Saturday, May 26, 2007

Blast from the Past: Planet of the Apes

Charleton Heston in "The Planet of the Apes" (1968).

I had almost forgotten how fantastically great the first, original "Planet of the Apes" movie really was.

Thanks to the History Channel for showing it again tonight. It is truly a great piece of work!

- ferg

Gapingvoid: Religion

Via gapingvoid.com. Enjoy!



UK: Police to Get Tough New Terror Powers

David Cracknell writes in The Sunday Times:

New anti-terrorism laws are to be pushed through before Tony Blair leaves office giving “wartime” powers to the police to stop and question people.

John Reid, the home secretary, who is also quitting next month, intends to extend Northern Ireland’s draconian police powers to interrogate individuals about who they are, where they have been and where they are going.

Under the new laws, police will not need to suspect that a crime has taken place and can use the power to gain information about “matters relevant” to terror investigations.

If suspects fail to stop or refuse to answer questions, they could be charged with a criminal offence and fined up to £5,000. Police already have the power to stop and search people but they have no right to ask for their identity and movements.

More here.

Memorial Day Remembrances: 1 Picture > 1k Words





Off Beat: U.S. Mint Not Happy With 'Silver Surfer' Coin


An AP newswire article by Sandy Cohen, via The Seattle Post-Intelligencer, reports that:

A Marvel Comics hero is giving George Washington some company on the quarter, but the U.S. Mint doesn't think the stunt is so super.

To promote the upcoming film "Fantastic Four: Rise of the Silver Surfer," 20th Century Fox and The Franklin Mint altered 40,000 U.S. quarters to feature the character.

The U.S. Mint said in a news release Friday that it learned of the promotional quarter this week and advised the studio and The Franklin Mint they were breaking the law. It is illegal to turn a coin into an advertising vehicle, and violators can face a fine.

More here.

Image source: Seattle-PI / AP / 20th Century Fox

New Targets For ID Theft: Your Children

Via CBS News.

It might seem as if children and teens are unlikely victims of identity theft, but the Federal Trade Commission has estimated that about 400,000 children have their identity stolen each year.

Youth are targets because, unlike many adults, they have clean credit records. Because kids aren't applying for credit or jobs or renting an apartment until at least their mid-teens, chances are no one is checking their credit reports, so thieves can get away with exploiting kids' IDs for years. Eventually, older teens will run into a problem when applying for a driver's license, a bank account, credit card, student loan, or that first apartment.

More here.

Off Beat: New Museum Says Dinosaurs Were on Noah's Ark

Andrea Hopkins writes for Reuters:

Like many modern museums, the newest U.S. tourist attraction includes some awesome exhibits -- roaring dinosaurs and a life-sized ship.

But only at the Creation Museum in Kentucky do the dinosaurs sail on the ship -- Noah's Ark, to be precise.

The Christian creators of the sprawling museum, unveiled on Saturday, hope to draw as many as half a million people each year to their state-of-the-art project, which depicts the Bible's first book, Genesis, as literal truth.

While the $27 million museum near Cincinnati has drawn snickers from media and condemnation from U.S. scientists, those who believe God created the heavens and the Earth in six days about 6,000 years ago say their views are finally being represented.

More here.

Happy 100th Birthday: John Wayne - An American Institution



John Wayne
May 26, 1907 – June 11, 1979

An American Institution

Laptop Containing Register.com Customer Credit Card Info Stolen

Via The Inquirer.

Big Hosting and domain name firm register.com sent an email to its customers saying a notebook containing credit card information was stolen.

The firm said that around two per cent of its customers were affected. The data on the laptop was password protected and the credit card number encrypted. In a letter it said: "We also believe that the laptop was stolen for its inherent value and not the data itself."

The firm said the notebook was stolen last Thursday but didn't say from where. It said that it had reported the theft to the cops.

It is also offering an Equifax credit watch silver identity theft protection service for 12 months. It said customers should also tell issuers of the credit card about the potential breach of security and check carefully statements for unusual activity.

More here.

Friday, May 25, 2007

Memorial Day Remembrances


Click for larger image.


China Launches Crackdown on Kids Books

Death Note Comics

An AP newswire article, via The New York Times, reports that:

China has launched a crackdown on scary children's stories including the popular Japanese ''Death Note'' comic book series, state media said Saturday.

Authorities are ordered to seize ''illegal terrifying publications'' from vendors ahead of China's Children's Day on June 1, the Xinhua News Agency and China Daily newspaper reported.

Communist authorities regularly launch sweeps to seize publications deemed pornographic or socially harmful. They are especially concerned about the influence of foreign books, movies and other pop culture on Chinese children.

One target in the latest crackdown is ''Death Note,'' a Japanese series of comic books about a notebook that can kill people whose names are written in it.

The story ''misleads innocent children and distorts their mind and spirit,'' said Wang Song, an official of the National Anti-piracy and Anti-pornography Working Committee, quoted by the China Daily.

''Death Note'' publications have been seized in Shanghai and areas across central and southern China, the newspaper said.

More here.

Note: Interestingly enough, there is an entire thread on this topic from "Death Note" comics affectionados over on ComiPress here. Enjoy.

Mother Earth Tech: U.S. Rejects G-8 Climate Proposal


Juliet Eilperin writes in The Washington Post:

U.S. officials have raised a second round of unusually bluntly worded objections to a proposed global-warming declaration that Germany prepared for next month's Group of Eight summit, according to documents obtained by The Washington Post.

Representatives from the world's leading industrial nations met the past two days in Heiligendamm, Germany, to negotiate over German Chancellor Angela Merkel's proposed statement, which calls for limiting the worldwide temperature rise this century to 3.6 degrees Fahrenheit and cutting global greenhouse gas emissions to 50 percent below 1990 levels by 2050.

Bush administration officials, who raised similar objections in April, rejected the idea of setting mandatory emissions targets as well as language calling for G-8 nations to raise overall energy efficiencies by 20 percent by 2020.

More here.

