The latest victim is Clarke Collision Center, an auto body shop in Hudson, Ohio. According to Craig Kintz, owner of Kintz Tech, a local security consulting company that responded to the incident, on Feb. 23 an employee of the victim firm noticed something strange when she went to log in to the company’s online bank accounts: The site said the bank’s system was down for maintenance.

Clark Collision’s bank, Cincinnati-based Fifth Third Bank, requires business customers to enter their user name and password, and a one-time passcode generated by a battery-operated key fob that is synched up to the bank’s back end servers. This approach — what banking regulators call “multi-factor authentication” — involves asking the user to provide something they know (a user name and password) in addition to something they have (a code generated by a security token).

But Kintz said that when the body shop employee visited the bank’s site and entered her user name, password and the output from the security token, she was directed to a page that said the bank’s site was temporarily unavailable. The page she was sent to even included a 1-800 number supposedly for the bank’s customer service line.

Kintz said the woman called that number, but quickly found that it was not in service. When the employee looked up the real customer service number for the bank and called to complain about the suspicious activity, she learned that there had just been a large number of wires and money transfers out of the company’s accounts to individuals in the United States and overseas, Kintz said.

“She reported it to the bank at 9 o’clock that morning,” Kintz told Krebs on Security. “By 11:30 a.m. the bank had frozen all of the company’s accounts, but by that time those accounts had all been emptied.”

Kintz said Fifth Third was able to reverse or stop payment on all of the fraudulent bank-to-bank transfers that were sent to money mules involved in the scam — willing or unwitting people in the U.S. hired by the perpetrators — but that Fifth Third was unable to reverse the wire transfers that constituted the bulk of the fraudulent transactions. Still, he said, Fifth Third ultimately made Clarke Collision whole, crediting the company’s account the remaining missing money.

Whoever hit Clarke Collision Center’s bank account was busy that day: Kintz said a bank manager told his client that four other Fifth Third business customers had been similarly attacked that very same day.

I sought comment from Fifth Third, but the bank declined to discuss any specific customer cases. Whitney Ellis, the bank’s assistant public relations manager, sent me the following statement via e-mail:

In regard to the commercial malware issue, Fifth Third Bank, as well as many other banks, has been alerted of a new wave of cyber attacks aimed toward businesses and corporations to get financial information. The Bank is determined to help its commercial clients ease this threat via aggressive customer education and additional tools to aid in the prevention of possible attacks.

For those that have been affected, we are working with the customer and proper authorities to try and rectify the situation. We have been, and will continue to be in contact with our clients in aggressive customer education and sharing best practices to help prevent these type of cyber crimes.

I don’t have any special inside knowledge, and I can’t speak for Microsoft, but when I look at the publicly available information it’s pretty clear to me how the cycle works.

60 Day QA Cycle

A 30 to 60 day QA cycle on a Microsoft patch is typical, and it’s actually pretty easy to tell how many days a patch was probably in QA. If you are curious, download the patch manually and take a look at the date the file was digitally signed. This isn’t an absolutely accurate date because a patch could drop in and out of the QA process several times, but it’s a reasonable approximation.

Using this method I calculated the average dates for the Dec 2009 patches at 54 days, November 2009 patches at 36 days, and October 2009 at 45 days. It’s not too hard to jump from those numbers to an average 60 day cycle.

Roller Coaster Months

The security teams in charge of acquiring, testing and installing patches can feel like they are on a roller coaster with Microsoft patches. In just the first three months of 2010 we’ve already had wild swings in the number of CVEs and bulletins. January saw 2 bulletins, followed by huge February with 13, and then this week we saw just 2 again.

If we plot the number of bulletins along side the number of CVEs patched each month, there is a distinct pattern. Most Microsoft patches are obviously on a two month push. The first graph plots Microsoft release trends from January 2006 to March 2010. The second graph shows just the last two years, 2008 and 2009, where the wild up and down pattern is more obvious.

Lessons Learned

We’ll never be able to predict the exact patch details for any month, but security teams can use these data points to help with planning. We all know that resources are short, but the risks and threats continue to grow, so better utilization of resources has never been more important.

There are no shortage of vendor patches. Luckily, Microsoft not only releases their patches on a predefined schedule, they are also fairly predictable in size. Since March was a pretty light Patch Tuesday, we can expect that the bulletin count for April will jump back up into double digits.

If you are the resource manager for a team of people in charge of your company’s patching methodology, just knowing that can help you plan. This month is your chance to catch up from January. Thinking ahead to April, it makes sense to anticipate a large release from Microsoft so plan to have all hands on deck.

Not really much of a mystery after all is it?

Patches:
On Tuesday, Microsoft released two bulletins that addressed eight vulnerabilities in Windows Movie Maker and Microsoft Producer 2003, as well as Excel.

The roles of TNC and IETF
As many of you know from my posts and talks, I always distinguish between frameworks and standards. TNC is a consortium that created a framework for NAC communications and endpoint checks. Many vendors have already bought in to the TNC specifications, but there have been a few holding out; Cisco being the largest and most influential. Strangely enough, Cisco wanted to have a standard in place, versus a less formal framework. Ironic, I know. In any event, the IETF (in the form of IETF’s NEA) has been trying to fill that gap of true NAC standards. The problem has been that, although vendors said “yes” to the IETF standards, no one was contributing any new specifications for it. Here’s where TNC reenters the picture. Slowly but surely, the IETF has been adopting the TNC’s frameworks as accepted specs for the standards.

The importance of this announcement
Today’s news demonstrates one more big step in the right direction for TNC, IETF and all the vendors participating. With the acceptance of two more TNC specifications into the IETF standard, we can expect to round out the full IETF NAC Standard by the close of 2010. With a full set of standards, vendors will be able to offer scalable, evolving solutions that integrate more seamlessly with the rest of the infrastructure. Exciting, isn’t it!?

The announcement begins

Internet Engineering Task Force Publishes Network Access Control Standards Based on Trusted Computing Group Specifications

PORTLAND, MARCH 11, 2010 - Trusted Computing Group today announced that two specifications created by its Trusted Network Connect (TNC) work group have been accepted and published as specifications by the Internet Engineering Task Force (IETF). This means that developers and OEMs wanting to create network access control products now will have a single set of standards to support.
“Enterprise users are the real winners; the agreement on a single standard for network access control and endpoint assessment will provide consistency across products from leading networking vendors,” said Russ Housley, chairman of the IETF.

Noted Steve Hanna, co-chairman of the TCG TNC work group and of the IETF working group on this topic, “This industry-wide agreement on standards will increase the number of vendors and customers adopting standards-based network security. In addition, products developed for the new standards can be deployed with the many existing products using TNC specifications to protect the network and critical assets from a myriad of threats.”

The first standard (called PB-TNC by the IETF and IF-TNCCS 2.0 by the TCG) defines a standard way to perform a health check of a network “endpoint” such as a laptop computer or printer. If the endpoint is not healthy, it can be fixed or have its network access restricted. The second standard (called PA-TNC by the IETF and IF-M 1.0 by the TCG) defines a standard set of health checks that are commonly performed, such as checking anti-virus status. These newest standards are based on the TNC standards that customers have been using for years.
continued

You can read the full press release online at: http://www.trustedcomputinggroup.org/media_room/news/113

Look for more information and content soon about TCG’s TNC, IETF and NAC standards, including a video interview with TNC’s Steve Hanna.

Resources and links:

• Trusted Computing Group http://www.trustedcomputinggroup.org
• IETF http://www.ietf.org

 # # #

The debate rages as to who is should be the one to set the time frame for responsible disclosure?  Should the person who identified and reported the vulnerability to the vendor also be the one to determine that timeframe?  That sounds a bit like extortion to me.  "Fix this problem by the time I say you should have it fixed by else we’ll expose you to the world"  seems an awful like someone who is sitting more toward the "black" end of the white/black hat spectrum. 

Should the vendor be the one to control that timeframe based on their knowledge of the risk factors (i.e. how exploitable is this problem?, Is it already being exploited?, What is the potential for damage if it were to be exploited?, How will it affect our market position, amongst other criteria) and other defined priorities?  Should they be held accountable for patching known flaws regardless of these factors due to their fear of being taken to task by the person who found the bug? 

In Byron’s article, he specifically mentions a campaign by Karsten Nohl, who is threatening to expose a longstanding flaw in the encryption method used on GSM phones that will allow eavesdropping of conversations to take place.  Nohl mentions in the article that this is already being exploited widely, but is also calling upon the community of hackers to crack the encryption method.  If it is already being exploited (meaning that proof of concept code exists), why is he calling on the community do it?  Isn’t that somewhat reinventing the wheel?  I didn’t quite follow this path in Byron’s article. 

So, what’s the point to all of this?  On one side we have "grey hat" (in my opinion this designation is silly.  Grey hat is just a candy-coated way of saying "black hat", but wanting to appear as if you have the public’s best interests in mind) hackers who feel like they are the superheroes of the security community by holding threat of humiliation over the heads of companies who don’t fix software flaws on their timeframe (Nohl suggests that the flaw he threatens to expose has existed for 15 years.  I am not sure how many of us are truly in the position to either confirm or refute that claim).  One the other we have companies who may have good intentions to fix vulnerabilities, but clearly perform their own internal risk assessments first based on a number of criteria, only a few of which I mentioned earlier. 

In my opinion, the answer to the question "how long should a vendor have to fix a reported vulnerability?" lies with the vendor and with the vendor alone.  Certain factors may cause a company to shift those priorities and release a patch outside of their regular software release cycles or the flaw might be something that doesn’t get fixed until the next major software release.  Either way, if you really have the common good (as opposed to your own inflated ego) in mind, you’ll let the vendor responsible for fixing the bug do so on a timetable that is acceptable to both them and their customers.  If their customers aren’t happy with whatever that timeframe is, don’t worry, they’ll complain loudly (customers do that ) and the vendor will be forced to shift their priorities accordingly.  The process self-regulates that way and leaves the over inflated egos out of it.

Obviously there are many opinions on both sides of the fence on this issue.  So, let’s have them!  Feel free to drop me a note at sam AT mxlogic.com or on Twitter as "@smasiello". 

Please contact us at securitybuzz AT mxlogic DOT com with your questions or thoughts and we’ll try to cover them during the next or upcoming tapings of the show. 

Thanks for listening to us on the Security Buzz podcast.  We hope that you find the show both enjoyable and educational!

While on the machine the attacker was able to replace the ssh (Secure Shell) client and server applications with versions that would log the usernames and passwords of those who were to access that machine.

