Friday, April 04, 2008

U.S. State Dept. 'Replaces' Top Passport Official

Via MSNBC.com.

Two weeks after it was revealed that State Department employees were found snooping on five different occasions in the passport files of all three Presidential candidates, a State Department official tells NBC that the top official for Passport Services is being replaced.

The department intends to name a new acting Deputy Assistant Secretary of State for Passport Services to replace Ann Barrett who will be stepping aside.

The official declined to offer an explanation as to why Barrett is being replaced, but the timing comes in the midst of a State Department Inspector General investigation into the passport breaches.

The individual set to take over as acting Deputy Assistant Secretary is Lawrence Baer. State Department phone records indicate Baer is currently in a management position in the Consular Affairs bureau.

More here.

Hat-tip: Pogo Was Right

Canada: Human Rights Commission Accused of Hijacking Woman's Wireless Internet to Log on to Hate Sites

Via CBC.ca.

A complaint to police alleges that federal human-rights investigators used an unwitting woman's wireless Internet connection to log on to white supremacist websites and make postings to chat groups.

The complaint to the RCMP and Ottawa police was made this week by Toronto resident Mark Lemire, who runs a website that has been the subject of a long-standing hate case before the Canadian Human Rights Commission.

Among other things, Lemire's complaint alleges that commission investigators breached sections of the Criminal Code by "wilfully and with malicious intent" using the woman's connection without authorization and "committed theft of telecommunication service."

The sections makes it an offence to wilfully interfere with the lawful use of data, fraudulently obtain a computer service, or fraudulently use any telecommunication facility or telecommunication service.

More here.

Hat-tip: Flying Hamster

U.S. Toll in Iraq, Afghanistan


Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Friday, April 4, 2008, at least 4,012 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,273 died as a result of hostile action, according to the military's numbers.

The AP count is the same as the Defense Department's tally, last updated Friday at 10 a.m. EDT.

As of Friday, April 4, 2008, at least 422 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures March 29 at 10 a.m. EDT.

Of those, the military reports 289 were killed by hostile action.

More here and here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Companies Struggle As Safari Pops Up on Networks

Robert McMillan writes on CIO.com:

Network administrators are complaining that Apple's recent decision to offer users its Safari Web browser as part of an iTunes and QuickTime update has made their lives harder, as they struggle to remove the software from PCs on their networks.

For Cody Wilson, the trouble began a few weeks ago, when he noticed that Safari had popped up as a download option with his Apple Software Update, the program that is used to update iTunes and QuickTime.

Wilson, a network administrator with Soy Capital Bank and Trust in Decatur, Illinois, soon found out that many of the users on his network had installed the software without realizing it. "I went into work the next day and I scanned my network, and my inventory software said I have Safari on 30 PCs," he said.

More here.

Clueless: Most Pentagon Cyber Attackers Lone Hackers

Via UPI.

The preponderance of cyberattacks against the U.S. military still comes from individual hackers, not nation-states, a senior defense official said.

Robert Lentz, deputy assistant secretary for information and identity assurance at the Pentagon, spoke this week to a federal computer security conference in Washington.

His comments on challenges facing the Defense Department in the Information Age were reported by Government Technology news.

Despite the rising threat of attempted intrusions and other attacks from potential nation-state adversaries, Lentz told the FOSE conference, it was hard to ascertain the origin of most attacks against the Department of Defense, which he called the "No. 1 target" among U.S. government agencies.

Nonetheless, individual "hackers are still the preponderance of network issues seen day to day," he said.

More here.

Note: I personally think Mr. Lentz is either (a) woefully underestimating the situation, (b) has been given partial or incorrect information, (c) is politically spinning the situation, or perhaps (d) is in denial. -ferg

Failure to Patch Flaw Exposes Data on 60,000 at Antioch

Jaikumar Vijayan writes on ComputerWorld:

Windows systems may be the most frequently attacked by malicious hackers, but they certainly are not the only targets.

Serving as the latest reminder of that fact is Antioch University in Yellow Springs, Ohio, which recently disclosed that Social Security numbers and other personal data belonging to more than 60,000 students, former students and employees may have been compromised by multiple intrusions into its main ERP server.

The break-ins were discovered Feb. 13 and involved a Sun Solaris server that had not been patched against a previously disclosed FTP vulnerability, even though a fix was available for the flaw at the time of the breach, university CIO William Marshall said today.

More here.

FBI Keeping Close Tabs on Sentinel

Alice Lipowicz writes on Washington Technology:

The FBI is on track to deploy the second phase of its Sentinel case file management system within weeks, said FBI Director Robert Mueller.

Lockheed Martin Corp. is developing Sentinel under a six-year contract for $335 million, Muller said. Full costs may be as high as $425 million, however, because the FBI is using a spiral-development strategy allowing for incremental changes and adjustments to new technologies along the way, he said.

Mueller said the FBI is satisfied with the Phase One products developed thus far, including a Web-based portal and work boxes that summarize cases and leads. But the products are likely to be used more frequently by FBI employees once Phase Two is implemented, he said.

Full capabilities are expected to be available by 2010. But the FBI also may develop some phases more quickly than expected through the use of spiral development and push those improvements out to the field.

