<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-465677049890029931</id><updated>2011-11-27T15:41:49.639-08:00</updated><category term='facebook'/><category term='disclaimer'/><category term='Phishing'/><category term='cryptography'/><category term='news'/><category term='law'/><category term='malware'/><category term='piracy'/><category term='crimeware'/><category term='Forensics'/><category term='hacking'/><category term='privacy'/><category term='torrents'/><category term='cloud'/><category term='Security'/><category term='trojan'/><category term='rootkit'/><category term='botnet'/><category term='wdfia 2009'/><category term='pornography'/><category term='cracking'/><category term='Conferences'/><category term='iphone'/><category term='exploits'/><category term='wireless'/><category term='anonymity'/><category term='phising'/><category term='Encase'/><category term='spam'/><category term='mac'/><category term='internet'/><category term='Tools'/><category term='CEOP'/><category term='Ειδήσεις'/><category term='RFID'/><category term='china'/><category term='scam'/><category term='identity theft'/><category term='password'/><category term='fraud'/><category term='google'/><category term='Data Hiding'/><category term='cyber bullying'/><title type='text'>Greek Forensics Community (GFC)</title><subtitle type='html'>Greek Computer Forensics Community.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/465677049890029931/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default?start-index=101&amp;max-results=100'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>115</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-318300023371863254</id><published>2011-08-05T01:03:00.001-07:00</published><updated>2011-08-05T01:03:36.682-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><title type='text'>Android Forensics</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;iframe allowfullscreen="" frameborder="0" height="349" src="http://www.youtube.com/embed/b1FTnWJfgzw" width="560"&gt;&lt;/iframe&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-318300023371863254?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/318300023371863254/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2011/08/android-forensics.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/465677049890029931/posts/default/318300023371863254'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/318300023371863254'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2011/08/android-forensics.html' title='Android Forensics'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://img.youtube.com/vi/b1FTnWJfgzw/default.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-7525801002076533291</id><published>2011-03-09T00:25:00.000-08:00</published><updated>2011-03-09T00:26:35.885-08:00</updated><title type='text'>SSD firmware destroys digital evidence, researchers find Forensic analysis of drives by investigators now uncertain</title><content type='html'>By John E Dunn | Techworld&lt;br /&gt;Published: 10:48 GMT, 01 March 11&lt;br /&gt;&lt;br /&gt;A technology built into many new solid state drives (SSDs) to improve their storage efficiency could inadvertently be making forensic analysis at a later date by police forces and intelligence agencies almost impossible to carry out to legally safe standards, researchers have discovered.&lt;br /&gt;&lt;br /&gt;The detailed findings contained in Solid State Drives: The Beginning of the End for Current Practice in Digital Forensic Discovery? by Graeme B. 
Bell and Richard Boddington of Murdoch University in Perth, Australia, will make unsettling reading for professionals in the digital forensics field and beyond.&lt;br /&gt;&lt;br /&gt;After conducting a series of experiments comparing a sample Corsair 64GB SSD with a conventional Hitachi 80GB magnetic hard drive (HDD), the team found a layer cake of data recovery problems caused by the ‘garbage collection’ or purging algorithms used in SSDs to keep them at peak performance.&lt;br /&gt;&lt;br /&gt;After examining an SSD for traces of data after it had been quick formatted, the team expected the purging routines to kick in around 30-60 minutes later, a process that must happen on SSDs before new data can be written to those blocks. To their surprise, this happened in only three minutes, after which only 1,064 out of 316,666 evidence files were recoverable from the drive.&lt;br /&gt;&lt;br /&gt;Going a stage further, they removed the drive from the PC and connected a ‘write blocker’, a piece of hardware designed to isolate the drive and stop any purging of its contents. Incredibly, after leaving this attached for only 20 minutes, almost 19 percent of its files had been wiped for good, a process the researchers put down to the ability of SSDs to initiate certain routines independent of a computer.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;.... 
MORE  &lt;a href="http://news.techworld.com/security/3263093/ssd-fimware-destroys-digital-evidence-researchers-find/"&gt;HERE&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-7525801002076533291?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/7525801002076533291/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2011/03/ssd-firmware-destroys-digital-evidence.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7525801002076533291'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7525801002076533291'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2011/03/ssd-firmware-destroys-digital-evidence.html' title='SSD firmware destroys digital evidence, researchers find Forensic analysis of drives by investigators now uncertain'/><author><name>anonimity</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-7228339978929127766</id><published>2010-07-20T00:15:00.001-07:00</published><updated>2010-07-20T00:15:36.409-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cloud'/><category scheme='http://www.blogger.com/atom/ns#' term='password'/><category scheme='http://www.blogger.com/atom/ns#' term='cracking'/><title type='text'>WPA Cracker</title><content type='html'>&lt;a 
href="http://www.wpacracker.com/"&gt;http://www.wpacracker.com&lt;/a&gt;/&lt;br /&gt;&lt;br /&gt;&lt;div id="header"&gt;An Introduction&lt;/div&gt;WPA Cracker is a cloud cracking service for penetration testers and  network auditors who need to check the      security of WPA-PSK protected wireless networks.    &lt;br /&gt;WPA-PSK networks are vulnerable to dictionary attacks, but running a  respectable-sized      dictionary over a WPA network handshake can take days or weeks. WPA  Cracker gives you access to a 400CPU cluster      that will run your network capture against a 135 million word  dictionary created specifically for WPA passwords.      While this job would take over 5 days on a contemporary dual-core  PC, on our cluster it takes an average of 20 minutes,     for only $17.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-7228339978929127766?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/7228339978929127766/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/07/wpa-cracker.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7228339978929127766'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7228339978929127766'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/07/wpa-cracker.html' title='WPA Cracker'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-5401178286320615125</id><published>2010-07-12T00:19:00.001-07:00</published><updated>2010-07-12T00:19:45.629-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='CEOP'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><title type='text'>Facebook to launch child safety 'panic button'</title><content type='html'>&lt;div class="introduction"&gt;Facebook has announced it is to launch a "panic  button" application on its social networking site.&lt;/div&gt;The button, aimed at children and teenagers, will report  abuse to the Child Exploitation and Online Protection Centre (Ceop) and  Facebook.&lt;br /&gt;The application will also appear on their homepage to say  that "they are in control online".&lt;br /&gt;The launch follows months of negotiation between Ceop and  Facebook, which initially resisted the idea.&lt;br /&gt;Ceop, the government law enforcement agency tasked with  tracking down online sex offenders, called for a panic button to be  installed on social networking sites last November.&lt;br /&gt;Bebo became the first network to add the button with MySpace  following suit, but Facebook resisted the change, saying its own  reporting systems were sufficient.&lt;br /&gt;Pressure mounted on Facebook following the rape and murder of  17-year-old Ashleigh Hall by a 33-year-old convicted sex offender,  posing as a teenage boy, who she met on Facebook. 
&lt;br /&gt;Forty-four police chiefs in England, Wales and Scotland,  signed a letter backing Ceop's call for a panic button on every Facebook  page.&lt;br /&gt;&lt;span class="cross-head"&gt;'Reassurance for parents'&lt;/span&gt;      The  agreement to launch a child safety application is the culmination of  months of negotiation between Ceop and Facebook.&lt;br /&gt;Jim Gamble, Ceop's chief executive, said in a statement: "Our  dialogue with Facebook about adopting the ClickCeop button is well  documented - today however is a good day for child protection.  &lt;br /&gt;"By adding this application, Facebook users will have direct  access to all the services that sit behind our ClickCeop button which  should provide reassurance to every parent with teenagers on the site." &lt;br /&gt;Facebook's head of communications in the UK, Sophy Silver,  told BBC News that the new app would integrate reporting into both  Facebook and Ceop's systems.&lt;br /&gt;"Both sides are happy of where we have got to," she said.&lt;br /&gt;"We still have the Facebook reporting system and by having a  pre-packaged application that users play an active part in, you not only  help keep them safe, it makes all of their friends aware too, and acts  as a viral awareness campaign.&lt;br /&gt;"Ultimately though, this makes for a safer environment for  users and that's the most important part," she added.&lt;br /&gt;In addition to the online reporting application, a new  Facebook/Ceop page is being set up, with a range of topics that, it is  hoped, will be of interest to teenagers - such as celebrities, music and  exams - and will link these subjects to questions about online safety.&lt;br /&gt;&lt;br /&gt;http://news.bbc.co.uk&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-5401178286320615125?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' 
type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/5401178286320615125/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/07/facebook-to-launch-child-safety-panic.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5401178286320615125'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5401178286320615125'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/07/facebook-to-launch-child-safety-panic.html' title='Facebook to launch child safety &apos;panic button&apos;'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-8337147393329221098</id><published>2010-05-20T06:01:00.000-07:00</published><updated>2010-05-20T06:01:01.047-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cryptography'/><title type='text'>Quantum teleportation achieved over ten miles of free space</title><content type='html'>Quantum teleportation has achieved a new milestone or, should we say,  a new ten-milestone: scientists have recently had success teleporting  information between photons over a free space distance of nearly ten  miles, an unprecedented length. The researchers who have accomplished  this feat note that this brings us closer to communicating information  without needing a traditional signal, and that the ten miles they have  reached could span the distance between the surface of the earth and  space. 
&lt;br /&gt;&amp;nbsp; "Quantum teleportation" is quite different from  how many people imagine teleportation to work. Rather than picking one  thing up and placing it somewhere else, quantum teleportation involves  entangling two things, like photons or ions, so their states are  dependent on one another and each can be affected by the measurement of  the other's state.  &lt;br /&gt;When one of the items is sent a distance away, entanglement ensures that  changing the state of one causes the other to change as well, allowing  the teleportation of quantum information, if not matter. However, the  distance particles can be from each other has been limited so far to a  number of meters. &lt;br /&gt;Teleportation over distances of a few hundred meters has previously only  been accomplished with the photons traveling in fiber channels to help  preserve their state. In this particular experiment, researchers  maximally entangled two photons using both spatial and polarization  modes and sent the one with higher energy through a ten-mile-long free  space channel. They found that the distant photon was still able to  respond to changes in state of the photon they held onto even at this  unprecedented distance.  &lt;br /&gt;However, the long-distance teleportation of a photon is only a small  step towards developing applications for the procedure. While photons  are &lt;a href="http://arstechnica.com/science/news/2009/01/spooky-memory-at-a-distance-with-quantum-teleportation.ars"&gt;good  at transmitting information&lt;/a&gt;, they are not as good as ions at  allowing manipulation, an advancement we'd need for encryption.  
Researchers were also able to maintain the fidelity of the long-distance  teleportation at 89 percent—  decent enough for information, but still  dangerous for the whole-body human teleportation that we're all looking  forward to.&lt;br /&gt;&lt;br /&gt;&lt;span class="author"&gt;By &lt;a href="http://arstechnica.com/author/casey-johnston/"&gt;Casey Johnston&lt;/a&gt;&lt;/span&gt;&lt;br /&gt;&lt;em&gt;Science&lt;/em&gt;, 2010.  DOI: &lt;a href="http://dx.doi.org/10.1038/NPHOTON.2010.87"&gt;  10.1038/NPHOTON.2010.87&lt;/a&gt; &amp;nbsp;(&lt;a href="http://arstechnica.com/science/news/2010/03/dois-and-their-discontents-1.ars"&gt;About  DOIs&lt;/a&gt;). &lt;span class="author"&gt;&amp;nbsp;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-8337147393329221098?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/8337147393329221098/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/05/quantum-teleportation-achieved-over-ten.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8337147393329221098'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8337147393329221098'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/05/quantum-teleportation-achieved-over-ten.html' title='Quantum teleportation achieved over ten miles of free space'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-8987132978341947638</id><published>2010-05-14T00:41:00.000-07:00</published><updated>2010-05-14T00:41:33.980-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='scam'/><category scheme='http://www.blogger.com/atom/ns#' term='phising'/><title type='text'>Single group did 66% of world's phishing</title><content type='html'>A single criminal operation was responsible for two-thirds of all  phishing attacks in the second half of 2009 and is responsible for a  two-fold increase in the crime, a report published this week said.&lt;br /&gt;The Avalanche gang is believed to have risen out of the ashes of the  Rock Phish outfit, which by some estimates was &lt;a href="http://www.theregister.co.uk/2008/09/05/rock_phish_and_asprox_team_up/"&gt;responsible  for half the world's phishing attacks&lt;/a&gt; before fizzling out in late  2008. Driving the success of both groups is their use of  state-of-the-art technology for mass-producing imposter websites and  distributing huge amounts of crimeware for automating identity theft.&lt;br /&gt;&lt;div id="article-mpu-container"&gt;   "Avalanche uses the Rock's techniques but improved upon them,  introducing greater volume and sophistication," the report, released by  the Anti-Phishing Working Group, stated.&lt;br /&gt;&lt;/div&gt;Central to Avalanche's success is its use of fast-flux botnets to  host phishing sites. The use of peer-to-peer communications makes it  impossible for a single ISP or hosting provider to pull the plug on  the infrastructure. The gang also excels at launching attacks from a  relatively small number of domain names that often appear confusingly  identical to each other, such as 11f1iili.com and 11t1jtiil.com. 
Those  abilities also fuel the success.&lt;br /&gt;There were 126,697 phishing attacks during the second half of 2009,  more than double the number in the first half of the year or from July  through December of 2008, the APWG report said. Avalanche, which was  first identified in December of 2008, was responsible for 24 percent of  phishing attacks in the first half of 2009 and for 66 percent in the  second half. From July through the end of the year, Avalanche targeted  the more than 40 major financial institutions, online services, and job  search providers.&lt;br /&gt;Curiously, Avalanche may turn out to be a victim of its own success.&lt;br /&gt;"During an Avalanche campaign, it was not unusual for the target  institutions, the relevant domain name registrar(s), a domain name  registry, and other responders and service providers to all be aware of  the campaign and working on mitigation at the same time," the report  stated. "As a result, Avalanche attacks had a much shorter average  uptime than non-Avalanche phishing attacks, and community efforts  partially neutralized the advantage of the fast-flux hosting."&lt;br /&gt;White hats briefly shut down the Avalanche infrastructure in mid  November, and ever since then phishing attacks generated by the group  have dropped precipitously. Last month, the gang launched just 59  attacks, each one with a separate domain.&lt;br /&gt;&lt;br /&gt;A PDF of the report is &lt;a href="http://www.antiphishing.org/reports/APWG_GlobalPhishingSurvey_2H2009.pdf" target="_blank"&gt;here&lt;/a&gt;. 
® &lt;br /&gt;By Dan Goodin&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-8987132978341947638?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/8987132978341947638/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/05/single-group-did-66-of-worlds-phishing.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8987132978341947638'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8987132978341947638'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/05/single-group-did-66-of-worlds-phishing.html' title='Single group did 66% of world&apos;s phishing'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-5146663513520618347</id><published>2010-05-14T00:25:00.000-07:00</published><updated>2010-05-14T00:25:57.667-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='crimeware'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Thieves Flood Victim’s Phone With Calls to Loot Bank Accounts</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="http://www.wired.com/images_blogs/threatlevel/2010/05/mobile-phone_milica-sekulic.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="150" src="http://www.wired.com/images_blogs/threatlevel/2010/05/mobile-phone_milica-sekulic.jpg" width="200" /&gt;&lt;/a&gt;&lt;/div&gt;Bank thieves have rolled out a new weapon in their arsenal of tactics — telephony denial-of-service attacks that flood a victim’s phone with diversionary calls while the thieves drain the victim’s account of money.&lt;br /&gt;&lt;br /&gt;A Florida dentist lost $400,000 from his retirement account last year in this manner, and the FBI said the attacks are growing.&lt;br /&gt;&lt;br /&gt;A spokeswoman for the Communication Fraud Control Association — a telecom industry organization — told Threat Level that although fraudulent transfers have been halted in a number of cases, the losses are increasing.&lt;br /&gt;&lt;br /&gt;“I know it’s in the millions,” said Roberta Aranoff, executive director of the CFCA. “It has exceeded a million dollars easily.”&lt;br /&gt;&lt;br /&gt;Last November, Robert Thousand Jr., a semi-retired dentist in Florida, received a flood of calls to several phones. When he answered them, he heard a 30-second recording for a sex hotline, according to the St. Augustine Record.&lt;br /&gt;&lt;br /&gt;In December, he discovered that $399,000 had been drained from his Ameritrade retirement account shortly after he’d received the calls. About $18,000 was transferred from his account on Nov. 23, with a $82,000-transfer following two days later. Five days after that, another $99,000 was drained, followed by two transfers of $100,000 each on Dec. 2 and 4. The thieves withdrew the money in New York.&lt;br /&gt;&lt;br /&gt;Thousand’s son, who shares his name, received similar harassing calls, though his financial accounts were not touched.  
Thousand did not respond to a request from Threat Level for comment.&lt;br /&gt;&lt;br /&gt;The FBI says the calls were a diversionary tactic, meant to tie up Thousand’s line so that Ameritrade couldn’t reach him to authenticate the money transfer requests. FBI spokesman Bryan Travers said AT&amp;amp;T, Thousand’s phone carrier, contacted the agency’s New Jersey office to help investigate the matter. The agency has since seen at least 16 similar cases since November, most of them occurring in the last few weeks.&lt;br /&gt;&lt;br /&gt;In some cases, the victims simply heard dead air when they answered their phone or heard a brief advertisement or other recorded message. Some victims had to change their phone numbers to halt the harassing calls.&lt;br /&gt;&lt;br /&gt;The perpetrator who targeted Thousand created a number of VoIP accounts, which were used with automated dialing tools to flood the dentist’s home, business and cellphone with calls.&lt;br /&gt;&lt;br /&gt;Generally in these cases, Travers said, the thief obtains the victim’s account information through some other means — perhaps through a phishing attack or other method — and then contacts the financial institution to change the victim’s contact information. In this way, the institution will call the thief instead of the victim to verify a money transfer request.&lt;br /&gt;&lt;br /&gt;Many banks, however, now contact customers at their previous phone number when contact information on their account has changed.&lt;br /&gt;&lt;br /&gt;But with these attacks, the institution’s calls are prevented from reaching the victim, whose phone is tied up with a flood of diversionary calls.&lt;br /&gt;&lt;br /&gt;AT&amp;amp;T spokesman Marty Richter told Threat Level that the perpetrators then generally contact the financial institution posing as the victim to complain that a requested money transfer hasn’t gone through. 
When the institution discloses that it tried unsuccessfully to contact the victim to authenticate the transfer, the perpetrator says he’s been having phone troubles and verifies that the transfer should proceed.&lt;br /&gt;&lt;br /&gt;Richter says that other telecommunication companies have been alerted to the problem and are warning customers when they call to complain about harassing calls that the issue may be related to their financial accounts. The victims are warned to place fraud alerts on their financial and credit bureau accounts and block any electronic fraudulent money transfers that may be in the works.&lt;br /&gt;&lt;br /&gt;“This may appear to some people that they’re just having a connect issue with their phone carrier,” he said, “and we want to alert them that this may not be the case.”&lt;br /&gt;&lt;br /&gt;Travers said that in most cases so far, the victims have acted quickly enough to prevent money from being drained from their accounts, but he says there may be many other cases that haven’t yet been reported to the FBI. 
He urged consumers who may have been victims to contact the FBI.&lt;br /&gt;&lt;br /&gt;Read More http://www.wired.com/threatlevel/2010/05/telephony-dos/#ixzz0nt0tgdrn&lt;br /&gt;By Kim Zetter&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-5146663513520618347?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/5146663513520618347/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/05/thieves-flood-victims-phone-with-calls.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5146663513520618347'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5146663513520618347'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/05/thieves-flood-victims-phone-with-calls.html' title='Thieves Flood Victim’s Phone With Calls to Loot Bank Accounts'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-2118751408794768488</id><published>2010-05-13T00:45:00.000-07:00</published><updated>2010-05-13T00:45:04.019-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='law'/><category scheme='http://www.blogger.com/atom/ns#' term='password'/><title type='text'>German court orders wireless passwords for 
all</title><content type='html'>BERLIN (AP) -- Germany's top criminal court ruled Wednesday that Internet users need to secure their private wireless connections by password to prevent unauthorized people from using their Web access to illegally download data.&lt;br /&gt;&lt;br /&gt;Internet users can be fined up to euro100 ($126) if a third party takes advantage of their unprotected WLAN connection to illegally download music or other files, the Karlsruhe-based court said in its verdict.&lt;br /&gt;&lt;br /&gt;"Private users are obligated to check whether their wireless connection is adequately secured to the danger of unauthorized third parties abusing it to commit copyright violation," the court said.&lt;br /&gt;&lt;br /&gt;But the court stopped short of holding the users responsible for the illegal content the third party downloads themselves.&lt;br /&gt;&lt;br /&gt;The court also limited its decision, ruling that users could not be expected to constantly update their wireless connection's security - they are only required to protect their Internet access by setting up a password when they first install it.&lt;br /&gt;&lt;br /&gt;The national consumer protection agency said the verdict was balanced.&lt;br /&gt;&lt;br /&gt;Spokeswoman Carola Elbrecht told the German news agency DAPD it made sense that users should install protection for their wireless connection and that at the same time it was fair of the court not to expect constant technical updates by private users.&lt;br /&gt;&lt;br /&gt;The ruling came after a musician, who the court did not identify, sued an Internet user whose wireless connection was used to illegally download a song which was subsequently offered on an online file sharing network.&lt;br /&gt;&lt;br /&gt;But the user could prove that he was on vacation while the song was downloaded via his wireless connection. 
Still, the court ruled he was responsible to a degree for failing to protect his connection from abuse by third parties.&lt;br /&gt;&lt;br /&gt;About 26 million homes in Germany have wireless Internet access, according to Bitkom, the German Association for Information Technology, Telecommunications and New Media.&lt;br /&gt;&lt;br /&gt;© 2010 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-2118751408794768488?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/2118751408794768488/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/05/german-court-orders-wireless-passwords.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2118751408794768488'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2118751408794768488'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/05/german-court-orders-wireless-passwords.html' title='German court orders wireless passwords for all'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-5392762099228989934</id><published>2010-04-30T00:54:00.000-07:00</published><updated>2010-04-30T00:54:39.042-07:00</updated><category 
scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='exploits'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>PDF Exploits Explode, Continue Climb in 2010</title><content type='html'>Exploits of Adobe's PDF format jumped dramatically last year, and continue to climb during 2010, a McAfee security researcher said Wednesday.&lt;br /&gt;&lt;br /&gt;Microsoft, meanwhile, recently said that more than 46% of the browser-based exploits during the second half of 2009 were aimed at vulnerabilities in Adobe's free Reader PDF viewer.&lt;br /&gt;&lt;br /&gt;According to Toralv Dirro, a security strategist with McAfee Labs, the percentage of exploitative malware targeting PDF vulnerabilities has skyrocketed. In 2007 and 2008, only 2% of all malware that included a vulnerability exploit leveraged an Adobe Reader or Acrobat bug. The number jumped to 17% in 2009, and to 28% during the first quarter of 2010.&lt;br /&gt;&lt;br /&gt;"In the last three years, attackers have found PDF vulnerabilities more and more useful, for a couple of reasons," Dirro said. "First of all, it's increasingly difficult for them to find new vulnerabilities with the operating system and within browsers that they can exploit across the different versions of Windows. And second, Reader is one of the most widely deployed applications that allows files to be accessed or opened within the browser."&lt;br /&gt;&lt;br /&gt;Other factors for the jump in PDF exploits, argued Dirro, range from user belief that PDFs are safe to open, or at least safer to open than Microsoft Office documents, to the age of Adobe's code. "Quite a lot of PDF code was written years ago, and attackers are finding new security problems that no one thought of then," Dirro said. "That makes it difficult for Adobe to clean it up."&lt;br /&gt;&lt;br /&gt;A recent discovery illustrated Dirro's point. 
Earlier this month, Belgian researcher Didier Stevens demonstrated how malicious PDFs could use a by-design feature of the PDF specification to run attack code hidden in the file, and how to modify a warning message that Adobe Reader displays to further trick users into opening the document. Although some of what Stevens revealed has been publicly known for at least eight months, the technique has only been picked up by hackers in the last several weeks.&lt;br /&gt;&lt;br /&gt;A major malware campaign using Stevens' tactics began Tuesday, with malicious PDFs attached to messages masquerading as instructions from companies' network administrators.&lt;br /&gt;&lt;br /&gt;Microsoft also recently reported that PDF exploits remain a potent part of hackers' arsenals. In its newest Security Intelligence Report, Microsoft said that nearly half of all browser-based exploits in the second half of 2009 targeted Adobe's Reader. Three Reader vulnerabilities -- which were patched in May 2008, November 2008 and March 2009 -- accounted for more than 46% of all browser attacks.&lt;br /&gt;&lt;br /&gt;McAfee rival Symantec has also tracked an explosion in PDF-based attacks. According to Symantec's latest Internet Security Threat Report, published last week, malicious PDFs were responsible for 49% of all Web-based attacks in all of 2009, compared to just 11% in 2008.&lt;br /&gt;&lt;br /&gt;Like McAfee, Symantec also recorded a surge in reported Adobe Reader vulnerabilities. Of all browser plug-in bugs logged last year, 15% were in Reader's add-on for Internet Explorer, Firefox, Chrome and other Windows browsers. That was almost a four-fold increase from the 4% in 2008. And two of 2009's top five exploited vulnerabilities were in Adobe Reader.&lt;br /&gt;&lt;br /&gt;Adobe declined to comment specifically about McAfee's and Microsoft's statistics on Reader vulnerabilities. Instead, a spokeswoman forwarded a statement the company has used before. 
"Given the relative ubiquity and cross-platform reach of many of our products, in particular our clients, Adobe has attracted -- and will likely continue to attract -- increasing attention from attackers," she said in an e-mail. "The majority of attacks we are seeing are exploiting software installations that are not up-to-date on the latest security updates."&lt;br /&gt;&lt;br /&gt;The company's latest security move attempts to address the update issue; on April 13, Adobe switched on a service that silently updates customers' copies of Reader and Acrobat.&lt;br /&gt;&lt;br /&gt;Adobe may be working on other ways to beef up Reader and Acrobat. According to one security researcher, Adobe will add sandboxing defenses to its PDF software this year. Sandboxing, perhaps best known as a technique used by Google's Chrome browser, isolates processes from each other and the rest of the machine, preventing or hindering malicious code from escaping an application to wreak havoc or infect the computer with malware.&lt;br /&gt;&lt;br /&gt;Adobe has acknowledged it will add sandboxing to Flash -- another of its products that is frequently targeted by exploits -- and has it at the top of its to-do list, according to Paul Betlem, senior director of Flash Player engineering.&lt;br /&gt;&lt;br /&gt;Reader may, or may not, get sandboxing as well. When asked about the reports that Reader 10 would include sandboxing defenses, a company spokeswoman said Adobe had no announced plans but was "investigating how to get different features to work in a sandbox."&lt;br /&gt;&lt;br /&gt;McAfee's Dirro said adding sandboxing to Adobe Reader would be a smart move. "It's one of the most useful ways to address a lot of different vulnerabilities," he said. 
"Sandboxing had proven to be fairly efficient at stopping attacks."&lt;br /&gt;&lt;br /&gt;by Gregg Keizer &lt;br /&gt;http://www.pcworld.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-5392762099228989934?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/5392762099228989934/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/04/pdf-exploits-explode-continue-climb-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5392762099228989934'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5392762099228989934'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/04/pdf-exploits-explode-continue-climb-in.html' title='PDF Exploits Explode, Continue Climb in 2010'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-6904126104914011529</id><published>2010-04-07T02:28:00.001-07:00</published><updated>2010-04-07T02:28:55.316-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='google'/><category scheme='http://www.blogger.com/atom/ns#' term='botnet'/><title type='text'>Analysis of Attack on Google: Aurora Botnet Command Structure</title><content type='html'>&lt;a title="View Analysis of 
Attack on Google: Aurora Botnet Command Structure on Scribd" href="http://www.scribd.com/doc/27997888/Analysis-of-Attack-on-Google-Aurora-Botnet-Command-Structure" style="margin: 12px auto 6px auto; font-family: Helvetica,Arial,Sans-serif; font-style: normal; font-variant: normal; font-weight: normal; font-size: 14px; line-height: normal; font-size-adjust: none; font-stretch: normal; -x-system-font: none; display: block; text-decoration: underline;"&gt;Analysis of Attack on Google: Aurora Botnet Command Structure&lt;/a&gt; &lt;object id="doc_247593693982965" name="doc_247593693982965" height="500" width="100%" type="application/x-shockwave-flash" data="http://d1.scribdassets.com/ScribdViewer.swf" style="outline:none;" rel="media:document" resource="http://d1.scribdassets.com/ScribdViewer.swf?document_id=27997888&amp;access_key=key-1e28xb8rhxu9fxiwval0&amp;page=1&amp;viewMode=list" xmlns:media="http://search.yahoo.com/searchmonkey/media/" xmlns:dc="http://purl.org/dc/terms/" &gt;  &lt;param name="movie" value="http://d1.scribdassets.com/ScribdViewer.swf"&gt;&lt;param name="wmode" value="opaque"&gt;&lt;param name="bgcolor" value="#ffffff"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowScriptAccess" value="always"&gt;&lt;param name="FlashVars" value="document_id=27997888&amp;access_key=key-1e28xb8rhxu9fxiwval0&amp;page=1&amp;viewMode=list"&gt;&lt;embed id="doc_247593693982965" name="doc_247593693982965" src="http://d1.scribdassets.com/ScribdViewer.swf?document_id=27997888&amp;access_key=key-1e28xb8rhxu9fxiwval0&amp;page=1&amp;viewMode=list" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="500" width="100%" wmode="opaque" bgcolor="#ffffff"&gt;&lt;/embed&gt;  &lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-6904126104914011529?l=greekforensicscommunity.blogspot.com' alt='' 
/&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/6904126104914011529/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/04/analysis-of-attack-on-google-aurora.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6904126104914011529'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6904126104914011529'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/04/analysis-of-attack-on-google-aurora.html' title='Analysis of Attack on Google: Aurora Botnet Command Structure'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-3274679440690009366</id><published>2010-04-07T02:27:00.001-07:00</published><updated>2010-04-07T02:27:20.918-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='crimeware'/><category scheme='http://www.blogger.com/atom/ns#' term='scam'/><title type='text'>Kneber_Spearphishing_Crimeware</title><content type='html'>&lt;a title="View kneber_spearphishing_crimeware-1 on Scribd" href="http://www.scribd.com/doc/28594866/kneber-spearphishing-crimeware-1" style="margin: 12px auto 6px auto; font-family: Helvetica,Arial,Sans-serif; font-style: normal; font-variant: normal; font-weight: normal; font-size: 14px; line-height: normal; font-size-adjust: none; font-stretch: normal; -x-system-font: none; display: 
block; text-decoration: underline;"&gt;kneber_spearphishing_crimeware-1&lt;/a&gt; &lt;object id="doc_443088093123456" name="doc_443088093123456" height="500" width="100%" type="application/x-shockwave-flash" data="http://d1.scribdassets.com/ScribdViewer.swf" style="outline:none;" rel="media:document" resource="http://d1.scribdassets.com/ScribdViewer.swf?document_id=28594866&amp;access_key=key-1gfw4onfoawhh4lthhzm&amp;page=1&amp;viewMode=list" xmlns:media="http://search.yahoo.com/searchmonkey/media/" xmlns:dc="http://purl.org/dc/terms/" &gt;  &lt;param name="movie" value="http://d1.scribdassets.com/ScribdViewer.swf"&gt;&lt;param name="wmode" value="opaque"&gt;&lt;param name="bgcolor" value="#ffffff"&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;param name="allowScriptAccess" value="always"&gt;&lt;param name="FlashVars" value="document_id=28594866&amp;access_key=key-1gfw4onfoawhh4lthhzm&amp;page=1&amp;viewMode=list"&gt;&lt;embed id="doc_443088093123456" name="doc_443088093123456" src="http://d1.scribdassets.com/ScribdViewer.swf?document_id=28594866&amp;access_key=key-1gfw4onfoawhh4lthhzm&amp;page=1&amp;viewMode=list" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="500" width="100%" wmode="opaque" bgcolor="#ffffff"&gt;&lt;/embed&gt;  &lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-3274679440690009366?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/3274679440690009366/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/04/kneberspearphishingcrimeware.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/465677049890029931/posts/default/3274679440690009366'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3274679440690009366'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/04/kneberspearphishingcrimeware.html' title='Kneber_Spearphishing_Crimeware'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-1908187411759466950</id><published>2010-04-07T02:25:00.000-07:00</published><updated>2010-04-07T02:25:03.767-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0</title><content type='html'>&lt;a href="http://www.scribd.com/doc/29435784/SHADOWS-IN-THE-CLOUD-Investigating-Cyber-Espionage-2-0" style="display: block; font: 14px Helvetica,Arial,Sans-serif; margin: 12px auto 6px; text-decoration: underline;" title="View SHADOWS IN THE CLOUD:  Investigating Cyber Espionage 2.0 on Scribd"&gt;SHADOWS IN THE CLOUD:&amp;nbsp; Investigating Cyber Espionage 2.0&lt;/a&gt; &lt;object data="http://d1.scribdassets.com/ScribdViewer.swf" height="500" id="doc_115643760885" name="doc_115643760885" rel="media:document" resource="http://d1.scribdassets.com/ScribdViewer.swf?document_id=29435784&amp;amp;access_key=key-2h5br2vqs6283fun7iyh&amp;amp;page=1&amp;amp;viewMode=list" style="outline: medium none;" type="application/x-shockwave-flash" width="100%" xmlns:dc="http://purl.org/dc/terms/" 
xmlns:media="http://search.yahoo.com/searchmonkey/media/"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;param name="movie" value="http://d1.scribdassets.com/ScribdViewer.swf"&gt;&amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;param name="wmode" value="opaque"&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;param name="bgcolor" value="#ffffff"&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;param name="allowFullScreen" value="true"&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;param name="allowScriptAccess" value="always"&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;param name="FlashVars" value="document_id=29435784&amp;amp;access_key=key-2h5br2vqs6283fun7iyh&amp;amp;page=1&amp;amp;viewMode=list"&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp; &amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;embed id="doc_115643760885" name="doc_115643760885" src="http://d1.scribdassets.com/ScribdViewer.swf?document_id=29435784&amp;amp;access_key=key-2h5br2vqs6283fun7iyh&amp;amp;page=1&amp;amp;viewMode=list" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="500" width="100%" wmode="opaque" bgcolor="#ffffff"&gt;&lt;/embed&gt; &amp;nbsp;&amp;nbsp;&amp;nbsp; &lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-1908187411759466950?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/1908187411759466950/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/04/shadows-in-cloud-investigating-cyber.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/465677049890029931/posts/default/1908187411759466950'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1908187411759466950'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/04/shadows-in-cloud-investigating-cyber.html' title='SHADOWS IN THE CLOUD: Investigating Cyber Espionage 2.0'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-8292650335554514904</id><published>2010-04-07T02:24:00.000-07:00</published><updated>2010-04-07T02:24:11.586-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><title type='text'>Conducting Cybersecurity Research Legally and Ethically</title><content type='html'>&lt;h3&gt;Abstract&lt;/h3&gt;&lt;div class="p"&gt;&lt;!----&gt;&lt;/div&gt;The primary legal obstacles to conducting cybersecurity are not    outright prohibitions but rather the difficulty of determining    which of a large set of complex statutes might regulate a given    research project. Privacy, computer abuse, tort, and contract    law are all potentially applicable. Moreover, even when the law    permits a research activity, researchers may wonder whether    it is ethically permissible. This paper seeks to clarify these    issues by explaining  the areas of law that are most generally  applicable    to cybersecurity researchers and offering guidelines for evaluating    ethical issues that arise in this area of research.  
&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.usenix.org/event/leet08/tech/full_papers/burstein/burstein_html/"&gt;http://www.usenix.org/event/leet08/tech/full_papers/burstein/burstein_html/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-8292650335554514904?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/8292650335554514904/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/04/conducting-cybersecurity-research.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8292650335554514904'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8292650335554514904'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/04/conducting-cybersecurity-research.html' title='Conducting Cybersecurity Research Legally and Ethically'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-6626695967330013525</id><published>2010-03-04T05:20:00.000-08:00</published><updated>2010-03-04T05:20:45.478-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity theft'/><category scheme='http://www.blogger.com/atom/ns#' term='wireless'/><title type='text'>Wi-Fi 'Finders' Helping Thieves Locate and Steal Laptops</title><content type='html'>&lt;a 
href="http://www.blogcdn.com/www.switched.com/media/2010/03/wifi.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="200" src="http://www.blogcdn.com/www.switched.com/media/2010/03/wifi.jpg" width="200" /&gt;&lt;/a&gt;We don't recommend leaving your laptop in the car for any reason, but, if you must, make sure you turn off the Wi-Fi signal first. According to Network World, thieves are using devices meant to locate Wi-Fi networks to detect laptops and steal them. Apparently, just closing the screen won't prevent your laptop from being detected, either. Wi-Fi disconnection must be done manually, as it can take as long as a half-hour for a laptop to go into sleep mode.&lt;br /&gt;&lt;br /&gt;The Wi-Fi "finders" that crooks use are often cheap and easily accessible. For less than $20, a start-up thief can purchase a ballpoint pen with a built-in Wi-Fi detector. Of course, the cheaper models aren't as accurate when locating the signals. (Using one in a full parking lot would be akin to searching for a needle in a haystack.) But for $50, you could purchase &lt;a href="http://www.hawkingtech.com/products/productlist.php?CatID=33&amp;amp;FamID=102&amp;amp;ProdID=198"&gt;this Wi-Fi finder (pictured)&lt;/a&gt;, which makes finding a laptop stuffed in the trunk of a car easy as pie.&lt;br /&gt;&lt;br /&gt;What's our advice? Keep those laptops close at hand and make sure you only turn on the Wi-Fi signal when you'll be using it. 
[From: &lt;a href="http://www.networkworld.com/news/2010/030210-wifi-finders.html?hpg1=bn"&gt;Network World&lt;/a&gt;]&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-6626695967330013525?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/6626695967330013525/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/03/wi-fi-finders-helping-thieves-locate.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6626695967330013525'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6626695967330013525'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/03/wi-fi-finders-helping-thieves-locate.html' title='Wi-Fi &apos;Finders&apos; Helping Thieves Locate and Steal Laptops'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-3716474865527584596</id><published>2010-03-02T01:49:00.000-08:00</published><updated>2010-03-02T01:52:28.971-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='law'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Leaked intelligence documents:Facebook,Comcast, Microsoft</title><content type='html'>&lt;a onblur="try 
{parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.reputationdefenderblog.com/wp-content/uploads/2009/01/privacy.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 350px;" src="http://www.reputationdefenderblog.com/wp-content/uploads/2009/01/privacy.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://plug2play.blogspot.com/2010/03/leaked-intelligence-documents-heres.html"&gt;Leaked intelligence documents: Here's what Facebook and Comcast will tell the police about you!!!&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;a href="http://plug2play.blogspot.com/2010/03/leaked-microsoft-intelligence-document.html"&gt;Leaked Microsoft intelligence document: Here's what Microsoft will reveal to police about you&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-3716474865527584596?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/3716474865527584596/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/03/leaked-intelligence-documentsfacebookco.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3716474865527584596'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3716474865527584596'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/03/leaked-intelligence-documentsfacebookco.html' title='Leaked intelligence documents:Facebook,Comcast, 
Microsoft'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-7995246918030281568</id><published>2010-03-02T01:14:00.000-08:00</published><updated>2010-03-02T01:16:02.984-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='identity theft'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>FTC: Identity Theft Is No. 1 Consumer Complaint</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.wired.com/images_blogs/threatlevel/2010/02/picture-111.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://www.wired.com/images_blogs/threatlevel/2010/02/picture-111.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;Are you really you? It’s hard to say.&lt;br /&gt;&lt;br /&gt;That’s because identity theft was the top consumer complaint for 2009, the Federal Trade Commission reported Wednesday.&lt;br /&gt;&lt;br /&gt;It was also the top complaint from the year before, although 5 percent fewer consumers reported it in 2009, the commission said.&lt;br /&gt;&lt;br /&gt;Overall, of the 1.3 million complaints the agency received last year, 21 percent were for identity theft. 
Debt collection agencies ranked second, with 9 percent of complaints, according to the Consumer Sentinel Network Data Book released Wednesday.&lt;br /&gt;&lt;br /&gt;Credit card fraud was the top complaint when it comes to identity theft, followed by fraud related to government benefits, utilities, phones and loans.&lt;br /&gt;&lt;br /&gt;The FTC did not verify the complaints lodged with it. It said 72 percent of those reporting identity theft also notified a police department.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://ftc.gov/sentinel/reports/sentinel-annual-reports/sentinel-cy2009.pdf"&gt;The complete 101-page report (.pdf) is available here&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;By David Kravets&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-7995246918030281568?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/7995246918030281568/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/03/ftc-identity-theft-is-no-1-consumer.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7995246918030281568'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7995246918030281568'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/03/ftc-identity-theft-is-no-1-consumer.html' title='FTC: Identity Theft Is No. 
