State Cannot Force Removal of SSNs From Privacy Advocate's Site

Slashdot notes a story about privacy advocate Betty Ostergren, who runs a website that highlights privacy problems that result from posting of unredacted public documents such as land and tax-lien records posted on government web sites. Her site posts Social Security numbers obtained from public records and are part of her campaign to show how easy it is to access personal information on the web.

Although legistlation was introduced in Virginia to combat her website, Judge Robert Payne of the U.S. District Court for the East District of Virginia last Friday shot down the attempt to censure her, writing

"It is difficult to imagine a more archetypal instance of the press informing the public of government operations through government records than Ostergren's posting of public records to demonstrate the lack of care being taken by government to protect the private information of individuals."

See complete article in COMPUTERWORLD Security.

California's Wireless Road Tolls Easily Hackable

Slashdot posts a story about researcher Nate Lawson of Root Labs that has figured out how to clone the wireless transponders used by the automated FasTrak toll system on roads and bridges in the Bay Area of California.

Lawson says that fraud could be easily committed by cloning a transponder's unique identity number and copying that Id of another driver onto their own device. The ID number thief could then travel for free while other drivers unwittingly foot the bill.

"It's trivial to clone a device," Lawson says. "In fact, I have several clones with my own ID already."

Lawson also raised the poissilibity of using the FasTrak system to create false alibis by overwriting one's own ID onto another driver's device before committing a crime The logs for the toll system would appear to show the perpetrator driving at another location when the crime was being commited, he says.

See more at Technology Review.

Microsoft Applies For Patent On Private Browsing

Slashdot picked up a story in BBC News about Microsoft's plan to use a "privacy mode" in the next release of its web browser, Internet Explorer. With the click of a button, users of IE8 will be able to limit how much information is recorded about their online activity. Two applications by Microsoft have been spotted for covering trademarks for managing the amount of information a browser logs.

Although many browsers already have menu options that let users alter security settings and clear history files, it typically must be done on a per use basis. Microsoft's approach will allow users to turn on a privacy mode that will erase data that browsing programs log and turns off features that record sites visited.

Apple's Safari browser already has a privacy mode and the creators of Mozilla's Firefox are apparently working on a similar feature as well.
For details see: BBC NEWS.

U.S. At Risk of cyberattacks, experts say

ACM TechNews states that the next large-scale military or terrorist attack against the United States could be launched by hackers half a world away through cyberspace, which internet security experts claim could be just as devastating to the U.S. eonomy and infrastructure as a bombing attack.

Last week's attack on the former Soviet republic of Georgia last week wherein a Russian military offensive was preceded by an internet assault that overwhelmed Georgia's governmental websites indicates a new kind of cyberwar, one for which the U.S. is not prepared.

"Nobody's come up with a way to prevent this from happening, even here in the U.S.," said Tom Burling, acting chief executive of Tulip Systems, an Atlanta, Georgia, Web-hosting firm that volunteered its Internet servers to protect the nation of Georgia's Web sites from malicious traffic.

"The U.S. is probably more Internet-dependent than any place in the world. So to that extent, we're more vulnerable than any place in the world to this kind of attack," Burling added. "So much of what we're doing [in the United States] is out there on the Internet, and all of that can be taken down at once."

For details, see CNN.com/technology.

Fighting Identity Theft with Analytics

eWEEK.COM is running an article about security vendor Guardian Analytics, whose recent technological developments use behavioral modeling to prevent online identity theft and bank fraud.

The small company has launched its FraudMAP 2.0 product, which models an individual account holder's activity from session to session in an attempt to detect suspicious activity inconsistent with predicted behavior.

"We have more behavioral kinds of things, like do you access your account during the week or during the weekends,” said Tom Miltonberger, CEO of Guardian Analytics. “All those things go into the model for you so that we can predict what you might do next. There’s no single profile, there’s no single indicator, there’s no rule, if you will. It’s all very complex, multi-dimensional prediction of things that you might do, and then we’re comparing the new activity to how likely we think that would be you versus how likely we think that activity might be someone else.”

See full article for more information.

Officials Say Flaws at Polls Will Remain in November

ACM TechNews relays information in an article in the New York Times regarding the apparent failure of a federal agency to fix the flaws in voting machines used by millions of people in time for the presidential election.

The Election Assistance Commission, the federal agency that oversees voting, says they will not be able to certify that flawed machines are repaired by November nor provide software fixes or upgrades given the backlog at the laboratories the commission uses.

“We simply are not going to sacrifice the integrity of the certification process for expediency,” said Rosemary E. Rodriguez, the chairwoman of the commission.

The certification process was previously performed by a volunteer program managed by the National Association of State Election Directors. The slowdown began in February 2007 when the federal commission took over.

