Saturday, March 22, 2008

U.S. Toll in Iraq


Via The Boston Globe (AP).

As of Saturday, March 22, 2008, at least 3,996 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,253 died as a result of hostile action, according to the military's numbers.

The AP count is five more than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

The Great Outdoors: A Day on Mt. Diablo, Northern California



We make sure that we get outside as often as we can and enjoy our Mother -- Mother Nature.

And this first weekend of Spring 2008 was a perfect weekend to do it here in Northern California.

Above is a view from the hiking trail on the way up to the summit of Mt. Diablo (in Contra Costa County, California), not far from the South Bay.

It was absolutely gorgeous today -- the weather was phenomenal, and I don't think we could have asked for a better day. We even took some food (and the dogs) and had a picnic.

Mt. Diablo State Park is one of the best kept secrets of the San Francisco Bay area, and we plan to do some camping up there later in the summer.

Cheers,

- ferg

Yahoo! Denies Posting Web Photos of Tibetan Protesters

An AFP newswire article, via PhysOrg.com, reports that:

US Internet giant Yahoo! denied Saturday posting on its websites pictures of 19 people wanted by the Chinese authorities for protesting in the Tibetan capital Lhasa.

"Contrary to media reports, Yahoo! Inc. is not displaying images on its web sites of individuals wanted by Chinese authorities in connection with the recent unrest in Tibet," it said in a statement sent to AFP in Paris.

"We are looking into this matter with Alibaba Group, the company that controls China Yahoo!," the company said.

China on Friday released a list and photos of what it called the 19 most-wanted Lhasa rioters as it vowed to punish those responsible for last week's violence in the Tibetan capital.

The photos, which appeared on top websites in China, were taken from grainy footage shot during the unrest which exploded through the city on March 14.

More here.

Vermont Banks Move to Protect Hannaford Breach Victims

An AP newswire article, via The Boston Globe, reports that:

Vermont banks are scurrying to help consumers put at risk by a supermarket chain's data breach, reissuing cards and monitoring account activity in hopes of protecting them from fraud.

Some are automatically reissuing cards, others are more actively monitoring account activity, using information obtained from Visa and MasterCard about which customers shopped at 14 Hannaford Bros. Co. grocery stores in Vermont.

More here.

Friday, March 21, 2008

New York Turf War Between NYPD and FBI

Dafna Linzer writes in The Washington Post:

Not long after Sept. 11, 2001, as New York City began to build a counterterrorism effort to rival those of most nations, Police Commissioner Raymond W. Kelly decided to put an end to the department's reliance on the FBI for classified data coming in from Washington.

Kelly, who was working to protect the city against another attack, wanted his own access to the stream of threat reporting concerning New York. The solution was to install a classified-information vault, like the FBI's, at the headquarters of the New York City Police Department.

Kelly made the request in the spring of 2002 and waited six years for an answer. After questions from The Washington Post for this story, the FBI said it has decided to approve the vault, a specially designed, guarded room known as a Sensitive Compartmented Information Facility.

No other police department in the United States has responded to the threats of terrorism in quite the same way as the NYPD -- or clashed as sharply with the nation's primary counterterrorism agency, the FBI.

More here.

Absurdity Theater: White House Says It Tossed Computer Hard Drives

An AP newswire article by Pete Yost, via WTOP.com, reports that:

Older White House computer hard drives have been destroyed, the White House disclosed to a federal court Friday in a controversy over millions of possibly missing e-mails from 2003 to 2005.

The White House revealed new information about how it handles its computers in an effort to persuade a federal magistrate it would be fruitless to undertake an e-mail recovery plan that the court proposed.

"When workstations are at the end of their lifecycle and retired ... the hard drives are generally sent offsite to another government entity for physical destruction," the White House said in a sworn declaration filed with U.S. Magistrate Judge John Facciola.

More here.

Hannaford Supermarket Breach Calls PCI Compliance Into Question

Andrew Conry-Murray writes on InformationWeek:

The latest exposure of millions of credit and debit card numbers by Hannaford Bros., a grocery chain with 271 locations in New England and Florida, raises new questions about the value of the credit card industry's controversial security rules, known as PCI. The Payment Card Industry Data Security Standard was put in place by major card brands, including Visa and MasterCard, to ensure that retailers take sufficient steps to protect customers' financial data. More than 3,600 U.S. retailers comply with--or are working to come into compliance with--the PCI program.

But retailers and security vendors know that PCI compliance is a slippery concept in terms of determining who is, and is not, up to par. And the Hannaford breach--in which 4.2 million credit and debit card numbers were exposed even as the company's Web site states that it "has been certified as compliant" with PCI--demonstrates to the rest of the world just how fluid this concept really is.

Bottom line, PCI compliance is mutable. While a compliance certification is valid for one year, a retailer may perform actions, or fail to perform actions, that take it out of compliance. On the one hand, this is sensible. PCI rules are like the dietary guidelines a doctor issues to a patient. It's not the physician's fault if someone with through-the-roof cholesterol ignores advice and eats like Homer Simpson.

More here.

U.S. Toll in Iraq, Afghanistan


Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Friday, March 21, 2008, at least 3,993 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,253 died as a result of hostile action, according to the military's numbers.

The AP count is two more than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

As of Friday, March 21, 2008, at least 419 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures March 15 at 10 a.m. EST.

Of those, the military reports 287 were killed by hostile action.

More here and here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Connecticut Man Pleads Guilty to Spam and Phishing Charges

Via The U.S. Attorney's Office, District of Connecticut.

Kevin J. O’Connor, United States Attorney for the District of Connecticut, today announced that DANIEL MASCIA, 24, of West Haven, pleaded guilty yesterday, March 17, before United States Magistrate Judge Donna F. Martinez in Hartford to one count of conspiracy to commit fraud in connection with access devices and one count of fraud in connection with electronic mail. The charges relate to a “phishing” and “spamming” scheme that targeted AOL subscribers.