1 Consumer Complaint'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-3972915528281789783</id><published>2010-02-11T01:21:00.001-08:00</published><updated>2010-02-11T01:21:57.571-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='trojan'/><title type='text'>New Russian botnet tries to kill rival</title><content type='html'>&lt;span style="font-weight:bold;"&gt;'Kill Zeus' removes rival software from PCs, giving Spy Eye access to usernames, passwords&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;IDG News Service - An upstart Trojan horse program has decided to take on its much-larger rival by stealing data and then removing the malicious program from infected computers.&lt;br /&gt;&lt;br /&gt;Security researchers say that the relatively unknown [Spy Eye toolkit] added this functionality just a few days ago in a bid to displace its larger rival, known as Zeus.&lt;br /&gt;&lt;br /&gt;The feature, called "Kill Zeus," apparently removes the Zeus software from the victim's PC, giving Spy Eye exclusive access to usernames and passwords.&lt;br /&gt;&lt;br /&gt;Zeus and Spy Eye are both Trojan-making toolkits, designed to give criminals an easy way to set up their own "botnet" networks of password-stealing programs. These programs emerged as a major problem in 2009, with the U.S. Federal Bureau of Investigation estimating last October that they have caused $100 million in losses.&lt;br /&gt;&lt;br /&gt;Trojans such as Zeus and Spy Eye steal online banking credentials. This information is then used to empty bank accounts by transferring funds to so-called money mules -- U.S. 
residents with bank accounts -- who then move the cash out of the country.&lt;br /&gt;&lt;br /&gt;Sensing an opportunity, a number of similar Trojans have emerged recently, including Filon, Clod and [Bugat], which was discovered just last month.&lt;br /&gt;&lt;br /&gt;Spy Eye popped up in Russian cybercrime forums in December, according to Symantec Senior Research Manager Ben Greenbaum.&lt;br /&gt;&lt;br /&gt;With its "Kill Zeus" option, Spy Eye is the most aggressive crimeware, however. The software can also steal data as it is transferred back to a Zeus command-and-control server, said Kevin Stevens, a researcher with SecureWorks. "This author knows that Zeus has a pretty good market, and he's looking to cut in," he said.&lt;br /&gt;&lt;br /&gt;Turf wars are nothing new to cybercriminals. Two years ago a malicious program called Storm Worm began attacking servers controlled by a rival known as Srizbi. And a few years before that, the authors of the Netsky worm programmed their software to remove rival programs Bagle and MyDoom.&lt;br /&gt;&lt;br /&gt;Spy Eye sells for about $500 on the black market, about one-fifth the price of premium versions of Zeus. To date, it has not been spotted on many PCs, however.&lt;br /&gt;&lt;br /&gt;Still, the Trojan is being developed quickly and has a growing list of features, Greenbaum said. It can, for example, steal cached password information that is automatically filled in by the browser, and back itself up via e-mail. 
"This is interesting in its potential, but it's not currently a widespread threat at all," he said.&lt;br /&gt;&lt;br /&gt;By Robert McMillan&lt;br /&gt;http://www.computerworld.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-3972915528281789783?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/3972915528281789783/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/02/new-russian-botnet-tries-to-kill-rival.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3972915528281789783'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3972915528281789783'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/02/new-russian-botnet-tries-to-kill-rival.html' title='New Russian botnet tries to kill rival'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-2829472735175775069</id><published>2010-02-10T00:22:00.000-08:00</published><updated>2010-02-10T00:24:15.815-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='scam'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><title type='text'>Facebook ‘Cash Scam’ Continues to Grow Even Bigger</title><content type='html'>&lt;a 
onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://fourpastfour.com/wp-content/uploads/2010/02/facebook-scam.gif"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 157px;" src="http://fourpastfour.com/wp-content/uploads/2010/02/facebook-scam.gif" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;Over the past few years, social networking sites such as Facebook and Twitter have given unprecedented access to people’s private lives. More and more personal information is revealed through photos, status updates and conversations that are all being documented online. Last week, the Serious Fraud Office of London (SFO) warned that Facebook and Twitter are being used to harvest users’ personal financial details,&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;    “The public should be aware of the predatory nature of fraudsters and be careful about revealing personal information on social-networking sites, as this has become a primary method of harvesting information and targeting victims,” SFO said.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;In a joint venture between London police and Financial Services Authority, over 10,000 people were notified that their names were on a “master list” that contained a range of personal information, that might include: names, address, phone number, place of business, income and relationship status. While this is the only reported list, it’s quite possible thousands more were already victims of this latest cash scam.&lt;br /&gt;&lt;br /&gt;Facebook users may not mention all that personal information on their Facebook page, however, they may have it listed on a combination of networking sites. For example, a Facebook user will list their name and location along with photos on Facebook. 
The scammer can take that information and then look you up on LinkedIn and Twitter to find out your personal website, job, position, average income, number of years employed, education level and parlay all that information into a “cash scam.”&lt;br /&gt;&lt;br /&gt;Fraudsters are using this information to set up “boiler rooms” and contact people on this master list. Boiler rooms look to employ high pressure sales tactics to push unwanted, overpriced, or sometimes non-existent stock to unsuspecting buyers. Boiler rooms are nothing new, but using Facebook to gather leads and target people is becoming a serious problem.&lt;br /&gt;&lt;br /&gt;The FSA is clearly trying to stay ahead of the scam, “By writing to people now, we can raise awareness of this type of fraud and help protect people from losing money to these criminals,” FSA said. While multiple efforts are being taken to stop these criminals, these cash scams continue to grow and more boiler rooms continue to operate offshore. It’s up to the individual to be aware of such fraud and report any phone calls that you suspect could be criminal.&lt;br /&gt;&lt;br /&gt;In the meantime, keep your friends close, your Facebook account closed to outsiders, and don’t allow just anyone to view your personal details on your Facebook page.&lt;br /&gt;&lt;br /&gt;posted by Mr.404&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-2829472735175775069?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/2829472735175775069/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/02/facebook-cash-scam-continues-to-grow.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/465677049890029931/posts/default/2829472735175775069'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2829472735175775069'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/02/facebook-cash-scam-continues-to-grow.html' title='Facebook ‘Cash Scam’ Continues to Grow Even Bigger'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-4660536385180750962</id><published>2010-02-03T01:28:00.000-08:00</published><updated>2010-02-03T01:29:04.715-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='torrents'/><category scheme='http://www.blogger.com/atom/ns#' term='piracy'/><category scheme='http://www.blogger.com/atom/ns#' term='pornography'/><title type='text'>Census of Files Available via BitTorrent</title><content type='html'>BitTorrent is popular because it lets anyone distribute large files at low cost. Which kinds of files are available on BitTorrent? Sauhard Sahi, a Princeton senior, decided to find out. Sauhard's independent work last semester, under my supervision, set out to measure what was available on BitTorrent. This post, summarizing his results, was co-written by Sauhard and me.&lt;br /&gt;&lt;br /&gt;Sauhard chose a (uniform) random sample of files available via the trackerless variant of BitTorrent, using the Mainline DHT. The sample comprised 1021 files. He classified the files in the sample by file type, language, and apparent copyright status.&lt;br /&gt;&lt;br /&gt;Before describing the results, we need to offer two caveats. 
First, the results apply only to the Mainline trackerless BitTorrent system that we surveyed. Other parts of the BitTorrent ecosystem might be different. Second, all files that were available were equally likely to appear in the sample -- the sample was not weighted by number of downloads, and it probably contains files that were never downloaded at all. So we can't say anything about the characteristics of BitTorrent downloads, or even of files that are downloaded via BitTorrent, only about files that are available on BitTorrent.&lt;br /&gt;&lt;br /&gt;With that out of the way, here's what Sauhard found.&lt;br /&gt;&lt;br /&gt;File types&lt;br /&gt;&lt;br /&gt;46% movies and shows (non-pornographic)&lt;br /&gt;14% games and software&lt;br /&gt;14% pornography&lt;br /&gt;10% music&lt;br /&gt;1% books and guides&lt;br /&gt;1% images&lt;br /&gt;14% could not classify&lt;br /&gt;&lt;br /&gt;Movies/Shows&lt;br /&gt;&lt;br /&gt;For the movies and shows category, the predominant file format was AVI, and other formats included RMVB (a proprietary format for RealPlayer), MPEG, raw DVD, and some multi-part RAR archives. Interestingly, this section was heavily biased towards recent movies, instead of being spread out evenly over a number of years. In descending order of frequency, we found that 60% of the randomly selected movies and shows were in English, 8% were in Spanish, 7% were in Russian, 5% were in Polish, 5% were in Japanese, 4% were in Chinese, 4% could not be determined, 3% were in French, 1% were in Italian, and other infrequent languages accounted for 2% of the distribution.&lt;br /&gt;&lt;br /&gt;Games/Software&lt;br /&gt;&lt;br /&gt;For the games and software category, there was no clearly dominant file type, but common file types for software included ISO disc images, multi-part RAR archives, and EXE (Windows executables). The games were targeted for running on different architectures, such as the XBOX 360, Nintendo Wii, and Windows PCs. 
In descending order, we found that 74% of games and software in the sample were in English, 12% were in Japanese, 5% were in Spanish, 4% were in Chinese, 2% were in Polish, and 1% were in Russian and French each.&lt;br /&gt;&lt;br /&gt;Pornography&lt;br /&gt;&lt;br /&gt;For the pornography category, the predominant encoding format was AVI, similar to the movies category. However, there were significantly more MPG and WMV (Windows Media Video) files available. Also, most pornography torrents included the full pornographic video, a sample of the video (a 1-5 minute extract of the video), as well as posters or images of the porn stars in JPEG format. Also, as these videos are not typically dated like movies are, it is difficult to make any remarks regarding the recency bias for pornographic torrents. Our assumption would be that demand for pornography is not as time-sensitive as demand for movies, so it is likely that these pornographic videos constitute a broader spectrum of time than the movies do. In descending order, we found that 53% of pornography in our sample was in English, 16% was in Chinese, 15% was in Japanese, 6% was in Russian, 3% was in German, 2% was in French, 2% was unclassifiable, and Italian, Hindi, and Spanish appeared infrequently (1% each).&lt;br /&gt;&lt;br /&gt;Music&lt;br /&gt;&lt;br /&gt;For the music category, the predominant encoding format for music was MP3, there were some albums ripped to WMA (Windows Media Audio, a Microsoft codec), and there were also ISO images and multi-part RAR archives. There is still a bias towards recent albums and songs, but it is not as strongly evident as it is for movies—perhaps because people are more willing to continue seeding music even after it is no longer new, so these torrents are able to stay alive longer in the DHT. 
In descending order, we found that 78% of music torrents in our sample were in English, 6% were in Russian, 4% were in Spanish, 2% were in Japanese and Chinese each, and other infrequent languages appeared 1% each.&lt;br /&gt;&lt;br /&gt;Books/Guides&lt;br /&gt;&lt;br /&gt;The books/guides and images categories were fairly minor. We classified 15 torrents under books and guides—13 were in English, 1 was in French, and 1 was in Russian. We classified 3 image torrents—one was a set of national park wallpapers, one was a set of pictures of BMW cars (both of these are English), and one was a Japanese comic strip.&lt;br /&gt;&lt;br /&gt;Apparent Copyright Infringement&lt;br /&gt;&lt;br /&gt;Our final assessment involved determining whether or not each file seemed likely to be copyright-infringing. We classified a file as likely non-infringing if it appeared to be (1) in the public domain, (2) freely available through legitimate channels, or (3) user-generated content. These were judgment calls on our part, based on the contents of the files, together with some external research.&lt;br /&gt;&lt;br /&gt;By this definition, all of the 476 movies or TV shows in the sample were found to be likely infringing. We found seven of the 148 files in the games and software category to be likely non-infringing—including two Linux distributions, free plug-in packs for games, as well as free and beta software. In the pornography category, one of the 145 files claimed to be an amateur video, and we gave it the benefit of the doubt as likely non-infringing. All of the 98 music torrents were likely infringing. Two of the fifteen files in the books/guides category seemed to be likely non-infringing.&lt;br /&gt;&lt;br /&gt;Overall, we classified ten of the 1021 files, or approximately 1%, as likely non-infringing. This result should be interpreted with caution, as we may have missed some non-infringing files, and our sample is of files available, not files actually downloaded. 
Still, the result suggests strongly that copyright infringement is widespread among BitTorrent users.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-4660536385180750962?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/4660536385180750962/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/02/census-of-files-available-via.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/4660536385180750962'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/4660536385180750962'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/02/census-of-files-available-via.html' title='Census of Files Available via BitTorrent'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-5861251562135192396</id><published>2010-02-02T04:34:00.000-08:00</published><updated>2010-02-02T04:37:04.288-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pornography'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='cyber bullying'/><title type='text'>One in four children sent pornography, says surveyOne in four children have sent or been sent inappropriate material including pornography via email,</title><content 
type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://i.telegraph.co.uk/telegraph/multimedia/archive/01550/childLaptop_1550304c.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 288px;" src="http://i.telegraph.co.uk/telegraph/multimedia/archive/01550/childLaptop_1550304c.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;Photo: GETTY&lt;br /&gt;&lt;br /&gt;One in four children have sent or been sent inappropriate material including pornography via email, according to a survey. &lt;br /&gt;The research also found that one in 20 children, aged between six and 15, had communicated with a stranger via webcam and one in 50 have actually met a stranger they first contacted online.&lt;br /&gt;&lt;br /&gt;The report, which surveyed 500 children, found that many children are getting away with behaviour online that they wouldn’t get away with in the real world, largely because of their parents’ lack of understanding and awareness of their internet habits and of safety precautions. 
&lt;br /&gt;More than six out of 10 children (62 per cent) said they lie to parents about what they have been looking at online and over half (53 per cent) delete the history on their web browser so their parents can’t see what they have been looking at.&lt;br /&gt;&lt;br /&gt;The survey, by TalkTalk, the broadband provider, also found that one in nine (11 per cent) have either bullied someone online or been bullied online themselves.&lt;br /&gt;&lt;br /&gt;In December, the Government announced that every primary schoolchild in the country will be taught about the dangers of the internet and how to safely surf online.&lt;br /&gt;&lt;br /&gt;The “Click Clever, Click Safe” campaign comes in response to a report by Prof Tanya Byron, the child psychologist and broadcaster, who was asked by the Government to consider how to protect children online.&lt;br /&gt;&lt;br /&gt;Prof Tanya Byron, who oversaw the TalkTalk research, said: “It’s crucial that parents educate themselves about what’s going on online and what their kids are doing there.”&lt;br /&gt;&lt;br /&gt;By Urmee Khan, Digital and Media Correspondent&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-5861251562135192396?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/5861251562135192396/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/02/one-in-four-children-sent-pornography.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5861251562135192396'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5861251562135192396'/><link rel='alternate' 
type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/02/one-in-four-children-sent-pornography.html' title='One in four children sent pornography, says surveyOne in four children have sent or been sent inappropriate material including pornography via email,'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-3886871579287890137</id><published>2010-02-02T03:29:00.001-08:00</published><updated>2010-02-02T03:30:28.061-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='trojan'/><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'></title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://spectrum.ieee.org/image/1509713"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 150px; height: 110px;" src="http://spectrum.ieee.org/image/1509713" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;A story in yesterday's London Sunday Times that will not amuse the Chinese government says that the UK security service MI5 is claiming that undercover intelligence officers from the Chinese People’s Liberation Army and the Ministry of Public Security have approached UK businessmen at trade fairs and exhibitions with the offer of "lavish gifts" such as cameras and not so lavish gifts such as memory sticks that contain malware meant to remotely access their computers.&lt;br /&gt;&lt;br /&gt;The Times says that the information is in a 14-page MI5 document it has seen. 
According to the Times, the document states that the Chinese government "represents one of the most significant espionage threats to the UK," and that, "Any UK company might be at risk if it holds information which would benefit the Chinese."&lt;br /&gt;&lt;br /&gt;The Times also says that the Chinese are also targeting UK businessmen the good old-fashioned way as well - i.e., through offers of sex and money.&lt;br /&gt;&lt;br /&gt;Accepting free memory sticks at trade fairs - international or otherwise - is pretty dumb, and I am surprised that companies at trade fairs even offer them any more because of the obvious risk. You may recall that a few years ago, thumb drives with malicious code were found lying around the US Department of Justice just waiting for some curious person to plug them into the DOJ's network.&lt;br /&gt;&lt;br /&gt;I suppose that some people just can't pass up something that is "free."&lt;br /&gt;&lt;br /&gt;POSTED BY: Robert Charette &lt;br /&gt;http://spectrum.ieee.org/&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-3886871579287890137?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/3886871579287890137/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/02/story-in-yesterdays-london-sunday-times.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3886871579287890137'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3886871579287890137'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/02/story-in-yesterdays-london-sunday-times.html' 
title=''/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-3056743913778829371</id><published>2010-01-29T04:36:00.001-08:00</published><updated>2010-01-29T04:37:38.674-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>Security researchers blast credit card verification system</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://static.arstechnica.com/2009/02/25/credit-card-lock.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 300px; height: 169px;" src="http://static.arstechnica.com/2009/02/25/credit-card-lock.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;Some credit card companies use a system called 3-D Secure (3DS) that adds an extra step to transactions that are carried out on the Internet. Visa and MasterCard tout their security, but researchers are questioning their efficacy. &lt;br /&gt;&lt;br /&gt;When making a purchase, online shoppers are confronted with a validation check that requires them to supply a password—in addition to the standard security code that is on the card itself—in order to prove that they are the real owner of a credit card. Systems built on 3DS are better known by their brand names, which include Verified by Visa and MasterCard SecureCode.&lt;br /&gt;&lt;br /&gt;Security researchers say that these validation systems—which are used by over 200 million cardholders—suffer from serious security deficiencies. 
Although the failings of 3DS and its lack of conformance with best practices are well-documented, it has still been widely adopted by online retailers because it allows them to deflect the liability for fraud back to the credit card companies.&lt;br /&gt;&lt;br /&gt;Some of the credit card companies take advantage of 3DS by wrapping their implementations of the validation system in draconian terms of service that force users to agree to accept full liability for credit card fraud. To make matters worse, some retailers don't allow consumers to opt out. The 3DS Activation During Shopping (ADS) functionality often ropes in users and gets them to sign up without fully realizing what they are doing.&lt;br /&gt;&lt;br /&gt;In a paper presented at the Financial Cryptography conference, researchers Ross Anderson and Steven Murdoch reveal the dark underbelly of 3DS and show how the service is detrimental to consumers.&lt;br /&gt;&lt;br /&gt;"From the engineering point of view, [3DS] does just about everything wrong, and it's becoming a fat target for phishing," wrote Anderson in an entry at the University of Cambridge security research blog. "This is yet another case where security economics trumps security engineering, but in a predatory way that leaves cardholders less secure."&lt;br /&gt;&lt;br /&gt;The standard method of integrating 3DS verification in a website involves using HTML iframes. This is highly problematic, because it means that users won't be able to rely on the security features of their browser—such as certificate highlighting in the browser URL bar—to easily distinguish between phishing sites and legitimate 3DS verification. The inability to visually ascertain whether the certificate is valid exposes users to the possible risk of man-in-the-middle attacks.&lt;br /&gt;&lt;br /&gt;Another problem with 3DS that is highlighted in the report is that it fails to specify a consistent mechanism for verification. 
Individual implementors are free to determine the means for verification on their own, and often make really poor choices. For example, the report says that one bank requires cardholders to enter their ATM PIN during the verification process. This is a pretty shoddy security practice that encourages consumers to engage in risky practices that will expose them to significant risk from phishing scams.&lt;br /&gt;Fixing the problems&lt;br /&gt;&lt;br /&gt;The widespread and growing adoption of 3DS is difficult to combat because it offers built-in incentives for merchants and banks by making it easy for them to shift liability to the consumer. The researchers say that the time has come for better technology and regulatory intervention.&lt;br /&gt;&lt;br /&gt;Financial institutions have aggressively embraced the concept of electronic passwords in some countries—such as the UK—because passwords aren't covered by the laws that protect consumers from the consequences of transactions that are carried out with forged signatures. 
The security researchers say that the banks should only get to shift the liability to the consumer when transactions are validated by a trustworthy payment device—a piece of hardware, similar to a CAP calculator, that connects to the user's computer and implements a two-factor authentication model.&lt;br /&gt;Further reading&lt;br /&gt;&lt;br /&gt;    * &lt;a href="http://www.cl.cam.ac.uk/~rja14/Papers/fc10vbvsecurecode.pdf"&gt;Paper (PDF)&lt;/a&gt; (cl.cam.ac.uk)&lt;br /&gt;    * &lt;a href="http://news.yahoo.com/s/pcworld/20100127/tc_pcworld/3dsecureonlinepaymentsystemnotsecureresearcherssay"&gt;PCWorld &lt;/a&gt;(news.yahoo.com)&lt;br /&gt;&lt;br /&gt;By Ryan Paul  &lt;br /&gt;http://arstechnica.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-3056743913778829371?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/3056743913778829371/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/security-researchers-blast-credit-card.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3056743913778829371'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3056743913778829371'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/security-researchers-blast-credit-card.html' title='Security researchers blast credit card verification system'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-952552978201321785</id><published>2010-01-28T02:23:00.000-08:00</published><updated>2010-01-28T02:26:50.006-08:00</updated><title type='text'>How Unique is your browser</title><content type='html'>Is your browser configuration rare or unique? If so, web sites may be able to track you, even if you limit or disable cookies.&lt;br /&gt;&lt;br /&gt;Panopticlick tests your browser to see how unique it is based on the information it will share with sites it visits. Click below and you will be given a uniqueness score, letting you see how easily identifiable you might be as you surf the web.&lt;br /&gt;&lt;br /&gt;Only anonymous data will be collected by this site.&lt;br /&gt;&lt;a href="http://panopticlick.eff.org/"&gt;Check HERE&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-952552978201321785?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/952552978201321785/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/how-unique-is-your-browser.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/952552978201321785'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/952552978201321785'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/how-unique-is-your-browser.html' title='How Unique is your 
browser'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-1981828979625891980</id><published>2010-01-28T02:20:00.001-08:00</published><updated>2010-01-28T02:22:18.405-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='identity theft'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Pentagon Searches for ‘Digital DNA’ to Identify Hackers</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.wired.com/images_blogs/dangerroom/2010/01/0300202.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 400px;" src="http://www.wired.com/images_blogs/dangerroom/2010/01/0300202.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;One of the trickiest problems in cyber security is trying to figure who’s really behind an attack. Darpa, the Pentagon agency that created the Internet, is trying to fix that, with a new effort to develop the “cyber equivalent of fingerprints or DNA” that can identify even the best-cloaked hackers.&lt;br /&gt;&lt;br /&gt;The recent malware hit on Google and other U.S. tech firms showed once again just how hard it is to pin a network strike on a particular person or group. Engineers are pretty sure the attack came from China, and it sure was sophisticated enough to come from a state military like China’s. 
But it’s hard to say conclusively that the People’s Liberation Army launched the strike.&lt;br /&gt;&lt;br /&gt;It’s the kind of problem Darpa will try to solve with its “Cyber Genome” project. The idea “is to produce revolutionary cyber defense and investigatory technologies for the collection, identification, characterization, and presentation of properties and relationships from collected digital artifacts of software, data, and/or users,” the agency announced late Monday.&lt;br /&gt;&lt;br /&gt;These “digital artifacts” will be collected from “traditional computers, personal digital assistants, and/or distributed information systems such as ‘cloud computers’,” as well as “from wired or wireless networks, or collected storage media. The format may include electronic documents or software (to include malicious software - malware).”&lt;br /&gt;&lt;br /&gt;Ultimately, Darpa wants to develop the “digital equivalent of genotype, as well as observed and inferred phenotype in order to determine the identity, lineage, and provenance of digital artifacts and users.”&lt;br /&gt;&lt;br /&gt;“In other words,” The Register’s Lew Page notes, “any code you write, perhaps even any document you create, might one day be traceable back to you - just as your DNA could be if found at a crime scene, and just as it used to be possible to identify radio operators even on encrypted channels by the distinctive ‘fist’ with which they operated their Morse keys. 
Or something like that, anyway.”&lt;br /&gt;&lt;br /&gt;The Cyber Genome project kicks off this week with a conference in Virginia.&lt;br /&gt;&lt;br /&gt;[Photo: NASA]&lt;br /&gt;&lt;br /&gt;By Noah Shachtman&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-1981828979625891980?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/1981828979625891980/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/pentagon-searches-for-digital-dna-to.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1981828979625891980'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1981828979625891980'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/pentagon-searches-for-digital-dna-to.html' title='Pentagon Searches for ‘Digital DNA’ to Identify Hackers'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-8039071079392399983</id><published>2010-01-21T06:31:00.000-08:00</published><updated>2010-01-21T06:32:13.013-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='password'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'></title><content type='html'>&lt;a 
onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://i.telegraph.co.uk/telegraph/multimedia/archive/01563/password_1563199c.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 288px;" src="http://i.telegraph.co.uk/telegraph/multimedia/archive/01563/password_1563199c.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Imperva, a data security firm, said it had analysed around 32 million passwords that had been exposed in a recent hack of the RockYou website.&lt;br /&gt;&lt;br /&gt;In December last year a hacker breached the site's company database and gained access to the unencrypted usernames and passwords of all its 32 million users. &lt;br /&gt;After studying the security breach Imperva has come up with a list of the most commonly used passwords which website users should avoid.&lt;br /&gt;&lt;br /&gt;“Everyone needs to understand what the combination of poor passwords means in today’s world of automated cyber attacks: with only minimal effort, a hacker can gain access to one new account every second—or 1000 accounts every 17 minutes,” said Amichai Shulman, Imperva’s chief technical officer.&lt;br /&gt;&lt;br /&gt;“Employees using the same passwords on Facebook that they use in the workplace bring the possibility of compromising enterprise systems with insecure passwords, especially if they are using easy to crack passwords like ‘123456’,” he added.&lt;br /&gt;&lt;br /&gt;“The problem has changed very little over the past 20 years. It’s time for everyone to take password security seriously; it’s an important first step in data security.”&lt;br /&gt;&lt;br /&gt;The ten most commonly used passwords analysed in the study were:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;1. 123456&lt;br /&gt;&lt;br /&gt;2. 12345&lt;br /&gt;&lt;br /&gt;3. 123456789&lt;br /&gt;&lt;br /&gt;4. Password&lt;br /&gt;&lt;br /&gt;5. 
iloveyou&lt;br /&gt;&lt;br /&gt;6. princess&lt;br /&gt;&lt;br /&gt;7. rockyou&lt;br /&gt;&lt;br /&gt;8. 1234567&lt;br /&gt;&lt;br /&gt;9. 12345678&lt;br /&gt;&lt;br /&gt;10. abc123 &lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-8039071079392399983?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/8039071079392399983/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/imperva-data-security-firm-said-it-had.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8039071079392399983'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8039071079392399983'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/imperva-data-security-firm-said-it-had.html' title=''/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-8218874563479903468</id><published>2010-01-21T01:10:00.000-08:00</published><updated>2010-01-21T01:15:16.252-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='internet'/><title type='text'>The Internet is about to get a lot safer!</title><content type='html'>&lt;span style="font-weight:bold;"&gt;DNS, the Domain Name System, &lt;/span&gt;is one of the major 
pillars of the Internet. It’s a critical service, and without it we would all have to use IP addresses instead of handy domain names like “Pingdom.com” when we want to visit websites, send emails, and so on.&lt;br /&gt;&lt;br /&gt;However, DNS has a huge flaw. Because DNS lacks security features, it has been relatively easy for hackers to trick DNS servers with false information. By tricking DNS servers, hackers have been able to hijack entire websites. Needless to say, attacks such as these are a security nightmare and can be used for a large variety of malicious purposes such as site defacement, phishing, malware installations, and more.&lt;br /&gt;&lt;br /&gt;For example, last December (on the 17th) visitors to Twitter.com were redirected to a completely unrelated website for over an hour. All because of compromised DNS servers.&lt;br /&gt;&lt;br /&gt;In a step to counter these kinds of threats, a set of security extensions called DNSSEC has been developed. However, actually deploying these security extensions and making them part of the Internet’s DNS infrastructure has proven a long and arduous process with many delays. DNSSEC adoption today is, for all practical purposes, non-existent.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;DNS security, the story so far&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;DNSSEC stands for Domain Name System Security Extensions, and just as its name implies, it adds a layer of security on top of the otherwise insecure DNS. DNSSEC protects the integrity of DNS data and makes sure that it comes from a verified source.&lt;br /&gt;&lt;br /&gt;With DNSSEC, site owners such as Twitter can certify that they are the true originator of the Twitter.com domain and are therefore a credible source, and end users looking up domain names can verify that the result they get back is from a trusted source (e.g. 
the real Twitter).&lt;br /&gt;&lt;br /&gt;One of the main problems so far has been that for DNSSEC to be practically viable, it needs to be incorporated in the root zone, in the DNS root servers of the Internet. They are the core DNS servers that all other DNS servers depend on, like the roots of a tree or the foundation of a building. This so far hasn’t been the case.&lt;br /&gt;&lt;br /&gt;But next week, this important step is finally about to happen. Or rather, it will start to happen.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;DNS security extensions in the root zone&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Next week we will enter a testing phase where ICANN, the main organizing body of the Internet, and Verisign, the registry of .com and .net, start adding DNSSEC to the various DNS root servers on the Internet.&lt;br /&gt;&lt;br /&gt;Since the root servers are so critical, the rollout will be incremental and is planned to last well into May, with plenty of testing of the results in the meantime to make sure that there are no problems. After all, breaking the root zone would essentially break the entire Internet.&lt;br /&gt;&lt;br /&gt;Fortunately there isn’t any one single point of failure. There are 13 sets of root servers, numbered from A to M. In total there are about 200 root servers, spread all over the world.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://farm3.static.flickr.com/2750/4287295067_e0ac95d6c9_o.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://farm3.static.flickr.com/2750/4287295067_e0ac95d6c9_o.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Above: Map of root server locations. 
(From root-servers.org.)&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Provided the testing goes well, the security changes to the Internet’s DNS root servers will be made permanent on July 1. At this point security in the root zone will be switched on and we will have taken a big step toward a more secure Internet.&lt;br /&gt;&lt;br /&gt;This is actually Big News. There will still be a lot of work to be done to get the entire DNS infrastructure to properly support DNSSEC on all levels, and this will take time, but once DNSSEC is included in the root zone, DNSSEC adoption is predicted to get a huge boost.&lt;br /&gt;&lt;br /&gt;Posted in Main on January 19th, 2010 by Pingdom&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-8218874563479903468?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/8218874563479903468/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/internet-is-about-to-get-lot-safer.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8218874563479903468'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8218874563479903468'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/internet-is-about-to-get-lot-safer.html' title='The Internet is about to get a lot safer!'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-1179282625666643027</id><published>2010-01-18T01:24:00.000-08:00</published><updated>2010-01-18T01:30:29.835-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='law'/><category scheme='http://www.blogger.com/atom/ns#' term='scam'/><title type='text'>Would You Have Spotted the Fraud?</title><content type='html'>&lt;span style="font-weight:bold;"&gt;Pictured below is what’s known as a skimmer, or a device made to be affixed to the mouth of an ATM machine and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but thieves are constantly improving them, and the device pictured below is a perfect example of that evolution.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This particular skimmer was found Dec. 6, 2009, attached to the front of a Citibank ATM in Woodland Hills, Calif. Would you have been able to spot this?&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/skim1-2.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width:400px; height: 400px;" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/skim1-2.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This is a fairly professional job: Notice how the bulk of the electronics fit into the flap below the card acceptance slot. 
Also, check out the tiny pinhole camera (pictured below), ostensibly designed to switch on and record the victim’s movements as he or she enters their PIN at the ATM.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/skim2.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 600px;" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/01/skim2.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Also check these pics:&lt;br /&gt;&lt;br /&gt;&lt;a href="http://twitpic.com/4pko1"&gt;http://twitpic.com/4pko1&lt;/a&gt;&lt;br /&gt;&lt;a href="http://twitpic.com/4pknu"&gt;http://twitpic.com/4pknu&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;found on http://www.krebsonsecurity.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-1179282625666643027?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/1179282625666643027/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/would-you-have-spotted-fraud.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1179282625666643027'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1179282625666643027'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/would-you-have-spotted-fraud.html' title='Would You Have Spotted the 
Fraud?'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-3360397585520903085</id><published>2010-01-15T04:01:00.001-08:00</published><updated>2010-01-15T04:01:57.759-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='law'/><title type='text'>UPDATE:Police catch Facebook-taunting fugitive</title><content type='html'>LONDON - An escaped British convict whose online antics drew an international Internet fan base has been caught after nearly four months on the run, police said Wednesday.&lt;br /&gt;&lt;br /&gt;Craig "Lazie" Lynch, 28, was caught by Scotland Yard in southern England on Tuesday night. The force confirmed only that he had been arrested and gave few other details.&lt;br /&gt;&lt;br /&gt;Lynch was serving time for burglary at a minimum security prison in Suffolk, eastern England. He escaped on Sept. 
23 and has spent much of his time since posting defiant photos of himself mocking the police on the Internet.&lt;br /&gt;&lt;br /&gt;The ensuing media attention drew as many as 40,000 fans to his Facebook page and other associated fan sites, spawning T-shirts and even a tribute song.&lt;br /&gt;&lt;br /&gt;Lynch's page could not be located Wednesday.&lt;br /&gt;&lt;br /&gt;Suffolk Constabulary said that Lynch had been charged with escaping from custody and was due to appear in court later Wednesday.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-3360397585520903085?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/3360397585520903085/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/updatepolice-catch-facebook-taunting.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3360397585520903085'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3360397585520903085'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/updatepolice-catch-facebook-taunting.html' title='UPDATE:Police catch Facebook-taunting fugitive'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-2149920883073388466</id><published>2010-01-15T01:10:00.000-08:00</published><updated>2010-01-15T01:12:29.700-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='scam'/><title type='text'>Online scammers try to hijack Haiti donation bandwagon</title><content type='html'>&lt;span style="font-weight:bold;"&gt;People are rushing to help out the millions affected by this week's Haitian earthquake. Scammers are also rushing to take advantage of that generosity. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;News of this week's devastating earthquakes in Haiti spread quickly across the Internet as people looked for ways to help in the recovery efforts from home. As usual, scammers have seized the opportunity to take advantage of search engine trends by setting up fake charity sites and sending out spam soliciting donations that will go anywhere but Haiti.&lt;br /&gt;&lt;br /&gt;Scammers pop up anytime something significant happens, whether it's a natural disaster or the death of a celebrity, trying to redirect users to their just-registered domains to infect people with malware. Disasters such as the Haiti quakes, though, have the added benefit of concerned citizens wanting to donate money—indeed, as we learned during Hurricane Katrina, large numbers of ignorant Internet users were duped by fake donation sites and ended up sending their money to those with ill intentions instead of charities that could help those in need. 
And not all of them are obvious scams, either—one e-mail circulating in the UK claims to come from the British Red Cross and even displays the real Red Cross address in London, but directs users to a different domain when they try to click through.&lt;br /&gt;&lt;br /&gt;It's bad enough that several organizations have issued warnings this time around, urging those looking to donate to do their research and choose reputable charities. For example, &lt;a href="http://www.bbb.org/us/article/bbb-advises-donors-on-how-to-vet-haiti-earthquake-charity-appeals-14644"&gt;the Better Business Bureau has a quick guide&lt;/a&gt; on what to look for when donating money to Haiti recovery efforts. &lt;a href="http://www.fbi.gov/pressrel/pressrel10/earthquake011310.htm"&gt;The Federal Bureau of Investigation also has a fraud alert on its site&lt;/a&gt;, warning people to be wary of unsolicited e-mails, those soliciting on social networking sites, and those who claim to be making donations to a charity on your behalf. The takeaway from both the BBB and the FBI is to only donate to charities that you know and trust, and if you need help, there's a list where you can research relief organizations that are accredited by the BBB.&lt;br /&gt;&lt;br /&gt;If you don't have time or energy to do the research, however, we'll provide a few suggestions for you. The most obvious choice is to donate to the Red Cross, which has told various news outlets that it has already exhausted all of its supplies in Haiti and that there are far more people in need of help. However, the Red Cross website isn't the only place you can donate anymore—the organization says you can donate a quick $10 just by texting the word "Haiti" to 90999. 
There's also Doctors Without Borders/Médecins Sans Frontières, an international organization created by doctors that provides relief efforts around the world.&lt;br /&gt;&lt;br /&gt;There are a number of other donation memes spreading around Facebook and Twitter, most of which ask you to SMS something to a number to donate $5 or $10. We caution you, however, to be wary of these unless you hear it directly from a reputable organization (such as the Red Cross, as mentioned above)—there's no telling how much you're actually charging back to your own phone bill or what services you may inadvertently sign up for.&lt;br /&gt;&lt;br /&gt;While you wait for your donations to go through, you can head over &lt;a href="http://google-latlong.blogspot.com/2010/01/haiti-imagery-layer-now-available.html"&gt;to Google Maps&lt;/a&gt; to catch updated satellite images of the destruction areas. Google is also offering a KML overlay for Google Earth as part of its partnership with GeoEye.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-2149920883073388466?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/2149920883073388466/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/online-scammers-try-to-hijack-haiti.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2149920883073388466'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2149920883073388466'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/online-scammers-try-to-hijack-haiti.html' title='Online scammers try to hijack 
Haiti donation bandwagon'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-7168595492884652584</id><published>2010-01-08T06:14:00.001-08:00</published><updated>2010-01-08T06:17:06.360-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='law'/><category scheme='http://www.blogger.com/atom/ns#' term='identity theft'/><title type='text'>1 in 6 Massachusetts Residents Estimated Affected By Data Breaches from 2008 Through 2009</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://spectrum.ieee.org/image/1487041"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 150px; height: 108px;" src="http://spectrum.ieee.org/image/1487041" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;The Boston Globe had a sobering story over the weekend where it estimated that 1 in 6 Massachusetts residents were affected by some type of data breach over the past two years.&lt;br /&gt;&lt;br /&gt;According to the Globe, its review of state recorded data breaches showed that at least 1 million state residents had their data compromised through credit card theft, unauthorized medical information disclosures, or other types of confidential data breaches. 
The Globe story also provides a list of some of the more prominent data breaches reported to the state from June to November 2009 - there were 13 of them affecting over 88,000 residents.&lt;br /&gt;&lt;br /&gt;In 2007, Massachusetts &lt;a href="http://www.mass.gov/legis/laws/seslaw07/sl070082.htm"&gt;passed a law&lt;/a&gt; requiring institutions such as banks, stores, universities, etc., to inform consumers and state regulators about security breaches that might result in identity theft. Since then, some 807 data breaches have been reported to state officials by the end of November 2009, the Globe says.&lt;br /&gt;&lt;br /&gt;The Globe said that 60% of the disclosed data breaches were caused by criminal acts, while 40% were due to negligence.&lt;br /&gt;&lt;br /&gt;However, the Massachusetts disclosure law has some loopholes that were exposed by the Hannaford episode in 2008 which may result in underreporting of unauthorized data disclosures.&lt;br /&gt;&lt;br /&gt;In addition, according to this &lt;a href="http://weis2008.econinfosec.org/papers/Romanosky.pdf"&gt;paper by Sasha Romanosky et al.&lt;/a&gt; at the Heinz School of Public Policy and Management at Carnegie Mellon University, disclosure laws such as the one in Massachusetts don't do much in the way of reducing identity theft.&lt;br /&gt;&lt;br /&gt;Given the number of data breaches, it is almost a certainty that someone in Massachusetts has had their personal data disclosed more than once. If anyone has had this happen to them, I would be very interested in hearing about it.&lt;br /&gt;&lt;br /&gt;The Globe also writes that, "On March 1, new state regulations will require organizations to take stronger measures to ensure data security. Institutions that hold such personal data will have to write an official security program and train employees to follow it. 
In addition, organizations will have to encrypt all personal data stored on laptops, flash drives, or other portable devices, or that is transmitted over the public Internet or wireless networks."&lt;br /&gt;&lt;br /&gt;It will be interesting to see how long after the 1st of March it will be before a data breach is disclosed to state officials that violates these new rules. I would be surprised if it takes more than 3 months&lt;br /&gt;&lt;br /&gt;POSTED BY: Robert Charette&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-7168595492884652584?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/7168595492884652584/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/1-in-6-massachusetts-residents.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7168595492884652584'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7168595492884652584'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/1-in-6-massachusetts-residents.html' title='1 in 6 Massachusetts Residents Estimated Affected By Data Breaches from 2008 Through 2009'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-2187042883613027572</id><published>2010-01-05T00:11:00.000-08:00</published><updated>2010-01-05T00:13:50.708-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>New airport  scanners break child porn laws</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://static.guim.co.uk/sys-images/Guardian/Pix/pixies/2010/1/4/1262643213492/Airport-body-scanner-001.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 250px;" src="http://static.guim.co.uk/sys-images/Guardian/Pix/pixies/2010/1/4/1262643213492/Airport-body-scanner-001.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;A 12-month trial at Manchester airport of full body scanners only went ahead last month after under-18s were exempted. Photograph: Paul Ellis/AFP/Getty Images&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The rapid introduction of full body scanners at British airports threatens to breach child protection laws which ban the creation of indecent images of children, the Guardian has learned.&lt;br /&gt;&lt;br /&gt;Privacy campaigners claim the images created by the machines are so graphic they amount to "virtual strip-searching" and have called for safeguards to protect the privacy of passengers involved.&lt;br /&gt;&lt;br /&gt;Ministers now face having to exempt under 18s from the scans or face the delays of introducing new legislation to ensure airport security staff do not commit offences under child pornography laws.&lt;br /&gt;&lt;br /&gt;They also face demands from civil liberties groups for safeguards to ensure that images from the £80,000 scanners, including those of celebrities, do not end up on the internet. 