“The problem is that the pace of innovation is outstripping the pace of regulation,” said Doug Chapin, director of the Web site set up by Pew Center on the States, electionline.org. “Federal certification is intended to help election officials manage voting technology, but right now it’s getting in the way instead.”

Advocates for better election systems say one reason for the slowdown is that the machines are fraught with problems that should have been detected earlier and, had those problems been addressed the current level of scrutiny would not be necessary.

“The E.A.C., to its credit, has decided to dig their collective heels in and insist that the software and hardware be rigorously tested by professional testing labs,” said Warren Stewart, a technology expert with Vote Trust USA, a voting rights watchdog group.

See full article in The New York Times

Georgia Under Online Assault

The WIRED BLOG NETWORK covers the story of the denial of service attacks that have been occurring on the websites of the government of Georgia for several weeks now, where it is apparent that Russia is behind the digital assault and which intensified significantly once the shooting between Russia and Georgia began.

The Associated Press meanwhile reports that the Georgian President's Web site along with a Georgian television station's site have been moved to a US web hosting service in Atlanta, Georgia, although the attacks (traced to Moscow and St. Petersburg) are continuing now on the U.S. server.

The RBNExploit blog, referenced as an authoritative source on this subject, is in the forefront of reporting on what Intelfusion is calling a "full scale cyberware being conducted by Russia against Georgia."

The Georgian news site, Civil.ge is under permanent attack and has swtiched their operations to one of Google's Blogspot domains to keep information flowing about what is going on in their country.

"Another interesting aspect is seeing how certain countries are what I call 'cyberlocked,'" cybersecurity veteran Richard Bejtlich tells Danger Room. "We know a land-locked country has no access to the sea. Countries like .ge [Georgia] might rely too heavily on one or a handful of connections, potentially through hostile countries (eg, .ru [Russia]), for their physical connectivity. As a result, an adversary can control their network access to the outside world. "

Estonia, once victimized by Russian hackers is itself hosting Georgia's Ministry of Foreign Affairs website. To add to the mix, NPR's Ivan Watson reports that Russian planes are continually bombing cell phone towers in an efforts to knock out telecomunications networks as well.

See Aid Worker Daily and washingtonpost.com for more coverage.

Hacking Ring Nabbed by US Authorities

Slashdot notes the story of catching the members of a hacking ring that stole more than 40 million credit card and debit card numbers from retail organizations in the U.S.

Now charged by a Boston court with numerous crimes, including conspiracy, computer intrusion, fraud and identity theft, the group of eleven perpetrators allegedly hacked into nine major U.S. retailers. The ring is also said to have sold the customer information to criminals in the U.S. and Eastern Europe, who in turn, encoded numbers on the magnetic strips of bank cards and withdrew tens of thousands of dollars from ATMs.

Mike Maddison, head of security for consultancy Deloitte, said

"We have seen so many data breaches recently and they all compromised large amounts of data".

Maddison said consumers need to take more responsibility for their data, adding:

"They need to analyse their bank statements and call up credit check companies so they are aware of fraudsters trying to take up loan agreements."

See YAHOONews .

Faux-CNN Spam Blitz Delivers Malicious Flash

Slashdot points to a story appearing yesterday about the serving up of fake Flash Player software to users by more than 1000 hacked Web sites. Users are duped into clicking on links in mail that is part of a massive spam attack masquerading as CNN.com news notifications.

The bogus messages, purportedly from the CNN.com news Web site, include links to what are claimed to be the day's top 10 news stories and top 10 news video clips. Clicking on such a link, however, brings up a dialog box that claims that an incorrect version of Flash Player has been detected and that the user needs to update to a newer version, according to Sam Masiello, vice president of MX Logic Inc.

People who approved the download of the fake flash executable file instead received a Trojan horse that in turn "phones home" to a malicious server to grab and install additional malware, said Adobe product security manager David Lenoe.

See full article at COMPUTERWORLD Security.

Where To Draw the Line When Punishing Email Snooping?

Slashdot recounts a recent case of a Philadelphia TV news anchor charged with breaking into his co-anchor's email accounts.

Lawrence Mendte was charged with one felony count of 'intentionally accessing a protected computer without authorization and obtaining information in furtherance of a tortious act.'

News anchor Mendte, of CBS affiliate KYW-TV is accused of secretly accessing one work and two personal email accounts for co-anchor Alycia Lane between March 2007 and May 2008.

"People expect that e-mail in a password-protected, personal e-mail account is private," said acting U.S. Attorney Laurie Magid. "If you think of it in the context of another era, it's no different than someone stealing your locked briefcase containing confidential information from your lawyer, prying it open and helping themselves to the contents. The mere accessing and reading of privileged information is criminal. This case, however, went well beyond just reading someone's e-mail."

Mendte allegedly shared private and legal information from stolen email documents with a reporter from the Philadelphia Daily News.

See COMPUTERWORLD Security for details.