<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/rss2full.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/itemcontent.css" type="text/css" media="screen"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearchrss/1.0/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><atom:id>tag:blogger.com,1999:blog-25971470</atom:id><lastBuildDate>Thu, 24 Jul 2008 15:24:35 +0000</lastBuildDate><title>TRUST Security and Privacy Blog</title><description /><link>http://trust-news.blogspot.com/</link><managingEditor>noreply@blogger.com (Marci Meingast)</managingEditor><generator>Blogger</generator><openSearch:totalResults>319</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/TrustSecurityAndPrivacyBlog" type="application/rss+xml" /><feedburner:browserFriendly></feedburner:browserFriendly><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-7223901499472570040</guid><pubDate>Wed, 23 Jul 2008 23:41:00 +0000</pubDate><atom:updated>2008-07-24T08:24:35.733-07:00</atom:updated><title>E-gold Owners Plead Guilty To Money Laundering</title><description>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/22/1434246"&gt; Slashdot&lt;/a&gt; announces that the three owners of the Internet currency service called 'e-gold' pleaded guilty to money laundering in the U.S. District Court for the D.C.&lt;br /&gt;&lt;br /&gt;Principal Director of E-Gold Douglas Jackson announced changes to the E-Gold user agreement, including a temporary suspension of new accounts. He called E-Gold more successful than most of its competitors, but also acknowledges problems with the service. 
&lt;br /&gt;&lt;br /&gt;One problem is E-Gold's&lt;blockquote&gt;"failure to transition from a marginal player for early adopters to a respected institution integrated into the global financial mainstream," he wrote. "E-gold's failure to emerge so far is a result of many factors but the root causes were design flaws in the account creation and provisioning logic that led to the unfortunate consequence of vulnerability to criminal abuse. Criminal abuse of the e-gold system, in turn, led to a self-reinforcing negative reputation."&lt;br /&gt;&lt;/blockquote&gt;E-Gold and its affiliate 'Gold &amp; Silver Reserve' could be fined $3.7 million at sentencing and Jackson could be sentenced to 20 years in prison and fined $500,000.&lt;br /&gt;&lt;br /&gt;Although the E-Gold operation was required by law to be licensed and registered as a money transmitting business, it had not done so.  The resulting lack of required procedures fostered an atmosphere where criminals could use "e-gold" (digital currency) anonymously to further their illegal activities, the Department of Justice said.&lt;br /&gt;&lt;br /&gt;See &lt;a href="http://www.thestandard.com/news/2008/07/22/internet-currency-firm-pleads-guilty-money-laundering"&gt;The Industry Standard&lt;/a&gt; for more information.</description><link>http://trust-news.blogspot.com/2008/07/e-gold-ownerws-plead-guilty-to-money.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-4627696358458920291</guid><pubDate>Tue, 22 Jul 2008 21:34:00 +0000</pubDate><atom:updated>2008-07-22T14:52:03.461-07:00</atom:updated><title>Google Is Watching, Perhaps Soon in Your Home</title><description>&lt;a href="http://technews.acm.org/#370613"&gt; ACM TechNews&lt;/a&gt; observes that regardless of the continual worries of privacy advocates and government officials that it knows too much, Google is after even more user data.&lt;br /&gt;&lt;br /&gt;In a recent paper 
Google researcher Bill N. Schilit and computer scientists Jeonghwa Yang of Georgia Tech and David W. McDonald of the University of Washington propose "home activity recognition," or tracking people's activities at home through network interactions.&lt;blockquote&gt;"Activity recognition is a key feature of many ubiquitous computing applications ranging from office worker tracking to home health care," the paper explains. "In general, activity recognition systems unobtrusively observe the behavior of people and characteristics of their environments, and, when necessary, take actions in response -- ideally with little explicit user direction."&lt;/blockquote&gt;When applied in certain circumstances, as with the elderly, such action might be beneficial. On the other hand, others might perceive it as positively Orwellian.&lt;br /&gt;&lt;br /&gt;See details at &lt;a href="http://www.informationweek.com/news/internet/google/showArticle.jhtml?articleID=208808510"&gt; InformationWeek&lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/07/google-is-watching-perhaps-soon-in-your.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-9000824106003121156</guid><pubDate>Mon, 21 Jul 2008 23:40:00 +0000</pubDate><atom:updated>2008-07-21T17:00:49.776-07:00</atom:updated><title>FBI Fights Testing For False DNA Matches</title><description>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/20/0244237"&gt; Slashdot&lt;/a&gt; notes an article in the Los Angeles Times about the 2001 discovery by Arizona crime lab technician Kathryn Troyer of two felons with remarkably similar genetic profiles, so similar that they would be accepted in court as a match.  
