Friday, April 20, 2007

Australia: HSBC Customers Outraged by Bank's Handling of Security Breach

Sandra Rossi writes on Computerworld.com.au:

HSBC Australia account holders are outraged that the bank didn't bother to contact a single customer in the wake of a serious security breach which exposed banking details, names and home addresses, as well as other financial information.

Customers labelled the bank's handling of the breach a "disgrace" accusing HSBC of favouring commercial interests over privacy protection.

HSBC did not advise customers of the breach even though more than 100 account holders were exposed. As reported in Computerworld last month, the sensitive documents were left on a peak hour train in Sydney by a HSBC employee.

Information exposed included approval letters for mortgages which listed property values, repayment information, account details and even deposits with six digit cheques that had been photocopied.

More here.

U.S. Database Exposes Social Security Numbers

Ron Nixon writes in The New York Times:

The Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Agriculture Department programs were disclosed for years in a publicly available database, raising concerns about identity theft and other privacy violations.

Officials at the Agriculture Department and the Census Bureau, which maintains the database, were evidently unaware that the Social Security numbers were accessible in the database until they were notified last week by a farmer from Illinois, who stumbled across the database on the Internet.

More here.

Disgruntled Techie Attempts Californian Power Blackout

Lewis Page writes on The Register:

A cheesed-off American IT worker was seized by an FBI Joint Terrorism Task Force on Wednesday for attacking the Californian electric power grid.

Lonnie Charles Denison, of Sacramento, allegedly meddled with computers at the California Independent System Operator (ISO) agency. He is also accused of making a malicious bomb threat against the organisation. ISO controls the state's power transmission lines and runs its energy trading markets.

According to the feds, Denison became upset last week after a dispute with his employer, Science Applications International. Science Applications provides IT services to ISO.

Denison first attempted a remote attack against the ISO data centre on Sunday, but this was unsuccessful. He then reverted to simpler means, and entered the facility physically using his security card key late on Sunday night. Once inside, he smashed the glass plate covering an emergency power cut-off, shutting down much of the data centre through the early hours of Monday morning. This denied ISO access to the energy trading market, but didn't affect the transmission grid directly. Nor did his emailed bomb threat, delivered later on Monday, though it did lead to the ISO offices being evacuated and control passed to a different facility.

More here.

Programming Note: Beijing

A slice of Beijing, from my hotel room.


So, as you may have noticed, posting to the blog has been kind of sporadic for the past week, due to the fact that I've been traveling and wrapped up with meetings, etc.

Last week, it was Tokyo, and this weekend, it's Beijing -- I just arrived last night.

I'll be back in the Silicon Valley area early next week, and posting to the blog should get back to normal (until next time).

Cheers from Beijing!

- ferg

Wednesday, April 18, 2007

Chinese Official Blames Internet for Youth Crime

Via Reuters.

Most youth crime in China can be blamed on negative influences from violent or pornographic Web sites, a police spokesman said on Thursday, justifying the country's latest crackdown on the Internet.

"In recent years from the cases we have discovered, the proportion of young people guilty of cheating, rape or robbery who are given to using the Internet or have been corrupted by online filth, is very high," spokesman Wu Heping said.

More here.

Large Enterprises Still Serving Up Spam

Matt Hines writes on InfoWorld:

Well-known enterprise companies are still having their IT systems hijacked by spammers despite investing in many different types of technologies aimed at stopping the problem.

Last week, researchers at network security company Support Intelligence isolated an IP address within insurance giant Aflac that was being used by spammers to distribute mass amounts of e-mail messages, most of which were related to erectile dysfunction.

Over the course of a 24-hour period beginning on April 10, researchers at Support Intelligence and the SenderBase project estimated the volume of spam being distributed from the affected Web server, much of which included a pharming attack, jumped by more than 750 percent.

Once informed of the problem, representatives at Aflac said they began work to shut down the rogue spam source, but researchers said that the incident further illustrates the problems that many enterprises are still facing in battling spam.