More here.

Legal Questions Surround Surreptitious DNA Gathering

Amy Harmon writes on The New York Times:

The two Sacramento sheriff detectives tailed their suspect, Rolando Gallego, at a distance. They did not have a court order to compel him to give a DNA sample, but their assignment was to get one anyway — without his knowledge.

Recently, the sheriff’s cold case unit had extracted a DNA profile from blood on a towel found 15 years earlier at the scene of the murder of Mr. Gallego’s aunt. If his DNA matched, they believed they would finally be able to close the case.

On that spring day in 2006, the detectives watched as Mr. Gallego lit a cigarette, smoked it and threw away the butt. That was all they needed.

The practice, known among law enforcement officials as “surreptitious sampling,” is growing in popularity even as defense lawyers and civil liberties advocates argue that it violates a constitutional right to privacy. Mr. Gallego’s trial on murder charges, scheduled for next month, is the latest of several in which the defense argues that the police circumvented the Fourth Amendment protection against unreasonable search and seizure.

More here.

Hat-tip: Privacy.org

Random Search Stops $600 Million In Trade Secrets Bound For China

Thomas Claburn writes on InformationWeek:

A former software engineer for a telecommunications company based near Chicago was indicted for allegedly stealing trade secrets worth an estimated $600 million and trying to take the documents to China.

The FBI said Wednesday that Hanjuan Jin of Schaumburg, Ill., a naturalized U.S. citizen who was born in China, was stopped at Chicago's O'Hare International Airport on Feb. 28, 2007, in a random search.

According to an affidavit filed by FBI special agent Michael R. Diekmann, Jin was traveling on a one-way ticket to Beijing at the time. She declared that she had $10,000 in U.S. currency in her carry-on luggage. Customs and Border Protection officers found about $30,000 in cash.

More here.

Thursday, April 03, 2008

xkcd: Venting Your Blog Spleen


Click for larger image.

We simply love xkcd.

- ferg

Navajo Nation to Lose Internet Signal

An AP newswire article by Felicia Fonseca, via Salon.com, reports that:

The thousands of Navajo Nation residents who rely on the Internet to work, study and communicate across their 27,000-square-mile reservation will be out of luck Monday, if their service provider is shuttered as planned.

"It's going to be a sad day," said Ernest Franklin, director of the tribe's Telecommunications Regulatory Commission.

A tribal audit last year revealed that Utah-based provider OnSat Network Communications Inc. may have double-billed the tribe, and it raised questions about how the tribe requested bids for the Internet contract.

Those discoveries led the Universal Service Administration Co., which administers the service under the Federal Communications Commission's E-rate program, to tell the tribe March 28 that it would withhold $2.1 million from OnSat.

More here.

U.S. Toll in Iraq


Via The Boston Globe (AP).

As of Thursday, April 3, 2008, at least 4,012 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,272 died as a result of hostile action, according to the military's numbers.

The AP count is one more the Defense Department's tally, last updated Thursday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Mark Fiore: McCain Iraq 2008



More Mark Fiore brilliance.

Via The San Francisco Chronicle.

Enjoy.

- ferg

419 Watch: Nigerian 'Yahoo Boys' Rounded Up By Crimes Commission

Gary Warner writes on Cyber Crime & Doing Time:


Cyber Cafes in Akure in the state of Ondo, and Onitsha, in the state of Anambra were raided today. The locals have a term for the type of cyber criminal who lurks in these cafes. They call them "Yahoo Boys".

In Akure, agents of the EFCC (Economic and Financial Crimes Commission), acting as customers, mingled about the crowd, bought airtime, and began using computers themselves while observing the activities of those around them. Once their suspicions were confirmed, they rose and identified themselves, requiring each of the users of the cafe to remain on site until they had confirmed what email addresses they had been using, and what activities those email addresses had been performing.

"This Day" in Lagos reports that at least one Yahoo Man jumped out the window when the raid began. This Day reports that the following day the cyber cafes were nearly empty, "leaving only those with serious business".

More here.

From New Zealand to The UK: Banking Customers On The Hook For Out-of-Date Software

Via OUT-LAW.com.

The banking industry has re-affirmed a policy that makes online banking customers responsible for losses if they have out of date anti-virus or anti-phishing protection. New Banking Codes for consumers and businesses took effect on Monday.

The Banking Code produced by the British Bankers' Association (BBA), and followed by most banks, makes it clear that banks will not be responsible for losses on online bank accounts if consumers do not have up to date anti-virus, anti-spyware and firewall software installed on their machines.

"If you act without reasonable care, and this causes losses, you may be responsible for them," says the Code. "This may apply, for example, if you do not follow section 12.5 or 12.9."

Section 12.9 says: "Keep your PC secure. Use up-to-date anti-virus and spyware software and a personal firewall."

The BBA said that it was not aware that any bank had ever invoked that clause of the Code to avoid covering a consumer's online banking losses. The new Code came into effect at the beginning of this week. The latest edition of the Business Banking Code took effect the same day.

More here.

