Paul Hardwick: ReportsSurvey

Malware Threat Report for February 2007.

Sun, 04 Mar 2007 04:44:32 GMT

Malware Threat Report for February 2007. "Storm Worm," continues to severely impact worldwide mailboxes in successive waves. [GT: Security and Privacy]

FCW.com News - OMB: Agencies make headway with IT security

Sun, 04 Mar 2007 04:38:06 GMT

The state of the government's cybersecurity position has improved over the past year, but significant holes remain, especially in the areas of categorizing the risk level of systems and training, according to the Office of Management and Budget.

OMB found that more than 700 systems, including 397 managed by agencies, had not been categorized as high, medium or low risk. Also, the administration said more agency employees have received information technology security training -- up 10 percent since last year -- but more needs to be done.

In its fourth annual Federal Information Security Management Act report sent to Congress March 1, OMB said it will rely on the Security Line of Business effort to better train employees by using a standard program. OMB named three shared-service centers for security training in February: the Office of Personnel Management, the State Department and the U.S. Agency for International Development, and the Defense Department.

RIAA's 'Expert' Witness Testimony Now Online.

Sun, 04 Mar 2007 03:43:58 GMT

RIAA's 'Expert' Witness Testimony Now Online. NewYorkCountryLawyer writes "The online community now has an opportunity to see the fruits of its labor. Back in December, the Slashdot ('What Questions Would You Ask an RIAA Expert?') and Groklaw ('Another Lawyer Would Like to Pick Your Brain, Please') communities were asked for their input on possible questions to pose to the RIAA's 'expert'. Dr. Doug Jacobson of Iowa State University, was scheduled to be deposed in February in UMG v. Lindor, for the first time in any RIAA case. Ms. Lindor's lawyers were flooded with about 1400 responses. The deposition of Dr. Jacobson went forward on February 23, 2007, and the transcript is now available online (pdf) (ascii). Ray Beckerman, one of Ms. Lindor's attorneys, had this comment: 'We are deeply grateful to the community for reviewing our request, for giving us thoughts and ideas, and for reviewing other readers' responses. Now I ask the tech community to review this all-important transcript, and bear witness to the shoddy investigation and junk science upon which the RIAA has based its litigation war against the people. The computer scientists among you will be astounded that the RIAA has been permitted to burden our court system with cases based upon such arrant and careless nonsense.'" [Slashdot: Your Rights Online]

Researchers Say They Peeled the Onion Router.

Sun, 04 Mar 2007 03:31:22 GMT

Researchers Say They Peeled the Onion Router. Researchers in the U.S. say they've successfully shown how attackers could compromise a network designed to make it harder to trace Web sites they are viewing. [PC World: Latest Technology News]

Here comes image spam.

Fri, 02 Mar 2007 00:24:29 GMT

Here comes image spam. Image spam--e-mail solicitations that use graphical images of text--is not new. But its rising sophistication has made much of it invisible to spam filters so that it makes up one-third of all spam, according to Doug Bowers, director of antiabuse engineering at Symantec. E-mail traffic--83 percent of which was spam--rose in 2006, according to antispam company BorderWare, and researchers there expect image spam to grow. [CSO Online Data Security Briefing]

New SpamtaLoad Worm is Starting to Spread Rapidly, Says Report.

Wed, 28 Feb 2007 23:38:46 GMT

New SpamtaLoad Worm is Starting to Spread Rapidly, Says Report. "This type of malicious code is not usually the end in itself." [GT: Security and Privacy]

New Profiling Program Raises Privacy Concerns - washingtonpost.com

Wed, 28 Feb 2007 23:36:54 GMT

The Department of Homeland Security is testing a data-mining program that would attempt to spot terrorists by combing vast amounts of information about average Americans, such as flight and hotel reservations. Similar to a Pentagon program killed by Congress in 2003 over concerns about civil liberties, the new program could take effect as soon as next year.

But researchers testing the system are likely to already have violated privacy laws by reviewing real information, instead of fake data, according to a source familiar with a congressional investigation into the $42.5 million program.

Bearing the unwieldy name Analysis, Dissemination, Visualization, Insight and Semantic Enhancement (ADVISE), the program is on the cutting edge of analytical technology that applies mathematical algorithms to uncover hidden relationships in data. The idea is to troll a vast sea of information, including audio and visual, and extract suspicious people, places and other elements based on their links and behavioral patterns.

The privacy violation, described in a Government Accountability Office report that is due out soon, was one of three by separate government data mining programs, according to the GAO. "Undoubtedly there are likely to be more," GAO Comptroller David M. Walker said in a recent congressional hearing.

The violations involved the government's use of citizens' private information without proper notification to the public and using the data for a purpose different than originally envisioned, said the source, who declined to be identified because the report is not yet public.

The issue lies at the heart of the debate over whether pattern-based data mining -- or searching for bad guys without a known suspect -- can succeed without invading people's privacy and violating their civil liberties.

Symantec: Vista Fairly Secure but Still Full of Holes.

Wed, 28 Feb 2007 23:09:10 GMT

Symantec: Vista Fairly Secure but Still Full of Holes. There are still many ways attackers can exploit Windows Vista and leave users open to threats, according to a Symantec study. [PC World: Latest Technology News]

Administrivia: Now we have a overheated CPU ( 60 degrees centigrade )

Wed, 28 Feb 2007 00:39:01 GMT

OK, if the DDOS attack wasn't enough. Now our server went down with a temperature overload. We were up to 60 degrees centigrade when we shut down. The CPU and a broken fan have been replaced.

Administrivia: Our data-center was hit by a DDOS attack today.

Tue, 27 Feb 2007 22:19:59 GMT

Sorry for being either very slow or off the net for a while recently. The data-center we are part of was hit by a DDOS (Distributed Denial Of Service) attack recently. At the moment it looks to be under control, but we are keeping an eye on things.

Migrating to Windows Vista: Recognize the Security Risks.

Tue, 27 Feb 2007 21:25:09 GMT

Migrating to Windows Vista: Recognize the Security Risks. (Source: Messagelabs) What are the security risks involved in migrating to Microsoft Vista? This white paper examines the implications in terms of messaging and web security which IT managers urgently need to consider. [Computerworld Privacy News]

Sarasota: Could a Bug Have Lost Votes?