As spammers have begun tapping into botnets controlled by other parties and found new methods for distributing their work via hijacked computers, the issue has only intensified, said Rick Wesson, chief executive of Support Analysis.

More here.

Hackings at State, Commerce Draw House Subcommittee's Attention

Jason Miller writes on FCW.com:

The House Homeland Security Committee’s Emerging Threats, Cybersecurity and Science and Technology Subcommittee wants more information from at least two agencies on recent network break-ins.

In letters to State Department Secretary Condoleezza Rice and Commerce Department Secretary Carlos Gutierrez, committee Chairman Rep. Bennie Thompson (D-Miss.) asked them to answer eight questions regarding each agency’s recent cyberattack.

The subcommittee will hold a hearing April 19 on this subject with Jerry Dixon, director of the National Cyber Security Division in the Homeland Security Department’s National Protection and Programs Directorate; David Jarrell, manager of Commerce’s Critical Infrastructure Protection Program; Don Reid, senior coordinator for security infrastructure in State’s Bureau of Diplomatic Security; and Greg Wilshusen, the Government Accountability Office’s director of information security issues.

More here.

Details About U.S. State Department Computer Compromise Surfaces

An AP newswire article by Ted Bridis, via MSNBC, reports that:


A break-in targeting State Department computers worldwide last summer occurred after a department employee in Asia opened a mysterious e-mail that quietly allowed hackers inside the U.S. government's network.

In the first public account revealing details about the intrusion and the government's hurried behind-the-scenes response, a senior State Department official described an elaborate ploy by sophisticated international hackers. They used a secret break-in technique that exploited a design flaw in Microsoft software.

Consumers using the same software remained vulnerable until months afterward.

Donald R. Reid, the senior security coordinator for the Bureau of Diplomatic Security, also confirmed that a limited amount of U.S. government data was stolen by the hackers until tripwires severed all the State Department's Internet connections throughout eastern Asia. The shut-off left U.S. government offices without Internet access in the tense weeks preceding missile tests by North Korea.

More here.

IRS: No Late Fees For E-Filers After Server Crash

Via IRS.gov.

Taxpayers who were unable to e-file their tax returns Tuesday using Intuit Inc. software products have until midnight on Thursday, April 19, to file their returns, the Internal Revenue Service announced Wednesday.

Potentially up to several hundred thousand last-minute tax filers were affected by company server problems on Tuesday evening, and they or their accountants may have been unable to electronically file returns. Intuit confirmed Wednesday that those problems had been resolved, and it was successfully accepting e-file returns on Wednesday.

The company said affected taxpayers and tax professionals include those using “TurboTax,” “ProSeries,” “Lacerte” and Intuit’s Free File offering,“TurboTax Freedom.”

Intuit product users who were unable to file their returns through the company’s servers Tuesday should e-file as soon as possible. The IRS will not apply late filing penalties to taxpayers who were affected by this problem.

More here.

U.S. Intelligence Chiefs Want to Absolve Spying Telcos

Ryan Singel writes on Threat Level:

Never let it be said that spy snoops don't remember their friends. In fact the nation's top spy proposes to hand a "get out of jail free" card to any telecommunications company that helped spy on Americans in the last 6 years.

The provision would retroactively immunize telecoms that are being sued with some success for allegedly turning over whole databases of domestic phone call records and helping the govenrment spy on Internet traffic and cross-border phone calls in violation of the nation's privacy laws.

More here.

UCSF Computer Server With Research Subject Information is Stolen

Via The University of California, San Francisco.


A computer file server containing research subject information related to studies on causes and cures for different types of cancer was stolen from a locked UCSF office on March 30, 2007.

The server contained files with names, contact information, and social security numbers for study subjects and potential study subjects. For some individuals, the files also included personal health information.

A notification process to those involved in this incident is taking place. There is no specific evidence that data on the server was accessed or is being used by any unauthorized person, emphasize UCSF officials. Notification is taking place as a precautionary measure to alert these individuals to the signs of identity theft and the steps that can be taken to protect personal information.

