Paul Hardwick: Security

Sun CSO: Endless Internet Growth Keeps Security on Back Burner.

Wed, 14 Mar 2007 20:07:25 GMT

Sun CSO: Endless Internet Growth Keeps Security on Back Burner. Q&A: Whitfield Diffie, chief security officer at Sun and co-inventor of public-key cryptography, talks about the state of computer security and Microsoft[base ']s role in it. [Computerworld Privacy News]

Four Colorado Counties Placed on Election Watch List.

Wed, 14 Mar 2007 20:04:05 GMT

Four Colorado Counties Placed on Election Watch List. Errors with voting machines, delays in voting, inadequate security cited. [GT: Security and Privacy]

ID Fraud Manufacturing Ring Uncovered in Arizona.

Wed, 14 Mar 2007 20:00:48 GMT

ID Fraud Manufacturing Ring Uncovered in Arizona. Three month investigation of Arizona Homeland Security Fraudulent Identification Task Force (AFIT) uncovers one of the largest manufacturers of fraudulent identification in Southern Arizona. [GT: Security and Privacy]

Airport security targets the inside threat - CNN.com

Wed, 14 Mar 2007 19:58:40 GMT

TAMPA, Florida (CNN) -- The Transportation Security Administration carried out surprise inspections on workers at five airports in Florida and Puerto Rico on Monday, one week after a baggage handler in Orlando allegedly used his airport credentials to smuggle more than a dozen firearms into a commercial jetliner.

Some 160 TSA officers, backed by Federal Air Marshals and local police, searched airplanes for contraband, shined flashlights in airport vehicles and patted down contractor employees involved in airport security.

The five airports inspected were in Tampa, Orlando, Miami, Fort Lauderdale and San Juan, Puerto Rico.

The airport crackdown will continue through the week, spreading to other regions in the country as TSA increases random, unannounced searches targeting those who could misuse their access within the system.

"We realize the insider threat is a real threat, and we have to address it," said TSA spokesman Christopher White.

Latest ID-Theft Worry? Copiers.

Wed, 14 Mar 2007 19:55:53 GMT

Latest ID-Theft Worry? Copiers. Digital photocopiers use hard drives to store data. If not properly secured, they can be vulnerable to data thieves. By the Associated Press. [Wired News: Security Blanket]

Dispute surfaces over certification for personal health records

Wed, 14 Mar 2007 19:51:04 GMT

n a rare instance of public dissent, an American Health Information Community AHIC) workgroup has split over whether to recommend that product certification be available for personal health record software.

AHIC, a high-level advisory committee to the Department of Health and Human Services, sided with the majority on its Consumer Empowerment Workgroup and voted unanimously in favor of the certification recommendation.

A minority -- five members of the 23-person workgroup -- took the position that certification would be premature and the top priority should be privacy and security policies for PHRs. "The risks [of certification now] outweigh any potential benefits," the dissenters said in a letter to AHIC.

The workgroup's task is to foster widespread adoption of PHRs. One of its leaders, Dr. Rose Marie Robertson, told AHIC that the group believes PHRs will be more widely used if consumers do not have to sit at a computer and enter all their health information. Instead, the PHRs could be populated by data from doctors, health plans, drug stores, or elsewhere.

Medical data on Blue Cross members may be lost | CNET News.com

Wed, 14 Mar 2007 19:45:41 GMT

WellPoint, one of the nation's largest health insurers, has begun notifying 75,000 members of its Empire Blue Cross and Blue Shield unit in New York that a CD holding their vital medical and other personal information has disappeared.

The information was on an unencrypted disc that a subcontractor recently sent to Magellan Behavioral Services, a company in Avon, Conn., that specializes in monitoring and coordinating mental health and substance abuse treatments for insurance companies.

Empire began notifying the affected consumers by mail on Saturday that their records--including their names, Social Security numbers, health plan identification numbers and description of medical services back to 2003--had been lost.

[...]

Before shipping the information to Magellan, the coding and passwords that protect the privacy of the information was removed by a Magellan subcontractor, Lisa Ann Greiner, an Empire spokeswoman, said Tuesday.

Janlori Goldman, the director of the Health Privacy Center, a nonprofit organization in Washington, said the error was an "egregious breach of privacy." She said that insurance companies were responsible under a federal privacy law for ensuring that their contractors use adequate security procedures.

Greiner said that the subcontractor, Health Data Management Services, worked for Magellan, not Empire. "If any contract was breached, we are going to take direct action," she said.

Photocopiers: The newest ID theft threat.

Wed, 14 Mar 2007 19:40:11 GMT

Photocopiers: The newest ID theft threat. Photocopiers made in recent years often have hard drives that store what's been duplicated -- making them a potential target for identity thieves. [Computerworld Privacy News]

CDT Calls for Judicial Approval of National Security Letters.

Wed, 14 Mar 2007 19:35:59 GMT

CDT Calls for Judicial Approval of National Security Letters. CDT is calling on Congress to require judicial supervision of FBI requests for access to the sensitive records of US citizens to protect privacy and national security. Recent revelations regarding violations in the use of so-called "national security letters" have shown that no matter how many internal controls the FBI adopts, self-certification is not sufficient when the government is obtaining the sensitive financial and communications records of citizens. CDT believes Congress should reform the law and adopt a reasonable system of judicial checks and balances. [Center for Democracy and Technology]

How to surf anonymously without a trace - ComputerWorld

Tue, 13 Mar 2007 20:51:27 GMT

The punchline to an old cartoon is "On the Internet, nobody knows you're a dog," but these days, that's no longer true.

It's easier than ever for the government, Web sites and private businesses to track exactly what you do online, know where you've visited, and build up comprehensive profiles about your likes, dislikes and private habits.

And with the federal government increasingly demanding online records from sites such as Google and others, your online privacy is even more endangered.

But you don't need to be a victim. There are things you can do to keep your surfing habits anonymous and protect your online privacy. So read on to find out how to keep your privacy to yourself when you use the Internet, without spending a penny.

Do You Need to Surf Anonymously?

Tue, 13 Mar 2007 20:48:57 GMT

Do You Need to Surf Anonymously? An anonymous reader writes "Computerworld has up an article entitled 'How to Surf Anonymously without a Trace'. It purports to offer tips on how to avoid detection by anyone attempting to monitor your internet access. 'If you don't like the limitations imposed on you by [proxy] sites like the Cloak or would simply prefer to configure anonymous surfing yourself, you can easily set up your browser to use an anonymous proxy server to sit between you and the sites you visit. To use an anonymous proxy server with your browser, first find an anonymous proxy server. Hundreds of free, public proxy servers are available, but many frequently go offline or are very slow. Many sites compile lists of these proxy servers, including Public Proxy Servers and the Atom InterSoft proxy server list.'"

[Slashdot: Your Rights Online]

New US Computer Forensic Institute.

