Saturday, August 22, 2009

Why steal 100 million card numbers? How else is a poor crook to make a living...

Stolen credit card data cheap on cyber-black market

August 21, 2009 by admin Filed under Commentaries and Analyses

The black market economy of the cyber-world is always busy, especially in an age of massive data breaches like the ones that occurred at Heartland Payment Systems and Hannaford Brothers.

According to research from Kaspersky Lab posted Aug. 17, U.S. credit cards are not worth as much as you might think. While analyzing malware, Kaspersky Lab virus analyst Dmitry Bestuzhev came across a Website with pricing information for the credit cards swiped by cyber-crooks. The highest prices belonged to German credit cards, which sold for $6 (USD) apiece. U.S. Visa cards sold for $2.

Read more on eWeek

Much ado about something?

Flickr v. Free Speech. Where Is Their Courage?

by Michael Arrington on August 21, 2009

… Flickr really stepped in it this time. And they’ve sparked a free speech and copyright fascism debate that is unlikely to cool down any time soon.

Sometime last week they took down a photoshopped image of President Obama that makes him look like the Heath Ledger (Joker) character from The Dark Knight.

Thomas Hawk has a good overview of some of the other details, but the short version is the image was removed by Flickr sometime last week “due to copyright-infringement concerns.”

People are angry over the takedown. There are lots of pictures mocking President Bush on a Time Magazine cover on Flickr that haven’t been removed. And of the Heath Ledger Joker character.

(Related) At last, a business model for cheap Internet music?

Yahoo wins appeal of music-streaming case

by Tom Krazit August 21, 2009 4:45 PM PDT

A three-judge panel ruled Friday that Yahoo will not have to pay up every time it plays a song on its Internet radio service, affirming an earlier verdict.

In what is being seen as a defeat for the music industry, Yahoo Music was not deemed "interactive" enough to require the company to negotiate with record companies for the rights to play songs over the Internet. Instead, according to Reuters, it merely has to pay licensing fees to digital music rights organization SoundExchange.

(Related) If it's stupid and it works, it ain't stupid.

YouTube Search-and-Delete Code Makes Money for Rights-Holders

By Eliot Van Buskirk August 21, 2009 9:47 am

You know how digital music works: People get sued, content gets deleted, startups go bankrupt. But with its ContentID program YouTube has created a mechanism that makes it just as easy for copyright owners to make money from unauthorized uploads as to order them deleted, the system’s design purpose. And they are starting to get with the program.

In an area known for bitter lawsuits and hastily issued take-down notices, this is that rarest of birds: a feel-good digital music story. YouTube accomplished this by writing what Lawrence Lessig calls “East Coast code” (in this case, copyright law) into “West Coast code” (computer code).

… Every minute, the world uploads roughly 20 hours of video to Google’s YouTube site, according to Zamost. Here’s what happens when it encounters YouTube’s ContentID system.

Interesting conclusions?

Why AT&T Killed iPhone Google Voice

Posted by CmdrTaco on Friday August 21, @05:54PM from the doesn't-take-a-genius dept.

ZuchinniOne writes

"The Wall Street Journal has a very interesting article about the likely reasons that AT&T and Apple killed the Google Voice application. 'With Google Voice, you have one Google phone number that callers use to reach you, and you pick up whichever phone--office, home or cellular--rings. You can screen calls, listen in before answering, record calls, read transcripts of your voicemails, and do free conference calls. Domestic calls and texting are free, and international calls to Europe are two cents a minute. In other words, a unified voice system, something a real phone company should have offered years ago.'"

[From the article:

What this episode really uncovers is that AT&T is dying. AT&T is dragging down the rest of us by overcharging us for voice calls and stifling innovation in a mobile data market critical to the U.S. economy.

Is it okay to be an idiot on your own time? Perhaps an article outlining the legal implications would be useful?

Uncouth Facebook postings closing doors for job candidates

More employers than ever are researching job candidates on sites like Facebook, MySpace, and Twitter in order to find out more about their activities and character. And, it turns out, many candidates are doing a great job of showing their potential bosses poor communication skills, inappropriate pictures, and even how many workplace secrets they can leak.

By Jacqui Cheng Last updated August 20, 2009 3:02 PM CT

(Related) Would we (the US) call this bullying? Isn't it Assault?

Teen becomes first jailed in U.K. for cyberbullying

by Chris Matyszczyk August 21, 2009 12:10 PM PDT

… In Worcester Magistrates Court of England, an 18-year-old woman was allegedly sent to three months in a young-offenders institute after being found guilty of posting death threats on Facebook, according to the Daily Mail. It's thought to be the country's first jail sentence for cyberbullying.

Anyone think Microsoft will turn this into an ad for Internet Explorer?

Criminals Prefer Firefox, Opera Web Browsers

Posted by CmdrTaco on Friday August 21, @06:37PM from the choosy-criminals-choose-chimera dept.

An anonymous reader writes

"Security researchers at Purewire have leveraged vulnerabilities in malware infrastructure to track the criminals behind it. In a three-month long project, they used security flaws in exploit kits to get operators to expose themselves (Obnoxious interstitial ad between link and content) when they access the kits' admin control panels. Data collected shows that 50% of those tracked use Firefox, while 25% use Opera."

Tools & Techniques This is cool. My website students will love it...

3DBin is a new technology that allows our customers to enhance their profits by providing high quality 360-view pictures on their web sites.

To Begin, you just have to take several pictures around an object you want to make the 360 view image of with any kind of camera and upload the photos to our web site.

Then 3DBin automatically processes your snapshots. Through technology developed by us, it is now possible to automatically determine the form and parameters of objects from snapshots.

The processed snapshots are aligned together and converted into a flash file so the viewer can see the object from all sides.

Friday, August 21, 2009

A bit more information on the case and an exam question or two for my Forensics students

In Gonzalez Hacking Case, a High-Stakes Fight Over a Ukrainian’s Laptop

By Kim Zetter August 20, 2009 4:21 pm

When Turkish police arrested Maksym “Maksik” Yastremskiy — a Ukrainian wholesaler of stolen identity data — in July 2007, they didn’t just collar one of the most-wanted cybercriminals in the world. They also got a trove of evidence about Yastremskiy’s buyers and suppliers, all locked in an encrypted vault on his laptop computer.

Now federal prosecutors are hoping to introduce a copy of Yastremskiy’s files in its case against accused hacker Albert “Segvec” Gonzalez. Chat logs and other information on the disk allegedly show that Gonzalez was Yastremskiy’s major supplier of credit and debit card numbers.

But Gonzalez’s attorney is fighting to keep the data, and similar information seized from a server in Latvia, far away from the New York court room where Gonzalez is scheduled to stand trial next month on the first of three federal indictments. The argument unfolding over the disks illustrates the challenges and controversies of using electronic evidence gathered in foreign jurisdictions, and sheds more light on the unusual methods used to investigate what authorities have called the largest identity theft case in U.S. history.

… One notable revelation in the government’s own filings (.pdf) is that Yastremskiy’s arrest did not mark the first time the Secret Service gained access to his computer files. On June 14, 2006 the Secret Service worked with local authorities to conduct a “sneak-and-peek” search of Yastremskiy’s laptop while he was traveling through Dubai, in the United Arab Emirates. The agency secretly obtained a copy of the man’s hard drive in the search.

The government says that stealth operation is irrelevant now, because it doesn’t plan on introducing the data from the sneak-and-peek at trial — only the data taken in Turkey at Yastremskiy’s arrest. But defense attorney Rene Palomino, Jr., says the earlier search may have been unlawful, and could have legally tainted the case: The disk image may have been used by U.S. authorities to obtain a provisional arrest warrant for Yastremskiy in California, and it was that warrant that led Turkish authorities to arrest him and seize his laptop.

In a court filing this month, the lawyer is asking (.pdf) for an evidentiary hearing to, among other things, “determine the extent to which the arrests and seizures were causally motivated by the prior sneak-and-peek conducted by the USSS in Dubai.”

Also at issue is the procedure used by Turkish authorities to recover data from the laptop. While U.S. forensics examiners routinely make a bit-for-bit copy of a seized hard drive and leave the original undisturbed, there’s evidence that Turkish police tried to install software on the laptop in order to change the Windows password on the machine. Additionally, access times on some 3,000 files were disturbed. The hard drive broke while in Turkish custody, and was later deemed irreparable by the Secret Service.

… Cronos employee Ivars Tenters imaged the server and gave it to the LVS, who gave it to the Secret Service. About two weeks later, on June 6, U.S. authorities submitted a mutual legal assistance treaty request for the physical server itself, and Tenters disassembled it and passed it to Latvian prosecutors who gave it to U.S. authorities in September.

Palomino points out that the hash value of the Latvian server provided by prosecutors in the New York case is different from the hash value for the same server provided by authorities in the Massachusetts case against Gonzalez. [In other words, something was changed... Bob] He argues that Gonzalez has a right to cross-examine Tenters and the LVS officers about the chain-of-custody of the data and the server.

Palomino says the foreign police were acting as agents of the Secret Service, and thus there should be some Fourth Amendment protection for the searches in Latvia and Turkey, and that foreign authorities should be required to show that they adhered to local legal requirements for searches and seizures as well.

The feds counter (.pdf) that Gonzalez has no Fourth Amendment protection on the server in Latvia, because he’s never acknowledged it belongs to him, [Can the Fed assert it does and still claim he gets no protection? Bob] and the informant gave them the password and permission to search it. Gonzalez also doesn’t have protection for the laptop in Turkey, because it belongs to Yastremskiy, a non-U.S. person.
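
The hash mismatch and chain-of-custody dispute described in the article above can be made concrete with a small added example (not from the article or the case filings): each custody handoff records a SHA-256 of the image plus per-block digests, so a later mismatch can be traced to the first handoff where it appears and to the blocks that changed. The holder names, the 4096-byte block size and the sample image are constructed for illustration.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass

BLOCK = 4096  # piecewise-hash block size (assumed value for this example)


def image_digest(image: bytes) -> str:
    """SHA-256 over the whole image: the single value a custody form records."""
    return hashlib.sha256(image).hexdigest()


def block_digests(image: bytes, block: int = BLOCK) -> list[str]:
    """SHA-256 of each fixed-size block, used to localise a change."""
    return [hashlib.sha256(image[i:i + block]).hexdigest()
            for i in range(0, len(image), block)]


@dataclass
class CustodyEntry:
    holder: str        # who held the image at this step (hypothetical names)
    digest: str        # whole-image hash recorded at the handoff
    blocks: list[str]  # per-block hashes recorded at the handoff


def record(holder: str, image: bytes) -> CustodyEntry:
    """Create the custody record a holder would file on receiving the image."""
    return CustodyEntry(holder, image_digest(image), block_digests(image))


def changed_blocks(a: list[str], b: list[str]) -> list[int]:
    """Block numbers that differ, including blocks present on one side only."""
    n = max(len(a), len(b))
    return [i for i in range(n)
            if i >= len(a) or i >= len(b) or a[i] != b[i]]


def first_divergence(log: list[CustodyEntry]):
    """Compare every entry with the acquisition entry (log[0]).

    Returns (index, holder, changed block numbers) for the first entry whose
    whole-image hash no longer matches, or None if the chain is intact.
    """
    if not log:
        return None
    base = log[0]
    for idx, entry in enumerate(log[1:], start=1):
        if entry.digest != base.digest:
            return idx, entry.holder, changed_blocks(base.blocks, entry.blocks)
    return None


def sample_image() -> bytes:
    """Constructed 16 KiB stand-in for a disk image."""
    return bytes((i * 31 + 7) % 256 for i in range(4 * BLOCK))


def build_sample_log() -> list[CustodyEntry]:
    """Constructed chain: one byte is altered before the last handoff."""
    original = sample_image()
    altered = bytearray(original)
    altered[9000] ^= 0xFF  # a single flipped byte, e.g. an updated timestamp
    return [
        record("acquisition", original),
        record("transfer-1", original),
        record("transfer-2", bytes(altered)),
    ]


if __name__ == "__main__":
    hit = first_divergence(build_sample_log())
    if hit is None:
        print("chain intact")
    else:
        idx, holder, blocks = hit
        print(f"hash first differs at entry {idx} ({holder}); blocks {blocks}")
```

A whole-image hash only says that something changed; the per-block digests narrow it to a region of the image, which is the starting point for asking who held the evidence when the change occurred.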

Just a point for management to consider. The main justification for laptop computers (which are more expensive than desktops of similar capacity) is that they allow employees to take work home. Obviously these computers weren't taken home, so why did you spend the extra (taxpayer) money on laptops?

Computers stolen from Cal State L.A.

August 20, 2009 by admin Filed under Breach Incidents, Education Sector, Theft, U.S.

More than a dozen computers have been stolen from California State University, Los Angeles, sparking concerns over possible identity theft.

Officials say on Aug. 1 someone broke a window in the office of the university’s Minority Opportunities in Research program and stole 14 computers, two desktops and 12 laptops.

The computers contain the names, social security numbers and addresses of more than 600 students and faculty members.

Read more on KABC

I don't think they're tapping my phone, I think they're tapping the Judge's phone. And remember, I worked with these guys for a few years...

Judge rejects challenge to overseas wiretap law

August 21, 2009 by Dissent Filed under Court, Featured Headlines, Legislation, Surveillance, U.S.

A judge rejected a challenge to a law letting the United States eavesdrop on overseas conversations Thursday, saying fears by Americans that their conversations will be monitored and their rights violated were ”purely subjective.”

U.S. District Judge John Koeltl ruled that the latest version of the Foreign Intelligence Surveillance Act could not be challenged by attorneys, journalists and human rights organizations unless they could show their own communications had been affected. [Which they can't because the evidence (if any) is classified. Bob]


The law was challenged by Amnesty International, Human Rights Watch, a group of international criminal defense lawyers and an organization of women, among others.

Read more from the Associated Press in The New York Times.

Looks like it's shaping up to be a good year for the guys who sell trojans to the bad-but-not-as-smart guys.

August 20, 2009

New Release Identifies Proliferation of ID Theft Malware

"PandaLabs issued a release on the proliferation of identity theft malware during times of economic crisis. Our research found that the number of users affected by malware designed for identity theft has increased 600 percent this year compared to the same time in 2008. PandaLabs receives nearly 37,000 samples of new viruses, worms, Trojans and other types of Internet threats each day. Of these, 71 percent are Trojans, mostly aimed at stealing bank details or credit card numbers, as well as passwords for other commercial services. Between January and July 2009, PandaLabs received 11 million new threats, approximately 8 million of which were Trojans. This is in clear contrast, for example, to the average of 51 percent of new Trojans that PandaLabs received in 2007."

(Related) Here's an example of a bad-but-not-as-smart Identity Thief. I think the instruction manual that comes with the “I want to be a Millionaire Identity Thief” kit must tell them to keep moving so they don't get caught.

Police discover suspected $1 million credit card fraud

By: Staff Writer 18/08/2009 12:58 PM

WINNIPEG - Police say they uncovered a credit card fraud worth as much as $1 million early Friday morning while investigating a vehicle break-in downtown.

Police said the rented vehicle, which was parked at Notre Dame Avenue and Albert Street, contained items associated with illegal credit card trafficking.

Police found the man who had rented the vehicle nearby. He attempted unsuccessfully to flee police in a taxi. [Like I said, not so bright Bob]

Police obtained a search warrant to search the vehicle and a hotel room, discovering hundreds of fraudulently obtained credit cards, a skimming device, laptop computers and thousands of dollars worth of legitimate gift cards.

Does this suggest we need a US version of the study?

A new study on privacy online in Israel

August 21, 2009 by Dissent Filed under Internet, Non-U.S.

Calls to better safeguard users’ privacy online and improve protection of personal data on the Internet are commonplace. The concerns about privacy issues are sometimes coupled with demanding higher legal standards of protection pertaining to access and use of personal data obtained over the Internet by third parties, may they be the government and its agencies or private entities that collect and use personal data for commercial purposes. Professors Michael Birnhack (Tel Aviv University) and Niva Elkin-Koren (University of Haifa) have just posted a new and highly interesting study that addresses questions of compliance with privacy regulation in Israel.

Read more on Stanford CIS

Related: “Does Law Matter? Informational Privacy and Online Compliance in Israeli Web Sites” (full-text article available on SSRN)

Now this is amusing. Why would anyone ignore a resource like Mitnick? I can see the competition's ads now: “We're so secure, we can even protect Kevin Mitnick. Can your provider say that?”

Besieged by attacks, AT&T dumps celebrity hacker

The perils of being Kevin Mitnick

By Dan Goodin in San Francisco Posted in Security, 19th August 2009 22:22 GMT

Updated Over the years, Kevin Mitnick has gotten used to the attacks on his website and cell phone account that routinely result from being a convicted hacker turned security expert. What he finds much harder to stomach is the treatment he's getting from his providers.

Over the past month, both his longtime webhost and AT&T, his cellular provider since he was released from prison more than nine years ago, have told him they no longer want him as a customer. The reason: his status as a celebrity hacker makes his accounts too hard to defend against the legions of script kiddies who regularly attack them.

The move by AT&T came this week after Mitnick hired a lawyer to complain that his privacy was being invaded by people posting Mitnick's account information in public hacking forums. It included the eight-digit password Mitnick used to authenticate himself online, the numbers for his cell phone and land lines, his billing address, and the last four digits of his social security number.

"They can't seem to secure my account," Mitnick told The Register. "And then instead of doing something about it, they try to kill the messenger and want to boot me off their network when all I want them to do is to secure my account so no one gets access to my phone records."

Mitnick said the cellular account has been repeatedly breached over the years, despite a wide range of countermeasures he's followed to prevent the attacks. In recent years, he's committed the password to memory and has deliberately not shared it with anyone or kept it stored on a computer. For a while, his former girlfriend, who was also repeatedly attacked, disabled her online account altogether, but even then she regularly found it would later be restored. The people carrying out the attacks would then post the phone records online in an attempt to embarrass them.

"There are so many ways into these networks," he said. "They have to take some responsibility, not just silence the people that are filing complaints."

About 18 hours after this article was first published, an AT&T spokeswoman issued the following statement:

"We investigated Mr. Mitnick’s claims and determined they were without any foundation. We refused Mr. Mitnick’s demands for money, but did offer to let him out of his contractual obligations so that he could find a carrier that he would be comfortable with. In response to your question regarding customer password security: we require that any systems containing sensitive information regarding passwords encrypt the data."

Mitnick said that per AT&T policy, his password could only be digits and no more than eight characters long.

It was three weeks ago that Mitnick was forced to find a new webhost after HostedHere told him they no longer wanted to provide service for his longtime website. The decision came after years of relentless attacks that the company was powerless to stop.

In the past three months, Mitnick's site was taken out twice, and one of those attacks also caused a sustained outage for the South Carolina-based service provider. After years of trying to fend off the assaults, the company decided it was time to part ways with Mitnick.

"Kevin is a high-profile target," said David Wykofka, IT director at HostedHere. "When vulnerabilities come out in third-party vendor software, he is one of the first targets on their list. This is just one of the perils of being Kevin Mitnick. If you're Barack Obama, you don't get webhosting at GoDaddy."

No doubt, the companies are free to choose who they count as customers. But in asking Mitnick to take his business elsewhere, they seem to be making the tacit admission that they are unable to secure the accounts of users whose only fault is being a high-profile target.

What's most irritating to Mitnick, he says, was the haste AT&T showed in asking him to find another provider. And that despite the unusually large roaming charges he incurs that often push his monthly bill above $2,000 per month.

"You'd think they'd like to talk to me and say 'how do you think these guys are getting in?', maybe even offer to set up an account not in my name," he said. "Rather than do that, for a customer that spends up to $20K a year, it's 'goodbye.'"

Good news, bad news. My forensic analyst side appreciates the new tool but my “every now and then I like to speak anonymously” side sees one more hurdle to leap.

Microsoft working to eliminate Internet anonymity

August 20, 2009 by Dissent Filed under Internet

Microsoft researchers have unveiled an anti-hacking concept that can help track hackers or malicious content to origin servers.

The Host Tracker program’s goal is to “de-anonymize the Internet” through the ability to host servers with 99 percent accuracy.

Host Tracker is designed to unmask would-be hackers who take advantage of anonymizing techniques by cross-referencing Internet protocol traffic data to identify the true origin. Microsoft’s representatives said the Host Tracker system relies on application-level events — in this case, Internet Explorer browser sessions — to automatically infer host-IP bindings.

Read more on GCN. Thanks to Brian Honan for this link.

[From the article:

Researchers Yinglian Xie, Fang Yu and Martin Abadi ran some initial tests by analyzing a month's worth of data from an e-mail server, roughly 330 GB, to ascertain from the samples who may have been responsible for sending out certain types of spam. They studied some 550 million user IDs and 220 million IP addresses, and matched time stamps for message transmission or e-mail log-ons.

"The fact that we are able to trace malicious traffic to the proxy itself is an improvement because we are able to pinpoint the exact origin," Xie said (a PDF of the study can be found here).
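
A simplified sketch of the idea described above (inferring host-IP bindings from timestamped application log-ons and then attributing later traffic), added here as an illustration; it is not Microsoft's Host Tracker code or algorithm. The log records, the one-hour `MAX_GAP`, the function names and the use of a user ID as a stand-in for a host are all assumptions.

```python
from collections import defaultdict
from typing import NamedTuple


class Event(NamedTuple):
    ts: int    # log-on time, seconds (constructed values)
    user: str  # user ID, used here as a proxy for "the host"
    ip: str    # source address seen by the service


class Binding(NamedTuple):
    ip: str
    user: str
    start: int
    end: int


MAX_GAP = 3600  # assumed: log-ons more than an hour apart start a new window


def infer_bindings(events, max_gap=MAX_GAP):
    """Turn log-on events into (ip, user) windows of continuous use.

    Events for the same user on the same IP are merged into one window
    while consecutive log-ons are at most max_gap seconds apart.
    """
    per_pair = defaultdict(list)
    for e in events:
        per_pair[(e.ip, e.user)].append(e.ts)

    bindings = []
    for (ip, user), stamps in per_pair.items():
        stamps.sort()
        start = prev = stamps[0]
        for ts in stamps[1:]:
            if ts - prev > max_gap:          # gap too long: close the window
                bindings.append(Binding(ip, user, start, prev))
                start = ts
            prev = ts
        bindings.append(Binding(ip, user, start, prev))
    return sorted(bindings, key=lambda b: (b.ip, b.start, b.user))


def attribute(bindings, ip, ts):
    """Who was bound to `ip` at time `ts`?

    Returns ("bound", [user]) for a unique binding, ("shared", users) when
    several windows overlap (typical of a proxy or NAT address), and
    ("unknown", []) when no window covers the time.
    """
    users = sorted({b.user for b in bindings
                    if b.ip == ip and b.start <= ts <= b.end})
    if not users:
        return ("unknown", [])
    if len(users) == 1:
        return ("bound", users)
    return ("shared", users)


def sample_events():
    """Constructed log; addresses are from the documentation ranges."""
    return [
        # A dynamic address used by one account, then reassigned to another.
        Event(1000, "alice", "192.0.2.10"),
        Event(2500, "alice", "192.0.2.10"),
        Event(4000, "alice", "192.0.2.10"),
        Event(9000, "bob", "192.0.2.10"),
        Event(10000, "bob", "192.0.2.10"),
        # The first account reappears on a different address.
        Event(9500, "alice", "192.0.2.77"),
        # Two accounts interleaved on one address: a shared proxy or NAT.
        Event(2000, "carol", "198.51.100.5"),
        Event(2200, "dave", "198.51.100.5"),
        Event(2900, "dave", "198.51.100.5"),
        Event(3000, "carol", "198.51.100.5"),
    ]


if __name__ == "__main__":
    b = infer_bindings(sample_events())
    for probe in [("192.0.2.10", 3000), ("192.0.2.10", 9500),
                  ("192.0.2.10", 6000), ("198.51.100.5", 2500)]:
        print(probe, attribute(b, *probe))
```

The same address resolves to different accounts at different times, which is why the timestamp matters as much as the IP when a log entry is used as evidence of origin.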

Is this wise on any level? Shouldn't their strategy be to attract as many riders as possible, by whatever means possible?

New York MTA Asserts Copyright Over Schedule

Posted by timothy on Thursday August 20, @04:52PM from the might-be-a-bargain-if-they-always-kept-the-schedule dept.

Presto Vivace writes

"Greater Greater Washington reports that 'The New York Metropolitan Transit Authority's lawyers are going after a local blogger, and attempting to block an iPhone application showing Metro-North railroad schedules. The blog StationStops writes about Metro-North Commuter Railroad service north of New York City, and often criticizes its operations. Its creator, Chris Schoenfeld, also created an iPhone application to give Metro-North riders schedule information. Now the MTA is insisting he pay them to license the data, and at one point even accused the site of pretending to be an official MTA site.' I can't believe that the MTA's actions are going to go over well with the public."

Tools & Techniques It's faster from the command line, but this may be better for non-geeks (and students?)

Run Windows Commands Easily With Commands In Demand

Aug. 20th, 2009 By Varun Kashyap

Talk about doing repetitive tasks and you would think of the command line to be the best place to do them. However it is not always easy for everyone to remember how to run Windows commands. Commands in Demand provides you with an interface to perform a number of such tasks at the click of a button.

Sadly there is no portable version of the application.

Thursday, August 20, 2009

Looks like the media believes the “era of the hacker” has come to an end, all major Identity Theft cases are resolved, and the Feds have demonstrated they can solve any crime – no matter where the perpetrators reside. I wouldn't bet on it.

You gotta get the publicity while the story's hot. You never know when you might run for office!

Gonzalez’s lawyer criticizes federal prosecutors

August 19, 2009 by admin Filed under Breach Incidents, Business Sector, Financial Sector, Hack, Malware

Albert Gonzalez, a suspect in several hacking cases, was close to reaching a comprehensive plea agreement with federal prosecutors in Massachusetts and New York when federal prosecutors in New Jersey indicted him on Monday on a new raft of computer crimes, said Mr. Gonzalez’s lawyer, Rene Palomino Jr.


Mr. Palomino said the settlement would have ended all active investigations, including New Jersey’s. He charged that New Jersey prosecutors moved up their indictment to short-circuit the settlement talks. “I guess so they could bask in the glory of all the publicity they are getting from this,” he said. [Good guess. Bob]


Mr. Palomino also shed some light on some mysteries in Monday’s announcement. He said “P.T.,” an unindicted co-conspirator named in the new indictment, was Damon Patrick Toey, one of the 11 people charged last August as part of the data thefts at T.J. Maxx stores, which are owned by TJX. Mr. Toey has pleaded guilty and received a reduced sentence in exchange for cooperation in the government’s case against Mr. Gonzalez.

Mr. Palomino said that he was prepared to argue that Mr. Toey, not Mr. Gonzalez, took the lead in the data thefts in the New Jersey indictment.

He also said that one of the “unnamed Russian conspirators” named in the indictment was Maksym Yastremski, who is currently serving a 30-year sentence in a Turkish prison.

Read more in The New York Times.

Do you think the details of the hack will ever come out? Perhaps a tell-all book?

Gonzalez: The Al Capone Of Cyber Thieves?

August 19, 2009 by admin Filed under Commentaries and Analyses, Of Note

Evan Schuman and Fred J. Aun have a well-written commentary on the recent indictment of Albert Gonzalez and two unnamed co-conspirators that highlights the questions left unanswered by the indictment, and the apparent contradictions between statements made. As one example, they write:

For example, 7-Eleven is a new name in the breach circle, and the indictment said that the $54 billion convenience store chain’s POS network files were directly—and successfully—attacked. In August 2007, “7-Eleven was the victim of a SQL injection attack that resulted in malware being placed on its network and the theft of an undetermined number of credit and debit card numbers and corresponding card data,” the indictment said.

But a statement that 7-Eleven issued on Tuesday (Aug. 19) tells a very different story. The 7-Eleven statement said that “affected transactions were limited to customers’ use of certain ATMs, owned and operated by a third party, located in 7-Eleven stores over a 12-day period from October 28, 2007, through November 8, 2007.”

That’s a very key difference, given that third-party ATM data—from machines that essentially leased space from various stores—would never be in the possession of 7-Eleven.

Read more on StorefrontBacktalk.

This can't be correct, can it? They have the victims' personal information and still can't identify them? The reporter must mean “contact” rather than identify, otherwise the charge of Identity Theft would become “Making up a phoney Identity”

Md. police trying to find ID theft victims

August 19, 2009 by admin Filed under Breach Incidents, ID Theft, U.S.

Police said they were trying to identify at least 100 victims of identity theft whose private information was found in a hotel room in Elkridge, Md.

Four suspects from Florida face charges for a theft scheme that stretches across at least four states, the Howard County, Md., police said Wednesday in a news release.

Police said a hotel housekeeper alerted them to some suspicious documents she found in a trash can. A search of the hotel room and the vehicle of the person registered to the room turned up hundreds of personal and financial documents from various states and victims, including driver’s licenses, credit cards, checks, Social Security cards and bank statements, the police said.

Read more on UPI.

Now hate speech is part of the economic stimulus package? Did he become too good at his job? Did he say something that embarrassed the FBI or made them look silly? More importantly, WHY DON’T THEY PAY ME! I can pretend to hate people for enough money, honest I can.

Lawyer: FBI Paid Right-Wing Blogger Charged With Threats

By David Kravets August 19, 2009 4:00 pm

A notorious New Jersey [I'm from New Jersey! Bob] hate blogger charged in June with threatening to kill judges and lawmakers was secretly an FBI “agent provocateur” paid to disseminate right-wing rhetoric, his attorney said Wednesday.

Hal Turner, the blogger and radio personality, remains jailed pending charges over his recent online rants, which prosecutors claim amounted to an invitation for someone to kill Connecticut lawmakers and Chicago federal appeals court judges.

But behind the scenes the reformed white supremacist was holding clandestine meetings with FBI agents who taught him how to spew hate “without crossing the line,” [Can I get a copy of that book? Bob] according to his lawyer, Michael Orozco.

“Almost everything was at the behest of the Federal Bureau of Investigation,” Orozco said in a 45-minute telephone interview from New Jersey. “Their job was to pick up information on the responses of what he was saying and see where that led them. It was an interesting dynamic on what he was being asked to do.”

“He’s a devoted American,” added the lawyer, who claims Turner was paid “tens of thousands of dollars” for his service.

How not to cross that line...

Court offers guidelines on when to unmask anonymous posters

August 19, 2009 by Dissent Filed under Court, Internet

In the US, the right to free speech is construed as also protecting the anonymity of the person doing the speaking. Provided that the content, be it spoken or written, violates no laws, citizens have the right to fulminate in public fora without said public being aware of their identity. Courts have also extended this protection to anonymous Internet communications, and are now being asked to weigh in on a related issue: when do accusations of wrongdoing justify the removal of anonymity from the sources of anonymous statements made via the Internet.

Read more on Ars Technica.

[From the article:

The appeals court, noting that DC courts had no precedent for this situation, examined the varied decisions handed down in other areas. It found the Virginia standard—a "good faith basis" for the accusations—far too lax, given the importance that anonymity has been granted in the US. Instead, the court laid out guidelines that are far closer to the New Jersey standard:

the court should: (1) ensure that the plaintiff has adequately pleaded the elements of the defamation claim, (2) require reasonable efforts to notify the anonymous defendant that the complaint has been filed and the subpoena has been served, (3) delay further action for a reasonable time to allow the defendant an opportunity to file a motion to quash, (4) require the plaintiff to proffer evidence creating a genuine issue of material fact on each element of the claim that is within its control, and (5) determine that the information sought is important to enable the plaintiff to proceed with his lawsuit.

In short, the plaintiff has to provide evidence that its claims are reasonable and the identity of the defendant is needed before the suit could continue. The defendant should also be given the opportunity to attempt to block his or her unmasking in court.

This makes sense. I wonder if Google would archive the page for the court?

August 19, 2009

US Courts - Internet Materials in Opinions: Citations and Hyperlinking

The Third Branch: "The Judicial Conference has issued a series of “suggested practices” to assist courts in the use of Internet materials in opinions. The recommendations follow a pilot project conducted by circuit librarians who captured and preserved webpages cited in opinions over a six-month period... The guidelines suggest that, if a webpage is cited, chambers staff preserve the citation by downloading a copy of the site’s page and filing it as an attachment to the judicial opinion in the Judiciary’s Case Management/Electronic Case Files System. The attachment, like the opinion, would be retrievable on a non-fee basis through the Public Access to Court Electronic Records system."

Further indication that I led a deprived childhood.

August 19, 2009

Teens and Mobile Phones Over the Past Five Years: Pew Internet Looks Back

Teens and Mobile Phones Over the Past Five Years: Pew Internet Looks Back, August 2009: "Teenagers have previously lagged behind adults in their ownership of cell phones, but several years of survey data collected by the Pew Internet & American Life Project show that those ages 12-17 are closing the gap in cell phone ownership. The Project first began surveying teenagers about their mobile phones in its 2004 Teens and Parents project when a survey showed that 45% of teens had a cell phone. Since that time, mobile phone use has climbed steadily among teens ages 12 to 17 – to 63% in fall of 2006 to 71% in early 2008. In comparison, 77% of all adults (and 88% of parents) had a cell phone or other mobile device at a similar point in 2008."

Something for my Criminal Justice students? My suspicion is this type of database would find lots of sponsors in the “Single Topic” world (MADD for example) that would use reports of “their crime” to drum up new members, harangue politicians, etc.

Crimespotting: Crime Has Never Looked So Good

by MG Siegler on August 19, 2009

There’s nothing cool about crime, but Stamen Design comes pretty damn close to making it cool with the new site it built and designed, San Francisco Crimespotting, that launched today. The site offers a visual representation of reported crimes in the city during a set period of time. Various types of crime ranging from alcohol-related to theft to murder are represented by different color dots placed on a map of the city.

I'm getting a strong recommendation from one of my Geek friends. Protect your home network. It's free, check it out.

ClarkConnect Server and Gateway

ClarkConnect is a powerful and affordable Internet server and gateway solution. The software solution will give your organization enterprise-level server features at an affordable price.

Wednesday, August 19, 2009

Not all Identity Theft is large scale.

7-Eleven statement regarding 2007 credit card fraud

August 18, 2009 by admin Filed under Breach Incidents, Business Sector, Hack, Malware, U.S.

7-Eleven, Inc. has learned that federal authorities in New Jersey have indicted individuals for the theft of credit and debit card numbers in a computer hacking scheme targeting multiple retailers in a number of separate incidents over the last several years.

The company became aware in late 2007 that a security breach had occurred. The affected transactions were limited to customers’ use of certain ATMs, owned and operated by a third party, located in 7-Eleven stores over a 12-day period from October 28, 2007, through November 8, 2007. Steps were immediately taken to contain the security breach and prevent any recurrence.

Upon being notified of the breach, the card companies in accordance with their standard fraud response procedures then alerted the issuing financial institutions regarding the security breach. Each financial institution made its own decision about what appropriate actions to take, including the issuance of new cards or putting card numbers on alert for fraud. These remedial measures were taken in late 2007 and early 2008.

7-Eleven would like to thank the federal authorities for their diligence in pursuing the perpetrators of this crime. Because this matter is pending, we are not providing further details.

Is it naive to assume that those with the tools to read email traveling in both directions would limit themselves to incoming mail only?

UK Govt Mail Services operations manager on allegedly illegal mail screening

August 19, 2009 by Dissent Filed under Featured Headlines, Govt, Non-U.S., Surveillance

Which is exactly what the GMS have been doing.

Just a little bit of background information. GMS is the Government Mail Service which are a department within government who protect government employees from terrorist attacks such as mail bombs, razor blades and probably anthrax – but they are only supposed to screen incoming mail to government departments – and therein lies the rub.

According to the Investigatory Powers Tribunal, GMS do not have “RIPA powers” which means if they open outgoing mail from a government agency/department they are actually breaking the law (just the same as Phorm’s WebWise does) as it would be classed as interception.

So imagine the shock for one of our members when he got a reply today from the Crown Prosecution Service which was delayed by an entire week due to being “Screened” [What takes a full week? Bob] by the GMS. Yes you read that correctly – it now seems that GMS are screening outgoing mail from the CPS.


In order to try and figure out what was going on, I attempted to phone GMS Screening Office only to never have the call answered – so I then phoned the Operations Manager for GMS using the number on their web site. An audio recording of the conversation can be found by clicking on the link below:

Recording of Conversation with GMS Operations Manager (mp3)

Read more on NoDPI.

Related: has mirrored the mp3 file.

Question: What's worse than failing to change the default password?

Australian Police Database Lacked Root Password

Posted by kdawson on Tuesday August 18, @10:02PM from the kick-me dept.

Concerned Citizen writes

"The Australian Federal Police database has been hacked, although 'hacked' might be too strong a word for what happens when someone gains access to a MySQL database with no root password. Can you be charged with breaking and entering a house that has the door left wide open? Maybe digital trespassing is a better term for this situation. 'These dipshits are using an automatic digital forensics and incident response tool,' the hacker wrote. 'All of this [hacking] had been done within 30-40 minutes. Could of [sic] been faster if I didn't stop to laugh so much.'"

Total deniability. (Also allows Russia to hold back their cyberwar technology.) “Hey Guidoski, Want to help I screw with Georgia or would you rather become the number one priority of the Police Department?”

Report: Russian mob aided cyber attacks on Georgia

by Mark Rutherford August 18, 2009 8:53 PM PDT

Civilians recruited by Russian language social networking sites and using Russian Mafia-associated botnets perpetrated many of the cyber attacks on Georgian government websites during the five-day Russian-Georgian war in 2008, according to a recent report.

However, while the cyber attackers appear to have had advance notice of the invasion and the benefit of some close cooperation from a state organ, there were no fingerprints directly linking the attacks to the Russian government or military, according to the U.S. Cyber Consequences Unit (US-CCU), an independent nonprofit research institute that produced the report.

(Related) Perhaps they should contact Tony Soprano?

Air Force Establishes ‘Reduced’ Cyber-War Command

By David Axe August 18, 2009 4:36 pm

A year ago, the Air Force suspended its plans to set up a new “cyber command” for network defense and online warfare. The suspension came at a tumultuous time for the air service. Its two top officials had just been canned, botched airplane buys were under close scrutiny and Air Force nuke handlers were reeling from several potentially catastrophic gaffes. “It makes sense for new leadership to want to pause and evaluate,” cyber-security specialist Richard Bejtlich said.

Things are calmer now. The Air Force has new leaders, new and more modest acquisition plans and tighter nuke controls. Amid the calm, and without much fanfare, the Air Force on Tuesday established a new, “greatly reduced” cyber-warfare organization, to borrow Gannett’s description.

What to do with your 52 inch flat screen between SuperBowls...

August 18, 2009

London: New National Gallery Website

News release: "The re-launched is the first major gallery website to offer a full-screen zoom facility for its entire collection. Users can now examine every National Gallery masterpiece in outstanding detail, effortlessly sweep across digital canvases and zoom into minute details of their choosing. Also for the first time, users can now check the up-to-date locations of their favorite works of art prior to visiting. Using the Gallery’s own collection database, the new website updates the layout of the collection twice daily. Users can explore the paintings room-by-room using an interactive floorplan, allowing them to follow the narrative of the hang, as well as access new research material for specific works of art... For the best visual experience, the site has been designed to take advantage of the new generation of larger computer screens. Visitors can now access over 12,000 images, 18 hours of audio and at least 200 videos. The site has also been optimised to enable visitors to find specific content with greater ease through search engines like Google, including every painting in the collection."

Tools & Techniques Backgrounder for hackers.

Technology Explained: How Does An Email Server Work?

Aug. 18th, 2009 By Saikat Basu

Tools & Techniques This is the technical side. Anyone want to write up the legal issues?

How to Copy DVDs That Are Copyright Protected With WinX DVD Ripper (Windows)

Aug. 19th, 2009 By Karl L. Gechlik

I have been looking for a good free easy to use DVD ripper for a little while now that I can use to copy DVDs that are copyright protected (for backups). I came across this gem called WinX DVD Ripper which is a 6.5 MB download and which will have you ripping DVDs with ease.

Tools & Techniques

Easiest screencasts ever: Screenr

by Rafe Needleman August 18, 2009 5:31 PM PDT

The just-launched Screenr product isn't the only easy Web-friendly screencast tool out there, but among the competing products I've tried, including ScreenJelly and Jing, it is the best option for creating screencasts fast and getting them posted immediately. All you do is let the Java-powered recording app load from the Screenr Web page and hit a button to record a screencast of up to five minutes.

Screenr's special power is its slick Twitter integration. As with TwitPic and TwitVid, once the service collects your media, it posts it on a page for you and can send a description and a link out directly from your Twitter account. The screencasts can also be embedded on any Web page.

There's no editing option or other fancy features like picture-in-picture recording. If you want to go that route, look at apps like Camtasia for Windows, or ScreenFlow on the Mac. However, you can set the size of your image-recording window before you start recording, to make sure you don't include distracting interface elements in your presentation.

Tools & Techniques (Not just for Math teachers...)

2009 MCC Math and Technology Workshop

… In this week, “Technology Bootcamp” participants learned how to use:

Tuesday, August 18, 2009

Even when we start to get answers we find more questions.

Over 130 million stolen: 3 indicted for hacking Heartland, 7-Eleven, Hannaford

August 17, 2009 by Dissent Filed under Breaches, Court, Featured Headlines

An indictment [pdf] was returned today against three individuals who are charged with being responsible for five corporate data breaches, including the single largest reported data breach in U.S. history, announced Acting U.S. Attorney Ralph J. Marra, Jr., along with Assistant Attorney General of the Criminal Division Lanny A. Breuer and United States Secret Service Director Mark Sullivan.

The scheme is believed to constitute the largest hacking and identity theft case ever prosecuted by the U.S. Department of Justice.

The indictment describes a scheme in which more than 130 million credit and debit card numbers together with account information were stolen from Heartland Payment Systems, Inc., based in Princeton, N.J., 7-Eleven, Inc., and Hannaford Brothers Co. In addition, the indictment describes two unidentified corporate victims as being hacked by the coconspirators. [Two more? Should we assume they hacked in but got no data requiring disclosure? I'd think they (whoever they are) would be bragging about that. Bob]

As alleged in the indictment, between October 2006 and May 2008, Albert Gonzalez, 28, of Miami, Fla., acted with two unnamed coconspirators to identify large corporations, often by scanning the list of Fortune 500 companies and exploring corporate websites. Upon identifying a potential victim, Gonzalez and his coconspirators sought to identify vulnerabilities, both by physical observation and by online exploration. For example, according to the Indictment, Gonzalez and an individual identified in the Indictment as “P.T.” would go to the retail locations of their potential victims in an attempt to identify the type of point-of-sale (“checkout”) machines utilized by the victim companies. After reconnaissance of the computer systems was completed, information would be uploaded to servers which served as hacking platforms. These servers, located in New Jersey and around the world, were used by the coconspirators to store information critical to the hacking schemes and to subsequently launch the hacking attacks.

According to the Indictment, the hacking attacks launched against the corporate victims consisted of what is known as a SQL-injection attack, which is an attack that exploits security vulnerabilities in elements of a computer that receives user input. Gonzalez provided some of the malicious software (malware) to his coconspirators, and they added their own as they sought to identify the location of credit and debit card numbers and other valuable data on the corporate victims’ computer systems.

The coconspirators often worked together on a real-time basis, contacting each other by instant messaging as they were improperly accessing the corporate victims’ computer systems, according to the Indictment. Once the target information was discovered, it would be stolen from the corporate victims’ servers and placed onto servers controlled by Gonzalez and the coconspirators. In addition to searching for credit and debit card data on the victims’ computer systems, the Indictment alleges that Gonzalez and the coconspirators installed “sniffers” which conducted real-time interception of credit and debit card data being processed by the corporate victims and subsequently stolen from the corporate victims’ computer servers.

The indictment alleges that Gonzalez and the coconspirators employed numerous techniques to hide their hacking efforts and data breaches. For example, they allegedly accessed the corporate websites only through intermediary, or “proxy,” computers, thereby disguising their own whereabouts. They also tested their malware by using approximately twenty of the leading anti-virus products to determine if any of those products would detect their malware as potentially unwanted. Furthermore, they programmed their malware to actively delete traces of the malware’s presence from the corporate victims’ networks.

Upon stealing the credit and debit card data, Gonzalez and the coconspirators would seek to sell the data to others who would use it to make fraudulent purchases, make unauthorized withdrawals from banks and further identity theft schemes.

… A federal grand jury sitting in Newark, N.J., charged Gonzalez and two individuals identified only as “Hacker 1,” and “Hacker 2,” both in or near Russia, in the two-count Indictment. The first count charges conspiracy to (1) gain unauthorized access to computers, (2) commit fraud in connection with computers, and (3) damage computers. The second count charges conspiracy to commit wire fraud. Each defendant faces a maximum penalty of 5 years in prison on Count One and an additional 30 years on Count Two, for a total of 35 years. In addition, each of the individuals is subject to a maximum fine of $250,000 per Count One, and $1 million per Count Two, or twice the gain resulting from the offense, whichever is greater.

Gonzalez was previously indicted in the Eastern District of New York on May 12, 2008, and the District of Massachusetts on August 5, 2008, for his involvement in different conspiracies relating to data breaches of multiple companies. He was also previously arrested in New Jersey in 2003 for his role in ATM and debit card fraud. Gonzalez is currently detained in the Metropolitan Detention Center in Brooklyn, New York.

… The case is being prosecuted by Assistant U.S. Attorneys Seth Kosto and Erez Liebermann of the U.S. Attorney’s Office Computer Hacking and Intellectual Property Section, [Talk about a cool business card. Does the job come with a cape and secret identity? Bob] part of the Commercial Crimes Unit in Newark, New Jersey, and Senior Counsel Kimberly Kiefer Peretti of the Criminal Division’s Computer Crime & Intellectual Property Section.

Source: U.S. Attorney’s Office, District of New Jersey

(Related) Of course we've seen Mr. Gonzalez before. Is he really that good or are we blaming him for everything just to close the case?

TJX Hacker Charged With Heartland, Hannaford Breaches

By Kim Zetter August 17, 2009 2:34 pm

Impacting the Google and Microsoft “Health Data Sharing” systems. Perhaps they caused the Financial Collapse?

FTC issues Health Breach Notification Rule

August 18, 2009 by Dissent Filed under Breaches, Featured Headlines, Govt

The Federal Trade Commission (“FTC” or “Commission”) is issuing this final rule, as required by the American Recovery and Reinvestment Act of 2009 (the “Recovery Act” or “the Act”). The rule requires vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.

DATES: This rule is effective [insert date 30 days after date of publication in the FEDERAL REGISTER]. Full compliance is required by [insert date 180 days after date of publication in the FEDERAL REGISTER].

The rule can be found on the FTC’s site (pdf, 88 pp.). There will be more coverage of this after everyone has a chance to read through it.

See also the Health Breach Notification form (pdf) and the FTC’s press release.

[From the rule:

A second and related point that many commenters raised was that, to the extent possible, consumers should receive a single notice for a single breach.9 These commenters pointed out that receiving multiple notices for the same breach would confuse consumers and convey an exaggerated sense of risk.1 [...and it would point out how many entities had their data... Bob]

Finally, many commenters expressed concerns about particular statutory requirements governing breach notification. For example, some commenters stated that entities should be required to provide breach notification for paper, as well as electronic, information;19 others expressed concerns about requiring media notice.20

18 Section 13400(5) of the Recovery Act defines “electronic health record” as an electronic record of health-related information on an individual that is “created, gathered, managed, and consulted by authorized health care clinicians and staff.” In contrast, section 13400(11) defines “personal health record” as an electronic record “on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual.”

(Related?) If this means the FTC will start blogging about Privacy, I'll follow it. More likely, he just gets to explain what a blog is...

FTC hires privacy blogger

August 18, 2009 by Dissent Filed under Govt, Other, U.S.

In yet another sign that the Federal Trade Commission is serious about examining online privacy, Christopher Soghoian said today that he’s accepted a job as technical consultant to the FTC’s Bureau of Consumer Protection, Division of Privacy and Identity Protection. Soghoian, currently with Harvard’s Berkman Center for Internet & Society, is among the most influential researchers today when it comes to online privacy and advertising.

“David Vladeck, the new head of the Bureau of Consumer Protection recently told the New York Times that ‘he would hire technologists to help analyze online marketers’ tracking.’ I guess that means people like me,” Soghoian said on his blog.

Read more on Media Post and on Chris’s blog. This is good news, indeed.

Just call us here at Dial-a-Perp, and we'll provide you with the DNA evidence you need and deserve!

Fighting biological identity theft (updated)

August 17, 2009 by Dissent Filed under Featured Headlines, Other

Fascinating stuff: Elon Ganor is now working in the field of biotechnology with a new Israeli startup, Nucleix, a firm that is devoted to foiling biological identity theft.

Nucleix’s technology is designed to answer a new problem that has arisen where medicine and law meet: biological identity theft. That refers to the ability to build, in laboratory conditions, synthesized DNA based on the real DNA of a person. Other people could use that fabricated DNA to create the appearance of guilt where none exists, for example by disseminating it at crime scenes.


The startup’s expertise lies in differentiating between artificial DNA and the real genetic code of the actual person. Until now there has been no technology capable of distinguishing between genetic profiles obtained from faked DNA and real biological profiles, it says.


Update 1: The NY Times also has an article on this topic, and it links to a journal article by the investigators, “Authentication of forensic DNA samples.”

(Related) Now you can have a computer that's a clone of Bill Gates? Horrifying!

IBM Scientists Build Computer Chips From DNA

Posted by ScuttleMonkey on Monday August 17, @06:02PM from the some-chips-are-longer-than-others dept.

Enforcement should be an interesting challenge...

No Social Media In These College Stadiums

Posted by kdawson on Monday August 17, @09:46PM from the ninety-thousand-reporters dept.

RawJoe writes

"Today, the Southeastern Conference (SEC) is expected to release a final version of its new media policy that, at the moment, can best be described as a ban on all social media usage at SEC games. Earlier this month, the conference informed its schools of the new policy, which says that ticketed fans can't 'produce or disseminate (or aid in producing or disseminating) any material or information about the Event, including, but not limited to, any account, description, picture, video, audio, reproduction or other information concerning the Event.' Translated, that means no Twitter, Facebook, YouTube, TwitPic, or any other service that could in any way compete with authorized media coverage of the event. In the case of the SEC, authorized media coverage rights belong to CBS, who has a $3B deal with the conference over the next 15 years, according to The St Petersburg Times."

Good luck with that. To quote Clay Shirky, "The idea that people can't capture their own lived experience is a losing proposition."

We can, therefore we must? A whole new set of data for e-Discovery.

Miami health centre starts RFID soap snooping

August 18, 2009 by Dissent Filed under Surveillance, U.S., Workplace

RFID tags are being deployed at the University of Miami to report when doctors and nurses wash their hands, and let them know if their fingernails aren’t clean.

In contrast to previously-suggested systems involving chemical sniffers, the RFID-based technology being used in Miami just monitors when a doctor or nurse is near a bed and when they use a soap dispenser, then compares the times to ensure the latter is done directly before the former - failure to comply resulting in a recorded reminder being played out over the tannoy. [“Attention Patients! Dr. (insert name here) is a walking germ factory! If you catch anything, be sure to sue (him/her) and not us!” Bob]

Read more in The Register.

[From the article:

(This is all explained in more detail by RFID Journal.)

Ah, the joys of operating a business that goes global instantly...

Privacy offerings: Facebook submits plan to Canada

August 17, 2009 by Dissent Filed under Featured Headlines, Internet, Non-U.S.

Facebook has submitted its proposal to the Canadian Privacy Commissioner to bring Facebook into compliance with Canada’s privacy law. Although they revealed few details publicly, The Financial Post reports that:

the company proposed a number of updates to its Statement of Rights and Responsibilities with several changes which may address some of the concerns contained in the privacy commissioner’s report.

In one section which speaks directly to third party developers creating applications for the Facebook platform, Facebook proposed changing a section which reads: “You will only use the data you receive for your application, and will only use it in connection with Facebook.”

The new section reads: “You will only request data you need to operate your application.”

Developers will also now be required to make it clear to users the data they plan to use and how they “will use, display or share that data.”

Read more in The Financial Post.

(Related) Of course, some countries are more foreign than others...

Facebook sued over privacy

August 17, 2009 by Dissent Filed under Court, Internet

The Associated Press reports that five Facebook users in California have filed a civil suit against Facebook. According to the AP, the lawsuit reportedly alleges that

Facebook violates California privacy and online privacy laws by disseminating personal information posted by users to third parties. It also alleges that Facebook engages in data mining and harvesting without fully disclosing those practices to its members.

Update 1: Jason Kincaid of TechCrunch finds this suit somewhat amusing.

...because it was politically incorrect?

White House disables e-tip box

August 18, 2009 by Dissent Filed under Govt, Internet

Following a furor over how the data would be used, the White House has shut down an electronic tip box — — that was set up to receive information on “fishy” claims about President Barack Obama’s health plan.

E-mails to that address now bounce back with the message: “The e-mail address you just sent a message to is no longer in service. We are now accepting your feedback about health insurance reform via”

Read more on Politico.

No doubt the geek community will be watching (and blogging) about this one! “Who do you think you are? What makes you think you can regulate communications? We have a right to force customers off our system, even when we're the monopoly ISP.”

Comcast Finally Files Suit Against FCC Over Traffic Shaping

Posted by ScuttleMonkey on Monday August 17, @04:18PM from the hoping-for-mutual-destruction dept.

Following up on their threat last year to sue the FCC over sanctions imposed, Comcast has finally filed suit, stating that there are no statutes or regulations that support the FCC's authority to stop traffic shaping procedures.

"First, let's recap: After months of proceedings, hearings, and investigations, the FCC concluded on August 1, 2008 that Comcast was discriminating against certain P2P applications using deep packet inspection techniques. These methods thwarted the ability of users to share video and other files via BitTorrent. 'Comcast was delaying subscribers' downloads and blocking their uploads,' declared then FCC Chair Kevin Martin. 'It was doing so 24/7, regardless of the amount of congestion on the network or how small the file might be. Even worse, Comcast was hiding that fact by making [affected] users think there was a problem with their Internet connection or the application.'"