The Department for Transport confirmed that the "child porn" problem was among the "legal and operational issues" now under discussion in Whitehall after Gordon Brown's announcement on Sunday that he wanted to see their "gradual" introduction at British airports.&lt;br /&gt;&lt;br /&gt;A 12-month trial at Manchester airport of scanners which reveal naked images of passengers including their genitalia and breast enlargements, only went ahead last month after under-18s were exempted.&lt;br /&gt;&lt;br /&gt;The decision followed a warning from Terri Dowty, of Action for Rights of Children, that the scanners could breach the Protection of Children Act 1978, under which it is illegal to create an indecent image or a "pseudo-image" of a child.&lt;br /&gt;&lt;br /&gt;Dowty told the Guardian she raised concerns with the Metropolitan police five years ago over plans to use similar scanners in an anti-knife campaign, and when the Department for Transport began a similar trial in 2006 on the Heathrow Express rail service from Paddington station.&lt;br /&gt;&lt;br /&gt;"They do not have the legal power to use full body scanners in this way," said Dowty, adding there was an exemption in the 1978 law to cover the "prevention and detection of crime" but the purpose had to be more specific than the "trawling exercise" now being considered.&lt;br /&gt;&lt;br /&gt;A Manchester airport spokesman said their trial had started in December, but only with passengers over 18 until the legal situation with children was clarified. So far 500 people have taken part on a voluntary basis with positive feedback from nearly all those involved.&lt;br /&gt;&lt;br /&gt;Passengers also pass through a metal detector before they can board their plane. 
Airport officials say the scanner image is only seen by a single security officer in a remote location before it is deleted.&lt;br /&gt;&lt;br /&gt;A Department for Transport spokesman said: "We understand the concerns expressed about privacy in relation to the deployment of body scanners. It is vital staff are properly trained and we are developing a code of practice to ensure these concerns are properly taken into account. Existing safeguards also mean those operating scanners are separated from the device, so unable to see the person to whom the image relates, and these anonymous images are deleted immediately."&lt;br /&gt;&lt;br /&gt;But Shami Chakrabarti, of Liberty, had concerns over the "instant" introduction of scanners: "Where are the government assurances that electronic strip-searching is to be used in a lawful and proportionate and sensitive manner based on rational criteria rather than racial or religious bias?" she said.&lt;br /&gt;&lt;br /&gt;Her concerns were echoed by Simon Davies of Privacy International who said he was sceptical of the privacy safeguards being used in the United States. 
Although the American system insists on the deletion of the images, he believed scans of celebrities or of people with unusual or freakish body profiles would prove an "irresistible pull" for some employees.&lt;br /&gt;&lt;br /&gt;The disclosures came as Downing Street insisted British intelligence information that the Detroit plane suspect tried to contact radical Islamists while a student in London was passed on to the US.&lt;br /&gt;&lt;br /&gt;Umar Farouk Abdulmutallab's name was included in a dossier of people believed to have made attempts to deal with extremists, but he was not singled out as a particular risk, Brown's spokesman said.&lt;br /&gt;&lt;br /&gt;President Barack Obama has criticised US intelligence agencies for failing to piece together information about the 23-year-old that should have stopped him boarding the flight.&lt;br /&gt;&lt;br /&gt;Brown's spokesman said "There was security information about this individual's activities and that was shared with the US authorities."&lt;br /&gt;&lt;br /&gt;by &lt;br /&gt;Alan Travis, home affairs editor&lt;br /&gt;guardian.co.uk&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-2187042883613027572?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/2187042883613027572/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2010/01/new-airport-scanners-break-child-porn.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2187042883613027572'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2187042883613027572'/><link rel='alternate' type='text/html' 
href='http://greekforensicscommunity.blogspot.com/2010/01/new-airport-scanners-break-child-porn.html' title='New airport  scanners break child porn laws'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-4879640042652565492</id><published>2009-12-24T02:28:00.001-08:00</published><updated>2009-12-24T02:29:48.318-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><title type='text'>Escaped prisoner taunts police on Facebook</title><content type='html'>&lt;span style="font-weight:bold;"&gt;An escaped prisoner, Craig Lynch, has set up a Facebook page and is using it to taunt police by posting messages about his whereabouts. &lt;/span&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://i.telegraph.co.uk/telegraph/multimedia/archive/01547/lynch2_1547769c.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 460px; height: 288px;" src="http://i.telegraph.co.uk/telegraph/multimedia/archive/01547/lynch2_1547769c.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;Craig "Lazie" Lynch vanished from Hollesley Bay Prison in Suffolk in September this year close to the end of a seven-year sentence for aggravated burglary.&lt;br /&gt;&lt;br /&gt;Instead of hiding away from police Lynch has set up a Facebook account complete with a photograph sticking his middle finger up and boasts about eating 12lb steaks and his home being so warm it feels like the Caribbean. 
&lt;br /&gt;&lt;br /&gt;The burglar has become a prolific Facebooker with 199 friends and has even posted when he is going round to friends' homes and attending parties and events.&lt;br /&gt;&lt;br /&gt;In a status update via mobile phone on Monday, Lynch said: "Craig 'Lazie' Lynch just had bundles of fun on the ice in me motor. Pure a--- out action, but well controlled."&lt;br /&gt;&lt;br /&gt;In another at the weekend he said: "Craig 'Lazie' Lynch just nearly wrote my motor off again. Ice everywhere I went round the corner and ended up halfway on someone's driveway!!"&lt;br /&gt;&lt;br /&gt;While Lynch should be doing porridge he boasted about tucking into extravagant meals: "Craig 'Lazie' Lynch mmm I just had a 12lb venison steak. Roasted veg and chips, bangin meal."&lt;br /&gt;&lt;br /&gt;And instead of languishing in a prison cell he taunted police by saying his home is so warm it is tropical.&lt;br /&gt;&lt;br /&gt;He said: "That's on already if it gets any colder durin xmas we'll have to stick the sun bed on as an extra heater we did it the other night it felt like the Caribbean in the bedroom ha ha."&lt;br /&gt;&lt;br /&gt;The 28-year-old, who has links to Edgware and north east London, escaped from the open prison on September 23 and has not been seen since although, according to his Facebook page, police could find him at a New Year's Eve party in Lowestoft or another event in Norwich in February.&lt;br /&gt;&lt;br /&gt;In a section with information about him Lynch states: "Life is what you make it, live fast, die young!!!" The criminal is also thought to have posted messages on local newspaper websites asking if there is a reward for his recapture.&lt;br /&gt;&lt;br /&gt;John Gummer, MP for Suffolk Coastal, criticised the Government for using the open prison as a dumping ground.&lt;br /&gt;&lt;br /&gt;He added: "I think it's very dangerous to assume the police could easily locate someone through a social networking site. 
We all know that one of the problems of a virtual world is that people can be very difficult to track down in the real world.&lt;br /&gt;&lt;br /&gt;"However once again it does show that Hollesley Bay is being used for detaining people who should not be in an open prison because of a shortness of prison places that the Government seems unwilling to admit."&lt;br /&gt;&lt;br /&gt;A Prison Service spokesman said the search for Lynch is a police matter and added that only prisoners who are assessed to be a low risk to the public are given places in an open prison. He added that 96 per cent of prisoners who escape are recaptured.&lt;br /&gt;&lt;br /&gt;The Metropolitan Police refused to comment about Lynch's Facebook account but a spokeswoman for Suffolk Constabulary said routine checks are carried out on addresses he is linked to and his details have been circulated on the Police National Computer.&lt;br /&gt;&lt;br /&gt;She added: "Because he has no links to Suffolk, other than the fact that he was in prison here, then these checks may be carried out by colleagues in other parts of the country."&lt;br /&gt;&lt;br /&gt;Anyone with information about Lynch's whereabouts can contact Suffolk Police on 01473 613500.&lt;br /&gt;&lt;br /&gt;found on http://www.telegraph.co.uk/&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-4879640042652565492?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/4879640042652565492/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/12/escaped-prisoner-taunts-police-on.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/4879640042652565492'/><link 
rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/4879640042652565492'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/12/escaped-prisoner-taunts-police-on.html' title='Escaped prisoner taunts police on Facebook'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-8142848303156658198</id><published>2009-12-24T00:42:00.000-08:00</published><updated>2009-12-24T00:59:07.406-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='law'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>Kid uses facebook to blackmail classmates into sex.</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.truecrimereport.com/assets_c/2009/12/Anthony-R-Stancl-election-party-thumb-420x279.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 320px; height: 213px;" src="http://www.truecrimereport.com/assets_c/2009/12/Anthony-R-Stancl-election-party-thumb-420x279.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;From a purely depraved perspective, Anthony R. Stancl's plot was simple and effective. He went on Facebook posing as a girl named "Kayla," then chatted up his male classmates at Eisenhower High School in New Berlin, Wisconsin. The fictitious "Kayla" had a way with the boys, convincing 31 to send Stancl pictures of themselves naked...&lt;br /&gt;&lt;br /&gt;​But that's when "Kayla" would turn on her Facebook lovers. 
Once they sent the photos, she would threaten to send them to the rest of the school unless they had sex with fellow student Anthony R. Stancl.&lt;br /&gt;&lt;br /&gt;It didn't work on all 31, but police believe at least seven boys fell for the ruse. They would meet for sex with Stancl in the high school bathroom, the school parking lot, the men's room at the public library, and various parks around town. The victims ranged in age from 13-19.&lt;br /&gt;&lt;br /&gt;The scam might have continued if Stancl hadn't overplayed his cards. One 15-year-old boy repeatedly had sex with Stancl to avoid having his naked photos sent around the school. Stancl would then photograph the encounters to add to his leverage.&lt;br /&gt;&lt;br /&gt;Then Stancl tried to push the envelope, asking for naked pictures of the boy's brother. The kid didn't want his brother involved, so he told his parents, who in turn called the cops. When detectives grabbed Stancl's computer, they found it loaded with evidence, containing more than 300 nude photos of classmates at Eisenhower High School.&lt;br /&gt;&lt;br /&gt;Stancl originally faced 12 felonies that could have landed him nearly 300 years in prison. But yesterday, he pleaded no contest to lesser charges of sexual assault and repeated sexual assault of a minor. The 19-year-old still faces up to 50 years in the slam.&lt;br /&gt;&lt;br /&gt;Detectives say the victims were more than happy with the plea, since it kept them from having to out themselves in court.&lt;br /&gt;&lt;br /&gt;"I've never had a case where the victims and their families were more apprehensive about testifying," Waukesha County district attorney Brad Schimel told the Associated Press. "From the victims' perspective, they're relieved we're doing this." 
&lt;br /&gt;&lt;br /&gt;By Pete Kotz&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-8142848303156658198?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/8142848303156658198/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/12/kid-uses-facebook-to-blackmail.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8142848303156658198'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8142848303156658198'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/12/kid-uses-facebook-to-blackmail.html' title='Kid uses facebook to blackmail classmates into sex.'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-8969178072356950287</id><published>2009-12-15T01:05:00.000-08:00</published><updated>2009-12-15T01:07:50.336-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Tools'/><title type='text'>Hackers Brew Self-Destruct Code to Counter Police Forensics</title><content type='html'>Hackers have released an application designed to thwart a Microsoft-packaged forensic toolkit used by law enforcement agencies to examine a suspect’s hard drive during a raid.&lt;br /&gt;&lt;br /&gt;The hacker 
tool, dubbed DECAF, is designed to counteract the Computer Online Forensic Evidence Extractor, aka COFEE. The latter is a suite of 150 bundled, off-the-shelf forensic tools that run from a script. Microsoft combined the programs into a portable tool that can be used by law enforcement agents in the field before they bring a computer back to their forensic lab. The script runs on a USB stick that agents plug into the machine.&lt;br /&gt;&lt;br /&gt;The tools scan files and gather information about activities performed on the machine, such as where the user surfed on the internet or what files were downloaded.&lt;br /&gt;&lt;br /&gt;Someone submitted the COFEE suite to the whistleblower site Cryptome last month, prompting Microsoft lawyers to issue a take-down notice to the site. The tool was also being distributed through the BitTorrent file-sharing network.&lt;br /&gt;&lt;br /&gt;This week two unnamed hackers released DECAF, an application that monitors a computer for any signs that COFEE is operating on the machine.&lt;br /&gt;According to the Register, the program deletes temporary files or processes associated with COFEE, erases all COFEE logs, disables USB drives, and contaminates or spoofs a variety of MAC addresses to muddy forensic tracks.&lt;br /&gt;&lt;br /&gt;The hackers say that later releases of the program will allow computer owners to remotely lock down their machine once they detect that it has fallen into law enforcement hands. 
The hackers, however, have not released source code for the program, which would make it easy for anyone to see if the program contains malware that might also harm a computer or allow the attackers to take control of it.&lt;br /&gt;&lt;br /&gt;By Kim Zetter&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-8969178072356950287?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/8969178072356950287/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/12/hackers-brew-self-destruct-code-to.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8969178072356950287'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8969178072356950287'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/12/hackers-brew-self-destruct-code-to.html' title='Hackers Brew Self-Destruct Code to Counter Police Forensics'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-7930616656577956948</id><published>2009-12-04T00:22:00.000-08:00</published><updated>2009-12-04T00:29:08.711-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='spam'/><title type='text'>H1N1 malware epidemic is more contagious than real 
deal</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://static.arstechnica.com/hamthrax-listing.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 300px; height: 169px;" src="http://static.arstechnica.com/hamthrax-listing.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Malware authors are impersonating the CDC in a new scheme to propagate a trojan horse. Fraudulent e-mails sent by a botnet claim that the recipient must register for a fake state vaccination program but really link to a malware-infested phishing website.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The Center for Disease Control (CDC) issued a statement this week to warn citizens about a recent wave of phishing e-mails that deceptively claim to be from the government organization. The e-mails refer to a state vaccination program and tell recipients that they have to create a personal H1N1 vaccination profile.&lt;br /&gt;&lt;br /&gt;No such vaccination program exists. A link in the e-mail directs users to a fraudulent website that attempts to infect their computer with malware. Specifically, the fake H1N1 messages are being used to propagate ZBot (also known as Zeus), a trojan horse that powers one of the most active botnets. The program serves as a spam relay and also surreptitiously collects private data about the user to funnel back to the botnet operator.&lt;br /&gt;&lt;br /&gt;E-mail security company AppRiver detected the malware campaign earlier this week when it seemingly exploded in volume. The company's researchers wrote about it in a blog entry.&lt;br /&gt;&lt;br /&gt;"We are seeing these messages at the extremely high rate of nearly 18,000 messages per minute netting over 1 million of these messages in the first hour alone," they wrote. 
"It is now officially flu season and considering the recent concerns over the H1N1 vaccine, I expect this to be a highly effective campaign against those who are not protected from this cyber-threat."&lt;br /&gt;&lt;br /&gt;Security company Sunbelt Software, which publishes monthly reports on the prevalence of malware threats, says that ZBot held the top spot for seven months but declined sharply last month. Its November report, which was published today, lists ZBot as the second most prevalent malware threat and says that it represents 6 percent of all malware infections. The new H1N1 phishing scheme could potentially give it a boost.&lt;br /&gt;&lt;br /&gt;ZBot's authors have used similar tactics in the past. A report at the CA Security Advisor Research Blog describes how previous iterations of have used fake e-mails claiming to come from the IRS, FDIC, and Microsoft. The websites linked in the e-mails attempt to get users to download the malware. They also have embedded iframes with PDF or Flash content that attempts to take advantage of security vulnerabilities in Adobe's software. Although Adobe has patched known vulnerabilities, users who have not updated to the latest versions are at risk.&lt;br /&gt;&lt;br /&gt;Malware propagation is largely an exercise in social engineering. 
These fraudulent e-mails expand the botnet pool by preying on the ignorance and fear of recipients.&lt;br /&gt;&lt;br /&gt;By Ryan Paul&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-7930616656577956948?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/7930616656577956948/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/12/h1n1-malware-epidemic-is-more.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7930616656577956948'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7930616656577956948'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/12/h1n1-malware-epidemic-is-more.html' title='H1N1 malware epidemic is more contagious than real deal'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-7023158144690297920</id><published>2009-12-02T01:56:00.000-08:00</published><updated>2009-12-02T01:58:35.948-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='law'/><category scheme='http://www.blogger.com/atom/ns#' term='news'/><category scheme='http://www.blogger.com/atom/ns#' term='spam'/><title type='text'>Viagra spam gang fined $15.2m in US court</title><content type='html'>A US district court has ordered the largest "spam gang" in the world to 
pay nearly $15.2 million (£9.4 million) for sending unsolicited email messages marketing male-enhancement pills, prescription drugs and weight-loss supplements, the US Federal Trade Commission said Monday.&lt;br /&gt;&lt;br /&gt;Spamhaus, the antispam organisation, called the email marketing network the "No. 1 worst spam gang" on the Internet for much of 2007 and 2008.&lt;br /&gt;&lt;br /&gt;Australian resident Lance Atkinson, the spam ring's leader, has paid more than $80,000 to New Zealand authorities after confirming his involvement in the spam network, and accomplice Jody Smith, a US resident, has agreed to an order that he turn over nearly all his assets to the FTC, the agency said.&lt;br /&gt;&lt;br /&gt;In October 2008, a judge in the US District Court for the Northern District of Illinois, Eastern Division, ordered an asset freeze and a halt to the network's operation, which generated more than 3 million complaints to law enforcement authorities, the FTC said.&lt;br /&gt;&lt;br /&gt;Earlier this month, the court issued a default judgment against Atkinson, his company, and three companies affiliated with Smith. In addition to the $15.2 million that Atkinson and his company have been ordered to pay, the three companies affiliated with Smith are liable for nearly $3.8 million.&lt;br /&gt;&lt;br /&gt;Atkinson and Smith recruited spammers from around the world, according to the FTC’s complaint, filed last year. Those spammers sent billions of e-mail messages directing consumers to websites operated by an affiliate program called Affking, according to the complaint. The spammers used false header information to hide the origin of the messages and failed to provide an opt-out link or list a physical postal address, violations of the US CAN-SPAM Act, the FTC said.&lt;br /&gt;&lt;br /&gt;The spam network, using the Canadian Healthcare brand name and other labels, marketed a male-enhancement pill, prescription drugs and a weight-loss pill, the FTC said. 
The e-mail messages falsely claimed that the medications came from a US-licensed pharmacy that dispenses US Federal Food and Drug Administration-approved generic drugs.&lt;br /&gt;&lt;br /&gt;The defendants did not operate a pharmacy licensed in the US, the FTC said. The drugs they sold were shipped from India and had not been approved by the FDA, the agency said.&lt;br /&gt;&lt;br /&gt;The FTC alleged that Atkinson and Smith made false claims about the security of consumers’ credit card information and other personal data consumers provided when they bought goods. The defendants’ Web site assured potential consumers that the pharmacy "treats your personal information (including credit card data) with the highest level of security."&lt;br /&gt;&lt;br /&gt;The website went on to describe its encryption process, which supposedly involved “Secure Socket Layer (SSL) technology.” However, there was no indication that consumers’ information was encrypted using SSL technology.&lt;br /&gt;&lt;br /&gt;To settle FTC charges that he helped send spam e-mails to millions of consumers, Smith will turn over nearly all his assets. Under the terms of the settlement, Smith will pay approximately $212,000. He also will assign any rights he has to $91,000 frozen in the name of one of his co-defendants, and $547,000 that may be held for his benefit in an Israeli bank.&lt;br /&gt;&lt;br /&gt;Smith pled guilty in August to the criminal charge of conspiracy to traffic counterfeit goods, and faces up to five years in prison. 
He is scheduled to be sentenced in December in US District Court for the Eastern District of Missouri.&lt;br /&gt;&lt;br /&gt;By Grant Gross&lt;br /&gt;http://news.techworld.com&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-7023158144690297920?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/7023158144690297920/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/12/viagra-spam-gang-fined-152m-in-us-court.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7023158144690297920'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7023158144690297920'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/12/viagra-spam-gang-fined-152m-in-us-court.html' title='Viagra spam gang fined $15.2m in US court'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-2184153066464300823</id><published>2009-11-25T00:32:00.000-08:00</published><updated>2009-11-25T00:35:53.358-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='anonymity'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>German data protection authorities turn against Google Analytics</title><content type='html'>&lt;a onblur="try 
{parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://assets.in.gr/dGenesis/assets/Content5/Photo/1078477_b.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 358px; height: 239px;" src="http://assets.in.gr/dGenesis/assets/Content5/Photo/1078477_b.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;span style="font-style:italic;"&gt;Associated Press&lt;span style="font-style:italic;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Berlin&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Germany's personal data protection authorities consider the use of Google Analytics, the service that presents the "demographic characteristics" of website visitors, to be illegal.&lt;br /&gt;&lt;br /&gt;Google Analytics is used to build "profiles" of the visitors to particular websites, establishing not only how many visitors there are and where they come from, but also their "online" history. The website owner, or any other interested party, can thus form a picture of the site's visitors and their preferences.&lt;br /&gt;&lt;br /&gt;However, the German personal data protection authorities, both at the federal level and in several states, consider that the use of Google Analytics is contrary to German law.&lt;br /&gt;&lt;br /&gt;According to the newspaper Zeit, about 13% of German websites use the service, among them pharmaceutical companies, political parties and media outlets. Among other things, the legal problem turns on whether the IP address, the "personal signature" of each computer on the internet, constitutes "personally relatable" data. 
The German authorities consider that it does, while Google sees it differently, and German case law appears to be equally ambiguous.&lt;br /&gt;&lt;br /&gt;The authorities fear that Google could build "profiles" of millions of internet users, covering their interests, their lifestyle habits, their consumer behaviour and their political or even sexual preferences.&lt;br /&gt;&lt;br /&gt;According to the report, the German authorities stress that users have no way of actively choosing not to be subject to the software (opt-out), without which "nothing holds up". The authorities are equally troubled by the fact that personal data can be processed by companies or bodies on American soil.&lt;br /&gt;&lt;br /&gt;Google maintains that the processing of data in the US is fully covered by the "Safe Harbour" agreement between Europe and Washington, and considers an "opt-out" unnecessary since users can "disable cookies".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-2184153066464300823?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/2184153066464300823/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/11/google-analytics.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2184153066464300823'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2184153066464300823'/><link rel='alternate' type='text/html' 
href='http://greekforensicscommunity.blogspot.com/2009/11/google-analytics.html' title='German data protection authorities turn against Google Analytics'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-8688811192581700442</id><published>2009-11-19T00:37:00.000-08:00</published><updated>2009-11-19T00:39:00.231-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='law'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Ethics leaks spur House bill banning P2P apps on .gov PCs</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://static.arstechnica.com/2009/10/01/Error_p2p.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 300px; height: 169px;" src="http://static.arstechnica.com/2009/10/01/Error_p2p.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Over the past year, there have been several embarrassing incidents where private government documents have leaked because employees didn't know how to properly configure P2P client software. For the US House of Representatives, the last straw came when ethics documents were leaked. A bill has been introduced to ban the use of P2P apps by federal employees.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Peer-to-peer filesharing applications have been wildly popular, especially among those interested in accessing pirated software, music, and media. 
But not everyone who operates a P2P client knows how to properly configure the software, and some clients may share entire directories unless explicitly directed not to. Apparently, some government employees have exhibited this sort of carelessness, as private and secret government documents have shown up on P2P networks. Now, at least one Congressman has had enough, and has introduced a bill that would ban the use of P2P software by government employees.&lt;br /&gt;&lt;br /&gt;The Congressman in question is Edolphus Towns of New York, who chairs the Committee on Oversight and Government Reform. In a statement announcing the bill's introduction, Towns highlights a number of embarrassing incidents in which sensitive government files showed up on P2P networks. These include schematics for the Presidential helicopter and the location of a first-family safe house, as well as the financial records of a Supreme Court Justice.&lt;br /&gt;&lt;br /&gt;But the cynic would suggest that the real spur to action was the leak of a whole series of documents related to ethics investigations of Towns' fellow House members, which he also cited in the announcement. This included a full list of ongoing investigations and details on a number of them. The committee that suffered the leak issued &lt;a href="http://www.washingtonpost.com/wp-srv/hp/ssi/wpc/statement_102909.pdf"&gt;a statement (PDF)&lt;/a&gt; at the end of October which indicated that P2P software was involved in the leak, so this appears to involve a relatively quick response.&lt;br /&gt;&lt;br /&gt;The bill itself, termed the Secure Federal File Sharing Act, calls on the Director of the Office of Management and Budget to issue guidance on the use of P2P software, and provides the Director some guidance on what it should be: P2P software will be banned on government-owned computers. The OMB Director will have 90 days to come up with rules for government workers and contractors that have access to documents at home. 
Procedures will also be put in place for government agencies that have legitimate need for P2P software, in order to grant them exceptions.&lt;br /&gt;&lt;br /&gt;By 180 days after the bill's passage, the OMB will have to specify procedures to detect and purge P2P use from within the government's networks. After the procedures are in place, the OMB will need to provide Congress with an annual report detailing all the exemptions that are in place.&lt;br /&gt;&lt;br /&gt;Although it's tempting to snicker at the ethics leaks being the primary event that spurred Congress to action, it wouldn't be at all surprising if some of the complaints that leaked are the result of misunderstandings or political disagreements; all of them will almost certainly be used (and abused) in future political campaigns. In any case, the other leaks are certainly more severe, and there's no reason to think that the average government employee is ever going to be more technically savvy or security-literate than the general computer using population, so the law addresses a real issue.&lt;br /&gt;&lt;br /&gt;Given that P2P software does have a number of legitimate uses, however, blanket restrictions and a formal approval process may turn out to be a hindrance. 
Assuming the bill passes, the real challenge is likely to be crafting a quick and effective exemption process.&lt;br /&gt;&lt;br /&gt;By John Timmer&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-8688811192581700442?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/8688811192581700442/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/11/ethics-leaks-spur-house-bill-banning.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8688811192581700442'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8688811192581700442'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/11/ethics-leaks-spur-house-bill-banning.html' title='Ethics leaks spur House bill banning P2P apps on .gov PCs'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-1315614971895129914</id><published>2009-11-17T06:41:00.000-08:00</published><updated>2009-11-17T06:42:39.909-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><title type='text'>In Venezuela criminals use Facebook to research targets. 
Cops use it too — but not always for scrupulous purposes.</title><content type='html'>&lt;span style="font-weight:bold;"&gt;In Venezuela criminals use Facebook to research targets. Cops use it too — but not always for scrupulous purposes.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CARACAS, Venezuela — It has taken Venezuela by storm, but it seems that Facebook and other social networking sites also come with their perils.&lt;br /&gt;&lt;br /&gt;Police here revealed that a pair of students at a private university in Caracas had been robbing their virtual friends’ homes using information they had compiled using Facebook.&lt;br /&gt;&lt;br /&gt;Police raided the apartment of one of two students who, working in tandem with another couple, had been using Facebook to befriend classmates. They then used the information their new “friends” posted on their profiles to find out where they lived, what they owned and when they were not at home.&lt;br /&gt;&lt;br /&gt;"They observe the families’ movements, they study the residencies — the comings and goings, the security measures," said Wilmer Flores Trosel, director of the CICPC, Venezuela’s equivalent of the FBI.&lt;br /&gt;&lt;br /&gt;Security analysts in Venezuela say it is becoming increasingly frequent for criminals to use social networking sites such as Facebook, Twitter, Sonico and Hi5 as a source of information for house robberies, fraud and kidnappings.&lt;br /&gt;&lt;br /&gt;And it's not just the criminals capitalizing on this online data source; the police are using it too, to go after both hard-core criminals and political protesters. In a country with little tolerance for dissent, many fear the government has designs on controlling these sites. And the crimes aided by Facebook might give them cause to do just that.&lt;br /&gt;&lt;br /&gt;“There's a certain amount of intelligence work involved in kidnapping that Facebook makes easier,” said Roberto Briceno Leon, director of the Venezuelan Observatory of Violence. 
“Before, what did kidnappers do? They could spend months checking accounts, studying a person's daily movements in order to be able to plan the kidnapping. That implies an investment. Now, Facebook makes that easier.” &lt;br /&gt;&lt;br /&gt;Briceno Leon said that even an innocent photograph of a user’s home could reveal valuable information about security systems that could be used to plan robberies or kidnappings.&lt;br /&gt;&lt;br /&gt;Leon's Venezuelan Observatory of Violence did a survey and they estimate that there were between 8,000 and 9,000 kidnappings in Venezuela in 2008. The official figure for last year was 554 but most kidnappings go unreported because victims' families prefer not to involve the police as they are often involved in the kidnappings.&lt;br /&gt;&lt;br /&gt;Venezuelans are no strangers to crime. Murder rates have reached record highs in recent years and they have been a part of daily life since the late 1980s. Banks take elaborate precautions to avoid fraud. Making a simple withdrawal can involve heavy scrutiny and a customer often has to be photographed and fingerprinted before the money is released.&lt;br /&gt;&lt;br /&gt;But Venezuelans are not similarly cautious when it comes to the personal details they publicize on social networks. There are 435,992 users signed up to three "Venezuela" pages on Facebook, and Facebook is used widely in the country for party invitations and political protests.&lt;br /&gt;&lt;br /&gt;Briceno Leon said that social networking sites offer the illusion of safety but what may seem like an innocent confession often opens up a window into the private life of an individual.&lt;br /&gt;&lt;br /&gt;“People feel intimate and safe, they don't feel like they are on the street,” he said. “That's why people cease to take precautions.”&lt;br /&gt;&lt;br /&gt;Facebook is also a tool used by Venezuelan police — though not always effectively. 
Carlos Graffe, a student from Valencia, a city 75 miles west of Caracas, said the prosecutor’s office put out a warrant for his arrest after he was identified through a photo on Facebook as one of several protesters who are accused of inciting violence during a protest march in Caracas in August.&lt;br /&gt;&lt;br /&gt;Graffe and his lawyer claim it’s a case of mistaken identity: The television footage that shows protesters dismantling police barriers during the march shows a different person than the one identified in the Facebook photograph. What’s more, the person in the Facebook photograph is in fact his cousin, also called Carlos Graffe.&lt;br /&gt;&lt;br /&gt;Opposition figures claim the Venezuelan government ultimately wants to control social networking sites, which have become an important tool for organizing protests and marches.&lt;br /&gt;&lt;br /&gt;Thousands of Venezuelans protested the closing down of local radio station CNB by posting messages on the Twitter account #freemediave. An editorial piece in the state-run Bolivarian News Agency then accused Twitter of becoming a “new channel for creating terror” by spreading disinformation in a campaign orchestrated by the Venezuelan ultra-right. &lt;br /&gt;&lt;br /&gt;Government critics claim the government is pushing its own forms of disinformation. In July, Diosdado Cabello, the minister for public works, aired the idea of passing all of Venezuela’s internet traffic through the servers of Cantv, the state-run telecommunications company. Critics say the move would allow the government to control communication on social networking sites during protests.&lt;br /&gt;&lt;br /&gt;Social networking sites are a threat to the government that fears that it cannot control the partisanship of sites such as Facebook, said Carlos Delgado, a media analyst at the Andres Bello Catholic University in Caracas. 
He said the government’s move to control Venezuela’s servers is an attempt to “consolidate its communicational hegemony.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-1315614971895129914?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/1315614971895129914/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/11/in-venezuela-criminals-use-facebook-to.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1315614971895129914'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1315614971895129914'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/11/in-venezuela-criminals-use-facebook-to.html' title='In Venezuela criminals use Facebook to research targets. 
Cops use it too — but not always for scrupulous purposes.'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-4738457640033545368</id><published>2009-11-17T00:43:00.000-08:00</published><updated>2009-11-17T00:44:31.161-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='law'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><title type='text'>Criminal Charges</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/__-pMfc8Cl9U/Sv1qTKEeCkI/AAAAAAAADuE/dbRVXfT7d_U/s400/fb.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 283px;" src="http://2.bp.blogspot.com/__-pMfc8Cl9U/Sv1qTKEeCkI/AAAAAAAADuE/dbRVXfT7d_U/s400/fb.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;This is Rodney Bradford. A few days ago, Facebook saved his 19-yo life. Facebook, and his status plea demanding the immediate consumption of one of the basic food groups every human being needs to properly function in the morning: Pancakes. [via gizmodo]&lt;br /&gt;&lt;br /&gt;Rodney was arrested on October 18 as a suspect in two crimes. 
He declared himself innocent and Robert Reuland—his defense lawyer—found the key to free him: "Where's my pancakes?"&lt;br /&gt;&lt;br /&gt;That seemingly inconsequential Facebook status update proved crucial when the Californian company confirmed that someone wrote it from his father's Harlem apartment computer, using Rodney's user and password at around the time of the alleged crime: Saturday October 17, 11:49am.&lt;br /&gt;&lt;br /&gt;Of course, you can argue that anyone with Rodney's password could have written the status update, while the 19-yo went on to commit two crimes, but his defense lawyer and the district attorney disagree: &lt;br /&gt;&lt;br /&gt;A spokesman for Brooklyn's District Attorney said the Facebook update served as the confirmation of the other alibis, namely Rodney's father and stepmother, who declared he was at their Harlem home at the time.&lt;br /&gt;The most interesting thing in this case, however, is that this seems to be the first time in which social networking has been used to save the ass of someone, rather than nailing a really stupid thief.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-4738457640033545368?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/4738457640033545368/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/11/criminal-charges.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/4738457640033545368'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/4738457640033545368'/><link rel='alternate' type='text/html' 
href='http://greekforensicscommunity.blogspot.com/2009/11/criminal-charges.html' title='Criminal Charges'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/__-pMfc8Cl9U/Sv1qTKEeCkI/AAAAAAAADuE/dbRVXfT7d_U/s72-c/fb.jpg' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-6355812211003238852</id><published>2009-11-13T07:05:00.000-08:00</published><updated>2009-11-13T07:05:39.362-08:00</updated><title type='text'>AP IMPACT: Framed for Child Porn _ by a PC Virus - ABC News</title><content type='html'>&lt;a href="http://abcnews.go.com/Technology/WireStory?id=9028516&amp;amp;page=1"&gt;AP IMPACT: Framed for Child Porn _ by a PC Virus - ABC News&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-6355812211003238852?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='related' href='http://abcnews.go.com/Technology/WireStory?id=9028516&amp;page=1' title='AP IMPACT: Framed for Child Porn _ by a PC Virus - ABC News'/><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/6355812211003238852/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/11/apimpact3aframedforchildpornbyapcvirus.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6355812211003238852'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/465677049890029931/posts/default/6355812211003238852'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/11/apimpact3aframedforchildpornbyapcvirus.html' title='AP IMPACT: Framed for Child Porn _ by a PC Virus - ABC News'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-6868218011277563035</id><published>2009-11-10T00:22:00.000-08:00</published><updated>2009-11-10T00:23:55.127-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Tools'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Pirates get a taste of Microsoft COFEE</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://static.arstechnica.com/pirate_coffee.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 300px; height: 169px;" src="http://static.arstechnica.com/pirate_coffee.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Microsoft's Computer Online Forensic Evidence Extractor (COFEE) software, which helps law enforcement officials grab data from password protected or encrypted sources, has leaked.  &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Microsoft's Computer Online Forensic Evidence Extractor (COFEE) has made it into the hands of pirates, and their virtual ships are distributing it quickly for everyone to get a taste. 
The COFEE application uses common digital forensics tools to help law enforcement officials at the scene of a crime gather volatile evidence of live computer activity that would otherwise be lost in a traditional offline forensic analysis. In other words, it lets officers grab data from password-protected or encrypted sources. That means you can now break the law twice over: download the software and then use it to steal information from other people's computers. &lt;br /&gt;&lt;br /&gt;Chances are you won't have any use for the tool, but pirates get a thrill from having something they shouldn't, and a forensics tool only distributed to police departments around the world is pretty high up on the list of things you shouldn't have on your computer. The forensics tool is approximately 15MB in size and works best with Windows XP. Microsoft is working on a new version of COFEE for next year that fully supports Windows Vista and Windows 7. Here's the official description of COFEE:&lt;br /&gt;&lt;br /&gt;  &lt;span style="font-style:italic;"&gt;  With COFEE, law enforcement agencies without on-the-scene computer forensics capabilities can now more easily, reliably, and cost-effectively collect volatile live evidence. An officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device. This enables the officer to take advantage of the same common digital forensics tools used by experts to gather important volatile evidence, while doing little more than simply inserting a USB device into the computer.&lt;/span&gt;&lt;br /&gt; &lt;br /&gt; The fully customizable tool allows your on-the-scene agents to run more than 150 commands on a live computer system. It also provides reports in a simple format for later interpretation by experts or as supportive evidence for subsequent investigation and prosecution. 
And the COFEE framework can be tailored to effectively meet the needs of your particular investigation.&lt;br /&gt;&lt;br /&gt;Microsoft first revealed the tool back in April 2008, so we have to say that the software giant did quite a good job keeping it away from pirates for over two years (that has to be some kind of record for Redmond). In April 2009, Microsoft announced that it will aid global law enforcement in fighting cybercrime by providing its COFEE tool free of charge to International Criminal Police Organization's (Interpol) Global Security Initiative (GSI), a project that addresses international security challenges, and the participating 187 countries. Now though, the valuable tool is available to more than just government crime fighting bodies, and we can't say we're comfortable with the possible implications.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-6868218011277563035?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/6868218011277563035/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/11/pirates-get-taste-of-microsoft-cofee.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6868218011277563035'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6868218011277563035'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/11/pirates-get-taste-of-microsoft-cofee.html' title='Pirates get a taste of Microsoft COFEE'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-8305657667009397625</id><published>2009-11-04T07:06:00.000-08:00</published><updated>2009-11-04T07:08:44.382-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='cryptography'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Secure computers aren’t so secure</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://web.mit.edu/newsoffice//images/article_images/20091028173350-0.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 368px; height: 368px;" src="http://web.mit.edu/newsoffice//images/article_images/20091028173350-0.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Even well-defended computers can leak shocking amounts of private data. MIT researchers seek out exotic attacks in order to shut them down&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;You may update your antivirus software religiously, immediately download all new Windows security patches, and refuse to click any e-mail links ostensibly sent by your bank, but even if your computer is running exactly the way it’s supposed to, a motivated attacker can still glean a shocking amount of private information from it. The time it takes to store data in memory, fluctuations in power consumption, even the sounds your computer makes can betray its secrets. 
MIT researchers centered at the Computer Science and Artificial Intelligence Lab’s Cryptography and Information Security Group (CIS) study such subtle security holes and how to close them.&lt;br /&gt;&lt;br /&gt;In 2005, Eran Tromer, now a postdoc at CIS, and colleagues at the Weizmann Institute in Rehovot, Israel, showed that without any breach of security in the ordinary sense, a seemingly harmless computer program could eavesdrop on other programs and steal the type of secret cryptographic key used by one of the most common Internet encryption schemes. Armed with the key, an attacker could steal a computer user’s credit card number, bank account password — whatever the encryption scheme was invoked to protect.&lt;br /&gt;&lt;br /&gt;Computer operating systems are supposed to prevent any given program from looking at the data stored by another. But when two programs are running at the same time, they sometimes end up sharing the same cache — a small allotment of high-speed memory where the operating system stores frequently used information. Tromer and his colleagues showed that simply by measuring how long it took to store data at a number of different cache locations, a malicious program could determine how frequently a cryptographic system was using those same locations. “The memory access patterns — that is, which memory addresses are accessed — are heavily influenced by the specific secret key being used in that operation,” Tromer says. 
“We demonstrated a concise and efficient procedure for learning the secret keys given just this crude information about the memory access patterns.” Complete extraction of the private key, Tromer says, “takes merely seconds, and the measurements that are needed, of the actual cryptographic process being attacked, can be carried out in milliseconds.”&lt;br /&gt;&lt;br /&gt;The encryption system that Tromer was attacking, called AES, was particularly vulnerable because it used tables of precalculated values as a computational short cut, so that encoding and decoding messages wouldn’t be prohibitively time consuming. Since Tromer and his colleagues published their results, Intel has added hardware support for AES to its chips, so that Internet encryption software won’t have to rely on such “lookup tables.”&lt;br /&gt;&lt;br /&gt;In a statement, Intel told the MIT News Office that its decision “was mainly motivated by the performance/efficiency benefits achieved,” but that “in addition, there is a potential security benefit since these new instructions can mitigate the possibility of software side channel attacks on AES that have been described in research papers, including those discovered by Tromer, Percival, and Bernstein.”&lt;br /&gt;&lt;br /&gt;“I think it’s fair to say that it’s a direct response to the cache-timing attacks against AES,” Pankaj Rohatgi, director of hardware security at the data security firm Cryptography Research, says of Intel’s move.&lt;br /&gt;&lt;br /&gt;Together with CIS cofounder Ron Rivest and CSAIL’s Saman Amarasinghe, Tromer is trying to develop further techniques for thwarting cache attacks by disrupting the correlations between encryption keys and memory access patterns. 
