Saturday, December 16, 2006

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Saturday, Dec. 16, 2006, at least 2,945 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,359 died as a result of hostile action, according to the military's numbers.

The AP count is 10 higher than the Defense Department's tally, last updated Friday at 10 a.m. EST.

More here.

And as always, keeps a very, very extensive list here, as does the Iraq Coalition Casuality Count website here.

Time Magazine's Person of the Year: You

Image source:

You betcha. It makes complete sense.

An AP newswire article by Larry McShane, via Yahoo! News, reports that:

Congratulations! You are the Time magazine "Person of the Year."

The annual honor for 2006 went to each and every one of us, as Time cited the shift from institutions to individuals — citizens of the new digital democracy, as the magazine put it. The winners this year were anyone using or creating content on the World Wide Web.

"If you choose an individual, you have to justify how that person affected millions of people," said Richard Stengel, who took over as Time's managing editor earlier this year. "But if you choose millions of people, you don't have to justify it to anyone."

More here.

Theater of the Absurd at the TSA

Randall Stross writes in The New York Times:

For theater on a grand scale, you can’t do better than the audience-participation dramas performed at airports, under the direction of the Transportation Security Administration.

As passengers, we tender our boarding passes and IDs when asked. We stand in lines. We empty pockets. We take off shoes. We do whatever is asked of us in these mass rites of purification. We play our assigned parts, comforted in the belief that only those whose motives are good and true will be permitted to pass through.

Of course, we never see the actual heart of the security system: the government’s computerized no-fly list, to which our names are compared when we check in for departure. The T.S.A. is much more talented, however, in the theater arts than in the design of secure systems. This becomes all too clear when we see that the agency’s security procedures are unable to withstand the playful testing of a bored computer-science student.

In late October, Christopher Soghoian, a Ph.D. student in the School of Informatics at Indiana University, found his attention wandering during a lecture in his Cryptographic Protocols class. While sitting in class, he created a Web site he called "Chris’s Northwest Airlines Boarding Pass Generator."

More here.

FBI Website to Aid UCLA Hacker Probe

Rebecca Trounson writes in The Los Angeles Times:

The FBI on Friday asked those who have learned that their names are in a recently compromised UCLA database — and who have reason to believe they may be victims of identity theft — to contact a special FBI website to submit a report.

UCLA announced this week that hackers had gained access to a central database containing information on about 800,000 people, including current and former students, faculty and staff members. Others potentially affected include some student applicants and some parents of students or applicants who filed paperwork for financial aid.

More here.

Data Mining Won't Catch Terrorists

James Gilden writes in The Los Angeles Times:

In the screening process, Homeland Security has analyzed such seemingly innocuous information as passengers' travel histories, frequent flier miles, number of bags checked, number of one-way tickets booked, e-mail addresses and even voluntary and involuntary upgrades. With that data, the department has assigned risk assessment scores to millions of travelers.

The program "mines," or analyzes, the data in the same way direct mail companies do to decide who gets catalogs or other solicitations.

But unlike direct mail, critics say, this type of passenger data analysis is not only ineffective, it may be illegal.

More here.

Showdown Looms Over Domestic Spying Program

An AP newswire article by David Kravets, via The Houston Chronicle, reports that:

Federal agents continue to eavesdrop on Americans' electronic communications without warrants a year after President Bush confirmed the practice, and experts say a new Congress' efforts to limit the program could trigger a constitutional showdown.

High-ranking Democrats set to take control of both chambers are mulling ways to curb the program Bush secretly authorized a month after the Sept. 11 attacks. The White House argues the Constitution gives the president wartime powers to eavesdrop that he wouldn't have during times of peace.

"As a practical matter, the president can do whatever he wants as long as he has the capacity and executive branch officials to do it," said Carl Tobias, a legal scholar at the University of Richmond in Virginia.

Lawmakers could impeach or withhold funding, or quash judicial nominations, among other measures.

More here.

White House Tightens Publishing Rules for USGS Scientists

An AP newswire article, via, reports that:

The Bush administration is clamping down on scientists at the U.S. Geological Survey, who study everything from caribou mating to global warming, subjecting them to controls on research that might go against official policy.

New rules require screening of all facts and interpretations by agency scientists. The rules apply to all scientific papers and other public documents, even minor reports or prepared talks, according to documents obtained by The Associated Press.

More here.

Friday, December 15, 2006

Executive Sentenced in Child Pornography Case

A Reuters newswire article, via The New York Times, reports that:

A former chief executive of a financial printing company was sentenced yesterday to 15 months in prison for possessing child pornography and erasing thousands of seedy computer files when he learned he was under investigation.

The executive, Robert M. Johnson, 61, downloaded the pornography onto a company computer while chief executive of Browne & Company. He pleaded guilty to possessing at least two child pornography images in August.

Mr. Johnson, who had been publisher of Newsday, in Melville, N.Y., from 1986 to 1994, resigned from Browne and gave up his seat on New York’s state education board in July 2004 when learning of the investigation.

Mr. Johnson, who also admitted using a program to try to erase the files on the computer, made a tearful plea to Judge Richard J. Holwell of the Federal District Court in Manhattan, saying the pressure of being Browne’s chief executive made him severely depressed.

More here.

Microsoft Wins Ruling to Ban Spam List Sales


Microsoft has stopped a man from selling lists of email addresses which were being used for spam. A court has granted a summary judgment against Paul Martin McDonald, stopping him from selling the lists.

Microsoft owns and runs Hotmail, a free, web based email service. It sought a summary judgment from the English courts to stop McDonald from operating his Bizads business, which offered for sale lists of email addresses of people which were used as the basis of spam by those who purchased the lists.

More here.

Toon: The Three Wise Men

Click for larger image.

Personal Data on 17,500 at Risk in CU-Boulder Security Breach


University of Colorado at Boulder officials today announced that a server in the campus's Academic Advising Center was the subject of a computer attack.

CU-Boulder officials said they had begun the process of notifying 17,500 individuals that their personal information - including names and Social Security numbers - might have been exposed in the attack. CU-Boulder officials are continuing to determine the extent of information exposed.

