Saturday, February 20, 2010

Someone has to be teaching all these small time crooks how to “Have Fun and Make Huge Profits in the emerging Identity Theft Industry!” If I teach my security students how to steal Identities (because they need to understand the techniques they will face) is it my fault that they express their appreciation by occasionally sending me 10% of their take?

NM: MASSIVE ID THEFT RING BUSTED: DA: Thieves ‘Used Every Trick in Book’

February 19, 2010 by admin

It started out last month with a man and woman getting busted breaking into cars at the Kohl’s department store on Paseo del Norte NE.

By Thursday, a dozen people were in custody in what authorities are calling the largest identity theft ring in the city’s history.

Officials have identified Robert Rivera as the ringleader of a group who allegedly used an elaborate computer system to make bogus checks, fake credit cards and IDs. The suspects are accused of using the checks and credit cards to defraud Walmart, Maloof Distributing, Paul Allen Homes, Albertsons grocery stores and Bank of the West.

“We believe this is going to be the largest, most high-profile identity theft ring the city has ever encountered,” said Pat Davis, spokesman for the District Attorney’s Office. “That’s because this is not a group that used a single method — these weren’t just burglaries and thefts. They literally used every trick in the book to obtain bank records, IDs and account information of their victims, then turned around and used every tactic they could to quickly convert that into cash.”

Read more from McClatchy-Tribune Information Service.

“Bad decisions never die, nor do they fade away.” Douglas McGeek

Official: FBI probing Pa. school webcam spy case

February 19, 2010 by Dissent

MaryClaire Dale reports that the school spycam case has now been ratcheted up a notch:

The FBI is investigating a Pennsylvania school district accused of secretly activating webcams inside students’ homes, a law enforcement official with knowledge of the case told The Associated Press on Friday.

The FBI will explore whether Lower Merion School District officials broke any federal wiretap or computer-intrusion laws, said the official, who spoke on condition of anonymity because the official was not authorized to discuss the investigation.

Read more on Forbes.

[From the article:

Days after a student filed suit over the practice, Lower Merion officials acknowledged Friday that they remotely activated webcams 42 times in the past 14 months, but only to find missing student laptops. They insist they never did so to spy on students, as the student's family claimed in the federal lawsuit.

Families were not informed of the possibility the webcams might be activated in their homes without their permission in the paperwork students sign when they get the computers, district spokesman Doug Young said.

… The Pennsylvania case shows how even well-intentioned plans can go awry if officials fail to understand the technology and its potential consequences, privacy experts said. Compromising images from inside a student's bedroom could fall into the hands of rogue school staff or otherwise be spread across the Internet, they said.

(Related) It's difficult to get users to read all of the feature documentation that comes with an operating system (because no documentation comes with the operating system?) So you have to rely on some geek finding the “feature” and not keeping it in his secret list of hacks.

Windows 7 Can Create Rogue Wi-Fi Access Point

Posted by timothy on Friday February 19, @06:35PM

alphadogg writes

"Windows 7 contains a 'SoftAP' feature, also called 'virtual Wi-Fi,' that allows a PC to function simultaneously as a Wi-Fi client and as an access point to which other Wi-Fi-capable devices can connect. The capability is handy when users want to share music and play interactive games. But it also can allow on-site visitors and parking-lot hackers to piggyback onto the user's laptop and 'ghost ride' into a corporate network unnoticed."

While this means a bit more policing for networks meant to be locked down, it sounds like a good thing overall. Linux users, meanwhile, have had kernel support (since 2.6.26) for 802.11s mesh networking, as well as Host AP support for certain chipsets.

How much information is available?

More “lawful spying” guides available on the web

February 20, 2010 by Dissent has posted more guides for law enforcement requesting subscribers’ information. The latest batch of guides posted includes Facebook, AOL, Skype, Cox Communications, Ning, myYearbook, Stickam, two from the US Postal Service, and Yahoo’s Records Preservation Letter. The guides indicate what types of information the entity collects and retains on users and in some cases, the retention period for data or costs of services provided to law enforcement.

There is something compelling about the writings of an angry judge. They seem to cut directly to the heart of their argument and express themselves in very clear, non-technical (and highly quotable) language.

Chief Judge Alex Kozinski writes scathing dissent in Fourth Amendment case

February 19, 2010 by Dissent

When a judge called for United States v. Lemus to be reheard en banc, the majority of judges in the Ninth Circuit Court of Appeals did not vote to rehear the case. Chief Judge Alex Kozinski wrote an absolutely blistering dissent to that denial. With Judge Paez joining in the dissent, he wrote:

This is an extraordinary case: Our court approves, without blinking, a police sweep of a person’s home without a warrant, without probable cause, without reasonable suspicion and without exigency—in other words, with nothing at all to support the entry except the curiosity police always have about what they might find if they go rummaging around a suspect’s home. Once inside, the police managed to turn up a gun “in plain view”—stuck between two cushions of the living room couch—and we reward them by upholding the search.

Did I mention that this was an entry into somebody’s home, the place where the protections of the Fourth Amendment are supposedly at their zenith? The place where the “government bears a heavy burden of demonstrating that exceptional circumstances justif[y] departure from the warrant requirement.” United States v. Licata, 761 F.2d 537, 543 (9th Cir. 1985). The place where warrantless searches are deemed “presumptively unreasonable.” Payton v. New York, 445 U.S. 573, 586 (1980).


Read the rest of his dissenting opinion here.

Friday, February 19, 2010

Update. School District says “We can, but we didn't. Trust us!”

Pa. school district denies spying on students with MacBooks

February 19, 2010 by Dissent

A school district responds to a lawsuit alleging that students were spied on in their own homes by district-issued laptops by saying that the surveillance was a security feature.

Kreg Keizer reports:

A suburban Philadelphia school district yesterday denied it spied on students by remotely activating the cameras on their school-issued MacBook laptops.

In a statement released late Thursday, Christopher McGinley, the superintendent of Lower Merion School District of Ardmore, Pa., admitted that the MacBooks’ cameras could be turned on without the user’s knowledge, but said that the functionality was part of a security feature.

“Laptops are a frequent target for theft in schools and off-school property,” said McGinley. “The security feature was installed to help locate a laptop in the event it was reported lost, missing or stolen so that the laptop could be returned to the student.” When switched on, the feature was limited to taking snapshots of whomever was using the notebook and capturing the computer’s current screen.

Read more on Computerworld.

[From the article:

McGinley confirmed that the district had disabled the camera activation feature Thursday, and would not switch it back on without the written consent of students and families.

The new economics? Increase profits by inventing new charges to impose on customers?

‘Privacy Assist’ My Eye, Class Tells BofA

February 18, 2010 by Dissent

Maria Dinzeo reports:

Bank of America takes money from customers’ accounts to pay for services they didn’t order and don’t want, a class action claims in Federal Court. The class claims the bank charges for “Privacy Assist” services without informing them, and refuses to refund the money when customers catch on.

The class claims Bank of America has been withdrawing $8.99 from their accounts every month for “Privacy Assist,” which includes credit monitoring and free access to online credit reports.

Read more on Courthouse News. A copy of the complaint can be found here.

[From the article:

Privacy Assist Premier offers identity theft insurance for $12.99 a month, and Privacy Assist Complete includes anti-virus software for $18.99.

Silly me. I assumed that anything that law enforcement could access would automatically be available to the defense. (Eventually even federal wiretaps)

Indicted Cop Challenges Facebook’s Privacy Rights

February 18, 2010 by Dissent

Joe Harris reports:

A judge is weighing whether Facebook’s right to privacy trumps a man’s rights to discovery for his defense in a criminal trial.

At issue is a motion from the attorney for former St. Louis City police Officer Bryan Pour, who authorities say used his department-issued pistol to shoot Jeffrey Bladdick in a bar parking lot. The motion seeks disclosure from Facebook of 23 individual user profiles and the actions of a Facebook group called “Jeff Bladdick is a bulletproof badass” going back to the day before the Nov. 9, 2008 incident.

Madison County Associate Judge James Hackett said he needed more time after hearing arguments from both sides Wednesday.

Pour’s attorney Albert Watkins said an anonymous tipster informed him of the group, which he believes included several officers involved in the investigation.

Watkins argued that his client’s constitutional rights fall within exceptions of the 2000 Electronic Communications Privacy Act and said that law enforcement regularly accesses the same records for its own investigations.

Pour faces up to 30 years in prison if convicted.

“If law enforcement is entitled to those records, it seems inherently flawed to not allow a criminally accused person who’s looking at 30 years in prison to the same information when it is clear that something was said,” Watkins said.

Read more on Courthouse News.

So, what does the government watch, and why?

How closely does the government watch the files on your web site?

February 19, 2010 by Dissent

Does the government need any warrant or additional legal authority to view or collect information from publicly available web sites? A recent DHS memo received some guffaws on mail lists where people wondered why DHS would need to issue detailed privacy impact memos or justification that it was reading sites that are publicly available to everyone. And from a national security perspective, don’t we want the government finding what is out there for everyone else to find?

John Young of seems to think that the government does need some authorization to monitor publicly available web sites. Cryptome received an email from the Coast Guard about a file available on his site that indicated that as part of a “DHS wide pre-audit of public facing internet sites,” the Coast Guard was contacting “owners of CG web sites identified” that might contain inappropriate material. The email referred to a file on his site that was marked FOUO (For Official Use Only).

After confirming that the email was for real, Young replied, in part:

If you are legitimately and with authorization acting on behalf of the Coast Guard and DHS, you are overreaching governmental authority to monitor public web sites for “inappropriate material” unless you have a court order to do so or that the President has issued an executive order for such invasive action.

If you are doing this in secret or without appropriate authority, that is an even greater violation.

Young has now filed a FOIA request to obtain more information about the Coast Guard conducting “pre-audit reviews.”

Any lawyers care to chime in on the situation? I don’t see anything particularly wrong with the government scanning publicly available web sites for files that they deem as important to national security, although I do appreciate John’s response about FOUO designation.

(Related) Not actually seizure, they just downloaded a copy of his child porn files.

Feds Can Search, Seize P2P Files Without Warrant

… The defendant, however, claimed he had a reasonable expectation of privacy because he thought he had turned off LimeWire’s share feature.

The new economics. “We love our customers, just not as much as we love money!” You never purchased your games, soon even the packaging will be worthless. Perhaps soon, you will only be able to play games in the cloud, where game manufacturers will have more control over their product.

Sony Joins the Offensive Against Pre-Owned Games

Posted by Soulskill on Friday February 19, @06:11AM

BanjoTed writes

"In a move to counter sales of pre-owned games, EA recently revealed DLC perks for those who buy new copies of Mass Effect 2 and Battlefield: Bad Company 2. Now, PlayStation platform holder Sony has jumped on the bandwagon with similar plans for the PSP's SOCOM: Fireteam Bravo 3. '[Players] will need to register their game online before they are able to access the multiplayer component of the title. UMD copies will use a redeemable code while the digital version will authenticate automatically in the background. Furthermore ... anyone buying a pre-owned copy of the game will be forced to cough up $20 to obtain a code to play online.'" [All used games just lost $20 of market value. Bob]

(Related) Can you say “Massive security threat?”

Valve's Battle Against Cheaters

Posted by Soulskill on Friday February 19, @03:13AM

wjousts writes

"IEEE Spectrum takes a look behind the scenes at Valve's on-going efforts to battle cheaters in online games: 'Cheating is a superserious threat,' says [Steam's lead engineer, John] Cook. 'Cheating is more of a serious threat than piracy.' The company combats this with its own Valve Anti-Cheat System, which a user consents to install in the Steam subscriber agreement. Cook says the software gets around anti-virus programs by handling all the operations that require administrator access to the user's machine. So, how important is preventing cheating? How much privacy are you willing to sacrifice in the interests of a level playing field? 'Valve also looks for changes within the player's computer processor's memory, which might indicate that cheat code is running.'"

Yet another Internet service? Massive data centers require massive amounts of power. If you play in that market, arbitrage and hedging come naturally. (and wholesale beats retail any day.)

Google Gets US Approval To Buy and Sell Energy

Posted by timothy on Friday February 19, @04:32AM

An anonymous reader writes

"The US Federal Energy Regulatory Commission (FERC) on Thursday granted Google the authority to buy and sell energy on a wholesale basis. Google applied for the authorization last December through a wholly owned subsidiary called Google Energy. 'We made this filing so we can have more flexibility in procuring power for Google's own operations, including our data centers,' Google spokeswoman Niki Fenwick said via e-mail. But the authorization also raises the prospect that Google may start to buy and sell energy as a business."

Reader angry_tapir supplies a link to the approval document itself (PDF).

[Interesting reader comment:

Presumably Google have found a way to tag each electron with targeted advertising.

Plug your washing machine into a Google Energy supply and your shirts will come out of the machine covered in ad-words suggestions.

Tools & Techniques For Hacking and e-Discovery (is there a difference?)

Alternative routes to identifying “anonymous” online users

February 19, 2010 by Dissent

TJ McIntyre writes:

David Robinson and Harlan Yu have posted a superb series of posts on Freedom to Tinker (1,2,3) about tactics which might be used to identify anonymous internet posters, even in cases where IP addresses might not have been logged by the site which hosts the comment. The key insight is that sites typically embed multiple external services (such as advertising, stats counters and video hosting) which may either individually or in combination enable the identity of particular users to be pinned down…

Read more on IT Law in Ireland.
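The mechanism the Freedom to Tinker series describes is simple to see from the site operator's side: every third-party script, pixel, stylesheet or embedded player on a page causes the visitor's browser to contact that third party, handing over the visitor's IP address (and any cookie that host has set before) on each page load. The audit below, written for this post and not taken from Robinson, Yu or McIntyre, parses a page with Python's standard-library HTML parser and lists the external hosts a visitor is exposed to. The sample page, its URL and all host names are constructed for the example; a site operator would run it over their own templates to decide which embeds are worth the disclosure.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes that make the browser fetch something from another host
# as a side effect of rendering the page (links the user must click are excluded).
URL_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "embed": ("src",),
    "source": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "object": ("data",),
    "link": ("href",),   # only for rel values the browser fetches automatically
}
AUTO_FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}


class EmbedCollector(HTMLParser):
    """Collects every resource URL the page tells the browser to load."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.resources = []  # list of (tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        wanted = URL_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & AUTO_FETCHED_LINK_RELS:
                return
        for attr in wanted:
            value = attrs.get(attr)
            if value:
                # urljoin resolves relative and protocol-relative ("//host/x") URLs.
                self.resources.append((tag, urljoin(self.page_url, value.strip())))


def third_party_hosts(html, page_url):
    """Return {host: [tags]} for every external host the page loads resources from.

    First-party means the page's own host or a subdomain of it. This is a
    deliberate simplification (no public-suffix list), which is fine for a
    self-audit where the operator knows their own domains.
    """
    first = (urlsplit(page_url).hostname or "").lower()
    collector = EmbedCollector(page_url)
    collector.feed(html)
    report = defaultdict(set)
    for tag, url in collector.resources:
        parts = urlsplit(url)
        # data:, javascript:, mailto: etc. never leave the browser.
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        host = parts.hostname.lower()
        if host == first or host.endswith("." + first):
            continue
        report[host].add(tag)
    return {host: sorted(tags) for host, tags in sorted(report.items())}


# Constructed sample page: a blog post with an ad network, a stats counter
# (loaded twice, as script and as tracking pixel) and a video embed.
SAMPLE_PAGE_URL = "https://blog.example.org/post/123"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://ads.adnetwork-example.com/show.js"></script>
<script src="//stats.counter-example.net/c.js"></script>
</head><body>
<p>Comment thread</p>
<iframe src="https://video.host-example.com/embed/abc"></iframe>
<img src="https://static.blog.example.org/logo.png">
<img src="https://stats.counter-example.net/pixel.gif?ref=123">
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
<a href="https://www.other-example.org/">a link the user must click</a>
</body></html>
"""

if __name__ == "__main__":
    for host, tags in third_party_hosts(SAMPLE_HTML, SAMPLE_PAGE_URL).items():
        print(f"{host:32s} receives visitor IP via {', '.join(tags)}")
```

Each host in the output is a party that can log the visitor's IP address and, if it sets cookies, recognise the same visitor across every site that embeds it; a host that appears under several tags (script plus pixel here) can correlate even if one of its resources is blocked. The first-party CDN subdomain and the `data:` image are correctly left out.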

For da getting smarter bid'ness. (Perhaps I should convert my Blog into a scholarly journal?)

February 18, 2010

Open Access Scholarly Journals Gather Support and Opposition

Chronicle of Higher Education: "This is a strong vehicle for academic freedom," says Mr. Willinsky, whose Public Knowledge Project offers free journal-publishing software to academics. In a world where subscriptions to some medical journals can cost more than $10,000 a year, and many colleges in developing countries cannot afford more than a handful of scholarly publications, publishing enabled by this kind of tool is plugging many academics into research and discourse as never before."

Tools & Techniques Assemble your own toolkit.

Combine Multiple ISO Images To Burn A Single Bootable ISO Image File

I love lists (that someone else took the time to assemble)

30 Useful (and Unknown) Web Apps You Need to Bookmark

Posted 02/18/10 at 06:27:16 PM by Alex Castle

[Some I find interesting:


Rather than torture yourself trying to explain to a clueless relative how to perform a simple computer task, use ScreenToaster to capture a video of yourself doing it and automatically upload it to the web. You can also record an audio track for your tutorial. Best of all, you don’t have to install any software, and the whole


FillAnyPDF is a fairly simple web app which allows you to upload a PDF file, then easily write on it wherever you want. ... You can also share your blank form with others, so you can collect forms from a group easily. FillAnyPDF also supports electronic signatures and has a repository of free forms.


Vuvox is a rich media creation app that allows you to quickly turn your photos and audio into a moving web collage. A set of simple editing tools allow you to crop and rotate your pictures and when you’re done you can embed your collage into any webpage, or share links to a larger version on Vuvox’s website.

Thursday, February 18, 2010

Louisiana takes Identity Theft seriously!

La. man gets 309 years in prison for ID theft scam

February 17, 2010 by admin

The Associated Press reports:

A Louisiana man whom prosecutors said was the ringleader of an identity theft scheme with dozens of victims has been sentenced to 309 years in prison.

U.S. Attorney David Dugas said the sentence handed down Wednesday to 43-year-old Robert Thompson, of Zachary, is the longest prison sentence for any white-collar crime in the history of his Baton Rouge-based office’s jurisdiction.


Thompson, also known as John Lawson, allegedly used the identities and financial information of 61 individuals, churches, financial institutions and businesses to steal more than $200,000 worth of cash and goods.

Read more on WXVT15.

Employees are a security hole – get rid of them whenever you can!

Broad New Hacking Attack Detected

February 17, 2010 by admin

Siobhan Gorman reports:

Hackers in Europe and China successfully broke into computers at nearly 2,500 companies and government agencies over the last 18 months in a coordinated global attack that exposed vast amounts of personal and corporate secrets to theft, according to a computer-security company that discovered the breach.

The damage from the latest cyberattack is still being assessed, and affected companies are still being notified. But data compiled by NetWitness, the closely held firm that discovered the breaches, showed that hackers gained access to a wide array of data at 2,411 companies, from credit-card transactions to intellectual property.

Read more on WSJ.

[From the article:

The hacking operation, the latest of several major hacks that have raised alarms for companies and government officials, is still running and it isn't clear to what extent it has been contained, NetWitness said. Also unclear is the full amount of data stolen and how it was used.

… Starting in late 2008, hackers operating a command center in Germany got into corporate networks by enticing employees to click on contaminated Web sites, email attachments or ads purporting to clean up viruses, NetWitness found.

In more than 100 cases, the hackers gained access to corporate servers that store large quantities of business data, such as company files, databases and email.

Something your Security Manager can look forward to? Are your backups complete? The last couple of paragraphs in the article are gibberish, so I'll have to wait for more details. Comments suggest this could be the “push update” from Microsoft that resulted in a “blue screen of death” on so many systems...

Time Bomb May Have Destroyed 800 Norfolk City PCs' Data

Posted by timothy on Wednesday February 17, @02:20PM

krebsonsecurity writes

"The City of Norfolk, Virginia is reeling from a massive computer meltdown in which an unidentified family of malicious code destroyed data on nearly 800 computers citywide. The incident is still under investigation, but city officials say the attack may have been the result of a computer time bomb planted in advance by an insider or employee and designed to trigger at a specific date, according to 'We don't believe it came in from the Internet. We don't know how it got into our system,' the city's IT director said. 'We speculate it could have been a time bomb waiting until a date or time to trigger. Whatever it was, it essentially destroyed these machines.'"

[From the article:

Cluff added that city employees are urged to store their data on file servers, which were largely untouched by the attack, but he said employees who ignored that advice and stored important documents on affected desktop computers may have lost those files.

IT specialists for the city found that the system serving as the distribution point for the malware within the city’s network was a print server that handles printing jobs for Norfolk City Hall. However, an exact copy of the malware on that server may never be recovered, as city computer technicians quickly isolated and rebuilt the offending print server. [Repair must come after identification and isolation of the malware! Bob]

Good news for the asymmetric attackers; bad news for the US.

Mock Cyber Attack Shows US Unpreparedness

Posted by timothy on Wednesday February 17, @03:44PM

An anonymous reader writes with word that the outcome of the large-scale cyberattack simulation promised a few days ago isn't too rosy. From the Help Net Security article:

"During the simulated cyber attack that took place yesterday in Washington and was recorded by CNN, one thing became clear: the US are still not ready to deflect or mitigate such an attack to an extent that would not affect considerably the everyday life of its citizens. The ballroom of the Washington's Mandarin Oriental Hotel was for this event transformed into the White House Situation Room, complete with three video screens displaying maps of the country, simulated updates and broadcasts by 'GNN,' an imaginary television network 'covering' the crisis."

Take heart! Even Security “experts” can grasp the obvious.

Rogue PDFs Behind 80% of Exploits In Q4 '09

Posted by CmdrTaco on Wednesday February 17, @09:30AM

CWmike writes

"Just hours before Adobe is slated to deliver the latest patches for its popular PDF viewer, ScanSafe announced that by its counting, malicious Adobe Reader documents made up 80% of all exploits at the end of 2009. In the first quarter of 2009, malicious PDF files made up 56% of all exploits tracked by ScanSafe. That figure climbed above 60% in the second quarter, over 70% in the third and finished at 80% in the fourth quarter. Mary Landesman, a ScanSafe senior security researcher, said, 'Attackers are choosing PDFs for a reason. It's not random. They're establishing a preference for Reader exploits.' Exactly why hackers choose Adobe as their prime target is tougher to divine, however. 'Perhaps they are more successful,' she said. 'Or maybe it's because criminal attackers are human, too. We respond when we see a lot of people going after a particular product... We all want to go after that product, too. In the attacker arena, they might be thinking, 'Gee, all these reports of Adobe Reader zero-days, maybe I should get in on them too.'"
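The figures above are about malicious documents, not about a particular Reader bug, so the practical defensive question is how to triage PDFs arriving at a mail gateway or in a download directory before Reader ever opens them. The script below is an added example for this post, not ScanSafe's or Adobe's code: it scans a PDF's raw bytes for the name objects that give a document active content (`/JavaScript`, `/OpenAction`, `/Launch` and so on), decodes the `#xx` hex escapes PDF allows inside names so that `/J#61vaScript` is recognised as `/JavaScript`, and reports when the file uses object streams, in which case a byte-level scan may be looking at compressed data and should not be trusted as a clean verdict. Both sample documents are constructed for the example (they are structurally PDF-like, not files from any real incident), and the scoring rule is a hypothetical one chosen here, not an industry threshold.

```python
import re

# PDF name objects that give a document active content or an outbound hook.
# /URI is deliberately omitted: ordinary hyperlinks would swamp the report.
RISKY_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA",
               "/Launch", "/EmbeddedFile", "/RichMedia")

# Names that by themselves mean "code or payload present", as opposed to
# /OpenAction or /AA, which are common in benign files (e.g. "open at page 1").
STRONG_NAMES = {"/JavaScript", "/JS", "/Launch", "/EmbeddedFile", "/RichMedia"}

# A PDF name runs from "/" up to whitespace or a delimiter character.
_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# "#xx" inside a name is a hex escape for one byte (PDF 1.2 and later).
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_name(raw):
    """Decode #xx escapes so obfuscated names compare equal to their plain form."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage_pdf(data):
    """Heuristic triage of PDF bytes. Returns counts, obfuscation and a verdict.

    This is a first-pass filter for a gateway or quarantine folder, not a parser:
    it does not inflate streams, so content hidden in /ObjStm object streams is
    invisible to it, which is why that condition is reported separately.
    """
    counts = {name: 0 for name in RISKY_NAMES}
    obfuscated = 0
    for match in _NAME.finditer(data):
        raw = match.group(0)
        plain = normalize_name(raw)
        name = plain.decode("latin-1")
        if name in counts:
            counts[name] += 1
            if plain != raw:
                obfuscated += 1  # a risky name written with hex escapes
    flags = [name for name, n in counts.items() if n]
    uses_object_streams = b"/ObjStm" in data
    # Hypothetical rule for this example: any strong indicator, or any attempt to
    # hide a risky name behind escapes, sends the file to a sandbox for review.
    suspicious = bool(set(flags) & STRONG_NAMES) or obfuscated > 0
    return {
        "flags": flags,
        "counts": {name: n for name, n in counts.items() if n},
        "obfuscated_names": obfuscated,
        "uses_object_streams": uses_object_streams,
        "suspicious": suspicious,
    }


# Constructed sample: a one-page document with no active content.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: the same skeleton with an open-action that runs a
# JavaScript action whose /S type name is hex-obfuscated. The script body is
# a harmless alert; the point is the structure, not the payload.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage_pdf(doc))
```

The check is cheap enough to run on every attachment, and its two failure modes are stated in the result: a document that is compressed into object streams yields no flags even if hostile, and a benign form with a `/JS` field-validation script is flagged for review. That is the trade a gateway filter makes deliberately; it routes documents to a sandbox or a patched viewer rather than pronouncing them safe.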

“We can, therefore we must!” Can't wait to hear about the results of e-discovery. Photographs of children doing homework in their bedrooms have a high probability of looking like Child Porn. Did no one consider that?

PA: Big Brother Is Here: Families Say Schools Snoop in Their Homes With District-Issued Laptops & Webcams

February 18, 2010 by Dissent

Jeff Schreiber reports:

A federal class action claims a suburban school district has been spying on students and families through the “indiscriminant use of and ability to remotely activate the webcams incorporated into each laptop issued to students,” without the knowledge or consent of students or parents. The named plaintiffs say they learned that Big Brother was in their home when an assistant principal told their son that the school district knew he “was engaged in improper behavior in his home, and cited as evidence a photograph from the webcam embedded in minor plaintiff’s personal laptop issued by the school district.”

Read more about the lawsuit on Courthouse News. Newsolio also covers the story.

A copy of the complaint can be found here.

Now here's the dilemma: If the intent was to gather for fun in the snow (isn't a snowball fight fun?) what would the city 'flag' as a potential crime?

Philly authorities target Facebook, Twitter after snowball fight turns ugly

by Caroline McCarthy February 17, 2010 1:29 PM PST

Two members of Philadelphia's city council are considering legal action against Facebook, Twitter, and MySpace in the wake of a "flash mob" earlier this week that turned violent, according to a letter sent to the city's mayor and obtained by CNET. They claim that social-media sites don't do enough to keep tabs on violence that could be organized through their communication channels.

Perhaps now is the time to start leaking the horrors of a “global copyright agreement?”

ACTA Document Leaks With Details On Mexico Talks

Posted by CmdrTaco on Wednesday February 17, @10:50AM

An anonymous reader writes

"A brief report from the European Commission authored by Pedro Velasco Martins (an EU negotiator) on the most recent round of ACTA negotiations in Guadalajara, Mexico has leaked, providing new information on the substance of the talks, how countries are addressing the transparency concerns, and plans for future negotiations. The document notes that governments are planning a counter-offensive to rebut claims of iPod-searching border guards and mandatory three-strikes policies."

A couple of thoughts occur: This technique will require more bandwidth (almost all new communications techniques do) and any hesitation in the connection will result in dropping game players – great way to ensure loyalty.

Ubisoft's Constant Net Connection DRM Confirmed

Posted by Soulskill on Thursday February 18, @02:26AM

A few weeks ago we discussed news of Ubisoft's DRM plans for future games, which reportedly went so far as to require a constant net connection, terminating your game if you get disconnected for any reason. Well, it's here; upon playing review copies of the PC version of Assassin's Creed 2 and Settlers VII, PCGamer found the DRM just as annoying as you might expect. Quoting:

"If you get disconnected while playing, you're booted out of the game. All your progress since the last checkpoint or savegame is lost, and your only options are to quit to Windows or wait until you're reconnected. The game first starts the Ubisoft Game Launcher, which checks for updates. [More “push” updates. Bob] If you try to launch the game when you're not online, you hit an error message right away. So I tried a different test: start the game while online, play a little, then unplug my net cable. This is the same as what happens if your net connection drops momentarily, your router is rebooted, or the game loses its connection to Ubisoft's 'Master servers.' The game stopped, and I was dumped back to a menu screen — all my progress since it last autosaved was lost."

Ah! The latest “We gotta do something!”

TSA to swab airline passengers’ hands in search for explosives

February 18, 2010 by Dissent

Jeanne Meserve and Mike M. Ahlers report:

To the list of instructions you hear at airport checkpoints, add this: “Put your palms forward, please.”

The Transportation Security Administration soon will begin randomly swabbing passengers’ hands at checkpoints and airport gates to test them for traces of explosives.

Previously, screeners swabbed some carry-on luggage and other objects as they searched for the needle in the security haystack — components of terrorist bombs in an endless stream of luggage.

Read more on CNN.

'cause I have readers who are interested in this kind of stuff!

Announcing My New Book on e-Discovery and How to Buy it at a Discount

This could be fun. Now I could have a “We don't need no stinking badges” ringtone (if I had a cellphone...) - Create Ringtones From YouTube Videos

A simple app if I ever saw one, Tube2Tone is also quite useful and (most of all) very, very easy to get to grips with. You see, through this site you will be capable of taking any video hosted on YouTube and have it processed so that it becomes a ringtone.

Wednesday, February 17, 2010

Medical Identity Theft doesn't need to be large to have an impact. “This is your Insurance Company. We're denying your claim for an appendectomy, since our records show you've already had two...”

FL: Man racks up $100,000 in medical expenses with fake identification

By Dissent, February 16, 2010 1:04 pm

A man who twice checked himself into the hospital and racked up more than $100,000 in medical expenses with a fake insurance identification has been arrested.

Police said Giovanni Mangino has been charged with organized scheme to defraud, committing fraud to a healthcare provider, grand theft, and identity theft.

Read more on CBS12 News.

Interesting numbers, to say the least.

February 16, 2010

Security Labs Report Jul 2009-Dec 2009 Recap

Security Labs Report Jul 2009-Dec 2009 Recap - "This report has been prepared by the M86 Security Labs team. It covers key trends and developments in Internet security over the last six months, as observed by the security analysts at M86 Security Labs. M86 Security Labs is a group of security analysts specializing in Email and Web threats, from spam to malware.

Key Points of this report:

  • Spam volumes increased dramatically in 2009, to over 200 billion per day with the vast majority sent through Botnets of infected computers. In the second half of 2009, 78% of all spam originated from the top 5 botnets alone by volume.

  • Malicious spam dramatically increased in volume, reaching 3 billion messages per day, compared to 600 million messages per day in the first half of 2009.

  • Even with adequate protection from Antivirus software, Zero Day Vulnerabilities left users vulnerable to potential attacks 40% of the time (in the 2nd half of 2009)."

My students love me!

Student’s Facebook Tirade Against Teacher Is Protected Speech

By David Kravets February 16, 2010 5:02 pm

… The latest ruling, which supports the student, concerned a former Florida high school senior who was reprimanded for “cyberbullying” a teacher on Facebook. Katherine Evans, now 20, was suspended two years ago after creating a Facebook group devoted to her English teacher.

The group was called “Ms. Sarah Phelps is the worst teacher I’ve ever met!,” and featured a photograph of the teacher and an invitation for other students to “express your feelings of hatred.”

“It was an opinion of a student about a teacher, that was published off-campus, did not cause any disruption on-campus, and was not lewd, vulgar, threatening, or advocating illegal or dangerous behavior,” Magistrate Barry Garber of Florida ruled Friday.

They had all that research backwards!

Driving Distracts Cellphone Users

By Bruce Bower, Science News February 16, 2010 7:28 pm

No matter what the actual composition of their employees, someone is going to cry foul.

Google, Apple Call Workers' Race & Gender Trade Secrets

Posted by kdawson on Tuesday February 16, @11:24PM

theodp writes

"The Mercury News reports that Google, whose stated mission is to make the world's information universally accessible, says the race and gender of its work force is a trade secret that cannot be released. So do Apple, Yahoo, Oracle, and Applied Materials. The five companies waged a successful 18-month FOIA battle with the Merc, convincing federal regulators who collect the data that its release would cause 'commercial harm' by potentially revealing the companies' business strategy to competitors. Law professor John Sims called the objections — the details of which the Dept. of Labor declined to share — 'absurd.' Many industry peers see the issue differently — Intel, Cisco, eBay, AMD, Sanmina, and Sun agreed to allow the DOL to provide the requested info. 'There's nothing to hide, in our view,' said a spokesman for Intel. Some observers note it's not the first time Google has declined to put a number on its vaunted diversity — in earlier Congressional testimony, Google's top HR exec dodged the question of how many African-American employees the company had."

The new, long-tail economics.

New Riddick Movie Made Possible By Games?

Posted by Soulskill on Wednesday February 17, @01:37AM

Hugh Pickens writes

"Scott Harris writes on Moviefone that the economics of Hollywood are often baffling, as DVD sales, broadcast fees and merchandising tie-ins balance against advertising costs and pay-or-play deals to form an accounting maze. The latest example is the untitled sequel to The Chronicles of Riddick, released in 2004 to a slew of negative reviews and general viewer indifference. Despite its hefty $105 million budget, most of which was spent on special effects, the film topped out at a paltry $57 million domestically. So how can a sequel be made if the movie lost money? The answer has to do with ancillary profits from revenue streams outside the box office. While the combined $116 million worldwide probably still didn't cover distribution and advertising costs, it likely brought the film close to even, meaning DVD sales and profits from the tie-in video game franchise may have put the movie in the black. In addition, Riddick itself was a sequel to Pitch Black, a modestly budgeted ($23 million) success back in 2000. Extending the franchise to a third film may help boost ancillary profits by introducing the Pitch Black and Chronicles of Riddick DVDs and merchandise to new audiences, meaning that the new film may not even need to break even to eventually turn a profit for the studio."

For my Computer Security students

Hackers at Pwn2Own to compete for $100K in prizes

Contest targets to include iPhone, Droid and BlackBerry, IE, Firefox and Chrome

By Gregg Keizer February 16, 2010 07:06 AM ET

Computerworld - A hacking contest next month will award cash prizes of $15,000 to anyone who can break into an iPhone, BlackBerry Bold, Droid or Nokia smartphone.

(Related) It's not like it hasn't been done before.

Apple bans hackers from App Store

by Dong Ngo February 16, 2010 2:16 PM PST

After a long battle with hackers who have been successful at jailbreaking the iPhone from one version of the OS to another, Apple is now taking a more personal approach to locking down the device. It's been reported that known iPhone jailbreaking/unlocking hackers have had their Apple IDs banned from Apple's App Store.

For my Computer Security class.

Do You Know What The Internet Knows About You?

By Tina on Feb. 16th, 2010

… Are you curious to find out What The Internet Knows About You? Then visit that link and see whether the information displayed is vaguely familiar. My result revealed that I had visited 65 of the 5,000 most popular internet websites.

And there is more. Did You Watch Porn? If your significant other checks your browser(s), he’d better find this:

I'm fairly certain this is a logical conclusion, but one I don't see explained in the literature. How much water will be held in the atmosphere? Enough to off-set the rise of sea levels? Will the increase in clouds (water in the atmosphere) reflect enough sunlight to cause global cooling?

A Warming Planet Can Mean More Snow

Posted by kdawson on Tuesday February 16, @09:31PM

Ponca City, We love you writes

"NPR reports that with snow blanketing much of the country, the topic of global warming has become the butt of jokes; but for scientists who study the climate, there's no contradiction between a warming world and lots of snow. 'The fact that the oceans are warmer now than they were, say, 30 years ago means there's about on average 4 percent more water vapor lurking around over the oceans than there was... in the 1970s,' says Kevin Trenberth, a prominent climate scientist. 'So one of the consequences of a warming ocean near a coastline like the East Coast and Washington, DC, for instance, is that you can get dumped on with more snow partly as a consequence of global warming.' Increased snowfall also fits a pattern suggested by many climate models, in which rising temperatures increase the amount of atmospheric moisture, bringing more rain in warmer conditions and more snow in freezing temperatures."


Utah Assembly Passes Resolution Denying Climate Change

Posted by kdawson on Wednesday February 17, @08:14AM

cowtamer writes

"The Utah State Assembly has passed a resolution decrying climate change alarmists and urging '...the United States Environmental Protection Agency to immediately halt its carbon dioxide reduction policies and programs and withdraw its "Endangerment Finding" and related regulations until a full and independent investigation of climate data and global warming science can be substantiated.' Here is the full text of H.J.R 12."

The resolution has no force of law. The Guardian article includes juicy tidbits from its original, far more colorful, version.

Tuesday, February 16, 2010

Another months-long leak that no one noticed? First deny it, then claim you fixed it.

Massive security breach suspected at Latvian tax office

February 15, 2010 by admin

The State Revenue Service (VID) in Latvia admitted Monday that its electronic security systems may have been breached and that millions of confidential documents could have been hacked.

The Latvian television news programme De Facto said Sunday night that 120 gigabytes of data consisting of 7.4 million individual documents had been leaked from VID’s database as a result of a data ‘hole’ in an electronic tax declaration system.


In a statement, VID said only that there was ‘a suspicion of a security incident involving possible data loss from the VID information system.’

The hole appeared to have been created in the system intentionally by a senior figure within VID, claimed representatives of a hackers’ group calling themselves the Fourth Awakening People’s Army (4ATA), which De Facto said obtained the information over a three-month period.

Read more on Monsters & Critics.

[From the article:

The incident represented the biggest data breach in Latvia's history and included information on businesses, individuals and public figures, De Facto claimed, and said it could vouch for the accuracy of the leaked data, which it said included the programme makers' tax codes and rates of pay.

… Despite the scandal surrounding the data breach, on Monday morning the official VID website was still encouraging businesses to declare their tax online and claimed the system was safe.

[Finance minister] Repse told reporters Monday that the data leak was 'extremely serious' but had been plugged.

Another breach, or a bug, or a company trying to reach ‘quotas’?

Japan probes Apple's iTunes over bogus credit bills

Yesterday, 06:50 am

Japanese authorities plan to summon Apple officials this week over complaints that its iTunes online store has billed customers for downloads they never made, officials said Monday.

So easy, even a world-class athlete can do it?

Tour de France Champion Accused of Hacking

Posted by kdawson on Tuesday February 16, @08:13AM

ub3r n3u7r4l1st writes

"A French judge has issued a national arrest warrant for US cyclist Floyd Landis in connection with a case of data hacking at a doping laboratory, a prosecutor's office said. French judge Thomas Cassuto is seeking to question Landis about computer hacking dating back to September 2006 at the Chatenay-Malabry lab, said Astrid Granoux, spokeswoman for Nanterre's prosecutor's office. The laboratory near Paris had uncovered abnormally elevated testosterone levels in Landis' samples collected in the run-up to his 2006 Tour de France victory, leading to the eventual loss of his medal."

The same software tools are available (from multiple vendors) in the US. Only the aggregation seems to rise to the level of notice.

Mobile Spy Web-site Shuts Down Among Privacy Concerns, Crime Allegations

February 16, 2010 by Dissent

Tamar Khurtsia reports:

Mobile spyware web-site was withdrawn by its owner Saturday after young lawyers [Age is negatively correlated to tech savvy? Bob] warned that using the service is a violation of privacy and thus a crime. offered widely-used smartphone spy software which allows you to silently record SMS text messages and GPS locations. It can be downloaded from its webpage and installed in Symbian-based handsets and its results are displayed in the private online accounts of clients.


Tamar Kordzaia of the Georgian Young Lawyers Association (GYLA) said that’s service is illegal and both its owners and users are committing a crime under the Criminal Code of Georgia.

“When a site offers us the chance to intercept someone’s correspondence and mobile phone communication this is an invasion of someone’s private life. The inviolability of private life is guaranteed by the Constitution of Georgia, which is the supreme law of the country,” Kordzaia noted.

Read more in The Georgian Times.

Now your online browsing can be tied to your “loyalty card” purchases at the local supermarket.

Yahoo! deal with Nectar will link online ads with offline purchases

February 15, 2010 by Dissent

Shoppers will have internet adverts displayed to them based on their offline shopping habits in a new scheme being developed by internet publisher Yahoo! and customer loyalty scheme Nectar.

The two companies will link their databases in a bid to better target consumers with relevant adverts and to improve the tracking of ads’ effectiveness in persuading consumers to buy goods.


The system is an opt-in one, meaning that consumers have to actively choose to allow their data to be used in this way. [Want to bet? Bob] Nectar is offering some of its points as an incentive for consumers to participate and 20,000 have already signed up, according to press reports.


I suspect this will translate for Cloud Computing in other areas as well...

February 15, 2010

New on Ethics of Legal Outsourcing White Paper - Ethics of Legal Outsourcing White Paper: The practical reality for US and UK attorneys engaging in or contemplating Legal Process Outsourcing (LPO) is that the outsourcing of both core legal and support services across the legal profession is nothing new. What is different today with the emergence of the LPO industry is that both core legal and legal support related services are being outsourced to lawyers, law firms and corporations located offshore in countries such as India, South Africa and the Philippines. Mark Ross analyzes how the outsourcing of legal work by a law firm or legal department to a legal outsourcing company or an entity located offshore raises specific issues pertaining to the outsourcing lawyer's ethical obligations to his or her client.

(Related) Isn't it similar to counting pigeons in Times Square?

Is it Ethical to Harvest Public Twitter Accounts without Consent?

February 16, 2010 by Dissent

Michael Zimmer has posted another ethical question this week:

While participating in the workshop on Revisiting Research Ethics in the Facebook Era: Challenges in Emerging CSCW Research, the question arose as to whether it was ethical for researchers to follow and systematically capture public Twitter streams without first obtaining specific, informed consent by the subjects. Many in the room felt that consent was not necessary since the tweets are public, a conscious choice made by the user to allow the whole world see her activity. In short, by not restricting access to one’s account, there is no expectation of privacy.

You can read the entire entry here. As Michael reiterates in a comment in the discussion section, “the issue isn’t about having individual tweets reposted, but whether it is ethical for researchers to systematically follow and scrape them, without undergoing IRB review or gaining informed consent.”

Many commenters on Michael’s blog seem to think this is a non-issue and that there is no expectation of privacy in public tweets. But researchers often have additional ethical obligations that the general public does not have. So, for example, a psychologist who wishes to conduct research that involves observing people on the street or under naturalistic conditions without their knowledge needs to take the proposal before an institutional review board (IRB) who will consider whether there is any risk posed to the unwitting participants in the study that needs to be addressed. When it comes to running things by an IRB, my position has always been that it’s pretty much always of value for uni-based researchers to seek IRB input and approval – not just for liability reasons but to gain others’ perspectives on the ethics of your design and methods.

Whether Tweeters have any right to control the use of their tweets is not the same question as asking whether researchers have an obligation to ask.

You don't suppose this might be connected to the “cost cutting” newspapers are doing? Fewer investigative journalists equals less transparent government? Perhaps they are not yet able to analyze the blogs and tweets coming from insiders – any good intelligence service can.

February 15, 2010

Some News Organizations Persist in Using FOIA, and Prevail

New York Times: "Some big companies, like Hearst and The Associated Press, have been quietly ramping up their legal efforts, by doing more of the work in-house — and saving costs by not hiring outside lawyers — and being more aggressive in states where they can recoup legal fees and at the federal level, which also allows plaintiffs in such access cases to sue for legal fees when they win. At Hearst, the company’s top lawyer says it has never had more First Amendment lawsuits in courtrooms around the country than it does now. At The A.P., a cooperative owned by its member newspapers, in-house lawyers say they are becoming more aggressive on a number of fronts. In 2009, the agency was party to 40 lawsuits, moderately up from four years ago, when the number of lawsuits was in the low 30s, according to Dave Tomlin, associate general counsel for The A.P.... But The A.P. has been vastly more assertive in appealing denied Freedom of Information Act, or F.O.I.A., requests from the federal government under the Obama administration, which came to power promising to operate a more open government and alter what some media lawyers complained was a trend toward more government secrecy in the wake of the 9/11 terrorist attacks."

  • News release: "The John S. and James L. Knight Foundation has approved a new $2 million, three-year grant to the National Freedom of Information Coalition to launch the Knight FOI Fund and support state open government groups. The Knight FOI Fund will provide up-front costs such as court costs, filing and deposition fees, if attorneys are willing to take on a pro-bono basis cases that otherwise would go unfiled." [Attention law schools! Bob]

Part of Computer Security – does the software do what it claims to do?

February 15, 2010

Investigative Resources, Due-Diligence Tips and Useful War Stories For Doing Business in a Complex World

Investigative Resources, Due-Diligence Tips and Useful War Stories For Doing Business in a Complex World - Eight Lessons from Recent Due-Diligence Background-Checking Gone Wrong. James Mintz Group, Global Fact Finding, Issue Five, February 2010

  • "The unmasking of Bernard Madoff has made many business people uneasy about the ventures they invest in, and the new partners and new hires they take on. This mega-scandal is certainly instructive about the need for proper and timely due diligence about those with whom we do business. The missed opportunities to recognize Madoff’s criminality have been discussed ad infinitum over the last year... But more obscure recent cases provide other lessons about due-diligence checking that you might want to do as a matter of routine. The war stories below are real and scary, but the lessons they teach us can reduce the chances of deception, and the risks to reputation and investment."

Competition in the digital age. Multiple proprietary standards cost more to support than one open standard.

Five Years of YouTube and Forced Evolution

Posted by ScuttleMonkey on Monday February 15, @04:46PM

NakNak writes to mention that the DailyMaverick has a feature looking back at five years of YouTube, some of the massive changes that have been forced through as a result of its overwhelming popularity, and what changes might be necessary going forward.

"Google, which bought YouTube less than two years after it was founded for what was then considered an outrageously expensive $1.65 billion, does not want Microsoft or Apple (or anybody else) to own the dominant video format. So it has become the biggest early tester of HTML5. Your browser doesn't support HTML5? Google launches its own browser, Chrome. Need to use Internet Explorer at work because that's all your IT department supports? Google launches a Chrome framework that effectively subverts IE and makes it HTML5-compatible. The final blow will be the day that YouTube switches off Flash and starts streaming only to HTML5 browsers. On that day all browsers will be HTML5 compatible or they will perish in the flames of user outrage."

Free is good, despite what the RIAA says.

Movski: Watch Movies Online Without Downloading Anything

Similar Tools: SurfTheChannel, Watch-Movies, and Free-Horror-Movies

A “real life” example for my Math students.

Leftover Valentine’s Chocolate? Use It to Measure the Speed of Light

Toward Star Trek's Tricorder?

GE's Vscan puts ultrasound tech in docs' pockets