Although the Apache folks believe that they identified and remediated the vulnerability quickly, and that no software available on the site was compromised, if you have recently downloaded software from the Apache web site, you might want to take a cynical approach and remove and reinstall the software from the uncompromised site that Apache has up now. 

Information is still slowly coming out about this story, and we will likely know more in the coming days.  It is important to note at this point that although Apache believes that they identified and fixed the problem quickly, the possibility remains until we hear otherwise that this server may have been compromised by hackers for some time and that many software downloads had potentially been affected if any publicly available software was modified. 

My advice: Be over-protective.  Keep a close eye on the traffic coming in and going out of your network to look for anything suspicious.  With over 50% of the web server installations worldwide, Apache is a potential high-value target for criminals as any infected software downloads could lead to backdoors in systems that install binaries with embedded trojans.

The IIS vulnerability exists in their FTP server in a directory with write access which means that the FTP server must both be turned on and a user (anonymous users also included) must be able to write to a directory in order to exploit the hole. 

The suggested workaround until a patch can be released is to turn off write access to the FTP server. 

Most IIS installations are not vulnerable to this exploit due to the nature of the configuration required to take advantage of it, however it will affect enough of them where it is cause for concern.  Take the necessary precautions to review your IIS web server configuration.  With proof of concept code available online, it will only be a short matter of time before malicious exploits are making their rounds.

*** UPDATE 9/1/2009 9:00pm MDT *** Microsoft has acknowledged the IIS FTP 0-day via the bulletin posted here.  Microsoft is still determining whether or not it will release an out of band patch and does not currently believe that there are any malicious exploits in the wild taking advantage of the vulnerability.

So, the question that I pose to myself is "What’s Next?"  Taking even just the events of the last decade into account, where are we headed for the next few years?  Some of this is obviously hard to determine because that also involves being able to forecast what new technologies will be released, but we can start to make some assumptions based off of what is available today. 

Since this is a blog post, I’ll try to keep this relatively brief.  Maybe it is something that I can submit as an article to some technology pub as a full byline article (Here’s a free plug for the folks over at (IN)Secure Magazine, who just released Issue 22 today.  I like them and I’ve had the opportunity to write for them twice now) at some point soon.

Some things to think about:

– The Insider Threat
Especially given the current economic conditions and the uneasiness around many offices around the country as to whether or not their companies will remain viable, organizations need to be ever cognizant of the data that is leaving their organization.  Given that the latest USB 3.0 spec that was released in November 2008 allows for data transfer speeds at about 5Gb per second sensitive, proprietary corporate data can be pulled off a company’s network an onto a thumb drive faster than ever before.  Couple that with the number of disgruntled employees who either see the writing on the wall for their own jobs or who are upset at benefit and wage freezes/cutbacks, and you have a dangerous cocktail for data theft.  We need to make sure we are putting as much focus on protecting our sensitive assets from insiders who much more easily have access to proprietary data as we do keeping the external threats at bay.

– VoIP
Voice over Internet Telephony technologies are being adopted at an ever increasing rate.  This is happening not only in the enterprise space, but in the consumer market.  Services like Vonage make it easier than ever for people to have portable phone numbers so that they can be easily reachable at local numbers by family members out of state.  VoIP implementations at organizations are also becoming ever popular as well.  As these technologies become more widely adopted we have started to see hints of what abuse of these tools might look like.  Throw away phone numbers used to make spam phone calls have started to become more common.  There are services available online which allow you to purchase throw away numbers in blocks.  Spammers and can use and abuse these numbers just like they do IP addresses now. 

Another thing to watch out for is the compromise of VoIP systems as vulnerabilities start coming out in larger quantities.  Threats like direct voicemail injection will become another method that cyber criminals will use in order to get advertisements delivered to end users.  As the social engineering used in these threats improves, they could easily be used to steal personal identities and corporate data. 

– Mobile Malware
Let’s face it.  The phones that we carry in our pockets are little personal computers.  Although they lack the computing power of the quad-core processors now becoming commonplace on personal computers, they are another "always connected" device that people always have turned on.  I think the only time that I turn mine off on a weekly basis is when we are doing our weekly recording of the Security Buzz podcast, and that is mainly because the GSM buzz wreaks havoc with the microphones (and our Executive Producer’s headphones ).  As mobile phone manufacturers have opened up their APIs to developers to create third party applications, they will need to be ever diligent in their QA processes to make sure that applications don’t get posted to their distribution channels that contain some form of malware or open up a trojan backdoor to the device.  The mobile phone industry is growing by leaps and bounds with the addition of new, better, more feature rich smartphones entering the market.  The smartphone market is too large of a target for cyber criminals to ignore, especially if you consider the value of the data that we are now storing on these devices.  Secure sandboxing of third party applications is a must, but that is only a start.  Only hundreds of mobile malware variants exist today (compared to the approximately 1 every 4 seconds that is released for PCs), but that number is slowly growing and as hackers pay more attention to how they can penetrate mobile devices, that number is sure to only increase.

– Social Networking
Social networks provide an interesting shift in the information sharing game because the rules that typically govern what personal data people are willing to share seem to have gone out the window.  This has really opened the door for cyber criminals.  With the data that is now available online through the use of social media sites like Facebook, Myspace, and Twitter criminals can much more easily target attacks to specific individuals or groups of individuals using data made available via public profiles or geolocation tools that map your IP address to what town you live in (or near) so that they can deliver compelling content which direct you to malware infected downloads (ala the Waledac botnet).  The Web of Trust that exists between users on social networking sites is being actively exploited regularly by hackers looking to take advantage of the fact that users will click on whatever their friends send to them.  It’s already been proven that people will click on links and open attachments from people they don’t know so why would they judge more closely the content from those that they do.

– Political Hacktivism
Recently cyber criminals have picked up the pace a bit with respect to using online resources like social networking sites to quickly spread political messages in order to help them spread propaganda and recruit people to fight for their cause.  Due to the sensitive nature of political issues and the passion that people have for them, social engineering techniques like creating highly controversial views on sensitive topics is something that cyber criminals will latch onto in order to get people to react quickly and irresponsibly to either open attachments or visit websites that they would normally scrutinize more closely. 

These are only a small sampling of what I believe we will be encountering as we move forward (I didn’t even go into the increased prevalence of compromise of legitimate web sites, and the further use of file sharing services, and calendar spam!), but they are things that we will need to keep top of mind as we look toward what threats are coming down the road.  Hackers will go where the money is and the money is where the people are.  So, whether it is Twitter, MySpace, Facebook, email, instant messenger, or our phones, criminals will leverage whatever technology is available because in their eyes the goal is to make money regardless of the available technologies, and if one person can be the one to figure out how to exploit a technology for their own financial gain before the others they’ll end up getting the lion’s share of the notoriety as well as beat defense mechanisms to the punch.

The email attempts to trick the user into believing that they misreported their income and gives them a link where they can review their tax statement online.

The link in the email does not directly install malware on the user’s machine.  Instead, potential victims are directed to a web site where they can download an executable file named tax_statement.exe, which contains the malicious code.

Earlier this morning our Threat Operations Center noticed a new spam campaign originating from the Cutwail botnet that is sending out emails spoofing the IRS.  We are currently observing traffic averaging about 90,000 messages per hour using this tactic.

The email that users are receiving which appears to come from no-reply@irs.gov is attempting to get them to believe that they misreported their income on their taxes and that the IRS is giving them an opportunity to fix it. 

The email provides a link for the user to view their recent tax statement online.  This link does not directly infect the user’s machine, but instead directs them to a website where the malicious code is being delivered from. 

If the user clicks on any of the links on this page, they are directed to download an application called tax_statement.exe.  As of the time of this posting, AV detection for this new variant is low. 

Please remember that the IRS does not know your email address and will not conduct official business with you over email.  Any email purporting to do so is a scam and should be deleted immediately.

Friday usually get people excited since it’s countdown to the weekend but this week we’re excited about it because we’re going to be having some stellar guests participate in the SecurityBuzz podcast.

As you may recall last week Robert Scoble’s WordPress blog Scobleizer was hacked. We’ve asked Scoble and Rob La Gesse, director of customer development at Rackspace to join us to discuss corporate blogs and security issues they face, how to prevent them, etc.

The podcast will be posted Friday afternoon so stay tuned. In the meantime, let us know if you have any questions you’d like for us to ask these guys and/or answer during the podcast. You can post them here or send me a note via Twitter - @smasiello.

ALERT: Over the next several weeks I will be transitioning the MX Logic IT Security Blog over to the McAfee Avert Labs blog.  Please continue to follow me there. 

Now onto today’s blog post

Another celebrity death.  Another recycled scareware tactic attemping to lure users to download malware by telling them that their PC is infected with a virus.  We saw it after the deaths of Michael Jackson, Farrah Fawcett, and Natasha Richardson earlier this year.  Now the attention of cyber criminals has turned to Monday’s death of Patrick Swayze as the soup du jour for malware distribution.

Queries for information on the death of the popular actor may lead to news stories that look legitimate when returned in search results, but when followed will lead users to a site that looks like this:

This similar tactic of presenting a window to the user that looks very much like a legitimate Windows popup has been used many times before in various forms.  The Windows Explorer-like screen presented to the user also uses geolocation to attempt to identify the country and city that the user is coming from in an attempt to make the user believe that their data is actively under attack.  Popups with phrases like "Scan procedures finished.  34 Potential aggressive items was found!" and "Your computer remains infected by threats!  They might lead to data loss and file structure damage, and needed to be heal as soon as possible.  Return to Total Security and download it secure to your PC" also attempt to trick users into believing that the only way that they can protect themselves from infection is by downloading bogus security software.

Clearly scareware tactics are something that cyber criminals have latched onto as a popular method for malware distribution as it continues to be a recurring and evolving theme.  Conficker/Downadup largely popularized scareware with its success (although it wasn’t the first to use it) and now others are riding of that popularity to repurpose it for their own scams.

In the latest social engineering tactic targeting people who like to play games online, a new spam campaign has emerged attempting to lure users into downloading a Monopoly game, which is more like a game of Russian Roulette.  The email arrives as a seemingly innocuous invite from a random user (usually your first clue that this is something to avoid!) using an inviting subject line like "Play Online Together" or "Tom has invited you to play Monopoly":

If the recipient follows the link to the monopoly2009.com web site, they are greeted with a web page that actually looks fairly well done advertising the Monopoly "game" and encouraging the user to download using several links dispersed throughout the page after giving a brief history of the game and providing some fun facts.