Employees with CU-Boulder's Information Technology Services office discovered the attack on Dec. 8 and, following CU guidelines, began an investigation to determine how the system compromise occurred.

More here.

(Props, Pogo Was Right.)

Sturdier Botnets Mean More Spam In 2007

Gregg Keizer writes on InformationWeek:

The late-2006 appearance of durable botnets was a tipping point in the back-and-forth battle against spammers, an industry analyst said Friday, who predicted that spam will continue to gain ground on defenses.

Assembled by a Trojan called SpamThru, the new botnets are tougher to bring down, says Paul Wood, senior analyst with MessageLabs, a message security and filtering service. "The advent of Trojans like SpamThru makes it possible for each bot in the net to learn about the location of other bots. When a bot goes down or the command and control channel is compromised, the other bots know about it."

In SpamThru's techniques, if a control server is shut down, the spammer can easily update the rest of the bots with the location of a new server as long as he controls at least one bot in the net. And if a specific bot is shut down, its spam load can be quickly shifted to another, as-yet-undiscovered, bot.

More here.

Hackers Selling Vista Zero-Day Exploit

Ryan Naraine writes on eWeek:

Underground hackers are hawking zero-day exploits for Microsoft's new Windows Vista operating system at $50,000 a pop, according to computer security researchers at Trend Micro.

The Windows Vista exploit—which has not been independently verified—was just one of many zero-days available for sale at an auction-style marketplace infiltrated by the Tokyo-based anti-virus vendor.

In an interview with eWEEK, Trend Micro's chief technology officer, Raimund Genes, said prices for exploits for unpatched code execution flaws are in the $20,000 to $30,000 range, depending on the popularity of the software and the reliability of the attack code.

Bots and Trojan downloaders that typically hijack Windows machines for use in spam-spewing botnets were being sold for about $5,000, Genes said.

More here.

Full disclosure: Trend Micro is my employer...

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Friday, Dec. 15, 2006, at least 2,942 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,359 died as a result of hostile action, according to the military's numbers.

The AP count is seven higher than the Defense Department's tally, last updated Friday at 10 a.m. EST.

More here.

And as always, keeps a very, very extensive list here, as does the Iraq Coalition Casuality Count website here.

USPS Quietly Cancels 18-Year Network Outsourcing Deal

Carolyn Duffy Marsan writes on NetworkWorld:

The U.S. Postal Service has quietly terminated an 18-year, multibillion-dollar network services contract with Lockheed Martin that was to provide all of its data, voice, video and wireless services.

Dubbed Universal Computing Connectivity (UCC), the contract was awarded to Lockheed Martin with much fanfare in October 2004. UCC had an estimated value of between $3 billion and $6 billion.

USPS terminated the UCC contract in July 2006.

More here.

Engineer Indicted in Alleged Plot to Sell Military Trade Secrets

An AP newswire article by Jordan Robertson, via The San Diego Union-Tribune, reports that:

A Silicon Valley engineer stole trade secrets from a San Jose software company and tried to sell them to foreign governments, prosecutors alleged Thursday.

Xiaodong Sheldon Meng, 42, a Chinese national with Canadian citizenship, was indicted on 36 felony counts, including economic espionage to benefit a foreign government and violations of military technology export laws.

Prosecutors say Meng stole the underlying code for software made by Quantum3D Inc. that is used to train military fighter pilots, and tried to sell it to the Thai and Malaysian air forces and a company with ties to China's military.

No foreign government or agent was named as a conspirator in the case.

More here.

Websense: A Humorous Look at 2007 Security Threats

Via The Websense Threat Blog.

Image source: Websense

A couple days ago we did our annual 2007 security predictions for what we believe will come in the following year, today we are releasing a "tongue and cheek" look 20 years into the future with our 2027 predictions. Enjoy !

More here.

Stalemate Keeps AT& T-BellSouth Merger Off of FCC's Agenda

Alan Sipress writes in The Washington Post:

Federal Communications Commission Chairman Kevin J. Martin said yesterday he did not know how soon it would consider AT&T's proposed $86 billion acquisition of BellSouth after the deal was left off the agenda for Wednesday's meeting because of a continuing stalemate between the commission's Republican and Democratic members.

Martin, an advocate of the merger, told reporters he was "anxious" to set a date for the vote, which would create the country's largest provider of telephone, wireless and broadband services. AT&T and BellSouth have waited more than seven months for the commission to act despite Martin's efforts earlier this year to win quick approval of the transaction without conditions.

The FCC has repeatedly delayed voting on the merger in recent months because of a stalemate between Republican supporters of the deal and their Democratic counterparts, who want to impose safeguards meant to protect consumers and ensure competition within the industry.

One of the main obstacles is disagreement over whether to require a "net neutrality" condition that would bar AT&T from asking different Internet services to pay different prices for using its lines.

More here.

Why Cellphone Outage Reports Are Secret

Bob Sullivan writes on The Red Tape Chronicles:

Consumers have no idea how reliable their cell phone service will be when they buy a phone and sign a long-term contract. The Federal Communications Commission could offer some guidance, but it won't. The agency refuses to make public a detailed database of cell phone provider outages that it has maintained since 2004.

A federal Freedom of Information Act request for the data, filed in August by, has been rejected by the agency. The stated reasons: Release of the information could help terrorists plan attacks against the United States, and it would harm the companies involved.

More here.

U.S. Tally of Data Breach Victims Tops 100M

Robert McMillan writes on InfoWorld:

A stolen laptop at The Boeing Co. has pushed a widely watched tally of U.S. data breach victims past the 100 million mark.

That disclosure pushed the total number of data breach victims on the Privacy Rights Clearinghouse Web site to 100,152,801, said Beth Givens, director of the consumer advocacy group.

Privacy Rights Clearinghouse has been tracking data breaches since February 2005, when ChoicePoint disclosed that thieves had stolen information on 163,000 victims from the company's database.

More here.

Man Gets Jail Time for Disrupting Wireless Internet Services

Grant Gross writes on InfoWorld:

A Utah man who brought down the wireless Internet services offered by a former employer has been sentenced to two years in prison, the U.S. Department of Justice (DOJ) announced Thursday.