Notification letters were sent Monday, April 16, to about 3,000 individuals. Using backup files, UCSF officials are conducting an extensive analysis of the server data to determine as quickly as possible all the names involved in this incident.

More here.

(Props, Pogo Was Right.)

Chinese Couple Sues Yahoo! for Man's Imprisonment

Adam Tanner writes for Reuters:

A Chinese couple sued Yahoo and its Chinese affiliates on Wednesday, alleging the Internet firms provided information that helped the Chinese government prosecute the man for his Internet writings.

Wang Xiaoning was sentenced to ten years in prison last year for "incitement to subvert state power" after he e-mailed electronic journals advocating democratic reform and a multi-party system.

His house and computer were searched in 2002.

In the complaint filed in U.S. District Court for Northern California, Wang and his wife Yu Ling charged the Internet firms turned over details to prosecutors that helped identify him to authorities.

More here.

Opinion: Banks Must Come Clean on ID Theft

Chris Jay Hoofnagle writes in The San Francisco Chronicle:

Two separate studies recently reached conflicting conclusions: While one found that identity theft is on the rise significantly, the other reported that it is on the decline.

So which is it?

There's no way to know because banks do not report to the public how often identity theft occurs, or how it happens. As long as the public is kept in the dark about the scope and evolution of identity theft, this form of fraud will thrive.

More here.

Beijing Blocks Baidu.com's Japan Website

A Bloomberg News article, via The International Herald Tribune, reports that:

Baidu.com, operator of the most-used Chinese Internet search engine, said its Japan Web site, which has links to pornography and critics of the Chinese government, has been blocked in mainland China.

The Japan site has not been accessible within mainland China for two days, Wei Fang, a Baidu spokesman, said Wednesday, declining to provide a reason. The site, which carries advertising from small and medium-sized Chinese companies, can be accessed from outside the mainland.

Wang Lijian, a spokesman for the Chinese Ministry of Information Industry, the nation's Internet regulator, declined to comment.

The blockage highlights the challenge of operating in a market where the government bans criticism against the state and denies access on the mainland to Web sites like the one for Amnesty International.

More here.

Oracle Updates Leave Critical Windows Flaw Unpatched

Robert McMillan writes on NetworkWorld:

Some Oracle customers using the Windows operating system will have to wait another two weeks to receive a critical software update to their database software, thanks to a glitch that came up in testing the company's latest patches.

On Tuesday, Oracle unveiled its quarterly release of software patches, fixing not only database flaws, but also bugs in a host of other applications. In total, the patches fix 36 vulnerabilities, 13 of which relate directly to the database.

More here.

BlackBerry Suffers Widespread Outage

John Blau writes on NetworkWorld:

The BlackBerry wireless e-mail service from Research In Motion Ltd. appears to have suffered a widespread outage starting Tuesday evening in the U.S.

Customers on the BlackBerry Forums discussion board complained of having no service starting at about 5.15 p.m. Pacific Time on Tuesday.

Callers to the BlackBerry U.S. technical support line were still greeted with the following message early Wednesday morning: "We are currently experiencing a service interruption that is causing delays in sending or receiving messages. We apologize for the inconvenience and will provide updates as soon as they become available."

New York television news channel NewsChannel4 reported Tuesday night that the problem affected "all users in the Western hemisphere." Postings to BlackBerry Forums indicated that the problem may be limited to North America, however.

More here.

ICANN Granted Temporary Restraining Order Against RegisterFly

Via the ICANN Blog.

RegisterFly has been ordered to hand over to ICANN current and accurate data for all of its domain names. ICANN’s application for a temporary restraining order (TRO) against RegisterFly was granted on Monday by US Federal Court Judge, Manuel J. Real.

Under the TRO, RegisterFly is also obliged to provide this data every seven days, plus immediately allow ICANN staff access to the company’s records and books in order to perform an audit.

More here.

