Saturday, February 09, 2008

FBI, CIA Recruiting Among Terrorist Sympathizers?

Michael Hampton writes on Homeland Stupidity:

Are you an American terrorist sympathizer but don’t know how to strike back at the Great Satan? Afraid of getting arrested while your plot to blow up something or other is still half-baked?

You don’t have to worry anymore. Now, the Federal Bureau of Investigation and Central Intelligence Agency want to hire you.

More here.

Late Night Flashback: Pink Floyd - Money

The root of all evil.

- ferg

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Saturday, Feb. 9, 2008, at least 3,959 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,220 died as a result of hostile action, according to the military's numbers.

The AP count is five higher than the Defense Department's tally, last updated Friday at 10 a.m. EST.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

'Surveillance-Industrial Complex' Turbo-Charging Government Monitoring

Via the Science Blog.

The government is rapidly increasing its ability to monitor average Americans by tapping into the growing amount of consumer data being collected by the private sector, according to a major report released today by the American Civil Liberties Union.

"The U.S. security establishment is reaching deeper and deeper into our private lives by forcing the corporate sector to inform on the activities of individuals," said Anthony D. Romero, Executive Director of the ACLU. "The government has always recruited informers to help convict criminals, but today that recruitment is being computerized, automated, and used against innocent individuals on a massive scale that is unprecedented in the history of our nation."

The release of the 38-page report, entitled "The Surveillance-Industrial Complex: How the American Government is Conscripting Businesses and Individuals in the Construction of a Surveillance Society," marks the launch of the ACLU's Surveillance Campaign, which is designed to regain consumers' personal privacy rights by mobilizing people to contact prominent companies - such as drugstore chains, insurance companies and retailers - to ask them to take a "no-spy pledge" to defend their customers' privacy against government intrusion. A list of suggested companies for consumers to contact is available online at

More here.

Tech, Media, Telco Companies Stink At Security

David Utter writes on Security Pro News:

The Deloitte survey of technology, media, and telecommunication companies around the world found a distressing mix of overconfidence and underpreparedness for disaster.

And here you thought it was just the New England Patriots showing those tendencies in the Super Bowl.

In the survey, Deloitte found 46 percent of companies did not have any formal information security strategy in place. Yet nearly 70 percent felt very or extremely confident about being ready for external security challenges.

One would think the epic breaches at TJX or CardSystem Solutions would have dispelled overconfident thinking over the past couple of years. Obviously those fiascoes have not made the impact we expected.

More here.

UK: Law Enforcers Call for Central e-Crime Unit

Phil Muncaster writes on SC Magazine Australia/NZ:

Scotland Yard police chief adds voice to growing calls for a new NHTCU-style agency.

A leading internet crime police chief has renewed calls for a dedicated UK police unit to tackle web security threats, reach out to industry and liaise with international law enforcement agencies.

Speaking at the annual Retail Business Show in London this week, detective superintendent Charlie McMurdie, head of e-crime at the Met, argued that policing has not kept up with the rapid pace of change in internet use.

More here.

Friday, February 08, 2008

Late Night Flashback: Tom Petty - You Wreck Me


- ferg

OpenID: Saviour or Fraud?

I don't usually try to be as controversial as this may first appear, but given all of the hoopla over OpenID lately, I'm more than a little alarmed.

Password management has long been the subject of discussion in the security community, and rightly so -- it is important.

It remains the primary "credential" for access to "protected" data. Your data.

Personally, I use RoboForm (in the USB variety) to protect my various passwords, and I use -- what I would consider -- strong passwords: randomized text and numeric values that ensure that they have relatively low chances of being brute-force dictionary cracked.

I highly recommend RoboForm, and by the way, I have no affiliation other than being a satisfied customer. I love it.

Back to OpenID.

What really bothers me (scares me?) about this proposal is the centralized management of access control to your data.

Centralized "management" is bad, when it comes to your sensitive personal data.


Because it can be mismanaged, improperly secured, or secretly divulged to third-parties without your knowledge.

Do you really trust some "trusted" organization with your access control data? Would you give the key of your home to the Post Office (probably a bad example, but you get the idea)?

This just strikes me as a stunningly bad idea all around, regardless of what the popular trade press and it's proponents suggest.

Just a couple of thoughts.

I won't be using it. I don't trust the "powers" in charge of it to "do the right thing".

It makes it easier for the vendors, at the detriment & risk of the consumer.

Most of these vendors have already shown that they cannot be trusted with your personal data.

Until there is a double-blind, cryptographically strong method for password management, forget about it.

- ferg

U.S. Toll in Iraq, Afghanistan

Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Friday, Feb. 8, 2008, at least 3,958 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,220 died as a result of hostile action, according to the military's numbers.

The AP count is four higher than the Defense Department's tally, last updated Friday at 10 a.m. EST.

As of Friday, Feb. 8, 2008, at least 414 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Tuesday at 10 a.m. EST.

Of those, the military reports 282 were killed by hostile action.

