Wednesday, December 27, 2006

"Leading Cyber-Pirates of the World"

The Wall Street Journal runs an op-ed by Paul McManus, president and CEO of The Leading Hotels of the World, Ltd. According to McManus, potential customers of The Leading Hotels have been hijacked by malware on their computers. He proposes this solution:

What's needed is a set of international laws protecting business and consumers against Internet fraud plus a global squad of cyber crime-busters to enforce them. The U.S. has specific computer fraud laws and the FBI takes "thousands of complaints" annually through its Internet Crime Complaint Center ( But perpetrators who zero in on businesses like mine often work in countries with no laws protecting Web users and lax or little cooperation with U.S. or other foreign law-enforcement agencies.

Collaboration is the only realistic solution for the private sector to protect brands from online pirates. The global Internet community is already working together through ICANN . . . ICANN is a natural for stepping into the computer crime arena. It has respect, international treaties, a global presence and a solid organizational structure. But don't expect ICANN to wage war all by itself. Those of us in the business world who can't rely on the government for brand protection have to be partners in long battle.

Monday, December 25, 2006

"Cyber Crime Hits the Big Time in 2006"

The Washington Post (Brian Krebs, Dec. 22, 2006) has this survey of recent developments in "cyber crime." The article reports "an unprecedented spike in junk e-mail" -- a 60% increase in the last two months -- but otherwise gives a fairly anecdotal, but still informative, picture of criminal activity. Also interesting: Vincent Weafer, director of security response at Symantec, is quoted as saying: "The bulk of the fraud attacks we're seeing now are coming in Monday through Friday, in the 9-5 U.S.-workday timeframe[.] . . . For a great many online criminals these days, this is their day job: They're working full time now."

Tuesday, December 19, 2006

"Software to Spot 'Phishers' Irks Small Concerns"

An article in today's Wall Street Journal describes some of the fallout from a feature in Microsoft Internet Explorer 7: IE7 uses extended verification SSL (EV SSL) to classify sites using SSL. According to the article, IE7 displays a green address bar for secure sites verified as "legitimate"; yellow for "suspicious" sites; and red for known phishing sites. (An illustration is available here.) IE7 displays a standard white address bar for sites for which Microsoft has no information.

A problem, according to the article, is that Microsoft, and the EV SSL standard, exclude certain kinds of businesses:
[S]ole proprietorships, general partnerships and individuals won't be eligible for the new, stricter security certificates that Microsoft requires to display the color. There are about 20.6 million sole proprietorships and general partnerships in the U.S., according to 2003 and 2004 tax data from the Internal Revenue Service, though it isn't clear how many are engaged in e-commerce.
These kinds of businesses will have the regular white address bar when users visit those sites. It's unclear whether this will hurt businesses that fall within these categories. (The article also points out that it's unclear how consumers will interpret and use the signals conveyed by the colored address bars.)

In any event, the article quotes Spiros Theodossiou, a senior product manager for SSL at VeriSign: "We will come forward with a draft that will include these organizations" that are currently excluded, i.e., sole proprietorships, general partnerships, and individuals.

Saturday, December 16, 2006

"Report blames Denver election woes on flawed software"

Computerworld's article, "Report blames Denver election woes on flawed software," covers the voting problems in Denver that resulted in long lines. Also, IDC Research has released a report, "Improving Voting System Investment, Credibility and Transparency," which discusses the lack of strategic, long-term vision in electronic voting projects.

Friday, December 15, 2006

"Senator: Expect data privacy and patent law rewrite" reports that Sen. Patrick Leahy (D-VT), who is set to become chair of the Senate Judiciary Committee, delivered a speech hinting that he would re-introduce data privacy legislation that he had introduced with Sens. Specter, Feinstein, and Feingold in the last Congress. In his speech, Sen. Leahy called for greater oversight of government data collection and data mining, and stiffer penalties for data privacy violations by private parties. According to Sen. Leahy, "[w]hen it comes to protecting Americans’ privacy, what we have today are analog rules in a digital world." The text of the original Leahy-Specter bill from 2005 is available here.

Saturday, December 09, 2006

Eugene Spafford lectures on Cybersecurity Threats

Eugene Spafford's lecture at the University of Delaware covered his view on the changing nature of cybersecurity threats.