Note: Background on the exact same issue in New Zealand here. -ferg

FBI Reports Record Financial Losses to Cybercrime

Kelly Jackson Higgins writes on Dark Reading:

The U.S. economy may be tanking, but the cybercrime economy is booming, according to the latest report [.pdf] from the FBI’s Internet Crime Complaint Center.

Dollar losses to cybercrime increased to $240 million in 2007, a $40 million jump from 2006, according to the IC3's newly released 2007 Internet Crime Report. The IC3 received 206,884 reports of Internet crime last year, 90,000 of which were then picked up by law enforcement, according to the report.

And that’s not including the cybercrimes that went unreported to the IC3.

More here.

When VoIP Vulnerabilities and SCADA Security Worlds Collide

Brian Krebs writes on Security Fix:

But lest anyone think VoIP vulnerabilities are nothing to be concerned about, consider the rather shocking tidbit shared last month at the Black Hat hacker conference in Washington, D.C. by Jerry Dixon, former head of the Department of Homeland Security's National Cyber Security Division. Dixon warned that VoIP vulnerabilities are opening dangerous new avenues of exposure for the companies that own and operate our nation's most critical networks, such as those that support the electric power, water and manufacturing systems.

To lower costs and increase efficiency, most utilities these days use the Internet to keep tabs on and manage their far-flung substations and networks. These control networks, known as supervisory control and data acquisition (SCADA) networks, naturally expose these very sensitive and complex systems to extreme risk of degradation or destruction if they are not properly secured. One important aspect of securing SCADA systems involves separating them the administrative networks that utility employees use for everyday work, such as e-mail and browsing the Web.

Dixon said that while a great many SCADA operators he has spoken with claim they carefully segregate their SCADA and administrative networks, far too many have gone ahead and set up their VoIP systems on the same network that manages their SCADA systems.

More here.

Patch Tuesday Heads-Up: Critical IE, Office, Windows Patches on Deck

Ryan Naraine writes on eWeek:

Microsoft plans to release eight security bulletins on April 8 to patch multiple security vulnerabilities affecting Windows, Microsoft Office and Internet Explorer users. As part of its pre-release advance notice mechanism, the Redmond, Wash., software vendor said five of the eight bulletins will be rated "critical," Microsoft's highest severity rating.

The remaining three bulletins will be rated "important."

More here.

U.S. Secret Service Agent To Lead DHS Cyber Division

Brian Krebs writes on Security Fix:

A cybercrime investigator at the U.S. Secret Service has been named to head the Department of Homeland Security's National Cyber Security Division, Security Fix has learned.

Cornelius F. Tate, a graduate of University of Mississippi, currently heads up the Technical Security Division at Secret Service. Tate also is a member of the Electronic Crimes Special Agent Program, a Secret Service team made up of agents who conduct forensic analysis of computer systems. DHS established the NCSD to serve as a 24/7 watch center to share information between the private sector and the government about the latest cyber attacks.

More here.

U.S. to Scale Back High-Tech 2010 Census Plans

Anne Broache writes on the C|Net News Blog:

Department of Commerce Secretary Carlos Gutierrez plans to tell Congress on Thursday that the next constitutionally mandated count of the U.S. population will be taking place, once again, via old-fashioned pencil and paper, according to a report by National Journal's NextGov blog.

Census officials had been hoping to introduce handheld computers into the process of collecting and transmitting data, but numerous glitches along the way have stymied those plans.

That means, in part because of "recent increases in gas prices, postage, and printing" and the need to hire more Census workers, Congress will need to allocate as much as $3 billion in additional taxpayer dollars for the 2010 Census, Gutierrez was expected to tell a House of Representatives subcommittee that oversees such spending matters. That means the entire pricetag for the decennial process could climb as much as $14.5 billion.

More here.

UK: Tories Issue Cyber-Crime Warning

Via The BBC.

The government has seriously underestimated the threat to the UK posed by cyber-crime, the Tories say.

Shadow Home Secretary David Davis said the risk of cyber-attack by criminals, foreign governments and terrorists was "serious, strategic and long-term".

But he accused ministers of treating it as a "second order" risk in their security strategy released last month.

He said the Tories would appoint a dedicated cyber-crime minister and a new police unit to fight e-crime.

More here.

Secret Memo Raises New Questions on Domestic Spying

Justin Rood writes on ABC News' "The Blotter" Blog:

Shortly after the Sept. 11, 2001 attacks, the Bush administration concluded constitutional protections against unreasonable searches did not apply if they were done as part of “domestic military operations,” the Wall Street Journal reports this morning.

The American Civil Liberties Union, which unearthed that tidbit, called it a "radical interpretation" of the Fourth Amendment. A Justice Department spokesman said the administration has since changed its thinking on the matter. However, the legal reasoning was in place from 2001 until possibly as late as 2006, the Journal says.

The reasoning is contained in a still-classified 37-page memo dated Oct. 23, 2001, from the Justice Department Office of Legal Counsel. Another document, recently obtained by the ACLU, mentioned the October 2001 memo’s findings on the Fourth Amendment.

That secret memo has appeared before, however.

More here.

Wednesday, April 02, 2008

Late Flashback: Siouxsie and the Banshees - Cities in Dust



Somehow so very apropos.

Enjoy.