However, one of the two was white and the other was black.&lt;br /&gt;&lt;br /&gt;Although the FBI estimates the odds of unrelated people sharing those genetic markers as 1 in 113 billion, Troyer found dozens of similar matches. &lt;br /&gt;&lt;br /&gt;Several scientists and legal experts want to test the accuracy of official statistics using the nearly 6 million profiles in CODIS, the national system that incorporates most state and local databases.&lt;blockquote&gt;"DNA is terrific and nobody doubts it, but because it is so powerful, any chinks in its armor ought to be made as salient and clear as possible so jurors will not be overwhelmed by the seeming certainty of it," said David Faigman, a professor at UC Hastings College of the Law, who specializes in scientific evidence.&lt;/blockquote&gt;&lt;br /&gt;FBI officials argue that critics exaggerate or misunderstand the implications of Troyer's discoveries.&lt;blockquote&gt;"I can appreciate why the FBI is worried about this," said David Kaye, an expert on science and the law at Arizona State University and former member of a national committee that studied forensic DNA. But "people's lives do ride on this evidence," he said. 
"It has got to be explained."&lt;/blockquote&gt;&lt;br /&gt;See the full story in the &lt;a href="http://www.latimes.com/news/local/la-me-dna20-2008jul20,0,1506170,full.story"&gt; Los Angeles Times&lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/07/fbi-fights-testing-for-false-dna.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-1314650763806160552</guid><pubDate>Fri, 18 Jul 2008 18:42:00 +0000</pubDate><atom:updated>2008-07-18T12:06:34.957-07:00</atom:updated><title>Schneier, UW Team Show Flaw In TrueCrypt Deniability</title><description>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/17/2043248"&gt; Slashdot&lt;/a&gt; relates how noted cryptographer Bruce Schneier and a group of researchers at the University of Washington have hacked the ultra-paranoid feature in the TrueCrypt disk encryption tool. &lt;br /&gt;&lt;br /&gt;The DFS (Deniability of File System) feature in TrueCrypt is a fairly extreme file-protection function that first encrypts the file, then hides it in an area on the disk drive that is also encrypted, sort of like a 'cloaking device'.  However, Schneier, chief security technology officer with British Telecom, and colleagues have found that Microsoft Vista, Word, and Google Desktop can each blow the cover for these files that use the DFS feature.&lt;br /&gt;&lt;br /&gt;Schneier says that DFS is actually easier to hack than encryption and that there may  be no way to really make files undetectable on a hard drive.  
&lt;blockquote&gt;“Deniability is a much harder security feature to enable than secrecy,” he says.&lt;/blockquote&gt;  The researchers discovered that Windows Vista shortcuts can give away the existence of a hidden file, Google Desktop exposes hidden files in TrueCrypt versions below 6.0, and the auto-save feature of Word saves versions of hidden files.&lt;br /&gt;&lt;br /&gt;See more at &lt;a href="http://www.darkreading.com/document.asp?doc_id=159192"&gt; Dark Reading&lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/07/schneier-uw-team-show-flaw-in-truecrypt.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-4339536914018154979</guid><pubDate>Wed, 16 Jul 2008 23:09:00 +0000</pubDate><atom:updated>2008-07-16T16:24:14.248-07:00</atom:updated><title>Cybercrime Organizational Structures Evolve</title><description>&lt;a href="http://it.slashdot.org/article.pl?sid=08/07/15/1342216"&gt; Slashdot&lt;/a&gt; writes of the latest findings in a report by Finjan's &lt;span style="font-style:italic;"&gt;Malicious Code Research Center&lt;/span&gt; (MCRC) about the structural change in cybercrime organization.  
Loosely organized groups of hackers trading stolen data have been replaced by hierarchical cybercrime operations that deploy sophisticated pricing models and Crimeware business models.&lt;br /&gt;&lt;br /&gt;These organizations consist of strict hierarchies in which each cybercriminal is rewarded according to his position and task.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;For more info, see &lt;a href="http://www.net-security.org/secworld.php?id=6325"&gt; HELP NET SECURITY&lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/07/cybercrime-organizational-structures.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-8442942766518430753</guid><pubDate>Tue, 15 Jul 2008 22:50:00 +0000</pubDate><atom:updated>2008-07-15T16:11:11.399-07:00</atom:updated><title>When the Phone Goes With You, Everyone Else Can Tag Along</title><description>&lt;a href="http://technews.acm.org/"&gt; ACM TechNews&lt;/a&gt; says that while the launch of the 3G iPhone emphasizes the increasing sophistication of the cellphone and mobile device industries, it also generates some privacy concerns.&lt;br /&gt;&lt;br /&gt;The iPhone blends GPS functions with the Internet to create a capability that not only pinpoints location, but displays nearby attractions. This feature could help merchants target ads, insurance adjusters calibrate premiums, or parents keep track of children. What also results from this feature is that the consumer is sharing that information with network providers, social Web sites, law enforcement and/or others that have the potential of tracking everywhere they have been.&lt;blockquote&gt;"There's a disconnect between our expectations of when we will be observed and who will be observing us and how that information will be used and what the technology is allowing companies to do," says University of Southern California law professor Jennifer Urban. 
