Friday, March 31, 2006


News Item 5677 Totally Random One Time Pads.

Totally Random One Time Pads. liliafan writes "Scientists in Japan have come up with a way of harnessing a truly random data source for generating one time encryption pads: Quasars. One time encryption pads are widely accepted as being the most secure form of encryption, but this new technology from the National Institute of Information and Communications Technology makes the pads even more secure." [Slashdot]
11:58:21 AM
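The item above rests on two properties of a one-time pad that the blurb does not spell out: the pad bytes must be unpredictable, and each byte must be used exactly once. The following Python is an added example written for this page, not code from the Slashdot submission or from the Japanese project; it uses `os.urandom` as a stand-in for a hardware noise source such as the quasar receiver described, and the messages, the seed value and the `PadStore` class are all constructed for illustration. It shows the XOR round trip, a pad store that refuses to hand out the same bytes twice, what a seeded (predictable) pad gives away, and the classic two-time-pad leak where reusing a pad cancels it out and exposes the XOR of the two plaintexts.

```python
import os
import random


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """XOR `data` with the first len(data) bytes of `pad`.

    Encryption and decryption are the same operation. The pad must be at
    least as long as the data, otherwise trailing bytes would go unencrypted.
    """
    if len(pad) < len(data):
        raise ValueError("pad shorter than message: every byte needs its own pad byte")
    return bytes(d ^ p for d, p in zip(data, pad))


class PadStore:
    """Holds pad material and hands each byte out exactly once.

    Both parties would hold an identical copy; `offset` tracks consumption so
    that no region of the pad is ever reused (hypothetical helper for this page).
    """

    def __init__(self, pad: bytes) -> None:
        self._pad = pad
        self.offset = 0

    def take(self, n: int) -> bytes:
        if self.offset + n > len(self._pad):
            raise RuntimeError("pad exhausted: refusing to reuse pad bytes")
        chunk = self._pad[self.offset:self.offset + n]
        self.offset += n
        return chunk

    def remaining(self) -> int:
        return len(self._pad) - self.offset


def predictable_pad(seed: int, n: int) -> bytes:
    """A pad from a seeded PRNG: anyone who learns the seed regenerates it.

    This is the failure mode a physical noise source is meant to avoid;
    random.Random is a Mersenne Twister and is not a security primitive.
    """
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If one pad encrypted both ciphertexts, ct1 XOR ct2 == pt1 XOR pt2.

    The pad cancels out, so an observer learns the XOR of the plaintexts
    without ever seeing the pad. That is why "one time" is a hard rule.
    """
    return otp_xor(ct1, ct2)


def demo() -> dict:
    # Constructed sample messages (same length, 14 bytes each), not from the article.
    msg1 = b"attack at dawn"
    msg2 = b"defend at dusk"
    # os.urandom stands in for the hardware random source; 64 bytes of pad shared by both sides.
    store = PadStore(os.urandom(64))

    # Correct use: each message consumes fresh pad bytes.
    pad1 = store.take(len(msg1))
    ct1 = otp_xor(msg1, pad1)
    roundtrip_ok = otp_xor(ct1, pad1) == msg1
    pad2 = store.take(len(msg2))
    otp_xor(msg2, pad2)

    # Misuse: msg2 is encrypted again under pad1, the bytes already spent on msg1.
    ct2_reused = otp_xor(msg2, pad1)
    leak = two_time_pad_leak(ct1, ct2_reused)

    # The store itself blocks reuse once its material is gone.
    try:
        store.take(store.remaining() + 1)
        exhaustion_refused = False
    except RuntimeError:
        exhaustion_refused = True

    return {
        "roundtrip_ok": roundtrip_ok,
        "leak_equals_plaintext_xor": leak == otp_xor(msg1, msg2),
        "pad_remaining": store.remaining(),
        "exhaustion_refused": exhaustion_refused,
    }


if __name__ == "__main__":
    print(demo())
```

Run it directly to see the result dictionary; `predictable_pad(42, 16)` returns the same bytes on every call, which is exactly the property a pad source must not have.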

News Item 5676 Hackers Serve Rootkits with Bagles

According to virus hunters at F-Secure, of Helsinki, Finland, the latest Bagle.GE variant loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners.

The use of offensive rootkits in existing virus threats signals an aggressive push by attackers to get around existing anti-virus software and maintain a persistent and undetectable presence on infected machines.

Rootkits are typically used by attackers to open a backdoor into Windows systems, collect information on other systems on the network and mask the fact that the system is compromised.


11:54:55 AM

News Item 5675 Hackers Serving Rootkits with Bagles.

Hackers Serving Rootkits with Bagles. Iran Contra writes "Security researchers at F-Secure in Finland have discovered a rootkit component in the Bagle worm that loads a kernel-mode driver to hide the processes and registry keys of itself and other Bagle-related malware from security scanners. Bagle started out as a simple e-mail borne executable, and the addition of rootkit capabilities shows how far ahead of the cat-and-mouse game the attackers are." [Slashdot]
11:52:18 AM

News Item 5674 Open source security testing methodology

Truth is made of numbers. Following this golden rule, Federico Biancuzzi interviewed Pete Herzog, founder of ISECOM and creator of the OSSTMM, to talk about the upcoming revision 3.0 of the Open Source Security Testing Methodology Manual. He discusses why we need a testing methodology, why use open source, the value of certifications, and plans for a new vulnerability scanner developed with a different approach than Nessus.
11:33:02 AM

News Item 5673 InformationWeek | Child pornography, Google, DOJ | FOIA Request: DOJ Subpoena Highlights | March 30, 2006

A Freedom of Information Act request reveals that the DOJ actually subpoenaed at least 34 companies in its bid to collect data in support of the Child Online Protection Act.

The U.S. Department of Justice has gone far beyond Google, MSN, and AOL in its quest to justify the anti-pornography Child Online Protection Act: The DOJ actually subpoenaed at least 34 Internet service providers, search companies, and security software firms.

InformationWeek obtained copies of the subpoenas, replies, and other supporting documents through a Freedom of Information Act request. Here are some highlights:


11:22:37 AM

News Item 5672 34 ISPs Subpoenaed By U.S. Government.

34 ISPs Subpoenaed By U.S. Government. eanonymous writes "The Justice Department, in their continued effort to revive questionable legislation, has subpoenaed dozens of ISPs for files. Considering that ISPs generally host their users' mail, this seems like it could be a larger issue than their fight with Google over search queries. Some, like Verizon, even resisted the call for information." --- From the article: "Representatives for McAfee and Symantec confirmed that the companies had received and complied with the subpoenas. A spokeswoman at LookSmart did not immediately return a phone call. Many of the subpoenas asked for information related to products that can be used to filter out adult content for underage Internet users. Symantec's subpoena, dated June 29, asked for a wide range of information about the price and popularity of the Internet filtering products it sells and how the products are used by customers." Information Week has a number of the documents involved, including the letter of objection from Verizon. [Slashdot: Your Rights Online]
11:20:07 AM

News Item 5671 CourierPostOnline - South Jersey - Small firms need help guarding consumer data

Small businesses are just as vulnerable to losing important customer and employee data as larger firms; however, fewer small businesses have precautions in place.

Since February 2005, more than 53 million Americans have had their personal information compromised, according to the consumer watchdog Privacy Rights Clearinghouse. This is why, earlier this week, the Council of Better Business Bureaus and Privacy & American Business unveiled an educational initiative to help small businesses protect this important data.

"Small businesses aren't quite in step with their larger industry counterparts in addressing data security," said Steve Cole, president and CEO of the Council of Better Business Bureaus. "They often believe they're better protected than they really are, because they don't have in-house experts to advise them on what else they should be doing beyond locking up their storefronts."

During a conference call, Cole announced "Security & Privacy -- Made Simpler," which provides a free toolkit to small-business owners, available for download at www.bbb.org/security&privacy.


11:16:12 AM

News Item 5670 Hacker hits Georgia state database via hole in security software.

Hacker hits Georgia state database via hole in security software. An unknown hacker accessed a Georgia state database containing confidential information on more than 570,000 people by exploiting a hole in a widely used security product. [Computerworld Privacy News]
11:13:23 AM

News Item 5669 Phish Registry Launched.

Phish Registry Launched. Free online resource where organizations may register their websites and receive notifications of online fraud attempts [GT: Privacy]
11:11:37 AM

News Item 5668 US News Article | Reuters.com - Senate panel backs phone record privacy bill

WASHINGTON (Reuters) - The U.S. Senate Commerce Committee on Thursday approved legislation to protect consumers' telephone records by making it illegal to sell such information without consent.

The measure would boost penalties to as much as $30,000 per incident and up to $3 million for continuing violations by telephone companies that fail to properly safeguard consumer information.

The bill would also require carriers to inform consumers if their information was accessed without permission and let companies and individuals sue when their records are illegally obtained.

Similar legislation in the U.S. House of Representatives would increase fines to as much as $300,000 per violation and a maximum of $3 million for continuing incidents.

Both measures are in response to a wave of concerns about Internet sites offering to obtain consumers' phone records for a nominal fee. Investigations are underway by the Federal Communications Commission, the Federal Trade Commission and state attorneys general.


11:10:24 AM

News Item 5667 AP Wire | 03/30/2006 | Major changes in state privacy laws seen as unlikely this year

Open government supporters expressed relief Thursday that legislative proposals to restrict public access to records are more modest than first anticipated.

In the weeks leading up to the session, prominent politicians including Gov. Tim Pawlenty and Attorney General Mike Hatch said that some information collected by the state was vulnerable, particularly driver's license information and motor vehicle registration data. Public concern over identity theft and the upcoming statewide elections made significant changes seem inevitable.

But with the session half over, the proposed changes to the way the state handles residents' personal data are fairly modest, according to those following the bills.

"If you compare the statements made to the actual bills now being considered, it's a bit anticlimactic - which I'm happy about," said Mark Anfinson, attorney for the Minnesota Newspaper Association.

Pawlenty alarmed open government advocates when he called for a fundamental change to the state's Data Practices Act. He proposed scrapping the current presumption that all government records are public unless otherwise specified. Instead, all records would have been private unless state law specifies otherwise.


11:08:22 AM

News Item 5666 'Tag all the foreigners' - possible ID card sales pitch emerges.

'Tag all the foreigners' - possible ID card sales pitch emerges.

Why settle for oppressed illegal workers when you can have oppressed legal ones instead?

Comment The Institute for Public Policy Research (IPPR) suggestion that the UK's illegal immigrant population should be offered amnesty (full report here) does not on the surface look entirely helpful to the Government. Could it be that one of the top Blairite think tanks has joined those sinking their fangs into Mr Tony? Perhaps - but The Register's department of strange coincidences sees a strong possibility that this is a lifeboat whose time is coming.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
10:58:54 AM

News Item 5665 BMC's tips for planning an identity management rollout.

BMC's tips for planning an identity management rollout. Last week, I told you about a Webinar, "Identity Management as a Lifestyle vs. a Project," that my friends Phil Becker and Ian Glazer were putting on. The thrust of their presentation could be summed up as: once the implementation and rollout of the identity product has occurred, what else needs to be done? If you made notes, you might want to compare them with what another identity management provider recommends for consideration after implementing an identity management project. [Identity management news]
10:56:51 AM