- ferg

Chinese Spy, Chi Mak, 'Slept' In U.S. for 2 Decades

Joby Warrick and Carrie Johnson write in The Washington Post:

Prosecutors called Chi Mak the "perfect sleeper agent," though he hardly looked the part. For two decades, the bespectacled Chinese-born engineer lived quietly with his wife in a Los Angeles suburb, buying a house and holding a steady job with a U.S. defense contractor, which rewarded him with promotions and a security clearance. Colleagues remembered him as a hard worker who often took paperwork home at night.

Eventually, Mak's job gave him access to sensitive plans for Navy ships, submarines and weapons. These he secretly copied and sent via courier to China -- fulfilling a mission that U.S. officials say he had been planning since the 1970s.

Mak was sentenced last week to 24 1/2 years in prison by a federal judge who described the lengthy term as a warning to China not to "send agents here to steal America's military secrets." But it may already be too late: According to U.S. intelligence and Justice Department officials, the Mak case represents only a small facet of an intelligence-gathering operation that has long been in place and is growing in size and sophistication.

More here.

Fresh Air: In 'Bush's Law,' Secret Surveillance Efforts Revealed

Via NPR.org.

In 2005, The New York Times revealed that the National Security Agency had initiated wiretaps and other forms of surveillance without court orders. It was a story the Bush administration hoped to keep under wraps, says Eric Lichtblau, one of the two reporters who pushed for the publication of the story.

Lichtblau's new book, Bush's Law: The Remaking of American Justice, details how the administration used the "war on terror" to push for controversial surveillance programs.

Lichtblau is a Washington correspondent for The New York Times. In 2006, he won a Pulitzer Prize for his coverage of domestic spying.

More here.

PayPal Debit Card Glitch Blocks Transactions

Jon Brodkin writes on NetworkWorld:

PayPal seems to be having technical difficulties with a debit card that allows users instant access to the money in their PayPal accounts, as multiple users are reporting they are unable to activate the cards or they are being denied transactions.

The problems seem to go back at least a month, based on message board postings on eBay, which owns PayPal. One user on March 5 reported debit card transactions being denied over the phone, online and in-person “for vague security reasons.” Several other users have reported similar problems.

More here.

Schneier: The Difference Between Feeling and Reality in Security

Bruce Schneier writes on Wired.com:

People are more likely to realistically assess these incidents if they don't contradict preconceived notions about how the world works. For example: It's obvious that a wall keeps people out, so arguing against building a wall across America's southern border to keep illegal immigrants out is harder to do.

The other thing that matters is agenda. There are lots of people, politicians, companies and so on who deliberately try to manipulate your feeling of security for their own gain. They try to cause fear. They invent threats. They take minor threats and make them major. And when they talk about rare risks with only a few incidents to base an assessment on — terrorism is the big example here — they are more likely to succeed.

More here.

Web 2.0 Security Hangover

From the "I-Told-You-So" Dept:

Brian Prince writes on eWeek:

Web 2.0 applications have certainly made the user experience more interactive, but organizations need to be mindful of their impact on Web site security.

Certainly, there are a number of reasons Web sites become an attractive target for hackers; sometimes sites are built prior to an attack being known about, or the developers were in a hurry. Still, some researchers say the Web 2.0 rush has had an impact on security as well, opening up new possibilities for attackers.

"The Web used to be a very static delivery method," said Mary Landesman, senior security researcher at ScanSafe. "All we could do is go to a site and read it. We couldn't interact with it."

But in today's dynamic Web 2.0 environment, there is a lot of give-and-take of information, from visitors leaving comments to third-party advertising being pushed in by affiliate ad programs, Landesman said.

"There's a lot of Web applications that are now involved," she said. "It just opens the door for exploits, either within the Web application, or through social engineering or by a hostile person inserting themselves at some point in this chain of affiliate relationships."

More here.

Note: Not to seem self-congratulatory, but I think many of us were saying this almost a year ago. - ferg

UCLA Staffer Looked Through Farrah Fawcett's Medical Records

Charles Ornstein writes in The Los Angeles Times:

Months before UCLA Medical Center caught its staffers snooping in the medical records of pop star Britney Spears, '70s TV icon Farrah Fawcett learned that a hospital employee had surreptitiously gone through records of her cancer treatments there, documents and interviews show.

Fawcett's lawyers said they are concerned that the information was subsequently leaked or sold to tabloids, including the National Enquirer.

Shortly after UCLA doctors told Fawcett that her cancer had returned -- and before she had told her son and closest friends -- the Enquirer posted the news on its website. Indeed, alarming headlines regularly cropped up in the Enquirer and its sister publication, the Globe, within days of Fawcett's treatments at the UCLA hospital.

More here.

TJX Could Pay Mastercard $24M Over Breach

An AP newswire article by Mark Jewell, via MSNBC, reports that:

Discount retailer TJX Cos. could pay as much as $24 million in a settlement Wednesday with MasterCard Inc. over a massive breach that exposed tens of millions of payment card numbers to hackers.

The pact came as a group that tracks U.S. data breaches reported the number of cases in the first three months of this year was more than double the total in last year's first quarter.

