Saturday, June 13, 2009

Quote of The Day: Don Franke

"PC security is no longer about a virus that trashes your hard drive. It's about botnets made up of millions of unpatched computers that attack banks, infrastructures, governments. Bandwidth caps will contribute to this unless the thinking of Internet providers and OS vendors change. Because we are all inter-connected now."

- Don Franke, writing on the ISC(2) Blog.


Off Beat: Judge Rules Terrorist Can Sue Over Torture Memos

An AP newswire article by Don Thompson, via The Boston Globe, reports that:

A convicted terrorist can sue a former Bush administration lawyer for drafting the legal theories that led to his alleged torture, ruled a federal judge has ruled who said he was trying to balance a clash between war and the defense of personal freedoms.

The order by U.S. District Judge Jeffrey White of San Francisco is the first time a government lawyer has been held potentially liable for the abuse of detainees.

White refused to dismiss Jose Padilla's lawsuit against former senior Justice Department official John Yoo on Friday. Yoo wrote memos on interrogation, detention and presidential powers for the department's Office of Legal Counsel from 2001 to 2003.

Padilla, 38, is serving a 17-year sentence on terror charges. He claims he was tortured while being held nearly four years as a suspected terrorist.

White ruled Padilla may be able to prove that Yoo's memos "set in motion a series of events that resulted in the deprivation of Padilla's constitutional rights."

More here.

U.S. Developer: China's Green Dam Steals Our Code

Richard Koman writes on ZDNet Government:

This Green Dam story just keeps getting weirder. First, China issues this mandate that all new PCs will have to have software called Green Dam-Youth Escort preinstalled. It’s claimed the software is just a porn filter, even though China runs the powerful Great Firewall of China, already.

Then researchers reported that the software’s data files contain long lists of political keywords. A lawsuit was filed in China to stop the edict.

Now, net nanny developer Solid Oak says Green Dam includes pieces of its Cybersitter software, apparently purloined by Jinhui Computer System Engineering Co., the government-aligned developer. This has been confirmed by University of Michigan researchers, the Wall Street Journal reports. Solid Oak says it will go to U.S. court to stop computer makers from shipping with Green Dam.

More here.

Pentagon Cyber Unit Prompts Questions

Ellen Nakashima writes in The Washington Post:

The Pentagon's development of a "cyber-command" is prompting questions about its role in the larger national strategy to protect government and private-sector computer networks and whether privacy can be protected. And the command is fueling debate over the proper rules to govern a new kind of warfare in which unannounced adversaries using bits of computer code can launch transnational attacks.

Defense officials are creating the command to defend military networks and develop offensive cyber-weapons, based on a strategy that brings together the military's cyber-warriors and the National Security Agency, the organization responsible for electronic espionage.

The launching of the command, which could be announced as early as next week, reflects the Pentagon's determination to respond urgently to the growing sophistication of other nations' abilities to penetrate the military's global data networks and obtain or alter sensitive information.

More here.

Friday, June 12, 2009

U.S. Toll in Iraq, Afghanistan


Iraq and Afghanistan statistics via The Boston Globe (AP).

As of Friday, June 12, 2009, at least 4,311 members of the U.S. military had died in the Iraq war since it began in March 2003, according to an Associated Press count.

The figure includes nine military civilians killed in action. At least 3,453 military personnel died as a result of hostile action, according to the military's numbers.

The AP count is three fewer than the Defense Department's tally, last updated Friday at 10 a.m. EDT.

As of Friday, June 12, 2009, at least 632 members of the U.S. military had died in Afghanistan, Pakistan and Uzbekistan as a result of the U.S. invasion of Afghanistan in late 2001, according to the Defense Department. The department last updated its figures Friday at 10 a.m. EDT.

Of those, the military reports 466 were killed by hostile action.

More here and here.

And as always, the Iraq Coalition Casualty Count keeps the grim watch on their website here.

Honor the Fallen.

Privacy May Be a Victim in Cyber-Defense Plan

Thom Shanker and David E. Sanger write in The New York Times:

A plan to create a new Pentagon cybercommand is raising significant privacy and diplomatic concerns, as the Obama administration moves ahead on efforts to protect the nation from cyberattack and to prepare for possible offensive operations against adversaries’ computer networks.

