AOL Ditches Security Tokens To Make Logging In Easier
AOL Ditches Security Tokens To Make Logging In Easier: Via Threat Level.
AOL customers who sprang for the company’s $10 “PassCode” security token to harden their account can get ready to toss their fancy crypto-numeric keyfobs in the same landfill as all those CD-ROMs AOL mailed them in the 1990s.
As the Virginia-based company prepares for its December 10 spin off from Time Warner, it’s telling customers that it will no longer support RSA’s SecurID tokens, which it began offering as an optional extra in 2004. AOL drew accolades from security types at the time, for what was ballyhooed as the first broad consumer deployment of two-factor authentication. [ Read more ... ]
Cell-Tracking Bills Require Info Dump for Missing Persons
Cell-Tracking Bills Require Info Dump for Missing Persons: Via Threat Level.
Mobile phone companies would have to immediately turn over location data to emergency responders to help them quickly track missing persons, if any one of the four bills floating in the House get traction.
The law already allows, but does not automatically require, phone companies to turn over ping data from cell towers in emergency situations absent court warrants. The proposals would require telcos to promptly hand over the information if authorities tell them that harm or death are imminent.
At first glance, one might think the bills are a slippery slope toward requiring telcos to release such information during any criminal investigation, even when there is no pending emergency. But the Obama administration has jumped feet first into that slippery slope, and is seeking such information, without a court warrant, in a pending drug case. [ Read more ... ]
OpenID Pilot Program to be Announced by US Government
OpenID Pilot Program to be Announced by US Government: Via ReadWriteWeb. Hat tip to LauraS.
Ten private companies, a number of US Government Federal Agencies primarily in the Health sector and the OpenID and Information Card Foundations will announce this morning in Washington DC the launch of a pilot program to allow members of the public to log in to participating government websites with their credentials from approved independent websites.
That's right - someday soon you'll be able to log in to the websites of the Department of Health and Human Services, the National Institutes of Health and other government agencies with your accounts from Google, Yahoo and similar services. Below we discuss the privacy protection steps being taken, the usability issues and the ultimate significance of this announcement. [ Read more ... ]
Malware Steals ATM Data
Malware Steals ATM Data: Via Schneier on Security.
One of the risks of using a commercial OS for embedded systems like ATM machines: it's easier to write malware against it:
The report does not detail how the ATMs are infected, but it seems likely that the malware is encoded on a card that can be inserted in an ATM card reader to mount a buffer overflow attack. The machine is compromised by replacing the isadmin.exe file to infect the system.
The malicious isadmin.exe program then uses the Windows API to install the functional attack code by replacing a system file called lsass.exe in the C:\WINDOWS directory.
Once the malicious lsass.exe program is installed, it collects users' account numbers and PIN codes and waits for a human controller to insert a specially crafted control card to take over the ATM.
After the ATM is put under control of a human attacker, they can perform various functions, including harvesting the purloined data or even ejecting the cash box.
Judge Tosses Telecom Spy Suits
Judge Tosses Telecom Spy Suits: Via Threat Level.
A federal judge on Wednesday dismissed lawsuits targeting the nation’s telecommunication companies for their participation in President George W. Bush’s once-secret electronic eavesdropping program.
In his ruling, U.S. District Judge Vaughn Walker upheld summer legislation protecting the companies from the lawsuits. The legislation, which then-Sen. Barack Obama voted for, also granted the government the authority to monitor Americans' telecommunications without warrants if the subject was communicating with somebody overseas suspected of terrorism.
Bush acknowledged the so-called Terror Surveillance Program in December 2005, and claimed that, as chief executive, his war powers gave him the authority to spy without court authorization. [ Read more ... ]
Irish ISP Agrees to Ban Copyright Scofflaws
ISP Agrees to Ban Copyright Scofflaws: Via Threat Level
The music industry's move to ban from the internet alleged copyright scofflaws inched forward when an Irish internet service provider agreed to a so-called "three-strikes" policy to discontinue service for repeat copyright offenders.