The MasterCard agreement, which follows a similar $40.9 million pact in November with Visa Inc., hinges on banks that issue MasterCards agreeing to waive rights to sue TJX in exchange for being paid for breach-related costs.

More here.

Quote of The Day: Mike Rothman

"If security professionals think that an audit makes them secure, they are idiots."

- Mike Rothman, writing in The Daily Incite, on "Does PCI create a false sense of anything?"


Coming Up: The Fingerprint-Grabbing Keylogger

Dan Goodin writes on The Register:

A British researcher has developed a biometric keylogger [.pdf] of sorts that can capture fingerprints required to unlock building doors or gain access to computer networks or other restricted systems.

For now, the Biologger is a proof-of-concept aimed at showing the insecurity of many biometric systems, according to Matthew Lewis, who demonstrated the tool at last month's Black Hat Amsterdam conference. But the researcher, who works for Information Risk Management, warns the attack could become commonplace if current practices don't change and could be used to log images of retinas, facial features and any other physical characteristics used by biometric systems.

More here.

Democratic Lawmaker Vouches for Bush Administration's Secret Plan to End Cyber War

Kevin Poulsen writes on Threat Level:

You'd think by this point House Democrats would be a little leery when the Bush administration comes up a new threat that it says can only be combated by a secret, warrantless NSA surveillance program requiring assistance from the private sector.

But it's official: TCP is the new WMD, and at least one prominent Democratic lawmaker is now eager to help the intelligence community prevent Cybarmageddon.

In a jointly-authored op-ed in today's Wall Street Journal, intelligence director Mike McConnell joins with Congresswoman Anna Eshoo (Calif.), a subcommittee chair on the House Intelligence Committee, to warn that "a cyber attack could be more devastating economically than Sept. 11."

More here.

MLB.TV: The Heathrow T5 of Online Sports Offerings

Juan Carlos Perez writes on PC World:

Major League Baseball's MLB.TV online broadcasting service encountered serious technical difficulties for the second straight day on Tuesday, as affected paying subscribers fumed about missing games.

At around 7 p.m. Eastern Time, minutes prior to the start of Tuesday's first games, MLB disabled its Mosaic media player, the application that gives premium-level MLB.TV subscribers the advanced viewing features they pay for.

Mosaic remained unavailable for about three hours, but even after it became operational again, an undetermined number of subscribers still were unable to watch games due to technical problems affecting MLB.TV's log-in process.

MLB on Wednesday didn't immediately respond to a request for comment about the outstanding technical issues affecting MLB.TV, whose premium-level subscription costs either $19.95 per month or $119.95 per year. A lower-level subscription tier costs $14.95 per month or $89.95 per year.

More here.

FTP Sites Vulnerable to Data Breaches

Peter Piazza writes on CIO Today:

What do the U.S. Army Corps of Engineers and video-game giant Sega have in common? The answer is that both exposed sensitive data via their File Transfer Protocol (FTP) sites. While the impact on Sega was only to force the company to release information on a new game earlier than it wanted to, in the former case it could have cost the lives of soldiers in Iraq.

FTP may be a dinosaur these days, but it's being used -- or, perhaps, misused -- regularly by employees who are simply trying to do their jobs, but who lack the adequate tools, according to John Thielens, vice president of technology for Tumbleweed, a vendor of content-security solutions.

More here.

Credit Card Scam Requires No Credit Card

Maxine Bernstein writes on The Oregonian:

Before heading out for a weekend trip to Seattle with his wife, Aaron Reed checked his bank account online.

Puzzled by a credit card authorization from the Lloyd Center shop Things Remembered, Reed walked to the bedroom to ask his wife whether she had bought any jewelry or gifts lately. By the time he returned to his computer, more unusual transactions had popped up: a $15 Broadway cab fare and $270 for five nights in an Econo Lodge Motel.

"It weirded me out because I had my card," said Reed, 35. "It wasn't like I had lost my card."

The thief didn't need Reed's bank or debit cards, financial records, mail or credit card receipts. She hit on his account number by chance.

Like mathematicians searching for the right formula, such thieves painstakingly try out combinations of 16 digits until they come up with a series that fits someone's card number.

More here.

Hat-tip: Even Schuman

'Deep Throat Fight Club' to Pummel Web Filters With Pr0n - UPDATE

Ellen Messmer writes on NetworkWorld:

It could end up as a technology bar brawl.

Untangle, a company that makes a security gateway based on open source, next Wednesday plans what it's calling the "Deep Throat Fight Club" in a San Francisco bar to beat on Web filters of six competing vendors.

At the Thirsty Bear in downtown San Francisco at about noon next Wednesday, Untangle says it will pummel six Web filters with test scripts to show how well the filters can block porn sites. Untangle says the six Web filters selected to undergo this rough treatment are from WatchGuard, SonicWall, Fortinet, Barracuda, WebSense and ScanSafe.

It won't be pretty, says Raul Mujica, Untangle's vice president of marketing. In fact, anyone attending will need to sign a waiver explaining they could be seeing some pretty awful porn.

More here.

UPDATE: 10 April 2008, 09:23 PDT: The results of this contest can be found here. -ferg

Davidson Cos. Sued for Negligence in Data Breach

Tim Wilson writes on Dark Reading:

Security pros, take heed: If you don't do your job, you may not only be fired -- you may end up in court.