According to documents filed with the Court and statements made in court, MASCIA and his co-defendants conspired to “harvest” email addresses of AOL subscribers from the Internet. The defendants then spammed thousands of AOL subscribers with counterfeit emails purporting, for example, to convey an electronic greeting card. If an AOL subscriber attempted to view the greeting card, the subscriber’s computer would be infected with a software trojan preventing the subscriber from accessing AOL without entering information including the subscriber’s name, address, Social Security account number, credit card number, bank account number, and personal identification number. The defendants used the information to produce counterfeit debit cards, which they used at ATM machines, online, and at retail outlets to obtain money, goods, and services.

In pleading guilty, MASCIA admitted that, during a two-day period in January 2006, he sent thousands of fraudulent emails from his home to AOL subscribers.

MASCIA is scheduled to be sentenced on June 4, 2008, by United States District Judge Alvin W. Thompson in Hartford. On the charge of conspiring to commit fraud in connection with access devices, MASCIA faces a maximum term of imprisonment of seven and one-half years and a fine of up to $250,000. On the charge of committing fraud in connection with electronic mail, a law enacted as part of the CAN-SPAM Act of 2003, MASCIA faces a maximum term of imprisonment of five years and a fine of up to $250,000.

More here.

Note: Background here. -ferg

UK Government's Plans for Cyber-Crime 'Half-Baked'

Jonathan Richards writes on The Times Online:

The Government has severely underestimated the threat the country faces from cyber-crime and risks having its own networks breached by foreign spies if it doesn't devote more resources to the problem, the security industry has said.

The Prime Minister's new security strategy, outlined yesterday, didn't do nearly enough to address what security companies called the "shockingly low" awareness of cyber-crime among both businesses and individuals, according to security experts. They said the strategy also underplayed the threat posed by foreign governments intent on bringing down UK networks.

More here.

Passport Scandal Leads to Virginia Contractors

An NBC News "Deep Background" investigative article by Jim Popkin and Libby Leist, via MSNBC.com, reports that:

Two of the government contractors who accessed Sen. Barack Obama's passport records worked for a Virginia-based firm called Stanley, Inc., the company said in a statement. A third contractor who looked at passport information for Sen. Obama and Sen. John McCain worked for a company called The Analysis Corporation, the State Department said.

"Two Stanley subcontractor employees were involved in the unauthorized access of Senator Barack Obama's passport files," a Stanley, Inc., spokeswoman said. "In each of these instances the employee was terminated the day the unauthorized search occurred."

"While this is a rare occurrence, we regret the unauthorized access of any individual's private information," Stanley spokeswoman Joelle Pozza added.

Stanley, Inc., is headquartered in Arlington, Va. The State Department awarded it a contract for $164 million in 2006, to print and mail millions of new U.S. passports. Stanley announced on Monday that it was awarded an additional $570 million contract to "continue support of the U.S. Department of State, Bureau of Consular Affairs/Passport Services Directorate."

More here.

Thug Life: Anthony Pellicano Trial Reveals His Ways And Means

Andrew Murr writes on Newsweek.com:

With an office on Sunset Boulevard and a well-advertised baseball bat in his trunk, Anthony Pellicano honed a reputation as the gumshoe to the Hollywood stars. Over 20 years, the private eye cultivated a client list that ranged from Tinseltown A-listers like one-time superagent Mike Ovitz and actor Chris Rock to top divorce attorneys and business tycoons. He burnished an image as a high-tech audio surveillance whiz with an edge that was part Sicilian menace, part confidential servant to the showbiz elite.

But his federal trial on wiretapping, bribery and conspiracy charges, which opened earlier this month, is putting a major dent in that carefully nurtured image. The trial is exposing methods of intimidation more reminiscent of skid row than the silver screen—ranging from telephone threats to amateurish harassment of adversaries on the streets. His behavior with some clients seems equally bad, looking less like gallant Philip Marlowe and more like a grifter with money problems, willing to leech off vulnerable clients, such as a divorcing woman who forked over nearly $1 million to him, including her diamond-and-pearl earrings.

More here.

U.S. Air Force to Enlist AT&T For MPLS VPN

Doug Beizer writes on GCN.com:

An Air Force agency has tapped AT&T Inc. to supply it with a secure data network under a new four-year, $16.5 million contract.

The Air Force Services Agency provides a range of support programs, such as troop support, dining facilities, libraries and fitness centers.

AT&T will deploy a secure IP virtual private network that works with Multiprotocol Label Switching. The network will enable the Air Force to integrate all 107 locations, including 22 outside the United States, into a single, streamlined IP communications platform with consistent standards and capabilities.

AT&T’s network-based security will help the Air Force securely process millions of non-appropriated funds that are moved through the agency’s banking system daily, the company said.

More here.

Passport Records Breach Highlighted by Targets' Prominence

Jaikumar Vijayan writes on ComputerWorld:

It's largely because Sens. Barack Obama (D-Ill.), Hillary Clinton (D-N.Y.) and John McCain (R-Ariz.) are prominent public figures that the illegal access to their passport records by three contract workers at the U.S. Department of State has come to light.

If the same workers had decided to access the passport records of old girlfriends or were stalking less prominent people, chances are high that they might never have been caught, according to the Center for Democracy and Technology (CDT).

"There's clearly no privacy controls in place other than an alert that comes after the fact for well-known people," said Ari Schwartz, deputy director at the CDT, a Washington D.C-based rights advocacy group. "In my opinion, this sort of violation of the Privacy Act is happening all the time. We only find out about the celebrities and politicians."

More here.

Yahoo! and MSN Assisting China in Identifying Tibetan Rioters - UPDATE


Via IndyBay - South Bay Newswire.

Yahoo China pasted a "most wanted" poster across its homepage today in aid of the police's witch-hunt for 24 Tibetans accused of taking part in the recent riots. MSN China made the same move, although it didn't go as far as publishing the list on its homepage.

The "most wanted" poster has been published on several Chinese portals like Sina.com and news.qq.com. It reads "The Chinese police have issued a warrant for the arrest of suspected rioters in Tibet" and offers rewards for web users who are willing to help. Along with the text are photos of Tibetans taken during the riots. Of the 24 on the list, two have already been caught.