&lt;/blockquote&gt;The big issues are transparency and user control, said James X. Dempsey of the Center for Democracy and Technology.&lt;blockquote&gt;"How easy is it for the user to turn the location function on and off, and how easy it is for the user to delete past location information?" he said. "What are the companies collecting? Who are they sharing it with? How long do they store it? And what control does the consumer have over the information? These are the fundamental questions." &lt;/blockquote&gt;See full article at &lt;a href="http://www.washingtonpost.com/wp-dyn/content/article/2008/07/11/AR2008071103296.html"&gt; washingtonpost.com&lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/07/when-phone-goes-with-you-everyone-else.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-4723954232437410415</guid><pubDate>Mon, 14 Jul 2008 21:28:00 +0000</pubDate><atom:updated>2008-07-14T15:26:37.291-07:00</atom:updated><title>ACLU Files Lawsuit Challenging FISA</title><description>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/13/1254223"&gt; Slashdot&lt;/a&gt; posts links to coverage of the federal lawsuit the American Civil Liberties Union filed just hours after Bush signed the expansion of the &lt;span style="font-style:italic;"&gt;Foreign Intelligence Surveillance Act&lt;/span&gt; into law.&lt;br /&gt;&lt;br /&gt;By passing the FISA Amendments Act, Congress has given the executive branch of the U.S. government the power to order Google, AT&amp;T and Yahoo to forward all email, phone calls and text messages to them where one party to any conversation is thought to be overseas.&lt;br /&gt;&lt;br /&gt;The ACLU is suing on behalf of journalists and human rights groups.  
While longtime foreign correspondent Christopher Hedges admits that surveillance is nothing new to journalists, he also says &lt;blockquote&gt;"There is a lot of monitoring that goes on especially when you are overseas.  But this creates a further erosion in my ability to work as a journalist."&lt;/blockquote&gt;The Electronic Frontier Foundation, at the forefront of continuing lawsuits against the nation's telecoms, will challenge the provision in the bill that gives retroactive amnesty to telecoms that are currently being sued for helping the government spy on Americans without warrants.&lt;blockquote&gt;"We are also preparing a new case against the government for its warrantless wiretapping, past, present and future," said EFF senior staff attorney Kevin Bankston, who said the details were being withheld to keep the element of surprise.&lt;/blockquote&gt;&lt;br /&gt;See details in &lt;a href="http://blog.wired.com/27bstroke6/2008/07/aclu-challenges.html"&gt;Wired&lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/07/aclu-files-lawsuit-challenging-fisa.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-6635209905970205423</guid><pubDate>Wed, 09 Jul 2008 23:39:00 +0000</pubDate><atom:updated>2008-07-09T17:05:55.111-07:00</atom:updated><title>Telecom Immunity Bill Hides Spying Provisions</title><description>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/08/1713205"&gt; Slashdot&lt;/a&gt; mentions an analysis in &lt;span style="font-style:italic;"&gt;ars technica&lt;/span&gt; of the new FISA bill that has been receiving much attention of late, with the particularly alarming realization that the bill loosens current protections on domestic wiretapping.&lt;br /&gt;&lt;br /&gt;The &lt;span style="font-style:italic;"&gt;ars technica &lt;/span&gt;article expounds on the dramatic expansion of the government's ability to wiretap without any real 
judicial oversight while also giving the feds unprecedented additional latitude in choosing eavesdropping targets on anything, not just terrorist-related activities. Basically, the FISA Amendments Act of 2008 opens up such huge loopholes to the feds that the telecom immunity issues are somewhat trivialized by comparison. The new legislation stretches the judicial process out so much that in many cases, the federal government would be able to finish its surveillance activities before the courts have even decided whether they're legal.&lt;br /&gt;&lt;br /&gt;So far, the only determined opposition is a small group of Senators led by Chris Dodd and Russ Feingold, who have managed to stall the legislation for a couple of weeks.&lt;blockquote&gt;"By blocking a vote on the Foreign Intelligence Surveillance Act (FISA), the fight to stop retroactive immunity goes on -- for another week anyway"  said Dodd. "The Senate will take the bill up again this week as it returns from the July 4th recess."&lt;/blockquote&gt;&lt;br /&gt;For the complete article, see &lt;a href="http://arstechnica.com/articles/culture/fisa-compromise.ars"&gt; ars technica&lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/07/telecom-immunity-bill-hides-spying.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-3934751414425684265</guid><pubDate>Tue, 08 Jul 2008 23:15:00 +0000</pubDate><atom:updated>2008-07-08T16:36:50.241-07:00</atom:updated><title>Firefox Users Most Secure on Internet, Study Shows</title><description>&lt;a href="http://tech.slashdot.org/Firticle.pl?sid=08/07/07/0350239"&gt; Slashdot&lt;/a&gt; links to an article about the study "Understanding the Web browser threat: Examination of vulnerable online Web browser populations and the 'insecurity iceberg'", whose aim was to analyze web browser preferences and behavior by people using the Internet. 