"Big Shift Seen in Voting Methods With Turn Back to a Paper Trail"

The N.Y. Times article, "Big Shift Seen in Voting Methods With Turn Back to a Paper Trail," discusses the move back to optical scan or electronic voting with a paper record.

Friday, December 08, 2006

FTC complaint filed against FastMP3Search, a project led by the Berkman Center for Internet & Society and the Oxford Internet Institute at Oxford University, and the Center for Democracy and Technology (CDT) have filed a formal complaint with the Federal Trade Commission against According to the complaint, offers MP3 downloads but requires users to use a plugin to do so; this plugin goes on to download software, including adware and Trojan horse applications. and CDT allege that this is "deceptive" and "unfair" conduct, in violation of Section 5 of the FTC Act (15 U.S.C. 45(a)(1)). In addition to joining the complaint, offers a separate report discussing the plugin's behavior and effects.

Thursday, December 07, 2006

"CMU Researchers Uncover Online Auction Fraud; Data Mining Software Fingers Both Perpetrators and Accomplices"

The AScribe news wire article, "Carnegie Mellon Researchers Uncover Online Auction Fraud; Data Mining Software Fingers Both Perpetrators and Accomplices," covers research in using data mining on eBay logs to find auction fraud.

"Panel Backs Guideline Favoring Voting-Machine Verification"

The Washington Post's article, "Panel Backs Guideline Favoring Voting-Machine Verification," reports that the Technical Guidelines Development Committee states that "the 'next generation' of voting systems should have an independent means of verifying election results."

Wednesday, December 06, 2006

"Personal firewall for the RFIDs you carry"

Aaron Burstein recommended this paper by Melanie R. Rieback, Georgi N. Gaydadjiev, Bruno Crispo, Rutger F.H. Hofman & Andrew S. Tanenbaum, "A Platform for RFID Security and Privacy Administration," which discusses "a device that sits on your person and jams the signals from all your personal wireless tags (transit passes, etc), then selectively impersonates them according to rules you set." See also the Boing Boing post.

"How to tell if your cell phone is bugged"

Lauren Weinstein's blog item, "How to tell if your cell phone is bugged," discusses some of the details of how cell phones can be used to monitor conversations. The FBI recently used this technique to eavesdrop, see's article, "

"Three guilty of identity fraud which netted millions"

The Register's article, "Three guilty of identity fraud which netted millions," covers the case of Anton Dolgov, a banker already on the run after disappearing with $150 million in 1995.

"Spam Doubles, Finding New Ways to Deliver Itself"

The N.Y. Times article, "Spam Doubles, Finding New Ways to Deliver Itself," covers the rise of botnets and penny stock spam.

Tuesday, December 05, 2006

"Nike+iPod Sport Kit raises privacy concerns"

The University of Washington's article, "Nike+iPod Sport Kit raises privacy concerns," discusses how Nike's wireless pedometer can be used to track a person electronically. UW researchers have built a number of devices that interact with the pedometer, including one that shows all the pedometers within range.

"ACLU Urges U.S. to Stop Collection of Traveler Data"

The Washington Post article, "ACLU Urges U.S. to Stop Collection of Traveler Data," discusses the ACLU's reaction to DHS's Automated Targeting System, which started out as a cargo screening system but is now used to screen incoming passengers. The ACLU says that the "program's existence without notice violates the 1974 Privacy Act."
12/07/2006 Update: See also the Wired article "DHS Passenger Scoring Illegal?"

Sunday, December 03, 2006

"Health Hazard: Computers Spilling Your History"

The NY Times has an article, "Health Hazard: Computers Spilling Your History," that covers electronic medical records.

"EveryDNS Under Botnet DDoS Attack"

eWeek's Security Watch reports: "EveryDNS Under Botnet DDoS Attack." Is this similar to the Blue Security debacle?

Friday, December 01, 2006

"New rules compel firms to track e-mails"

AP's article, "New rules compel firms to track e-mails," discusses new electronic information retention requirements for companies involved in Federal lawsuits. "Sto’Mo’s 3 Minute Guide to Electronic Discovery" has more details. The "Amendment to Federal Rules of Civil Procedure" is at least one of the actual documents that covers the change.
Update: See also the AP item: "New E-Discovery Rules Benefit Some Firms."