Yahoo's human rights values have been under fire since it was revealed that the company helped the Chinese police in its inquiry over the journalist Shi Tao, who had an email account with Yahoo. He was sentenced to ten years in prison in 2005 for "divulging state secrets". After that case, it was also found out that Yahoo had provided evidence against at least three other Chinese dissidents. Following the allegations, the company had to offer an explanation to the American congress. It defended itself by explaining that the management of its operational arm in China had been delegated to Alibaba.

More here.

Image source: IndyBay - South Bay Newswire

UPDATE: 22 March 2008, 15:11 PDT: Yahoo! states that it did not post this "wanted" list on their website properties in China. Details here. - ferg

Alabama: Two Sentenced for 'High-Tech' ATM Thefts

Val Walton writes in The Birmingham News:

A federal judge ordered a Birmingham woman who helped steal thousands of dollars from automatic teller machines to serve one month in prison instead of the 18-month prison term handed down earlier Thursday.

Prosecutors said James Real, 43, stole a database from Compass Bank that contained names, account numbers and customer passwords, while Laray Byrd, 29, bought a credit-card encoder and software to encode the information onto blank cards.

In a five-hour sentencing hearing, U.S. District Judge Virginia Hopkins varied from the sentence she first gave to Byrd, 29, after expressing a desire to give her a chance to continue working to take care of her two small children.

Hopkins ordered the ringleader, Real, a former computer programmer for Compass, to serve 42 months in prison for the bank fraud scheme that netted $32,740 from ATMs in Alabama, Mississippi, Georgia and Tennessee.

The investigation turned up more than 200 bogus debit-type cards and the recovery of at least a million stolen accounts.

More here.

Hat-tip: Pogo Was Right

Comcast's Creepy Experiment Puts Cams Inside DVRs to Watch You

Travis Hudson writes on Today @ PC World:

In a scene straight out of 1984, Comcast said it will begin placing actual cameras in DVR units to track data for who is watching the digital television.

This statement is so farfetched I almost don't believe it, but it came out of the mouth of Gerard Kunkel, the senior vice president of user experience for Comcast. At the Digital Living Room conference he said that Comcast is already experimenting with embedding cameras into DVR boxes that actually watch the television watchers. Big Brother, anyone?

Comcast is shilling this as a type of customization feature. The camera would be capable of recognizing specific individuals and therefore loading a user's favorite channels and on the other hand block certain content as well. Stop the schtick, Comcast. Nobody, and I mean nobody would ever voluntarily allow you to place a camera in a household, for any purpose. It's a shame that I can already imagine the headlines when Comcast does this involuntarily.

More here.

Passport Records of Clinton, McCain, Obama All Inappropriately Accessed

Via MSNBC.com.

The passport files of the three major presidential candidates have all been breached, officials said Friday.

Just hours after firing two contract employees and disciplining a third for inappropriately examining the passport file of Democratic presidential candidate Sen. Barack Obama, Secretary of State Condoleezza Rice told Sen. Hillary Rodham Clinton that her passport file was also breached in 2007.

NBC News also learned Friday that Sen. John McCain, the Republican candidate for president, had his file breached — this time by one of the same individuals who had examined Obama's records.

More here.

RFID Dust in The News Again: Clandestine Surveillance

(L) Hitachi's infamous mu chip, once heralded as the world's smallest RFID tag; (R) Hitachi's new "weaponized" RFID powder, which will be used and abused. It is 64 times smaller than the mu chip, measuring just 0.05 x 0.05 mm, but can still hold a unique 38-digit number.


Sharon Gaudin writes on ComputerWorld:

An employee looking to steal confidential information from his employer sneaks into what should be a secure back room after hours. He pulls charts and files from a top-level financial meeting and slides them into his briefcase before heading back out.

What the insider doesn't know is that his shoes picked up hundreds of tiny radio frequency identification (RFID) chips that had been scattered across the floor. As he passes by an RFID reader near the front door of his office building, security will be alerted that he had accessed a secure area. The evidence is all over the soles of his shoes.

Nox Defense, an arm of SimplyRFID Inc., said it has created an invisible perimeter-defense system designed to track things and people in real time -- all without their knowledge. The system is made up of several technological pieces -- RFID chips the size of grains of sand and an RFID and video camera surveillance system.

More here.

Image source: Pink Tentacle

Hat-tip: Danger Room

Clinton's Office Says Her Passport Files Also Breached

Via CNN.com.

Secretary of State Condoleezza Rice on Friday told Sen. Hillary Clinton that the security of her passport file was breached in 2007, according to Clinton's Senate official.

The revelation came shortly after Rice said she had apologized to Clinton's Democratic presidential rival Sen. Barack Obama for the unauthorized viewing of his passport file by contractors working for the State Department.

Two contractors were fired and a third was disciplined after they accessed Obama's file, State Department spokesman Sean McCormack said Thursday.

Rice told reporters on Friday that she had apologized to Obama and that the breaches would be investigated.

More here.

Thursday, March 20, 2008

Does The PCI Security Council Understand Security?

Ed Adams writes on StorefrontBacktalk:

The PCI Security Standards Council is made up of seemingly smart folks from the credit card brands and security industry. Unfortunately, this group of misfits is saddled with a myriad of competitive conflicts of interest and, worst of all, a complete misunderstanding of how to best protect card data and consumer identity.

The PCI DSS does an adequate job of defining audit procedures around policy, network segmentation, access controls, and perimeter defenses such as firewalls. It is woefully inadequate, however, in addressing the biggest risk to cardholder data: the application layer. Sure, there are some new requirements that are slated to take effect in June for web-facing applications, but those new requirements were rushed into the standard and obviously not well thought out.

More here.

Quote of The Day [2]: Me

"Imprudent Curiosity? Sorry, I don't buy it."