The study is a collaboration among researchers at The Swiss Federal Institute of Technology, Google and IBM Internet Security Services that offers a comprehensive analysis of Web browsers, particularly with regard to security.&lt;br /&gt;&lt;br /&gt;Firefox users were by far the most likely to use the latest version, with an overwhelming 83.3 percent running an updated browser on any given day.  The study also revealed that 65.3 percent of Safari users were likely to be running the latest version and that Microsoft Internet Explorer users ranked dead last in terms of safe browsing.&lt;blockquote&gt;"With today's hostile Intent and drive-by download attack vectors, failure to apply patches promptly or missing them entirely is a recipe for disaster; exposing the host to infection and possibly subsequent data disclosure or loss," said researchers.&lt;/blockquote&gt;&lt;br /&gt;See &lt;a href="http://www.crn.com/security/208802248"&gt; Channel Web&lt;/a&gt; for details.</description><link>http://trust-news.blogspot.com/2008/07/firefox-users-most-secure-on-internet.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-1353428175150617822</guid><pubDate>Mon, 07 Jul 2008 22:37:00 +0000</pubDate><atom:updated>2008-07-07T15:54:41.708-07:00</atom:updated><title>ICANN Loses Control of Its Own Domain Names</title><description>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/07/05/2138229"&gt; Slashdot&lt;/a&gt; notes an AP story picked up by CBCNEWS.ca about ICANN losing control over two of their own domain names on June 26th.  Apparently a domain registrar in an internet registration company overseen by ICANN (Internet Corporation for Assigned Names and Numbers) transferred the domains to somebody else. 
While the attack was noticed very quickly and ICANN's domain names were restored within 20 minutes, many internet directories retain information for a day or two and visitors may have been redirected to an unauthorized site for longer.&lt;br /&gt;&lt;br /&gt;The ICANN &lt;a href="http://www.icann.org/en/announcements/announcement-03jul08-en.htm"&gt;press release&lt;/a&gt; about the incident states that: &lt;blockquote&gt;'The DNS redirect was a result of an attack on ICANN's registrar's systems. A full, confidential, security report from that registrar has since been provided to ICANN with respect to this attack.'&lt;br /&gt;&lt;br /&gt;&lt;/blockquote&gt;For further information, see &lt;a href="http://www.cbc.ca/technology/story/2008/07/04/icann-pwned.html"&gt;CBCnews.ca&lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/07/icann-loses-control-of-its-own-domain.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-2690396695019878619</guid><pubDate>Thu, 03 Jul 2008 21:57:00 +0000</pubDate><atom:updated>2008-07-03T15:53:11.038-07:00</atom:updated><title>More Than 630,000 Laptops Lost at Airports Each Year (June 30, 2008)</title><description>&lt;a href="https://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&amp;issue=52#sID200"&gt; SANS&lt;/a&gt; reports that a study commissioned by Dell reveals the loss of nearly 637,000 laptops at some of the largest and medium-sized U.S. airports every year.   &lt;br /&gt;&lt;br /&gt;According to the Ponemon Institute,  chosen to conduct the survey, laptops are most commonly lost at security checkpoints. The chaos in going through security checkpoints can make it easy for travelers to lose track of their laptops, making it "fertile ground for theft," the FTC said.&lt;br /&gt;&lt;br /&gt;Dell is launching a suite of data protection and asset recovery services, including GPS.  
The data protection services include an ability to remotely delete data on a hard drive as well as services for recovering data from failed hard drives.&lt;br /&gt;&lt;br /&gt;See the &lt;a href="http://www.dell.com/downloads/global/services/dell_lost_laptop_study.pdf"&gt; complete study&lt;/a&gt; for more information.</description><link>http://trust-news.blogspot.com/2008/07/more-than-630000-laptops-lost-at.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-2108885212152543997</guid><pubDate>Wed, 02 Jul 2008 23:49:00 +0000</pubDate><atom:updated>2008-07-02T16:56:26.695-07:00</atom:updated><title>Cisco, IBM, Intel, Juniper and Microsoft Fight Cyber Terror Together</title><description>&lt;a href="http://technews.acm.org/#368969"&gt; ACM TechNews&lt;/a&gt; flags a NetworkWorld article about the formation of the Industry Consortium for Advancement of Security on the Internet (ICASI) by Cisco, IBM, Intel, Juniper, and Microsoft.&lt;br /&gt;&lt;br /&gt;The intent is to respond faster to multi-product security threats which pose problems for both the vendor and the end user.&lt;blockquote&gt; “To date there has not been a trusted vendor environment that allows companies to identify, assess, and mitigate multi-product, global security challenges together on the customers' behalf,” the group says in a statement. 