IHOP Upgrades Credit Card Security After Outside Hack

Via The State Journal-Register Online.

The owner of a Springfield [Illinois] restaurant said today hackers who broke into the restaurant's computer network and compromised debit-card information were from outside the business, and that security has been upgraded.

Gene Rupnik, who owns the International House of Pancakes on Dirksen Parkway, confirmed the restaurant was the source of some of the debit-card alerts that have gone out from local banks in the past week.

He also said, as far as he knows, none of the customers suffered financial losses as a result of the security breach.

"I am assured now we are completely and totally protected," said Rupnik, who also owns the Day's Inn and Microtel Inn & Suites in Springfield.

Rupnik said, while this is the first time it has happened to one of his businesses, authorities have advised him they are looking into the possibility the problem goes beyond his restaurant, and perhaps beyond Springfield.

More here.

(Props, Pogo Was Right.)

Microsoft Sues Alleged Stock Scammers

Robert McMillan writes on InfoWorld:

Hoping to tackle the growing problem of pump-and-dump stock scams Microsoft has quietly filed lawsuits against at least three alleged perpetrators who it says used its MSN Hotmail networks to promote stocks.

Hotmail has "received large volumes of unsolicited commercial e-mail messages" promoting stocks for such companies as Distributed Power, TGC Ventures, China Biolife Enterprises, and Irwin Resources, according to court documents filed during April and May in King County Superior Court in Seattle.

Microsoft charges the defendants with violating the federal CAN-SPAM act as well as Washington state consumer protection laws and is seeking unspecified damages, according to the filings.

More here.

NC DOT Security Breach Affects 25,000 Employees

Via WRAL.com.

A computer server holding the names and Social Security numbers of about 25,000 North Carolina Department of Transportation employees, contractors and other state employees had a security breach, officials announced Friday.

The breach affects employees who were issued identification badges from 1997 until 2006. Officials have no evidence that the personal information was accessed, according to the DOT.

People who used their employee identification number instead of their Social Security number are not at risk. The department is working to contact the affected individuals by mail, and the State Bureau of Investigation has also been notified.

Individuals who detect a problem with any of the personal information listed above should notify local law enforcement and contact one of the three credit bureaus to place a 90-day fraud alert on their credit report.

More here.

(Props, Pogo Was Right.)

CableCARD: Countdown to 'Seven-Oh-Seven'

Jeff Baumgartner writes on Cable Digital News:

T-minus five weeks and counting.

U.S. cable operators, big and small, are hustling to comply with a quickly approaching mandate from the Federal Communications Commission (FCC) that will ban MSOs from buying and deploying set-tops with integrated security. That ban comes into effect July 1, 2007.

When the ban becomes active, cable operators will be prohibited from purchasing or deploying any new set-tops with the security embedded in the device.

After June 30, 2007, any newly purchased and deployed digital set-top purchases must have separable security. More often than not, this separation will occur at the set-top via a special interface that houses the CableCARD, a removable module that contains the conditional access keys necessary to authorize digital cable services.

More here.

A Look At The Pitfalls In Online Banking

Via NBC5.com.

An Indiana woman says she has 26,500 reasons you should pay attention to what happened to her online bank account -- and don't let it happen to yours.

"Nobody called me. Nobody ever questioned the transaction. And I only found out about it when I got my bank statement," Marci Shames-Yeakal told Target 5.

The transaction she referred to was $26,500 transferred from Shames-Yeakal's line of credit into her business account, then wired to Hawaii.

"They found out that the wire was sent to a bank in Hawaii, to an account in Hawaii, and then the next day, people went into that account and took the money and wired it out to Austria and it was gone," she said.

Gone for good.

Shames-Yeakal said she got that news in a letter from her bank, Citizens Financial Bank of Indiana and the south suburbs. Her Munster, Ind., branch told her that she had signed an agreement stating that the bank "will have no liability to you for any unauthorized payment of wire transfer using your password."

The same letter stated that the bank's "security procedures were commercially reasonable."

More here.

(Props, Flying Hamster.)

U.S. Missile Defense Test Aborted

An AP newswire article, via USA Today, reports that:

A test of the nation's long-range missile defense system was aborted Friday when a target rocket failed to fly high enough to trigger the interceptor missile, officials said.

The dummy warhead, launched from Alaska, fell into the Pacific Ocean. The interceptor missile was at least eight minutes from launch in California and never fired, the Air Force said.

The interceptor was supposed to try to collide with the old intercontinental ballistic missile high over the Pacific.

The cause of the target failure, the first in the test program, was unknown.

More here.

U.S. Dept. of Energy Reports Losing 1,400 Laptops in Six Years

Patience Wait and Joab Jackson write on GCN.com:

The Energy Department notified Congress yesterday that it has lost 1,427 laptop PCs over the past six years. The department said none of the laptops contained classified information.

The figure represents approximately two percent of its current inventory of laptop computers, or approximately 71,874 units used either by agency personnel or contractors.

The Energy Department statement broke down the missing laptops by year, with 144 reported missing for 2001, 248 in 2002, 256 in 2003, 258 in 2004, 223 in 2005 and 205 in 2006. Another 81 laptops were identified as missing, though the years those went missing were not disclosed. The agency revealed the information in response to a Freedom of Information Act request filed by WTOP, a Washington, D.C., news radio station.

More here.

EU: Google Defends Data Collection Policy

A Reuters newswire article, via CNN, reports that:

Google will tell Brussels it needs to hold on to users' search data for up to two years for security and commercial reasons after being warned it could be violating European privacy laws by doing so.

The world's top Internet search engine on Friday said it would respond by June 19 to a letter from a European Union data protection advisory group expressing concern it was keeping information on users' searches for too long.

More here.

Australia: One in Three Porn Viewers are Women

Adele Horin writes in The Sydney Morning Herald:

Record numbers of Australians are visiting pornographic websites, including sexually explicit dating sites - and one in three of them is a woman.

Surprising new figures show more than one-third of internet users visited an adult website at least once in the first three months of this year.