Ryan Fisher, 24, of Vernal, Utah, caused 170 customers of SBT Internet and another carrier to lose their wireless Internet connections for up to three weeks, the DOJ said. One customer was relying on e-mail for news of an organ donor, the DOJ said.

Judge Paul G. Cassell of the U.S. District Court for Utah also sentenced Fisher to three years of probation on the charge of intentionally damaging a protected computer. Fisher, a former employee of SBT, must also pay $65,000 in restitution, the DOJ said. Fisher was charged on Feb. 16.

More here.

Programming Note

I've been under the weather the past couple of days, and as you might expect, posting has come to a standstill. I'm feeling slightly better today, but still kind of queasy, so I hope to begin posting lightly a little later this morning.



- ferg

Wednesday, December 13, 2006

ACLU Fighting Justice Department Over Secret Document

Josh Gerstein writes on The New York Sun:

A Justice Department demand for the return of a classified document sent to the American Civil Liberties Union is triggering a First Amendment battle that could have wide-ranging implications for journalists and others who track national security matters.

The ACLU disclosed yesterday that it is fighting a federal grand jury subpoena that seeks "any and all copies" of a 3 1/2 page document, marked "secret," that was sent by e-mail to the group in October by a source whom ACLU officials declined to identify.

"This is the first time in our knowledge in the ACLU's 86-year history that we've been asked to make a document disappear from our files," the group's executive director, Anthony Romero, told reporters yesterday. "We resist such an effort as a matter of principle and as a matter of right."

On Monday, the ACLU moved to quash the subpoena, which was issued on November 20. Judge Jed Rakoff has put aspects of the dispute under seal, but the civil liberties group said he agreed yesterday to make the subpoena and some of the legal filings public.

More here.

USGS Scientists Concerned About Being Muzzled

An AP newswire article by John Heilprin, via MSNBC, reports that:

The Bush administration is clamping down on scientists at the U.S. Geological Survey, the latest agency subjected to controls on research that might go against official policy.

New rules require screening of all facts and interpretations by agency scientists who study everything from caribou mating to global warming. The rules apply to all scientific papers and other public documents, even minor reports or prepared talks, according to documents obtained by The Associated Press.

Top officials at the Interior Department’s scientific arm say the rules only standardize what scientists must do to ensure the quality of their work and give a heads-up to the agency’s public relations staff.

More here.

Sounds like bullshit to me, given that this has also occurred to NOAA scientists who have spoken out on global warming, etc.

Personal Info of 6,000 at Risk in U.T. Dallas Hack

An AP newswire article, via Yahoo! News, reports that:

Hackers might have obtained the personal information of 6,000 people who worked for, applied to or attended the University of Texas at Dallas, school officials said Wednesday.

The information includes names and Social Security numbers, the school said. In some cases, addresses, e-mail addresses and telephone numbers also might have been obtained.

There is no indication that the information has been distributed or used, school officials said.

The information suspected of being exposed belongs to staff and faculty members employed from January 1999 through August 2005, and to students and faculty members of the Erik Jonsson School of Engineering and Computer Science. Applicants to the Jonsson school dating to 1993 also were affected.

The school discovered the intrusion Sunday, officials said. The university has been contacting affected people.

More here.

Severe Space Storm Headed for Earth

This ultraviolet view from the Solar and Heliospheric Observatory shows a flare bursting from sunspot 930 on the sun. The sunspot unleashed an X-3 flare on Wednesday, sending a radiation storm toward Earth.
Image source: MSNBC / SOHO via AFP / Getty Images

A article by Robert Roy Britt, via MSNBC, reports that:

Space weather forecasters revised their predictions for storminess after a major solar flare erupted overnight, threatening damage to communication systems and power grids.

"We're looking for very strong, severe geomagnetic storming" to begin probably around midday Thursday, Joe Kunches, lead forecaster at the NOAA Space Environment Center, told Wednesday afternoon.

The storm is expected to generate aurorae or northern lights as far south as the northern United States on Thursday night. Astronauts aboard the international space station are not expected to be put at additional risk, Kunches said.

Radio communications, satellites and power grids could face potential interruptions or damage, however.

More here.

Some background here and here.

User Friendly: Sparkly Blue Lights


Click for larger image.

Computers 'Could Store Your Entire Life by 2026'

Nic Fleming writes on The

A device the size of a sugar cube will be able to record and store high resolution video footage of every second of a human life within two decades, experts said yesterday.

Researchers said governments and societies must urgently debate the implications of the huge increases in computing power and the growing mass of information being collected on individuals.

Some fear that the advent of "human black boxes" combined with the extension of medical, financial and other digital records will lead to loss of privacy and a dramatic expansion of the nanny state.

More here.

Quote of the Day: David Pogue

"So after five years, how is Windows Vista? Microsoft's description, which you will soon be seeing in millions of dollars' worth of advertising, is 'Clear, Confident, Connected.' But a more truthful motto would be 'Looks, Locks, Lacks.'"

- David Pogue, in an article in The International Herald Tribune.

'Give Back to Those Who Give It All'

"I'll be home for Christmas, if only in my dreams..."
Image source: / John Moore / AP


Beginning this holiday season and continuing throughout 2007, the Military Channel and will spotlight a different military-focused charity through monthly on-air and online promotions.

United under one banner, will serve as a portal to all charities in the program, and provide the tools people need to make a difference in the military community.

More here.

(Props, Defense Tech.)

TSA Approves Scanner That Will Let Fliers Who Pay Keep Their Shoes On

Laura Meckler writes in The Wall Street Journal:

The U.S. government approved new technology that will automatically scan shoes and boots for bombs, and promises that travelers will soon be spared the trouble of scurrying through security in their socks.

But the new machines will be available only to travelers who pay to join a special program, at least at first.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Wednesday, Dec. 13, 2006, at least 2,939 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,357 died as a result of hostile action, according to the military's numbers.

The AP count is six higher than the Defense Department's tally, last updated Wednesday at 10 a.m. EST.

More here.