A Billings, Mont., law firm has filed a class-action lawsuit in federal court against Davidson Companies, claiming the company was negligent when it allowed a hacker to penetrate its systems, resulting in a data security breach and the exposure of some 226,000 customer records, according to a report.

The breach, which was revealed in January, occurred when a hacker broke into a Davidson Companies database and obtained the names and Social Security numbers of virtually all of the Montana-based financial services company's clients. Details on how the hacker accessed the database weren't published.

More here.

FBI Unveils Nationwide N-Dex Deployment

Wilson P. Dizard III writes on GCN.com:

The FBI's Criminal Justice Information Service today unveiled the long-planned first increment of the National Data Exchange information sharing web.

"N-DEx will enable all law enforcement agencies to share incident reports, correlate crime data and collaborate on criminal justice investigations on a national basis," according to a Raytheon press announcement cleared by the bureau.

The bureau's Criminal Justice Information Division, based in Clarksburg, W.Va., sponsored the system. The network is intended to enable law enforcement agencies at the federal, state and local level to collaborate on their investigative work by sharing information held in one another's data systems.

The FBI and prime contractor Raytheon have relied on advice from the fledgling system's prospective users in law enforcement agencies nationwide to set the priorities of the N-DEx capabilities that will be progressively rolled out over the next three years.

More here.

Council of Europe Asks ISPs to Help Battle Cyber Crime

Via SecurityFocus.com.

The Council of Europe plans to vote this week on drafted guidelines that call for more cooperation from Internet service providers (ISPs) in combatting online attacks.

During the Council of Europe's Octopus 2008 Conference on Cybercrime -- which is taking place in Strasbourg, France -- participants will be asked to adopt a set of guidelines to speed response to cyberattacks and share more information, especially between Internet service providers and government agencies. The guidelines have been proposed by Estonia and other nations following the attacks on the northern European country last spring.

"The draft guidelines build upon the existing Council of Europe Convention on Cybercrime -- to which many countries in Europe and beyond have acceded -- and call for formal partnerships between Internet service providers (ISPs) and law enforcement," the Council of Europe said in a statement published about the conference.

More here.

Hackers Targeted Syrian Media During Damascus Summit

Via Menassat.com.

Journalists covering the Arab summit from the Damascus media center on Saturday morning were astonished to find access to many official Syrian websites blocked. Access was denied to the official Syrian news agency, SANA, newspapers like al-Thawra and Tishrine and news websites such as Syria News, Sham Press and Zaman al-Wasel.

Rumors quickly spread among journalists that Syria was under a computer attack, probably originating in France, Turkey or Lebanon. Officials at the Ministry of Communications preferred not to divulge the source of the hacking, instead releasing an official statement saying, "The attack on the websites hosted by foreign companies came from outside the Syrian territories with no specific source."

The Ministry later said that the Telecommunications Institution and the Syrian Scientific Association were collaborating with the host companies to solve the problem and put the websites back online. Backup copies of the websites were being transported to the Syrian Scientific Association in anticipation of another attack.

More here.

Hat-tip: InfoSecNews.org

Pentagon Analyst Admits Spying For China

Via The BBC.

A US defence department analyst has admitted giving classified information about military communication systems to a businessman working for China.

Gregg Bergersen, 51, pleaded guilty to a charge of conspiracy to disclose national defence information "to persons not entitled to receive it".

Mr Bergersen faces up to 10 years in prison when he is sentenced on 20 June.

Correspondents say his admission comes amid growing concern in Washington about the activities of Chinese spies.

Four others were arrested in separate case last month for allegedly passing secret details about the space shuttle and other US aerospace programmes to China.

More here.

Tuesday, April 01, 2008

Fusion Centers Tap Into Personal Databases

Robert O'Harrow Jr. writes in The Washington Post:

Intelligence centers run by states across the country have access to personal information about millions of Americans, including unlisted cellphone numbers, insurance claims, driver's license photographs and credit reports, according to a document obtained by The Washington Post.

One center also has access to top-secret data systems at the CIA, the document shows, though it's not clear what information those systems contain.

Dozens of the organizations known as fusion centers were created after the Sept. 11, 2001, terrorist attacks to identify potential threats and improve the way information is shared. The centers use law enforcement analysts and sophisticated computer systems to compile, or fuse, disparate tips and clues and pass along the refined information to other agencies. They are expected to play important roles in national information-sharing networks that link local, state and federal authorities and enable them to automatically sift their storehouses of records for patterns and clues.

Though officials have publicly discussed the fusion centers' importance to national security, they have generally declined to elaborate on the centers' activities. But a document that lists resources used by the fusion centers shows how a dozen of the organizations in the northeastern United States rely far more on access to commercial and government databases than had previously been disclosed.

More here.

FBI Seeking More Funding For Counter-Terrorism

Terry Frieden writes on CNN.com:

FBI Director Robert Mueller on Tuesday heard sharp complaints from lawmakers about the bureau's past failures but found no opposition to plans for a big budget increase.