Tue, 27 Feb 2007 21:10:24 GMT

Sarasota: Could a Bug Have Lost Votes?

At this point, we still don[base ']t know what caused the high undervote rate in Sarasota[base ']s Congressional election. [Background: 1, 2.] There are two theories. The State-commissioned study released last week argues that for the theory that a badly designed ballot caused many voters to not see that race and therefore not cast a vote.

Today I want to make the case for the other theory: that a malfunction or bug in the voting machines caused votes to be not recorded. The case sits on four pillars: (1) The postulated behavior is consistent with a common type of computer bug. (2) Similar bugs have been found in voting machines before. (3) The state-commissioned study would have been unlikely to find such a bug. (4) Studies of voting data show patterns that point to the bug theory.

[...]

Conclusion

What conclusion can we draw? Certainly we cannot say that a bug definitely caused undervotes. But we can say with confidence that the bug theory is still in the running, and needs to be considered alongside the ballot design theory as a possible cause of the Sarasota undervotes. If we want to get to the bottom of this, we need to investigate further, by looking more deeply into undervote patterns, and by examining the voting machine hardware and software.

AHIC privacy co-chairman resigns in protest

Tue, 27 Feb 2007 00:10:39 GMT

Paul Feldman resigned on Feb. 21 as co-chairman of the American Health Information Community's Confidentiality, Privacy and Security (CPS) Workgroup, citing in a letter to Interim National Coordinator for Health Information Technology Robert Kolodner the panel's lack of "substantial progress toward the development of comprehensive privacy and security policies that must be at the core of a nationwide health information network."

Privacy Concerns a Major Roadblock for Location-based Services Says Survey.

Mon, 26 Feb 2007 23:40:51 GMT

Privacy Concerns a Major Roadblock for Location-based Services Says Survey. "Providers must give users control over location-based features to allay privacy concerns." [GT: Security and Privacy]

Tor Open To Attack.

Mon, 26 Feb 2007 23:00:19 GMT

Tor Open To Attack. An anonymous reader writes "A group of researchers have written a paper that lays out an attack against Tor (PDF) in enough detail to cause Roger Dingledine a fair amount of heartburn. The essential avenue of attack is that Tor doesn't verify claims of uptime or bandwidth, allowing an attacker to advertise more than it need deliver, and thus draw traffic. If the attacker controls the entry and exit node and has decent clocks, then the attacker can link these together and trace someone through the network." [Slashdot: Your Rights Online]

The Importance of Securing AJAX Web Applications.

Mon, 26 Feb 2007 22:42:53 GMT

The Importance of Securing AJAX Web Applications. This paper, submitted by Acunetix, reviews AJAX technologies with specific reference to JavaScript and briefly documents the kinds of vulnerability classes that should raise security concerns among developers, website owners and the respective visitors. By Acunetix. [Infosec Writers Latest Security Papers]

DRM Causes Piracy.

Sun, 25 Feb 2007 04:26:18 GMT

DRM Causes Piracy. igorsk recommends an essay by Eric Flint, editor at Baen Publishing and an author himself, over at Baen's online SF magazine, Baen Universe. In it Flint argues that, far from curbing piracy of copyrighted materials, DRM actually causes it. Quoting: "Electronic copyright infringement is something that can only become an 'economic epidemic' under certain conditions. Any one of the following: 1) The products they want... are hard to find, and thus valuable. 2) The products they want are high-priced, so there's a fair amount of money to be saved by stealing them. 3) The legal products come with so many added-on nuisances that the illegal version is better to begin with. Those are the three conditions that will create widespread electronic copyright infringement, especially in combination. Why? Because they're the same three general conditions that create all large-scale smuggling enterprises. And... Guess what? It's precisely those three conditions that DRM creates in the first place. So far from being an impediment to so-called 'online piracy,' it's DRM itself that keeps fueling it and driving it forward." [Slashdot: Your Rights Online]

Sarasota Study Report Released.

Sun, 25 Feb 2007 03:50:15 GMT

Sarasota Study Report Released.

The technical team commissioned by the State of Florida to study the technology used in the Sarasota election has released its report.

We are studying the report and will comment here as soon as we are able.

Cerf: Internet Reflects Society.

Fri, 23 Feb 2007 17:04:22 GMT

Cerf: Internet Reflects Society. Online abuses merely mirror its users' interests, says Net luminary and ICANN chief. [PC World: Latest Technology News]

What would you do as chief information security officer?

Fri, 23 Feb 2007 16:56:57 GMT

What would you do as chief information security officer. Becoming the chief information security officer (CISO) of a corporation makes you a strategic IT advisor to business management, the chief information officer, and the rest of the information technology staff. Just as no company is the same as another, the job of CISO -- or alternately, "chief security officer," which might include physical security as well -- isn't either. The four security professionals who share their priorities with us make it clear there's nothing cookie-cutter about the top IT security job.
[CSO Online Data Security Briefing]

Social Networks Key to 2008 Race.

Fri, 23 Feb 2007 16:51:14 GMT

Social Networks Key to 2008 Race. Social networking sites have changed the game for political candidates. [PC World: Latest Technology News]

Feinstein to GAO: Investigate E-voting System.

Thu, 22 Feb 2007 16:56:31 GMT

Feinstein to GAO: Investigate E-voting System.

During the 2006 election in Florida, electronic voting machines may have "undercounted" to the tune of 18,000 votes in Sarasota County. But because the new machines were not designed to provide paper receipts, there is no way to double check the vote.

Now, Senator Dianne Feinstein of California has taken action. Last week, she asked the Government Accountability Office (GAO) to investigate electronic voting systems that do not provide voter-verified paper ballots. Senator Feinstein specifically highlighted the problems in Florida, and asked for a "top to bottom investigation"

"Should the GAO become aware of any systems that are prone to software malfunctions, are susceptible to fraud, or use hardware design that would lead to voting system problems, I would request that you also inspect those systems," writes Senator Feinstein.

EFF and a coalition of voting integrity groups, representing Sarasota County voters, have filed suit in state court in Tallahassee asking for a re-vote in Florida's 13th congressional district. To find out more about EFF's work defending your right to vote, visit our E-voting page.

[EFF: Deep Links]

Core CS & Core PS Network High-Level Security Requirements.