And as always, keeps a very, very extensive list here, as does the Iraq Coalition Casuality Count website here.

Internet2 and National LambdaRail Not Merging Any Time Soon

Nate Anderson writes on ARS Technica:

Why won't the nation's two main operators of high-speed academic networks get together? According to Polley Ann McClure, a VP for Information Technologies at Cornell, the problem isn't a technical one. McClure advised both Internet2 and National LambdaRail as they held discussions about merging, but the talks now appear scuttled, something McClure attributes to personalities and poor management.

Many large academic institutions in the US belong to a private, high-speed network. Both the Internet2 consortium (which just celebrated its 10th anniversary) and National LambdaRail (which Internet2 helped to start) provide access to such networks, which are generally used for scientific and medical applications, along with network research. Internet2 has leased its network from Qwest (though this is currently changing), while NLR controlled its own fiber. Dealing with two separate groups required more work for administrators and researchers, though, so there was relief when Internet2 and NLR announced that they were in merger talks.

Those talks stalled earlier this year over unspecified "governance issues," according to the Chronicle of Higher Education. Now the talking has broken off completely.

More here.

Shocker: California Voters Don't Trust Politicians To Design Election System


According to a new political survey from San Jose State University, voters are fed up with the current election system and they want change, which could mean good news for Gov. Arnold Schwarzenegger.

The poll, involving 600 active voters statewide, found that California voters don't trust politicians to design their own election system, NBC11's Mike Luery reported.

"We haven't had a single seat in the legislature change parties in the last four years, out of 200 district elections," said David Lesher of the New American Foundation.

More here.

European Citizens Have More Privacy Rights in U.S. Tracking System Than U.S. Citizens

Ryan Singel writes on 27B Stroke 6:

There's been a long-standing and typically European bureaucratic battle between the United States and the European Union over having airline passenger records sent from flights originating in E.U. countries that are headed to the United States. It's mostly crap that revolves around the Europeans having a stricter data protection law that they never enforce, but like to pretend is better than U.S. rules.

But they did strike a deal that gives E.U. citizens some measures of protection and limitations that U.S. citizens do not enjoy when it comes to the Automated Targeting System. (I won't bore you with the details of the negotiations, but the most recent agreement simply continues the original 2004 agreement.)

In short, U.S. Customs and Border Patrol get fewer fields of data on E.U. citizens, can't get at data that could show ethnicity, racial origin, health problems, political affiliation or union membership, can't share the data very widely with other law enforcement and intelligence agencies, and must destroy the data in years rather than four decades.

DHS spokesman Jarrod Agen declined to comment on why that E.U. citizens have significantly higher data protection rights than U.S. persons, since he disagreed with the characterization.

More here.

Local: Authorities Looking for Suspect Pointing Laser at Approaching Aircraft in San Jose

Connie Skipitares writes in The Mercury News:

Someone is shining lasers at jetliners as they approach Mineta San Jose International Airport, and local and federal authorities want to know who it is.

"I would say it's somebody who's just playing around, but this is still serious," said Santa Clara County Sheriff's spokesman Deputy Serg Palanov.

The sheriff's department is joining the Federal Aviation Administration in investigating incidents involving someone in the area of Highways 85 and 87 shining a green laser at airliner cockpits as planes approach landing. Officials do not view the incidents as acts of terrorism, Palanov said.

The latest incident was Monday night about 7 p.m. Over a span of one to two hours, four or five airliners reported a light shining into their cockpits, Palanov said. Pilots were able to land planes without a problem.

More here.

Nessus Vulnerability Scanner Gets SCADA Hooks

Robert Lemos writes on SecurityFocus:

Tenable Network Security released on Tuesday 32 plugins to allow its free--but no longer open-source--Nessus vulnerability scanner the ability to search for flaws in common supervisory control and data acquisition (SCADA) systems.

The plugins allow systems administrators to scan the computer systems that run critical infrastructure, such as power networks and water-treatment facilities, for vulnerabilities. The updates, which can be used with Nessus 3, are the fruit of a four-month partnership between Tenable and infrastructure security firm Digital Bond.

More here.

Demand For Elmo Doll Downs Wal-Mart Site

Antone Gonsalves writes on InformationWeek:

Wal-Mart Stores' online shopping site suffered a brief outage Wednesday when an unexpectedly high number of anxious Christmas shoppers flocked to the site looking for the hard-to-find Elmo T.M.X. doll.

The retail company didn't disclose details, but said in an e-mail that experienced an "incredibly high traffic volume" when the doll went on sale. It was sold out within a matter of minutes.

"This higher-than-expected traffic spike caused a brief site outage," Wal-Mart spokeswoman Amy Colella said.

Wal-Mart apologized to customers for the inconvenience and said it had corrected the problem to avoid a similar outage in the future. The hugely popular Elmo T.M.X would be available again at various times Thursday and Friday, Wal-Mart said.

More here.

This is the second time in less than a month that Wal-Mart's website has been "overwhelmed by traffic" -- also happened on Black Friday.

U.S. Senators Propose Repeal of National ID Card Law

Via The Center for Democracy and Technology (CDT).

A pair of Senators last week proposed legislation to repeal a controversial law mandating the creation of a national identification card. Senators Daniel Akaka (D-Hawaii) and John Sununu (R-N.H.) proposed the bill on the last day before the 109th Congress adjourned for good, but are likely to reintroduce it in 2007.

The Real ID Act -- approved in 2005 without hearings or debate -- was intended to standardize state drivers' licenses and create a national network of databases of personal information. Since then, it has become increasingly apparent that REAL ID is so fraught with privacy and security concerns that it requires fundamental reevaluation.

CDT supports the bill and urges Sens. Akaka and Sununu to reintroduce it in the 110th Congress.

More here.

Perhaps this is also a good time to mention

Defense Tech: U.S. Air Force Closer to 'On-Demand' Satellites

Via UPI.

Raytheon delivered the first payload for a satellite series that can be custom built for the U.S. Air Force for specific missions within less than a week.

