Saturday, January 20, 2007

Hackers Attack Gorbachev's Website

An AP newswire article, via The Boston Globe, reports that:

Hackers attacked the Web site of a foundation run by former Soviet leader Mikhail Gorbachev, accusing him of brutally suppressing a pro-independence demonstration in Soviet Azerbaijan in 1990.

The perpetrators posted photographs of the suppressed rally on the Web site and published an open letter to the former leader, blaming him for the deaths of more 130 people — a tragedy known in Azerbaijan as the Black January.

The site was down by Saturday afternoon.

More here.

Friday, January 19, 2007

Credit Card Data, A Hack, And A Rush To Contain The Damage

Larry Greenemeier writes on InformationWeek:

TJX was refreshingly forthcoming about last month's computer hack, but the company's troubles may be just beginning as it works with investigators to sort out what happened. The retailer could face penalties under Visa's and MasterCard's Payment Card Industry data security standard, which stipulates that cardholder information must be protected.

Given TJX's size--its assets include 826 T.J. Maxx, 751 Marshalls, and 271 HomeGoods locations--the security breach into the portion of its computer network handling credit card, debit card, check, and merchandise return transactions is proportionately worrisome. The company knows some customer information was stolen but admitted in a statement that the extent of the theft is unknown.

More here.

Local: Wireless Silicon Valley Project Getting Closer to Roll-Out?

Sarah Jane Tribble writes in The Mercury News:

When IBM's Brent Grotz gets asked how soon Silicon Valley's much-anticipated wireless network will be built, the project leader holds up his hands as if to fend off more questions.

He doesn't want to be rushed.

"It's like building a house,'' Grotz said while speaking Friday at a national Wireless Communications Association meeting in San Jose. "You have to get the foundation down right and if you don't get that right then walls will fall down on you.''

Once completed, the network will span 40 cities in four counties and give residents free access to the Internet from their laptop computers or other portable devices. The network is being built to work outside but may work inside some homes close to the wireless access points. Internet access at higher speeds would be available for a fee.

Since Silicon Valley leaders picked IBM and Cisco Systems in September as part of a team that will build the network, few details have been released about how the nuts and bolts of the foundation will be built. Leaders from the 40 participating cities and the technology team, which also includes Azulstar and non-profit SeaKay, have been hashing out a model agreement in closed-door meetings.

More here.

Picture of the Day: The U.S. Constitution

Click for larger image.


"We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America."

Full text can be found here.

It's not just a piece of paper. And that goes for you, too.

Toon: Meet the New Ma Bell

Image source: Gizmodo


University of Texas at Dallas Network Breach Worse Than First Thought

Holly K. Hacker writes on WFAA.com:

A computer attack at the University of Texas at Dallas was worse than officials first thought.

They now say Social Security numbers and other personal information may have been exposed for up to 35,000 faculty, current and former students, staff and others, putting them at risk of identify theft.

More here.

(Props, Pogo Was Right.)

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Friday, Jan. 19, 2007, at least 3,030 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,434 died as a result of hostile action, according to the military's numbers.

The AP count is 11 higher than the Defense Department's tally, last updated Friday at 10 a.m. EST.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Hackers Steal $35K From Customers of Federal Savings Plan

Linda Rosencrance writes on ComputerWorld:

Hackers stole $35,000 from two dozen users of the Thrift Savings Plan (TSP), a retirement savings and investment plan for federal employees.

In late December, the computers of several TSP participants were infected with keylogging software that allowed criminals to record all keystrokes made by participants without their knowledge. The hackers also retrieved the customers' TSP personal identification number and other account information, according to a statement on the TSP Web site. However, the TSP's system was not breached, the company said.

More here.

U.S. Lawmaker Demands Answers from DoJ Over FBI Leak Probe

Josh Gerstein writes in The New York Sun:

The ranking member of a House committee is demanding answers from the Justice Department about recent reports in The New York Sun that intelligence agencies failed to cooperate with FBI investigations into leaks of classified material and that the FBI's files on some leak probes have disappeared.

The top Republican on the House Committee on Oversight and Government Reform, Rep. Thomas Davis of Virginia, said he was troubled by the Sun's report last week that FBI documents showed at least three leak investigations appeared to have been closed after case agents repeatedly complained about a lack of cooperation from the "victim agency."

More here.

NY Court: FBI May Have Coerced Filmmaker - UPDATE

Robert Loblaw writes on the Decision of the Day Blog:

This Second Circuit appeal involves a modern-day "War of the Worlds" - an online video depicting plans for a military takeover of Times Square. But Michael Zieper’s video isn’t nearly as well-known, perhaps because the government’s strong-arm tactics convinced his internet host to disable access to the video due to fears that it might incite a riot.

Zieper and his internet host sued, alleging among other things that an FBI Counter-Terrorism agent and an Assistant U.S. Attorney violated their First Amendment rights by coercing them to take down the video.

More here.

Update: 17:45 PST: More details here.

Lawsuits, Questions Follow NSA Surveillance Approval

K.C. Jones writes on InformationWeek:

If Americans were illegally spied on, the federal government's recent revelation that it has gained court approval for the National Security Agency's (NSA) terrorist surveillance program doesn't undo the harm.

Several lawsuits claiming the government broke laws by investigating people without warrants are continuing to wind their way through courts throughout the country. The details of the approval have not been released. U.S. leaders are citing security reasons for not providing information about standards for deciding whether to investigate someone -- then or now.

At least one group involved in one of the lawsuits targeting the NSA said that many questions remain.

More here.

Microsoft Case Lawyers Claim Violation

An AP newswire article by David Pitt, via The Washington Post, reports that:

The plaintiffs in Iowa's class-action antitrust lawsuit against Microsoft Corp. claim they have uncovered information that indicates the software company is violating its 2002 agreement with the U.S. Department of Justice.

The alleged misconduct surrounds Microsoft's duty to share software hooks known as application programming interfaces, or APIs, which let disparate programs work together. The Iowa plaintiffs' attorneys have alleged that Microsoft has not disclosed certain APIs to other software developers who want to make programs compatible with Microsoft software.

More here.