Tuesday, April 17, 2007

New Zealand: Internet Outage Hits Tens of Thousands

Helen Twose writes on The New Zealand Herald:

Broadband customers across the country were left hanging for five hours after a routine overnight upgrade to Telecom's internet network crashed the system.

Telecom estimate tens of thousands of customers lost access to broadband at about 5.30 this morning until service was restored at 10.35am.

A second 20-minute outage occurred between about 11.20am and 11.40am when Telecom restarted its broadband systems.

Telecom spokesperson Sarah Berry said they were still investigating the source of the fault which affected customers nationwide.

"We suspect it is a fault with a router in Auckland," said Berry.

More here.

xkcd: Snopes and Black Helicopters


Click for larger image.


We love xkcd.

Vonage Says That It May Face Bankruptcy

A Reuters newswire article, via The New York Times, reports that:

The Internet phone service provider Vonage Holdings, which a federal court found had infringed on three patents owned by Verizon Communications, said its legal woes could lead to bankruptcy, according to a regulatory filing.

The filing yesterday with the Securities and Exchange Commission also detailed other risks from continuing litigation. They include the possible interruption of service, an inability to repay its debt and a decline in its stock that could lead to the delisting from the New York Stock Exchange.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Tuesday, April 17, 2007, at least 3,309 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,689 died as a result of hostile action, according to the military's numbers.

The AP count is two higher than the Defense Department's tally, last updated Tuesday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Wireless Problems Played Part in Chaos at Virginia Tech

Wayne Rash writes on eWeek:

The inability of students and others at Virginia Tech in Blacksburg, Va., to make cell phone calls during the April 16 shooting tragedy added to the chaos surrounding the events of the day, students and others have reported in media interviews.

Many students reported being unable to gain access to the wireless phone system either to place a voice call or to send text messages. The reason appeared to be due to a massive increase in wireless call volume, according to carriers serving the Virginia Tech campus.

More here.

UK ISP Disconnects Security Researcher for Revealing Vulnerability

Dan Goodin writes on The Register:

A 21-year-old college student in London had his internet service terminated and was threatened with legal action after publishing details of a critical vulnerability that can compromise the security of the ISP's subscribers.

BeThere took the retaliatory action four weeks after subscriber Sid Karunaratne demonstrated how the ISP's broadband routers can be remotely accessed by anyone curious enough to look for several poorly concealed backdoors. The hack makes it trivial to telnet into a modem and sniff users' VPN credentials, modify DNS settings and carry out other nefarious acts.

Alas, Karunaratne's February 22 posting originally included the specific password needed to carry out the attack - a tack from the "full disclosure" school of vulnerability reporting that is considered a no-no in many security circles. Less than 48 hours later, he removed the password information, but that didn't stop the ISP from exacting its retribution.

More here.

NY Attorney General Cuomo Slams Verizon Service

Via Reuters.

New York Attorney General Andrew Cuomo criticized telecommunications company Verizon Communications on Tuesday for "chronically poor" telephone repair service in the state.

Cuomo's comments come as the No. 2 phone company is trying to convince regulators and consumers that it can offer better service than cable companies. Verizon is expanding its fiber-optic network to offer high-speed Internet and video services, along with phone services, to compete with cable.

Cuomo said he had called on the New York State Public Service Commission (PSC), which regulates Verizon, to set stricter standards and require rebates for inadequate service.

More here.

Virginia Tech Tragedy: Sadness & Outrage



FOIA Fun - Or - How Phishers Hacked Into Indiana University

Christopher Soghoian writes on Slight Paranoia:

This post should probably be called Indiana Public Records Act Fun - but that doesn't quite roll off the tongue.

I signed up for an Indiana University email account in March or so of 2006. Between signing up and the start of school in September, I'd never used the email address for anything, and a Google query at the time for the address came back negative.

In mid June of 2006, I received a phishing email claiming to be from the IU credit union. The Indiana Daily Student later covered this incident. The article merely mentioned that phishing emails targetting the credit union had been sent out, and that a bunch of students had typed in their info. The article didn't explain how the phishers had learned the email addresses of the students, nor who had launched the attack.