The rapid-development space-optical payload produced for the Air Force Research Laboratory is part of ARTEMIS, a $14 million program that is developing an experimental payload for detection of enemy troop positions and equipment in a world trouble spot.

The ARTEMIS -- it stands for "Advanced Responsive Tactically Effective Military Imaging Spectrometer" -- payloads would be kept at the ready so they can be quickly assembled to the particular mission specs and then moved quickly to the launch site.

More here.

U.S. Military Remains on Heightened Cyber Alert

Via UPI.

The U.S. military remains on heightened cyber-alert as the holiday season approaches, following at least one intrusion by suspected Chinese military hackers.

The Joint Task Force for Global Network Operations, a part of U.S. Strategic Command, raised the U.S. military's global cyber-alert level, or "Information Condition," from InfoCon 5 to InfoCon 4 on Nov. 17, and had no plans to lower it, Strategic Command Spokeswoman Capt. Caroline Wellman told United Press International.

"We don't discuss specific details of InfoCon levels, nor why they are raised or lowered," Wellman said, adding only that they were adjusted from time to time, in part "depending upon world-wide social and political events and activities."

The heightened alert came the day after the decision of the Navy Cyber Defense Operations Command to take the computer network at the Naval War College in Newport, R.I., offline following an intrusion.

More here.

U.S. Navy Chooses Struggling BearingPoint for Network Transition

Paul McDougall writes on InformationWeek:

Troubled consulting and systems integration firm BearingPoint says it has won a contract to help the United States Navy move some of its technical operations onto a service-wide intranet.

Under the one-year, $5.9 million deal, BearingPoint will move the Navy's Network Warfare Command and U.S. Fleet Forces Command on to the Navy Marine Corp Intranet, a massive data network that was built by Electronic Data Systems at a cost of more than $6 billion.

More here.

Russian Expert: Terrorists May Try Cyberattacks

Jeremy Kirk writes on ComputerWorld:

A Russian computer security expert predicts that terrorists could seek to target the country's critical infrastructure through electronic warfare, a strategy that could raise the stakes in how Russia handles computer crime.

While terrorists aren't believed to currently have the know-how to disrupt critical infrastructure, it would be "very dangerous" if they start learning, said Valery Vasenin, head of the Computer Security Department at the Institute for Information Security Problems (IISP) at Moscow State University.

Russian's energy grid is a possible target, which could cause widespread blackouts. The air transportation or fuel distribution systems are other possible targets, Vasenin said.

More here.

'Logic Bomb' Saboteur Sentenced to 8 Years

An AP newswire article, via Yahoo! News, reports that:

A former UBS PaineWebber systems administrator was sentenced Wednesday to eight years and one month in prison for attempting to profit by detonating a "logic bomb" program that prosecutors said caused millions of dollars in damage to the brokerage's computer network in 2002.

Roger Duronio also was ordered to pay $3.1 million in restitution to his former employer, now known as UBS Financial Services Inc., part of the Swiss banking company UBS AG.

Duronio, 64, of Bogota was put under house arrest by U.S. District Judge Joseph A. Greenaway Jr. until he is assigned to a prison. He had been free on $1 million bond.

The term was the maximum under sentencing guidelines, which pleased U.S. Attorney Christopher J. Christie.

More here.

U.S. Warns of Threat to Satellites - UPDATE

An AP newswire article, via USA Today, reports that:

The Bush administration warned Wednesday against threats by terrorist groups and other nations against U.S. commercial and military satellites, and discounted the need for a treaty aimed at preventing an arms race in space.

Undersecretary of State Robert G. Joseph also reasserted U.S. policy that it has a right to use force against hostile nations or terror groups that might try to attack American satellites or ground installations that support space programs. President Bush adopted a new U.S. space policy earlier this year.

More here.

UPDATE 12/13 15:05: Defense Tech has some interesting tidbits on this here.

Happy 370th Birthday, U.S. National Guard


What is a few years younger than the Mayflower Compact (1620); a lot older than the Declaration of Independence (1776) and U.S. Constitution (1787); predates the U.S. Army, Navy and Marine Corps by 139 years; and is 311 years older than the Air Force?

Answer: The National Guard.

Known originally as the militia, the National Guard turns 370 years young today.

It all started in 1636 when the General Court of the Massachusetts Bay Colony, which functioned as the colony's legislature, ordered existing militia companies from the towns surrounding Boston to form into three regiments: North, South and East.

More here.

Citizen Groups Cry Foul Over FCC Vote

Roy Mark writes on

Five consumer and public-interest groups wrote the Federal Communications Commission (FCC) Tuesday opposing Commissioner Robert McDowell's participation in the AT&T-BellSouth merger vote expected this month.

McDowell, a former lobbyist for a trade group opposed to the $80 million merger, recused himself from the vote in order to avoid the appearance of a conflict of interest. But at Chairman Kevin Martin's request, the agency's lawyers have cleared McDowell to vote.

The Consumers Union, Consumer Federation of America, Free Press, Public Knowledge and U.S. PIRG said in their letter that Martin's attempt to reverse McDowell's recusal "is a violation of the public trust, sacrificing a valid process of good-faith negotiations among participating commissioners for political expediency and the convenience of the merging parties."

The groups said they wrote the letter because the FCC asked AT&T and BellSouth for their views on McDowell's participation but did not ask for public input. Both AT&T and BellSouth said they are not opposed to McDowell's participation.

More here.

66% Think U.S. Spies on Its Citizens

Dan Eggen writes in The Washington Post:

Two-thirds of Americans believe that the FBI and other federal agencies are intruding on privacy rights as part of terrorism investigations, but they remain divided over whether such tactics are justified, according to a Washington Post-ABC News poll released yesterday.

The poll also showed that 52 percent of respondents favor congressional hearings on how the Bush administration has handled surveillance, detainees and other terrorism-related issues, compared with 45 percent who are opposed. That question was posed to half of the poll's 1,005-person random sample.

Overall, the poll -- which includes questions that have been asked since 2002 and 2003 -- showed a continued skepticism about whether the government is adequately protecting privacy rights as it conducts terrorism-related investigations.

More here.

