Tuesday, July 11, 2006


http://michaelzimmer.org/2006/07/09/anonymity-in-cyberspace-finding-the-balance/

Anonymity in Cyberspace: Finding the Balance

Posted on Sunday, July 9th, 2006 at 10:05 am

Earlier this year, the International Association of IT Lawyers (IAITL) organized the First International Conference on Legal, Privacy and Security Issues in Information Technology in Hamburg, Germany. The conference covered a broad range of topics, such as electronic signatures, e-commerce, artificial intelligence, data protection, electronic payments, security, and so on. The papers presented provided an excellent insight into the current policies, perspectives, influences and challenges in the area of IT Law.

I was unable to attend this conference, but found this paper online, which seems especially relevant to aspects of my research: “Anonymity in Cyberspace: Finding the Balance” by Mohamed Chawki.

... Firstly, it starts by presenting the concept and several types of anonymity. Secondly, it focuses on the Internet and how it can be achieved, and why it is an essential tool for free speech. The paper will also describe proposals to outlaw anonymity over the Internet, since it has often been tied to criminal activity by law enforcement bodies. Finally, the paper concludes that total anonymity may be possible through the use of privacy-enhancing technologies such as those offered by Anonymizer.com and Freenet. Moreover, educated legislators can criminalize most true anonymity in cyberspace and still pass security.



http://www.govtech.net/magazine/story.php?id=100134

Officers to Receive Training in Identity Theft Investigation

July 10, 2006 News Release

Michigan law enforcement officers will be better equipped to investigate identity theft, credit fraud and counterfeiting complaints thanks to a new training course offered by the Identity Theft Teams of the Michigan State Police (MSP) in conjunction with the Michigan Association of Chiefs of Police (MACP) and the Michigan Sheriff's Association (MSA).



Perhaps we could translate this into 'American'

http://www.infoworld.com/article/06/07/10/HNspamguidelines_1.html?source=rss&url=http://www.infoworld.com/article/06/07/10/HNspamguidelines_1.html

Guidelines to enable UK spam data sharing

University of Cambridge research project uses traffic analysis, not content, to determine whether e-mail is legitimate

By Jeremy Kirk, IDG News Service July 10, 2006

A new set of guidelines may pave the way for dozens of U.K. ISPs (Internet service providers) to participate in a University of Cambridge research project into the problem of spam, estimated to comprise 60 percent or more of the world's e-mail traffic.

The guidelines concern how ISPs should deal with sensitive issues such as customer privacy and data-protection laws, while cooperating to shut down machines propagating spam, said Martin Hutty, head of public relations for the London Internet Exchange (LINX), a group of around 220 ISPs and network providers.

... The end result will be a real-time list of e-mail sources that ISPs can use to investigate misuse. Through heuristic analysis, an ISP should be alerted to odd behavior, such as if one of their customers starts sending 10 times the number of e-mails as in the previous week.

The guidelines can be viewed at the LINX Web site.



http://www.gigalaw.com/news/2006/07/treasury-departments-website-lacks.html

Treasury Department's Website Lacks Security, Analysts Say

A government Web site that sells bonds to the public is lacking a number of basic security features, analysts and investors say. TreasuryDirect, which is operated by the Treasury Department's Bureau of the Public Debt, has taken some steps to beef up security in recent months and is planning further improvements. Yet the site, which has become much more popular with individual investors since expanding its offerings late last year, is still missing some safeguards typically offered by bank and brokerage Web sites.



New term

http://www.infoworld.com/article/06/07/10/HNvoipphishingscam_1.html

Phishers tap VoIP in new scam

Scheme uses VoIP numbers as credit card or financial services information

By Grant Gross, IDG News Service July 10, 2006

A new kind of identity theft scam, with thieves using easy-to-obtain VOIP (voice over Internet Protocol) telephone numbers to trick Internet or telephone users, is beginning to pop up, said a cybersecurity vendor.

... In the new scam, which Secure Computing calls "vishing," identity thieves ask potential victims to call a phone number attached to a VOIP account, easily obtained online through services such as Skype or through retailers reselling VOIP products such as Vonage Holdings Corp., Henry said.