No code is injected on the user’s computer just by visiting the web page.  They need to download and install the monopoly.exe executable file that the site tries to deliver.  The executable file is just the first stage of the process, however.  A fairly common tactic being deployed by hackers is that the code that is installed as a result of the web site download is only the beginning.  At this point the trojan is activated on your computer, and now it is going to go out to another computer behind the scenes and download the second stage of the malware, the piece that turns your machine into a spam sending zombie touting Canadian Pharmacy products.

As the icing on the cake, the folks who created the page also included a hit counter at the bottom to lead you to believe that there are people playing the game online right now.  Don’t be fooled.  This is merely a counter of how many people have visited the page thus far.

You can sign up for the webinar here. The applicability of database assessment is pretty broad, so I’ll cover as much as I can in 30 minutes. If I gloss over any areas you are especially interested in, we will have 10 minutes for Q&A. Or you can send questions in ahead of time and I will try to address them within the slides, or you can submit a question in the GoToMeeting chat facility during the presentation.

- Adrian Lane
(0) Comments

read more

Zeus is the king when it comes to botnet creation kits. The Zeus kit sells for as little as $300.00 USD, or as much as $2,000 USD.

…criminals attempt to transfer the sum of 1 euro cent to several accounts at a particular bank, using account numbers they have generated at random. If the payment gets rejected by the bank, then the account number does not exist – but if the transfer goes through successfully, then the crooks know they have stumbled upon a genuine account number….

Armed with the account number, the crooks then start transferring sums of money out of that account, disguised as payments for supposed purchases or services.

And why is this a form of business logic abuse?  Because the criminals are using a legitimate function – transferring money between accounts – to confirm account numbers.  This is analogous to password guessing – guess the credential (in this case the account number) and then get  response to whether or not you were correct.

You can see the full article here.

Tagged: business logic abuse, Online Fraud, password guessing

I just read the sad announcement that SecurityFocus is going to be shut down (or phased out to sound more nice). The mailing lists will remain for a while, but all the rest will be moved to the Symantec web site…

Take a look: http://www.securityfocus.com/news/11582:

Beginning March 15, 2010 SecurityFocus will begin a transition of its content to Symantec Connect. As part of its continued commitment to the community, all of SecurityFocus’ mailing lists including Bugtraq and its Vulnerability Database will remain online at www.securityfocus.com There will not be any changes to any of the list charters or policies and the same teams who have moderated list traffic will continue to do so. The vulnerability database will continue to be updated and made available as it is currently. DeepSight and other security intelligence related offerings will remain unchanged while Infocus articles, whitepapers, and other SecurityFocus content will be available off of the main Symantec website in the coming months.

While the news portal section of SecurityFocus will no longer be offered, we think our readers will be better served by this change as we combine our efforts with Symantec Connect and continue to provide a valuable service to the community. As always, if you have any questions or concerns you can reach us at editor-at-securityfocus-dot-com.

Security Focus was a good site while it last and served its purpose very well.

Related Posts

1. Kelly: When I Grow Up…
2. Steve Benson: Tempus Fugit
3. Steve Benson: CageWorld
4. Steve Benson: Feeling Better
5. Steve Breen: Winter Games…

Ford and TellMe To Store 'Utterances'

Astonishing news of Ford Motor Corporation’s [FORD MOTOR CO (NYSE:F)] with the assistance of Microsoft Corporation (NasdaqGS: MSFT) borg-like Ford Sync, had decided to  ‘listen’ in on conversations (and store the binary recordings) that occur within the company’s consumer vehicles equipped with the already flawed Windows CE Operating System. A snippet of the SyncMyRide terms and conditions agreement, proving this, appears after the jump, and immediately thereafter, a full version of the online T&O also appears. Oops, best to read before use, don’t you think?

Ford Sync Terms and Conditions

Ford’s Service provider Tellme Networks, Inc. (“Tellme”), a subsidiary
of Microsoft Corporation, may record and retain user voice utterances
(“recorded utterances”), which are recordings of sounds made when the
TDI Service is in listen state and waiting for a user command or
response. These recorded utterances may include all sounds in the
vehicle, including the voice of the user and voices of other vehicle
occupants, while the service is in listen state. Tellme may also, at
Ford’s request, randomly record and assemble in sequence, all voice
communications made from the time the Service is connected (by the
user pressing the VOICE button) to the time the Service is
disconnected.

(“Whole call recordings (WCRs)”). WCRs will include voice utterances
and may include any other sounds in the vehicle, including the voices
of the user and other vehicle occupants, during the entire time the
Service is connected. Both recorded utterances and WCRs may be
associated with you or the cell phone number assigned to the Service.

—

Terms & Conditions of Use

SYNC Services SMS Text Message Alerts Summary

The SYNC Services subscriptions can be configured by registered SYNC Owners to receive Short Message Service (SMS) text messages. In this case, a mobile carrier’s message and data rates may apply to the use of these SMS text messages. Also, the frequency of these SMS text messages depends upon user activity and subscription preferences. Registered SYNC Owners can opt-out of receiving SMS text messages by changing their service preferences on the www.SYNCMyRide.com website or by sending STOP to 4SYNC (47962) short code. For help with using SMS Text Message Alerts, text HELP to 47962 or call Ford Customer Relations at 800-392-3673. Carriers supporting SYNC Services SMS text messaging include: Alltel, AT&T, Boost, Cincinnati Bell, Nextel, Sprint, T-Mobile, U.S. Cellular, Unicel and Verizon Wireless.

SYNC Traffic, Directions and Information Service and Vehicle Health Report

General Information

Your vehicle is equipped with SYNC. SYNC features may include Traffic, Directions and Information, and Vehicle Health Report, (the “SYNC Services”). The Traffic, Directions and Information Service can provide you with personalized traffic reports and text message traffic alerts, precise turn-by-turn driving directions, business searches, and news, sports, and weather updates (“Information Service”). Vehicle Health Report is an online service provided exclusively to SYNC customers by Ford Motor Company (“FORD”) in cooperation with the Ford or Lincoln Mercury Dealership you select as your preferred dealer (“your dealer”) that allows you to monitor various aspects of vehicle service including Malfunction Indicator Lights (in your dash), scheduled maintenance, un-serviced maintenance and wear items from your preferred dealer, and recalls. Any vehicle service or repairs performed by your dealer are solely the responsibility of the dealer.

Acceptance of Terms and Conditions of Use

Traffic, Directions and Information and Vehicle Health Report are available on certain SYNC-equipped vehicles produced by Ford for sale and operation in the United States (excluding U.S. territories). Your access to and use of the SYNC Services are subject to these Terms and Conditions of Use and all www.SYNCMyRide.com policies and guidelines, including the www.SYNCMyRide.com — Privacy Statement, hereafter collectively the “Terms and Conditions.”

By clicking “I Accept” below, you the user (“User”) agree to be bound by these Terms and Conditions whether or not you have read them. If you do not agree to these Terms and Conditions, you will be unable to run or activate the SYNC Services. You must be at least 18 years old, or the age of majority, as determined by the laws of your state of residency, to accept these terms and conditions and assume the obligations set forth in these Terms and Conditions. Further, you agree to make all other drivers, passengers or guests of your car aware of these Terms and Conditions and subject to these Terms and Conditions. You are solely responsible for the use of the SYNC Services for your vehicle, even if you are not the one using the SYNC Services and even if you claim later that another person’s use was not authorized.

Ford may at its sole discretion, with or without notice, modify these Terms and Conditions at any time and such modifications will be effective immediately upon being posted on this website. Your continued use of the SYNC Services will indicate your acceptance of these modified Terms and Conditions of Use. If you do not agree to the Terms and Conditions or any modification of the Terms and Conditions, then you must immediately stop using the Vehicle Health Report and/or Traffic, Directions and Information. By activating and using Vehicle Health Report and/or Traffic, Directions and Information, you represent that you possess a valid driver’s license for operating a SYNC-equipped vehicle in the United States. For information on how to turn off Vehicle Health Report or how to cancel the Traffic, Directions and Information Service in your vehicle, refer to your SYNC Owner Guide Supplement.

Ford may make changes to the content of Vehicle Health Report and/or the Traffic, Directions and Information Service or this website with or without notice at any time.

NOTE: If you want to retain a copy of these Terms and Conditions, copy and paste them into a word document and then save or print.

Vehicle Health Report

Vehicle Health Report is provided to SYNC-equipped vehicle owners at no additional charge and, as such, Ford at its sole discretion reserves the right to modify, restrict, or discontinue the service to any individual, entity, partially or in total, with or without notice, at any time. Cell phone airtime and/or SMS messaging usage may apply when using the Vehicle Health Report feature.

Vehicle Health Report – Text Messaging

The Vehicle Health Report service can be configured by SYNC customers to receive Short Message Service (SMS) text messages when their Vehicle Health Report is ready and if it contains an urgent fault condition. Message and Data Rates May Apply. The customer can opt-out of receiving text messages by: changing their service preferences on the www.SYNCMyRide.com website, sending STOP to 4SYNC (47962) short code, or replying STOP to any of the Vehicle Health Report service text messages. Help on using SMS text messages for Vehicle Health Report notifications can be found at www.SYNCMyRide.com or obtained by sending HELP to the 4SYNC (47962) short code. A complete list of carriers supported for Vehicle Health Report notifications can be found at www.SYNCMyRide.com. There are no subscription or activation fees for Vehicle Health Report. Subscription term is for as long as you own the vehicle. Vehicle Health Report service is compatible with AllTel, AT&T, Boost, Cincinnati Bell, Nextel, Sprint, T-Mobile, U.S.Cellular, Verizon Wireless Bluetooth^™ enabled handsets.

Scope of Vehicle Health Report and Your Ownership Responsibility

Always follow Ford’s scheduled maintenance instructions, regularly inspect your vehicle, and seek diagnosis and repair of damage or concerns at an authorized Ford or Lincoln Mercury dealership. Vehicle Health Report provides point-in-time status, at the time each health report is initiated, for certain vehicle electronic systems that have self-monitoring capability. Other systems’ status may be reported based on Ford or Lincoln Mercury dealership repair records; however, not all systems and vehicle components are reported by Vehicle Health Report. Vehicle Health Report does not replace the need to perform scheduled maintenance and vehicle inspections. Failure to perform scheduled maintenance and regularly inspect your vehicle may result in vehicle damage and/or serious injury.

If you would like to report a concern with your vehicle, please visit your authorized dealership or click here to Contact Us.

Vehicle Health Report Privacy Notice

When you run a Vehicle Health Report, Ford Motor Company may collect your cell phone number (to process your report request) and diagnostic information about your vehicle. Certain versions or updates to Vehicle Health Report may also collect additional vehicle information. Ford may use the vehicle information it collects, as well as information regarding individual access to Vehicle Health Reports at www.SYNCMyRide.com for any purpose. If you do not want to disclose your cell phone number or vehicle information, do not run the feature or set up your Vehicle Health Report profile at www.SYNCMyRide.com. Refer to www.SYNCMyRide.com — Privacy Statement — for more information.