Tue, 13 Mar 2007 20:33:22 GMT

New US Computer Forensic Institute. Quincy writes "The DHS and Secret Service are setting up a new computer forensic institute in Alabama. Set to open in mid-2008, the new National Computer Forensic Institute will be able to train over 900 law enforcement officers per year. 'It will initially be staffed by 18 Secret Service agents and will feature classrooms, a forensic laboratory, an evidence vault, and server rooms. Courses will be offered in the investigation of electronic crimes, network intrusion investigation, and computer forensics... [T]he Secret Service says that it will help to bring judges and prosecutors up to speed as well.'" Maybe over time we'll see fewer botches of justice like those in the news recently [Slashdot: Your Rights Online]

CDT Opposes Bill Expanding Pentagon Domestic Data Mining.

Tue, 13 Mar 2007 20:07:21 GMT

CDT Opposes Bill Expanding Pentagon Domestic Data Mining. CDT and other civil liberties groups are urging Congress to reject legislation that would exempt the Department of Defense from a key provision of the Privacy Act. The little-noticed amendment, already included in the Senate version of the Intelligence Authorization Act, would permit government agencies to disclose information on US citizens to the Defense Department. Such language could pave the way for entire databases of information to be transferred to the Defense Department without a clear purpose -- in turn opening the door to greater data mining by military agencies. [Center for Democracy and Technology]

CDT Calls for Reform of National Security Letters.

Tue, 13 Mar 2007 20:04:02 GMT

CDT Calls for Reform of National Security Letters. CDT is calling on Congress to require judicial approval of FBI efforts to access the sensitive records of US citizens. Recent revelations regarding violations in the use of so-called "national security letters" have shown that no matter how many internal controls the FBI adopts, self-certification in not sufficient when the government is obtaining the sensitive financial and communications records of citizens. CDT believes Congress should reform the law and adopt a reasonable system of judicial checks and balances. [Center for Democracy and Technology]

McAfee Says Vista's StickyKeys Could Be Misused.

Tue, 13 Mar 2007 20:02:15 GMT

McAfee Says Vista's StickyKeys Could Be Misused. A Windows Vista feature designed to simplify computing for disabled users has security implications, according to a McAfee researcher. [PC World: Latest Technology News]

Secure your enterprise data.

Tue, 13 Mar 2007 19:57:32 GMT

Secure your enterprise data. For DuPont, Gary Min may have seemed a model employee. A research chemist at DuPont's research laboratory in Circleville, Ohio, Min was a naturalized U.S. citizen with a doctorate from the University of Pennsylvania who had worked for DuPont for 10 years, even earning a business degree from Ohio State University with help from his employer. But Min's veneer of respectability began to crack on Dec. 12, 2005, when he told his employer he would be leaving his job. [CSO Online Data Security Briefing]

courant.com | Our I.D., Their Trash - Sensitive Records Turn Up In Ohio

Mon, 12 Mar 2007 20:41:49 GMT

Papers with sensitive information about Connecticut residents - Social Security numbers, medical records, names, phone numbers, addresses and bank records began blowing from an Ohio landfill onto nearby homeowner Harry Evans' yard months ago.

At first he just picked up the litter - dozens of papers in all - and threw it away. But about a week ago, Evans says, he talked with his wife about the personal nature of some of the windblown papers and decided he'd had enough. He called the local media. Soon, newspaper and TV reporters descended on his home in Negley.

TorontoSun.com - Canada - Privacy swipe? New system would check IDs in stores

Mon, 12 Mar 2007 20:38:21 GMT

Convenience stores that check ID by swiping driver's licences could be violating privacy law, Government Services Minister Gerry Phillips said Wednesday.

The system called "We Expect ID," would see store clerks swipe licences through a lottery terminal to verify a customer's age when purchasing alcohol, cigarettes, adult magazines, lottery tickets or fireworks. The terminal will read age information from the magnetic stripe on the licence and display the person's age on the terminal.

Popular P2P apps could expose sensitive files, report says.

Mon, 12 Mar 2007 20:33:43 GMT

Popular P2P apps could expose sensitive files, report says. Five popular peer-to-peer file-sharing applications include features that could allow users to inadverdently share sensitive files on their computers with others, according to the U.S. Patent and Trademark Office. [Computerworld Privacy News]

'Do the Right Thing'. Editorial

Mon, 12 Mar 2007 20:32:08 GMT

'Do the Right Thing'. Editorial: There is no greater hallmark of an IT leader than the courage it takes to do what[base ']s right, says Don Tennant. [Computerworld Privacy News]

Seagate Ships Super-Secure Hard Disk Drive.

Mon, 12 Mar 2007 20:18:52 GMT

Seagate Ships Super-Secure Hard Disk Drive. ASI Computer Technologies will use the automatically encrypted Momentus in a laptop. [PC World: Latest Technology News]

Human Error Causes Most Data Loss, Study Says.

Mon, 12 Mar 2007 20:08:30 GMT

Human Error Causes Most Data Loss, Study Says. Three-quarters of incidents involving loss of sensitive data are caused by human error, according to researchers. [PC World: Latest Technology News]

QuickTime Security Update Taxes Some Mac Users.

Mon, 12 Mar 2007 20:03:34 GMT

QuickTime Security Update Taxes Some Mac Users.

Some computer users running Apple Mac OS X are having a bit of a taxing time with the TurboTax software after installing a recent security update for Apple's QuickTime media player. The QuickTime update, released last week, effectively prevents a number of programs from launching.

The problem appears to be limited to users of Mac OS X 10.3.9 and earlier versions, but the interference caused by the QuickTime update is not limited to TurboTax. The update is reportedly causing problems with games such as World of Warcraft, Age of Empires III, Full Tilt Poker and Snake, according to numerous threads at the online user forums of both Apple and TurboTax.

It looks like TurboTax parent Intuit plans to release an update on Monday to try and work around Apple's patch. The company even posted a link where users can leave their contact information to be alerted when a fix is available.

For many users, that response stood in contrast to Apple's, which -- now a week after this "QuickTax" problem was first highlighted -- so far has been non-existent. Michael Molton, a software engineer from Virginia Beach, Va., was less than impressed: "COME ON APPLE," he wrote in a post last Wednesday on Apple's user forum. "You introduced this bug about 48 hours ago, there is zero excuse for not having a fix or at the VERY least some announcement that a fix is coming." A user going by the name MacPatty writes: "Is anyone at Apple actually working on this problem or we all just talking to each other here. Does Apple know that they created a big problem for us?"

Apple's silence on security-related problems facing its rapidly expanding user base has been lagging a bit lately. More than four months ago, a computer worm that leveraged a design flaw in QuickTime spread rapidly to users of the social networking site MySpace.com, stealing passwords from more than 100,000 users. The company responded by quietly issuing a patch designed just for MySpace users, which MySpace admins rolled out in a rather clumsy and insecure way. But Apple largely refused to talk to reporters about the whole incident, and it has yet to issue an advisory to let QuickTime users know whether they should be at all concerned about it, and if so what they can do to minimize their chances of being the next victim.

OK, so maybe the largest share of QuickTime users are running Microsoft Windows, and the MySpace worm didn't appear to do much more than steal MySpace logins. Still, this is an attack that could be replicated on other sites, with more serious consequences affecting both Mac and Apple users.

A question for Apple: Could you create a simple blog that offers suggestions or workarounds for high-profile problems affecting your customers, or at least assure users that you have heard their concerns and are investigating the problem?