“ICASI aims to fill this void.” &lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;See complete article in &lt;a href="http://www.networkworld.com/news/2008/062707-icasi-cyber-terror.html"&gt; Network World&lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/07/cisco-ibm-intel-juniper-and-microsoft.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-3811573192316403258</guid><pubDate>Tue, 01 Jul 2008 23:19:00 +0000</pubDate><atom:updated>2008-07-01T16:44:28.851-07:00</atom:updated><title>FBI's New Eye Scan Database Raising Eyebrows</title><description>&lt;a href="http://developers.slashdot.org/article.pl?sid=08/06/30/171246"&gt; Slashdot&lt;/a&gt; writes that the FBI has confirmed to Popular Mechanics that it isn't just palm prints they're adding to criminal records. The agency is also preparing to expand its repository of photos as part of a new biometric software system that stores millions of iris scans and could be the basis of facial recognition.&lt;br /&gt;&lt;br /&gt;The FBI's Next Generation Identification (NGI) system, contracted with Lockheed Martin for $1 billion over 10 years, would create an unparalleled database of biometric markers, as with facial images and iris scans. NGI could be as useful as DNA some day.  
To privacy advocates, this represents a dual threat: one an advance toward a police state, the other a most attractive collection of personal data to be pillaged by cybercriminals.&lt;br /&gt;&lt;br /&gt;See full article in &lt;a href="http://www.popularmechanics.com/technology/military_law/4270770.html"&gt; Popular Mechanics&lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/07/fbis-new-eye-scan-database-raising.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-1877040974693318136</guid><pubDate>Fri, 27 Jun 2008 21:59:00 +0000</pubDate><atom:updated>2008-06-27T15:28:07.081-07:00</atom:updated><title>Crooks Nab Citibank ATM Codes, Steal Millions</title><description>&lt;a href="http://news.slashdot.org/article.pl?sid=08/06/26/1932233"&gt; Slashdot&lt;/a&gt; recounts how Citibank is reissuing ATM cards on the heels of a server breach where hackers stole customer PIN codes. Wired magazine published two related articles about the FBI's arrest of 10 people allegedly involved in stealing over $2 million from Citibank checking and savings accounts, two of whom were Ukrainian immigrants, each caught with $800,000 in cash stashed in boxes in their homes.&lt;br /&gt;&lt;br /&gt;The ATM crime caper is apparently the first to be publicly linked to the breach of a major US bank's systems, say experts.&lt;blockquote&gt;"We've never heard of PINs coming out of the bank environment," says Dan Clements, CEO of the fraud watchdog company CardCops, who monitors crime forums for stolen information. 
&lt;/blockquote&gt;&lt;br /&gt;See complete details at &lt;a href="http://blog.wired.com/27bstroke6/2008/06/citibank-atm-se.html"&gt; WIRED ThreatLevel&lt;/a&gt; on June 18th and &lt;a href="http://blog.wired.com/27bstroke6/2008/06/fbi-arrests-six.html"&gt; WIRED ThreatLevel&lt;/a&gt; on June 24th.</description><link>http://trust-news.blogspot.com/2008/06/crooks-nab-citibank-atm-codes-steal.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-7358049263137269173</guid><pubDate>Thu, 26 Jun 2008 23:29:00 +0000</pubDate><atom:updated>2008-06-26T16:46:01.144-07:00</atom:updated><title>Senate Hearing On Laptop Seizures At US Border</title><description>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/06/25/010206"&gt; Slashdot&lt;/a&gt; notes that at a Senate hearing, privacy advocates and industry groups will press lawmakers to take action to protect the privacy of Americans returning home to the United States.&lt;br /&gt;&lt;br /&gt;According to travel and privacy analysts scheduled to testify before a Senate panel today, U.S. Customs and Border Patrols' routine of seizing laptop computers and other electronic devices from American travelers returning to the United States without notifying them of what will happen to the data could negatively affect the U.S. economy.&lt;br /&gt;&lt;br /&gt;Peter Swire, chief counselor for privacy under President Bill Clinton, said he plans to tell the subcommittee how laptop searches are similar to the failed encryption policies of the 1990s.&lt;blockquote&gt;“The government policy violates good security practices,” he said. “It asks for password and encryption keys, which people are trained to never reveal. 
It violates privacy, chills free speech and compromises business secrets."&lt;/blockquote&gt;See details at &lt;a href="http://www.nextgov.com/nextgov/ng_20080624_3037.php"&gt; nextgov&lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/06/senate-hearing-on-laptop-seizures-at-us.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-8244866584420029458</guid><pubDate>Mon, 23 Jun 2008 22:11:00 +0000</pubDate><atom:updated>2008-06-23T15:36:19.189-07:00</atom:updated><title>US Court Disconnects Canadian Domain Name Scammers</title><description>A post ran in &lt;a href="http://yro.slashdot.org/article.pl?sid=08/06/17/1755229"&gt; Slashdot&lt;/a&gt; about an order by a US District judge to halt the illegal practices of Canadian operators posing as domain name registrars who, according to the Federal Trade Commission, send bogus bills to thousands of U.S. small businesses and nonprofit organizations for the annual "Website Address Listing". Many businesses, believing that they would lose their website addresses, pay the invoice.&lt;br /&gt;&lt;br /&gt;The FTC says that the Toronto-based &lt;span style="font-style:italic;"&gt;Internet Listing Service&lt;/span&gt; has been sending fake invoices since 2004 and that most consumers have not received any domain name registration services.  