A couple weeks ago, at the Association for Computing Machinery’s Symposium on Operating Systems Principles, the researchers announced that they had a “proof-of-concept prototype” of a defense system, but they plan to continue testing and refining it before publishing any papers.&lt;br /&gt;&lt;br /&gt;Tromer has also been investigating whether cloud computing — the subcontracting of computational tasks to networked servers maintained by companies like Amazon and Google — is susceptible to cache attacks. Many web sites rely on cloud computing to handle sudden surges in their popularity: renting added server space for a few hours at a time can be much cheaper than maintaining large banks of proprietary servers that frequently stand idle.&lt;br /&gt;&lt;br /&gt;The word “cloud” is supposed to suggest that this vast agglomeration of computing power is amorphous and constantly shifting, but Tromer and colleagues at the University of California, San Diego, were able to load their eavesdropping software onto precisely the same servers that were hosting websites they’d targeted in advance. In part, their approach involved spreading their software across a number of servers, then assailing a targeted website with traffic. By spying on the caches of the servers hosting their software, they could determine which were also trying to keep pace with their fake traffic spikes. Once they’d identified the target site’s servers, they could use cache monitoring to try to steal secrets.&lt;br /&gt;&lt;br /&gt;“Imagine a stock broker that specializes in a specific company,” Tromer says. “If you observe that his virtual machine is particularly active, that could be valuable information. Or you may want to know how popular your competitors’ website is. We’ve actually demonstrated that we can very robustly estimate web server popularity.”&lt;br /&gt;&lt;br /&gt;“This has sparked the imagination of both the research community and industry,” Rohatgi says. 
“I interact with a lot of people in industry, and when they say, ‘Give me the technical basis for this,’ I point to [Tromer and colleagues’] papers.”&lt;br /&gt;&lt;br /&gt;Finally, Tromer is continuing work he began as a graduate student, on the use of a “hundred-dollar commodity microphone” to record the very sounds emitted by a computer and analyze them for information about cryptographic keys. So far, Tromer hasn’t been able to demonstrate complete key extraction, but he believes he’s getting close.&lt;br /&gt;&lt;br /&gt;Any information at all about a computer’s internal workings “is actually fairly damaging,” Rohatgi says. “In some sense, some of these cryptographic algorithms are fairly brittle, and with a little extra information, you can break them.”&lt;br /&gt;&lt;br /&gt;Larry Hardesty, MIT News Office&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-8305657667009397625?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/8305657667009397625/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/11/secure-computers-arent-so-secure.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8305657667009397625'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8305657667009397625'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/11/secure-computers-arent-so-secure.html' title='Secure computers aren’t so secure'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-1846831819281555978</id><published>2009-11-04T03:04:00.000-08:00</published><updated>2009-11-04T03:05:58.558-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Phishing'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>Phishing</title><content type='html'>&lt;object width="380" height="320"&gt;&lt;param name="movie" value="http://www.youtube.com/v/8aLJe9gsOxs&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;feature=player_embedded&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowScriptAccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/8aLJe9gsOxs&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;feature=player_embedded&amp;fs=1" type="application/x-shockwave-flash" allowfullscreen="true" allowScriptAccess="always" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-1846831819281555978?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/1846831819281555978/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/11/phishing.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1846831819281555978'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1846831819281555978'/><link rel='alternate' type='text/html' 
href='http://greekforensicscommunity.blogspot.com/2009/11/phishing.html' title='Phishing'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-2566560908032837463</id><published>2009-10-28T13:54:00.000-07:00</published><updated>2009-10-28T14:03:03.492-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='phising'/><title type='text'>10 Ways to Spot an E-Mail Scam</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.blogcdn.com/www.switched.com/media/2009/10/scams_cover.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 260px;" src="http://www.blogcdn.com/www.switched.com/media/2009/10/scams_cover.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The increasing flood of e-mail hitting your inbox can lower the guard of even the most cautious person. In the rush to keep up with important notes, it's easier than ever to fall prey to the scam artists and identity thieves who lurk online.&lt;br /&gt;&lt;br /&gt;E-mail scams and phishing attempts evolve constantly, hoping to take advantage of the latest trends and current events. Although the e-mails change, the people behind them inadvertently send up the same warning signs again and again. We dug through mountains of spam to find the most prevailing trends. 
We've collected some actual scam e-mails and highlighted the warning signs to help you spot a hustle the next time one lands in your inbox.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.blogcdn.com/www.switched.com/media/2009/10/personal-info3.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 273px;" src="http://www.blogcdn.com/www.switched.com/media/2009/10/personal-info3.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;1. Requests for personal information&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;No legitimate organization will ask for your social security, bank account or PIN number via e-mail – and none will include a link, sending you to a form to enter it. No matter how authentic these emails may look, ignore 'em.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.blogcdn.com/www.switched.com/media/2009/10/typos.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 270px;" src="http://www.blogcdn.com/www.switched.com/media/2009/10/typos.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;2. Watch for typos or spelling mistakes&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Scam artists are street smart, but many flunked basic grammar (or barely speak English). Look for mistakes like inappropriate hyphens or confusing "your" and "you're." 
If the note has multiple typos or grammatical errors, odds are it's not legitimate.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.blogcdn.com/www.switched.com/media/2009/10/trick-urls.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 275px;" src="http://www.blogcdn.com/www.switched.com/media/2009/10/trick-urls.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;3. Clickable Web links in e-mails&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Don't trust links to Web sites in e-mails. What might look like a legitimate address is often linked to a third-party site that looks official, but is actually run by thieves and scammers. These are the fast track to identity and financial theft.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.blogcdn.com/www.switched.com/media/2009/10/marketing-mischief.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 251px;" src="http://www.blogcdn.com/www.switched.com/media/2009/10/marketing-mischief.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;4. 'Market research' or surveys that ask you for personal information.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Disguising scam e-mails as marketing is a classic ploy. You'll be asked to fill out a survey or enter a contest – requiring you to give personal information or "log on" to your account. 
Once you've done so, the scammers can use it themselves.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.blogcdn.com/www.switched.com/media/2009/10/high-pressure2.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 525px; height: 251px;" src="http://www.blogcdn.com/www.switched.com/media/2009/10/high-pressure2.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;5. Stock tips from random people or companies&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Got a "hot stock tip" via e-mail? It's probably a "pump and dump" scheme. The sender already owns shares – and when you and others act on the "tip," the stock price soars and he sells fast – leaving you with virtually worthless shares.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.blogcdn.com/www.switched.com/media/2009/10/attachments2.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 525px; height: 263px;" src="http://www.blogcdn.com/www.switched.com/media/2009/10/attachments2.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;6. Attachments in e-mails from anyone you don't know&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;It should be common sense, but just in case, we'll remind you again: Don't open an attachment from someone you don't know – even if it appears to be your bank or credit card company. 
It's almost always a virus or spyware meant to steal your personal information.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.blogcdn.com/www.switched.com/media/2009/10/wordless-emails2.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 525px; height: 263px;" src="http://www.blogcdn.com/www.switched.com/media/2009/10/wordless-emails2.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;7. Wordless e-mails&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Some legitimate looking "e-mails" are actually just images. The danger with these is that clicking anywhere in the body takes you to a suspect Web site – where you may be fooled into entering personal information, or the scammer may slip spyware onto your machine.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.blogcdn.com/www.switched.com/media/2009/10/outdated-info2.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 525px; height: 272px;" src="http://www.blogcdn.com/www.switched.com/media/2009/10/outdated-info2.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;8. Outdated information&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Some scammers like to pose as technical- or customer support from a company you associate with – but fail to keep up with current events. 
For example, in the example above, the senders forgot that Earthlink bought Mindspring in 2000.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.blogcdn.com/www.switched.com/media/2009/10/red-flag-phrases2.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 525px; height: 273px;" src="http://www.blogcdn.com/www.switched.com/media/2009/10/red-flag-phrases2.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;9. Red-flag phrases&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;If you see the phrases "verify your account," "you have won the lottery" or "if you don't respond within XX hours, your account will be closed," it's a scam – every time. Hit the delete button and don't look back.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.blogcdn.com/www.switched.com/media/2009/10/generic-greetings2.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 525px; height: 252px;" src="http://www.blogcdn.com/www.switched.com/media/2009/10/generic-greetings2.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;10. Generic greetings&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;While you can't trust every e-mail that knows your name, you can definitely ignore the ones that start "Dear member" or "Hello friend." If your bank or credit card company is writing you, it knows who you are. So do your friends. 
&lt;br /&gt;&lt;br /&gt;by Chris Morris&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-2566560908032837463?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/2566560908032837463/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/10/10-ways-to-spot-e-mail-scam.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2566560908032837463'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2566560908032837463'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/10/10-ways-to-spot-e-mail-scam.html' title='10 Ways to Spot an E-Mail Scam'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-6215721856651994827</id><published>2009-10-26T05:29:00.000-07:00</published><updated>2009-11-25T00:36:31.411-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='law'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>Nigeria actually arrests, shuts down online scammers</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://static.arstechnica.com/thumb_handcuffs.jpg"&gt;&lt;img style="display:block; margin:0px auto 
10px; text-align:center;cursor:pointer; cursor:hand;width: 300px; height: 169px;" src="http://static.arstechnica.com/thumb_handcuffs.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Nigerian officials have launched a new initiative called "Project Eagle Claw" that will target Internet scams coming out of the country. The Economic and Financial Crimes Commission has already made a number of arrests and shut down 800 websites, with many more to come.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;It turns out Nigeria is taking measures to fight Internet scams—law enforcement there has shut down close to a thousand websites and made 18 arrests as part of a new initiative to save the nation's reputation and crack down on Internet scammers. The program, called "Project Eagle Claw," has only just begun, but Nigerian officials expect it to be fully operational in 2010.&lt;br /&gt;&lt;br /&gt;Nigeria's Economic and Financial Crimes Commission (EFCC) described the initiative as "a renewed bid to clap down" (*clap clap*?) on Internet fraudsters. So far, the agency claims to have shut down 800 scam sites in addition to making the arrests, with many more apparently to come. &lt;br /&gt;&lt;br /&gt;EFCC Chairman Farida Waziri said Wednesday during a US address to the National Conference of Black Mayors that Nigeria was working with Microsoft to fully deploy Project Eagle Claw, and that it will soon be able to take down up to 5,000 fraudulent e-mails per month. She also expects the system to send up to 230,000 advisory e-mails to victims every month.&lt;br /&gt;&lt;br /&gt;Waziri explained that the EFCC's previous strategy for fighting cybercrime involved "cyber raids" and petitions—slow and ineffective in today's fast-moving Internet world—and that Eagle Claw would be much more proactive. 
"We expect that Eagle Claw as conceived will be 100 percent operational within six months and at full capacity, it will take Nigeria out of the top 10 list of countries with the highest incidence of fraudulent e-mails," Waziri said.&lt;br /&gt;&lt;br /&gt;Indeed, if you live outside of Africa, Nigeria is practically synonymous with various scams, some of which predate the Internet. Thanks to the explosion of online connectivity in the last several decades, however, so-called "Nigerian scams" have taken on a new life of their own—fraudsters have managed to grift millions of dollars out of unsuspecting victims in recent years, with even major banks coming dangerously close to wiring their own cash halfway around the world.&lt;br /&gt;&lt;br /&gt;This has caused an entire culture of scam baiters to spring up in order to troll scammers and distract them from the real victims (something that we here at Ars briefly dabbled in ourselves), showing that scams out of Nigeria are indeed more than a minor law enforcement annoyance. 
At this point, it's just nice to see Nigerian officials trying a more realistic strategy towards curbing cybercrime than merely blaming the victim, even if it may take years worth of enforcement before we see any tangible results.&lt;br /&gt;&lt;br /&gt;By Jacqui Cheng&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-6215721856651994827?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/6215721856651994827/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/10/nigeria-actually-arrests-shuts-down.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6215721856651994827'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6215721856651994827'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/10/nigeria-actually-arrests-shuts-down.html' title='Nigeria actually arrests, shuts down online scammers'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-852307607690893150</id><published>2009-10-04T11:19:00.000-07:00</published><updated>2009-10-04T11:22:02.095-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><title type='text'>Malware worldwide grows 15 percent in September</title><content type='html'>A rise in malware has caused the number of 
infected PCs worldwide to increase 15 percent just from August to September, says a report released Tuesday from antivirus vendor Panda Security.&lt;br /&gt;&lt;br /&gt;Across the globe, the average number of PCs hit by malware now stands around 59 percent, an all-time high for the year. Among 29 countries tracked, the U.S. ranked ninth with slightly more than 58 percent of its PCs infected. Taiwan hit first place with an infection ratio of 69 percent, while Norway came in lowest with only 39 percent of its PCs attacked by malware.&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://i.i.com.com/cnwk.1d/i/bto/20090929/panda_pcs_infected.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 600px;" src="http://i.i.com.com/cnwk.1d/i/bto/20090929/panda_pcs_infected.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;(Credit: Panda Security)&lt;br /&gt;&lt;br /&gt;The study found that in the U.S., Trojans and Adware were the two most pernicious types of malware, followed by worms and viruses.&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://i.i.com.com/cnwk.1d/i/bto/20090929/panda_malware_types_us.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 279px;" src="http://i.i.com.com/cnwk.1d/i/bto/20090929/panda_malware_types_us.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;(Credit: Panda Security)&lt;br /&gt;&lt;br /&gt;"This is a clear sign that hackers are becoming more and more sophisticated," said PandaLabs Technical Director Luis Corrons. "Cybercriminals have found new ways to spread their creations, frequently exploiting the latest news stories to launch attacks through social networks, videos, and e-mail. 
The huge amount of Trojans in circulation is due to the spectacular increase in the number of banker Trojans aimed at stealing user data."&lt;br /&gt;&lt;br /&gt;The company based its results on data taken from users who scanned their PCs with the free Panda ActiveScan online tool. The results for September were gathered from August 28 to September 28 and compared with the results from July 28 to August 27.&lt;br /&gt;&lt;br /&gt;by  Lance Whitney&lt;br /&gt;http://news.cnet.com/8301-1009_3-10363373-83.html&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-852307607690893150?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/852307607690893150/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/10/malware-worldwide-grows-15-percent-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/852307607690893150'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/852307607690893150'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/10/malware-worldwide-grows-15-percent-in.html' title='Malware worldwide grows 15 percent in September'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-2119145295167526532</id><published>2009-10-04T11:07:00.000-07:00</published><updated>2009-10-04T11:09:38.659-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='law'/><title type='text'>Red Hat asks US Supreme Court to bar software patents</title><content type='html'>Red Hat asks US Supreme Court to bar software patents.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.redhat.com/f/pdf/rh-supreme-court-brief.pdf"&gt;Check Here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-2119145295167526532?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/2119145295167526532/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/10/red-hat-asks-us-supreme-court-to-bar.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2119145295167526532'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2119145295167526532'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/10/red-hat-asks-us-supreme-court-to-bar.html' title='Red Hat asks US Supreme Court to bar software patents'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-5855951040132642575</id><published>2009-09-22T02:02:00.000-07:00</published><updated>2009-09-22T02:04:03.828-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><title type='text'>Facebook Beacon shines for last time as part of settlement</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://static.arstechnica.com/2009/09/21/blockbuster_facebook_ontheline.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 340px; height: 103px;" src="http://static.arstechnica.com/2009/09/21/blockbuster_facebook_ontheline.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Facebook's Beacon has been nothing but trouble since it launched in 2007, spurring numerous user complaints and a class-action privacy suit. The company has apparently learned its lesson, as it has now proposed a lawsuit settlement that involves shutting down Beacon and paying out $9.5 million to a settlement fund.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;As quickly as it swooped into Facebook users' lives and revealed their secret purchasing habits to the world, Beacon has now been shut down as part of a lawsuit settlement. Facebook revealed late Friday that its controversial "advertising" feature would be shuttered, saying that the company had "learned a great deal from the experience." Facebook also plans to donate $9.5 million to an organization that fights for online privacy, though the settlement proposal still awaits approval by a judge.&lt;br /&gt;&lt;br /&gt;Facebook's Director of Policy Communications Barry Schnitt said in a statement that the whole Beacon ordeal "underscored how critical it is to provide extensive user control over how information is shared." 
He said the company also learned how to communicate changes to users (you know, instead of just dumping things like Beacon on them without a peep), and that the introduction of Facebook Connect allows for much greater user control over how their Web antics get shared back to friends on Facebook.&lt;br /&gt;&lt;br /&gt;"We look forward to the creation of the foundation and its work to educate Internet users on how best to control their privacy; engage in safe social networking practices; and, generally, enjoy themselves more online by having knowledge that gives them a greater sense of control," Schnitt said. "We fully expect the foundation to team with other leading online safety and privacy experts and organizations that have been working diligently in these fields."&lt;br /&gt;&lt;br /&gt;Facebook first launched Beacon in November of 2007 as part of a new marketing strategy intended to benefit both advertisers and Facebook users (more of the former than the latter). A number of companies signed up to be part of the program, meaning that any user activity that took place on their respective websites would be reported back to Facebook and published to users' timelines. Because Beacon was originally set up as an opt-out service instead of opt-in, many users were horrified to find their off-Facebook activities being published to their profiles automatically. Not only did users feel that their privacy was being violated, a number of users complained loudly that Beacon had ruined numerous surprise holiday gifts.&lt;br /&gt;&lt;br /&gt;A few weeks after the initial backlash, Facebook founder Mark Zuckerberg posted an apology. He admitted that the company should have handled Beacon differently and said that the default settings had been changed so that publishing off-Facebook activities to users' news feeds would now be off. 
Instead, users could now opt in on a per-incident or per-site basis.&lt;br /&gt;&lt;br /&gt;That didn't stop a class-action lawsuit from being filed in April 2008, alleging that Beacon and Blockbuster (one of Facebook's marketing partners) were in violation of numerous privacy laws by reporting user activity back to Facebook. The complaint said that off-Facebook activities were still being reported back to Facebook (even if users choose not to publish the info), and that Blockbuster's participation constituted a violation of the Video Privacy Protection Act—a law that prohibits video providers from allowing third parties to access identifiable information about someone's renting or buying habits without their express, written consent.&lt;br /&gt;&lt;br /&gt;That lawsuit has been making its way through the court system for more than a year and Facebook apparently realized that it wasn't going to win anytime soon. As a result, the company decided to settle, proposing the $9.5 million settlement fund go towards the creation of an independent foundation that would "fund projects and initiatives that promote the cause of online privacy, safety, and security."&lt;br /&gt;&lt;br /&gt;Despite Facebook's positively spun PR speak, it's clear that the company has learned a lesson from the calamity that was the Beacon experience. Everything about Beacon's rollout was done poorly, which then tainted the service forever despite Facebook's desperate attempt to right its wrongs. 
It took a major class-action lawsuit and the launch of an entirely new service (Facebook Connect) for the company to pull the plug on Beacon, but Facebook has learned the hard way that it earned its users by being conscious of privacy (at least compared to MySpace), and that it needs to continue giving users control if it wants to continue growing.&lt;br /&gt;&lt;br /&gt;By Jacqui Cheng&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-5855951040132642575?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/5855951040132642575/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/09/facebook-beacon-shines-for-last-time-as.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5855951040132642575'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5855951040132642575'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/09/facebook-beacon-shines-for-last-time-as.html' title='Facebook Beacon shines for last time as part of settlement'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-970325282885050600</id><published>2009-09-21T00:14:00.000-07:00</published><updated>2009-09-21T00:15:24.842-07:00</updated><title type='text'>SaveMitsos.gr</title><content type='html'>&lt;object 
width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/hue8Z2dZC-Y&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;feature=player_embedded&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowScriptAccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/hue8Z2dZC-Y&amp;color1=0xb1b1b1&amp;color2=0xcfcfcf&amp;feature=player_embedded&amp;fs=1" type="application/x-shockwave-flash" allowfullscreen="true" allowScriptAccess="always" width="425" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-970325282885050600?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/970325282885050600/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/09/savemitsosgr.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/970325282885050600'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/970325282885050600'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/09/savemitsosgr.html' title='SaveMitsos.gr'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-8751763090611128054</id><published>2009-09-19T05:19:00.001-07:00</published><updated>2009-09-19T05:20:50.765-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='malware'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Why virus writers are turning to open source</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://i.i.com.com/cnwk.1d/i/bto/20090918/090331_virus.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 184px; height: 138px;" src="http://i.i.com.com/cnwk.1d/i/bto/20090918/090331_virus.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;Malware developers are going open source in an effort to make their malicious software more useful to fraudsters.&lt;br /&gt;&lt;br /&gt;By giving criminal coders free access to malware that steals financial and personal details, the malicious software developers are hoping to expand the capabilities of old Trojans.&lt;br /&gt;&lt;br /&gt;According to Candid Wüest, threat researcher with security firm Symantec, around 10 percent of the Trojan market is now open source.&lt;br /&gt;&lt;br /&gt;The move to an open source business model is allowing criminals to add extra features to their malware.&lt;br /&gt;&lt;br /&gt;"The advantages are that you have more people involved in developing it, so someone who is into cryptography could add a cryptographic plug-in or somebody who does video streaming could add remote streaming of the desktop," Wüest said.&lt;br /&gt;&lt;br /&gt;Releasing Trojans as open source dates back to 1999, when the Cult of the Dead Cow group released the source code for its Trojan called Back Orifice.&lt;br /&gt;&lt;br /&gt;More recently, the developers of the Limbo Trojan 
published its source code in an effort to boost take-up following a slump in its use by fraudsters.&lt;br /&gt;&lt;br /&gt;Following its release in 2007, the Limbo Trojan became the most widely used Trojan in the world but fell from favor in 2008 after the more sophisticated Zeus Trojan was released, according to security company RSA.&lt;br /&gt;&lt;br /&gt;There is a big cash incentive to be the dominant Trojan, with infected machines and the financial and personal details they capture worth millions of dollars on the black market. The Limbo Trojan kit was previously sold to fraudsters for $350 per time before it went open source, while the Zeus Trojan today sells for between $1,000 and $3,000.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;span style="font-weight:bold;"&gt;"It is a move to the same business model as that behind any open source project--to give away a basic version and sell more advanced versions, professional services or customizations."&lt;br /&gt;--Uri Rivner, RSA&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;However, head of new technologies at RSA, Uri Rivner, said the move to become open source had not reversed Limbo's decline in fortunes.&lt;br /&gt;&lt;br /&gt;"It is a move to the same business model as that behind any open source project--to give away a basic version and sell more advanced versions, professional services or customizations.&lt;br /&gt;&lt;br /&gt;"At the beginning of it going open source it was big news but people have since stopped investing in it.&lt;br /&gt;&lt;br /&gt;"It is not the best Trojan any more but because it's open source you can try it as your first Trojan and it is still used in some places," he said.&lt;br /&gt;&lt;br /&gt;Limbo's popularity continues to slump, despite numerous features in the basic version that allow criminals to add extra fields for PIN numbers into fake banking websites and capture the keystrokes and the files saved on an infected computer.&lt;br /&gt;&lt;br 
/&gt;And while open source may not have boosted Limbo's fortunes, it also brings with it separate problems for the fraudsters: open sourcing code also places it in the hands of security professionals.&lt;br /&gt;&lt;br /&gt;"If you make (the Trojan) open source, that means that a security company can find the source code and it is easier to make a general heuristic detection for it, as they know what could be in it," Symantec's Wüest said.&lt;br /&gt;&lt;br /&gt;The majority of Trojan infections occur via drive-by downloads, where the malware is automatically downloaded after browsing an infected website, or messages sent via social networking sites that encourage people to download a Trojan masquerading as a legitimate security update, according to RSA's Rivner.&lt;br /&gt;&lt;br /&gt;These infection methods are proving far more effective at getting Trojans onto machines than earlier techniques such as sending an e-mail with a link to an infected file or attachment.&lt;br /&gt;&lt;br /&gt;RSA analysts say these new methods have fuelled an exponential growth in the rate of infection, with the security firm detecting 613 Trojan infections in August 2008 compared to 19,102 in August 2009.&lt;br /&gt;&lt;br /&gt;Nick Heath of Silicon.com reports from London.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-8751763090611128054?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/8751763090611128054/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/09/why-virus-writers-are-turning-to-open.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8751763090611128054'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8751763090611128054'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/09/why-virus-writers-are-turning-to-open.html' title='Why virus writers are turning to open source'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-1393464275324174681</id><published>2009-09-19T05:15:00.000-07:00</published><updated>2009-09-19T05:18:49.754-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='anonymity'/><title type='text'>Internet firms help Canadian courts ID authors of controversial email</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.blogcdn.com/www.dailyfinance.com/media/2009/06/secret-200a0810.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 200px; height: 150px;" src="http://www.blogcdn.com/www.dailyfinance.com/media/2009/06/secret-200a0810.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;Think you can be anonymous online? Most people simply have no idea how easy it is for law enforcement officials -- and other litigants, like someone suing you -- to gain access to personal email, Google searches, and other online information users think is "theirs."&lt;br /&gt;&lt;br /&gt;The latest ominous evidence of this fact comes from our friends to the north. A Canadian court has ordered Google (GOOG) to turn over the identities of anonymous Gmail users who had accused York University faculty members of fraud and dishonesty. 
Like similar cases in the U.S., the York incident shows just how easy it is for courts to allow authorities to gain access to "our" personal information.&lt;br /&gt;&lt;br /&gt;"People need to know that very little information that they give or make available to third parties [like Google] is unavailable to the government or private litigants," says Eric Goldman, director of the High Tech Law Institute at Santa Clara University School of Law. "I think most people are surprised at how relatively easy it is for the government and private litigants to obtain 'their' information."&lt;br /&gt;&lt;br /&gt;When York announced its hiring of Martin Singer in January as the first dean of its new Faculty of Liberal Arts and Professional Studies, the university called the professor a "renowned scholar of Chinese history" and quoted university president Mamdouh Shoukri as saying: "York University is fortunate to have attracted such a strong scholar and administrator."&lt;br /&gt;&lt;br /&gt;Shortly thereafter, someone circulated an email from an account belonging to a group called "York Faculty Concerned About the Future of York University" among members of the community accusing Singer of "lying about scholarly credentials" and accusing Shoukri of perpetrating "an outrageous fraud." The anonymous group called for the president's resignation and a new search for a dean, according to Canada's National Post.&lt;br /&gt;&lt;br /&gt;University authorities were not amused, and won a court order in May compelling Google to turn over the IP addresses linked to the Gmail account. Google, in turn, identified Bell Canada and Rogers Communications as the internet service providers from which the email originated.&lt;br /&gt;&lt;br /&gt;Last month, neither of the ISPs opposed a court order requiring them to turn over the contact information of the persons who used the Gmail account. This past week, Justice George R. 
Strathy of Ontario Superior Court called the orders a reasonable balance between protecting freedom of speech and protection from libel, according to the paper.&lt;br /&gt;&lt;br /&gt;David Noble, whom the Post refers to as "an outspoken professor at York," was outed as one person linked to the account. On Friday, he told the paper that York's legal action was "a fishing expedition" and accused the university of "trying to create a chill among faculty."&lt;br /&gt;&lt;br /&gt;Noble maintained that the allegations raised about Singer were legitimate. "They are spending enormous sums, for what?" the Post quotes him as saying. "I think they are just desperate to find out who is involved," adding that his colleagues wanted to remain anonymous because they were "afraid of reprisals."&lt;br /&gt;&lt;br /&gt;In response, Will McDowell, York's lawyer, defended the action, saying, "Academics enjoy quite extensive latitude in what they say and what they write and what they research at Canadian universities, but I would say this about any of us: The right of free speech is not unlimited."&lt;br /&gt;&lt;br /&gt;"Like all law-abiding companies, we comply with local laws and valid legal process, such as court orders and subpoenas," a Google spokesperson said in a statement to DailyFinance. 
"At the same time, we have a legal team whose job is to scrutinize these requests and make sure they meet not only the letter but the spirit of the law."&lt;br /&gt;&lt;br /&gt;York now has the identities of half a dozen people who allegedly had access to the Gmail account.&lt;br /&gt;&lt;br /&gt;American laws governing similar situations differ somewhat from Canadian statutes, but the York case is reminiscent of the recent "Skank blogger" ruling, in which a Manhattan Supreme Court judge ordered Google to turn over the e-mail and IP address of an anonymous blogger who called model Liskula Cohen "the skankiest in NYC."&lt;br /&gt;&lt;br /&gt;Writing about the case, my colleague Jeff Bercovici noted that the ruling could force anonymous internet cranks to go to greater lengths to shield their identity. "In trying to make people accountable for the vicious things they write online, that judge is only going to force them to cloak their identities ever more effectively," Bercovici wrote.&lt;br /&gt;&lt;br /&gt;Google search queries -- obtained by court-ordered warrants -- have been used in numerous criminal cases, including the recent case of a Florida man who was convicted of murder based on evidence that included his own Google research, which included searching on terms like "trauma, cases, gunshot, right chest."&lt;br /&gt;&lt;br /&gt;No matter how many precautions we take to remain private or cloak our identity, the authorities and other potential litigants usually have little difficulty obtaining this content. And they do it not by nefarious means like hacking, but through our very own court system.&lt;br /&gt;&lt;br /&gt;Internet users everywhere would do well to take heed. 
Your emails -- and maybe even your Google searches -- could be one subpoena away from the prying eyes of federal authorities, not to mention private litigants.&lt;br /&gt;&lt;br /&gt;by Sam Gustin&lt;br /&gt;Sep 12th 2009&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-1393464275324174681?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/1393464275324174681/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/09/internet-firms-help-canadian-courts-id.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1393464275324174681'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1393464275324174681'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/09/internet-firms-help-canadian-courts-id.html' title='Internet firms help Canadian courts ID authors of controversial email'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-249084140047907690</id><published>2009-09-19T04:58:00.000-07:00</published><updated>2009-09-19T05:00:10.068-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='identity theft'/><title type='text'>Learn how to protect yourself from identity theft</title><content 
type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://static.arstechnica.com/2009/09/04/thumb_mask_sxc.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 300px; height: 169px;" src="http://static.arstechnica.com/2009/09/04/thumb_mask_sxc.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Did you know that there are numerous steps you can take to protect yourself against identity theft besides just checking your credit report? Here, we talk with an expert and offer tips on what regular people can do to ensure their identities stick with them instead of other shady characters. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Identity theft is big business, and it keeps getting bigger as more and more information about us floats around in an ever data-obsessed society. From every swipe of your credit card to every time you go to the doctor, doors are opened for thieves to snatch information and use it to their advantage. And, as the name implies, it's not just about fraudulent charges showing up on your bank account, either. At worst, you could find that someone has been using your social security number for years to work various jobs or, as in one Chicago student's recent experience, you could even get thrown in jail because a thief using your identity has a warrant out for his arrest. "Oops" doesn't even begin to describe it.&lt;br /&gt;&lt;br /&gt;Most Americans know the basic principle of checking their credit reports once a year. Every US citizen can now get a free report from the three major credit bureaus every year to ensure everything is right on their accounts. However, that's the extent of most of our knowledge, and only addresses one facet of identity theft (financial institutions). 
It turns out there are a number of other preventative measures that can be taken, especially if you're the paranoid type.&lt;br /&gt;Protect against spyware and malware. Seriously.&lt;br /&gt;&lt;br /&gt;Electronic theft may not be the most common, but it's the fastest growing, as noted by TrustedID CEO Scott Mitic. (The most common form of ID theft is still via people in your life who have physical access to your stuff—family, friends, your cleaning lady, your waiter, etc.) Still, theft via computer is one of the fastest growing areas and protecting against it is extremely simple. "Go online and find one of the many different companies that provide anti-spyware protection, which everyone should have," Mitic told Ars.&lt;br /&gt;&lt;br /&gt;Indeed, many companies even offer free software to do so, such as McAfee's free SiteAdvisor plugin that aims to prevent users from being phished or forced to download malicious software. And, as always, practice safe file and link opening practices from your e-mail: only open files that you are expecting from people you trust, and if you're ever suspicious of a link from somewhere like PayPal or your bank, it's always safest to go to your browser and type in the URL yourself to log in instead of clicking from an e-mail.&lt;br /&gt;Fraud alerts are your friend&lt;br /&gt;&lt;br /&gt;People are often advised to place fraud alerts on their files with the credit bureaus after someone has stolen their information, but how often are you told to do it before? As it turns out, paranoid types do it all the time, and it's not such a bad idea either. There are two steps to this: putting a fraud alert on your credit reports, and putting a freeze on your credit. "These two mechanisms work in similar ways—someone cannot simply get your name and address and apply for credit in your name, because lenders must check with consumer first when these freezes are in place," Mitic said. 
"These are highly effective ways of reducing most of the most dangerous forms of identity theft."&lt;br /&gt;&lt;br /&gt;Of course, if you're the type who regularly applies for those department store credit lines to get a discount on your purchase, or you're about to apply for a time-sensitive loan (such as a mortgage on a house), this may be something you'll want to hold off on. However, if you don't usually open up many new credit accounts or if you have had a close call with ID theft, it may be a good idea.&lt;br /&gt;Check for your kids&lt;br /&gt;&lt;br /&gt;Children's identities are currently going for a premium, it turns out. And, because most people don't think to check up on their kids' credit reports, the use of their IDs can go on for years (or sometimes even decades) before it ever comes to light. "Consumers and parents should be checking their children's info by going to the three credit bureaus once per year and inquiring as to whether or not there is a credit report," Mitic said. In this case, no news is good news, but if your kid is only 5 and has a report, there could be a problem.&lt;br /&gt;&lt;br /&gt;Another way to check on your kid's identity is to request a yearly summary of his or her earnings from the Social Security Administration. Obviously, if your child is too young to work, there shouldn't be any earnings. But, as Mitic pointed out, undocumented workers might get a job with a stolen social security number and, if it's a child's, might be able to use it for many years. If that happens, though, the earnings will be reported on the yearly summary, so it's a good way to make sure things are clean for your child (and you, as well).&lt;br /&gt;Think about your medical identity, too&lt;br /&gt;&lt;br /&gt;"What many people don't realize is that their medical insurance is valuable to those who don't have insurance," Mitic said. 
Your name, address, and insurance information can easily be used by fraudsters to get medical treatments in your name. This is the most serious if someone has used your insurance already for treatment in a life or death situation. "If you end up in the hospital with a split appendix and doctors look at your medical charts, they might think it's not an appendix problem because you've already had yours removed."&lt;br /&gt;&lt;br /&gt;Okay, so that's an extreme case, but it could still happen. "Half a million to a million people per year are paying for medical procedures that are not theirs," Mitic warned. (Ouch.) A good idea in this case would be to contact your insurance company once per year to ask for an annual disclosure of benefits processed in your name. This document will show every claim processed for you and you can examine it to make sure every item is legit.&lt;br /&gt;Oh social networking, you minx&lt;br /&gt;&lt;br /&gt;We already know that social networking sites can pose a threat to people's machines and networks thanks to the proliferation of malware, but it's also a good medium to steal people's identities and scam "friends." According to Mitic, there have been repeated incidents of people getting messages from friends describing extreme circumstances like a car accident and asking for money.&lt;br /&gt;&lt;br /&gt;"Employ a reasonable level of suspicion when someone who is not standing immediately in front of you is asking you for anything," he said. "That's especially true in this era of social networking. The message that seems to be coming from your friend may not be coming from your friend."&lt;br /&gt;&lt;br /&gt;Similarly, ensure that your own accounts don't get hacked or stolen by employing best practices when determining your passwords, and of course, don't share your password information (or your secret questions!) 
with anyone.&lt;br /&gt;Conclusion&lt;br /&gt;&lt;br /&gt;The rabbit hole is pretty deep when it comes to little things you could do to protect yourself from identity theft, but these basic steps will help mitigate the large majority of situations. If there's one thing that could be improved upon, it's the fact that each individual entity must be dealt with if you end up finding something fishy—if you find something on your credit report, you must deal directly with the credit agencies and financial institutions. If you find something on your insurance, you must deal with your insurance company and hospitals involved. If it's a case of social security fraud, you have to deal with the Social Security Administration to sort it out. Aside from this inconvenience, though, it's not hard to keep regular checks going on various parts of your life to make sure someone else isn't pretending to be you.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-249084140047907690?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/249084140047907690/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/09/learn-how-to-protect-yourself-from.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/249084140047907690'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/249084140047907690'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/09/learn-how-to-protect-yourself-from.html' title='Learn how to protect yourself from identity 
theft'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-6318691342249666691</id><published>2009-08-27T01:20:00.000-07:00</published><updated>2009-08-27T01:22:43.118-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><title type='text'>Court’s Steroid Ruling Pumps Up Computer Privacy</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.wired.com/images_blogs/threatlevel/2009/08/picture-40.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://www.wired.com/images_blogs/threatlevel/2009/08/picture-40.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;A divided 11-judge federal appeals court panel has dramatically narrowed the government’s search-and-seizure powers in the digital age, ruling Wednesday that federal prosecutors went too far when seizing 104 professional baseball players’ drug results when they had a warrant for just 10.&lt;br /&gt;&lt;br /&gt;The 9th U.S. Circuit Court of Appeals’ 9-2 decision offered Miranda-style guidelines to prosecutors and judges on how to protect Fourth Amendment privacy rights while conducting computer searches.&lt;br /&gt;&lt;br /&gt;Ideally, when searching a computer’s hard drive, the government should cull the specific data described in the search warrant, rather than copy the entire drive, the San Francisco-based appeals court ruled. 
When that’s not possible, the feds must use an independent third party under the court’s supervision, whose job it would be to comb through the files for the specific information, and provide it, and nothing else, to the government.&lt;br /&gt;&lt;br /&gt;Judges, the appellate court added, should be wary of prosecutors and perhaps “deny the warrant altogether” if the government does not consent to such a plan in data-search cases.&lt;br /&gt;&lt;br /&gt;The government said it was weighing its options, including whether to appeal to the Supreme Court.&lt;br /&gt;&lt;br /&gt;The ruling came in a case that dates to 2004, when federal prosecutors probing a Northern California steroid ring obtained warrants to seize the results of urine samples of 10 pro baseball players at a Long Beach, California drug-testing facility. The players had been tested as part of a voluntary drug-deterrence program implemented by Major League Baseball.&lt;br /&gt;&lt;br /&gt;Federal agents serving the search warrant on the Comprehensive Drug Testing lab wound up making a copy of a directory containing a Microsoft Excel spreadsheet with results of every player that was tested in the program. Then, back in the office, they scrolled freely through the spreadsheet, ultimately noting the names of all 104 players who tested positive.&lt;br /&gt;&lt;br /&gt;The government argued that the information was lawfully found in “plain sight,” just like marijuana being discovered on a dining room table during a court-authorized weapons search of a home. 
But the court noted that the agents actively scrolled to the right side of the spreadsheet to peek at all the players’ test results, when they could easily have selected, copied and pasted only the rows listing the players named in the search warrant.&lt;br /&gt;&lt;br /&gt;Chief Judge Alex Kozinski, &lt;a href="http://www.wired.com/images_blogs/threatlevel/2009/08/seizure.pdf"&gt;writing for the 9-2 majority, (.pdf)&lt;/a&gt; said the government “must maintain the privacy of materials that are intermingled with seizable materials, and … avoid turning a limited search for particular information into a general search of office file systems and computer databases.”&lt;br /&gt;&lt;br /&gt;George Washington University law professor and former federal cybercrime prosecutor Orin Kerr called the decision “truly astonishing.”&lt;br /&gt;&lt;br /&gt;“The majority opinion … announces a laundry list of brand-new rules, introduced with no citations to any authority, that henceforth the government must follow when executing warrants for digital information,” Kerr wrote in a post to the Volokh Conspiracy blog. “I can’t recall having read anything quite like it, although it does bring to mind Miranda v. Arizona.”&lt;br /&gt;&lt;br /&gt;Four players whose names were seized, and who were not linked to the BALCO investigation, have been leaked to The New York Times. 
They are Alex Rodriguez, David Ortiz, Manny Ramirez and Sammy Sosa.&lt;br /&gt;&lt;br /&gt;That privacy breach was not lost on Kozinski, who said those players suffered “harm as a result of the government’s seizure.”&lt;br /&gt;&lt;br /&gt;In dissent, Judges Consuelo Callahan and Sandra Ikuta wrote that the majority was sidestepping its own precedent in which the circuit court had denied the suppression of child pornography evidence found on a computer during a search for the production of false identification cards pursuant to a valid warrant.&lt;br /&gt;&lt;br /&gt;“There is no rule … that evidence turned up while officers are rightfully searching a location under properly issued warrant must be excluded simply because the evidence found may support charges for a related crime,” the dissenting judges wrote.&lt;br /&gt;&lt;br /&gt;By David Kravets&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-6318691342249666691?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/6318691342249666691/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/08/courts-steroid-ruling-pumps-up-computer.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6318691342249666691'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6318691342249666691'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/08/courts-steroid-ruling-pumps-up-computer.html' title='Court’s Steroid Ruling Pumps Up Computer 
Privacy'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-6914513755565156274</id><published>2009-08-26T06:28:00.000-07:00</published><updated>2009-08-26T06:35:32.741-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='rootkit'/><title type='text'>New Rootkit Found</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.f-secure.com/weblog/archives/RootkitVid.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 300px; height: 150px;" src="http://www.f-secure.com/weblog/archives/RootkitVid.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;The tale of discovering a library preloading rootkit that made itself nearly invisible and recorded incoming and outgoing connections out of the box. 