Thu, 22 Feb 2007 15:58:10 GMT

Core CS & Core PS Network High-Level Security Requirements. Jamie Fisher submits this extensive white paper on mobile/cellular security network. By Jamie Fisher. [Infosec Writers Latest Security Papers]

Ambiguity In Ajax Lockdown Framework.

Mon, 19 Feb 2007 21:47:00 GMT

Ambiguity In Ajax Lockdown Framework. Aditya Sood contributes this paper on some contradictions he has found against a framework that is based on the concept of fusing ajax applications with direct web remoting. By Aditya Sood. [Infosec Writers Latest Security Papers]

Research: Highest Rates of U.S. Identity Fraud Found in New York.

Mon, 19 Feb 2007 03:01:01 GMT

Research: Highest Rates of U.S. Identity Fraud Found in New York. The study also finds that the Detroit and Los Angeles metropolitan areas have high rates of ID theft. [eWEEK Security]

Half of pirated Vista is malware.

Mon, 19 Feb 2007 01:35:42 GMT

Half of pirated Vista is malware. You can't cheat an honest person, they say. Like generations of scammers before them, some malware writers are taking that "advice" to heart, releasing their Trojan software and keyloggers as "cracked" versions of Vista oon peer-to-peer service. Who's going to turn them in, after all -- a would-be pirate? [Computerworld Security News]

Smokers may be the weak IT security link.

Mon, 19 Feb 2007 01:28:48 GMT

Smokers may be the weak IT security link. Just when you thought there were no more ills to ascribe to tobacco, here's one that leaves your lungs alone and attacks your network instead. A U.K. security company is warning that smokers may undermine IT security, leaving open doors that could let in intruders who could abuse a company's network. [Computerworld Security News]

How to Explain DRM to Your Dad.

Mon, 19 Feb 2007 00:02:31 GMT

How to Explain DRM to Your Dad. Several DRM-related scenarios help you explain the problem with digital rights management to people who don't see what's wrong with it. In Listening Post. [Wired News: Top Stories]

Scanning Ajax for XSS entry points.

Sun, 18 Feb 2007 23:36:31 GMT

Scanning Ajax for XSS entry points. This contribution from Shreeraj Shah, introduces one to a quick way to identify XSS entry points in an application. By Shreeraj Shah. [Infosec Writers Latest Security Papers]

ID Theft Not Down, Only Different.

Fri, 16 Feb 2007 19:13:29 GMT

ID Theft Not Down, Only Different. A report funded by the banking industry finds U.S. ID fraud is down by a half-million victims in 2006. But a data-privacy expert says the study is dead wrong. In 27B Stroke 6. [Wired News: Top Stories]

Drive-By Pharming Attack Could Hit Home Networks.

Fri, 16 Feb 2007 18:42:34 GMT

Drive-By Pharming Attack Could Hit Home Networks. Rob wrote in with a link to a CBR Online article discussing drive-by pharming, a new exploitation technique developed by Indiana University and Symantec Corporation. While it's not known if the technique is in use 'in the wild', the exploit could easily co-opt the web-browsing habits of a user that had not properly configured their router. "The attack works because most of the popular home routers ship with default passwords, default internal IP address ranges, and web-based configuration interfaces. The exploit is a single line of JavaScript loaded with a default router IP address, a default password, and an HTTP query designed to reconfigure the router to use the attacker's DNS servers." The article goes on to discuss several related and more advanced techniques related to this one, which security companies will have to keep in mind to guard against future attacks. [Slashdot]

Next Generation Data Auditing for Data Breach Detection and Risk Mitigation.

Fri, 16 Feb 2007 16:05:39 GMT

Next Generation Data Auditing for Data Breach Detection and Risk Mitigation. (Source: Tizor) This white paper reviews cases of mass data theft from the data source and provides a best practices approach for protecting your organization's sensitive data and valuable brand equity from a major data breach. Find out how to effectively secure valuable company data and download this whitepaper. [Computerworld Privacy News]

The Dangers of Default Passwords.

Fri, 16 Feb 2007 15:48:27 GMT

The Dangers of Default Passwords.

Stroll through any neighborhood with an open laptop in hand and you will probably notice your machine automatically connecting to various wireless Internet routers that local residents have set up. If you are given a connection that allows you to surf the Web, chances are very good that you can also assume control over the same network that gave you the access.

In my experience, few people who operate wide-open wireless networks -- those unprotected by even the simplest encryption technology -- ever bother to change the default user name and password needed to reconfigure the router. Perhaps consumers who operate open networks aren't terribly worried about their neighbors "sniffing" the ambient wireless airwaves for passwords and other sensitive data. But it may be that a person running a router under the default factory settings has more to fear from a malicious Web site than a local interloper.

Researchers at Symantec Corp. have devised a series of "proof-of-concept" exploits that show how an Internet user running any one of several name-brand, $50 - $100 routers under the default factory settings could be in a world of trouble in a very short time, just by browsing to a malicious Web site. One of the easiest ways to commandeer a factory-set wireless router remotely is through the use of Javascript, a powerful Web programming language that makes it easy for Web sites to monkey with or otherwise manipulate a computer's settings.

For example, a nasty site could use Javascript to change the default settings on a router so that anytime the victim tries to visit a bank Web site he or she is silently redirected to a counterfeit site set up to steal online banking credentials (this is a type of phishing attack known as "pharming.") Or, the attackers could poke holes in the router's built-in firewall to allow certain types of traffic to slip through.

Zulfikar "Zully" Ramzan, senior principal researcher at Symantec, said he successfully tested such scenarios using mock Web pages and some of the more popular routers on the market today, including those sold by Linksys, D-Link and Netgear. "Using the same techniques, an attacker could create a very simple Web page that when viewed by a Web browser could change the default settings on a router," he said.

The reason this has the potential to be such a problem is that a broadband router sits apart from the user's computer, so it's likely to be one of those set-it-and-forget-it type appliances. Indeed, if a malicious Web site succeeded in altering the default settings on a router, the router might be the last place most users -- even security professionals -- would look to as the source of the problem.

Michael Sutton, security evangelist for Atlanta based SPI Dynamics, said Javascript's flexibility and power make it an increasingly common component of cyber attacks.

"People are always coming out with new tricks with Javascript, but the reality is that it's a very powerful language and if you can convince someone to run your code by visiting your site, you effectively control their actions," Sutton said.