&lt;br /&gt;&lt;br /&gt;For the complete story, see the article by the &lt;a href="http://www.ftc.gov/opa/2008/06/ils.shtm"&gt; Federal Trade Commission&lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/06/us-court-disconnects-canadian-domain.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-5237619211906575599</guid><pubDate>Fri, 20 Jun 2008 23:12:00 +0000</pubDate><atom:updated>2008-06-20T16:37:17.455-07:00</atom:updated><title>New Intrusion Tolerance Software Fortifies Server Security</title><description>&lt;a href="http://technews.acm.org/#367399"&gt; ACM TechNews&lt;/a&gt; reports that researchers at George Mason University have developed a nonreactive approach for dealing with intrusion detection and prevention.  &lt;br /&gt;&lt;br /&gt;Arun Sood, professor of computer science and director of the Laboratory of Interdisciplinary Computer Science, and Yin Huang, senior research scientist in the Center for Secure Information Systems, make the assumption that someone is trespassing on computer servers. They believe that by limiting the time of continuous connectivity to the Internet and using virtualization technology to create duplicate servers, an online server is periodically cleansed and restored to a known clean state, regardless of whether an intrusion has actually occurred or been detected. &lt;br /&gt;&lt;br /&gt;In creating Self Cleansing Intrusion Tolerance (SCIT), Sood and Huang achieve the goal of limiting the exposure time of the server to the Internet.&lt;blockquote&gt;“This approach of regular cleansings, when coupled with existing intrusion prevention and detection systems, leads to increased overall security,” says Sood. “We know that intrusion detection systems can detect sudden increases in data throughput from a server, so to avoid detection, hackers steal data at low rates. 
SCIT interrupts the flow of data regularly and automatically, and the data ex-filtration process is interrupted every cleansing cycle. Thus, SCIT, in partnership with intrusion detection systems, limits the volume of data that can be stolen.”  &lt;/blockquote&gt; See &lt;a href="http://eagle.gmu.edu/newsroom/display.php?rid=689&amp;keywords="&gt;George Mason University News&lt;/a&gt; for further information.</description><link>http://trust-news.blogspot.com/2008/06/new-intrusion-tolerance-software.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-2747319035976557128</guid><pubDate>Thu, 19 Jun 2008 21:45:00 +0000</pubDate><atom:updated>2008-06-19T15:06:00.558-07:00</atom:updated><title>Can Computer Scientist Dream Team Clean Up E-Voting?</title><description>An entry in &lt;a href="http://technews.acm.org/"&gt; ACM TechNews&lt;/a&gt; states that the Center for Correct, Usable, Reliable, Auditable, and Transparent Elections (ACCURATE) has received a $7.5 million National Science Foundation award to bring the latest research, insight, and innovation from the lab to the voting booth, making e-voting systems more secure.&lt;br /&gt;&lt;br /&gt;The organization of computer experts from across the country and academic disciplines finds areas that need additional research and determines how to apply existing technology and research findings to voting systems.&lt;br /&gt;&lt;br /&gt;One such tool is the open source AttackDog, a threat modeling system developed by David Dill, Co-PI and Professor at Stanford University. 
According to Dill, AttackDog is a good example of how the ACCURATE project uses computer science tools and techniques to help local officials improve the security of their elections.&lt;blockquote&gt; "It's using computers to get a grip on problems that are too complex for the mind to understand unaided," Dill says.&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt;See full article at &lt;a href="http://www.networkworld.com/community/node/28655"&gt; NETWORKWORLD&lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/06/can-computer-scientist-dream-team-clean.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-1757527756359386337</guid><pubDate>Wed, 18 Jun 2008 22:58:00 +0000</pubDate><atom:updated>2008-06-18T16:30:27.485-07:00</atom:updated><title>Nuclear Warhead Blueprints On Smuggler's Computers</title><description>&lt;a href="http://it.slashdot.org/article.pl?sid=08/06/16/0440225"&gt;Slashdot &lt;/a&gt; reports that, according to leading US researcher David Albright, blueprints for a sophisticated and compact nuclear warhead have been found in computers belonging to the nuclear smuggling network run by rogue Pakistani nuclear scientist Abdul Qadeer Khan.  The designs, found in heavily encrypted computer files in Switzerland, are supposed to be in the possession of U.S. authorities and the International Atomic Energy Agency in Vienna.  