More here and here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Time Warner, Yahoo! Team Up to Cybersquat

Via Domain Name Wire.

Time Warner’s Road Runner internet service has teamed up with Yahoo to typosquat on millions of unregistered domain names.

The feature from the two companies is called “Web Address Error Redirect Service” and automatically sends web users to a page full of search ads if they type in a web address that does not exist. It appears to override customer’s own preferences in their browsers for what to do if an address doesn’t exist.

Road Runner isn’t the first ISP to do this. Verizon already does it for some of its customers. Yes, this is hypocritical given that Verizon has sued typosquatters that own misspelled versions of its trademarks.

Major computer manufacturers including Gateway and Dell have similar programs with Google but are managed at the browser level.

Both Dell and Verizon are members of The Coalition of Domain Name Abuse, an organization whose charter is to stop typosquatting and cybersquatting. Yes, that’s hypocritical too.

More here.

Shocker: Bush Administration Appeals Patriot Act Ruling

David Kravets writes on Threat Level:

The Bush administration on Friday appealed a federal court decision [Ferg: again?] declaring as unconstitutional a central provision of the Patriot Act, which Congress quickly adopted after the Sept. 11 terror attacks.

At issue is a September ruling by an Oregon judge who said the Patriot Act gave too much power to the government when it came to snooping on suspected criminals in the United States -- a violation of constitutional search-and-seizure rules.

The administration is asking the San Francisco-based, 9th U.S. Circuit Court of Appeals to overturn U.S. District Judge Ann Aiken. The judge ruled that the Patriot Act made it too easy for the government to secure warrants against criminal suspects from a secret court designed to help the authorities monitor and gather intelligence on terror suspects.

More here.

Ciscso, Harris Team on SMArT-1

Trudy Walsh writes on Washington Technology:

Harris and Cisco are teaming up to speed the installation of Type 1 secure wireless networks for federal intelligence and civilian agencies, company officials announced this week. Type 1 wireless devices meet federal requirements for data confidentiality, user and device authentication and intrusion detection.

The companies will join forces on the Secure Mobile Architecture Type 1 (SMArT-1), a project that will increase the ability of federal agencies to view and share classified data over wireless networks, company officials said.

More here.

ComScore Says 'Researchware' Isn't 'Spyware'

Thomas Claburn writes on InformationWeek:

ComScore chairman and co-founder Gian Fulgoni believes there's a distinction between overt and covert data gathering. Market researchers, he suggests, rely on "researchware," in contrast to criminal researchers who employ "spyware."

"Market research tracking software (we have dubbed it 'researchware') needs to be differentiated from 'adware,' 'spyware,' and 'malware' and should not be treated in the same way as these intrusive and potentially harmful applications," Fulgoni said in a blog post Wednesday. "We must not let the purveyors of spyware -- the rotten apples -- give market researchers a bad name."

Such name calling has significant implications for ComScore's business: using "researchware" to track the actions of its 2 million-person panel of Internet users and mining that data for salable market intelligence. As the company warns in a third-quarter 2007 SEC filing, "Concerns over the potential unauthorized disclosure of personal information or the classification of our software as 'spyware' or 'adware' may cause existing panel members to uninstall our software or may discourage potential panel members from installing our software."

To critics, Fulgoni's attempt to separate "researchware" from "spyware" looks like an effort to divide conjoined twins.

More here.

If it looks like a duck, and walks like a duck, and... -ferg

U.S. Pro Soccer's Online Shoppers Get Kicked By Security Breach

Jaikumar Vijayan writes on ComputerWorld:

A series of SQL injection attacks on servers hosted by a third-party service provider has compromised the personal data of an unspecified number of individuals who had shopped on Major League Soccer's Web site.

The compromised information included names, addresses, credit and debit card data, and passwords, MLS President Mark Abbott said in a letter sent to affected individuals on Feb. 1. is the soccer league's official online store.

The incident was first reported by, a blog that tracks data breaches. The blog site also posted a link to a notice that was sent by to the office of New Hampshire's attorney general, informing the AG of the breach and saying that it affected 169 New Hampshire residents.

More here.

Connecticut Police Sergeant Charged With Computer Crime

Frank Washkuch Jr. writes on SC Magazine US:

A Hartford, Conn., police sergeant has been charged with a computer crime after he allegedly disclosed information from a national law enforcement database to a female friend.

Sgt. Reginald Allen, a 17-year veteran of the city's police force, was arrested Monday and charged with committing a computer crime in the third degree, a felony, by disclosing information he obtained from the National Crime Information Center, a network for federal, state and local law enforcement authorities.

Allen's associate then reportedly used to information to harass her ex-boyfriend's pregnant girlfriend by leaving messages on her work and mobile phones and placing a letter in her mailbox. On one occasion, the woman in possession of the sensitive data claimed to have friends in the Hartford Police Department, according to published reports.

More here.