UK: Pipex Loses 30,000 Bulldog Customers

Richard Thurston writes on ZDNet UK:

Pipex, the ISP that bought the customer base of its troubled rival Bulldog, has revealed that it actually acquired 30,000 fewer customers than it expected.

Bulldog had a base of 110,000 users when the deal was agreed last September, but Pipex said on Tuesday that once the transfer was completed it had only gained 80,000 more customers. It appears that the remaining 30,000 left Bulldog, which has suffered a litany of technical and support problems over the last couple of years, culminating in an Ofcom inquiry.

More here.

Defense Tech: China Knows How Much America Has to Lose

Richard Spencer writes on The Telegraph.co.uk:

There is probably no better way to get China's nationalists to demand a Great Leap Forward in military spending than to tell them they are two decades behind the United States.

Yet that is what happened after Beijing's use of a ground-based missile to take out a redundant weather satellite was revealed to the world on Thursday night. The United States, experts pointed out, carried out this sort of test in the 1980s, and abandoned them because they made too much mess.

When it comes to its strategic interests, Beijing does not care much about making a mess, particularly 530 miles up in space.

More here.

Vermont State Web Site a Road Map for ID Thieves

An AP newswire article by David Gram, via The Boston Globe, reports that:

A prominent state legislator was not happy Friday when someone called him, told him his Social Security number was on a Web site maintained by the secretary of state's office and then read it to him.

"That's a little disturbing, I guess," said the lawmaker, whose name was withheld from this story to protect him from identity theft.

A Vermont law took effect last July 1 directing state and local government agencies to redact Social Security numbers from public records. The numbers are considered gold for identity thieves, who can use them to gain access to a variety of business transactions, including obtaining credit in the theft target's name.

Asked how he thought the new law was working, the lawmaker said, "It doesn't appear very well. If my Social Security number is on the World Wide Web, it seems like there must be a glitch in the system somewhere. I certainly would like to hear from the secretary of state on why this is happening."

More here.

Stephen Colbert Explains the Whole AT&T Thing!

Click to watch.

(Hat-tip, Woody.)

GPS Devices Lead to Suspects' Home

An AP newswire article, via SFGate.com, reports that:

Three thieves who allegedly stole 14 global positioning system devices didn't get away with their crime for long. The devices led police right to their home.

Town officials said the thieves didn't even know what they had: they thought the GPS devices were cell phones, which they planned to sell.

According to Suffolk County police, the GPS devices were stolen Monday night from the Town of Babylon Public Works garage in Lindenhurst. The town immediately tapped its GPS system, and it showed that one of the devices was inside a house. Police said that when they arrived there, Kurt Husfeldt, 46, had the device in his hands.

More here.

Telecom Italia Embroiled in New Espionage Scandal

Philip Willan writes on InfoWorld:

Milan magistrates have arrested four Telecom Italia employees for alleged illegal espionage activities, bringing a fresh wave of scandal crashing down onto the former national carrier.

The suspects were identified as Fabio Ghioni, the head of information security at Telecom Italia; his assistant, Rocco Lucia; and Guglielmo Sasinini, a former journalist who had been hired by the company to conduct country risk analyses for the Middle East region, according to a 230-page arrest warrant signed by Judge Giuseppe Gennari and widely cited in newspaper reports Friday.

A fourth warrant was served in prison on Giuliano Tavaroli, the former head of security at Telecom Italia, who had already been incarcerated on illegal espionage charges as a result of a separate investigation.

The four men are accused of using Telecom Italia’s resources to spy on Vittorio Colao, the former executive chief executive officer of the Rizzoli Corriere della Sera (RCS) publishing group, and on Massimo Mucchetti, the deputy director of the Corriere della Sera newspaper, as part of an elaborate intelligence operation that has all the hallmarks of a spy thriller, according to wire reports Thursday and newspaper articles Friday.

More here.

'Blogger is Borked Right Now...'


...and on the heels of the Technorati bork, the "old" Blogger went borked for about an hour this afternoon, too. (Click for larger image.)

Let's hope it stays up for a while. :-)

- ferg

'Technorati is Borked Right Now...'



Technorati having some problems, but I thought this was pretty funny. (Click on image for larger view...)


U.S. Government to Greatly Expand DNA Database

Richard Willing writes in USA Today:

The federal government could add DNA from tens of thousands of immigration violators, captives in the war on terrorism and others accused but not convicted of federal offenses to the FBI's crime-fighting database under a plan being finalized by the Justice Department.

Erik Ablin, a Justice Department spokesman, confirmed the plan, which hasn't been publicly disclosed, and said details are expected to be completed soon.

Proponents of the plan, including U.S. Sen. Jon Kyl, R-Ariz., and Maricopa County, Ariz., Sheriff Joe Arpaio, say taking DNA from federal detainees would solve many crimes committed by illegal immigrants and make it easier to identify and track potential terrorists.

Opponents, such as Caroline Fredrickson, director of the American Civil Liberties Union's Washington office, say such mass seizures of DNA violate privacy and do little to improve law enforcement.

More here.

The New IED? Satellite Killer's Big Impact

Via Defense Tech.

There's been immediate fallout -- both physical and political -- from China's satellite killer test.

Debris from the orbital collision has already been spotted, the M-T Milcom blog notes. "As of this writing NORAD has officially cataloged 32 objects... that now pollute a vital area of space (sun-synchronous polar orbit)."

"There are over 125 satellites that operate in this portion of space," the M-T blog observes. Those include reconnaissance satellites, like the Lacrosse and Advanced Keyhole orbiters, as well as weather-monitors, like the Defense Meteorological Satellites Program series. In other words, this test directly affects the American military's ability look for terrorist hideouts, and survey a potential battlefield.

More here.

26 IRS Tapes Missing in Kansas City

Lynn Horsley writes in The Kansas City Star:

Twenty-six IRS computer tapes containing taxpayer information are missing after they were delivered to City Hall months ago.

Kansas City is one of hundreds of governmental entities that share taxpayer information back and forth with the Internal Revenue Service. City officials use the federal tax return information to enforce their collection of the 1 percent city earnings tax, which is paid by people who live or work in Kansas City.

City and IRS officials on Thursday either would not or could not say exactly what information is on the tapes or the number of taxpayers whose information is on the tapes.

