Thursday, July 05, 2012



The “appearance” of security is not sufficient? (Is that what they are saying?) What a precedent!
Update: Federal appeals court raps U.S. bank over shoddy online security
July 5, 2012 by admin
Jeremy Kirk reports the latest twist in a long-running lawsuit by a construction firm against its bank over fraudulent wire transfers:
A U.S. construction company may stand a greater chance of recovering some of the $345,000 it lost in fraudulent wire transfers that it blames on poor online banking practices of its bank.
Patco Construction Company, based in Sanford, Maine, sued Ocean Bank, now called People’s United Bank, after fraudsters made six wire transfers using the Automated Clearing House (ACH) transfer system amounting to more than $588,000 in May 2009. About $243,000 was recovered.
In its suit, Patco alleged among other claims that Ocean Bank’s online security was not commercially reasonable under Article 4A of the Uniform Commercial Code (UCC), a federal code governing contractual disputes that has been adopted into most U.S. states’ laws.
The UCC does not allow claims such as negligence, fraud and breach of contract. The code makes it potentially costly for small businesses to sue financial institutions over cybercrime-related fraud. Even if a small business wins a lawsuit, under the code the financial damages are limited only to the money stolen plus interest.
In a significant twist, a three-judge federal appeals court panel found on Tuesday that Ocean Bank’s online security measures were not “commercially reasonable,” reversing a lower court ruling from May 2011.
Read more on Computerworld.


A useful tool and a serious security concern? “If we cut through the wall right here, we can walk right into the bank vault!” (a line from too many movies to count)
Just in time for the Olympic games, Google is bringing its indoor maps to the UK. This Google Maps feature is currently available on Android devices, and lets users navigate and get walking directions not only in the street, but inside buildings as well. There are currently over 40 venues in the UK featured on indoor maps, including the British Museum, King’s Cross Station, the O2 Arena and most big airports.


Suggesting a new iPhone advertising campaign?
Security firm: Android malware pandemic by year's end
Android malware levels are rising at an alarming rate, according to antivirus maker Trend Micro.
The security firm said at the start of the year, it had found more than 5,000 malicious applications designed to target Google's Android mobile operating system, but the figure has since risen to about 20,000 in recent months.
By the coming third quarter, the firm estimates there will be around 38,000 malware samples, and close to 130,000 in the fourth quarter.

Forced cleanup. Has there ever been a non-technical equivalent? (300,000 Typhoid Marys?)
"The FBI is set to pull the plug on DNSChanger servers on Monday, leaving as many as 300,000 PCs with the wrong DNS settings, unable to easily connect to websites — although that's a big improvement from the 4m computers that would have been cut off had the authorities pulled the plug when arresting the alleged cybercriminals last year. The date has been pushed back once already to allow people more time to sort out their infected PCs, but experts say it's better to cut off infected machines than leave them be. 'Cutting them off would force them to get ahold of tech support and reveal to them that they've been running a vulnerable machine that's been compromised,' said F-Secure's Sean Sullivan. 'They never learn to patch up the machine, so it's vulnerable to other threats as well. The longer these things sit there, the more time there is for something else to infect.'"
[Check your computer here: http://www.dns-ok.us/ ]
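The dns-ok.us page works by seeing which resolver your browser's lookups come from. An offline equivalent, added here as an example and not part of the original post or of any FBI tool, is to compare the resolvers configured on the machine against the rogue address blocks the FBI published in its DNSChanger notice. The CIDR list below is my transcription of that notice; confirm it against the current FBI text before relying on it. The config dumps at the bottom are constructed samples, not real captures.

```python
import ipaddress
import re

# IPv4 blocks the FBI listed for the Rove Digital / DNSChanger rogue resolvers
# (transcribed from the FBI's public DNSChanger notice; check the current notice
# before relying on them).
DNSCHANGER_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_dnschanger_resolver(ip: str) -> bool:
    """True if ip is an IPv4 address inside one of the published rogue blocks."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except ipaddress.AddressValueError:
        return False
    return any(addr in net for net in DNSCHANGER_RANGES)


def ipv4_literals(text: str) -> list[str]:
    """All distinct IPv4 literals in a config dump, in order of first appearance."""
    seen: list[str] = []
    for ip in IPV4_RE.findall(text):
        if ip not in seen:
            seen.append(ip)
    return seen


def rogue_resolvers(config_text: str) -> list[str]:
    """IPv4 literals in the dump that fall inside the DNSChanger blocks.

    Works on any text that lists the configured resolvers: /etc/resolv.conf,
    the output of `ipconfig /all` on Windows, or `scutil --dns` on macOS.
    A hit after the servers were shut down still means the host was infected;
    its lookups will simply fail instead of being redirected.
    """
    return [ip for ip in ipv4_literals(config_text) if is_dnschanger_resolver(ip)]


# Constructed samples, not real captures.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.internal
nameserver 8.8.8.8
nameserver 85.255.112.5
"""

SAMPLE_IPCONFIG = """\
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 93.188.160.2
                                       64.28.191.254
"""

if __name__ == "__main__":
    for name, dump in (("resolv.conf", SAMPLE_RESOLV_CONF), ("ipconfig", SAMPLE_IPCONFIG)):
        hits = rogue_resolvers(dump)
        print(f"{name}: {'INFECTED? ' + ', '.join(hits) if hits else 'clean'}")
```

Run it against the real dump (`cat /etc/resolv.conf` or `ipconfig /all > dump.txt`) and pass the text to `rogue_resolvers`. The check looks only at resolver addresses; it does not tell you what else the malware changed, so a hit means reimage or a full clean-up, not just fixing DNS.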

(Related) Perhaps the FBI will nuke 'em? If making laws is similar to making sausage, how should we explain “diplomacy?”
Wikileaks starts publishing two million 'Syria Files' emails
Whistleblowing organisation Wikileaks has begun publishing more than two million emails from Syrian political figures, ministries, and associated companies.
Wikileaks says the data derives from 680 Syria-related entities or domain names, including those from the Ministry of Presidential Affairs, Foreign Affairs, Finance, Information, Transport, and Culture Ministries.
Today's publication of dozens of emails marks the first cache released, with more to be published over the coming months. A number of media outlets are working in partnership with Wikileaks, including the Associated Press.
Wikileaks founder Julian Assange said the Syrian government will not be the only ones facing criticism from the fallout of today's announcement.


Reading other people's mail... In an effort to stamp out wasting time on Facebook, you might expose all your communications.
New submitter jetcityorange tipped us to a nasty security flaw in Cyberoam packet inspection devices. The devices are used by employers and despotic governments alike to intercept communications; in the case of employers probably for relatively mundane purposes (no torrenting at work). However, the CA key used to issue fake certificates so that the device can intercept SSL traffic is the same on every device, allowing every Cyberoam device to intercept traffic that passed through any other one. But that's not all: "It is therefore possible to intercept traffic from any victim of a Cyberoam device with any other Cyberoam device - or, indeed, to extract the key from the device and import it into other DPI devices, and use those for interception. Perhaps ones from more competent vendors."
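The practical lesson for anyone sitting behind such a box: once the interception CA is in your trust store, ordinary certificate validation passes, so it tells you nothing about who actually signed the certificate you were handed. What does catch the substitution, whichever device minted it, is comparing the served leaf against a fingerprint pin recorded from a network you trust. The following is an added example, not code from the original post or from any vendor; the pin values, issuer names and "DER" bytes are constructed placeholders, and the dictionary shape mirrors what `ssl.SSLSocket.getpeercert()` returns.

```python
import hashlib
import socket
import ssl

# Hypothetical pin set for one host, established out of band (for example,
# recorded from a network you trust).  Values here are derived from constructed
# sample bytes, not from any real certificate.
TRUSTED_LEAF_FINGERPRINTS = {
    hashlib.sha256(b"constructed legitimate leaf certificate DER").hexdigest(),
}
TRUSTED_ISSUER_CNS = {"Example Public CA"}   # hypothetical issuer name


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def issuer_common_name(peer_cert: dict) -> str:
    """Pull the issuer CN out of the dict shape ssl.SSLSocket.getpeercert() returns."""
    for rdn in peer_cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def interception_findings(peer_cert: dict, der: bytes,
                          trusted_fingerprints: set, trusted_issuers: set) -> list[str]:
    """Reasons to suspect an interception proxy; an empty list means the leaf matches the pins."""
    findings = []
    fp = cert_fingerprint(der)
    if fp not in trusted_fingerprints:
        findings.append(f"leaf fingerprint {fp[:16]}... not in pin set")
    cn = issuer_common_name(peer_cert)
    if cn not in trusted_issuers:
        findings.append(f"issuer CN {cn!r} not in expected set")
    return findings


def fetch_peer_cert(host: str, port: int = 443):
    """Live check (needs network; not used by the offline sample below).

    The default context *accepts* a proxy-minted certificate whenever the
    proxy's CA has been pushed into the local trust store, which is exactly why
    the pin comparison above is needed on top of normal validation.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed sample: what a client behind a DPI box might see.  Issuer name is
# hypothetical and the DER bytes are placeholders, not a real certificate.
INTERCEPTED_PEER_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "issuer": ((("organizationName", "Example DPI Vendor"),),
               (("commonName", "Example DPI Interception CA"),)),
}
INTERCEPTED_DER = b"constructed proxy-minted leaf certificate DER"

if __name__ == "__main__":
    for finding in interception_findings(INTERCEPTED_PEER_CERT, INTERCEPTED_DER,
                                         TRUSTED_LEAF_FINGERPRINTS, TRUSTED_ISSUER_CNS):
        print("WARNING:", finding)
```

For a live check, call `fetch_peer_cert("mail.example.com")` and feed the result to `interception_findings`. The issuer-name test is only a convenience (a proxy can name its CA anything); the fingerprint comparison is the one that cannot be talked around, and it is also what makes the shared-key problem moot from the client's side: a leaf minted by any interception CA, shared or not, will never match a pin recorded from the real server.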


If Congress asked for a report, can an attempt at new laws be far behind?
July 04, 2012
CRS - Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions
Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions. Eric A. Fischer, Senior Specialist in Science and Technology, June 29, 2012
  • "For more than a decade, various experts have expressed increasing concerns about cybersecurity, in light of the growing frequency, impact, and sophistication of attacks on information systems in the United States and abroad. Consensus has also been building that the current legislative framework for cybersecurity might need to be revised. The complex federal role in cybersecurity involves both securing federal systems and assisting in protecting nonfederal systems. Under current law, all federal agencies have cybersecurity responsibilities relating to their own systems, and many have sector-specific responsibilities for critical infrastructure. More than 50 statutes address various aspects of cybersecurity either directly or indirectly, but there is no overarching framework legislation in place. While revisions to most of those laws have been proposed over the past few years, no major cybersecurity legislation has been enacted since 2002."

(Related) In the UK they reported on the cost. We apparently don't care what it costs...
July 04, 2012
Paper - Measuring the Cost of Cybercrime
Via the 11th Annual Workshop on the Economics of Information Security - Measuring the Cost of Cybercrime - Ross Anderson, Chris Barton, Rainer Böhme, Richard Clayton, Michel J.G. van Eeten, Michael Levi, Tyler Moore, Stefan Savage
  • "In this paper we present what we believe to be the first systematic study of the costs of cybercrime. It was prepared in response to a request from the UK Ministry of Defence following scepticism that previous studies had hyped the problem. For each of the main categories of cybercrime we set out what is and is not known of the direct costs, indirect costs and defence costs both to the UK and to the world as a whole. We distinguish carefully between traditional crimes that are now 'cyber' because they are conducted online (such as tax and welfare fraud); transitional crimes whose modus operandi has changed substantially as a result of the move online (such as credit card fraud); new crimes that owe their existence to the Internet; and what we might call platform crimes such as the provision of botnets which facilitate other crimes rather than being used to extract money from victims directly. As far as direct costs are concerned, we find that traditional offences such as tax and welfare fraud cost the typical citizen in the low hundreds of pounds/Euros/dollars a year; transitional frauds cost a few pounds/Euros/dollars; while the new computer crimes cost in the tens of pence/cents. However, the indirect costs and defence costs are much higher for transitional and new crimes. For the former they may be roughly comparable to what the criminals earn, while for the latter they may be an order of magnitude more. As a striking example, the botnet behind a third of the spam sent in 2010 earned its owners around US$2.7m, while worldwide expenditures on spam prevention probably exceeded a billion dollars. We are extremely inefficient at fighting cybercrime; or to put it another way, cybercrooks are like terrorists or metal thieves in that their activities impose disproportionate costs on society.
Some of the reasons for this are well-known: cybercrimes are global and have strong externalities, while traditional crimes such as burglary and car theft are local, and the associated equilibria have emerged after many years of optimisation. As for the more direct question of what should be done, our figures suggest that we should spend less in anticipation of cybercrime (on antivirus, firewalls, etc.) and more in response - that is, on the prosaic business of hunting down cyber-criminals and throwing them in jail."


They must teach this in that Law School class titled “Invent your own logic.”
"In a stretch of the meaning of 'free speech' that defies the most liberal interpretation, Verizon defends throttling your data speed."
In its continuing case to strike down the FCC net neutrality regulations, Verizon is arguing that Congress has not authorized the FCC to implement such regulations, and therefore the FCC is overstepping its regulatory bounds, but (from the article): "Verizon believes that even if Congress had authorized network neutrality regulations, those regulations would be unconstitutional under the First Amendment. 'Broadband networks are the modern-day microphone by which their owners [e.g. Verizon] engage in First Amendment speech,' Verizon writes." They are also arguing that "... the rules violate the Fifth Amendment's protections for private property rights. Verizon argues that the rules amount to 'government compulsion to turn over [network owners'] private property for use by others without compensation.'"


Perhaps a reaction to Treaties negotiated in secret? Or maybe it's just a bad idea?
European Parliament Kills Global Anti-Piracy Accord ACTA
The European Parliament on Wednesday declared its independence from a controversial global anti-piracy accord, rejecting the Anti-Counterfeiting Trade Agreement.
The vote, 478-39, means the deal won’t come into effect in European Union-member nations, and effectively means ACTA is dead.
Its fate was also uncertain in the United States. Despite the Obama administration signing its intent to honor the deal last year, there was a looming constitutional showdown on whether Congress, not the administration, held the power to sign on to ACTA.
Overall, not a single nation has ratified ACTA, although Australia, Canada, Japan, Morocco, New Zealand, Singapore and South Korea last year signed their intent to do so. The European Union, Mexico and Switzerland, the only other governments participating in ACTA’s creation, had not signed their intent to honor the plan.


For my Ethical Hackers
… when UK Internet service provider BT blocked The Pirate Bay, the block was only in effect for a few minutes before The Pirate Bay bypassed it.
Topics covered:
How Websites Are Blocked
How Websites Bypass Blocks
Legal System Slowness
Other Ways to Bypass Blocks
The Streisand Effect