The Day The Wiretaps Go Dead

Chris Soghoian writes on C|Net's "surveill@nce st@te" Blog:

With all of the attention that the Foreign Intelligence Surveillance Act (FISA) update (and the administration's vigorous attempts to immunize the criminals telcos), it seems like a good time to explore the issues surrounding surveillance and privacy in America today.

While there are so many scary things being done by intelligence and law enforcement, hope is not far away. Easy to use privacy technologies are upon us, and with them, comes a radical shift in the balance of power. As this article will explain, the scalable techniques with which the NSA, FBI and other agencies can spy on innocent Americans may soon be made useless - forcing them to go back to the old school (and labor intensive) black bag job.

More here.

House Leaders Unite to Oppose Immunity for Telecoms


Today, a formidable trio of House Committee Chairmen sent a stern letter to their colleagues urging them to oppose immunity for phone companies that assisted in the NSA's warrantless wiretapping program.

The White House is demanding that immunity for the telecoms be included in Foreign Intelligence Surveillance Act (FISA) legislation pending in Congress. But in today's letter -- written by John Dingell, Chairman of the House Committee on Energy and Commerce; Ed Markey, Chairman of the House Subcommittee on Telecommunications and the Internet; and Bart Stupak, Chairman of the Subcommittee on Oversight and Investigations -- the congressmen argue that the president is creating a "false choice" for lawmakers.

More here.

DHS Appoints Cyber Security Official with Poor Security Record

Kim Zetter writes on Threat Level:

The Department of Homeland Security has appointed an official to head a top cybersecurity position charged with overseeing a new multi-million-dollar national protection plan despite the official's poor security record and ongoing investigations by the FBI and the DHS inspector general into events that occurred previously under his watch, according to Government Executive.

Scott Charbo was formerly the chief information officer for the DHS before his new appointment. Last year the House Homeland Security Committee investigated how he and his staff responded to breaches under his watch and found that he not only failed to properly address threats that occurred but also failed to manage a contractor, Unisys, that is now under investigation for criminal fraud and failure to protect DHS computers from intrusions.

More here.

Gartner Report: Banks Pushing Consumers To Less-Secure Payment Methods

Evan Schuman writes on StorefrontBacktalk:

The major credit card brands—and the banks they work with—do a fine job talking up security when they're at podiums or writing news releases. But when it's a choice between consumer security and lower transaction fees? Faggedaboutit. Fees win out every time.

At least that's one of the core conclusions from a report released Thursday from technology analysis firm Gartner Inc.

With "signature fraud rates ten times higher than PIN debit as of the first quarter 2007," Gartner analyst and report author Avivah Litan said, the banks pushing for the signature-based options has solely a money-making purpose. And consumers, according to the report, aren't buying it.

More here.

Thursday, February 07, 2008

Late Night Flashback: Steve Winwood - Higher Love

Strive for something higher.


- ferg

Verizon Message Service FUBAR

Andrea Chang writes in The Los Angeles Times:

Couldn't get to your voice mail at home or work Wednesday or Thursday -- or leave a message on some phones?

Neither could any other California customers with voice mail on their Verizon Communications Inc. land lines.

A database error in a central server in Ontario froze the software for all 740,000 land-line customers subscribing to Verizon's voice mail early Wednesday, and the state's second-largest telephone company couldn't say late Thursday when the problem would be fixed.

"Unfortunately, it's a huge file and it's taking a long time," said Verizon spokesman Jonathan Davies. "All our resources are deployed, and we'll have it back up as soon as possible."

Most of Verizon's 3 million land-line customers are in Southern California's affluent beach communities and the Inland Empire. The outage did not affect Verizon Wireless customers.

More here.

Quote of The Day: Neal Krawetz

"That Franklin guy was a real troublemaker; he would never get past TSA today."

- My friend and colleague, Dr. Neal Krawetz, writing on the issues surrounding the growing complaints by U.S. citizens and immigrants of excessive or repeated screenings by U.S. Customs and Border Protection agents.

Security Update: Firefox

Get it.

Fixed in Firefox

MFSA 2008-11 Web forgery overwrite with div overlay
MFSA 2008-10 URL token stealing via stylesheet redirect
MFSA 2008-09 Mishandling of locally-saved plain text files
MFSA 2008-08 File action dialog tampering
MFSA 2008-06 Web browsing history and forward navigation stealing
MFSA 2008-05 Directory traversal via chrome: URI
MFSA 2008-04 Stored password corruption
MFSA 2008-03 Privilege escalation, XSS, Remote Code Execution
MFSA 2008-02 Multiple file input focus stealing vulnerabilities
MFSA 2008-01 Crashes with evidence of memory corruption (rv:

- ferg

Republican Lies: The Biggest FISA Bullshit Video EVER

I'm just speechless at the underhanded falsehoods in this RNC sponsored YouTube video, but somehow, I'm not surprised.

It should make you very, very angry at the lies propagated by these people.

My God. They know no shame.

