Thursday, September 21, 2006


News Item 7303 Stop Specter's Surveillance Bill on the Senate Floor!

Stop Specter's Surveillance Bill on the Senate Floor!

Last week, the Senate Judiciary Committee unfortunately passed Senator Specter's dangerous surveillance bill, along with a related NSA spying proposal. But this fight is far from over -- with your help, we can beat these bills on the Senate floor.

Every day we hold off these bills provides another opportunity for the courts and the public to make their voices heard. Judges in three courts -- including Judge Walker in EFF's case against AT&T -- have already rejected the government's bogus arguments shielding the NSA spying program. In just over two weeks, Congress will head into recess, and the November election gives the public a chance to rebuke those who have supported illegal spying.

Take action now and tell your representatives to stop the surveillance bills.

[EFF: Deep Links]
12:57:46 PM

News Item 7302 Free anonymous browsing.

Free anonymous browsing.

Surf's up for privacy

A modified version of Mozilla Firefox that lets users browse the web anonymously has been released.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:43:01 PM

News Item 7301 Feds Offer Identity Theft Recs.

Feds Offer Identity Theft Recs.
The President's Identity Theft Task Force announced interim recommendations, including having Congress change the law so that identity theft victims get compensation for the time they spend fixing their credit history and reducing the government's reliance on social security numbers as identifiers, Attorney General Alberto R. Gonzales and Federal Trade Commission Chairman Deborah Platt Majoras announced today.

Other recommendations include having the Office of Management and Budget (OMB) issue regulations to agencies on how to deal with Data Breaches, create a universal police report for identity theft, and encourage banks and credit issuers to use biometrics to verify identity and prevent fraud.

The report can be found in its pdf glory here. An identity theft fact sheet (mostly about federal prosecutions) is also available in pdf form.

A final plan is due in November.

Will this mean that finally the Department of Education will stop printing social security numbers on every student loan statement?

  [27B Stroke 6]
12:41:28 PM

News Item 7300 Tweaked Firefox Lets You Surf Internet Without a Trace.

Tweaked Firefox Lets You Surf Internet Without a Trace. Torpark browser makes Web surfing more anonymous. [PC World: Latest Technology News]
12:39:19 PM

News Item 7299 ATM Hack Uncovered.

ATM Hack Uncovered.
A security expert in New York has learned how to get free money from some ATMs by entering a special code sequence on the PIN pad.

Last week, news reports circulated about a cyber thief who strolled into a gas station in Virginia Beach, Virginia, and, with no special equipment, reprogrammed the mini ATM in the corner to think it had $5.00 bills in its dispensing tray, instead of $20.00 bills.

Using a pre-paid debit card, the crook then made a withdrawal, and casually strolled off with a 300% profit in his pocket.

Foolishly, he left the ATM misprogrammed this way for 9 days -- presumably to the delight of other customers -- before a good Samaritan reported the issue and exposed the caper.

How, exactly, he pulled off the swindle remained unreported. Curious, Dave Goldsmith, a computer security researcher at Matasano Security began poking around. Based on CNN's video, he identified the ATM as a Tranax Mini Bank 1500 series.

He then set out to see if he could get a copy of the manual for the apparently-vulnerable machine to find out how the hack worked. Fifteen minutes later, he reported success.

I am holding in my hands a legitimately obtained copy of the manual. There are a lot of security sensitive things inside of this manual. As promised, I am not going to reveal them, but there are:

  • Instructions on how to enter the diagnostic mode.
  • Default passwords
  • Default Combinations For the Safe

Do not ask me for them.

I didn't have to. Following his clues, I found a copy of the Tranax manual online, from a third-party website, within a few seconds. Sure enough, it includes a special key sequence to put the ATM into "Operator Mode." Passwords are required from there, but the default passwords are listed.

The manual suggests operators change the default passwords. Presumably, Tranax sent out a reminder of this important tip last week after the Virginia heist appeared on CNN. Otherwise, expect long lines at the ATM for a while.

  [27B Stroke 6]
12:37:01 PM

News Item 7298 Privacy Expert on Feds' Identity Theft Recs.

Privacy Expert on Feds' Identity Theft Recs.
As noted earlier today, a federal task force recommended some changes to how the federal government, states and the law deal with the growing problem of identity theft and identity fraud.

What does Beth Givens, the head of the Privacy Rights Clearinghouse which works to help identity theft victims, think of the suggestions?

The recommendations are as fine as far as they go. Some are quite good, for example the uniform police report, I think that's quite excellent.

But there are some things missing. I was surprised they didn't touch specifically on the whole matter of the Medicare card having the SSN printed on it and the military ID number being your SSN. We see a great deal of identity theft that is caused because millions and millions of Americans are forced to carry these cards in their pockets.

And when those wallets are stolen, they don't have their SSN card in there but they certainly have their Social Security number in there.

The other thing they missed is the biggest issue of all, which is prevention.

Identity theft is at epidemic proportions because credit issuers are giving credit to crooks. Now why aren't credit issuers doing a better job of identifying illegitimate applications?
Givens points to some complicated rulemaking that was left to the Federal Trade Commission and the Federal Reserve Board when Congress passed the Fair and Accurate Credit Transactions Act in 2003. That bill contained a number of consumer protections, such as free annual credit reports (get yours here).

One of the rules still being developed is known as the "Red Flag" rulemaking, which details the kinds of data discrepancies that credit issuers would be required to look for.

