Thursday, March 8, 2007

Homeland Security revives supersnoop - The Washington Times Homeland Security officials are testing a supersnoop computer system that sifts through personal information on U.S. citizens to detect possible terrorist attacks, prompting concerns from lawmakers who have called for investigations. The system uses the same data-mining process that was developed by the Pentagon's Total Information Awareness (TIA) project that was banned by Congress in 2003 because of vast privacy violations. A Government Accountability Office (GAO) investigation of the project called ADVISE -- Analysis, Dissemination, Visualization, Insight and Semantic Enhancement -- was requested by Rep. David R. Obey, Wisconsin Democrat and chairman of the House Appropriations Committee. The investigation focuses on whether the program violates privacy laws, and the findings will be released after completion of the Iraq war supplemental spending bill, possibly as early as this week, a panel aide said. The ADVISE and TIA data-mining projects rely on personal data to track individual behavior and consumer transactions to develop computer algorithms that create a pattern that some behavioral scientists say can predict terrorist behavior. Data can include credit-card purchases, telephone or Internet details, medical records, travel and banking information. Privacy concerns prompted lawmakers on both sides of the aisle to introduce legislation in January to require that government agencies disclose data-mining practices in regular reports to Congress. "A serious discussion on the implications of data-mining programs is long overdue," Sen. Russ Feingold, Wisconsin Democrat and a sponsor of the bill, said yesterday. Sen. John E. Sununu, New Hampshire Republican, is also a bill sponsor. 7:21:29 PM

FCW.com News - Census Bureau accidentally exposes personal data The Census Bureau accidentally posted personal information on 302 households on a public server several times since October 2006, officials said. The personal information, including names, addresses, phone numbers, birthdates, family income ranges and other demographic data, was contained in a file that was placed on a public server for the purposes of testing new software applications. The file included about 250 fake accounts in addition to the real information. The bureau found out about the mistake when it found the file on the server in mid-February. 7:04:50 PM

heise Security - All Microsoft updates phone home Possibly as a reaction to heise Security's report that Windows Genuine Advantage Notification sends back data to Redmond even when users choose to terminate its installation, a Microsoft developer using the pseudonym alexkoc has now posted an entry in the WGA blog. There he reveals that every update that flows through Windows Update at the very least informs Microsoft about whether the installation was successful or not. In the Privacy Statement of Windows Update Microsoft grants itself fairly far-reaching rights. Thus the information collected by the Redmond-based behemoth includes the computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug&Play ID numbers of hardware devices, region and language setting, Globally Unique Identifier (GUID), Product ID and Product Key, BIOS name, revision number, and revision date. By way of justifying Microsoft's approach, alexkoc writes that the EULA, likewise presented by the WGA installer, also covered the relaying of such information. With some updates such as the WGA Notification, the installer transmits data that Microsoft says it merely requires for quality control purposes and to improve the installer itself. The WGA package thus, among other things, sends back an event code. To calm the fears of users, alexkoc presents a graphic explaining the various fields of such a data packet. When the product IDs and product keys found belong to legal software, Microsoft will delete the data right away; only in cases of suspected software piracy will it store the data, the company has said. In the blog, the company once again explicitly states that it does not use the information gathered to identify or contact users. 6:54:34 PM

All Microsoft Updates Phone Home. All Microsoft Updates Phone Home.   juct writes  "In the wake of heise Security's report on the garrulous WGA Notification, Microsoft has now supplied additional details on the data sent. They have revealed to developers that apparently all updates relay information to the company in Redmond."  [Slashdot: Your Rights Online] 6:49:17 PM

Vishing: Dialing for Dollars, Part II. Vishing: Dialing for Dollars, Part II. Security Fix received a copy of a new scam e-mail targeting Bank of America customers that is likely to con quite a few folks before it is shut down. Sure, Bank of America is hit by this sort of thing all the time. It's the fourth most popular target for "phishing" scams that use e-mail to lure people into giving away their data at counterfeit sites, according to stats just released by PhishTank. But this is one of the more convincing voice phishing or "vishing" attacks I've seen yet. Vishing scams start with an e-mail lure that asks the recipient to call a specific 1-800 number to settle some matter with his or her account. The numbers usually are connected to an automated system that asks the caller to key in data from a credit card -- the 16-digit account number, the expiration date and the three-digit security code on the back. This new Bank of America scam has the same elements, but its execution is nearly flawless (unlike the majority of previous vishing scams Security Fix has seen, which either bungle the voice mail system or use a lure full of poor spelling and grammar). It informs the recipient that his account has been suspended because it was used to purchase "obscene or certain sexually oriented goods or services." From the e-mail: "We are hereby notifying you that, after a recent review of your account activity, it has been determined that you are in violation of Bank of America's Acceptable Use Policy. Therefore, your account has been temporarily limited for: hotjasmin.com cam shows. In order to remove the limit please call our TOLL FREE number [omitted]." That domain is registered to a guy in the Netherlands, but it's currently inactive. I recorded a short snippet of the first 45 seconds or so of the automated phone message used in this attack. If the you enter the requested information, the voice then asks for your bank PIN: "Bank of America asks for your PIN in order to verify your identity. This also enables us to assist federal authorities in order to prevent money laundering and other illegal activities." Generally, it's a good idea not to even dial these bogus 1-800 numbers, as you're essentially giving the scammers your phone number, a key piece of your personal data. It's also a good idea to be very suspicious of e-mails that ask you to call any number. When in doubt, open up a browser Window and find the official Web site of your financial institution, then look up the customer-service number listed there. [Security Fix] 6:41:03 PM

C-SPAN Unchains Congressional Hearing Videos. C-SPAN Unchains Congressional Hearing Videos. C-SPAN has announced that, effective immediately, its videos of Congressional hearings, White House briefings, and other federal events will be freely available for noncommercial copying, sharing and posting, so long as attribution is included (sounds like the Creative Commons by-nc license, but no confirmation on whether that's what they are using). According to the C-SPAN press release, the move recognizes that we're in "an age of explosive growth of video file sharers, bloggers and online citizen journalists." This is fantastic news! A considerable helping of the credit belongs to Carl Malamud, who responded to a copyright kerfuffle involving House Speaker Nanci Pelosi's use of C-SPAN hearing footage by writing an open letter to C-SPAN's CEO Brian Lamb challenging him to open up the archives to enable these kinds of public uses of C-SPAN content. Several meetings later, it appears C-SPAN decided to rise to the challenge. Kudos to Carl, and kudos to C-SPAN. This is an amazing bit of public service all around. (Full disclosure: EFF represented Carl in connection with this issue, but we hardly lifted a finger -- all credit goes to Carl.) [EFF: Deep Links] Editor: Hmm maybe I'll have to consider making some snippets available in the future. A lot of hearings are dry, but every once in a while you get a real gem. 5:56:27 PM

Cuban gets stuck into YouTube, demands it squeals. Cuban gets stuck into YouTube, demands it squeals. 'Talk, morons' Attention-seeking tech billionaire Mark Cuban has set the legal dogs on YouTube, demanding it snitch on users who uploaded video which one of his investments owns the rights to. [The Register - Music and Media] 5:47:54 PM

© Copyright 2007 Paul Hardwick. Last update: 3/18/07; 4:40:12 PM.