But the information potentially could include taxpayers’ names, Social Security numbers and bank account numbers, or they could contain employer information.

More here.

(Props, Pogo Was Right.)

Massachusetts AG has Credit Card Info Stolen a Week Before Taking Office

Andrew Ryan writes in The Boston Globe:

Martha Coakley got a first-hand lesson about what it is like to be a victim the week before she took the oath as the new state attorney general.

Rushing to leave for a ski trip before taking office, Coakley got a phone message at home from Dell computers early last week to confirm a $1,200 purchase on her Visa card. The order was about to be shipped to an address in Texas.

More here.

Belgian Newspapers Target Yahoo! After Forcing Google to Bend on Linking

Eric Bangeman writes on ARS Technica:

Long known for making the best beer in the world, Belgium has also become known for applying its copyright laws to news aggregators that summarize and link to the country's newspapers. The latest tiff comes courtesy of Yahoo and Copiepresse, Belgium's copyright enforcement group.

Yahoo, like other news aggregators, publishes summaries and links to news articles all over the Internet. This isn't a problem in most places, but Belgian publishers aren't fans of the practice. Bernard Magrez, a lawyer for the Belgian copyright watchdog, has accused Yahoo of publishing articles without authorization. As a result, Copiepresse has sent a "cease and desist" letter to Yahoo, requesting that they stop linking to articles on the newspapers' websites.

More here.

Questionable Conviction of Connecticut Teacher in Pop-up Porn Case

Lindsay Beyerstein writes on AlterNet:

Julie Amero, a 40-year-old substitute teacher from Connecticut is facing up to 40 years in prison for exposing her seventh grade class to a cascade of pornographic imagery. Amero maintains that she is a victim of a malicious software infestation that caused her computer to spawn porn uncontrollably.

Adware, spyware and other infectious software are known hazards to security and privacy -- and when lax cybersecurity meets anti-porn hysteria, a mailware infection can even land you in jail. Malicious coders are getting more sophisticated all the time, but law enforcement and the criminal justice system aren't keeping up. A criminal conviction can hang on the difference between a deliberate mouse click and an involuntary redirect on an infested computer. Too often, even so-called experts can't tell the difference.

More here.

Swedish Bank Loses $1.1M to Online Fraud - UPDATE

Via The BBC.

Internet fraudsters have stolen around 8m kronor ($1.1m; £576,000) from account holders at Swedish bank Nordea.

The theft, described by Swedish media as the world's biggest online fraud, took place over three months.

The criminals siphoned money from customer's accounts after obtaining login details using a malicious program that claimed to be anti-spam software.

Nordea said it had now refunded the lost money to all 250 customers affected by the scam.

More here.

UPDATE: 12:54 PST: Russians are now being fingered for this - more details here.

'Storm Worm' Rages Across the Globe

Dawn Kawamoto writes on C|Net News:

"Storm Worm," one of the larger Trojan horse attacks in recent years, is baiting people with timely information about a deadly, real-life front, security researchers said Friday.

Over an eight-hour period Thursday, malicious e-mails were sent across the globe to hundreds of thousands of people, said Mikko Hypponen, chief research officer for F-Secure.

People who open the attachment then unknowingly become part of a botnet. A botnet serves as an army of commandeered computers, which are later used by attackers without their owners' knowledge.

Storm Worm carries the subject line "230 dead as storm batters Europe," Hypponen said, noting the unusual twist to the e-mail.

"The e-mail was started 15 hours ago, when the storm was peaking in Central Europe," Hypponen said. "This is unusual in that it was very timely."

More here.

Chavez Hints U.S. Using Telecom to Spy on Him

An AP newswire article, via CNN, reports that:

Venezuelan President Hugo Chavez on Friday accused his nation's main telecommunications company of spying on him and suggested it was at the bidding of the United States.

Chavez, addressing 10 South American leaders at a summit of the Mercosur trade bloc, gave no additional details.

The accusation came less than two weeks after Chavez announced he would nationalize CA Nacional Telefonos de Venezuela, known as CANTV.

More here.

Thursday, January 18, 2007

Homeland Security Watch: Needs a PaPa

Wow. A good opportunity for someone to step in an keep a great blog afloat...

Via Homeland Security Watch.

When I started this blog 14 months ago, I didn’t know what to expect. I thought there was a need for a site like this to bring together different parts of the professional homeland security community. And I had just learned that my employer, IBM, allowed employees to create and develop blogs, consistent with the company’s corporate guidelines. So I dove in, figured out how to create a site (first on blogspot, then directly at hlswatch.com), and started posting.

1,238 posts and 1.3 million hits later, I need to end my active involvement with this site, effective immediately. The reason: I’ve given a notice of separation to IBM and have accepted a job offer to join the Democratic staff of the Senate Homeland Security and Governmental Affairs Committee (HSGAC), chaired by Sen. Joe Lieberman. I feel honored to have an opportunity to join the staff of this committee, which sets a very high standard for solid work and bipartisan spirit in the U.S. Congress. I’m looking forward to getting into the trenches and working on the same range of critically important homeland security issues that I’ve written about here.

As for this site, I hope that I can pass it off to people who want to carry it forward - ideally multiple contributors - and am working on this already. If anyone reading is interested in this opportunity, drop me a line to hlswatch@gmail.com. I’m also willing to consider other types of proposals regarding the site. In the meantime, the links to other homeland security blogs and sites are still there on the right-hand column.

More here.

Off Topic: Shame of Our Nation

Egads.

I deplore the fact that our government has completely lost touch with the principles that founded this nation.

An AP newswire article, via MSNBC, reports that:

The Pentagon has drafted a manual for upcoming detainee trials that would allow suspected terrorists to be convicted on hearsay evidence and coerced testimony and imprisoned or put to death.

According to a copy of the manual obtained by The Associated Press, a terror suspect's defense lawyer cannot reveal classified evidence in the person's defense until the government has a chance to review it.

The manual, sent to Capitol Hill on Thursday and scheduled to be released later by the Pentagon, is intended to track a law passed last fall by Congress restoring President Bush's plans to have special military commissions try terror-war prisoners. Those commissions had been struck down earlier in the year by the Supreme Court.