&lt;br /&gt;&lt;br /&gt;Read the full story at : &lt;a href="http://www.void.gr/kargig/blog/2009/08/21/theres-a-rootkit-in-the-closet/"&gt;http://www.void.gr/kargig/blog/2009/08/21/theres-a-rootkit-in-the-closet/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-6914513755565156274?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/6914513755565156274/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/08/new-rootkit-found.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6914513755565156274'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6914513755565156274'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/08/new-rootkit-found.html' title='New Rootkit Found'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-7456220686778844822</id><published>2009-08-20T01:16:00.000-07:00</published><updated>2009-08-20T01:17:22.052-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='mac'/><category scheme='http://www.blogger.com/atom/ns#' term='iphone'/><title type='text'>Spotlight finds deleted e-mails on iPhone</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://static.arstechnica.com/news/trash.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 300px; height: 169px;" src="http://static.arstechnica.com/news/trash.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;Spotlight finds deleted e-mails on iPhone, but don't panic (Updated)&lt;br /&gt;&lt;br /&gt;Spotlight on the iPhone can find your deleted e-mails—oh no! The problem has been blown way out of proportion, though, and Apple has reportedly "fixed" the issue for iPhone OS 3.1.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The Mac blog-o-verse has been abuzz recently with the revelation that a Spotlight search can turn up deleted e-mails on an iPhone. While described as a bug or potential security issue, the truth is less scary than that. Additionally, it seems that Apple has already added a fix to the iPhone OS 3.1 update that is currently in beta.&lt;br /&gt;&lt;br /&gt;Cult of Mac reader Matt Janssen revealed the bug yesterday morning after he discovered that an e-mail he remembered deleting showed up in a Spotlight search. "Obviously this could be a major security issue if you think you deleted something from your iPod but it's not really deleted," Janssen told Cult of Mac. "You can still search through messages that are deleted. And this isn't messages that are just recent. I found some messages that are over three or four months old."&lt;br /&gt;&lt;br /&gt;But, as TUAW points out, the problem is that when you hit "delete" on an e-mail, most (if not all) e-mail clients put the message in a special Trash folder. This is just like using the Trash on your desktop—it's a temporary staging area where you can retrieve messages if you deleted them accidentally. And, just like Spotlight on the Mac, Spotlight on the iPhone OS can find e-mails that are in the Trash. 
(By default it normally will ignore messages trashed in Mail, but you can search the Trash easily in Mail itself.)&lt;br /&gt;&lt;br /&gt;Depending on the settings on your server, these messages may be "emptied" from the Trash in seven days, 30 days, or maybe even never. On the iPhone itself, the setting to control when messages are automatically emptied from the Trash is buried several levels deep in the Settings app (Mail, Contacts, Calendars &gt; account &gt; Account Info &gt; Advanced &gt; Remove Deleted Message...). I like TUAW's suggestion that Apple add an "Empty Trash" button in the iPhone version of Mail, but it turns out that is easy to do in iPhone OS 3.0. As Ars reader lloeki points out, just go to an account's Trash folder, press "Edit," then press "Delete All."&lt;br /&gt;&lt;br /&gt;There is good news for those who would just assume messages in the Trash wouldn't turn up in a search, though. A tipster for Gizmodo said Apple is aware of the issue, and it appears that the current iPhone OS 3.1 beta doesn't show trashed e-mails in search results. So, it seems the crisis will be averted soon.&lt;br /&gt;&lt;br /&gt;Still, even though the messages won't show up in a Spotlight search, that will only thwart casual peepers looking through your mail for potential dirt or other sensitive information. Those e-mails will still be in the Trash folder in your iPhone or iPod touch's flash memory, and will get backed up whenever you sync your device to iTunes. A more skilled hacker could find them if they wanted, so it's still best to manually empty e-mails that you don't want anyone else reading out of the Trash. To be extra safe, you could then zero out the free space on your device.&lt;br /&gt;&lt;br /&gt;UPDATE: It appears that even after deleting messages from the Trash, they can still show up in Spotlight searches if the account in question is a POP account. 
According to TUAW's Mike Jones, whether or not the message can be accessed once it shows up in the Spotlight search is hit or miss as well. Since we use our iPhones with IMAP accounts, which are unaffected by the bug, we didn't notice the problem. Still, a fix from Apple is definitely on its way when iPhone OS 3.1 becomes available.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-7456220686778844822?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/7456220686778844822/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/08/spotlight-finds-deleted-e-mails-on.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7456220686778844822'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7456220686778844822'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/08/spotlight-finds-deleted-e-mails-on.html' title='Spotlight finds deleted e-mails on iPhone'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-4376891147439781811</id><published>2009-08-16T13:33:00.000-07:00</published><updated>2009-08-16T13:34:29.100-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Data Hiding'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><title 
type='text'>Data Hiding in Facebook through flash games</title><content type='html'>&lt;iframe src="http://docs.google.com/present/embed?id=ddddwdkw_5f4tv5fgs&amp;interval=10&amp;autoStart=true" frameborder="0" width="410" height="342"&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-4376891147439781811?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/4376891147439781811/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/08/data-hiding-in-facebook-through-flash.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/4376891147439781811'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/4376891147439781811'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/08/data-hiding-in-facebook-through-flash.html' title='Data Hiding in Facebook through flash games'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-9049806899017309017</id><published>2009-07-20T07:50:00.000-07:00</published><updated>2009-07-20T07:51:32.282-07:00</updated><title type='text'>The Anatomy Of The Twitter Attack</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://cache0.techcrunch.com/wp-content/uploads/2009/07/twittercracked2.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 100px;" src="http://cache0.techcrunch.com/wp-content/uploads/2009/07/twittercracked2.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;The Twitter document leak fiasco started with a simple story that personal accounts of Twitter employees were hacked. Twitter CEO Evan Williams commented on that story, saying that Twitter itself was mostly unaffected. No personal accounts were compromised, and “most of the sensitive information was personal rather than company-related,” he said. The individual behind the attacks, known as Hacker Croll, wasn’t happy with that response. Lots of Twitter corporate information was compromised, and he wanted the world to know about it. So he sent us all of the documents that he obtained, some 310 of them, and the story developed from there.&lt;br /&gt;&lt;br /&gt;This post isn’t about the confidential information taken from Twitter. It’s about exactly how Hacker Croll was able to get such deep access to Twitter in the first place.&lt;br /&gt;&lt;br /&gt;It’s clear that Twitter was completely unaware of how deeply they were affected as a company - when Williams said that most of the information wasn’t company related he believed it. It wasn’t until later that he realized just how much and what kind of information was taken. It included things like financial projections and executive meeting notes that contained highly confidential information.&lt;br /&gt;&lt;br /&gt;We’ve already said a lot about all of this and the related “server password = password” story that was discovered by another individual last week. But we’ve got two more stories to tell. The first, this post, is exactly how the hacks took place, based on information gathered from hours of conversations with Hacker Croll. 
The second is what was happening behind the scenes with Twitter as the story unfolded. We’ll post that later this week.&lt;br /&gt;&lt;br /&gt;When the story first broke the true scope of what had taken place and how it occurred was not understood. Various bloggers speculated about the cause of the attack - with some placing the blame on Google while others blamed the rising trend of hosting documents in the cloud.&lt;br /&gt;&lt;br /&gt;We immediately informed Twitter of the information we had in our possession (and forwarded it to them), and at the same time reached out to the attacker. With some convincing, the attacker responsible for the intrusion at Twitter began a dialog with us. I spent days communicating with the attacker in an effort to gain insight into how the attack took place, what the true scope of it was and how we could learn from it.&lt;br /&gt;&lt;br /&gt;We’ve waited to post exactly what happened until Twitter had time to close all of these security holes.&lt;br /&gt;&lt;br /&gt;Some Background&lt;br /&gt;&lt;br /&gt;In the security industry there is a generally accepted philosophy that no system or network is completely secure - a competent attacker with enough time, patience and resources will eventually find a way into a target. Some of the more famous information security breaches have relied on nothing more than elementary issues exploited by an attacker with enough time and patience at hand to see their goal through. A classic example is the case of Gary McKinnon, a self-confessed “bumbling computer nerd” who while usually drunk and high on cannabis would spend days randomly dialing or attempting to log in to government servers using default passwords. His efforts led to the compromise of almost 100 servers within a number of government departments. 
After McKinnon spent a number of years trawling through servers looking for evidence of alien life (long story), somebody within the government finally wised up to his activities, which led to not only the arrest and attempted extradition of McKinnon from the United Kingdom, but a massive re-evaluation of the security methods employed to protect government information.&lt;br /&gt;&lt;br /&gt;A more recent example is the case of Kendall Myers, who after being recruited to work for the Cuban government by an anonymous stranger they met while on holiday in that country, set out to obtain a high ranking position within the State Department specifically to obtain access to US government secrets. Kendall dedicated his entire life to obtaining state secrets, and up until he was recently caught by the FBI had successfully passed on secret information and internal documents to the Cuban government for 30 years. He relied only on his memory, his education credentials and sheer dedication.&lt;br /&gt;&lt;br /&gt;The Twitter Attack: How The Ecosystem Failed&lt;br /&gt;&lt;br /&gt;As in other successful attacks, Hacker Croll used the same combination of patience, sheer determination and somewhat elementary methods to gain access to a frightening number of accounts and services related to Twitter and Twitter employees. The services affected, either directly or indirectly, are some of the most popular web applications and services in use today - Gmail, Google Apps, GoDaddy, MobileMe, AT&amp;T, Amazon, Hotmail, Paypal and iTunes. Taken individually, most of these services have reasonable security precautions against intrusion. But there are huge weaknesses when they are looked at together, as an ecosystem. Like dominoes, once one fell (Gmail was the first to go), the others all tumbled as well. 
The end result was chaos, and raises important questions about how private corporate and personal information is managed and secured in a time when the trend is towards more data, applications and entire user identities being hosted on the web and ‘in the cloud’.&lt;br /&gt;&lt;br /&gt;“Hacker Croll” is a Frenchman in his early 20’s. He currently resides in a European country and first discovered his interest in web security over two years ago. Currently in between jobs, he has made use of the additional time he now has, along with his acquired skillset, to break into both corporate and personal accounts across the web. His knowledge of web security has been attained through a combination of materials available to the public and from within a tight-knit group of fellow crackers who exchange details of new, and sometimes unknown, techniques and vulnerabilities. Despite the significance and impact a successful attack has, the cracker claims that his primary motivation is a combination of curiosity, exploration and an interest in web security. There is almost a voyeuristic tendency amongst these individuals, as they revel in the thought of gaining privileged access to information about the inner lives of individuals and corporations. The “high” of access and gaining unauthorized knowledge must be big enough to carry a cracker’s motivation through the long hours, days and months of effort it may take to hit the next pot of gold.&lt;br /&gt;&lt;br /&gt;For Hacker Croll, his first port of call in setting out to gain access to a target network is to make use of public search engines and public information to build a profile of a company or individual. In the case of the Twitter attacks, this public information allowed him to create a rich catalog of data that included a list of employee names, their associated email addresses and their roles within the company. 
Information like birth dates, names of pets and other seemingly innocent pieces of data were also found and logged. This dragnet across the millions of pages on the web picked up both work and personal information on each of the names that were discovered. Public information on the web has no concept of, or ability to, distinguish between the work and personal details of a person’s identity - so from the perspective of a cracker on a research mission, having both the business and personal aspects of a target’s digital life intertwined only serves to provide additional potential entry points.&lt;br /&gt;&lt;br /&gt;With his target mapped out, Hacker Croll knew that he likely only needed a single entry point in any one of the business or personal accounts in his list in order to penetrate the network and then spread into other accounts and other parts of the business. This is because the web was designed at a time where there was implicit trust between its participants - requiring no central or formal identification mechanism. In order to keep private data private, modern web applications have built out their own systems and policies that require a user to register and then manage their identities separately with each app. The identifier that most applications use is an email address, and it is this common factor that creates a de facto trust relationship between a user’s applications. The second factor is a password: a random string that only the user knows, is unique to each application, and in theory should take even a computer months or years to figure out if it started guessing. 
These two elements would work well enough for most cases, were it not for what is often the single weakest factor: human habit.&lt;br /&gt;&lt;br /&gt;Look at the front page of almost any web application and you will see hints at just how hopeless and helpless we are in managing our digital lives: “forgot my password”, “forgot my username”, “keep me logged in”, “do not keep me logged in”, “forgot my name”, “who am i?”. These are features that were designed and built as a compromise, since we are often unable to remember and recall a single four-digit PIN number, let alone a unique password for every application we ever sign up for. Each new service that a user signs up for creates a management overhead that collapses quickly into a common dirty habit of using simple passwords, everywhere. At that point, the security of that user’s entire online identity is only as strong as the weakest application they use - which often is to say, very weak.&lt;br /&gt;&lt;br /&gt;Now, back to Hacker Croll and his list of Twitter employees and other information. Twitter just happens to be one of a new breed of companies where almost the entire business exists online. Each of these employees, as part of their work, shares data with other employees - be it through a feature of a particular application or simply through email. As these users become interwoven, it adds a whole new attack vector whereby the weak point in the chain is no longer just the weakest application - it is the weakest application used by the weakest user. For an attacker such as Hacker Croll looking to exploit the combination of bad user habit, poorly implemented features and users mixing their personal and business data - his chances of success just got exponentially greater. 
Companies that are heavily web based rely largely on users being able to manage themselves - the odds are not only stacked against Twitter, they are stacked against most companies adopting this model.&lt;br /&gt;&lt;br /&gt;Unfortunately for Twitter, Hacker Croll found such a weak point: an employee whose online habits are probably no different from those of 98% of other web users. It began with the personal Gmail account of this employee. As with most other web applications, the personal edition of Gmail has a password recovery feature that presents a user with a number of challenges to prove their identity so that their password can be reset. It likely wasn’t the first account from a Twitter employee that Hacker Croll had attempted to access - but in the case of this particular account he discovered a chink in the armor that gave him the big first step. When he requested password recovery, Gmail informed him that an email had been sent to the user’s secondary email account. In an effort to balance usability with security, Gmail offered a hint as to which account the email to reset the password was being sent to, in case the user required a gentle reminder. In this case the obfuscated pointer to the location of the secondary email account was ******@h******.com. The natural best guess was that the secondary email account was hosted at hotmail.com.&lt;br /&gt;&lt;br /&gt;At Hotmail, Hacker Croll again attempted the password recovery procedure - making an educated guess of what the username would be based on what he already knew. This is the point where the chain of trust broke down, as the attacker discovered that the account specified as a secondary for Gmail, and hosted at Hotmail, was no longer active. This is due to a policy at Hotmail where old and dormant accounts are removed and recycled. 
He registered the account, re-requested the password recovery feature at Gmail and within a few moments had access to the personal Gmail account of a Twitter employee. The first domino had fallen.&lt;br /&gt;&lt;br /&gt;Well designed web applications will never just give a user their password if they forget it, they will force the user to pick a new one. Hacker Croll had access to the account, but with a password he had specified. To not alert the account owner that their account had been compromised, he had to somehow find out what the old Gmail password was and to set it back. He now had a bevy of information at his fingertips, a complete mailbox and control of an email account. It wasn’t long before he found an email that would have looked something like this:&lt;br /&gt;&lt;br /&gt;    To: Lazy User&lt;br /&gt;    From: Super Duper Web Service&lt;br /&gt;    Subject: Thank you for signing up to Super Duper Web Service&lt;br /&gt;&lt;br /&gt;    Dear Lazy User,&lt;br /&gt;&lt;br /&gt;    Thank you for signing up to Super Duper Web Service. For the benefit of our support department (and anybody else who is reading this), please find your account information below:&lt;br /&gt;&lt;br /&gt;    username: LazyUser&lt;br /&gt;    password: funsticks&lt;br /&gt;&lt;br /&gt;    To reset your password please follow the link to.. ahh forget it, nobody does this anyway.&lt;br /&gt;&lt;br /&gt;    Regards,&lt;br /&gt;&lt;br /&gt;    Super Duper Web Service &lt;br /&gt;&lt;br /&gt;Bad human habit #1: Using the same passwords everywhere. We are all guilty of it. Search your own inbox for a password of your own. Hacker Croll reset the password of the Gmail account to the password he found associated with some random web service the user had subscribed to and that sent a confirmation with the password in clear text (and he found the same password more than once). He then waited, to check that the user was still able to access their account. 
Not too long later there was obvious activity in the email account from the account owner - incoming email read, replies sent and new messages drafted. The account owner never would have noticed that a complete stranger was lurking in the background. The second domino falls.&lt;br /&gt;&lt;br /&gt;From here it was easy.&lt;br /&gt;&lt;br /&gt;Hacker Croll now sifts through the new set of information he has access to - using the emails from this user’s personal Gmail account to further fill in his information map of his target. He extends his access out to all the other services he finds that this user has signed up for. In some instances, the password is again the same - that led Croll into this user’s work email account, hosted on Google Apps for Domains. It turns out that this employee (and in fact most/all Twitter employees and everyone else) used the same password for their Google Apps email (the Twitter email account) as he did with his personal Gmail account. With other sites, where the original password may not work - he takes advantage of a feature many sites have implemented to help users recover passwords: the notorious “secret question”.&lt;br /&gt;&lt;br /&gt;Fork the story here for a moment because there is a real issue here with the “secret question” (from here on abbreviated more appropriately as just “secret ?”). For some strange reason, some sites refer to the “secret ?” as an additional layer of security - when it is often the complete opposite. In the story of Hacker Croll and Twitter, the internal documents that we now all know about were only a few steps away from the first account he gained access to. 
In addition to that, this attacker, and certainly others just like him, have been able to demonstrate that some of the biggest and most popular applications on the web contain fundamental weaknesses that alone might seem harmless, but in combination with other factors can cause an attacker to completely tear through the accounts of users, even those who maintain good password policy.&lt;br /&gt;&lt;br /&gt;This is not the first time that the issue of “secret ?” being used in password recovery systems has been raised. Last September, US Republican Vice Presidential candidate and former governor of Alaska, Sarah Palin, had screenshots of her personal Yahoo mail account published to Wikileaks. A hacker or group known only as ‘Anonymous’ claimed credit for the hack, which was carried out by the attacker making an educated guess in response to the security question used to recover passwords. In early 2005, celebrity Paris Hilton suffered a similar incident when her T-Mobile sidekick account was broken into, and the details of her call log, messages (some with private pictures of Hilton) and contact list were leaked to the media. The culprit, again, was “secret ?”.&lt;br /&gt;&lt;br /&gt;Giving the user an option to guess the name of a pet in lieu of actually knowing a password is just dramatically shortening the odds for the attacker. The service is essentially telling the attacker: “we understand that guessing passwords is hard, so let us help you narrow it down from potentially millions of combinations to around a dozen, or even better, if you know how to Google, just one”. 
The problem is not the concept of having an additional authorization token, such as a mother’s maiden name, that can be used to authenticate in addition to a password; the problem arises when it is relied on alone, when the answer is stored in the clear in account settings, and when users end up using the same question and answer combination on all of their accounts.&lt;br /&gt;&lt;br /&gt;From this point, with a single personal account as a starting point, the intrusion spread like a virus - infecting a number of accounts on a number of different services both inside and outside of Twitter. Once Hacker Croll had access to the employee’s Twitter email account hosted by Google, he was able to download attachments to email that included lots of sensitive information, including more passwords and usernames. He quickly took over the accounts of at least three senior execs, including Evan Williams and Biz Stone. Perusing their email attachments led to lots more sensitive data being downloaded.&lt;br /&gt;&lt;br /&gt;He then spidered out and accessed AT&amp;T for phone logs, Amazon for purchasing history, MobileMe for more personal emails and iTunes for full credit card information (iTunes has a security hole that shows credit card information in clear text - we’ve notified Apple but have not heard back, so we won’t publish the still-open exploit now).&lt;br /&gt;&lt;br /&gt;Basically, when he was done, Hacker Croll had enough personal and work information on key Twitter executives to make their lives a living hell.&lt;br /&gt;&lt;br /&gt;Just to summarize the attack:&lt;br /&gt;&lt;br /&gt;   1. HC accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account; he simply registered it, clicked the link and reset the password. Gmail was then owned.&lt;br /&gt;   2. 
HC then read emails, successfully guessed what the original Gmail password was, and reset the password so the Twitter employee would not notice the account had changed.&lt;br /&gt;   3. HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.&lt;br /&gt;   4. HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.&lt;br /&gt;   5. HC then used the same username/password combinations and password reset features to access AT&amp;T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitter’s domain names at GoDaddy.&lt;br /&gt;   6. Even at this point, Twitter had absolutely no idea they had been compromised.&lt;br /&gt;&lt;br /&gt;What could have happened next is that Hacker Croll could have used or sold this information for profit. He didn’t do that, and says he never intended to. All he wanted to do, he says, was to highlight the weaknesses in Twitter’s data security policies and get them and other startups to consider more robust security measures.&lt;br /&gt;&lt;br /&gt;He also says he’s sorry for causing Twitter so much trouble. We asked Hacker Croll if he had any message he wants to deliver to Twitter, and he sent me the following:&lt;br /&gt;&lt;br /&gt;    Je tiens à présenter toutes mes excuses au personnel de Twitter. Je trouve que cette société a beaucoup d’avenir devant elle.&lt;br /&gt;&lt;br /&gt;    J’ai fait cela dans un but non lucratif. La sécurité est un domaine qui me passionne depuis de longues années et je voudrais en faire mon métier. Dans mon quotidien, il m’arrive d’aider des gens à se prémunir contre les dangers de l’internet. Je leur apprend les règles de base.. 
Par exemple : Faire attention où on clique, les fichiers que l’on télécharge et ce que l’on tape au clavier. S’assurer que l’ordinateur est équipé d’une protection efficace contre les virus, attaques extérieures, spam, phishing… Mettre à jour le système d’exploitation, les logiciels fréquemment utilisés… Penser à utiliser des mots de passe sans aucune similitude entre eux. Penser à les changer régulièrement… Ne jamais stocker d’informations confidentielles sur l’ordinateur…&lt;br /&gt;&lt;br /&gt;    J’espère que mes interventions répétées auront permis de montrer à quel point il peut être facile à une personne mal intentionnée d’accéder à des informations sensibles sans trop de connaissances.&lt;br /&gt;&lt;br /&gt;    Hacker Croll.&lt;br /&gt;&lt;br /&gt;This roughly translates to:&lt;br /&gt;&lt;br /&gt;    I would like to offer my personal apology to Twitter. I think this company has a great future ahead of it.&lt;br /&gt;&lt;br /&gt;    I did not do this to profit from the information. Security is an area that fascinated me for many years and I want to do my job. In my everyday life, I help people to guard against the dangers of the Internet. I learned the basic rules .. For example: Be careful where you click the files that you download and what you type on the keyboard. Ensure that the computer is equipped with effective protection against viruses, external attacks, spam, phishing … Upgrading the operating system, software commonly used … Remember to use passwords without any similarity between them. Remember to change them regularly … Never store confidential information on the computer …&lt;br /&gt;&lt;br /&gt;    I hope that my intervention will be repeated to show how easy it can be for a malicious person to gain access to sensitive information without too much knowledge.&lt;br /&gt;&lt;br /&gt;    Croll hacker.&lt;br /&gt;&lt;br /&gt;What’s the takeaway from all this? Cloud services are convenient and cheap, and can help a company grow more quickly. 
But security infrastructure is still nascent. And while any single service can be fairly secure, the important thing is that the ecosystem most certainly is not. Combine the fact that so much personal information about individuals is so easily findable on the web with the reality that most people have merged their work and personal identities and you’ve got the seed of a problem. A single Gmail account falls, and soon the security integrity of an entire startup crumbles. So for a start, reset those passwords and don’t use the same passwords for different services. Don’t use password recovery questions that can easily be answered with a simple web search (an easy solution is to answer those questions falsely). And just in general be paranoid about data security. You may be happy you were.&lt;br /&gt;&lt;br /&gt;by Nik Cubrilovic on July 19, 2009&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-9049806899017309017?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/9049806899017309017/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/07/anatomy-of-twitter-attack.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/9049806899017309017'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/9049806899017309017'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/07/anatomy-of-twitter-attack.html' title='The Anatomy Of The Twitter Attack'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-6219359848846591466</id><published>2009-06-30T10:55:00.000-07:00</published><updated>2009-06-30T10:56:38.388-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>China outlaws virtual currency for real-world items</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://static.arstechnica.com/2009/06/30/wow_gold_ars.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 300px; height: 169px;" src="http://static.arstechnica.com/2009/06/30/wow_gold_ars.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;China has passed a new law that makes the purchase of physical goods with virtual currency illegal, but this may not have as large an effect on gold farming as it at first seems.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;In a world of increasingly virtual human interactions, the idea of money is becoming more fluid than authorities find comfortable. China has officially outlawed the practice of exchanging virtual currency for real goods, and minors are no longer able to buy the virtual cash. These rules will help the government control trade in China, but they could also impact the huge gold-farming industry that exists in the country.&lt;br /&gt;It's easy to understand why China has such a problem with "virtual" currency being used for so many purposes. Tencent QQ is China's most popular instant-messaging client, offering a currency called "QQ Coins" that are used for purchasing items for their online identity. This currency has become popular among the youth, and now many online stores will accept the coin as actual payment for goods or online gaming. 
Using this virtual currency for real-world transactions outside of the messaging service makes it an ideal way to hide transactions, giving organized crime a potential route to launder money.&lt;br /&gt;&lt;br /&gt;The new law makes the acceptable uses of this currency clear. "The virtual currency, which is converted into real money at a certain exchange rate, will only be allowed to trade in virtual goods and services provided by its issuer, not real goods and services," the government explained.&lt;br /&gt;&lt;br /&gt;So will this law hurt the gold farming industry? It's hard to say at the moment, but common sense says that with so many people making so much money from the practice, the gold farming business has its own momentum that makes enforcing legislation a challenge. Minors will no longer be able to buy gold or other in-game currencies with actual money, and the selling of the in-game cash for real-world money seems to run afoul of the new rules. The loophole? Gamers could still use the gold to buy in-game items, which could then be sold to other players to be converted back into gold. That adds an extra layer of complexity for selling in-game money, but shows how easily the law can be subverted.&lt;br /&gt;&lt;br /&gt;There are also questions raised by the new law. If prepaid cards are considered virtual currency, will gamers be asked to provide identification showing they are of legal age before buying time on their favorite games? Only currency is named in the law, meaning that virtual items or even characters can still be bought and sold. As long as there is a stable economy without too much fluctuation in prices, anything online can be used as a currency, making the language potentially vague. Gamers can make actual money by buying and selling virtual currency—sometimes even across games—which makes the very definition of currency fluid. 
If enough people agree that a virtual blue T-shirt is worth a certain amount of yuan, that shirt can become as good as the QQ Coins that were used to buy it, which were of course as good as cash to many retailers already.&lt;br /&gt;&lt;br /&gt;By Ben Kuchera&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-6219359848846591466?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/6219359848846591466/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/06/china-outlaws-virtual-currency-for-real.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6219359848846591466'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6219359848846591466'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/06/china-outlaws-virtual-currency-for-real.html' title='China outlaws virtual currency for real-world items'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-5941435135252875822</id><published>2009-06-30T10:48:00.000-07:00</published><updated>2009-06-30T10:50:28.115-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='news'/><category scheme='http://www.blogger.com/atom/ns#' term='china'/><title type='text'>China not backing off despite filter code post on 
Wikileaks</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://static.arstechnica.com/censor_panda_ars.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 300px; height: 169px;" src="http://static.arstechnica.com/censor_panda_ars.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;China still plans to implement the controversial Internet access control software "Green Dam Youth Escort" as of July 1 on every new PC sold in the country. This is despite warnings from security researchers and concerns from the US Embassy, not just over the restriction of information, but the security implications of what appears to be such vulnerable software.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;China is filtering out criticism and diving in headfirst with its plan to roll out controversial filtering software on all PCs sold in China. The Chinese media quoted an unnamed source inside the Ministry of Industry and Information Technology, saying that the software will still come with all computers as of July 1 despite the discovery of massive security holes and vulnerabilities by security researchers.&lt;br /&gt;&lt;br /&gt;News came out about China's plan to implement Internet access control software, called the "Green Dam Youth Escort" earlier this month. The Windows-only software provides a mix of features, including whitelists, blacklists, and on-the-fly content-based filtering. The blacklists can be updated remotely, however, making Green Dam quite an attractive option for a government that likes to keep tight control over what kind of content its citizens are exposed to.&lt;br /&gt;&lt;br /&gt;Unfortunately for everyone buying a computer in China after July 1, researchers at the University of Michigan soon discovered that Green Dam was plagued with serious security vulnerabilities. 
Not only can malicious websites easily take advantage of the security bugs to run arbitrary code on the user's computer, much of the blacklist content was stolen verbatim from commercial filtering programs sold in the US. Just yesterday, code to exploit the Green Dam software was published publicly on Wikileaks, thereby giving the entire world the ability to mess around with the software once it hits Chinese computers in just over a week.&lt;br /&gt;&lt;br /&gt;None of this has stopped the Chinese government, though, who apparently told People's Daily that it will still mandate that Green Dam either come preinstalled or on a CD with every new computer. This, of course, continues to ruffle the feathers of US officials who not only condemn the filtering of Internet access on a government level but also share concerns about the software's security holes.&lt;br /&gt;&lt;br /&gt;"We are concerned about Green Dam both in terms of its potential impact on trade and the serious technical issues raised by use of the software," the US Embassy said in a press briefing on Monday. "We believe there are other commercially available software programs which provide users with a wide range of choices for shielding minors from illicit or inappropriate internet contact—content, which is the ostensible rationale for this. 
We’ve also asked the Chinese to engage in a dialogue on how to address these concerns."&lt;br /&gt;&lt;br /&gt;By Jacqui Cheng&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-5941435135252875822?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/5941435135252875822/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/06/china-not-backing-off-despite-filter.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5941435135252875822'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5941435135252875822'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/06/china-not-backing-off-despite-filter.html' title='China not backing off despite filter code post on Wikileaks'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-1912012546930891601</id><published>2009-06-23T02:59:00.001-07:00</published><updated>2009-06-23T02:59:09.797-07:00</updated><title type='text'>Vista Forensics</title><content type='html'>Check out this SlideShare Presentation: &lt;div style="width:425px;text-align:left" id="__ss_1256290"&gt;&lt;a style="font:14px Helvetica,Arial,Sans-serif;display:block;margin:12px 0 3px 0;text-decoration:underline;" 
href="http://www.slideshare.net/ctin/ctin-windows-fe-1256290?type=presentation" title="Vista Forensics"&gt;Vista Forensics&lt;/a&gt;&lt;object style="margin:0px" width="425" height="355"&gt;&lt;param name="movie" value="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=ctinwindowsforensicsoverview-090406155625-phpapp02&amp;stripped_title=ctin-windows-fe-1256290" /&gt;&lt;param name="allowFullScreen" value="true"/&gt;&lt;param name="allowScriptAccess" value="always"/&gt;&lt;embed src="http://static.slidesharecdn.com/swf/ssplayer2.swf?doc=ctinwindowsforensicsoverview-090406155625-phpapp02&amp;stripped_title=ctin-windows-fe-1256290" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="355"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div style="font-size:11px;font-family:tahoma,arial;height:26px;padding-top:2px;"&gt;View more &lt;a style="text-decoration:underline;" href="http://www.slideshare.net/"&gt;OpenOffice presentations&lt;/a&gt; from &lt;a style="text-decoration:underline;" href="http://www.slideshare.net/ctin"&gt;ctin&lt;/a&gt;.&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-1912012546930891601?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/1912012546930891601/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/06/vista-forensics.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1912012546930891601'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1912012546930891601'/><link rel='alternate' type='text/html' 
href='http://greekforensicscommunity.blogspot.com/2009/06/vista-forensics.html' title='Vista Forensics'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-4259107241441903606</id><published>2009-06-22T17:20:00.000-07:00</published><updated>2009-06-22T17:21:44.863-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='iphone'/><title type='text'>iPhone Forensics 101: Bypassing the iPhone Passcode</title><content type='html'>&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/aaxSF9EOjxw&amp;hl=en&amp;fs=1&amp;"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/aaxSF9EOjxw&amp;hl=en&amp;fs=1&amp;" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="400" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-4259107241441903606?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/4259107241441903606/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/06/iphone-forensics-101-bypassing-iphone.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/4259107241441903606'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/465677049890029931/posts/default/4259107241441903606'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/06/iphone-forensics-101-bypassing-iphone.html' title='iPhone Forensics 101: Bypassing the iPhone Passcode'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-3357983028212345329</id><published>2009-06-20T09:12:00.001-07:00</published><updated>2009-06-20T09:14:18.399-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cryptography'/><title type='text'>Quantum Secrets: A New Standard in Cryptography?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://pascal.iseg.utl.pt/~ncrato/EMS/F4-r1181.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 271px;" src="http://pascal.iseg.utl.pt/~ncrato/EMS/F4-r1181.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;Quantum cryptography has been a Holy Grail for security researchers since the idea was proposed, the promise of a new standard in absolutely unbreakable communications.  But it's a new standard in the Microsoft sense: "Use our brilliant new system, because we're making sure the old one doesn't work anymore."&lt;br /&gt;&lt;br /&gt;The most common security algorithm used online is RSA, an encryption system designed by MIT researchers Ron Rivest, Adi Shamir and Leonard Adleman in 1977 (hence RSA, Rivest-Shamir-Adleman).  
The idea is that any numerical code can be cracked, so rather than try to invent one that's unbreakable you settle for one that would take a really long time - everybody involved is dead because the sun has exploded five billion years later kind of long time.  The system is scalable too - every time computers improve, you just make your RSA bit-string longer to exponentially increase the processing power needed to crack it before the user dies of old age.&lt;br /&gt;&lt;br /&gt;That's where quantum computers come in.  They operate using "qubits" which can be in every possible state at once - so an eight-qubit system could represent every possible piece of regular 8-bit data.  It still collapses into just one regular 8-bit state when you look at it, so the quantum nature of the data was just a mathematical oddity until MIT Professor Peter Shor came up with an algorithm that could access this "every possible state" property to crack the RSA problem.  Since then the race to build a quantum computer has been running in earnest.&lt;br /&gt;&lt;br /&gt;However, quantum mechanics also promises a replacement for the redundant RSA.  Key codes can be transmitted in pairs of particles in such a way that they can't be copied, and these keys can then be used to make a truly uncrackable code.  By uncopiable, we mean that the act of a spy even looking at the keycode will destroy it - and the receiver immediately knows to use a different one.  This is known as Quantum Key Distribution (QKD), and an EU Initiative for "Secure Communication based on Quantum Cryptography" (SECOQC) claims it will demonstrate a network-ready version of the technology this October in Vienna.  You can be sure security experts worldwide will be paying close attention, as well as a couple of 00-agents and possibly Q.&lt;br /&gt;&lt;br /&gt;But you have to be careful of the hype.  
While the theory of quantum communications promises absolute security, there's a lot of room between theory and actual practice for problems.  Researchers at the University of Toronto have already demonstrated a successful spy-attack on a commercial QKD device, based on particular aspects of hardware not quite delivering the idealized situation.  Because you'll always have people messing things up.  Remember - you can use the very basic physics of the universe to transmit an absolutely secure code around the globe, but you can't stop the person at the other end writing it on a yellow sticky on the side of their monitor.&lt;br /&gt;&lt;br /&gt;Posted by Luke McKinney.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-3357983028212345329?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/3357983028212345329/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/06/quantum-secrets-new-standard-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3357983028212345329'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3357983028212345329'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/06/quantum-secrets-new-standard-in.html' title='Quantum Secrets: A New Standard in Cryptography?'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-6737941952944544913</id><published>2009-06-11T03:05:00.000-07:00</published><updated>2009-06-11T03:06:32.119-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='law'/><category scheme='http://www.blogger.com/atom/ns#' term='news'/><title type='text'>Data Protection Makes Identifying Online Pirates a Nightmare</title><content type='html'>Norway’s data protection department has indicated that ISPs must delete all personal IP address-related data just 3 weeks after collection. The instruction, initially given to two ISPs but applicable to them all, means that it will be incredibly difficult to take action against file-sharers.&lt;br /&gt;&lt;br /&gt;Previously it hasn’t been particularly easy for copyright holders to go after alleged infringers in Norway, but just recently the country’s telecoms regulator said that file-sharers’ identities can be given to copyright holders, providing a court agrees there is a good reason to hand them over. This means that these individuals can be pursued through the courts, or through “pay up or else” type threats.&lt;br /&gt;&lt;br /&gt;However, the authority in charge of data protection in Norway has just made that process much, much harder for the copyright holders, since it has instructed two ISPs - Tele2 and Lyse Tele - to delete all IP address-related personal information they hold on their customers which is more than 3 weeks old.&lt;br /&gt;&lt;br /&gt;According to Aftenposten the decision, borne of the Personal Data Act which prohibits the storage of unnecessary data, will apply to all ISPs in Norway such as Canal Digital, NextGenTel, Telenor and others.&lt;br /&gt;&lt;br /&gt;The fact that data can only be held for just 21 days will see the immediate deletion of IP information held on around 1.6 million subscribers by these Norwegian ISPs. 
However, the decision flies in the face of European Union rules which say that this type of data must be held for at least 6 months - right now in Norway, data retention can be anything from a few days to five months.&lt;br /&gt;&lt;br /&gt;The process of monitoring file-sharers, gathering evidence and then collating it all into an acceptable format can be time-consuming. Add this to the time taken to get into the system to obtain a court order from a judge to force the ISPs to hand over data on their customers, and you end up with a period longer than 21 days. By which time the data has gone and the evidence becomes useless, since it’s impossible to identify the alleged infringer.&lt;br /&gt;&lt;br /&gt;Written by enigmax  Torrent freak&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-6737941952944544913?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/6737941952944544913/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/06/data-protection-makes-identifying.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6737941952944544913'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6737941952944544913'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/06/data-protection-makes-identifying.html' title='Data Protection Makes Identifying Online Pirates a Nightmare'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-4104535954729474844</id><published>2009-06-04T17:48:00.000-07:00</published><updated>2009-06-04T17:49:55.029-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='facebook'/><title type='text'>Facebook blocks private messages</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.straitstimes.com/STI/STIMEDIA/image/20090508/In-TECH-FACEBOOK.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 330px; height: 245px;" src="http://www.straitstimes.com/STI/STIMEDIA/image/20090508/In-TECH-FACEBOOK.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;PHOTO: AFP&lt;br /&gt;SYDNEY - AN AUSTRALIAN news website reported on Friday that Facebook has begun blocking private messages.&lt;br /&gt;&lt;br /&gt;The technology blog written by News Limited journalist Andrew Ramadge stated that Facebook 'has started censoring private messages sent between users to block out internet nasties'.&lt;br /&gt;&lt;br /&gt;According to the blog on news.com.au, if links to certain websites are detected in a private message, the user is shown a warning.&lt;br /&gt;&lt;br /&gt;The message says 'Warning: This message contains blocked content. Some content in this message has been reported as abusive by Facebook users.'&lt;br /&gt;&lt;br /&gt;The message is then deleted automatically.&lt;br /&gt;&lt;br /&gt;Mr Ramadge writes that the first block to be reported was applied to The Pirate Bay; one of the world's largest file-sharing websites. 
The Pirate Bay recently lost a legal battle against a number of music and film industry groups.&lt;br /&gt;&lt;br /&gt;'Links to The Pirate Bay's homepage were reportedly accepted, but links to specific pages within the site were blocked,' wrote Mr Ramadge.&lt;br /&gt;&lt;br /&gt;'When we tested it today, that was still happening. However links to other file-sharing sites were fine:&lt;br /&gt;&lt;br /&gt;The Pirate Bay - BLOCKED&lt;br /&gt;&lt;br /&gt;Mininova - OK&lt;br /&gt;&lt;br /&gt;Demonoid - OK&lt;br /&gt;&lt;br /&gt;BTJunkie - OK&lt;br /&gt;&lt;br /&gt;'Links to at least one major pornography site were also blocked.'&lt;br /&gt;&lt;br /&gt;The internet industry website, Wired, also reported that this censorship could lead to Facebook breaching United States wire-tapping laws.&lt;br /&gt;&lt;br /&gt;Chris Kelly, Facebook's chief privacy officer, said the website had a legal right to censor messages, reported Mr Ramadge.&lt;br /&gt;&lt;br /&gt;'Because users had agreed not to send 'spammy, illegal, threatening or harassing' content in accepting the site's terms of use,' wrote Mr Ramadge, quoting Facebook's officer.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-4104535954729474844?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/4104535954729474844/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/06/facebook-blocks-private-messages.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/4104535954729474844'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/4104535954729474844'/><link rel='alternate' 
type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/06/facebook-blocks-private-messages.html' title='Facebook blocks private messages'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-6742359761259634932</id><published>2009-06-04T17:47:00.001-07:00</published><updated>2009-06-04T17:47:51.639-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='law'/><title type='text'>Protests to rape game cast off</title><content type='html'>TOKYO - A JAPANESE computer game maker on Friday dismissed a protest by US rights campaigners against the game 'RapeLay', which lets players simulate sexual violence against females.&lt;br /&gt;&lt;br /&gt;New York-based Equality Now launched a campaign this week 'against rape simulator games and the normalisation of sexual violence in Japan'.&lt;br /&gt;&lt;br /&gt;It urged activists to write in protest to the maker and Prime Minister Taro Aso, arguing the game breaches Japan's obligations under the 1985 Convention on the Elimination of All Forms of Discrimination against Women.&lt;br /&gt;&lt;br /&gt;The Yokohama-based games manufacturer Illusion brushed off the campaign. 'We are simply bewildered by the move,' said spokesman Makoto Nakaoka. 'We make the games for the domestic market and abide by laws here. 
