Saturday, August 09, 2008

I think this has not already been reported here.

Stanadyne employee information on stolen laptop

Posted by Evan Francen at 8/8/2008 11:11 AM

Reference URL: The New Hampshire State Attorney General breach notification

[From the letter:

Stanadyne maintains records of information contained in laptop computers. This information is updated each time the laptop is connected to the company computer network. We are confident in our knowledge of the contents of the stolen laptop. [Doesn't this sound much better than “We don't know?” Bob]

Is there an April Fool's Day in the Netherlands?

NL: Dutch police notify botnet victims

Saturday, August 09 2008 @ 06:42 AM EDT Contributed by: PrivacyNews

Police in the Netherlands have claimed a world first after warning victims whose computers were infected by a botnet that was shut down last week. The victims will be forwarded to a special web page offering instructions on cleaning up their systems.

Source - Computerworld UK. Props, Fergie's Tech Blog

[From the article:

Users with infected systems are automatically sent a special page [a technique learned from phishers. Bob] when they log onto the internet. The page offers instructions on disabling the botnet, as well as a link to Kaspersky's online virus scanner and a request to file charges [“Would you like to join our lynch mob?” Bob] against the botnet herder, a 19-year-old man from the Dutch city of Sneek [This is a “Sneeky” guy? (Sneeker?) Bob] who was arrested last week.

... "This might initiate other actions in neighboring countries, so we can continue doing this in a coordinated fashion throughout the European Union," Willems told Webwereld, an IDG affiliate. "That would be a good way to fight these crimes." [With as many police-warning bots hijacking our browsers as the bad-guy bots? Bob]

An alternate opinion on the TJX mess. (I think everyone under-reacted.) Also interesting because it looks like this lawyer is paid to blog. (I'm available at reasonable rates.)

Credit Card Issuers Over-reacted to TJX (commentary)

Saturday, August 09 2008 @ 06:20 AM EDT Contributed by: PrivacyNews

... TJX settles with VISA & Mastercard issuers for $65 million, whereas the actual reported fraud is only a tiny fraction of that amount. Further, when card issuers cancelled all those cards, they alarmed and inconvenienced millions of cardholders to excess.

To be sure, a final accounting for the TJX fraud has not been made, at least to the public. However, public information suggests the costs incurred to cancel cards far exceeded the true magnitude of the TJX break-in.

In other words, the credit card issuers over-reacted.

Source - Electronic Data Records Law blog

Related. For your background researchers...

Friday, August 08, 2008

TJX Update: The San Diego Indictments

[Which points to:

Nothing here is unique to China. My students could do any of the hacks mentioned in the “warning.” The techniques mentioned should be used every day at home, but likely are not.

US Warns Olympic Visitors of Chinese Cyber-Spying

Posted by ScuttleMonkey on Friday August 08, @03:30PM from the these-concerns-aren't-chinese-specific dept.

An anonymous reader writes to tell us the US Government has issued a strong warning to travelers headed to the Beijing Olympics (PDF) with respect to electronic data. Part FUD, part awareness, the CBS article reads like 1984, urging travelers to treat all electronic devices (from fax to cellphone and back) as compromised, and proceeds to talk about China's aggressive cyber-espionage programs.

"China is one of a number of countries pushing active cyber-espionage programs aimed primarily at cracking U.S. national security computers and stealing corporate trade secrets. Billions have already been lost. In addition, cyber-gangs and criminals, many based in Asia, have stolen bank accounts and credit card numbers from an untold number of Americans."

US warns US citizens of FBI spying?

FBI Apologizes to Post, Times

Saturday, August 09 2008 @ 06:03 AM EDT Contributed by: PrivacyNews

FBI Director Robert S. Mueller III apologized to two newspaper editors yesterday for what he said was a recently uncovered breach of their reporters' phone records in the course of a national security investigation nearly four years ago.

Mueller called the top editors at The Washington Post and the New York Times to express regret that agents had not followed proper procedures when they sought telephone records under a process that allowed them to bypass grand jury review in emergency cases.

Source - Washington Post

[From the article:

In the case of the four reporters highlighted yesterday, FBI spokesman Michael P. Kortan said, "No investigative use was made of the records, and they have now been removed from the FBI's databases." [Does this mean “no one ever looked at this data?” or “We investigated, but found nothing useful?” Bob]

... Bureau officials said yesterday that, in an effort to prevent recurrences, they recently reminded agents in charge of field offices and their top lawyers that requests for news media records involve special rules. [Translation: They would never apologize for obtaining my records... Bob]

Related? (and I love lists!) Be sure to read the comments!

15 Great, Free Privacy Downloads

Saturday, August 09 2008 @ 06:09 AM EDT Contributed by: PrivacyNews

One of the worst privacy invaders the world has ever seen is the Internet. When you surf, Web sites can find out where you've been and can gather other information about you. Trojan horses and spyware can snoop on you. Key loggers can capture your keystrokes as you type. Eavesdroppers can steal your passwords.

It doesn't have to be that way. The 15 downloads presented here can protect you. You'll find firewalls, password protectors, rootkit killers, trace cleaners, anonymity securers, and more. So check them out, and help yourself to a safer online experience. (Note that the 15 downloads we look at here don't include any antivirus and antispyware programs. We figured that we've covered those packages well enough elsewhere. So instead, we focus on tools you might not have heard about.)

Source - PC World

There's “opt in” and then there's “You damn well better opt in” Looks like the Credit Card companies are looking for ways to reduce their losses...

Net Shoppers Bullied Into "Verified By Visa" Program

Posted by kdawson on Friday August 08, @01:13PM from the not-exactly-optional dept. Security The Almighty Buck

bluefoxlucid writes

"According to The Register, several banks are forcing users to opt-in to the Verified by Visa optional service by locking their cards if and when they encounter a Verified by Visa participating site and fail to opt-in. Register reader Steve says, 'This seems like a strange way to implement a voluntary system. On most of the retailers' websites there is no clue that you are about to be challenged by Verified by Visa until you attempt to complete the transaction. This means that you trigger the "fraud protection" unintentionally. And when you have located a retailer who doesn't require Verified by Visa to complete a purchase, you can't because your account is on hold.' Further, '[I]n some cases resetting the password is all too easy. Fraudsters know this and go after these credentials which, once obtained, make it harder for consumers to deny responsibility for a fraudulent transaction. Phishing scams posing as Verified by Visa sites have sprung up targeting these login credentials.'"

[From the article:

Both Verified by Visa (VbyV) and MasterCard's SecureCode services are designed to add an extra layer of security to credit or debit card purchases, and work using 3D Secure protocol checks. Each is designed to reduce the likelihood of fraudulent transactions while transferring the liability for bogus transactions from merchants who run purchases through the system back towards banks and other card issuers.

... One card issuer, MBNA, told Steve that you are only able to avoid enrolling by clicking "not at this time" three times.

Interesting, but I can imagine a number of false positives – every narcotics officer, for example.

Fingerprint Test Tells Much More Than Identity

Posted by kdawson on Friday August 08, @12:30PM from the i-know-what-you-touched-last-summer dept.

Mike sends in the story of a new fingerprint technology with interesting potential for both crime detection and rights violations; there are also intriguing possibilities in fighting cancer.

"Using a variation of mass spectrometry called 'desorption electrospray ionization' or 'Desi,' a fingerprint can identify what the person has been touching — drugs, explosives, or poisons, for example. Writing in the Friday issue of the journal Science, R. Graham Cooks, a professor of chemistry at Purdue University, and his colleagues describe how the technique could find a wider application in crime investigations. As it becomes cheaper and more widely available, the Desi technology has potential ethical implications, Cooks said. Instead of drug tests, a company could surreptitiously check for illegal drug use of its employees by analyzing computer keyboards after the employees have gone home, for instance."

“Security is as security does.” F. Gump The manufacturers must hate articles like this, but they are inevitable. Perhaps they should have someone besides marketing evaluate their products?

Researchers Crack Medeco High-Security Locks With Plastic Keys

By Kim Zetter August 08, 2008 2:19:51 PM

... "Virtually all conventional pin-tumbler locks are vulnerable to this method of attack, and frankly nobody has really considered it or looked at it before," says Marc Weber Tobias, one of the researchers.

The researchers showed Threat Level how they could create the simulated keys from plastic simply by scanning or photographing a Medeco key, printing the image onto a label and placing the label onto a credit card or other plastic to cut out the key with an X-Acto blade or scissors and then use the key to open a lock covertly.

One of those areas colleges (and industry) are addressing by sponsoring “experience labs” like our White Hat Hacker Club...

Open source technology is hungry for new college grads

By Amber Gillies on August 08, 2008 (9:00:00 PM)

Interesting tool. I don't allow comments on my Blog because I don't want to spend time in discussion (and because my blog is really an online archive, not a true blog). - Comment About Anything

Don’t you just hate blogs that don’t allow you to comment? If you’re like me, then you should see what you can do over at The site will allow you to comment on any site you want to. Just log onto the site and search for the site you want to comment on. If people have already commented on it, you’ll be able to leave your two cents on there for everybody to discuss. This site could put a stop to comment censorship. Most of the time, if you leave a negative comment about an article or post on a blog, they might just take it down. Since the site is in no way affiliated with others, on there you’ll find everything from people praising a site to people putting it down. You can track the comments people make about your site through an RSS feed, or by adding the Firefox extension.

A somewhat fluffy overview of Cloud Computing, but worth reading

How Cloud Computing Is Changing the World

A major shift in the way companies obtain software and computing capacity is under way as more companies tap into Web-based applications

by Rachael King

Related. One interesting application of Cloud Computing

Researchers look to cloud computing to fight malware

CloudAV combines 10 antivirus engines and two behavioral detection ones into one service aimed at trapping malicious software

By Jeremy Kirk, IDG News Service August 08, 2008

... CloudAV uses a muscular approach, combining 10 antivirus engines and two behavioral detection ones into one service.

... "Antivirus engines have complementary detection capabilities, and a combination of many different engines can improve the overall identification of malicious and unwanted software," according to CloudAV.

... The research paper was authored by Jon Oberheide, Evan Cooke and Farnam Jahanian of the Electrical Engineering and Computer Science Department at the University of Michigan.
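To make the "complementary detection capabilities" claim concrete, here is an added Python sketch (not CloudAV's own code; engine names, verdicts and ground truth are constructed) that scores a single engine against k-of-n aggregation over the same verdicts: the union catches what any one engine misses, and requiring two concurring engines drops the lone false positive.

```python
# N-version antivirus aggregation, in the spirit of CloudAV's "many engines"
# idea. Added example: not CloudAV's code. Engine names, verdicts and the
# ground truth below are constructed for illustration.

SIGNATURE_ENGINES = ["sigA", "sigB", "sigC", "sigD"]
BEHAVIORAL_ENGINES = ["behavX", "behavY"]
ALL_ENGINES = SIGNATURE_ENGINES + BEHAVIORAL_ENGINES

# Constructed verdicts: sample name -> set of engines that flagged it.
# Each signature engine misses something another catches; only the
# behavioral engines flag the freshly packed sample with no signature yet;
# one engine raises a lone false positive on a benign admin tool.
VERDICTS = {
    "known_worm.exe":     {"sigA", "sigB", "sigC", "behavX"},
    "old_trojan.dll":     {"sigB", "sigD"},
    "packed_unknown.exe": {"behavX", "behavY"},
    "clean_tool.exe":     {"sigA"},
    "notepad.exe":        set(),
}

# Constructed ground truth, used only to score the policies.
TRUTH = {
    "known_worm.exe": True,
    "old_trojan.dll": True,
    "packed_unknown.exe": True,
    "clean_tool.exe": False,
    "notepad.exe": False,
}


def single_engine(engine, verdicts=VERDICTS):
    """Decisions a host running only this one engine would make."""
    return {sample: engine in flagged for sample, flagged in verdicts.items()}


def aggregate(verdicts=VERDICTS, k=1):
    """k-of-n policy: flag a sample when at least k engines flagged it.

    k=1 is the plain union (maximum coverage, every false positive kept);
    k=2 needs corroboration, which drops single-engine false positives.
    """
    return {sample: len(flagged) >= k for sample, flagged in verdicts.items()}


def evaluate(decisions, truth=TRUTH):
    """Return (true positives, false positives) for a set of decisions."""
    tp = sum(1 for s, flagged in decisions.items() if flagged and truth[s])
    fp = sum(1 for s, flagged in decisions.items() if flagged and not truth[s])
    return tp, fp


def best_single_engine(verdicts=VERDICTS, truth=TRUTH):
    """The engine that, on its own, detects the most malicious samples."""
    return max(ALL_ENGINES,
               key=lambda e: evaluate(single_engine(e, verdicts), truth)[0])


if __name__ == "__main__":
    best = best_single_engine()
    print("best single engine:", best, evaluate(single_engine(best)))
    for k in (1, 2, 3):
        print(f"{k}-of-{len(ALL_ENGINES)} aggregate:", evaluate(aggregate(k=k)))
```

With these constructed verdicts the best lone engine finds 2 of 3 malicious samples, the union finds all 3 but keeps the false positive, and the 2-of-6 policy finds all 3 with none.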

I doubt it's a Kindle Killer, but it's another indication that handhelds are the future.

Free Software Turns the iPhone Into an E-Book Reader

By Charlie Sorrel, August 08, 2008 9:57:32 AM

Related. The trend toward cell phones that act like Personal Assistants... This site is rather trivial, but there is no reason you couldn't attach your phone to your accounting software (to record any transaction). It already serves as your checkbook. - Track Your Gas Mileage

Through the site, you’ll be able to keep up on how much you’re spending on fuel, in order to start doing something about it. The thing that makes the site unique is the fact that you can access the service through your mobile phone.

Thank god! I've needed this for those British and Australian Blogs! - RSS Blog Translator

If you’ve ever come across a blog that you find interesting, but is in another language you’re having a hard time understanding, then you should take a look at Through the site, you’ll be able to translate any RSS feed into one of the 24 languages offered.

Interesting collaborative tool, education oriented but don't take that as a limitation.


Sakai Collaborative and Learning Environment (CLE)

Friday, August 08, 2008

After years and years and hundreds of laptop thefts you would think that a bank (at least) would require encryption...

Bank of America laptop stolen; customer data compromised

Thursday, August 07 2008 @ 01:56 PM EDT Contributed by: PrivacyNews

A Bank of America laptop containing customer information including names, account numbers and social security numbers was stolen from a bank facility.

Bank spokesperson Betty Riess would not say how many customers were affected or what location the laptop was taken from.

“It’s still part of an ongoing investigation, but I can tell you it’s a very small number,” she said.

The laptop contained encryption software, [If there was any reason to believe the “encryption software” had actually been used, this report would not have been required. Bob] and there was no evidence that any customer’s information had been accessed so far, she said.

Source - Times Herald Record

Perhaps scam means something else in Ireland... We would call this a hack.

Ie: Hundreds of credit card owners hit by online scam

Friday, August 08 2008 @ 05:17 AM EDT Contributed by: PrivacyNews

HUNDREDS of bank customers have had their credit cards cancelled following the latest international scam to hit the financial services sector.

Personal banking details of hundreds of customers were compromised after thieves hacked into the online database of one of the country’s leading retailers.

The scam was discovered on Wednesday night after the fraudsters attempted to use the credit card details to test if the cards were valid.

It is likely hackers got credit card details by getting into the retailer’s website or obtaining details from an employee, according to the Irish Payment Service Organisation (IPSO). IPSO’s head of card services Una Dillon confirmed a large number of Irish cards were compromised.

Source - Irish Examiner

If you collect “more than minimal”(?) data, you have a “more than minimal” duty to protect it.

UK: BBC loses personal details of hundreds of children

Thursday, August 07 2008 @ 04:47 PM EDT Contributed by: PrivacyNews

The BBC has apologised to parents and started an investigation after a memory stick containing the personal data of hundreds of children was stolen.

Parents have been sent a letter by the BBC informing them that details such as the names, addresses, mobile phone numbers and dates of birth of children who applied to take part in a cookery show had been taken. The stolen data also included details of when children and their parents would be away on holiday. [Attention burglars! Bob]

Source - Times Online

For the “We can, therefore we must” ethics debate. What justifies publishing this data?

Rex Smith: Pay data worth taking a few knocks (editorial)

Friday, August 08 2008 @ 05:30 AM EDT Contributed by: PrivacyNews

... This week, we’re doing something we think is required by the honorable pursuit of our work, knowing some readers won’t agree with our decision.

Like some newspapers in other states, and a few in New York, we are publishing the entire state public payroll online. Everybody who drew a paycheck last year from New York state and from 108 state-chartered public authorities … 375,000 names … is now listed at You can make your own spreadsheets and become a data analyst.

We understand that if your name is on one of those payrolls, you may be annoyed. Never mind that somewhat less complete versions of the payroll already have been posted by the Empire Center, a conservative think tank, and by the five newspapers in the Gannett chain in this state. If the Times Union is your newspaper, this may strike you as an intrusion.

Source - Times Union

[From the article:

... because we believe it’s something taxpayers are entitled to see.

... What we offer you now was pieced together from separate requests filed with DiNapoli’s staff. [Aggregation Bob]

No useful details (sorry hackers) and a lot of “that can't be right” comments. We'll have to wait and see.

Vista's Security Rendered Completely Useless

Posted by kdawson on Friday August 08, @08:08AM from the bypassing-memory-protection-safeguards dept.

scribbles89 sends in a story with that alarmist headline from; it does sound like it could be a game-changer.

"While this may seem like any standard security hole, other researchers say that the work is a major breakthrough and there is very little that Microsoft can do to fix the problems. These attacks work differently than other security exploits, as they aren't based on any new Windows vulnerabilities, but instead take advantage of the way Microsoft chose to guard Vista's fundamental architecture. According to Dino Dai Zovi..., 'the genius of this is that it's completely reusable. They have attacks that let them load chosen content to a chosen location with chosen permissions. That's completely game over.'"

This, not “Skynet” or “Colossus”, is how the computers will take over.

Computer Beats Pro At US Go Congress

Posted by kdawson on Friday August 08, @08:52AM from the going-going-gone dept. Programming Games

Bob Hearn writes

"I was in attendance at the US Go Congress match yesterday where history was made: the go program MoGo, running on an 800-core supercomputer, beat 8-dan professional go player Myungwan Kim in a 9-stone handicap game. Most in the audience were shocked at the computer's performance; it was naturally assumed that the computer would be slaughtered, as usual. Go is often seen as the last bastion of human superiority over computers in the domain of board games. But if Moore's law continues to hold up, today's result suggests that the days of human superiority may be numbered."

Read below for more details in Bob's account of the match.

Related? Granted, I'm a Sci-Fi fan, but apparently there are people working on these issues.

When Laws Can't Keep Up With Technology: Future Lawsuits To Worry About

from the well,-it'll-keep-the-lawyers-busy dept

We were just talking about how copyright law has been unable to keep up with technology changes, but that's not the only law that rapidly changing technology is already impacting. As the pace of technology innovation continues to increase, things are only going to get even more troublesome -- leading to all sorts of legal conundrums to deal with. Parker Mason alerts us to a post at Science Fiction blog io9, which tries to predict five future lawsuits that are likely to come about as a result of certain technology advances. These involve questions about things from the liability of artificial intelligence to the privacy of your thoughts due to brain scanning. If you want one sure thing, it's that there will be no shortage of work for lawyers.

Related? “We can, therefore we must?”

Hacker Claims Apple Can Spy On iPhone Users, Disable Apps Remotely

Posted by Eric Zeman, Aug 7, 2008 10:42 AM

Apple may have opened up the iPhone to third-party applications, but it is keeping a very close eye on those apps. According to hacker Jonathan Zdziarski, the iPhone can "phone home" to tell Apple what apps are installed, and if Apple doesn't like what it sees on your iPhone, it can kill the offending application.

Oh man. Apple, please tell me you didn't open this can of worms for real.

... MacRumors suggests that Apple will most likely only use this functionality to kill malware or other code it deems dangerous. But what about unsanctioned applications that are downloaded to unlocked iPhones? Will Apple keep tabs on the applications that unlocked iPhone users download and install? Will it kill apps it doesn't like, even if the user has paid for it?

All these questions remain unanswered.

The bigger one that lingers in my mind is, if Apple is keeping tabs on the applications I am downloading, what else is it keeping tabs on? My phone calls? My text messages? My browsing history? The type of content I chose to consume? I surely hope not, as that's a major breach of privacy.

About time!

Ohio Sues Over Missing Electronic Votes

Posted by timothy on Thursday August 07, @06:47PM from the oh-it-was-only-a-few-votes dept. The Courts Bug Security United States Politics

dstates writes

"The Columbus Post Dispatch reports that the State of Ohio is suing Premier Election Systems (previously known as Diebold) over malfunctions in electronic voting machines. Election workers found that votes were 'dropped' in at least 11 counties when memory cards were uploaded to computer servers. The same voting machines are used nationwide. The company blames a conflict between their software and antivirus software for the problem and says that an advisory was issued on the subject. The Ohio lawsuit contends that the company made false representations and failed to live up to contractual obligations and seeks punitive damages."

Phishers have bad security? Have these thieves no honor!

How Phishers Think, Act, and Make a Profit

Posted by timothy on Thursday August 07, @09:29PM from the good-laugh-at-your-expense dept.

whitehartstag writes with a write up of "the excellent session at Black Hat that detailed 'how phishers create sites, share info and code, and basically are lazy.' They store their stolen data 'on websites that they have hacked into, or on [publically available] sites like guestbooks. And even worse, they are not protecting their stolen data ... which means that all one needs to do to find this info is to reverse engineer a real phisher's website, look at their PHP script, and find out where they are storing the data.'"

[From the article:

Then simply go there and grab the stolen data. Anyone can find an active phishing site by visiting, a well known site that hosts info on known bad phishing sites, similar to a URL blacklist site.

Why do we design procedures to be followed? (Didn't the OJ trial teach us anything?)

Police reopen 7,000 cases after DNA error

Thu Aug 7, 11:20 AM ET

Australian police will re-examine 7,000 crimes solved through DNA evidence after a mistake forced detectives to free a suspect wrongly accused of murder.

... Police last month said a DNA sample taken from the murder scene, where Margaret Tapp was strangled and her daughter Seana raped and later killed, matched Gesah after comparison with 400,000 other DNA profiles on a national database.

Gesah was arrested and faced court, but a later check found the DNA evidence used against him was taken elsewhere and mistakenly tested with samples from the Tapp murder scene.

Overland said every crime solved by DNA in the state since the testing technology was introduced 20 years ago would now be reviewed to check no other bungles had occurred.

Geek tools

Linux Foundation launches killer development tool

By Steven J. Vaughan-Nichols on August 07, 2008 (5:30:00 PM)

The Linux Foundation has just released a beta of a new program, Linux Application Checker (AppChecker), that's going to make ISVs and other programmers start to love developing for Linux.

... AppChecker then checks your program not only against different versions of the Linux Standard Base (LSB), but also against all the Linux distributions in the LSB Database. After the test is done it will present you with a report. It's this report that makes AppChecker special.

In the Web-based report, you're shown the compatibility status of your application with the various distributions, and which external libraries and interfaces your program uses. If all goes well, it gives you the option of putting your program in for LSB certification straight from the test program.

Are we devolving? If so, perhaps we should provide more opportunities for individuals to earn a “Darwin Award” not fewer.

Kinder surprise egg facing ban in Germany: reports

Thu Aug 7, 4:54 AM ET

Despite being a massive hit with children and adults alike, German lawmakers want to ban Kinder surprise eggs on safety grounds, press reports said on Thursday.

... "Children cannot tell the difference between a toy and food," the Welt newspaper cited Miriam Gruss from the commission as saying.

... The commission is also looking at forcing youngsters to wear cycle helmets and making schoolbooks lighter so children don't injure themselves or tire themselves out carrying them around all day, the paper added.

For my Security students (and the hacker club) – think of it as an advanced degree?

'A-Z' and Other Celebrity Hackers (Gallery)

by Terrence O'Brien, posted Aug 6th 2008 at 7:12PM

... It's an increasingly popular job, according to Nick Newman, a computer crime specialist, who told USA Today: "All you need is a computer, Internet access and programming skills, and now you have a viable career path in front of you."

And, if you check out our gallery of other notorious electronic criminal masterminds, you'll see that many of them parlayed their hacking experience into some pretty decent legit jobs when they got out of prison!

Thursday, August 07, 2008

Another serial-security-screwup?

Security breach at S&K Menswear website: The Real Deal

Wednesday, August 06 2008 @ 04:24 PM EDT Contributed by: PrivacyNews

Wednesday, we're learning of yet another breach, this time at S&K Menswear. Here's The Real Deal.

Steve Hurn bought some suits online from S&K Menswear about a year ago. He was happy with them, until he got a letter from the FBI.

“They said that there had been thousands of people who did business with S&K and that all their information had been compromised,” says Hurn.

Source - WSYR-TV

Related - S&K breach notification letter

Comment: this appears to be related to the same incident reported on in December 2007.

Interesting in this context: Credit cards stolen in the US are shipped (emailed) to other countries where authorization is not immediate. Is this a case of the reverse? Or perhaps it indicates a “card swap” between gangs?

ID thefts at England Air Force bases total $70G

Wednesday, August 06 2008 @ 07:42 PM EDT Contributed by: PrivacyNews

Thieves spent $650 on a shopping spree at Bloomingdale's in New York City and more than $1,100 at various Canadian businesses in just two cases of identity theft reported in the past month within Air Force communities in England.

Sixty-six victims reported losses totaling $37,917 at RAF Lakenheath from July 5 to Aug. 5.

Victims' bank accounts were hacked and duplicate debit cards were created to make purchases all over North America, from Canada to Mexico and throughout the States, according to statistics provided by Lakenheath's 48th Security Forces Squadron.

Approximately 150 identity theft incidents totaling about $70,000 were reported within the RAF Mildenhall and Lakenheath communities in the past month, according to Air Force investigators.

Source - Stars and Stripes

BreachBlog does a nice job of research, again.

127 UCLA Medical employees implicated in privilege abuse

Posted by Evan Francen at 8/6/2008 11:42 AM

Breach Description:

"LOS ANGELES (AP) — More than 120 workers at a Los Angeles hospital looked at celebrities' medical records and other personal information without permission between January 2004 and June 2006 — nearly double the number initially reported earlier this year, according to a state report."

Reference URLs: The Mercury News, USA Today, Los Angeles Times, AHN

... The California Department of Public Health also found that nearly twice as many medical center employees as had previously been reported peeked at confidential medical records at UCLA.

[Evan] If the state had not audited the hospital, would these breaches have ever been noticed? I am not a big fan of government oversight or additional laws and regulations, but this breach may present a valid argument to support them. When an organization does not adequately protect sensitive information, the consequences sometimes end up costing us all more.

More detail on an earlier report.

Malicious Botnet Stole Bank, Credit Union Credentials (updated)

Wednesday, August 06 2008 @ 03:35 PM EDT Contributed by: PrivacyNews

The researcher who first discovered a motherlode of stolen enterprise user names and passwords in June has found that nearly 9,000 of them are bank and credit-card account credentials from around the world that were grabbed by an old but crafty botnet. And it turns out the initial 50 gigabytes' worth of data that included 463,582 passwords on the crime server is only about one-fourth of the total number of accounts stolen by the so-called Coreflood botnet.

Source - Dark Reading

Update: GCN reports that the cache of stolen data contained user ids and passwords for:

  • 8,485 bank accounts

  • 3,233 credit card accounts

  • 151,000 e-mail accounts

  • 58,391 social networking site accounts

  • 4,237 online retailer accounts

  • 416 stock trading accounts

  • 869 payment processor accounts

  • 413 mortgage accounts, and

  • 422 finance company accounts

[From the GCN article:

The Trojan apparently has been around since 2002, when it was being used for distributed denial of service attacks. It has since evolved to selling anonymity services and to full-fledged bank fraud.

I'm glad I can have an impact on national security.

Chertoff: I'm Listening to the Internet (Not in a Bad Way)

By Ryan Singel August 06, 2008 | 8:28:51 PM

Enjoy your trip to the Olympics... Hope they let you leave.

Beijing Olympics Visitors To Come Under Widespread Surveillance

Thursday, August 07 2008 @ 07:40 AM EDT Contributed by: PrivacyNews

The government has installed about 300,000 cameras in Beijing and set up a network to spy on its citizens and foreigners.

Source - Hartford Courant

Fodder for the conspiracy theorists?

August 06, 2008

DOJ Releases Documents on the Anthrax Investigation

AP - US: Ivins solely responsible for anthrax attacks

Press release: "As the Department indicated last week and has been widely reported, substantial progress has been made in the Amerithrax investigation in recent years. As you know, this investigation into the worst act of bioterrorism in U.S. history has been one of the largest and most complex ever conducted by the FBI. The U.S. Postal Inspection Service has also made an extraordinary contribution to this investigation. Over the past seven years, hundreds of thousands of agent-hours have been dedicated to solving this crime.

Ordinarily, we do not publicly disclose evidence against a suspect who has not been charged, in part because of the presumption of innocence. But because of the extraordinary and justified public interest in this investigation, as well as the significant public attention resulting from the death of Dr. Bruce Edwards Ivins last week, today we are compelled to take the extraordinary step of providing first, the victims and their families, as well as Congress, and the American public with an overview of some recent developments as well as some of our conclusions.

Earlier today, several search warrant affidavits were unsealed in federal court in the District of Columbia. Among other things, these search warrants confirm that the government was investigating Dr. Ivins in connection with the attacks, which killed five individuals and injured 17 others in 2001. Dr. Ivins was a resident of Frederick, Maryland, and a long-time anthrax researcher who worked at the U.S. Army Medical Research Institute for Infectious Diseases, known as USAMRIID. Dr. Ivins died of an overdose on July 29, 2008, and, at the time of his death, was the sole suspect in the case."

“It is better to look secure than to be secure.” This assumes TSA doesn't confiscate your laptop for copying. I now have reports of three laptop confiscation incidents on domestic flights.

TSA To Allow Laptops In Approved Bags

Posted by CmdrTaco on Wednesday August 06, @11:21AM from the security-theater dept. Transportation Security

mnovotny writes

"TIME is reporting that TSA will be allowing laptops in approved bags through security checkpoints. 'The new rules, announced Tuesday and set to take effect Aug. 16, are intended to help streamline the X-ray inspection lines. To qualify as "checkpoint friendly," a bag must have a designated laptop-only section that unfolds to lie flat on the X-ray machine belt and contains no metal snaps, zippers or buckles and no pockets.'"

Don't you feel safer? I wish an independent 3rd-party group could get together and see what they could get through security without being arrested for the experiment. So little of what the TSA is doing is any more than illusion.

“It is better to look secure than to be secure” “We need this totally insecure system to protect your security!”

Cloned e-passports fiasco renews calls for £4.7bn ID card scheme to be axed

Wednesday, August 06 2008 @ 04:40 PM EDT Contributed by: PrivacyNews

Opposition MPs accused the Government last night of being naive in believing that new microchipped passports would be foolproof against criminals involved in identity theft.

After The Times disclosed that new passports could be cloned and manipulated in minutes and would then be accepted as genuine, MPs also gave warning of serious implications for the security of the Government's £4.7 billion identity card scheme.

Source - Times Online Related - ‘Fakeproof’ e-passport is cloned in minutes

Thanks to Brian Honan for the link.

“It is better to look secure than to be secure”

Hacking electronic-toll systems

Thursday, August 07 2008 @ 05:43 AM EDT Contributed by: PrivacyNews

Electronic toll systems like FasTrak and E-ZPass may be convenient for drivers, but they are rife with privacy risks, a security expert said Wednesday at the Black Hat 2008 security conference.

... The transponder ID, which lacks encryption, could be wiped and switched with that of a device from a different car used in a crime, such as for alibi purposes, he said. [Sounds like a project for the Forensics Majors... Bob]

The e-toll systems also pose a risk in that a driver's movements could be tracked in real time, and e-toll operators have already been served with subpoenas seeking customer information, Lawson said.

Source - C|net

and one more “It is better to look secure than to be secure”

August 7, 2008

Hacking Mifare Transport Cards

London's Oyster card has been cracked, and the final details will become public in October. NXP Semiconductors, the Philips spin-off that makes the system, lost a court battle to prevent the researchers from publishing.

The latest “We can, therefore we must” technology? What happens if you need rapid (eco-unfriendly) acceleration to avoid an accident and the car resists?

Nissan Puts the Meddle to the Pedal

By Keith Barry August 06, 2008 | 3:00:00 PM

... The ECO Pedal, for those of you who haven't already complained about it, is a device that causes a reactive force in the gas pedal when the car senses the driver is accelerating too rapidly for optimum fuel economy. In other words, if you push too hard, it pushes back.

Turn student papers into a file for your iPod? I think not! (Might be useful when writing – what does your speech/article sound like?) - Turn Text Into Audio (mp3) is a website that allows you to turn up to 3000 characters of text into audio files. This could come in handy for college students who want to take less time to learn their lessons. Using the site is easy. Just copy the text into the text box, choose the voice you want to dictate the text, and click on Start Conversion.

... you can also take Spanish language texts and put them into sound. This could be a great tool for people learning Spanish to use for better understanding texts and things of that nature.

Your only option when your favorite sport is Synchronized Underwater Basket Weaving...

Watch the Olympics Online

With opening ceremonies kicking off Friday, August 8, we have compiled a list of online destinations for getting your fix of the summer sporting events.

Wednesday, August 06, 2008

Well, well, well. It looks like yesterday's FTC Consent Order was issued just in time (I'm sure it was pure coincidence). But an entirely new thread of the story begins. Let's see if TJX has been truthful in its (very limited) disclosures.

U.S. charges 11 in theft of TJX customer data

Tuesday, August 05 2008 @ 12:39 PM EDT Contributed by: PrivacyNews

The U.S. Justice Department said on Tuesday it has charged 11 people in the theft of tens of millions of credit and debit card numbers of customers shopping at major U.S. retailers, including TJX Cos Inc.

The U.S. Attorney in Boston said those charged were involved in the theft of more than 40 million credit and debit card numbers.

Source - Reuters

[From the article:

The U.S. Attorney in Boston said those charged were involved in the theft of more than 40 million credit and debit card numbers from retailers that included: BJ's Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW Inc. [Maybe things aren't as resolved as I had assumed. TJX alone lost 95 million card numbers. (The article says 45.7 but that was only the initial number reported) This looks like a small fraction, suggesting there was at least one other hacker. Bob]

The charges target three people from the United States, three from the Ukraine, two from China, one from Estonia and one from Belarus. [The Internet facilitates “Virtual Gangs” as easily as it does any collaborative project. Bob]

Gonzalez, who is being held by New York authorities on another computer hacking-related charge, was charged with computer fraud, wire fraud, access-device fraud, aggravated identity theft and conspiracy, authorities said.

He faces life in prison if convicted of all charges. [What does that work out to be on a “per card” or “per dollar” basis? Bob]


Remarks Prepared for Delivery by Attorney General Michael B. Mukasey at the Identity Theft Press Conference

Tuesday, August 05 2008 @ 01:40 PM EDT Contributed by: PrivacyNews

Seems related, but no idea what letters they are talking about. TJX sent letters only to those whose drivers licenses were compromised if I recall correctly. Are these new victims?

Identity Theft Victim Letters Go Out

Last Update: 7:10 am

(Washington) -- On Tuesday, notices go out to people whose identities have been compromised in a huge computer hacking case.

Ignorance is bliss, but sometimes confusing... This from a sidebar article:

Online Fraud: How to Identify It and Fight Back

Tips on How to Recognize Fraud and Protect Yourself

August 5, 2008

[From the caption:

According to a federal investigation, conspirators of a retail identity theft ring used blank magnetic strips to withdraw thousands of dollars from people's bank accounts at ATM machines. [I have to assume the crooks write the stolen data onto the blank stripes. No ATM would be that easy to hack... Would they? Bob]

After praising Anheuser-Busch for encrypting their data, now I wonder what else they haven't disclosed...

150,000 hit by brewer data theft (A-B update)

Tuesday, August 05 2008 @ 02:38 PM EDT Contributed by: PrivacyNews

About 150,000 people in the US have been affected by the theft of laptops with personal information about current and former employees of brewing giant Anheuser-Busch.

A letter sent by the St Louis, Missouri-based brewer to the Florida Attorney General's Office said the laptops, stolen in June, contained personal information on nearly 87,500 residents, including current and former employees, and more than 3,000 people involved in employee assistance programmes, either as recipients or providers.

The state of California was notified that nearly 55,000 of its residents were affected, said Abraham Arredondo, a spokesman for the attorney general's office there.

In all, residents in at least six states: Florida, New Hampshire, Virginia, Missouri, Texas and California are involved.

Source - The Press Association

Comment: it always seems worse when the entity isn't forthcoming about numbers and people find out from required disclosures to state attorneys general. Hopefully the day will come when companies just tell us straight out what the numbers are. -- Dissent.

Oops, they did it again... “I'll see your 150,000 victims and raise you 40,000” Any other bidders?

Data for over 190,000 at risk (A-B update)

Wednesday, August 06 2008 @ 06:25 AM EDT Contributed by: PrivacyNews

The number of people nationwide affected by the theft of laptops with personal information about current and former employees of Anheuser-Busch Cos. Inc. has grown to more than 190,000.

About 45,000 people in Virginia have been affected, an increase from previous estimates of 2,250, said J. Martin Tucker, a spokesman for the attorney general's office on Tuesday.

Source - Chicago Tribune

Tools and Techniques: How the big boys do it.

Russian Gang Hijacking PCs in Vast Scheme

Wednesday, August 06 2008 @ 06:25 AM EDT Contributed by: PrivacyNews

A criminal gang is using software tools normally reserved for computer network administrators to infect thousands of PCs in corporate and government networks with programs that steal passwords and other information, a security researcher has found.

... The system infects PCs with a program known as Coreflood that records keystrokes and steals other information. The network of infected computers collected as much as 500 gigabytes of data in a little more than a year and sent it back to the Wisconsin computer center, Mr. Stewart said.

... As part of his investigation, Mr. Stewart charted the rate of computer infections at a state police agency and a large hotel chain. Both were victims of an outbreak that began after the gang obtained the password and login information of their network administrators. In both cases hundreds or thousands of computers were infected within minutes or hours.

Source - NY Times

[From the article:

One of the unique aspects of the malicious software is that it captures screen information in addition to passwords, according to Mark Seiden, a veteran computer security engineer. That makes it possible for gang members to see information like bank balances without having to log in to stolen accounts. [Why waste time on the small accounts? Bob]

Gee, we can feel confident again! The people who are doing background checks used their incredible research powers to find the laptop that was under their noses the entire time. Or was it? Again, if I wanted to slip by TSA security, putting my name (or alias) on the database of “not second-class citizens” would certainly help.

SFO: Laptop reported stolen from airport found

Tuesday, August 05 2008 @ 01:44 PM EDT Contributed by: PrivacyNews

A laptop that contains the personal information of some 33,000 customers of an airport fast-pass program was found this morning after being reported stolen from San Francisco International Airport on July 26, a spokeswoman for the company that runs the program said.

Allison Beer, a spokeswoman for Verified Identity Pass Inc., said the laptop was found this morning in the same secured room at the airport that it went missing from and that officials are working to determine whether any of the data was compromised.

Officials are also investigating the circumstances surrounding the laptop's reappearance, she said.

Source -

A Lot More At Stake In TorrentSpy vs. MPAA Email Snooping Lawsuit

from the wiretapping-laws dept

For a few years now, we've been covering the battle between TorrentSpy and the MPAA. While TorrentSpy has given in and shut down on the question concerning the operations of its business, there was a separate legal question that is still being fought in court. As we noted recently, TorrentSpy has appealed the judge's ruling that the MPAA didn't break any laws in gaining access to its executives' emails. As you may recall, the MPAA hired a guy who hacked into TorrentSpy's servers to send copies of all the emails to himself first, which he then sold to the MPAA (he later regretted this decision and confessed to TorrentSpy, which is what resulted in the lawsuit in the first place). When the issue first came up in court, the MPAA played dumb, and pretended that it assumed the guy had legal access to the emails.

While this may seem like just a straight privacy case, the EFF, along with the ACLU and others, have filed a brief noting that there's much more at stake here. Specifically, the EFF is concerned that the court ruled that since the email messages were not technically "intercepted" under the wiretap act, due to the fact that the emails were stored, however briefly, on a mail server before they were copied and re-forwarded. In other words, as the EFF points out, if you have access to any server that handles a message as it travels across the internet, it's not "intercepted" for you to read that message. That has huge and very dangerous implications for any sort of internet wiretapping -- suggesting that as long as the government routed all communications through its own machines, it could read everything without a warrant. This case is about a lot more than a BitTorrent tracker battling the MPAA.

Apparently I need to take a legal research class; I couldn't find their definition of “online merchant.” Do they mean someone like Amazon or e-Bay, or is it broad enough to include a business that has a “storefront” on the Internet but still has 200 transactions a year?

Housing bill raises tax, fingerprint privacy concerns

Tuesday, August 05 2008 @ 05:40 PM EDT Contributed by: PrivacyNews

The whopping housing bill that President Bush signed into law last week does far more than merely address the nation's real estate woes. Some sections have raised serious privacy concerns.

Tucked in near the end of the Housing and Economic Recovery Act is a requirement that banks and online payment networks annually collect and report to the IRS electronic payments made to online merchants. It takes effect in 2011, and will affect what information companies like PayPal collect from their sellers and could raise privacy and auditing complications.

Source - C|net

[From the article:

The housing bill also finalized the SAFE Mortgage Licensing Act. As CNET previously reported, the provision creates a national fingerprint registry of "loan originators"--essentially anyone involved in the mortgage industry.

E-Discovery: An interesting discussion of the technology used to identify users when dynamic addressing is used.

Tufts Tells Judge, We Can't Tie IP To MAC Addresses

Posted by kdawson on Wednesday August 06, @05:21AM from the we're-cooperatin'-here dept. The Courts

NewYorkCountryLawyer writes

"Protesting that Tufts University's DHCP-based systems 'were not designed to facilitate forensic examinations,' but rather to ensure 'smooth operations and to manage capacity issues,' the IT Office at Tufts University has responded to the subpoena in an RIAA case, Zomba v. Does 1-11, by submitting a report to the judge (PDF) explaining why it cannot cross-match IP addresses and MAC addresses, or identify users accurately. The IT office explained that the system identifies machines, not users; that some MAC addresses have multiple users; that only the Address Resolution Protocol system has even the potential to match IP addresses with MAC addresses, but that system could not do so accurately. For reasons which are unclear, the IT department then suggested that the RIAA next time send them 'notices to preserve information,' in response to which they would preserve, rather than overwrite, the DHCP data, for the RIAA's forensic benefit."
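The correlation problem the Tufts IT office describes, as an added Python example that is not part of the Slashdot post or the university's report: constructed DHCPACK log lines (a simplified dhcpd-like format with the lease length appended), a lookup of which MAC address held a given IP at a given instant, and how a lease gap, clock skew between the log and the complainant's timestamp, and a shared machine each prevent the log from naming one user. The log lines, the MAC addresses and the `REGISTERED_USERS` table are all made up for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed DHCP server log lines; sample data for this example only,
# not records from Tufts or from the Zomba v. Does filing.
SAMPLE_LOG = """\
2008-07-01 08:00:00 DHCPACK on 10.1.2.50 to aa:bb:cc:dd:ee:01 lease 3600
2008-07-01 08:00:05 DHCPDISCOVER from aa:bb:cc:dd:ee:03 via eth0
2008-07-01 09:05:00 DHCPACK on 10.1.2.50 to aa:bb:cc:dd:ee:02 lease 3600
2008-07-01 09:30:00 DHCPACK on 10.1.2.51 to aa:bb:cc:dd:ee:03 lease 3600
2008-07-01 10:10:00 DHCPACK on 10.1.2.50 to aa:bb:cc:dd:ee:02 lease 3600
"""

# Constructed host-registration table: the second machine is a shared lab PC.
REGISTERED_USERS: Dict[str, List[str]] = {
    "aa:bb:cc:dd:ee:01": ["alice"],
    "aa:bb:cc:dd:ee:02": ["lab-user1", "lab-user2", "lab-user3"],
}

TS_FMT = "%Y-%m-%d %H:%M:%S"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DHCPACK on (?P<ip>\S+) "
    r"to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) lease (?P<secs>\d+)$"
)


@dataclass(frozen=True)
class Lease:
    start: datetime
    end: datetime  # exclusive: the lease has expired at this instant
    ip: str
    mac: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FMT)


def parse_leases(text: str) -> List[Lease]:
    """Turn DHCPACK lines into lease intervals; other log lines are skipped."""
    leases = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        start = parse_ts(m["ts"])
        end = start + timedelta(seconds=int(m["secs"]))
        leases.append(Lease(start, end, m["ip"], m["mac"]))
    return leases


def candidate_macs(leases: List[Lease], ip: str, at: datetime,
                   skew: timedelta = timedelta(0)) -> List[str]:
    """MACs whose lease on `ip` could have covered the instant `at`.

    `skew` widens the instant into a window to allow for clock disagreement
    between the DHCP server and whoever recorded the complaint timestamp.
    Empty result: no surviving lease record. Two or more: the log cannot
    single out one machine.
    """
    lo, hi = at - skew, at + skew
    hits = {l.mac for l in leases if l.ip == ip and l.start <= hi and lo < l.end}
    return sorted(hits)


def candidate_users(leases: List[Lease], ip: str, at: datetime,
                    skew: timedelta = timedelta(0),
                    registry: Dict[str, List[str]] = REGISTERED_USERS) -> List[str]:
    """A MAC identifies a machine, not a person: expand candidate machines
    into every user registered for them."""
    users = set()
    for mac in candidate_macs(leases, ip, at, skew):
        users.update(registry.get(mac, ["<unregistered machine>"]))
    return sorted(users)


def lookup(ip: str, ts: str, skew_minutes: int = 0, log: str = SAMPLE_LOG) -> List[str]:
    """Convenience wrapper: query a log with a timestamp string."""
    return candidate_macs(parse_leases(log), ip, parse_ts(ts), timedelta(minutes=skew_minutes))


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LOG)
    print("in a lease gap, no record:", lookup("10.1.2.50", "2008-07-01 09:02:00"))
    print("same instant, 5 min skew:", lookup("10.1.2.50", "2008-07-01 09:02:00", 5))
    print("shared machine:", candidate_users(leases, "10.1.2.50", parse_ts("2008-07-01 09:30:00")))
```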

Looks like an attendee shot this video, but still worth viewing. Any organization should have a “wish list” and someone who evaluates current events to see when parts (or all) of the list has a chance of being implemented... (I wish every seminar did this.)

Lessig Predicts Cyber 9/11 Event, Restrictive Laws

Posted by kdawson on Tuesday August 05, @06:56PM from the waiting-for-the-other-shoe dept.

A number of readers are sending in links to a video from the Fortune Brainstorm Tech conference last month, in which Lawrence Lessig recounts a conversation over dinner with Richard Clarke, the former government counter-terrorism czar. Remembering that the Patriot Act was dropped on Congress just 20 days after 9/11 — the Department of Justice had had it sitting in a drawer for years — Lessig asked Clarke if DoJ had a similar proposed law, an "i-Patriot Act," to drop in the event of a "cyber-9/11." Clarke responded, "Of course they do. And Vint Cerf won't like it." Lessig's anecdote begins at about 4:30 in the video.

Seems like political balderdash to me. If the payroll system was programmed to even a moderate level of competence the problems described wouldn't be possible. Perhaps they should outsource the state's payroll – allowing them to save even more money by firing the entire payroll department! (I'll send Arnold an e-mail)

California Can't Perform Pay Cut Because of COBOL

Posted by kdawson on Tuesday August 05, @02:41PM from the handwaving-only-gets-you-so-far dept. Programming Government The Almighty Buck

beezzie writes

"Last week, California Governor Arnold Schwarzenegger ordered a pay cut, to minimum wage of $6.55/hr, for 200,000 state workers because a state budget hadn't been approved yet. The state controller, who has opposed the pay cut on principle and legal grounds, now says the pay cut isn't even feasible because the state's payroll systems are so antiquated. He says it would take 6 months to go to minimum wage, and 9 months more to restore salaries once a budget is passed. The system is based on COBOL, according to the Sacramento Bee, and the state hasn't yet found the funds or resources, in 10 years of trying, to upgrade it."

The article quotes a consultant on how hard it is to find COBOL programmers; he says you usually have to draw them out of retirement. Problem is, if there were any such folks on the employment rolls in California, Gov. Schwarzenegger fired them all last week, too.

[From the article:

Forrer said the system has tens of thousands of lines of code, so it is time-consuming to find and replace salaries for each job classification on an individual basis. [Anyone who programs variable data like pay rates into the program code (rather than an external table) should be shot. Bob]


Your Medical Treatment History Is For Sale

Posted by kdawson on Tuesday August 05, @03:32PM from the slippery-cliff dept. Privacy Medicine

PizzaFace writes

"The Washington Post reports on the booming business of selling your medical treatment records. Today these are mainly records of your prescriptions, but the data warehouses will soon have records of your lab tests, too. The companies selling these records make it easy for insurance companies to avoid risk by assigning each person a health score, similar to a credit score, or by flagging items in each person's history that suggest chronic or potentially expensive health problems. It's not just for insurers, either; employers who check applicants' credit scores will surely be interested in their health scores as well."

This is one of them thar “Slippery Slopey Thangs.” Rather than set a Maximum, let's call it a minimum and then never exceed it! And it reduces competitive pressure, since we can all say “my minimum is just as good as your minimum...”

Google backs ISP-guaranteed minimum data rates

By Nate Anderson | Published: August 04, 2008 - 10:39PM CT

Blood in the water always attracts sharks

IBM Pushing Microsoft-Free Desktops

Posted by kdawson on Tuesday August 05, @07:50PM from the straight-for-the-jugular dept.

walterbyrd and other readers are sending along the news that IBM is partnering worldwide with Canonical/Ubuntu, Novell, and Red Hat to offer Windows-free desktop PCs pre-loaded with Lotus software and ready for customizing by local ISVs for particular markets. The head of IBM's Lotus division is quoted: "The slow adoption of Vista among businesses and budget-conscious CIOs, coupled with the proven success of a new type of Microsoft-free PC in every region, provides an extraordinary window of opportunity for Linux." One example of the cooperation:

"Canonical, which sells subscription support for Ubuntu, a Linux operating system that scores high marks on usability and 'the cool factor,' will re-distribute Lotus Symphony via their repositories. Symphony 1.1 will be available through the Ubuntu repositories by the end of August."

Thank god someone invented this technology! Where would the free world be without it!

IBM Granted "Paper-or-Plastic?" Patent

Posted by kdawson on Wednesday August 06, @02:46AM from the not-the-onion dept. Patents IBM

theodp writes

"On Tuesday, IBM was granted US Patent No. 7,407,089 for storing a preference for paper or plastic grocery bags on customer cards and displaying a picture of said preference after a card is scanned. The invention, Big Blue explains, eliminates the 'unnecessary inconvenience for both the customer and the cashier' that results when 'Paper or Plastic?' must be asked. The patent claims also cover affixing a cute sticker of a paper or plastic bag to a customer card to indicate packaging preferences. So does this pass the 'significant technical content' test, IBM'ers?"

Geeky hacker stuff

WiFi software arrives on Linux desktops

Aug. 05, 2008

A vendor of Linux-based WiFi arrays is finally releasing a version of its WiFi Monitor utility for Linux desktops. The open source, widget-like Xirrus WiFi Monitor for Linux enables users to monitor, secure, and troubleshoot WiFi networks, says Xirrus.

WiFi Monitor has been available as a free utility for Windows Vista, Windows XP, and MacOS platforms for some time, and has been downloaded a half million times, claims Xirrus.

I love lists! Ones that point to interesting data in particular.

Presentation Files

Open Source Presentations From OSCon


5 Known Office Suites for Linux

Tuesday, August 5, 2008

An interesting business model to add to my collection... - Get Money For Taking Jobs

Imagine a world where you can get money by just accepting a job. That might sound farfetched to some, but that is what is all about. Like in any other job search site, you’ll be able to find jobs posted on there. The catch is, that once you accept a job you found through the site, you’ll get up to 7.5% of your first month’s salary as a hiring bonus. This allows employers who post jobs up on the site to quickly find people to take them. It also allows the site to control how many people are actually finding jobs through them. [and receive extra compensation for it Bob] Companies can pay the site to feature them on it. Basically, by giving the job applicant money once he or she accepts the job, they make sure that the company that just hired you pays them for the job. It’s a surprisingly simple concept that works for everybody.

Hacking on the “Dark Side”

High-tech Peeping Tom rigged laptop webcam to snap nude pics

By Jacqui Cheng | Published: August 05, 2008 - 01:38PM CT

... Her friends recommended going to a student at the University of Florida who was known for his computer-fixing skills, 23-year-old Craig Matthew Feigin. She left the machine with him overnight and went on her way—until she noticed her computer having new issues several weeks later. In addition to reduced battery life, Garcia told the Gainesville Sun that her laptop's light turned on every time she got near it—a light that many of us know signals that the built-in camera is in use.

Garcia then took her machine to another computer expert—a trusted friend this time—who discovered that Feigin had installed two pieces of software onto her machine: Log Me In and Web Cam Spy Hacker. Web Cam Spy Hacker may have been written by Feigin himself (the address on the site was the same as his home address), and it allowed him to upload the various photos taken on the machine to a remote server. Unfortunately for Garcia, that included 20,000 photos of her, her friends, and her boyfriend. Since the laptop mostly resided in her bedroom, some of them were taken while she was not clothed.

For my website class

The Ultimate CSS Reference

Posted by samzenpus on Monday August 04, @02:21PM from the read-all-about-it dept.

stoolpigeon writes

"Cascading Style Sheets are now the dominant method used to format web pages

... There is an online edition of The Ultimate CSS Reference and as far as I can tell, it is completely open to use by anyone without any kinds of restrictions. I couldn't find any in my copy of the book, and I didn't have to sign up for anything to use the site.

Ditto (also for teachers)

Is the world ready for Flash for dummies? Absolutely

Posted by Charles Cooper August 5, 2008 4:00 AM PDT

... The project recently moved out of beta testing and is being offered in a free general release as well as a professional version for $195 per seat.

Double ditto? This is horrible. I'll probably have to download a few (hundred) to prove my point.

Textbook Torrents Makes Long Awaited Comeback

Written by Ernesto on August 05, 2008

The Textbook Torrents tracker is considered to be the largest library of textbooks on BitTorrent.