Almost one in five was under 18, and 5 per cent were 65 or over.

The data, provided to the Herald by Nielsen Net Ratings/NetView, a world leader in internet analysis, reveals 4.3 million Australians viewed pornography or visited a sex-oriented matchmaker site on the internet at least once in the quarter ending in March. This was 35 per cent of all those who used the internet in that period.

In March alone, 2.7 million Australians went to an online adult website, an increase of half a million in 18 months, or 23 per cent. The richer people were, the more likely they were to have viewed a pornographic site.

More here.

Vandals 'Bomb' Second Life Island

The ABC Island on Second Life after the attack with an inset of how it used to look.
Image source: Stuff.co.nz



Via Stuff.co.nz.


Miscreants have hacked into the ABC Island inside the virtual reality world of Second Life, reducing the two-month-old facility to rubble.

The vandalism, which wiped out months of painstaking work, was discovered this morning.

Linden Labs, the San Francisco-based company which operated the virtual world, completed a "rollback" late this afternoon, a procedure that has restored most of what was on the island before the attack.

The head of ABC Innovation, Abigail Thomas, told the abc.net.au website that the facility had been "bombed".

"We will now be looking closely at security measures, investigating how the hackers breached the existing security and, of course, making changes to protect the Island's future development," Ms Thomas said in a statement.

These types of attacks are not uncommon in Second Life.

More here.

UK Database Theft Hurts Customers

Via The BBC.

Cable & Wireless has served an injunction against a former executive following the theft of a 100,000 customer database, the BBC has learned.

The injunction orders Seemab Zafar to hand over any part of the database of former subsidiary Bulldog, including names, addresses and financial details.

Ms Zafar, from London, denies that she holds any part of the database.

A BBC investigation has established that the database had been illegally used by call centres in Pakistan.

The call centres tricked customers into handing over credit card details.

More here.

Mexico to Boost Tapping of Phones and e-Mail With U.S. Aid

Sam Enriquez writes in The Los Angeles Times:

Mexico is expanding its ability to tap telephone calls and e-mail using money from the U.S. government, a move that underlines how the country's conservative government is increasingly willing to cooperate with the United States on law enforcement.

The expansion comes as President Felipe Calderon is pushing to amend the Mexican Constitution to allow officials to tap phones without a judge's approval in some cases. Calderon argues that the government needs the authority to combat drug gangs, which have killed hundreds of people this year.

Mexican authorities for years have been able to wiretap most telephone conversations and tap into e-mail, but the new $3-million Communications Intercept System being installed by Mexico's Federal Investigative Agency will expand their reach.

More here.

Thursday, May 24, 2007

Nissan Warns U.S. Cellphones Can Disable Car Keys

Via Reuters.

Nissan North America has a warning for customers: placing your electronic key too close to your cellphone could leave you stranded.

The automaker is asking customers driving new models of two of its flagship sedans to keep their car keys and cellphones at least an inch apart to avoid disabling the "intelligent keys."

Cellphones kept near Nissan's I-Keys -- wireless devices designed to allow drivers to enter and start their cars at the push of a button -- can erase the electronic code on the keys, rendering them unable to unlock or start the cars.

The problem has occurred on the 2007 Nissan Altima and Infiniti G35 sedans -- two of their top-selling models, the company said on Thursday.

More here.

Off Beat: Charlie Manson Manson 'Still a Danger'

Chales Manson, ca. 1969.

Via The Scotsman.

Charles Manson, one of the United States' most notorious mass murderers, has failed in his 11th bid to be freed.

California's parole board said that Manson, 72, "continues to pose an unreasonable danger to others and may still bring harm to anyone he would come in contact with".

Manson and his "family" were sentenced to death for the 1969 murders of Leno and Rosemary LaBianca, the pregnant actress Sharon Tate - director Roman Polanski's wife - and four others. Manson believed the Beatles song Helter Skelter warned of a war between blacks and whites and hoped to spark such a conflict by killing whites in such a manner blacks would be blamed.

Manson, whose sentence was commuted to life in 1977, can interact with only 17 other inmates, including Senator Robert Kennedy's assassin, Sirhan Sirhan.

More here.

California Senate Clears Groundbreaking RFID Bill

Via EFF DeepLinks.

Today, a landmark bill that would require tough privacy and security safeguards for Radio Frequency Identification tags in state-issued IDs sailed through the California Senate on a 33-2 bipartisan vote.

Without proper protections, RFIDs in IDs can broadcast your private information to anyone and leave you vulnerable to tracking and identity theft. That's why EFF, the ACLU, the Privacy Rights Clearinghouse, and other groups have been working hard to get the Identity Information Protection Act (SB 30) passed.

Last year, California's legislature passed a similar version of this bill, but Governor Arnold Schwarzenegger issued a shortsighted veto. The Senate sent a clear message today that the Governor should not forgo another opportunity to give Californians control over the personal information on their own drivers' licenses, library cards, and other important ID cards.

More here.

Stronger Credit Card Security Prevails In Minnesota, Fails In Texas

Larry Greenemeier writes on InformationWeek:

It looks like Texas won't be the first state to pass a law that codifies the personal data protections outlined in the Payment Card Industry (PCI) data security standard.

As the Texas state Senate was this week shooting down a bill that would require businesses that collect personal information to use PCI to secure sensitive personal data, the Minnesota legislature passed its Plastic Card Security Act.

Minnesota becomes the first state to create a law that shifts the costs associated with data breaches from financial institutions to the retailers who mishandle consumers' private financial data. The law, which passed by votes of 122-4 and 63-1 in the House and Senate, respectively, also gives retailers added incentive to protect consumers' information.

More here.

Quote of the Day: Noam Eppel

"A person can go to his/her local computer store and purchase an expensive new computer, plug it in, turn it on and go get a coffee. When he/she returns the computer could already be infected with a trojan and being used in a botnet to send out spam, participate in phishing attacks, virus propagation, and denial-of-service attacks, etc."