Investigators fear, however, that they could have been extensively copied to "rogue" states within the nuclear black market.&lt;br /&gt;&lt;br /&gt;Albright, a physicist, former UN weapons inspector and authority on the nuclear smuggling ring run by Khan, said that the "construction plans" included previously undisclosed designs for a compact warhead that could fit Iran's medium-range ballistic missiles.&lt;blockquote&gt;"These advanced nuclear weapons designs may have long ago been sold off to some of the most treacherous regimes in the world," wrote Albright. &lt;/blockquote&gt;  For more information see &lt;a href="http://www.nytimes.com/2008/06/15/world/asia/15nuke.html?pagewanted=1&amp;_r=1&amp;partner=rssnyt&amp;emc=rss"&gt; this article&lt;/a&gt; in the New York Times, as well as another report in &lt;a href="http://www.guardian.co.uk/world/2008/jun/16/nuclear.pakistan"&gt; guardian.co.uk &lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/06/nuclear-warhead-blueprints-on-smugglers.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-7295350138259840028</guid><pubDate>Mon, 16 Jun 2008 23:38:00 +0000</pubDate><atom:updated>2008-06-16T16:53:39.137-07:00</atom:updated><title>EFF To Fight Border Agent Laptop Searches</title><description>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/06/13/1133208"&gt; Slashdot&lt;/a&gt; notes that the Electronic Frontier Foundation (EFF) and the Association of Corporate Travel Executives have filed an amicus brief requesting that the 9th Circuit Court of Appeals rehear and reverse a three-judge ruling that permits border agents to routinely search files on laptops and mobile devices.&lt;br /&gt;&lt;blockquote&gt;The random searching of laptops is "widespread," said Lee Tien, senior staff attorney with the EFF. The U.S. Department of Justice "claims that U.S. 
border agents have the power to do so, no suspicion needed, and there are plenty of reported incidents," he added. &lt;/blockquote&gt;  Tien noted that there have been multiple media reports in recent months of laptops or other electronic devices being searched or seized at U.S. borders.  In some cases, customs officials have not returned the electronic devices to travelers.&lt;br /&gt;&lt;br /&gt;See details at &lt;a href="http://www.infoworld.com/article/08/06/12/Groups_ask_court_to_review_laptop_searches_1.html"&gt; InfoWorld.&lt;/a&gt;</description><link>http://trust-news.blogspot.com/2008/06/eff-to-fight-border-agent-laptop.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-6982533761558868572</guid><pubDate>Fri, 13 Jun 2008 22:57:00 +0000</pubDate><atom:updated>2008-06-13T16:56:35.037-07:00</atom:updated><title>Data Breach Study Spanning 500 Break-Ins Released</title><description>&lt;a href="http://it.slashdot.org/article.pl?sid=08/06/12/0322227"&gt; Slashdot&lt;/a&gt; presents a link to a report from Verizon Business that is a summary of what they found in 500 forensic investigations involving 230 million records, with an analysis of hundreds of corporate breaches including 3 of the 5 largest ever reported.&lt;br /&gt;&lt;br /&gt;The 2008 Data Breach Investigations Report covers four years and, as the first-of-its-kind study, found that 73 per cent of breaches came from external sources versus 18 per cent from insider threats.&lt;blockquote&gt;“Security breaches and the compromise of sensitive information are very real and growing concerns for organizations worldwide,” said Dr. Peter Tippett, vice president of research and intelligence for Verizon Business Security Solutions. “This report can help companies better understand data breaches – how they occur and the commonalities that exist. 
Most importantly, it urges organizations to be proactive in their approach to security -- the absolute key to safeguarding data.” &lt;/blockquote&gt;&lt;br /&gt;See complete article at &lt;a href="http://www.verizonbusiness.com/about/news/displaynews.xml?newsid=25135&amp;mode=vzlong&amp;lang=en&amp;width=530"&gt; verizonbusiness.com&lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/06/data-breach-study-spanning-500-break.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-6366161987126271161</guid><pubDate>Thu, 12 Jun 2008 23:32:00 +0000</pubDate><atom:updated>2008-06-12T16:43:46.759-07:00</atom:updated><title>Chinese Government Accused of Hacking Congress</title><description>A &lt;a href="http://it.slashdot.org/article.pl?sid=08/06/11/2218223"&gt;Slashdot&lt;/a&gt; post from yesterday says that Chinese hacking is getting serious Congressional attention.&lt;br /&gt;&lt;br /&gt;Two House members said that their Capitol Hill computers, which have information about political dissidents from all over the world, had been hacked by parties apparently working out of China. Both lawmakers have been longtime critics of China's record on human rights.  One of them, Virginia Rep. Frank Wolf, says the hacking of computers in his Capitol Hill office started in August 2006.&lt;br /&gt;&lt;br /&gt;Wolf suggested the problem is probably even larger. 