So what's the takeaway here? Whether you're using a wired or wireless router to split traffic on your home network, make sure you change the default password. A comprehensive list of default usernames and passwords for just about every commercial router is already available online. If you're the forgetful type, write down your router password and store it in a safe place. Even if you don't remember it, all consumer Internet routers ship with a tiny pinhole in the back that -- with the aid of something pointy and a steady grip -- allow you to reset the router to the factory settings (and back to the default password).

Also, consider browsing the Web with Mozilla's Firefox; with it, you can use the excellent "noscript" add-on that allows you to control which sites should be permitted to run Javascript inside of the browser. It's not a perfect solution, but it has saved my bacon on more than a few occasions. If anyone is aware of a similar add-on for Internet Explorer 7, please drop a pointer to it in the comments section below.

[Security Fix]

RFID Implementations Require Industry Specific Expertise, Survey Reveals.

Fri, 16 Feb 2007 01:59:30 GMT

RFID Implementations Require Industry Specific Expertise, Survey Reveals. Results should help manufacturers identify how to justify new RFID projects in terms of business objectives, technologies, and more. [GT: Security and Privacy]

ID Theft: Where you live makes a difference, study finds.

Fri, 16 Feb 2007 01:47:49 GMT

ID Theft: Where you live makes a difference, study finds. New York, California, Nevada and Arizona are among the riskiest U.S. states for ID theft, while Wyoming, Vermont, Montana and North Dakota are among the safest, according to a study by ID Analytics Inc. [Computerworld Privacy News]

Mobile Attacks Jumped Fivefold in 2006, Study Says.

Wed, 14 Feb 2007 00:14:44 GMT

Mobile Attacks Jumped Fivefold in 2006, Study Says. The number of security attacks reported by mobile phone operators in 2006 jumped fivefold over the year before, a McAfee study reports. [PC World: Latest Technology News]

Targeted Cyber Attacks - The Dangers Faced by your Corporate Network.

Mon, 12 Feb 2007 19:38:40 GMT

Targeted Cyber Attacks - The Dangers Faced by your Corporate Network. This security e-book, written by Sarah Testa from GFI, explains the real dangers posed by targeted cyber attacks and the measures organizations can adopt to secure against such threats By Sarah Testa. [Infosec Writers Latest Security Papers]

Despite Identity Theft Concerns, Consumers Not Taking Preventive Action.

Mon, 12 Feb 2007 18:38:01 GMT

Despite Identity Theft Concerns, Consumers Not Taking Preventive Action. New research shows identity theft tops consumer concerns about crime. [GT: Security and Privacy]

Electronic Medical Records Sound Good, Privacy an Issue, Says Survey.

Mon, 12 Feb 2007 18:36:18 GMT

Electronic Medical Records Sound Good, Privacy an Issue, Says Survey. "Personal medical records have always been rated as highly sensitive by the American public." [GT: Security and Privacy]

The Shifting Strategy of IT Threats: How SMBs Succeed in a Connected World. LIVE WEBCAST

Mon, 12 Feb 2007 18:32:11 GMT

The Shifting Strategy of IT Threats: How SMBs Succeed in a Connected World. LIVE WEBCAST
(Source: MessageLabs) In this exclusive live Webcast, Chris Christiansen and a panel of security experts will examine the fundamental link between IT security and its effects on business health. Register now for this live event, premiering 2/15 at 2pm EST. [Computerworld Privacy News]

Asking the Right Question: Penetration Testing vs. Vulnerability Analysis Tools, Which Is Best?

Sat, 10 Feb 2007 22:51:44 GMT

Asking the Right Question: Penetration Testing vs. Vulnerability Analysis Tools, Which Is Best? Dennis Hurst of Spi-Dynamics contirbutes this paper which discusses how penetration testing and assessments have matured and become more complex when dealing with web facing applications. By Dennis Hurst. [Infosec Writers Latest Security Papers]

Study Notes Link Between IT Sabotage, Work Behavior.

Thu, 08 Feb 2007 17:37:54 GMT

Study Notes Link Between IT Sabotage, Work Behavior. Workers who sabotage corporate systems are almost always IT workers who exhibit specific negative office behavior according to recent research. [PC World: Latest Technology News]

Study: Weak Passwords Really Do Help Hackers.

Thu, 08 Feb 2007 17:35:01 GMT

Study: Weak Passwords Really Do Help Hackers. Left online for 24 days to see how hackers would attack them, Linux PCs with weak passwords were hit by some 270,000 intrusion attempts. [PC World: Latest Technology News]

FTC Issues Fraud and ID Theft Data for 2006.

Thu, 08 Feb 2007 17:31:26 GMT

FTC Issues Fraud and ID Theft Data for 2006.

Unauthorized credit card charges were the leading contributor to more than $1.1 billion bilked in reported consumer fraud complaints last year, according to new figures released today by the Federal Trade Commission.

Shop-at-home/catalog sales and prizes and sweepstakes accounted for nearly 15 percent of all fraud-related complaints, followed closely by Internet services and online auctions. While the FTC's data tracks both online and offline fraud, the commission said some 60 percent of fraud complaints stemmed from transactions where the initial contact with the consumer was over e-mail (45 percent) and the Web (15 percent). (The PDF version of the FTC report is here.)

Credit-card fraud was the most common source of reported losses, followed by phone or utilities fraud (16 percent), bank fraud (16 percent) and employment fraud (14 percent). The latter category usually involved the unauthorized use of someone's Social Security number in order to secure employment.

Claudia Bourne Farrell, a spokesperson for the FTC, was herself a victim of employment fraud.

"I learned about it when the Internal Revenue Service asked why I wasn't declaring income and paying taxes on my job" at a Washington, D.C., restaurant, she said. Investigators later linked the identity thief to a local man using her Social Security number under the name Claudio Farrell.

While consumers are usually reimbursed by their bank for fraudulent credit- and debit-card charges, fraud that results from new accounts being opened in a victim's name -- from new cell phone and utility services ordered by the fraudsters -- represent a far more serious type of fraud, said Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse.

"Usually, when a new account is opened in your name, the monthly statements go to a drop box or the criminal's address, and the victim doesn't generally find out about it until they go to open a new line of credit or orders a copy of their credit report," Givens said. "This is the most difficult type of fraud to erase from your file." A victim must do a great deal of work to expunge the fraudulent accounts from their credit files, she said.