The move by Eircom Group, the largest telecom in Ireland, comes a month after American record labels announced they would work with U.S.-based internet service providers to adopt the same program, a plan called "graduated response." In June, the French cabinet approved legislation mandating a similar program where third-time offenders lose service for at least a year, a plan which Italy is also considering.
None of the major ISPs in the United States, however, has signed on yet. Verizon told us weeks ago it would not participate under the Recording Industry Association of America's proposal. The always clued-in Greg Sandoval at CNET, citing unnamed sources, wrote that Comcast and AT&T were close to coming on board. The RIAA's private detectives perform the surveillance on file sharing networks. [ Read more ... ]
Anti-Piracy Firm Offering ISPs Money For Outing File-Sharers
Anti-Piracy Firm Offering ISPs Money For Outing File-Sharers - Via Slashdot: Your Rights Online:
mytrip points out news that an anti-piracy firm called Nexicon has been offering financial incentives to ISPs in exchange for having the ISPs police their own networks for copyright infringement. Nexicon would offer their services (for a fee) to help the ISPs pinpoint users who are illegally sharing files, and then give the users an option to "settle" through their "Get Amnesty" website. The revenue generated by such settlements would then be shared with the ISPs. Jerry Scroggin, owner of a smaller ISP in Louisiana, is still skeptical, saying, "I would still wind up losing customers. I would also have to pay Nexicon for this ... I have to survive in this economy but I don't have the big marketing dollars that bigger ISPs have. I have to fund 401(K)s and find ways not to lay off people. Giving free rein to the RIAA is not part of my business model."
FairPoint ready for final switch from Verizon
FairPoint ready for final switch from Verizon: Via Rutland Herald Online
FairPoint spokeswoman Beth Fastiggi said Friday that Internet customers will keep their existing user names and passwords but will use a different domain: myfairpoint.net. [ Read more ... ]
Did Anti-Spam Group Create a Backstory For DarkMarket's Undercover Fed?
Did Anti-Spam Group Create a Backstory For DarkMarket's Undercover Fed? - Via Threat Level:
Did a leading spammer-tracking site help create a Ludlow-esque background legend for an undercover FBI agent infiltrating the computer underground?
One of the mysteries still surrounding the FBI's bold sting operation against DarkMarket's computer fraudsters concerns the online identity assumed by Pittsburgh FBI agent J. Keith Mularski, who took control of the top English-speaking crime website under the handle Master Splynter. [ Read more ... ]
Homer Simpson and the Kimya Botnet
Homer Simpson and the Kimya Botnet - Via Slashdot:
An anonymous reader writes "As all hardcore Simpsons fans know, Chunkylover53@aol.com was revealed to be Homer Simpson's email address in one particular episode, registered by one of the show's writers, who would reply to fans as Homer himself. After a flood of messages, 'Homer' signed off — seemingly forever. Well, in the last few days, security company Facetime Communications reports that anyone who had Homer on their AIM buddy list would have noticed his sudden reappearance. Unfortunately for all, he appears to have been hacked and is pushing malware links which deposit those unlucky enough to run the file into a Turkish botnet. The message claims the file is a 'web exclusive' episode of the TV show — an interesting way of targeting a specific group of fans who would assume Homer's return would only coincide with something special like (say) a TV episode just for them. What I want to know is, is Homer smart enough to run an AV scan?"
Judge Says First-Ever RIAA Piracy Trial May Need a Do-Over
Judge Says First-Ever RIAA Piracy Trial May Need a Do-Over - Via Threat Level:
The federal judge who oversaw the Recording Industry Association of America's lawsuit against Jammie Thomas said Thursday he might have erred with one of his instructions to the jury, and is considering granting a new trial.
In response, an RIAA spokeswoman said, "if we have to re-try the case, we will do so without hesitation."