- ferg

Hat-tip: Threat Level

'Server in The Sky' Update: FBI Cheers the Mountaineers

Jill R. Aitoro writes on GovExec's "Tech Insider" Blog:

The Federal Bureau of Investigations is teaming up with West Virginia University in national security efforts using biometric technology. According to a press announcement released yesterday, WVU will serve as the academic arm of the FBI's Biometric Center of Excellence, providing biometrics research support to the FBI and its law enforcement and national security partners.

The center will coordinate biometric and identity management activities within the FBI and partner with other U.S. government agencies to develop and train users on biometric technologies and systems. The goal is to leverage biometric technology in the fight against terrorism and intelligence efforts.

More here.

Antivirus Company's Website Downloads... A Virus

Robert McMillan writes on InfoWorld:

The Web site for Indian antivirus vendor AvSoft Technologies has been hacked and is being used to install malicious software on visitors' computers, security researchers said Thursday.

The download section of AvSoft's S-cop Web site hosts the malicious code, according to Roger Thompson, chief research officer with security vendor AVG. "They let one of their pages get hit by an iFrame injection," he said. "It shows that anyone can be a victim.... It's hard to protect Web servers properly."

The technique used on the site has been seen in thousands of similar hacks over the past few months. The attackers open an invisible iFrame Window within the victim's browser, which redirects the client to another server. That server, in turn, launches attack code that attempts to install malicious software on the victim's computer.

More here.

Distraction: Fergie's Tech Blog 1-2-3 - UPDATE [2]

Threat Level pal Ryan Singel has now sucked me in (involuntarily, I might add) to this "1-2-3 book" meme, which is being described as "...the most annoying thing since email chain letters."

Gee, it's not like I don't have better things to do, Ryan.

But in Ryan's defense, he rightly blames on the folks over at Danger Room for sucking him in.

Only the NSA knows for sure from whence this evil originated...

Here's the deal.

We have been instructed to open the nearest book to page 123, go down to the 5th sentence, and type up the 3 following sentences (or else).

From my bookshelf, I chose Chalmers Johnson's "Nemesis: The Last Days of The American Republic":

"These numbers are probably a significant underestimate. Using methods I shall describe below, the London Times, CBS News's 60 Minutes, and other sources were able to identify at least 600 flights of CIA airplanes to forty different countries, including 30 trips to Jordon, 19 to Afghanistan, 17 to Morocco, 16 to Iraq, with stops in Egypt, Libya, and Guantanamo. Aircraft known to be involved in CIA rendition operations have landed at British airports at least 210 times since 9/11."

And in true "chain letter" tradition, I have to "tag" five people:

I feel completely dirty now.

- ferg

UPDATE: 17:44 PST: Chronicles of Dissent follows suit... -ferg

UPDATE: 17:51 PST, 8 February 2008: Thoughts of a Technocrat ditto. -ferg

RIAA Says Copyright Filters Could Be Put In Anti-Virus Software

Mike Masnick writes on

It's been fairly amazing to watch the entertainment industry act as if every other industry is responsible for protecting its obsolete business model. Amazingly, it's been successful in convincing AT&T that this makes sense, despite the fact that doing so will almost certainly do more harm to AT&T.

However, to its credit, Cary Sherman of the RIAA has said he doesn't think that ISPs should be forced by law to provide these filters. Instead, however, it looks like he's trying to convince other industries to step up and help the entertainment industry as well. His latest, as pointed out by Broadband Reports, is that one possibility would be for anti-spyware/anti-malware applications to also watch for the transfer of unauthorized copyright material. Sherman suggests that this would be one way to get around the question of people simply encrypting traffic to avoid ISP filters.

What's not entirely clear, however, is why security firms would ever want to do such a thing, as it would almost certainly annoy their customers to no end.

More here.

The Storm Worm's Family Tree

Brian Krebs writes on Security Fix:

New research suggests that the infamous Storm worm has its roots in a computer worm that first surfaced as early as 2004, two-and-a-half years prior to Storm's widely-recognized birthday.

The findings come from security researchers at Damballa, a start-up in Atlanta that monitors activity from botnets, large groupings of hacked, remotely-controlled computers that criminals use for spamming and other online illegal activity.

According to the researchers, Storm was born from the ashes of the "Bobax worm," one of the most successful botnet-related computer worms of the past few years. Bobax spread by exploiting various vulnerabilities in the Microsoft Windows operating system, and turned infected machines into spam-spewing zombies. By early 2005, Bobax had spread to hundreds of thousands of PCs, after a highly successful spam campaign that used infected e-mail attachments disguised as pictures purportedly showing Saddam Hussein or Osama Bin Laden captured or dead.

More here.

Clarity Sought on Electronics Searches: U.S. Agents Seize Travelers' Devices

Ellen Nakashima writes in The Washington Post:

Nabila Mango, a therapist and a U.S. citizen who has lived in the country since 1965, had just flown in from Jordan last December when, she said, she was detained at customs and her cellphone was taken from her purse. Her daughter, waiting outside San Francisco International Airport, tried repeatedly to call her during the hour and a half she was questioned. But after her phone was returned, Mango saw that records of her daughter's calls had been erased.