- Noam Eppel, writing in "Security Absurdity: The Complete, Unquestionable,
And Total Failure of Information Security
."

EU Probes Google Grip on Data

Maija Palmer writes on FT.com:

European data protection officials have raised concerns that Google could be contravening European privacy laws by keeping data on internet searches for too long.

The Article 29 working party, a group of national officials that advises the European Union on privacy policy, sent a letter to Google last week asking the company to justify its policy of keeping information on individuals’ internet searches for up to two years.

The letter questioned whether Google had “fulfilled all the necessary requirements” on data protection.

The data kept by Google includes the search term typed in, the address of the internet server and occasionally more personal information contained on “cookies”, or identifier programs, on an individual’s computer.

This is separate to the personal information Google has begun collecting over the past two years from people who give the group explicit permission to do so.

More here.

Gapingvoid: A Crushing Adventure

Via gapingvoid.com. Enjoy!

Secret FOIA Bill Hold Redux?

Rebecca Carr writes on The Atlanta Journal-Constitution's "Window on Washington":

Yes, it has happened again for all of you who remember Sen. Ted Stevens, R-Alaska, putting a hold on making earmarks public last fall.

This time it is with legislation that promises to overhaul the 41-year-old Freedom of Information Act so that it is easier for you, the public, to learn more about your government without the notorious delays from Washington bureaucrats.

Senate Judiciary Committee Chairman Patrick Leahy, D-Vt., reports that an unnamed senator has secretly invoked a parliamentary maneuver to keep the bill from hitting the floor in the Senate before the Memorial Day recess.

The measure, introduced by Leahy and Sen. John Cornyn, R-Texas, has already cleared the House and the Senate Judiciary Committee.

More here.

GAO: Critical FBI Network Full of Security Holes

Ryan Singel writes on Threat Level:

A critical FBI communications network containing sensitive law enforcement and investigative data is rife with security flaws and is vulnerable to attacks from outsiders and insiders alike, according to an audit released Thursday by the Government Accountability Office.

The unnamed network is part of the long delayed and scandal plagued Trilogy system that the FBI wants to replace its network of computers and networks, which for years was so bad that agents reportedly couldn't email one another.

System administrators have failed to keep obsolete software off the network, patch computers quickly, ensure passwords and data are strongly encrypted, log and audit security events and prevent insiders from having more privileges than necessary for their job, according to the audit. The report explicitly refers to rogue former agent Robert Hannsen, who misused his insider access to sell government secrets for years to the Soviets.

More here.

Off Beat: The Truth About Lie Detectors

Christopher Wanjek writes on LiveScience:

Washington is a city of lies, so perhaps it is no surprise that those in the nation's capital wishing to expose the truth have been fooled by lies about a polygraph's usefulness.

According to White House spokesman Tony Snow, earlier this month, the White House will consider administering a polygraph to Clinton-era National Security Adviser Sandy Berger, who pleaded guilty to lifting documents from the National Archives in 2002 and 2003. Some say the documents, now nowhere to be found, might point to failures of the Clinton administration to uncover the 9/11 terrorist plot.

Politics aside (it was 18 Republican congressmen who wrote to Attorney General Alberto Gonzales in January requesting that Berger take a polygraph, but that was before allegations of certain falsehoods on Gonzales' part made the request a little awkward), the polygraph is no way to get to the truth.

More here.

New Database Debunks Terrorism Myths

Jeanna Bryner writes on LiveScience:

The majority of terrorist attacks result in no fatalities, with just 1 percent of such attacks causing the deaths of 25 or more people.

And terror incidents began rising some in 1998, and that level remained relatively constant through 2004.

These and other myth-busting facts about global terrorism are now available on a new online database open to the public.

The database identifies more than 30,000 bombings, 13,400 assassinations and 3,200 kidnappings. Also, it details more than 1,200 terrorist attacks within the United States.

The unclassified Global Terrorism Database (GTD) will give anyone interested the opportunity to peruse through the actual details of global terror attacks. The online terror rap sheet is expected to be a critical tool for researchers and policy-makers who can use it to improve responses to terrorism.

More here.

If You're Tagged as a Spammer, It's Hard to Get Off the Blacklist

Karen J. Bannan writes in The International Herald Tribune:

About a year ago, Scott Madlener, a marketing executive, e-mailed a client several times but his messages were not getting through.

"It raised a red flag immediately," said Madlener, executive vice president for interactive strategies at the Performance Communications Group of Chicago. "We asked our system administrator to look at what was happening, and he came back to me with some bad news: We had been blacklisted."

Blacklisting is an annoyance for big companies, but one that a dedicated technology staff can eventually remedy. For many smaller businesses, having messages blocked or shuttled into a spam folder by an Internet service provider or e-mail administrator can mean lost revenue.

More here.

Note: There are several "spam blacklisting" services on The Web that you check to see if you've been blacklisted, however there are a couple that will check all of them for you. One of the better ones is located here at robtex.com.

Brinkster.com User Accounts Compromised

Dan Goodin writes on The Register:

Web host Brinkster.com is requiring customers to change their account passwords because some of them may have been compromised, according to people who say they've received security bulletins. If confirmed, the breach is the latest example of sensitive information being lost en masse as a result of security lapses by a large service provider.

"Brinkster has reason to believe some User Names and Passwords may have been Compromised," the company warned in an email sent recently to its customers. "To ensure website security, we mandate that you change your password for your account. If you do not change your password, Brinkster will automatically change it for you."

More here.

Why Are CC Numbers Still So Easy To Find?

Via Slashdot.

Frequent Slashdot contributor Bennett Haselton gives the full-disclosure treatment to the widely known and surprisingly simple technique for finding treasure-troves of credit card numbers online.

He points out how the credit-card companies could plug this hole at trivial expense, saving themselves untold millions in losses from bogus transactions, and saving their customers some serious hassles.

More here.