More here.

'Reverse Hacker' Case Gets Costlier for Sandia Labs

Jaikumar Vijayan writes on ComputerWorld:

A wrongful termination lawsuit against Sandia National Laboratories that resulted in a jury award of more than $4.7 million in damages to Shawn Carpenter, a former security analyst at the organization, may be getting even more costly for the labs.

A district court judge in the state of New Mexico where the case was heard recently awarded a 15% per year post-judgment interest on the original award as allowed under state law. The amended final judgment means that interest in the amount of almost $60,000 per month is accumulating while Sandia's appeal against the jury award works it way through the courts.

More here.

Hacker, Thieves Obtain Ohio State University ID Data

Bill Bush writes on the Columbus Dispatch:

A hacker broke into an Ohio State University computer two weekends ago and stole the names, Social Security numbers, employee ID numbers and birth dates of more than 14,000 current and former faculty and staff members, the university said today.

And in a separate incident, the same information about 3,500 OSU chemistry students dating back a decade — including Social Security numbers and grades — were on two laptops stolen from the home of a professor in late February, the university said.

Ohio State apologized in letters sent Saturday to the staff and students whose information was stolen, university spokesman Jim Lynch said. Those affected will be offered a year of free credit protection from a private company to help them guard against the criminal misuse of their identities, he said.

In the case of the staff's information, Lynch said, someone using a foreign Internet address broke through a computer firewall the weekend of March 31-April 1 and accessed more than 14,000 records from an Office of Research database of about 190,000 current and former university employees.

More here.

(Props, Flying Hamster.)

House to Vote on Bill to Ban Web Site Names That Resemble Those of U.S. Agencies

David Cay Johnston writes in The New York Times:

Daniel M. O’Donnell, president of the San Francisco company that owns the Web site irs.com, is to ring the bell that begins trading on the American Stock Exchange this morning. Hours later, in Washington, the House is scheduled to vote on legislation that clarifies the law barring for-profit companies from using names that sound like official government agencies.

Twice in the last three weeks, the Internal Revenue Service commissioner, Mark W. Everson, has warned about confusion over the official Web site of his agency and commercial firms playing off that confusion.

A Web industry trade group, the Computer and Communications Industry Association, issued a statement last week warning consumers that Web sites like irs.com, irs.org and irs.net “make money by offering services that, in many cases, taxpayers could get for free through the I.R.S.’s official Web site, irs.gov.”

Intersearch.com, the firm that owns the irs.com Web site, says that it is fully complying with the law and that it sees no reason to inform shareholders of the pending legislation, said Jennifer Faye Drimmer, its legal counsel.

More here.

Europe: Spying on Employees' e-Mail is Illegal

Via The BBC.

A new ruling, which said a college had breached a woman's privacy by secretly monitoring her emails, means employers cannot spy on staff, say legal experts.

Lynette Copland, who works at Carmarthenshire College in west Wales, successfully sued her employer for breaching the Human Rights convention.

She was awarded more than £6,000 by the European Court of Human Rights.

Employment law solicitor Alison Love said if employers were going to monitor emails they must tell their employees.

More here.

Monday, April 16, 2007

DNS Showing Signs of Stress From Financial Maneuverings

Patrick Thibodeau writes on ComputerWorld:

Cybersquatting — the practice of registering Internet domain names that poach well-known trademarks — is profitable for just about everybody involved. Money is made off of registration fees and advertising, and even the regulator of the Domain Name System gets a piece of the action.

But it’s not so lucrative for corporate officials like Lynn Goodendorf, who heads global privacy at InterContinental Hotels Group PLC.

The Windsor, England-based company owns seven hotel chains, including Holiday Inn and Crowne Plaza, with more than 3,700 properties worldwide. Each day, Goodendorf gets about 100 e-mail alerts concerning potential trademark infringements from three different domain monitoring services.

More here.

