Friday, June 13, 2008

'I'm Voting Republican'



...and so can you. Not.

Hat-tip: Threat Level.

- ferg

Gapingvoid: Now What?



Via gapingvoid.com.

Enjoy.

- ferg

Weak Evidence Links Congressmen's Cyber Attacks to China, Experts Say

Robert McMillan writes on ComputerWorld:

U.S. House members who say that China may have been responsible for attacks on their computers have provided little evidence to back up their claims, according to computer security experts.

The two Republican congressmen, Reps. Frank Wolf of Virginia and Christopher Smith of New Jersey, disclosed Wednesday that computers in their offices were hacked in late 2006 and early 2007. Both men have been critical of China's human rights record and said that the attacks raised concerns that they were being targeted for their support of Chinese dissidents.

More here.

In Passing: Tim Russert


Tim Russert
May 7, 1950 – June 13, 2008

South Africa: US$1.852 Million Cyber Theft Foiled

Via Dispatch.co.za.

The Eastern Cape government is under attack from a syndicate of cyberspace hackers who have already swindled millions of rands from its provincial coffers.

An attempt by the syndicate using cyber spyware to steal R15million [US$1.852M] from the Housing, Local Government and Traditional Affairs in Bhisho was foiled just two days ago.

Details of the attempted hi-tech computer scam emerged yesterday, a day after government revealed it had identified at least 26 cases of a syndicate swindling government departments in four provinces, including the Eastern Cape, of over R199m in the past three years.

Provincial Treasury spokesperson Cecile Greyling confirmed that someone had hacked into the system and tried to transfer funds from the Housing Department’s basic account system.

The Daily Dispatch has learnt that the scam involved channelling payments to existing suppliers into bogus accounts.

The attempted theft was stopped in time by an alert computer systems controller.

More here.

Hat-tip: InfoSec News

Thursday, June 12, 2008

U.S. Toll in Iraq


Via The Boston Globe (AP).

As of Thursday, June 12, 2008, at least 4,098 members of the U.S. military have died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes eight military civilians killed in action. At least 3,338 died as a result of hostile action, according to the military's numbers.

The AP count is one higher than the Defense Department's tally, last updated Thursday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Programming Note: Light Posting Day

Greets.

I'll be tied up in meetings all afternoon up in Menlo Park, so posting to the blog will be non-existent until later tonight.

Thanks for reading!

- ferg

Wednesday, June 11, 2008

Mark Fiore: Lord Petro



More Mark Fiore brilliance.

Via The San Francisco Chronicle.

Enjoy!

- ferg

Cybercrime Outranks Other Crimes on Europeans' Worry List

Tim Wilson writes on Dark Reading:

The European Network Information Security Agency (ENISA) last week warned that increasing cybercriminal activity threatens the economic interests of the European Union, according to a report.

The agency estimates that as many as six million computers in the European Union are infected by, and connected to, botnets, and that spam is costing businesses 65 billion Euros.

Antivirus vendor AVG Technologies supported ENISA's findings with the results of a newly published study that took a look at attitudes toward cybercrime in seven different countries. A total of 7,000 PC users were polled.

Twenty-two percent of the respondents to the AVG survey said they had experienced some form of cybercrime. Italians fared worst -- 32 percent of users said they have been affected. U.K. users were close behind, with 31 percent affected.

More here.

FISA Court Repeatedly Questions FBI Wiretap Network

Ryan Singel writes on Threat Level:

Does the FBI track cellphone users' physical movements without a warrant? Does the Bureau store recordings of innocent Americans caught up in wiretaps in a searchable database? Does the FBI's wiretap equipment store information like voicemail passwords and bank account numbers without legal authorization to do so?

That's what the nation's Foreign Intelligence Surveillance Court wanted to know, in a series of secret inquiries in 2005 and 2006 into the bureau's counterterrorism electronic surveillance efforts, revealed for the first time in newly declassified documents.

More here.

Cyber Criminals Find Loophole in Verification Systems

Dinah Greek writes on ComputerAct!ve:

Fraudsters have hijacked a system designed to help protect retailers and consumers from credit card fraud, according to fraud protection specialists the 3rd Man.

The company claims that a serious flaw in the Address Verification System (AVS) used by retailers to check the identity and billing address of a card holder allows fraudsters to fake verification.

AVS is often used by internet retailers to check that the billing address the credit card holder gives matches the address on file at the credit card company.

It works by matching the house number and postcode numbers for each card issued. For example, 43 Crooks Close, B10 7GB would result in an AVS number of 43107.

But a 3rd Man investigator discovered that criminals are getting around this check to make fraudulent transactions look genuine.

More here.
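An added illustration of the AVS digit-matching described above (example code, not from the article or from the 3rd Man): it derives the numeric AVS string from an address line and postcode the way the article's "43 Crooks Close, B10 7GB -> 43107" example implies, compares it with the digits the card issuer holds, and shows why a merchant should treat a match as weak evidence, since every letter in the address is discarded and unrelated addresses can produce the same digits. The "full"/"partial"/"none" labels and the sample cardholder record are assumptions constructed for the example.

```python
import re

# Constructed sample cardholder record (not real data): what the card
# issuer holds on file for the card being used at checkout.
CARDHOLDER_ON_FILE = {"address": "43 Crooks Close", "postcode": "B10 7GB"}


def avs_digits(address_line: str, postcode: str) -> str:
    """Build the numeric AVS string: digits of the address line (the house
    number) followed by the digits of the postcode. Every non-digit is
    dropped, so '43 Crooks Close' + 'B10 7GB' becomes '43' + '107' = '43107'."""
    house_digits = re.sub(r"\D", "", address_line)
    postcode_digits = re.sub(r"\D", "", postcode)
    return house_digits + postcode_digits


def avs_check(claimed_address: str, claimed_postcode: str,
              on_file_address: str, on_file_postcode: str) -> str:
    """Compare the digits supplied at checkout with the digits on file.
    Returns 'full' (both parts match), 'partial' (one part matches) or
    'none'. The labels are assumed for this example, not the scheme's own
    response codes."""
    house_ok = re.sub(r"\D", "", claimed_address) == re.sub(r"\D", "", on_file_address)
    postcode_ok = re.sub(r"\D", "", claimed_postcode) == re.sub(r"\D", "", on_file_postcode)
    if house_ok and postcode_ok:
        return "full"
    if house_ok or postcode_ok:
        return "partial"
    return "none"


def same_avs_string(addr_a: str, pc_a: str, addr_b: str, pc_b: str) -> bool:
    """True when two addresses collapse to the same AVS string. This is the
    limitation a merchant must keep in mind: an AVS 'full' match only shows
    that the buyer supplied the right digits, not the right address."""
    return avs_digits(addr_a, pc_a) == avs_digits(addr_b, pc_b)


def check_order(claimed_address: str, claimed_postcode: str) -> str:
    """Run the AVS comparison for one checkout against the sample record."""
    return avs_check(claimed_address, claimed_postcode,
                     CARDHOLDER_ON_FILE["address"], CARDHOLDER_ON_FILE["postcode"])


if __name__ == "__main__":
    print(avs_digits("43 Crooks Close", "B10 7GB"))        # 43107, as in the article
    print(check_order("43 Crooks Close", "B10 7GB"))       # full
    print(check_order("43 Crooks Close", "B11 7GB"))       # partial
    # A different street and town with the same digits yields the same AVS string,
    # so an AVS match on its own should not be treated as proof of identity.
    print(same_avs_string("43 Crooks Close", "B10 7GB", "Flat 43, Mill Lane", "M10 7AA"))
```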

UK: Gary McKinnon's Extradition Appeal Reaches Law Lords


Ambrose McNevin writes on Computing:

The fate of UK hacker Gary McKinnon will be considered next week when he appears before the House of Lords on Monday (16 June).

In a case going back to 2002, McKinnon is appealing against his extradition to the US under hacking charges.

McKinnon told Computing he is fighting the extradition, despite claiming that he would have voluntarily presented himself to a US court were it not for the high-pressure tactics used by the Americans.

He claimed that US authorities verbally offered him a plea bargain with the minimum sentence of four years, but that they refused to confirm it in writing and have now said they want to prosecute him to the maximum level. McKinnon said one US prosecutor said the US wants to see him “fry”.

Former home secretary John Reid signed the extradition order on McKinnon, who has not denied hacking into US computer systems, including some of those mentioned in the American indictment. But he claims he was never a threat to security as he broke into NASA and US defence computers to look for evidence of the existence of UFOs.

More here.

California Obscenity, Florida Conviction: Max Hardcore

Kevin Fayle writes on The Register:

A federal jury in Tampa, Florida convicted a pioneer of gross-out "gonzo" porn last week on obscenity charges stemming from the delivery of his movies over the Internet, despite the fact that he lives and works entirely in California.

Paul Little creates porn in Altadena under the names of "Max Hardcore" and "Max Steiner." Unfortunately for him, the company that hosts his websites has servers in Tampa. Federal prosecutors jumped on this fact to prosecute him in the Sunshine State.

The reason for this move has to do with the dynamic between obscenity law and the First Amendment in the US. Speech is generally protected in America, but not all speech gets full First Amendment benefits, and obscene speech can be outlawed entirely.

More here.

Northern California: On Fire Again



Unfortunately, this fire is very close to home in the nearby Santa Cruz mountains. We can see the smoke on the surrounding ridges from the Santa Clara valley and San Jose.

I guess it's that time of year -- it's been a very dry spring, with no measurable rain for several months. :-(

- ferg

Image source: NBC11.com

Security Fix: Malware Silently Alters Wireless Router Settings

Brian Krebs writes on Security Fix:

A new Trojan horse masquerading as a video "codec" required to view content on certain Web sites tries to change key settings on the victim's Internet router so that all of the victim's Web traffic is routed through servers controlled by the attackers.

According to researchers contacted by Security Fix, recent versions of the ubiquitous "Zlob" Trojan (also known as DNSChanger) will check to see if the victim uses a wireless or wired hardware router. If so, it tries to guess the password needed to administer the router by consulting a built-in list of default router username/password combinations. If successful, the malware alters the victim's domain name system (DNS) records so that all future traffic passes through the attacker's network first. DNS can be thought of as the Internet's phone book, translating human-friendly names like example.com into numeric addresses that are easier for networking equipment to handle.

More here.

California Man Sentenced on Computer Hacking Charges

Via the U.S. Department of Justice.

United States Attorney Karen P. Hewitt announced that Jon Paul Oson was sentenced today to serve more than five years’ imprisonment on federal computer hacking charges. Mr. Oson was convicted following a jury trial in August 2007 of two counts of intentionally damaging protected computers.

The 63-month sentence imposed by the Honorable Thomas J. Whelan, United States District Judge, represents one of the longest sentences imposed for computer hacking in the United States. In addition to the custodial sentence, Oson was ordered to pay $144,358.83 in restitution to the Council of Community Health Clinics (“CCC”) and $264,979.00 in restitution to the North County Health Services Clinic (“NCHS”).

More here.

'Several' U.S. Government Computers Attacked by Chinese Hackers

Sandhya Somashekhar writes in The Washington Post:

Rep. Frank R. Wolf (R-Va.) today called for better measures to protect government computers and cellphones from cyber attacks by foreign governments, after revealing that computers in his office and those of "several others" on Capitol Hill have been targeted by hackers in China.

Wolf, a champion for human rights in China and elsewhere, said in a news conference today that authorities investigated the attacks on four of his computers in August 2006 and traced them to a computer in China. The hackers, he said, gained access to sensitive information about the identities and locations of Chinese dissidents, among other data.

Rep. Christopher H. Smith (R-N.J.), another vocal critic of China's human rights record who appeared with Wolf to announce the breach and some companion legislation, said he was targeted by Chinese hackers twice and that the sophistication of the attacks and the kind of information retrieved suggests that the government may have been behind them.

More here.

UK: Secret Terror Files Left On Train

Via The BBC.

Police are investigating a "serious" security breach after a civil servant lost top-secret documents containing the latest intelligence on al-Qaeda.

The unnamed Cabinet Office employee apparently breached strict security rules when he left the papers on the seat of a train.

A fellow passenger spotted the envelope containing the files and gave it to the BBC, who handed them to the police.

Home Secretary Jacqui Smith now faces demands for an official inquiry.

Keith Vaz MP, chairman of the powerful Home Affairs select committee told the BBC: "Such confidential documents should be locked away...they should not be read on trains."

More here.

More Meta Data Gaffes: Corn Farmers Take Anti-Google Fight to Washington

Declan McCullagh writes on the C|Net "Iconoclast" Blog:

If you think there's something a little odd about a bunch of corn farmers lobbying Congress to hold hearings on the details of a Google-Yahoo advertising deal, you may be right.

A letter [.pdf] that the American Corn Growers Association and other farmers' groups sent to the U.S. Congress on Monday appears to be linked to a Washington, D.C., lobby group that does work for cable providers, some of Google's most potent political adversaries.

The letter warned Senate and House committee chairmen that any such deal would "create a monopolistic concentration of power in the market for online search and related advertising."

An examination of the metadata in the PDF version of the letter shows that the author was Alexandra Esser. That's the name of a staffer at a secretive Washington, D.C., lobby organization called the LawMedia Group, which currently counts the National Cable and Telecommunications Association as a client and counted AT&T as one in the past.

More here.

Researchers Link Storm Botnet to Illegal Pharmaceutical Sales

Tim Wilson writes on Dark Reading:

Botnets are hopped up on Viagra.

That's the conclusion of a new report being issued by researchers at IronPort, Cisco Systems's email security unit, who have identified a link between originators of malware, such as the Storm botnet, and illegal pharmaceutical supply chain businesses that recruit the botnets to send spam promoting Viagra and many other prescription drugs on their Websites.

By converting spam into high-value pharmaceutical purchases, IronPort says, these supply chain enterprises allow the "monetization" of spamming botnets, providing an enormous profit motivation for botnet attacks.

"Our previous research revealed an extremely sophisticated supply chain behind the illegal pharmacy products shipped after orders were placed on botnet-spammed Canadian pharmacy Websites. But the relationship between the technology-focused botnet masters and the global supply chain organizations was murky until now," said Patrick Peterson, vice president of technology at IronPort and a Cisco fellow.

"Our research has revealed a smoking gun that shows that Storm and other botnet spam generates commissionable orders, which are then fulfilled by the supply chains, generating revenue in excess of $150 million per year."

More here.

SCADA Watch: Security Hole Exposes Utilities to Internet Attack


An AP newswire article by Jordan Robertson, via Wired.com, reports that:

Attackers could gain control of water treatment plants, natural gas pipelines and other critical utilities because of a vulnerability in the software that runs some of those facilities, security researchers reported Wednesday.

Experts with Boston-based Core Security Technologies, who discovered the deficiency and described it exclusively to The Associated Press before they issued a security advisory, said there's no evidence anyone else found or exploited the flaw.

Citect Pty. Ltd., which makes the program called CitectSCADA, patched the hole last week, five months after Core Security first notified Citect of the problem.

But the vulnerability could have counterparts in other so-called supervisory control and data acquisition, or SCADA, systems. And it's not clear whether all Citect clients have installed the patch.

More here.

Tuesday, June 10, 2008

xkcd: Apply Yourself


Click for larger image.

Yes, we love xkcd.

Enjoy!

- ferg

Is It Really This Bad? UK Government Turns to Prisoners to Tackle IT Skills Shortages

Bryan Glick writes in Computing:

Prisoners are to be trained in networking and cable installation to help tackle a skills shortage for suitably-skilled IT professionals.

Prisons minister David Hanson and skills minister David Lammy launched the new vocational learning academy at Wandsworth prison in London.

According to Cisco, one of the co-founders of the initiative, demand for data and network cabling experts outstrips supply by 20 per cent in the UK – equivalent to 61,000 jobs.

Criminals who complete the training will be interviewed by BeOnsite, a not-for-profit training company owned by scheme co-founder Bovis Lend Lease, and successful candidates will be employed when they are released from prison.

More here.

Quote of The Day [3]: Markos Moulitsas

"I find it hilarious that McCain's campaign thinks that some astroturf copy-and-paste comments would do anything more than spark some vicious mocking."

- Markos Moulitsas, of the DailyKos, quoted on the news of the McCain blogger strategy to target the comments sections of liberal blogs.

Quote of The Day [2]: Juergen Trittin

"The credibility of democracy in the world has suffered dramatically because of Bush's double standards."

- Juergen Trittin, Head of Germany's Green Party, quoted in this UPI article, commenting on the effects of eight years of the Bush Administration.


Registrars Release Suspended Domains to Attackers

Mary Landesman writes on the ScanSafe STAT Blog:

A new outbreak of SQL attacks began on the 8th. Not that they ever really go away, but new waves replace the old ones. The attackers are using a much larger number of domains than seen in previous months. Just 11 days into June, and already 54 of these domains have been observed. Many of these are previously suspended domains that registrars have released back to the attackers.

The end result is that some of the domains involved in the late May and early June attacks are now active again. Thus not only are newly compromised sites foisting the malware, but any sites previously compromised that have not cleaned up their pages (and properly parameterized their SQL queries) will now once again be serving as conveyor belts for password-stealing trojans.

More here.

Note: This is a perfect illustration of the enormous problems in the entire domain registration process, and of how criminals continually game that process without fear of retribution or punishment. This has got to change -- these domain registration policy loopholes must be closed -- before we can even begin to have an impact on the criminal manipulation of the domain registration process. -ferg

SCADA Watch: No Chinese Hackers Found in Florida Outage Either

Kevin Poulsen writes on Threat Level:

A recent report from the National Journal cited computer security executives and U.S. intelligence officials blaming Chinese government hackers for two major U.S. power outages. We already debunked the claim with respect to the massive 2003 northeast blackout.

Now the Florida Reliability Coordinating Council has released its preliminary report [.pdf] on the February 26th 2008 Florida outage, and -- no surprise -- human error, not cyber terrorism, is to blame.

More here.

Safari 'Carpet Bomb' Attack Code Released

Robert McMillan writes on PC World:

A hacker has posted attack code that exploits critical flaws in the Safari and Internet Explorer Web browsers.

The source code, along with a demo of the attack, was posted Sunday on a computer security blog. It can be used to run unauthorized software on a victim's machine, and could be used by criminals in Web-based computer attacks, security experts say.

Now that there is a public example of the attack code, Safari users running the Windows operating system should be concerned, said Eric Schultze, chief technical officer at Shavlik Technologies. "This is a bad thing. If you've got Safari, you're in trouble," he said.

More here.

Man Pleads Guilty to Attacking CastleCops

Robert McMillan writes on PC World:

A Fairfield, California, hacker has pleaded guilty to launching a Valentine's Day 2007 computer attack that nearly knocked an anti-phishing Web site offline.

Gregory King, 21, pleaded guilty Tuesday in federal court to two counts of "transmitting code to cause damage to a protected computer," for launching distributed denial of service (DDOS) attacks against the Castlecops anti-phishing Web site and Killanet, an online forum for gamers and graphic designers.

He was arrested on Oct. 1 as part of the U.S. Federal Bureau of Investigation's Operation Bot Roast. As agents knocked on his door, King stashed his laptop computer in his backyard, but it was eventually recovered, according to the U.S. Department of Justice (DoJ).

More here.

Quote of The Day: Ben Worthen

"Michael Markulec, Lumeta’s COO, tells the Business Technology Blog that his company’s maps have revealed something else: The equipment in the middle of the Internet is owned by about half as many companies as a decade ago. Back then, about 50 companies around the world owned and operated a substantial chunk; today that’s down to 25."

- Ben Worthen, writing in the WSJ Business Technology Blog article "A Look at the Internet, Then and Now."

QuickTime Update Plugs More Holes

Brian Prince writes on eWeek:

Apple has released a new version of QuickTime to fix five security issues that could allow hackers to take control of a system via malicious movie or image files.

The QuickTime 7.5 update comes roughly two months after Apple released Version 7.45 to plug 11 security holes in the application. This time around, the update addresses a series of buffer overflows, URL-handling flaws and memory corruption issues affecting Mac OS X and Windows XP and Vista users.

More here.

Another UK Police Website Hacked

John Ozimek writes on The Register:

This is starting to get a little tedious. The Bedfordshire Police website has just been taken down after it was discovered that every page had been replaced by an animated man carrying a Tunisian flag. Underneath, according to the BBC, was a green symbol and a Muslim prayer written in Arabic. Don’t bother clicking on the link: as at mid-day, it is still not back up.

However, if you would like to see what Bedfordshire Police WERE saying until they were so rudely interrupted, you could try the Google cache version.

Here you can read the answer to such vital questions as “Is Your Computer Safe Online?”, which warns rather ironically: “Hackers can get in, take what they want, and even leave open a ‘back door’ so they can access your computer anytime you're online and use it to attack other computers.”

Moreover, “Every minute that your computer is connected to the Internet, it is at risk”. What a shame that Beds Police don’t appear to have read their own website. Particularly the bit that starts: “Where Can I Get A Personal Firewall?”

More here.

Cyber-Fraudsters Strike Gold at South African Government

John Oates writes on The Register:

The South African government has lost more than £12m (199m Rand) over the last three years thanks to a cybercrime syndicate using spyware.

The scam has been running since 2005 and is still going on despite the arrest of 32 people. Thieves have targeted various government departments in four provinces. A number of civil servants have also been sacked.

Crooks are using corrupt government officials and suppliers to fix a small piece of kit the size of a memory stick to PCs. This can then access saved and unsaved information, according to South Africa's Mail & Guardian.

More here.

UK: 38,000 Credit Card Details Stolen in Web Hack

Via The BBC.

The credit card details of up to 38,000 customers of clothing firm Cotton Traders were stolen following a hack of its website, BBC News has learned.

The firm has not confirmed the size of the breach but it has acknowledged the site was attacked earlier this year.

It said Barclaycard was contacted as soon as it learned of the attack, and most cards were stopped.

Cotton Traders was founded by ex-England rugby captains Fran Cotton and Steve Smith.

In a statement, Cotton Traders said all of its customers' credit card data was encrypted on the website.

More here.

Monday, June 09, 2008

When Government Lies: Your DNA Is On The Line

Rose Connors writes on The Cape Cod Voice:

In February, 2005, District Attorney Michael O’Keefe was asked what would become of DNA collected in the now-infamous Truro sweep.

“It will be destroyed,” he promised.

It wasn’t, says the state’s crime lab where the samples were sent.

On November 21, 2006, O’Keefe’s office issued a press release informing “anyone who voluntarily gave a DNA sample” during “the so-called DNA Sweep” that it could be retrieved “by calling the District Attorney’s office … and indicating whether you would like to come in or have it mailed to a particular address.”

The clear implication was that the DA’s office had physical custody of the specimens. It didn’t, the state lab reported a year later.

The DA’s press release went on to state that samples unclaimed after December 20, 2006, “will be destroyed at an appropriate facility.”

They weren’t, the lab disclosed.

More here.

Hat-tip: Rich

General Dynamics Unit to Upgrade DHS Network

Via Washington Technology.

General Dynamics One Source has won a five-year contract potentially worth $62 million from the Homeland Security Department to upgrade DHS' Homeland Security Information Network (HSIN), which shares sensitive but unclassified data among federal, state, local and private sector organizations.

The HSIN Next Generation (NextGen) will be a secure and trusted national platform for information management, collaboration capabilities and search services with enhanced capabilities, DHS said in a statement. The department also said the upgraded network will help users meet their collaboration and information-sharing needs.

DHS plans to consolidate the more than 100 aging Web portals on the legacy HSIN into the new enterprise collaboration Web portal.

More here.

U.S. ISPs Agree to Block Access To Child Porn Sites, Newsgroups

Steven Musil writes on the C|Net News Blog:


Internet service providers Verizon, Sprint, and Time Warner Cable have agreed to block Internet newsgroups and Web sites nationwide that disseminate child pornography, The New York Times reported on its Web site Monday.

The move--part of an agreement with New York Attorney General Andrew Cuomo expected to be announced Tuesday--will affect customers across the country, the newspaper reported. Negotiations are reportedly continuing with other ISPs.

Part of the plan is to shut down access to Usenet newsgroups known to traffic such images, as well as Web sites that host child pornography.

More here.

Quote of The Day: Mary Landesman

"Some products are more marketing than muscle. The most recent example of this is Haute Security, which is slated to be bundled with Opera 9.5 allegedly to 'protect consumers from next-generation Web-based threats'."

"Peek under the hood of Haute Security and amidst the bold claims you find nothing more than blacklisting supplemented with community-based reporting. Hardly something that can be described as 'reinventing Web-based threat detection' - yet that's exactly how it's being branded in press releases."

- Mary Landesman, writing on the ScanSafe STAT blog.

Facing Reality: Online Crooks Up The Ante

Karen Dearne writes on Australian IT:

Internet service providers and the industry need to do more to secure consumers' PCs, as experts concede strong passwords, regular patching and antivirus software are now of limited value.

With the AusCERT Home Users Computer Survey finding nearly one in four PCs have been infected by malicious software, security heavyweights concede ordinary users can no longer deal with the threats.

AusCERT general manager Graham Ingram said 92 per cent of respondents to the survey believed internet service providers should inform customers when they become aware a user's machine had been infected.

More here.

TSA Airport Screeners Leaving in Large Numbers

Stephen Losey writes in the Federal Times:

More than one out of five airport screeners quit their jobs last year, according to a new report by the Transportation Security Administration.

The attrition rate of 21.2 percent was slightly above the 2006 rate of 20.9 percent, TSA said. But that is still less than the 23.7 percent attrition rate TSA recorded in 2005, the first year it implemented its new pay-for-performance system, called the Performance Accountability and Standards System.

The National Treasury Employees Union said today that the report shows TSA is in trouble, and called on Congress to investigate how PASS may be affecting attrition.

"With roughly 8,000 of the approximately 40,000-member TSA work force leaving each year, TSA is incurring astronomical and unnecessary costs of training and retaining, recruiting and hiring and loss of productivity due to this revolving door," NTEU President Colleen Kelley said in a statement. "It is alarming that such a critical work force is in a constant state of flux."

More here.

EU: Cyber-Crooks Hit One in Five Europeans

Robert Jaques writes on vnunet.com:

Over one in five European computer users have fallen victim to cyber-crime, according to new research.

Some 22 per cent of 7,000 PC users surveyed by Ipsos for AVG Technologies had experienced some form of cyber-crime.

Italians fared worst with 32 per cent of users affected, closely followed by the UK with 31 per cent.

The study noted that more Europeans believe that they are likely to experience cyber-crime (34 per cent) than burglary (22 per cent), assault (19 per cent) or robbery (25 per cent).

Almost half of all Germans believe that they are likely to be a victim of cyber-crime (47 per cent). No other crime accounted for more than 20 per cent.

More here.

Sunday, June 08, 2008

U.S. Toll in Iraq


Via The Boston Globe (AP).

As of Sunday, June 8, 2008, at least 4,094 members of the U.S. military have died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes eight military civilians killed in action. At least 3,332 died as a result of hostile action, according to the military's numbers.

The AP count is three more than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

More here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

xkcd Goes To The Airport


Click for larger image.

Yes, we love xkcd.

Enjoy!

- ferg

U.S. Government Sought Customer Book Purchasing Records from Amazon.com

Via NaturalNews.com.

Recently unsealed court records shed more light on the federal government's attempts to secure the online book purchase records of 24,000 Amazon.com customers.

In 2006, federal prosecutors investigating Robert D'Angelo, a Madison, WI official accused of fraud and tax evasion, subpoenaed online book retailer Amazon.com for transaction records on anyone who had purchased books from him through Amazon Marketplace since 1999. Prosecutors said they were hoping to find witnesses to testify against D'Angelo.

Amazon agreed to tell prosecutors what books D'Angelo had sold, but refused to turn over information on the buyers, citing its customers' First Amendment rights to privacy. The government came back with a request for only 120 customers, but Amazon still refused. The case went before U.S. Magistrate Judge Stephen Crocker, who ruled in June to strike down the subpoena on First Amendment grounds.

More here.

Hat-tip: Pogo Was Right

Security Fix: Revisiting the Safari Vulnerability on Windows

Brian Krebs writes on Security Fix:

A little over a week ago, I wrote about a security advisory from Microsoft warning that Apple's Safari Web browser for Windows introduces new vulnerabilities. Specifically, Microsoft said it allows automatic downloading of files to the Windows desktop, files that in some cases could be run without the user's knowledge.

Over the weekend, I heard from a noted security researcher who has put together a proof-of-concept exploit for this vulnerability that suggests it is more of a design flaw in Windows rather than any problem with Safari.

More here.

UK: MPs Slam Government's Obsession With Collecting Personal Data

Leo King writes on Computerworld UK:

The Home Affairs Committee has urged the government to stop creating large databases on citizens without first proving they are necessary.

The call for a reduction in citizen data collection comes just weeks after the government shortlisted five IT suppliers on its ID card project and after plans were revealed that it wanted to make a database of all phone calls and emails in the UK.

Last week, IT industry commentators speaking to Computerworld UK said the government should also urgently reconsider the £12.4 billion NHS IT programme for a centralised database of patient records. And last year, HM Revenue & Customs lost 25 million child benefit records.

More here.