The FTC warned that the percentage of fraud complaints where wire transfers were the reported payment method continued to increase last year. Most wire transfer losses are associated with Internet auction scams, where auctioneers simply take the money but never ship the promised merchandise. Twenty-three percent of the consumers reported fraud incidents where wire transfer was the payment method, an increase of eight percentage points from calendar year 2005, the FTC said.

California, Texas and Florida led the nation in the total number of identity and consumer fraud cases that were reported last year. Virginia and Maryland were sixth and eighth, respectively, in the rankings of consumer fraud complaints per 100,000 people by state. Maryland came it at No. 11 in the rankings of reported identity theft cases per 100,000 people, while Virginia came in at 15 in the same measure.

For Washington, D.C., the FTC said there were 1,904 complaints made by city residents last year about consumer fraud or identity theft. The Washington region in general ranked 110 in fraud complaints out of the top 400 metropolitan areas in the country.

Consumers in the 18-29 age set were the largest age group that reported losses from fraud. That finding closely mirrors other studies that have identified younger online users as those most likely to be defrauded or scammed.

The overall number of fraud complaints was down slightly from 2005, but the FTC noted that one major data contributor did not properly catalog many of its complaints, so comparisons with previous years are difficult.

The FTC and consumer advocates urge consumers to keep a close eye on their credit files for signs of fraudulent activity. Under federal law, consumers are entitled to a free copy of their credit report each year. Consumers can order their free credit report by visiting AnnualCreditReport.com.

[Security Fix]

FTC: Identity Theft Remains Top Consumer Complaint.

Thu, 08 Feb 2007 17:27:49 GMT

FTC: Identity Theft Remains Top Consumer Complaint. Identity theft complaints remained a top priority for U.S. consumers last year, the FTC says. [PC World: Latest Technology News]

Internet Attacked! (Did Anyone Notice?)

Thu, 08 Feb 2007 17:24:54 GMT

Internet Attacked! (Did Anyone Notice?)

Tuesday marked the fourth anniversary of "Safer Internet Day," a 40-country effort to raise awareness about computer and Internet security. But the day probably didn't feel too safe for the dozens of unheralded technologists responsible for defending the World Wide Web against one of the most concerted attacks against the Internet's core since a similar assault in 2002.

Details about the sources, size and methods used in the attack are still trickling in, but like the celebration of Safer Internet Day, it's not clear that anyone using the Web at the time even took notice. That's largely a good thing, and I'll explain why later in this post.

At around 7 p.m. ET on Monday, three of the Internet's 13 "root servers" -- the computers that provide the primary roadmap for nearly all Internet communications -- came under heavy and sustained attack from a fairly massive, remote-controlled network of zombie computers. These are machines infected surreptitiously with programs that allow criminals to control them remotely. The zombies were programmed to try to overwhelm several of the root servers with massive amounts of traffic.

Among the apparent targets was a root server controlled by the Department of Defense Network Information Center. There is also evidence to suggest the attackers targeted the servers responsible for managing the stability of the ".uk" and ".org" domains.

A number of technologists I spoke with who helped defend against the attack said it's too early to say definitively where the attack came from, but this perspective from an operator responsible for maintaining one of the root servers suggests that South Korea, China and the United States were the biggest source of computers used in the attack (the initial analysis suggest that 13 percent of machines involved in the attack were located here in San Francisco, the site of the RSA Security Conference, from which I'm currently blogging.)

In the news coverage so far, theories about the motives behind the attack varied widely, from speculation that it was just hacker mischief to notions that it was cooked up by curious criminals bent on testing their ability to extort the many wealthy and powerful interests that rely on a functioning Internet.

The truth is that no one but the attackers knows the true reason. Paul Levins, vice president of the Internet Corporation for Assigned Names and Numbers (ICANN) -- the entity charged with, among other tasks, coordinating responses among root server providers in such attacks -- said it would likely be at least a week before the more meaningful facts come out.

"This is a fact based community, and we're waiting for the facts to come in after the analysis before we can make committed statements about what the origins were, and its intended targets," Levins said.

This attack highlights a couple of important but often overlooked points, one dark and troubling, and the other somewhat more hopeful. First, the tools and resources used by organized cyber criminals -- namely hacked personal computers that can be remotely controlled by attackers -- are so abundant that they've become virtually disposable. Experts estimate that at any given time there are tens of millions of hacked personal computers that are used in attacks or, more commonly, in sending spam and hosting phishing Web sites.

On the other hand, the fact that there is scant evidence that anyone surfing the Web at the time of the attack even noticed is testament to the resiliency of the global Internet infrastructure, as well as to the swift action on the part of the technologist and experts charged with maintaining the network most of us have come to take for granted.

Not that you can ever have enough security and capacity to handle these types of attacks. The various organizations that operate the 13 root servers are constantly upgrading bits and pieces of their systems to make them more robust and resilient, and one root-server operator -- Verisign Inc. -- is announcing Thursday that it plans to spend $100 million over the next three years to achieve a tenfold increase in its capacity to handle Internet traffic requests.

[Security Fix]

Exploiting JSON Framework : 7 Attack Shots.

Wed, 07 Feb 2007 18:36:50 GMT

Exploiting JSON Framework : 7 Attack Shots. This article, contributed by Aditya Sood, defines the layout of the exploiting factors of web attacks ie where the JSON framework is compromised. By Aditya Sood. [Infosec Writers Latest Security Papers]

FTC to release ID theft data.

Tue, 06 Feb 2007 02:08:11 GMT

FTC to release ID theft data. The Federal Trade Commission on Wednesday will release its latest "Consumer Sentinel" statistical analysis on identity theft, a precursor to a more comprehensive report later this year on ID fraud. [Computerworld Privacy News]

Research Reveals Data Loss Still Major Threat Despite Increased Corporate Efforts.

Mon, 05 Feb 2007 20:13:18 GMT

Research Reveals Data Loss Still Major Threat Despite Increased Corporate Efforts. Focus on threat of outside attacks overlooks danger employee behavior. [GT: Security and Privacy]

Confidential Data Lost Via USB Drives and Other Mobile Devices, New Survey Finds.

Fri, 02 Feb 2007 07:20:37 GMT

Confidential Data Lost Via USB Drives and Other Mobile Devices, New Survey Finds. Data loss prevention at the endpoint is top priority for IT security. [GT: Security and Privacy]

Rise in Sophisticated Attacks Against Savvy PC Users Expected to Rise.

