documents out of 39 gigabytes of ESI. The article also lists many obvious failures on the part of the defendant's legal team. (Why does that make me giggle?) Bob]

June 09, 2008

Introduction to Information Retrieval

"This is the companion website for the following book. Christopher D. Manning, Prabhakar Raghavan and Hinrich Schütze, Introduction to Information Retrieval, Cambridge University Press. 2008. This "is the first textbook with a coherent treatment of classical and web information retrieval, including web search and the related areas of text classification and text clustering. Written from a computer science perspective, it gives an up-to-date treatment of all aspects of the design and implementation of systems for gathering, indexing, and searching documents and of methods for evaluating systems, along with an introduction to the use of machine learning methods on text collections. Designed as the primary text for a graduate or advanced undergraduate course in information retrieval, the book will also interest researchers and professionals. A complete set of lecture slides and exercises that accompany the book are available on the web."

Think of it as e-Stocks?

Better Response To Crimes On YouTube: Force The Criminals To Apologize On YouTube

from the much-better-response dept

We keep seeing stories of proposed legislation to make it a crime to post video evidence of yourself committing a crime. This seems totally backwards. If the person is posting evidence of themselves committing a crime, that makes it that much easier for the police to capture them. Giving them reasons not to post evidence of their own crime seems backwards -- and even some of those advocating these laws seem to implicitly recognize this fact.

It appears one judge has a much more reasonable response in a case involving some kids who committed a dumb act and put the video evidence on YouTube: part of their punishment is to also post a video apology on YouTube. If the idea behind putting the video up on YouTube was to get some "fame" for filming themselves doing something stupid, shaming them on YouTube seems a lot more sensible than adding additional criminal charges.

This probably doesn't apply to my take on blogging... (Although I do enjoy pointing out the stupid managers.)

Blogging Now Good for You, Still Bad for Some

Posted by ScuttleMonkey on Monday June 09, @02:01PM from the join-the-eggs-and-cholesterol-club dept.

Several users have alerted us to a May Scientific American article that has been getting some attention more recently. Apparently, blogging is now good for you and, at least in this context, is the suggested reason for the explosion of blogging. This is quite the departure from some of the results we have seen in practice for more prolific bloggers.

Tools & Techniques

OSWA Assistant - Wireless Hacking & Auditing LiveCD Toolkit

June 9, 2008 – 6:20 am

The OSWA-Assistant is a no-Operating-System-required standalone toolkit which is solely focused on wireless auditing. As a result, in addition to the usual WiFi (802.11) auditing tools, it also covers Bluetooth and RFID auditing. Using the toolkit is as easy as popping it into your computer’s CDROM and making your computer boot from it!

You can download OSWA Assistant here:

oswa-assistant.iso Or read more here.

More sites than I knew about, but still only keywords in titles. - Vast Video Search Engine is a search site that checks out over 100 video sites at once to provide users with a large array of videos from a specific search. Sites searched include the biggies, like YouTube and MySpace, and some of the smaller players too, like StupidVideo and ShowMeHowTo. Users click on the site they wish to search, having the option to select all of the video search engines, if they so choose. Because so many different sources are consulted, search results are varied and vast. The process is also consolidated and effort is drastically reduced, seeing as all the work is brought into one single location.