[Security Fix]

Don't Let OneCare Eat Your Email - AppScout

Sun, 11 Mar 2007 19:08:23 GMT

Whenever a program gets wide distribution there are bound to be some users who, rightly or wrongly, feel it has caused them pain. Sometimes it's a case of post hoc ergo propter hoc (Latin for "the hog was here, so the hog did it"). Other times there really is a problem, perhaps due to an unusual configuration or a compatibility problem with some less-common applications. But it's rare that the problem is as serious and the response as limited as in this case.

A reader brought to my attention a thread in Microsoft's discussion forums for Windows OneCare titled "Outlook and Outlook Express Mail Store Missing or Quarantined". The thread started with a message in January and it's still running today, with no clear resolution. In brief, if you get a virus in an email message received by Outlook, OneCare's next virus sweep may quarantine or delete your entire email store. If you receive a virus via Outlook Express OneCare may quarantine or delete the entire folder containing the virus. Really!

As the thread goes on, more and more users weigh in reporting the problem. Moderators attempt soothing responses like "Obviously, the action by OneCare is undesirable. However, you can ... exclude the Outlook PST file" and "I know it won't make you feel any better, but you're all really helping to make OneCare a better program for everyone" and "You never want email scanned on the way in or out of the system as it causes more problems than it fixes." At one or two points the moderators announce a fix, but the problem reports keep coming in. One moderator mused that this had been a problem in the beta of OneCare 1.0, but he hadn't seen it since then. Another suggested that version 1.5 may have been coded from the wrong "code branch" of the base 1.0/1.1 version. Hmm....

Windows Live OneCare Can Eat Your Email.

Sun, 11 Mar 2007 19:04:30 GMT

Windows Live OneCare Can Eat Your Email. FutureDomain writes in to point us to a blog sponsored by PC Magazine, reporting about another problem with Windows Live OneCare. Apparently, it sometimes deletes the entire Outlook or Outlook Express .PST mailbox when it finds a virus in one of the messages. The only solution is to tell OneCare to exclude the entire Outlook mailbox. This is the software that came in last in antivirus tests. The trail of tears is ongoing over on the Microsoft forums. [Slashdot]

SSL optimization over the WAN needs scrutiny - Network World

Sun, 11 Mar 2007 17:45:40 GMT

Rather than passing through SSL sessions between clients and servers located in remote data centers, some WAN optimization gear can terminate the SSL sessions, shrink the traffic and re-encrypt it for the next leg of the trip. These chains of encrypted sessions introduce potential vulnerabilities that different vendors address in different ways.

SSL traffic represents a growing percentage of total traffic on WAN links, according to Forrester Research. So SSL support in WAN optimization appliances will become more important to businesses that want to keep traffic secure while minimizing the size of their WAN links.

In a survey last month of 1,300 IT executives by WAN-optimization vendor Blue Coat Systems, one-third of respondents said that 25% of their WAN traffic is SSL. And of those surveyed, 45% plan to roll out more SSL applications this year.

About a third of all WAN traffic at Richardson Partners Financial Ltd. in Toronto is SSL, says Andrew McKinney, director of technical services for the firm. But if only the urgent business traffic is considered, the percentage is much higher. "For critical business traffic, it's all encrypted," he says. So he uses Blue Coat Systems gear to secure traffic and optimize it for good performance.

SSL Optimization Over WAN Needs Scrutiny.

Sun, 11 Mar 2007 17:41:59 GMT

SSL Optimization Over WAN Needs Scrutiny. coondoggie writes with word of the expansion of WAN optimization appliances to handle SSL traffic and the security concerns this brings up. From the article: "With more and more WAN optimization vendors extending their capabilities to include encrypted traffic, corporate IT executives have a decision to make: Should they trust the security these devices provide? Rather than passing through SSL sessions between clients and servers located in remote data centers, some WAN optimization gear can terminate the SSL sessions, shrink the traffic, and re-encrypt it for the next leg of the trip. These chains of encrypted sessions introduce potential vulnerabilities that different vendors address in different ways. SSL traffic represents a growing percentage of total traffic on WAN links, according to Forrester Research. So SSL support in WAN optimization appliances will become more important to businesses that want to keep traffic secure while minimizing the size of their WAN links."
[Slashdot]

Connecticut Wants to Restrict Social Networking.

Sun, 11 Mar 2007 17:06:21 GMT

Connecticut Wants to Restrict Social Networking. csefft writes "According to the Hartford Courant, Connecticut became the latest state to want to restrict the use of MySpace and other social networking sites. The proposed bill would require that all such sites verify the identity and age of users, as well as get parent's permission for those under 18. Sites that failed to comply would be subject to a $5,000 per day fine. Attorney General Richard Blumenthal said of the proposition, 'If we can put a man on the moon, we can verify age on the Internet,' but quickly followed with the acknowledgment that there is no foolproof method." [Slashdot: Your Rights Online]

Don't like ID cards? Hand over your passport | the Daily Mail

Sun, 11 Mar 2007 16:56:16 GMT

Anybody who objects to their personal details going on the new "Big Brother" ID cards database will be banned from having a passport.

James Hall, the official in charge of the supposedly-voluntary scheme, said the Government would allow people to opt out - but in return they must "forgo the ability" to have a travel document.

With one in every eight people saying they will refuse to sign-up, up to five million adults could effectively be refused permission to leave the country.

Campaigners reacted to Mr Hall's remarks with fury, saying they were yet more evidence of the lurch towards "Big Brother" Britain.

Phil Booth, of the NO2ID group, said: "The idea that ID cards scheme is voluntary, and people can opt-out, is a joke.

"There are all sorts of reasons why people need to travel, not just for holidays. There is work, visiting relatives.

"What are these people supposed to do? It stretches the definition of voluntary beyond breaking point. They will go to any length to get personal information for this huge database. Who knows what will happen to it then?"

No Passport For Britons Refusing Mass Surveillance.

Sun, 11 Mar 2007 16:52:17 GMT

No Passport For Britons Refusing Mass Surveillance. UpnAtom writes "People who refuse to give up their bank records, tax records & details of any benefits they've claimed, and the records of their car movements for the last year, or refuse to submit to an interrogation on whether they are the same person that this mountain of data belongs to -- will be denied passports from March 26th. The Blair government has already admitted that this and other data will be cross-linked so that the Home Office and other officials can spy on the everyday lives of innocent Britons. Britons were already the most spied upon nation in Western Europe -- more so even than Sweden. Data-mining through this unprecedented level of mass-surveillance allows any future British government to leapfrog even countries like China and North Korea." [Slashdot: Your Rights Online]

Justice Department Says F.B.I. Misused Patriot Act.

Sun, 11 Mar 2007 02:49:18 GMT

Justice Department Says F.B.I. Misused Patriot Act.

In what should not come as that big of a surprise, AP reports:

The FBI improperly and, in some cases, illegally used the USA Patriot Act to secretly obtain personal information about people in the United States, a Justice Department audit concluded Friday.

And for three years the FBI underreported to Congress how often it forced businesses to turn over the customer data, the audit found.