Personal Data of 380,000 at Risk in Boeing Laptop Theft

An AP newswire article, via Yahoo! News, reports that:

A Boeing Co. laptop containing the names and Social Security numbers of 382,000 workers and retirees has been stolen, putting the employees at risk for identity theft and credit-card fraud.

The theft, which was confirmed Tuesday, was the third such incident at Boeing in just over a year.

Files on the computer also contained home addresses, phone numbers and birth dates. Some of the files listed salary information.

The laptop was stolen earlier this month when an employee left it unattended, [Boeing spokesman Tim] Neale said. He would not reveal where the theft happened, but said no proprietary, customer or supplier data were on the computer.

The computer was turned off when it was stolen and a password is needed to log onto the desktop, Neale said Wednesday.

More here.

Tuesday, December 12, 2006

Skype’s Free Phone Call Plan Will Soon Have Annual Fee

Matt Richtel writes in The News York Times:

Skype, the Internet calling service owned by eBay, said Tuesday that as of Jan. 1 it would begin charging $30 a year for unlimited calls to landline and mobile phones within the United States and Canada. Those calls had been free since last spring.

The new annual fee for unlimited calling, while still nominal compared with other Internet calling plans, is part of a broader strategy by eBay to expand Skype’s product offerings and revenue.

More here.

Microsoft Patches 133 Critical and Important Vulnerabilities in 2006

Image source: McAfee Avert Labs

Monty Ijzerman writes on the McAfee Avert Labs Blog:

The top graph shows that Microsoft almost hit one hundred critical vulnerabilities for 2006.

The year is not over and Microsoft may provide out-of-cycle patches for the current 0-Day Word vulnerabilities.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Tuesday, Dec. 12, 2006, at least 2,939 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,357 died as a result of hostile action, according to the military's numbers.

The AP count is six higher than the Defense Department's tally, last updated Tuesday at 10 a.m. EST.

More here.

And as always, keeps a very, very extensive list here, as does the Iraq Coalition Casuality Count website here.

UK: Baby DNA Idea Sparks New Concerns

Via The BBC.

Civil liberties campaigners have expressed concerns over a senior policeman's idea that taking DNA from babies could help solve crimes.

Commander Dave Johnston, giving a personal point of view, said that samples could also be taken from people renewing passports and from migrants.

However, human rights group Liberty has warned of turning Britain into a "nation of suspects".

The UK's DNA database currently has just over 3.6 million samples in it [...or 5% of the entire UK population. - ferg].

Commander Johnston said that he thought extending the amount of DNA being held would also help prevent crime.

More here.

The Pirate Bay Bans Swedish ISP In Protest Move

Scott Gilbertson writes on Monkey Bites:

Swedish website The Pirate Bay (TPB) has decided to block the Swedish ISP Perspektiv Broadband’s users from accessing the TPB’s website. The move comes in response to ISP Perspektiv’s decision to block its users from accessing the Russian website,

One interesting thing to note is that the allofmp3 is legal under Swedish law. There is no legal reason for Perspektiv to block traffic to allofmp3, rather the broadband provider elected to do so, according the The Pirate Bay, after meeting with Swedish and Danish anti-piracy organizations.

The Pirate Bay claims that Perspektiv Bredband “clearly states in their press release that it is a moral and not legal standpoint.” I can’t read Swedish, so I can’t confirm that Perspektiv did in fact say that, but either way, given that is not illegal in Sweden, Perspektiv’s move to block the site is a bit odd at the least.

More here.

Defense Tech: UK Signs Deal on Joint Strike Fighter

Rupert Cornwell writes on The Independent (UK):

Britain has signed up for the next phase of the US-led Joint Strike Fighter programme, after settling a dispute over technology transfers and gaining what it says will be "complete operational sovereignty" over the 150 aircraft it plans to buy.

The deal came days before the JSF, or F-35, is to make its maiden flight in Texas - the next step in the Pentagon's biggest ever procurement programme, with an estimated total price of $275bn (£140bn). Britain has put over £600m into the demonstration and development phase. Yesterday's move means it will be committing a further £34m to the initial production of the stealth multi-role plane.

More here.

Texas Legislature to Consider Shield Law for Reporters

An AP newswire article, via News 8 Austin, reports that:

Journalists in Texas would get some protection against being forced to reveal confidential sources under a bill to create a shield law.

The so-called Free Flow of Information Act, or HB 382, was filed Tuesday in Austin by Rep. Aaron Pena, D-Edinburg.

The plan would allow judges and prosecutors to require reporters to reveal privileged information only in certain circumstances.

The Texas House Judiciary Committee has scheduled a hearing for Wednesday.

Thirty-one states and the District of Columbia have shield laws.

More here.

The Keyser Söze of Phishing: Rock Phish

Robert McMillan writes on InfoWorld:

The first thing you need to know about Rock Phish is that nobody knows exactly who, or what, they are.

Wikipedia defines the Rock Phish Kit as "a popular tool designed to help nontechnical people create and carry out phishing attacks," but according to security experts, that definition is not correct. They say that Rock Phish is actually a person, or perhaps a group of people, who are behind as much as one-half of the phishing attacks being carried out these days.

No one can say for sure where Rock Phish is based, or if the group operates out of a single country.

More here.

AT&T Still Investigating DSLAM Explosion

Phil Harvey writes on Light Reading:

AT&T Inc. is still searching for the real killer of its Houston DSLAM cabinet, which exploded back in late October, flattening an old man's fence and sending shrapnel hurtling as far away as 50 feet down the street.

The spokesman says AT&T has assembled a strong forensic team and is working with "one of the world's top independent technical analysis firms" to gather evidence and probe the mysterious circumstances surrounding its broadband flambé. He adds that tests are time consuming and the company can't talk about the details of the investigation while it's ongoing.

More here.

Identify Information of 130,000 Aetna Customers at Risk

Anthony Gottschlich writes in The Dayton Daily News:

A lockbox holding personal information on approximately 130,000 Aetna health insurance members was stolen Oct. 26 when thieves broke into an office building occupied by an Aetna vendor, Aetna officials said Tuesday.