More here.

Seattle: Port Police Officers Sent Explicit e-Mails

Eric Nalder and Lewis Kamb write in The Seattle Post-Intelligencer:

Thirty-two current and former Port of Seattle police officers -- nearly a third of the department's sworn force -- have been caught exchanging or receiving racist, sexist and sexually explicit e-mails since the end of October 2004, department records obtained by the Seattle P-I show.

For 16 months, no one in the department reported the smut-laced e-mails to top-level managers or internal investigators, even though the field-level supervisors joined line officers spending hours on their shifts viewing the material. The behavior wasn't discovered until a woman accused one officer of harassment, and internal investigators looked at his computer.

Records obtained by the P-I show such behavior has been going on in the department for years, including a case in 1997 that involved a prominent sergeant who is now a lieutenant and SeaTac city councilman.

More here.

Toon: Character Witness


Click for larger image.


Feds Out for Hacker Blood

Declan McCullagh writes on C|Net News:

Adrian Lamo, the hacker best known for illegal pranks aimed at companies like Yahoo, Microsoft and The New York Times, is free once again.

But his legal battles over handing over a DNA sample to the federal government are just beginning.

After pleading guilty to breaking into the paper's internal computer network in January 2004, the terms of Lamo's probation had confined him to the eastern district of California, which includes his parents' home near Sacramento where he is living. That probation, which included mandatory "computer-monitoring software and filtering equipment," expired Monday.

What isn't over is Lamo's refusal to give federal authorities a sample of his blood, which he says violates his religious convictions. He has offered to give a cheek swab as an alternative, a practice used by a number of states including California--but not the federal system.

More here.

FBI Sends Citizens Terrorism Alerts by e-Mail

Chitra Ragavan writes on U.S. News & World Report:

The FBI has sent out 600,000 E-mail alerts to a base of 14,000 subscribers, the bureau tells U.S. News.

The E-mail alert program was launched in October to provide the public, businesses, and law enforcement agencies with timely information on everything from terrorists to fugitives, scammers, and crooks, as well as updated information on terrorist threats. John Miller, FBI chief spokesman, said the system can also be used for crisis communication during a disaster or terrorist attack.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Thursday, Jan. 18, 2007, at least 3,029 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,434 died as a result of hostile action, according to the military's numbers.

The AP count is 10 higher than the Defense Department's tally, last updated Thursday at 10 a.m. EST.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Number of People in U.S. with Traditional Landline Phones Drops Sharply

An AP newswire article, via SiliconValley.com, reports that:

The number of Americans with traditional landline telephones has declined sharply over the past three years -- a trend with ramifications for phone surveys that inform policy and market research.

About one in eight households did not have a landline telephone in the first half of 2006, according to data the Centers for Disease Control and Prevention collected in its National Health Interview Survey. Three years earlier, it was about one in 20.

The percentage of adults using cell phones only was increasing 1 percentage point every six months from 2003 through 2005 but jumped 2 points in the most recent study, Stephen Blumberg, a senior scientist at the CDC, said Thursday.

Among all adults, 9.6 percent had only a cell phone in the first half of 2006, compared with 7.7 percent in the preceding six months. The overall number without landlines -- 13.2 percent -- includes those who have no phone at all.

More here.

Microsoft to Build $550 Million Data Center in San Antonio

An AP newswire article, via SiliconValley.com, reports that:

Microsoft Corp. announced Thursday that will build a $550 million data center here to house its growing online services.

The 400,000-square-foot facility will be the software giant's first major data center in Texas.

The data center will house tens of thousands of computers to host Internet services like Microsoft's Windows Live offerings, which include everything from instant messaging to e-mail, said Mike Manos, Microsoft senior director of data centers.

More here.

KB Home Warns 2,700 of ID Theft Risk

Kristy Eppley Rupon writes on The State (South Carolina):

Thousands of KB Home customers are being warned of the risk of identity theft after one of the home builder’s computers was stolen from a Charleston sales office.

The company sent letters to 2,700 people Friday advising them to put a fraud alert on their credit reports and to monitor their credit for the next couple of years.

Ken Fenchel, who bought his Lexington home from KB Home in May, is irritated the company is not offering to do more to help the customers avoid identity theft.

“At a minimum they should (pay for) one year of fraud protection” for those customers, Fenchel said. “I’m not sure what else you can do.”

As a precautionary measure, KB Home officials say, they sent the letter to more people than they believe were affected.

Gee, how big of them...

More here.

(Props, Flying Hamster.)

Attorney General to Talk Data Retention with New Congress

Anne Broache writes on C|Net News:

The Bush administration plans to approach Congress again this year about the possibility of new rules requiring Internet service providers to retain information about their subscribers for a certain period of time.

Attorney General Alberto Gonzales said Thursday that he is continuing to explore such legislation, pertaining not to "data retained by government, but (to) data retained by ISPs that could be accessed with a court order."

More here.

DHS Pays for Wired News FOIA Lawsuit

Image source: 27B Stroke 6

Kevin Poulsen writes on 27B Stroke 6:

The Department of Homeland Security has been ordered to pay the Stanford Law School Cyberlaw Clinic $66,861.39 in attorneys' fees for its failure to comply with the Freedom of Information Act while stonewalling my request for records on the Zotob virus' infiltration of its computers.

Alert readers will recall my year-long battle to learn the details of an August 2005 failure of the $400 million US-VISIT system. Highlights include the DHS's Bureau of Customs and Border Protection asking me to drop the matter, then losing the paperwork, and finally denying the request in its entirety, all to avoid revealing that it made mistakes in leaving the border screening system open to attack.

More here.

TJX Intrusion Highlights Pursuit of Corporate Data

Matt Hines writes on eWeek:

The potentially massive data theft reported by discount retail conglomerate TJX Companies illustrates the continued efforts of hackers to rob businesses of their most valuable information.

On Jan. 17, the company, based in Framingham, Mass. which operates a handful of North American and European retail chains including T.J. Maxx, Marshalls, HomeGoods and A.J. Wright, reported that a computer systems intrusion may have compromised the personal data of an undetermined number of customers.

More here.