President Obama has said that the new cyberdefense strategy he unveiled last month will provide protections for personal privacy and civil liberties. But senior Pentagon and military officials say that Mr. Obama’s assurances may be challenging to guarantee in practice, particularly in trying to monitor the thousands of daily attacks on security systems in the United States that have set off a race to develop better cyberweapons.

Much of the new military command’s work is expected to be carried out by the National Security Agency, whose role in intercepting the domestic end of international calls and e-mail messages after the Sept. 11, 2001, attacks, under secret orders issued by the Bush administration, has already generated intense controversy.

There is simply no way, the officials say, to effectively conduct computer operations without entering networks inside the United States, where the military is prohibited from operating, or traveling electronic paths through countries that are not themselves American targets.

More here.

Off Beat: Ancient Mass Grave Found on U.K. Olympics Site

A Reuters newswire article by Stefano Ambrogi, via MSNBC.com, reports that:

An ancient burial pit containing 45 severed skulls, that could be a mass war grave dating back to Roman times, has been found under a road being built for the 2012 British Olympics.

Archaeologists, who have only just begun excavating the site, say they do not yet know who the bones might belong to.

"We think that these dismembered bodies are likely to be native Iron Age Britons. The question is — how did they die and who killed them," said dig head, David Score, of Oxford Archaeology.

"Were they fighting amongst themselves? Were they executed by the Romans? Did they die in a battle with the Romans?

"The exciting scenario for us possibly is that there were skirmishes with the invading Romans and that's how they ended up chopped up in a pit," he told Reuters.

More here.

'Spam King' Sanford Wallace Could Face Criminal Charges in Facebook Case

Elinor Mills writes on C|Net News:

In a move that could land Sanford Wallace in jail if convicted, a federal judge on Friday referred a lawsuit Facebook filed against the "spam king" to the U.S. Attorney's office for possible criminal proceedings.

A written ruling from Judge Jeremy Fogel in U.S. District in San Jose, Calif., is expected early next week, a court clerk said. The action came at a hearing on a Facebook motion that Wallace be found in criminal contempt for allegedly continuing to send spam on Facebook.

Facebook sued Sanford and two others in February alleging they used phishing sites or other means to fraudulently gain access to Facebook accounts and used them to distribute phishing spam throughout the network.

More here.

U.S. Cyber Chief: Feds Need to Work Better With Companies

Grant Gross writes on ComputerWorld:

The U.S. government has significant work to do before it can better cooperate with the private sector and other governments to better protect cybersecurity, a government cybersecurity expert said.

The U.S. government needs to build trust with private companies so that they will share information about security risks, said Melissa Hathaway, the U.S. National Security Council's cybersecurity chief and author of a recently completed 60-day review of the nation's cybersecurity readiness.

U.S. businesses have a perception that if they share information with the government, it might not stay confidential, said Hathaway, speaking Friday at the Center for Strategic & International Studies (CSIS), a Washington, D.C., think tank.

"We need improved dialogue in the public-private partnership," Hathaway said. "We need to start to build toward trust ... in this area where I think there's not enough trust."

More here.

Former Principal Scientist at VeriSign Blasts U.S. Control of DNSSEC Root Signing

Brenden Kuerbis writes on the Internet Governance Project Blog:

Phillip Hallam-Baker, an Internet security pioneer and most recently Principal Scientist at VeriSign, has criticized current DNSSEC root signing arrangements in his comments to the Dept of Commerce as a "profoundly destabilizing technology" for the Internet.

Recognizing that "ICANN represents the only viable mechanism for coordination and control of the Internet" and identifying the political tensions that could emerge surrounding USG oversight of the DNS root, Hallam-Baker explains how the current ability to, if necessary, reroute root servers to a different DNS provides an "opportunity of exit" for other governments. He argues this possibility is a "safety valve that keeps ICANN and US control of ICANN in check."

More here.