"And even if it was a case of 'Imprudent Curiosity', this isn't Britney Spears and UCLA Medical Staff we're talking about here -- this is, perhaps, the next President of The United States, and a 'trusted' organization led by Condoleezza Rice."

"Amazingly twisted trusted."

- Me. What a 'Charlie Foxtrot'.

U.S. State Dept to Olympic Tourists: Don’t Expect Privacy

Via China Digital Times.

The U.S. Department of State has just issued a fact sheet for travelers visiting China during the Olympics. The language is dry, but it covers everything from terrorism and protests to counterfeit goods and the occasional blocking of U.S. State Department web pages. It offers visitors some interesting advice both before going to China and once you’re there. For example:

PRIVACY & SAFETY: All visitors should be aware that they have no reasonable expectation of privacy in public or private locations. All hotel rooms and offices are considered to be subject to on-site or remote technical monitoring at all times. Hotel rooms, residences and offices may be accessed at any time without the occupant’s consent or knowledge. . . .


In other words, don’t be surprised if your room is bugged or searched.

More here.

FBI Opens Probe of Hackers In China

Ellen Nakashima and Colum Lynch write on The Washington Post:

The FBI has opened a preliminary investigation of a report that China-based hackers have penetrated the e-mail accounts of leaders and members of the Save Darfur Coalition, a national advocacy group pushing to end the six-year-old conflict in Sudan.

The accounts of 10 members were hacked into between early February and last week, and the intruders also gained access to the group's Web server and viewed pages from the inside, the group said yesterday.

The intruders, said coalition spokesman M. Allyn Brooks-LaSure, "seemed intent on subversively monitoring, probing and disrupting coalition activities." He said Web site logs and e-mails showed Internet protocol addresses that were traced to China.

The allegation fits a near decade-old pattern of cyber-espionage and cyber-intimidation by the Chinese government against critics of its human rights practices, experts said. It comes as calls for a boycott of the 2008 Beijing Olympics have been mounting since China's crackdown on Tibetan protesters last week.

More here.

More Hannaford Background: Victim of Breach Speaks

Via The Boston Globe.

A New Hampshire woman says that she was one of thousands of Hannaford Supermarkets customers who had their credit card numbers stolen.

The Portsmouth woman, who asked not to be identified, said Thursday she discovered foreign transaction fees and charges from Bulgaria on this month's credit card statement.

The charges totaled $1,500 and happened on March 3 and 4, about a week after her last visit to a Hannaford in Farmington.

More here.

Breaking: Breach of Obama's Passport Information Leads to Firings at U.S. State Dept. - UPDATE

Via MSNBC.com.

Two contract employees of the State Department were fired and a third person was disciplined for accessing passport records of Sen. Barack Obama "without a need to do so," State Department officials confirmed to NBC News.

The three people who had access to Obama's passport records were contract employees of the department's Bureau of Consular Affairs, NBC News has learned. The unauthorized activity concerning Obama's passport information occurred in January.

"A monitoring system was tripped when an employee accessed the records of a high-profile individual,” a department official told NBC News. "When the monitoring system is tripped, we immediately seek an explanation for the records access. If the explanation is not satisfactory, the supervisor is notified."

More here.

UPDATE: 19:02 PDT: Additional coverage in The Washington Times here. -ferg

Russia: Government Computers Face Anti-Espionage Restrictions

Matt Siegel writes on The Moscow Times:

President Vladimir Putin has signed a pair of executive orders designed to protect secrets carried on government computer networks from sabotage by insiders by restricting connections between international and domestic computer networks.

The measures, signed Wednesday, restrict the ability of computers with access to "state or official secrets" to connect with networks that travel outside of the country, a move welcomed by computer security analysts.

Alexander Gostev, senior virus analyst at Kaspersky Computer Security in Moscow, praised the law, which he said contained the type of measures his company would recommend to its own clients.

"Filters might solve the problem of attacks from outside hackers but not the problems posed by insiders," Gostev said.

More here.

Note: The U.S. Government would be wise to implement a similar policy. -ferg

No Surprises Here: San Francisco Video Cameras Don't Deter Crime

Heather Knight writes on The San Francisco Chronicle:

A new UC Berkeley study of San Francisco's 68 security cameras appears to indicate what many city officials have long suspected: The controversial devices perched at the city's roughest street corners don't have much of an effect on violent crime.

The researchers examined 59,706 crimes occurring within 1,000 feet of the cameras between Jan. 1, 2005 and Jan. 28, 2008. While homicides within 250 feet of the cameras were down, they spiked in the areas 250 to 500 feet from the cameras - indicating people just moved down the street to kill each other.

Other violent crimes had no change. The cameras' only positive effect appears to be the 22 percent drop in property crime within 100 feet of the cameras, though people broke into cars parked near the cameras at the same rate as they did before the cameras were installed, according to the study released today.

More here.

Quote of The Day: Ed Felten

"The bottom line is clear. An investigation is needed — an independent investigation, done by someone not chosen by Sequoia, not paid by Sequoia, and not reporting to Sequoia."

- Ed Felten, writing on "Freedom to Tinker".

UK Security Threat From Cyber Crime

Christopher Hope writes on The Telegraph.co.uk:

Last September it emerged that up to 10 Whitehall departments are being regularly targeted by computer hackers from countries such as China and Russia who want to find out state secrets.

Hackers from China’s People’s Liberation Army were said to have attacked the IT systems of the Foreign Office and other government departments.

Beijing is reported to be engaged in a battle to achieve “electronic dominance” over each of its global rivals by 2050, particularly the US, Britain, Russia and South Korea.

The strategy says that Britain “does remain subject to high levels of non-military activity by foreign intelligence organisations.

“A number of countries continue to devote considerable time and energy trying to obtain political and economic intelligence.”

More here.

Hannaford Breach Raises New Fears

An AP newswire article, via CNBC.com, reports that:

At first, it sounded like another in a long line of credit card breaches: Up to 4.2 million account numbers were stolen by thieves who cracked computers at Hannaford Bros. Co., an Eastern supermarket chain.