Because SYNC provides service through wireless networks, we can’t promise that your communications won’t be intercepted by others. You agree we won’t be liable for any damages for any loss of privacy occurring in communication over such networks.

Vehicle Health Report Accounts, Passwords, and Security

To activate Vehicle Health Report through this website, you must register (includes setting up a user name and password) and establish preferences. Registration and preference setting are necessary to allow us to generate your Vehicle Health Report and to communicate with you about it. You are entirely responsible for maintaining the confidentiality of your account information, including your password, and for any and all activity that occurs under your account. You agree to notify Ford immediately of any unauthorized use of your account or password, or any other breach of security. However, you may be held liable for losses incurred by Ford or your dealer due to someone else using your user name, password, cell phone number or account. You may not use anyone else’s user name, password, cell phone number or account at any time without the express permission and consent of the holder of that user name, password, cell phone number or account. Ford and your dealer cannot and will not be liable for any loss or damage arising from your failure to comply with these obligations.

Never read text messages while driving. Always perform scheduled maintenance and regular vehicle inspections, and always review the vehicle owner guide for complete information. Never rely on Vehicle Health Report SMS text messages as a replacement for any of these functions. Not all systems and vehicle components are reported by Vehicle Health Report and even fewer will deliver text messages. Failure to perform scheduled maintenance, regularly inspect your vehicle, and review owner guide information may result in vehicle damage and/or serious injury.

Vehicle Health Report – Service Appointment Acceptance/Confirmation

Your receipt of a confirmation that your online service appointment request has been sent to your dealer does not signify your dealer’s acceptance of all items contained in your request, nor does it constitute an obligation for Ford or your dealer to fulfill them. Ford and your dealer reserve the right at any time after receipt of your service appointment request to accept or decline the appointment or any portion thereof for any reason.

Traffic, Directions and Information

You must register on www.SYNCMyRide.com to activate Traffic, Directions and Information. New vehicle owners will receive up to three (3) years of service from the vehicle sale date as recorded by the dealer, with yearly renewals required. Your subscription will continue for the length of the 3 year initial term but you must renew the subscription annually, based on your vehicle sale date as recorded by your dealer, at www.SYNCMyRide.com to continue the service. No refunds will be given if the Traffic, Directions and Information Service is cancelled during the 3 year complimentary service term period. This complimentary 3 year service term period is available for original owners only and is not transferrable. To add the service on incremental phones, additional Traffic, Directions and Information Service subscriptions must be purchased. Subsequent owners and incremental phones will need to separately subscribe to Traffic, Directions and Information and pay the subscription fee. Use of Traffic, Directions and Information Service requires purchase from your mobile phone carrier of standard airtime minutes.

The Traffic, Directions, and Information feature allows you to set preferences in your account at www.SYNCMyRide.com. You will be able to request traffic alerts, set saved points for use when seeking turn-by-turn directions, and set favorites for use when retrieving sports, news, and weather information. When setting your preferences, you may not create address point names that are profane or obscene. Ford reserves the right to remove and/or discontinue service if profane or obscene address point names are created, and to determine, in its sole discretion, what content constitutes profane or obscene.

Many different and changing considerations affect the availability, cost and quality of information services. Accordingly, Ford reserves the unrestricted right to change, rearrange, add, or delete Information Service, with or without notice to you. You always have the right to cancel your subscription to the Service if you do not accept any change. Your continued use of the Traffic, Directions and Information Service following any programming changes will constitute your acceptance of such changes.

Traffic, Directions and Information Service – Scope and Availability

The Traffic, Directions and Information Service is available in 50 United States. Not all services will be available in all markets and coverage is limited to your cellular phone coverage. Use of the Traffic, Directions, and Information Service will require registration. You can register at www.SYNCMyRide.com. To register, you will need your vehicle identification number (VIN) and the phone number to which you wish to link your Traffic, Directions, and Information Service. Until and unless you purchase another subscription, the Traffic Directions and Information Service will only work with the cellular phone that is registered. Though the subscription is not transferable to a subsequent vehicle owner, should the need arise you can change the phone number associated with the Traffic, Directions, and Information Service at www.SYNCMyRide.com.

You will only be able to register for Traffic, Directions, and Information if your vehicle is equipped with the Traffic, Directions and Information Service.

The Traffic, Directions and Information Service uses data from third parties to provide services and the data provided, including maps, may not always be accurate.

The Traffic, Directions and Information Service utilizes voice recognition software that can recognize many voices, accents, speech patterns and words, but not all and it may not work with your voice.

The Traffic, Directions and Information Service consists of a wide variety of voice applications. Many different and changing considerations affect the availability, cost and quality of programming. Ford reserves the unrestricted right to change, rearrange, add, or delete information services and programming, and our prices, at any time, with or without notice to you. You always have the right to cancel your subscription to Traffic, Directions and Information, in whole or in part, if you do not accept any change. To cancel your subscription, please reference the Cancellation section below which sets forth cancellation requirements. If you do not cancel your Subscription within 30 days of a change, your continued receipt of Traffic, Directions and Service will constitute your acceptance of such changes.

The Traffic, Directions and Information Service may be unavailable or interrupted from time to time for a variety of reasons, such as environmental or topographic conditions and other things, many of which Ford cannot control. Service might also not be available in certain places (e.g., in tunnels, parking garages, or within or next to buildings) or near other technologies. Ford is not responsible for any interruptions of Traffic, Directions or Information.

Traffic, Directions and Information Service – Initial Complimentary Subscription

A three year complimentary subscription to the Traffic, Directions, and Information Service is included with the purchase of a new SYNC-equipped vehicle. For vehicles that come factory equipped with software that supports the Traffic, Directions, and Information Service, this subscription begins on the sale date of the vehicle as recorded by your dealer (not upon activation) and is not transferable.

For early model 2010 vehicles that are subject to late software availability, this subscription begins on the date that the software update to support Traffic, Directions, and Information is available, expected to be on or about 18MAY09. This subscription is also not transferable.

Only new vehicle owners are entitled to three years of complimentary service. Owners must register on www.SYNCMyRide.com to activate Traffic, Directions and Information. To continue services, owners must renew their complimentary subscriptions annually at www.SYNCMyRide.com. Subscriptions are not transferable and are valid for one phone only. To allow service on incremental phones additional subscriptions must be purchased.

Ford reserves the right to cancel your complimentary subscription at any time if you are found not to be eligible as a new vehicle owner, if you violate or breach any of these terms, or for any other reason in Ford’s sole discretion. There will be no refunds associated with the complimentary subscriptions.

Purchasing Traffic, Directions and Information Service – Subscriptions

Subscriptions, subscription extensions, subscriptions for subsequent vehicle owners and incremental phones can be purchased at www.SYNCMyRide.com. Subscription fees and other charges and fees are subject to change without notice. You are responsible for paying for service, taxes, fees, or surcharges. You are responsible for notifying us of billing disputes. You must pay in advance by credit card. You must update your account immediately with any change in your name, address, email address, or telephone number.

You are responsible for all taxes or other government fees and charges, if any, which are assessed based on the address on your account. Taxes will be assessed based on your credit card billing address.

Ford reserves the right to cancel your subscription at any time if you fail to pay amounts owing to us when due, violate or breach any of these terms, or for any other reason in our sole discretion. If your subscription is cancelled, you will still be responsible for payment of all outstanding balances accrued through the cancellation date, including any fees described herein.

Traffic, Directions and Information Service – Cancellations and Refunds

You may cancel your subscription at any time at www.SYNCMyRide.com. If you cancel your paid subscription prior to its expiration, you will be refunded on a pro-rata basis, an amount based on the unused portion of your subscription. Subscription fees are tracked monthly and refunds will not be made for partial months of service. Upon cancellation, the service will continue for the remainder of that month (as tracked by the original subscription date) and the refund amount will be calculated accordingly. Your cancellation will become effective on your next subscription “cycle date” which is the next month anniversary of your initial activation date (i.e., if you activated your Subscription on January 15th and cancel on April 1st your Subscription will end on April 15th). A cancellation fee may apply. There are no refunds for complimentary three years subscription provided to original owners.

Refunds are posted to the credit card that was used to purchase the subscription. There may be instances where this takes time or issues may arise in posting refunds due to expired credit cards or other reasons. The User should follow-up with bank/financial institution to assure that refunds are made as requested. It is the User’s responsibility to notify us of any billing disputes.

If you have a question about your Service, subscription, subscription fees, charges, or bill, or if you would like to change or reactivate your subscription, please go to www.SYNCMyRide.com.

If you wish to dispute any charge, you must contact us by mail or phone (by following the instructions on our website (www.SYNCMyRide.com) within 120 days after the due date of the payment in question. OTHERWISE YOU WAIVE YOUR RIGHT TO DISPUTE THE CHARGE.

Vehicle Traffic, Directions and Information Service – Safety Information and Information Accuracy

When using the Traffic, Directions and Information Service maintain your hands on wheel and your eyes on road. Driving while distracted can result in loss of vehicle control, accident and injury. Ford strongly recommends that drivers use extreme caution when using any device that may take their focus off the road. The driver’s primary responsibility is the safe operation of their vehicle.

Always use street signs, good judgment and obey traffic laws. Any navigation features are provided only as aids. Make your driving decisions based on your observations of local conditions and existing traffic regulations. Any such feature is not a substitute for your personal judgment. Any route suggestions made by this system should never replace any local traffic regulations or your personal judgment or knowledge of safe driving practices. Do not follow the route suggestions if doing so would result in an unsafe or illegal maneuver, if you would be placed in an unsafe situation, or if you would be directed into an area that you consider unsafe. The driver is ultimately responsible for the safe operation of the vehicle and therefore, must evaluate whether it is safe to follow the suggested directions. Maps used by this system may be inaccurate because of changes in roads, traffic controls or driving conditions. Always use good judgment and common sense when following the suggested routes. Do not rely on any navigation features included in the system to route you to emergency services. Ask local authorities or an emergency services operator for these locations. Not all emergency services such as police, fire stations, hospitals and clinics are likely to be contained in the map database for such navigation features.

The Traffic, Directions, and Information Service and the Vehicle Health Report may send text messages to the driver’s cell phone. Such text messages are intended to be read in a safe manner, such as when the vehicle is not moving or through the use of SYNC’s text message reader feature. Do not read text messages while driving. Follow all applicable local and state laws.