House Appropriations Committee Chairman David Obey, D-Wisconsin, led criticisms of the FBI's serious errors in issuing secret "national security letters."

Obey and other Democrats on the House panel expressed disappointment that the FBI did not appear to have fully fixed how the sensitive letters -- sent to financial institutions, Internet service providers and other businesses that hold private citizen information -- are issued.

"Is this the last time we're going to hear about NSL violations?" Obey demanded.

"That is my hope and expectation," Mueller replied.

More here.

¡ʇno pǝddılɟ s,looɟ lıɹdɐ

˙ooʇ 'uʍop ǝpısdn ʇxǝʇ ɹnoʎ dılɟ oʇ ʍoɥ ʇno puıɟ oslɐ uɐɔ noʎ 'ʇno dılɟ noʎ ǝpɐɯ ǝʌɐɥ sʞuɐɹd ʎɐp s,looɟ lıɹdɐ ǝɥʇ ɟo llɐ ɟı

¡ǝɹǝɥ ʍoɥ ʇno puıɟ

ƃɹǝɟ-

Cyber-Sabotage in Counterfeit Hardware

Via Defense Tech.

Recent events have raised the concerns about hidden backdoors and malicious code inside of counterfeit hardware -- all the way down to the integrated circuit level.

In fact, a 2005 report by the Pentagon's Defense Science Board addresses this issue. While this report assessed the problem, recent events have now raised the anxiety over cyber sabotage in bogus hardware. In fact, many consider the use of compromised counterfeit hardware as a strategic tactic in cyber warfare.

In January of 2008, a joint task force seized $78 million of counterfeit Cisco networking hardware. This international effort resulted in over 400 seizures of counterfeit networking hardware that was shipped between China, Canada and the United States. This international effort between the Federal Bureau of Investigations (FBI), U.S. Immigration and Customs Enforcement (ICE), US Customs and Border Protection (CBP), the Royal Canadian Mounted Police (RCMP) and supported by other agencies within the Department of Homeland Security (DHS) clearly shows the criminal efforts that are underway.

More here.

Documents Confirm Lack Of Oversight Of Military's Domestic Surveillance Powers

Via ACLU.org.

On the heels of an internal report criticizing the FBI for abusing its power to issue National Security Letters (NSLs), newly unredacted documents released today as a result of an American Civil Liberties Union and New York Civil Liberties Union lawsuit reveal that the Department of Defense (DoD) is using the FBI to circumvent legal limits on its own NSL power and may have overstepped its authority to obtain private and sensitive records of people within the United States without court approval.

The previously withheld records also reveal that the military is secretly accessing these private records without providing training, guidance, or any real record keeping.

More here.

Monday, March 31, 2008

Cybercrime Book Excerpt: Zero Day Threat

Byron Acohido and Jon Swartz write on Wired.com:

When a shadowy Nigerian national with the nickname Mr. O finagled his way into the vast files of data broker ChoicePoint in 2003, he struck a mother lode of confidential information -- by internal ChoicePoint estimates, records of up to 4.3 million individuals.

By the time ChoicePoint publicly disclosed what was then the largest data-security breach, the FBI and Los Angeles police were investigating, lawmakers demanded hearings, and ChoicePoint vowed to remake itself. Some privacy advocates insisted the incident would underscore the dangers of data theft and ID fraud.

And yet, data breaches got bigger and broader in the intervening years, as Internet-based commerce and social networking inexorably expand. Since ChoicePoint, online scammers have repeatedly victimized corporations and their customers. The most audacious was the theft of records of as many as 94 million credit card transactions from giant retailer TJX, parent of 2,500 TJ Maxx and Marshall's stores.

Amid the wholesale rip-off of consumer data through cybercrime, USA Today reporters Byron Acohido and Jon Swartz began investigating the evolution of hacking from harmful pranks to a $100 billion-per-year criminal enterprise worldwide. Their resulting book, Zero Day Threat, examines the con men and cybercrooks who are exploiting security holes in online banking and shopping services.

Much more here.

U.S. Toll in Iraq


Via The Boston Globe (AP).

As of Monday, March 31, 2008, at least 4,011 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,264 died as a result of hostile action, according to the military's numbers.

The AP count is eight more than the Defense Department's tally, last updated Monday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

New Zealand Teen Botmaster Found Guilty

Martin Hodgson writes on The Guardian.co.uk.

A New Zealand teenager accused of leading an international ring of computer hackers which skimmed millions of dollars from bank accounts was today convicted of illegal computer hacking.

Owen Thor Walker, 18, pleaded guilty yesterday to six charges related to using computers for illegal purposes. Police allege that he led a group of hackers who took control of 1.3m computers around the world without their owners' knowledge.

Hackers routinely send out viruses, worms and malicious Trojan horse programs which allow them to take control of a victim's machine. Linked through the internet to form a "bot-net" network, the infiltrated computers are used to access personal bank accounts, steal credit card details or bombard users with spam.

Police alleged that Walker wrote software that evaded normal computer anti-spyware systems, and then sold his skills to criminals around the world.

More here.

Advanced Auto Parts Notifies Customers of Network Breach

Brian Prince writes on eWeek:

Advance Auto Parts, a leading auto parts retailer, has begun sending letters to customers impacted by a data breach that may have exposed financial information of up to 56,000 people.