We cannot possibly comment on (the campaign) because we don't sell them overseas.'&lt;br /&gt;&lt;br /&gt;Players earn points for acts of sexual violence, including stalking girls on commuter trains, raping virgins and their mothers, and forcing females to get abortions, according to the group's online statement.&lt;br /&gt;&lt;br /&gt;Japan, often criticised as a major producer of child pornography, in 1999 banned the production, distribution and commercial use of sexually arousing photos, videos and other materials involving those aged under 18.&lt;br /&gt;&lt;br /&gt;However, the law did not criminalise possession of such materials, and the ban also failed to cover child porn in animation and computer graphics, often categorised as 'hentai'.&lt;br /&gt;&lt;br /&gt;US online retail giant Amazon in February took RapeLay off its websites after receiving complaints but clips of the game were still available this week on popular video sharing websites.&lt;br /&gt;&lt;br /&gt;A Japan Committee for UNICEF spokeswoman said the Japanese loophole hindered international efforts to crack down on child porn.&lt;br /&gt;&lt;br /&gt;'In this globalised world, connected via the Internet, even one loophole could jeopardise all the regulations,' she said. 'The world trend is to try to ban even the accessing and looking at websites of virtual images.' 
-- AFP&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-6742359761259634932?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/6742359761259634932/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/06/protests-to-rape-game-cast-off.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6742359761259634932'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6742359761259634932'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/06/protests-to-rape-game-cast-off.html' title='Protests to rape game cast off'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-5216168192956417619</id><published>2009-05-25T15:59:00.000-07:00</published><updated>2009-05-25T16:00:46.907-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><title type='text'>FCC can search homes without a warrant, agency says</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://www.clearwire.ie/include/media/images/zyxel%20router.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 400px;" 
src="https://www.clearwire.ie/include/media/images/zyxel%20router.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Unlicensed advocates disagree&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Have a Wi-Fi router? If you do — and it uses an unlicensed frequency — you could be subject to a warrantless search of your home.&lt;br /&gt;&lt;br /&gt;Federal Communications Commission guidelines stipulate that the agency can enter property when it suspects radio frequency energy is being abused. The provision, which was originally intended to aid the monitoring of unlicensed radio and TV stations, now has a broader range of application as more consumers join the Wi-Fi ranks.&lt;br /&gt;&lt;br /&gt;“Anything using RF energy — we have the right to inspect it to make sure it is not causing interference,” FCC spokesman David Fiske told Wired for an article Thursday. The FCC spokesman said the scope included Wi-Fi routers.&lt;br /&gt;&lt;br /&gt;“The FCC claims it derives its warrantless search power from the Communications Act of 1934, though the constitutionality of the claim has gone untested in the courts,” Wired’s Ryan Singer wrote. “That’s largely because the FCC had little to do with average citizens for most of the last 75 years, when home transmitters were largely reserved to ham-radio operators and CB-radio aficionados. But in 2009, nearly every household in the United States has multiple devices that use radio waves and fall under the FCC’s purview, making the commission’s claimed authority ripe for a court challenge.”&lt;br /&gt;&lt;br /&gt;The Electronic Frontier Foundation, an online privacy group, called the FCC’s interpretation a “major stretch.”&lt;br /&gt;&lt;br /&gt;“It is a major stretch beyond case law to assert that authority with respect to a private home, which is at the heart of the Fourth Amendment’s protection against unreasonable search and seizure,” Electronic Frontier Foundation lawyer Lee Tien was quoted as saying. 
“When it is a private home and when you are talking about an over-powered Wi-Fi antenna — the idea they could just go in is honestly quite bizarre.”&lt;br /&gt;&lt;br /&gt;“The rules came to attention this month when an FCC agent investigating a pirate radio station in Boulder, Colorado, left a copy of a 2005 FCC inspection policy on the door of a residence hosting the unlicensed 100-watt transmitter,” Singer writes.&lt;br /&gt;&lt;br /&gt;“Whether you operate an amateur station or any other radio device, your authorization from the Commission comes with the obligation to allow inspection,” the statement said.&lt;br /&gt;&lt;br /&gt;Boulder Free Radio simply moved the transmitter to a new location. They say they’ll continue to do so in the future.&lt;br /&gt;&lt;br /&gt;KBFR Boulder Free Radio offers a glimpse into the troubles encountered by pirate radio stations. It aired from 2000 to 2005 using an unlicensed broadband radio frequency. During that time, the station’s founders mounted a transmitter in a tree while connecting it to the station in a van and parked it in various locations in an effort to frustrate FCC inspectors.&lt;br /&gt;&lt;br /&gt;Ultimately, the station shut down. It was reincarnated, however, in 2006 and again in 2008.&lt;br /&gt;&lt;br /&gt;Not everyone agrees with the FCC’s interpretation of the 1934 law. Rogue Radio Research, a company that promotes unlicensed broadcasters, &lt;a href="http://www.roguecom.com/rogueradio/fccknocks.html"&gt;says on its website &lt;/a&gt;that agents of the FCC don’t have the right to search homes.&lt;br /&gt;&lt;br /&gt;“If FCC agents knock on my door and say they want to talk with me, do I have to answer their questions?” the site asks rhetorically on its “Pamphlets and Practical Guides” page.&lt;br /&gt;&lt;br /&gt;“No,” they say. “You have a right to say that you want a lawyer present when and if you speak with them, and that if they will give you their names, you will be back in touch with them. 
Unless you have been licensed to broadcast, the FCC has no right to ‘inspect’ your home.&lt;br /&gt;&lt;br /&gt;“If they say they have a right to enter my house without a warrant to see if I have broadcasting equipment, do I have to let them in?” they continue.&lt;br /&gt;&lt;br /&gt;“No,” the site replies. “Under Section 303(n) of Title 47 U.S.C., the FCC has a right to inspect any transmitting devices that must be licensed under the Act. Nonetheless, they must have permission to enter your home, or some other basis for entering beyond their mere supervisorial powers. With proper notice, they do have a right to inspect your communications devices. If they have given you notice of a pending investigation, contact a lawyer immediately.”&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-5216168192956417619?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/5216168192956417619/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/fcc-can-search-homes-without-warrant.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5216168192956417619'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5216168192956417619'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/fcc-can-search-homes-without-warrant.html' title='FCC can search homes without a warrant, agency says'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-1162196883113733904</id><published>2009-05-25T15:57:00.000-07:00</published><updated>2009-05-25T15:59:11.598-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='law'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Outlaw Legends: Secrets of Russian Hackers</title><content type='html'>&lt;object width="280" height="225"&gt;&lt;br /&gt;	&lt;param name="movie" value="http://russiatoday.com/s/swf/player.swf?file=http://russiatoday.com/v/2009-05-21/hackers_0800.flv&amp;image=http://russiatoday.com/s/obj/2009-05-21/hacker.jpg&amp;controlbar=over&amp;skin=http://russiatoday.com/s/swf/skin/stylish1.swf"&gt;&lt;/param&gt;&lt;br /&gt;	&lt;embed src="http://russiatoday.com/s/swf/player.swf?file=http://russiatoday.com/v/2009-05-21/hackers_0800.flv&amp;image=http://russiatoday.com/s/obj/2009-05-21/hacker.jpg&amp;controlbar=over&amp;skin=http://russiatoday.com/s/swf/skin/stylish1.swf" type="application/x-shockwave-flash" allowfullscreen="true" width="280" height="225" /&gt;&lt;br /&gt;&lt;/object&gt;&lt;br /&gt;&lt;br /&gt;With cybercrime on the rise worldwide, hackers from Russia and China are called the most dangerous. Though several countries say Russian virtual terrorists threaten their security, they seem impossible to catch.&lt;br /&gt;&lt;br /&gt;That mysterious Russian hacker – is he as scary as they say?&lt;br /&gt;&lt;br /&gt;RT caught up with a professional hacker who, for obvious reasons, chose to remain anonymous.&lt;br /&gt;&lt;br /&gt;“Everything is dependent on computers now,” he said.&lt;br /&gt;&lt;br /&gt;“Bank cards, phones – everything functions through a computer, through an operating system. 
And all of it can be broken into and destroyed.”&lt;br /&gt;&lt;br /&gt;The hackers often do it for the cash. But more often than not, the thrill and adrenaline is what drives their curious mind.&lt;br /&gt;&lt;br /&gt;In the past few years, the US has often fallen victim to Russian hackers. They’ve broken into the systems of major companies and even the Pentagon. As a leader in computer technology, America is a juicy target for hackers.&lt;br /&gt;&lt;br /&gt;“I don't know if Americans are afraid of us, but we’re definitely not afraid of them,” the interviewed hacker told RT.&lt;br /&gt;&lt;br /&gt;“Half of our country is made up of hackers, why would we be afraid of the Americans? When we are the ones stealing their products and their software.”&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;Virtual ‘freedom fighter’&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The Russian police’s cybercrime division named 'Department K' has warned many times that Russian hackers are the strongest in the world. And it’s extremely hard to catch a hacker red-handed.&lt;br /&gt;&lt;br /&gt;“I was arrested, taken to three prisons in three weeks,” said Dmitry Sklyarov, programmer from Moscow.&lt;br /&gt;&lt;br /&gt;“Then I was let out on bail and couldn’t return to Russia for six months because of the American justice system."&lt;br /&gt;&lt;br /&gt;Dmitry Sklyarov’s arrest several years ago exploded into a frenzy of outrage among the public, both in the US and abroad.&lt;br /&gt;&lt;br /&gt;At a computer conference in America several years ago, Dmitry showed how easy it is to break through the PDF format and was arrested by the FBI. He became a symbol of the fight for programmers’ freedom, and was soon released from an American prison.&lt;br /&gt;&lt;br /&gt;Dmitry is now an IT professor at a prestigious Russian computer science university. The pro says he has never carried out any criminal activity using his knowledge.
&lt;br /&gt;&lt;br /&gt;“Thankfully, no one ever came to me and said ‘help us commit this crime or else,” said Sklyarov.&lt;br /&gt;&lt;br /&gt;But Dmitry says, if he had, it would have been impossible to catch him.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Human lives in hackers’ hands&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Nikita Sinitsyn, Editor-in-Chief of “Hacker” magazine – a how-to Russian publication – says it’s not true all hackers are criminals. He explained to RT the scale of what a hacker can do.&lt;br /&gt;&lt;br /&gt;“The scariest thing about what a hacker can do is not money loss, but human lives,” he said.&lt;br /&gt;&lt;br /&gt;“Hypothetically, if a hacker broke into a system of satellite control, made satellites crash into each other and fall to Earth, let’s say, in Los Angeles, that's scary. Systems containg state secrets being broken into by hackers – maybe that’s not such a bad thing. This doesn’t influence individual human lives. That’s something that states and corporations should worry about”.&lt;br /&gt;&lt;br /&gt;One of the problems with catching a hacker is that there is no unified international law for Internet crime. Bringing charges against someone based in another country is extremely hard to do. So until there is a strong legal mechanism against them, hackers have lots of time and opportunities to keep up the cyber attacks.
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-1162196883113733904?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/1162196883113733904/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/outlaw-legends-secrets-of-russian.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1162196883113733904'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1162196883113733904'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/outlaw-legends-secrets-of-russian.html' title='Outlaw Legends: Secrets of Russian Hackers'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-2047791902089090483</id><published>2009-05-20T11:46:00.000-07:00</published><updated>2009-05-20T11:49:46.930-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><title type='text'>A guide to safer social networking</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://estb.msn.com/i/68/F758968E7D4D3FC3742774DFC8E.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 410px; height: 
140px;" src="http://estb.msn.com/i/68/F758968E7D4D3FC3742774DFC8E.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Just because that link was tweeted or messaged to you by a colleague doesn’t mean you should click it.&lt;/span&gt;&lt;br /&gt; &lt;br /&gt;Just because your friend published a list of 25 previously unknown things about themselves doesn’t mean you need to reciprocate. Just because a celebrity you respect tweeted a link, it doesn’t mean it’s safe to follow it, particularly when the real destination is obscured through a URL shortening service.&lt;br /&gt; &lt;br /&gt;Social networking has rapidly gained acceptance in all walks of life. Facebook boasts close to 200 million users. MySpace doesn’t advertise its figures but it is certainly Facebook’s closest competitor in terms of user numbers. Bebo can count in excess of 40 million users.&lt;br /&gt; &lt;br /&gt;The customers of these social networking providers are not exclusively the school- or university-aged either. In fact, two-thirds of the world’s internet population now visit social networking or blogging sites, accounting for almost 10% of all internet time, according to a March 2009 Nielsen report.&lt;br /&gt;&lt;br /&gt;It’s not just about social networking sites though. 
The professional networking site LinkedIn has a new member joining almost every second and will soon hit 40 million members, while micro-blogging service Twitter grew a staggering 1382% year on year in February 2009.&lt;br /&gt; &lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Explosive growth&lt;/span&gt;&lt;br /&gt;With explosive growth and user populations of this order it’s hardly surprising that these services also appear to be coming of age as attack platforms for cybercriminals.&lt;br /&gt; &lt;br /&gt;Among the more traditional attacks facilitated through social networking sites that we have seen over the past few months, you can count the following.&lt;br /&gt; &lt;br /&gt;• Several outbreaks of (so far) non-malicious worms on Twitter, using cross-site scripting vulnerabilities or clickjacking.&lt;br /&gt;• Fake Bebo and LinkedIn profiles containing links that lead to malicious downloads.&lt;br /&gt;• Rogue applications that appear to be designed for information harvesting and the infamous Koobface worm on Facebook.&lt;br /&gt;• Hijacked profiles being used for 419 scams direct from one friend to another.&lt;br /&gt;• Scam advertisements leading to bogus multi-level marketing schemes, or worse.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;There are several entry points available for cybercriminals into the interactive playground of social networking: fake or compromised profiles, malicious applications, malvertisements, cybersquatting, spam and phish masquerading as legitimate notifications from social networks, information harvesting through group memberships, cross-site scripting vulnerabilities and direct messages, just for starters.&lt;br /&gt; &lt;br /&gt;Victims are at risk of identity theft, fraud, infection or simply of becoming an attack platform to infect or defraud their own friends and colleagues.&lt;br /&gt; &lt;br /&gt;Bound by trust&lt;br /&gt;The one thing that all of these attacks have in common, though, is the very thing 
that binds social networks together: trust. Because the attacks, messages and links come from friends or colleagues, they appear far more credible than the average spam email from a stranger.&lt;br /&gt; &lt;br /&gt;Even the Koobface worm with its almost textbook standard spam messages such as “You are veryy ggood at pposing to a spy cameera!” becomes that little bit more believable when it comes from someone you know.&lt;br /&gt; &lt;br /&gt;And, of course, when we choose to join a community, by default we naively choose to share all of our personal information with any other member of that community simply on the basis of a mutual shared interest.&lt;br /&gt;&lt;br /&gt;Most of us are guilty of being far too trusting and far too free with our personal information online. We give away little snippets (or great chunks in some cases) of our personal lives in what is essentially a public or at best only semi-private forum, making the work of criminals such as carders and ID fraudsters far more simple.&lt;br /&gt; &lt;br /&gt;More aware&lt;br /&gt;In fact I have seen social networking sites spoken about in underground carding forums as a “free date of birth look-up service” along with a wealth of tips on how best to exploit these kinds of platforms.&lt;br /&gt; &lt;br /&gt;We need to become far more aware of the value of our personal information and importantly the information we have about our friends. We also need to become far more conversant with the privacy controls available on social and professional networking sites and actually use them.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;There is no need to fill out that questionnaire “25 Things About Me” and post it on your profile. 
There is no need to share your entire employment, educational or address history.&lt;br /&gt; &lt;br /&gt;There is no need to share your “Porn Star Name” (first name = name of your first pet, family name = mother’s maiden name); isn’t that exactly the kind of information needed to reset your email account password, or access your financial data? And there is no need to volunteer the email addresses of friends and family when asked to recommend a “joke” website or application to 10 friends.&lt;br /&gt; &lt;br /&gt;When your personal information becomes public it is out of your control and soon out of sight. Criminals can and do use this stuff to break into your online accounts. Just ask Sarah Palin.&lt;br /&gt; &lt;br /&gt;Next time, before you hit “Post”, ask yourself this: “if a stranger called me on the telephone asking for this information, would I tell them?” If the answer is “No”, then step away from the mouse.&lt;br /&gt;Rik Ferguson - Trend Micro&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-2047791902089090483?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/2047791902089090483/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/guide-to-safer-social-networking.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2047791902089090483'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2047791902089090483'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/guide-to-safer-social-networking.html' title='A guide to safer social 
networking'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-7939817391137669545</id><published>2009-05-15T06:55:00.001-07:00</published><updated>2009-05-15T07:05:15.466-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='news'/><title type='text'>Graham: CIA Gave Me False Information About Interrogation Briefings</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://images.huffingtonpost.com/gen/80278/thumbs/s-GRAHAM-large.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 260px; height: 190px;" src="http://images.huffingtonpost.com/gen/80278/thumbs/s-GRAHAM-large.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;In testimony that could bolster Speaker Nancy Pelosi's claim that the CIA misled her during briefings on detainee interrogations, former Senator Bob Graham insisted on Thursday that he too was kept in the dark about the use of waterboarding, and called the agency's records on these briefings "suspect."&lt;br /&gt;&lt;br /&gt;In an interview with the Huffington Post, the former Senate Intelligence Committee Chairman said that approximately a month ago, the CIA provided him with false information about how many times and when he was briefed on enhanced interrogations.&lt;br /&gt;&lt;br /&gt;"When this issue started to resurface I called the appropriate people in the agency and said I would like to know the dates from your records that briefings were held," Graham recalled. 
"And they contacted me and gave me four dates -- two in April '02 and two in September '02. Now, one of the things I do, and for which I have taken some flack, is keep a spiral notebook of what I do throughout the day. And so I went through my records and through a combination of my daily schedule, which I keep, and my notebooks, I confirmed and the CIA agreed that my notes were accurate; that three of those four dates there had been no briefing. There was only one day that I had been briefed, which was September the 27th of 2002."&lt;br /&gt;&lt;br /&gt;As for the one briefing he did attend, the Florida Democrat said that he had "no recollection that issues such as waterboarding were discussed." He was not, per the sensitive nature of the matters discussed, allowed to take notes at the time. But he did highlight what he considered to be pretty strong proof that the controversial technique was not discussed.&lt;br /&gt;&lt;br /&gt;"What struck me...was the fact that in that briefing, there were also two staff members," he said. "As you know, the general rule is that the executive is to brief the full committees of the House and Senate Intelligence committees about any ongoing or proposed action. The exception to that is what is called "covert action," where the president...only briefs the Gang of Eight, which is the four congressional leaders and the four intelligence committee leaders. Those sessions are generally conducted at an executive site, primarily at the White House itself. And they are conducted with just the authorized personnel, not with any staff or any other member of the committee.... Which leads me to conclude that this was not considered by the CIA to be a Gang of Eight briefing. Otherwise they would not have had staff in the room. 
And that leads me to then believe that they didn't brief us on any of the sensitive programs such as the waterboarding or other forms of excessive interrogation."&lt;br /&gt;&lt;br /&gt;The remarks made by Graham bolster the comments offered by Pelosi on Thursday. The Speaker told reporters that during her briefing session in the fall of 2002 she was not just kept in the dark about the issue of waterboarding, she was assured that it had not been used.&lt;br /&gt;&lt;br /&gt;"Yes, I am saying that the CIA was misleading the Congress," she said.&lt;br /&gt;&lt;br /&gt;However, records and testimony do show that high-ranking aides were present during a February 2003 briefing when waterboarding was discussed by the CIA with Reps. Porter Goss and Jane Harman.&lt;br /&gt;&lt;br /&gt;Graham declined to speculate as to what took place during Pelosi's briefings, noting that the House and Senate had two entirely different sessions. But he did point out that, at the time, "the whole credibility of the intelligence committee, particularly the CIA, was pretty much in question" -- giving credence to Pelosi's claims that she was given faulty information.&lt;br /&gt;&lt;br /&gt;"The irony," said Graham, "is that the whole series of events in late September of '02 were concurrent with the CIA's release of the first classified version of the National Intelligence Estimate, which was one of the key factors that led me to vote against the war in Iraq because I thought that their case was so weak. And they were making to the public these very bold statements about how we were in extreme danger if we didn't move quickly to eradicate Saddam Hussein. 
The whole, 'a smoking gun may appear in the form of a mushroom cloud' kind of argument."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-7939817391137669545?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/7939817391137669545/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/graham-cia-gave-me-false-information.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7939817391137669545'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7939817391137669545'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/graham-cia-gave-me-false-information.html' title='Graham: CIA Gave Me False Information About Interrogation Briefings'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-8069424415072521927</id><published>2009-05-12T12:15:00.000-07:00</published><updated>2009-05-12T12:16:41.976-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='law'/><title type='text'>French 'net piracy' bill passed</title><content type='html'>&lt;span style="font-weight:bold;"&gt;A controversial French bill which could disconnect people caught downloading content illegally three times has been passed by 
the National Assembly.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The legislation, backed by President Nicolas Sarkozy, was surprisingly voted down by the Assembly last month.&lt;br /&gt;&lt;br /&gt;The bill sets a tough global precedent in cracking down on internet piracy, and is being closely watched by other governments as a potential deterrent.&lt;br /&gt;&lt;br /&gt;The global music industry has been calling for tougher anti-piracy laws.&lt;br /&gt;&lt;br /&gt;The Creation and Internet bill was passed by a vote of 296 to 233 by the lower house and will go before the Senate for final approval on Wednesday.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Three strikes&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The new legislation operates under a "three strikes" system. A new state agency would first send illegal file-sharers a warning e-mail, then a letter, and finally cut off their connection for a year if they were caught a third time.&lt;br /&gt;&lt;br /&gt;It has been backed by both the film and record industries.&lt;br /&gt;&lt;br /&gt;But some consumer groups have warned that the wrong people might be punished, should hackers hijack their computers' identity, and that the scheme amounted to state surveillance.&lt;br /&gt;&lt;br /&gt;The socialist parliamentarian Patrick Bloche said the bill was "dangerous, useless, inefficient, and very risky for us citizens".&lt;br /&gt;&lt;br /&gt;John Kennedy, chairman of the IFPI, which represents the global music industry, has described the bill as "an effective and proportionate way of tackling online copyright infringement and migrating users to the wide variety of legal music services in France".&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-8069424415072521927?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://greekforensicscommunity.blogspot.com/feeds/8069424415072521927/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/french-net-piracy-bill-passed.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8069424415072521927'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8069424415072521927'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/french-net-piracy-bill-passed.html' title='French &apos;net piracy&apos; bill passed'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-962071086489006856</id><published>2009-05-08T09:49:00.000-07:00</published><updated>2009-05-08T09:52:21.349-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='news'/><title type='text'>Q&amp;A: FBI agent looks back on time posing as a cybercriminal</title><content type='html'>&lt;span style="font-weight:bold;"&gt;In September 2008 police began arresting alleged members of Dark Market, an underground Internet forum for buying and selling credit card data used for identity fraud. The sting wouldn't have been possible without the work of FBI agent J. Keith Mularski who spent two years infiltrating the group.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;FBI Special Agent J. Keith Mularski spent two years posing as a cybercriminal as part of an undercover sting operation.&lt;br /&gt;(Credit: U.S. 
Federal Bureau of Investigation)&lt;br /&gt;&lt;br /&gt;Mularski became hacker "Master Splynter," a play on the name of the Teenage Mutant Ninja Turtle character called "Master Splinter," a rat who lives in New York City's sewers. He was so successful in his online disguise that he ended up running the server that hosted the Dark Market forum from his offices at the National Cyber Forensics Training Alliance in Pittsburgh.&lt;br /&gt;&lt;br /&gt;Mularski, a supervisory special agent with the FBI's Cyber Initiative &amp; Resource Fusion Unit, spoke about the Dark Market sting during a session at the RSA security conference last month. CNET News caught up with him this week on the telephone to find out what it was like hanging out with cybercriminals.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;Q: You were central to the Dark Market sting. Tell me what happened and what role you played.&lt;/span&gt;&lt;br /&gt;Mularski: We kicked off an undercover operation to try to penetrate these underground crime groups that are running these forums on the Internet. We developed the persona of a spammer/hacker and I assumed that role. Our intention was to try to penetrate the groups and dismantle them like we would with organized crime. In this case we were very successful in getting to the upper echelons of the Dark Market group and we were actually able to run the server and host all the communications that were going on there to make our cases against the criminals. Worldwide we had 60 arrests. It was a two-year operation and we had arrests in the U.K., Germany, Turkey, and here in the U.S.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;What measures did you take to try to prove you were legitimate?&lt;/span&gt;&lt;br /&gt;I acquired the reputation of one of the world's top 5 spammers. 
The Spamhaus Project, which tracks spammers, made a listing for me as being a top spammer and that gave me credibility so that I didn't necessarily have to do any criminal activity. I could talk the talk. If someone wanted me to mail (send spam) for them I would (get out of it by giving them the excuse) that they were too small of a fish. If they were a big fish I'd just say I didn't have any openings or time to work with them.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;What sorts of crimes were they doing on Dark Market?&lt;/span&gt;&lt;br /&gt;They were doing all sorts of identity theft. They were hacking into companies and stealing credit card numbers and selling them. They were selling counterfeit drivers' licenses and other photo documentation, as well as manufacturing fake credit cards. They were selling harvested bank accounts and brokerage accounts and selling different types of malware or spyware programs or Trojan horses that you could infect peoples' computers with. The whole gamut of the cyber underground was available there. If you needed it you could get it there on the site.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;How did being undercover interfere with your life? What extremes did you have to go to to keep up the facade?&lt;/span&gt;&lt;br /&gt;I would have to be online all the time, basically, in case someone needed to get ahold of me. If I was at home I would always have a computer on, even while watching TV. If I went on vacation I took the computer with me to make sure I was able to log in. I would tell the (Dark Market) guys I was traveling to go surfing or something like that and I would tell them I'll be online at these times if you need to get me. I had a cell phone connected to a Gmail account and I would tell them if they had to get ahold of me to send an e-mail and it would ping me. It was like that for two solid years almost every day. 
My wife wasn't too happy about it (chuckling).&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;No doubt! Was there ever a moment when you thought the jig was up and that they were on to you?&lt;/span&gt;&lt;br /&gt;There were a couple of those. We had a problem with our backstopping right at the beginning of the operation when I took over the server. One of our rivals had hacked into the Dark Market server and was looking at who was logging in. He traced the IP address doing a "who is" (lookup) and the phone number connected to our covert IP address, which was supposed to be unlisted but instead it showed the address here at the National Cyber Forensics Training Alliance. By doing some research they determined that the IP address came from this building and they thought it came from me. I had to go on the offensive and say that it wasn't me and that it was already in the server. Eventually they believed me. There were a lot of wars between rival groups at the time. A lot of people were accusing each other of being "feds" and "cops" and I was able to use that to my advantage to create a smoke screen and create doubt.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;How were you able to become administrator of the Dark Market server?&lt;/span&gt;&lt;br /&gt;I had good relations with the administrator whose alias was "Jilsi." He wasn't a very technical guy and was having problems running the site because it was getting attacked by a rival group. So I told him about my background as a spammer and told him how good I was at setting up sites. I did some demonstrations and set up some test sites to show him I had the skills. Then there was just a lot of talk and rapport building. 
One night when Dark Market was getting attacked by a rival group I said I was ready and that I could secure the server for him and he said "let's move." That gave me full access to everyone using it and what they were doing.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Any anecdotes to tell about your dealings with these people?&lt;/span&gt;&lt;br /&gt;It was like a soap opera. There was constant drama going on. A lot of people were accusing one another of being cops. It was funny being part of the discussion as people were talking about whether so and so was a cop or a fed and I was sitting there knowing full well that the person wasn't. There were a lot of egos, and a lot of funny stories where guys would brag about their close brushes with the law and how close they got to being arrested. You get 20-year-old guys, 30-year-old guys who are single and making a lot of money, so you hear a lot of stories of partying and things like that.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Did you get a sense of what these carders are like as people; what their characters are like?&lt;/span&gt;&lt;br /&gt;There are a lot of guys who I think their curiosity just got the best of them and it led them down a dark path. One of the guys, Max Butler, who ran our rival site called Carders Market and used the hacker name Ice Man, was arrested in San Francisco. He was very intelligent. He could have been an excellent security expert. He could have given talks at RSA about vulnerabilities. A lot of these guys are just misguided. They get into a hotel and see that they have credit cards and one thing leads to another. I think that's how it all starts off and then they find they can make a lot of money and it becomes a business, a job. If you met them in person they were actually nice guys. 
I enjoyed a lot of my chat sessions when we were talking about other things, like traveling the world and things like that.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;How old are they?&lt;/span&gt;&lt;br /&gt;The average guy is in his mid-20s or so. We've seen guys in their 40s. Ages range from 17 to 40something, typically. A lot of the guys who we arrested were in their mid-30s.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;How tied to organized crime are they?&lt;/span&gt;&lt;br /&gt;One of the guys, "ChaO," kidnapped someone. He viewed himself as a traditional organized crime member. He was connected with organized crime groups in Turkey and they resorted to violence when they kidnapped someone who was talking too much about the operations. We're seeing more of that, especially in Romania. Also in Russia.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Did you hear from any of your former carder cohorts after the arrests?&lt;/span&gt;&lt;br /&gt;I heard from sources that they couldn't believe I was an FBI agent. One of the guys whose house we raided wasn't at home and he sent me an expletive-filled message saying 'you're never going to catch me.' I told him he should give himself up rather than spend his life on the run and a week later he turned himself in.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;This work sounds kind of dangerous. Did you ever feel you were in danger or are you worried now?&lt;/span&gt;&lt;br /&gt;When you are an FBI agent there's always that threat of danger working crimes undercover. We never intended for my name to come out in this operation. But FBI agents' names are in affidavits. 
There was always that risk that my name could be exposed. It's always in the back of your mind but you try not to think about it.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;What impact did the sting have?&lt;/span&gt;&lt;br /&gt;It showed that we can get you no matter where you live. We were able to make internal relationships and work cases jointly with law enforcement in other countries. In the future there will be other joint cases in Europe and around the world. You don't necessarily have to be in the U.S. for us to bring you to justice. That is one of the most significant impacts it had. Another one is that it showed these guys that, yes, we do have a presence out there (on the Internet) and the U.S. is serious about targeting cybercrime. We are going to throw our resources at this problem.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;How have things changed since you started the Dark Market operation in 2006?&lt;/span&gt;&lt;br /&gt;With every operation the bad guys learn more of the undercover techniques that law enforcement is using. Everything that was successful for us in this operation would have to be tweaked because of that. The level of sophistication is so much higher. The days of a cyber investigation where you just track an IP address and that leads you to a hacker's house, those days are long gone. There are many different anonymization services the bad guys are using. The exploits and botnets they are using are so much more sophisticated than they were a couple of years ago. Just two years ago the majority of the botnets were IRC botnets, which are fairly simple. 
Now we're seeing botnets like the Storm worm that are very sophisticated and running peer-to-peer networks and that makes it harder for us to track down the command and control servers.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;Have you been involved in any of the efforts to track down the people behind the Conficker worm?&lt;/span&gt;&lt;br /&gt;I can't comment on that.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Anything else to add?&lt;/span&gt;&lt;br /&gt;The message I'm trying to preach is that we have international cooperation and that other countries are starting to recognize this problem. Also, the attackers have changed with the emergence of organized crime into these cybercrimes. It's not just an 18-year-old pimply faced kid in his room committing these crimes. These are organized crime groups doing it. It's all about the money now and not just about how elite my hacking skills are to get into this Web site. Profit is driving these groups.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;The stakes are higher now for everyone?&lt;/span&gt;&lt;br /&gt;Definitely.&lt;br /&gt;&lt;br /&gt; by  Elinor Mills&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-962071086489006856?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/962071086489006856/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/q-fbi-agent-looks-back-on-time-posing.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/962071086489006856'/><link rel='self' type='application/atom+xml' 
href='http://www.blogger.com/feeds/465677049890029931/posts/default/962071086489006856'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/q-fbi-agent-looks-back-on-time-posing.html' title='Q&amp;A: FBI agent looks back on time posing as a cybercriminal'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-2125855153673566591</id><published>2009-05-05T03:55:00.000-07:00</published><updated>2009-05-05T04:23:15.148-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><title type='text'>Researchers hijack botnet, score 56,000 passwords in an hour</title><content type='html'>&lt;span style="font-weight:bold;"&gt;The Torpig botnet was hijacked by the good guys for ten days earlier this year before its controllers issued an update and took the botnet back. During that time, however, researchers were able to gain a glimpse into the kind of information the botnet gathers as well as the behavior of Internet users who are prone to malware infections.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Researchers at the University of California Santa Barbara have published a paper (PDF) detailing their findings after hijacking a botnet for ten days earlier this year. Among other things, the researchers were able to collect 70GB of data that the bots stole from users, including 56,000 passwords gathered within a single hour. The information not only gave them a look at the inner workings of the botnet, they also got to see how secure users really are when it comes to online activities. 
(Hint: they aren't.)&lt;br /&gt;&lt;br /&gt;The botnet in question is controlled by Torpig (also known as Sinowal), a malware program that aims to gather personal and financial information from Windows users. The researchers gained control of the Torpig botnet by exploiting a weakness in the way the bots try to locate their command and control servers—the bots would generate a list of domains that they planned to contact next, but not all of those domains were registered yet. The researchers then registered the domains that the bots would resolve, and then set up servers where the bots could connect to find their commands. This method lasted for a full ten days before the botnet's controllers updated the system and cut the observation short.&lt;br /&gt;&lt;br /&gt;During that time, however, UCSB's researchers were able to gather massive amounts of information on how the botnet functions as well as what kind of information it's gathering. Almost 300,000 unique login credentials were gathered over the time the researchers controlled the botnet, including 56,000 passwords gathered in a single hour using "simple replacement rules" and a password cracker. They found that 28 percent of victims reused their credentials for accessing 368,501 websites, making it an easy task for scammers to gather further personal information. The researchers noted that they were able to read through hundreds of e-mail, forum, and chat messages gathered by Torpig that "often contain detailed (and private) descriptions of the lives of their authors."&lt;br /&gt;&lt;br /&gt;(Comically, the report notes that 0.1 percent of Torpig victims love "exchanging insults" online, with another four percent spending their time looking for sex online. 
The rest are doing relatively mundane things like worrying about grades, looking for advice from doctors and lawyers, looking for jobs, and playing video games.)&lt;br /&gt;&lt;br /&gt;Of course, the primary goal of Torpig is to steal financial information like credit card numbers and bank logins. In just ten days, Torpig apparently obtained credentials of 8,310 accounts at 410 financial institutions, including PayPal, Capital One, E*Trade, and Chase. The researchers noted, too, that nearly 40 percent of the credentials stolen by Torpig were from browser password managers, and not actual login sessions, and that the Torpig controllers may have exploited these credentials for between $83,000 and $8.3 million during that time period.&lt;br /&gt;&lt;br /&gt;Interestingly, a large number of the financial institutions that had been breached required "monumental effort" in order to notify the victims, according to the report. In fact, financial institutions weren't the only ones—interacting with registrars, hosting facilities, and law enforcement were all "rather complicated," indicating that there's a long way to go in order to make notifying botnet victims easier.&lt;br /&gt;&lt;br /&gt;Not becoming a victim in the first place is the ideal situation, however. The researchers concluded that victims of botnets are usually those with poorly maintained machines and who choose "easily guessable" passwords. "This is evidence that the malware problem is fundamentally a cultural problem," reads the report. 
"Even though people are educated and understand well concepts such as the physical security and the necessary maintenance of a car, they do not understand the consequences of irresponsible behavior when using a computer."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-2125855153673566591?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/2125855153673566591/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/researchers-hijack-botnet-score-56000.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2125855153673566591'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2125855153673566591'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/researchers-hijack-botnet-score-56000.html' title='Researchers hijack botnet, score 56,000 passwords in an hour'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-1829499033068121499</id><published>2009-05-03T14:36:00.000-07:00</published><updated>2009-05-03T14:38:39.345-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='news'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>Israeli hacker to be extradited to US</title><content type='html'>&lt;span 
style="font-weight:bold;"&gt;Canadian media report Ehud Tenenbaum, dubbed 'the analyzer', to be transferred to United States on charges of hacking scheme spanning hundreds of companies&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Israeli hacker Ehud Tenenbaum will be extradited to the United States despite his previous requests to be tried in Canada, where he was arrested, Canadian media reported over the weekend.&lt;br /&gt;&lt;br /&gt;Tenenbaum, who was dubbed "the analyzer" after it was discovered that he was the mastermind behind the hacking of the Pentagon computer systems in the late 1990s, has been in Canadian custody since August 2008, when he and three Canadian accomplices were arrested for hacking into the computers of Canadian company 'Direct Cash' and stealing CDN$1.8 million. &lt;br /&gt;&lt;br /&gt;Ehud's mother, Malka, confirmed the extradition to Ynet and explained that it was "by agreement and there's something to the reports."&lt;br /&gt;Shortly after his arrest, Tenenbaum was scheduled to be released on CDN$30,000 bail. The court later denied bail after the prosecution entered into evidence documentation suggesting he is the leading suspect in a US case investigating the hackings of hundreds of companies around the world, including some in the US, Russia, Turkey, Holland, Sweden and Belgium.&lt;br /&gt;&lt;br /&gt;Due to the scope of the fraud and the involvement of US companies and the Pentagon, the United States' Federal Bureau of Investigation (FBI) is involved in the investigation against him.&lt;br /&gt;&lt;br /&gt;Previously, Tenenbaum and his associates opposed extradition because the charges levied against them in the United States are much more severe than those in Canada. 
Now, however, Tenenbaum appears prepared to agree to comply with extradition and even decided to forego a preliminary hearing on the matter.&lt;br /&gt;&lt;br /&gt;In the past, Tenenbaum's mother told Ynet she objected to the extradition because it involved charges that had taken place over a decade ago. Regarding the recent decision, she said "I don't want to talk so that I don't ruin anything and you'll understand what I mean when the time comes. Any superfluous talk will harm my son."&lt;br /&gt;&lt;br /&gt;by Daniel Edelson&lt;br /&gt;Published:  05.03.09, 10:49 / Israel News&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-1829499033068121499?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/1829499033068121499/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/israeli-hacker-to-be-extradited-to-us.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1829499033068121499'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1829499033068121499'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/israeli-hacker-to-be-extradited-to-us.html' title='Israeli hacker to be extradited to US'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-6342608470138032794</id><published>2009-05-01T06:33:00.001-07:00</published><updated>2009-05-01T06:33:47.627-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='law'/><title type='text'>New Jersey Case Looks At Whether Bloggers Can Protect Sources</title><content type='html'>There have been a number of cases recently that have tested whether various laws that protect journalists from having to give up their sources also apply to people publishing content online in forums, email groups or blogs. The latest, sent in by someone Anonymous, is taking place in New Jersey, where a woman who revealed a security breach in the software of a company called Too Much Media is being sued for slander in revealing the breach. There are numerous issues with the lawsuit, including the oddity that they're suing for slander for online comments, since slander is for spoken words, whereas libel is normally applied to the written word. It's also odd that they're suing considering the fact that they don't deny the security breach existed, but dispute the claim that customer info (including credit card details) were exposed, because they claim the security breach was brief and no info was compromised. That seems like a pretty weak defense.&lt;br /&gt;&lt;br /&gt;However, the real battle seems to be over the attempt to determine how the woman, Shellee Hale, found out about the breach in the first place. She's refusing to give that up, claiming that she has a right to protect her sources, just like any journalist. 
And while Hale writes multiple different blogs, and has written for many mainstream publications (including the Wall Street Journal and Business Week), Too Much Media claims that she doesn't deserve protections afforded to journalists because she wasn't working for any real publication and is just a blogger. The article quotes someone who says that if the court sides with Hale:&lt;br /&gt;&lt;br /&gt;    "then everyone is a journalist and the privilege becomes meaningless." &lt;br /&gt;&lt;br /&gt;I don't see how that's actually true. In fact, I'd argue the other way. It's not that it becomes meaningless, but that it becomes very, very meaningful -- especially in an era where we're looking for new ways to prop up investigative journalism. If everyone's a journalist, and everyone has a reasonable expectation that their sources are shielded, then we're much more likely to continue to root out corruption. If this protection is somehow reserved for some "special" credentialed people, then it becomes that much harder to expose corruption.&lt;br /&gt;&lt;br /&gt;Unfortunately, it appears that the judge in the case is almost entirely computer and internet illiterate, needing to ask for explanations for a variety of things during the court proceedings. He seemed entirely confused by the very concept of people blogging for personal interest:&lt;br /&gt;&lt;br /&gt;    "Why would a guy put all this stuff on a blog? Does he have nothing better to do?" Locasio asked. "Does he get paid?" &lt;br /&gt;&lt;br /&gt;The judge, who apparently is about to retire in a couple months, also didn't understand the difference between blogs, message boards and forums, and was apparently unfamiliar with instant messaging. 