But the specifics of the crime, revealed this week, included some troubling twists that might expose big holes in the payment industry's security standards.

For one thing, Hannaford said this sensitive data were exposed when shoppers swiped their cards at checkout line machines and the information was transmitted to banks for approval.

While thieves have commonly pilfered payment card data sitting in databases maintained by merchants or card processors, the Hannaford episode appears to represent a new line of attack: the first large-scale piracy of card data while the information was in transit.

More here.

Proposed NY Law Would Limit the Tracking of Web Surfers’ Clicks

Louise Story writes in The New York Times:

After reading about how Internet companies like Google, Microsoft and Yahoo collect information about people online and use it for targeted advertising, one New York assemblyman said there ought to be a law.

So he drafted a bill, now gathering support in Albany, that would make it a crime — punishable by a fine to be determined — for certain Web companies to use personal information about consumers for advertising without their consent.

And because it would be extraordinarily difficult for the companies that collect such data to adhere to stricter rules for people in New York alone, these companies would probably have to adjust their rules everywhere, effectively turning the New York legislation into national law.

More here.

Cyber-Crime Cops Attempt To Get Organized


Via Technovelgy.com.

The Strategic Alliance Cyber Crime Working Group is a special task force of international cyber cops; they met in London this month to fight cyber crime.

The global law enforcement community has been building operational partnerships as the need arose; this is just the latest initiative to share intelligence. The group was first formed in 2006.

Some of their activities and accomplishments:

  • Collectively developed a comprehensive overview of the transnational cyber threat—including current and emerging trends, vulnerabilities, and strategic initiatives for the working group to pursue (note: the report is available only to law enforcement);
  • Set up a special area on Law Enforcement Online, the FBI’s secure Internet portal, to share information and intelligence;
  • Launched a series of information bulletins on emerging threats and trends (for example, we drafted a bulletin recently describing how peer-to-peer, or P2P, file sharing programs can inadvertently leak vast amounts of sensitive national security, financial, medical, and other information);
  • Began exploring an exchange of cyber experts to serve on joint international task forces and to learn each other’s investigative techniques firsthand; and
  • Shared training curriculums and provided targeted training to international cyber professionals.

The group will meet in a three-day conference this May; this meeting will be hosted by the FBI.

The cyber-cops are going to have to work hard to keep up; cyber thieves are sharpening their knives and using the Internet to distribute tools.

More here.

Image source: FBI.gov

Pro-Tibet Groups Bombarded With Abusive Calls, Viruses

An AFP newswire article, via NASDAQ.com, reports that:

Pro-Tibet activists said Wednesday they have been bombarded with abusive phone calls and virus emails as they try to contact witnesses in Tibet and nearby amid a clampdown following anti-Chinese riots.

Matt Whitticase, from the Free Tibet Campaign, said he had received calls every two minutes from 4:00 am to 7:00 am Tuesday in London to his mobile number and also at his work number.

"Of course I have no way of saying who the calls were from, but a variety of callers (from British mobile numbers) had Chinese accents," he said in an email.

"The content was crude, abusive and highly anti-Tibetan in nature. The calls also contained the sort of patriotic Chinese music you used to hear on Chinese trains and in public places.

"It seemed that the intention was to stop me from working and from making calls."

Lhadon Tethong, director of Students for a Free Tibet, told AFP that their New York office had also received abusive calls from people speaking Chinese, and added that they had received viruses via email.

"We are getting virus attacks that are just shameless...claiming to be desperate people inside Tibet. The emails are well-written and emotional, pleading for us to open the images," she told AFP.

Tashi Choephel, a researcher at the India-based Tibetan Center for Human Rights and Democracy, said their email system was unusable because of attacks.

More here.

Lasell College Says Hacker Accessed Personal Data

Via The Boston Globe.

Lasell College says a hacker accessed data containing personal information on about 20,000 current and former students, faculty, staff and alumni.

The college told The Boston Globe on Wednesday it has no evidence that the information, which included names and Social Security numbers, has been misused. But it has sent an e-mail notice to the people who may be affected.

College officials say they discovered the breach on Feb. 6 and notified law enforcement and officials in the states where those affected live. Lasell says the hacker is believed to be an employee.

More here.

Microsoft Buys Rootkit Detection Startup

Ryan Naraine writes on eWeek:

Looking to beef up the anti-malware protection capabilities in its enterprise and consumer security products, Microsoft has inked a deal to acquire Komoku Inc., a U.S. government-funded startup that specializes in finding malicious rootkits.

Financial terms of the deal were not released.

Komoku, of College Park, Md., took in about $2.5 million in funding from DARPA, the Department of Homeland Security and the U.S. Navy to build out a suite of hardware and software-based anti-rootkit products.

The hardware-based product, called CoPilot, is a high-assurance PCI card capable of monitoring the host's memory and file system at the hardware level. It is specifically geared toward high-security servers and computers. On the software side, Komoku's Gamma is aimed at businesses looking for a low-assurance utility to pinpoint operating system abnormalities that may be linked to malicious rootkit activity.

More here.

EFF Urges Court to Rule National Security Letters Unconstitutional

Via The EFF.

The Electronic Frontier Foundation (EFF) along with the National Security Archive urged a federal appeals court Wednesday to strike down the National Security Letter (NSL) provision of the Electronic Communications Privacy Act.

The federal surveillance law, as expanded by the PATRIOT Act, allows the FBI to use NSLs to get private records about people's communications without any court approval, as long as it claims the information could be relevant to a terrorism or espionage investigation. The FBI also has broad discretion to place recipients of NSLs under indefinite gag orders, barring them from saying anything about the demands.

A federal judge has already found that the NSL statute is unconstitutional, but the government appealed the ruling. In an amicus brief filed Wednesday, EFF and the National Security Archive argue that the excessive secrecy surrounding the use of NSLs undermines government accountability and enables widespread misuse of authority.

More here.