Traffic, Directions and Information Service – Accounts, Passwords, and Security

To activate the Traffic, Directions and Information Service through this Website www.SYNCMyRide.com, you must first register (includes setting up a User name and password) and establish preferences. You are entirely responsible for maintaining the confidentiality of your account information, including your password, and for any and all activity that occurs under your account. You agree to notify Ford immediately of any unauthorized use of your account or password, or any other breach of security. However, you may be held liable for losses incurred by Ford or your dealer due to someone else using your user name, password, cell phone number, or account. You may not use anyone else’s user name, password, cell phone number, or account at any time without the express permission and consent of the holder of that user name, password, cell phone number, or account. Ford and your dealer cannot and will not be liable for any loss or damage arising from your failure to comply with these obligations.

Ford at its sole discretion reserves the right to modify, restrict, or discontinue the service to any individual, entity, or in total, with or without notice, at any time. Cell phone airtime usage may apply when using SYNC services.

Traffic, Directions and Information Service – Privacy Notice

When you activate the Traffic, Directions and Information (“TDI”) Service (“Service”) online at www.SYNCMyRide.com, we collect information about you, including the cellular number to which you wish to link your service, and you may record your name during the registration process. See the online Privacy Policy at www.SYNCMyRide.com.

When you connect to the TDI Service in your vehicle, the Service uses GPS technology and advanced vehicle sensors to collect your vehicle’s current location, travel direction, and speed (“vehicle travel information”) for the purpose of helping to provide you with the directions, traffic reports, or business searches you request. Additionally, in order to provide the services you request, and to troubleshoot problems and create a more personalized experience when using the Service, Ford’s TDI Service providers may collect, log, store, and share with Ford and with Ford’s other TDI Service providers details pertaining to your requests, including such things as your cell phone number, type of request, vehicle travel information, address information for driving direction requests, and other information you have provided such as your-user-defined routes for direction or traffic information, business directory look-ups, and sports, news and weather favorites (collectively referred to as “call details”). These call details may be linked to you or the cell phone number linked to the Service.

By activating or using the Service you expressly agree to the collection, logging, storage, and sharing of your vehicle travel information and other call details for the purposes set forth above in these Terms and Conditions regardless of whether or not you have read them. Further, you agree to obtain the consent to the collection, logging, storage, and sharing of vehicle travel information and other call details for the purposes set forth above from any other person(s) to whom you provide access to and use of the Service via your cell phone. If you don’t consent or wish to disclose this information, do not activate or use the Service.

Ford’s Service provider Tellme Networks, Inc. (“Tellme”), a subsidiary of Microsoft Corporation, may record and retain user voice utterances (“recorded utterances”), which are recordings of sounds made when the TDI Service is in listen state and waiting for a user command or response. These recorded utterances may include all sounds in the vehicle, including the voice of the user and voices of other vehicle occupants, while the service is in listen state. Tellme may also, at Ford’s request, randomly record and assemble in sequence, all voice communications made from the time the Service is connected (by the user pressing the VOICE button) to the time the Service is disconnected. (“Whole call recordings (WCRs)”). WCRs will include voice utterances and may include any other sounds in the vehicle, including the voices of the user and other vehicle occupants, during the entire time the Service is connected. Both recorded utterances and WCRs may be associated with you or the cell phone number assigned to the Service. Tellme records and retains recorded utterances and WCRs (if Ford requests) for the purpose of improving the performance of voice recognition and to improve the overall design of the user interface. Tellme, Inc. may share recorded utterances and WCRs with Ford for this purpose, and Ford may use them for this purpose. .

By activating or using the Service, you expressly agree to the recording and sharing of your utterances and WCRs as set forth above for the purposes set forth above in these Terms and Conditions regardless of whether or not you have read them. Further, you agree to obtain the consent to record utterances and WCRs from any other person(s) to whom you provide access to and use of the Service via your cell phone. If you don’t consent or wish to disclose this information, do not activate or use the Traffic, Directions and Information Service.

Ford will not share any personally identifiable information associated with (a) vehicle travel information, (b) other call details, (c) recorded utterances or (d) WCRs that it obtains in connection with providing the TDI Service with independent third parties for their independent use unless required by law. Ford’s TDI Service providers are required to keep such information confidential and are not permitted to use this information for any other purpose than to carry out the Service they are performing for Ford. Ford and its Service providers will disclose personally identifiable information, without notice, only if required to do so by law or in the good faith belief that such action is necessary to (a) conform to the edicts of the law or comply with legal process served on Ford or its Service providers; (b) protect and defend the rights or property of Ford Motor Company or SYNC or its Service providers, and (c) act under exigent circumstances to protect the personal safety of users of Ford Motor Company, SYNC, or the public. Ford reserves the right to use and share any aggregate (non-personally identifiable) information it obtains in connection with providing the TDI Service in your vehicle for any purpose. If you don’t consent or wish to disclose this information, do not activate or use the Traffic, Directions and Information Service.

Because SYNC provides service through wireless networks, we can’t promise that your communications won’t be intercepted by others. You agree we won’t be liable for any damages for any loss of privacy occurring in communication over such networks.

Text Messaging – Traffic, Directions, and Information

Based on the preferences that you select at www.SYNCMyRide.com for Traffic, Directions, and Information, the Traffic, Directions and Information service may send SMS (text) messages to your registered cell phone. Message and Data Rates May Apply. Such text messages are intended to be read in a safe manner, such as when the vehicle is not moving or through the use of SYNC’s text message reader feature. Do not read text messages while driving. Follow all applicable local and state laws. To stop receiving these text messages, please change the preference settings on your account at www.SYNCMyRide.com, or reply to any SYNC text message that you do receive with the word “stop”.

Traffic Alerts

Traffic Alerts SMS text message subscription automatically renews monthly. Normal usage of Traffic Alerts would be expected to generate fewer than ten messages per month. The actual number of alerts received will vary based on traffic conditions and based on the number of Traffic Alerts you have set in your preference settings on your account at www.SYNCMyRide.com. Opt-out of receiving Traffic Alert SMS text messages by: changing the preference settings on your account at www.SYNCMyRide.com, sending STOP to 58400 short code, or replying STOP to any of the Traffic Alert service text messages. Help on using SMS text messages can be obtained by going to www.SYNCMyRide.com, by sending HELP to the 58400 short code, or by calling the Ford Customer Relations Center at 1-800-392-3673.

Changes

Ford reserves the right to terminate accounts, and remove or edit content at its sole discretion. Your dealer reserves the right to refuse service at its sole discretion.

Ford reserves the right to change or terminate this Website, or any portion thereof, at any time with or without notice. Any and all changes and/or amendments to these Terms and Conditions will become binding immediately.

Errors on Our Website

The SYNC Services described in this website may include inaccuracies, including within the Vehicle Health Report itself, or typographical errors that may be corrected as they are discovered at the sole discretion of Ford or your dealer. Availability of the SYNC Services is subject to change without notice. All service appointments and associated vehicle services are the responsibility of you and your dealer and should be handled in accordance with your dealer’s service policy.

Termination of Use

Ford, in its sole discretion, may terminate your account or your use of SYNC Services at anytime. Ford reserves the right to change, suspend, or discontinue all or any aspects of the SYNC Services at any time without prior notice.

Limitation of Liability

In no event shall Ford, its affiliates, and any of their respective directors, officers, employees, agents, or other representatives be liable for any direct, indirect, special, incidental, consequential, punitive, or aggravated damages (including without limitation, damages for loss of data, income, profit, loss of or damage to property, and third-party claims), or any other damages of any kind, arising out of, or in connection with, the Traffic, Directions and Information Service and/or the Vehicle Health Report or this website; any materials, information, qualification, and recommendations appearing on this website; any software, tools, tips, products, or services offered through, contained in, or advertised on this website; any link provided on this website; and your account and password, whether or not Ford has been advised of the possibility of such damages. Furthermore, in no event shall any Traffic, Directions, and Information Service provider be liable for any indirect, special, incidental, consequential, punitive, or aggravated damages (including without limitation, damages for loss of data, income, profit, loss of or damage to property, and third party claims) arising from or in connection with the use or performance of such services. This exclusion of liability shall apply to the fullest extent permitted by law. This provision shall survive the termination of your right to use Vehicle Health Report and/or the Traffic, Directions and Information, and this website. You acknowledge that you will be fully liable for all damages resulting directly or indirectly from the use of the Traffic, Directions, and Information Service, and/or the Vehicle Health Report for your vehicle and this website.

Indemnification

You agree to indemnify and hold harmless Ford and its affiliates and their respective directors, officers, employees, agents, or other representatives from and against all claims, liability and expenses, including all legal fees and costs arising from or relating to (a) your breach of these Terms and Conditions of Use; (b) transmission or placement of information or material by you on this website; and (c) errors associated with Vehicle Health Report, and/or the Traffic, Directions and Information Service. This provision shall survive the termination of your right to use this website.

Dispute Resolution

All claims, disputes or controversies (whether in contract or tort, pursuant to statute or regulation, or otherwise, and whether pre-existing, present or future) arising out of or relating to: (a) these Terms and Conditions of Use; (b) errors associated with Vehicle Health Report and/or the Traffic, Directions and Information Service; (c) any advertisement or promotion relating to these Terms and Conditions of Use; (d) Vehicle Health Report and/or the Traffic, Directions and Information Service transactions; or (e) the relationship which results from these Terms and Conditions of Use (including relationships with third parties who are not party to these Terms and Conditions of Use) (collectively “Claims”), will be referred to and determined by binding arbitration governed by the Federal Arbitration Act and administered by the American Arbitration Association under its rules for the resolution of consumer-related disputes, or under other mutually agreed procedures. Because this method of dispute resolution is personal, individual and provides the exclusive method for resolving such disputes, you further agree, to the extent permitted by applicable laws, to waive any right you may have to commence or participate in any class action or class-wide arbitration against Ford related to any Claim. This provision shall survive the termination of your right to use this website.

SYNC End User License Agreement (EULA)

● You have acquired a device (“DEVICE”) that includes software licensed by FORD MOTOR COMPANY from an affiliate of Microsoft Corporation (“MS”). Those installed software products of MS origin, as well as associated media, printed materials, and “online” or electronic documentation (“MS SOFTWARE”) are protected by international intellectual property laws and treaties. The MS SOFTWARE is licensed, not sold. All rights reserved.

