Exploits
Software exploits that can compromise your privacy and security

 



















  Wednesday, March 14, 2007


Four Colorado Counties Placed on Election Watch List. Errors with voting machines, delays in voting, inadequate security cited. [GT: Security and Privacy]
4:04:05 PM    

Latest ID-Theft Worry? Copiers. Digital photocopiers use hard drives to store data. If not properly secured, they can be vulnerable to data thieves. By the Associated Press. [Wired News: Security Blanket]
3:55:53 PM    

Photocopiers: The newest ID theft threat. Photocopiers made in recent years often have hard drives that store what's been duplicated -- making them a potential target for identity thieves. [Computerworld Privacy News]
3:40:11 PM    

Apple Releases a Bushel of Software Patches.

Today turned out to be "Patch Tuesday" after all, only the security updates were released by Apple instead of Microsoft.

Apple issued security updates to plug at least 46 separate security holes in its operating system and other software. The updates are available through Apple's site or via the built-in Software Update feature.

Nearly one-third of the fixes mend flaws outlined in the controversial Month of Kernel Bugs and Month of Apple Bugs projects from November 2006 and January 2007, respectively. Also included was a patch for a serious flaw in Apple's Software Update application.

A number of the patches address third-party applications built for use on Mac OS X and Mac OS X Server systems. Today's bundle fixes at least seven bugs in the MySQL database software, and two flaws in OpenSSH, a tool used to encrypt online communications. Other programs patched in this release include iPhoto, QuickDraw, and Adobe's Flash Player.

[Security Fix]
11:35:07 AM    

Tracking the Password Thieves.

The Washington Post today ran a story I wrote about an epidemic of data theft being fueled by password-stealing viruses and phishing attacks. In some ways, the story behind the reporting that went into the piece is just as interesting, so I'd like to share a few of those details.

I based the story in part on a cache of stolen data I found online (more on how I obtained it in a bit). The data was being compiled by a password-stealing virus that had infected many thousands of computers worldwide; the particular text file that I found included personal information on 3,221 victims scattered across all 50 U.S. states.

Using a custom-built application that makes use of the Google Maps API, I was able to chart the approximate locations of the victims. This was possible because at the beginning of each record was the virus's best guess of the longitude and latitude of the infected computer's Internet address. This so-called "geo-IP" process is far from perfect: Sometimes these automated guesses are disturbingly accurate, and other times they are miles wide or completely wrong.

The approximate location of the 3,221 U.S. residents victimized by this virus (Data gathered by washingtonpost.com; image courtesy Secure Science Corp. and Google).

Scammers collect information about the location of their victims because it becomes useful when they want to conduct fraud with a hijacked credit or debit card account. The idea here is to evade a key component of fraud detection in the financial industry -- transaction location tracking. If Joe in Georgia starts suddenly withdrawing money or making purchases in Nigeria or Europe when his last transaction was an hour earlier in Atlanta, Joe's bank is going to flag the transactions as fraudulent and in all likelihood cancel the card.

[Security Fix]
11:30:56 AM    


© Copyright 2007 Paul Hardwick.
Last update: 3/18/07; 5:47:13 PM.