Fri, 02 Feb 2007 07:08:56 GMT

Rise in Sophisticated Attacks Against Savvy PC Users Expected to Rise. "Malware writers continue to blur the line between trojans, worms, viruses and spyware." [GT: Security and Privacy]

Records on Spy Program Turned Over to Lawmakers - washingtonpost.com

Fri, 02 Feb 2007 06:44:13 GMT

The Justice Department turned over documents about the government's controversial domestic spying program to select members of Congress yesterday, ending a two-week standoff that included pointed threats of subpoenas from Democrats.

The deal appears to resolve the latest conflict between Congress and the administration over the National Security Agency's surveillance effort, and it provides new evidence of the administration's more accommodating approach to the Democrats who now control Congress.

The agreement follows the administration's announcement two weeks ago that it was replacing NSA's warrantless surveillance program with a plan approved by the secret court that administers the Foreign Intelligence Surveillance Act, or FISA. The NSA had conducted the domestic spying for more than five years without court oversight.

Under yesterday's accord, announced by Attorney General Alberto R. Gonzales, more than three dozen lawmakers will have access to the secret court orders governing the spying program that were issued Jan. 10 and the applications from the Justice Department that preceded them. The lawmakers include the House and Senate leaders, the members of the two intelligence panels and the heads of the two judiciary committees, officials said.

But Gonzales and other Bush administration officials also indicated that they had no intention of making the orders and related documents available to the public. The lawmakers and staff who view the records will be subject to strict statutes that bar disclosure of classified information. Congressional aides said it was unclear how much new information could be shared with the public.

Poll Exposes Generational Divide on Privacy Expectations.

Fri, 02 Feb 2007 06:34:26 GMT

Poll Exposes Generational Divide on Privacy Expectations. "This survey raises questions that could significantly impact our policymaking on privacy in years to come, assuming the MySpace generation maintains their privacy views as they age." [GT: Security and Privacy]

Has the White House interfered on global warming reports? | csmonitor.com

Fri, 02 Feb 2007 03:09:56 GMT

More than 120 scientists across seven federal agencies say they have been pressured to remove references to "climate change" and "global warming" from a range of documents, including press releases and communications with Congress. Roughly the same number say appointees altered the meaning of scientific findings on climate contained in communications related to their research.

These findings, part of a new report compiled by two watchdog groups, shed new light on complaints by a scattering of scientists over the past year who have publicly complained that Bush administration appointees have tried to mute or muzzle what researchers have to say about global warming.

"We are beyond the anecdotal," says Francesca Grifo, director of the scientific integrity program at the Union of Concerned Scientists (UCS), one of the two groups, referring to press reports of a dozen instances of interference that have emerged over the past 12 months. "We now have evidence to support the view that this problem goes deeper than just these few high-profile cases."

Global-warming science must be accurately represented to enable lawmakers to craft adequate policies to control the problem and adapt to climate change, Dr. Grifo says. Scientists at the National Aeronautics and Space Administration, the National Oceanic and Atmospheric Administration, and other agencies working on climate-related issues are doing excellent work. "But it's under threat, and they are struggling to get their results out" to the general public, she says.

Grifo described some of the report's findings during hearings Tuesday before the House Committee on Oversight and Government Reform and during a press briefing afterward. The two groups say they will release additional material next week, when the Senate Committee on Commerce, Science, and Transportation holds similar hearings.

Congress Hears From Muzzled Scientists.

Fri, 02 Feb 2007 03:05:52 GMT

Congress Hears From Muzzled Scientists. BendingSpoons writes "More than 120 scientists across seven federal agencies have been pressured to remove the phrases 'global warming' and 'climate change' from various documents. The documents include press releases and, more importantly, communications with Congress. Evidence of this sort of political interference has been largely anecdotal to date, but is now detailed in a new report by the Union of Concerned Scientists. The House Oversight and Government Reform Committee held hearings on this issue Tuesday; the hearing began by Committee members, including most Republicans, stating that global warming is happening and greenhouse gas emissions from human activity are largely to blame. The OGR hearings presage a landmark moment in climate change research: the release of the 2007 report by the Intergovernmental Panel on Climate Change. The IPCC report, drafted by 1,250 scientists and reviewed by an additional 2,500 scientists, is expected to state that 'there is a 90% chance humans are responsible for climate change' -- up from the 2001 report's 66% chance. It probably won't make for comfortable bedtime reading; 'The future is bleak', said scientists." [Slashdot: Your Rights Online]

Survey: Identity theft on the decline | NetworkWorld.com Community

Fri, 02 Feb 2007 02:55:57 GMT

Hours after meeting with Verisign yesterday at DEMO 07 to discuss that company's major anti-identity theft initiative comes news from a trio of leading financial firms that this ongoing crisis of consumer confidence -- the bane of retailers both online and off -- is already well under control, with the number of victims down 12% last year over 2005.

Pop the corks? ... Well, there's every reason to hope that this report reflects an emerging new reality ... as well as every reason to remain skeptical. The problem with vendor-sponsored surveys of this nature, of course, is that they make it difficult to overlook the obvious self-interest of the parties involved. The e-commerce world as a whole has been in full panic mode over the public's increasing wariness about doing business online. All would hail anything that might lessen that unease.So this poll offers such hope, grain of salt and all. The 2007 Identity Fraud Survey Report paid for by Visa, Wells Fargo and CheckFree contends that:

Survey Indicates ID Theft May Be Diminishing.

Fri, 02 Feb 2007 02:52:57 GMT

Survey Indicates ID Theft May Be Diminishing. netbuzz passed us a link discussing a survey conducted by major credit firms. Keeping in mind the source (CheckFree, Visa, and WellsFargo), the results indicate identity theft may be on the downswing as consumers wise up to scammers. The number of respondents that reported a fraudulent account created with a stolen identity dropped by a full half percentage point between 2005 and 2006. Overall fraud apparently dropped by some 12% over last year, representing $6.4 billion in fraud reduction. Again, consider the source: identity fraud is still apparently costing some $49.3 billion annually. [Slashdot: Your Rights Online]

Preventing a Brute Force or Dictionary Attack.