The Move To Web 2.0 Increases Security Challenges

Sharon Gaudin writes on InformationWeek:

Web 2.0 technologies -- the kinds that promote interactivity and community-building and made MySpace and YouTube household names -- are starting to gain a foothold on more conventional Web sites. Web 2.0 largely is about user-generated content. Corporate executives and marketing heads like the idea of having their customers be participants and sharing information, rather than just getting information off the site. An automobile maker, for instance, might start a social network or blog for customers to write about their experiences with their vehicles or to post pictures or videos from their favorite road trips.

But the advantages of creating these communities and enriched Web sites also come with the same risks that plague the Web 2.0 giants. A worm planted in a MySpace page infected more than 1 million users. Hackers and spammers can join MySpace to create their own pages, riddled with malicious code, to infect their social-networking peers. And hackers are beginning to target vulnerabilities in Ajax applications, which help make the Web 2.0 Web sites so dynamic.

More here.

Estonian Attacks Raise Concern Over Cyber 'Nuclear Winter'

Larry Greenemeier writes on InformationWeek:

As NATO technical assistance this week begins to flow into the cyberwar-torn Estonia, additional details are surfacing about the cyberattacks launched during the first two weeks of May against the Baltic nation. Thoughts also are turning to how future attacks might be averted.

The cyberattacks against Estonia, mainly in the form of Distributed Denial of Service (DDoS) attacks, primarily targeted the Estonian government, banking, media, and police sites. "Private sector banking and online media were also heavily targeted and the attacks affected the functioning of the rest of the network infrastructure in Estonia," the European Network and Information Security Agency, or ENISA, reported Thursday on its Web site. As a result, the targeted sites were inaccessible outside of Estonia for extended periods in order to subdue the attacks and to maintain services within the country.

DDoS attacks are particularly difficult to prevent and require a lot of coordination to contain the damage when multiple sites are hit. In order to weather the 128 separate strikes launched against its cyber infrastructure, Estonia sought help from not only its own Computer Emergency Readiness Team, established late last year, but also the Trans-European Research and Education Networking Association (pdf) and CERTs from other countries, including Finland and Germany, according to ENISA.

While cyberattacks against governments are nothing new, the Estonian attacks were particularly damaging, as the country had to shut down key computer systems for their own protection.

More here.

MySpace Reportedly Labels Innocent Woman as Sex Offender

Kevin Poulsen writes on Threat Level:

Jessica Davis, a 29-year-old University of Colorado senior, found herself falsely branded a sex offender and kicked off MySpace last weekend, ABC News reports.

There is no registered sex offender by her name in Colorado. But when Davis availed herself of MySpace's appeals process, the results were less than satisfactory.

More here.

NIST Botches Smart Card Evaluation, Group Charges

Alice Lipowicz writes on GCN.com:

The National Institute of Standards and Technology hasn’t sufficiently evaluated a set of technologies about to be used in border-crossing identification cards, charges a smart card industry group.

The group, the Smart Card Alliance, believes that NIST certified the Generation 2 Radio Frequency Identification card architecture for the People Access Security Services (PASS) Card without using “the appropriate standards and best practices relevant to human identity applications,” wrote Smart Card Alliance Executive Director Randy Vanderhoof in a May 17 letter to NIST Director William Jeffrey. The alliance is a trade association representing companies that make identification cards and related systems.

Furthermore, the institute did not properly evaluate whether the Gen2 RFID technology choice is appropriate for the context in which it will be used in the Pass Card, Vanderhoof contended. “NIST has, for the first time, endorsed a technology without exploring its use in the context of the government mission and presenting the pros and cons of that technology offering for that mission,” Vanderhoof wrote.

More here.

House Intelligence Committee to Probe Phone Companies Cooperation with NSA Wiretapping

Michael Roston writes on The Raw Story:

The House Intelligence Committee has announced that it will investigate the cooperation of telephone companies with the National Security Agency's warrantless wiretapping activities.

"One of [Director of National Intelligence Mike McConnell's] proposals is to grant immunity to individuals who and companies that facilitated electronic surveillance activities that were part of the NSA surveillance program disclosed by the President in December 2005," said Rep. Silvestre Reyes (D-TX), Chairman of the House Permanent Select Committee on Intelligence in a press release sent to RAW STORY. "Before granting immunity for any activities, it will be important to review what those activities were, what was the legal basis for those activities, and what would be the impact of a grant of immunity."

A number of lawsuits have been filed against telecommunications companies for their alleged cooperation with the NSA's domestic eavesdropping program. The lawsuit filed by the Electronic Freedom Foundation against AT&T exemplifies the kind of cases that the Director of National Intelligence is seeking to keep out of court.

More here.

(Props, Pogo Was Right.)

Wednesday, May 23, 2007

Personal Note: This is NOT News...


MSNBC should be ashamed at making this their banner headline news story.

It's just pathetic.

- ferg

DKIM: A Solution Only If It's Deployed

Stephen Withers writes on iTWire.com.au:

DomainKeys Identified Mail (DKIM), a proposal for authenticating the source of email messages, has received preliminary backing from the Internet Engineering Task Force (IETF), the body that determines the protocols used on the Internet.

The proposed standard involves mail servers digitally signing outgoing messages. Receiving mail servers would check the signature on each incoming message by using DNS (domain name server system) to fetch the public key for the originating domain name.

How does this stop spam, phishing and other forms of bogus email? It doesn't prevent them being sent, but it will interfere with their delivery - but only when so many legitimate mail servers have implemented DKIM that people are prepared to accept that messages failing DKIM checks will not be delivered.

More here.

Picture of the Day: DDoS Warrior



We love it! We also hate it.

(Props, Arms Control Otaku.)

Off Beat: A Bird in The Hand, er... Whatever

Click for larger image.


So, we wake up this morning to a bird nesting in our Staghorn Fern hanging in our doorway.

Yes, it's real. Yeah, the bird and the fern (we brought it with us from Texas last year).

We call her "Lady Bird" -- original, huh?

Surprise! It's Spring, right? :-)

- ferg

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Wednesday, May 23, 2007, at least 3,431 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,801 died as a result of hostile action, according to the military's numbers.