&lt;blockquote&gt; "If it's been done in the House, don't you think that they're doing the same thing in the Senate?"&lt;/blockquote&gt;  See full article at &lt;a href="http://news.yahoo.com/s/ap/20080611/ap_on_go_co/china_hacking_12"&gt; Yahoo News.&lt;/a&gt;</description><link>http://trust-news.blogspot.com/2008/06/chinese-government-accused-of-hacking.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-2590400291774463046</guid><pubDate>Wed, 11 Jun 2008 23:54:00 +0000</pubDate><atom:updated>2008-06-11T17:08:48.508-07:00</atom:updated><title>TSA Bans Flight If You Refuse To Show ID</title><description>&lt;a href="http://yro.slashdot.org/article.pl?sid=08/06/10/0057202"&gt; Slashdot&lt;/a&gt; notes CNET's article regarding a press release issued recently by the Transportation Security Administration announcing that passengers refusing to show ID will no longer be able to fly.&lt;blockquote&gt;"Beginning Saturday, June 21, 2008 passengers that willfully refuse to provide identification at security checkpoint will be denied access to the secure area of airports. This change will apply exclusively to individuals that simply refuse to provide any identification or assist transportation security officers in ascertaining their identity."&lt;/blockquote&gt;  However, passengers claiming to have lost or forgotten their proof of identity will still be able to fly. To clarify: Passengers who refuse to show ID, citing a constitutional right to fly without ID, will be refused passage beyond the checkpoints. 
Passengers who say they have left their ID at home will be searched, and then permitted to board their flights.&lt;br /&gt;&lt;br /&gt;In other words, TSA's new rules only protect us from a non-existent breed of terrorist who is unable to tell a lie...&lt;br /&gt;&lt;br /&gt;See more at &lt;a href="http://news.cnet.com/8301-13739_3-9962760-46.html?tag=nefd.top"&gt; cnet NEWS.com.&lt;/a&gt;</description><link>http://trust-news.blogspot.com/2008/06/tsa-bans-flight-if-you-refuse-to-show.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-2845643472315594296</guid><pubDate>Tue, 10 Jun 2008 02:43:00 +0000</pubDate><atom:updated>2008-06-09T20:07:27.601-07:00</atom:updated><title>ID Theft In US Continues Apace Despite Data Breach Laws</title><description>A &lt;a href="http://yro.slashdot.org/article.pl?sid=08/06/08/2015215"&gt; Slashdot&lt;/a&gt; posting from yesterday points to an article in TechWorld about Carnegie Mellon researchers' published analysis of the ineffectiveness of data breach notification laws adopted by 43 US states.&lt;blockquote&gt;"There doesn't seem to be any evidence that the laws actually reduce identity theft," said Sasha Romanosky, a Ph.D. student at Carnegie Mellon who is one of the paper's authors. &lt;/blockquote&gt; Nevertheless, they did find that other factors, such as the state's population, gross domestic product and fraud rate, did have a significant effect on identity theft rates. &lt;br /&gt;&lt;br /&gt;Gartner analyst Avivah Litan points out that it is hard to draw conclusions from the data because FTC reports are incomplete. 
She notes that while breach laws have made front-page news out of lost laptops, most companies respond to tighter laws and regulations by concentrating on compliance rather than on security.&lt;br /&gt;  &lt;br /&gt;Often, that's not good enough to protect customers from ID theft, she said.&lt;blockquote&gt;"If you just meet the letter of the law you may pass an audit, but you have to pass the spirit of the law." &lt;br /&gt;&lt;/blockquote&gt;See &lt;a href="http://www.techworld.com.au/article/223578/researchers_say_notification_laws_us_lowering_id_theft?fp=2&amp;fpid=-1"&gt; Techworld&lt;/a&gt; for more information.</description><link>http://trust-news.blogspot.com/2008/06/id-theft-in-us-continues-apace-despite.html</link><author>noreply@blogger.com (Mary Stewart)</author></item><item><guid isPermaLink="false">tag:blogger.com,1999:blog-25971470.post-4419759130647660653</guid><pubDate>Tue, 03 Jun 2008 22:21:00 +0000</pubDate><atom:updated>2008-06-03T15:52:37.506-07:00</atom:updated><title>China's Cyber-Militia</title><description>&lt;a href="http://it.slashdot.org/article.pl?sid=08/05/31/1722227"&gt; Slashdot&lt;/a&gt; posted an article about the cover story in the current issue of &lt;span style="font-style:italic;"&gt;National Journal &lt;/span&gt;that is an in-depth report on China's cyber-aggression toward US government, military, and business networks.&lt;br /&gt;&lt;br /&gt;While China's cyber-warfare actions have been discussed on numerous occasions in the past, this report suggests that Chinese cyber-attackers may have been involved in major power outages in the US.  &lt;br /&gt;&lt;br /&gt;To wit, computer hackers in China, including those working on behalf of the Chinese government and military, have gained access to electric power plants in the United States, possibly triggering two recent widespread blackouts in Florida and the Northeast. 
&lt;br /&gt;&lt;br /&gt;For a discussion of China's People's Liberation Army's likely involvement in the outages, see &lt;a href="http://www.nationaljournal.com/njmagazine/cs_20080531_6948.php"&gt; National Journal Magazine&lt;/a&gt;.</description><link>http://trust-news.blogspot.com/2008/06/chinas-cyber-militia.html</link><author>noreply@blogger.com (Mary Stewart)</author></item></channel></rss>