U.S. District Court Judge Michael Davis, who presided over the nation's only file sharing case to go to a jury, noted in a brief order (.pdf) Thursday that, under federal case law, infringing a copyright likely requires actual dissemination of the pirated content, not merely making copyrighted works available. [ Read more ... ]
Bloggers Respond to WSJ's NSA Surveillance Article
Bloggers Respond to WSJ's NSA Surveillance Article - Via EFF: Deep Links:
Bloggers have already begun tackling the Wall Street Journal's "omnibus" article about expansive domestic surveillance by the National Security Agency (NSA). While many posts are providing large excerpts thanks to the Wall Street Journal's onerous paywall (which actually seems to be disabled for the story at the time of this writing), bloggers are reaching similar conclusions: [ Read more ... ]
Facebook Wants Founder's Privacy Back, THREAT LEVEL to Blame?
Facebook Wants Founder's Privacy Back, THREAT LEVEL to Blame? - Via Threat Level:
There's much online ado about the independent Harvard magazine 02138 posting documents from the court case accusing Facebook founder Mark Zuckerberg of stealing the idea for the social networking site from some classmates, mainly because the documents include Zuckerberg's Harvard application with his full Social Security Number. (The sensitive info has since been redacted).
THREAT LEVEL read some of the transcripts from Zuckerberg's deposition where his arrogance is clear, but I mostly ignored the story until Facebook lawyers started stamping their feet, ironically complaining about privacy violations and crying that the documents should never have been released by the court. [ Read more ... ]
NJ Spammer Gets Two Years Jail for AOL Spam Scam
Slashdot | NJ Spammer Gets Two Years Jail for AOL Spam Scam: "Tech.Luver writes 'A man from New Jersey has been sentenced to more than two years in prison for sending more than a million spam messages to AOL users. [ Read more ... ]
Who Loves Real ID? AOL, Microsoft and Yahoo Do.
Who Loves Real ID? AOL, Microsoft and Yahoo Do.: "The federal Real ID Act doesn’t have many friends these days. Eighteen states have passed legislation rejecting the law, Congress has refused to put any money into implementing it, and just this week New York Gov. Elliot Spitzer announced he, not the Feds, would determine New York’s drivers license policy, with officials in his administration indicating the state might opt out of the Real ID program altogether.
The few remaining cheerleaders for this national ID system, which promises to be a nightmare for privacy and identity security, have resorted to classic doublespeak to try to salvage Real ID’s reputation. On the Department of Homeland Security blog Wednesday, Secretary Michael Chertoff claims Real ID would actually protect privacy. (‘War is Peace’ and ‘Freedom is Slavery’ will be the subjects of future blogs.) [ Read more ... ]
AOL Instant Messaging Client Vulnerable to Exploitation, Uninstall It Now
AOL Instant Messaging Client Vulnerable to Exploitation, Uninstall It Now:
AOL's Instant Messaging software, both the old client and the new beta, contains a security hole that lets anyone who sends you a message run arbitrary commands and exploit Internet Explorer without the user having to do anything, according to Ryan Naraine at Zero Day.
The hole, first reported to AOL more than a month ago, will not be fixed until the middle of October for the millions of people using AOL's AIM client. [ Read more ... ]
Privacy commissioner says mining info from used-goods sellers a slippery slope | CFRB
Privacy commissioner says mining info from used-goods sellers a slippery slope | CFRB: TORONTO (CP) - Ontario's privacy commissioner has ordered the city of Ottawa and its police force to stop mining "extensive" information from people selling goods to second-hand stores, cautioning the practice is a slippery slope toward an Orwellian society where authorities could misuse private data.
Information and Privacy Commissioner Ann Cavoukian has also ordered the destruction of all personal information already collected, marking the first time she has used a special cease-and-destroy provision in the province's privacy laws.
