Thursday, March 8, 2007

NHL Union Denies E-mail Spying. NHL Union Denies E-mail Spying. The union's chief Ted Saskin denies monitoring player's e-mails, pointing fingers at his predecessor Bob Goodenow, who also denied the spying allegations. By the Associated Press. [Wired News: Top Stories] 11:55:23 PM

State Eyes Age Checks for MySpace. State Eyes Age Checks for MySpace. Connecticut legislators want to force social-networking sites to verify users' ages and lock down parents' permission before minors can post personal profiles. By the Associated Press. [Wired News: Security Blanket] 11:36:59 PM

Now on the menu at Ruby Tuesday: Better security. Now on the menu at Ruby Tuesday: Better security. Spurred by the growing list of data breaches that have plagued other companies in recent years, restaurant chain Ruby Tuesday is moving to strengthen its credit card security efforts. [Computerworld Privacy News] 11:30:36 PM

Telecoms.com - Telecoms industry "worst for consumer privacy" The telecoms industry has been accused of collecting excessive amounts of personal data from its customers, with telecom firms faring worse for privacy than companies in other industries. The accusations come in the "First Quarter 2007 Online Customer Respect Study of the Telecommunications Industry", from international research... Editor: Just this teaser unless you register at their site. 7:27:48 PM

heise Security - All Microsoft updates phone home Possibly as a reaction to heise Security's report that Windows Genuine Advantage Notification sends back data to Redmond even when users choose to terminate its installation, a Microsoft developer using the pseudonym alexkoc has now posted an entry in the WGA blog. There he reveals that every update that flows through Windows Update at the very least informs Microsoft about whether the installation was successful or not. In the Privacy Statement of Windows Update Microsoft grants itself fairly far-reaching rights. Thus the information collected by the Redmond-based behemoth includes the computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug&Play ID numbers of hardware devices, region and language setting, Globally Unique Identifier (GUID), Product ID and Product Key, BIOS name, revision number, and revision date. By way of justifying Microsoft's approach, alexkoc writes that the EULA, likewise presented by the WGA installer, also covered the relaying of such information. With some updates such as the WGA Notification, the installer transmits data that Microsoft says it merely requires for quality control purposes and to improve the installer itself. The WGA package thus, among other things, sends back an event code. To calm the fears of users, alexkoc presents a graphic explaining the various fields of such a data packet. When the product IDs and product keys found belong to legal software, Microsoft will delete the data right away; only in cases of suspected software piracy will it store the data, the company has said. In the blog, the company once again explicitly states that it does not use the information gathered to identify or contact users. 6:54:34 PM

All Microsoft Updates Phone Home. All Microsoft Updates Phone Home.   juct writes  "In the wake of heise Security's report on the garrulous WGA Notification, Microsoft has now supplied additional details on the data sent. They have revealed to developers that apparently all updates relay information to the company in Redmond."  [Slashdot: Your Rights Online] 6:49:17 PM

SEC Suspends Trading for 35 Companies Due to Spam. SEC Suspends Trading for 35 Companies Due to Spam. The U.S. Securities and Exchange Commission says the companies allegedly benefited from spam e-mail campaigns to hype their stocks.  [PC World: Latest Technology News] 6:46:03 PM