Vietnam: 95% of PCs Infected With Malware

Kelly Jackson Higgins writes on Dark Reading:

Is Vietnam the next haven for cybercrime? The country is apparently facing a major Internet security crisis, with some 95% of its PCs infected with viruses and 40% of its stock brokerages vulnerable to attack, according to officials there.

Officials from Vietnam’s Public Security Ministry told attendees at a security conference held there this week that security and data protection are at risk due to limited investment and spending on IT and security, as well as a lack of awareness among users of Internet security threats, according to the People’s Daily Online.

“The risk of data and network security breaches is at an alarming rate. According to reports of BKIS (a leading local network security center in Vietnam) and VNCERT (Vietnam Computer Emergency Response Team) under the country’s Ministry of Information and Communications, in 2007, some 25 percent of major Vietnamese Websites are vulnerable to hackers’ attacks, and 95 percent of personal computers were infected with viruses,” said Dang Van Hieu, deputy minister of public security at the conference.

More here.

Sequoia's Website Targeted by Hackers

Elizabeth Montalbano writes on InfoWorld:

The Web site for a company whose e-voting machines have come under fire from election officials in New Jersey was hacked Thursday morning, according to a computer scientist who was asked to investigate voting-machine discrepancies in the state's primary election.

The "Ballot Blog" portion of the Sequoia Voting Systems Web site had no content early Thursday afternoon Eastern Standard Time (EST), and earlier in the day, there were messages on the page that it had been hacked, Princeton computer science professor Edward Felten told the IDG News Service Thursday. Felten, a critic of e-voting systems, had been asked by a group representing New Jersey county clerks to examine Sequoia machines used in a Feb. 5 New Jersey presidential primary election.

More here.

Adding Insult to Injury: Consumers Get Tangled In Terrorist Watchlist

Ellen Nakashima writes in The Washington Post:

One man went into a Glen Burnie, Md., Toyota dealership to buy a car, only to be told that a name check revealed he was on a U.S. Treasury Department watchlist of suspected terrorists and drug dealers. He had to be "checked for tattoos," he said, to make sure he wasn't the suspect.

An 18-year-old found he could not open an account to accept credit card payments for his fledgling technology consulting business because his name was similar to that of a Libyan official on the watchlist.

A former U.S. Navy officer who served in the Persian Gulf and whose father was killed in the Korean War when he was a child, found himself locked out of his PayPal account because his name was similar to one on the watchlist.

More American consumers have gotten caught up in a special brand of watchlist purgatory because their names are similar to ones on OFAC's list of "specially designated nationals," according to e-mails and other documents released under court order yesterday. By law, businesses are barred from conducting transactions with anyone on the list. Yesterday's court-ordered release of documents to the Lawyers Committee for Civil Rights of the San Francisco Bay Area offers a window into the kinds of disruptions suffered by those ensnared in the process, as well as the difficulty of clearing their names.

More here.

FBI Posts Fake Hyperlinks to Snare Child Porn Suspects - UPDATE

Declan McCullagh writes on the C|Net "The Iconoclast" Blog:

The FBI has recently adopted a novel investigative technique: posting hyperlinks that purport to be illegal videos of minors having sex, and then raiding the homes of anyone willing to click on them.

Undercover FBI agents used this hyperlink-enticement technique, which directed Internet users to a clandestine government server, to stage armed raids of homes in Pennsylvania, New York, and Nevada last year. The supposed video files actually were gibberish and contained no illegal images.

A CNET News.com review of legal documents shows that courts have approved of this technique, even though it raises questions about entrapment, the problems of identifying who's using an open wireless connection--and whether anyone who clicks on an FBI link that contains no child pornography should be automatically subject to a dawn raid by federal police.

More here.

UPDATE: 24 March 2008, 19:31 PDT: Why is this important? See "Click A Link, Go To Jail". -ferg

Sequoia Blocks e-Voting Security Audit With Legal Threats

Ryan Paul writes on ARS Technica:

New Jersey election officials have scrapped plans for an independent audit of Union County voting machines because the vendor, Sequoia Voting Systems, says that unauthorized third-party security reviews would violate the county's license agreement.

Sequoia threatened the county with legal action when it learned that election officials were planning to send the machines to a respected Princeton University computer scientist for analysis.

More here.

Wednesday, March 19, 2008

Late Night Flashback: The Verve - Lucky Man

Enjoy.

- ferg

In Passing: Ivan Dixon

Ivan Dixon
April 6, 1931 - March 16, 2008

U.S. Toll in Iraq

Via The Boston Globe (AP).

As of Wednesday, March 19, 2008, at least 3,992 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,251 died as a result of hostile action, according to the military's numbers.

The AP count is four more than the Defense Department's tally, last updated Wednesday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Google 'May' Share User Info With U.S. Government

Via ZDNet.co.uk.

During his flying visit to Sydney, ZDNet.com.au asked Schmidt whether, if Google was sharing information with the US government, the company would admit to it.

"That's a good question," Schmidt said. "The US government has attempted to get us to give them information and we have a very strong legal system in the US — as you do — and that legal system is really important, in terms of limiting random explorations by governments."

"The technical answer is that we do not collaborate with governments unless they are following their normal course of business; they have to actually follow all of their procedures. In that case, if that were occurring, they would have had to follow all of their procedures."

More here.

The Insecure Internet: The Turducken Problem

Sean Michael Kerner writes on internetnews.com:

Douglas Crockford, the creator of JSON (JavaScript Object Notation) and a senior JavaScript Architect at Yahoo is convinced that the Web is broken.

During a keynote at the AjaxWorld conference here, Crockford launched a polemic against the Web as it exists today.

"The question is not should we fix the Web but can we," Crockford asked the crowded conference room. "The browser was not state of the art when it was introduced. It was intended as a document presentation platform and is not intended for applications."

Crockford argued that browsers were not designed to do 'all of this Ajax stuff' and that the fact that Ajax works is because people found ways to do Ajax in spite of the limitations. That said, he noted that Ajax development is unnecessarily difficult today and it has a major problem.

More here.