U.S. Internet Firms Repond to China Critics

Jonathan Birchall and Richard Water write in The Financial Times:

Google, Yahoo, Microsoft and Vodafone have announced an agreement with human rights groups, internet freedom activists and others to establish a set of principles covering how they deal with censorship and other restrictions that could harm human rights in China and elsewhere.

The move comes in the wake of public criticism of big US online companies last year over their activities in China. It echoes other voluntary “multi-stakeholder” initiatives that have emerged in recent years in response to public protest, covering issues such as the use of local security forces by oil and mining companies, and conditions in the clothing and footwear supply chains.

The four companies have agreed to work with non-governmental organisations to “seek solutions to the free expression and privacy challenges faced by technology and communications companies doing business internationally”, according to a statement on Thursday.

More here.

Port Scanning Precursor to Attempted SCADA Attacks?

Via The SANS Internet Storm Center's Daily Handler's Dairy.

We've been noticing a fair amount of activity on port 20000/TCP over the last month or so.

http://isc.sans.org/port.html?port=20000

UPDATE:
A number of people wrote in with information about recent alerts for activity targeting the DNP protocol or systems running DNP services. DNP is used in SCADA systems in the electric and water utilities industry for process control.

http://en.wikipedia.org/wiki/DNP3

DNP scanning activity was first reported in Oct 2006 with alerts in late Nov 2006. Significant scanning has been observed in late Dec. 2006 and is ongoing. A reader also contributed details of a system infection recently where port 1901/TCP and 20000/TCP were both used. Some reports have suggested a relationship between these DNP scans and scanning activity for port 10000/TCP (NDMP, Webmin).

Without more information on the scanning sources or full packet captures it is difficult to pinpoint/pigeonhole the current activity.

More here.

UK: ID Theft Nets £85,000 a Head, Says Study

Via OUT-LAW.com:

Identity fraud can net criminals £85,000 for each identity stolen, research has found. That is the average amount which criminals can expect to gain from impersonating a person in the UK according to anti-ID theft company Garlik.

Garlik was founded by Tom Ilube and Mike Harris, who founded internet bank Egg, and it commissioned research from consultancy 1871 Ltd which uncovered the value of a single fake identity. It also discovered that lawyers are a main target of ID fraudsters.

The research found that most people's perceptions of how identity fraud works are wrong. The fraudster commonly does not empty bank accounts but applies for new credit as another person so that that person may not discover for some time that they are being impersonated.

More here.

Phisher Empties £3000 From UK Man's Bank Account

Gordon Thomson writes on The Evening Times (UK):

A businessman's bank account was emptied after he was targeted by computer hackers.

But Bank of Scotland bosses today pledged to refund every penny to Steven Watson, who lost more than £3000.

Mr Watson, who runs Scotia Boiler Services, discovered that £3109 he'd put aside for VAT payments had been stolen from his account.

Bank chiefs say online accounts are secure and believe hackers targeted Mr Watson's home computer, then monitored his internet use to get his personal details.

He's believed to have been a victim of "phishing", where fraudsters copy a genuine business webpage - such as a bank - to fool customers into revealing their sign-in details, including user name and password.

More here.

(Props, Flying Hamster.)

Newspaper Publisher Tries to Thwart First Amendment

Via EFF Deep Links.

The Santa Barbara News-Press needs a lesson in the First Amendment. Insisting that an anonymous comment posted for a few hours on a news blog skewed a labor unionization vote, the publisher of the newspaper is demanding that Google disclose the blogger's account information.

It all started last September. Three months after several editors walked off the job amid allegations that News-Press owner and co-publisher Wendy McCaw had improperly interfered in editorial decisions, the employees that remained were struggling to form a union to negotiate with McCaw. McCaw did not take kindly to the unionization effort or even commentary about it--in fact, she has sued two newspapers based on their coverage of the labor dispute and threatened defamation suits against individual citizens who posted pro-union signs in their windows. The legal campaign has made headlines around the country.

Enter pseudonymous blogger Sara de la Guerra. Sara reports and comments on current events in Santa Barbara and has been critical of McCaw's anti-union tactics. In early September, a third party submitted a comment advocating various acts of cybersabotage against News-Press management. The comment was taken down within hours, but News-Press later issued a press release quoting and complaining about the comment.

When the employees then voted to form a union, News-Press filed objections with the National Labor Relations Board, arguing that the comment had influenced the election. Three months later, just a few days before the hearing on the objections, News-Press issued a subpoena to Google seeking information relating to Sara's account.

More here.

Quote of the Day: Noah Shachtman

"China has shown it can destroy a satellite in orbit. What could the U.S. do to stop Beijing, if it decided to attack an American orbiter next? Short answer: nothing."

- Noah Shachtman, writes over on DefenseTech.org. Background here.

Off Beat: Internet Pirate Charged in Toilet Bombings Plans to Plead Guilty

File this under "bizarre story of the day"...

An AP newswire article by John Christoffersen, via The Boston Globe, reports that:

A Weston man once called one of the Internet's most notorious pirates of music and movies plans to plead guilty to a federal charge that he blew up a portable toilet last year, according to court records filed Thursday.

Bruce Forest was charged last year with seven counts of using explosives to destroy property and seven counts of discharging a firearm in connection with a series of toilet explosions in 2005 and 2006.

No one was injured.

More here.

NIST IPv6 Profile to Detail U.S. Federal Requirements

Jason Miller writes on GCN.com:

The National Institute of Standards and Technology will release the federal government’s Internet Protocol version 6 profile by the end of the month to help agencies and vendors understand the government’s technical requirements.

Peter Tseronis, the Education Department’s director of network services and co-chairman of the IPv6 working group, yesterday said the NIST profile will be out for public comment for about a month and then NIST will issue the first version of the profile.

The profile, which will be released in the Federal Register, recommends a technology acquisition approach for common IPv6 devices, Tseronis said.

More here.

RFID Tattoos for Tracking Cows... And People


Thomas Ricker writes over on Engadget:

Did you know that Saint Louis based Somark Innovations successfully tested an "RFID tattoo" on cows and rats?