A few months earlier in the same airport, a tech engineer returning from a business trip to London objected when a federal agent asked him to type his password into his laptop computer. "This laptop doesn't belong to me," he remembers protesting. "It belongs to my company." Eventually, he agreed to log on and stood by as the officer copied the Web sites he had visited, said the engineer, a U.S. citizen who spoke on the condition of anonymity for fear of calling attention to himself.

More here.

Also: The Asian Law Caucus (ALC) and Electronic Frontier Foundation (EFF) filed suit today against the U.S. Department of Homeland Security (DHS) for denying access to public records on the questioning and searches of travelers at U.S. borders. Filed under the Freedom of Information Act, the suit responds to growing complaints by U.S. citizens and immigrants of excessive or repeated screenings by U.S. Customs and Border Protection agents.

Late Night Flashback: Alice Cooper - Elected

Man, I loved these guys back in the day.

- ferg

Wednesday, February 06, 2008

White Paper - Internet-Based Counter Intelligence

A White Paper [.pdf] by the Consultants of Matta Security.

A short brief on the easily obtained open-source intelligence methods to obtain information on CIA targets.

Hat-tip: Global Security News

Mark Fiore: Budget Basic Training

By Mark Fiore, via

Enjoy. -ferg

Middle East Internet Submarine Cable Outages Now Affect 85 Million

Tim Conneally writes on

With FLAG telecom now reporting damages to the FALCON undersea cable that actually occurred on January 23, one week before the four publicized cable cuts, experts are now beginning to paint a picture of just how expansive the disruptions have been.

The severence of undersea cables FLAG Europe-Asia and SEA-ME-WE 4 about 8.3 km off the coast of Alexandria, Egypt, affected at least 60 million users in India, 12 million in Pakistan, 6 million in Egypt, and 4.7 Million in Saudi Arabia, according to DU telecom Executive Director Mahesh Jaishanker, in a statement to the United Arab Emirates-based Khaleej Times.

More here.

A Win For Internet Anonymity: California Court Bars Unmasking of Web Critic

Via Reuters.

A California appeals court on Wednesday said an anonymous Internet poster does not have to reveal his identity after being sued for making "scathing verbal attacks" against executives at a Florida company on a Yahoo! Inc message board.

The Sixth Appellate District in Santa Clara County reversed a trial court ruling that would have allowed a former executive at SFBC International Inc to subpoena Yahoo! for the names of her critics.

More here.

Quote of the Day: Stacey Higginbotham

"Personally, my bets are on an angry Kraken."

- Stacey Higginbotham, blogging on GigaOM, regarding the myriad conspiracy theories swirling around so many submarine cable problems in such a short period of time.

Apple Plugs QuickTime Malware Installation Hole

Ryan Naraine writes on eWeek:

The company acknowledges the bug could lead to drive-by malware installations on Windows and Mac machines.

Apple has issued a patch for a high-profile vulnerability in its flagship QuickTime media player, acknowledging that the bug could lead to drive-by malware installations on Windows and Mac machines.

With QuickTime 7.4.1, the company provides cover for a heap buffer overflow in QuickTime's handling of HTTP responses when RTSP (Real Time Streaming Protocol) tunneling is enabled.

Apple warned that malicious hackers could use booby-trapped Web pages to "cause an unexpected application termination or arbitrary code execution."

More here.

CIA Monitors YouTube For Intelligence

Thomas Claburn writes on InformationWeek:

In keeping with its mandate to gather intelligence, the CIA is watching YouTube.

U.S. spies, now under the Director of National Intelligence (DNI), are looking increasingly online for intelligence; they have become major consumers of social media.

"We're looking at YouTube, which carries some unique and honest-to-goodness intelligence," said Doug Naquin, director of the DNI Open Source Center (OSC), in remarks to the Central Intelligence Retirees' Association last October. "We're looking at chat rooms and things that didn't exist five years ago, and trying to stay ahead. We have groups looking at what they call 'Citizens Media': people taking pictures with their cell phones and posting them on the Internet."

More here.

Websense: Streamlined Anti-CAPTCHA Operations by Spammers on Microsoft Windows Live Mail

Via The Websense Security Labs Threat Blog.

Websense Security Labs ThreatSeeker™ technology has discovered that Windows Live Mail accounts have been targeted in recent spammer tactics. In these recent attacks, spammers have managed to create bots that are capable of signing up and creating random Live Mail accounts that could be used for a wide range of subsequent attacks.

Windows Live Mail is a part of the Microsoft Windows Live portfolio of services. It is a free webmail service by Microsoft. It was first announced on November 1, 2005 as an update to the Microsoft MSN Hotmail service. Its worldwide release was on May 7, 2007, and roll-out to all existing users was completed in October 2007.