[sigma]The audit by Justice Department Inspector General Glenn A. Fine found that FBI agents sometimes demanded personal data on individuals without proper authorization. The 126-page audit also found the FBI improperly obtained telephone records in non-emergency circumstances.

[sigma]Fine[base ']s annual review is required by Congress, over the objections of the Bush administration.

The audit released Friday found that the number of national security letters issued by the FBI skyrocketed in the years after the Patriot Act became law.

In 2000, for example, the FBI issued an estimated 8,500 letters. By 2003, however, that number jumped to 39,000. It rose again the next year, to about 56,000 letters in 2004, and dropped to approximately 47,000 in 2005.

Over the entire three-year period, the FBI reported issuing 143,074 national security letters requesting customer data from businesses, the audit found. But that did not include an additional 8,850 requests that were never recorded in the FBI[base ']s database, the audit found.

[sigma]The FBI also used so-called [OE][base ']exigent letters,'[base '] signed by officials at FBI headquarters who were not authorized to sign national security letters, to obtain information. In at least 700 cases, these exigent letters were sent to three telephone companies to get toll billing records and subscriber information.

[OE][base ']In many cases, there was no pending investigation associated with the request at the time the exigent letters were sent,'[base '] the audit concluded.

Unbelievable. The full 199-page report can be downloaded here (PDF). And more coverage is available at Boing Boing and 27B Stroke 6.

[michaelzimmer.org]

Newly Revealed FBI Data Abuses and the Data Retention Red Flag.

Sun, 11 Mar 2007 02:43:18 GMT

Newly Revealed FBI Data Abuses and the Data Retention Red Flag.

Greetings. The release of a new report detailing massive FBI abuses of the PATRIOT Act (particularly in regard to National Security Letters), now confirms concerns that I and others have been long expressing about the potential abuse of retained Internet and other data, e.g.:

Sounding the Alarm on Government-Mandated Data Retention

An Open Letter to Google: Concepts for a Google Privacy Initiative

Broad abuses of retained data are now demonstrated to be real, not theoretical, as described in this Washington Post story.

We don't yet really know the full extent of these violations, but what has already been revealed is bad enough as a starting point.

I hope that these events will not only trigger considerable soul-searching by those firms who voluntarily retain user activity data, but also cause a renewed recognition of how broad mandated data retention can facilitate, and inevitably will facilitate, such abuses in the future.

--Lauren--

[Lauren Weinstein's Blog]

Open-source ID project awaits Microsoft's blessing | CNET News.com

Fri, 09 Mar 2007 20:42:06 GMT

An open-source rival to a Microsoft identity tool has been in limbo for months, awaiting the software giant's go-ahead on certain patent-related issues.

Developers working on the Higgins project want to create a tool equivalent to Microsoft's Windows CardSpace, but fear the software giant's legal wrath if they don't receive permission on certain features. Although parts of the project continue to move forward, proponents say it may not reach its full potential without Microsoft's help.

"There are some pieces that we would not be able to release that we would like to," Mary Ruddy, a Higgins project leader, said Thursday. "We want to make sure that the intellectual property for all of our open-source projects is really clean, so that people can feel confident about using our code."

In September, Microsoft pledged not to assert its patents pertaining to nearly three dozen Web services specifications. That did help the Higgins project, but developers say that wasn't enough to help them deliver all the features they hope to. They have asked Microsoft to provide guarantees that it won't sue on other parts of its intellectual property.

Open-Source ID Project Awaits Microsoft's Blessing.

Fri, 09 Mar 2007 20:39:39 GMT

Open-Source ID Project Awaits Microsoft's Blessing. An anonymous reader writes to mention that an open-source alternative to Microsoft's CardSpace tool has been on hold for months while they await patent blessing from the Redmond software giant. "While CardSpace is available on Windows, one goal of the Higgins project is to cover other operating systems. Higgins wants to offer an open-source alternative that works on Windows and on alternatives such as Linux and Mac OS X. The application would work similarly to CardSpace." [Slashdot]

Justice: FBI misused Patriot Act powers - Yahoo! News

Fri, 09 Mar 2007 20:34:53 GMT

The FBI improperly and, in some cases, illegally used the USA Patriot Act to secretly obtain personal information about people in the United States, a Justice Department audit concluded Friday.

And for three years the FBI underreported to Congress how often it forced businesses to turn over the customer data, the audit found.

Attorney General Alberto Gonzales, who oversees the FBI, described the problems cited in the report as unacceptable and left open the possibility of criminal charges. He ordered further investigation.

"Once we get that information, we'll be in a better position to assess what kinds of steps should be taken," Gonzales told reporters following a speech to privacy officials.

[...]

The FBI also used so-called "exigent letters," signed by officials at FBI headquarters who were not authorized to sign national security letters, to obtain information. In at least 700 cases, these exigent letters were sent to three telephone companies to get toll billing records and subscriber information.

"In many cases, there was no pending investigation associated with the request at the time the exigent letters were sent," the audit concluded.

In a letter to Fine, Gonzales asked the inspector general to issue a follow-up audit in July on whether the FBI had followed recommendations to fix the problems.

"To say that I am concerned about what has been revealed in this report would be an enormous understatement," Gonzales told the privacy officials. "Failure to adequately protect information privacy simply is a failure to do our jobs."

Senators outraged over the conclusions signaled they would provide tougher oversight of the FBI -- and perhaps limit its power.

"The report indicates abuse of the authority" Congress gave the FBI, said Senate Judiciary Committee Chairman Patrick Leahy (news, bio, voting record), D-Vt. "You cannot have people act as free agents on something where they're going to be delving into your privacy."

The committee's top Republican, Pennsylvania Sen. Arlen Specter (news, bio, voting record), said the FBI appears to have "badly misused national security letters." The senator said, "This is, regrettably, part of an ongoing process where the federal authorities are not really sensitive to privacy and go far beyond what we have authorized."

Sen. Russ Feingold (news, bio, voting record), D-Wis., another member on the panel that oversees the FBI, said the report "proves that 'trust us' doesn't cut it."

The American Civil Liberties Union said the audit proves Congress must amend the Patriot Act to require judicial approval anytime the FBI wants access to sensitive personal information. "The Attorney General and the FBI are part of the problem and they cannot be trusted to be part of the solution," said Anthony D. Romero, the ACLU's executive director.

Audit Finds FBI Abused Patriot Act.

Fri, 09 Mar 2007 20:27:43 GMT

Audit Finds FBI Abused Patriot Act. happyslayer writes to mention that according to Yahoo! News a recent audit shows that the FBI has improperly and in some cases illegally utilized the Patriot Act to obtain information. "The audit by Justice Department Inspector General Glenn A. Fine found that FBI agents sometimes demanded personal data on individuals without proper authorization. The 126-page audit also found the FBI improperly obtained telephone records in non-emergency circumstances. The audit blames agent error and shoddy record-keeping for the bulk of the problems and did not find any indication of criminal misconduct. Still, 'we believe the improper or illegal uses we found involve serious misuses of national security letter authorities,' the audit concludes." [Slashdot]

The Local - Olofsson claims Sweden has tapped phones 'for decades'

Fri, 09 Mar 2007 20:23:29 GMT

Deputy prime minister Maud Olofsson has added a new twist to Sweden's divisive surveillance debate. The Centre Party leader claims that defence minister Mikael Odenberg's proposed legislation would merely codify practices that have already been in operation for decades.