Italian Police: Hacker Stole Phone Time From AT&T, Others

Philip Willan writes on ComputerWorld:

An Italian magistrate has issued an international arrest warrant for a Filipino hacker suspected of causing millions of dollars of losses to telecommunications multinationals, and Italian police have arrested five Pakistani nationals accused of exploiting the hacker's work to defraud the telecom companies, officials in the northern city of Brescia said Friday.

The Filipino hacker allegedly penetrated the IT systems belonging to customers of major telephone companies, including AT&T, to steal access codes for international phone calls that he then sold to the group of Italy-based Pakistanis who ran a network of public phone centers. Police declined to identify the hacker by name, saying only that he was a 27-year-old male living in the Philippines.

Police identified Zamir Mohammad, 40, the manager of a phone center in Brescia, as the principal buyer of the Filipino's allegedly illegally acquired access codes. Mohammad was responsible for exploiting the codes and selling them on to other telephone service operators in Italy and Spain, police said. On Friday the U.S. Department of Justice unsealed an indictment charging Mohammad ahmoud Nusier, 40, Paul Michael Kwan, 27, and Nancy Gomez, 24, all currently residing in the Philippines, with unauthorized computer access and wire fraud.

More here.

New Scientist Tech: The Inside Story of the Conficker Worm

Jim Giles writes on New Scientist Tech:

A hotel bar in Arlington, Virginia, 23 October 2008. A group of computer security experts has spent the day holed up with law enforcement agencies. It is an annual event that attracts the best in the business, but one the participants like to keep low-key - and under the radar of the cybercriminals they are discussing.

That evening, conversation over drinks turned to a security update Microsoft had just released. Its timing was suspicious: updates usually came once a month, and the next was not due for two weeks. "I remember thinking I should take a look at this," recalls Paul Ferguson, a researcher at Trend Micro, a web security company in Cupertino, California.

He did. So did the rest of the computer security industry. In fact, they talked, puzzled and worried about little else for months after. The update heralded the birth of the Conficker worm - one of the most sophisticated pieces of malignant software ever seen.

Despite an unprecedented collaboration against them, Conficker's accomplished creators have been able to bluff and dodge to gain control of machines inside homes, universities, government offices and the armed forces of at least three nations, establishing a powerful and lucrative network of "zombie" computers. New Scientist has pieced together the sobering details of that cat-and-mouse fight.

More here.

Thursday, June 11, 2009

Classic xkcd: Latitude


Click for larger image.


We love xkcd. It's just awesome.

- ferg

DoD Official Indicted for Giving Secrets to China

An AP newswire article by Matthew Barakat, via The Boston Globe, reports that:

A Pentagon official initially accused of unknowingly supplying secrets to China had actually been aware for some time that he was dealing with an agent for Beijing, according to a new indictment issued Thursday.

Initial charges last month against James W. Fondren Jr. suggested that he was sucked into a "false flag" operation -- that is, he disclosed secrets to an agent he thought worked for Taiwan who was actually working for China.

Thursday's indictment, though, said he had been aware for roughly a decade that the agent had deep ties to the regime in Beijing. At times, Fondren even bypassed his handler and directly gave information to the Chinese government, according to the indictment.

Fondren, 62, who held top secret clearances as deputy director of the Washington liaison office for U.S. Pacific Command, last month became the second Pentagon official charged with giving classified documents to Tai Shen Kuo. Kuo, a New Orleans furniture salesman, pleaded guilty to spying for Beijing and was sentenced last year to nearly 16 years in prison.

More here.

Firefox 3.0.11- Now Available

Get it.

Fixed in Firefox 3.0.11:

MFSA 2009-32 JavaScript chrome privilege escalation
MFSA 2009-31 XUL scripts bypass content-policy checks
MFSA 2009-30 Incorrect principal set for file: resources loaded via location bar
MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null
MFSA 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object
MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests
MFSA 2009-26 Arbitrary domain cookie access by local file: resources
MFSA 2009-25 URL spoofing with invalid unicode characters
MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)

Spear-Phishing Gang Resurfaces, Nets Big Catch

Brian Krebs writes on Security Fix:

A prolific phishing gang known for using sophisticated and targeted e-mail attacks to siphon cash from small to mid-sized business bank accounts appears to be back in operation after more than a 5-month hiatus, security experts warn.