Websense believes that there are three main advantages to this approach for the spammers. First, the Microsoft domain is unlikely to be blacklisted. Second, they are free to sign up. And third, it may be hard to keep track of them as there are millions of users worldwide using the service.

More here.

FBI's Custom 'CIPAV' Spyware Taken to Secretive Surveillance Court

Kevin Poulsen writes on Threat Level:

The FBI sought approval to use its CIPAV spyware program from the secretive Foreign Intelligence Surveillance Court in terrorism or foreign spying cases, THREAT LEVEL has learned.

As first reported by, the software, called a "computer and internet protocol address verifier," is designed to infiltrate a suspect's computer and collect various information, including the IP address, Ethernet MAC addresses, a list of open TCP and UDP ports, running programs, operating system type and serial number, default browser, the registered user of the operating system and the last visited URL, among other things.

That information is sent covertly to an FBI computer in Quantico, Virginia. The CIPAV then monitors and reports on all the target's internet use, logging every IP address to which the machine connects.

The FBI's use of the technology surfaced in July when Wired discovered an affidavit in an investigation into a series of high school bomb hoaxes in which the bureau traced the culprit using the program.

More here.

Defense Tech: Cyber Sabatoge

Kevin Coleman writes on Defense Tech:

Cyber Sabotage is yet another new wrinkle in the emerging threats from cyber space. Whether delivered over the internet or purposefully installed during the manufacturing process, contaminated hardware or software is now a concern. Sabotage is defined as deliberate and malicious acts that result in the disruption of the normal processes and functions or the destruction or damage of equipment or information.

The Department of Defense operates and estimated 3.5 million PCs and 100,000 local-area networks at 1,500 sites in 65 countries. In one study a common piece of network equipment sold by a US company was found to have nearly 70 percent of the components produced by foreign suppliers. This equipment is critical to our security as well as our economy. If we cannot trust the computer equipment out of the box, then where are we? At this point it would be impractical to validate each and every computer before we place it into operations.

More here.

Adobe Ships Silent Fix for Critical PDF Reader Flaw

Ryan Naraine writes on eWeek:

Adobe patched a gaping code execution hole in Reader but, inexplicably, has issued no public documentation on the risk severity.

Adobe has released a software fix for what's described simply as "security vulnerabilities" in its ubiquitous Adobe Reader program, but has not issued public documentation on the risk severity.

The absence of a bulletin with details and severity ratings has raised eyebrows in the security research community.

The patch, included in Adobe Reader 8.1.2, plugs at least one known critical issue that allows rigged PDF files to be used in code execution attacks, says Kostya Kortchinsky, a vulnerability researcher at Miami, Florida-based Immunity.

More here.

U.S. Intelligence Officials Need to 'Get a First Life'

Robert O'Harrow Jr. writes in The Washington Post:

U.S. intelligence officials are cautioning that popular Internet services that enable computer users to adopt cartoon-like personas in three-dimensional online spaces also are creating security vulnerabilities by opening novel ways for terrorists and criminals to move money, organize and conduct corporate espionage.

Over the last few years, "virtual worlds" such as Second Life and other role-playing games have become home to millions of computer-generated personas known as avatars. By directing their avatars, people can take on alternate personalities, socialize, explore and earn and spend money across uncharted online landscapes.

Nascent economies have sprung to life in these 3-D worlds, complete with currency, banks and shopping malls. Corporations and government agencies have opened animated virtual offices, and a growing number of organizations hold meetings where avatars gather and converse in newly minted conference centers.

Intelligence officials who have examined these systems say they're convinced that the qualities that many computer users find so attractive about virtual worlds -- including anonymity, global access and the expanded ability to make financial transfers outside normal channels -- have turned them into seedbeds for transnational threats.

More here.

Note: Really? I can think of hundreds of more pressing intelligence issues that need attention, guys. Get a First Life. Really. -ferg

Tuesday, February 05, 2008

Off Topic, Right Message: Hold No Level of Fear

Hat-tip: John Hodgman. See also: his Wikipedia entry here. -ferg

Industry Giants Lobby to Kill Pro-Consumer Data-Breach Legislation

Chris Soghoian writes on the C|Net "surveill@nce st@te" Blog:

In a direct slap in the face to consumers, tech industry giants including Microsoft, AT&T, and Verizon are frantically engaged in an effort to kill pro-consumer provisions in a data breach notification bill currently being considered by the Indiana State Senate.

The bill would require that the state attorney general act as a single point of contact for data breaches. Any company that suffered a breach impacting one or more Indiana consumers would be required to notify the AG's office. The bill would also make Indiana the only state in the country to to require the attorney general to post a copy of each report to its Web site--so that consumers, members of the press, and academics would have a single place to go to in order to find out about data breaches.

At a State Senate committee meeting this morning, lobbyist after lobbyist criticized the provision.

More here.