The lockbox, housed by Naperville, Ill.-based Concentra Preferred Systems, contained computer backup tapes of medical claim data for Aetna and several other Concentra health plan clients, Aetna spokeswoman Cynthia Michener said.

More here.

Also, this is not the first time that Aetna has been in the news on this topic. Background here.

(Props, Pogo Was Right.)

U.S. Indicts 21 Over Romanian-Based Internet Fraud

Via Reuters.

U.S. officials on Tuesday announced the indictment of 21 people accused of bilking eBay bidders out of $5 million through an Internet fraud scheme that originated in Romania.

The operation contacted people who had unsuccessfully bid on items for sale on the online auction site, telling them they had a second chance to obtain the items if they wired money to addresses in the Chicago area where the seller's agent would complete the transaction.

The money was divided between operatives in the United States and Romania and the buyers got nothing in return.

More here.

Local: Former USF Dean Pleads Guilty In Child Porn Case


A former dean of education at the University of San Francisco pleaded guilty in federal court Tuesday to a count of possessing child pornography obtained on the Internet.

William Garner, 66, is expected to be sentenced to five years and three months in prison under a plea agreement.

U.S. District Judge Vaughn Walker, who accepted the guilty plea, will sentence him in San Francisco on March 27. The plea agreement also calls for restitution of $50,000 payable to the San Francisco Child Abuse Prevention Center.

More here.

The Secret List of ID Theft Victims

Bob Sullivan writes on MSNBC:

Linda Trevino, who lives in a Chicago suburb, applied for a job in 2004 at a local Target department store, and was denied. The reason? She already worked there — or rather, her Social Security number already worked there.

Follow-up investigation revealed the same Social Security number had been used to obtain work at 37 other employers, mostly by illegal immigrants trying to satisfy government requirements to get a job.

Trevino is hardly alone. research and government reports suggest hundreds of thousands of American citizens are in the same spot — unknowingly lending their identity to illegal immigrants so they can work. And while several government agencies and private corporations sometimes know whose Social Security numbers are being ripped off, they don't notify the victims — at least not until they come after them for back taxes or unpaid loans owed by the imposter.

More here.

New Zealand Teen Defrauds Bank Customers

Lane Nichols writes on

A New Zealand teenager who was sent on a computer training course as part of a police rehabilitation program has admitted to hacking into internet banking accounts and stealing nearly $NZ50,000

The 16-year-old from Upper Hutt appeared in court yesterday facing 26 fraud charges over hacking incidents that took place in August and September.

Police say he posted a computer virus on an internet message board and used it to capture details from people's personal computers.

Customers of Westpac, ANZ and ASB were all hit. The biggest transaction involved $US6323, but the banks agreed to reimburse the losses.

More here.

(Props, paperghost.)

$9B Navy Computer System: Behind Schedule and Performing Poorly

Via UPI.

A new GAO report says a 10-year, $9.3 billion computer information system created for the Navy and Marine Corps is behind schedule and performing poorly.

Through the Navy Marine Corps Intranet (NMCI) the Navy is buying network, application and hardware and software at a fixed price per unit for 550 sites from Electronic Data Systems.

After more than six years and $3.7 billion spent, the system is still not fully deployed. The initial plan laid out in October 2000 called for 412,000 "seats" operational by 2004. But by 2006, there were just 303,000 seats set up at 550 sites.

Those systems that are in place are not fully functional, according to the Government Accountability Office.

More here.

Patch Tuesday: Microsoft's Monthly Patch Release Plugs 11 Security Holes - UPDATE

Brian Krebs writes on Security Fix:

Microsoft Corp. today released software updates to fix at least 11 security holes in various versions of its Windows operating system and other products. Windows users can download the free updates manually from Microsoft Update or via Automatic Updates.

This month's patch batch includes an unscheduled update to remedy two vulnerabilities in Windows Media Player that criminals could use to install software on Windows PCs just by convincing users to open a specially crafted Windows Media Player file. Microsoft added this update at the last minute, not long after "proof-of-concept" code demonstrating how to exploit the flaw was posted online.

Another update fixes four separate security holes in Internet Explorer that an attacker could use to break into or steal data from affected PCs just by coaxing the user into visiting a Web site or opening an e-mail designed to take advantage of the flaw.

More here.

UPDATE 12/12 12:49: The SANS ISC folks have a great wrap-up here.

Four Million UK Users Hit by ID Theft

Iain Thomson writes on

Figures released by Sainsbury's Bank have shown that 4.1 million Britons have fallen victim to identity theft.

The research, carried out by Taylor Nelson Sofres, polled over 1,000 UK residents and found that nine per cent claimed to have had their identity stolen at some point.

The average cost of the theft was £3,039, and six per cent claimed to have lost more than £10,000.

More here.

UK: Tesco in Customer Receipt Security Breach

John Leyden writes on The Register:

An administrative blunder left thousands of customers of UK supermarket chain Tesco open to identity fraud.

Store receipts - containing names and full credit card details - have been found carelessly discarded in a south-east England depot where they'd been taken to be destroyed. The haul would have made a big payday for bin raiding crooks, who might have been able to use the information to complete fraudulent transactions.

The papers were taken to the Christian Salvesen recycling depot in plastic carrier bags - instead of secure containers - and left unattended, The Sun reports.

More here.

Phishing Scams Soared in October

Brian Krebs writes on Security Fix:

The number of phishing Web sites set up to impersonate banks and steal people's financial and personal data skyrocketed in October to 37,444, the highest on record, according to stats released this week.

The Anti-Phishing Working Group reports [.pdf] that 52 percent more phishing sites were recorded on the Internet than a month earlier and nine times as many as were spotted in October 2005. The steep increase coincides with a massive spike in the volume of spam circulating on the Internet.

More here.

Picture of the Day: FSM Nativity

Via Church of the Flying Spaghetti Monster.


Qualcomm Loses Patent Infringement Ruling by Trade Panel

A Bloomberg News article, via The New York Times, reports that:

Qualcomm, a maker of cellphone chips, is infringing a Broadcom Corporation patent on a way to conserve handset battery power, a United States trade panel has found, upholding an administrative judge’s earlier finding.