From Feb. 2007 to Jan 2009, analysts at Sterling, Va., based security intelligence firm iDefense tracked 38 separate phishing campaigns from am Eastern European gang they simply call "Group A." iDefense believes this group was one of two responsible for a series of successful phishing attacks that spoofed the U.S. Better Business Bureau (BBB), the U.S. Department of Justice, the IRS, as well as Suntrust and payroll giant ADP. Last summer, authorities in Europe and Romania are thought to have arrested most members of a rival BBB phishing gang that iDefense called Group B.

While the type of tricks that Group A employs once victims are hooked have grown more sophisticated, the initial lure used to snare people hasn't changed: In each attack, the scammers send out "spear phishing" e-mail messages (so called because they use the victim's name in the message) and urge the recipient to click on an attachment.

The attached file is, naturally, a Trojan horse that steals stored user names and passwords, and looks for victims logging in at commercial banks. If the victim logs in to a bank that requires so-called two-factor authentication -- such as the input of a one-time pass phrase or random number from a supplied hardware token -- the Trojan re-writes the bank's Web page on the fly, inserting a form that requests the information. The attackers typically begin initiating wire transfers out of the victim accounts shortly after the credentials are stolen, said iDefense analyst Mike LaPilla.

More here.

Quote of The Day: Dave Jevans

"The Internet was designed to be a self-healing network that can come back and re-route traffic in case parts of the network go down. It seems like these properties also apply to electronic crime networks for spam, phishing and malware. A self-healing electronic crime grid."

- Dave Jevans, CEO of IronKey & Chairman of the Anti-Phishing Working Group (APWG), writing on his blog regarding the FTC shutdown of Pricewert/3FN/APS Telecom.


ICANN Sends Notice of Breach to Registrar

Via ICANN.org.

ICANN sent a notice of breach [.pdf] to ICANN-accredited registrar Lead Networks Domains Pvt. Ltd. based on Lead Networks Domains Pvt. Ltd.'s failure to comply with the Uniform Domain Name Dispute Resolution Policy ("UDRP") and Registrar Accreditation Agreement ("RAA"). Specifically, Lead Networks Domains Pvt. Ltd. failed to comply with the Rules for UDRP, Rule 16(a) (Communication of Decision to Parties) and RAA Section 3.4 (Retention of Registered Name Holder and Registration Data); despite repeated requests by ICANN.

These rules require registrars to communicate plans to implement UDRP Provider decisions, maintain records make these records available to ICANN upon reasonable notice.

More here.

Attacks on SHA-1 Made Even Easier

Via The H Security.

Australian researchers have described a new and faster way of provoking collisions of the SHA-1 hash algorithm. With their method, a collision can be found using only 252 attempts. This makes practical attacks feasible and could have an impact on the medium-term use of the algorithm in digital signatures.

SHA-1 is used to verify data authenticity in many applications. To reduce the complexity of the collision process, the researchers combined a boomerang attack with the search for differential paths.

Towards the end of 2008, researchers demonstrated how to use 200 PlayStation 3 game consoles to forge SSL Certificate Authority certificates through finding MD5 hash collisions. SHA-1 could soon be in a similar position. However, successful exploits still require the attacker to have control of both hash messages. Pre-image attacks, in which attackers attempt to generate a new valid message using the hash of an already existing message, remain impossible.

The first method for speeding up the collision process was developed in early 2005, when Chinese researchers only needed 269 instead of 280 attempts to find two different records with the same hash value. A few months later, the complexity was reduced to 263 attempts.

More here.

Vint Cerf: 'The Internet is Incomplete'

Patrick Thibodeau writes on ComputerWorld:

The co-designer of the Internet's basic architecture, Vinton Cerf, said the Internet "still lacks many of the features that it needs," particularly in security, in a blunt talk to a tech industry crowd here.

Cerf, who is a vice president and chief Internet evangelist at Google Inc., co-designed with Robert Kahn the TCP/IP protocols that underpin the Internet. That was in 1973. And despite becoming operational in 1983, and commercially available in 1989, the Internet remains incomplete, he said.

