Saturday, July 26, 2008

Local: Gilroy Garlic Festival


In full swing!

Check out The Gilroy Garlic Festival (going on right now, this weekend).

- ferg

Verizon-Maintained 911 Service Failures in Northern Virginia

Ben Hubbard writes in The Washington Post:

A 14-year-old boy had passed out in a Prince William County swimming pool and was sinking to the bottom of the deep end. A nearby swimmer yelled for help, and a lifeguard dived in to save him. Two people grabbed phones and called 911. Then called again. And again.

The boy was still breathing when lifeguards pulled him out of the pool, but he appeared dazed and couldn't speak, witnesses said. Several minutes had passed, but there was still no answer at the county's public safety communications center.

The county's 911 system experienced an emergency of its own, fire officials told county leaders last week. In the past two months, they said, the 911 system had four periods when service was disrupted and callers were unable to get through. The number has now grown to five with the July 11 pool incident, which fire officials said they were not aware of until it was brought to their attention.

The disruptions in service, between May 28 and July 12, occurred after Verizon, which maintains the county's 911 equipment, upgraded the system May 28, Fire Chief Kevin J. McGee told the Board of County Supervisors on Tuesday. Each disruption sprang from a different technical issue, he said. McGee could not say how long each disruption lasted, saying the problems are still being investigated.

More here.

Gary McKinnon Facing 60 Years in U.S. Prison After Hacking Into Pentagon

Gary McKinnon

Jamie Doward writes in The Guardian:

When he wakes up this morning, Gary McKinnon will be 72 hours from learning whether he is on the fast track to a 60-year prison sentence, thanks to his obsession with aliens.

McKinnon, 42, from Enfield in north London, is accused by American prosecutors of illegally accessing top-secret computer systems in what they claimed in one legal document was 'the biggest military computer hack of all time'.

The self-taught IT expert insists he was simply looking for information the US government had on UFOs and is adamant that he never damaged any of its computer systems. This argument, however, cuts little ice with the Americans, who are trying to extradite him.

Five years after being told by British police that he would probably get a six-month community service order for his exploits, McKinnon finds himself still wanted by the US authorities. A 2006 High Court ruling granted the extradition request, and on Wednesday the House of Lords will decide on McKinnon's appeal against that ruling.

More here.

New Zealand Botnet Hacker Basks in The Spotlight

Carolyne Meng-Yee writes in The New Zealand Herald:


Owen Walker says he was surprised and relieved to be discharged without conviction for his part in an international cyber-crime ring that attracted the attention of the FBI.

Speaking for the first time, the self-confessed "geek" told the Herald on Sunday he had expected to be sentenced to community service and was quietly enjoying the media spotlight.

"It was cool in a way," he says. "I never thought the story would have got so big but I guess being a first of its kind in New Zealand gave it a bit of a boost."

More here.

Hackers Breach Connecticut College Library System

Via The Hartford Courant.

A Connecticut College library system was breached by hackers apparently looking to set up chat rooms or send spam e-mails, the school reported Friday.

The hackers broke into two servers holding data for a consortium of Connecticut College, Wesleyan University and Trinity College. The servers are located at the consortium's headquarters at Wesleyan.

The database includes the names, addresses and Social Security or driver's license numbers of approximately 2,800 Connecticut College library patrons, 12 Wesleyan University patrons and three from Trinity.

More here.

Hat-tip: lyger

AS Number Change Could Affect Internet Routing Beginning January 1st 2009

Via DomainNews.com.

Regional Internet Registries (RIRs), including the RIPE NCC (Network Coordination Centre), have warned that routers and network management software should be upgraded ahead of the increased distribution of four-byte (also known as 32-bit) Autonomous System (AS) numbers.

AS numbers are a vital part of the Internet’s core routing system, the Border Gateway Protocol (BGP). With existing two-byte AS numbers predicted to run out in early 2011, RIRs will issue four-byte AS numbers by default (unless otherwise specifically requested) beginning 1 January 2009, as the next phase of a transition from two- to four-byte numbers. Following a globally coordinated policy, RIRs began allocating four-byte AS numbers by request only in January 2007; January 2009 marks the transition to allocating four-byte AS numbers by default...

Without timely support from vendors, network operators risk having routers and network administration systems that won’t accept the expanded four-byte number format. As such, the RIRs urge operators to verify their vendors’ routers will support four-byte AS numbers.

More here.

Additional resource: RIPE NCC: ASN32 (32-bit, or 4-byte, ASN) FAQ. -ferg
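The item above says that routers and management systems must accept the wider number format, but not what that format looks like. The following is an added example, written for this page and not taken from RIPE NCC or DomainNews, that converts between the two textual forms of a 32-bit ASN, asplain ("196608") and asdot ("3.0") as defined in RFC 5396, and shows the transition behaviour from RFC 4893: a BGP speaker that only understands 2-byte ASNs sees every 4-byte ASN in an AS_PATH replaced by the reserved placeholder AS_TRANS (23456). The AS paths in the block are constructed for illustration; AS 64496 is from the documentation range, and 3320 is simply a 2-byte value.

```python
# Added example (not RIPE NCC or DomainNews code): 32-bit ASN notation and the
# RFC 4893 transition placeholder.  AS_TRANS is the 2-byte ASN a router without
# 4-byte support sees in place of any ASN that does not fit in 16 bits.
import re

AS_TRANS = 23456            # RFC 4893 reserved placeholder
MAX_16BIT = 0xFFFF
MAX_32BIT = 0xFFFFFFFF

_ASDOT_RE = re.compile(r"^(\d+)\.(\d+)$")


def parse_asn(text: str) -> int:
    """Accept asplain ('196608') or asdot/asdot+ ('3.0', '0.64496'); return the integer ASN."""
    text = text.strip()
    m = _ASDOT_RE.match(text)
    if m:
        high, low = int(m.group(1)), int(m.group(2))
        if high > MAX_16BIT or low > MAX_16BIT:
            raise ValueError(f"asdot component out of range: {text}")
        value = (high << 16) | low
    elif text.isdigit():
        value = int(text)
    else:
        raise ValueError(f"not an AS number: {text!r}")
    if value > MAX_32BIT:
        raise ValueError(f"ASN exceeds 32 bits: {text}")
    return value


def to_asplain(asn: int) -> str:
    """asplain: the plain decimal value, whatever its size."""
    return str(asn)


def to_asdot(asn: int) -> str:
    """asdot: values up to 65535 stay plain, larger values become high.low."""
    if asn <= MAX_16BIT:
        return str(asn)
    return f"{asn >> 16}.{asn & MAX_16BIT}"


def to_asdot_plus(asn: int) -> str:
    """asdot+: always high.low, even for 2-byte values (64496 -> '0.64496')."""
    return f"{asn >> 16}.{asn & MAX_16BIT}"


def needs_4byte_support(asn: int) -> bool:
    """True if a 2-byte-only BGP speaker cannot carry this ASN natively."""
    return asn > MAX_16BIT


def translate_path_for_old_peer(as_path):
    """AS_PATH as a 2-byte-only peer sees it: 4-byte ASNs collapse to AS_TRANS."""
    return [AS_TRANS if needs_4byte_support(a) else a for a in as_path]


def hidden_4byte_hops(as_path):
    """Positions in an AS_PATH where AS_TRANS stands in for a real 4-byte ASN."""
    return [i for i, a in enumerate(as_path) if a == AS_TRANS]


if __name__ == "__main__":
    # Constructed path: a 2-byte AS, a 4-byte AS (asdot 3.0), another 2-byte AS.
    path = [64496, parse_asn("3.0"), 3320]
    print("real path      :", [to_asdot(a) for a in path])
    seen = translate_path_for_old_peer(path)
    print("old peer sees  :", seen)
    print("AS_TRANS at    :", hidden_4byte_hops(seen))
```

The practical check this supports: a 23456 showing up in a path means that somewhere along the way a speaker that did not negotiate the 4-byte capability substituted the placeholder, so the path as displayed on that device is not the real one; that is the symptom the RIRs are asking operators to test their vendors against before January 2009.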

Happy 65th Birthday, Mick Jagger



Happy 65th Birthday, Sir Mick.

Keep on Rockin'.

- ferg

Friday, July 25, 2008

U.S. Toll in Iraq, Afghanistan


Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Friday, July 25, 2008, at least 4,124 members of the U.S. military have died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes eight military civilians killed in action. At least 3,360 died as a result of hostile action, according to the military's numbers.

The AP count is three fewer than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

As of Friday, July 25, 2008, at least 488 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures July 19 at 10 a.m. EDT.

Of those, the military reports 345 were killed by hostile action.

More here and here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Quote of The Day: Carey Greenberg-Berger

"Great news, minimum wage workers: if you spend the next year working without getting sick or, um, going on vacation, you'll make $13,624! Uncle Sam's $0.70 minimum wage hike is the second of three to take effect before next summer, but the meager raise is hardly a godsend for the working poor."

- Carey Greenberg-Berger, writing on The Consumerist. More here.

Black Hat Webcast With Dan Kaminsky is Now Online

Via blackhat.com.

Our second webcast was very well attended and full of great information from Kaminsky about the DNS Vulnerability that's all over the news these days. If you weren't able to make it to the live event, you can catch up now online.

To view a synced online replay, follow this link.

To download the mp3, follow this link.

More here.

FCC Poised to Punish Comcast For Traffic Blocking

An AP newswire article by John Dunbar, via The Boston Globe, reports that:

A majority of members of the Federal Communications Commission have cast votes in favor of punishing Comcast Corp. for blocking subscribers' Internet traffic, an agency official said Friday.

Comcast, the nation's largest cable company, was accused of violating agency principles that guarantee customers open access to the Internet.

Three commissioners have voted in favor of an order reaching agreement with the finding, enough for a majority on the five-member commission. But the decision will not be final until all five members have cast their votes. The commission is scheduled to take up the issue at its Aug. 1 meeting.

More here.

Maryland State Police Superintendent 'Troubled' By Methods Used To Probe Activists

Julie Bykowicz writes in The Baltimore Sun:

The Maryland State Police superintendent said today that he is "troubled" by methods used to infiltrate and monitor peace activists and anti-death penalty groups and pledged that such tactics "will not be a part" of his agency.

Undercover agents secretly joined the Baltimore Pledge of Resistance, a peace group; the Baltimore Coalition Against the Death Penalty; and the Committee to Save Vernon Evans, a death row inmate, according to documents that ACLU obtained through a Maryland Public Information Act lawsuit.

The agents spent 288 hours monitoring and recording peaceful protest activities and recorded no evidence of potentially illegal activity, the documents show.

More here.

San Francisco DA Discloses City's Network Passwords

Robert McMillan writes on CIO.com:

In its bid to protect the city from one computer security risk, the San Francisco District Attorney's Office may very well have created another.

The office of San Francisco District Attorney Kamala Harris has made public close to 150 usernames and passwords used by various departments to connect to the city's virtual private network. The passwords were filed this week as Exhibit A in a court document arguing against a reduction in US$5 million bail in the case of Terry Childs, who is accused of holding the city's network hostage by refusing to give up administrative networking passwords. Childs was arrested July 12 on charges of computer tampering and is being held in the county jail.

Though they placed the passwords in the public record, city prosecutors do seem to think that they are sensitive.

More here.

Security Fix: Man Gets 4 Years for ID Theft, Software Piracy

Brian Krebs writes on Security Fix:

A 23-year-old Oregon man was sentenced this week to four years in federal prison for using computer viruses to steal financial data from dozens of consumers. Investigators say the man used the information to set up multiple eBay and PayPal accounts, which helped him sell more than $1 million worth of pirated software.

Jeremiah Joseph Mondello, of Eugene, Ore., admitted distributing keystroke logging programs via online instant message networks. Investigators say he then used bank account credentials stolen from victims to set up more than 40 online auction accounts in the victims' names.

More here.

Secunia: RealPlayer SWF Frame Handling Buffer Overflow - UPDATE

Via Secunia.com.

Secunia Research has discovered a vulnerability in RealPlayer, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a design error within the handling of frames in Shockwave Flash (SWF) files and can be exploited to cause a heap-based buffer overflow.

Successful exploitation may allow execution of arbitrary code.

More here.

UPDATE: 15:59: RealNetworks has released a patch, so please apply it. -ferg

Thursday, July 24, 2008

U.S. Air Force Missile Launch Crew 'Asleep On The Job' - Literally

An AP newswire article, via MSNBC.com, reports that:

Three ballistic missile crew members in North Dakota fell asleep while holding classified launch code devices this month, triggering an investigation by military and National Security Agency experts, the Air Force said Thursday.

The probe found that the missile launch codes were outdated and remained secure at all times. But the July 12 incident comes on the heels of a series of missteps by the Air Force that had already put the service under intense scrutiny.

More here.

Escapee 'Spam King' Dead in Apparent Murder-Suicide

Ryan Naraine writes on the ZDNet "Zero Day" Blog:

Convicted spammer Eddie Davidson, who escaped from federal prison over the weekend, killed his wife and 3-year-old daughter before killing himself in what is being described as a murder-suicide.

Colorado’s 9News.com said the tragic end of the man known as the “Spam King” was confirmed by the U.S. Attorney’s Office.

More here.

Kaminsky (Finally) Provides DNS Flaw Details

Robert Vamosi writes on C|Net News:

In his first public comments since his Domain Name System (DNS) cache poisoning flaw was made public, Dan Kaminsky said in a conference call on Thursday he doesn't want to parse who said what when. He just wants everyone to understand that they must patch their systems now.

Speaking during the second pre-Black Hat security conference Webinar, Kaminsky, who's director of penetration testing for IOActive, provided the most information to date about the DNS flaw he found earlier this year but only disclosed in public on July 8.

More here.

Clarifications Sought on U.S. Government Data Mining

Ben Bain writes on FCW.com:

Clarification is needed for the definition of data mining and the rules governing it, civil libertarians and academics said today.

Several experts at a Homeland Security Department conference on implementing privacy protections in government data mining expressed concerns that the meaning of data mining was misunderstood, or had not been fully explained, thus leading to confusion or potential violations of privacy rights.

In the legislation that established DHS, Congress required the department to “establish and utilize…a secure communications and information technology infrastructure, including data mining and other advanced analytical tools, in order to access, receive and analyze data.” However, according to some experts, there's confusion over what constitutes data mining, causing misperceptions.

More here.

Researchers Could Face Legal Risks For TOR Network Snooping

Chris Soghoian writes on the C|Net "surveill@nce st@te" Blog:

A group of researchers from the University of Colorado and University of Washington could face both civil and criminal penalties for a research project [.pdf] in which they snooped on users of the Tor anonymous proxy network. Should federal prosecutors take interest in the project, the researchers could also face up to 5 years in jail for violating the Wiretap Act.

The team of two graduate students and three professors neither sought legal review of the project, nor ran it past the Human Subjects Committee at their university, putting them in a particularly dangerous position.

More here.

US-CERT: DNS Cache Poisoning Public Exploit Code Available

Via US-CERT.gov.

US-CERT is aware of publicly available exploit code for a cache poisoning vulnerability in common DNS implementations. Exploitation of this vulnerability may allow an attacker to cause a nameserver's clients to contact incorrect, and possibly malicious, hosts for particular services. As a result, web traffic, email and other important network data could be redirected to systems under the attacker's control.

US-CERT strongly urges administrators to patch affected systems immediately. Please review the following US-CERT documents for further details:


US-CERT will provide additional information as it becomes available.

More here.

Childs Rigged 'Crazyquilt' Private Network

Richard Koman writes on ZDNet Government:

The prosecution unveiled more details on the lunacy in San Francisco in court filings that urged the judge to keep rogue network administrator Terry Childs’ bail at $5 million. The Chronicle reports that prosecutors say that Childs had over 1,000 modems secreted around the city, forming his own private network of access points only he could use.

Not only that but those codes he personally gave the mayor? It was first reported that the password didn’t work as advertised and that when Mayor Newsom called back, Childs’ lawyer said there were some additional “protocols” needed to use it.

More here.

Speculation Over Back Door in Skype

Via heise Security News UK.

According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.

This has been confirmed to heise online by a number of the parties present at the meeting. Skype declined to give a detailed response to specific enquiries from heise online as to whether Skype contains a back door and whether specific clients allowing access to a system or a specific key for decrypting data streams exist. The response from the eBay subsidiary's press spokesman was brief, "Skype does not comment on media speculation. Skype has no further comment at this time." There have been rumours of the existence of a special listening device which Skype is reported to offer for sale to interested states.

More here.

.06% Opt Out: NebuAd Hides Link in 5,000-Word Privacy Policy

Nate Anderson writes on ARS Technica:

The ISPs that use NebuAd's boxes routinely argue that they provide robust notification to customers before deploying the gear, and that any customer not thrilled about having her browsing data routed through a third-party ad-serving box can opt out with just a single click.

But what happens when your "robust notice" takes the form of two paragraphs buried inside a 5,000-word privacy policy and you don't even e-mail your users to point out the change? Well, now we know: only 15 of 26,000 people opt out.

More here.

Wednesday, July 23, 2008

Mark Fiore: McCainerly Hillbillies



More Mark Fiore brilliance.

Via The San Francisco Chronicle.

Enjoy!

- ferg

Exposing Bush's Historic Abuse of Power

Tim Shorrock writes on Salon.com:

The last several years have brought a parade of dark revelations about the George W. Bush administration, from the manipulation of intelligence to torture to extrajudicial spying inside the United States. But there are growing indications that these known abuses of power may only be the tip of the iceberg.

Now, in the twilight of the Bush presidency, a movement is stirring in Washington for a sweeping new inquiry into White House malfeasance that would be modeled after the famous Church Committee congressional investigation of the 1970s.

More here.

Why is Google Earth Hiding Dick Cheney's House?

Sharon Weinberger writes on Danger Room:

What the heck is so special about Dick Cheney's official residence that Google feels the need to obscure it? Oh, it must be that secret bunker allegedly built underneath it. But if that's indeed the case, why then is the vice president's home at the Naval Observatory crystal clear on Yahoo Maps?

In an article this month for Discover, I looked at how widely available commercial imagery has affected national security. While governments typically can't force companies to restrict imagery, it's certainly possible for them to coerce or persuade services like Google Earth from posting sensitive images. There have been a number of articles, for example, hinting that Google is trying to avoid stepping on the toes of China's government, which is concerned about sensitive images of its military installations available on Google Earth. But even in the United States, Google may be looking to avoid conflicts with the Pentagon. Google has a growing federal business, including contracts with the Defense Department, and antagonizing your customer is never a good idea.

More here.

Quote of The Day: Bruce Schneier

"Stop assuming that systems are secure unless demonstrated insecure; start assuming that systems are insecure unless designed securely."

- Bruce Schneier, writing on Wired's "Security Matters".


DNS Exploit in the Wild

Kim Zetter writes on Threat Level:

Well it took a little longer than expected so it's not quite a zero-day exploit, but the anticipated attack code to exploit the critical Kaminsky DNS cache-poisoning flaw is now in the wild (assuming there wasn't one already out there).

Let's call it a .5-day exploit.

HD Moore, creator of the Metasploit Framework research and hacking tool, pinged me that he's just released the code. System administrators who dragged their feet over updating their DNS servers have lost the race . . . so to speak. But that doesn't mean it's too late to patch your system.

More here.

US-CERT: NAT/PAT Affects DNS Cache Poisoning Mitigation

Via US-CERT.gov.

US-CERT released a Current Activity entry and a Vulnerability Note on July 8, 2008 regarding deficiencies in DNS implementations. These deficiencies could leave an affected system vulnerable to cache poisoning. Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch systems or apply workarounds immediately.

A number of patches implement source port randomization in the name server as a way to reduce the practicality of cache poisoning attacks. Administrators should be aware that in infrastructures where nameservers exist behind Network Address Translation (NAT) and Port Address Translation (PAT) devices, port randomization in the nameserver may be overwritten by the NAT/PAT device and a sequential port address could be allocated. This may weaken the protection offered by source port randomization in the nameserver.

US-CERT encourages users to consider one of the following workarounds:

  • Place the nameserver outside of the NAT/PAT device in the network infrastructure.
  • Configure the NAT/PAT device to perform source port randomization.
  • Configure the NAT/PAT device to preserve the source port assigned by the nameserver.

Additional information can be found in US-CERT Vulnerability Note VU#800113.

More information will be provided as it becomes available.

More here.
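The US-CERT note above (and the earlier DNS items on this page) say that source port randomization is the mitigation and that a NAT/PAT device can quietly undo it, but not how to tell which case you are in. The following is an added example, written for this page and not US-CERT's, that scores a sequence of outbound DNS query source ports the way you would after capturing them on the far side of the NAT: is the port fixed, is it handed out in order, or is it genuinely spread out, and how many (port, transaction ID) pairs does a spoofed reply therefore have to hit. The three port sequences in the block are constructed, not captured, and the classification thresholds are this example's own choices.

```python
# Added example (not US-CERT code): score outbound DNS query source ports to see
# whether the resolver, or a NAT/PAT device in front of it, leaves a cache-poisoning
# attacker only the 16-bit transaction ID to guess.
import hashlib
import math
from collections import Counter

EPHEMERAL_LOW = 1024
EPHEMERAL_HIGH = 65535
TXID_SPACE = 1 << 16            # 16-bit DNS transaction ID


def port_entropy_bits(ports):
    """Shannon entropy of the observed port distribution, in bits."""
    n = len(ports)
    return -sum((c / n) * math.log2(c / n) for c in Counter(ports).values())


def sequential_fraction(ports):
    """Share of consecutive queries whose source port rose by exactly one."""
    if len(ports) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ports, ports[1:]) if b - a == 1)
    return steps / (len(ports) - 1)


def assess_ports(ports):
    """Classify source-port behaviour and size the attacker's guess space.

    verdict is 'fixed', 'sequential', 'weak' or 'randomized'; guess_space is
    the number of (port, txid) pairs a forged reply must match.  The thresholds
    (80 % sequential steps, entropy within one bit of the maximum) are this
    example's assumptions, not a standard.
    """
    if not ports:
        raise ValueError("no ports observed")
    n = len(ports)
    distinct = len(set(ports))
    entropy = port_entropy_bits(ports)
    seq = sequential_fraction(ports)

    if distinct == 1:
        verdict, effective_port_bits = "fixed", 0.0
    elif seq >= 0.8:
        # A PAT device allocating ports in order: the sample looks diverse,
        # yet the next port is predictable from the last one, so it adds nothing.
        verdict, effective_port_bits = "sequential", 0.0
    elif entropy < math.log2(n) - 1.0:
        verdict, effective_port_bits = "weak", entropy
    else:
        verdict, effective_port_bits = "randomized", entropy

    return {
        "observed": n,
        "distinct": distinct,
        "entropy_bits": round(entropy, 2),
        "sequential_fraction": round(seq, 3),
        "verdict": verdict,
        "guess_space": int(TXID_SPACE * 2 ** effective_port_bits),
    }


# --- constructed samples, not captured traffic --------------------------------
FIXED_SAMPLE = [53] * 200                       # legacy resolver querying from port 53
SEQUENTIAL_SAMPLE = list(range(40000, 40200))   # in-order allocation by a PAT device


def constructed_random_ports(n, seed=b"example"):
    """Deterministic stand-in for a randomizing resolver (SHA-256 in counter mode)."""
    span = EPHEMERAL_HIGH - EPHEMERAL_LOW + 1
    out = []
    for i in range(n):
        h = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        out.append(EPHEMERAL_LOW + int.from_bytes(h[:2], "big") % span)
    return out


RANDOM_SAMPLE = constructed_random_ports(200)

if __name__ == "__main__":
    for name, sample in (("fixed", FIXED_SAMPLE),
                         ("sequential", SEQUENTIAL_SAMPLE),
                         ("randomized", RANDOM_SAMPLE)):
        print(name, assess_ports(sample))
```

To use it on a real resolver, capture the query side on the interface outside the NAT (for example tcpdump filtering on UDP destination port 53), pull the source ports out in arrival order, and feed that list to assess_ports. The point the numbers make is the one US-CERT is making: a patched nameserver behind a PAT device that reallocates ports sequentially scores "sequential", and its guess space collapses back to the 65,536 transaction IDs that the unpatched server had.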

UK: Asprox Virus Infects Key Government and Consumer Websites

Alexi Mostrous writes on The Times Online:

Cyber-criminals have attacked key government and consumer websites, allowing them to steal the personal details of anyone browsing the sites, The Times has learnt.

Eastern European hackers are suspected of placing the Asprox virus on more than a thousand British websites, including those run by the NHS and a local council, in the past two weeks.

Experts described the Asprox virus as an alarming departure from commonplace viruses, which tend to be spread through rogue e-mails and unregulated websites.

Unlike other viruses, Asprox sits undetected on mainstream sites, with any visitor at risk of being infected. The virus automatically installs itself on a visitor's computer, allowing a hacker to access financial information.

More here.

SF Tech Stays Jailed - Prosecutors Say He Rigged Network to Implode

Jaxon Van Derbeken writes in The San Francisco Chronicle:

A judge refused today to lower the $5 million bail for a San Francisco computer engineer accused of hijacking the city's network, after prosecutors said he had rigged the system to melt down during routine maintenance.

The ruling by Superior Court Judge Lucy Kelly McCabe came two days after the defendant, Terry Childs, 43, gave up passwords to the system he had been keeping secret. Childs handed over the access codes in a jailhouse meeting with Mayor Gavin Newsom.

Childs, a five-year employee of the city Technology Department, has been in custody since his arrest July 13 on four counts of tampering with the city's network. Authorities say he refused for more than a week to supply the passwords for other administrators to gain access to the system, which holds payroll documents, sensitive law enforcement records, officials' e-mail and other data.

Prosecutor Conrad del Rosario said Childs had arranged the system so that key programs were held in temporary memory files that would evaporate when the network was shut down during routine maintenance or any unexpected power failure.

More here.

Report: Banking Websites Full of Online Design Flaws

An AP newswire article by Jordan Robertson, via USA Today, reports that:

Many U.S. banks are unwittingly training their online customers to take risks with their passwords and other sensitive account information, leaving them more vulnerable to fraud, research shows.

The result is that even the most security-conscious Web surfers could find themselves the victims of identity theft because they have been conditioned to ignore potential clues about whether the banking site they're visiting is real — or a bogus site served up by hackers.

That's the conclusion by University of Michigan researchers who found design flaws in 76% of the 214 U.S. financial institution websites they studied.

The study, to be presented Friday at a security conference, examined the sites of top banks and smaller institutions alike. The researchers aren't detailing which banks had problems, however.

More here.

Microsoft's DNS Fix Leads to More Problems

Jabulani Leffall writes on Enterprise Systems:

The blogosphere is awash with talk about the possible overall weakness of the Domain Name System (DNS) architecture. For its part, Microsoft's released a DNS fix in its patch slate for July, but Redmond seems to have problems just getting it to end users. Moreover, some users of the DNS fix have experienced additional difficulties.

So far, since Microsoft's DNS fix was issued on July 10, there have been two separate problems associated with its installation.

The software giant disclosed last week, in a technical posting on its SBS services blog, that some users experienced interruptions in the Exchange Server services component of application stacks sitting on various Windows operating systems.

More here.

FISMA: Protecting Government Agencies from Hackers

Judi Hasson writes on CIO Today:

Many agencies have yet to lock down their systems under the Federal Information Security Management Act. During the 1990s, the government transitioned from mainframe computers to networked computing, connecting federal employees to one another as well as to the public. Agencies also began to create Web sites to present information to the public and offer new ways to access services.

But the new networked government also opened up databases to hackers with malicious intent, as well as federal employees who were inclined to snoop through private data. Agencies rarely included plans to secure data or deploy applications that could monitor intrusions or detect whether employees were accessing forbidden files when they began to develop a system or network.

That basically left federal systems wide open to cyberattacks, which increased in intensity for years.

More here.

Exploit Published For Buffer Overflow In BEA WebLogic

Via heise Security News.

A hacker known as KingCope has discovered a potential buffer overflow in BEA WebLogic which can at least trigger system crashes, but may also be exploited to remotely inject and execute arbitrary code. The flaw is caused by the Apache Connector, which appears not to check certain POST requests sufficiently.

According to comments the published exploit is "broken" and doesn't function properly. Nevertheless, security providers FrSIRT and Secunia have rated the vulnerability as critical and highly critical respectively. According to Secunia, versions 5 to 10 are affected. No patch has so far become available. The only protection currently available is to filter the server's network traffic in order to minimise the risk of an attack.

More here.

McAfee: SMBs Underestimate Cyber Crime Risks

Jeremy Kirk writes on InfoWorld:

The latest survey from security vendor McAfee has found that small to medium-size businesses wrongly conclude their revenue is too low to draw the attention of cybercriminals.

SMBs are in fact a rich hunting ground for hackers, McAfee said. Although there may be less money or data to steal, the attacks are also less likely to gain the attention of law enforcement organizations such as the U.S. Federal Bureau of Investigation.

"Lots of small attacks add up to large amounts of revenue," according to the survey, which polled 500 companies in the U.S. and Canada. There are an estimated 7.4 million SMBs in North America.

More here.

UK 'Spying' Requests Exceed 500,000

Via The BBC.

More than 500,000 official "spying" requests for private communications data such as telephone records were made last year, a report says.

Police, security services and other public bodies made requests for billing details and other information.

Interception of Communications Commissioner Sir Paul Kennedy said 1,707 of these had been from councils.

A separate report criticises local authorities for using powers to target minor offences such as fly-tipping.

More here.

'Drive-By Download' Attacks Menace UK.gov

Jon Leyden writes on The Register:

The number of drive-by download attacks has tripled and they are beginning to affect government websites as well as small business operations.

Malicious downloads from compromised websites have replaced infected email attachments as the favourite tactic for malware authors. During the first half of 2008, web security firm Sophos detected 16,173 malicious webpages every day – or one every five seconds. The rate at which infected websites spring up is three times faster than during 2007.

Nine in 10 of these infected webpages are legitimate websites. Hackers use site vulnerabilities - typically SQL injection attacks - to plant malicious scripts on vulnerable targets. These scripts then serve up malware onto the machines of surfers by exploiting browser security holes.

More here.

Romanian Phisher Confesses To Scam Targeting Financial Giants

Dan Goodin writes on The Register:

A Romanian man has admitted he took part in a sophisticated phishing scam that targeted PayPal and at least nine other financial institutions by tricking their customers into giving up their account credentials.

Ovidiu-Ionut Nicola-Roman, 22, of Craiova, Romania, pleaded guilty in federal court in Bridgeport, Connecticut, on Tuesday to one count of conspiracy to commit fraud. He faces a maximum of five years in prison and a fine of $250,000, although prosecutors agreed to recommend a reduced sentence if he complies with the terms of his plea agreement.

In an indictment filed in January, Nicola-Roman and six other Romanians were accused of running a well-organized operation that involved a combination of social engineering and computer hacking. An email purporting to come from the Brattleboro Savings & Loan Ass'n, for instance, informed customers their online accounts were temporarily unavailable while administrators upgraded the system.

More here.

Tuesday, July 22, 2008

xkcd: A Geek Looks at Hurricanes




Yes, we absolutely love xkcd.

Enjoy.

- ferg

Summer Flashback: 'All Summer Long'




This makes me recall my summer fun in Northern Wisconsin a few weeks ago. Much, much fun.

Enjoy!

- ferg

Is Government Data Sharing Stopping Terrorists? Who knows.

An AP newswire article by Christine Simmons, via The Boston Globe, reports that:

Nearly seven years after 9/11, the government still can't measure how well an office created to improve information sharing on terrorism may be helping prevent attacks, congressional investigators say.

The Information Sharing Environment was formed partly in response to criticism that a lack of information-sharing among government agencies was one reason the U.S. didn't prevent the 9/11 terrorist attacks on Washington and New York.

A Government Accountability Office report obtained Tuesday by The Associated Press says the ISE has "begun to develop some performance measures, but they focus on counting activities accomplished rather than results achieved."

For example, the investigators said the ISE is able to determine the number of organizations that have procedures for acquiring and processing reports on suspicious activities, but the ISE does not measure what difference such information is making in helping prevent terrorist attacks.

More here.

San Francisco Network Admin Hands Over Passwords to Mayor Newsom

Jaxon Van Derbeken writes in The San Francisco Chronicle:

The San Francisco computer engineer accused of withholding access codes to the city's network surrendered the password during an unusual jailhouse visit by Mayor Gavin Newsom, authorities said Tuesday.

Newsom came away with the access codes Monday night after talking with Terry Childs, 43, of Pittsburg, who has been held since July 13 on four felony counts stemming from what prosecutors describe as an effort to block administrative access to the network that handles 60 percent of the city's information, including sensitive law enforcement, payroll and jail booking records.

Childs had given officials what turned out to be bogus passwords and then had refused to give the correct ones, even when threatened with arrest, authorities say. But Monday, Childs' defense attorney Erin Crane contacted the mayor's office, setting in motion the secret visit.

The visit was so secret that the mayor did not tell District Attorney Kamala Harris' office or police about it. Newsom decided on his own to accept Crane's invitation, mayoral spokesman Nathan Ballard said.

More here.

With DNS Flaw Now Public, Attack Code Imminent

Robert McMillan writes on PC World:

One day after a security company accidentally posted details of a serious flaw in the Internet's Domain Name System (DNS), hackers are saying that software that exploits this flaw is sure to pop up soon.

Several hackers are almost certainly already developing attack code for the bug, and it will most likely crop up within the next few days, said Dave Aitel, chief technology officer at security vendor Immunity. His company will eventually develop sample code for its Canvas security testing software too, a task he expects to take about a day, given the simplicity of the attack. "It's not that hard," he said. "You're not looking at a DNA-cracking effort."

The author of one widely used hacking tool said he expected to have an exploit by the end of the day Tuesday. In a telephone interview, HD Moore, author of the Metasploit penetration testing software, agreed with Aitel that the attack code was not going to be difficult to write.

More here.

Internet Father Vint Cerf Says Telcos Harming National Interest




Tom Foremski writes on Silicon Valley Watcher:

I interviewed Mr Cerf at the Fortune Brainstorm conference in Half Moon Bay. He often speaks about net neutrality. In this interview he says that companies such as Verizon misquoted him in full page adverts in major newspapers.

He says the Telcos are acting like little kids in a tantrum. "I'm not going to build this system unless you give me three scoops of ice cream and a pony. My reaction to this is quite negative. It's harmful to the national interest to behave in this way."

More here.

Pentagon Slices and Dices DARPA Budget

Sharon Weinberger writes on Danger Room:

The Pentagon's storied research and development arm turned 50 years old this year, and its birthday present appears to be another $100 million in budget cuts, according to a Defense Department document provided to DANGER ROOM.

The Defense Advanced Research Projects Agency (DARPA) is having a tumultuous financial year: in June, DARPA faced a $32 million cut because it was "underexecuting", leading the agency's director, Tony Tether, to strike back by saying the Pentagon's "comptroller apparently does not believe in accountability."

More here.

Convicted Spammer Walks Away From Colorado Prison Camp

Via FBI.gov.

Edward “Eddie” Davidson, age 35, also known as the “spam king,” walked away from a federal prison camp in Florence on Sunday, July 20, 2008. Davidson, who was sentenced to serve 21 months in federal prison, is now officially in “escape” status. He was last seen in Lakewood. U.S. Marshals are leading the search for Davidson. The FBI, IRS, and the Rocky Mountain Safe Streets Task Force are aiding in the search.

Davidson was housed in a minimum security facility. Minimum security institutions, also known as Federal Prison Camps (FPCs), have dormitory housing, a relatively low staff-to-inmate ratio, and are work and program-oriented. FPCs are generally located adjacent to larger institutions, where inmates help serve the labor needs of the larger institution.

On April 28, 2008, Davidson was sentenced by U.S. District Court Judge Marcia S. Krieger to serve 21 months (just under 2 years) in federal prison. Judge Krieger also ordered him to pay $714,139 in restitution to the IRS. As part of the restitution, Davidson has agreed to forfeit property he purchased, including gold coins (which the IRS is selling today), with the ill gotten proceeds of his offense. At the time of sentencing Judge Krieger ordered Davidson to report to a facility designated by the Bureau of Prisons on May 27, 2008. He pled guilty before Judge Krieger on December 3, 2007. Davidson was indicted by a federal grand jury on June 5, 2007.

More here.

Top Spammer Sentenced to Nearly Four Years

Nancy Gohring writes on PC World:

The "spam king" was sentenced on Tuesday to 47 months in prison, with a ruling that the court hopes sends a message to other online criminals.

Robert Soloway, the man known as the spam king for the massive volume of spam he sent out, pleaded guilty to fraud, spamming and tax evasion after being indicted in May 2007. After an unusually long sentencing hearing lasting two-and-a-half days, Judge Marsha Pechman handed down her sentence in the U.S. District Court for the Western District of Washington in Seattle.

More here.

Valuable Lesson Emerges From DNS Flaw Handling

Dennis Fisher writes on Search Security:

Let us now praise the efforts of noble men. Dan Kaminsky, Paul Vixie, CERT and nameless dozens of engineers and admins at ISPs and backbone providers around the world did a tremendous job pulling together a massive, coordinated response to the DNS vulnerability Kaminsky found recently. The kind of big, distributed effort that was required to mitigate this threat is a rare thing indeed.

The right people were notified quietly, the problem was explained, a fix was devised and the patch was applied in all the critical spots in an astonishingly short amount of time. And while Kaminsky took heat for overhyping the severity of the problem in the hopes of pumping up the attendance at his Black Hat talk, other researchers who had been briefed on the problem came forward and said, Look, this is a serious problem. Go patch. Right now. It looked like everything had worked smoothly and the furor was starting to die down as the community waited for Kaminsky to release the gory details next month.

And then in the space of a few hours on Monday, all hell broke loose.

More here.
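Neither the McMillan piece above nor Fisher's post spells out why the attack is "not that hard" or what the coordinated patch changed, so here is an added worked model of the race, written for this page rather than taken from either article or from Kaminsky's own material. The facts it rests on are from the public advisory: a DNS transaction ID is 16 bits, an attacker can trigger as many fresh queries as it likes by asking for random subdomains, and the fix shipped in the patch is randomizing the resolver's UDP source port. The 1024..65535 port range, the 4,000 forged replies per query and the function names are assumptions for illustration.

```python
import random

TXID_SPACE = 1 << 16       # DNS transaction IDs are 16 bits
PORT_SPACE = 65536 - 1024  # assumed ephemeral source-port range a patched resolver picks from


def guess_space(port_randomized):
    """Values a forged reply must match: the TXID alone on an unpatched resolver,
    TXID x source port once the patch randomizes the port per query."""
    return TXID_SPACE * (PORT_SPACE if port_randomized else 1)


def expected_queries_to_poison(port_randomized, forgeries_per_query):
    """Each query the attacker triggers (a fresh random subdomain, so the cache cannot
    answer it) buys `forgeries_per_query` distinct guesses before the real reply lands.
    Returns the expected number of such queries until one forged reply is accepted."""
    p = min(1.0, forgeries_per_query / guess_space(port_randomized))
    return 1.0 / p


def simulate(port_randomized, queries, forgeries_per_query, seed=1):
    """Monte Carlo of the race: per query the resolver draws a fresh (TXID[, port]);
    the attacker answers with a block of `forgeries_per_query` consecutive guesses.
    Returns how many of the `queries` were poisoned."""
    rng = random.Random(seed)
    space = guess_space(port_randomized)
    poisoned = 0
    for _ in range(queries):
        target = rng.randrange(space)       # what the resolver is waiting for
        first_guess = rng.randrange(space)  # where the attacker's block of guesses starts
        if (target - first_guess) % space < forgeries_per_query:
            poisoned += 1
    return poisoned


if __name__ == "__main__":
    for randomized in (False, True):
        label = "port randomized " if randomized else "fixed source port"
        print(label,
              "expected queries to poison:",
              round(expected_queries_to_poison(randomized, 4000)),
              "| poisoned out of 300:", simulate(randomized, 300, 4000))
```

With a fixed source port the attacker needs on the order of sixteen triggered queries, which is why exploit code was expected within a day of disclosure; with the port randomized the same attacker needs about a million, which is the whole effect of the patch. The check a practitioner wants is therefore not "is the patch installed" but "are outgoing queries actually leaving from varying ports", since a NAT device in front of the resolver can rewrite them back to a single port and undo the fix.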

Monday, July 21, 2008

Bank Back On Hook For Data Theft At BJ's Wholesale

Paul McDougall writes on InformationWeek:

A federal appeals court last week reversed a lower court's order that credit card processor Fifth Third Bancorp did not have to pay for new credit cards for some cardholders whose data was stolen during a 2004 hacking incident at BJ's Wholesale Club.

In ruling, the United States Court of Appeal upheld a challenge to the lower court's decision brought by the Pennsylvania State Employees Credit Union.

Fifth Third provided credit card processing services to BJ's. In its initial complaint, PSECU argued that Fifth Third bore some liability for the data breach because it failed to properly train the retailer's staff in proper security procedures.

The breach led to the pilfering of the names and credit card numbers of thousands of BJ's Wholesale customers and led to millions of dollars in theft-related losses.

More here.

Registrars Turn Blind Eye to Sites Selling Illegal Steroids

Dan Goodin writes on The Register:

Next time you see websites brazenly pushing anabolic steroids, thank GoDaddy, Dynadot and a half-dozen other US-based registrars, which allow them to operate even though they're illegal, claims a new report.

Released Monday, the report catalogs 156 websites offering steroids without a prescription or verifying that the would-be buyer is over 18 years old. Such practices are a violation of laws in the US and in many other countries and a violation of the terms of service the registrars impose on their customers. All eight of the registrars are, concludes the report, turning a blind eye to the practice.

More here.

E-Gold Pleads Guilty to Money Laundering

Grant Gross writes on PC World:

E-Gold, an Internet-based payment service, and three owners have pleaded guilty to criminal charges related to money laundering, the U.S. Department of Justice said Monday.

E-Gold, based in Nevis, West Indies, and corporate affiliate Gold & Silver Reserve each pleaded guilty in U.S. District Court for the District of Columbia to conspiracy to engage in money laundering and conspiracy to operate an unlicensed money-transmitting business.

Douglas Jackson, 51, of Melbourne, Florida, the principal director of E-Gold and CEO of Gold & Silver Reserve, pleaded guilty to the charges, the DOJ said in a statement.

E-Gold's other two senior directors, Barry Downey, 48, of Baltimore, and Reid Jackson, 45, of Melbourne, each pleaded guilty to felony violations of District of Columbia law relating to operating a money transmitting business without a license. E-Gold, Gold & Silver Reserve and the three company directors were charged in an indictment returned by a federal grand jury in April 2007.

More here.

U.S. Travelers Start Applying For Pocket-Sized Passport


An Arizona Republic article by Sean Holstege, via USA Today, reports that:

People who chafe at the cost of a passport or worry about carrying one to the beach soon will have a cheaper, easier option.

The government is on the cusp of releasing passport cards that fit in a wallet and cost half the price of a new passport. About 350,000 Americans have applied for the new card, the latest step toward ratcheting up border security.

One concern for privacy advocates is that each passport card will contain an embedded radio transmitter chip. Known as RFID, the technology is controversial because critics fear that data from the chips could unknowingly be lifted by remote readers, in what's called "skimming."

More here.

Image source: U.S. State Department via Gannett News Service (USA Today)

Report: Freedom of Information Standards Failed by 38 States

Via Government Technology.

The Freedom of Information Acts (FOI) allowing public access to government records are described as a "haphazard construction" among the states, according to a recent study undertaken by the Better Government Association (BGA) and the National Freedom of Information Coalition (NFOIC).

The study went on to report that 38 of the 50 states have a grade of "F" in overall responses to FOI requests.

More here.

Kaspersky Lab's Malaysian Web Site Hacked

Jeremy Kirk writes on PC World:

Russian security company Kaspersky Lab's Web site for Malaysia was defaced on Saturday along with one of its online shopping sites, according to Zone-H, an organization that documents such attacks.

The attacker, nicknamed "m0sted," wrote that the site was compromised through SQL injection, wrote Roberto Preatoni on a Zone-H posting.

The attack involves inputting code into a form on a Web page in an attempt to get the back-end database to respond. It can enable the hacker to gain control over the Web site.

Kaspersky has since locked down the site, which is apparently running Microsoft's Internet Information Services Web server. The site is no longer open to the public and requires a user name and password for access.

More here.
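The Kirk excerpt describes SQL injection in one sentence. As an added example, not code from the article, from Zone-H or from Kaspersky's site, here is the injection point itself beside its fix, using an in-memory SQLite table as a stand-in for the back-end database. The two accounts, the password hashes, the three payloads and the function names are all constructed for illustration.

```python
import hashlib
import sqlite3

# Constructed demo accounts (not from the article); passwords stored as SHA-256 hashes.
DEMO_PASSWORDS = {"admin": "correct horse battery staple", "bob": "hunter2"}


def pw_hash(password):
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory SQLite stand-in for the web site's back-end database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(u, pw_hash(p)) for u, p in DEMO_PASSWORDS.items()])
    return conn


def login_vulnerable(conn, username, password):
    """Form input spliced straight into the SQL text: the injection point.
    Returns whatever the first row's first column is (the app treats a non-None
    result as 'logged in'), or None."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
           % (username, pw_hash(password)))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends values separately from the
    SQL text, so quotes and comment markers inside `username` are data, not syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    row = conn.execute(sql, (username, pw_hash(password))).fetchone()
    return row[0] if row else None


# Three payloads typed into the username field. The vulnerable query accepts all three;
# the parameterized query returns None for each, since no user has that literal name.
PAYLOAD_COMMENT = "admin'--"      # closes the string, comments out the password check
PAYLOAD_TAUTOLOGY = "' OR 1=1--"  # WHERE clause always true: logs in as the first row
PAYLOAD_UNION = ("' UNION SELECT password_hash FROM users "
                 "WHERE username = 'admin'--")  # pulls another column out via the result


if __name__ == "__main__":
    db = make_db()
    for payload in (PAYLOAD_COMMENT, PAYLOAD_TAUTOLOGY, PAYLOAD_UNION):
        print(repr(payload))
        print("  concatenated :", login_vulnerable(db, payload, "wrong"))
        print("  parameterized:", login_safe(db, payload, "wrong"))
```

The UNION payload is the one that turns "get the back-end database to respond" into control of the site: it reads the admin password hash back through a field meant to hold a username, and the same shape reaches any other table the application's database user can see. One caveat: Python's sqlite3 driver refuses stacked statements, so a `'; DROP TABLE users--` payload raises an error here rather than executing; that is a limitation of this driver, not a defence, and database servers that accept batched statements will run it.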

Bank Tech: SWIFT Bucks Down Trend With Hiring Boom

Orla O'Sullivan writes on Bank Systems & Technology:

While most Americans fear layoffs, SWIFT continues to increase its staff in the Americas, especially in New York, it emerged from a recent press briefing by the body that sends payments and messages about them around the world.

SWIFT increased its staff in the Americas region by 10 percent last year, while New York alone has added 10 percent each year from 2005 through 2007. Meanwhile, in the economy overall, the unemployment rate rose to a psychologically significant 5 percent for the first time in over two years.

More here.

Sunday, July 20, 2008

Certegy DBA Gets Jail Time For Data Thefts

Jaikumar Vijayan writes on ComputerWorld:

A former database administrator at Certegy Check Services Inc. who admitted that he stole and then sold the personal data of about 8.5 million consumers was sentenced to 57 months in prison by a federal judge in Florida this month.

In addition, the judge ordered William G. Sullivan to pay almost $4 million in restitution to consumers victimized by the data thefts.

Sullivan pleaded guilty to felony fraud charges last November, four months after the thefts were disclosed by Fidelity National Information Services Inc., Certegy's parent company.

According to court records, Sullivan stole a variety of personal data from the company's databases over a five-year period that started in February 2002. The information was sold to data brokers through an intermediary, which paid Sullivan a total of $580,000.

More here.

Recommended: Recount



Awesome flick -- see it if you can. How George W. Bush stole the 2000 Presidential election...

- ferg

Cybersecurity Will Take A Big Bite of the Budget

Walter Pincus writes in The Washington Post:

President Bush's single largest request for funds and "most important initiative" in the fiscal 2009 intelligence budget is for the Comprehensive National Cybersecurity Initiative, a little publicized but massive program whose details "remain vague and thus open to question," according to the House Permanent Select Committee on Intelligence.

A highly classified, multiyear, multibillion-dollar project, CNCI -- or "Cyber Initiative" -- is designed to develop a plan to secure government computer systems against foreign and domestic intruders and prepare for future threats. Any initial plan can later be expanded to cover sensitive civilian systems to protect financial, commercial and other vital infrastructure data.

More here.

Relay Server Attack Tactic Dupes Auto-Reporting

John Leyden writes on Channel Register:

Sysadmins have begun noticing a coordinated attack on servers with open SSH ports that tries to stay under the radar by only attempting to guess a password three times from any compromised machine. Instead of mounting an attack from a single compromised host, hackers have worked out a means to relay a brute force attack between multiple assault machines.

IT consultant and developer Nazar Aziz picked up on the attack, which started around the beginning of July, when he noticed a pattern of assaults on a small bank of dedicated Linux servers he manages.

More here.
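The tactic Leyden describes works because most auto-reporting and auto-blocking tools count failures per source IP, and three tries from each host stays under every such threshold. As an added example (not from the article or from Nazar Aziz), here is the detection logic run over a constructed auth.log excerpt: the per-IP rule sees nothing, while aggregating on the target account across sources within a time window catches the relay. The log lines, host names, addresses, the 2008 year assumed for the year-less syslog timestamps and the function names are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample (not from the article): three hosts each try root exactly three times
# and stop, as the relay tactic does; one stray failure and a successful login round it out.
SAMPLE_AUTH_LOG = """\
Jul 20 03:12:01 web1 sshd[4123]: Failed password for root from 203.0.113.10 port 51022 ssh2
Jul 20 03:12:03 web1 sshd[4123]: Failed password for root from 203.0.113.10 port 51022 ssh2
Jul 20 03:12:05 web1 sshd[4123]: Failed password for root from 203.0.113.10 port 51022 ssh2
Jul 20 03:12:40 web1 sshd[4130]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jul 20 03:12:42 web1 sshd[4130]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jul 20 03:12:44 web1 sshd[4130]: Failed password for root from 198.51.100.7 port 40211 ssh2
Jul 20 03:13:10 web1 sshd[4137]: Failed password for root from 192.0.2.55 port 33102 ssh2
Jul 20 03:13:12 web1 sshd[4137]: Failed password for root from 192.0.2.55 port 33102 ssh2
Jul 20 03:13:14 web1 sshd[4137]: Failed password for root from 192.0.2.55 port 33102 ssh2
Jul 20 03:15:00 web1 sshd[4150]: Failed password for alice from 203.0.113.200 port 50001 ssh2
Jul 20 03:15:30 web1 sshd[4151]: Accepted publickey for alice from 203.0.113.200 port 50002 ssh2
"""

LOG_YEAR = 2008  # assumed: syslog timestamps carry no year

FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+"
)


def parse_failures(log_text):
    """Return (timestamp, user, source_ip) for every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # accepted logins, disconnects etc. are not brute-force evidence
            ts = datetime.strptime("%d %s" % (LOG_YEAR, m["ts"]), "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def per_source_offenders(events, threshold=5):
    """The rule most auto-reporting tools apply: flag an IP only once that IP alone
    reaches `threshold` failures. Three-and-stop hosts never trip it."""
    per_ip = Counter(ip for _, _, ip in events)
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


def distributed_offenders(events, threshold=5, min_sources=3, window=timedelta(minutes=10)):
    """Aggregate on the target account instead: within any `window`, at least
    `threshold` failures against one username from at least `min_sources` distinct
    IPs is flagged, however few attempts each individual IP made."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    hits = {}
    for user, items in by_user.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide the window forward
                start += 1
            span = items[start:end + 1]
            sources = {ip for _, ip in span}
            if len(span) >= threshold and len(sources) >= min_sources:
                hits[user] = {"failures": len(span), "sources": sorted(sources)}
                break
    return hits


if __name__ == "__main__":
    events = parse_failures(SAMPLE_AUTH_LOG)
    print("per-IP rule flags:", per_source_offenders(events))
    print("per-account rule flags:", distributed_offenders(events))
```

The first rule returns nothing on this sample even though nine password guesses against root arrived inside ninety seconds; the second reports root with three sources. The cost of the second rule is that it cannot block by IP without also blocking legitimate users of a busy account, so its natural response is an alert on the account, or a temporary lockout of password authentication for it, rather than a firewall entry.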

Ongoing Political DDoS in Georgia - UPDATE

Jose Nazario writes on the Arbor Networks blog:

The website for the President of Georgia, a former Soviet republic, has come under DDoS (hat tip: Shadowserver team). This attack appears to have a political motivation. One of the messages in the floods (HTTP, SYN, ICMP) reads “win+love+in+Rusia”. Tensions between Russia and Georgia appear to be running high lately.

I do not know who exactly is behind the attacks, if they are acting alone or if they are associated with a political outfit anywhere. The Georgian presidential website is still inaccessible (possibly firewalled to thwart the attack, possibly still under attack by additional botnets). The C&C server is located in the US, and I’ve alerted various parties to try and get some traction on the attack to discover who it is. This botnet is somewhat recent to us in its activities, but uses a codebase we’re familiar with (Machbot).

More here.

UPDATE: 20:49: More details available here on the ThreatExpert blog. -ferg

UK: Another MoD Laptop Stolen

Via The Guardian.

The Ministry of Defence tonight confirmed another laptop with "sensitive information" on has been stolen while one of their officials checked out of a hotel.

An MoD spokesman said the theft from the Britannia Adelphi hotel in Liverpool city centre on Thursday brought the total of laptops stolen to 659.

On Friday the MoD admitted that 658 of its laptops had been stolen over the past four years - nearly double the figure previously claimed.

The department also said 26 portable memory sticks containing classified information had been either stolen or misplaced since January.

More here.

Social Engineering 101: Mitnick And Other Hackers Show How It's Done

Elinor Mills writes on C|Net News:

Kevin Mitnick knows that the weakest link in any security system is the person holding the information.

As a young fugitive hacker, he went to jail for breaking into computer networks, mostly by using his cunning and persuasion rather than his tech skills. He was an early master of the science of social engineering--manipulating people into doing what you want, such as giving out passwords and other information that unlocks sensitive information on networks.

Mitnick and a panel of other hackers discussed their social engineering pranks and gave live demonstrations at the Live HOPE (Hackers on Planet Earth) conference late on Saturday.

More here.