Schneier: Inside the Twisted Mind of the Security Professional

Bruce Schneier writes on Wired News:

Security requires a particular mindset. Security professionals -- at least the good ones -- see the world differently. They can't walk into a store without noticing how they might shoplift. They can't use a computer without wondering about the security vulnerabilities. They can't vote without trying to figure out how to vote twice.

They just can't help it.

More here.

New FBI Washington Intelligence Head Named

Via UPI.

The director of the Federal Bureau of Investigation has named a new special agent in charge of intelligence for the Washington field office.

FBI Director Robert Mueller announced Michelle Jupina has been appointed to the intelligence post replacing Timothy Healy, who officials say has been named the new deputy assistant director of the Directorate of Intelligence at FBI headquarters, the FBI reported.

As SAC of Intelligence in Washington, Jupina will oversee the intelligence division's operations in Washington. Jupina has a long history of intelligence work including working on investigations in cyber, white-collar crime, criminal and counterintelligence matters.

More here.

More Anti-Terror Idiocy: U.S. Terror List Eyes Venezuela

Carmen Gentile writes for UPI:

Two U.S. representatives from Florida introduced legislation seeking to designate Venezuela a state sponsor of terror, a move that could hurt the country's oil sector and U.S. relations in the region.

Ileana Ros-Lehtinen and Connie Mack, both Republicans, made their request amid allegations Venezuela pledged $300 million in funding to Colombia's leading leftist rebel group, the Revolutionary Armed Forces of Colombia, or FARC.

A recent memo released by the lawmakers to the media also notes Venezuela's expressed "willingness to cooperate" with Iran on proposed joint nuclear-energy projects. Iran is already on the U.S. State Department's list of state sponsors of terrorism. Other members are Cuba and North Korea.

More here.

White House Taps Tech Entrepreneur For Cyber Defense Post

Brian Krebs writes in The Washington Post:

The Bush administration is planning to tap a Silicon Valley entrepreneur to head a new inter-agency group charged with coordinating the federal government's efforts to protect its computer networks from organized cyber attacks.

Sources in the government contracting community said the White House is expected to announce as early as Thursday the selection of Rod A. Beckstrom as a top-level adviser based in the Department of Homeland Security. Beckstrom is an author and entrepreneur best known for starting Twiki.net, a company that provides collaboration software for businesses.

The new inter-agency group, which will coordinate information sharing about cyber attacks aimed at government networks, is being created as part of a government-wide "cyber initiative" spelled out in a national security directive signed in January by President Bush, according to the sources, who asked to remain anonymous because they did not have permission to talk publicly about the information.

More here.

Consumers of Hannaford Brothers Co. Supermarkets File Class Action Suit

Via PRNewswire.

On March 19, 2008, the law firm of Berger & Montague, PC filed a class action suit in the U.S. District Court for the District of Maine on behalf of all consumers in the United States whose credit card or debit card data was stolen from the computer network of Hannaford Brothers Co. ("Hannaford") supermarkets.

The complaint alleges that Hannaford was negligent for failing to maintain adequate computer data security of customer credit and debit card data, which was accessed and stolen by a computer hacker.

More here.

Hat-tip: FIRST.org Global Security News

Five Years In: 150 Arrested in San Francisco Anti-War Protests

Via The San Francisco Chronicle.

Protesters briefly clashed with San Francisco police several times today as officers tried to clear Market Street of hundreds of demonstrators marking the fifth anniversary of the start of the Iraq war.

About 150 people had been arrested by mid-afternoon in incidents at several downtown locations.

One scuffle took place after about two dozen demonstrators staged a "die-in" in the intersection of Market and New Montgomery streets about 12:15 p.m. and were surrounded by 80 police officers in riot gear. After more than two hours of protests - and about 100 arrests - authorities finally cleared the intersection and reopened Market Street to traffic at 2:30 p.m.

More here.

Image source: Kurt Rogers / San Francisco Chronicle

Insecure Branch Servers Suspect in Hannaford Breach

Robert Vamosi writes on the C|Net "D3F3NS3 1N D3PTH" Blog:

Details remain sketchy regarding Monday's announcement of 4.2 million credit card and debit cards exposed at a Maine-based supermarket chain. However, public comments made by Ronald Hodge, CEO of Hannaford Supermarkets, suggest that even with recent improvements in payment card transaction security, there may be holes.

The standards organization, PCI Security Standards International, was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. In October 2007, they implemented the PCI Data Security Standard (PCI DSS), which includes, among other things, network specifications. Dr. Neal Krawetz of Hacker Factor Solutions said that PCI DSS allows for the storage of card numbers and expiration dates on a branch server. And that's what may have been compromised in this case.

More here.

Next Hacker Target: Wells Fargo's 'Online Vaults'

An AP newswire article by Michael Liedtke, via The Star Tribune, reports that:

Recognizing not all banking customers want a safe deposit box, Wells Fargo & Co. plans to sell online vaults as a secure and convenient alternative for storing vital records.

When the service rolls out this summer, Wells Fargo believes it will be the first major U.S. bank to offer an Internet alternative to the safe deposit boxes that have been an industry staple for decades.

Because it can't store jewelry, cash and many other precious assets, Wells Fargo's online version isn't likely to replace the traditional safe deposit box. It's more likely to replace shoe boxes and home filing cabinets, said Jim Smith, who oversees the bank's Internet products.

More here.

Pennsylvania Pulls Plug on Voter Site After Data Leak

Robert McMillan writes on InfoWorld:

With voting in Pennsylvania's presidential primary just a month away, the state was forced to pull the plug on a voter registration Web site Tuesday after it was found to be exposing sensitive data about voters in the state.

The problem lay in an online voter registration application form that was designed to simplify the task of registering to vote. State residents used it to enter their information on the Web site, which then generated a printable form that could be mailed to state election officials. Pennsylvania's Department of State disabled the registration form late Tuesday after being informed of the vulnerability by IDG News Service.

Because of a Web programming error, the Web site was allowing anyone on the Internet to view the forms, which contained data such as the voter's name, date of birth, driver's license number, and political party affiliation. On some forms, the last four digits of Social Security numbers could also be seen.