The AP count is seven higher than the Defense Department's tally, last updated Wednesday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

New Zealand: IP Upgrade for Power Grid

Steven Deare writes on ZDNet Australia:

Power grid operator Transpower New Zealand will install an IP-based communications network to help manage New Zealand's national electricty grid.

Transpower has awarded Alcatel-Lucent a five-year contract to install and maintain the network, which will link 192 sites across the country.

Transpower owns and operates the National Grid, New Zealand's electricity transmission network, which links generators to distributors and industry.

The work will see the company's legacy systems migrated to an IP/MPLS system over a fibre and microwave radio network, according to Alcatel-Lucent. The network will provide Voice over IP, wireless LAN, digital microwave and LAN switching capabilities.

The network will be based on technology from a number of vendors.

The value of the deal was not disclosed.

More here.

Let's hope that it is not connected to the Internet in any way, shape, or form -- for the sake of New Zealand's infrastructure security. - ferg

Outside View: Terror, Crime Go Digital

Rachel Ehrenfeld and John Wood write on UPI's Outside View:

Emerging digital technologies to move money instantaneously and anonymously open up new possibilities for criminals and terrorists, while regulatory and law-enforcement agencies are limping far behind.

On May 3, at the release of the 2007 Money Laundering Strategy, the U.S. Treasury spokesperson was pleased to note: "Focusing on well-established money laundering methods and emerging trends identified in the Assessment, we have created a robust strategy for combating money laundering, deterring criminals, and addressing areas vulnerable to exploitation."

Yet the latest digital advances open to criminals and terrorists -- mobile phones or other mobile devices to secretly transfer money globally, or M-payments; gambling; and transfer of virtual money through online role-playing games, or RPGs -- are missing from this long-awaited government strategy.

More here.

Spy Lasers?


Noah Shachtman writes on Danger Room:

Forget the spy cameras, scent-detectors, and data-mining algorithms. An Oak Ridge National Laboratory group is looking to build a laser-based surveillance system to "automatically detect millimetre-scale changes to a scene."

"Rather than detecting intruders or monitoring people, it keeps track of static objects in a scene. This is done by attaching tags to important items, which reflect laser light, allowing a connected sensor to monitor their location precisely," New Scientist observes. "If one of the tags is moved, or disturbed even slightly, this will be revealed by the laser reflection."

More here.

Wow. Combine this with RFID Powder and we're all screwed. :-)

Websense: Audi's Taiwan Website Compromised


Yet another example of a trend that has gotten to be epidemic.

Via Websense Security Labs.

- ferg

Australia: Interference Claim on ABC Program That Questions Global Warming

Wendy Frew, Jewel Topsfield and Katharine Murphy write on TheAge.com.au:

The ABC board has been accused of pressuring the national broadcaster to show a controversial British documentary questioning the science behind climate change.

The ABC announced this week that it would screen in July The Great Global Warming Swindle, which argues the main cause of warming is not human activity but changes in radiation from the sun.

The program caused a storm when it was aired on Britain's Channel 4 in March, with accusations by scientists — including some of those featured in the film — that its makers used fabricated data, half-truths and misleading statements.

ABC science journalist and broadcaster Robyn Williams, who advised the TV division not to buy the program, yesterday accused the broadcaster of "verging on the irresponsible" over its decision to air something that was "demonstrably wrong".

More here.

Google to Acquire Feedburner for $100 Million

Via BetaNews.

Sources say Google and Feedburner have agreed to a deal where the Mountain View, Calif. company would pay cash for the company, with the deal closing within two to three weeks. However, neither company had responded to requests for comment on the deal as of press time.

Feedburner provides RSS management services for blogs and websites, and has seen tremendous growth in the past several months. Such an acquisition would fit nicely with Blogger, the web log service Google acquired in early 2003. Details of the deal were first reported by technology web log TechCrunch on Wednesday.

More here.

Slovak Secret Agents Revealed

Via Zone-H News.

Another embarrassing incident happened last weekend in Slovakia.

The announced posting of complete telephone book on popular website Zoznam.sk from all phone operators during weekend turned to a serious security incident. One of the phone-numbers-databases provided by T-Mobile contained also numbers that should have been classified (on customer's wish), and among them there were also more than 700 mobile phone numbers of Slovak secret service SIS.

Slovak newspaper SME informed about this incident during the weekend on his web edition.

Customers, who found their classified numbers published, immediately called the operator but, in spite of this, such numbers had been accessible for more than 24 hours. Considering the reactions of SIS officials, it was clear they were surprised and astonished. Sure. How could they be less than surprised?

Not only Classified mobile phone numbers were revealed, but also secret service agents’ number were disclosed – this could be a real disaster.

More here.

Cyber Crooks Hijack Activities of Large Web-Hosting Firm

Brian Krebs writes on Security Fix:

Organized crime groups have modified a significant share of the Web sites operated by one of the Internet's largest Web hosting companies to launch cyber attacks against visitors, Security Fix has learned.

Last month, Phoenix-based IPOWER Inc. was featured prominently in an unflattering report by StopBadware.org, a joint effort by Google, Harvard Law School's Berkman Center for Internet & Society and Oxford University's Internet Institute. StopBadware has identified more than 90,000 sites that attempt to install malicious software on visitors' computers via Internet browser security holes or programming tricks. When a user tries to click on one of these sites after they appear as Google search results, Google posts a warning page stating that the site has been spotted trying to attack previous visitors.

John Palfrey, a professor of Internet law at Harvard, said the report showed that about 90 percent of the sites flagged as serving "badware" appeared to be otherwise legitimate sites that had been hijacked by criminals.

StopBadware found that about 10 percent of the sites in its database were operated by IPOWER. Security Fix found that the problem at IPOWER may be far worse than StopBadware indicated.

More here.

Yet More Bad News: MasterCard Security Breach

David MacAnally writes on WTHR.com:

MasterCard is warning it's member banks about a rash of thefts from the bank accounts of card holders, some here in Central Indiana.

