Saturday, May 12, 2007

Tracking Himself: The 'Orwell Project'

Jessica Dawson writes in The Washington Post:

Soon after the attacks of Sept. 11, 2001, the U.S. government mistook Hasan Elahi for a terrorist. On a return trip from Europe, the Bangladesh-born, New York-raised artist was flagged at the airport and interrogated. To prove his whereabouts, Elahi showed them his Palm PDA, a device that yielded enough information -- from calendar notes of appointments and classes he teaches at Rutgers University -- to placate his interrogators.

But shaking off the feds would not be easy. In the months after the first round of questioning, the FBI subjected Elahi to more interviews and to a lie-detector test. Though he passed the test, his paranoia grew.

The artist hatched a plan. If Big Brother wanted proof of his coordinates, why not surveil himself? Recording his own moves could, theoretically, seal his alibi. And, when conceived of as art project, the action might satirize federal intelligence gathering.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Saturday, May 12, 2007, at least 3,391 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,761 died as a result of hostile action, according to the military's numbers.

The AP count is nine higher than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Friday, May 11, 2007

Goshen College Reports Computer Security Breach

Via GoshenNews.com.

From May 5 to 7, a Goshen College [Indiana] computer was remotely accessed by a “hacker” with the suspected motivation of using the system to send spam e-mails, Goshen College officials said Friday.

The improper access involved a database containing information on about 7,300 current or prospective students, from fall 2003 to the present, as well as some of their parents.

The breach of the college’s computer security systems may have allowed a hacker to view the names, addresses, birth dates, Social Security numbers and phone numbers of students and some information on some parents.

Upon discovery of the attack, law enforcement was notified. While no data loss is suspected, Goshen College officials sent letters to students and parents who may have been affected.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Friday, May 11, 2007, at least 3,386 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,761 died as a result of hostile action, according to the military's numbers.

The AP count is four higher than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

U.S. House Backs FISA Court on Eavesdropping Issues

Bob Deans writes on The Atlanta Journal-Constitution's "Window on Washington":

Pushing back against the White House on warrantless wiretaps, the House early Friday approved a measure saying that court-issued warrants offer “the exclusive means” by which officials may eavesdrop on private conversations as a way to gather foreign intelligence information.

At issue is the administration’s practice of listening in - without receiving a warrant - on conversations between people in this country and abroad, when the administration has reason to suspect one party could have ties to a terrorist group.

President Bush has said the practice - which began shortly after the attacks of Sept. 11, 2001, but came to public light in late 2005 - is necessary to help the National Security Agency collect information that could help capture dangerous terrorists or head off another attack.

Civil liberties advocates have protested, however, insisting that the administration abide by the terms of the Foreign Intelligence Surveillance Act (FISA) of 1978.

More here.

10,000 Workers Go On Strike at Deutsche Telekom

An AP newswire article, via The Mercury News, reports that:

Some 10,000 employees of Deutsche Telekom AG walked off their jobs Friday, starting the first major strike against Europe's biggest telecommunications company since it was privatized more than a decade ago.

The move was the first of what could ultimately involve more than 20,000 employees of the Bonn-based company, which has seen its earnings fall amid a customer exodus from its fixed-line systems even as it moves to expand its cell phone and Internet access base both in Germany and abroad.

More here.

ICANN-RegisterFly Update

Kieren McCarthy writes on The ICANN Blog:

ICANN’s motion for civil contempt against RegisterFly has been granted by the court.

That means that ICANN is able, with the assistance of a law enforcement official, to enter RegisterFly’s premises and seize all its customers’ registration data, as well as gain access to RegisterFly’s books and records in order to carry out a full audit.

The Court also ordered the personal appearance of Kevin Medina and RegisterFly’s general counsel to show cause why further contempt sanctions should not be imposed. That hearing will take place later this month.

More here.

1.4 Million Chinese Infected Over Holiday Week

Via Virus Bulletin News.

Chinese computers, in heavy use with many people off work for the Labour Day holiday week, have suffered a major surge in malware infections, as a surge in the number of people browsing the web, shopping online, sharing files and playing online games has led to a similar surge in virus, trojan and spyware activity.

Local security and anti-virus company Kingsoft has reported over 1.4 million infections discovered, an alarming rise of over 30% on the same period last year, and the company's spokesman warned of a variety of malicious programs stealing banking and gaming details.

China is renowned for the huge popularity of online gaming among its citizens, with money to be made from hacked accounts making it a draw for hackers, and widespread use of filesharing and massive online file repositories make fertile ground for file-infectors like Fujacks.

More here.

AusCERT Ditches Annual e-Crimes Survey Due to Lack of Funding

Munir Kotadia writes on ZDNet Australia:

The Australian Computer Emergency Response Team (AusCERT) will not be publishing its annual e-crimes survey this year because the government has given funding to the Australian Institute of Criminology (AIC) instead.

In a statement received by ZDNet Australia today, an AusCERT spokesperson said the survey had been scrapped because funding from the Attorney General's office had been given to the AIC instead.

More here.

Schneier: Is Big Brother a Big Deal?

Bruce Schneier:

Big Brother isn't what he used to be. George Orwell extrapolated his totalitarian state from the 1940s. Today's information society looks nothing like Orwell's world, and watching and intimidating a population today isn't anything like what Winston Smith experienced.

Data collection in 1984 was deliberate; today's is inadvertent. In the information society, we generate data naturally. In Orwell's world, people were naturally anonymous; today, we leave digital footprints everywhere.

1984's police state was centralized; today's is decentralized. Your phone company knows who you talk to, your credit card company knows where you shop and NetFlix knows what you watch. Your ISP can read your email, your cell phone can track your movements and your supermarket can monitor your purchasing patterns. There's no single government entity bringing this together, but there doesn't have to be. As Neal Stephenson said, the threat is no longer Big Brother, but instead thousands of Little Brothers.

More here.

Massachusetts Man Indicted In Cisco Fraud Case

Via NBC11.com.

A Massachusetts man has been indicted by a San Jose grand jury on 30 felony counts of wire fraud and money laundering, federal prosecutors have announced.

Michael Daly, 53, allegedly engaged in a scheme to defraud Cisco Systems, Inc., of millions of dollars worth of equipment between June 2003 and February 2007.

Daly allegedly used phony identities, business names and addresses in 39 states to obtain equipment from the company without payment and then resold it, according to the U.S. Attorney's Office.

More here.

Google: 1 in 10 Webpages Contain Malware

Via The BBC.

One in 10 web pages scrutinised by search giant Google contained malicious code that could infect a user's PC.

Researchers from the firm surveyed billions of sites, subjecting 4.5 million pages to "in-depth analysis".

About 450,000 were capable of launching so-called "drive-by downloads", sites that install malicious code, such as spyware, without a user's knowledge.

A further 700,000 pages were thought to contain code that could compromise a user's computer, the team report.

To address the problem, the researchers say the company has "started an effort to identify all web pages on the internet that could be malicious".

More here.

Thursday, May 10, 2007

U.S. Government Working on Plan to Prevent Chaos in Wake of Nuclear Bombing of Major City

James Sterngold writes in The San Francisco Chronicle:

As concerns grow that terrorists might attack a major American city with a nuclear bomb, a high-level group of government and military officials has been quietly preparing an emergency survival program that would include the building of bomb shelters, steps to prevent panicked evacuations and the possible suspension of some civil liberties.

Many experts say the likelihood of al Qaeda or some other terrorist group producing a working nuclear weapon with illicitly obtained weapons-grade fuel is not large, but such a strike would be far more lethal, frightening and disruptive than the attacks of Sept. 11, 2001. Not only could the numbers killed and wounded be far higher, but the explosion could, experts say, ignite widespread fires, shut down most transportation, halt much economic activity and cause a possible disintegration of government order.

More here.

IRS Leans On Auction Sites to Spill Customer Information

Lisa Vaas writes on eWeek:

Would you trust eBay to keep your name, address and taxpayer identification number safe? What about uBid.com, or what about an obscure online broker you've never heard of?

The Center for Democracy and Technology is raising a red flag over the prospect after language appeared in the President Bush's budget that would require brokers of personal property—including online auction houses and consignment stores—to collect personal data from customers and to share it with the Internal Revenue Service.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Thursday, May 10, 2007, at least 3,383 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,761 died as a result of hostile action, according to the military's numbers.

The AP count is one higher than the Defense Department's tally, last updated Thursday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

SEC Warns Wall St. to Look Out for Impostors

A Reuters newswire article, via USA Today, reports that:

Should the Securities and Exchange Commission call you, be wary of who's on the other end of the line, the investor protection agency said in an impostor alert Thursday.

The SEC sent the message out to Wall Street, saying that unknown people have contacted securities companies by phone, identified themselves as SEC staffers and demanded immediate access to confidential information.

More here.

Google Shareholders Vote Against Anti-Censorship Proposal

Erik Larkin writes on PC World:

A majority of Google shareholders today voted against an anti-censorship proposal that took aim at the way the search giant conducts its business in China and other countries that engage in active censorship.

The company received a large amount of criticism last year on news that its Chinese search engine, Google.cn, engages in self-censorship. Patrick Doherty, who introduced the proposal on behalf of the New York City pension funds and the Office of the Comptroller of New York City, referred to Google's congressional testimony from last year (listed on Google's site), which acknowledged that "the requirements of doing business in China include self-censorship--something that runs counter to Google's most basic values and commitments as a company."

The proposal would have required that Google not engage in self-censorship of its products, Doherty said, and also that the company clearly disclose when any censorship had occurred.

More here.

Hackers Hijack Windows Update's Downloader

Gregg Keizer writes on InfoWorld:

Hackers are using Windows Update's file transfer component to sneak malicious code downloads past firewalls, Symantec researchers said Thursday.

The Background Intelligent Transfer Service (BITS) is used by Microsoft's operating systems to deliver patches via Windows Update. BITS, which debuted in Windows XP and is baked into Windows Server 2003 and Windows Vista, is an asynchronous file transfer service with automatic throttling -- so downloads don't impact other network chores. It automatically resumes if the connection is broken.

"It's a very nice component and if you consider that it supports HTTP and can be programmed via COM API, it's the perfect tool to make Windows download anything you want," said Elia Florio, a researcher with Symantec's security response team, on the group's blog. "Unfortunately, this can also include malicious files."

Florio outlined why some Trojan makers have started to call on BITS to download add-on code to an already compromised computer. "For one simple reason: BITS is part of the operating system, so it's trusted and bypasses the local firewall while downloading files."

More here.
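Because BITS jobs are created through a documented COM API and survive reboots, the jobs themselves are the most useful audit trail a defender has. The following PowerShell snippet is an added example, not code from the InfoWorld article or from Symantec: it lists every user's BITS jobs and flags transfers whose remote source is not one of a hypothetical allow-list of update hosts (`$trustedHosts` is an assumption; replace it with your WSUS or update server names). It uses the `BitsTransfer` module that ships with PowerShell on Windows 7 / Server 2008 R2 and later and needs an elevated prompt for `-AllUsers`.

```powershell
# Added example: audit BITS jobs for every user and flag unexpected sources.
# Not part of the article or Symantec's post; run from an elevated prompt.
Import-Module BitsTransfer

# Assumption: hosts a legitimate Windows Update transfer is expected to use.
# Replace with your own update infrastructure (e.g. an internal WSUS name).
$trustedHosts = @(
    'windowsupdate.com',
    'update.microsoft.com',
    'download.windowsupdate.com',
    'microsoft.com'
)

function Test-TrustedHost {
    param([string]$Url)
    # A malformed RemoteName is treated as untrusted rather than ignored.
    try { $h = ([System.Uri]$Url).Host } catch { return $false }
    foreach ($t in $trustedHosts) {
        if ($h -eq $t -or $h.EndsWith(".$t")) { return $true }
    }
    return $false
}

# One output row per file in every job, so a job pulling several payloads
# shows each remote URL on its own line.
Get-BitsTransfer -AllUsers | ForEach-Object {
    $job = $_
    foreach ($f in $job.FileList) {
        [pscustomobject]@{
            Owner   = $job.OwnerAccount
            Name    = $job.DisplayName
            State   = $job.JobState
            Created = $job.CreationTime
            Remote  = $f.RemoteName
            Local   = $f.LocalName
            Flag    = if (Test-TrustedHost $f.RemoteName) { '' } else { 'UNEXPECTED-SOURCE' }
        }
    }
} | Sort-Object Flag -Descending | Format-Table -AutoSize
```

On Windows XP and Server 2003, where these cmdlets are not available, `bitsadmin /list /allusers /verbose` prints the same job list (owner, display name, state and the remote/local file pairs) for manual review. Jobs owned by ordinary user accounts, or whose local path points into a temp or profile directory while the remote host is not an update server, are the ones worth examining first.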

The Ultimate Insider: FBI Analyst Steals National Secrets

Sharon Gaudin writes on InformationWeek:

On the morning of Aug. 5, 2005, an FBI intelligence analyst sat at his desk and accessed the agency's main database. He downloaded a classified document, copied it onto a disc and dropped it into a bag beside his desk.

Leandro Aragoncillo -- a career Marine who had served under two vice presidents in the White House -- was stealing information in an attempt to foster a political coup in the Philippines, his home country. He knew he had no authorization to take or pass along the information, but, so far, it had been so easy.

What Aragoncillo didn't know was that on this particular morning, after nearly four years of espionage, the feds were spying on the spy. Agents were watching him at his desk via video surveillance. At the end of the workday, the man who was set up as the perfect inside threat took the bag with the disc inside and left the office. Agents tailed him as he drove home and took the bag, with the stolen classified information, inside.

More here.

FBI Gets One Year Stay in Electronic Surveillance Suit

Via The FOIA Blog.

Judge Colleen Kollar-Kotelly of the District Court for the District of Columbia has granted the FBI a one year stay in processing the Electronic Frontier Foundation's ("EFF") request to it for information on the electronic surveillance systems known as DCS-3000 and Red Hook.

The FBI had sought a stay of twenty-seven months. However, the Court knocked a full year off of its stay even though the Court found that the FBI had established exceptional circumstances that allowed it a stay to process the FOIA request. There are some interesting findings in the case. Initially, the Court found that EFF's failure to narrow its request wasn't to be held against it because EFF had argued that it didn't get adequate information from the FBI in order to narrow the request. The Court also found that litigation deadlines at the FBI weren't a reason to establish exceptional circumstances allowing for a stay.

More here.

Phishing, Brandjacking and Little Progress on User Awareness

Via Real-Time Messaging & Web Security.

A recent survey by MarkMonitor finds phishing and kiting (quickly registering and dropping domain names similar to those of legitimate sites) are, not surprisingly, on the rise. The study tracked the world's top 25 brands along with others from eight industrial groups from early March to early April. The numbers make it clear how bad the problem is:

"MarkMonitor found major brands suffered, on average, 286,000 examples of cybersquatting over the four-week-long survey, far and away the most common abuse detected."

"Clickfraud—or siphoning off consumers via fake pay-per-click ads—was identified 50,743 times, while e-commerce fraud occurred 21,093 times and kiting 11,015. These figures represent the four-week average for each brand."

More here.

California Jury Finds Chinese-Born U.S. Citizen Guilty of Stealing Military Data

An AP newswire article, via MSNBC, reports that:

Jurors convicted a Chinese-born engineer Thursday of conspiring to export U.S. defense technology to China, including data on an electronic propulsion system that could make submarines virtually undetectable.

Chi Mak also was found guilty of being an unregistered foreign agent. Prosecutors had dropped a charge of actually exporting defense articles.

More here.

Coalition Against Domain Name Abuse


Via CADNA.org.

The Coalition Against Domain Name Abuse (CADNA) is a registered 501(c)(6) non-profit organization dedicated to facilitating dialogue, effecting change, and spurring action on the part of policymakers to close a loophole that enables massive domain name abuse and to decrease occurrences of cybersquatting in all of its forms through the revision of current anti-cybersquatting legislation.

With pro-abuse groups already organized in Washington and the recent election of new leadership in both houses of Congress, the time to act is now.

By educating the public, lobbying the relevant agencies of jurisdiction in the United States government, and promoting new legislation in Congress, CADNA aims to effectively exert pressure on the Internet Corporation for Assigned Names and Numbers (ICANN) to close the 5-day add/drop grace period loophole, and take decisive action on related abuses by registrars and domain name registrants.

The prohibition of the tactics used by cybersquatters is an important first step in CADNA’s fight against domain name abuse, but it is not the only step. CADNA will also act to amend existing laws to more effectively deter cybersquatting in all its forms.

In keeping with its commitment to combat domain name abuse and abusers, CADNA will propose draft legislation to Congress to increase the statutory damages set forth in the Anti-Cybersquatting Consumer Protection Act (ACPA) and close other loopholes presently being exploited under current law.

More here.

(Props, DomainTools Blog.)

Teen Charged in AOL Hacks is a Fall Guy, Says Crime Mentor

Kevin Poulsen writes on Threat Level:

Mike "Virus" Nieves, the 17-year-old Staten Island kid charged in New York last month for a massive AOL hacking spree, is taking the rap for a lot of AOL hijinks that he had nothing to do with, says "Smokey", a self-professed ringleader in the AOL hax0ring scene who claims to have tutored the teen in the company's arcane systems.

"I was there step by step, telling him everything to do all the way," says Smokey, 21, a New Yorker himself, and the proprietor of AOLGang.com. "He's only been doing this for two years, and I've been doing this since … I was 13 or 14."

Nieves is charged with four felonies and a misdemeanor for allegedly hacking into 60 different AOL employee and contractor accounts using an e-mailed Trojan horse, gaining access, according to the complaint, to "internal AOL computer networks and databases, including customer billing records, addresses and credit card information."

More here.

Fear Of Identity Theft Discourages Consumers From Banking Online

Deena M. Amato-McCoy writes on Bank Systems & Technology:

For fear of becoming the next victim of identity theft, 150 million U.S. consumers don't bank online, according to experts. But the banking industry could improve profitability by as much as $8.3 billion per year if banks build consumers' confidence in online security, according to the TriCipher Consumer Online Banking Study, conducted by Javelin Strategy & Research (Pleasanton, Calif.) for TriCipher, a Los Gatos, Calif.-based authentication solutions provider.

The study, which was based on online survey responses from 3,349 U.S. adult consumers, reports that 31 million customers would feel safe enough to begin banking online and another 39 million online users would increase their online banking activity if their banks offered free identity protection software. Further, while only 6 percent of survey respondents have been victims of identity theft or fraud, 41 percent -- which translates to more than 88 million U.S. online banking customers -- would change banks or reduce their online service usage if their individual institution was compromised by a data breach, the study says, making identity protection a significant competitive differentiator.

More here.

Sweden: Fraudsters Hijack 10,000 SEB Credit Cards

Via The Local (Sweden).

Credit and debit card numbers belonging to at least 10,000 SEB customers could have been hijacked by fraudsters, the bank has admitted.

"Other banks are hit by this too," bank spokeswoman Kerstin Ottosson said.

Eurocard announced on Tuesday that 1,000 customers were hit by a similar fraud attempt.

SEB received the first indications that something was amiss about ten days ago. The bank says that hackers broke into a national computer system handling card payments for shops, hotels and other retailers.

Ottosson said that card information should never be stored by payment systems, but said in this case it had been.

"That's a criminal act, pure and simple," she said.

The card numbers allowed the fraudsters to buy goods over the internet and to forge new cards.

More here.

(Props, Pogo Was Right.)

Wednesday, May 09, 2007

BBC Raises Concerns Over Internet Child Porn Inquiry

Via The BBC.

A BBC investigation has raised concerns about the way the UK's biggest internet child porn inquiry was conducted.

Operation Ore focused on a list of over 7,000 people who used credit cards to buy illegal porn from a US website.

Lawyers and computer experts have told BBC Radio 4's 'The Investigation' that many of those arrested may have been innocent victims of credit card fraud.

Police say some on the list may have been fraud victims, but deny that any of them were subsequently prosecuted.

More here.

SCADA Systems Vulnerabilities Exposed

Matt Hines writes on the InfoWorld "Zero Day Security" Blog:

Ironically, as I was busy piecing together Tuesday's story on infrastructure systems security trends, I missed the fact that researchers were reporting what are believed to be the first remotely-exploitable vulnerabilities in so-called Supervisory Control And Data Acquisition (SCADA) systems.

In essence, the research forwards tangible proof of remotely exploitable flaws in products used to manage facilities such as oil and gas refineries, electrical power grids and nuclear power plants.

According to researchers with industrial security specialists Neutralbit, based in Barcelona, Spain, the company has uncovered five different problems in the OPC protocol -- the OLE (Object Linking and Embedding) for Process Control industry standard -- which is used to help foster communication of plant data between control devices made by different manufacturers.

The vulnerabilities, present in a number of systems, could allow for a range of different performance-sapping or denial-of-service type attacks on affected SCADA operations, Neutralbit reported.

More here.

Spying in the Death Star: The AT&T Whistle-Blower Tells His Story

Ryan Singel writes on Wired News:

Mark Klein, a retired AT&T technician, sits quietly at the center of a high-profile legal storm hitting the nation's largest telecommunications companies for allegedly helping the government spy on American citizens' phone and internet communications without court approval.

In 2006, Klein stepped forward and handed sensitive AT&T documents to the Electronic Frontier Foundation, a civil liberties group that was preparing a class-action lawsuit against the telecommunications giant. That case and more than 50 similar suits have been consolidated into five master complaints that are now proceeding in a federal court in San Francisco. This summer, the 9th U.S. Circuit Court of Appeals will hear AT&T's appeal of a key ruling that rejected the government's national security concerns and allowed the suit to continue.

More here.

Chinese Business Leaders Agree to Buy $4.3 Billion in U.S. Technology

Michael Liedtke writes in The Washington Post:

A delegation of Chinese business leaders on Wednesday committed to buying $4.3 billion in U.S. technology, hoping to soften a political backlash to the massive trade imbalance dividing two of the world's economic powers.

The agreements were trumpeted at a ceremony staged two weeks before the scheduled start of government talks in Washington, where leaders will try to tackle the United States' $232 billion trade deficit with China and other prickly issues.

More here.

Cisco Accused of Employee Discrimination

Sara Jane Tribble writes in The Mercury News:

Cisco Systems, one of Silicon Valley's biggest employers, has been accused by a federal agency of discriminating against minority job candidates.

The U.S. Equal Employment Opportunity Commission has determined after reviewing five separate 2005 job applicant complaints that Cisco "demonstrated an ongoing pattern and practice of not hiring qualified, minority candidates based on their race, color and national origin," according to EEOC letters released to the Mercury News.

None of the applicants are from the Bay Area; four are from Texas, and the fifth is from Tennessee. Four are African-American and one is Asian American.

On Wednesday, the San Jose company denied the allegations - particularly the assertion about an ongoing pattern of discrimination.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Wednesday, May 9, 2007, at least 3,380 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,751 died as a result of hostile action, according to the military's numbers.

The AP count is eight higher than the Defense Department's tally, last updated Wednesday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Java Security Traps Reportedly Getting Worse

Lisa Vaas writes on eWeek:

A year ago at JavaOne, Fortify Software Founder and Chief Scientist Brian Chess gave a presentation titled "12 Java Technology Security Traps and How to Avoid Them."

A year later, how far have we come in addressing those inherent vulnerabilities, which include XSS (cross-site scripting), SQL injection and native methods that allow the import of C or C++ code—along with its bugs? Not a smidge—unless you count going backwards.

It's gotten worse, Chess said in an interview with eWEEK, "and I've got evidence to prove it."

Fortify, which markets source-code analysis technology, has access to a large database of common Java programming errors and vulnerabilities, gleaned not only from its customers but also from a year of running the Java Open Review project.

More here.

Note: I agree: Java and JavaScript, while "enabling the Web 2.0 revolution", are also making the Internet a much more dangerous place. - ferg

Yet Another High Tech Company With Spambots: Intel

Rick and Adam:

Question: Do bots affect high tech companies too? Answer: Yes, even high tech companies fall prey to these crimes. Today we have Intel squirting out botspam with the best of 'em, in a very recent infection somewhere on their network.

A trio of IP addresses, all with no reverse DNS, have been firing off stock pump and dump, viagra, and home loan spam the past few days - the first of this run being spotted on April 29th.

All are routed via origin AS 4983 INTEL-SC-AS - Intel Corporation - the first being domestic, and the latter two routing to approximately Haifa, Israel.

More here.

Quote of the Day: Paul Vixie

"In rough terms, it makes everything we thought was bad, a thousand times worse. It can be exploited by any greedy Estonian teenager with a $300 Linux machine."

- Paul Vixie, quoted in a SecurityFocus interview on the recent IPv6 Type 0 Routing Header (RH0) "vulnerability".

Use BitTorrent in Germany, Get Your Internet Disconnected

Via TorrentFreak.

Last night, heads of the international music industry had ‘crisis’ talks with Chancellor Angela Merkel in Berlin, centering on the International Federation of the Phonographic Industry’s claim that the German music market has declined 50% since 2002. Demands came for more assistance to help the industry against piracy and measures to make ISPs take action against their own customers when the music industry feels they may be trading copyright material.

Indeed, the IFPI have something specific in mind. They would like to ‘introduce an obligation on ISPs to terminate service to subscribers abusing the service to make infringing content available’. Potentially, that means terminating your internet access if you’re caught uploading one track. But if you prefer to take it literally, ‘making available’ means that a track sitting in your shared folder that you have never uploaded to anyone, could cost you your internet connection. Quite a punishment. To make matters worse, uploading is built into the BitTorrent protocol so using torrents and not falling foul of these demands becomes almost impossible.

More here.

UK: Virgin Media Loses Nearly 50k Customers in 3 Months After Spat with Sky

No Jack Bauer for Virgin customers.

Via The Daily Mail.

Virgin Media today revealed the cost of its spat with rival BSkyB as it reported a loss of 46,900 customers in the first three months of the year.

The company, rebranded from NTL after the cable operator bought Virgin Mobile and Telewest last year, said only 184,300 customers had signed up in the first quarter compared with 213,500 in the previous three months.

BSkyB withdrew its basic channels at the end of February when the two groups failed to agree on contract renewal terms.

Virgin Media's net customer loss, which takes into account the number of new customers, less those leaving the group, was compounded by poor performance within its fixed line telephone offering and increased competition in the market.

More here.

Cyber Crime Update: Is Organized Crime Moving Into Cyber Space?

The answer, in my opinion, is an unqualified "Yes." - ferg

Bob Brown writes on NetworkWorld:

As if FBI special agent Tim O’Brien and his cybercrime fighting comrades don’t already have their hands full with bot herders, virus writers and other loosely-aligned crooks, now people are wondering when more traditional organized crime will grab a piece of the action.

Following his presentation at CIO Forum, O’Brien was asked by one technology pro about whether the real-life Tony Sopranos of the organized crime world have caught the cybercrime bug.

“I don’t think traditional organized crime in this country is involved in the cybersphere yet, but that’s certainly a possibility,” he says. “A lot of it’s benign crime…it goes under the radar and most people don’t know anything about it. It’s not murder, it’s not racketeering, it’s stuff that’s not going to make a headline. The chances of making a tremendous amount of money off that without getting caught are much higher than going out and murdering your enemies.”

More here.

Ex-Sept. 11 Panel Chiefs Eye Privacy Board

Via UPI.

The former leaders of the U.S. Sept. 11 Commission have questioned the record of the first year of the White House Privacy and Civil Liberties Oversight Board.

"What civil liberties have been specifically protected or enhanced by your actions? What corrections in policies, procedures or regulations have you achieved?" the commission chairman, former New Jersey Republican Gov. Tom Kean, and his deputy, former Rep. Lee Hamilton, wrote in a politely worded but skeptical letter to the board.

Kean and Hamilton wrote that their letter was a response to the board's 49-page report to Congress last month detailing its activities since the administration established it in March 2006.

More here.

Court: Googling an Employee's Name is Not a Federal Offense

Linda Rosencrance writes on ComputerWorld:

A panel of three federal judges upheld a decision by the Merit Systems Protection Board (MSPB) that says a fired federal employee wasn't harmed when a federal official used the Google search engine to research his prior work history.

The decision by the federal judges stemmed from the 2005 firing of David M. Mullins, an employee of the U.S. Commerce Department. Mullins was fired for misusing a government vehicle and credit card and falsifying travel documents.

After he was fired, Mullins appealed to the MSPB, a Washington-based independent quasi-judicial agency established to ensure adequate protection for employees against abuses by agency management.

More here.

Report Alleges Child Porn, Virtual Sex Ring Found in Second Life

Via CBC News.

German authorities are probing the online virtual world Second Life after the release of a television news report that alleges some members are involved in a simulated child sex ring that trades real child pornography.

Police are seeking to identify members of the Second Life group who traded and paid for sex with child-styled avatars or digital representations of people, BBC and Deutsche Welle news services said after the allegation was reported Tuesday by the SWR public broadcaster's Report Mainz television news magazine.

More here.

Sprint Nextel Files Lawsuit Against Alleged 'Traffic Pumping'

Kelly Hill writes on RCR Wireless News:

Sprint Nextel Corp. has joined the cadre of telecom companies who have sued small Iowa operators and Internet calling services for alleged “traffic pumping,” while the small companies themselves have formed a coalition to formally oppose the telcos’ efforts.

Sprint Nextel’s complaints virtually mirrored those of earlier filings by AT&T Inc. and Qwest Communications International Inc. The carrier said that rural local exchange companies in Iowa have been partnering with companies that offer free conference or international calls and adult chat lines.

More here.

Six in California Indicted for Online Bank Fraud

Dan Goodin writes on The Register:

Six California men accused of breaking into online bank accounts and funneling out the proceeds have been indicted for bank and wire fraud and money laundering. The 53-count indictment could carry a sentence of as much as 30 years in prison and a fine of $1m.

The defendants, all from Fresno, allegedly netted $383,000 in the scheme, which ran from November 2003 to July 2004, according to the indictment, which is surprisingly vague on some key details about how they pulled it off. Two of them "acquired a software program from a free online source which allowed them to scan/surf the Internet for shared resources on other computers and which allowed the defendants to access those computers for its program backup files."

More here.

Some Profit Off Virginia Tech Domain Names

An AP newswire article by Kristen Gelineau, via USA Today, reports that:

When Fred McChesney heard about the Virginia Tech shooting spree on April 16, he was appalled. But what he did next has appalled many others. Within hours of the rampage, the Phoenix man began buying dozens of domain names — CampusKillings.com, VirginiaTechMurders.com, SlaughterInVirginia.com — in the hopes of selling them later to the highest bidder.

McChesney, 48, said he saw it as an opportunity to show his contempt for firearms by featuring anti-gun content on the domains he is selling.

He also saw it as an opportunity to cash in.

"Everyone is profiting off of this," McChesney said. "I'm not hurting anyone."

More here.

Convergence of Physical and IT Security is Becoming a Necessity

William Jackson writes on GCN.com:

Physical attacks increasingly will be accompanied by cyber attacks that will magnify the impact of the assault or hamper response, according to analysts with the U.S. Cyber Consequences Unit.

"In the future, we will see that cyber vulnerabilities will determine where physical attacks will take place," Scott Borg, director and chief economist of the US-CCU said Wednesday at the GovSec conference being held in Washington.

Combining physical and IT security will be necessary to provide adequate protection to the nation's critical infrastructure, he said. "Physical security is becoming utterly dependent on cyber security," Borg said. “And cyber security is becoming utterly dependent on physical security. Handling these things separately is not going to be possible for very much longer and do a good job.”

The Cyber Consequences Unit is a government-funded independent research organization that looks at real world vulnerabilities and consequences of security breaches. Much of the research is done with on-site examinations of facilities.

More here.

Bogus Computer Expert Goes From Witness To Federal Prison

Sharon Gaudin writes on InformationWeek:

A so-called computer forensics expert who has served as an expert trial witness has pleaded guilty in federal court to falsifying his credentials.

James Earl Edmiston, 36, of Long Beach, Calif., pleaded guilty before a U.S. District judge in Fresno, Calif. to two counts of perjury. He faces a maximum of 10 years in prison and a fine of $500,000.

Edmiston admitted in a plea agreement that he had been retained by two Fresno-based criminal defense attorneys to provide computer forensic analysis in several child exploitation prosecutions. As part of his work on those cases, Edmiston prepared and executed several declarations under penalty of perjury between April 3, 2006, and July 19, 2006, according to a release from the U.S. Attorney's Office.

More here.

Five ISPs Hosting One-Third of All Malware?

Via StopBadware.org.

StopBadware.org [...] today released comprehensive data detailing the five companies that host the largest number of websites listed in its Badware Website Clearinghouse. These five companies combined host a large number of websites that have been identified as distributing malicious software to Internet users.

This announcement is the latest in a series of reports and analyses released by Harvard Law School's Berkman Center for Internet & Society and Oxford University's Oxford Internet Institute as a part of an ongoing effort to battle "badware" - malicious applications such as malware, spyware, or deceptive adware that fundamentally disregard the choices Internet users make about their own computers.

"Badware used to be something that you downloaded onto your computer," said John Palfrey, co-director of StopBadware.org and Executive Director of the Berkman Center for Internet & Society at Harvard Law School. "Today, badware can infect your computer when you just visit a website. This list of web hosting companies, pulled from our database of sites that are infected with badware, shows some companies that host a large number of sites that may suffer from unaddressed security issues. These security flaws mean that webmasters who use these hosting services may be more at risk of their sites being hacked."

More here.

EFF Files Suit Against 'Paranormalist' Uri Geller - UPDATE

Via The EFF.

The Electronic Frontier Foundation (EFF) filed suit Tuesday against Uri Geller -- the "paranormalist" famous for seemingly bending spoons with his mind -- on behalf of a YouTube critic who was silenced by Geller's baseless copyright claims.

EFF's client, Brian Sapient, belongs to a group called the "Rational Response Squad," which is dedicated to debunking what it calls irrational beliefs. As part of their mission, Sapient and others post videos to YouTube that they say demonstrate this irrationality. One of the videos that Sapient uploaded came from a NOVA program called "Secrets of the Psychics," which challenges the performance techniques of Geller.

More here.

UPDATE: 16:43 PDT: Apparently, a second lawsuit has now been filed by Mr. Geller's company, too.

Escaping the 'Data Panopticon': Computers Must Learn to Forget

Nate Anderson writes on ARS Technica:

The rise of fast processors and cheap storage means that remembering, once incredibly difficult for humans, has become simple. Viktor Mayer-Schönberger, a professor in Harvard's JFK School of Government, argues that this shift has been bad for society, and he calls instead for a new era of "forgetfulness."

Mayer-Schönberger lays out his idea in a faculty research working paper called "Useful Void: The Art of Forgetting in the Age of Ubiquitous Computing," where he describes his plan as reinstating "the default of forgetting our societies have experienced for millennia."

Why would we want our machines to "forget"? Mayer-Schönberger suggests that we are creating a Benthamist panopticon by archiving so many bits of knowledge for so long. The accumulated weight of stored Google searches, thousands of family photographs, millions of books, credit bureau information, air travel reservations, massive government databases, archived e-mail, etc., can actually be a detriment to speech and action, he argues.

More here.

Cisco Security Advisory: Multiple Vulnerabilities in the IOS FTP Server

Via Cisco Systems.

Multiple vulnerabilities exist in the Cisco IOS File Transfer Protocol (FTP) Server feature. These vulnerabilities include Denial of Service, improper verification of user credentials and the ability to read or write any file in the device's filesystem, including the device's saved configuration, which may include passwords or other sensitive information.

The IOS FTP Server is an optional service that is disabled by default. Devices that are not specifically configured to enable the IOS FTP Server service are unaffected by these vulnerabilities.

This vulnerability does not apply to the IOS FTP Client feature.

More here.
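The advisory's key operational point is that only devices explicitly configured with the IOS FTP Server are exposed. As an added example (not from Cisco or the advisory), the audit below scans IOS running-config text for the documented `ftp-server enable` / `no ftp-server enable` commands and reports which devices need the workaround; the hostnames and config snippets are constructed sample data.

```python
"""Audit Cisco IOS running-config text for the optional IOS FTP Server.

Added example, not part of the Cisco advisory. The advisory states the
FTP server is disabled by default and only explicitly enabled devices are
affected. 'ftp-server enable' / 'no ftp-server enable' are the documented
IOS global-config commands; the device names and configs are constructed.
"""
import re
from dataclasses import dataclass

# Matches 'ftp-server enable' and 'no ftp-server enable' on a global-config
# line (IOS prints global commands without indentation; we strip anyway).
_FTP_ENABLE_RE = re.compile(r"^(no\s+)?ftp-server\s+enable\s*$", re.IGNORECASE)


@dataclass
class FtpAudit:
    hostname: str
    ftp_enabled: bool
    remediation: str


def _hostname(config: str) -> str:
    """Pull the 'hostname <name>' line out of a config, if present."""
    for line in config.splitlines():
        m = re.match(r"^hostname\s+(\S+)", line.strip())
        if m:
            return m.group(1)
    return "<unknown>"


def audit_ios_ftp_server(config: str) -> FtpAudit:
    """Return whether the IOS FTP Server feature is enabled in a config.

    The last matching line wins, mirroring how IOS applies commands in
    order: a later 'no ftp-server enable' undoes an earlier enable.
    Absence of the command means the default (disabled) applies.
    """
    enabled = False  # default per the advisory: disabled unless configured
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("!"):  # IOS comment / section separator
            continue
        m = _FTP_ENABLE_RE.match(line)
        if m:
            enabled = m.group(1) is None
    remediation = ("apply 'no ftp-server enable' (advisory workaround)"
                   if enabled else "none required (feature disabled)")
    return FtpAudit(_hostname(config), enabled, remediation)


# Constructed sample configs (not real devices).
SAMPLE_CONFIGS = [
    "hostname edge-rtr-1\n!\nftp-server enable\nftp-server topdir flash:\n!\nend\n",
    "hostname core-sw-2\n!\nno ftp-server enable\n!\nend\n",
    "hostname branch-rtr-3\n!\ninterface Loopback0\n"
    " ip address 10.0.0.1 255.255.255.255\n!\nend\n",
]


def exposed_devices(configs):
    """Hostnames of devices that still need the advisory's workaround."""
    return [a.hostname for a in map(audit_ios_ftp_server, configs) if a.ftp_enabled]


if __name__ == "__main__":
    for cfg in SAMPLE_CONFIGS:
        a = audit_ios_ftp_server(cfg)
        print(f"{a.hostname}: ftp_enabled={a.ftp_enabled}; {a.remediation}")
```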

Toon: Bogged Down


Tuesday, May 08, 2007

Germans Wary of Security Measures

Jeffrey Fleishman writes in The Los Angeles Times:

Depending upon one's political persuasion or level of anxiety, German Interior Minister Wolfgang Schaeuble is either a dogged defender against terrorism or a man out to strip away civil liberties by hacking into computers and bank accounts in pursuit of militants.

Since Sept. 11, 2001, governments around the world have confronted the balance between individual rights and national security, but that dilemma is particularly sensitive in this nation, where spying during the Nazi era and the Cold War left bitter memories of state interference.

Opposition lawmakers say Schaeuble, who told a German magazine recently that suspected militants should be denied the presumption of innocence, is exploiting Germans' fear of terrorism to expand the powers of police and intelligence services. Some officials here view the debate as similar to the one in the U.S. over constitutional questions raised by the Patriot Act.

More here.

Leahy, Others Speak Out Against New ID Standards


Ellen Nakashima writes in The Washington Post:

Senate Judiciary Committee Chairman Patrick J. Leahy (D-Vt.), citing concerns about Americans' privacy, signaled yesterday that he will push to repeal a provision of a 2005 law aimed at creating new government standards for driver's licenses.

Leahy, who has co-sponsored bipartisan legislation to repeal the provision, spoke out as the debate intensified over the Real ID Act, which requires states to create new tamper-proof driver's licenses in line with rules recently issued by the Department of Homeland Security. States must begin to comply by May 2008 but can request more time. After 2013, people whose IDs do not meet those standards will not be allowed to board planes or enter federal buildings.

A similar Democrat-backed bill to repeal the provision is pending in the House. At least seven states have passed laws or resolutions opposing implementation of Real ID. Fourteen states have legislation pending. By yesterday, the DHS had received more than 12,000 public comments in response to the rules.

More here.

Quote of the Day: Michael Hampton

"We are all unique people. Allowing this stupidity to go forward is just one of many steps towards suppressing that uniqueness and moving us all toward the democratic ideal of mindless automatons who always follow the rules, never question our masters, and never, never express our individuality."

- Michael Hampton, writing over on Homeland Stupidity, about a bill introduced by U.S. Sen. Ted Kennedy (D-Mass.) regarding parties who perpetrate "hoax" terror threats.

Analysis: Airlines Will Take Fingerprints

Shaun Waterman writes for UPI:

U.S. airlines are "apoplectic" about Department of Homeland Security plans to make them collect fingerprints to verify the identity of departing international visitors, according to a senior lawmaker.

Rep. John Mica, R-Fla., the ranking member of the House Aviation Subcommittee, said he had spoken with representatives of the airlines about the proposal, and "They are apoplectic."

Mica told United Press International he himself had "significant concerns" about the plans for the so-called exit component of U.S.-VISIT, the Homeland Security system that biometrically verifies the identity of many foreign visitors to the United States.

Airline-industry representatives declined to comment to UPI, saying they did not have enough information about the plan.

More here.

Union Sues TSA Over Personal Data Loss

An AP newswire article by Michael J. Sniffen, via The Washington Post, reports that:

Airport security screeners filed suit Tuesday to expand the Transportation Security Administration's response to its loss of Social Security numbers, bank data and payroll information for about 100,000 employees.

If the data, which was contained on a lost computer hard drive, "were to fall into the wrong hands, false identity badges easily could be created in order to gain access to secure areas," said John Gage, president of the American Federation of Government Employees.

"A Department of Homeland Security agency that cannot even shield its own employee data is not reassuring."

More here.

University of Missouri Computer Attack Leaves 22,000 Vulnerable

Sara Semelka writes in The Columbia Tribune:

A recent attack on the University of Missouri system computer database allowed an unknown hacker, or several hackers, to retrieve 22,396 names and Social Security numbers of individuals associated with the university.

The people affected by the security breach are employees of any campus in the UM system during the 2004 calendar year who were also current or former students at the Columbia campus.

The hacker accessed the information through a Web page used to make queries about the status of trouble reports to the information technology help desk, based in Columbia.

According to the university, the information from 2004 had been compiled for a report and the resulting data was not removed from the computer system. The information has been removed since the attack was discovered late last week.

More here.

(Props, attrition.org.)

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Tuesday, May 8, 2007, at least 3,378 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,750 died as a result of hostile action, according to the military's numbers.

The AP count is seven higher than the Defense Department's tally, last updated Tuesday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Programming Note

So I spent all day rebuilding my laptop hard drive, and I think I'm relatively good to go (finally). I should be back posting regularly to the blog later tonight, or at least in the morning.

Thanks for your patience!

- ferg

Monday, May 07, 2007

Comcast Porn Gaffe: Not The Disney Channel

Adam Nichols writes in The New York Daily News:

Some New Jersey tots got an adult education yesterday when a cable TV giant replaced a Disney cartoon with hardcore pornography.

The "Handy Manny" cartoon on Playhouse Disney was abruptly interrupted yesterday morning when Comcast honchos mistakenly aired the porno in sections of Jersey.

"What are they doing?" a 5-year-old boy asked his parents when an explicit sexual scene showed up on his TV screen.

The boy's father, Paul Dunleavy, was appalled.

"It was two people doing their thing, it was full-on and it was disgusting," said Dunleavy, who asked that his son not be named. "It wasn't something you'd expect to see on Cinemax, never mind Disney."

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Monday, May 7, 2007, at least 3,376 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,747 died as a result of hostile action, according to the military's numbers.

The AP count is nine higher than the Defense Department's tally, last updated Monday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Homeland Security's Own Privacy Panel Declines to Endorse Real ID

Ryan Singel writes on Threat Level:

The Department of Homeland Security's outside privacy advisors explicitly refused to bless proposed federal rules to standardize states' driver's licenses Monday, saying the Department's proposed rules for standardized driver's licenses -- known as Real IDs -- do not adequately address concerns about privacy, price, information security, redress, "mission creep", and national security protections.

The 18-member Data Privacy and Integrity Advisory Committee began looking at the proposed rules at the request of Hugo Teufel III, DHS's chief privacy officer. According to Teufel's instructions, the group was asked to provide very specific comment on how to implement the rules, which civil liberties groups and libertarian-leaning states want repealed, not reformed.

More here.

First Person: Fraud Hits Home -- My Front Porch!

Charles Ornstein writes in The Los Angeles Times:

When it comes to protecting myself against identity theft, I like to think that I'm pretty savvy.

I pay most of my bills online, and every day or two I check the transactions in my bank and credit card accounts. Once a year, I request personal reports from all three credit bureaus. And I always shred credit card solicitations, ATM withdrawal slips and receipts bearing my signature.

So when I received an answering machine message early last month from a woman named Josephine who claimed to work for Bank of America Corp., I thought I knew just what was going on.

This was one of those "phishing" scams, I thought, in which a thief pretends to be a bank representative and gathers personal information from unsuspecting victims.

I wasn't going to take the bait.

But as it turned out, I already had been had.

More here.

Canadian 'Remembrance Day' Coin Has U.S. Army Seeing Spies

An AP newswire article by Ted Bridis, via USA Today, reports that:

An odd-looking Canadian quarter with a bright red flower was the culprit behind a false espionage warning from the Defense Department about mysterious coins with radio frequency transmitters, The Associated Press has learned.

The harmless "poppy quarter" was so unfamiliar to suspicious U.S. Army contractors traveling in Canada that they filed confidential espionage accounts about them. The worried contractors described the coins as "filled with something man-made that looked like nano-technology," according to once-classified U.S. government reports and e-mails obtained by the AP.

The silver-colored 25-cent piece features the red image of a poppy — Canada's flower of remembrance — inlaid over a maple leaf. The unorthodox quarter is identical to the coins pictured and described as suspicious in the contractors' accounts.

More here.

Criminal Checks Needed for Domain Name Tasting, Kiting, Spying

Monika Ermert writes on CircleID:

International organisations should step in to prevent the “tasting,” “kiting” and “spying” related to Internet domain names, say representatives from the US telecommunications and trademark industries.

These new activities are dramatically altering online commerce and impacting legitimate businesses, and the United States Federal Trade Commission (FTC), World Intellectual Property Organization (WIPO) and the Internet Corporation for Assigned Names and Numbers (ICANN) should take action, they say.

The US Anti-Cybersquatting Consumer Protection Act (ACPA) had too many loopholes given the actual trends in the domain name secondary market, said Sarah Deutsch, vice president and associate general counsel for Verizon, and Marilyn Cade, former AT&T lobbyist and now consultant on Internet and technology issues.

“That law is ripe for updating,” Deutsch told Intellectual Property Watch. “We would propose that Congress hold hearings on a number of ways to create deterrents for domain name tasters.”

More here.

Journalists Intend to Sue Hewlett-Packard Over Surveillance

Damon Darlin writes in The New York Times:

In an unusual step for the news media, three journalists whose private phone records were scrutinized by investigators working for Hewlett-Packard intend to sue the company for invasion of privacy.

The dispute stems from an investigation of Hewlett-Packard’s directors initiated under the company’s former chairwoman, Patricia C. Dunn. To try to uncover leaks from board members, private investigators examined the phone records of nine journalists who covered the company, as well as the records of some of their relatives.

While the dispute revolves around the issue of how the journalists’ careers may have been damaged by having their phone records examined, the threat to sue also raises the question whether it is proper for a news organization or its reporters to sue a company they cover. It is certainly not common.

More here.

Programming Note

I'm still down & out without my primary computer due to a disk crash, so posting will be light for the next couple of days.

Apologies.

- ferg

Sunday, May 06, 2007

User Friendly: HD-DVD Sudoku

Via UserFriendly.org.


Estonia Arrests Suspect Over 'Cyber-Attacks'

An AFP newswire article, via PhysOrg.com, reports that:

Police arrested Saturday a 19-year-old Tallinn resident who is suspected of involvement in a wave of attacks against Estonian computer servers.

"The criminal police have detained the first person who stands accused in involvement in the recent cyber-attacks against Estonian servers," Kristiina Herodes, spokeswoman for the Estonian prosecutor's office, told AFP.

"Dmitri was posting on Internet forums calls to organise mass attacks against Estonian servers, called the DDoS attacks," Herodes said.

"He collected addresses of crucial Internet sites in Estonia and passed them in various Internet forums, instructing users to attack servers in Estonia," she said.

More here.