● The MS SOFTWARE may interface with and/or communicate with, or may be later upgraded to interface with and/or communicate with additional software and/or systems provided by FORD MOTOR COMPANY. The additional software and systems of FORD MOTOR COMPANY origin, as well as associated media, printed materials, and “online” or electronic documentation (“FORD SOFTWARE”) are protected by international intellectual property laws and treaties. The FORD SOFTWARE is licensed, not sold. All rights reserved.

● The MS SOFTWARE and/or FORD SOFTWARE may interface with and/or communicate with, or may be later upgraded to interface with and/or communicate with additional software and/or systems provided by third party software and service suppliers. The additional software and services of third party origin, as well as associated media, printed materials, and “online” or electronic documentation (“THIRD PARTY SOFTWARE”) are protected by international intellectual property laws and treaties. The THIRD PARTY SOFTWARE is licensed, not sold. All rights reserved.

● The MS SOFTWARE, FORD SOFTWARE and THIRD PARTY SOFTWARE hereinafter collectively and individually will be referred to as “SOFTWARE.”

● IF YOU DO NOT AGREE TO THIS END USER LICENSE AGREEMENT (“EULA”), DO NOT ACCEPT THESE TERMS AND CONDITIONS.

● GRANT OF SOFTWARE LICENSE. This EULA grants you the following license:

○ You may use the SOFTWARE as installed on the DEVICE and as otherwise interfacing with systems and/or services provide by or through FORD MOTOR COMPANY or its third party software and service providers.

● DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS.

○ Speech Recognition. If the SOFTWARE includes speech recognition component(s), you should understand that speech recognition is an inherently statistical process and that recognition errors are inherent in the process. Neither FORD MOTOR COMPANY nor its suppliers shall be liable for any damages arising out of errors in the speech recognition process.

○ Limitations on Reverse Engineering, Decompilation and Disassembly. You may not reverse engineer, decompile, or disassemble nor permit others to reverse engineer, decompile or disassemble the SOFTWARE, except and only to the extent that such activity is expressly permitted by applicable law notwithstanding this limitation.

○ Single EULA. The end user documentation for the DEVICE and related systems and services may contain multiple EULAs, such as multiple translations and/or multiple media versions (e.g., in the user documentation and in the software). Even if you receive multiple EULAs, you are licensed to use only one (1) copy of the SOFTWARE.

○ SOFTWARE Transfer. You may permanently transfer your rights under this EULA only as part of a sale or transfer of the DEVICE, provided you retain no copies, you transfer all of the SOFTWARE (including all component parts, the media and printed materials, any upgrades, and, if applicable, the Certificate(s) of Authenticity), and the recipient agrees to the terms of this EULA. If the SOFTWARE is an upgrade, any transfer must include all prior versions of the SOFTWARE.

○ Termination. Without prejudice to any other rights, FORD MOTOR COMPANY or MS may terminate this EULA if you fail to comply with the terms and conditions of this EULA.

○ Security Updates/Digital Rights Management. Content providers are using the digital rights management technology (“DRM”) contained in your DEVICE to protect the integrity of their content (“Secure Content”) so that their intellectual property, including copyright, in such content is not misappropriated.  Portions of the SOFTWARE and third party applications such as media players use DRM to play Secure Content (“DRM Software”). If the DRM Software’s security has been compromised, owners of Secure Content (“Secure Content Owners”) may request that MS and/or FORD MOTOR COMPANY block the ability of DRM license servers and personal computers to deliver new licenses that enable an affected DEVICE to play Secure Content.  This action does not alter the DRM Software’s ability to play unprotected content.  A list of revoked DRM Software is sent to your DEVICE whenever you download a license for Secure Content from the Internet or from your personal computer.  You therefore agree that MS and/or FORD MOTOR COMPANY may, in conjunction with such license, also download revocation lists onto your DEVICE on behalf of Secure Content Owners.  MS will not retrieve any personally identifiable information, or any other information, from your DEVICE by downloading such revocation lists.

○ Consent to Use of Data. You agree that MS, Microsoft Corporation, FORD MOTOR COMPANY, third party software and systems suppliers, their affiliates and/or their designated agent may collect and use technical information gathered in any manner as part of product support services related to the SOFTWARE or related services. MS, Microsoft Corporation, FORD MOTOR COMPANY, third party software and services suppliers, their affiliates and/or their designated agent may use this information solely to improve their products or to provide customized services or technologies to you. MS, Microsoft Corporation, FORD MOTOR COMPANY, third party software and systems suppliers, their affiliates and/or their designated agent may disclose this information to others, but not in a form that personally identifies you.

○ Internet-Based Services Components. The SOFTWARE may contain components that enable and facilitate the use of certain Internet-based services. You acknowledge and agree that MS, Microsoft Corporation, FORD MOTOR COMPANY, third party software and service suppliers, their affiliates and/or their designated agent may automatically check the version of the SOFTWARE and/or its components that you are utilizing and may provide upgrades or supplements to the SOFTWARE that may be automatically downloaded to your DEVICE.

○ Additional Software/Services. The SOFTWARE may permit FORD MOTOR COMPANY, third party software and service suppliers, MS, Microsoft Corporation, their affiliates and/or their designated agent to provide or make available to you SOFTWARE updates, supplements, add-on components, or Internet-based services components of the SOFTWARE after the date you obtain your initial copy of the SOFTWARE (“Supplemental Components”).

○ If FORD MOTOR COMPANY or third party software and services suppliers provide or make available to you Supplemental Components and no other EULA terms are provided along with the Supplemental Components, then the terms of this EULA shall apply.

○ If MS, Microsoft Corporation, their affiliates and/or their designated agent make available Supplemental Components, and no other EULA terms are provided, then the terms of this EULA shall apply, except that the MS, Microsoft Corporation or affiliate entity providing the Supplemental Component(s) shall be the licensor of the Supplemental Component(s).

○ FORD MOTOR COMPANY, MS, Microsoft Corporation, their affiliates and/or their designated agent reserve the right to discontinue without liability any Internet-based services provided to you or made available to you through the use of the SOFTWARE.

○ Links to Third Party Sites. The MS SOFTWARE may provide you with the ability to link to third party sites through the use of the SOFTWARE. The third party sites are not under the control of MS, Microsoft Corporation, their affiliates and/or their designated agent. Neither MS nor Microsoft Corporation nor their affiliates nor their designated agent are responsible for (i) the contents of any third party sites, any links contained in third party sites, or any changes or updates to third party sites, or (ii) webcasting or any other form of transmission received from any third party sites. If the SOFTWARE provides links to third party sites, those links are provided to you only as a convenience, and the inclusion of any link does not imply an endorsement of the third party site by MS, Microsoft Corporation, their affiliates and/or their designated agent.

○ Obligation to Drive Responsibly. You recognize your obligation to drive responsibly and keep attention on the road.  You will read and abide with the DEVICE operating instructions particularly as they pertain to safety and assumes any risk associated with the use of the DEVICE.

● UPGRADES AND RECOVERY MEDIA.

○ If the SOFTWARE is provided by FORD MOTOR COMPANY separate from the DEVICE on media such as a ROM chip, CD ROM disk(s) or via web download or other means, and is labeled “For Upgrade Purposes Only” or “For Recovery Purposes Only” you may install one (1) copy of such SOFTWARE onto the DEVICE as a replacement copy for the existing SOFTWARE, and use it in accordance with this EULA, including any additional EULA terms accompanying the upgrade SOFTWARE.

● INTELLECTUAL PROPERTY RIGHTS. All title and intellectual property rights in and to the SOFTWARE (including but not limited to any images, photographs, animations, video, audio, music, text and “applets,” incorporated into the SOFTWARE), the accompanying printed materials, and any copies of the SOFTWARE, are owned by MS, Microsoft Corporation, FORD MOTOR COMPANY, or their affiliates or suppliers. The SOFTWARE is licensed, not sold. You may not copy the printed materials accompanying the SOFTWARE. All title and intellectual property rights in and to the content which may be accessed through use of the SOFTWARE is the property of the respective content owner and may be protected by applicable copyright or other intellectual property laws and treaties. This EULA grants you no rights to use such content. All rights not specifically granted under this EULA are reserved by MS, Microsoft Corporation, FORD MOTOR COMPANY, third party software and service providers, their affiliates and suppliers. Use of any on-line services which may be accessed through the SOFTWARE may be governed by the respective terms of use relating to such services. If this SOFTWARE contains documentation that is provided only in electronic form, you may print one copy of such electronic documentation.

● EXPORT RESTRICTIONS. You acknowledge that the SOFTWARE is subject to U.S. and European Union export jurisdiction. You agree to comply with all applicable international and national laws that apply to the SOFTWARE, including the U.S. Export Administration Regulations, as well as end-user, end-use and destination restrictions issued by U.S. and other governments. For additional information, see http://www.microsoft.com/exporting/.

● TRADEMARKS. This EULA does not grant you any rights in connection with any trademarks or service marks of FORD MOTOR COMPANY, MS, Microsoft Corporation, third party software or service providers, their affiliates or suppliers.

● PRODUCT SUPPORT. Product support for the SOFTWARE is not provided by MS, its parent corporation Microsoft Corporation, or their affiliates or subsidiaries. For product support, please refer to FORD MOTOR COMPANY instructions provided in the documentation for the DEVICE. Should you have any questions concerning this EULA, or if you desire to contact FORD MOTOR COMPANY for any other reason, please refer to the address provided in the documentation for the DEVICE.

● No Liability for Certain Damages. EXCEPT AS PROHIBITED BY LAW, FORD MOTOR COMPANY, ANY THIRD PARTY SOFTWARE OR SERVICES SUPPLIERS, MS, MICROSOFT CORPORATION AND THEIR AFFILIATES SHALL HAVE NO LIABILITY FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES ARISING FROM OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THE SOFTWARE. THIS LIMITATION SHALL APPLY EVEN IF ANY REMEDY FAILS OF ITS ESSENTIAL PURPOSE. IN NO EVENT SHALL MS, MICROSOFT CORPORATION AND/OR THEIR AFFILIATES BE LIABLE FOR ANY AMOUNT IN EXCESS OF U.S. TWO HUNDRED FIFTY DOLLARS (U.S.$250.00).

�         THERE ARE NO WARRANTIES OTHER THAN THOSE THAT MAY EXPRESSLY BE PROVIDED FOR YOUR NEW VEHICLE.

Microsoft End User Notice for SYNC Services [Is this for all SYNC Services or just Traffic, Directions and Information Service?]

End User Notice

Microsoft® Windows® Mobile for Automotive

Important Safety Information

This system Ford SYNC contains software that is licensed to Manufacturer FORD MOTOR COMPANY by an affiliate of Microsoft Corporation pursuant to a license agreement. Any removal, reproduction, reverse engineering or other unauthorized use of the software from this system in violation of the license agreement is strictly prohibited and may subject you to legal action.