In one vishing case, scammers targeted Paypal users by including a telephone number in a spam e-mail. In the other case, the criminals configured an automatic telephone dialer to dial phone numbers, and when the phone was answered, played an automated recording saying their credit card has had fraudulent activity.



http://techdirt.com/articles/20060710/1444245.shtml

Lawsuit Says Kentucky Can't Ban State Employees From Reading Blog

from the banning,-rather-than-facing,-criticism dept

A few weeks back, a story spread around the news about how the state of Kentucky had started blocking access to a political blog critical of the governor of Kentucky from state computers (while still allowing access to plenty of other sites). Greg Beck, from Public Citizen, has written in to let us know that his organization has now filed a lawsuit against the state, claiming it violates the First Amendment. The lawsuit notes that the state can ban certain activities, but cannot selectively pick and choose what reading material is allowed based on content.



http://techdirt.com/articles/20060710/1720231.shtml

Judge Explores Why Telco Mergers Were Allowed

from the asking-some-questions dept

A few weeks ago we noted that famous anti-trust lawyer Gary Reback was pushing the courts to look into whether or not the big telcos broke the law in getting their various mergers approved. It appears those efforts have paid off. Federal District Judge Emmet Sullivan has now asked the Department of Justice for more info, noting that to his untrained eyes, the mergers definitely seem harmful to competition and the market -- so he'd like some more info on why they were approved. This could certainly get interesting pretty quickly. While it seems unlikely that he'd be able to turn back the clock and break up the mergers, it could lead to additional restrictions on the companies. Unfortunately, that might be the worst of both worlds, with the companies merged, but with the government (or the courts) trying to come up with the best way to create competition.



http://blog.washingtonpost.com/securityfix/2006/07/citibank_phish_spoofs_2factor_1.html

Security Fix Brian Krebs on Computer Security

Citibank Phish Spoofs 2-Factor Authentication

By Brian Krebs July 10, 2006; 4:24 PM ET

Security experts have long touted the need for financial Web sites to move beyond mere passwords and implement so-called "two-factor authentication" -- the second factor being something the user has in their physical possession like an access card -- as the answer to protecting customers from phishing attacks that use phony e-mails and bogus Web sites to trick users into forking over their personal and financial data.

These methods work, however, only so long as the bad guys don't fake those as well. Take this latest phish, spotted by the people over at Secure Science Corp. It uses an impressively crafted Web-based e-mail that targets users of Citibank's Citibusiness service, which -- as its name suggests -- caters to businesses. Citibusiness also requires customers who want to log into their accounts online to use a supplied token in addition to their user name and password. The small device generates an additional password that changes every minute or so.

The scam e-mail says someone (a nice touch added here -- the IP address of the imaginary suspect) has tried to log in to your account and that you need to "confirm" your account info. Not a whole lot that's revolutionary there, but when you click on the link, you get a very convincing site that looks identical to the Citibusiness login page, complete with a longish Web address that at first glance appears to end in "Citibank.com," but in fact ends at a Web site in Russia called "Tufel-Club.ru."

The site asks for your user name and password, as well as the token-generated key. If you visit the site and enter bogus information to test whether the site is legit -- a tactic used by some security-savvy people -- you might be fooled. That's because this site acts as the "man in the middle" -- it submits data provided by the user to the actual Citibusiness login site. If that data generates an error, so does the phishing site, thus making it look more real.

Update, 4:41 p.m. ET: I forgot to mention that while this phishing site was active late last week and during the weekend, it has since been shut down.



http://www.informationweek.com/story/showArticle.jhtml?articleID=190301898&cid=RSSfeed_IWK_All

FBI Warns Job Hunters Of Online Scams

Be extra careful when looking for work in cyberspace. The FBI is investigating some cases that involve fake job interviews and offers of employment that are actually ways to lure people into helping crime rings.

By K.C. Jones TechWeb.com Jul 10, 2006 03:38 PM

Job candidates should be cautious when seeking employment online, according to the FBI.

The FBI has released a warning, saying it is investigating several "online employment scams." The FBI outlined several schemes and told candidates to protect their information and be skeptical of some prospective employers.

... Some of the cases under investigation involve fake job interviews or offers of employment that are actually ways to lure people into helping crime rings.

According to the warning, fake recruiters are pretending to do background checks or set up bank accounts for direct deposit. Instead of getting a job, the candidates become victims of identity theft or owners of empty bank accounts.

In other cases, job ads for correspondence managers or import/export specialists are ruses to get people to ship items purchased illegally online, using stolen credit cards, to Nigeria and other places.