Cerf is influential because of his accomplishments, but he may be even more so today because of his affiliation with Google. President Obama's administration has appointed a number of Google employees, including CEO Eric Schmidt, to important positions.

One of the most critical needs is authentication, Cerf said, and he told the crowd at a TechAmerica gathering Wednesday that anyone who performs transactions over the Internet - which is everyone - should "should be deeply concerned about that technology."

More here.

Wednesday, June 10, 2009

Mark Fiore: Stimulate This, Bro!



More Mark Fiore brilliance.

Via The San Francisco Chronicle.

Enjoy!

- ferg

ACLU Seeks Records About Laptop Searches At The Border

Via ACLU.org.

United States Customs and Border Protection (CBP) policy permits officials to search the laptops and other electronic devices of travelers without suspicion of wrongdoing, according to a Freedom of Information Act (FOIA) request filed today by the American Civil Liberties Union. The ACLU filed the FOIA request with CBP, a component of the Department of Homeland Security (DHS), to learn how CBP's suspicionless search policy, first made public in July 2008, is impacting the constitutional rights of international travelers.

"Based on current CBP policy, we have reason to believe innumerable international travelers – including U.S. citizens – have their most personal information searched by government officials and retained by the government indefinitely," said Larry Schwartztol, staff attorney with the ACLU National Security Project. "The disclosure of these records is necessary to better understand the extent to which U.S. border and customs officials may be violating the Constitution."

In July 2008, CBP issued its "Policy Regarding Border Search of Information," which permits CBP to subject travelers to suspicionless searches of information contained in documents and electronic devices, including laptop computers.

According to the ACLU's request, giving the government unchecked authority to search travelers' personal documents and electronic devices is a violation of Fourth Amendment privacy rights and the First Amendment freedoms of speech, inquiry and association.

More here.

Hero of The Day: Lee Ermey


Via The Missoulian Online (Missoula, Montana).

When Don Luke saw a tall former Marine Corps drill instructor walk into the Wells Fargo Bank on Russell Street on Monday, a light clicked on.

“He looked very familiar,” Luke said. “I watch the History Channel a ton.”

Sure enough, it was R. Lee Ermey, star of the network's “Mail Call,” with a line of movie credits that stretches back to the 1970s.

Ermey, in Missoula this week to shoot a segment for his upcoming series “Locked and Loaded,” had been driving with crew member Harlan Glenn to a Fort Missoula museum when he spotted something black lying on the blacktop.

On closer examination, it turned out to be a bank deposit bag. Ermey stopped the car and picked it up.

“We look in there and - Lord have mercy,” he said.

The bag contained a pile of dough: cash and checks that looked like they were meant for deposit in an American Indian fund of some sort.

“Just on one deposit slip alone was, like, $3,700, and another one for $2,800,” Glenn said. “There was easily $8,000 in cash, and the rest in checks.”

Ermey said his first thought was: “Some poor guy, right now, is probably getting fired, probably having the worst day of his life.

“So what we did was we went right down to the Wells Fargo bank and deposited it for him.”

More here.

Props: Op For

Experts: U.S. Needs to Spend More on Cyber Security R&D

Grant Gross writes on ComputerWorld:

The U.S. government needs to spend more money on cybersecurity research and development and on education programs in order to fight a rising tide of attacks against government and private groups, cybersecurity experts told U.S. lawmakers.

The U.S. government has a 2009 R&D budget of about $143 billion, and only about $300 million will go to cybersecurity research, said Liesyl Franz, vice president of information security and global public policy at TechAmerica, a trade group. Funding for cybersecurity R&D and for training security professionals "requires immediate and sustained attention," she told the House of Representatives Research and Science Education Subcommittee today.

Franz said there needs to be more formal ways that private industry can work with the government on cybersecurity research. Private organizations are generally asked about a project in the last stages of development, she said.

The federal government also needs to pump more money into the training of cybersecurity professionals because there aren't enough available to fight the growing problems with data theft, added Anita D'Amico, director of the secure decisions division at Applied Visions, a Northport, N.Y., software developer. The U.S. government also needs to launch a marketing campaign to make the general public better understand cybersecurity risks, she said.