Previously, at a time when all telecommunications were state-operated, Sweden's National Defence Radio Establishment (FÃ¶rsvarets Radioanstalt - FRA) regularly tapped telephone lines in and out of the country, says Olofsson.

The Blotter(ABC NEWS) - Exclusive: Report Says FBI Violated Patriot Act Guidelines

Fri, 09 Mar 2007 17:02:02 GMT

The FBI repeatedly failed to follow the strict guidelines of the Patriot Act when its agents took advantage of a new provision allowing the FBI to obtain phone and financial records without a court order, according to a report to be made public Friday by the Justice Department's Inspector General.

The report, in classified and unclassified versions, remains closely held, but Washington officials who have seen it tell ABC News it documents "numerous lapses" and describe it as "scathing" and "not a pretty picture for the FBI."

FBI Director Robert Mueller is scheduled to brief Congress on the report at noon.

The officials say the inspector general found the FBI underreported by at least 20 percent the use of the controversial provision, known as National Security Letters, NSLs, in required disclosures to Congress.

The Patriot Act gave FBI agents the ability to demand telephone, bank, credit card and library records by issuing an administrative letter, bypassing the need to seek a warrant from a federal judge.

DNS Attack Factsheet Released.

Fri, 09 Mar 2007 16:30:25 GMT

DNS Attack Factsheet Released. Hoped to be first in a series. [GT: Security and Privacy]

Malware with Rootkit Features Grows.

Fri, 09 Mar 2007 16:28:49 GMT

Malware with Rootkit Features Grows. "Rootkit techniques are becoming increasingly popular among malware creators." [GT: Security and Privacy]

Policy Makers call for University Internet Filters.

Fri, 09 Mar 2007 16:16:28 GMT

Policy Makers call for University Internet Filters.

At today[base ']s House Judiciary Subcommittee on Courts, the Internet, and Intellectual Property hearing, titled [base "]An Update - Piracy on University Networks,[per thou] we heard from legislators that they[base ']re very concerned about [base "]piracy[per thou] on campus networks.

You should be able to watch the video of the hearing here.

The common theme of the solutions was not only educating students (which all of the witnesses said that they were working on collaboratively), but for campuses to employ technology to filter the packets flowing over the network.

[Public Knowledge - Blogging, Events, and Action Alerts]

Shred Your Data to Stay Ahead of the Pack.

Fri, 09 Mar 2007 16:09:28 GMT

Shred Your Data to Stay Ahead of the Pack. IBM's chief scientist has developed a data sharing system that hides what that data contains--by shredding it. [PC World: Latest Technology News]

Crash-Testing a Killer Bot.

Fri, 09 Mar 2007 04:57:23 GMT

Crash-Testing a Killer Bot. Israel rolls out a tiny, Uzi-toting robot. But what happens when the armed equivalent of the Blue Screen of Death occurs? In Danger Room. In Danger Room. [Wired News: Top Stories]

State Eyes Age Checks for MySpace.

Fri, 09 Mar 2007 03:36:59 GMT

State Eyes Age Checks for MySpace. Connecticut legislators want to force social-networking sites to verify users' ages and lock down parents' permission before minors can post personal profiles. By the Associated Press. [Wired News: Security Blanket]

Now on the menu at Ruby Tuesday: Better security.

Fri, 09 Mar 2007 03:30:36 GMT

Now on the menu at Ruby Tuesday: Better security. Spurred by the growing list of data breaches that have plagued other companies in recent years, restaurant chain Ruby Tuesday is moving to strengthen its credit card security efforts. [Computerworld Privacy News]

Image Gallery: Seven ways to keep your search history private.

Fri, 09 Mar 2007 03:22:29 GMT

Image Gallery: Seven ways to keep your search history private. Worried that Google and other search sites know too much about you -- and that the federal government can subpoena that data? Fear not -- we've got seven steps you can follow to keep your search history to yourself. [Computerworld Privacy News]

Managing Access to Critical Data for Protection and Privacy.

Fri, 09 Mar 2007 03:18:13 GMT

Managing Access to Critical Data for Protection and Privacy. (Source: Symantec) One common mistake that organizations make is by using Identity management solutions in isolation. Doing so risks access inflation, workarounds and coverage gaps. This white paper shows how comprehensive access management deploys identity management within a framework that includes disciplines for data protection, integration with hiring and promotion, and especially monitoring. [Computerworld Privacy News]

Homeland Security revives supersnoop - The Washington Times

Thu, 08 Mar 2007 23:21:29 GMT

Homeland Security officials are testing a supersnoop computer system that sifts through personal information on U.S. citizens to detect possible terrorist attacks, prompting concerns from lawmakers who have called for investigations.

The system uses the same data-mining process that was developed by the Pentagon's Total Information Awareness (TIA) project that was banned by Congress in 2003 because of vast privacy violations.

A Government Accountability Office (GAO) investigation of the project called ADVISE -- Analysis, Dissemination, Visualization, Insight and Semantic Enhancement -- was requested by Rep. David R. Obey, Wisconsin Democrat and chairman of the House Appropriations Committee.

The investigation focuses on whether the program violates privacy laws, and the findings will be released after completion of the Iraq war supplemental spending bill, possibly as early as this week, a panel aide said.

The ADVISE and TIA data-mining projects rely on personal data to track individual behavior and consumer transactions to develop computer algorithms that create a pattern that some behavioral scientists say can predict terrorist behavior.

Data can include credit-card purchases, telephone or Internet details, medical records, travel and banking information.

Privacy concerns prompted lawmakers on both sides of the aisle to introduce legislation in January to require that government agencies disclose data-mining practices in regular reports to Congress.

"A serious discussion on the implications of data-mining programs is long overdue," Sen. Russ Feingold, Wisconsin Democrat and a sponsor of the bill, said yesterday. Sen. John E. Sununu, New Hampshire Republican, is also a bill sponsor.

FCW.com News - Census Bureau accidentally exposes personal data

Thu, 08 Mar 2007 23:04:50 GMT

The Census Bureau accidentally posted personal information on 302 households on a public server several times since October 2006, officials said.

The personal information, including names, addresses, phone numbers, birthdates, family income ranges and other demographic data, was contained in a file that was placed on a public server for the purposes of testing new software applications. The file included about 250 fake accounts in addition to the real information. The bureau found out about the mistake when it found the file on the server in mid-February.

heise Security - All Microsoft updates phone home

Thu, 08 Mar 2007 22:54:34 GMT

Possibly as a reaction to heise Security's report that Windows Genuine Advantage Notification sends back data to Redmond even when users choose to terminate its installation, a Microsoft developer using the pseudonym alexkoc has now posted an entry in the WGA blog. There he reveals that every update that flows through Windows Update at the very least informs Microsoft about whether the installation was successful or not.