The Red Flag rules say, "Hey, credit issuers, if there is an address discrepancy (between what is on an application and what is in your credit file) maybe that's a red flag." So it's the rulemaking that requires credit issuers to pay attention to the anomalies and discrepancies that could be an indicator of fraud. And it has taken so long for even the agencies to issue the rules.

What they need to do is issue the regulations and not let it drag on anymore because that's where the rubber meets the road in terms of identity theft prevention.

Givens says if a credit issuer were to ignore the most prominent red flags on an ongoing basis, then the FTC could have reason to investigate or punish the company.
Given that credit issuers currently are liable and pay for most credit fraud, why haven't they stopped identity theft by tightening the loose standards of an instant credit society, say by requiring a phone call or email to your contact information on record?

Apparently, they are still making more money by extending credit to lots and lots of people with minimal evaluation of the applications than they are losing from the small percentage of those that are fraudulent.

I suppose the algebra is still on the plus side.
  [27B Stroke 6]
12:30:44 PM

News Item 7297 House Committees Approve Spy Bills.

House Committees Approve Spy Bills.

The House Judiciary Committee and the House Permanent Select Committee on Intelligence both approved versions of a wiretapping bill that radically expands presidential snooping power and legalizes the National Security Agency's current warrantless surveillance program.

The committees passed differing versions of H.R. 5825, the "Electronic Surveillance Modernization Act," authored by Representative Heather Wilson (R-NM), while a companion bill in the Senate has been resubmitted to the Senate Intelligence Committee.

The Wilson bill (.pdf) gives the president the power to declare a pre-emptive state of emergency and have free rein to wiretap Americans and search their homes without court warrants if the President submits a secret letter to the heads of Congress, Congressional Intelligence committees, and the secret court set up to handle wiretapping warrants.

Each certification lasts 90 days and can be re-authorized indefinitely in 90 day increments by sending another letter. Neither the court nor Congress can contest the declaration.

Like the Specter bill in the Senate, Wilson's bill redefines surveillance so that capturing any international communication to or from an American is defined as not-surveillance. Acquiring the phone records and addressing information of any or all Americans' domestic emails, text or instant messages is also not surveillance.

Given the short schedule left before Congress departs for the campaign trail, it's unclear if any of these bills will actually make it into law.

  [27B Stroke 6]
12:25:48 PM

News Item 7296 ATM Crime Spree Imminent?

ATM Crime Spree Imminent?

I ran to the Shell Food Mart across the street from Wired News HQ, and found a Tranax Mini-Bank 1500 sitting oblivious next to the potato chips.

I did not try the default password. But, I have to wonder, how many vulnerable ATM machines are out there?

According to the company website, "Tranax has installed more than 70,000 ATMs and self-service terminals throughout North America." Besides the 1500, that includes card and ticket kiosks, and two other ATM models which may or may not have the same issue. But the Mini-Bank 1500 is the company's flagship.

Now that the Virginia gas station hack has brought this cash-friendly crime to the fore, the implications are mind-boggling: how many people bother to change default passwords, if given the option not to?

There are some limitations for crooks though. From the manual, it appears the ATM has a hard limit on the number of bills it will dispense -- 40 per transaction. That caps the net take from a single card, at a single machine, at a meager $600.

So it's a high-tech street crime, at best. I'd bet the perp in Virginia Beach has been pulling this caper for a long time, probably as part of an organized ring. I wonder if they practice the button-presses on a mock-up ATM pad, until the sequence for free money is absorbed into muscle memory.

A Tranax spokeswoman told me at 4:00 p.m. she'd look into the whole thing and get back to me. For now, it's unclear what action the company has taken.

And what about other ATMs? A Google search turned up the manual for a line of small cash machines from Tranax competitor Triton. These ATMs also have a backdoor key sequence, and a lamentably simple default password printed in the manual. But using it requires the ATM be power-cycled, which probably makes it less attractive to crooks. Who wants to be seen futzing with an ATM's power cord at the Quick-E-Mart?

If you have experience with other models, or special insight into retail ATM security, drop me a line.
  [27B Stroke 6]
12:23:14 PM

News Item 7295 Hurd Knew About Deception Campaign.

Hurd Knew About Deception Campaign. New reports implicate HP chief more deeply than previously thought. [PC World: Latest Technology News]
12:18:55 PM

News Item 7294 Super cops seek fixed link to town centre CCTV.

Super cops seek fixed link to town centre CCTV.

Wireless makes surveillance easy in UK

The Serious Organised Crime Agency (SOCA) is seeking a permanent tap into a network of 850 CCTV cameras that look down on greater Manchester.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:17:07 PM

News Item 7293 Law chief wants wiretap evidence.

Law chief wants wiretap evidence.

Takes lessons from US

Wire tap evidence should be admissible in court, attorney general Lord Goldsmith has told the Guardian newspaper after being briefed by his opposite number in the United States.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:15:02 PM

News Item 7292 Thailand faces media clampdown.

Thailand faces media clampdown.

No news is not good news

Thai radio, television and internet operators will from tomorrow face closure if they disseminate "news and comments deemed a threat to national security and the monarchy", Reuters reports.

[The Register - Internet and Law: Digital Rights/Digital Wrongs]
12:13:44 PM

News Item 7291 Safe Storage, Mac Style.

Safe Storage, Mac Style. Disk-level encryption provides a safety net without a hassle.

[CSO Online Data Security Briefing]

12:11:52 PM