Saturday, July 21, 2007

Brazilian Radar Outage Forces Flights Back to U.S.

An AP newswire article, via MSNBC, reports that:

A radar failure over the Amazon forced Brazil to turn back or ground a string of international flights Saturday, deepening a national aviation crisis just hours after the president unveiled safety measures prompted by the country’s deadliest air disaster.

Further shaking Brazilians’ confidence, authorities said they had mistaken a piece of the fuselage from Tuesday’s accident for the flight recorder and sent it to a laboratory for analysis.

The radar outage from midnight to 2:30 a.m., which Brazilian media said was apparently caused by an electrical problem, forced numerous planes heading to Brazil to return to their points of origin and make unscheduled landings at airports from Puerto Rico to Chile.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Saturday, July 21, 2007, at least 3,631 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,977 died as a result of hostile action, according to the military's numbers.

The AP count is 10 more than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Building in Dubai is Now the World's Tallest


An AP newswire article by Barbara Surk, via The Boston Globe, reports that:

Developers of a 1,680-foot skyscraper still under construction in oil-rich Dubai claimed Saturday that it has become the world's tallest building, surpassing Taiwan's Taipei 101 which has dominated the global skyline at 1,667 feet since 2004.

The Burj Dubai is expected to be finished by the end of 2008 and its planned final height has been kept secret. The state-owned development company Emaar Properties, one of the main builders in rapidly developing Dubai, said only that the tower would stop somewhere above 2,275 feet.

When completed, the skyscraper will feature more than 160 floors, 56 elevators, luxury apartments, boutiques, swimming pools, spas, exclusive corporate suites, Italian fashion designer Giorgio Armani's first hotel, and a 124th floor observation platform.

More here.

Image source: AP / Kamran Jebreili

Africa, Offline: Waiting for the Web


Ron Nixon writes in The New York Times:

Attempts to bring affordable high-speed Internet service to the masses have made little headway on the continent. Less than 4 percent of Africa’s population is connected to the Web; most subscribers are in North African countries and the republic of South Africa.

A lack of infrastructure is the biggest problem. In many countries, communications networks were destroyed during years of civil conflict, and continuing political instability deters governments or companies from investing in new systems. E-mail messages and phone calls sent from some African countries have to be routed through Britain, or even the United States, increasing expenses and delivery times. About 75 percent of African Internet traffic is routed this way and costs African countries billions of extra dollars each year that they would not incur if their infrastructure was up to speed.

Africa’s only connection to the network of computers and fiber optic cables that are the Internet’s backbone is a $600 million undersea cable running from Portugal down the west coast of Africa. Built in 2002, the cable was supposed to provide cheaper and faster Web access, but so far that has not happened.

More here.

Hacker Accesses Personal Information in University of Michigan Databases

Jennifer Dixon writes in The Detroit Free Press:

The University of Michigan has notified 5,500 current and former students that a hacker gained access to personal information on two School of Education databases.

University technology administrators noticed suspicious activity on a server on July 3 and the letters went out July 16.

Kelly Cunningham, a university spokeswoman, said Saturday that the databases contained no financial information, such as credit card numbers, nor did they contain students’ grades. The databases, however, did have names, addresses, some Social Security numbers and some birth dates, and in some cases, the school districts where former students were teaching.

More here.

Quote of the Day: Michael Hampton

"The most important thing to remember is that being innocent will not protect you."

- Michael Hampton, writing on the Homeland Stupidity blog, about "How to stay out of government databases."

Friday, July 20, 2007

Turkish Hackers Deface Ontario's Special Investigations Unit Website

Via CANOE News.

Ontario Special Investigations Unit (SIU) staff in Toronto were working to fix the agency's hacked web site yesterday.

The usual beige, blue and white of the SIU site was replaced by a series of images with the words "Ayyildiz Team" and "Hacked."

SIU spokesman Kaia Werbus said the entire server was affected by the cyber attack. She said the agency was hoping to have the web site operating again last night.

More here.

Gang Kidnaps Gamer to Get Password Using Fake Orkut Date

Jesus Diaz writes on Gizmodo:

An armed gang of four kidnapped one of the world's top RPG gamers after one criminal's girlfriend lured him into a fake date using Orkut, Google's social network. After sequestering him in Sao Paulo, they held a gun against the victim's head for five hours to get his password, which they wanted to sell for $8,000. And yes, the story gets even better.

Surprisingly enough, after five hours the hostage wasn't talking. The group leader had a gun against his head all that time but the guy didn't say a word. At that point, the crooks gave up and decided to let him go. The Brazilian police then caught the four suspects, aged 19 to 27.

More here.

Fifty Cent Sues Advertiser Over Internet Ad


A Reuters newswire article, via TVNZ, reports that:

Rapper 50 Cent on Friday sued Internet advertising company Traffix Inc. for using his image without permission in the graphic Shoot the Rapper ad, which he says promotes violence and threatens his safety.

The lawsuit, filed in New York State Court, seeks a minimum of $1 million in damages.

The Internet ad features a cartoon representation of 50 Cent and the message "shoot the Rapper and you will WIN $5,000 or 5 RINGTONES GUARANTEED," the lawsuit says.

The ad invites the user to use his or her computer mouse to aim and fire at the rapper, a well-known victim of gun violence. If the user fires successfully, the screen becomes bathed in red and the user is redirected to the Traffix website, the lawsuit says.

More here.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Friday, July 20, 2007, at least 3,630 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,977 died as a result of hostile action, according to the military's numbers.

The AP count is nine more than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Many Jihadist Websites Hosted in U.S.

Via UPI.

Many anti-American jihadist Web sites are hosted by servers in the United States, an Israeli expert said this week.

"Islam makes great use of the Internet," Yigal Carmon, president of the Middle East Media Research Institute, a pro-Israel think tank in Washington, told a press conference on Capitol Hill. Carmon previously served as a senior intelligence official in the Israeli Defense Forces for 20 years and as a top counter-terrorism adviser to Israeli prime ministers Yitzhak Shamir and Yitzhak Rabin.

Terrorists in all three of the recent botched terrorist attacks -- the London car bombs, the JFK airport fuel line and the Fort Dix military base in New Jersey -- were inspired by jihadist Web sites, according to MEMRI.

Carmon said that there are countless Web sites, like the one with a caption atop its main page saying "Kill Americans everywhere," that are hosted by American servers in Pennsylvania, Michigan, Texas, Minnesota, Washington and New Jersey.

More here.

SEC Suspends 'Terrorist' Watch List Web Tool

Karey Wutkowski writes for Reuters:

The U.S. Securities and Exchange Commission on Friday suspended its online search tool to help investors identify companies active in "sponsors of terrorism" countries after lawmakers and business groups criticized the site as unfair to some companies.

SEC Chairman Christopher Cox said the agency would revamp the Web site tool so it would more accurately reflect a company's activities in the countries.

The site generated "exceptional public interest" with more than 150,000 hits from June 25 to July 16, and the SEC received both positive and negative comments about it, Cox said in a statement.

Before the tool was removed from the SEC Web site, it could be used to search for companies whose annual reports contained references to business related to Sudan, Syria, North Korea, Iran and Cuba. The countries are designated as "state sponsors of terrorism" by the U.S. State Department.

More here.

Nigerian Kids Browse Porn on Donated Laptops

Future 419'ers?

A Reuters newswire article, via MSNBC, reports that:

Nigerian schoolchildren who received laptops from a U.S. aid organization have used them to explore pornographic sites on the Internet, the official News Agency of Nigeria (NAN) reported Thursday.

NAN said its reporter had seen pornographic images stored on several of the children’s laptops.

“Efforts to promote learning with laptops in a primary school in Abuja have gone awry as the pupils freely browse adult sites with explicit sexual materials,” NAN said.

More here.

Tracking Terrorists with Bio-Goo & Lasers?


Kent Garber writes on Danger Room:

It’s tough keeping track of stuff – especially for the military. Osama is still MIA; missiles are turning up in junk yards; and whatever happened to those damn WMDs?

The Air Force’s proposed fix: Mark those people and things with “taggants” of biological goo – and track 'em with lasers and airplanes.

More here.

Note: That RFID Powder stuff still scares the bejesus out of me, to be honest...

IEEE Will Produce Both 40, 100 Gbps Ethernet Specs

Rick Merritt writes on EE Times:

Engineers struck a consensus this week to pave a road map to both 40 and 100 Gbit/second options for Ethernet networking. The IEEE is expected to set up an official task group to start writing specifications for the data rates starting in March.

In a meeting in San Francisco, the IEEE Higher Speed Study Group decided to support one effort that will draft specifications for 40 and 100 Gbit/s Ethernet. The 100 Gbit/s spec will include versions at 40 and 10 kilometers over single mode fibre, 100 meters over multimode fibre and 10 meters over copper cables.

The 40 Gbit/s proposal mainly backed by companies making data center equipment was the more controversial part of the decision. Just days ago, telecom and networking engineers were at loggerheads over the idea of 40 Gbit/s Ethernet.

More here.

Simpsons Spam and Potter Worms Flood the Web


Rene Millman writes on ITPro Security News:

Spammers and cybercriminals are exploiting movie-goers with junk emails and viruses riding on the back of this summer's blockbusters.

While news of Harry Potter spoilers circulate the internet, spammers are also exploiting interest in the Simpsons Movie out next week. Spam is flooding recipients' inboxes with offers of a $500 (£250) gift voucher to fill out a Simpsons-related online survey.

The email features a picture of Homer sat on his couch wearing a Superman top and underpants. A caption on the picture reads: "Will you go see the movie The Simpsons? Take our short survey now."

More here.

Homeland Insecurity Tech: The Nuclear Loophole: U.S. Still at Risk - UPDATED


Brian Ross reports on ABC News' "The Blotter":

Despite the more than $2 billion spent by the Department of Homeland Security on radiation detection devices, leading scientists tell ABC News the country remains wide open to terrorists who might try to smuggle nuclear material into the country.

In a familiar scene at the port of Los Angeles today, senior U.S. officials demonstrated yet another new, expensive machine that supposedly can detect nuclear material hidden in shipping containers.

The DHS has claimed this device is 95 percent accurate, and today Homeland Security Secretary Michael Chertoff had high praise for it.

Despite Chertoff's praise, a government investigation by the Government Accountability Office (GAO) concluded the new machines "fell far short of the 95 percent level of performance."

More here.

UPDATED: 17:52 PDT: "Radiation Detectors: The Latest Homeland Security Boondoggle".

Is Winning on a Faulty Slot Machine a Crime?!?


An AP newswire article, via Yahoo! News, reports that:

Prosecutors are considering criminal charges against casino gamblers who won big on a slot machine that had been installed with faulty software.

The machine at Caesars Indiana credited gamblers $10 for each dollar they inserted because the software wasn't designed for U.S. currency, state police said. More than two dozen people played the machine before one gambler alerted Caesars employees.

Caesars lost $487,000 on the machine during that time, state police said.

A decision on whether to bring criminal charges could come in a couple of weeks, said John Colin, chief deputy prosecutor for Harrison County. He said "criminal intent" may be involved when people play a machine they know is faulty.

More here.

(Props, /.)

Follow-Up: Duke's iPhone Mystery Reportedly Resolved - UPDATE

John Cox writes on NetworkWorld:

The Duke University wireless problem involving a few Apple iPhones has been resolved, according to Apple. But so far, neither Apple nor Duke has released any details about the cause of, or solution to, a problem that ignited a tidal wave of interest among IT professionals and bloggers on the Internet.

A Duke spokesperson, via e-mail, says “We are still trying to get details about this ourselves.” Whether the “we” referred to Duke’s IT staff or the PR staff was not clear. E-mails to Duke’s CIO and deputy CIO had not yet received a reply. Confirmation of the resolution came via a short e-mail from an Apple spokesperson.

More here.

UPDATE: 16:52 PDT: Cisco confirmed that the networking problem Duke University experienced involving Cisco's wireless network and Apple's iPhone was caused by a Cisco network issue. Cisco says it has worked closely with Duke and Apple to identify the source of the problem.

Quote of the Day: Randy Abrams

"It's not a bad idea. It's just a worthless one."

- Randy Abrams, Director of Technical Education at ESET, commenting on Google's new "cookie expiration policy".


Federal Prosecutor: Cybercrime Is Funding Organized Crime

Sharon Gaudin writes on InformationWeek:

For months now, the feds have said organized crime was moving into the realm of cybercrime, using hackers to run scams and break into systems.

But Assistant U.S. Attorney Erez Liebermann, chief of the computer hacking and intellectual property section in New Jersey's U.S. Attorney's Office, says cybercrime has been so profitable for organized crime that they're now using it to fund the rest of their underground operations.

"In terms of the risks and rewards, there's a higher chance of getting more, financially, using the world of computer crime. Organized crime is realizing this," he said. "We have suspicions of organized crime being behind some cybercrime that we're investigating here. The Attorney General has issued reports about organized crime and terrorist links using computer crime, hacking and intellectual property crimes as a way of raising revenue. It's being used to fund organized crime."

More here.

Newsmaker: DCT, MPack Developer

Robert Lemos writes on SecurityFocus:

In June 2006, three Russian programmers started testing a collection of PHP scripts and exploit code to automate the compromise of computers that visit malicious Web sites.

A year later, the MPack kit has become an increasingly popular tool, allowing data thieves and bot masters to take control of victims' systems and steal personal information. The MPack infection kit has been blamed for hundreds of thousands of compromised computers. And, it's malicious software with a difference: The creators have offered a year of support to those clients from the Internet underground who purchase the software for anywhere from $700 to $1,000.

In late June, SecurityFocus answered an online advertisement for the MPack infection kit, sending an ICQ message to the identifier listed in the ad. A few days later, a person contacted SecurityFocus through ICQ and identified themselves as "DCT," one of the developers of the MPack infection kit. What follows is the result of two weeks of interviews that took place in late June and early July.

More here.

Japan: Policeman Fired After Accidentally Leaking Police Records on P2P Network

Iain Thomson writes on vnunet.com:

A Japanese policeman has been fired after inadvertently leaking thousands of police records over the internet.

The officer, who worked for Tokyo's Metropolitan Police Department, installed a copy of the Winny file sharing application on his work computer.

By not limiting the sharing of files he allowed 6,600 police documents onto the P2P network, including interrogation reports and classified locations of automatic license plate readers.

The authorities have been trying to enforce a ban following a number of similar embarrassing incidents in the past.

More here.

SAIC Warns of Possible Data Breach

An AP newswire article by Donna Borak, via The Washington Post, reports that:

Pentagon contractor SAIC Inc. may have compromised personal information about more than half a million military personnel and their relatives because it did not encrypt data transmitted online.

SAIC said Friday it has not found any evidence that the information, including names, addresses, birth dates, Social Security numbers and health information, was accessed by unauthorized people.

"But we can't rule that possibility out," said Melissa Koskovich, a spokeswoman for SAIC.

SAIC provides technical services for a health benefits program used by active military personnel, retirees and their families.

This is not SAIC's first cyber-security problem.

More here.

(Props, Pogo Was Right.)

Thursday, July 19, 2007

xkcd: Runtime GOTO:




We love xkcd.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Thursday, July 19, 2007, at least 3,628 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,975 died as a result of hostile action, according to the military's numbers.

The AP count is 10 more than the Defense Department's tally, last updated Thursday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Hackers Trip Up Virgin America's First Day of Ticketing

Michael Martinez writes in The Mercury News:

Virgin America's first day of ticket sales Thursday was slowed by apparent hackers flooding the start-up airline's Web site, but officials said they still did a good business with consumers looking to book flights when the carrier takes off next month.

"It's exceeding all our expectations," said spokeswoman Abby Lunardini, who didn't have specific figures on how many bookings were made by day's end.

She said the airline's Web site began to slow around noon, making it difficult for users to purchase tickets online. The airline directed users to call its toll-free number.

More here.

Australia: Turkish Hackers Bring Down Insurer's Site


Asher Moses writes in The Sydney Morning Herald:

Customers of one of Australia's largest insurance companies fear their account information may have been compromised, after its website was hacked by "turkish defacers" this morning.

AAMI, which offers general insurance, is scrambling to find out how a group calling itself the "Ay Yildiz Team" hijacked its website, replacing it with an anti-Israel message.

As of this morning the site was pulled offline for reasons unknown.

"We are Turkish defacers," part of the message read. "Hey Israel don't kill our children."

Searching the group's name, including the name of its apparent leader, "kerem125", reveals a litany of their other hacks, few of which targeted Australian websites.

When contacted at around 10:15am this morning, an AAMI spokesman said he did not know what had happened.

More here.

Note: This illustrates how weak website implementations continue to be a target for the unscrupulous.

Truthiness of the Day: Colbert Puts a Happy Face on the Iraq War



Colbert assumes the role of Tony Snow for the evening and tells us how very well things are really going in Iraq.

Via Crooks and Liars.

FEMA Suppressed Health Warnings for Workers, Katrina Victims


Spencer S. Hsu writes in The Washington Post:

The Federal Emergency Management Agency has suppressed warnings from its own Gulf coast field workers since the middle of 2006 about suspected health problems that may be linked to elevated levels of formaldehyde gas released in FEMA-provided trailers, lawmakers said today.

At a hearing this morning of the House Oversight and Government Reform Committee, investigators released internal e-mails indicating that FEMA lawyers rejected environmental testing out of fear that the agency would then become legally liable if health problems emerged among as many as 120,000 families displaced by Hurricane Katrina who lived in trailers.

More here.

Into The World Of XSS Worms

Rahul Mohandas writes on the McAfee Avert Labs Blog:

XSS worms are becoming more and more sophisticated. Lately there’s been a lot of attention on this POC worm which goes by the name Nduja. The worm spreads by exploiting cross-site scripting vulnerabilities in 4 leading webmail providers.

The life cycle of the Nduja worm is similar to that of a classic e-mail worm, and it is capable of:

  1. Harvesting e-mails present in the Inbox.
  2. Collecting the contacts' e-mail addresses from the address book.
  3. Self-propagating to the contacts.

A recent advancement in this area is the creation of a hybrid worm which involves a client-side and a server-side component. The technology uses XSS tunneling. Portcullis Computer Security have published a whitepaper [.pdf] describing XSS tunneling in detail.

More here.
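A webmail front end that renders stored message bodies as HTML is exactly where a worm like the one described above gets its foothold, so the defensive control is an allow-list sanitiser on the message body before it reaches other users' browsers. The following is an added example, not code from the McAfee post or from any webmail provider; the tag and attribute allow-lists and the sample message are constructed for illustration.

```python
"""Allow-list HTML sanitiser for untrusted webmail message bodies.

Added example, not code from the McAfee post. The allow-lists are
illustrative choices, not any vendor's policy, and the sample message
at the bottom is constructed to exercise the sanitiser.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags a mail client reasonably needs in order to render rich text.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "a",
                "ul", "ol", "li", "blockquote"}
# Attributes permitted per tag; style, class and every on* handler are dropped.
ALLOWED_ATTRS = {"a": {"href"}}
# URL schemes permitted in href; blocks javascript:, data:, vbscript:, etc.
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements whose content is discarded entirely, not merely unwrapped.
DROP_CONTENT_TAGS = {"script", "style"}
VOID_TAGS = {"br"}


def _safe_url(url):
    # Browsers ignore embedded tabs/newlines in URLs, so strip them before
    # looking at the scheme; a relative URL (no scheme) is allowed.
    cleaned = "".join(ch for ch in url.strip() if ch not in "\t\r\n")
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class MailBodySanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=True decodes &lt; and &colon; in text and attribute
        # values, so the checks below see the same bytes a browser would.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag itself, keep its text content
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Re-encode text so decoded entities cannot become markup again.
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; they never reach the rendered page


def sanitize_mail_body(raw_html):
    """Return a rendering-safe HTML fragment for an untrusted message body."""
    parser = MailBodySanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


# Constructed sample: rich text plus the three injection vectors a stored
# XSS payload in a webmail body commonly relies on.
SAMPLE_MESSAGE = (
    '<p>Hi, <b>see this</b>!</p>'
    '<script>alert("worm")</script>'
    '<img src=x onerror="alert(1)">'
    '<a href="javascript:alert(1)">click</a>'
    '<a href="https://example.invalid/doc">safe link</a>'
)

if __name__ == "__main__":
    print(sanitize_mail_body(SAMPLE_MESSAGE))
```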

China's Security Syndrome

Larry Greenemeier writes on InformationWeek:

Chinese businesses have a lot of catching up to do, which might explain why the average percentage of IT budget spent on information security is a whopping 19% in China, as compared to 12% in the U.S. "That's quite an astonishing figure," MacWillson says, adding that the Chinese companies who responded to the survey clearly understand that China is far behind in terms of IT security and are spending to catch up to where they need to be.

This is likely to continue to change as the country's companies seek to do more business internationally. Bank of China, for example, "wants to adopt international standards across everything they do, so they need to adopt the control features of a Western bank," MacWillson says. Chinese businesses are already seeing the effects of this move into mainstream global markets, as 32% of Chinese respondents report having been the victim of a publicized data breach or data loss within the past 12 months, as compared with 6% of U.S. respondents.

More here.

Wednesday, July 18, 2007

Toon of the Day: TUMS




Congress to Examine Google-DoubleClick Deal

Miguel Helft writes in The New York Times:

Google executives are expected to be called to testify before House and Senate subcommittees about the company’s planned $3.1 billion acquisition of DoubleClick, a deal that is already facing close scrutiny from federal antitrust regulators.

Within days of the deal’s announcement in April, companies including Microsoft, AT&T and some in the advertising industry, began to complain that the merger of Google and DoubleClick would limit competition in the online advertising market. Privacy groups, meanwhile, voiced concerns about the deal’s impact on consumer privacy. In May, the Federal Trade Commission began an investigation into the proposed merger.

Now, a subcommittee of the Senate Judiciary Committee is planning to call a hearing to explore the antitrust and privacy issues raised not only by the Google deal but also by recent consolidation in the online advertising market, according to a person familiar with the planned hearing.

More here.

Truth of the Day: As Presented by Tom Tomorrow


Via Salon.com.

Quote of the Day: Brian Trent

"Terrorism will never destroy America. It will come from within. From fear-addicts who have raped the U.S. so much that they should be drawn up on charges of treason. The cowards who want a nanny state to coddle them, hug them, and ultimately contain them in a little crib with bars and monitors and cameras..."

- Brian Trent, writing on Disinformation.

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Wednesday, July 18, 2007, at least 3,620 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,973 died as a result of hostile action, according to the military's numbers.

The AP count is four more than the Defense Department's tally, last updated Tuesday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

U.S. Panel is Expected to Pass Broadcast Indecency Bill

Jim Puzzanghera writes in The Los Angeles Times:

The battle over dirty words shifts back to Congress on Thursday.

A committee is expected to pass legislation authorizing regulators to enforce a nearly zero-tolerance policy on the broadcast of certain expletives that was struck down last month.

The bill would give the Federal Communications Commission explicit authority to make "a single word or image" indecent. The FCC ruled in March 2006 that almost any use of the "F word" or "S word" was indecent, even in live, unscripted instances.

Broadcasters sued, saying the FCC had contradicted a long history of exempting so-called "fleeting" uses of the words and were infringing on their First Amendment rights. The 2nd U.S. Circuit Court of Appeals overturned the policy, ruling narrowly that the FCC had failed to justify it.

Sen. John D. Rockefeller IV, D-W.Va., who has been outspoken about cleaning up the airwaves, wrote the bill to overcome the court ruling.

More here.

All Spammers Go to Hell


Gregory Mone writes on the PopSci Blog:

At a security conference in London this week, a former professional spammer talked about his five-year stint dodging email filters, pushing through unwanted advertisements for porn, casinos and more. The man, who identified himself as “Ed” but says he also goes by the name SpammerX, says he made between $10,000 and $15,000 a week in the dirty business—nearly half-a-million dollars in a single year. And yes, he does think he’s going to hell for his actions.

He revealed a few details about how he worked his way around different security systems, tricking them with images that made his emails seem legit, for instance. But the more chilling revelation was his outlook for the future. Unfortunately, he does not think spam is going away.

More here.

FBI Unit That Lied To Get Phone Records Now Wants $5 Million To Pay Snooping Telecoms

Ryan Singel writes on Threat Level:

An FBI unit reportedly facing a criminal investigation for abusing the Patriot Act is asking Congress for $5.3 million in 2008 to continue paying three telecommunications companies to store Americans' phone and internet records for years and to provide instantaneous access. The Justice Department has long been pushing telecommunications companies to retain phone and internet records for longer periods of time, and the contracts largely achieve the FBI's goals.

The contracts, which originally included AT&T, Verizon and MCI, were first revealed after the Justice Department's Inspector General put out a report showing that a key anti-terrorism office was getting phone records from telecoms with letters that included knowingly false statements. Verizon purchased MCI in 2006, and the identity of the third phone company is not public. The Justice Department has refused to respond to Wired News' open government request for the contracts.

The Telecommunications Data Collection Center now wants to pay each company $1.8 million annually to develop databases that keep "at least two years' worth of network calling records." Additionally, the funds would guarantee that each company would "provide a dedicated on-site employee to process the exigent lawful requests for data."

More here.

Security Weaknesses Jeopardize DHS Financial Data

Alice Lipowicz writes on Washington Technology:

Continued weaknesses in IT controls at the Homeland Security Department are threatening efforts to maintain the integrity of financial data within the department, according to a new report [.pdf] released by the department’s Inspector General Richard L. Skinner.

The 154-page Information Technology Management Letter for the fiscal 2006 DHS Financial Statement Audit is a redacted version of an audit of IT control systems in the financial processing environment at DHS.

More here.

Another Crack in the RFID Armor

Allan Holmes writes on GovExec:

More criticism of Radio Frequency Identification (RFID) technology comes today in an article posted by EETimes, the electronics industry's newspaper. The article takes the Homeland Security Department to task for using RFID technology for its Pass Card, which people crossing the Canadian and Mexican borders will eventually use as outlined under the Western Hemisphere Travel Initiative. Readers will be able to read the card up to 30 feet away.

"DHS plans to offer 'privacy protection' by placing a unique ID number on the card and using the number to retrieve personal information (a photograph and demographic information) from a central database when the card is used at a border crossing," according to the article. "This effectively means that Pass Card holders' identification number can be stolen from a distance with relative ease. A stolen ID number can be programmed on a blank chip or programmed in an RFID reader, with the reader then acting like a chip by spitting out the false ID number."

At least one government agency, the U.S. Army, seems to be having second thoughts about the value of RFID, as Government Executive's Bob Brewin reported last week.

More here.
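The article's objection is that a number simply broadcast by the card can be captured from a distance and played back from a blank chip or a reader posing as a chip. A challenge-response card addresses that replay problem, and the model below contrasts the two designs. It is an added example, not code from the EE Times or GovExec articles and not the actual Pass Card protocol; the card identifier `PASS-0000001`, the per-card key and the HMAC-based exchange are constructed for illustration.

```python
"""Static RFID identifier versus challenge-response: a replay model.

Added example, not from either article. Card data and keys are constructed;
the protocol is a generic HMAC challenge-response, not any real border-card
design.
"""
import hashlib
import hmac
import secrets


class StaticIdCard:
    """A tag that answers every reader with the same identifier."""
    def __init__(self, card_id):
        self.card_id = card_id

    def respond(self, _challenge=None):
        return self.card_id


class StaticIdReader:
    """Admits any card whose broadcast number is in the back-end database."""
    def __init__(self, known_ids):
        self.known_ids = set(known_ids)

    def admit(self, card):
        return card.respond() in self.known_ids


class ReplayDevice:
    """A blank chip (or a reader acting as a chip) loaded with a response
    captured earlier; it repeats that response whatever it is asked."""
    def __init__(self, captured):
        self.captured = captured

    def respond(self, _challenge=None):
        return self.captured


class ChallengeResponseCard:
    """Holds a per-card secret that is never transmitted. It answers a reader's
    fresh nonce with a MAC over that nonce, so yesterday's answer proves
    nothing today. Note the identifier itself is still sent in the clear, so
    this fixes replay, not the tracking concern the article also raises."""
    def __init__(self, card_id, key):
        self.card_id = card_id
        self._key = key

    def respond(self, challenge):
        mac = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return self.card_id, mac


class ChallengeResponseReader:
    def __init__(self, key_db):
        self.key_db = key_db  # card_id -> key, held in the back-end database

    def admit(self, card):
        challenge = secrets.token_bytes(16)  # fresh per transaction
        card_id, mac = card.respond(challenge)
        key = self.key_db.get(card_id)
        if key is None:
            return False
        expected = hmac.new(key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)  # constant-time compare


def demo():
    """Return (static_replay_admitted, cr_genuine_admitted, cr_replay_admitted)."""
    card_id = b"PASS-0000001"          # constructed identifier
    key = secrets.token_bytes(32)      # constructed per-card secret

    # Static design: one read from a distance is enough to be admitted later.
    static_reader = StaticIdReader([card_id])
    sniffed = StaticIdCard(card_id).respond()
    static_replay_admitted = static_reader.admit(ReplayDevice(sniffed))

    # Challenge-response design: the genuine card passes, a replay does not,
    # because the reader's nonce differs on every transaction.
    cr_reader = ChallengeResponseReader({card_id: key})
    genuine = ChallengeResponseCard(card_id, key)
    cr_genuine_admitted = cr_reader.admit(genuine)
    captured = genuine.respond(secrets.token_bytes(16))  # eavesdropped exchange
    cr_replay_admitted = cr_reader.admit(ReplayDevice(captured))

    return static_replay_admitted, cr_genuine_admitted, cr_replay_admitted


if __name__ == "__main__":
    print(demo())  # prints (True, True, False)
```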

Key Senate Committees Threatening to Shelter Telcos for Illegal Spying

Via EFF DeepLinks.

With your help, we've made significant progress in pressuring Congress to scrutinize the NSA spying program. But the fight is far from over -- in fact, the chairmen of the Senate Intelligence and Judiciary Committees are reportedly considering proposals that could let telco giants like AT&T off the hook for their role in the surveillance. Take action now and help stop the illegal spying.

In January 2006, EFF filed suit against AT&T for violating its customers' privacy and helping the NSA spy on millions of Americans' telephone and Internet communications. Recently, Congress finally made some strides towards checking the president's power, with the Senate Judiciary Committee issuing subpoenas to the Bush Administration for critical information about the surveillance program last month.

But now the Senate Judiciary and Intelligence Committees are in negotiations with the Administration about legislation that could shelter the telcos and threaten cases like ours. This article in The Hill suggests that a bill may start to move forward soon.

Telecommunications carriers' adherence to the law is the biggest practical check that we have against illegal government surveillance, and EFF strongly opposes any legislation that would deprive Americans of the remedies to which they are entitled.

More here.

Concerns Surface Over Computer System Used to Fight Meth

An AP newswire article by Samira Jafari, via the Star-Telegram.com, reports that:

Detective Brian Lewis returns to his desk after lunch, scanning e-mails he missed.

One catches his eye: It says a suspected member of a methamphetamine ring bought a box of Sudafed at 1:34 p.m. at a CVS pharmacy.

Minutes later, Lewis is in his truck, circling the parking lot, searching for the woman.

Lewis did not find her that day, but the scenario illustrates the way law enforcement is increasingly relying on computerized tracking systems in their fight against meth, an illegal drug that is often brewed in makeshift labs and has become a particular scourge in Appalachia and the Midwest.

More here.

(Props, Pogo Was Right.)

Media Activists Express Concern Over New Thai Cyber Law

An AFP newswire article, via Yahoo! News, reports that:

Thai police will be able to seize computers from homes and businesses under a new cyber-crime law that came into force Wednesday, which authorities say will help crack down on Internet pornography.

The Computer-related Crimes Act allows authorities to seize computers if they suspect they will be used illegally, but media rights activists say the law will allow the government to invade people's privacy.

More here.

ChoicePoint: The Private Spy Among Us

Shane Harris:

To help the government track suspected terrorists and spies who may be visiting or residing in this country, the FBI and the Defense Department for the past three years have been paying a Georgia-based company for access to its vast databases that contain billions of personal records about nearly every person -- citizens and noncitizens alike -- in the United States.

According to federal documents obtained by National Journal and Government Executive, among the services that ChoicePoint provides to the government is access to a previously undisclosed, and vaguely described, "exclusive" data-searching system. This system in effect gives law enforcement and intelligence agents the ability to use the private data broker to do something that they legally can't -- keep tabs on nearly every American citizen and foreigner in the United States.

More here.

UK: Police Gain Data Protection Exemption for London Surveillance

Via OUT-LAW.com.

Police in London have been granted exemption from the Data Protection Act to track the city's motorists. The Home Office has granted The Metropolitan Police full, real time access to surveillance footage from London's congestion system cameras.

In order to operate the congestion charge which operates in central London there is a ring of cameras in the city centre fitted with automatic number plate recognition (ANPR) technology.

Police were previously able to request specific footage from those cameras for reasons of national security. The Home Office has just said that police can monitor that footage and vehicle movement in real time without their activities being subject to the Data Protection Act (DPA).

Home Secretary Jacqui Smith has signed a certificate of exemption from the DPA that allows congestion system operator Transport for London (TfL) to pass data on to the police as long as it is for the protection of national security. The Act contains provisions for exemptions for the safeguarding of national security.

More here.

Pinch: The Trojan Creator


Luis Corrons writes on the PandaLabs Blog:

Some time ago, we talked to you about malware prices, HTTP botnets, etc. Today I will show you the level Trojan creators have reached and the way in which some of them launch their creation ‘builders’, authentic centers for designing and creating totally customizable Trojans. And this is where Pinch comes in.

It is a tool for creating Trojans which allows: defining the actions for the Trojan to take, packing the executable file to make its detection more difficult, disabling specific ‘annoying’ services such as those of antiviruses…

Among the tools for creating viruses, Trojans, etc. this might be the most commonly used, distributed and sold, given its ease of use due to a very intuitive interface. This allows malicious attackers to have an executable ready to infect, steal, spread, etc. in a few minutes. Consequently, it causes victims serious problems without them even realizing, until it is too late and they have to face the financial consequences.

More here.

Image source: PandaLabs

Courts Should Shield Web and E-Mail Data From Nosy Cops

Jennifer Granick writes on Wired:

For much of human history, we have been able to conduct our private lives separately from our public ones. Upstanding, productive citizens during the day, we were free to be seditious, depressed or kinky by night. However, the computers we use in our homes during those private hours create and preserve evidence of our interests, relationships and beliefs, blurring the line between private and public.

Congress and the courts have responded by giving privacy protection to the contents of communications, including phone calls and e-mail messages, but denying strong protection to transactional information like phone numbers dialed and websites visited. Two recent Fourth Amendment cases illustrate that we need to understand that internet-use records are more like mind readers than phone bills if we are to retain any privacy in our communications.

More here.

FBI's Secret Spyware Tracks Down Teen Who Made Bomb Threats

Kevin Poulsen writes on Wired News:

FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News.

The court filing offers the first public glimpse into the bureau's long-suspected spyware capability, in which the FBI adopts techniques more common to online criminals.

The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment.

In an affidavit seeking a search warrant to use the software, filed last month in U.S. District Court in the Western District of Washington, FBI agent Norman Sanders describes the software as a "computer and internet protocol address verifier," or CIPAV.

More here.

Chinese Internet Censors Blamed for Internet Disruptions

Via Reuters.

Internet users and company officials in China on Wednesday blamed a series of disruptions to cross-border email traffic on adjustments to the country's vast Internet surveillance system.

IT company executives offered varying explanations for the email disruptions, but agreed they were not a result of standard technical problems.

China is in the midst of a highly publicized campaign to rein in "unhealthy content" in its rapidly growing Internet, whose rapid spread of information regarding incidents of government corruption and rural unrest not reported in conventional media has alarmed China's stability-obsessed leaders.

More here.

Tuesday, July 17, 2007

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Tuesday, July 17, 2007, at least 3,616 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,969 died as a result of hostile action, according to the military's numbers.

The AP count is three more than the Defense Department's tally, last updated Tuesday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

Ma Bell: Meet the New Boss, Same as the Old Boss


Richard Martin writes on the Over the Air Blog:

Yesterday AT&T said it is ramping up and expanding its bundled landline-plus-wireless service -- known as the Unity Plan, which sounds like the latest Iraq strategy from the Bush White House -- to add more rollover minutes and decrease the service requirements on the plan. That sounds great, but a quick look at the week's news indicates that "the new AT&T" looks a lot like the old Ma Bell in terms of crappy customer service.

Kevin Drum, blogger at the Washington Monthly, has an infuriating-but-hilarious post on his tribulations once he discovered that AT&T had slapped on a bunch of new features to his home phone service: "To recap: AT&T switched my service without telling me; added some new features I didn't want; hung up the first two times I called; was flatly unable to figure out who in their vast empire I needed to talk to on the third try; eventually told me there was no way to eliminate a feature unless I wanted to pay more; and then told me that sometime soon I wouldn't be able to use my fax machine anymore."

More here.

Google Changes Cookie Policy But Privacy Effect is Small

Ryan Singel writes on Threat Level:

Google is modifying how it keeps track of users via cookies, by setting cookies to expire in two years if a user doesn't return and auto-extending cookie length for active users, according to a policy change announced by Google's Global Policy Counsel Peter Fleischer on Monday. Currently Google sets their cookies to expire sometime in the 2030s, a time period which Fleischer said was chosen to keep users from losing preferences such as how many search results to see on a page at a random time.

In reality, the change doesn't make much of a difference. People who go two years between Google searches on a given browser will have their old queries de-linked from their new ones. Google users who do not occasionally destroy their cookies will continue to have their entire search history recorded for posterity and potential subpoenas.

More here.

Note: I post this because I'm sick of people saying this is a major privacy "win"... it is not.

Off Beat: TSA Doesn't Like The Looks of iPod Recharger


Via Boing Boing.

Damon Burke wanted to use the recharger he built from a Minty Boost kit to juice up his iPod so he could watch movies on a long flight, but the TSA was afraid it was a bomb designed to blow up the homeland:

I tell him it is a battery charger for my iPod. He asks if I made it myself, to which I reply that I purchased a kit over the internet. He says that he can't let me on the plane with it. I explain to him that I have flown with it 4-6 times a month for a year now and nobody has questioned it. He says, "Not on my watch and not with my people."

He swabs the device and runs it through the calorimeter. Again, no residue.

I ask why it can't be taken on the plane and he said, "Because it looks like an IED."


More here.

Image source: Boing Boing

Intelligence Designs: Able Danger

Shane Harris:

In the spring of 2000, a year and a half before the 9/11 attacks, Erik Kleinsmith made a decision that history may judge as a colossal mistake.

Then a 35-year-old Army major assigned to a little-known intelligence organization at Fort Belvoir in Virginia, Kleinsmith had compiled an enormous cache of information -- most of it electronically stored -- about the Al Qaeda terrorist network. It described the group's presence in countries around the world, including the United States.

It was of great interest to military planners eager to strike the terrorists' weak spots. And it may have contained the names of some of the 9/11 hijackers, including the ringleader, Mohamed Atta.

The intelligence data totaled 2.5 terabytes, equal to about 12 percent of all printed pages held by the Library of Congress. Neither the FBI nor the CIA had ever seen the information. And that spring, Kleinsmith destroyed every bit of it.

Why did he do that? And how did a midlevel officer in a minor intelligence outfit obtain that information in the first place? Those questions lie behind the latest phase of a simmering controversy in Washington: whether something could have been done to prevent the terror attacks of September 11.

More here.

Note: Shane Harris writes feature and investigative stories about intelligence, homeland security, and counterterrorism. He is a staff correspondent for National Journal, and writes for other national publications and frequently speaks to the public and the news media. More here.

U.S. House Proposal Would Imprison SSN Fraudsters

Anne Broache writes on the C|Net News Blog:

A sweeping attempt at curbing use of Social Security numbers by the government and the private sector has just emerged in the U.S. Congress.

Reversing a frequent trend of new bills sitting around for a while, this one is already scheduled to go up for a preliminary vote in the House of Representatives Ways and Means Committee on Wednesday. The idea, framed as necessary to reduce instances of identity theft, is nothing new.

More here.

Data-Stealing Trojan Disclosure Frustrates Researchers, Vendors, and Law Enforcement

Larry Greenemeier writes on InformationWeek:

There are two questions in the realm of IT security that simply won't go away: Can cybercrooks successfully attack at will, and are those who report the details of these attacks causing more harm than good?

The revelation earlier this week by a security vendor and research firm that a Trojan-horse may have stolen sensitive information from hundreds of businesses and government entities has revived this heated debate.

More here.

Breach, Undetected Since 2005, Exposes Data on 27k Kingston Customers

Jaikumar Vijayan writes on ComputerWorld:

A September 2005 security breach that remained undetected until "recently" may have compromised the names, addresses and credit card details of roughly 27,000 online customers of computer memory vendor Kingston Technology Company Inc.

The Fountain Valley, Calif.-based company began sending letters to affected customers informing them of the incident last week.

According to a spokesman, Kingston's IT team "detected irregularities" in the company computer systems at some unspecified point in time and -- along with a team of forensic computer experts -- began investigating the issues. It was not until after that probe was completed and a final report released on May 22 that Kingston could confirm the scope of the intrusion and its impact.

More here.

Quote of the Day: Andy Borowitz




"Elsewhere, China announced plans to send a new brand of rat poison to the United States under the name 'Delicious Cupcakes'."

- Andy Borowitz, writing in his regular satirical column on Newsweek.com.


Denial of Service Attacks: Diverting Dangerous Traffic

Jessica Twentyman writes on FT.com:

When it comes to dealing with denial of service (DoS) attacks, Adrian Asher is an expert. As head of security at online gaming company BetFair, he has successfully thwarted numerous attempts to bring down the company's website with the vast floods of bogus traffic associated with DoS attacks - but the cost of that achievement, he says, has been considerable.

"We've invested huge amounts in security and availability, in everything we need to ensure that uptime for our site is as close to 100 per cent as possible," he says. "We've got multiple levels of firewall, enormous amounts of network bandwidth and numerous highly specialised devices designed to alert us to, and protect us from, denial of service attacks."

Mr Asher also has a "huge" team of in-house security specialists at his disposal, who spend their working lives analysing internet traffic, identifying deviations from the norm and dealing with them immediately. While he declines to say exactly how many people are in that team, he claims that it is bigger than IT security teams at some of the big banks he has worked at in the past.

More here.

Image of the Day: More Cowbell



Via Military Motivator.

Microsoft Patents The Mother of All Adware Systems

John McBride writes on ARS Technica:

It's such a tremendously bad idea that it's almost bound to succeed. Microsoft has filed another patent, this one for an "advertising framework" that uses "context data" from your hard drive to show you advertisements and "apportion and credit advertising revenue" to ad suppliers in real time. Yes, Redmond wants to own the patent on the mother of all adware.

The application, filed in 2006, describes a multi-faceted, robust ad-delivering system that lives on a "user computer, whether it's part of the OS, an application or integrated within applications."

More here.

Be The Bot: Spoofing Googlebot

Sean Michael Kerner writes on internetnews.com:

It crawls the Web without malice seeking out every possible bit of content. Its name is Googlebot, and sometimes it gets to see things on the Web that the rest of us don't.

Unless of course you pretend to be Googlebot.

Superficially spoofing Googlebot, Google's Web crawler, is not a difficult thing to do and was recently the subject of a very popular post on the Digg site. Since at least September of 2006 however, Google has made efforts to help webmasters protect themselves against spoofed Googlebots. That doesn't mean people still aren't trying to be Googlebot, if the popularity of the Digg post is any indication.

More here.
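Kerner notes that Google has, since 2006, helped webmasters protect themselves against spoofed Googlebots; Google's documented method is a reverse DNS lookup on the client address followed by a forward lookup of the resulting name. The following is an added example, not code from the article or from Google, that implements that check over web server log lines; the resolver functions are injectable so the constructed sample records (RFC 5737 documentation addresses and made-up PTR names) run offline, while the `system_*` functions use the OS resolver for real traffic.

```python
import re
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# Google's published guidance has Googlebot PTR names ending in this domain
# (assumption: extend the tuple if Google documents further domains).
TRUSTED_SUFFIXES = (".googlebot.com",)
# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"$')
ReverseResolver = Callable[[str], Optional[str]]
ForwardResolver = Callable[[str], List[str]]


def system_reverse(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver; None when no record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(host: str) -> List[str]:
    """A-record lookup through the OS resolver; empty list on failure."""
    try:
        return socket.gethostbyname_ex(host)[2]
    except socket.gaierror:
        return []


def verify_googlebot(ip: str, user_agent: str, reverse: ReverseResolver = system_reverse,
                     forward: ForwardResolver = system_forward) -> Tuple[bool, str]:
    """Return (verified, detail). The User-Agent is never trusted on its own: the IP
    must reverse-resolve to a Google name AND that name must resolve forward to the
    same IP, because the PTR record is controlled by whoever owns the address block."""
    if "googlebot" not in user_agent.lower():
        return False, "user-agent does not claim to be Googlebot"
    host = reverse(ip)
    if host is None:
        return False, "no PTR record for %s" % ip
    host = host.rstrip(".").lower()
    if not host.endswith(TRUSTED_SUFFIXES):
        return False, "PTR %s is not under a trusted domain" % host
    if ip not in forward(host):
        # A spoofer can publish a Google-looking PTR for its own address block, but
        # cannot make Google's authoritative DNS answer for that name with its IP.
        return False, "forward lookup of %s does not return %s" % (host, ip)
    return True, host


def audit_log(lines: Iterable[str], reverse: ReverseResolver = system_reverse,
              forward: ForwardResolver = system_forward) -> Dict[str, str]:
    """Map each client that claims to be Googlebot to 'verified' or 'spoofed'."""
    results: Dict[str, str] = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and "googlebot" in m.group(2).lower():  # ignore lines that make no claim
            ok, _ = verify_googlebot(m.group(1), m.group(2), reverse, forward)
            results[m.group(1)] = "verified" if ok else "spoofed"
    return results


# --- Constructed sample DNS data and log lines (RFC 5737 documentation addresses) ---
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",      # consistent both ways
    "198.51.100.7": "crawl-198-51-100-7.googlebot.com.",  # PTR claims Google, forward disagrees
    "203.0.113.5": "host5.attacker.example.",             # PTR under a non-Google domain
}
FAKE_A = {"crawl-192-0-2-10.googlebot.com": ["192.0.2.10"], "host5.attacker.example": ["203.0.113.5"]}
fake_reverse = FAKE_PTR.get
fake_forward = lambda host: FAKE_A.get(host, [])  # noqa: E731

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jul/2007:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "%s"' % GOOGLEBOT_UA,
    '198.51.100.7 - - [16/Jul/2007:10:00:02 +0000] "GET /members/ HTTP/1.1" 200 5120 "-" "%s"' % GOOGLEBOT_UA,
    '203.0.113.5 - - [16/Jul/2007:10:00:03 +0000] "GET /members/ HTTP/1.1" 200 5120 "-" "%s"' % GOOGLEBOT_UA,
    '203.0.113.9 - - [16/Jul/2007:10:00:04 +0000] "GET / HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (X11; Linux)"',
]
```

Running `audit_log(SAMPLE_LOG, fake_reverse, fake_forward)` marks only the first address as verified; the second fails because the Google-looking name does not resolve back, and the third because its PTR is under a foreign domain.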

Hackers Breach Western Union Database

Chuck Bennett and C.J. Sullivan write in The New York Post:

Hackers raided a poorly secured Western Union database and stole the personal data of more than 20,000 customers, including 1,300 New Yorkers, the wire-transfer company admitted yesterday.

The thieves got names, addresses, phone numbers and complete credit-card information after a breach sometime in late May, according to a letter sent to customers by James Keese, Western Union's privacy officer.

The data was held in an "offline" file not accessible through westernunion.com, said company spokeswoman Sherry Johnson.

"We are not aware of any ID theft or any kind of fraudulent use that was made from this information," she said and added that the FBI is investigating the incident.

The company began sending out letters warning customers of the breach on July 6.

More here.

(Props, Pogo Was Right.)

Hackers Steal Government, Corporate Data from PCs


Via Reuters.

Hackers stole information from the U.S. Department of Transportation and several U.S. corporations by seducing employees with fake job-listings on ads and e-mail, a computer security firm said on Monday.

The list of victims included several companies known for providing security services to government agencies.

They include consulting firm Booz Allen, computer services company Unisys Corp., defense contractor L-3 Communications, computer maker Hewlett-Packard Co. and satellite network provider Hughes Network Systems, a unit of Hughes Communications Inc., said Mel Morris, chief executive of British Internet security provider Prevx Ltd.

Hewlett-Packard declined comment, while officials with other companies couldn't be reached for comment. A Department of Transportation spokeswoman said the agency couldn't find any indication of a security breach.

More here.

Monday, July 16, 2007

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Monday, July 16, 2007, at least 3,616 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes seven military civilians. At least 2,969 died as a result of hostile action, according to the military's numbers.

The AP count is three more than the Defense Department's tally, last updated Monday at 10 a.m. EDT.

More here.

And as always, cryptome.org keeps a very, very extensive list here, as does the Iraq Coalition Casualty Count website here.

DHS: Lasers and Heart Sensors in the Future of Anti-Terror Screening


Ryan Singel writes on Threat Level:

The cutting-edge tech folks at Homeland Security don't like screening lines that have x-ray machines any more than you do. That's because they see x-rays as something shoe salesmen used to use to measure your foot size. X-rays aren't sexy. Lasers are cooler. Add some machine learning and you might get close to cool enough for these guys.

That’s why the Advanced Research Project Agency (HSARPA) wants to build a system that fuses information from remote eye, heart, breath and brain sensors and laser radar to decide if you are a terrorist before letting you on that flight to Las Vegas. The fuser will be the brains of the Future Attribute Screening Technology Project.

And HSARPA wants the fuser to be a wicked smart learner. The group is so intent on bringing on the future, it is currently soliciting information from outside groups in hopes of making it show up faster.

More here.

Engineers Close in on Source of ISS Computer Crash


Tariq Malik writes on Space.com:

NASA engineers and their Russian counterparts are closing in on the source of a major computer glitch that afflicted the International Space Station (ISS) during last month's shuttle mission to the orbital laboratory.

ISS engineers are eyeing odd readings in cables, as well as corrosion in an electronics box, as a potential culprit for last month's failure of control and navigation computers in the station's Russian segment during NASA's STS-117 construction mission.

"We know something is definitely anomalous in these areas," said Kirk Shireman, NASA's deputy ISS program manager, in a recent mission briefing. "Is that the only problem? We're still looking at that."

The targeted cables and electronics box, known as a BOK 3 unit, both feed into the station's six-computer network governing Russian control and navigation systems, Shireman said.

More here.