In the Privacy Statement of Windows Update Microsoft grants itself fairly far-reaching rights. Thus the information collected by the Redmond-based behemoth includes the computer make and model, version information for the operating system, browser, and any other Microsoft software for which updates might be available, Plug&Play ID numbers of hardware devices, region and language setting, Globally Unique Identifier (GUID), Product ID and Product Key, BIOS name, revision number, and revision date. By way of justifying Microsoft's approach, alexkoc writes that the EULA, likewise presented by the WGA installer, also covered the relaying of such information.

With some updates such as the WGA Notification, the installer transmits data that Microsoft says it merely requires for quality control purposes and to improve the installer itself. The WGA package thus, among other things, sends back an event code. To calm the fears of users, alexkoc presents a graphic explaining the various fields of such a data packet.

When the product IDs and product keys found belong to legal software, Microsoft will delete the data right away; only in cases of suspected software piracy will it store the data, the company has said. In the blog, the company once again explicitly states that it does not use the information gathered to identify or contact users.

Vishing: Dialing for Dollars, Part II.

Thu, 08 Mar 2007 22:41:03 GMT

Vishing: Dialing for Dollars, Part II.

Security Fix received a copy of a new scam e-mail targeting Bank of America customers that is likely to con quite a few folks before it is shut down.

Sure, Bank of America is hit by this sort of thing all the time. It's the fourth most popular target for "phishing" scams that use e-mail to lure people into giving away their data at counterfeit sites, according to stats just released by PhishTank. But this is one of the more convincing voice phishing or "vishing" attacks I've seen yet.

Vishing scams start with an e-mail lure that asks the recipient to call a specific 1-800 number to settle some matter with his or her account. The numbers usually are connected to an automated system that asks the caller to key in data from a credit card -- the 16-digit account number, the expiration date and the three-digit security code on the back.

This new Bank of America scam has the same elements, but its execution is nearly flawless (unlike the majority of previous vishing scams Security Fix has seen, which either bungle the voice mail system or use a lure full of poor spelling and grammar). It informs the recipient that his account has been suspended because it was used to purchase "obscene or certain sexually oriented goods or services." From the e-mail:

"We are hereby notifying you that, after a recent review of your account activity, it has been determined that you are in violation of Bank of America's Acceptable Use Policy. Therefore, your account has been temporarily limited for: hotjasmin.com cam shows. In order to remove the limit please call our TOLL FREE number [omitted]." That domain is registered to a guy in the Netherlands, but it's currently inactive.

I recorded a short snippet of the first 45 seconds or so of the automated phone message used in this attack. If the you enter the requested information, the voice then asks for your bank PIN: "Bank of America asks for your PIN in order to verify your identity. This also enables us to assist federal authorities in order to prevent money laundering and other illegal activities."

Generally, it's a good idea not to even dial these bogus 1-800 numbers, as you're essentially giving the scammers your phone number, a key piece of your personal data. It's also a good idea to be very suspicious of e-mails that ask you to call any number. When in doubt, open up a browser Window and find the official Web site of your financial institution, then look up the customer-service number listed there.

[Security Fix]

Patch Reprieve for March's Black Tuesday.

Thu, 08 Mar 2007 22:03:31 GMT

Patch Reprieve for March's Black Tuesday.

Windows PC users and corporate system administrators worldwide will earn a reprieve from Redmond next week. Microsoft said today it has no plans to release new software security updates this month.

It's not as if there aren't any outstanding security flaws that Microsoft could fix this month, but the situation could be a lot worse.

Perhaps Redmond is simply being kind to corporate IT folk, many of whom are working hard to update their companies' software and hardware for the early daylight saving switch this weekend: For the first time in 20 years, daylight saving time will not start on the first Sunday in April. Instead, it will begin three weeks earlier, at 2 a.m. on the second Sunday in March, the 11th. Our IT staff has sent numerous e-mails to laptop users to drop by and make sure the Macs and PCs are all up to date. (Apple and Microsoft have already pushed out patches to address this issue, and if you've been keeping up to date with them, you should be fine, but Windows users can consult this page to be sure.) By the way, updates are available to fix this shift for Palm and Windows Mobile PDAs.

Normally, Microsoft plugs security holes in its software on the second Tuesday of every month, also known as "Patch Tuesday." Microsoft moved to a regular patch cycle a few years ago to make it more predictable for companies who need to staff or schedule extra IT personnel to test and deploy the updates to what could be thousands of systems. The system administrators to whom that task falls typically dread the monthly chore and have a different name for it: "Black Tuesday."

It's been a while since Windows users have been given a pass on patches. By my count, the last time Microsoft skipped a cycle was back in September 2005.

[Security Fix]

No Microsoft Security Updates Coming Mext Week.

Thu, 08 Mar 2007 21:40:55 GMT

No Microsoft Security Updates Coming Mext Week. In one of only a handful of times since 2003, Microsoft won't have security patches available next week. [PC World: Latest Technology News]

How Computers Can Make Voting More Secure.

Thu, 08 Mar 2007 21:35:06 GMT

How Computers Can Make Voting More Secure.

By now there is overwhelming evidence that today[base ']s paperless computer-based voting technologies have such serious security and reliability problems that we should not be using them. Computers can[base ']t do the job by themselves; but what role should they play in voting?

It[base ']s tempting to eliminate computers entirely, returning to old-fashioned paper voting, but I think this is a mistake. Paper has an important role, as I[base ']ll describe below, but paper systems are subject to well-known problems such as ballot-box stuffing and chain voting, as well as other user-interface and logistical challenges.

Security does require some role for paper. Each vote must be recorded in a manner that is directly verified by the voter. And the system must be software-independent, meaning that its accuracy cannot rely on the correct functioning of any software system. Today[base ']s paperless e-voting systems satisfy neither requirement, and the only practical way to meet the requirements is to use paper.

The proper role for computers, then, is to backstop the paper system, to improve it. What we want is not a computerized voting system, but a computer-augmented one.

This mindset changes how we think about the role of computers. Instead of trying to make computers do everything, we will look instead for weaknesses and gaps in the paper system, and ask how computers can plug them.

There are two main ways computers can help. The first is in helping voters cast their votes. Computers can check for errors in ballots, for example by detecting an invalid ballot while the voter is still in a position to fix it. Computers can present the ballot in audio format for the blind or illiterate, or in multiple languages. (Of course, badly designed computer interfaces can do harm, so we have to be careful.) There must be a voter-verified paper record at the end of the vote-casting process, but computers, used correctly, can help voters create and validate that record, by acting as ballot-marking devices or as scanners to help voters spot mismarked ballots.

The second way computers can help is by improving security. Usually the e-voting security debate is about how to keep computers from making security too much worse than it was before. Given the design of today[base ']s e-voting systems, this is appropriate [~] just bringing these systems up to the level of security and reliability in (say) the Xbox and Wii game consoles would be nice. Even in a computer-augmented system, we[base ']ll need to do a better job of vetting the computers[base '] design [~] if a job is worth doing with a computer, it[base ']s worth doing correctly.

But once we adopt the mindset of augmenting a paper-based system, security looks less like a problem and more like an opportunity. We can look for the security weaknesses of paper-based systems, and ask how computers can help to address them. For example, paper-based systems are subject to ballot-box stuffing [~] how can computers reduce this risk?