Thu, 01 Feb 2007 04:15:14 GMT

Preventing a Brute Force or Dictionary Attack. Bryan Sullivan of Spi Dynamics submits this paper which takes a look at Brute Force and dictionary attacks and methods to defend against them. By Bryan Sullivan. [Infosec Writers Latest Security Papers]

Why So Many Undervotes in Sarasota?

Tue, 30 Jan 2007 18:06:28 GMT

Why So Many Undervotes in Sarasota?

The big e-voting story from November[base ']s election was in Sarasota, Florida, where a congressional race was decided by about 400 votes, with 18,412 undervotes. That[base ']s 18,412 voters who cast votes in other races but not, according to the official results, in that congressional race. Among voters who used the ES&S iVotronic machines [~] that is, non-absentee voters in Sarasota County [~] the undervote rate was about 14%. Something went very wrong. But what?

Since the election there have been many press releases, op-eds, and blog posts about the undervotes, not to mention some lawsuits and scholarly studies. I want to spend the rest of the week dissecting the Sarasota situation, which I have been following closely. I[base ']m doing this now for two reasons: (1) enough time has passed for the dust to settle a bit, and (2) I[base ']m giving a joint talk on the topic next week and I want to work through some thoughts.

There[base ']s no doubt that something about the iVotronic caused the undervotes. Undervote rates differed so starkly in the same race between iVotronic and non-iVotronic voters that the machines must be involved somehow. (For example, absentee voters had a 2.5% undervote rate in the congressional race, compared to 14% for iVotronic voters.) Several explanations have been proposed, but only two are at all plausible: ballot design and machine malfunction.

The ballot design theory says that the ballot offered to voters on the iVotronic[base ']s screen was misdesigned in a way that caused many voters to miss that race. Looking at screenshots of the ballot, one can see how voters might miss the congressional race at the top of the second page. (Depressingly, some sites show a misleading photo that the photographer angled and lit to make the misdesign look worse than it really was.) It[base ']s very plausible that this kind of problem caused some undervotes; and that is consistent with the reports of many voters that the machine did not show them the congressional race.

It[base ']s one thing to say that ballot design could have caused some undervotes, but it[base ']s another thing entirely to say it was the sole cause of so elevated an undervote rate. Each voter, before finalizing his vote, was shown a clearly designed confirmation screen listing his choices and clearly showing a no-candidate-selected message for the congressional race. Did so many voters miss that too? And what about the many voters who reported choosing a candidate in the congressional race, only to have the no-candidate-selected message show up on the confirmation screen anyway?

The malfunction theory postulates a problem or malfunction with the voting machines that caused votes not to be recorded. There are many types of problems that could have caused lost votes. The best way to evaluate the malfunction theory is to conduct a careful and thorough study of the machines themselves. In the next entry I[base ']ll talk about the efforts that have been made toward that end. For now, suffice it to say that no suitable study is available to us.

If we had a voter-verified paper trail, we could immediately tell which theory is correct, by comparing the paper and electronic records. If the voter-verified paper records show the same high undervote race, then the ballot design theory is right. If the paper and electronic records show significantly different undervote rates, then something is wrong with the machines. But of course the advocates of paperless voting argued that paper trails were unnecessary [~] while also arguing that touchscreen systems reduce undervotes.

Several studies have tried to use statistical analyses of undervote patterns in different races, precincts, and machines to evaluate the two theories. Frisina, Herron, Honaker, and Lewis say the data support the ballot design theory; Mebane and Dill say the data point to malfunction as a likely cause of at least some of the undervotes. Reading these studies, I can[base ']t reach a clear conclusion.

What would convince me, one way or the other, is a good study of the machines. I[base ']ll talk next time about the fight over whether and how to look at the machines.

Study Finds IE7 + EV SSL Won't Stop Phishing.

Mon, 29 Jan 2007 20:11:05 GMT

Study Finds IE7 + EV SSL Won't Stop Phishing. An anonymous reader writes "Stanford University and Microsoft Research have published a study that claims that the new Extended Validation SSL Certificates in IE7 are ineffective (PDF). The study, based on user testing, found that EV certificates don't improve users' ability to detect attacks, that the interface can be spoofed, and that training users actually decreases their ability to detect attacks. The study will be presented at Usable Security 2007 next month, which is a little late now that the new certificates are already being issued." [Slashdot]

Michael Geist - Vista's Fine Print Raises Red Flags

Mon, 29 Jan 2007 18:13:53 GMT

Vista's legal fine print includes extensive provisions granting Microsoft the right to regularly check the legitimacy of the software and holds the prospect of deleting certain programs without the user's knowledge. During the installation process, users "activate" Vista by associating it with a particular computer or device and transmitting certain hardware information directly to Microsoft.

Even after installation, the legal agreement grants Microsoft the right to revalidate the software or to require users to reactivate it should they make changes to their computer components. In addition, it sets significant limits on the ability to copy or transfer the software, prohibiting anything more than a single backup copy and setting strict limits on transferring the software to different devices or users.

Vista also incorporates Windows Defender, an anti-virus program that actively scans computers for "spyware, adware, and other potentially unwanted software." The agreement does not define any of these terms, leaving it to Microsoft to determine what constitutes unwanted software. Once operational, the agreement warns that Windows Defender will, by default, automatically remove software rated "high" or "severe,"even though that may result in other software ceasing to work or mistakenly result in the removal of software that is not unwanted.

For greater certainty, the terms and conditions remove any doubt about who is in control by providing that "this agreement only gives you some rights to use the software. Microsoft reserves all other rights." For those users frustrated by the software's limitations, Microsoft cautions that "you may not work around any technical limitations in the software."

Payments News: Mobile Malware A Risk - January 22, 2007

Mon, 29 Jan 2007 17:56:59 GMT

TowerGroup has published a new research report titled "Fraud, Virus and ID Theft: Mobile Malware Stands to Create a New Beginning" - saying that as the use of mobile devices for banking and payments increases, incidents of mobile virus and mobile malware are likewise going to be on the upswing.

Enterprise Rights Management (ERM): Architectural Approaches.

Mon, 29 Jan 2007 16:25:04 GMT

Enterprise Rights Management (ERM): Architectural Approaches. This document compares the architectural approaches to implementing an effective enterprise rights management (ERM) system, namely tethered and untethered models. The document attempts to explore the advantages and disadvantages of both approaches and the impact the two models have on a corporate installation of such a system. By Avoco Secure. [Infosec Writers Latest Security Papers]

The cheapskate's infosecurity toolbox.

