Monday, September 18, 2006


News Item 7276 If Phone Fraud Happens in the FBI Can Congress Hear It?

Back in May, MSNBC's Bob Sullivan revealed that a House investigation into the fraudulent acquisition of individuals' phone records by private investigators revealed that some of these PIs' customers included government agencies such as the FBI, a story that didn't get enough attention at the time.

News.com's Declan McCullagh pays it some mind today and rightly lectures Congress for its attempts to find a way to let government agencies practice fraud, while outlawing it for companies like HP.

The problem, though, is that the proposals in front of Congress aren't likely to stop some of the most aggressive users of "pretexting": the FBI, the Department of Homeland Security and other law enforcement agencies.

They're simply immunized. Police who engage in pretexting and the shady private investigators they hire won't be affected. A CNET News.com chart of 11 supposedly "anti-pretexting" bills shows that all but four bills exempt police in one way or another.

Let's be clear about what pretexting is. It means committing fraud to acquire someone's personal records, such as phone calls, without their consent. It's like hiring a private investigator to break into someone's safe-deposit box one evening because you're curious about their net worth. [...]

This all amounts to an extreme case of double standards. HP's unethical behavior appears to have targeted no more than 20 people and was not, as far as we know, a routine procedure.

Too bad the solons in Congress can't get half as outraged about unethical behavior that affects far more Americans and, disturbingly, has become a routine practice by the very police agencies charged with upholding our laws.

Sounds about right from here. Three letter agencies and cops around the country, if you want phone records, get thee to a magistrate and apply for a warrant.
[27B Stroke 6]
11:56:38 PM

News Item 7275 Consent Form for NSA Surveillance.

It turns out the NSA has a consent form you can fill out to give the agency permission to monitor your overseas phone calls and e-mail.

The form (.pdf) comes from a procedures manual (.pdf) FOIAed by John Young at Cryptome. It looks like it was crafted for government employees who want to go the extra mile for Uncle Sam. But there's no reason you can't volunteer -- unless, of course, you have something to hide.

Executive Order 12333
Consent Agreement
Signals Intelligence Coverage


I _____________ (full name) _________________________ title ________________, hereby consent to the National Security Agency undertaking to seek and disseminate communications to or from or referencing me in foreign communications for the purpose of ___________________.

This consent applies to administrative messages alerting elements of the United States Signals Intelligence System to this consent as well as to any signals intelligence reports which may relate to the purpose stated above.

Except as otherwise provided by Executive Order 12333 procedures, this consent covers only information which relates to the purpose stated above and is effective for the period: _______________.

Signals intelligence reports containing information derived from communication to or from me may only be disseminated to me and to __________________. Signals intelligence reports containing information derived from communication referencing me may only be disseminated to me and to [names of departments and agencies, e.g., DoD. CIA. etc] except as otherwise permitted by procedures under Executive Order 12333.

(SIGNATURE)
(TITLE)

(UNCLASSIFIED until completed. Classify
completed form based on information added,
but not lower than CONFIDENTIAL.)

For "purpose", I'd write, "To win the War on Terror." Effective: "Until the War on Terror is won." I suggest sending it to the NSA's main address at Fort Meade with an appropriate Attn line:

National Security Agency
Attn: Spy on Me!
9800 Savage Road, Suite 6740
Fort Meade, MD 20755-6740

This is a great opportunity to show that you stand behind your president. The Specter bill is poised to make the NSA's warrantless surveillance of Americans legal, but it isn't yet the law of the land, and a federal judge has already ruled the program violates federal statute and the Constitution. If every man, woman and child in the U.S. fills out this form and sends it to the NSA, the agency, and President Bush, will no longer be breaking the law.

Remember, there's no Terrorist Surveillance Program without U.

Forward this to everyone you know.
[27B Stroke 6]
11:53:18 PM

News Item 7274 firstamendmentcenter.org: Former FCC lawyer: Media study was destroyed

WASHINGTON -- The Federal Communications Commission ordered its staff to destroy all copies of a draft study that suggested greater concentration of media ownership would hurt local TV news coverage, a former lawyer at the agency says.

The report, written in 2004, came to light Sept. 12 during the Senate confirmation hearing for FCC Chairman Kevin Martin.

Sen. Barbara Boxer, D-Calif., received a copy of the report "indirectly from someone within the FCC who believed the information should be made public," according to Boxer spokeswoman Natalie Ravitz.

Adam Candeub, now a law professor at Michigan State University, said senior managers at the agency ordered that "every last piece" of the report be destroyed. "The whole project was just stopped -- end of discussion," he said. Candeub was a lawyer in the FCC's Media Bureau at the time the report was written and communicated frequently with its authors, he said.

Boxer last night asked the FCC to begin a formal investigation into why the report was never circulated. In the letter, Boxer asked the FCC's Office of Inspector General "to conduct an independent investigation into who suppressed this report."