Yes indeed, tattoo, not the ol' RFID chip found in passports, dogs, and Dutch VIP clubbers. Somark's system uses an array of needles to inject a passive RFID ink which can be read through the hair on your choice of beast.

The ink can be either invisible or colored but Somark is keeping mum as to its exact contents. They only say that it doesn't contain any metals and is 100% biocompatible and chemically inert. The tattoo can be applied in 5 to 10 seconds with no shaving involved and can be read from up to 4 feet away -- the bigger the tattoo, the more information stored.

More here.

Cisco Security Advisory: SSL/TLS Certificate and SSH Public Key Validation Vulnerability

Via Cisco.com.

The Cisco Security Monitoring, Analysis and Response System (CS-MARS) and the Cisco Adaptive Security Device Manager (ASDM) do not validate the Secure Sockets Layer (SSL)/Transport Layer Security (TLS) certificates or Secure Shell (SSH) public keys presented by devices they are configured to connect to.

Malicious users may be able to use this lack of certificate or public key validation to impersonate the devices that these affected products connect to, which could then be used to obtain sensitive information or misreport information.

More here.

CIBC Loses Info on 470,000 Canadians

Sinclair Stewart writes in The Globe and Mail:

The personal information of nearly half-a-million customers at a CIBC mutual fund subsidiary has gone missing, prompting fears of a potential security breach and inciting an investigation from Canada's federal privacy commissioner.

A backup computer file containing application data for 470,000 investors at Montreal-based Talvest Mutual Funds disappeared in transit on the way to Toronto recently, the bank said in a news release Thursday.

The file contained everything from client names and addresses to signatures, birth dates, bank account numbers and Social Insurance Numbers. Officials at CIBC Asset Management Inc., a division of the Canadian Imperial Bank of Commerce, said there is no evidence of fraud, nor is there any indication that any data on this hard drive has been accessed. The company did not explain how it lost the drive.

Privacy Commissioner Jennifer Stoddart, who launched a probe of CIBC following a faxing snafu two years ago, said she has determined there are grounds for another investigation in the Talvest matter, even though the bank brought the problem to her attention.

More here.

U.S. Senators Question Gonzales on Domestic Spying - UPDATE

An AP newswire article, via MSNBC, reports that:

Senators demanded details Thursday from Attorney General Alberto Gonzales about new orders putting the government's domestic spying program under court review -- and questioned why it took so long to do so.

Meanwhile, the presiding judge of the Foreign Intelligence Surveillance Court said she had no objection to disclosing legal orders and opinions about the program that targets people linked to al-Qaida, but the Bush administration would have to approve release of the information.

Gonzales and National Intelligence Director John Negroponte said it was uncertain whether the court orders and details about the program will be disclosed.

More here.

UPDATE: 11:08 PST: DefenseTech.org has some really good first-hand accounts of the congressional hearing and some astute observations - here.

UPDATE 12:14 PST: Another pragmatic observation of some of the dubious issues involved here.

UPDATE 13:03 PST: Ryan Singel has more over at 27B Stroke 6.

Four Families Suing MySpace Over Assaults

An AP newswire article, via MSNBC, reports that:

Four families have sued News Corp. and its MySpace social-networking site after their underage daughters were sexually abused by adults they met on the site, lawyers for the families said Thursday.

The law firms, Barry & Loewy LLP of Austin, Texas, and Arnold & Itkin LLP of Houston, said families from New York, Texas, Pennsylvania and South Carolina filed separate suits Wednesday in Los Angeles Superior Court, alleging negligence, recklessness, fraud and negligent misrepresentation by the companies.

“In our view, MySpace waited entirely too long to attempt to institute meaningful security measures that effectively increase the safety of their underage users,” said Jason A. Itkin, an Arnold & Itkin lawyer.

More here.

Wednesday, January 17, 2007

Defense Tech: China Tests Satellite Killer?

Via Defense Tech.

"U.S. intelligence agencies believe China performed a successful anti-satellite (asat) weapons test" last week, according to Aviation Week. In the trial, a ballistic missile, armed with a non-explosive warhead, "destroy[ed] an aging Chinese weather satellite target" over 500 miles above the Earth.

The news comes just a few months after reports of China testing high-powered lasers to temporarily blind American orbiters. "If the test is verified it will signify a major new Chinese military capability."

More here.

Student Sues UCLA for Taser Incident

Eric Stern writes in The Sacramento Bee:

The UCLA student who was shocked repeatedly with a Taser gun in November by campus police filed a federal lawsuit Wednesday in Los Angeles against the university.

"I suffered an unprovoked act of police brutality," said Mostafa Tabatabainejad, 24, in a statement issued by his attorney. "I hope that no one else will ever have this experience at UCLA or anywhere else again."

Tabatabainejad, who grew up in the Sacramento area, said his civil rights were violated in the Nov. 14 incident at the campus library that was captured on a cell phone camera and broadcast over the Internet. Tabatabainejad - heard screaming in pain in the video as students crowded in and jeered police - is seeking unspecified damages.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Wednesday, Jan. 17, 2007, at least 3,028 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,430 died as a result of hostile action, according to the military's numbers.

The AP count is 13 higher than the Defense Department's tally, last updated Wednesday at 10 a.m. EST.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

XM and Sirius: FCC Breaks Satellite Hearts

Jack Kapica writes on The Globe and Mail:

The rumoured radio romance involving a merger of Sirius and XM appears to be over.

The competing satellite radio companies saw their shares plunge after Kevin Martin, chairman of the U.S. Federal Communications Commission, cut the flirtation short by announcing Wednesday Afternoon that "There is a prohibition on one entity owning both of these businesses. The ban was written in 1997 when the companies were licensed."

In reaction, shares tumbled by 6.99 pert cent for Sirius Satellite Radio Inc. and by 9.86 per cent for XM Satellite Radio Holdings Inc.

The stocks of both companies had plunged more than 40 per cent last year, resulting in talks between them of creating a merged entity.

More here.

UK: Patients' Details Stolen in Hospital Computer Theft

Via the Daily Mail.

Computers containing patients' details have been stolen from a disused hospital site, health officials have said.

About 30 new computers were taken from a storeroom at the now-closed Lymington Infirmary in Lymington, Hants, earlier this month.