More here.

DOE IG: Energy's Websites Lack Security

Wade-Hahn Chan writes on FCW.com:

Visitors to Energy Department Web sites should not be redirected to pornography, the department’s Inspector General’s Office said in a report.

But that has happened, the oversight office found. DOE sites suffered 60 security incidents on public servers in the past three years, with some 22 incidents occurring in the past year, the report states.

More than half of those attacks resulted in defaced home pages, including the changing of the home page of Brookhaven National Laboratory’s Web site to route visitors to pornographic links.

The IG report also found that some sites had lax controls on publicly accessible information, resulting in eight incidents in which personally identifiable information was exposed. It noted that some of the sites did not meet National Institute of Standards and Technology standards for securing public Web servers.

More here.

States Hand Over the DNA of Newborns to DHS

Via Personal Health Information Privacy.

Unknown to most new parents, or those who became parents in the last ten or so years, DNA of newborns has been harvested, tested, stored and experimented with by all 50 states. And all 50 states are now routinely providing these results to the Homeland Security Department.

No doubt we can all see the benefits in testing for genetic disorders or genetic traits and tendencies that could be more adequately dealt with, in some cases actually deterring the onset of life-time illness, but that seems not to be the real thrust of these programs. It may have been initially...but not now.

As with all good things, there are always those who seek the more evil path, in essence turning what should have been a life saving tool, a preventative measure into something insidious and inhumane. This is what has happened to this national effort.

More here.

Help Wanted: Why Can't Bush Fill Two Top Terror Jobs? - UPDATE

Michael Isikoff and Mark Hosenball write on Newsweek.com:

The Bush administration has been rebuffed in its efforts to find a high-profile candidate to fill the top White House counterterrorism post.

The failure to find a successor to Frances Fragos Townsend, who resigned last January as assistant to the president for homeland security and counterterrorism, has frustrated White House aides, given the significance the Bush administration has attached to the job. The position involves coordinating antiterrorism and homeland security efforts throughout the government and chairing the Homeland Security Council, a domestic counterpart to the National Security Council that President Bush created after the September 11 attacks.

More here.

UPDATE: 14:32 PDT: The Associated Press reports that one of these positions has now been filled. And as this Reuters article points out, he has a "wiretap background." -ferg

UK Police Chief: Cyber Crime Is Everywhere

Nick Heath writes on silicon.com:

The head of e-crime for the Serious Organised Crime Agency (SOCA), Sharon Lemon, has warned e-crime is so widespread it now plays a role in nearly every criminal investigation.

Lemon said that with computers widely used by criminals it was essential for each of the UK's 43 police forces to be able to tackle e-crime.

She said: "It needs more awareness and in the year 2008 e-crime is not a specialist crime anymore, it is something that is spreading out to take in all of organised crime.

"These people find each other over the internet, they use encryption to protect their data. It is about making sure that everybody in law enforcement understands that e-crime is part of their daily business."

Lemon warned that the internet was fuelling a rise in global credit card fraud and that the UK and the US were the targets.

More here.

UK Citizens Don't Trust Government With Personal Data

Via Computerworld UK.

Nine out of 10 adults in the UK don't trust the government with their personal data, an online survey has revealed.

Yet the survey of over 1,000 people, conducted by IT security supplier Data Encryption Systems (DES), found that 74 percent were willing to share personal information with banks, employers and friends.

The level of trust in the government, at 10 percent, is just one percentage point higher than trust in online retailers.

More here.

Russia: Super Spy Agency in the Works

Matt Siegel writes in The Moscow Times:

The government is close to creating a centralized body along the lines of the FBI in the United States, as part of a major restructuring of the investigative departments of multiple state security and law enforcement agencies, a report said Tuesday.

The new Federal Investigative Service, or FSR, will absorb the investigative arms of the so-called power agencies -- a plan with a long history -- to streamline the chaotic and often counterproductive process of conducting multiple criminal investigations, RBK Daily reported.

"The decision to create the FSR was simply settled and passed down after the presidential elections," an Interior Ministry source told the newspaper. "The remaining organizational details will be finalized in the summer, and the new agency will emerge by September."

The idea has been bandied about for nearly a decade, since at least 1999, when Dmitry Kozak, then a member of the presidential administration, proposed similar reforms. At present, many bodies within the security apparatus maintain their own investigators, creating friction and conflicts of interest.

Some of the agencies reportedly being brought into the new body are the Investigative Committee of the Interior Ministry, the Federal Security Service and the Federal Drug Control Service.

The FSB, Prosecutor General's Office and the Investigative Committee all refused to comment for this article.

More here.

Hat-tip: Michael Tanji

Botnet Farmers Play the International Exchange Game

John Leyden writes on Channel Register:

Spyware authors are prepared to pay botnet farmers or webmasters much more for infecting PCs in the UK or Australia than machines in continental Europe.

Selling "installs" is a common practice in the cyber-underworld, the most notable example being in 2005 when Jeanson Ancheta was arrested for building a 400,000-strong botnet and installing adware from 180 solutions for a fee of $60,000. Cybercriminals have since moved on to installing spyware onto compromised machines.

The income that can be earned grows with the number of installs, and varies based on the geographical location of an installation. For example, installing spyware on 1,000 machines in Australia earns $100 but only $50 in the US, and a measly $3 in Asia. A sample price list obtained by net security services firm sheds fresh light on the phenomenon.

More here.

Tuesday, March 18, 2008

Arizona County Accused of Ballot Breach

Andrea Kelly writes on The Arizona Daily Star:

The Arizona secretary of state says Pima County has been allowing a "fundamental security breach" by letting party officials take home ballots during required testing before elections.

Recent testimony at the Legislature from Libertarian and Democratic party representatives indicated ballots were taken "off-site" by the parties during "logic and accuracy" testing of vote-counting machines, Secretary of State Jan Brewer told Pima County Board of Supervisors Chairman Richard Elías in a letter Monday.

More here.