The retailer reported Monday that a "network intrusion" had exposed financial information and was the subject of a criminal investigation. Fourteen of the retailer's stores, including locations in Georgia, Ohio, Louisiana, Tennessee, Mississippi, Indiana, Virginia and New York, are believed to have been affected.

Advance Auto Parts did not specify how customer financial information had been revealed or how access had been gained to its network. In response to the incident, the company notified its credit, debit and check processors.

Customers of the 14 locations listed in an advisory who do not receive a letter can call a toll-free-number provided by the company to find out if they were affected, according to the company.

More here.

Australia: Daylight Saving Change Causes IT Chaos

Via ZDNet Australia.

The NSW government's decision to delay the daylight saving time change by a week has caused widespread IT chaos, with Telstra, the RTA, Qantas, and radio station 2GB all reporting problems.

The NSW State Government has extended daylight saving this year by one week in a move to make next Sunday's change in time uniform across Australia.

Consumers noticed the change when the software on their phones switched back an hour at 2am on Sunday. Telstra spokesperson Peter Taylor said the changes had affected many Telstra phones.

More here.

HSBC e-Payments System Goes Missing Over Weekend

Richard Thurston writes on The Register:

Angry retailers have launched a tirade against HSBC after its e-payments system fell over on Friday and stayed down for the whole weekend.

Retailers were unable to sell anything online for over 48 hours, and have started calling for compensation.

HSBC's e-payments system has proved particularly attractive for retailers because of the relative speed in which the money is transferred into their bank account.

More here.

Sunday, March 30, 2008

Canada: RCMP Computer Security Breached, Documents Revealed

Via The Vancouver Sun.

The security of RCMP computers used to process evidence for a looming multimillion-dollar trial was breached from outside the agency, exposing sensitive files to the possibility of theft and tampering, Crown documents reveal.

The police computers were also used to view pornography and download music and illegal software, a letter from senior Kamloops Crown prosecutor Don Mann states.

The three-page letter, obtained by the Kamloops Daily News Thursday, was provided to four men accused of being part of a national auto-theft ring during a court hearing Wednesday.

The information in the letter relates to six computers that handled the massive volumes of Project Eau evidence.

The computers, which stored and processed more than 250,000 pieces of evidence, were exposed to viruses and the possibility of tampering after an officer with the investigating unit hooked the computers to the Internet, contrary to orders.

More here.

xkcd: A Convincing Pickup Line




We love xkcd.

Enjoy.

- ferg

U.S. Toll in Iraq


Via The Boston Globe (AP).

As of Sunday, March 30, 2008, at least 4,010 members of the U.S. military have died since the beginning of the Iraq war in March 2003, according to an Associated Press count. The figure includes eight military civilians. At least 3,261 died as a result of hostile action, according to the military's numbers.

The AP count is 10 more than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Canadian Health Agency Crippled by Malware Last Year

Via CTV.ca.

The federal agency that helps protect Canadians against epidemics came down with a devastating case of computer cramps last year that could have put lives at risk.

Hundreds of computers at the Public Health Agency of Canada fell victim to a "worm,'' a bit of malicious software that nearly brought operations to a halt.

The infection began with just a few computers but spread like a Prairie grass fire, eventually knocking out 1,308 work stations in three cities and taking more than a month to eradicate, say newly released documents.

The "worm'' also spread to Health Canada when infected agency computers tapped into the bigger department's data network, disabling 543 additional work stations in five of Health Canada's Ottawa-area offices.

More here.

Hat-tip: Pogo Was Right

Hackers Access Information Sent to Irish Jobs Agency

Via The Irish Times.

Personal information supplied by job applicants to online recruitment agency Jobs.ie has been illegally accessed by internet hackers, writes Olivia Kelly .

CVs submitted by the applicants were downloaded in bulk through a non-Irish web address last Thursday.

Jobs.ie would not say how many of its clients had been affected, but said it had now fixed the security breach.

The clients whose information was taken are at risk from identity fraud and "phishing", where criminals, often posing as a well-known, legitimate company, use the information gleaned to try to extract further personal and financial information from their victims.

It is understood that the hackers used an illegally obtained log-in and password given to employers who are registered with Jobs.ie to access the job applications area of the site. They then downloaded personal information from CVs submitted, along with job applications.

More here.

Hat-tip: Pogo Was Right

Islamic Jihad Says It Hacked Israeli Websites

Roee Nahmias writes on ynetnews.com:

Islamic Jihad operatives have been able to hack into several Israeli websites, the London-based Arabic-language newspaper al-Sharq al-Awsat reported Sunday.

"The electronic surveillance unit of the media warfare division has been able to hack into several Israeli websites and take them over," said a statement by the al-Quds Brigades, quoted by the paper.

According to the report, the operatives were able to plant images of Hassan Shakura, the former head of the Jihad's media warfare division in Gaza, who was killed by the IDF, on the sites; along with other images and Jihad videos.

Hacking "Zionist websites," said the statement "was part of our response to the elimination of the head of the media warfare office in Gaza, as well as a token of our allegiance to the blood of our troops."

More here.