It's difficult to see why someone entirely unfamiliar with the technology should be able to judge a case like this, where understanding what's happening online is crucial to understanding what the case is really about.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-6342608470138032794?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/6342608470138032794/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/new-jersey-case-looks-at-whether.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6342608470138032794'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6342608470138032794'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/new-jersey-case-looks-at-whether.html' title='New Jersey Case Looks At Whether Bloggers Can Protect Sources'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-7085093624204350369</id><published>2009-05-01T06:20:00.001-07:00</published><updated>2009-05-01T06:20:55.631-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='law'/><category scheme='http://www.blogger.com/atom/ns#' term='news'/><title type='text'>New Zealand Officials To Scrap Copyright 
Law; Start From Scratch</title><content type='html'>There was a lot of controversy over the past few months concerning an attempt to change copyright law in New Zealand. After tremendous uproar over the fact that the law (a version of three strikes) basically would declare people guilty based on accusations, rather than proof or conviction, the government finally agreed to dump the plan with plans to revisit it. However, it looks like now the government has decided to completely start from scratch, and to recreate copyright law anew. This is quite surprising. Historically, changes in copyright law tend to be patches. Every time a new technology changes things such that copyright law doesn't make sense, regulators duct tape on some "patch" that tries to deal with that new situation. Yet, New Zealand officials seem to be recognizing this, and want to see about rewriting copyright law from scratch:&lt;br /&gt;&lt;br /&gt;    The Copyright Act was written in the pre-internet age, and does not address any of the complexities surrounding file sharing, format shifting, and other modern issues such as DVD copying -- problems the last government was attempting to fix in a piecemeal fashion. &lt;br /&gt;&lt;br /&gt;Of course, the real question is who will rewrite the law and how the process will work. If it's the industry, then you can expect the law to be much worse. But if it's designed with the full spectrum of interests taken into account, New Zealand could represent a useful sandbox for really (finally) rethinking some of the myths and talismans that some copyright maximalists insist are true, but for which no evidence exists. 
Hopefully, the government will consider ideas from outside the industry, and recognize both the public interest and the intention of copyright law.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-7085093624204350369?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/7085093624204350369/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/new-zealand-officials-to-scrap.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7085093624204350369'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7085093624204350369'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/05/new-zealand-officials-to-scrap.html' title='New Zealand Officials To Scrap Copyright Law; Start From Scratch'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-8069936411886734142</id><published>2009-04-29T14:08:00.001-07:00</published><updated>2009-04-29T14:08:56.835-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='news'/><title type='text'>Threat Level Privacy, Crime and Security Online Swedish ISP Thwarts Copyright Cops by Erasing Data</title><content type='html'>The Swedish telecom operator Tele 2 plans to erase 
all data identifying its 600,000 customers, a decision that will undermine the new IPRED law and make the hunt for internet scofflaws more difficult.&lt;br /&gt;&lt;br /&gt;Starting on Tuesday, Tele 2 will destroy records of IP addresses after they’ve been processed for internal use. It’s a way to secure the customers’ privacy — and, the company likely hopes, to strengthen the ISP’s market position.&lt;br /&gt;&lt;br /&gt;“This is a strong wish from our customers and therefore we’ve decided to no longer keep records of customers’ IP addresses,” Tele2’s CEO in Sweden, Niclas Palmstierna, told the Swedish news agency TT. “We do this to strengthen the protection of customer privacy.”&lt;br /&gt;&lt;br /&gt;“We’ve analyzed the legislation carefully and found that we have no obligations at all to store information about our customers’ IP addresses,” he continued.&lt;br /&gt;&lt;br /&gt;The IPRED law went into effect on April 1 in Sweden and allows courts to order ISP’s to hand over details that can identify suspected illegal file sharers. Previously, the only option for copyright holders was to report alleged infringement to the police.&lt;br /&gt;&lt;br /&gt;Tele 2 is following the example of Bahnhof and Alltele, smaller Swedish internet operators that declared early on that they would no longer store users’ IP addresses. But the announcement from Tele 2 is of considerably greater significance, since the company is one of Sweden’s main telecom providers and boasts a giant customer base.&lt;br /&gt;&lt;br /&gt;With no data to reveal, the new law will be ineffective.&lt;br /&gt;&lt;br /&gt;Henrik Pontén of the Swedish Anti-Piracy Bureau is very critical of the operators’ decision.&lt;br /&gt;“This will cause a huge problem for the police in their investigations of severe internet crimes, such as child pornography,” he told Threat Level. “I think it’s a shame that a company puts its profit interest ahead of their customers’ safety. 
This will open the door to crime.”&lt;br /&gt;&lt;br /&gt;A police official told TT that this could have a serious impact, not only on law enforcement’s bid to crack down on internet pirates, but also on other criminal investigations.&lt;br /&gt;&lt;br /&gt;“In some cases, this will make an investigation impossible,” said Stefan Kronkvist, the head of Swedish police’s internet crime unit.&lt;br /&gt;&lt;br /&gt;The police are now waiting for a new legislation implementing the European Union’s data retention directive, which would force ISPs to store electronic data for a minimum of six months. That law is planned to come into force this fall.&lt;br /&gt;&lt;br /&gt;By Kerstin Sjoden&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-8069936411886734142?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/8069936411886734142/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/threat-level-privacy-crime-and-security.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8069936411886734142'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/8069936411886734142'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/threat-level-privacy-crime-and-security.html' title='Threat Level Privacy, Crime and Security Online Swedish ISP Thwarts Copyright Cops by Erasing Data'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-1275355416034392187</id><published>2009-04-28T13:12:00.000-07:00</published><updated>2009-04-28T13:14:39.591-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='torrents'/><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='news'/><title type='text'>The Pirate Bay verdict, dishing the dirt</title><content type='html'>&lt;span style="font-weight:bold;"&gt;The Pirate Bay ruling has been translated into English, and it's full of little surprises. Ars dives in to answer the big questions: who possessed those Klomifen tablets, how much did the state pay to defend The Pirate Bay admins, and why did the backers consider moving to Argentina?&lt;/span&gt;&lt;br /&gt;Thanks to music trade group IFPI, the recent Pirate Bay ruling has now been &lt;a href="http://www.ifpi.org/content/library/Pirate-Bay-verdict-English-translation.pdf"&gt;"Englished" (PDF)&lt;/a&gt;. While the &lt;a href="http://arstechnica.com/tech-policy/news/2009/04/the-pirate-bay-verdict-guilty-with-jail-time.ars"&gt;verdict&lt;/a&gt; itself is well-known, numerous case details will be surprising to non-Swedish speakers—such as who paid for The Pirate Bay defense, which defendant was also arraigned on drug charges, and what happened to all that Pirate Bay computer equipment confiscated by the police?&lt;br /&gt;&lt;br /&gt;A masterpiece of prose, the verdict is not. "A number of different filesharing programs and technologies have been developed over the years," says one representative section. "There have been or are two main types of filesharing systems."&lt;br /&gt;&lt;br /&gt;But it does offer plenty of fascinating detail that was difficult for those not at the trial to learn. Let's take a look.&lt;br /&gt;&lt;br /&gt;Confiscated equipment. 
All the confiscated servers and routing equipment from a police raid on The Pirate Bay "is declared forfeit," while other seized computers will remain confiscated "until the sentence has become legally binding." That process could take years, given the appeal already filed in the case, so by the time the equipment could be released, it will be obsolete.&lt;br /&gt;&lt;br /&gt;Confiscated drugs. In the section devoted to defendant (and lover of wispy beards) Gottfrid Svartholm Warg, we come across this curious section. Not only were computers confiscated, but police picked up "three confiscated tablets of Klomifen," "narcotic drugs," and a "spoon containing traces of amphetamine."&lt;br /&gt;&lt;br /&gt;Turns out that Warg wasn't just accused of aiding copyright infringement but also of violating Sweden's Prohibition of Certain Health-Impairing Goods Act. As part of the 2006 police raids on The Pirate Bay, the cops searched an apartment belonging to Warg's parents, where they found several of the listed items in "a drawer unit" and "a cupboard at the desk." Warg said that the apartment had been rented out to others at the time and that he had no knowledge of the drugs there; the court agreed that nothing had been proven against him.&lt;br /&gt;&lt;br /&gt;But there was a second incident in June 2007, when a police patrol was called to an apartment and found Warg "heavily intoxicated." In his backpack, other "preparations" were found. Warg told the court "that, despite being intoxicated, he can remember the event. He has also stated that the backpack was his, but that he, at some point during the evening, had lent it to some individuals at the party. 
He knows 'approximately' who he lent the backpack to, but he does not want to reveal the names of these individuals."&lt;br /&gt;&lt;br /&gt;This didn't go over well with the court, which found "beyond reasonable doubt that Gottfrid Svartholm Warg has been in possession of the preparations in question, and that he should, therefore, be sentenced for breach of the Prohibition of Certain Health-Impairing Goods Act."&lt;br /&gt;&lt;br /&gt;Who paid for the lawyers? The older (and much richer) defendant Carl Lundström apparently paid for his own lawyer, but the three Pirate Bay admins did not. Their lawyers were all supplied and eventually paid for by the Swedish government, and they weren't cheap. Fredrik Neij's lawyer, for instance, was given 949,025 kronor (about $115,600) for his services; 35,525 kronor of that amount was given for "time wasted."&lt;br /&gt;&lt;br /&gt;On moving to Argentina or Russia. As it became clear that Sweden might not be the best long-term base for The Pirate Bay, Carl Lundström explored the possibility of moving the site to Russia or Argentina—and he asked the Swedish Embassy for help. "A request by Carl Lundström to the Swedish Embassy in Argentina for assistance in relocating the operation there, since the situation vis a vis copyright in Argentina could be assumed to be more user-friendly than in Europe, was turned down by the Embassy," says the verdict. "Carl Lundström then contacted an Argentinean lawyer with the aim of ascertaining the cost of establishing the operation as a company in Argentina."&lt;br /&gt;&lt;br /&gt;Similar moves were made in Russia; nothing appears to have come of them.&lt;br /&gt;&lt;br /&gt;Legal advice. Why the interest in getting out of Sweden? A new copyright law came into effect in 2005, and Lundström worried that it would make the site illegal. "Carl Lundström contacted a lawyer," says the verdict. 
"Following discussions with his legal representative, he e-mailed Gottfrid Svartholm Warg and mentioned that as of 1 July 2005, the operation would be unlawful and that they should, therefore, consider relocating the operation to another country."&lt;br /&gt;&lt;br /&gt;In the meantime, Fredrik Neij sought some legal advice of his own. Rather than pay a lawyer, though, he sought out the advice of a "law student who, in turn, checked with his teachers and professors." Based on advice from the student, Neij told the court that he believed The Pirate Bay was legal.&lt;br /&gt;&lt;br /&gt;The Pirate Bay meets... TV? One other curious revelation was that Lundström had the idea back in 2006 "for new services in the form of a pooling of The Pirate Bay’s website and a digital television receiver." Few details are offered, but this sounds a bit like a set-top box that could tune TV and also grab video content from The Pirate Bay. As with many of the other schemes mentioned in the verdict, nothing came of this.&lt;br /&gt;&lt;br /&gt;The Google defense. During the trial, the defendants harped on the fact that Google also indexes .torrent files, many of them infringing; why was a search engine like The Pirate Bay on trial while a search engine like Google was not?&lt;br /&gt;&lt;br /&gt;Here is the judge's answer in its most condensed form: "In accordance with what will be further demonstrated below, all the defendants were aware that a large number of the website’s users were engaged in the unlawful disposal of copyright-protected material. By providing a website with advanced search functions and easy uploading and downloading facilities, and by putting individual filesharers in touch with one other through the tracker linked to the site, the operation run via The Pirate Bay has, in the opinion of the District Court, facilitated and, consequently, aided and abetted these offences."&lt;br /&gt;&lt;br /&gt;What happened to the "safe harbor"? 
US law offers immunity (under both the Communications Decency Act and the Digital Millennium Copyright Act) to certain websites and ISPs for the actions of their users. Europe's "Electronic Commerce Act" contains a similar provision, but the judge found that The Pirate Bay didn't qualify. Why not? Because the law requires that a service provider was "not aware of the existence of the illegal information or operation, and was not aware of facts or circumstances which made it obvious that the illegal information or operation existed or who, as soon as he received knowledge about or became aware of this, prevented the spread of the information without delay."&lt;br /&gt;&lt;br /&gt;Since they posted many of the takedown letters sent in by copyright owners, the admins certainly knew about all sorts of copyright infringement taking place on their site. They did nothing about it and instead mocked the rightsholders. "It must have been obvious to the defendants that the website contained torrent files which related to protected works," said the court. "None of them did, however, take any action to remove the torrent files in question, despite being urged to do so. The prerequisites for freedom from liability under §18 have, consequently, not been fulfilled."&lt;br /&gt;&lt;br /&gt;Translation: no immunity.&lt;br /&gt;The end of the beginning&lt;br /&gt;&lt;br /&gt;Despite the verdict, the case is just getting started. Defense lawyers have already filed an appeal and have since accused the judge overseeing the case of a conflict of interest. 
Judge Tomas Norström belongs to a couple of Swedish copyright associations, a fact no one managed to dig up before the trial.&lt;br /&gt;&lt;br /&gt;While the court's judgment sheds plenty of light on how The Pirate Bay operated and what its backers believe, the least relevant part of it may in fact be the legal reasoning.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-1275355416034392187?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/1275355416034392187/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/pirate-bay-verdict-dishing-dirt.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1275355416034392187'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1275355416034392187'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/pirate-bay-verdict-dishing-dirt.html' title='The Pirate Bay verdict, dishing the dirt'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-6210037269052068510</id><published>2009-04-26T08:35:00.000-07:00</published><updated>2009-05-31T11:02:48.696-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='wdfia 2009'/><title type='text'>mp3-2-swfembedder</title><content type='html'>//mp3-2-swfembedder.java&lt;br 
/&gt;//@author Alex Zaharis, Dini Martini&lt;br /&gt;//WDFIA 2009&lt;br /&gt;&lt;br /&gt;import java.io.IOException;&lt;br /&gt;import java.util.ArrayList;&lt;br /&gt;import com.flagstone.transform.FSMovie;&lt;br /&gt;import com.flagstone.transform.FSShowFrame;&lt;br /&gt;import com.flagstone.transform.util.FSSoundConstructor;&lt;br /&gt;&lt;br /&gt;class mp32swfembedder{&lt;br /&gt;    public static void main(String[] args){&lt;br /&gt;       try{   &lt;br /&gt;             // Open the existing SWF movie and the MP3 file to embed in it&lt;br /&gt;             FSMovie movie = new FSMovie("theproof.swf");              &lt;br /&gt;             FSSoundConstructor sounder = new FSSoundConstructor("theultrasound.mp3");&lt;br /&gt;&lt;br /&gt;             // Split the sound into one block of samples per frame at 12 frames per second&lt;br /&gt;             float framesPerSecond = 12.0f;&lt;br /&gt;             int samplesPerBlock = sounder.getSampleRate() / (int) framesPerSecond;&lt;br /&gt;             int numberOfBlocks = sounder.getSamplesPerChannel() / samplesPerBlock;&lt;br /&gt;             movie.add(sounder.streamHeader(samplesPerBlock));&lt;br /&gt;&lt;br /&gt;             // Add each sound block followed by a ShowFrame so the audio streams with the frames&lt;br /&gt;             for (int i=0; i &amp;lt; numberOfBlocks; i++) {&lt;br /&gt;                 movie.add(sounder.streamBlock(i, samplesPerBlock));&lt;br /&gt;                 movie.add(new FSShowFrame());&lt;br /&gt;             }             &lt;br /&gt;             // Write the combined movie to a new SWF file&lt;br /&gt;             movie.encodeToFile("aizak.swf");           &lt;br /&gt;  }&lt;br /&gt;   catch (Exception e)&lt;br /&gt;  {&lt;br /&gt;          e.printStackTrace();&lt;br /&gt;  }&lt;br /&gt;  }&lt;br /&gt;}&lt;br /&gt;&lt;br /&gt;Libraries can be found &lt;a href="http://www.flagstonesoftware.com/downloads/transform-java-2.3.1.zip"&gt;here.&lt;/a&gt;&lt;br /&gt;Examples can be found &lt;a href="http://www.flagstonesoftware.com/transform/"&gt;here.&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-6210037269052068510?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' 
href='http://greekforensicscommunity.blogspot.com/feeds/6210037269052068510/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/mp3-2-swfembedder.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6210037269052068510'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6210037269052068510'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/mp3-2-swfembedder.html' title='mp3-2-swfembedder'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-79366189122192481</id><published>2009-04-24T11:32:00.000-07:00</published><updated>2009-04-24T11:33:49.577-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='news'/><title type='text'>Deep packet inspection could be outlawed in US</title><content type='html'>&lt;span style="font-weight:bold;"&gt;US lawmakers are set to limit the way ISPs use deep packet inspection (DPI), even though no American service providers are using the technology.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Representative Rick Boucher, a Virginia Democrat, and three privacy experts, speaking at a hearing before the House Energy Commerce sub-committee urged lawmakers to pass comprehensive online privacy legislation in the coming months.&lt;br /&gt;&lt;br /&gt;While DPI can be used to filter spam and identify criminals, the technology raises serious privacy concerns, Boucher said. 
"Its privacy-intrusion potential is nothing short of frightening," he added. "The thought that a network operator could track a user's every move on the Internet, record the details of every search and read every email ... is alarming."&lt;br /&gt;&lt;br /&gt;Boucher, chairman of the House Subcommittee on Communications, Technology and the Internet, said he planned to introduce a privacy bill for online users. That legislation could possibly prohibit DPI for use in behavioural advertising and other uses not related to security or network management, he suggested.&lt;br /&gt;&lt;br /&gt;Officials with Free Press, the Center for Democracy and Technology (CDT) and the Electronic Privacy Information Center (EPIC) all spoke in favour of online privacy legislation. "In our view, deep packet inspection is really no different than postal employees opening envelopes and reading letters inside," said Leslie Harris, president and CEO of CDT. "Consumers simply do not expect to be snooped on by their ISPs or other intermediaries in the middle of the network, so DPI really defies legitimate expectations of privacy that consumers have."&lt;br /&gt;&lt;br /&gt;Comcast and Cox Communications, both cable-based broadband providers, have experimented with using DPI in conjunction with behavioural advertising, but panelists at the hearing said they knew of no US ISP now using DPI that way. However, there are about a dozen companies offering DPI services to ISPs, said Ben Scott, policy director at Free Press.&lt;br /&gt;&lt;br /&gt;With ISPs staying away from DPI, Congress should let ISPs self-regulate, said Kyle McSlarrow, president and CEO of the trade group the National Cable and Telecommunications Association. "Any technology can be used for good purposes and for bad," he said. "We recognise that no one would want us looking at the communication in e-mail. 
We don't particularly want to do that."&lt;br /&gt;&lt;br /&gt;The technology is changing so rapidly, it may be difficult to draft appropriate legislation, he added. "There are new models being created," he said. "It's fairly hard to freeze, in one point and time, a fairly immature marketplace. We should allow industry and all stakeholders to try to work together ... come up with self-regulatory principles that protect consumer privacy."&lt;br /&gt;&lt;br /&gt;Some Republicans on the subcommittee also questioned whether legislation should be targeted only at ISPs. "Our focus should ... look at the entire Internet universe, including search engines and Internet advertising networks," said Representative Cliff Stearns, a Florida Republican. "Consumers don't care whether you are a search engine or a broadband provider; they just want to ensure that their privacy is protected."&lt;br /&gt;&lt;br /&gt;Privacy advocates also urged lawmakers to go beyond rules that would force ISPs to get opt-in permission from customers before tracking their online activities. 
In many cases, customers don't completely understand what they're being asked to opt into, said Marc Rotenberg, EPIC's executive director.&lt;br /&gt;&lt;br /&gt;"I don't think [opt-in] is sufficient because it won't be meaningful unless consumers understand what data about them is being collected and how it's being used," he said.&lt;br /&gt;&lt;br /&gt;By Grant Gross, IDG news service&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-79366189122192481?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/79366189122192481/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/deep-packet-inspection-could-be.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/79366189122192481'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/79366189122192481'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/deep-packet-inspection-could-be.html' title='Deep packet inspection could be outlawed in US'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-6894316019511466750</id><published>2009-04-22T05:45:00.000-07:00</published><updated>2009-04-22T05:47:40.491-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='torrents'/><category 
scheme='http://www.blogger.com/atom/ns#' term='news'/><title type='text'>BT blocks off Pirate Bay</title><content type='html'>BT and other mobile broadband providers are blocking access to The Pirate Bay, as part of a "self-regulation" scheme.&lt;br /&gt;&lt;a href="http://www.pcpro.co.uk/blogs/2009/04/21/top-ten-pirate-bay-putdowns/"&gt;&lt;br /&gt;Read our top ten Pirate Bay putdowns here.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;BT Mobile Broadband users who attempt to access the notorious BitTorrent tracker site are met with a "content blocked" message.&lt;br /&gt;&lt;br /&gt;The warning page states the page has been blocked in "compliance with a new UK voluntary code".&lt;br /&gt;&lt;br /&gt;"This uses a barring and filtering mechanism to restrict access to all WAP and internet sites that are considered to have 'over 18' status," the warning states. It goes on to list a series of categories that are blocked, including adult/sexually explicit content, "criminal skills" and hacking.&lt;br /&gt;&lt;br /&gt;It's not stated which category The Pirate Bay breaches, although the site does host links to porn movies.&lt;br /&gt;&lt;br /&gt;BT's warning message advises customers to contact customer services if they want the block on the site to be lifted. The message also invites users to seek further information on the self-regulation scheme on the Internet Watch Foundation's website, although an IWF spokesman denies any involvement with the mobile filtering scheme.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;All mobile networks&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The self-regulation scheme includes all five of the major mobile networks. 
(BT's service is based on the Vodafone network).&lt;br /&gt;&lt;br /&gt;The Code says that members agree to block even legal "adult" content on mobile connections, in case phones or laptops fall into the hands of minors.&lt;br /&gt;&lt;br /&gt;"The Code covers new types of content, including visual content, online gambling, mobile gaming, chat rooms and internet access," &lt;a href="http://www.iwf.org.uk/public/page.113.243.htm"&gt;the code of practice states&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;However, it then goes on to state that "the Code does not cover peer-to-peer communications but it does give assurances to customers that the mobile operators are taking action to combat illegal, bulk and nuisance communications."&lt;br /&gt;&lt;br /&gt;Pirate Bay's founders last week lost their landmark case against several leading record companies and now face a huge fine and up to a year in jail, pending an appeal.&lt;br /&gt;&lt;br /&gt;BT says that it alone took the decision to block The Pirate Bay site. "BT and the other UK mobile operators have agreed and implemented a voluntary Code of Practise for mobile content that restricts access to content unsuitable for customers under the age of 18," the company claims in a statement.&lt;br /&gt;&lt;br /&gt;"The list of sites and content that is restricted is compiled by individual operators themselves. The warning that BT provides links to the IWF website is for information on the Code only. 
BT customers who wish to have access to particular sites reactivated can do so by calling 150."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-6894316019511466750?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/6894316019511466750/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/bt-blocks-off-pirate-bay.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6894316019511466750'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/6894316019511466750'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/bt-blocks-off-pirate-bay.html' title='BT blocks off Pirate Bay'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-1243102950167242037</id><published>2009-04-22T05:43:00.001-07:00</published><updated>2009-04-22T05:44:59.159-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='news'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>Report: Payment card data was top target in 2008</title><content type='html'>More records were breached in 2008 than in the previous four years combined as a result of a few large breaches involving payment cards, according to a report released on Wednesday.&lt;br /&gt;&lt;br /&gt;Last 
year, 295 million records were compromised and there were 90 confirmed breaches, the Verizon Business 2009 Data Breach Investigations Report (PDF) found.&lt;br /&gt;&lt;br /&gt;The top five breaches accounted for 93 percent of total records compromised. As a percentage of caseload, 80 percent were payment card breaches, while payment card data represented 98 percent of all records compromised last year.&lt;br /&gt;&lt;br /&gt;PIN data was increasingly targeted in 2008 in attacks in which magnetic-stripe data and PIN data were used for identity fraud. For example, criminals used the data to make ATM withdrawals from victims' accounts.&lt;br /&gt;&lt;br /&gt;PIN data stolen in a breach at payment processor RBS WorldPay was used to clone cards and withdraw millions of dollars from victim bank accounts last year. Meanwhile, payment processor Heartland had a huge data breach of its own last year that it reported in January, and there have been reports of another breach at an unidentified institution.&lt;br /&gt;&lt;br /&gt;More than three-fourths of organizations suffering payment card breaches were found to be not compliant with PCI data security standards or had never been audited. 
The typical organization had met less than a third of the requirements in the standards, the report found.&lt;br /&gt;&lt;br /&gt;This chart shows threat categories by percent of breaches (black) and records (red).&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://i.i.com.com/cnwk.1d/i/bto/20090415/VerizonThreat.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 300px;" src="http://i.i.com.com/cnwk.1d/i/bto/20090415/VerizonThreat.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;(Credit: Verizon)&lt;br /&gt;&lt;br /&gt;Of the total breaches, 75 percent came from external sources, 39 percent involved multiple parties, 32 percent involved business partners and in 20 percent of the cases insiders were implicated. Three-fourths of the breaches were undiscovered and uncontained for weeks or months.&lt;br /&gt;&lt;br /&gt;As for types of breaches, 64 percent resulted from malicious hacking, 38 percent used malware, 22 percent involved privileged misuse, and 9 percent used physical attacks such as equipment theft or tampering.&lt;br /&gt;&lt;br /&gt;In about four of 10 hacking-related breaches, an attacker gained unauthorized access to the victim via one of the many types of remote access and management software, typically provisioned to third parties for remote administration.&lt;br /&gt;&lt;br /&gt;During 2008, malware was involved in more than one-third of the cases investigated and contributed to nine out of 10 of all records breached.&lt;br /&gt;&lt;br /&gt;"Malware is now an essential component to nearly all large-scale data breach scenarios," the report said. 
"Hacking gets the criminal in the door, but malware gets him the data."&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-1243102950167242037?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/1243102950167242037/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/report-payment-card-data-was-top-target.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1243102950167242037'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1243102950167242037'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/report-payment-card-data-was-top-target.html' title='Report: Payment card data was top target in 2008'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-1257064479212074875</id><published>2009-04-12T04:05:00.001-07:00</published><updated>2009-04-12T04:07:10.848-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='news'/><category scheme='http://www.blogger.com/atom/ns#' term='trojan'/><title type='text'>New MS08-067 Exploit Creeps in During DOWNAD Frenzy</title><content type='html'>A new &lt;span style="font-weight:bold;"&gt;MS08-067&lt;/span&gt; exploit silently made its entrance as the rest of the world was keeping watch on DOWNAD’s next step last 
week. In what seems to be a case of “old worm with new tricks,” the worm Neeris, which has been active for a few years now, was found updated with the now infamous MS08-067 exploit.&lt;br /&gt;&lt;br /&gt;Detected by Trend Micro as WORM_NEERIS.A, the number of PCs infected by this variant reportedly spiked almost at the same time that DOWNAD was supposed to do its thing. However, despite similarities between DOWNAD and Neeris, Microsoft reports that no evidence has been found suggesting any connection between the two.&lt;br /&gt;&lt;br /&gt;Apart from propagating through the Microsoft Server Service Vulnerability, WORM_NEERIS.A also propagates through removable drives, SQL servers, and through the instant messaging application MSN Messenger. It also drops a rootkit component, detected as RTKT.FARFLI.UW, which it uses to hide its processes. This worm also opens the affected system’s port 449 and connects to a certain site where it waits for commands sent by a remote user.&lt;br /&gt;&lt;br /&gt;Whether Neeris will be able to live up to the mark left by DOWNAD is anyone’s guess for now. Sadly, the emergence of another threat leveraging the same vulnerability that had just been in the global spotlight indicates that there are still users who are unable to see the importance of updating their systems. Users must realize that cyber criminals will continue to strike as long as they keep themselves vulnerable. 
So please, update &lt;a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-1257064479212074875?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/1257064479212074875/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/new-ms08-067-exploit-creeps-in-during.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1257064479212074875'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1257064479212074875'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/new-ms08-067-exploit-creeps-in-during.html' title='New MS08-067 Exploit Creeps in During DOWNAD Frenzy'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-1218546507561951934</id><published>2009-04-07T12:09:00.000-07:00</published><updated>2009-04-07T12:10:41.166-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Ειδήσεις'/><title type='text'>Forthnet checks IPs for Card Sharing</title><content type='html'>According to a report in DSTV magazine, which specializes in satellite TV, NOVA is hardening its stance and, after &lt;a href="http://minotavrs.blogspot.com/2009/01/nova-bloggers.html"&gt;the 
legal notice&lt;/a&gt; sent to the administrators of justin.tv and the troktiko blog, has given FORTHNET its approval to check and log all of its customers' IPs, in order to determine which of them distribute or share keys from NOVA cards, the practice known as internet card sharing.&lt;br /&gt;&lt;br /&gt;As the magazine writes, a request has been filed with the public prosecutor's office so that the other providers are also compelled to do the same, thereby handing over the details of their customers who use this illegal method of sharing.&lt;br /&gt;&lt;br /&gt;The issue immediately drew wide attention in satellite and Internet circles, and some users are already preparing to file a complaint with the personal data protection authority, raising the sensitive issue of personal privacy.&lt;br /&gt;&lt;br /&gt;Indeed, user discussions claim both that Forthnet has sent a related memo to HOL and that some people have already been arrested in Katerini for this reason.&lt;br /&gt;&lt;br /&gt;As a reminder, the telecommunications company Forthnet acquired the majority stake in NOVA 11 months ago.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-1218546507561951934?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/1218546507561951934/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/forthnet-ips-card-sharing.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1218546507561951934'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1218546507561951934'/><link rel='alternate' type='text/html' 
href='http://greekforensicscommunity.blogspot.com/2009/04/forthnet-ips-card-sharing.html' title='Forthnet checks IPs for Card Sharing'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-1267750344699587822</id><published>2009-04-07T02:27:00.001-07:00</published><updated>2009-04-07T02:27:22.961-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='news'/><title type='text'>French government OKs Web piracy law</title><content type='html'>LONDON -- The French National Assembly has voted to adopt the central clause in the anti-piracy Creation and Internet Law, which would allow a state body to cut off copyright infringers' broadband access after two warnings were issued.&lt;br /&gt;&lt;br /&gt;The three-strikes scheme proposed by the French government to tackle P2P file-sharing has met with opposition from some politicians and consumer groups, but the vote has been welcomed by parts of the international music business.&lt;br /&gt;&lt;br /&gt;"The French government has taken a decisive step to protect artists and creators, setting an example to the rest of the world," said IFPI chairman and chief executive John Kennedy in a statement. "The great thing about this French initiative is that it will result in very sensible and achievable actions by ISPs to reduce piracy in a way that is overwhelmingly preventative and not punitive."&lt;br /&gt;&lt;br /&gt;IMPALA, which represents 4,000 independent labels across Europe, also welcomed the vote.&lt;br /&gt;&lt;br /&gt;"We see this as a great breakthrough. 
Independents produce 80% of all new releases and as a result suffer particularly from illegal downloading," said executive chair Helen Smith in a statement. "We feel that this text reaches an excellent compromise between the interests of the fans, the music companies and the ISPs."&lt;br /&gt;&lt;br /&gt;Michel Lambot, co-president of PIAS and co-president of IMPALA, added: "This was a bold move by the French, and has brought its fair share of criticism. We hope the law will now be able to go on to be the success that we believed it would and that it will serve as an example that other countries can follow."&lt;br /&gt;&lt;br /&gt;France's consumer rights group UFC-Que Choisir has opposed the plan.&lt;br /&gt;&lt;br /&gt;Thursday's vote on the three-strikes measure was crucial to the legislation, which will undergo parliamentary scrutiny article by article, beginning April 9, before it is finally passed into law.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-1267750344699587822?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/1267750344699587822/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/french-government-oks-web-piracy-law.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1267750344699587822'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/1267750344699587822'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/french-government-oks-web-piracy-law.html' title='French government OKs Web piracy 
law'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-7400803695629687496</id><published>2009-04-07T02:09:00.000-07:00</published><updated>2009-04-07T02:11:01.670-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='news'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><title type='text'>Survey: Credit card fraud a top concern in U.S.</title><content type='html'>This should come as no surprise to anyone, but people in the U.S. are worried that as the economy worsens, the chances for identity fraud, particularly with regard to credit card data theft, will increase.&lt;br /&gt;&lt;br /&gt;Nearly 75 percent of Americans believe that the global financial crisis increases their risk of identity and related fraud, according to &lt;a href="http://unisyssecurityindex.com/"&gt;the Unisys Security Index&lt;/a&gt; due to be released on Monday.&lt;br /&gt;&lt;br /&gt;More than two-thirds surveyed said they are extremely or very concerned about other people obtaining and using their credit and debit card data, with 90 percent at least somewhat concerned.&lt;br /&gt;&lt;br /&gt;Credit and debit card fraud is the top security concern for people, with 68 percent saying they are extremely or very concerned. 
And 66 percent said they are seriously concerned about unauthorized access to or misuse of personal information.&lt;br /&gt;&lt;br /&gt;More than 40 percent of respondents said they are extremely or very concerned about security related to viruses and unsolicited e-mail.&lt;br /&gt;&lt;br /&gt;Overall, people are more worried about their financial security and less worried about national security than in previous surveys, according to the survey.&lt;br /&gt;&lt;br /&gt;The survey of more than 1,000 respondents in the U.S. was conducted from February 20-22.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-7400803695629687496?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/7400803695629687496/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/survey-credit-card-fraud-top-concern-in.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7400803695629687496'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7400803695629687496'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/survey-credit-card-fraud-top-concern-in.html' title='Survey: Credit card fraud a top concern in U.S.'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' 
src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-2200192315344346989</id><published>2009-04-04T11:05:00.000-07:00</published><updated>2009-04-04T11:07:07.773-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='torrents'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='news'/><title type='text'>France to Block The Pirate Bay, Disconnect File-Sharers</title><content type='html'>&lt;span style="font-weight:bold;"&gt;Despite public protests the French Parliament has passed a controversial new law that will see alleged copyright infringers disconnected from the Internet. In addition, France’s Minister of Culture Christine Albanel has stated that under the new law, ISPs may be ordered to block The Pirate Bay.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;In order to clamp down on piracy the French have &lt;a href="http://translate.google.fr/translate?u=http%3A%2F%2Fwww.pcinpact.com%2Factu%2Fnews%2F50142-assemblee-nationale-adopte-riposte-graduee.htm&amp;sl=fr&amp;tl=en&amp;hl=fr&amp;ie=UTF-8"&gt;passed a new law&lt;/a&gt; requiring Internet service providers to cut off Internet access for persistent offenders. Under the new legislation ISPs have to warn alleged copyright infringers twice, and if they ignore these warnings their Internet access is terminated for up to a year.&lt;br /&gt;&lt;br /&gt;One of the biggest problems with the new law is that copyright infringers will be identified only by an IP-address, which will undoubtedly lead to many false accusations. Those who want to prove their innocence have only one option, namely, to install a spyware application that will monitor their every move on the Internet and report it back to the authorities. Hardly practical.&lt;br /&gt;&lt;br /&gt;The law goes much further than disconnecting alleged file-sharers though. 
In addition it is now possible to take “any action” in order to put a halt to copyright infringement. Minister of Culture, Christine Albanel, &lt;a href="http://translate.google.com/translate?prev=_t&amp;hl=en&amp;ie=UTF-8&amp;u=http%3A%2F%2Fwww.numerama.com%2Fmagazine%2F12524-Albanel-veut-bloquer-l-acces-a-The-Pirate-Bay-en-France-MAJ.html"&gt;explicitly named The Pirate Bay&lt;/a&gt; as one of the sites that could be easily blocked under the new law.&lt;br /&gt;&lt;br /&gt;Thus, without having to provide evidence that a website is engaging in illegal activities, it can still be blocked. Potentially this could mean that access to BitTorrent sites is disallowed in France, as well as access to sites like YouTube or perhaps even Google.&lt;br /&gt;&lt;br /&gt;In summary, the new law introduces unlimited options for the copyright holders to go after sites and people that may or may not infringe copyright, without having to actually prove that the accused are guilty. To date, this is by far the most aggressive and unbalanced piece of copyright legislation that we’ve seen.&lt;br /&gt;&lt;br /&gt;Even more so, only last week the European Parliament spoke out against such disproportionate legislation by adopting a report that aims to protect the rights and freedoms of Internet users and excludes ‘three strikes’ as a punitive sanction. Unfortunately, members of the French parliament completely ignored this.&lt;br /&gt;&lt;br /&gt;What struck us most is that the people who get to decide on these issues have no clue about file-sharing at all. Many of them don’t know what BitTorrent is, or how it works. 
Yet, they decide the fate of hundreds of thousands of Internet users.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-2200192315344346989?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/2200192315344346989/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/france-to-block-pirate-bay-disconnect.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2200192315344346989'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/2200192315344346989'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/france-to-block-pirate-bay-disconnect.html' title='France to Block The Pirate Bay, Disconnect File-Sharers'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-7344421016068933889</id><published>2009-04-03T01:47:00.001-07:00</published><updated>2009-04-03T01:48:47.527-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Tools'/><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><title type='text'>New Nmap version detects the Conficker worm</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.net-security.org/images/articles/secworld-encryption.jpg"&gt;&lt;img 
style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 100px; height: 100px;" src="http://www.net-security.org/images/articles/secworld-encryption.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;The Conficker worm is receiving a lot of attention because of its vast scale (millions of machines infected) and advanced update mechanisms. Thanks to research by Tillmann Werner and Felix Leder of The Honeynet Project and implementation work by Ron Bowes, David Fifield, Brandon Enright, and Fyodor, &lt;a href="http://www.net-security.org/software.php?id=1"&gt;a new Nmap release is here&lt;/a&gt; which can remotely scan for and detect infected machines.&lt;br /&gt;&lt;br /&gt;To scan for Conficker, use a command such as:&lt;br /&gt;nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]&lt;br /&gt;&lt;br /&gt;A clean machine should report at the bottom: “Conficker: Likely CLEAN”, while likely infected machines say: “Conficker: Likely INFECTED”. For more advice, see this nmap-dev post by Brandon Enright. Dan Kaminsky broke the story on Doxpara.com.&lt;br /&gt;&lt;br /&gt;While Conficker gets all the attention, 4.85BETA5 also has many other great improvements:&lt;br /&gt;&lt;br /&gt;    * Ndiff now includes service (version detection) and OS detection differences.&lt;br /&gt;    * [Ncat] The --exec and --sh-exec options now work in UDP mode like they do in TCP mode: the server handles multiple concurrent clients and doesn't have to be restarted after each one.&lt;br /&gt;    * [Ncat] The -v option (used alone) no longer floods the screen with debugging messages. With just -v, we now only print the most important status messages such as "Connected to ...", a startup banner, and error messages. At -vv, minor debugging messages are enabled, such as what command is being executed by --sh-exec. 
With -vvv you get detailed debugging messages.&lt;br /&gt;    * [Ncat] Chat mode now lets other participants know when someone connects or disconnects, and it also broadcasts a current list of participants at such times.&lt;br /&gt;    * [Ncat] Fixed a socket handling bug which could occur when you redirect Ncat stdin, such as "ncat -l --chat &lt; /dev/null". The next user to connect would end up with file descriptor 0 (which is normally stdin) and thus confuse Ncat.&lt;br /&gt;    * [Zenmap] The "Scan Output" expanders in the diff window now behave more naturally. Some strange behavior on Windows was noted by Jah.&lt;br /&gt;    * The following OS detection tests are no longer included in OS fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. RUL, DLI, and SI were found not to be helpful in distinguishing operating systems because they didn't vary. TOS and TOSI were disabled in 4.85BETA1 but now they are not included in prints at all.&lt;br /&gt;    * The compile-time Nmap ASCII dragon is now more ferocious thanks to better teeth alignment.&lt;br /&gt;    * Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI test that could cause a closed-port IP ID to be written into the array for the SEQ.TI test and cause erroneous results.&lt;br /&gt;    * Nbase has grown routines for calculating Adler32 and CRC32C checksums. This is needed for future SCTP support.&lt;br /&gt;    * [Zenmap] Zenmap no longer shows an error message when running Nmap with options that cause a zero-length XML file to be produced (like --iflist).&lt;br /&gt;    * Fixed an off-by-one error in printableSize() which could cause Nmap to crash while reporting NSE results. 