Kristin is good about checking her checking account. "I check the account online every day."

And good thing. When she logged on Tuesday she found it had insufficient funds.

"I was like, what's going on?" Kristin said.

Kristin has a MasterCard debit card and her bank, Sky Bank, blames a security breach at MasterCard.

"We were notified very late last week that a member merchant of Master Card had a data breach and account numbers were compromised," said Mike Newbold, Regional President of Sky Bank Indianapolis.

More here.

(Props, Pogo Was Right.)

P2P Networks Hijacked for DDoS Attacks

Via Netcraft.

Peer-to-peer networks are being hijacked to launch an increasing number of distributed denial of service (DDoS) attacks on web sites, according to security researchers and network service providers. In these attacks, large numbers of client computers running P2P software are tricked into requesting a file from the intended target of the DDoS, allowing the attacker to use the P2P network to overwhelm the target site with traffic.

These type of attacks had been discussed in papers by security researchers last year, but began appearing on the Internet in early 2007 and have accelerated in recent weeks, according to Prolexic Technologies, which specializes in DDoS defense. In a May 14 advisory, Prolexic reported an increase in the number and frequency of attacks. "The rash of large P2P attacks we have seen in the last month is a perfect example of how the DDoS problem constantly evolves," said Darren Rennick, CEO of Prolexic. "Until January of this year we had never seen a peer-to-peer network subverted and used for an attack. We now see them constantly being subverted."

The company said as many as 100,000 machines had been used in some of the attacks. The peer-to-peer DDoSes may be attractive to attackers, as they don't require the use of an existing "botnet" of compromised computers.

Prolexic said many of the recent attacks exploited dc++ open source peer-to-peer client for Windows machines using the Direct Connect file-sharing protocol. On their blog, the developers of dc++ acknowledge that the software is being used in DDoS attacks, and note that recent updates have addressed the security holes.

More here.

Tuesday, May 22, 2007

Gapingvoid: Security Creed of Reality

Via gapingvoid.com. Enjoy!


.travel Registry Near Death

Edward Hasbrouck reports on The Practical Nomad:

"In a quarterly report filed with the Securities and Exchange Commission last week, theglobe.com said management does not think the company can fund its operations beyond this month unless it receives more money. As of May 4, the company had a cash balance of $480,000. Last quarter it reported a net loss of $2.8 million on revenues of $431,742...."

"The company's finances took a big hit in April when it paid $2.55 million to settle allegations that it sent 400,000 spam e-mail messages to users of MySpace, the popular social networking Web site..."

More here.

U.S. May Be Target in Gambling Dispute

An AP newswire article by Bradley S. Klapper, via The Washington Post, reports that:

The Caribbean nation of Antigua and Barbuda is seeking compensation from the United States over its restrictions on Internet gambling sites based overseas, and on Tuesday asked other countries to join in as it targets Washington over its failure to comply with global trade rules.

The World Trade Organization ruled that the restrictions were illegal.

Antigua, the smallest country to successfully litigate a case in the WTO's 12-year-history, also threatened to target U.S. trademarks, copyrights and telecommunications companies after the WTO on Tuesday formally adopted a landmark decision reached in March on the gambling restrictions.

More here.

Proposed National Database Raises Privacy Concerns

Brian Prince writes on eWeek:

Experts point out the security risks of the nationwide database of workers' personal information that would be required under an immigration bill expanding the Employee Eligibility Verification System.

The mammoth database system that would be needed under an immigration bill currently being discussed by Congress has security experts thinking about procedures, privacy and protection.

The Secure Borders, Economic Opportunity and Immigration Reform Act of 2007 [.pdf] is a controversial compromise reached by a bipartisan group of senators. The proposed legislation already has many opponents across party lines, and has been criticized by groups such as the American Civil Liberties Union. Proponents, however, argue that the bill includes vital changes to immigration law in the United States.

One of the provisions in the sweeping bill has given some IT policy and security analysts pause—the expansion of the EEVS (Employee Eligibility Verification System). Employers would be required to submit identifying information provided by all members of the American work force—roughly 150 million people, the U.S. Department of Labor's Bureau of Labor Statistics estimates— to the U.S. Department of Homeland Security. Data from prospective employees would be submitted as well. The data would be checked against database records, and anyone who failed that check would essentially be out of a job.

More here.

Google Wants Still More Personal Data on its Users

Via HSToday.us.

Google wants to maximize the personal information it is capable of capturing – and storing indefinately - on its users. The company even envisages a day when it can tell people what jobs to take and how they might spend their days off.

Eric Schmidt, Google’s chief executive, said gathering more personal data is key for Google’s expansion and believes it is the logical extension of the company’s stated mission to organise the world’s information.

But privacy rights advocates are concerned that the personal information Google is capturing and storing can also be used to compile a detailed portrait of a person’s behavior.

Indeed. HSToday.us first reported that Google reputedly has been working with the US Intelligence Community – with whom it has long enjoyed a close relationship and which helped the then fledging company get off the ground – to provide it with search engine user data which, in conjunction with other datamining efforts, is used to identify suspected terrorists.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Tuesday, May 21, 2007, at least 3,422 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,801 died as a result of hostile action, according to the military's numbers.

The AP count is two lower than the Defense Department's tally, last updated Tuesday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Cisco's Watching You (Again)

Phil Harvey writes on Light Reading:

Cisco Systems Inc. is moving further along in the world with its purchase of BroadWare Technologies Inc., announced last night at 11:59 p.m. ET.

BroadWare, which is not a women-only software firm, makes IP-based video surveillance software. The acquisition price wasn't revealed, but BroadWare is an established firm, founded in 1995, with 38 employees and offices in Santa Clara, Calif. and McLean, Va.

Last year, Cisco agreed to pay $51 million in cash and options for SyPixx Networks Inc., a Waterbury, Conn.-based firm that was also in the video surveillance game.