11:48:37 PM

News Item 7273 FCC study on media ownership ordered destroyed.

Rory Litwin at Library Juice reports on this AP story about a former FCC lawyer stating that a report on media ownership was ordered destroyed by the FCC:

WASHINGTON - The Federal Communications Commission ordered its staff to destroy all copies of a draft study that suggested greater concentration of media ownership would hurt local TV news coverage, a former lawyer at the agency says.

The report, written in 2004, came to light during the Senate confirmation hearing for FCC Chairman Kevin Martin.

Sen. Barbara Boxer, D-Calif., received a copy of the report "indirectly from someone within the FCC who believed the information should be made public," according to Boxer spokeswoman Natalie Ravitz.

...Adam Candeub, now a law professor at Michigan State University, said senior managers at the agency ordered that "every last piece" of the report be destroyed. "The whole project was just stopped - end of discussion," he said. Candeub was a lawyer in the FCC's Media Bureau at the time the report was written and communicated frequently with its authors, he said.

In a letter sent to Martin Wednesday, Boxer said she was "dismayed that this report, which was done at taxpayer expense more than two years ago, and which concluded that localism is beneficial to the public, was shoved in a drawer."

Following Senator Boxer's protest of this action, the FCC has posted the report on its website.

[michaelzimmer.org]
11:44:51 PM

News Item 7272 New Firefox Version Fixes 7 Security Holes.

Mozilla this week pushed out a new version of its Firefox Web browser to mend at least seven security holes in the program, including at least four flaws that attackers could use to install software on vulnerable computers.

Firefox version 1.5.0.7 patches several serious security vulnerabilities, including a potential threat to the security of the browser's automatic update functionality, as well as one demonstrated last month that could allow bad guys to fool the browser into accepting perfectly forged digital certificates of the sort typically used to verify the authenticity of a secure Web site or digitally signed e-mail.

If you are using any version of Firefox 1.5, the browser should download and install the update automatically, and alert you that a restart of the browser is needed. If you are using an older version of Firefox, it's time to uninstall the old version (might want to back up that profile first) and upgrade to the latest version.

[Security Fix]
11:40:45 PM

News Item 7271 Newly Detected IE Exploit Spells Massive Spyware Trouble.

A previously undocumented flaw in Microsoft's Internet Explorer Web browser is reportedly being exploited by online criminals to install an entire kitchen sink of malicious software on any computer that visits any of a handful of sites currently exploiting the vulnerability.

Researchers at Sunbelt Software discovered the exploit last week while conducting some routine online surveillance of known crimeware gangs. According to Sunbelt researcher Eric Sites, the exploits at the moment appear to be hosted mainly on hardcore porn sites. But if past experience with new IE exploits holds true, we may soon see this exploit being sewn into the fabric of legitimate, but poorly programmed, business Web sites that hackers can manipulate to their advantage.

According to Sites, among the nasty pieces of software an IE user can expect to be whacked with upon visiting one of the sites is the BigBlue keystroke logger, which monitors and captures data from computers including screenshots, keystrokes, web cam and microphone data; it also records instant messaging chat sessions, e-mail information and the Web sites visited by the user.

The exploit is also being used to install the incredibly invasive Spybot worm and VXGame Trojan, as well as adware titles that scam artists profit from on a per installation basis, such as Virtumondo, SafeSurfing, Avenue Media, WebHancer, Internet Optimizer, SurfSidekick, DollarRevenue, and the bogus anti-spyware program SpySheriff.

And that's not even the half of it, Sites said. "We haven't even fully analyzed this piece of malware yet."

Sites said Sunbelt had notified Microsoft of the discovery. I put in a call to the company late Monday but haven't heard back yet. I will update the blog when I hear back or when the company issues an advisory about this.

This whole thing is starting to smell a lot like the activity that preceded similar attacks on an unpatched IE flaw at the beginning of the year. For a week or so at the end of 2005, a handful of crime groups were using an undocumented IE vulnerability to attack people who visited a small number of fringe or hardcore porn Web sites, and Microsoft downplayed the threat from it by noting that fact. As the new year arrived, however, hundreds of legitimate Web sites had been compromised and were installing spyware on the computers of any user who visited them with the IE browser.

"Usually, as soon as we see these things in the wild like this they start spreading very quickly," Sites said.

Sites said the flaw appears to be the result of Microsoft's implementation in IE of "vector mark-up language," or "VML" for short -- an XML Web programming language used to create scalable graphics.

This new exploit, combined with two other publicly available exploits for a separate, unpatched IE flaw, should give pause to anyone using the Microsoft browser. My advice: If you or someone you care about is in the habit of cruising the Web with IE, now would be a very good time to get acquainted with another browser that doesn't use IE's rendering engine, such as Firefox or Opera.

But if IE is your browser of choice, make sure you have Windows set to receive automatic software updates, and be very careful about visiting Web sites that are off the Internet's beaten path.

[Security Fix]
11:38:59 PM