Also, NmapOutputTable's memory allocation strategy was improved to conserve memory.&lt;br /&gt;    * [Zenmap] We now give the --force option to setup.py for installation to ensure that it replaces all files.&lt;br /&gt;    * Nmap's --packet-trace, --version-trace, and --script-trace now use an Nsock trace level of 2 rather than 5. This removes some superfluous lines which can flood the screen.&lt;br /&gt;    * [Zenmap] Fixed a crash which could occur when loading the help URL if the path contains multibyte characters.&lt;br /&gt;    * [Ncat] The version number is now matched to the Nmap release it came with rather than always being 0.2.&lt;br /&gt;    * Fixed a strtok issue between load_exclude and TargetGroup::parse_expr that caused only the first exclude on a line to be loaded as well as an invalid read into free()'d memory in load_exclude().&lt;br /&gt;    * NSE's garbage collection system (for cleaning up sockets from completed threads, etc.) has been improved.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-7344421016068933889?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/7344421016068933889/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/new-nmap-version-detects-conficker-worm.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7344421016068933889'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7344421016068933889'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/04/new-nmap-version-detects-conficker-worm.html' title='New Nmap version detects the 
Conficker worm'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-520636122153535003</id><published>2009-03-24T06:02:00.000-07:00</published><updated>2009-03-24T06:05:17.294-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><title type='text'>Introspection of Virtual Machines,get access to memory</title><content type='html'>&lt;object width="425" height="344"&gt;&lt;param name="movie" value="http://www.youtube.com/v/c6OMlSoDXrw&amp;hl=en&amp;fs=1"&gt;&lt;/param&gt;&lt;param name="allowFullScreen" value="true"&gt;&lt;/param&gt;&lt;param name="allowscriptaccess" value="always"&gt;&lt;/param&gt;&lt;embed src="http://www.youtube.com/v/c6OMlSoDXrw&amp;hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="400" height="344"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-520636122153535003?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/520636122153535003/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/introspection-of-virtual-machinesget.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/520636122153535003'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/520636122153535003'/><link 
rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/introspection-of-virtual-machinesget.html' title='Introspection of Virtual Machines,get access to memory'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-3934440300934342814</id><published>2009-03-23T18:47:00.000-07:00</published><updated>2009-03-23T18:51:41.973-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security'/><category scheme='http://www.blogger.com/atom/ns#' term='news'/><category scheme='http://www.blogger.com/atom/ns#' term='Ειδήσεις'/><title type='text'>Save the children? ICANN opens debate on CyberSafety charter</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://static.arstechnica.com/tech-policy/icannlogo.jpg"&gt;&lt;img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;width: 230px; height: 130px;" src="http://static.arstechnica.com/tech-policy/icannlogo.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;The group behind the campaign to take porn off of port 80 is now lobbying ICANN to create a new "Cybersafety Constituency" to assist in the formulation of domain name system policy.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;ICANN has been soliciting a lot of comments on its governance and future of late, including one petition to form a CyberSafety Constituency (CSC) within the Non-Commercial Stakeholders Group (NCSG). The petition (PDF) as filed with ICANN is fairly innocuous and harmless-sounding, but the woman doing the filing—Professor Cheryl B. 
Preston, of Brigham Young University—has ties to other nonprofit organizations that should have been disclosed at some point within the application procedure.&lt;br /&gt;&lt;br /&gt;Preston is general counsel for the nonprofit group CP80, which advocates for the creation of an Internet filtration system that would supposedly seek to keep porn and other adult content sandboxed away from the family-friendly tubes. The organization deserves credit for proposing a system that wouldn't automatically cripple Internet access speeds nationwide, force deep packet inspection, or turn ISPs into de facto Internet police. That said, failing to qualify as prima facie terrible does not automatically qualify CP80's legislative baby, the Internet Community Portals Act (ICPA) as a good idea.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Filtering at the port level&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;CP80's solution to the seemingly intractable problem of Internet filtering is to segregate traffic by port. All "normal" traffic (have fun defining that) would continue to flow over Port 80 or whatever port it's currently assigned to. Adult content, however, would be shifted away from Port 80 (hence the group's name, "Clean Port 80") and on to a new port—let's call it Port XXX. Were CP80's legislation to pass, the Internet would look something like this:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://static.arstechnica.com/2009/03/19/CP80ISP1.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 396px; height: 263px;" src="http://static.arstechnica.com/2009/03/19/CP80ISP1.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The system as illustrated would allow an ISP to sell access plans to both the filtered and unfiltered Internet, consumers could choose which they want, freedoms are preserved, and everyone goes home happy...at least in theory. 
CP80's proposal might deserve a small bit of credit for avoiding some of the obvious issues that sank the concept of an adult-content .XXX domain name—except for the massive technical flaws and political challenges inherent to the ICPA's design. If you're already wondering about international governance and enforcement, don't worry—CP80 has anticipated your concerns:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://static.arstechnica.com/2009/03/19/CP80ISP12.jpg"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 396px; height: 496px;" src="http://static.arstechnica.com/2009/03/19/CP80ISP12.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;Got that?&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;The ICANN connection&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Professor Preston describes the CSC as a group that would focus on Internet safety issues and cites her personal concern that "as Internet policies are developed at ICANN, the interests of families, children, consumers, victims of cybercrime, religions, and cultures become better represented...we need to carefully craft mechanisms involving law and industry that balance unfettered free speech and anonymity with some protections against exploitation of the most vulnerable, the ability to address and reduce criminal activity, and the right of Internet users to have choices in the nature of their access."&lt;br /&gt;&lt;br /&gt;As proposed, the CSC would also function as a global outreach initiative and would attempt to coordinate international responses to what the paper posits are common cross-border, cross-cultural concerns. Again, as written, all of this is very kosher: everyone wants to balance rights and responsibilities, protect the "most vulnerable" from exploitation, and give users freedom of choice. 
Preston's letter advocating the creation of the CSC is consistent with her work for CP80, but some mention of the latter should occur in any discussion of the former, especially since CP80 makes it clear that they've considered the role ICANN might hypothetically play in the creation and international adoption of ICPA-equivalent legislation.&lt;br /&gt;&lt;br /&gt;Preston's omission is made potentially more serious by the fact that CP80 itself isn't exactly a digital city on a hill. The organization is headed by Ralph Yarro III, CEO and largest shareholder of the SCO Group. He's also the Founder/CEO of ThinkAtomic; if you visit that company's website you'll note (for now, at least) that the "Featured Company" of the day is CP80. ThinkAtomic is a prominent backer of CP80, and is listed as providing the group with legal, strategic, medical, and technology contributions. Run down the page, and you'll note a common last name—Ralph, Justin, and Matthew Yarro are all listed as technology contributors.&lt;br /&gt;&lt;br /&gt;If the BYU professor is serious about establishing the CSC, she'd do well to distance herself from either CP80 or the CSC petition before ICANN. There's nothing within the CSC's stated mission objective that would automatically create conflict with other actors interested in maintaining free speech and online anonymity. The best way to disperse accusations that she or the organization she currently represents has a hidden agenda is to cut ties with one or the other. Whether people agree or disagree with any particular position a hypothetical CSC might advocate, they won't respect the body as legitimate if it's viewed as nothing more than the puppet of a US group.&lt;br /&gt;&lt;br /&gt;As for CP80's ICPA proposal, it's a bad idea; there's no way to feasibly address the political and technical challenges of the project. 
Even if all such barriers vanished, there would still remain the age-old question of censorship—who does the censoring and writes the standards? Pretending that these issues are irrelevant because we all agree that protecting children is important is whitewashing the topic at its finest. &lt;a href="http://www.icann.org/en/public-comment/#cybersafety"&gt;ICANN is accepting public comment on the issue.&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;By Joel Hruska&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-3934440300934342814?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/3934440300934342814/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/save-children-icann-opens-debate-on.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3934440300934342814'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3934440300934342814'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/save-children-icann-opens-debate-on.html' title='Save the children? 
ICANN opens debate on CyberSafety charter'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-5618961177896298958</id><published>2009-03-17T18:21:00.000-07:00</published><updated>2009-03-17T18:47:07.976-07:00</updated><title type='text'>Forensics Tool for Firefox 3.X - F3e</title><content type='html'>An interesting article I stumbled upon while surfing.&lt;br /&gt;Apparently Firefox uses SQLite databases to store all sorts of interesting stuff like:&lt;br /&gt;Internet browsing history, Bookmarks, Settings, Downloads, Cookies, Form History etc.&lt;br /&gt;&lt;br /&gt;Mr. Chris Cohen has written a very useful freeware tool that extracts data from these databases. The tool is called Firefox 3 Extractor or F3e and you can download it from &lt;a href="http://www.firefoxforensics.com/"&gt;here&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The location of these databases differs among operating systems; they can be found at these locations:&lt;br /&gt;&lt;br /&gt;Windows XP&lt;br /&gt;&lt;br /&gt;C:\Documents and Settings\{user id}\Application Data\Mozilla\Firefox\Profiles\{profile folder}\&lt;br /&gt;&lt;br /&gt;Windows Vista&lt;br /&gt;&lt;br /&gt;C:\Documents and Settings\{user id}\AppData\Roaming\Mozilla\Firefox\Profiles\{profile folder}\&lt;br /&gt;&lt;br /&gt;Linux/Solaris&lt;br /&gt;&lt;br /&gt;{User dir - See /etc/passwd for the location}/.mozilla/firefox/{profile folder}/&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_0g5Xj_LGzzo/ScBReI3ddDI/AAAAAAAAABc/ZCeUJ2NbpB0/s1600-h/%CE%9A%CE%B1%CF%84%CE%B1%CE%B3%CF%81%CE%B1%CF%86%CE%AE.JPG"&gt;&lt;img style="display:block; margin:0px auto 10px; 
text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 200px;" src="http://4.bp.blogspot.com/_0g5Xj_LGzzo/ScBReI3ddDI/AAAAAAAAABc/ZCeUJ2NbpB0/s400/%CE%9A%CE%B1%CF%84%CE%B1%CE%B3%CF%81%CE%B1%CF%86%CE%AE.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5314337138515211314" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;Apparently f3e has lately started to extract, *experimentally*, the same information from the Chrome browser, even though I haven't quite tested it yet.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;If you would like to see a tutorial on how to use it you can click &lt;a href="http://sansforensics.wordpress.com/2009/03/13/firefox-3x-forensics-using-f3e/"&gt;Keven Murphy&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-5618961177896298958?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/5618961177896298958/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/forensics-tool-for-firefox-3x-f3e.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5618961177896298958'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5618961177896298958'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/forensics-tool-for-firefox-3x-f3e.html' title='Forensics Tool for Firefox 3.X - F3e'/><author><name>anonimity</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://4.bp.blogspot.com/_0g5Xj_LGzzo/ScBReI3ddDI/AAAAAAAAABc/ZCeUJ2NbpB0/s72-c/%CE%9A%CE%B1%CF%84%CE%B1%CE%B3%CF%81%CE%B1%CF%86%CE%AE.JPG' height='72' width='72'/><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-5398804179518769729</id><published>2009-03-16T08:21:00.000-07:00</published><updated>2009-03-16T08:22:58.782-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><title type='text'>12 changes that would give US cybersecurity a much needed kick in the pants</title><content type='html'>Potential cyber attacks against federal and private-sector networks loom larger every day and while the Department of Homeland Security (DHS) has made some important efforts, it has yet to fulfill many of the myriad responsibilities placed on it by the national cybersecurity plan.&lt;br /&gt;&lt;br /&gt;Those were the main conclusions of a &lt;a href="http://www.gao.gov/highlights/d09432thigh.pdf"&gt;Government Accountability Office&lt;/a&gt; report out today on the status of US national cybersecurity efforts. The GAO report included input from a panel of cybersecurity experts including representatives from the Internet Corporation for Assigned Names and Numbers, Juniper, Verizon, the US Department of Justice and the Electronic Frontier Foundation.&lt;br /&gt;&lt;br /&gt;The group came up with 12 cybersecurity improvements that DHS and others involved in the protection of national networked assets should employ. According to the GAO report these recommendations are as follows:&lt;br /&gt;&lt;br /&gt;1. Develop a national strategy that clearly articulates strategic objectives, goals, and priorities.&lt;br /&gt;&lt;br /&gt;2. 
Establish White House responsibility and accountability for leading and overseeing national cybersecurity policy: Currently the DHS is the focal point for cybersecurity; however, according to panel members, DHS has not met expectations and has not provided the high-level leadership needed to raise cybersecurity to a national focus. Accordingly, panelists stated that to be successful and to send the message to the nation and cyber critical infrastructure owners that cybersecurity is a priority, this leadership role needs to be elevated to the White House. In addition, to be effective, the office must have, among other things, corresponding authority (for example, over budgets and resources) to implement and employ appropriate incentives to encourage action.&lt;br /&gt;&lt;br /&gt;3. Establish a governance structure for strategy implementation. The strategy establishes a public/private partnership governance structure that includes 18 critical infrastructure sectors, corresponding government and sector coordinating councils, and cross-sector councils. However, according to panelists, this structure is government-centric and largely relies on personal relationships to instill trust to share information and take action.&lt;br /&gt;&lt;br /&gt;4. Publicize and raise awareness about the seriousness of the cybersecurity problem. Experts suggested that an aggressive awareness campaign is needed to raise the level of knowledge of leaders and the general populace that our nation is constantly under cyber attack.&lt;br /&gt;&lt;br /&gt;5. Create an accountable, operational cybersecurity organization. 
DHS established the &lt;a href="http://www.networkworld.com/news/2008/111708-security-predictions-two-views-of.html"&gt;National Cyber Security Division&lt;/a&gt; (within the Office of Cybersecurity and Communications) to be responsible for leading national day-to-day cybersecurity efforts; however, according to panelists, this has not enabled DHS to become the national focal point as envisioned. Panel members stated that currently, DOD and other organizations within the intelligence community that have significant resources and capabilities have come to dominate federal efforts. The group told the GAO there also needs to be an independent cybersecurity organization that leverages and integrates the capabilities of the private sector, civilian government, law enforcement, military, intelligence community, and the nation's international allies to address incidents against the nation's critical cyber systems and functions. However, there was not consensus among the panel regarding where this organization should reside.&lt;br /&gt;&lt;br /&gt;6. Focus more actions on prioritizing assets, assessing vulnerabilities, and reducing vulnerabilities than on developing additional plans.&lt;br /&gt;&lt;br /&gt;7. Bolster public/private partnerships through an improved value proposition and use of incentives. Panelists stated that the federal government should provide valued services (such as offering useful threat or analysis and warning information) or incentives (such as grants or tax reductions) to encourage action by and effective partnerships with the private sector.&lt;br /&gt;&lt;br /&gt;8. Focus greater attention on addressing the global aspects of cyberspace. Panel members stated that the US should pursue a more coordinated, aggressive approach so that there is a level playing field globally for US corporations and enhanced cooperation among government agencies, including law enforcement. 
In addition, a panelist stated that the US should work towards building consensus on a global cyber strategy.&lt;br /&gt;&lt;br /&gt;9. Improve law enforcement efforts to address malicious activities in cyberspace. Panel members stated that current domestic and international law enforcement efforts, including activities, procedures, methods, and laws are too outdated and outmoded to adequately address the speed, sophistication, and techniques of individuals and groups, such as criminals, terrorists, and adversarial foreign nations with malicious intent.&lt;br /&gt;&lt;br /&gt;10. Place greater emphasis on cybersecurity research and development, including consideration of how to better coordinate government and private sector efforts. Experts stated that the US is not adequately focusing and funding research and development efforts to address cybersecurity or to develop the next generation of cyberspace to include effective security capabilities. In addition, the research and development efforts currently underway are not being well coordinated between government and the private sector.&lt;br /&gt;&lt;br /&gt;11. Increase the cadre of cybersecurity professionals. Experts stated that actions to increase the number of professionals with adequate cybersecurity skills should include (1) enhancing existing scholarships and (2) making the cybersecurity discipline a profession through testing and licensing.&lt;br /&gt;&lt;br /&gt;12. Make the federal government a model for cybersecurity. Although the federal government has taken steps to improve the cybersecurity of agencies, panelists stated that it still is not a model for cybersecurity. 
Further, they said the federal government has not made changes in its acquisition function and the training of government officials in a manner that effectively improves the cybersecurity capabilities of products and services purchased and used by federal agencies.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-5398804179518769729?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/5398804179518769729/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/12-changes-that-would-give-us.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5398804179518769729'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5398804179518769729'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/12-changes-that-would-give-us.html' title='12 changes that would give US cybersecurity a much needed kick in the pants'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-3008972004500493161</id><published>2009-03-16T08:16:00.000-07:00</published><updated>2009-03-16T08:20:53.485-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Ειδήσεις'/><title type='text'>Fingerprinting Blank Paper Using Commodity 
Scanners</title><content type='html'>&lt;span style="font-weight:bold;"&gt;Today Will Clarkson, Tim Weyrich, Adam Finkelstein, Nadia Heninger, Alex Halderman and I released a paper, Fingerprinting Blank Paper Using Commodity Scanners. The paper will appear in the Proceedings of the IEEE Symposium on Security and Privacy, in May 2009.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Here's the paper's abstract:&lt;br /&gt;&lt;br /&gt;   &lt;span style="font-style:italic;"&gt; This paper presents a novel technique for authenticating physical documents based on random, naturally occurring imperfections in paper texture. We introduce a new method for measuring the three-dimensional surface of a page using only a commodity scanner and without modifying the document in any way. From this physical feature, we generate a concise fingerprint that uniquely identifies the document. Our technique is secure against counterfeiting and robust to harsh handling; it can be used even before any content is printed on a page. It has a wide range of applications, including detecting forged currency and tickets, authenticating passports, and halting counterfeit goods. 
Document identification could also be applied maliciously to de-anonymize printed surveys and to compromise the secrecy of paper ballots.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Viewed under a microscope, an ordinary piece of paper looks like this:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://citp.princeton.edu/fingerprinting/paper_images/paper_microscope.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 781px; height: 577px;" src="http://citp.princeton.edu/fingerprinting/paper_images/paper_microscope.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The microscope clearly shows individual wood fibers, laid down in a pattern that is unique to this piece of paper.&lt;br /&gt;&lt;br /&gt;If you scan a piece of paper on an ordinary desktop scanner, it just looks white. But pick a small area of the paper, digitally enhance the contrast and expand the image, and you see something like this:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://citp.princeton.edu/fingerprinting/paper_images/0Degrees-portrait.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 332px; height: 505px;" src="http://citp.princeton.edu/fingerprinting/paper_images/0Degrees-portrait.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;The light and dark areas you see are due to two factors: inherent color variation in the surface, and partial shadows cast by fibers in the paper surface. If you rotate the paper and scan again, the inherent color at each point will be the same, but the shadows will be different because the scanner's light source will strike the paper from a different angle. 
These differences allow us to map out the tiny hills and valleys on the surface of the paper.&lt;br /&gt;&lt;br /&gt;Here is a visualization of surface shape from one of our experiments:&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://citp.princeton.edu/fingerprinting/paper_images/sum.png"&gt;&lt;img style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 337px; height: 221px;" src="http://citp.princeton.edu/fingerprinting/paper_images/sum.png" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;This part of the paper had the word "sum" printed on it. You can clearly see the raised areas where toner was applied to the paper to make the letters. Around the letters you can see the background texture of the paper.&lt;br /&gt;&lt;br /&gt;Computing the surface texture is only one part of the job. From the texture, you want to compute a concise, secure "fingerprint" which can survive ordinary wear and tear on the paper, such as crumpling, scribbling or printing, and moisture. You also want to understand how secure the technology will be in various applications. Our full paper addresses these issues too. 
The bottom-line result is a sort of unique fingerprint for each piece of paper, which can be determined using an ordinary desktop scanner.&lt;br /&gt;&lt;br /&gt;For more information, see &lt;a href="http://citp.princeton.edu/paper/"&gt;the project website&lt;/a&gt; or the &lt;a href="http://citp.princeton.edu/pub/paper09oak.pdf"&gt;research paper&lt;/a&gt;.&lt;br /&gt;&lt;br /&gt;By Ed Felten&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-3008972004500493161?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/3008972004500493161/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/fingerprinting-blank-paper-using.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3008972004500493161'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3008972004500493161'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/fingerprinting-blank-paper-using.html' title='Fingerprinting Blank Paper Using Commodity Scanners'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-646759474666631947</id><published>2009-03-12T12:55:00.000-07:00</published><updated>2009-03-12T12:56:20.613-07:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><title type='text'>New 
Side to Face-Recognition Technology: Identifying Victims</title><content type='html'>&lt;span style="font-weight:bold;"&gt;Since Sept. 11, discussion of the disputed technology of face recognition has focused on its potential for identifying criminals and terrorists -- and for invading citizens' privacy. But in England, the police are pursuing a different path: they want to use facial recognition software to identify crime victims.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Using software developed by a Canadian company, Britain's National Crime Squad is creating a database of nearly three million pictures seized in raids of child pornography rings. By matching the images against pictures of missing children, investigators hope to find them, or at least generate clues -- an unusual car or distinctive scenery -- that can help identify the people making the photos and films.&lt;br /&gt;&lt;br /&gt;Facial recognition has been in development for decades, but recent advances in computer power and software have made the systems less expensive and more accurate -- though just how accurate remains a subject of debate.&lt;br /&gt;&lt;br /&gt;Most systems work by taking pictures of faces, comparing them to a template and making dozens of measurements of each one, including factors like the distance between the eyes. 
In the case of Imagis Technologies -- the company in Vancouver, British Columbia, that created the software out of earlier work on recognizing patterns in satellite photographs -- the program detects hundreds of ''light source positions.'' It also measures factors like the angle of the head and facial shape, said Andy Amanovich, the company's chief technology officer.&lt;br /&gt;&lt;br /&gt;The mathematical description of those features is stored in a database, to be compared with other strings of numbers that have been derived from faces -- and also jewelry, clothes, scars and background objects like furniture or vehicles.&lt;br /&gt;&lt;br /&gt;No facial recognition system is perfect, or even close: all make mismatches and overly broad matches. Many can be confounded by simple subterfuges like wigs or glasses. Civil liberties and other groups say they cast too wide a net, invading privacy and extending the reach of surveillance too far.&lt;br /&gt;&lt;br /&gt;And the technology's credibility has not been helped, many experts agree, by exaggerated claims for its effectiveness. ''These software companies have popped off numbers that they can't really substantiate,'' said Ron Cadle, a vice president of Pellco Inc., which is adapting facial recognition systems for use in Fresno Yosemite International Airport. ''It's kind of given them a black eye.''&lt;br /&gt;&lt;br /&gt;Mr. Amanovich agreed. ''There's a lot of false claims out there and a lot of specious claims to what all technologies can do,'' he said.&lt;br /&gt;&lt;br /&gt;Nevertheless, Mr. Cadle, who uses recognition programs from Visionics Inc. and Viisage, said his company had boosted the reliability of his partners' software so that it can make a match 80 percent of the time and falsely claim a match with just 1 of every 500 passengers. Mr. 
Amanovich, however, said such figures are so malleable at this early stage that claims are not useful.&lt;br /&gt;&lt;br /&gt;The British project had its origins in a 1997 sweep in which 101 members of a child pornography trading ring called Wonderland were arrested in raids around the world.&lt;br /&gt;&lt;br /&gt;Aficionados of child pornography tend to be obsessive collectors of pictures and films, and that and other raids led to a police database of some three million images -- too many for humans to sort through effectively. (Efforts to create books or CD's by hand had yielded 1,200 identifiable faces, leading to the identification of just 18 children, one of whom had been murdered.) So in December 2000, the squad signed an agreement with a contractor, Serco Group, to automate the rest of the process. Serco turned to Imagis.&lt;br /&gt;&lt;br /&gt;Peter Spindler, a detective superintendent with the National Crime Squad, says he has been impressed with early results. The software was able to identify images from a test database -- not just images of children, but also of siblings. The feature could help identify families participating in the porn trade.&lt;br /&gt;&lt;br /&gt;But one expert in child pornography said the British effort was ''not going to do much.''&lt;br /&gt;&lt;br /&gt;Dr. John Philip Jenkins, a professor of history at Penn State and author of ''Beyond Tolerance: Child Pornography on the Internet,'' said child pornography photos were unlikely to lead investigators to the children involved. A child victim's identity, he said, ''is only likely to come to light if the child comes up in an abuse case.''&lt;br /&gt;&lt;br /&gt;Many of the images, he added, now flow from the former Soviet Union, where lax enforcement allowed the trade to flourish. 
There, he said ''police corruption is going to limit the effectiveness of any attempt to use this technology'' successfully.&lt;br /&gt;&lt;br /&gt;He called for international efforts to crush online image trading.&lt;br /&gt;&lt;br /&gt;But Detective Spindler said the police had to try to do more than restrict the traffic in illicit images. ''It's not simply about identifying people who are abusing the Internet, people who are trading child pornography,'' he said. ''This is about people abusing children.''&lt;br /&gt;&lt;br /&gt;Photo: A detective in London, Peter Spindler, left, says image identification from a test database was impressive. Dave Lutes, chief engineer of Imagis Technologies, demonstrates the program in Victoria with a mock photo. (Jeff Vinick for The New York Times); (Johnathan Player for The New York Times) Chart: ''How Face-Recognition Technology Works'' Face-recognition technology is increasingly being used in security systems and law-enforcement investigations. Here is one approach, the basis of systems made by several companies in the field. FIRST LOOK -- The system must decide whether the image before it is a human face. It looks for a pair of eyes and the borders of the face. RESIZING -- The computer adjusts the contrast and size of the image to make it similar in format to the other faces in its database. MATH -- The image is now a grid of pixels, each with a "gray scale" value between 0 for black and 255 for white. These can be expressed as numbers and used to process the image mathematically. COMPARISON -- The face is compared with 128 archetypal faces, or eigenfaces, made from thousands of faces in a database. The new face is described as being similar, by percentages, to the eigenfaces. RESULT -- The system compares the new face's eigenface against the eigenfaces of all the real people in its database, then displays all the people the new face resembles, in order of similarity. 
(Source: ''Face Recognition for Smart Environments,'' Alex Pentland and Tanzeem Choudhury, in the IEEE publication Computer; Jim Wayman, San Jose State University)&lt;br /&gt;&lt;br /&gt;By JOHN SCHWARTZ&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-646759474666631947?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/646759474666631947/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/new-side-to-face-recognition-technology.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/646759474666631947'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/646759474666631947'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/new-side-to-face-recognition-technology.html' title='New Side to Face-Recognition Technology: Identifying Victims'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-3617590822405367840</id><published>2009-03-05T16:50:00.000-08:00</published><updated>2009-03-05T16:52:15.342-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><title type='text'>Self-encrypting drive standard gains momentum</title><content type='html'>I've long been a big proponent of self-encrypting drives as the best way to encrypt data-at-rest on 
PCs and storage systems.&lt;br /&gt;&lt;br /&gt;This belief became a lot more real in January when the Trusted Computing Group published three storage encryption standards for laptops, enterprise storage, and software interoperability. Fujitsu, Hitachi, Seagate, and Toshiba support these standards and are already shipping self-encrypting drives.&lt;br /&gt;&lt;br /&gt;In February, IBM joined the fray, further validating the self-encrypting drive standard. IBM announced that its massive DS8000 storage system will now offer self-encrypting drives to protect the confidentiality and integrity of data-at-rest. LSI, another leading storage system vendor, is also on board.&lt;br /&gt;&lt;br /&gt;I have to believe that Fujitsu and Hitachi will soon follow this trend. Both companies currently offer encrypting storage systems that use a cryptographic processor resident in their storage controllers. Since both companies supply self-encrypting drives, it is likely that they will replace encrypting controllers with self-encrypting drives in future product revisions.&lt;br /&gt;&lt;br /&gt;It seems to me that the dominoes are falling at an accelerating pace and that within two to three years, every device that ships with a hard drive or solid-state disk will offer self-encrypting drives. 
Chief information security officers, purchasing managers, management software vendors, and government agencies should plan for this inevitability.&lt;br /&gt;&lt;br /&gt;  by Jon Oltsik&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-3617590822405367840?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/3617590822405367840/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/self-encrypting-drive-standard-gains.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3617590822405367840'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/3617590822405367840'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/self-encrypting-drive-standard-gains.html' title='Self-encrypting drive standard gains momentum'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-7094695583292191796</id><published>2009-03-04T14:24:00.000-08:00</published><updated>2009-03-04T14:25:00.552-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Ειδήσεις'/><title type='text'>ATM Scam Yields $9M</title><content type='html'>&lt;object type="application/x-shockwave-flash" id="video" width="320" height="280" 
data="http://www.myfoxny.com/video/videoplayer.swf"&gt;&lt;param value="http://www.myfoxny.com/video/videoplayer.swf" name="movie"/&gt;&lt;param value="&amp;skin=MP1ExternalAll-MFL.swf&amp;embed=true&amp;adSrc=http%3A%2F%2Fad%2Edoubleclick%2Enet%2Fadx%2Ftsg%2Ewnyw%2Fnews%3Bdcmt%3Dtext%2Fxml%3Bpos%3D%3Btile%3D2%3Bsz%3D320x240%3Bord%3D923284748850792100%3Frand%3D0%2E013629582998125556&amp;flv=http%3A%2F%2Fwww%2Emyfoxny%2Ecom%2Ffeeds%2FoutboundFeed%3FobfType%3DVIDEO%5FPLAYER%5FSMIL%5FFEED%26componentId%3D115415063&amp;img=http%3A%2F%2Fmedia2%2Emyfoxny%2Ecom%2F%2Fphoto%2F2009%2F02%2F02%2F090202atmscam%5Ftmb0001%5F20090202223239557%5F640%5F480%2EJPG&amp;story=http%3A%2F%2Fwww%2Emyfoxny%2Ecom%2Fdpp%2Fnews%2F090202%5FFBI%5FInvestigates%5F9%5FMillion%5FATM%5FScam" name="FlashVars"/&gt;&lt;param value="all" name="allowNetworking"/&gt;&lt;param value="always" name="allowScriptAccess"/&gt;&lt;/object&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-7094695583292191796?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/7094695583292191796/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/atm-scam-yields-9m.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7094695583292191796'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7094695583292191796'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/atm-scam-yields-9m.html' title='ATM Scam Yields 
$9M'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-5277669712769115523</id><published>2009-03-04T13:53:00.000-08:00</published><updated>2009-03-04T13:55:13.687-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><title type='text'>Judge orders defendant to decrypt PGP-protected laptop</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://i.i.com.com/cnwk.1d/i/bto/20090226/020106fd_lawsuits.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 184px; height: 138px;" src="http://i.i.com.com/cnwk.1d/i/bto/20090226/020106fd_lawsuits.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;A federal judge has ordered a criminal defendant to decrypt his hard drive by typing in his PGP passphrase so prosecutors can view the unencrypted files, a ruling that raises serious concerns about self-incrimination in an electronic age.&lt;br /&gt;&lt;br /&gt;In an abrupt reversal, U.S. District Judge William Sessions in Vermont ruled that Sebastien Boucher, who a border guard claims had child porn on his Alienware laptop, does not have a Fifth Amendment right to keep the files encrypted.&lt;br /&gt;&lt;br /&gt;"Boucher is directed to provide an unencrypted version of the Z drive viewed by the ICE agent," Sessions wrote in an opinion last week, referring to Homeland Security's Immigration and Customs Enforcement bureau. 
Police claim to have viewed illegal images on the laptop at the border, but say they couldn't access the Z: drive when they tried again nine days after Boucher was arrested.&lt;br /&gt;&lt;br /&gt;Boucher's attorney, Jim Budreau, already has filed an appeal to the Second Circuit. That makes it likely to turn into a precedent-setting case that creates new ground rules for electronic privacy, especially since Homeland Security claims the right to seize laptops at the border for an indefinite period. Budreau was out of the office on Thursday and could not immediately be reached for comment.&lt;br /&gt;&lt;br /&gt;The Fifth Amendment says nobody can be "compelled in any criminal case to be a witness against himself," which Magistrate Judge Jerome Niedermeier ruled in November 2007 prevented Boucher from being forced to divulge his passphrase to prosecutors.&lt;br /&gt;&lt;br /&gt;Originally, the U.S. Department of Justice asked the magistrate judge to enforce a subpoena requiring Boucher to turn over "passwords used or associated with" the computer. In their appeal to Sessions, prosecutors narrowed their request and said they only want Boucher to decrypt the contents of his hard drive before the grand jury, apparently by typing in his passphrase in front of them.&lt;br /&gt;&lt;br /&gt;At issue in this case is whether forcing Boucher to type in that PGP passphrase--which would be shielded from and remain unknown to the government--is "testimonial," meaning that it triggers Fifth Amendment protections. 
The counterargument is that since defendants can be compelled to turn over a key to a safe filled with incriminating documents, or provide fingerprints, blood samples, or voice recordings, unlocking a partially-encrypted hard drive is no different.&lt;br /&gt;&lt;br /&gt;Barry Steinhardt, director of the ACLU's technology and liberty program, said on Thursday that the opinion reached the wrong conclusion and that Boucher "should have been able to assert his Fifth Amendment rights. It's not the same thing as asking him to turn over the Xeroxed copy of a document."&lt;br /&gt;&lt;br /&gt;"There is no distinction" between requiring a defendant to turn over the passphrase or type it in himself in front of a grand jury, Steinhardt said. "Either of those things results in an encrypted set of files being brought into plain view."&lt;br /&gt;&lt;br /&gt;Judge Sessions reached his conclusion by citing a Second Circuit case, U.S. v. Fox, that said the act of producing documents in response to a subpoena may communicate incriminating facts in two ways: first, if the government doesn't know where the incriminating files are, or second, if turning them over would "implicitly authenticate" them.&lt;br /&gt;&lt;br /&gt;Because the Justice Department believes it can link Boucher with the files through another method, it's agreed not to formally use the fact of his typing in the passphrase against him. (The other method appears to be having the ICE agent testify that certain images were on the laptop when viewed at the border.)&lt;br /&gt;&lt;br /&gt;Sessions wrote: "Boucher's act of producing an unencrypted version of the Z drive likewise is not necessary to authenticate it. He has already admitted to possession of the computer, and provided the government with access to the Z drive. 
The government has submitted that it can link Boucher with the files on his computer without making use of his production of an unencrypted version of the Z drive, and that it will not use his act of production as evidence of authentication."&lt;br /&gt;&lt;br /&gt;The defendant is a Canadian citizen who is a lawful permanent resident in the United States and lived with his father in Derry, N.H.&lt;br /&gt;&lt;br /&gt;Boucher was initially arrested when customs agents stopped him and searched his laptop when he and his father crossed the border from Canada on December 17, 2006. An officer opened the laptop, accessed the files without a password or passphrase, and allegedly discovered "thousands of images of adult pornography and animation depicting adult and child pornography." Boucher was read his Miranda rights, waived them, and allegedly told the customs agents that he may have downloaded child pornography. But then--and this is key--the laptop was shut down after Boucher was arrested.&lt;br /&gt;&lt;br /&gt;It wasn't until December 26 that a Vermont Department of Corrections officer tried to access the laptop--prosecutors obtained a subpoena on December 19--and found that the Z: drive was encrypted with PGP, or Pretty Good Privacy. (PGP sells software, including whole disk encryption and drive-specific encryption, which can be configured to forget the passphrase after a certain time. That would effectively re-encrypt the Z: drive.) 
&lt;br /&gt;&lt;br /&gt;by Declan McCullagh&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-5277669712769115523?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/5277669712769115523/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/judge-orders-defendant-to-decrypt-pgp.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5277669712769115523'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/5277669712769115523'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/judge-orders-defendant-to-decrypt-pgp.html' title='Judge orders defendant to decrypt PGP-protected laptop'/><author><name>Aizak</name><uri>http://www.blogger.com/profile/00567763496307809703</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-7897472109373226773</id><published>2009-03-03T16:53:00.000-08:00</published><updated>2009-03-03T16:56:37.397-08:00</updated><title type='text'>Thumbs.db: How Computer Forensics Can Reveal Traces of a Deleted Image</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://www.sonnenschein.com/images/images_infosec/fingerprint.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 240px; height: 235px;" 
src="http://www.sonnenschein.com/images/images_infosec/fingerprint.jpg" border="0" alt="" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;In recent years, initiatives such as Operation Ore have stepped up efforts to identify and prosecute those possessing indecent images of children in England and Wales. When a person is suspected of such an offence, the first action by the police is usually to confiscate all their computer equipment so that it can be examined by a computer forensic analyst. The aim of this analysis is to recover any evidence of indecent images on the suspect’s computer.&lt;br /&gt;&lt;br /&gt;Often the suspect will have deleted the images before the police reach them. In such cases, computer forensic analysts often look to the Thumbs.db file on computers running Windows XP to reveal the presence of images, even after they have been ‘deleted’ by the user.&lt;br /&gt;&lt;br /&gt;A thumbs.db file is automatically generated whenever a user views a folder in ‘thumbs’ or ‘filmstrip’ mode. The file creates a set of small images (no more than 96×96 pixels), known as thumbnails, for all of the images in a folder. The purpose of this file is to speed up the time it takes to display a folder in ‘thumbs’ mode by creating a cached thumbnail of each image so that Windows does not have to create a new one every time. Files that are indexed in a Thumbs.db file include image files such as JPEGs, BMPs, GIFs and PNGs, document image files such as TIFFs and PDFs, video files such as AVIs and MOVs, presentation files such as PPTs and some HTML web pages.&lt;br /&gt;&lt;br /&gt;When the Thumbs.db file creates a thumbnail of an image, this often remains on a person’s computer even after they have deleted the image file itself. 
Many people fail to delete the Thumbs.db file when deleting images because it is a ‘hidden file’, meaning that it is only viewable in a directory when the “Show Hidden Files” option is turned on.&lt;br /&gt;&lt;br /&gt;Thumbs.db data is stored in ‘OLE Compound Document format’, which means the contents of the file cannot be viewed without specialist knowledge or software. However, computer forensic experts are able to convert the data stored within a Thumbs.db file into readable form, extracting each of the thumbnail images, along with information such as the original file name and the date each thumbnail was last written. There are also a number of tools available that can be used to extract and view the data in a Thumbs.db file. These include ‘Encase’ and ‘AccessData FTK’, which offer a simple user interface for viewing the thumbnails within Thumbs.db files.&lt;br /&gt;&lt;br /&gt;Evidence extracted from Thumbs.db files can carry significant weight in court cases. For example, in December 2008, a Norwegian man, Martin Stenstadvolden, pleaded guilty to downloading child pornography after computer forensic analysis revealed cached thumbnails of illicit images, which he believed he had erased all trace of. With the sheer amount of information on the Internet becoming greater every day, and new technology producing ever more illicit ways of sharing indecent images, computer forensics represents an increasingly vital tool in the arsenal of law enforcement.&lt;br /&gt;&lt;br /&gt;IntaForensics is a BS EN ISO 9001:2000 registered firm providing Computer Forensics, Expert Witness, Mobile Phone Forensics, and Forensic Data Recovery to the Legal Sector, Police Forces, Local Authorities and Commercial organisations internationally. 
Visit Computer Forensics for further information.&lt;br /&gt;&lt;br /&gt;Info originated from  &lt;a href=" http://www.onlinewarehouse.co.uk/thumbsdb-how-computer-forensics-can-reveal-traces-of-a-deleted-image/"&gt;here&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/465677049890029931-7897472109373226773?l=greekforensicscommunity.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://greekforensicscommunity.blogspot.com/feeds/7897472109373226773/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/thumbsdb-how-computer-forensics-can.html#comment-form' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7897472109373226773'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/465677049890029931/posts/default/7897472109373226773'/><link rel='alternate' type='text/html' href='http://greekforensicscommunity.blogspot.com/2009/03/thumbsdb-how-computer-forensics-can.html' title='Thumbs.db: How Computer Forensics Can Reveal Traces of a Deleted Image'/><author><name>anonimity</name><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='16' height='16' src='http://img2.blogblog.com/img/b16-rounded.gif'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-465677049890029931.post-5612665381968556241</id><published>2009-02-26T08:46:00.000-08:00</published><updated>2009-02-26T08:51:04.862-08:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Forensics'/><category scheme='http://www.blogger.com/atom/ns#' term='Tools'/><title type='text'>Presentation:The Volatility Framework: Volatile memory artifact extraction utility framework</title><content type='html'>&lt;span 
style="font-weight:bold;"&gt;Overview&lt;/span&gt;&lt;br /&gt;The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.&lt;br /&gt;&lt;br /&gt;The Volatility Framework demonstrates our commitment to and belief in the importance of open source digital investigation tools. Volatile Systems is committed to the belief that the technical procedures used to extract digital evidence should be open to peer analysis and review. We also believe this is in the best interest of the digital investigation community, as it helps increase the communal knowledge about systems we are forced to investigate. 
Similarly, we do not believe the availability of these tools should be restricted and therefore encourage people to modify, extend, and make derivative works, as permitted by the GPL.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Capabilities&lt;/span&gt;&lt;br /&gt;The Volatility Framework currently provides the following extraction capabilities for memory samples&lt;br /&gt;&lt;br /&gt;    * Image date and time&lt;br /&gt;    * Running processes&lt;br /&gt;    * Open network sockets&lt;br /&gt;    * Open network connections&lt;br /&gt;    * DLLs loaded for each process&lt;br /&gt;    * Open files for each process&lt;br /&gt;    * Open registry handles for each process&lt;br /&gt;    * A process' addressable memory&lt;br /&gt;    * OS kernel modules&lt;br /&gt;    * Mapping physical offsets to virtual addresses (strings to process)&lt;br /&gt;    * Virtual Address Descriptor information&lt;br /&gt;    * Scanning examples: pr