DHS Official Moots Real ID Rules For Buying Cold Medicine

Dan Goodin writes on The Register:

A senior US Department of Homeland Security official has floated the idea of requiring citizens to produce federally compliant identification before purchasing some over-the-counter medicines.

"If you have a good ID ... you make it much harder for the meth labs to function in this country," DHS Assistant Secretary for Policy Stewart Baker told an audience last month at the Heritage Foundation. Cold medicines like Sudafed have long been used in the production of methamphetamine. Over the past year or so, pharmacies have been required to track buyers of drugs that contain pseudoephedrine.

His comment came five days after the agency released final rules implementing the REAL ID Act of 2005 that made no mention of such requirements. It mandates the establishment uniform standards and procedures that must be met before state-issued licenses can be accepted as identification for official purposes.

Beyond boarding airplanes and entering federal buildings or nuclear facilities, there are no other official purposes spelled out in the regulations. And that's just what concerns people at the Center for Democracy and Technology. They say Baker's statement underscores "mission creep," in which the scope and purpose of the REAL ID Act gradually expands over time.

More here.

Federal Buildings Become Real ID Zones

Declan McCullagh and Anne Broache write on C|Net News:

The nation's capital attracts more than 15 million visitors a year, mostly leisure travelers who often make their way to the city's official visitor center, which is conveniently located downtown in a corner of the Ronald Reagan building.

Or was that inconveniently located? Starting May 11, Americans living in states that don't comply with new federal regulations could be barred from entering Washington D.C.'s visitor center and collecting the complimentary maps and brochures--unless they happen to bring a U.S. passport or military ID with them.

That not-very-welcoming rule is part of a 2005 law called the Real ID Act, which takes effect in just over three months. It says that driver's licenses from states that have not agreed to Real ID mandates from the Department of Homeland Security, or which have not requested a deadline extension, can no longer be used to access "federal facilities."

More here.

Image source:

UK: Online Tax System Too Insecure For Rich and Powerful

Robert Winnett writes on The

The security of the online computer system used by more than three million people to file tax returns is in doubt after HM Revenue and Customs admitted it was not secure enough to be used by MPs, celebrities and the Royal Family.

Thousands of "high profile" people have been secretly barred from using the online tax return system amid concerns that their confidential details would be put at risk.

This provoked anger from consumer groups and accountants who said the same levels of security should be offered to all taxpayers regardless of their perceived fame.

More here.

Hat-tip: Schneier on Security

WordPress Ships 'Urgent' Security Update

Ryan Naraine writes on eWeek:

A security hole in the XML-RPC implementation allows unauthorized third parties to edit WordPress-powered blogs.

Blogging software provider WordPress has shipped an "urgent" security update to fix an XML-RPC implementation flaw that allows unauthorized third-party editing of blog posts.

With WordPress 2.3.3, the open-source company patches a bug that could let attackers use specially crafted requests to edit posts of any other user on that blog. An attacker would need valid user credentials to edit posts by another user on the blog, WordPress said in an advisory.

More here.

The Spying Truth: Drift Nets To Be Legalized

Ryan Singel writes on Threat Level:

In a speech decrying an amendment that would require the government to discard non-emergency evidence from spying efforts that violate the law, Senator Jay Rockefeller (D-West Virginia) inadvertently made plain that the proposed changes to the nation's spying laws radically expand how the government wiretaps inside the United States.

The changes aren't about making it easier for the National Security Agency to listen in on a particular terrorism suspect's phone calls. The changes are about letting the nation's spooks secretly and unilaterally install filters inside America's phone and internet infrastructure.

More here.

UK Government Denounces 'Holocaust' e-Mail As Hoax

Via Computerworld UK.

The UK government is taking unprecedented steps to combat an email that has been widely distributed online.

The "Holocaust Ban" email hoax claims that the Holocaust is no longer going to be studied in UK schools because of fears of offending Muslims. Ed Balls, the UK’s secretary of state for children, schools and families, yesterday issued a statement to media and embassies worldwide denouncing the email as a hoax.

Balls said he wanted to "put an end once and for all to the myth" spread by the email. He said teaching the Holocaust remains "non-negotiable” in UK schools.

Part of the chain letter email claims: “This week [the] UK removed The Holocaust from its school curriculum because it ‘offended’ the Moslem population which claims it never occurred. This is a frightening portent of the fear that is gripping the world and how easily each country is giving into it.”

More here.

Super Tuesday: Vote!

Click for larger image.

Get out and Vote!

- ferg

SEC Could Shelve Nacchio Case Due To 'National Security Matters'

Raymond McConville writes on Light Reading:

Federal Magistrate Judge Craig Shaffer has recommended to the Securities and Exchange Commission (SEC) that it drop the civil fraud charges against five former Qwest Communications International Inc. executives including former CEO Joseph Nacchio.

The recommendation comes because the case involves government state secrets -- evidence that's not admissible in a civil court because it would jeopardize national security.

The SEC has agreed to Judge Shaffer's recommendations and now has 30 days to review the case. It could decide to dismiss the case altogether or narrow the charges to Qwest's transactions with private companies.