Surprisingly, the designs of current e-voting technologies, even the ones with paper trails, don[base ']t do all they can to compensate for the weaknesses of paper. For example, the current systems I[base ']ve seen keep electronic records that are subject to straightforward post-election tampering. Researchers have studied approaches to this problem, but as far as I know none are used in practice.

In future posts, we[base ']ll discuss design ideas for computer-augmented voting.

WGA Reports Back To MS Even If You Choose Not To Install - Aviran's Place

Wed, 07 Mar 2007 17:06:01 GMT

Heise online reports on a very interesting action Microsoft is taking during the installation of WGA.

When you start WGA setup and get to the license agreement page but decided NOT to install the highly controversial WGA component and cancel the installation, the setup program will send your info and the fact that you choose not to install WGA back to their servers.

In addition to that it seems that the setup program send some information stored in your registry to http://genuine.microsoft.com/. While it does not specifically identify the user, it looks like it does send some identification of your computer and Windows version (see picture) to Microsoft servers.

Microsoft WGA Phones Home Even When Told No.

Wed, 07 Mar 2007 17:00:00 GMT

Microsoft WGA Phones Home Even When Told No. Aviran writes "When you start WGA setup and get to the license agreement page but decided NOT to install the highly controversial WGA component and cancel the installation, the setup program will send information stored in your registry and the fact that you choose not to install WGA back to Microsoft's servers." [Slashdot]

Malware Increased 172 Percent in 2006, According to Report.

Wed, 07 Mar 2007 15:57:37 GMT

Malware Increased 172 Percent in 2006, According to Report. Amount of malware detected in 2006 same as past 15 years, combined. [GT: Security and Privacy]

Patient control of EHR data on network gets mixed reaction

Wed, 07 Mar 2007 15:56:32 GMT

The Health and Human Services Department has received mixed reviews for its decision to insist that the next iteration of the Nationwide Health Information Network (NHIN) allow patients to control who sees their electronic health records on the network.

Dr. Robert Kolodner, interim national coordinator of health information technology, said March 1 that trial networks funded by his office should give "people the capability to decide how they view, store and control access to their own information. A person could say how that information flows to specific entities or completely block the flow of information."

"If they do what they say, it's a tremendous thing for privacy," said Dr. Deborah Peel, founder of the Patient Privacy Rights Foundation. "It's exactly what we've been talking about for a long time."

Peel said she talked with Kolodner and learned that he wants to give patients the ability to control what happens to their health information, "down to the data field level." "I think his intentions are fantastic," she said.

Asked whether such a network would be technically feasible, Peel said the existing technology would support that degree of granularity in controlling the flow of EHR data.

But Mark Rothstein, director of the Institute for Bioethics, Health Policy and Law at the University of Louisville School of Medicine, said he doubts the HHS move will make a difference. "I don't really have a lot of confidence that it would really have any effect whatsoever," said Rothstein, a member of the official National Committee on Vital and Health Statistics.

The reason Rothstein was less than enthusiastic about the HHS move: Privacy problems are primarily policy and legal issues in his view, not technology-based. Rothstein recently testified before a Senate subcommittee, criticizing HHS for failing to tackle privacy and other policy issues associated with development of the NHIN. Kolodner's announcement doesn't address many of the policy questions, he said.

Kolodner's office "has indicated no prior interest in this concept," Rothstein said, suggesting that there is no way to know how committed HHS is to its plans. Others have pointed out it is one of the first HHS health IT initiatives that deviates from plans outlined by Kolodner's predecessor, Dr. David Brailer.

Wal-Mart fires technician who recorded phone calls

Wed, 07 Mar 2007 15:52:20 GMT

March 05, 2007 (Reuters) -- CHICAGO - Wal-Mart Stores Inc. said today it fired a systems technician for intercepting text messages of people who were not Wal-Mart employees and for recording telephone conversations with a New York Times reporter without authorization.

Wal-Mart, the world's largest retailer, said an internal investigation found the technician had monitored and recorded phone calls between Wal-Mart public relations employees and a New York Times Co. reporter between September and January.

The Bentonville, Ark.-based retailer also said the technician, who worked in its information systems division, intercepted and stored text messages that contained certain key words, including those sent by people in the Bentonville area who were not Wal-Mart employees.

Wal-Mart spokeswoman Mona Williams said on a call with reporters that the technician "did this on his own."

While interviews with the technician gave the retailer an idea as to why he recorded the calls, Williams said she could not disclose the reasons because the case has been turned over to federal investigators.

Spying at Wal*Mart: Human nature run amuck?

Wed, 07 Mar 2007 15:46:37 GMT

Spying at Wal*Mart: Human nature run amuck? Does the Wal-Mart eavesdropping debacle have the potential to be this year's HP scandal? A former IT security staffer for the retailer evaluates what might have happened. [Computerworld Privacy News]

Texas House exempts courthouse clerks from privacy laws.

Wed, 07 Mar 2007 15:43:07 GMT

Texas House exempts courthouse clerks from privacy laws. The Texas House of Representatives has approved a bill that would allow local courthouse clerks to disclose "in the ordinary course of business" Social Security numbers contained in public records maintained by their offices. Computerworld Privacy News]

Crack! Security expert hacks RFID in UK passport.

Wed, 07 Mar 2007 15:41:33 GMT

Crack! Security expert hacks RFID in UK passport. The British government says that forgery of their new biometric passports is inconceivable, but a security expert has demonstrated a successful crack of the embedded RFID chip and its info. And he did it without taking the document out of its mailing envelope. [Computerworld Privacy News]

Your Wi-Fi can tell people a lot about you | CNET News.com

Wed, 07 Mar 2007 02:20:57 GMT

ARLINGTON, Va.--Simply booting up a Wi-Fi-enabled laptop can tell people sniffing wireless network traffic a lot about your computer--and about you.

Soon after a computer powers up, it starts looking for wireless networks and network services. Even if the wireless hardware is then shut-off, a snoop may already have caught interesting data. Much more information can be plucked out of the air if the computer is connected to an access point, in particular an access point without security.

"You're leaking all kinds of information that an attacker can use," David Maynor, chief technology officer at Errata Security, said Thursday in a presentation at the Black Hat DC event here. "If the government was taking this information from you, people would be up in arms. Yet you're leaking this voluntarily using your laptop at the airport."

There are many tools that let anyone listen in on wireless network traffic. These tools can capture information such as usernames and passwords for e-mail accounts and instant message tools as well as data entered into unsecured Web sites. At the annual Defcon hacker gathering, a "wall of sheep" always lists captured log-in credentials.

Errata has developed another network sniffer that looks for traffic using 25 protocols, including those for the popular instant message clients as well as DHCP, SNMP, DNS and HTTP. This means the sniffer will capture requests for network addresses, network management tools, Web sites queries, Web traffic and more.

A Network Sniffer On Steroids.