Read and Follow Instructions

Before using your Windows Automotive-based system, read and follow all instructions and safety information provided in this end user manual (“User’s Guide”). Not following precautions found in this User’s Guide can lead to an accident or other serious consequences.

Keep User’s Guide in Vehicle

When kept in the vehicle, the User’s Guide will be a ready reference for you and other users unfamiliar with the Windows Automotive-based system. Please make certain that before using the system for the first time, all persons have access to the User’s Guide and read its instructions and safety information carefully.

Warning:

Operating certain parts of this system while driving can distract your attention away from the road, and possibly cause an accident or other serious consequences. Do not change system settings or enter data non-verbally (using your hands) while driving. Stop the vehicle in a safe and legal manner before attempting these operations. This is important since while setting up or changing some functions you might be required to distract your attention away from the road and remove your hands from the wheel.

General Operation

Voice Command Control

Functions within the Windows Automotive-based system may be accomplished using only voice commands. Using voice commands while driving allows you to operate the system without removing your hands from the wheel.

Prolonged Views of Screen

Do not access any function requiring a prolonged view of the screen while you are driving. Pull over in a safe and legal manner before attempting to access a function of the system requiring prolonged attention. Even occasional short scans to the screen may be hazardous if your attention has been diverted away from your driving task at a critical time.

Volume Setting

Do not raise the volume excessively. Keep the volume at a level where you can still hear outside traffic and emergency signals while driving. Driving while unable to hear these sounds could cause an accident.

Use of Speech Recognition Functions

Speech recognition software is inherently a statistical process which is subject to errors. It is your responsibility to monitor any speech recognition functions included in the system and address any errors.

Navigation Features

Any navigation features included in the system are intended to provide turn-by-turn instructions to get you to a desired destination. Please make certain all persons using this system carefully read and follow instructions and safety information fully.

Distraction Hazard

Any navigation features may require manual (non-verbal) setup. Attempting to perform such set-up or insert data while driving can seriously distract your attention and could cause an accident or other serious consequences. Stop the vehicle in a safe and legal manner before attempting these operations.

Let Your Judgment Prevail

Any navigation features are provided only as an aid. Make your driving decisions based on your observations of local conditions and existing traffic regulations. Any such feature is not a substitute for your personal judgment. Any route suggestions made by this system should never replace any local traffic regulations or your personal judgment or knowledge of safe driving practices.

Route Safety

Do not follow the route suggestions if doing so would result in an unsafe or illegal maneuver, if you would be placed in an unsafe situation, or if you would be directed into an area that you consider unsafe. The driver is ultimately responsible for the safe operation of the vehicle and therefore, must evaluate whether it is safe to follow the suggested directions.

Potential Map Inaccuracy

Maps used by this system may be inaccurate because of changes in roads, traffic controls or driving conditions. Always use good judgment and common sense when following the suggested routes.

Emergency Services

Do not rely on any navigation features included in the system to route you to emergency services. Ask local authorities or an emergency services operator for these locations. Not all emergency services such as police, fire stations, hospitals and clinics are likely to be contained in the map database for such navigation features.

Related Posts

1. Astounding… Five Year Old Walmart Breach Revealed
2. New Amazon AWS Public Beta Announced
3. ENISA: Security Risks Within Remote eHealth Monitoring & Treatment
4. SANS: Signs of Compromise
5. Locative Computing Dangers

The …

Cyber-criminals have been taking a longer and longer view …

Cybercriminals often take advantage of public interest in both individual celebrities and world entertainment events, so it is …

Daytona Beach, Florida 
Panel Presentation: George Japak

More Information

Q: Tell us a little about yourself.

I am the security intern at Liquidmatrix Security Digest, however I am currently on hiatus as I went from part-time to full-time student last fall. I miss contributing more than I imagined I would. New semester, new schedule, I’m hoping to fit in a day or two a week again. In addition to that, I’m a mom and a person who teaches, learns and shares.

Q: How did you get interested in information security?

People contain information. Loads of information. People interest me greatly. And I’m surrounded by smart people who hold important information. I am also surrounded by dumb people who hold even more important information. I’m interested in helping the first group excel and succeed and ensuring that the second group are well contained and effectively managed. I suppose that really means “human resources”, actually, and I think there is a fairly large contingent of people in information technology who would like to deal less with traditionally educated human resource type folks. I am fairly certain that is where my future lies. The kind of specialist who can mediate and integrate smart technical people with organizations who need their smarts.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I am currently working on my undergraduate degree, though I do have 40 years of life experience. I believe that because I’m focusing more on people hacking that I do need formal education to get my foot in the door. From what I’ve witnessed however, people don’t necessarily need a Comp Sci degree to make a name and place for yourself in information security. Ultimately though, parenting has taught me much about how to manage people, especially those who persist in acting like children after they have offices and suits and shiny computers.

Q: What did you want to be when you grew up? Would you rather be doing that?

Oh brother. Shoot me. Nao. I wanted to be an accountant. Or rather, I thought I did. That said, I was far more interested in playing euchre in the student center than I was attending any of the pre-requisite courses for accounting in university. Turns out, one cannot earn credit for garnering both bowers and going alone. So now, 20 years later I’m continuing that education but in a different direction. I’ve never really lost the desire to create order from chaos, and isn’t a project team just like a shoe-box full of receipts at tax time?

Q: What projects (if any) are you working on right now?

My degree is the big one. And finding my niche. Also, I need an original idea or ten and a thesis to follow. Oh, and training a cadre of miniature hackers suitable for deployment in any situation requiring equal parts social engineer and cuteness.

Q: What is your favorite security conference (and why)?

I think that because Notacon (Cleveland, OH) was my first conference, it’ll always hold a special spot. I like it’s intimacy and the variety of content. I really enjoyed DefCon though I was at times a little overwhelmed by the sheer volume of people there. Ask me this question again in a few weeks after I’ve had a ride on the mechanical moose at Shmoocon.

Q: What do you like to do when you’re not “doing security”?

Parenting, homework, DDR, perezhilton.com, scrabble, fighting the laundry pile, the twitter and it’s internets and watching movies.

Q: What area of information security would you say is your strongest?

The hacking of the people. Social engineering. For certain.

Q: What about your weakest?

Every other.

Q: Can you share with us a story of your social engineering prowess?

I’ve always been able to tell a convincing story. Ditch day comes to mind, I assured my Mom I was not one of the 4 people in the bank on ditch day… but I digress. One of the earliest and most memorable occurred after a football game when I was in high school. Earlier in the week, a friend and I had been to the Army Surplus store and bought neon orange construction vests and hard hats. That Friday evening just before the game was over, we parked our cars perpendicular to the intersection leaving the school, completely blocking one of 2 roads out of the parking lot. The other road led to the bowling alley parking lot. With flashlights in hand, standing in the middle of the road with nothing other than a sense of mischief to guide us, we directed the entire population leaving the game into parking spaces at the bowling alley. A harmless prank though I learned that night that simply acting the part can reap stunning results.

Q: What advice can you give to people who want to get into the information security field?

Me giving advice is about the funniest concept ever but I will say this: there is a place for everyone. You may find yourself looking in from the outside and having no idea where to start. Make contacts. Contacts are endlessly useful. When you ask a question, shut the hell up and listen to the answer. Seek advice from those smarter than yourself. IE: not me.

Q: This is a fairly male dominated industry. How do plan to blaze your own trail upon completion of your degree and do you think your gender will help or hinder that plan?

I’m optimistic enough to think I’ll do just fine. I’m realistic enough to know that not only do I have gender going against me, I also have age. I’m not a fresh-faced graduate. Some will think that’s a benefit, others probably will not.

When I first began the “intern gig” liquidmatrix.org, people assumed I was male for a long time and I did not dissuade anyone of that. Women face challenges that men do not. As a “young male”, the intern was accepted by most. As an “old(er) female”, I was fairly sure people would view me with a more critical eye and dismissive attitude. Women often struggle to be taken seriously, I’d never been wholly accepted and with few exceptions @securityintern was a trusted entity. That was new for me and oddly satisfying. Having said all that, I have knowledge and insight to bring to the table. I’m also old enough to know that choosing battles carefully is a skill, almost an art-form, and which weapons to use in order to gain ground. New graduates don’t have that. Hopefully, someone(s) will find value in what I offer.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

Twitter: @securityintern

Email: infosecintern@gmail.com

You see, there are a variety of factors that play into what a security program should contain, and every organization is completely different. Security requirements can be influenced by whether a company is public or private, its vertical markets and even its size, among other things. They can also be impacted by the organization’s level of security awareness.  As a result, some companies may have IT departments that include one security-focused resource; others may have entire departments with multiple resources, while some don’t have any security experts on staff at all. This disparity makes it almost impossible to come up with a one-size-fits-all, cookie cutter approach to information security.

So, rather than focus on the development process, which is clearly just one aspect of security, each company really needs to think about how its overall security program should look when it’s mature. The underlying goal is always to define and develop a program that protects the confidentiality, integrity and availability of information assets. This requires taking the appropriate steps to evaluate the organization’s current risk landscape as well as the risk-reducing potential of available solutions.

Using this risk-based approach, companies will be able to see where they fall short when it comes to compliance, including for regulations and standards such as HIPAA, GLBA, and PCI, and mitigate gaps. Organizations will also be better equipped to address their unique risks with measures that are logical, efficient and cost-effective. Furthermore, companies will be in a position to effectively test the integrity of their existing security program so they can see where their current measures are sufficient and where they are not, and then weigh their priorities based on need.

It is not news to anybody that threats are present in every environment and, regardless of the existence of an information security program, incidents can and do occur. However, organizations that invest time and effort into implementing coherent information security practices reduce both the likelihood (probability) and scope of the episode. This translates into an enormous business impact. Failing to entrust data can be very costly, including the direct expenses associated with detecting, halting and repairing compromised systems, as well as the tangential expenses tied to attempting to restore a ruined reputation. There also are penalties for violating state and federal privacy laws under the principles of unfair or deceptive trade practices, and the inherent loss of productivity, which can result in tens of thousands of dollars a day based on loss of email usage alone. The implications – both financial and operational – skyrocket when malware spreads to other aspects of the computing environment such as servers, workstation operating systems, and file shares.

Think about it. Can your organization really afford to focus only on one piece of the puzzle?