The information in question involves Qwest's alleged use of capacity swaps to fraudulently boost revenues. The SEC says two thirds of the capacity Qwest purchased in these swaps was not needed. But Nacchio has maintained he had knowledge of lucrative classified government contracts that Qwest was going to land which would have made the excess capacity necessary.

More here.

Note: In other words, the Bush Administration doesn't want Nacchio to upset the apple cart by divulging that his company, Qwest Communications, was approached (and refused to participate without a judicial mandate) to participate in the illegal NSA wiretapping activities which are now being challenged in the courts. -ferg

Dell Suit Reveals Lucrative Domain-Name Trade

Jeremy Kirk writes on PC World:

A civil suit filed in Florida by Dell and its Alienware subsidiary is giving insight into the enormous sums of money that can be made by creating Web pages full of advertising links.

In October, Dell sued a group of domain registrars, alleging the companies bought more than 1,100 domain names with trademark-infringing characteristics, such as "" in order to put advertising links on the pages.

The practice, known as typosquatting, is illegal. It's intended to draw unwitting Web surfers to pages with URLs (uniform resource locators) that are similar to legitimate sites, and then redirect them to other sites. The owners of these Web sites get revenue from advertising referral programs every time a link is clicked.

The defendants -- Belgiumdomains, Capitoldomains, Domaindoorman, Netrian Ventures,, Juan Pablo Vazquez and 10 unnamed defendants -- deny the claims. Dell contends the businesses, most of which are registered outside the U.S., are shell companies engaged in collusion.

More here.

Quote of The Day: Chronicles of Dissent

"Our veterans deserve better than what they’ve gotten."

- The Chronicles of Dissent, on the Bush Administration's efforts to fight a proposed class action suit on behalf of 320,000 to 800,000 veterans or their survivors over mental health care for the veterans returning home from Afghanistan and Iraq.

Monday, February 04, 2008

Late Night Flashback: The Rolling Stones - Far Away Eyes

Rolling into Super Tuesday, this just seems so apropos.


- ferg

Quote of The Day: Kevin Poulsen

"Only the SCADA community could conceive of a mailing list that tries to get you arrested for discussing security issues. And we wonder why SCADA is still insecure."

- Kevin Poulsen, writing on Threat Level.

In Passing: Last Marine In Iwo Jima Flag Photo Dies In Redding, CA


Raymond Jacobs, believed to be the last living Marine photographed during the original flag-raising on Iwo Jima during World War II, has died. He was 82.

Jacobs died Jan. 29 of natural causes at a Redding hospital, his daughter, Nancy Jacobs, told The Associated Press.

Jacobs spent his later years working to prove that he was the radio operator photographed gazing up at the American flag as it was being raised by other Marines over Mount Suribachi on Feb. 23, 1945.

Newspaper accounts from the time show he was on the mountain during the initial raising of a smaller American flag, though he had returned to his unit by the time a more famous AP photograph was taken of a flag-raising re-enactment later the same day.

More here.

Image of The Day: Getting Past Security

Via The Daily WTF.

Abracadabra! Bush Makes Privacy Board Vanish

Ryan Singel writes on Wired News:

The Bush administration has failed to nominate any candidates to a newly empowered privacy and civil-liberties commission. This leaves the board without any members, even as Congress prepares to give the Bush administration extraordinary powers to wiretap without warrants inside the United States.

The failure rankles Sens. Joe Lieberman (I-Connecticut) and Susan Collins (R-Maine), respectively chairman and ranking minority member of the Senate's Homeland Security Committee.

"I urge the president to move swiftly to nominate members to the new board to preserve the public’s faith in our promise to protect their privacy and civil liberties as we work to protect the country against terrorism," Lieberman said in a statement.

"The White House's failure to move forward with appointing the new board is unacceptable, and I call on the administration to do so as quickly as possible to prevent a gap in this vital mission," Collins said in a statement.

More here.

'Server in The Sky' - FBI Wants Palm Prints, Eye Scans, Tattoo Mapping

Kelli Arena and Carol Cratty write on

The FBI is gearing up to create a massive computer database of people's physical characteristics, all part of an effort the bureau says to better identify criminals and terrorists.

But it's an issue that raises major privacy concerns -- what one civil liberties expert says should concern all Americans.

The bureau is expected to announce in coming days the awarding of a $1 billion, 10-year contract to help create the database that will compile an array of biometric information -- from palm prints to eye scans.

More here.

Programming Note: Light Posting Today


- ferg

Sunday, February 03, 2008

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Sunday, Feb. 3, 2008, at least 3,945 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,209 died as a result of hostile action, according to the military's numbers.

The AP count is three higher than the Defense Department's tally, last updated Friday at 10 a.m. EST.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Late Night Flashback: Three Dog Night - Eli's Coming

Congratulations, Eli!

We knew you could do it!

- ferg

User Friendly: The Coming Multi-Layered Doom