Wed, 07 Mar 2007 02:14:20 GMT

A Network Sniffer On Steroids. QuantumCrypto writes "Errata has developed a new network sniffer, dubbed 'Ferret,' that looks for traffic using 25 protocols, including those for the popular instant message clients as well as DHCP, SNMP, DNS and HTTP. This means the sniffer will capture requests for network addresses, network management tools, Web sites queries, Web traffic and more. 'You don't realize how much you're making public, so I wrote a tool that tells you,' said Robert Graham, Errata's chief executive. Errata has released the source code to this version 1.0, 'feature-poor and buggy' tool on its site. Anyone with a wireless card will be able to run it, Graham said." [Slashdot: Your Rights Online]

Cybercrime Treaty: What it Means to You

Wed, 07 Mar 2007 01:53:57 GMT

In that vein, in August the Senate ratified the Convention on Cybercrime, drafted by the Council of Europe with considerable input from the United States. So far, 43 nations have signed on. The Convention includes many sensible provisions aimed at unifying global computer-crime laws, and closes loopholes that make it possible for criminals to escape prosecution by locating their activities offshore.

But civil libertarians, along with leading telecommunications companies, strongly oppose the treaty. Civil libertarians are especially concerned about the sweeping authority given to participating countries to seize information from private parties as they investigate cybercrimes, even when the activity being investigated isn't a crime in the country where the data is located. If France is investigating a sale of Nazi memorabilia on eBay, the U.S. must cooperate, even though such transactions are not illegal in the U.S.

Telecommunications companies object to provisions that require member countries to establish and enforce potent data-retention policies for network traffic, and require any operator of a computer network to respond to requests for information from any participating country without compensation of any kind.

These are potentially serious problems, especially given that the Convention is open to any country that wants to join. But there are more practical reasons U.S. businesses should be concerned. The provisions for data retention and production apply to any operator of a computer network, not just telecoms. Worse, Article 12 attaches liability to businesses for "lack of supervision or control" of employees who commit criminal offenses covered by the Convention. Businesses must worry about employee activities that may be legal here, but illegal elsewhere, risking administrative, civil, or even criminal penalties.

These investigative and supervision costs will invariably be imposed on businesses without any real controls. Worldwide law-enforcement agencies, in other words, may now avail themselves of the opportunity to outsource their most expensive problems to you.

Cybercrime Treaty ó Hidden Costs For All.

Wed, 07 Mar 2007 01:48:08 GMT

Cybercrime Treaty [~] Hidden Costs For All. linuxtelephony writes in with an article at CIO Insight about a cybercrime treaty drafted in Europe with help from the US. It has implications for just about everyone with a network. From the article: "Civil libertarians are especially concerned about the sweeping authority given to participating countries to seize information from private parties as they investigate cybercrimes, even when the activity being investigated isn't a crime in the country where the data is located... Telecommunications companies object to provisions that require member countries to establish and enforce potent data-retention policies for network traffic, and require any operator of a computer network to respond to requests for information from any participating country without compensation of any kind... The provisions for data retention and production apply to any operator of a computer network, not just telecoms... Worldwide law-enforcement agencies, in other words, may now avail themselves of the opportunity to outsource their most expensive problems to you." [Slashdot: Your Rights Online]

Bagle Worm Still Swarming over the Net.

Wed, 07 Mar 2007 01:36:02 GMT

Bagle Worm Still Swarming over the Net. Three years after it first appeared, the Bagle is still in business, with many anti-virus engines unable to keep up, a security vendor claims [PC World: Latest Technology News]

Apple Patches QuickTime Holes.

Tue, 06 Mar 2007 16:04:12 GMT

Apple Patches QuickTime Holes.

Apple on Monday issued security patches to plug multiple security holes in its QuickTime media player software. The new version of the player -- QuickTime 7.1.5 -- fixes at least eight separate and serious vulnerabilities.

Updates are available for Mac OS X, Windows 2000, Windows XP and Windows Vista versions. Mac users can get the latest version either from Apple's site or via the built-in Software Update feature. Windows users with recent versions of QuickTime installed will already have Apple's Software Update program and should use that to get this latest version. Alternatively, Windows users can download it by following this link.

[Security Fix]

Month of PHP Bugs Gets Rolling.

Tue, 06 Mar 2007 15:58:44 GMT

Month of PHP Bugs Gets Rolling. Developer launches a Month of PHP Bugs project with 11 bugs in five days. [PC World: Latest Technology News]

Tonight(Tuesday) on Nightline - The NSA at AT&T

Tue, 06 Mar 2007 15:55:07 GMT

Tonight(Tuesday) on Nightline is an episode on the NSA having a monitoring station in the AT&T wire room. They have the guy who originally broke the story being interviewed tonight.

Top Secret: We're Wiretapping You.

Mon, 05 Mar 2007 20:41:41 GMT

Top Secret: We're Wiretapping You. The feds accidentally give a D.C. attorney a classified document showing that the NSA intercepted his phone calls without a warrant. When they ask for it back, they get a $2 million lawsuit along with it. By Ryan Singel. [Wired News: Security Blanket]

WIRED Blogs: Danger Room - The Pentagon Wants TiVo (to Watch You)

Mon, 05 Mar 2007 02:34:51 GMT

Reuters yesterday reported on a recently issued study on future technologies written by the Pentagon's Defense Science Board. More than anything, it seems these outside advisers want a surveillance system that would put Big Brother to shame, and they're looking at the commercial sector to provide it:

PC World - Microsoft OneCare Last in Antivirus Tests

Mon, 05 Mar 2007 02:27:26 GMT

Microsoft's Windows Live OneCare came in dead last out of a group of 17 antivirus programs tested against hundreds of thousands of worms, viruses, Trojan horses and other malware, an Austrian antivirus researcher reported Wednesday.

The AV Comparatives Web site, which is maintained by Andreas Cleminti from Innsbruck, Austria, posts quarterly results of tests that pit the top antivirus products against a dynamic list of nearly half a million individual pieces of malware.

Microsoft OneCare Last in Antivirus Tests.

Mon, 05 Mar 2007 02:23:42 GMT

Microsoft OneCare Last in Antivirus Tests. Juha-Matti Laurio writes "PC World has a story reporting that Microsoft's Windows Live OneCare came in dead last out of a group of 17 antivirus programs tested against hundreds of thousands of pieces of malware. The report of an Austrian antivirus researcher was released at the AV Comparatives Web site this week. Several free AV products were included in the test as well." --- While the top dog was able to find 99.5% of the malicious code, OneCare clocked in at 82.4%. Of course, there's no metric for the severity of the malware in the 17% gap. [Slashdot]

Hacker Defeats Hardware-based Rootkit Detection.

Mon, 05 Mar 2007 01:52:23 GMT

Hacker Defeats Hardware-based Rootkit Detection. Manequintet writes "Joanna Rutkowska's latest bit of rootkit-related research shatters the myth that hardware-based (PCI cards or FireWire bus) RAM acquisition is the most reliable and secure way to do forensics. At this year's Black Hat Federal conference, she demonstrated three different attacks against AMD64 based systems, showing how the image of volatile memory (RAM) can be made different from the real contents of the physical memory as seen by the CPU. The overall problem, Rutkowska explained, is the design of the system that makes it impossible to reliably read memory from computers. "Maybe we should rethink the design of our computer systems so they they are somehow verifiable," she said." [Slashdot]