More here.

MAAWG: ISPs Report Success in Fighting Malware-Infected PCs

Jeremy Kirk writes on PC World:

Computers infected with malicious software remain a big headache for ISPs, but two companies have designed systems that have made the problem much more manageable.

When a PC gets infected with malicious software, it's often used for sending spam. It makes the ISP look bad as well as sucking up bandwidth, making networks more congested.

True Internet, one of Thailand's largest ISPs, had been hit by an ever-increasing number of malware-infected computers on its network. The spam and malware traffic was so severe that its customers -- most of whom are still on dial-up connections -- were complaining of slow speeds, said Tanapon Chadavasu, head of True Internet's network operations.

The problem was also costing the company money, since bandwidth is expensive in the area, and more hardware was needed to keep the network running, Chadavasu said during a presentation Wednesday at the Messaging Anti-Abuse Working Group Meeting in Amsterdam.

More here.

Tuesday, June 09, 2009

Capital One Says Its e-Mail 'Too Important to be Spam'

Bob Sullivan writes on the MSNBC "Red Tape Chronicles" Blog:

Kevin, a 40-year-old from Sacramento, Calif., likes to keep a tidy inbox. He's very deliberate about removing himself from mailing lists and anything else that might clog up his e-mail. So recently, when he received a marketing pitch from his credit card company, Capital One, he quickly asked to be removed from its list. The response he got surprised him.

"We bring these offers to customers as part of our customer agreement and therefore do not provide a means to prevent this valuable information from reaching them," the firm responded.

In other words: "No."

Kevin, who requested that we withhold his last name for privacy reasons, was surprised and disappointed by the rejection.

"They seem to be reserving the right to waste money by annoying me ... while my feelings about opting out make clear that I am not a valuable target of their marketing," he said.

Because Capital One has an established business relationship with Kevin, it has the right to contact him via e-mail under the terms of the CAN-SPAM Act.

More here.

Note: And people wonder why phishing is successful. Yikes. -ferg

Microsoft Patches 31 Windows, IE, Office Security Holes

Ryan Naraine writes on the ZDNet "Zero Day" Blog:

Microsoft’s batch of patches this month is a big one: 10 bulletins covering a total of 31 documented vulnerabilities affecting the Windows OS, the Internet Explorer browser and the Microsoft Office productivity suite (Word, Works and Excel).

Five of the 10 bulletins are rated “critical,” Microsoft’s highest severity rating. Among the patches this month are fixes for a pair of IIS WebDav flaws that were publicly disclosed last month and cover for the CanSecWest Pwn2Own vulnerability that was used to exploit Internet Explorer on Windows 7.

More here.

Adobe Patches 13 Critical Reader, Acrobat Vulnerabilities

Ryan Naraine writes on the ZDNet "Zero Day" Blog:

Adobe has issued its first ever scheduled quarterly update for its Reader/Acrobat product line, a mega-patch covering 13 documented security vulnerabilities.

The patches address “critical vulnerabilities” in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions. “These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system,” Adobe warned in an advisory.

The company also acknowledged it has silently fixed several security problems that are not being publicly documented.

More here.

UK Business Fear ICANN Domain Changes Will Fuel Crime

John E. Dunn writes on TechWorld.com:

A high percentage of UK businesses have no idea that the Internet's top-level domains (TLDs) are to be liberalised next year and some of those who do fear it will simply put them at the mercy of cybersquatters, an in-depth survey for domain outfit Gandi has found.

The survey of over 1,000 UK-based respondents, including 100 large retail and SME business managers, found a degree of frustration with the current domain naming structure, which restricts businesses and individuals to buying names from a limited number of possibilities, such as .com, .net. and .co.uk. Twenty-eight percent of respondents said they had to settle for domain names or extensions other than the ones they wanted, for instance.

It might be assumed, then, that ICANN's (The Internet Corporation for Assigned Names and Numbers) proposed 2010 expansion of domain names to include new structures such as geographical names (.London and .Paris), company names (.Nike, .Coke), and even themed names (.God) would meet with unqualified approval.