A Hampshire Primary Care Trust spokeswoman said the equipment did not have complete patient records on them but could contains details of names and addresses of those who had visited the site.

More here.

(Props, Techdirt.)

Networks Disrupted By Taiwan Earthquake Struggle To Recover

W. David Gardner writes on InformationWeek:

An undersea earthquake struck off the coast of Taiwan on Wednesday, complicating efforts to repair six submerged cables that were severed by a stronger quake nearly four weeks ago.

The most recent temblor measured 5.0 on the Richter scale. Taiwan's Central Weather Bureau reported no immediate damage or casualties. This after a magnitude-6.7 earthquake killed two people and crippled the region's network traffic on December 26.

The events are likely to have a long-term impact as telecommunications firms gradually come to grips with the damage, one observer said.

"We're heading towards the fourth week after the earthquake and not a single cable has been repaired," said Todd Underwood of Internet and communications traffic monitoring firm Renesys in an interview Wednesday. "It's a tough situation " deep water, rough seas, and not many boats available."

More here.

Wrong Flight on Wrong Airline (Otherwise, Trip Went Well) - UPDATE

Further proof of the failures of security theater...

Kathleen McGrory writes in The Miami Herald:

As the plane rolled down the runway, one passenger was bewildered when a flight attendant welcomed travelers aboard the Milwaukee-bound flight.

Milwaukee!?

He thought he was going to New York.

Turns out, he had accidentally boarded the wrong flight -- on the wrong airline.

And in today's post-9/11 climate, that's the sort of thing that can cause airport security to break out in hives.

More here.

UPDATE: 15:54 PST: Oh, wait! Here's another one...

Quote of the Day: Ari Melber

"Just before its implosion last November, the Republican Congress passed the Military Commissions Act (MCA), one of the worst legislative setbacks to human rights policy since World War II."

"The law dilutes restrictions against torture; provides new immunity for war criminals; eliminates habeas corpus, the sacrosanct right to go to court and challenge government detention, for US residents; and authorizes rigged military trials for people captured on and off the battlefield, without any oversight by American courts."


"But the public barely noticed because Congress approved the sweeping legislation with no hearings in a seven-day rush before the midterm elections."

- Ari Melber, writing in The Nation.

U.S. Air Force Cyber Command to Create Innovation Center

Mary Mosquera writes on GCN.com:

The Air Force plans to establish a Global Cyberspace Innovation Center by summer to speed the process of turning around new technologies, said Lt. Gen. Robert Elder Jr., who heads the Cyber Command, part of the 8th Air Force, headquartered at Barksdale Air Force Base in Louisiana.

The proposed center, which is just a concept now, aims to bring in academia and industry to collaborate with Air Force and service partners on technologies critical for the cyberspace command. Air Force has added cyberspace as another domain in warfighting with air and space. Elder also is working with the Air Force Research Lab on how to accelerate its technologies.

More here.

U.S. Set to Push Ahead with Wire Transfer Database Plan

Via Finextra.com.

The US government is set to force through a proposal that would require the country's top banks to report details of their international wire transfers under initiatives to track money laundering and terrorist funding.

The news comes as US Treasury division Financial Crimes Enforcement Network (Fincen) delivers a report stating that the reporting of cross-border wire transfer data by financial institutions is "technically feasible" and may be valuable to efforts to "combat money laundering and terrorist financing".

But according to news reports the database scheme would be limited to banks that directly transmit or receive an international wire transfers. Eric Kringel, senior policy adviser at Fincen, told reporters that this would effectively limit the requirement to around a dozen large financial institutions.

Last year the American Bankers' Association (ABA) called for the US government to drop the scheme and claimed the Treasury Department didn't have the resources to administer such a programme adequately.

More here.

TJX Companies Victimized by Computer Systems Intrusion

Via Businesswire.

The TJX Companies, Inc. today announced that it has suffered an unauthorized intrusion into its computer systems that process and store information related to customer transactions.

While TJX has specifically identified some customer information that has been stolen from its systems, the full extent of the theft and affected customers is not yet known.

This intrusion involves the portion of TJX’s computer network that handles credit card, debit card, check, and merchandise return transactions for customers of its T.J. Maxx, Marshalls, HomeGoods and A.J. Wright stores in the U.S. and Puerto Rico, and its Winners and HomeSense stores in Canada, and may involve customers of its T.K. Maxx stores in the U.K. and Ireland.

The intrusion could also extend to TJX’s Bob’s Stores in the U.S. The Company immediately alerted law enforcement authorities of the crime and is working closely with them to help identify those responsible. TJX is also cooperating with credit and debit card issuers and providing them with information on the intrusion.

More here.

(Props, RMS.)

Gapingvoid: Love and Hate

Via gapingvoid.com. Enjoy!

DHS to (Finally) Launch Traveler Redress Inquiry Program

Via DHS.gov.

The Department of Homeland Security (DHS) announced today it will launch the DHS Traveler Redress Inquiry Program (DHS TRIP), an easy to use, single point of inquiry for travel-related issues.

DHS TRIP was developed to provide a central gateway to address watch list misidentification issues, situations where individuals believe they have faced screening problems at immigration points of entry, or have been unfairly or incorrectly delayed, denied boarding or identified for additional screening at our nation’s transportation hubs.

More here.

Some background here and here.

Your ISP is the IFPI's Next Target

Grant Robertson writes on Digital Music:

According to the IFPI's "Digital Music Report 2007", your residential ISP is the their next front in the war on piracy.

The report spells out in pretty stark language exactly what the IFPI expects from the ISP who's services you pay for, "We should not be doing this job alone. With cooperation from ISPs we could make huge strides in tackling internet piracy globally. It is very unfortunate that it seems to need pressure from governments or even action in the courts to achieve this, but as an industry we are determined to see this campaign through to the end."

It's unclear exactly what the IFPI wants ISPs to do but, it is pretty clear that they want it done now.

More here.

DHS Report: TSA Needs to Secure Financial Systems

Alice Lipowicz writes on GCN.com:

The Transportation Security Administration has inadequate computer security controls on its financial systems, according to a new report released today by Homeland Security Department Inspector General Richard L. Skinner.