Doug Landoll, CISSP, CISA, MBA
Practice Director – Risk & Compliance Management

That is, until they stop working. Indeed, often the first indication that these things are run by Windows is when something causes them to crash, at which point the all-too-familiar Windows error messages or dreaded Blue Screen of Death (BSoD) splashes up on the device’s display. True, malicious software can cause BSoDs, which is the operating system’s way of shutting down to prevent irreparable damage to the underlying system. Just as often, however, a BSoD or critical stop error is the result of some kind of hardware malfunction, such as faulty memory, a failing power supply, or overheating.

It seems I’ve been seeing these BSoDs and “fatal error” type messages in the oddest places lately. Below is a gallery of just a few that I’ve shot recently with my trusty iPhone (aside from that last three, which came from friends and readers). Click one of the images to cycle through a slideshow.

I don’t know why I find these so fascinating, but it seems I’m not alone, as there are quite a few repositories for these types of pictures. For some reason (probably because the displays overheat from being always-on), airports are a very common place to see BSoDs.

There several Web sites dedicated to Windows BSoDs and error messages in bizarre places. Check out Miguel Carrasco’s Top 10 BSoDs. Flickr has an impressive collection of error pics tagged “BSoD”. One of the largest examples of a very public BSoD came during the opening ceremonies at the 2008 Summer Olympics in China, when one of the massive LCD screens overhead suddenly went blue.

Surely, some of you readers have snapped your own photos of BSoDs or error messages in unexpected places. If so, shoot them to me at krebsonsecurity at gmail dot com, and I may include them in this post. Please don’t send photos you don’t want posted, and most especially only send me pics that are original and that you have the rights to publish.

More information

More information

More information

A former IT employee of Swiss subsidiary HSBC Private Bank (Suisse) SA, identified by French authorities as Herve Falciani, obtained the information between late 2006 and early 2007, the bank said. The accounts, held by individuals worldwide, were all opened before October 2006..

Ultimately this means that the value of data is dependent on it’s relationship to the relevant state of affairs. Put differently, if a credit card account is inactive that data is worthless if someone attempts to use it. If the inactive data ties one back to fraud that occurred last year, it’s still relevant.

In the case of HSBC, the accounts reflect who was (potentially) cheating on their taxes in 2006. If the statute of limitations has not run out the information is still valuable.

© Ken Belva at SecurityMaverick.com, 2010. |
Permalink |
No comment |
Add to
del.icio.us


Post tags: data, HSBC, stolen

Feed enhanced by Better Feed from Ozh

Well, the folks over at the 1105 Government Group have offered us a free pass to give away to any of our readers/followers. In old fire hall style, we’ll be giving the pass away through a raffle. To enter just check out the @grecs or @novainfosec Twitter feeds and RT the special raffle tweet that we’ll be putting out in the next few hours. The contest will last for one week and at that time we’ll pick a winner. Note that you must be a US resident to be eligible for the contest.

For more information on GovSec, see its description in our Infosec Conferences section as well as our previous post. Finally, head on over to the GovSec conference site for all the information pertaining to this event. And be sure to keep up to date with the latest conference happenings by following @GovSecUSLaw on Twitter.

At the recent X9 meeting, I noticed an interesting pattern in the discussions about the appropriate level of security around various on-line banking transactions. In every case that I can remember, we had a discussion that went something like this:

Bank A representative: So we think that this new technology has the potential to really revolutionize banking. Bank A loves it.

Bank B representative: Our concern with that particular technology is that we’ll never be able to make it secure enough. Plus, our customers really don’t want it.

Bank A representative: We don’t see security as a problem at all. We’ve actually been using this technology for over two years now and customers love it.

Because these opinions were often so far apart, I had to wonder exactly how much thought went into creating some of the banks’ positions. Had they really thought through the security implications of using a new technology? Did they really have an idea of what their customers really want?

With opinions as different as the ones that I saw, I suspect that not everyone had been as careful in forming their opinions as they should have been, although it was hard to see which position could have benefitted from some additional research.  

> But Microsoft also released advisory KB981374 which describes a 0-day vulnerability

> reported to Microsoft only recently. At the moment only a limited number of targeted

> attacks have been reported. Internet Explorer 8 is not vulnerable, another good reason

> to update to this latest version of IE. There are not a lot of details available on the

> vulnerability, but for IE6/7 workarounds apply and are detailed in the advisory.

Hacker sites and foreign press are picking up the story today of the arrest of at least 23 hackers in 13 different provinces in Turkey. The news was first seen in Russian on 09MAR2010, but is now spreading into the English speaking press, with more details available.

News.AZ ran the story 23 Kurdish hackers arrested in Turkey, which provides some basic facts that the hackers are associated with the Kurdistan Workers’ Party, or PKK, and were taken to Diyarbakır for further questioning. This article calls the hacker team the “Cold Attack Team”, and says that it took orders from leaders in Kandil in Iraq and in Europe regarding what websites to hack and what messages to place there. It also mentions that the hackers distributed a PowerPoint attachment via email which would trojan the readers computer.

It is unknown if this story is related to news first released in February about another PKK hacker. A story in Today’s Zaman provides a bit more depth, PKK hacker faces up to 10 years in prison, identifying the leader of a PKK hacker group as having been apprehended on November 14th, and charged with “acquiring state secrets and confidential documents on behalf of the PKK terrorist organization”. The indictment unveiled by a Diyarbakır prosecutor reveals that the hacker, who they call by his initials, R.Ç., had classified documents on his computer belonging to Turkey’s National Intelligence Organization, the Milli Istihbarat Teskilati (MİT), and evidence that the hacker had an “online friendship” with Murat Karayılan, who leads the PKK in northern Iraq. R.Ç. claims he was introduced to Murat by a friend in France, and that they gained the classified documents through “computer virus programs he placed on pornographic Web sites visited by army members.”

Mr. WaGrAnT is probably a member of the group - a YouTube tribute to his hacks, posted by “KurdishKANGAL58″ back in August shows many examples of his works, under the title: Cold Hackers Kυrdish Hαcкєяѕ Gяσυρ 2σσ9, but there are actually many other Kurdish hacker tributes, including this one that gives you a nice exposure to Kurdish rap music: Kurdish Hacker ” Mr.WaGRaNt ” Dünyaya Karsi.

COLDHACKERS VE THT YANI TOLHILDAN HACK TEAM UNLU KURD HACK GRUBU TURKLERIN SANAL KABUSU is one of many other sites, which actually shows the group name “ColdHackers” where they call themselves “Cyber Median’s Guerillas”.

Zone-H statistics for the ColdHackers gives them credit for 2,661 website defacements on 1,230 unique computers, including 3 hacks in the past 48 hours.

(click image to visit Zone-H)

The team’s website, ColdHackers.team-forum.net is still live as of this writing. Members share their PKK pride with avatars such as this one:

Someone on the team also maintains their “cold-hackers.spaces.live.com” website at Microsoft — which has this example of their photoshop abilities. Famous hackers need a good PhotoShop team!

This image is from their defacement in December of a Turkish government website:

My wife is not into technology.  Or security.  Or UNIX.  Basically she looks at her Macbook as a way to check email, buy shoes, organize photos and videos, and make checklists for the babysitter.  So when she takes an interest in what I do, I REALLY perk up. She is very attentive to the things I do with our mail and sensitive information, only because she hears me talking about it all the time.  She knows not to give out passwords or personally identifying information.  She shreds expired cards and junk mail. She’s definitely more in tune to security than the average citizen.

Robber Dale hides from Cop Chip, by Loren Javier

We recently noticed a reporting error from the Social Security Administration and the only way to clear it up was to go to the local SSA office with a state-issued ID in hand.  Check out how they are “protecting” your personally identifiable information!

After taking her number she found a chair in the holding pen which is shared with the consultation desks where citizens talk to the agents resolving problems.  The part she got very concerned about was the lack of privacy and sound dampening properties of the room!  People were LOUDLY and openly talking about their problems at the desks, in which each conversation started with saying their social security number.  Follow up questions depending on your problem included full name, address, telephone, date of birth, mother’s maiden name, and mother’s married name.

REALLY?  Thank goodness there was a ban on cell phone usage (with a guard to enforce it) because nobody would think to bring a pen and paper to take notes!

Imagine sitting in a room and gathering enough information to steal ten to twenty identities per hour.  Sure, you’d start to look suspicious after a while, but that’s where college kids come into play.  Pay a handful of students $5 per identity, have them sit in there for an hour at a time, and everyone is happy.  You’ve bought enough information to create fake credentials and open lines of credit, and a college kid made a quick $50-$100 to spend on… uh… BOOKS and TUTORING.  Right.

All of the controls that we discuss daily as information security professionals mean nothing if all it takes to steal an identity is a college student with a pen and a Moleskine.  The take on a hack with a massive breach would be much higher and could be done remotely, but guaranteed identities with a little bit of time invested?  Yet another example of how low-tech hacking can be just as dangerous then the high tech stuff.

Please join the IRC channel during the stream - we can take live comments and discussion from the channel! Find us on IRC at irc.freenode.net #pauldotcom.

When active, the live stream(s) can be found at:

PaulDotCom Livestream - All new with Video and Chat! You can access the streaming videos at any time by visiting http://pauldotcom.com/live/

PaulDotCom Icecast Radio

Break out your adult beverage of choice and join us, enjoy the show live, and thanks for listening!

- Larry, Mick, Carlos, John, Darren & Paul

Related Posts

1. Chip Bok: Killer Whales
2. Chip Bok: Death Panel
3. XKCD: Wood Chip Hoax
4. Clear® Registered Traveler Customer Apology Letter
5. Giant Chip Fabricator INTEL CORP Falls Victim To Hack

News, via ComputerWorld Robert McMillan of the United States Federal Deposit Insurance Corporation’s assertion of evidence leading the agency to guesstimate on-line banking fraud has led to over $120,000,000 in costs to small businesses who have fallen victim to scams, hacks, cracks and cons. More information, inclusive of linkage to the original post appears after the jump.

From ComputerWorlds’ Robert McMillan: “FDIC: Hackers took more than $120M in three months“

“Ongoing computer scams targeting small businesses cost U.S. companies $25 million in the third quarter of 2009, according to the U.S. Federal Deposit Insurance Corporation. Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and rose to over $120 million in the third quarter of 2009, according to estimates presented Friday at the RSA Conference in San Francisco, by David Nelson, an examination specialist with the FDIC. The FDIC receives a variety of confidential reports from financial institutions, which allow it to generate the estimates, Nelson said…”

Related Posts

1. DHS Recruiting Ethical Hackers
2. Measurable Drop In Nefarious UCE Activity After Atrivo Demise
3. Network Solutions Drops The Ball
4. FBI Opens Anti-Fraud Hurricane Gustav Hotline
5. The Night McColo Came Down