Profiteers (And Perhaps Criminals?) Snap Up Virginia Tech Domains - UPDATE

Luke O'Brien writes on Threat Level:

The domains that were immediately purchased within 20 mins of the shooting are:

  • virginiatechshooting.com
  • virginiatechmassacre.com
  • vtmassacre.com
  • vtshooting.com

More here.

UPDATE: 13:47 17 April 2007: More details here.

UPDATE [2]: 17:33 17 April 2007: And yet more details emerge here.

Vonage Admits It Has No Workaround

Stephen Lawson writes on InfoWorld:

Vonage has acknowledged it has no workaround for technology that was found to infringe Verizon Communications patents and does not know if one is feasible.

The disclosure came Friday when the VoIP service provider made public additional information from an April 6 filing to the U.S. Court of Appeals for the Federal Circuit. The filing requests a permanent stay on the injunction issued March 23 in the U.S. District Court for the Eastern District of Virginia, which would prevent Vonage from signing up new customers. The appeals court granted Vonage a temporary stay the same day.

Vonage has said it was developing workarounds, or other ways of accomplishing the same tasks, to steer clear of the technology that it has been found to be infringing. The company is still working on those techniques, spokeswoman Brooke Schulz said Monday.

But in a section of the April 6 filing made newly public on Friday at the court's request, the company confirmed it has no such technique.

More here.

Lenders Misusing Student Database

Amit R. Paley writes in The Washington Post:

Some lending companies with access to a national database that contains confidential information on tens of millions of student borrowers have repeatedly searched it in ways that violate federal rules, raising alarms about data mining and abuse of privacy, government and university officials said.

The improper searching has grown so pervasive that officials said the Education Department is considering a temporary shutdown of the government-run database to review access policies and tighten security. Some worry that businesses are trolling for marketing data they can use to bombard students with mass mailings or other solicitations.

More here.

IPv6 is for Porn?

Todd Underwood writes on The Renesys Blog:

I've written about IPv6 in the past—mostly to point out how little traction it has been getting and how unlikely it has become that IPv6 will be the next network layer protocol. A new project hopes to change all that. A hint of how is available by noting that the same content can be found at http://www.ipv6porn.com/. The project describes it as follows:

"We're taking 10 gigabytes of the most popular 'adult entertainment' videos from one of the largest subscription websites on the Internet, and giving away access to anyone who can connect to it via IPv6. No advertising, no subscriptions, no registration. If you access the site via IPv4, you get a primer on IPv6, instructions on how to set up IPv6 through your ISP, a list of ISPs that support IPv6 natively, and a discussion forum to share tips and troubleshooting. If you access the site via IPv6 you get instant access to 'the goods'."

The founders of the project acknowledge one key IPv6 adoption barrier: the lack of content. There's a chicken-and-egg cycle between content and users.

More here.

Attack Code Raises Windows DNS Zero-Day Risk - UPDATE

Joris Evers writes on C|Net News:

The public release of computer code that exploits a yet-to-be-patched Windows security hole increases the possibility of widespread attacks, security experts have warned.

At least four exploits for the vulnerability in the Windows domain name system, or DNS, service were published on the Internet over the weekend, Symantec said in an alert Monday. In response, the Cupertino, Calif., company raised its ThreatCon to level 2, which means an increase in attacks is expected.

The security vulnerability affects Windows 2000 Server and Windows Server 2003. Microsoft last week warned that it had already heard of a "limited attack" exploiting the flaw. However, exploit code wasn't yet publicly available. Exploits may help miscreants craft malicious code that uses the vulnerability to compromise Windows systems.

More here.

UPDATE: 15:56 PDT: It would appear that at least one active exploit is now active in the wild. The SANS ISC says: "New Rinbot scanning for port 1025 DNS/RPC".

Sunday, April 15, 2007

Programming Note

Skyline, somewhere in Shinjuku, Tokyo, Japan.


So, I'm headed back to Tokyo today, and then on to Beijing for a couple of days, so posting will be kind of on & off for a few days...

Be well, thanks for reading, and be good to one another. - ferg