The special report is a letter from KPMG LLP accounting firm on IT matters related to TSA’s fiscal 2005 financial statements. KPMG was hired to audit the TSA’s finances; however, it did not complete its audit because it did not receive final financial statements from the agency. The letter was released in a redacted form with sensitive portions blacked out.

The accounting firm examined both TSA and Coast Guard systems because the Coast Guard’s IT systems host key financial applications for the TSA.

More here.

To Credibility: FISA Court to Govern Wiretapping Plan

So, I guess this akin to saying "Okay, we won't break the law anymore..."

Dan Eggen writes in The Washington Post:

The Justice Department announced today that the National Security Agency's controversial warrantless surveillance program has been placed under the authority of a secret surveillance court, marking an abrupt change in approach by the Bush administration after more than a year of heated debate.

In a letter to the Senate Judiciary Committee, Attorney General Alberto R. Gonzales said that orders issued on Jan. 10 by an unidentified judge puts the NSA program under the authority of the Foreign Intelligence Surveillance Court, a secret panel that oversees most intelligence surveillance in the United States.

Gonzales also wrote that the current NSA program will effectively be abandoned after its current authorization expires in favor of the new approach.

More here.

Note: The Bush administration, and specifically Attorney General Alberto Gonzales, is sending mixed messages. As mentioned in this MSNBC/Associated Press article, Gonzales also says that "...federal judges are unqualified to make rulings affecting national security policy."

Checks and balances? What checks and balances...

Defense Tech: Northrop Opens First U.S. Laser Weapons Plant

A Reuters newswire article, via InformationWeek, reports that:

Northrop Grumman Corp. Tuesday opened the first U.S. production facility for high-energy laser weapons, saying it hoped to benefit from rapid growth in the new class of weapons that are cheaper to operate than traditional missiles.

"We see this capability emerging very quickly. The government is moving in this direction," Mike McVey, president of Northrop's directed energy systems business, told a teleconference. "We're positioning ourselves to be ready when they want more capability."

McVey declined to say how much the new facility in Redondo Beach, Calif., cost but said it could be used to build three 100-kilowatt lasers at the same time, and could also do classified work for the military. He gave no further details.

More here.

DARPA Satellite Research Deal to be Headed by BAE

Doug Beizer writes on GCN.com:

The next phases of the Defense Advanced Research Projects Agency’s Novel Satellite Communications program will be headed by BAE Systems, which will lead a team of companies in a $10.3 million contract.

The deal could be worth as much as $14.3 million, if all options are exercised, the company said.

Novel Satellite Communications will protect uplink signals to satellites against hostile jamming using advanced signal processing techniques to enable uninterrupted communications.

More here.

Defense Tech: Homeland Security 2.0?

Via Businessweek.com.

Few if any of the 68,000 rabid Philadelphia Eagles fans arriving for last Sunday's National Football League playoff game against the New York Giants knew that they had been scanned by one of the latest high-tech anti-terrorism tools.

Pennsylvania security officials deployed radiation probes at the gates of Lincoln Financial Field to stop terrorists from sneaking in a homemade nuclear device that could kill thousands. Personnel on the grounds carried even more-sensitive equipment.

More here.

Hawking: Climate Change Worse Than Terror

An AP newswire snippet, via CBS News, reports that:

Scientist Stephen Hawking described climate change Wednesday as a greater threat to the planet than terrorism.

Hawking made the remarks as other prominent scientists prepared to push the giant hand of its Doomsday Clock _ a symbol of the risk of atomic cataclysm _ closer to midnight. The move will mark the fourth time since the end of the Cold War that the clock has ticked forward and Hawking warned that "as citizens of the world, we have a duty to alert the public to the unnecessary risks that we live with every day."

More here.

Off Topic: Whacked Out NorCal Weather


Here's something you don't see every day in San Jose: snow-capped mountains with palm trees in the foreground.

I took this picture from the window of my office this morning in San Jose...

Enjoy. :-)

- ferg

Keeping ID Theft Victims in the Dark

Annys Shin writes on The Checkout:

In the midst of the big headlines, however, one tidbit about pretexting seems to have gone unnoticed. The eagle-eyed folks at HearUsNow.org have come across a letter [.pdf] from the Justice Department to the Federal Communications Commission, which is working on regulations regarding pretexting.

The letter makes a pitch for, of all things, a way to delay notifying consumers when they have been victims of pretexting.

More here.

ACLU Throws Support Behind Shareholder Challenge to AT&T on Illegal NSA Spying

Via The ACLU.

The American Civil Liberties Union today announced its support for an effort by AT&T shareholders to force the company to disclose more about its role in the recent National Security Agency (NSA) illegal spying scandal and to tighten its policies to better protect customer privacy.

The shareholder effort consists of a proposed resolution to be considered at AT&T's April stockholder meeting, which would require management to take the relatively modest step of issuing a report on the issues surrounding cooperation with the NSA, what steps the company could take to "further ensure" customer privacy, and the company's expenditures related to the program. It is being spearheaded by the As You Sow Foundation, an investor activist group.

More here.

ACLU Report Shows Widespread Pentagon Surveillance of Peace Activists

Via The ACLU.

The American Civil Liberties Union today released a new report revealing that the Pentagon monitored at least 186 anti-military protests in the United States and collected more than 2,800 reports involving Americans in an anti-terrorist threat database.

The ACLU report reviews hundreds of pages of Defense Department documents obtained through a Freedom of Information Act lawsuit filed last year. The documents revealed that the surveillance of peace groups and anti-war activists was more widespread than previously known.

More here.

Computer Privacy in Distress

Jennifer Granick writes on Wired News:

My laptop computer was purchased by Stanford, but my whole life is stored on it. I have e-mail dating back several years, my address book with the names of everyone I know, notes and musings for various work and personal projects, financial records, passwords to my blog, my web mail, project and information management data for various organizations I belong to, photos of my niece and nephew and my pets.

In short, my computer is my most private possession. I have other things that are more dear, but no one item could tell you more about me than this machine.

Yet, a rash of recent court decisions says the Constitution may not be enough to protect my laptop from arbitrary, suspicionless and warrantless examination by the police.

More here.