Saturday, July 16, 2011

Not only a waste of time and money, but now a constitutional waste of time and money.

DC Circuit Holds that New Airport Screening Security Measures Comply With the Fourth Amendment

July 15, 2011 by Dissent

Orin Kerr writes:

The new airport screening measures involving millimeter wave technology and backscatter technology — together with the opt-out of a pat-down — have received a great deal of public attention. Back when the new measures were first widely introduced, I blogged about why a Fourth Amendment challenge to the new practices was an uphill battle. Today, the DC Circuit handed down an opinion in EPIC v. Department of Homeland Security holding that the new practices comply with the Fourth Amendment.

Read more on The Volokh Conspiracy, and see Eugene Volokh’s post on the administrative law aspects of the decision.

For its part, EPIC has a more optimistic headline, Federal Appeals Court: TSA Violated Federal Law, Must Take Public Comment on Body Scanners.

Win a battle, lose a war. They want Google (News) to pay if they link to news on their site, but they don't want Google (Search) to stop linking...

Belgian Newspapers Delisted On Google

"After being ordered by the Belgian courts to 'remove from its and sites, and in particular, cached links visible on Google Web and the Google News service, all articles, photographs and graphics of daily newspapers published in French and German by Belgian publishers,' Google had removed all traces of the newspapers in question from all its search services. The newspapers, however, are crying foul, and alleged that it was done in retaliation for being sued for copyright violations."

[From Article 2:

The newspapers filed a lawsuit against Google in 2006 claiming the web giant had no right to post links to their articles on Google News without payment or permission. They won, and a Belgian appeals court upheld their victory in May.

Time to re-think “Copyright lawsuits for fun and profit?” The fine is trivial relative to an hour of law-firm billing.

Judge Fines Righthaven $5,000

A Las Vegas federal judge has sanctioned copyright troll Righthaven to the tune of $5,000 for making misrepresentations to the court.

U.S. District Judge Roger Hunt of Nevada last month ordered Righthaven to explain why Hunt should not sanction it for trying to “manufacture standing.” (.pdf)

You don't have to be a master of strategy to know getting out your message (Army good, budget cuts bad) is worthwhile. It is also a way to find those little packets of dissent that you could fan into the next “Arab Spring.”

Pentagon Wants a Social Media Propaganda Machine

You don’t need to have 5,000 friends on Facebook to know that social media can have a notorious mix of rumor, gossip and just plain disinformation. The Pentagon is looking to build a tool to sniff out social media propaganda campaigns and spit some counter-spin right back at it.

On Thursday, Defense Department extreme technology arm Darpa unveiled its Social Media in Strategic Communication (SMISC) program. It’s an attempt to get better at both detecting and conducting propaganda campaigns on social media. SMISC has two goals. First, the program needs to help the military better understand what’s going on in social media in real time — particularly in areas where troops are deployed. Second, Darpa wants SMISC to help the military play the social media propaganda game itself.

Friday, July 15, 2011

Yet another indication that “crafty” is not an adequate level of security.

Class Slams Michaels for Data Breach

July 14, 2011 by admin

Chris Fry reports on yet another potential class action lawsuit against Michael’s Store – and it includes a timeliness of notification claim:

Michaels Stores took almost 3 months to warn customers that their debit cards’ PIN numbers may have been stolen by skimming devices in at least 20 states, a class action claims in Passaic County Court.

The class claims that between Feb. 8 and May 6 this year “an unidentified third-party or third-parties tampered with Michaels payment processing equipment and gained access to the extremely sensitive financial information of thousands of Michaels consumers in at least twenty states.”

The class claims the company “failed to take any commercially reasonable steps to safeguard its customers’ nonpublic, sensitive, personal and financial account information … making its consumers an easy target for third-party skimmers.”

And, the class adds: “After the security breach occurred, Michaels further harmed its customers by delaying notifying them for almost three months after the security breach began. … On May 5, 2011, almost three months after the security breach occurred, the company sent the belated email alert to some of its customers.”

What’s more, the email alert was less than honest, the class claims: “Despite knowing of the data breach for weeks, if not months, Michaels stated in the email alert, ‘Michaels has just learned that it may have been victim of PIN pad tampering in the Chicago area and that customer credit and debit card information may have been compromised.’”

Read more on Courthouse News. The New Jersey case is Rosenfeld v. Michaels Stores.

(Related) And new victims are being recruited every day...

Ankeny police: Review debit-card statements for fraud

July 14, 2011 by admin

And yet more reports of fraud coming from Iowa:

The Ankeny Police Department is asking area residents to review their bank statements for fraudulent charges related to use of debit cards and PIN numbers.

Ankeny police said in a news release Wednesday that although they cannot determine the exact date or time debit card and PIN numbers were compromised, use of this stolen information occurred last weekend. Credit cards were not involved in this scam, officials said.

Ankeny police have recorded nearly 60 reported incidents and financial institutions in the city are collectively reporting several hundred customers affected.


The Michael’s arts and crafts chain has said its Ankeny store was one of 84 nationwide where PIN terminals were tampered with, and at least two people who shopped there from February to May have said they recently noticed fraudulent spending or withdrawals from southern California. Ankeny police did not link their release to the Michael’s case, however.

Read more in the Des Moines Register.

Fortunately for them, they are under no obligation to inform customers. Nor, apparently, do they need to retaliate. When does a cyber-attack rise to the level of “an act of war?”

Pentagon Discloses Massive Data Theft, Lays Out New Security Strategy

A targeted attack on a defense contractor in March of this year resulted in the theft of 24,000 files by an unknown attacker, according to Defense Department officials. The attack, which officials say was the work of a foreign government, would represent one of the more serious known attacks on the department and its contractors.

In a speech Thursday in which he unveiled the Department of Defense Strategy for Operating in Cyberspace, William J. Lynn, deputy defense secretary, said that the attack was just one of thousands such intrusions that the government and its contractors suffer every year.

A typical inadequate (and therefore unmanageable) security procedure...

MT: Yellowstone County website hacked

July 14, 2011 by admin

Katrina Heser reports:

The State of Montana Technology Department told Yellowstone County [because Yellowstone had no clue anything happened. Bob] today their website has been hacked.

It’s possible that taxpayers who paid property taxes by electronic bank transfer may have had their account number exposed to the hacker. This does not include taxpayers who made payments by paper check or debit/credit cards. The county system has been taken off line at this time.

The extent of the intrusion has not yet been determined. [We have no clue what happened Bob]

Read more on KTVQ

[From the article:

County personnel are consulting with forensic security personnel to evaluate the extent of the intrusion. Information may or may not have been compromised. [We have no logs to tell us what was accessed. Bob]

...thus reducing the cost of computer security – think of it as your insurance policy against HUGE (Sony-like) bad publicity.

Capitalizing on Privacy Practices – Study Indicates Consumers Will Pay for Privacy

July 14, 2011 by Dissent

Nicole Friess writes:

Consumers are more likely to purchase products from online retailers who are protective of consumer privacy, according to researchers at Carnegie Mellon University. The study, entitled “The Effect of Online Privacy Information on Purchasing Behavior: An Experimental Study” found that the availability and accessibility of information regarding online retailers’ privacy practices can affect consumers’ decisions to purchase products online.

Read more on InformationLawGroup.

(Related) Speaking of which...

Sony Network chief calls PSN outage a "great experience"

The four-week long PSN outage was a "great experience," according to president of Sony Network Entertainment Tim Schaaff. The claim, made during an interview with VentureBeat on Wednesday at the MobileBeat conference, argued that the pressure of the breach made the PlayStation service stronger. Customers were also at least as interested as they were before.

"We're back online, everything's live again around the world, and the amazing thing through all of this is that the customers have all come back, and network performance is better than ever, sales are better than ever, and we've been very, very pleasantly surprised by the experience," Schaaff said. [I'll bet Bob]

This is what we used to call “Targeting Information”

Undersea Cable Map Shows Where The Data Pipes Are

overThruster writes with a report from TechCentral that

"Greg Mahlknecht has built a free map showing the world's submarine telecommunications cable systems. The map, which took Mahlknecht several months to complete, is free of charge and will remain so."

(At least until it gets shut down as a security threat.)

Fodder for my Ethical Hackers!

Vodafone Femtocells Rooted, Secret Keys Exposed

"Hackers have discovered the root password for Vodafone femtocells, devices that provide the user with a mobile phone signal piggybacked onto their home broadband. The root password was 'newsys.' [Wow, that must have taken cyber-years to break... Bob] Once root access is obtained, phones can be forced to connect to the cell and private keys captured, allowing the user to spoof the victim's phone and potentially make calls or send texts on their account, not to mention eavesdrop."

It is interesting when articles like this return a “404.” Perhaps they will fix it when they get back from Guantanamo?

Meet the 'Keyzer Soze' of Global Phone-Tracking

(Posted on Wired: Politics at Fri, Jul 15, 2011 at 11:00AM)

Chances are you've never heard of TruePosition. If you're an AT&T or T-Mobile customer, though, TruePosition may have heard of you. The company can tell the cops where you are without you knowing. And now, it's starting to let governments around the world in on the search. (visit source article)

Look how easily you can “Big Brother” anyone! (Takes a bit of Social Engineering) - Monitor Your Children On Facebook

Facebook is not really the kind of place to let your children roam freely, but as a contemporary father you just have to [You do? Bob] end up letting them create an account there to interact with all their friends who are already social network users. But that doesn't mean you are not going to keep a good watch on what they are doing once they have their own accounts up and running. There are applications that let parents discreetly monitor all that their children do on Facebook. And this is one of these.

Named CreepSquash, it can take care of delivering email alerts to parents when their children befriend new people, and also of highlighting communications that include inappropriate language. Additionally, CreepSquash can take care of notifying them whenever their children have been tagged on a photograph.

And CreepSquash can do something really interesting, which is determining which users are really genuine by looking at how many photos they have been tagged in. Those who have actually been tagged in images by others have what is termed a social proof quotient that goes into (somehow) ensuring who they are.

Is it possible that the FBI could be mentioned in headlines like those in the UK? If so, then you bet they are looking into it. (Reprinting this story increases the probability that the investigation will be “major.”)

FBI investigating News Corp.?

July 14, 2011 by Dissent

Tom Hays of Associated Press reports:

A law enforcement official says the FBI has opened an investigation into allegations that media mogul Rupert Murdoch’s News Corp. sought to hack into the phones of Sept. 11 victims.

The official spoke Thursday on condition of anonymity because he was not authorized to speak publicly.

Read more on Mercury News.

What would mainstream media do without all these anonymous sources? Was this “law enforcement official” an FBI official? How are we to evaluate the credibility of this report?

Something to start the discussion in my e-Commerce class.

July 14, 2011

New FTC Video Helps Businesses Comply with CAN-SPAM Rule

News release: "Say “spam” and most business executives think of annoying e-mail messages, like the ones that hold out a phony offer to split $50 million that’s sitting in a foreign bank. Of course, this type of message is covered by the Federal Trade Commission’s CAN-SPAM Rule, which is designed to protect consumers from deceptive commercial e-mail. But CAN-SPAM covers e-mails from legitimate businesses, too, such as e-mail notifying customers about a new product line or a special sale. To help explain what the CAN-SPAM Rule covers, the FTC has produced a new video for businesses with a seven-point checklist for sending commercial e-mail messages. For example, e-mail marketers must use accurate headers and subject lines and provide a method for consumers to stop getting e-mails. In addition to the video, the FTC also offers a brochure, The CAN-SPAM Act: A Compliance Guide for Business."

Keeping up with my vocabulary lessons...

Jargon Watch: Gladvertising, Photonic Hyperhighway, Quebecol, Flyjin

Gladvertising n. Outdoor advertising that uses cameras and facial-recognition software to read a consumer’s mood, then pushes products relevant to the target’s emotional state. The term was coined by the UK’s Centre for Future Studies, which predicts that flatscreen gladverts will begin to appear next year.

Photonic hyperhighway n. The future Internet, as envisioned by the British government. Researchers will devise ways to optimize fiber optics, aiming to create a network that’s 1,000 times speedier than today’s fastest broadband—even if hyperhighway sounds like a leap back to the ’90s.

Quebecol n. A chemical compound discovered in Canadian maple syrup. Touted as the latest cancer-fighting agent by the Federation of Quebec Maple Syrup Producers—which funded the research—the supposed antioxidant has been ridiculed by a Vermont newspaper as nationalist hype.

Flyjin n. Japanese term of derision for foreigners (gaijin) who fled Japan to avoid the risk of exposure to radiation. Returning flyjin face ostracism by Japanese colleagues who place loyalty above personal safety.

Slide shows made easy...

Slide Staxx - Create Slideshows of Your Web Findings

Slide Staxx is a new service that allows you to create slideshows using videos, images, and webpages that you have found or created. To create a slideshow with Slide Staxx you simply specify the URLs for the content that you want to include in each of your slides. Each slide can contain a video, an image, or a webpage. You can caption each slide or let the slides speak for themselves. You can rearrange the sequence of your slides by simply dragging and dropping them into the order you like. Your finished Slide Staxx slideshow can be embedded into your blog or website.


Knovio - Sync Your Slides to a Video Presentation

Knovio is a new service for delivering presentations online. To use Knovio you upload your slides to the site then use your webcam to record a video of yourself talking about the slides. When you're finished your video and slides will be synchronized and displayed side-by-side. Knovio presentations can be embedded into your blog or website. Knovio is currently in a private beta stage so you do have to register and wait for an invitation to the service.

Knovio appears to be similar to Slide Six and Slideshare's Zipcast service.

Thursday, July 14, 2011

A safe type of fraud for the discerning criminal...

140,000 children could be identity fraud victims

July 13, 2011 by admin

For most people, the thought of their children being victims of identity fraud is even more chilling than being a victim themselves.

While children are less at risk for identity fraud than adults, when it happens it can be much more devastating because the fraudulent activity can go undetected for years, making it all that much harder to restore the victim’s good name.

A study from ID Analytics found that 140,000 identity frauds are perpetrated on minors each year.

Read more on Help Net Security.

“It's only fair” is probably not admissible in court, but then even the banks won't connect this to Michael's...

Iowans report fraud from stolen Michael’s store PINs

July 13, 2011 by admin

Another rash of card fraud as a result of the Michael’s Store breach months ago? It seems that it may be. Adam Belz of the Des Moines Register reports:

Bankers contacted by the Register were not willing to connect any recent debit-card fraud to the Michael’s in Ankeny. So while all customers who used debit cards at the store in the late winter and spring could potentially have compromised debit or credit cards, it’s not clear all bank customers have been notified of the breach.

Kramer said it’s only fair to assume that recent reported debit card fraud in the metro area is connected to the Michael’s in Ankeny. The chain’s other three Iowa locations where the PIN pad was compromised are in Coralville, Davenport and Marion.

“That is the only known fraud that we have seen in this area at this time,” Kramer said.

Read more on the Des Moines Register.

Interesting TED talk.

Rebecca MacKinnon: Let's take back the Internet!

Rebecca MacKinnon describes the expanding struggle for freedom and control in cyberspace, and asks: How do we design the next phase of the Internet with accountability and freedom at its core, rather than control? She believes the internet is headed for a "Magna Carta" moment when citizens around the world demand that their governments protect free speech and their right to connection.

“We keep some things from the Colonial days – Big Brother, for instance.”

Skype and Google asked to cooperate with India surveillance

July 14, 2011 by Dissent

John Ribeiro reports:

The controversy over India’s demand that it be allowed to monitor online and mobile communications resurfaced again on Wednesday, with an Indian minister telling reporters that the government had asked Skype, Google and several other companies to give it access.

Google said that it had not received any communication on the issue from the government. “Thereby we are unable to comment on it,” a spokeswoman said. Skype was not immediately available for comment.

Read more on Computerworld UK.

My favorite government boondoggle strikes again.

Women Arrested For Refusing TSA Search of Children

"A Tennessee mother was arrested for refusing to allow TSA screening clerks to subject her child to a body scan or patdown. This comes in the wake of a promise by the TSA Administrator to make repeated attempts at non-physical screening of children, after which another video of a child patdown surfaced. This event may signify a tipping point in the public's willingness to tolerate invasive and inappropriate security procedures at airports." [I doubt it Bob]

It is silly to worry about size. Data is increasingly global, so don't think anything larger than a neighborhood is inherently evil. Worry about how the data will be misused. Worry that the FBI is asking anyone who gathers biometric data to share it with them in a classic example of mission creep. Also, I've never liked the argument that having a terrorist in this type of database would “reduce (or prevent) terrorist activities.”

The FBI’s Next Generation Identification: Bigger and Faster but Much Worse for Privacy

July 14, 2011 by Dissent

Jennifer Lynch writes:

This week, the Center for Constitutional Rights (CCR) and several other organizations released documents from a FOIA lawsuit that expose the concerted efforts of the FBI and DHS to build a massive database of personal and biometric information. This database, called “Next Generation Identification” (NGI), has been in the works for several years now. However, the documents CCR posted show for the first time how FBI has taken advantage of the DHS Secure Communities program and both DHS and the State Department’s civil biometric data collection programs to build out this $1 billion database.

Unlike some government initiatives, NGI has not been a secret program. The FBI brags about it on its website (describing NGI as “bigger, faster, and better”), and both DHS and FBI have, over the past 10+ years, slowly and carefully laid the groundwork for extensive data sharing and database interoperability through publicly-available privacy impact assessments and other records. However, the fact that NGI is not secret does not make it OK. Currently, the FBI and DHS have separate databases (called IAFIS and IDENT, respectively) that each have the capacity to store an extensive amount of information—including names, addresses, social security numbers, telephone numbers, e-mail addresses, fingerprints, booking photos, unique identifying numbers, gender, race, and date of birth. Within the last few years, DHS and FBI have made their data easily searchable between the agencies. However, both databases remained independent, and were only “unimodal,” meaning they only had one biometric means of identifying someone—usually a fingerprint.


So why should we be worried about a program like NGI, which the FBI argues will “reduce terrorist and criminal activities”? Well, the first reason is the sheer size of the database. Both DHS and FBI claim that their current biometrics databases (IDENT and IAFIS, respectively) are each the “largest biometric database in the world.” IAFIS contains 66 million criminal records and 25 million civil records, while IDENT has over 91 million individual fingerprint records.

Read more on EFF.

(Related) Like GPS tracking, which substitutes for having enough police officers to tail suspects manually (and the people they suspect might someday be suspects), this technology replaces the need for officers to memorize mug shots (or irises and fingerprints), but offers nothing truly new.

Police tapping iPhone for facial recognition

Some law-enforcement agencies are preparing to deploy a mobile facial-recognition tool, The Wall Street Journal reported today.

According to the Journal, about 40 law-enforcement agencies across the U.S. will be making the handheld product available to their officers in the field as early as September. The device, which has been developed by Massachusetts-based BI2 Technologies, allows officers to take a photo of a person from a distance of five feet or less. That photo is then compared with a database of images of people with criminal records to see if there is a match. The device is also capable of scanning a person's iris.

(Related) Coming from no records at all to a “Big Brother knows everything” database, perhaps they can more easily see the problems?

To Track Militants, U.S. Has System That Never Forgets a Face

… With little notice and only occasional complaints, the American military and local authorities have been engaged in an ambitious effort to record biometric identifying information on a remarkable number of people in Afghanistan and Iraq, particularly men of fighting age.

… In Afghanistan and Iraq, there are some complaints — but rarely on grounds recognizable to Americans as civil liberties issues.

Afghanistan, in particular, is a nation with no legacy of birth certificates, driver’s licenses or social security numbers, and where there is a thriving black market in forged national identity papers. Some Afghans are concerned that in the future the growing biometric database could be abused as a weapon of ethnic, tribal or political retaliation — a census of any particular group’s adversaries. Even Afghan officials who support the program want to take it over themselves, and not have the Americans do it.

Amazing the questions the law has never addressed, let alone answered.

Texas and Taxes: Is a Server a Business Presence?

"Does having a server in a data center give you an official business presence in the state where the data center is located – invoking the requirement to collect state taxes? Not in Texas anymore, thanks to a new bill, which clarified a ruling that would have required hosting companies leasing servers in Texas to collect state sales tax from their customers. That's a big deal, since Texas is home to many of the industry's largest hosting companies — including Rackspace and SoftLayer, who have comments on the issue."

Under the stringent (self-)regulations, members who fail to follow the guidelines must suffer the dreaded “tisk tisk” of shame!

Tracking the Trackers: Early Results

July 13, 2011 by Dissent

Jonathan Mayer writes:

Over the past several months researchers at the Stanford Security Lab have been developing a platform for measuring dynamic web content. One of our chief applications is a system for automated enforcement of Do Not Track by detecting the myriad forms of third-party tracking, including cookies, HTML5 storage, fingerprinting, and much more. While the software isn’t quite polished enough for public release, we’re eager to share some unexpected early results on the advertising ecosystem. Please bear in mind that these are preliminary findings from experimental software; our primary aims at this stage are developing the platform and validating the approach to third-party tracking detection. Many thanks to Jovanni Hernandez and Akshay Jagadeesh for their invaluable research assistance.

Some of the surprising early findings:

1. At least two NAI members are taking overt steps to respect Do Not Track.
2. Over half of the NAI members we tested did not remove their tracking cookies after opting out.
3. At least eight NAI members promise to stop tracking after opting out, but nonetheless leave tracking cookies in place.
4. At least ten NAI members go beyond their privacy policies and remove their tracking cookies.

Read more and get the details on CIS.
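The check behind findings 2 and 3 is simple to state: visit a page, record which third parties set a persistent identifier cookie, opt out, visit again, and see whose cookie is still there. The following is an added example of that logic, not the Stanford lab's software. It runs over constructed Set-Cookie headers; the tracker hostnames (tracker-a.example and so on), the 30-day persistence threshold and the opt-out marker values are assumptions for the example.

```python
# Added example of opt-out enforcement checking, not the Stanford platform.
# Tracker hostnames, thresholds and opt-out marker values are assumptions.
from collections import namedtuple
from datetime import datetime, timedelta, timezone

PERSISTENT_DAYS = 30                       # assumed: shorter-lived = session cookie
OPT_OUT_VALUES = {"OPT_OUT", "OPTOUT", "OPT-OUT"}   # assumed NAI-style marker values

Cookie = namedtuple("Cookie", "name value domain persistent is_opt_out")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); a real tool would use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(cookie_domain, page_host):
    return registrable_domain(cookie_domain) != registrable_domain(page_host)


def parse_set_cookie(header, response_host, now):
    """Parse one Set-Cookie header. Persistence comes from Max-Age (preferred)
    or Expires; a cookie with neither is a session cookie."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain", response_host).lstrip(".")
    persistent = False
    if "max-age" in attrs:
        persistent = int(attrs["max-age"]) >= PERSISTENT_DAYS * 86400
    elif "expires" in attrs:
        expires = datetime.strptime(
            attrs["expires"], "%a, %d %b %Y %H:%M:%S GMT"
        ).replace(tzinfo=timezone.utc)
        persistent = expires - now >= timedelta(days=PERSISTENT_DAYS)
    value = value.strip()
    return Cookie(name.strip(), value, domain, persistent, value.upper() in OPT_OUT_VALUES)


def persistent_trackers(page_host, responses, now):
    """Map each third-party registrable domain in `responses` (a list of
    (response_host, set_cookie_header)) to the names of the persistent,
    non-opt-out cookies it set. First-party cookies are ignored."""
    found = {}
    for host, header in responses:
        cookie = parse_set_cookie(header, host, now)
        if not is_third_party(cookie.domain, page_host):
            continue
        names = found.setdefault(registrable_domain(cookie.domain), set())
        if cookie.persistent and not cookie.is_opt_out:
            names.add(cookie.name)
    return found


def audit(page_host, before_opt_out, after_opt_out, now):
    """Verdict per third party: 'still_tracking' (identifier cookie survives the
    opt-out), 'respects_opt_out' (it was there before and is gone or replaced by
    an opt-out marker), 'no_persistent_cookie' (only session cookies ever set)."""
    before = persistent_trackers(page_host, before_opt_out, now)
    after = persistent_trackers(page_host, after_opt_out, now)
    verdicts = {}
    for domain in sorted(set(before) | set(after)):
        if after.get(domain):
            verdicts[domain] = "still_tracking"
        elif before.get(domain):
            verdicts[domain] = "respects_opt_out"
        else:
            verdicts[domain] = "no_persistent_cookie"
    return verdicts


# Constructed sample: what a page at news.example might receive from its
# embedded third parties on two visits, the second one after opting out.
PAGE_HOST = "news.example"
NOW = datetime(2011, 7, 13, tzinfo=timezone.utc)
BEFORE_OPT_OUT = [
    ("ads.tracker-a.example",
     "uid=abc123; Domain=.tracker-a.example; Path=/; Expires=Wed, 11 Jul 2012 00:00:00 GMT"),
    ("px.tracker-b.example", "id=zz9; Domain=.tracker-b.example; Max-Age=63072000; Path=/"),
    ("cdn.tracker-c.example", "sess=tmp; Path=/"),
    ("news.example", "layout=wide; Max-Age=31536000; Path=/"),
]
AFTER_OPT_OUT = [
    # tracker-a swapped its identifier for an opt-out marker; tracker-b did not
    ("ads.tracker-a.example",
     "uid=OPT_OUT; Domain=.tracker-a.example; Path=/; Expires=Wed, 11 Jul 2012 00:00:00 GMT"),
    ("px.tracker-b.example", "id=zz9; Domain=.tracker-b.example; Max-Age=63072000; Path=/"),
    ("cdn.tracker-c.example", "sess=tmp; Path=/"),
    ("news.example", "layout=wide; Max-Age=31536000; Path=/"),
]

if __name__ == "__main__":
    for domain, verdict in audit(PAGE_HOST, BEFORE_OPT_OUT, AFTER_OPT_OUT, NOW).items():
        print(domain, verdict)
```

The audit only looks at cookies; a tracker that moves its identifier into HTML5 storage or relies on fingerprinting, both of which the Stanford post lists, would pass this check while still tracking, which is why the lab's platform watches more than cookies.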

“That's a really cool scam! Let us collect the money for you.”

Phone Customers Pay $2B Yearly In Bogus Fees

"CNN reports that a one-year study by the Commerce, Science and Transportation Committee shows about $2 billion a year in 'mystery fees' show up on the landline phone bills of Americans. Known as cramming, the extra charges include: long distance service, subscriptions for Internet-related services, access to restricted websites, entertainment services with a 900 area code, collect calls, and club memberships. The Commerce Committee's report says phone companies receive a small fee — often just a dollar or two — for allowing charges from third-party vendors to appear on their bills but due to the large number of customers the charges eventually add up. Illinois Attorney General Lisa Madigan told the panel people are unaware their phone numbers can be charged almost like a credit card and her investigations indicate customers are not even getting services in return. 'My office has yet to see a legitimate third-party charge on a bill,' says Madigan, who added most customers don't detect the charges on their bills. Senator Jay Rockefeller says Congress needs to pass legislation to protect customers from unauthorized third-party charges on their phone bills because the telephone industry has failed to prevent the practice. 'It's pretty obvious at this point that voluntary guidelines aren't solving this problem,' says Rockefeller. 'It's time for us to take a new look at this problem and find a way to solve it once and for all.'"

Here's an interesting Net Neutrality argument... Are there Internet based (Cloud based) services that – if terminated without notice, would harm a user? (Think health monitors, smoke alarms, “I've fallen and I can't get up,” baby monitors, etc.)

Comcast Bans Seattle Man From Internet for His Cloudy Ways

The end of the internet comes not with a bang or a procession of four lolcats of the apocalypse, but just with two blinking lights on a modem.

At least that’s how it came for Andre Vrignaud, a 39-year-old gaming consultant in Seattle, when Comcast shut him off from the internet Monday for using too much data.

Vrignaud, it seems, committed the foul of using more than 250 GB of data on Comcast two months in a row, triggering the company’s overage policy that results in a year-long ban from using its services.

“It’s one of those things I never thought would hit me,” Vrignaud said. “They didn’t even call. I just got double blinking lights on my modem.”

“If I’d been foolish enough to depend on something like Skype or some other VOIP service for 911, I would have been hosed,” Vrignaud said, arguing that internet service has become a utility much like water and electricity — services that can’t easily be turned off, due to regulations.

For my traveling geeks...

MaryFi Lets You Share Your Windows 7 Internet Connection Wirelessly

Sometimes we have to share a USB internet connection with other devices like tablets or smartphones, especially when we are travelling. In these cases you can use MaryFi. MaryFi is a free tool for Windows 7 which lets you share your internet connection wirelessly with other devices! It uses the same procedure as the wireless ad hoc connection feature in Windows 7 and Windows Vista. When the connection is established, other Wi-Fi devices like laptops, smart phones, music players, and gaming systems can join the MaryFi hotspot exactly like any other Wi-Fi hotspot. Your Wi-Fi connection is secured by password-protected WPA2 encryption.

Download MaryFi

Definitely something to share with my “Intro to IT” students. Make that, all my students. Even though it's not exactly “Miss Manners.”


eEtiquette - 101 Guidelines for the Digital World

eEtiquette is a simple site that exists for the purpose of sharing electronic etiquette tips. The tips cover everything from email etiquette to social network etiquette to cell phone etiquette. Although the title says there are 101 guidelines there are actually more than 101 guidelines on the site now. Some of the best etiquette guidelines are available on a free poster that you can download from eEtiquette.

Wednesday, July 13, 2011

Somehow I knew this was the case...

Reports: U.K. paper paid police to 'ping' phones

The scandal surrounding Rupert Murdoch's News of the World is growing, with new allegations that his papers bribed police to use cell phone-tracking technology to find the exact whereabouts of news subjects, as well as to obtain information about the royal family, and also targeted former Prime Minister Gordon Brown, according to reports.

Two former News of the World journalists said the practice of using the illicit cell phone tracking was known as "pinging" in the newsroom, according to The New York Times. The technology, for which one reporter said the News of the World paid nearly $500 each time it was used, is supposed to be restricted to law enforcement and security officials, a former senior Scotland Yard official said. A former News of the World editor told The New York Times that the Murdoch paper also tracked people by hacking into their credit card details to see where the latest charge was made.

If real, why plaintext passwords (or were they decrypted?)

Toshiba Hacked?

July 12, 2011 by admin

The message on the first Pastebin post said:

Toshiba HACKED BY V0iD

More To Come….

What followed was a list of 11 admins’ email addresses from the TACP database with associated plaintext passwords and ID number. The admin with superuser status was noted.

There were also 333 users’ email addresses and plaintext passwords.

The message on the second Pastebin post said:

Toshiba HACKED BY V0iD

More To Come….

Some Info:
>_ There is total 14 “user”-lists. Who the fuck knows where they go?
That’s not the purpose; try with facebook, email, paypal and other
crap. Have Fun? In Part 2:
>_ Service Places. These are a small list of Toshiba resellers. They all
Have passwords.
More E-mails+Passwords from tabel “Public_Users”

There were 451 email addresses and plaintext passwords posted from the users’ table.

If there’s a part 3, it hasn’t been posted yet.

No statement appears on Toshiba’s site at this time about the breach claimed by VOiD.

Everyone should secure their wifi like they taught an Ethical Hacking class...

Wi-Fi–Hacking Neighbor From Hell Sentenced to 18 Years

A Minnesota hacker prosecutors described as a “depraved criminal” was handed an 18-year prison term Tuesday for unleashing a vendetta of cyberterror that turned his neighbors’ lives into a living nightmare.

Barry Ardolf, 46, repeatedly hacked into his next-door neighbors’ Wi-Fi network in 2009, and used it to try and frame them for child pornography, sexual harassment, various kinds of professional misconduct and to send threatening e-mail to politicians, including Vice President Joe Biden.

His motive was to get back at his new neighbors after they told the police he’d kissed their 4-year-old son on the lips.

… Ardolf’s attorney, Kevin O’Brien, said in a telephone interview that “it was a lengthy sentence for a first time offender.” The defendant also forfeited his house and computer gear.

Ardolf had no criminal record, but an investigation revealed that he’d also hijacked the Wi-Fi of other neighbors, and terrorized them as well.

A father of two, Ardolf had turned down a 2-year plea agreement last year to charges related to the Biden e-mail. After that, the authorities piled on more charges, including identity theft and two kiddie-porn accusations carrying lifetime sex-offender registration requirements. He pleaded guilty to them all last year.

Local definitely worth following!

Encryption defense attorney fights DOJ demands (Q&A)

The U.S. Department of Justice is determined to make sure that a case in Colorado will set a legal precedent allowing it to force Americans accused of crimes to decrypt their computers' hard drives.

Phil Dubois is equally determined not to let that happen. The Colorado Springs-based attorney is representing Ramona Fricosu, accused of a mortgage scam, who is refusing to divulge the passphrase to an encrypted laptop found in her bedroom.

Dubois, who specializes in criminal defense and Internet law, says requiring Fricosu to decrypt the hard drive would be a clear violation of his client's Fifth Amendment right to remain silent. The case is currently before U.S. District Judge Robert Blackburn, and Dubois says if he loses, he'll appeal.

It's not Dubois' first encounter with encryption and threats of criminal prosecution. In the 1990s, he represented PGP creator Phil Zimmermann when the programmer was being investigated for allegedly exporting the encryption utility by posting it publicly online. The charges were dropped in 1996.

The US polices the world! And don't you forget it...

Feds Defend Internet Domain Seizure in Piracy Crackdown

Federal prosecutors are asking a judge not to return the domain names of one of Spain’s most popular websites, seized as part of a major U.S. crackdown on internet piracy.

The legal filing represents the government’s first legal response to a lawsuit challenging “Operation in Our Sites.”

Commenced last year, U.S. Immigration and Customs Enforcement has seized as many as 208 domains the authorities claim are linked to intellectual-property fraud. The court-ordered seizures are aimed at web sites that sell counterfeited goods, as well as sites that facilitate illegal music, film and broadcast piracy.

The Rojadirecta .com and .org domains were seized in January along with eight others connected to broadcasting pirated streams of professional sports.

Every port is a potential avenue for hackers...

Patched MS Bluetooth Flaw Exposes Even Disconnected PCs

"Among the 22 security holes Microsoft issued updates to fix yesterday is a critical kernel-level Bluetooth flaw that could let nearby attackers break into vulnerable systems even when the targeted computer is not connected to a network. An attacker could use the bug to gain access to any unpatched, Bluetooth-enabled Windows Vista or Win7 computer within 100 meters (or much further with specialized tools), all before the target system even gets an alert that another computer is requesting a Bluetooth connection."

Encryption is easy.

DOWNLOAD Lockdown: Secure Your Files With TrueCrypt

To really keep your data safe, you need to encrypt it. Not sure how to start? You need to read “Lockdown: Secure your Files With TrueCrypt”, by author Lachlan Roy.

DOWNLOAD Lockdown: Secure Your Files with TrueCrypt or Read now on Scribd

Tuesday, July 12, 2011

“Can you hear me now?” At some point, organizations are going to realize these hacktivists are serious (and their security isn't)

Anonymous Leaks 90,000 Military Email Accounts in Latest #AntiSec Attack

July 11, 2011 by admin

Sam Biddle reports:

Booz Allen Hamilton is a massive American consulting firm that does a substantial amount of work for the Pentagon. This means they’ve got a lot of military business on their servers—which Anonymous hacked. Today they’ve leaked it.

The leak, dubbed ‘Military Meltdown Monday,’ includes 90,000 logins of military personnel—including personnel from US CENTCOM, SOCOM, the Marine Corps, various Air Force facilities, Homeland Security, State Department staff, and what looks like private sector contractors. Their correspondences could include exchanges with Booz Allen’s highly brassy staff of retired defense folk: current execs include three former Directors of National Intelligence and one former head of the CIA. Anon was also kind enough to gut 4 GB of source code from Booz Allen’s servers. Anon cites the firm’s alleged complicity in the SWIFT financial monitoring program as at least partial motive for the attack.

Read more on Gizmodo.

Over on ReadWriteWeb, Dan Rowinski writes:

In terms of what Anonymous found in the Booz Allen Hamilton servers, there are certainly items that will get people fired. One of the bigger items is Booz Allen Hamilton’s association with security company HBGary. Booz Allen Hamilton and HBGary Federal proposed software for a sophisticated program (dubbed Metal Gear by Anonymous) that would allow security teams to control “sock puppet” online identities in social media spheres that would attempt to steer conversation about certain topics. One way or another because of this program, Anonymous claims that all U.S. military personnel will now have to change their passwords.

“And thanks to the gross incompetence at Booz Allen Hamilton probably all military [p]ersonnel of the U.S. will now have to change their passwords,” Anonymous wrote.

[From the ReadWriteWeb article:

… gained access to 90,000 military emails, four gigabytes of source code (which was erased from the Booz Allen Hamilton servers) along with login credentials and other sources of information that Anonymous can hack along the intelligence community's digital infrastructure.

Hacktivists again...

German police hacked, suspect tracking data stolen

July 12, 2011 by admin

Darren Paul reports on another hack revealed last week:

Usernames, passwords, and coordinates stolen in data haul.

Hackers have broken into the German Federal Police and swiped location data used to track suspects.

The attack launched by the left-wing n0-N4m3 Cr3w hacking group compromised a server used by the country’s customs service.

It then published the contents including location coordinates, license plate and telephone numbers, police usernames and passwords, and a GPS application.

Read more on CRN

Isn't Google correct?

Google Seeks Immediate Appeal of Street View Wiretap Ruling

Google is demanding a federal judge grant it permission to appeal a decision that approved a federal wiretapping lawsuit over its interception of unencrypted Wi-Fi traffic.

The Mountain View, California, media giant responded late Friday to a Silicon Valley federal judge’s June 29 decision in nearly a dozen combined lawsuits seeking damages from Google for eavesdropping on open, unencrypted Wi-Fi networks from its Street View mapping cars. The vehicles, which rolled through neighborhoods across the country, were equipped with Wi-Fi–sniffing hardware to record the names and MAC addresses of routers to improve Google location-specific services. But the cars also secretly gathered snippets of Americans’ data.

Google claims it was not a breach of the Wiretap Act to intercept data from unencrypted, or non-password-protected Wi-Fi networks. Google said open Wi-Fi networks are akin to “radio communications” like AM/FM radio, citizens’ band and police and fire bands, and are “readily accessible” to the general public — a position rejected by U.S. District Judge James Ware.

… It was the first ruling (.pdf) of its kind, and Google wants the 9th U.S. Circuit Court of Appeals to review Ware’s decision “before forcing it to proceed with protracted litigation at the district court,” Ruben wrote.

Google said it didn’t realize it was sniffing packets of data on unsecured Wi-Fi networks in about a dozen countries over a three-year period until German privacy authorities began questioning last year what data Google’s Street View cars were collecting. Google, along with other companies, uses databases of Wi-Fi networks and their locations to augment or replace GPS when attempting to figure out the location of a computer or mobile device.

“It's for the children!” After all, the Post Office keeps a copy of every letter you mail... Oh, no – I mean the phone company records all your calls... No, forget that. None of that stuff happens.

Unhappy meal: Data retention bill could lure sex predators into McDonalds, libraries

July 11, 2011 by Dissent

Chris Soghoian writes:

On Tuesday, the Republican-controlled House Judiciary Committee will hold a hearing in support of mandatory data retention legislation. The bill that they have proposed requires that Internet Service Providers, such as Comcast and Time Warner, save records of the IP addresses they assign to their customers for a period of 18 months.

Data retention is a controversial topic and loudly opposed by the privacy community. To counter such criticism, the bill’s authors have cunningly (and shamelessly) named it the Protecting Children from Internet Pornographers Act of 2011. This of course means that anyone who opposes data retention must go on record as opposing measures to catch sexual predators.

Read more on Ars Technica.

For the Ethical Hackers...

10 Privacy Tools To Browse The Web Anonymously

Monday, July 11, 2011

Bold, but legal? They did nothing to the websites they dropped, they simply will no longer return them as part of their search results. No doubt some legitimate sites are now cut off too, but then you get what you pay for...

Google pulls subdomains from search, brings our global malware nightmare to an end

Google's been on a creative tear lately, rolling out new products and revamping older ones. But there's a reason the phrase "search giant" is synonymous with Big G, and it's always working to return better results. Sometimes that means tweaking its algorithm to prevent SEO-gaming; other times it means dropping over 11 million sites from search results, as the company just did in blocking the subdomain. Google classifies it as a "freehost" -- it belongs to a Korean company that provides free or cheap domains, often bulk-registered -- and after automated scanning revealed a high percentage of malware-hosting sites, decided to scrub the entire lot from its results. Of course, this is something like using a nuclear weapon against cockroaches: it causes a lot of collateral damage, while your real target scurries to its next hideout. Still, we wish Google well in its bravely quixotic mission.

“No problem. We'll just make Europe ‘off limits’.”

July 10, 2011

EPIC: European Parliament Takes Stance Against Airport Body Scanners

Follow up to previous postings on whole body scanning at airports, via EPIC: The European Parliament has adopted a resolution that sets out strict safeguards for airport body scanners. The resolution requires that Member States only "deploy technology which is the least harmful for human health" and establish substantial privacy protection. The resolution prohibits the use of body scanners that use ionizing radiation. New guidelines also state that airport body scanners "must not have the capabilities to store or save data." EPIC currently is pursuing a lawsuit to suspend the use of body scanners in the United States, citing several federal laws and the US Constitution. EPIC has called the US airport body scanner program "invasive, ineffective, and unlawful." For more information, see EPIC: EPIC v. DHS (Suspension of Body Scanner Program) and EPIC: Whole Body Imaging Technology.

This caught my eye because I sometimes feel “advocates” treat “the environment” more like a religion than a science. But here they seem to treat it like “Intelligent Design” – Okay, we'll mention it, now go away.

July 10, 2011

A National First: Maryland Students Must Be 'Green' to Graduate

Education Week: "Maryland has become the first state in the country to require students to be "environmentally literate" in order to graduate from high school. The June 2011 vote by the Maryland board of education requires that students get a "comprehensive, multi-disciplinary environmental education" before receiving a diploma. Districts will have to develop plans for coursework that meets state standards in environmental literacy and have their plans approved by the state superintendent of schools. They will also have to develop ways to assess students' mastery of the material in order to determine if they are eligible for graduation. The action today follows a decision by the board last summer to require that students get a bigger dose of environmental literacy than they had been getting in typical science classes. There was some confusion, however, about whether that action actually made environmental literacy a graduation requirement. Today's vote was intended to clear up that confusion and make the requirement official."

(Related) Note: Advocates. Squeeze it into existing courses. Don't measure the students' understanding. Is that education?

Environment to be added to state curriculum

September 21, 2010

… The Chesapeake Bay Foundation, which had advocated for making environmental studies a part of the curriculum, had hoped for stronger requirements than what was passed by the board, but the nonprofit advocacy group said the board's action was a "partial victory."

Under the new regulation, high school students will not need to take any additional courses, but environmental education will be added into existing courses, such as biology. Every five years, school districts will have to report to the state on whether they have environmental subject matter in courses that every student must take.

"The onus needs to be on the school system, not on the students" to prove that courses have been taken, said Donna Hill Staton, a board member.

For my Computer Forensics and Ethical Hacking students

How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History

This can't be true, can it? If new technologies caused accidents, wouldn't the number (rate) of accidents shoot up each time a technology was introduced? (Perhaps someone should explain that 25% is not a “vast majority”)

Cell phones and texting cause most road accidents

New research offered up by non-profit organisation the Governors Highway Safety Association (GHSA) has revealed that mobile device use while behind the steering wheel is responsible for the vast majority of accidents on U.S. roads.

With the seriousness of such incidents ranging from light injury through to fatality, the report said cell phones and other mobile electronic devices account for up to 25 percent of all vehicular crashes.

… The GHSA study collated its results by scrutinising more than 350 related scientific papers published since the turn of the millennium.

Sunday, July 10, 2011

This has nothing to do with new infrastructure. It simply creates an “anonymity free zone” where you have to prove your identity before doing anything. Individual hosts (e.g. your bank) attempt to do this today, but with widely varying levels of success.

Former CIA Director: Build a new Internet to improve cybersecurity

... Unlike .com, .xxx and other new domains now proliferating on the Internet, .secure would require visitors to use certified credentials for entry and would do away with users' Fourth Amendment rights to privacy. Network operators in the financial sector, for example, would be authorized to scan account holders' traffic content for signs of trouble.

… "This doesn't have to be complicated or even mandatory," he said on the Senate floor in November 2010. "The most important value of a dot-secure domain is that, like dot-gov and dot-mil, now we can satisfy consent under the Fourth Amendment search requirements for the government's defenses to do their work within that domain, their work of screening for attack signals, botnets and viruses."

I don't think this means Facebook actively participated, rather someone noticed the protest being organized (and wouldn't any country want to monitor Facebook after “Arab Spring”) and found an easily accessible list of “trouble makers.”

Facebook Helps Israel Blacklist Air Travellers

"According to a report by the Associated Press, protesters have been stopped in their tracks after Facebook aided Israel in cracking down on the group of activists from the UK, France, and Belgium who planned their event using the popular social networking site. Facebook allowed government agents to track the activists' activities and then create a black-list of people who participated in the planning of the protests. The black-listed group was then forwarded to airlines with instructions to prevent the activists from boarding air flights to Israel. Over 200 activists were prevented from flying after being added to the airlines' terrorism watch list, [Not really terrorists – are they now banned from flying anywhere? Bob] according to the AP report. Was Julian Assange correct, when he warned that Facebook was a giant, 'appalling spy machine'?"

Say goodbye to the privacy of your kitchen? A taste of things to come? “We know you bought avocados – here are 649 guacamole recipes.”

Feast Your Eyes On Recipe Curation Site Gojee

There’s no shortage of food recipe sites on the web for virtually any kind of food. In fact, trying to find a recipe online can be overwhelming with all of the options available. Enter recently launched foodie favorite Gojee, which curates recipes from food bloggers around the web in a visually beautiful way.

On Gojee, you can search for recipes by ingredient, either via ‘cravings’ or by one ingredient you have in your pantry. You can also input your dislikes or allergies and Gojee will make sure to surface recipes without these ingredients.

… Gojee is also attempting to make your life easier by allowing you to import your rewards card info from your grocery store of choice, and the site will give you recipes based on the items you have purchased. Unfortunately, the feature is only integrated with New York grocery store chain D’Agostino but the startup hopes to add more stores in the near future.

Other than being able to say “I came at your request...” what disadvantage is there to waiting for the subpoena? You know they are out to get you either way... (The comments are interesting.)

Google Chairman To Testify At Antitrust Hearing

"Following a threat of subpoena, Google chairman Eric Schmidt will be testifying at a Senate antitrust subcommittee in September. Google has denied acting anticompetitively and cites its success as the cause of the increased scrutiny. The Federal Trade Commission and European Commission have both launched antitrust investigations into the company, and the Justice Department is also conducting a criminal probe into their acceptance of ads from rogue web pharmacies, an investigation Google has set aside $500 million to settle."

For my Math students

Sooeet: All In One Unit Conversion & Calculation Site

Finally there is an all in one unit conversion and calculation website that covers all units used in our daily life...

Similar tools: Converticious, Conversion Tool and Unit Converter.