Vishing: Dialing for Dollars, Part II. Vishing: Dialing for Dollars, Part II. Security Fix received a copy of a new scam e-mail targeting Bank of America customers that is likely to con quite a few folks before it is shut down. Sure, Bank of America is hit by this sort of thing all the time. It's the fourth most popular target for "phishing" scams that use e-mail to lure people into giving away their data at counterfeit sites, according to stats just released by PhishTank. But this is one of the more convincing voice phishing or "vishing" attacks I've seen yet. Vishing scams start with an e-mail lure that asks the recipient to call a specific 1-800 number to settle some matter with his or her account. The numbers usually are connected to an automated system that asks the caller to key in data from a credit card -- the 16-digit account number, the expiration date and the three-digit security code on the back. This new Bank of America scam has the same elements, but its execution is nearly flawless (unlike the majority of previous vishing scams Security Fix has seen, which either bungle the voice mail system or use a lure full of poor spelling and grammar). It informs the recipient that his account has been suspended because it was used to purchase "obscene or certain sexually oriented goods or services." From the e-mail: "We are hereby notifying you that, after a recent review of your account activity, it has been determined that you are in violation of Bank of America's Acceptable Use Policy. Therefore, your account has been temporarily limited for: hotjasmin.com cam shows. In order to remove the limit please call our TOLL FREE number [omitted]." That domain is registered to a guy in the Netherlands, but it's currently inactive. I recorded a short snippet of the first 45 seconds or so of the automated phone message used in this attack. If the you enter the requested information, the voice then asks for your bank PIN: "Bank of America asks for your PIN in order to verify your identity. This also enables us to assist federal authorities in order to prevent money laundering and other illegal activities." Generally, it's a good idea not to even dial these bogus 1-800 numbers, as you're essentially giving the scammers your phone number, a key piece of your personal data. It's also a good idea to be very suspicious of e-mails that ask you to call any number. When in doubt, open up a browser Window and find the official Web site of your financial institution, then look up the customer-service number listed there. [Security Fix] 6:41:03 PM

Patch Reprieve for March's Black Tuesday. Patch Reprieve for March's Black Tuesday. Windows PC users and corporate system administrators worldwide will earn a reprieve from Redmond next week. Microsoft said today it has no plans to release new software security updates this month. It's not as if there aren't any outstanding security flaws that Microsoft could fix this month, but the situation could be a lot worse. Perhaps Redmond is simply being kind to corporate IT folk, many of whom are working hard to update their companies' software and hardware for the early daylight saving switch this weekend: For the first time in 20 years, daylight saving time will not start on the first Sunday in April. Instead, it will begin three weeks earlier, at 2 a.m. on the second Sunday in March, the 11th. Our IT staff has sent numerous e-mails to laptop users to drop by and make sure the Macs and PCs are all up to date. (Apple and Microsoft have already pushed out patches to address this issue, and if you've been keeping up to date with them, you should be fine, but Windows users can consult this page to be sure.) By the way, updates are available to fix this shift for Palm and Windows Mobile PDAs. Normally, Microsoft plugs security holes in its software on the second Tuesday of every month, also known as "Patch Tuesday." Microsoft moved to a regular patch cycle a few years ago to make it more predictable for companies who need to staff or schedule extra IT personnel to test and deploy the updates to what could be thousands of systems. The system administrators to whom that task falls typically dread the monthly chore and have a different name for it: "Black Tuesday." It's been a while since Windows users have been given a pass on patches. By my count, the last time Microsoft skipped a cycle was back in September 2005. [Security Fix] 6:03:31 PM

Cuban gets stuck into YouTube, demands it squeals. Cuban gets stuck into YouTube, demands it squeals. 'Talk, morons' Attention-seeking tech billionaire Mark Cuban has set the legal dogs on YouTube, demanding it snitch on users who uploaded video which one of his investments owns the rights to. [The Register - Music and Media] 5:47:54 PM

No Microsoft Security Updates Coming Mext Week. No Microsoft Security Updates Coming Mext Week. In one of only a handful of times since 2003, Microsoft won't have security patches available next week. [PC World: Latest Technology News] 5:40:55 PM

The Fix is In: Massive Web Radio Fee Hike and the XM/Sirius Merger. The Fix is In: Massive Web Radio Fee Hike and the XM/Sirius Merger. Greetings. While no conspiracy beyond "business as usual" is required to explain this confluence of events, it is fascinating to note the continuing collapse of true competition in the music and radio industries (as in the Internet ISP industry).  [Lauren Weinstein's Blog] 5:37:56 PM

© Copyright 2007 Paul Hardwick. Last update: 3/18/07; 4:57:12 PM.