"It seems to me that this is a solution in search of a problem," [ Read more ... ]
Class Action Initiated Against RIAA
Class Action Initiated Against RIAA: NewYorkCountryLawyer writes "Ever since the RIAA's litigation campaign began in 2003, many people have been suggesting a class action against the RIAA. Tanya Andersen, in Oregon, has taken them up on it. The RIAA's case against this disabled single mother, Atlantic v. Andersen, has received attention in the past, for her counterclaims against the RIAA including claims under Oregon's RICO statute, the RIAA's hounding of her young daughter for a face-to-face deposition, the RIAA's eventual dropping of the case 'with prejudice,' and her lawsuit against the RIAA for malicious prosecution, captioned Andersen v. Atlantic. Now she's turned that lawsuit into a class action. [ Read more ... ]
Contracts can't be changed online without notice, court rules
Contracts can't be changed online without notice, court rules: A federal appeals court has ruled that companies can't change their contracts and post those revisions online without notifying customers first.
The ruling (download PDF) by the U.S. Court of Appeals for the Ninth Circuit paves the way for Joe Douglas, a customer of telephone company Talk America Holdings Inc., to file a class-action suit against the company. Talk America has since merged with Cavalier Telephone LLC in Richmond, Va. Cavalier could not be reached for comment.
Privacy experts and others have been grappling with the issue of how companies service customers online, as well as how they use their personal information after mergers or acquisitions, since the emergence of e-commerce in the 1990s.
"It seems as if this was born of someone trying to get something out of someone," said Sucharita Mulpuru, an analyst at Forrester Research Inc. in Cambridge, Mass.
Mulpuru said companies should always notify customers before making any changes to their policies.
"How hard is it to send out an e-mail letting people know about [any changes]?" she said. [ Read more ... ]
Courts Reject Tech Corporation Bans on Class Action Suits
Courts Reject Tech Corporation Bans on Class Action Suits: "Frosty Piss writes 'Class action waivers included in cell phone companies' contracts with customers are invalid in Washington State because they violate the state's Consumer Protection Act, the state Supreme Court ruled Thursday. Five plaintiffs accused Cingular of [ Read more ... ]
Experian rejects ID theft notification proposal
Experian rejects ID theft notification proposal | Channel Register: Credit rating giant Experian has rejected the notion of automatically informing UK citizens when their ID details may have been hijacked.
Experian's hardline stance came at a conference on 'Big Brother Britain' in London today, where a number of speakers said that more severe penalties and obligations should be imposed on companies to ensure that individuals' data privacy concerns are taken seriously.
Anna Fielder, policy consultant at the National Consumer Council, said the UK should follow the example of California, where companies who expose individuals' data have to contact and notify the individuals concerned. [ Read more ... ]
Encryption vendor claims AACS infringes its patents, sues Sony
Encryption vendor claims AACS infringes its patents, sues Sony: Canadian encryption vendor Certicom yesterday filed a wide-ranging lawsuit against Sony, claiming that many of the products offered by the electronics giant infringe on two Certicom patents. This might sound like business as usual until you realize what's being targeted: AACS and (by extension) the PlayStation 3.
Certicom has done extensive work in elliptic curve cryptography (ECC), and the patents in question build on this work. The patents have already been licensed by groups like the US National Security Agency, which paid $25 million back in 2003 for the right to use 26 Certicom patents, including the two in the Sony case. [ Read more ... ]
NY teen hacks AOL, infects systems
NY teen hacks AOL, infects systems - Network World: "A New York teenager broke into AOL LLC networks and databases containing customer information and infected servers with a malicious program to transfer confidential data to his computer, AOL and the Manhattan District Attorney's Office allege.
In a complaint filed in Criminal Court of the City of New York, the DA's office alleges that, between December 24, 2006 and April 7, 2007, 17-year-old Mike Nieves committed offenses including computer tampering, computer trespass and criminal possession of computer material. [ Read more ... ]
What MSN, Google, Yahoo and AOL Know About You
What MSN, Google, Yahoo and AOL Know About You: "hotgist writes 'America's top four Internet companies, Google, Yahoo, AOL and Microsoft's MSN, promise they will protect the personal information of people who use their online services to search, shop and socialize. But a close read of their privacy policies reveals as much exposure as protection. [ Read more ... ]