As has proved the case with the wider business and technical community during ICANN's consultation period in the last year, the survey found a mixed picture.

More here.

Monday, June 08, 2009

T-Mobile Confirms Hackers' Info is Legit

Bob McMillan:

The information posted over the weekend by hackers who claimed to have hacked T-Mobile is legit, T-Mobile now says. But, it's not clear that the hackers have the full access to T-Mobile systems they claim.

On Saturday, hackers posted what appear to be logfiles taken from T-Mobile's networks to the Full Disclosure mailing list, claiming to have hacked the carrier "We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009." they wrote.

Earlier today T-Mobile said it was investigating the hack, but they've now updated their statement, saying that they've identified the file that was copied, but noting that the fact that the hackers got this file doesn't necessarily mean that they have "everything," as claimed.

More here.

Bullion and Bandits: The Improbable Rise and Fall of E-Gold

Kim Zetter writes on Threat Level:

In a sparsely decorated office suite two floors above a neighborhood of strip malls and car dealerships, former oncologist Douglas Jackson is struggling to resuscitate a dying dream.

Jackson, 51, is the maverick founder of E-Gold, the first-of-its-kind digital currency that was once used by millions of people in more than a hundred countries. Today the currency is barely alive.

Stacks of cardboard evidence boxes in the office, marked “U.S. Secret Service,” help explain why, as does the pager-sized black box strapped to Jackson’s ankle: a tracking device that tells his probation officer whenever he leaves or enters his home.

“It’s supposed to be jail,” he says. “Only it’s self-administered.”

Jackson, whose six-month house arrest ends this month, recently met with Wired.com for his first in-depth interview since pleading guilty last year to money laundering-related crimes, and to operating an unlicensed money transmitting service. His tale is one of countless upstarts and entrepreneurs who approached the internet with big dreams, only to be chastened by sobering realities. But his rise and fall also offers a unique glimpse at the web’s frontier halcyon days, and the wilderness landscape that still covers much of the unregulated and un-policed web, where fraud artists prospect for riches alongside pioneers, and sometimes stake, and win, a claim on their territory.

More here.

Sunday, June 07, 2009

Op-Ed: Cyber Attacks Must Be Characterized as a Criminal Offense

Shukhrat Khakimov writes on New Blaze:

Humanity has entered into an era of cyberwarfare. The word "cyber" only 60 years old and it corresponds to the name of Norbert Wiener. It involves new technologies and their progress. The word "war" is already known to mankind for thousands of years. A consistent definition of war has given Carl von Clausewitz in his book "On War" a sound perspective.

According to von Clausewitz, "War is an instrument of policy; it must inevitably have a political nature. Therefore, the conduct of wars in its main outlines is the very policies that replaced the stylus on the sword." He writes - "War is an act of violence intended to compel the enemy to fulfill our will.

To crush the enemy, we must match our efforts with the strength of his resistance; the latter represents the result of two non-factors: the amount of funds the enemy holds and the force of his will.

"War - as an act of violence, is understandable to all. The question is, can "cyberspace attacks" be called "violence"?

It turns out, they can, very simply and seriously. Violation of the normal functioning of government mechanisms is violence.

In modern times, where many of the processes are managed by computers, cyberspace is quite vulnerable.

More here.

Quote of The Day: John Dvorak

"Once a vacation hotspot. Now a charming hell hole."

- John Dovorak, prefacing news of the Mexican drug war violence spilling over into the streets of Acapulco.


PayPal's Security 'Flawed'

Via Stuff.co.nz.

A security flaw in the online payment service PayPal means sensitive information is at risk and customers could lose control of their accounts, according to an Auckland software developer.

Ewart MacLucas says the flaw means customers who have not registered a credit card or bank account to their PayPal account need only supply a street address or phone number to change their password information that can be easily obtained by others.

Once an account is accessed, people can see details of financial transactions and change account settings so a customer could be locked out of their own account, he says.

PayPal spokeswoman Kelly Stevens confirmed that for PayPal accounts not tied to a credit card or bank account and which have "little to no remaining balance", customers can reset their password by providing "personal information like a phone number and street address".

More here.