But while SyPixx focused on hardware and appliances, BroadWare is a pureplay IP software company. The combination of the two firms will give Cisco an opportunity in dozens of vertical markets (casinos, retail, defense agencies) that benefit from networked video surveillance, says Steve Collen, director of product marketing for Cisco's physical security team.

More here.

Converged Physical and IT Security Isn’t Just a Trend, It’s a Necessity

William Jackson writes on GCN.com:

Cyberattacks increasingly will be used to magnify the effect of physical attacks or hamper responses to them, said analysts from the U.S. Cyber Consequences Unit. “In the future, cybervulnerabilities will determine where physical attacks will take place,” said Scott Borg, director and chief economist of the US-CCU, in a GovSec presentation.

The US-CCU is a government-funded, independent research organization established in 2004 with a shoestring, four-month budget of $200,000 from the Homeland Security Department.

More here.

Bank of America Sues Identity Theft Victim

Chuck Bennett writes in The New York Post:

After identity thieves wiped out a Bronx mom's life savings, her neighborhood bank sprung into action - by slapping her with a lawsuit.

Bank of America hit Gloria Carlo, 51, a single mom from the South Bronx, with a lawsuit demanding $23,312.04. It's money the bank claims she overdrew in a two-month home-shopping spending spree after already exhausting $38,000 from her own savings.

More here.

(Props, techdirt.com.)

U.S. Politicians Weigh Renewal of Net Access Tax Ban

Anne Broache writes on C|Net News:

With only months left on a moratorium restricting state governments from taxing Internet access, the U.S. House of Representatives on Tuesday began a debate over whether the ban should be made permanent or allowed to lapse.

At issue is the scheduled expiration on November 1 of a law, initially enacted in 1998, that says local governments generally cannot tax Internet access, including DSL (digital subscriber line), cable modem and BlackBerry-type wireless transmission services. The law also prohibits governments from taxing items sold online in a different manner than those sold at brick-and-mortar stores, but it does not deal with sales taxes on online shopping.

That's the way it should remain, some politicians said at a brief hearing here convened by a House of Representatives panel on commercial and administrative law.

More here.

UK: Telegraph Floored by DDoS Attack

John Leyden writes on The Register:

The website of UK broadsheet the Daily Telegraph is returning to normal after a sustained denial of service attack left the site intermittently unavailable over the last two days.

Unknown hackers bombarded the telegraph.co.uk with thousands of spurious requests from around 9am yesterday morning. The site was largely unavailable but returned to service at around 11am today before dropping offline at 2pm and returning later this afternoon. Such a pattern is not unusual for denial of service attacks as hackers vary patterns of attack while defenders establish defences designed to offload spurious traffic.

More here.

Computer Hacker Gains Access To University of Colorado Students' Personal Info

Via TheDenverChannel.com.

The names and Social Security numbers of thousands of students at the University of Colorado Boulder have been exposed by a computer hacker, the university announced Tuesday.

A school official in Boulder say a computer worm attacked a computer server used by the College of Arts and Sciences. The hacker was then able to have access to the vital information for 45,000 students who were enrolled at CU Boulder from 2002 to the present.

IT security investigators said they do not believe the hacker who launched the worm was looking for personal data, but rather was attempting to take control of the machine to allow it to infiltrate other computers both on-and-off campus.

CU said a series of human and technical problems led to the security breach. All students whose information was exposed are being notified by letters sent to their homes.

The hack was discovered May 12. IT security investigators said that the worm entered the server through a vulnerability in its Symantec anti-virus software, which had not been properly patched by Arts and Sciences Advising Center IT staff.

More here.

(Props, Data Loss Mailing List.)

UK: Spammers Plunder Plusnet e-Mail

Via The BBC.

Customers of UK net provider Plusnet have been told to change the password for their account following a break-in by malicious hackers.

In the attack, the hackers gained control of a Plusnet's mail server and stole a list of e-mail addresses.

Spammers used the list to deluge Plusnet customers with junk mail. Some customers may also have been exposed to a computer virus.

Plusnet shut down its webmail system while it tried to remedy the problem.

Some customers of Plusnet started getting a lot more junk e-mail in mid-May following the successful attack early in the month.

More here.

Monday, May 21, 2007

Gapingvoid: Job One

Via gapingvoid.com. Enjoy!

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Monday, May 21, 2007, at least 3,422 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,780 died as a result of hostile action, according to the military's numbers.

The AP count is 20 higher than the Defense Department's tally, last updated Monday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Score Card on ICANN Board and How DotCom Savvy They Are

Jay Westerdal writes on the Domain Tools Blog:

The ICANN Board controls the Internet. So you would think they were more DotCom savvy but that is not the case. We looked at the Board Member’s names and found that most of the board didn’t even own their own name. There were a few exceptions but overall we gave the board a grade of “D” on being DotCom Savvy.

Joichi Ito (AKA “Joi Ito”) was the most dotcom savvy person on the board, He owns his last name dotcom and his firstname+lastname+dotcom, I think Joi picked up his name in a pool .com drop auction. I would safely say Ito understands domain names far better then most of his fellow board members.

As of this post, every last name of a board member is gone. However while researching for this story I registered the last names of Wodelet, Getschko, and Rionge. I gave those board members failing marks because their last name was available and they had failed to register it. (As a side note, they are free to have their name from me, I just wanted to safe gaurd it before posting).

I gave failing grades to Vint Cerf and Paul Twomey because a domainer, Paul Gordon, bought their names and pointed them to ICANN Watch. I have to say that is funny but also sad. Francisco da Silva also got a failing grade because his name is currently being Domain Tasted.

More here.

Off Beat: Leaked British Plan Would Turn Doctors, Social Workers Into Police Informants

Andrew Heining writes on csmonitor.com:

The British government is weighing a plan that would require civil servants – including social workers and doctors – to report people deemed likely to commit acts of violence in the interest of stopping crimes before they are committed, according to a leaked official document.

The Times of London reports that the British Home Office's internal document on "multi-agency information sharing" – which the newspaper received from a senior British official – would allow government agencies better access to information on potential threats.

More here.