The United States International Trade Commission will decide on a remedy by Feb. 9 for Qualcomm’s use of the technology without permission, Broadcom, a maker of chips for consumer electronic devices, said in a statement yesterday.

More here.

Hacker Attack at UCLA Affects 800,000 People

An AP newswire article, via CNN, reports that:

Officials at the University of California Los Angeles alerted about 800,000 current and former students, faculty and staff on Tuesday that their names and certain personal information were exposed after a hacker broke into a campus computer system.

The attacks on the database began in October 2005 and ended November 21 of this year, when computer security technicians noticed suspicious database queries, according to a news release posted on a school Web site set up to answer questions about the theft.

Acting Chancellor Norman Abrams said in a letter to those affected, posted on the site, that while the database includes Social Security numbers, home addresses and birth dates, there is no evidence any data have been misused.

More here.

Monday, December 11, 2006

Hackers For Hire

Amanda Bower writes on

Jim Stickley and his accomplice, Dayle Alsbury, adjust their fake fire-inspector uniforms, then saunter into a brown brick credit-union building. Their walkie-talkies are blaring with a recorded dispatcher's voice, downloaded from the Internet and transmitted from their getaway car.

After they flash their homemade badges, the two men are waved behind the tellers' counters and into the inner sanctum of the credit union. Within just half an hour, they have gained access to the entire computer network, security system and customer data--unbeknownst to any employee on the premises.

Thankfully, they're not genuine bad guys.

More here.

Offbeat: A Charlie Brown Christmas — The Alternate Ending

Via 10 Zen Monkeys.

Charlie Brown:
"I guess you were right, Linus. I shouldn’t have picked this little tree... isn’t there anyone who knows what Christmas is all about?"

Linus: "When we were babies, our parents made a conscious decision to deceive us. They created a bunch of fairy tales like Santa Claus and baby Jesus to give us kids false hope, and to comfort themselves as they approached death. And Linus is just getting warmed up. It’s all a bunch of bullshit. When we die, our bodies lie rotting in the earth, and worms and bugs eat at our remains, and shit us out into little bits of nothing."


States Side with SF Chronicle Reporters on Protecting Sources

An AP newswire article, via, reports that:

Two dozen states filed a brief on behalf of two San Francisco Chronicle reporters, telling a federal appeals court that public interest demands the recognition of a journalist's right to protect confidential sources.

In papers filed with the 9th U.S. Circuit Court of Appeals on Thursday, the states, led by New York, challenged a federal judge's order to imprison the reporters who refused to testify about who leaked them secret grand jury testimony of Barry Bonds and other athletes.

Most all of the two dozen states have some type of media shield law. They urged the court to adopt a reporter's privilege in federal court, where one does not exist.

More here.

ID Theft Tech: Credit Monitoring Services Ineffective?

Well, so much for credit monitoring services...

Eric Dash writes in The News York Times:

Melody Millett was shocked when her car loan company asked her if she was the wife of Abundio Perez, who had applied for 26 credit cards, financed several cars and taken out a home mortgage using a Social Security number belonging to her actual husband.

Beyond her shock, Mrs. Millett was angry. Five months earlier, the Milletts had subscribed to a $79.99-a-year service from Equifax, a big financial data warehouse, that promised to monitor any access to her credit records. But it never reported the credit activity that might have signaled that they were victims of identity theft.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Monday, Dec. 11, 2006, at least 2,934 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,357 died as a result of hostile action, according to the military's numbers.

The AP count is eight higher than the Defense Department's tally, last updated Monday at 10 a.m. EST.

More here.

And as always, keeps a very, very extensive list here, as does the Iraq Coalition Casuality Count website here.

Berkeley: 1st U.S. City To Regulate Nanotechnology


The use of subatomic materials as microscopic building blocks for thousands of consumer products has turned into a big business so quickly that few are monitoring the so-called nanotechnology's effects on health and the environment.

So Berkeley intends to be the first city to step into the breach and attempt to regulate the nascent but fast-growing industry.

The City Council is expected Tuesday to amend its hazardous materials law to compel researchers and manufacturers to report what nanotechnology materials they are working with and how they are handling the tiny particles.

More here.

Sources: Cisco Rejects Optical Bids

Craig Matsumoto writes on Light Reading:

Cisco Systems Inc. isn't that anxious to drop out of the optical networking business. Two Light Reading sources say Cisco has turned down, in recent months, two possible buyers for the networking giant's optical portfolio.

One Silicon Valley source went further, saying Cisco thought the offers were too low. Cisco says it doesn't comment on rumors and speculation.

Layoffs, restructuring, and shuffled execs have led many to believe optical networking is becoming a second-class citizen at Cisco. Some believe the company isn't heavily promoting its DWDM boxes and multiservice provisioning platforms, instead focusing its optical energy on IP-over-DWDM.

More here.

New Google VP Busted Kevin Mitnick Back in the Day

Kevin Poulsen writes on 27B Stroke 6:

Google's new vice president and general counsel is no stranger to search. As a federal prosecutor in 1995, he oversaw the manhunt that tracked down then-fugitive hacker Kevin Mitnick.

Kent Walker has served as deputy general counsel of eBay, and associate general counsel at Netscape, among other Silicon Valley posts.

But if you set the way-back machine for 1995, you'll find him an assistant U.S. attorney in San Francisco specializing in cybercrime. He issued the subpoenas that helped federal agents, and Tsutomu Shimomura, trail Mitnick to his North Carolina hideout.

More here.

User Friendly: The Yugo of Operating Systems


Click for larger image.

Kaspersky Predicts Vista Security Holes

Tom Espiner writes on ZDNet Australia:

Antivirus experts from Kaspersky Labs have predicted that 90 percent of current malware will run on Microsoft's latest operating system, Windows Vista.

Although at the moment Vista appears to be more secure than previous Windows operating systems, Kaspersky researchers warned last week that as Vista becomes more popular, it will increasingly become a target for hackers.

"We're not asking whether vulnerabilities will be found, but when," said Alexander Gostev, principal antivirus researcher for Kaspersky.

More here.