Fri, 26 Jan 2007 19:08:44 GMT

The cheapskate's infosecurity toolbox. As we all know, not everyone is fortunate enough to have a blank check for security-related procurement and implementation. As security executives, we are often called upon to pull a rabbit out of the hat on short notice and make security issues disappear. Making the best of your allocated budget may at times call for primary or supplementary solutions that are freely available. This strategy cuts procurement time completely out of the loop as well. Here's a list of security tools available on the Web for free that you should add to your toolbox. [CSO Online Data Security Briefing]

The best practices for network security in 2007.

Fri, 26 Jan 2007 18:00:20 GMT

The best practices for network security in 2007. We all face it - the daily barrage of spam, now infested with zero-day malware attacks, not to mention the risks of malicious insiders, infected laptops coming and going behind our deep packet-inspecting firewalls and intrusion-prevention systems. Some even have to worry about how to prove steps of due care and due diligence towards a growing roster of regulatory compliance pressures. [CSO Online Data Security Briefing]

Watch out for PHP holes.

Fri, 26 Jan 2007 17:53:14 GMT

Watch out for PHP holes. In the first half of 2006, desktop filtering software maker Websense counted a 100 percent rise in Web sites that contained code potentially harmful to visitors. The company declined to reveal how many Web sites it tallied, but it did say that 40 percent of the sites were hacked -- that is, they had their site code altered by outsiders. Of those hacked Web sites, the vast majority (91 percent) were commissioned to install Trojan horses that take control of visiting computers to turn them into bots -- to relay spam, wage denial-of-service attacks or carry out ID theft schemes -- or use them as bases for spreading malicious programs such as worms and keyloggers inside the enterprise. [CSO Online Data Security Briefing]

Spam is Back With A Vengence.

Tue, 23 Jan 2007 02:11:03 GMT

Spam is Back With A Vengence. Ant writes "The Red Tape Chronicles reports that just last December (2006), the FTC published an optimistic state-of-spam report. It cites research indicating spam had leveled off or even dropped during the previous year. It now appears spammers had simply gone back to the drawing board. There's more spam now than ever before. In fact, there's twice as much spam now as opposed to this time last year. And the messages themselves are causing more trouble. About half of all spam sent now is "image spam," containing server-clogging pictures that are up to 10 times the size of traditional text spam. And most image spam is stock-related, pump-and-dump scams which can harm investors who don't even use e-mail. About one-third of all spam is stock spam now." [Slashdot]

The Anatomy of Pump N' Dump Stock Spamming.

Tue, 23 Jan 2007 02:05:31 GMT

The Anatomy of Pump N' Dump Stock Spamming. giorgiofr writes "Laura Frieder and Jonathan Zittrain have analyzed pump n' dump spam activity in their paper 'Spam Works: Evidence from Stock Touts and Corresponding Market Activity'. Unbelievably, it appears that spammers are able to achieve a 5% gain on pumped stock before dumping it, along with a dramatic increase in transaction volume of the stock. From the synopsis: ' We suggest that the effectiveness of spammed stock touting calls into question prevailing models of securities regulation that rely principally on the proper labeling of information and disclosure of conflicts of interest to protect consumers, and we propose several regulatory and industry interventions. Based on a large sample of touted stocks listed on the Pink Sheets quotation system, we find that stocks experience a significantly positive return on days prior to heavy touting via spam. Volume of trading responds positively and significantly to heavy touting.'" [Slashdot]

United States Worst for Malware Hosting and Spam-Relaying, Says Security Report.

Tue, 23 Jan 2007 00:32:57 GMT

United States Worst for Malware Hosting and Spam-Relaying, Says Security Report. "The U.S. market is undeniably a target for online criminal activity." [GT: Security and Privacy]

Top 10 Internet Scandals of All Time.

Mon, 22 Jan 2007 23:27:29 GMT

Top 10 Internet Scandals of All Time. The Web is a great way to deliver information, but it's also a great way to expose, spread, or jump-start a scandal. [PC World: Latest Technology News]

Thousands of PCs Infected by Nasty Trojan Horse.

Sun, 21 Jan 2007 04:38:45 GMT

Thousands of PCs Infected by Nasty Trojan Horse. One in 200 e-mail messages sent today carry the vicious software, expert says. [PC World: Latest Technology News]

Putting a Bug in Apple's Ear.

Wed, 17 Jan 2007 20:31:37 GMT

Putting a Bug in Apple's Ear. Hell hath no fury like a security researcher scorned, and other lessons from the Month of Apple Bugs. By Quinn Norton. [Wired News: Top Stories]

Civil Liberties Showdown Looms.

Wed, 17 Jan 2007 20:29:12 GMT

Civil Liberties Showdown Looms. Privacy proposals in the Democratic bill revisiting the 9/11 commission's recommendations both expand privacy officials' powers and require them to report to Congress. The Bush administration is likely to balk. In 27B Stroke 6. [Wired News: Top Stories]

Reports on Online Identity Theft Trends.

Wed, 17 Jan 2007 18:44:00 GMT

Reports on Online Identity Theft Trends. 250 percent increase in keyloggers, and 100-fold increase in phishing alerts. [GT: Security and Privacy]

Modesto Bee - Justice Dept. concealing leak report

Wed, 17 Jan 2007 18:36:40 GMT

WASHINGTON (AP) - The Justice Department is fighting in court to keep secret a government report concluding that it leaked confidential and damaging information against a former prosecutor accused of bungling a high-profile terror trial.

Justice attorneys say they can't disclose all the contents of the December 2004 report by the department's inspector general without violating employees' privacy.

However, ex-Assistant U.S. Attorney Richard G. Convertino of Detroit said the Justice Department violated his own privacy rights by revealing to the media that he was the subject of an internal ethics inquiry after he criticized the Bush administration's counterterrorism strategy.

Two people who have seen the full report confirmed it rules out Convertino as a suspect in the leak case. Those people described the report's findings to The Associated Press on condition of anonymity because it is sealed under a Justice Department protective order.

A heavily edited version of the report is included in court documents filed in Washington. It concludes that investigators "did not find sufficient evidence to prove, by a preponderance of the evidence, who leaked this information."