Saturday, October 10, 2009

Well now the cat is out of the bag. If USA Today starts writing about basic computer security, soon everyone will understand it and us consultants won't be able to charge the big bucks!

Cyberthieves find workplace networks are easy pickings

October 10, 2009 by admin Filed under Breach Incidents, Commentaries and Analyses, Hack, ID Theft, U.S.

Byron Acohido provides a write-up of some of the TJX and Heartland Payment Systems incidents that emphasizes the point that many hacks go undetected or unnoticed — and that cyberthieves often take considerable time to start and continue stealing data:

Companies, understandably, rarely discuss data breaches. However, proof that data thieves are targeting hundreds of organizations using similar approaches to breach networks comes from Verizon Business, a division of Verizon Communications that sells consulting services to other corporations. Since 2004, Verizon has dispatched forensic specialists to conduct CSI-like probes of nearly 600 cases of corporate data theft.

In the vast majority of those cases, investigators discovered thieves routinely took days after initially penetrating a network to locate and break into valuable databases. And most often, the intruders spent weeks to years extracting data before being discovered.

“It’s one of the more shocking statistics we’ve run across,” says Verizon principal researcher Wade Baker. “The length of time it takes an organization to discover that data is leaving is often five to six months” after the initial breach.

That pattern suggests “many organizations right now have breaches they don’t know about and won’t discover for some time to come,” says Baker.

Read more on USA Today.

Political Rule #4: “In the end, you can't tell one party from another.”

Round-Up of Reactions to PATRIOT Vote

October 10, 2009 by Dissent Filed under Legislation, Surveillance, U.S.

Kevin Bankston of EFF provides a round-up of reactions to the Senate Judiciary Committee’s vote on a bill reauthorizing portions of the PATRIOT Act that were set to expire this year:

Yesterday, as the Senate Judiciary Committee voted to recommend and send to the Senate floor a USA PATRIOT Act renewal bill lacking critical civil liberties reforms, EFF’s reaction was much the same as Senator Feingold’s, as he expressed in his post-vote blog post at Daily Kos.

Feingold, one of only three Democrats to vote against the bill and a sponsor of the PATRIOT reform bill the JUSTICE Act, was left scratching his head over how a Democratic super-majority with a Democratic Administration could so thoroughly fail at reforming the PATRIOT Act, a law long maligned by Democrats as an affront to civil liberties. [Political Rule #407.b “Never fix anything you can blame the other party for.” Bob] He closed by posing a choice to his Democratic colleagues: “In the end…Democrats have to decide if they are going to stand up for the rights of the American people or allow the FBI to write our laws.”


However, the biggest disappointment of all yesterday was the Obama Administration itself. Of the seven amendments to water down the bill’s civil liberties protections that were offered by the Committee Republicans, at least five of them were recommended by Obama’s Justice Department. As one anonymous Democratic staffer told the New York Times, the amendments “were a verbatim transfer of the text of amendments the Obama administration had privately sent to Congress on Wednesday.”

Read more on EFF.

Ah, that explains a lot. Big Brother owns the phone companies...

Telephone Company Is Arm of Government, Feds Admit in Spy Suit

By Ryan Singel October 8, 2009 8:24 pm

The Department of Justice has finally admitted it in court papers: The nation’s telecom companies are an arm of the government — at least when it comes to secret spying.

… The feds argued that the documents showing consultation over the controversial telecom immunity proposal weren’t subject to the Freedom of Information Act since they were protected as “intra-agency” records: [“See, we was really just talking to ourselves. ...and buying ourselves dinner. … and taking ourselves on golf outings. ...and contributing to our reelection.” Bob]

(Related) How they do it in Canada. As I read it, it makes no difference what their Privacy Policy promised when you used their system. If they change the policy to say you have no rights, that applies retroactively.

Canada: New decision on warrantless access to ISP customer data

October 10, 2009 by Dissent Filed under Businesses, Court, Featured Headlines, Internet, Non-U.S.

David Fraser writes:

A friend just provided me with a copy of a recent decision of the Ontario Court of Justice considering the admissibility of information obtained without a warrant from the suspect’s internet service provider, Bell. R. v. Cuttell is not on CanLII yet, but I’ve put a copy here.

The Court concluded there is a reasonable expectation of privacy in your account records, but this expectation can be destroyed by your ISP if their service agreement grants them wide latitude to hand over customer information. The judge accepts that a broadly-worded statement in Bell’s contract with the customer might supplant the reasonable expectation of privacy. (I would also question whether a form contract that the customer likely has not read would be enough to mean that subjectively there is no reasonable expectation of privacy.)

In this case, there was no proof brought by the police that the Bell contract applied to this customer so a Charter breach was found.

Read more on Canadian Privacy Law Blog.

Related: The debate about warrantless access to ISP customer information on Slaw and Fraser’s commentary.

(Related) Hint! Hint! My Forensic students better find a way to work this into our discussion...

2 People Died In A Sweat Lodge Last Night. And Deleted Tweets Have Surfaced.

by MG Siegler on October 9, 2009

Last night, at a retreat in Arizona, two people died and another 19 had to be hospitalized after something went horribly wrong at a sweat lodge. Normally, such a story, while interesting, wouldn’t be right for TechCrunch. But there’s a tech angle here.

Apparently, the man who rented the place and threw the retreat, author James Arthur Ray, is also an avid Twitter user. And yes, during the night of the incident he was tweeting about it. Ray later deleted those tweets and all the tweets about the retreat. But, as Mark Maunder discovered, they’re still available in Twitter search. And a couple are pretty interesting:

… The fact that these tweets still exist in Twitter Search is very interesting. Twitter recently updated its terms of service agreement, making it very clear that “your tweets belong to you.” But that ownership for whatever reason, be it technical or otherwise, doesn’t fully extend to the point that when you delete a tweet, it is gone forever.

This could become amusing...

FCC To Probe Google Voice Over Call Blocking

Posted by Soulskill on Friday October 09, @07:15PM from the keep-your-eye-on-the-ball dept.

Over the past few months, we've been following the FCC's inquiry into Apple and AT&T after they rejected Google Voice from the App store. A couple weeks ago, AT&T did their best to deflect the FCC by dangling a shiny object in front of them — the use of Google Voice to block calls. It now appears the FCC has taken the bait, as they've sent an official inquiry to Google asking why the service restricts connections. "In its letter, the FCC asked Google to describe how its calls are routed and whether calls to particular numbers are prohibited. It also asks for information on how restrictions are implemented, how Google informs customers about those restrictions, whether Google Voice services are free, and if Google ever plans to charge for them in the future." Richard Whitt has already posted a brief explanation on Google's Public Policy blog. "The reason we restrict calls to certain local phone carriers' numbers is simple. Not only do they charge exorbitant termination rates for calls, but they also partner with adult sex chat lines and 'free' conference calling centers to drive high volumes of traffic." The FCC also received a push from members of the House of Representatives on Wednesday.

For my Computer Security students. This is what you must secure...

Report: Two of every five workers telecommute

by Lance Whitney October 9, 2009 12:50 PM PDT

… More than 38 million people, or 37 percent of the total U.S. workforce, work from home at least once a month, according to the report "Telework and the Technologies Enabling Work Outside Corporate Walls" released Thursday by the Consumer Electronics Association.

The CEA survey found that among telecommuters, 98 percent use computer technology, such as PCs and printers; 90 percent use communications equipment, including cell phones and fax machines; and 75 percent use accessories, such as surge protectors and docking stations.

Am I reading this correctly? Is Microsoft about to install Office on every computer exactly like it installs Internet Explorer? What are they thinking?

Microsoft Ditching Works for Ad-Supported Office Starter 2010

Thursday, October 08, 2009 - by Michael Santo

Microsoft Works, which is frequently offered as part of new PCs, is about to meet its end. Instead, in an interesting move, Microsoft announced it will allow OEMs to install the entire Office 2010 Suite on new PCs in a free, ad-supported form, but with much functionality disabled unless an activation key is purchased.

… This software, of course, will come pre-installed on new PCs. For those with older systems, Microsoft will sort of stream Office 2010 to their PCs when required using Click-To-Run, a new technology, which the company unveiled in the July invitation-only Technical Preview of Office 2010. It downloads the essential pieces you need for the task at hand, and does the rest in the background.

The computer auditors are finally speaking up. I wonder if anyone in this country will bother to have this article translated from the Canadian?

Open Source Could Have Saved Ontario Hundreds of Millions

Posted by Soulskill on Saturday October 10, @12:06AM from the proprietary-pocket-change dept.

Platinum Dragon writes

"Ontario's auditor-general released a blistering report this week detailing how successive governments threw away a billion dollars developing an integrated electronic medical record system. This CBC article highlights an open source system developed at McMaster University that is already used by hundreds of doctors in Ontario. As one of the developers points out, 'we don't have very high-priced executives and consultants,' some of whom cost Ontario taxpayers $2,700 per day."

The McMaster University researchers claim their system could be rolled out for two percent of the billion-dollars-plus already spent on the project. The report itself (PDF) also makes note of the excessive consultation spending: "By 2008, the Ministry’s eHealth Program Branch had fewer than 30 full-time employees but was engaging more than 300 consultants, a number of whom held senior management positions."

Interesting that they noticed what the Streisand Effect was doing to them and backed down.

Ralph Lauren admits it needs Photoshop lessons

by Chris Matyszczyk October 9, 2009 1:11 PM PDT

… Ralph Lauren has gurgitated a mea gulpa: "For over 42 years we have built a brand based on quality and integrity. After further investigation, we have learned that we are responsible for the poor imaging and retouching that resulted in a very distorted image of a woman's body."

Stunning! WATCH THE VIDEO DEMO! My website students will all look like Michelangelo!

PhotoSketch picture software wins plaudits

An image manipulation tool built by a group of Chinese students has taken the internet by storm.

By Claudine Beaumont, Technology Editor Published: 3:18PM BST 06 Oct 2009

PhotoSketch, which transforms basic stick-figure drawings into a photograph, has been described by technology website Mashable as "mind blowing".

Think of this as a personal alibi generator! - Keep Track Of Your Position

… This site gives you all the information you need to know … to help you out when it comes to tracking your movements using a GPS logger.

Interesting freebie from ISACA. Governance, Risk & Compliance seminar online. (You need to register)

GRC & IT Virtual Seminar

ISACA and have teamed up to present a free one-day virtual seminar (Tuesday, November 3rd) demystifying GRC and IT frameworks. Join us for this unique opportunity to network with hundreds of like-minded auditors, IT strategists and business leaders.

Friday, October 09, 2009

Fishing expedition or something more? A backup tape wouldn't hold a lot of data (relative to a complete customer database) and there is nothing I'm aware of that requires JPMorgan to itemize the records lost (much as I'd like to see that). So why the kerfuffle?

US lawmakers ask JPMorgan Chase about data breach

October 8, 2009 by admin Filed under Breach Incidents, Financial Sector, Lost or Missing, U.S.

Diane Bartz reports:

Two lawmakers want JPMorgan Chase (JPM.N), the second largest U.S. bank by assets, to answer a few questions about how many customers were affected when a computer tape with their personal information was lost earlier this year.

Representatives Joe Barton, the top Republican on the Energy and Commerce Committee, and George Radanovich, the top Republican on the subcommittee on commerce, trade and consumer protection, wrote JPMorgan Chase Bank CEO James Dimon on Wednesday.

Read more on Reuters. Previous coverage here.

We've been talking about the increase in sophistication of malware and other tech-supported crime. Remember, sophisticated doesn't always mean workable.

The Evolution Of Click Fraud: Massive Chinese Operation DormRing1 Uncovered

by Erick Schonfeld on October 8, 2009

As long as advertisers pay for clicks, there will be click fraud. And the more people combat it, the more sophisticated the attacks become to get around the defenses that advertisers, search engines, and others put in place. But a recent click fraud ring discovered by click-fraud monitoring service Anchor Intelligence suggests that the practice is evolving to a scale never seen before.

Anchor Intelligence identified a click fraud ring being run out of China which involved 200,000 different IP addresses and racked up more than $3 million worth of fraudulent clicks across 2,000 advertisers in a two-week period. That money was never paid out and the ring has now dissipated (or moved on to another scam), but who knows how long the ring was in operation before Anchor noticed.

Good news, bad news? “The longer we work with our systems the buggier they become?”

Microsoft Plans Largest-Ever Patch Tuesday

Posted by timothy on Thursday October 08, @07:49PM from the 24-hours-but-bigger-minutes dept.

CWmike writes

"Microsoft said it will deliver its largest-ever number of security updates on Tuesday to fix 13 flaws in every version of Windows, as well as Internet Explorer (IE), Office, SQL Server, important developer tools and Forefront Security client software. Among the updates will be the first for the final, or release to manufacturing, code of Windows 7, Microsoft's newest operating system. The 13 updates slated for next week, eight of them pegged 'critical,' beat the previous record of 12 updates shipped in February 2007 and again in October 2008."

Update: Reader Kurt Seifried writes to correct the math a bit, pointing to Microsoft's Advance Notification page for the release, which says that rather than 13 flaws, this Patch Tuesday involves "13 bulletins (eight critical and five important), addressing 34 vulnerabilities ... Most of these updates require a restart so please factor that into your deployment planning."

Definitions are critical here. Will they flag my nightly backups as high-volume, therefore SPAM? What actions will they take? A pop-up in my browser isn't much use if I'm not there and my browser isn't running. Is it good customer service to first mention this new “service” AFTER it starts?

Comcast's War On Infected PCs (Or All Customers)

Posted by timothy on Thursday October 08, @04:21PM from the could-go-badly dept.

thadmiller writes

"Comcast is launching a trial on Thursday of a new automated service that will warn broadband customers of possible virus infections if the computers are behaving as if they have been compromised by malware. For instance, a significant overnight spike in traffic being sent from a particular Internet Protocol address could signal that a computer is infected with a virus, taking control of the system and using it to send spam as part of a botnet." [Or it could be a bunch of lawyers filing an appeal at the last minute. Blocking that traffic could have interesting consequences. Bob]

Update: Jason Livingood of Comcast's Internet Systems Engineering group sent to Dave Farber's "Interesting People" mailing list a more detailed explanation of what this trial will involve.

[From the article:

Customers in Denver are set to begin receiving notifications that their system may be infected with a virus or other malware via a pop-up message in the browser, as part of the new free service, called Comcast Constant Guard. The "Service Notice" will include a link to a Comcast security Web site where customers can follow a set of instructions to remove the malware from their computer.
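The overnight-spike heuristic described above, as an added illustration rather than anything from Comcast or the article: each host is compared against its own history of overnight outbound bytes, so a regular nightly backup (the case Bob raises) is part of that host's baseline and is not flagged, while a sudden multi-gigabyte burst from a normally quiet host is. Hosts, byte counts and thresholds are constructed for the example.

```python
"""Per-host overnight outbound-traffic spike detection (constructed example)."""
from collections import defaultdict
from statistics import mean, pstdev

OVERNIGHT_HOURS = range(0, 6)          # 00:00-05:59 is the "overnight" window
MIN_HISTORY_DAYS = 3                   # fewer prior nights than this: no verdict
ZSCORE_THRESHOLD = 4.0                 # how far above the host's own baseline counts
ABSOLUTE_FLOOR_BYTES = 500 * 1024**2   # ignore deviations that are tiny in absolute terms

# Constructed hourly flow summaries: (day, hour, src_ip, bytes_out). Not real data.
FLOWS = []
for day in range(1, 8):
    # 10.0.0.5: legitimate nightly backup, about 5 GB at 02:00 every night
    FLOWS.append((day, 2, "10.0.0.5", (5000 + 50 * (day % 3)) * 1024**2))
    FLOWS.append((day, 14, "10.0.0.5", 80 * 1024**2))
    # 10.0.0.9: a quiet desktop, one or two MB overnight
    FLOWS.append((day, 3, "10.0.0.9", (1 + day % 2) * 1024**2))
    FLOWS.append((day, 15, "10.0.0.9", 200 * 1024**2))
# Day 7: the quiet desktop suddenly pushes 2 GB at 04:00 (spam-bot-like behaviour)
FLOWS.append((7, 4, "10.0.0.9", 2 * 1024**3))
# 10.0.0.22: first seen on day 7 with a large overnight transfer, but no history
FLOWS.append((7, 1, "10.0.0.22", 3 * 1024**3))


def overnight_bytes_by_day(flows):
    """Sum overnight outbound bytes per source IP, per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, hour, ip, nbytes in flows:
        if hour in OVERNIGHT_HOURS:
            totals[ip][day] += nbytes
    return totals


def assess_host(per_day, day):
    """Return (verdict, z_score_or_bytes) for one host on `day`.

    The baseline is the host's own overnight totals on earlier days, so a
    transfer that happens every night is 'normal' for that host.
    """
    history = [b for d, b in sorted(per_day.items()) if d < day]
    today = per_day.get(day, 0)
    if len(history) < MIN_HISTORY_DAYS:
        return "insufficient-history", today
    base_mean = mean(history)
    # A floor on the spread keeps a perfectly regular host from flagging on jitter
    spread = max(pstdev(history), 0.05 * base_mean, 1.0)
    z = (today - base_mean) / spread
    if today - base_mean > ABSOLUTE_FLOOR_BYTES and z > ZSCORE_THRESHOLD:
        return "spike", z
    return "normal", z


def find_spikes(flows, day):
    """Assess every host seen in `flows` for the given day."""
    return {ip: assess_host(per_day, day)
            for ip, per_day in overnight_bytes_by_day(flows).items()}


if __name__ == "__main__":
    for ip, (verdict, detail) in sorted(find_spikes(FLOWS, 7).items()):
        print(f"{ip:10} {verdict:22} {detail:.1f}")
```

The backup host passes because its baseline already contains the nightly 5 GB; the same logic would still flag that host if its backup volume suddenly grew far beyond its usual range, which is exactly the ambiguity the notice-then-verify approach has to live with.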

So are we bragging or complaining here? Either position starts with the assumption that Yahoo was acting as the laws of Iran require. (Legal may not be ethical)

Did Yahoo provide Iran with names of 200,000 users?

Posted by Richard Koman @ October 8, 2009 @ 10:13 PM

This post is going to make some major allegations. I realize this is not completely buttoned down, but I believe there is sufficient veracity in what I have right now to publish. I am expecting to be able to provide further proof as the story unfolds.

Yahoo collaborated with the Iranian regime during the election protests, providing to the authorities the names and emails of some 200,000 Iranian Yahoo users, according to a post on the Iranian Students Solidarity (Farsi) blog.

Lawyers are not considering the Streisand effect before they send those notices.

Photoshop Disaster Draws DMCA Notice For Boing Boing

Posted by timothy on Thursday October 08, @01:58PM from the need-to-fatten-that-one-a-bit dept.

Pickens writes

"Cory Doctorow writes that Ralph Lauren issued a DMCA takedown notice after Boing Boing republished the Photoshop disaster contained in a Ralph Lauren advertisement in which a model's proportions appear to have been altered to give her an impossibly skinny body with the model's head larger than her pelvis. Doctorow says that one of the things that makes their ISP Priority Colo so awesome is that they don't automatically act on DMCA takedowns and proceeded to dare Lauren to sue. 'This is classic fair use: a reproduction "for purposes such as criticism, comment, news reporting," etc,' writes Doctorow. 'Copyright law doesn't give you the right to threaten your critics for pointing out the problems with your offerings.' Doctorow adds that every time Lauren threatens to sue he will 'reproduce the original criticism, making damned sure that all our readers get a good, long look at it,' 'publish your spurious legal threat along with copious mockery,' and 'offer nourishing soup and sandwiches to your models.'"

Another “shortage?” Do you suppose none of the telecommunication companies understood this when they bid at the spectrum auctions? Sounds to me like the government is about to add another tax “to correct the market.”

FCC Chairman Warns of Wireless Spectrum Gap

Posted by timothy on Thursday October 08, @06:52PM from the congress-from-whom-all-blessings-flow dept.

locallyunscene writes

"'We are fast entering a world where mass-market mobile devices consume thousands of megabytes each month,' FCC Chairman Julius Genachowski warned at CTIA Wireless yesterday. 'So we must ask: what happens when every mobile user has an iPhone, a Palm Pre, a BlackBerry Tour, or whatever the next device is? What happens when we quadruple the number of subscribers with mobile broadband on their laptops or netbooks?'"

Once upon a time, in a courtroom far, far away... (Apparently, all of IBM's lawyers who were involved with the huge anti-trust case have retired and left nothing for their replacements – not even an oral history.)

IBM Faces DOJ Antitrust Inquiry On Mainframes

Posted by ScuttleMonkey on Thursday October 08, @01:07PM from the goliath-syndrome dept.

Several sources are reporting that IBM is facing an antitrust inquiry from the US Department of Justice due to a supposed refusal to issue mainframe OS licenses to competitors.

"Part of CCIA's complaint stems from the tech giant's treatment of former competitor Platform Solutions. IBM had little competition in the mainframe market when Platform Solutions, early this decade, began work on servers that could mimic the behavior of more expensive IBM mainframes, CCIA said. Platform Solutions, based on past mainframe agreements between IBM and the DOJ, requested copies of IBM's OS and technical information under a licensing agreement. IBM declined to grant Platform Solutions a license and prohibited customers from transferring IBM software licenses to Platform Solutions machines, said CCIA, which has members that are potential competitors of IBM."

It's one thing to sue these guys, but with bias allegations against all the judges and now indications of faked/falsified evidence, you have to wonder if the courts can function correctly in “high tech” cases?

Anti-Pirates Try to Nail The Pirate Bay with Faked Evidence

Written by Ernesto on October 08, 2009

In August, Dutch anti-piracy outfit BREIN won its case against The Pirate Bay, and the court ordered the defendants to block access to Dutch visitors. The case was appealed today and rightly so. It appears that the evidence presented by BREIN was faked in an attempt to mislead the court.

Do I detect a slight political bias?

Barack Obama Wins the 2009 Nobel Peace Prize

Posted by kdawson on Friday October 09, @08:52AM from the taliban-not-happy dept.

Barack Obama has just been awarded the Nobel Peace Prize. The BBC opines:

"In awarding President Obama the Nobel Peace Prize, the Norwegian committee is honoring his intentions more than his achievements. After all, he has been in office only just over eight months and he will presumably hope to serve eight years, so it is very early in his term to get this award. ... The committee does not make any secret of its approach. It states that he is being given the prize 'for his extraordinary efforts to strengthen international diplomacy and co-operation between peoples.' This is of course an implied criticism of former US president George W Bush and the neo-conservatives, who were often accused of trying to change the world in their image."

The Washington Post collects more reactions from around the world.

Geek parents – watch the video

Thursday, October 08, 2009

Another update. Perhaps we'll see coverage like we saw with SCO?

Heartland Breach: Inside Look at the Plaintiffs’ Case

October 8, 2009 by admin Filed under Breach Incidents, Commentaries and Analyses, Financial Sector

Two stories today take a look at the master complaint (pdf) filed last month in U.S. Southern District Court in Houston.

Linda McClasson of provides a timeline and re-hash of the breach that incorporates allegations from the lawsuit, including statements made by Heartland before and after the breach and the statement made by Ellen Richey of Visa, while Evan Schuman of StorefrontBacktalk was intrigued by one incident described in the complaint:

“On the day after the data breach, Heartland conducted a webinar about the data breach for its high-level employees, sales representatives and/or relationship managers. Upon information and belief, Heartland relationship managers were told that PCI compliance was not a big deal. One of Heartland’s relationship managers resigned on or around April 23, 2009, in part because of Heartland’s statements regarding its PCI compliance. A Referee’s Decision in a Delaware Department of Labor proceeding reached the conclusion that this relationship manager had “good cause” to leave her position at Heartland based, in part, on Heartland’s conduct.” That might prove quite significant or it could be an irrelevant red herring. Either way, it’s not the kind of detail we see very often.

It's no longer “Oi! Give me your password, mate!” But the concept is the same.

Web mail scam propagates itself

October 7, 2009 by admin Filed under Breach Incidents, Business Sector

The BBC reports:

The industry-wide phishing scam that has affected popular web mail services such as Hotmail and Gmail is spreading, according to experts.

Security firm Websense says it has noticed a sharp rise in spam emails from Yahoo, Gmail and Hotmail accounts.

This is because infected accounts are sending personalised e-mails to contacts suggesting shopping sites, which are in fact fakes.


Peter Griffin found his Hotmail account had been compromised on Tuesday. He is currently unemployed and is worried that he has been sending spam to prospective employers.

“I checked my account yesterday and found more than ten e-mails with links [that] were sent from my Hotmail [account] to people from my contacts,” he told the BBC.

Despite changing his password, he “found an hour later they had sent another six e-mails”.

One security expert thinks victims of the scam could have been part of a so-called key-logging attack.

Amichai Shulman from security firm Imperva said the high numbers of victims suggested this type of attack.

Read more on The BBC.

(Related) What kind of idiot falls for a phishing scam?

Citing cybercrime, FBI director doesn’t bank online

October 8, 2009 by Dissent Filed under Breaches, Internet

Robert McMillan reports that FBI Director Robert Mueller stopped using online banking after nearly falling prey to a phishing scheme:

Though he stopped before handing over any sensitive information, the incident put an end to Mueller’s online banking.

“After changing our passwords, I tried to pass the incident off to my wife … as a teachable moment,” he said. “To which she deftly replied, ‘Well, it is not my teachable moment. However, it is our money. No more Internet banking for you.’”

Mueller said he considers online banking “very safe” but that “just in my household, we don’t use it.”

Read more in Computerworld.

(Related) Knowing the cause/source makes re-securing your systems easier.

Researcher refutes phishing account of hijacked Hotmail passwords

October 7, 2009 by admin Filed under Breach Incidents, Business Sector, Of Note

Gregg Keizer reports:

One researcher isn’t buying Microsoft’s and Google’s explanation that hijacked Hotmail and Gmail passwords were obtained in a massive phishing attack.

Mary Landesman, a senior security researcher at San Francisco-based ScanSafe, said it’s more likely that the massive lists — which include approximately 30,000 credentials from Hotmail, Gmail, Yahoo Mail and other sources — were harvested by botnets that infected PCs with keylogging or data stealing Trojan horses.

Landesman based her speculation on an accidental find in August of a cache of usernames and passwords, including those from Windows Live ID, the umbrella log-on service that Microsoft offers users to access Hotmail, Messenger and a slew of other online services.

That cache contained about 5,000 Windows Live ID username/password combinations, said Landesman, who found the trove while researching a new piece of malware. “From the organization [of that cache] and what the data looked like in raw form, I think it’s more likely that this latest was the result of keylogging or data theft, not phishing,” Landesman said.

Read more on Network World.

Probably not related... Note the organization and international connections. This isn't bored teenagers any more.

Operation Phish Phry reels in 100 in U.S. and Egypt

October 7, 2009 by admin Filed under Breach Incidents, ID Theft, Malware, Non-U.S., Of Note, U.S.

The largest number of defendants ever charged in a cyber crime case have been indicted in a multinational investigation conducted in the United States and Egypt that uncovered a sophisticated “phishing” operation that fraudulently collected personal information from thousands of victims that was used to defraud American banks.

This morning, authorities in several United States cities arrested 33 of 53 defendants named in an indictment returned last week by a federal grand jury in Los Angeles. Several defendants charged in the indictment are being sought this morning by law enforcement. Additionally, authorities in Egypt have charged 47 defendants linked to the phishing scheme.

… Operation Phish Phry commenced in 2007 when FBI agents, working with United States financial institutions, took proactive steps to identify and disrupt sophisticated criminal enterprises targeting the financial infrastructure in the United States.

… The 51-count indictment accuses all of the defendants of conspiracy to commit wire fraud and bank fraud. Various defendants are charged with bank fraud; aggravated identity theft; conspiracy to commit computer fraud, specifically unauthorized access to protected computers in connection with fraudulent bank transfers; and domestic and international money laundering.

According to the indictment that was unsealed this morning, Egyptian-based hackers obtained bank account numbers and related personal identification information from an unknown number of bank customers through phishing—a technique that involves sending e-mail messages that appear to be official correspondence from banks or credit card vendors.

… Armed with the bank account information, members of the conspiracy hacked into accounts at two banks. Once they accessed the accounts, the individuals operating in Egypt communicated via text messages, telephone calls and Internet chat groups with co-conspirators in the United States. Through these communications, members of the criminal ring coordinated the illicit online transfer of funds from compromised accounts to newly created fraudulent accounts.

… A portion of the illegally obtained funds withdrawn were then transferred via wire services to the individuals operating in Egypt who had originally provided the bank account information obtained via phishing.

“The sophistication with which Phish Phry defendants operated represents an evolving and troubling paradigm in the way identity theft is now committed,” said Keith Bolcar, Acting Assistant Director In Charge of the FBI in Los Angeles. “Criminally savvy groups recruit here and abroad to pool tactics and skills necessary to commit organized theft facilitated by the computer, including hacking, fraud and identity theft, with a common greed and shared willingness to victimize Americans.”

Unlikely to ever make the Hacker Hall of Fame.

Former Teen Stock Swindler Pleads to New Hacking Charges

By Kevin Poulsen October 7, 2009 2:53 pm

A former teenage hacker who once served prison time for an online stock-trading scheme pleaded guilty last week to new charges of cracking a New York-based currency exchange service and gifting himself more than $100,000.

On Sept. 29, Van T. Dinh, now 25, confessed to computer fraud and identity theft in federal court in Manhattan.

… The FBI traced the hacking to an IP address assigned to the home Dinh shares with his mother in Phoenixville, Pennsylvania, near Philadelphia.

… He’s being held without bail at the Metropolitan Correctional Center in New York as a “danger to the community by hacking activities,” among other reasons.

It's not the Terminator-ness, it's the Big Brother-ness...

How Dangerous Could a Hacked Robot Possibly Be?

Posted by CmdrTaco on Thursday October 08, @09:36AM from the i-for-one-welcome-DELETED dept.

alphadogg writes

"Researchers at the University of Washington think it's finally time to start paying some serious attention to the question of robot security. Not because they think robots are about to go all Terminator on us, but because the robots can already be used to spy on us and vandalize our homes. In a paper published Thursday the researchers took a close look at three test robots: the Erector Spykee, and WowWee's RoboSapien and Rovio. They found that security is pretty much an afterthought in the current crop of robotic devices. 'We were shocked at how easy it was to actually compromise some of these robots,' said Tadayoshi Kohno, a University of Washington assistant professor, who co-authored the paper."

Want to do some Privacy Research?

The Privacy Projects launches to fund ‘evidence-based’ privacy research

October 8, 2009 by Dissent Filed under Other

Mobile devices, cloud computing and global business partnerships enabled by the Internet and other network services have redrawn the map of the global flow of personal information.

Technology will continue to drive simple services built on these complex systems, pushing the balance between using and protecting personal data “to the breaking point,” according to Richard Purcell, President of The Privacy Projects (TPP), a non-profit research institute that launches today.

The Privacy Projects intends to fund academic research into “evidence-based” privacy to enhance policies, practices and tools necessary to meet the power of the new technologies. “We intend to support advances in the ways companies collect, store, use, share and manage customer information,” said Purcell. “We encourage the digital human represented by the data to be more respected and better protected.”


The new group’s first research paper, written by UC Berkeley Professor Paul M. Schwartz, focuses on how six global corporations control cross-border data flows to meet customer needs while complying with multiple, local regulation. TPP will present the paper at the upcoming workshop of the Organization of Economic Co-operation and Development in Paris. Additional research — four or five are planned each year, according to Purcell — will expand on the ways in which data policies, practices, and technology tools can evolve to meet the current needs of all players.

Read the entire press release here.

Lawsuit challenges California’s mandatory DNA collection at arrest

October 7, 2009 by Dissent Filed under Court, Legislation, Surveillance, U.S.

A lawsuit filed today by the ACLU of Northern California seeks to stop California’s policy of mandating that DNA is collected from anyone arrested for a felony, whether or not they are ever charged or convicted. The ACLU opposes this law because it violates constitutional guarantees of privacy and freedom from unreasonable search and seizure, and because of the harmful impact on communities of color.

… In March 2009, Lily Haskell attended a peace rally in San Francisco and was arrested. She was not charged with a crime and was quickly released, but not before being required to provide a DNA sample.

“When your DNA is taken after an arrest at a political demonstration, it can have a silencing effect on political action,” said Haskell “Now my genetic information is stored indefinitely in a government database, simply because I was exercising my right to speak out.”

People like Haskell who are innocent and were never even charged with a crime may seek to have their DNA sample expunged [Like an 'Opt out' clause... Bob] from the state database, but the process is cumbersome and requires a long wait until the statute of limitations to bring charges has run out–at least three years and, in some cases, much longer.

… “Automatically collecting DNA from people who are merely arrested ignores the presumption of innocence. It blurs the line between being suspected of a crime and being convicted,” said Peter C. Meier, attorney with Paul, Hastings, Janofsky & Walker LLP, which is litigating the case with ACLU-NC on a pro bono basis.

… The case (No. 09-04779) is filed in the United States District Court for the Northern District of California in San Francisco.

Related: Complaint in Haskell v. Brown (Oct. 7, 2009)

See? Practice does make perfect. Sony is getting quite good at this.

Sony Sued Over Bricked PS3s

Posted by Soulskill on Wednesday October 07, @01:41PM from the sony's-pr-department-must-be-pleased dept.

Zarrot writes

"If Sony's recent 3.00 PS3 firmware update bricked your console, you may now have legal recourse thanks to a class action suit against Sony. The complaint alleges that thousands of users (PDF) were affected by the update, and in some cases the PS3 hardware itself was damaged. It continues, 'For owners who sustained hardware damage from the Sony-required update, Sony is charging a $150 repair fee per unit. Sony, responding to the numerous complaints about the unacceptable effects of the defective update, released a further, optional update that it claimed "improves system stability" — yet performance problems continued, and the new update did nothing to remedy the systems of users who sustained hardware damage.'"

Perhaps this logic will eventually be imported...

Creator of Winny file-sharing program found innocent in copyright violation case

October 8, 2009 by Dissent Filed under Court, Internet, Non-U.S.

The Asahi Shimbun reports an interesting court decision in Japan:

Setting a new guideline for criminal responsibility using new technology, the Osaka High Court ruled Thursday that the creator of the Winny peer-to-peer file-sharing program was not guilty of helping users violate copyrights.

Presiding Judge Masazo Ogura overturned a Kyoto District Court ruling, saying Isamu Kaneko, 39, was innocent because he did not promote illegal activities using the Winny software, even though he was aware of the risks of copyright violations.

Ogura also said the software “has various uses and the technology should be considered value neutral.” He concluded that the provision of a skill or technology alone does not constitute abetment.

Read more in Asahi Shimbun.

Okay, this one is silly, but it isn't unusual for businesses to expect employees to act “correctly.” Where is Emily Post when we need her?

Avatars To Have Business Dress Codes By 2013

Posted by samzenpus on Thursday October 08, @01:25AM from the no-flaming-hair-at-pretend-work dept.

nk497 writes

"With businesses increasingly using digital tech like virtual worlds and Twitter, their staff will have to be given guidelines on how they 'dress' their avatars, according to analysts. 'As the use of virtual environments for business purposes grows, enterprises need to understand how employees are using avatars in ways that might affect the enterprise or the enterprise's reputation,' said James Lundy, managing vice president at Gartner, in a statement. 'We advise establishing codes of behavior that apply in any circumstance when an employee is acting as a company representative, whether in a real or virtual environment.'"

Even a warped perspective can be useful.

October 07, 2009

European Commission: The Future of the Internet and Europe's Digital Agenda

Viviane Reding, Member of the European Commission in charge of Information Society and Media, The Future of the Internet and Europe's Digital Agenda - Brussels, 6 October 2009

  • "In less than 10 years, [Everyone knows that Al Gore invented the Internet more than 10 years ago... Bob] the internet has grown from being a novel technical gadget application into becoming central to the economic systems of the developed world. This is because of its horizontal nature, it is everywhere, used throughout industry, economy and society whether for business or for leisure. It has driven more than half of the productivity gains in both the EU and the USA. It is the medium through which Information and Communication technologies can be exploited leading to innovation in business and a wide range of economic and societal benefits to citizens and consumers... One issue that is getting my full attention is the protection of privacy and of personal data in the online environment."

It's free, it's fully indexed, why aren't we doing something useful with it?

Questions (and Answers!) About the Federal Register

by Carl Malamud

… As many of you saw, the Office of the Federal Register announced that source code for the Federal Register is now available in bulk—for free—and has been converted to XML. Ed Felten's shop at Princeton created a site called to see what you can do with the data and Public.Resource.Org helped the Government Printing Office in testing early stages of the XML work.

For the Surgical Technology students. Perhaps we could morph on the head of your favorite celebrity – “Today we will carve up Jay Leno's chin.”

Virtual Autopsy On a Multi-Touch Table Surface

Posted by Soulskill on Wednesday October 07, @12:17PM from the over-my-dead-body dept.

An anonymous reader writes

"Engadget points out one of the more interesting ways to use a multitouch table surface so far. Researchers at Norrkoping Visualization Centre and the Center for Medical Image Science and Visualization in Sweden have fitted such a device with stunning, volume-rendered visualizations of high-resolution MRI data. If you've ever wondered what the inside of a human being really looks like, but lacked the grit or credentials to watch an autopsy in the flesh, check it out."

This video should capture the attention of my Small Business students

Everything You Wanted To Know About Startup Building But Were Afraid To Ask

by Michael Arrington on October 7, 2009

… Last night I saw a 45 minute presentation by Mint CEO Aaron Patzer at a startup competition event called Juice Pitcher on the Microsoft campus. The event, which is put on by TheFunded and, put a handful of new startups on stage to show their stuff and compete for a top prize. Between pitches, Patzer took the stage and told the story of Mint, in detail. His company just sold for $170 million to Intuit.

Patzer takes the audience (and now you) from the beginning of Mint, and gives some incredibly useful advice. He talks about the early days of Mint, where he lived on $30,000/yr and hired engineers at just a little more salary by offering them significant equity. He also says that, as a rule of thumb, every engineer in a pre-revenue startup adds $500,000 in valuation. Every business guy lowers the valuation by $250,000, he half jokingly quipped. In its earliest days, Mint was burning $150,000/year, he says, for 2 founders and 1 engineer/contractor.

For my Disaster Recovery students

October 07, 2009

Google Flu Trends expands to 16 additional countries

Official Google Blog: "If you're like us, you're probably thinking a lot about how this year's flu season might affect you and your community. To help you out, we at are excited to announce the expansion of Google Flu Trends to 16 additional countries, including much of Europe. We've also made the site available in 37 languages. Flu is a global threat, affecting millions worldwide each year, so we're pleased to make this tool available in more regions and languages."

Global Warming! Global Warming!

Loveland Ski Area is first in North America to open its slopes, resort says

October 7, 2009 3:01 pm

… Colorado Gov. Bill Ritter Jr. congratulated Loveland on its earliest opening in 40 years


Season begins as skiers hit Loveland slopes

… the earliest opening day in the ski area's history.

Wednesday, October 07, 2009

It never fails, as the Privacy Foundation gets ready to put on a seminar on HIPAA Privacy, someone obliges us by providing a great “bad example” for analysis and discussion.

850,000 doctors could be hit by potential data breach from insurer’s stolen laptop

October 6, 2009 by admin Filed under Breach Incidents, Healthcare Sector, Of Note, Theft, U.S.

Emil Berry reports on a recent breach that was originally described as affecting “tens of thousands” of people. Now it appears that the breach was much bigger:

A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Assn. employee. It is not yet known whether any identity theft has resulted from the data breach.

The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors, Jeff Smokler, spokesman for the Chicago-based Blues association, said Oct. 6. That number represents every physician who is part of the BlueCard network, which allows Blues members to access networks in other states, Smokler said.

Some 16% to 22% of those physicians listed — as many as 187,000 — used their Social Security numbers as a tax ID or NPI number, Smokler said.


An unidentified employee downloaded the unencrypted file onto his personal computer to work on it at home, a practice that is against company policy, he said. [But apparently there was no mechanism to actually prevent or detect this violation. Bob]


[From the article:

Smokler said Oct. 5 that he didn't know exactly when the laptop was stolen. He said the organization "became aware of it" about three weeks ago.


TN: 68 Blue Cross Blue Shield hard drives stolen

October 6, 2009 by admin Filed under Breach Incidents, Healthcare Sector, Of Note, Theft, U.S.

Yet another Blue Cross Blue Shield breach in the news this week, although it’s not clear yet whether any PII or PHI are involved. Joe Legge reports:

Monday, Blue Cross Blue Shield workers noticed something missing here at their Eastgate offices. Dozens of computer hard drives weren’t where they were supposed to be. 68 drives to be exact.

Authorities say a burglar alarm went off Friday… but Blue Cross didn’t report the possible theft until making a visual inspection days later. Sgt. Jerri Weary with the Chattanooga Police Department says “they could have been taken anytime during the weekend.”


A Blue Cross spokesperson says she doesn’t know if the missing drives contain private patient information.

Read more on WDEF news. Cross-posted from

[From the article:

Blue Cross tells WDEF News 12 the "alarm" that was triggered was not something that made a *sound.*

Their computer systems generated a notice that there was an issue with the servers. [Not so much a burglar “alarm” as a burglar “Tweet” “I am now breaking into the building...” Bob]

Update: Someone is eventually going to say “Yes”

Hannaford breach case not over yet

October 7, 2009 by admin Filed under Business Sector, Commentaries and Analyses, Hack, ID Theft, Of Note, U.S.

Trevor Maxwell reports:

Just as a potential class-action lawsuit against Hannaford Bros. appeared dead, there’s a glimmer of hope this week for consumers who hope to recover damages from the Scarborough-based grocer for a massive electronic data theft in late 2007 and early 2008.

The federal judge overseeing the case plans to ask Maine’s highest court its opinion on a legal question that has no precedent in this state: Do Hannaford shoppers who had to be reimbursed by their banks and went through other hassles associated with stolen account numbers have the right to seek damages for their effort and lost time?

Read more in the Portland Press Herald.

We can, therefore we must! (I can't help it, this article reads like a straight-line generator.)

Airport developments: strip searches, Clear program

October 7, 2009 by Dissent Filed under Govt, Surveillance, U.S. notes:

The Transportation Security Administration (TSA) has plans to greatly expand its use of whole body imaging machines at airports around the country. The x-ray machines, which each cost over $100,000, capture detailed, graphic images of passengers’ naked bodies. In June, the House of Representatives overwhelmingly passed a measure that would restrict TSA’s use of these machines. The measure is pending in the Senate. The Privacy Coalition has urged the Department of Homeland Security to suspend the program until privacy and security risks can be fully evaluated. EPIC has also filed Freedom of Information Act requests for the contracts with the vendor Rapiscan.

Also affecting airport travelers: Scott Powers reports in the Chicago Tribune that three companies are bidding to take over the Clear Registered Travel program.

But now at least three companies, including FLO Corp., which ran a separate registered traveler program in Reno, Nev., are bidding to buy Clear’s customer lists and re-establish the service. Orlando International, which was the first Clear airport in 2005 and hosted the most registered travelers, may be the location the companies want most.

“It’s the plum,” FLO managing partner Fred Fischer said. “It’s the peach.”

FLO, a Delaware corporation; Henry Inc. of California; and at least one other bidder that has not been publicly identified have made formal pitches to Morgan Stanley, which gained control of the assets after Clear’s parent company, Verified Identity Pass, shut down June 22.

Where does whistle blower end and “Hacker enabler” begin?

Man banished from PayPal for showing how to hack PayPal

Some hacking tools more equal than others

By Dan Goodin in San Francisco Posted in Security, 6th October 2009 23:03 GMT

If it quacks like a duck...

Court Rules For Software Ownership Over Licensing

Posted by kdawson on Wednesday October 07, @01:32AM from the broke-it-you-bought-it dept.

valderost writes

" reports on a finding of the US District Court for the Western District of Washington, in favor of an individual reselling Autodesk's AutoCAD software in 'his claim that he owned the software and had the right to sell it on.' The decision hinges on some technicalities in the Autodesk license and conflicting precedents involving a Vanessa Redgrave film, but it's good news for the idea that a software purchase is just that. 'The Court said that it had to follow [the film] case's precedent because it was older than another conflicting ruling, and that it could not choose a precedent based on the most desirable policy. "The court's decision today is not based on any policy judgment. Congress is both constitutionally and institutionally suited to render judgments on policy; courts generally are not," the Court ruled. "Precedent binds the court regardless of whether it would be good policy to ignore it."'" [...and often, good logic. Bob]

Interesting read...

Q&A: Amit Yoran talks cybersecurity

by Elinor Mills October 7, 2009 4:00 AM PDT

West Point graduate Amit Yoran did security work in the Air Force, the Defense Department, and private industry before being tapped as director of cybersecurity for the Department of Homeland Security.

He joined DHS in September 2003 and left about a year later, the first of several cybersecurity directors to have a short tenure.

What is the state of cybersecurity today?

Yoran: The organized crime, the criminal element today, is organized. They've got capability and because there is money on the line they've got phenomenal intent and focus and persistence. Last year, the FBI director said that more money was made using online cybercrime than by drug trafficking in the U.S. It's a mind-boggling number to people who aren't familiar with it... About 30 percent of the cybercrime today uses anti-forensic techniques, so you're literally not going to find them even if you know to look for them... The FBI also said that over 100 foreign governments have structured offensive cyberwarfare organizations as part of their network security and intelligence infrastructure. So the industry and the IT world is getting decimated by the cybercriminals and the nation-state activity is even more advanced than that. The technologies we're using to protect ourselves, that we're relying on, the dirty secret within the IT security world is that they're incapable almost by definition of dealing with the advanced threats of cybercrime or nation states.

The challenge faced by the government departments and agencies is 98 or 99 percent similar to the challenge faced by enterprise IT environments which is very blatantly the IT security industry is not equipped to deal with the advanced threats. If we think we're monitoring systems and if we think we're protecting our systems using the products we have then we're uninformed about the threat, or misleading ourselves or just plain loony.

Passwords are not adequate security, example 4,999,852. How lazy can you be? This is on an unrestricted system. What controls has your organization implemented to prevent useless passwords like this?

Most Common Hotmail Password Revealed!

By Kim Zetter October 6, 2009 1:15 pm

A researcher who examined 10,000 Hotmail, MSN and passwords that were recently exposed online has published an analysis of the list and found that “123456” was the most commonly used password, appearing 64 times.

Forty-two percent of the passwords used lowercase letters from “a to z”; only 6 percent mixed alpha-numeric and other characters.
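To show what the researcher's analysis looks like in practice, and what a simple server-side control against "123456"-class passwords looks like, here is an added Python example. It is not from the article or Bob's original post; the password list in it is a small constructed sample (not the real Hotmail dump), weighted so that "123456" comes out on top, and the policy thresholds and blocklist are assumptions.

```python
import re
from collections import Counter

# Constructed sample standing in for a leaked password list (NOT the real
# Hotmail data). "123456" is repeated so it is the most common entry.
SAMPLE_PASSWORDS = (
    ["123456"] * 6
    + ["password", "qwerty", "abc123", "iloveyou", "princess"]
    + ["Tr0ub4dor&3", "correct-horse", "P@ssw0rd", "letmein", "alejandro"]
    + ["654321", "111111", "monkey", "dragon", "baseball", "S3cure!Pass"]
)

# Assumed blocklist of known-leaked strings; a real deployment would load
# a far larger list from a breach corpus.
WEAK_LIST = {"123456", "password", "qwerty", "abc123", "iloveyou",
             "letmein", "111111", "654321", "monkey", "dragon", "baseball"}


def analyze(passwords):
    """Compute the same statistics the article reports for a leaked list:
    the most common password and its count, the share that is lowercase
    letters only, and the share mixing letters, digits and other characters."""
    counts = Counter(passwords)
    top, top_count = counts.most_common(1)[0]
    n = len(passwords)
    lower_only = sum(1 for p in passwords if re.fullmatch(r"[a-z]+", p))
    mixed = sum(
        1 for p in passwords
        if re.search(r"[A-Za-z]", p)
        and re.search(r"[0-9]", p)
        and re.search(r"[^A-Za-z0-9]", p)
    )
    return {
        "total": n,
        "most_common": top,
        "most_common_count": top_count,
        "pct_lowercase_only": round(100 * lower_only / n),
        "pct_mixed": round(100 * mixed / n),
    }


def check_password(candidate, min_len=10, min_classes=3, blocklist=WEAK_LIST):
    """Server-side policy check run at account creation or password change.
    Rejects blocklisted strings, digit-only strings, short strings and
    strings with too few character classes. Returns (ok, reason)."""
    classes = sum(
        bool(re.search(pattern, candidate))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if candidate.lower() in blocklist:
        return False, "on blocklist of known leaked passwords"
    if candidate.isdigit():
        return False, "digits only"
    if len(candidate) < min_len:
        return False, f"shorter than {min_len} characters"
    if classes < min_classes:
        return False, f"fewer than {min_classes} character classes"
    return True, "ok"


if __name__ == "__main__":
    print(analyze(SAMPLE_PASSWORDS))
    for pw in ("123456", "correct-horse", "Tr0ub4dor&3"):
        print(pw, check_password(pw))
```

The blocklist check comes first deliberately: "123456" would also fail the digits-only and length rules, but a user should be told that the password is known-leaked, since that is the reason it is unsafe on any system, not only on this one.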

Big Brother – the home game! NOTE TO SELF: Reporting a crime might be a crime since it's illegal to look a cameras via the Internet, so can I get TWO rewards?

UK site offers cash for online CCTV snooping

October 6, 2009 by Dissent Filed under Featured Headlines, Internet, Non-U.S., Surveillance

Marc Chacksfield reports:

A new website is offering a £1,000-a-month reward for spotting crimes captured on live CCTV cameras.

The initiative asks users to monitor random cameras across the country and report back on any dodgy behaviour. If you successfully report a crime, then you could be in for a cash reward.

On the Internet Eyes website the online snooping system is described as: “uniquely designed to be proactive in detecting crime as it happens… The general public can watch CCTV camera’s anywhere, and instantly alert the camera owner when a crime is committed.”

Looking at CCTV feeds on the internet breaches the UK’s Data Protection Act. ITPro has handily picked out a piece of legislation which highlights this, explaining that, when it comes to using CCTV images, “it would not be appropriate to disclose images of identifiable individuals to the media for entertainment purposes or place them on the internet.”

Read more on TechRadar.

As the technology makes this easier...

October 06, 2009

Study Says Employers Increasingly Monitoring Outbound Emails

National Law Journal: "The economy has employers extra jittery about company secrets getting out, so nervous that they're hiring staff just to monitor outbound e-mails. That's the conclusion of a recent study by Proofpoint, an Internet security and data loss prevention company, which found that 38 percent of large U.S. employers are monitoring outbound e-mail to prevent data leaks, up from 29 percent in 2008."


Survey: Over half of U.S. workplaces block social networks

by Caroline McCarthy October 6, 2009 4:32 PM PDT

A majority of U.S. workplaces block access to social-networking sites like Facebook and Twitter, new survey results commissioned by consulting firm Robert Half Technology indicate. Fifty-four percent block social networks "completely," while another 19 percent only permit it "for business purposes."

Only 10 percent of companies surveyed permit social-network use on the job for any kind of personal use; 16 percent allow "limited" personal use, according to the results released Tuesday.

Interesting in that there is no interpretation or commentary on the laws, just the law itself. Why this update required “many hours of hard work” is beyond me.

October 06, 2009

Intelligence Community Legal Reference Book 2009

Intelligence Community Legal Reference Book, Office of the Director of National Intelligence (Published Summer 2009 - 949 pages, PDF, declassified), released Summer 2009.

  • Robert S. Litt, General Counsel: "The Intelligence Community draws much of its authority and guidance from the body of law contained in this collection. We hope this proves to be a useful resource to professionals across the federal government. This new edition is the result of many hours of hard work. I would like to extend my thanks to those across the Community who assisted the Office of General Counsel in recommending and preparing the authorities contained herein. I hope you find this book a valuable addition to your library and a useful tool as you carry out your vital mission."

Wow! I didn't see this one coming... Now my iPhone-phreak buddy can remove his hack.

AT&T To Allow VoIP On iPhone

Posted by Soulskill on Wednesday October 07, @08:47AM from the writing-on-the-wall dept.

Toe, The writes

"On Tuesday, AT&T announced it will allow Apple to enable Voice over Internet Protocol applications, such as Skype, to run on its 3G wireless data network. Apple stated, 'We will be amending our developer agreements to get VoIP apps on the App Store and in customers' hands as soon as possible.' And Skype, while happy over the move, also stated, 'the positive actions of one company are no substitute for a government policy that protects openness and benefits consumers.'"

Retaliation in the age of the Internet. Lots of good examples of bad lawsuits?

Hey, kids! Hate school? Don't tell Facebook!

The First Amendment right to insult one's school increasingly challenged

By Helen A.S. Popkin updated 7:06 a.m. MT, Tues., Oct. 6, 2009

… Even schools you elect to attend, for example, the Salon Professional Academy of Elgin, Ill., can also act as an oxygen vortex. At least that’s the opinion of a Nicholas Blacconiere, an academy student under legal fire for enshrining his negative opinions and those of others on a private page he posted on the world’s most popular social networking site.

Global Warming! Global Warming! Why is everything tied to Global Warming! Wouldn't these log books be interesting by themselves?

Captain Bligh's Logbooks To Yield Climate Bounty

Posted by kdawson on Tuesday October 06, @09:02PM from the ball-bearing-ink-smears dept.

Pickens writes

"The BBC reports that researchers are digitizing the captains' logs from the voyages of Charles Darwin on HMS Beagle, Captain Cook from HMS Discovery, Captain Bligh from The Bounty, and 300 other 18th and 19th century ships' logbooks to provide historical climate records for modern-day climate researchers who will use the meteorological data to build up a picture of weather patterns in the world at the beginning of the industrial era. The researchers are cross-referencing the data with historical records for crop failures, droughts and storms and will compare it with data for the modern era in order to predict similar events in the future. 'The observations from the logbooks on wind force and weather are astonishingly good and often better than modern logbooks,' says Climatologist Dr. Dennis Wheeler from the University of Sunderland. 'Of course the sailors had to be conscientious. The thought that you could hit a reef was a great incentive to get your observations absolutely right!' The logbooks will be online next year at the UK's National Archives."

(Related) One of my students observed that since Al Gore invented the Internet and then discovered Global Warming!, we can safely conclude that the Internet causes Global Warming!

For my Statistics class. Correlation is not causation. (Post hoc, ergo propter hoc?)

Are married white men in convertibles doomed to deafness?

by Elizabeth Armstrong Moore October 6, 2009 5:13 PM PDT

I'm not sure how many of my students have iPhones, but some do. Do you suppose Apple would give me one for testing? (Some of these apps run on PCs too)

Useful educational iPhone apps for students

by Don Reisinger October 6, 2009 3:46 PM PDT

For the Swiss Army folder, in case I need to type War & Peace in the original Russian.

Just funny

Dilbert's plan to correct inequalities in pay.