Bike Bob’s Factoid-Free* Potpourri


Computer Security Hazards


[As with all of the subject-area sections on this web site,
the vast majority of new items are usually posted
at, or near, the bottom/end of the page.  -- Bike Bob]



     A couple of years ago, John Dvorak (a well-respected, long-time "PC Magazine" columnist) noted that an "unprotected" computer -- that is, one that does NOT have an active and properly configured firewall program, along with daily-updated antivirus and anti-spyware/malware programs -- is now literally "compromised" (infected) WITHIN 15 seconds of merely connecting online!

     That is because there are thousands upon thousands of "24/7" Internet-trolling autobots constantly seeking out insecure online computers to infect with worms, trojans, viruses and much more!


As you read through the additional information below, be sure to check out the many valuable resources and recommendations on this page.

And, when you're all done with that, don't forget to read "the kicker" farther down in this page.

(But, don't spoil the surprise! Do read through this page -- in its entirety -- first.)

-- Bike Bob



Right off the bat, please take note that, even though much of the info below is Windows PC-centric, other computer operating systems are typically rife with wide-open security holes, too.  This holds equally true for many of the newer mobile devices, such as "smart" phones, tablet PCs, etc.  All such systems and devices need regular update "patches" (fixes) and proper configuration.

Speaking of which:

Why malware for Macs is on its way

(May 5, 2011 - By Ed Bott - ZDNet)

http://www.zdnet.com/blog/bott/why-malware-for-macs-is-on-its-way/3243

 




Here’s a timely excerpt from Ryan Singel’s article, “Why can’t we stop the botnets?” on p. 55 of the Feb., 2011, issue of Wired magazine.

(Emphasis added.):

‘The thieves’ main tool was a botnet -- a remotely controlled network of infected computers that spreads via web pages and email. The best efforts to destroy these zombie armies have failed; botnets continue to thrive, sending daily bursts of stolen info (yes, possibly yours) to servers around the world.’

…. ‘According to security firm Websense, the number of malicious web pages jumped 111 percent from 2009 to 2010. Nearly 80% of those were legitimate sites hacked into to serve up malware.’ ….

“It takes just one click on a bad bit.ly link and criminals have access to all of your data,”...

‘Antivirus software helps, but it can’t keep up with the speed of malware mutation.’

‘…criminals are infecting pages tied to top Google searches and Twitter topics.’

‘For now, experts recommend running patch-checking tools like Secunia PSI as a complement to your antivirus software.’

…. ‘Attacks are targeting Macs, too, as they become more widespread.’

 

 

According to a November 2010 “PC World” magazine sidebar article, “TIPS FROM THE PROS - Top 5 Ways to Stay Safe Online”:

“PC security is one area where it pays to be paranoid.”  You should “STAY UP-TO-DATE, STAY paranoid, stay protected. Be sure to run Windows Update, as well as the software update features in the other programs that you use EVERY DAY.”

“…use a password manager.” and “…antivirus and security [firewall; anti-spyware/malware programs] software…”

“Assume that no site is safe, and don’t trust a link or file download, even if a friend sends it to you.”

Under the heading “Malicious PDFs that try to fool you into installing malware”, the article notes that “In 2009, attacks using malicious PDFs made up 49 percent of Web-based attacks…” and further highlights “… PDF attacks that embed malware inside the PDFs.”

 

 

 

Security and Privacy Issues in the PDF Document Format - (ScienceDaily  - Feb. 22, 2011) - UPM Facultad de Informática researchers compile information on security and privacy for authors or readers of PDF documents, the most popular format for publication of digital documents. - http://www.sciencedaily.com/releases/2011/02/110222083159.htm



For more extensive computer security advice, be sure to read (online) PC World magazine’s “The 17 Most Dangerous Places on the Web” at this URL:




Also, be sure to read this "PC Magazine" (online) article:

"Don't Click That Ad . . . or Even Look at It"

at this URL:

http://www.pcmag.com/article2/0,2817,2256497,00.asp




“Prevent Clickjacking Attacks”  -   [From Wired Magazine ‘How-To Wiki’]:

“The scary thing about a clickjacking attack is there isn't any foolproof way of detecting when it is happening to you. Through clever hackery, some dastardly villain somewhere will show you a website that looks harmless, but they can use it to steal your clicks, making you do something drastically different than what you think you're doing.

Clickjacking, put simply, is when a button, image, video, or some form of embedded content on a website is overlaid by an invisible layer that sits on top of the site underneath it.

For instance, you may see a page with a movie embedded on it. You want to watch the movie, so you click on the play button. You don't think twice about it -- you've done it a million times. Meanwhile, a hacker has superimposed an invisible web page over the movie. It just so happens that a button allowing access to your camera and microphone has been placed over the movie's play button. Now, when you think you're playing the movie, you're actually permitting the hacker to access your video camera and microphone. That invisible layer sitting on top of the page has intercepted and hijacked your mouse click.

There are a few steps you can take to ensure clickjacking is stopped at the source.”


[Be sure to read the rest of the article for the specific how-to steps to follow via this URL.]:

http://howto.wired.com/wiki/Prevent_Clickjacking_Attacks
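The "source" where clickjacking is stopped is the web site itself: a site tells browsers that its pages may not be placed inside another page's frame, which is exactly what the invisible overlay depends on. The following is an added example, not code from the Wired article or from this page, that classifies an HTTP response's headers by that protection; the sample responses at the bottom are constructed, not captured from any real site.

```python
"""Server-side clickjacking check: does an HTTP response forbid framing?

The two controls browsers honour are the Content-Security-Policy
'frame-ancestors' directive and the older X-Frame-Options header.
The sample header sets at the bottom are constructed for illustration.
"""
from typing import Dict, List, Optional

# X-Frame-Options values that current browsers enforce. ALLOW-FROM is not in
# this set: browsers dropped support for it, so it leaves the page frameable.
ENFORCED_XFO = {"deny", "sameorigin"}


def frame_ancestors_sources(csp: str) -> Optional[List[str]]:
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify the anti-framing posture of one response.

    Returns "csp-restricted", "xfo-restricted" or "unprotected".
    Header names are compared case-insensitively, as HTTP requires.
    """
    lowered = {name.lower(): value.strip() for name, value in headers.items()}

    csp = lowered.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors_sources(csp)
        if sources is not None:
            # When frame-ancestors is present, browsers ignore X-Frame-Options
            # entirely, so a wildcard here overrides even a DENY header.
            return "unprotected" if "*" in sources else "csp-restricted"

    if lowered.get("x-frame-options", "").lower() in ENFORCED_XFO:
        return "xfo-restricted"
    return "unprotected"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each labelled response to its framing classification."""
    return {label: framing_policy(h) for label, h in responses.items()}


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no headers": {},
    "xfo sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp wildcard overrides xfo": {
        "Content-Security-Policy": "frame-ancestors *",
        "X-Frame-Options": "DENY",
    },
    "allow-from only": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    for label, verdict in audit(SAMPLES).items():
        print(f"{label:28s} -> {verdict}")
```

The "csp wildcard overrides xfo" sample is the case worth remembering: adding a permissive frame-ancestors directive silently switches off an existing X-Frame-Options DENY in every browser that understands CSP.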






If you wish to keep up-to-date about online computer security hazards:

(In addition to subscribing to a PC magazine, like the ones mentioned above...)

You’ll definitely want to bookmark:


GetNetWise

http://security.getnetwise.org


and...


OnGuard Online

http://www.onguardonline.gov

 


Secure Your Life in 12 Steps - (By Nick Mediati - June 2011 issue - PCWorld Magazine) - Lock down your computer, your home network, your identity--even your phone.

Good security advice can be hard to find. Lots of security experts offer help, but not all of their tips are accurate or up-to-date, and many address PC security only. So even if you follow their advice, you may be more vulnerable than you think. That's where we come in. We've assembled a dozen simple but essential tips -- a 12-step security program -- to keep your PC, smartphone, gadgets, and identity safe. The steps are practical and fairly easy to perform, so you can strengthen your security without losing your mind in the process.  -  https://www.pcworld.com/article/225806/secure_your_life_in_12_steps.html

 


 

BE SURE to check out Steve Gibson's free online "ShieldsUP!" service...

 ...at his www.grc.com web site.

You should also check out his free "Security Now!" podcast there, too!


[NOTE: Steve Gibson is THE person who first discovered, and coined the term, "spyware".]



Firesheep! - Count on it…This one may keep you awake at night!

[From the front-page A1 (continued on page A4) Mon., Feb. 7, 2011, St. Louis Post-Dispatch article, “Facebook accounts of legislators hacked”.]:  -  http://mcaf.ee/9f6b4  -


   ‘Cybersecurity threats have increased sharply in recent months. They include a program called Firesheep that targets Wi-Fi users' private account information.

   Firesheep, which can be downloaded for free from the Web, allows users with little computer knowledge to access the private Internet accounts belonging to people on a shared wireless network, and even assume control of those accounts as if they were each account's owner.’

   Firesheep...is "like someone sitting outside your home with an antenna pointed at your house, and you wouldn't necessarily know it."

   ‘"Firesheep is one of those things that scared the hell out of us with getting into people's Facebook and grabbing passwords."’


[If you want to find out more about the “Firesheep” Wi-Fi security threat, be sure to check out Steve Gibson’s “Security Now!” online podcast archive, where you’ll find both the Oct. 28, 2010, “Firesheep” audio podcast/s (among many others) and written transcripts free for online-access and/or download. Here’s the URL to take you to Gibson’s Security Now! podcast archive.]:

    http://www.grc.com/securitynow.htm

 

[NOTE: It would be wise to bookmark the above URL for the Security Now! website. It is highly recommended to regularly listen to (at least the first half of) Steve Gibson's weekly Security Now! podcasts, in which he regularly covers the current computer security alerts and the available fixes. As mentioned above, in addition to providing the downloadable podcasts, the site also has the complete written transcripts -- in both regular text and PDF -- available to download for all of the podcasts. It's all FREE!]




Steve Gibson’s “Security Now!”

(FREE) Online TWiT TV Podcast

Steve Gibson is the person who coined the term “spyware.” Steve created the first anti-spyware program. (Be sure to check out his free online ShieldsUP security test.)

Steve’s weekly podcast discusses the hot topics in security today with Leo Laporte, host of TWiT TV.

You can either watch the free video podcast live ( http://twit.tv ) or download the free archived video (.mp4) file versions:

http://twit.tv/show/security-now





[In the Feb. 2011 issue of PC World magazine, on page 75 under the subtitle “New Threats for a New Year” (from the “Battle of the Security Superpowers” article)]:

‘Malware has migrated to social networks….  …techniques that cyber-criminals use in attempts to poison SEO (search engine optimization), loading up on popular search keywords to make malware-compromised sites appear higher in search results. ….

Another threat is the resurgence of banking-related … the relatively new "man-in-the-browser" attacks, in which the malware doesn't activate until you have successfully logged into your bank account.’  -  http://www.pcworld.com/article/214618/battle_of_the_security_superpowers.html



Hackers could track the person behind your usernames - (Feb. 7, 2011 - NewScientist) -   A new wave of online crime is on the way – and all that's required is your username. Hackers may soon be able to identify which screen names belong to one person just by analysing the characters that make up the name.  -  http://www.newscientist.com/article/dn20094-hackers-could-track-the-person-behind-your-usernames.html




How to Disable Geolocation in Specific Programs

[As noted at the following URL]:

Geolocation is a rather secret feature of some browsers and toolbars. It allows the creator of that program to get a fix on the location of your computer to within a few meters of where you actually live. For the potential dangers, read the article from BBC News entitled 'Web attack knows where you live' here. The question is therefore how to effectively disable this feature. At this moment this site offers solutions for Apple Safari, Firefox, Flock, Google Chrome, Google Toolbar, Opera and Twitter:

http://no-geolocation.blogspot.com/2010/08/01-what-is-geolocation_08.html

 



     These days it is VERY IMPORTANT to keep in mind that there are new (and, for varying periods of time ranging from hours to days or weeks, undiscovered) "in the wild" online threats emerging all the time.  Some of these, unfortunately, fall under the notorious category of "Zero-Day Attacks."  Essentially, that means all online computers are vulnerable until such in-the-wild "exploits" are discovered and reported...and defense "signature definitions" are developed (which can take additional hours/days/weeks) for anti-virus/malware/spyware programs.  [Some of these programs can optionally, or additionally, use what is known as "heuristics": analysis of the behavior patterns of the "baddies" in hopes of fending them off in advance.  However, past experience has shown that this can sometimes result in troubling "false-positives."]

      Therefore it is important to remember that online computer-use defense, for the most part, is always "behind the eight ball," constantly playing catch-up.  This fact makes it MOST IMPERATIVE that you DO NOT DELAY in utilizing those daily newly downloaded defenses AND DO A SCAN -- at the very least, via the shorter-running "quick scan" option -- with EACH anti-virus/malware program RIGHT AFTER it has received those daily updates.  That is the recommended MINIMUM action for any online computer user! --- Don't forget to periodically do the longer, complete (comprehensive) FULL-system scans with each and every one of your installed online-security defense programs, too!

BTW, these days (at least at the time of this writing) most of these programs have anti-virus/malware definitions updated and available for downloading, on average, three times per day!  So, at the very least, it is wise to set these programs to check for such updates (via auto-downloads) automatically each time you go online with your computer.  Some can even be set to also do auto-scans right after they're updated.  However, it is important to keep in mind that -- even though you can usually set them all to do auto-updates -- in order to avoid program conflicts, you should only have ONE program (of each type) set to be your main default and "active" -- that is, "real-time" -- defender.

(Important Note:  You must have ONLY ONE firewall program operating at a time;
 and, you can have ONLY ONE anti-virus program even installed on your computer:
 that is because they see actions of the other as a "threat" and will conflict!)


     
In addition to a properly configured -- and, of course, regularly/daily updated -- firewall program (these days, most of which also include anti-virus and anti-malware components; such as Norton Internet Security, McAfee Total Protection, etc.), it is wise to also have extra anti-malware/spyware programs installed, with which (after those regularly downloaded updates, of course!) you can also do additional auxiliary manual scans.  The reason this is a very good idea is that some of these programs manage to catch threats that your "active" programs may have missed! --- In hopes of furthering you along the path of computer self-defense, here are some recommended resources for you to consider.


(Good luck. -- Bike Bob)




Forever online: Your digital legacy




How To Create A Full Administrator Access-Control Windows 7 “God Mode” Desktop Folder

[From April 12, 2011 - Maximum PC Magazine “Contest Winners: The 10 Best Windows Application Tips” (Tip credit: Richard Schonegg)]:



Having all the Admin capabilities in one window is great. I ran across this searching for ways to automate Administration in Windows 7. It is called God Mode by some.

Create a new folder and rename the folder to the following exactly as shown below:

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

Be sure to rename the folder as shown above, from the G to the }.


[NOTE: To create the folder, just right-click on an empty space on your desktop, choose “New”, then choose “Folder”; then just copy-and-paste the entire (above) “GodMode” code line, as instructed, to rename the folder.]

 

http://www.maximumpc.com/article/features/contest_winners_10_best_windows_application_tips

 




   Windows Defender -- free to use and pre-installed on Windows-based computers.  It is accessed via the Control Panel utility.

   Windows Malicious Software Removal Tool -- also pre-installed on Windows-based computers.  You run a scan by typing "MRT" (without the quotes) into the Start button's search bar and hitting Enter.

[Note: Windows Defender and the Windows Malicious Software Removal Tool are both updated via "Windows Update."]


Microsoft Safety Scanner is another free anti-malware/spyware utility that it would be wise to utilize on a regular basis, too.  You can download it via this URL:  https://www.microsoft.com/security/scanner/en-us/default.aspx




    Malwarebytes -- which is a free (no cost) program.

    (You can find a CNET editors' review of Malwarebytes at this URL.):

    http://mcaf.ee/d43c0


    Malwarebytes can be downloaded directly via this URL:

   http://www.malwarebytes.org/
 


    Secunia PSI is another highly recommended free-for-use program.  It checks that the programs on your computer have been properly updated and secured against wide-open security-hole attacks.  (Many of those 24/7 online auto-bots are specifically set to probe for such program vulnerabilities!)  Be sure to download Secunia PSI, set it to auto-update itself online, and use it regularly to scan your computer, too.

    You can find a review of Secunia PSI at this URL:

    http://mcaf.ee/17e5f

    You can directly download Secunia PSI via this URL:

    http://secunia.com/vulnerability_scanning/personal/


 


    A very good free web browser is Mozilla's


  You can find out more about it and download it via this URL:

    http://www.mozilla.com/en-US/firefox



    I also highly recommend that you consider installing some of the many extremely useful "add-on" Firefox extensions that are also free from Mozilla.

  They can be found via this URL:





  You can also download Mozilla's free Thunderbird e-mail client program at this URL:

http://www.mozillamessaging.com/en-US/thunderbird/



You can also find additional free add-on extensions for Thunderbird at this URL:

https://addons.mozilla.org/en-US/thunderbird/



   Finally...

     I've put together a list of suggested must-have and should-have Firefox add-on extensions,
 along with each of their individual, secure direct-download (from Mozilla) URLs.

  You can find that list at this link.


        I've also put together a list of suggested add-on extensions for  Thunderbird.


  You can find that list at this link.



Firefox Plug-ins Have To Be Regularly Updated Manually By YOU!


IF you are using the Firefox web browser, it is very important to note that while Firefox DOES automatically check for security updates for installed third-party Add-ons, it does NOT (as of this writing) do so for any third-party Plug-ins that are already pre-installed in Firefox. YOU have to MANUALLY check (at least once a week) for needed updates for those Plug-ins.


Here’s how you can easily do that:

In Firefox, click Tools. Then, in the drop-down list, click on Add-ons. When that opens up, click on the LEGO-type icon (not the puzzle-piece icon, which is for the Add-ons). Then click on the “Check to see if your plugins are up to date” underlined option.

You will then see a complete list and the current status of your plug-ins. You can then just click on the ones that are indicated as needing to be updated.

  Good Luck.  --Bike Bob




(Okay, as promised at the beginning of this page, here's "the kicker.")...


     The following excerpt... (found via this URL:  http://blog.icscomputers.ca/?p=154 ) ...is from a September 2010 article entitled "Security Apps Frequently Miss New Malware," written by Jeremy Kirk. It appeared in the regular monthly "Security Alert" section of "PC World" magazine:


   "New research further confirms the difficulties security vendors are having in keeping up with malware.

   Security software can take an average of two days to block an attack Website, says a report from NSS Labs.  The firm developed a test that mimics how people browse the Web, and recorded how and when security suites blocked the threats – if they did so at all.  The latest test ran for 24 hours a day for nine days."

   "Some security vendors employ reputation systems, which usually involves checking a database of blacklisted sites.  But such systems are not widely used and are immature, according to NSS Labs.  Overall, vendors took an average of 45.8 hours to block a site, if they blocked it at all, the report states.

   If a suite did not block a bad site the first time, NSS Labs continued to test every 8 hours to see how long the vendor took to add protection; times ranged from 4.62 hours to 92.48 hours.  The researchers also had a “zero hour” criterion, in which the test checked whether the software stopped newly found malware sites, and the results weren’t great: The best vendor blocked new sites only 60.6 percent of the time."



In the meantime, keep this in mind...


According to an article, “ ‘Spam Clock’ Tallies Web Junk” by John P. Mello Jr., published on p. 34 of the March 2011 issue of PC World magazine ( www.pcworld.com ):

   ‘…search engine newcomer Blekko has a clock at www.spamclock.com that counts how many spam pages are created on the Internet every second. …. Today the economic incentives for Web spammers are even more lucrative than e-mail spam, and almost guarantee a continuing blizzard of trash on the Web.’

   ‘Spammers are hiring low-wage workers to churn out pages at anywhere from 5 cents to a dollar a pop. “Web spammers simply have to create pages on the Web and sit back and let search engines send them the money,” [Rich] Skrenta [Blekko founder] writes. “The problem and challenges of spam to the entire world are going to get worse,” he predicts.’

   [The article highlights: ‘Every hour 1 million new spam pages are created’]


 

On page 66 in the same March 2011 issue of PC World, in answer to…

   ‘Q. How Can I Determine Whether An Unknown Website Is Safe To Visit?

   A. You’ve probably read stories about “drive-by-downloads,” viruses and spyware that sneak onto your PC when you visit a rigged Website. And that’s a hard truth: The seemingly innocent act of clicking a link -- even one that’s at the top of a Google search-results page -- can lead to malware infestations. How do you figure out whether a link is safe before you click it?

 




The Secret History Of Hacking

The Secret History of Hacking is a public domain documentary about the pioneers of the hacking craze. (50 min. - YouTube audio/video)

https://www.youtube.com/watch?v=5cecky3pvxc&feature=related





[Personally, I do not recommend so-called “social networking” computer applications. I have never used them… and, never will. Why? Check this out... and the other related info that follows. --Bike Bob] :

 

In-Q-Tel

 


For those that may use ‘Facebook’, here is a May 11, 2011, Vancouver Sun alert:

Facebook leaks access to accounts: Change your password now

 


Viewpoint: Facebook Is Not Your Friend




Social Media: A Skinner box that trains you to under-value your privacy (Cory Doctorow)

(12-1/2 min. - YouTube audio/video)

https://www.youtube.com/watch?v=RAGjNe1YhMA&feature=youtu.be




Hacking Democracy

(82 min. - video documentary)

http://video.google.com/videoplay?docid=7926958774822130737#



High fiber - (13 min. - video) - ( - by Betsy Rate - Need To Know/NPR)  -  The United States is where the internet was born. But we’re falling behind in the race to the online future. Most of us go online these days using a service that’s called broadband – faster than old-fashioned dial-up, and always on. But broadband service in the U.S. lags behind a dozen or more industrialized countries – and we’re doing worse every year. Need to Know correspondent Rick Karr traveled to the U.K. and the Netherlands – with support from the Ford Foundation and in collaboration with the website Engadget – to find out how these two countries have jumped ahead of us online. This is a story about capitalism, competition, dynamism and innovation in what is arguably the most important industry of the 21st century. Old fashioned American values, right? Then why are we being left so far behind?  -  http://www.pbs.org/wnet/need-to-know/video/video-high-fiber/9263/




Eric Pariser: "The Filter Bubble" - (51-1/4 min. - audio - May 17, 2011 - The Diane Rehm Show/NPR) - A quiet revolution is taking place on the Internet. The top 50 websites collect an average of 64 bits of information each time we visit. The personal data they track -- from our politics to the shoes we just browsed on Zappos – help advertisers tailor offers just for us. But one online pioneer believes we pay a big price for that customized experience – living in our own information universe. In our so-called “filter bubble,” we receive mainly familiar news that confirms our beliefs. And we don’t know what’s being hidden from us. Diane and her guest, Eli Pariser, talk about understanding the costs of online personalization.

What is the internet hiding from you? As internet giants like Google, Facebook, Netflix and Apple fine tune their ability to personalize content, we will increasingly each live in our own information universe, our own "filter bubble." Former director of MoveOn.org, Eli Pariser, explores the development and future of the most recent digital revolution.  -   http://thedianerehmshow.org/shows/2011-05-17/eli-pariser-filter-bubble



Virus Hoaxes & Realities



Cracking the code: Defending against the superweapons of the 21st century cyberwar - (13 min. video - May 20, 2011 - by Erin Chapman and Win Rosenfeld - Need To Know/PBS) -  http://mcaf.ee/64lb9 - The threat of attack has been a growing concern to national security experts for some time. Imagine what would happen if a malicious hacker could take out a power grid or cause the meltdown of a nuclear plant. Critics of the administration’s cyber-security plan question whether it goes far enough to protect us from the next generation of cyber-superweapons — including one devastating computer virus, Stuxnet, that’s already been unleashed in a foreign country.



Police Traffic Stops: Illegal Smartphone Searches With UFED Device



There’s a Secret Patriot Act, Senator Says - (May 25, 2011 - by Spencer Ackerman - Wired)  -  You may think you understand how the Patriot Act allows the government to spy on its citizens. Sen. Ron Wyden (D-Oregon) says it’s worse than you’ve heard.

Congress is set to reauthorize three controversial provisions of the surveillance law as early as Thursday. But Wyden says that what Congress will renew is a mere fig leaf for a far broader legal interpretation of the Patriot Act that the government keeps to itself — entirely in secret. Worse, there are hints that the government uses this secret interpretation to gather what one Patriot-watcher calls a “dragnet” for massive amounts of information on private citizens; the government portrays its data-collection efforts much differently.

“We’re getting to a gap between what the public thinks the law says and what the American government secretly thinks the law says,” Wyden tells Danger Room in an interview in his Senate office. “When you’ve got that kind of a gap, you’re going to have a problem on your hands.”

What exactly does Wyden mean by that? As a member of the intelligence committee, he laments that he can’t precisely explain without disclosing classified information. But one component of the Patriot Act in particular gives him immense pause: the so-called “business-records provision,” which empowers the FBI to get businesses, medical offices, banks and other organizations to turn over any “tangible things” it deems relevant to a security investigation.  -  http://www.wired.com/dangerroom/2011/05/secret-patriot-act/




[NOTE:  This is NOT “good” news.  Scientific studies have shown that the (inter)act(ive) of reading stimulates the brain and enhances both memory and I.Q.  (BTW…scientific studies show similar results for interactive computer games, too. :-)  However, the “images, not words” of the “augmented reality” described in this BBC News article would be more in line with watching an “entertainment” program on TV, which -- unless you’re watching an informative documentary -- tends to “dumb down” (literally) its audiences…and, can actually lower I.Q.!  --Bike Bob]:

Aurasma: Augmented reality future or forgettable fun? - (May 26, 2011 - by Rory Cellan-Jones - BBC News) - Rory Cellan-Jones tests augmented reality software that plays video over live images filmed through a phone

You're standing at a bus-stop, the adverts come to life, you're looking at menu, you can see the food, instruction manuals can show you how to put the Ikea table together.

Already, newspapers are talking about turning display adverts into video ads - which can earn them more. And movie studios are planning sightseeing tours where you see parts of a film played out in the real world.

It's a vision of a future where images, not words, become the building blocks by which we search the world and understand our surroundings.  -  http://www.bbc.co.uk/news/technology-13558137




Password Haystacks:  Padding Passwords

 

[On Wed., June 1, 2011, Steve Gibson’s Security Now! (podcast #303) -- which is online-archived (for FREE...both in audio and written transcript form) at https://www.grc.com/securitynow.htm -- Steve talked about his new revelation/s in regards to vital password security. Specifically, he began talking about it in detail at about 75 minutes into the 98 minute show, and continued that discussion for about 10 more minutes, almost to the end of the show. One of the things he recommended was for listeners to check out his Password Haystacks (Padding) page... (see below.) -- Bike Bob]:


Every password you use can be thought of as a needle hiding in a haystack. After all searches of common passwords and dictionaries have failed, an attacker must resort to a “brute force” search – ultimately trying every possible combination of letters, numbers and then symbols until the combination you chose is discovered. If every possible password is tried, sooner or later yours will be found. The question is: Will that be too soon . . . or enough later?

This interactive brute force search space calculator allows you to experiment with password length and composition to develop an accurate and quantified sense for the safety of using passwords that can only be found through exhaustive search.

Please see the discussion [at the following URL] for additional information:

https://www.grc.com/haystack.htm
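Here is the haystack arithmetic worked through in code, as an added example that is neither GRC's calculator nor code from this page: the four character-class sizes, the three guessing rates and the two sample passwords are this example's own assumptions, modelled on the description above.

```python
"""Brute-force search-space ("haystack") calculator for password padding.

Assumptions of this example: four character classes (26 lower, 26 upper,
10 digits, 33 symbols including the space) and three illustrative guessing
rates. Only exhaustive search is modelled; a padded password that matches a
known pattern in a cracking wordlist falls to that earlier stage instead.
"""
import string
from typing import Dict

CLASSES = (
    string.ascii_lowercase,      # 26
    string.ascii_uppercase,      # 26
    string.digits,               # 10
    string.punctuation + " ",    # 33 (assumed symbol set)
)

# Assumed attacker scenarios, in guesses per second.
SCENARIOS: Dict[str, int] = {
    "online, rate-limited": 1_000,
    "offline, single fast GPU": 100_000_000_000,
    "offline, cracking array": 100_000_000_000_000,
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Alphabet an exhaustive search must cover: every class the password uses."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    if size == 0:
        raise ValueError("password uses none of the assumed character classes")
    return size


def search_space(password: str) -> int:
    """Number of candidates of length 1..len(password) over that alphabet.

    Shorter lengths are counted too, because a brute-force search exhausts
    them before reaching the real length.
    """
    a, n = alphabet_size(password), len(password)
    return sum(a ** k for k in range(1, n + 1))


def crack_seconds(password: str, guesses_per_second: int) -> float:
    """Worst-case time to exhaust the haystack at the given guess rate."""
    return search_space(password) / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for name, span in (("years", SECONDS_PER_YEAR), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:,.2f} {name}"
    return f"{seconds:,.2f} seconds"


def report(password: str) -> Dict[str, float]:
    """Worst-case exhaustion time under each assumed scenario."""
    return {label: crack_seconds(password, rate) for label, rate in SCENARIOS.items()}


if __name__ == "__main__":
    # Constructed examples: a random-looking string versus a short, memorable
    # prefix padded with a repeated symbol. Both use all four classes; the
    # padded one is longer and so has the larger haystack.
    for pw in ("J4q#Tm8vZp", "J4q#.........."):
        print(f"{pw!r}: alphabet {alphabet_size(pw)}, length {len(pw)}, "
              f"haystack {search_space(pw):.3e}")
        for label, secs in report(pw).items():
            print(f"  {label:26s} {human_time(secs)}")
```

The model says nothing about guessability: a padding pattern that an attacker's wordlist already contains is found in the dictionary stage the page mentions, long before exhaustive search begins.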





(Alert):  WebGL - A New Dimension for Browser Exploitation

 

[NOTE:  The NoScript (Firefox web browser) Add-on/extension allows you to block WebGL via:  Options | Embeddings | "Forbid WebGL"

You can check out NoScript via my recommended list of Firefox add-ons at this link. -- Bike Bob]:

May 2011 Summary

(   http://www.contextis.com/resources/blog/webgl/   )


WebGL is a new web standard for browsers which aims to bring 3D graphics to any page on the internet. It has recently been enabled by default in Firefox 4 and Google Chrome, and can be turned on in the latest builds of Safari. Context has an ongoing interest in researching new areas affecting the security landscape, especially when it could have a significant impact on our clients. We found that:


1. A number of serious security issues have been identified with the specification and implementations of WebGL.

2. These issues can allow an attacker to provide malicious code via a web browser which allows attacks on the GPU and graphics drivers. These attacks on the GPU via WebGL can render the entire machine unusable.

3. Additionally, there are other dangers with WebGL that put users' data, privacy and security at risk.

4. These issues are inherent to the WebGL specification and would require significant architectural changes in order to remediate in the platform design. Fundamentally, WebGL now allows full (Turing Complete) programs from the internet to reach the graphics driver and graphics hardware which operate in what is supposed to be the most protected part of the computer (Kernel Mode).

5. Browsers that enable WebGL by default put their users at risk to these issues.





Targeted cyber attacks an 'epidemic'

By Maggie Shiels Technology reporter, BBC News, Silicon Valley

June 2, 2011

Security experts said spear phishing attacks were easy to perpetrate because of the amount of information people put on the internet about themselves on social networking sites such as Facebook and Twitter.

The mountain of data lets canny hackers piece together enough information to make e-mails they concoct appear convincing and genuine.

In this attack, some Gmail users received a message that looked like it came from a work colleague or was linked to a work project.

On Ms Parkour's site, she shows some of the spoof e-mails indicating how easy it was for people to be hoodwinked.

"It makes sense these bad guys would go that way given the amount of time, effort and investment they have to make in orchestrating an attack," said Dr Hugh Thompson, chief security strategist at People Security who also teaches at Columbia University.

People tend to trust messages that look like they come from people bearing details of where they last met or what they did, he said.

"I can then point you to a site that looks very much like Gmail and you are not going to question that because I already have your trust," he said.

Steve Durbin, head of the Information Security Forum, said phishing attacks were a well-established attack method and e-mail had long been a favourite among criminals keen to winkle out saleable data.

"Whether you are a government official with access to sensitive or secret information, or the average e-mail user, everyone must be on their guard and become more security savvy," he said.  -  http://www.bbc.co.uk/news/technology-13626104





Leakage of
Private
Information
from Popular Web Sites
Is Common,
New Study Finds


ScienceDaily (June 2, 2011)

A study of more than 100 popular web sites used by tens of millions of people has found that three quarters directly leak either private information or users' unique identifiers to third-party tracking sites.

The study, co-authored by Craig Wills, professor of computer science at Worcester Polytechnic Institute (WPI), also demonstrated how the leakage of private information by many sites, including email addresses, physical addresses, and even the configuration of a user's web browser -- so-called browser fingerprints -- could permit tracking sites to link many disparate pieces of information, including browsing histories contained in tracking cookies and the contents of searches on health and travel sites, to create detailed profiles of individuals.


 
http://www.sciencedaily.com/releases/2011/06/110602111437.htm





U.N. Report Declares Internet Access a Human Right - (June 3, 2011 - by David Kravets - Wired) - A United Nations report said Friday that disconnecting people from the internet is a human rights violation and against international law.

The report railed against France and the United Kingdom, which have passed laws to remove accused copyright scofflaws from the internet. It also protested blocking internet access to quell political unrest (.pdf).  [The report states]:

While blocking and filtering measures deny users access to specific content on the Internet, states have also taken measures to cut off access to the Internet entirely. The Special Rapporteur considers cutting off users from internet access, regardless of the justification provided, including on the grounds of violating intellectual property rights law, to be disproportionate and thus a violation of article 19, paragraph 3, of the International Covenant on Civil and Political Rights.

The report continues:

The Special Rapporteur calls upon all states to ensure that Internet access is maintained at all times, including during times of political unrest. In particular, the Special Rapporteur urges States to repeal or amend existing intellectual copyright laws which permit users to be disconnected from Internet access, and to refrain from adopting such laws.  -  http://www.wired.com/threatlevel/2011/06/internet-a-human-right/




Hacking collective targets FBI affiliate InfraGard

 



Are there lots of hacking groups?


(June 6, 2011 - BBC News/Technology)

Hundreds.

They range from disinterested academics and professionals through teenage trouble-makers to out-and-out criminals.

At one end of the scale are "white hat" hackers who find vulnerabilities and inform website owners so they can fix them.

"Black hat" hackers represent the other extreme - they are typically criminals or hackers working for criminals looking to access information for profit.

In the middle are "grey hat" hackers who are generally intent on mischief making.

At the moment, LulzSec seems to fall into this category.


http://www.bbc.co.uk/news/technology-13671195




Is Your Mobile Phone Transmitting Your Private Information to Corporations?
- (June 3, 2011 - Sarah Jaffe - AlterNet) - Our mobile phones and computers are storing and sharing more and more personal information--but do we have control over who sees it?   -  http://mcaf.ee/0qtjs




Privacy Rights Clearinghouse




No Privacy on Amazon’s Cloud Drive




Careless Behaviour of Cloud Users Leads to Crucial Security Threats, Experts Find - ScienceDaily (June 20, 2011) — Scientists from the Darmstadt Research Center for Advanced Security (CASED) have discovered major security vulnerabilities in numerous virtual machines published by customers of Amazon's cloud. Among 1100 public Amazon Machine Images (AMIs), which are used to provide cloud services, about 30 percent are vulnerable, allowing attackers to manipulate or compromise web services or virtual infrastructures, the researchers say.

The main reason lies in the careless and error-prone manner in which Amazon's customers handle and deploy AMIs. CASED scientists have developed a vulnerability scanner for virtual machines that customers create to run on Amazon's infrastructure. It can be freely downloaded at  http://trust.cased.de/AMID.

Cloud computing is becoming increasingly popular. More and more companies and private users are offering services in the cloud. While security experts have been mainly focusing on security aspects of the underlying cloud infrastructure and provider, it seems that in practice the threats caused by the cloud customers when constructing services are still underestimated or ignored. How severe the consequences resulting from wrong user behaviour can be, has now been shown by recent analysis carried out by the research group led by Prof. Ahmad-Reza Sadeghi at CASED.

The scientists found that at least one third of the machines under consideration have flawed configurations. The research team could extract security critical data such as passwords, cryptographic keys and certificates from the analyzed virtual machines. Attackers can use such information to operate criminal virtual infrastructures, manipulate web services or circumvent security mechanisms such as Secure Shell (SSH).

"The problem clearly lies in the customers' unawareness and not in Amazon Web Services. We believe that customers of other cloud providers endanger themselves and other cloud users similarly by ignoring or underestimating security recommendations," emphasizes Prof. Sadeghi. ….  -  http://www.sciencedaily.com/releases/2011/06/110620095240.htm

 

 

US builds net for cyber war games

 



Barcode? Passé. Here comes the QR. - (June 17, 2011 - by Shan Li - Los Angeles Times/MCT) - Barcode for the digital age: Quick Response codes are designed for smart phones. And they convey far more data than a barcode.

For privacy advocates, however, QRs are one more source of concern. That's because the codes don't just impart information, they can also collect data on where and when a QR was scanned. They can, in some cases, even latch on to the phone user's name, age and other personal information.

LOS ANGELES – Suddenly, they're popping up everywhere — those square, futuristic-looking matrixes that appear to be a cross between abstract art and Rorschach tests.

You'll find them in the corner of newspaper and magazine ads, in department store aisles, on product displays, price tags and For Sale signs in front of homes. Giant-size versions have shown up on billboards.

Called quick response codes, or simply QRs, they're the barcode for the digital age — but ones that convey far more information, and which can be scanned by consumers with smartphones and tablet computers to open a Web page, play a video or even place a call.

"Theoretically, over time companies can build up their database and amass a collection of information that leads to a profile of who I am and what I buy," said Julie Ask, a mobile marketing analyst at Forrester.  -  http://mcaf.ee/jrip5




How to Prevent a Gawker-Style Hack From Endangering You





How to Know if Hackers Have Stolen Your Password - (June 23, 2011 - Scientific American) - The New York Times reports on an easy-to-use web tool that a security professional has created that will check your email address against 13 different databases containing 800,000 email address/password combinations. Called, appropriately, "Should I Change My Password?", the site runs a simple search for your email in the known files.

If you find daunting the idea of creating separate passwords for all of the dozens of online accounts you need to maintain, take the advice of Christopher Mims over at the Technology Review blog: Set up four or five passwords, using one for all the low-security sites, another for any site that also has your credit card number, another for social networking, another for email, and the most secure for your banking sites.  -  http://www.scientificamerican.com/blog/post.cfm?id=how-to-know-if-hackers-have-stolen-2011-06-23





Net neutrality enshrined in Dutch law - (June 23, 2011 - AP - The Guardian/UK) - Netherlands becomes first European country to ensure web providers cannot charge more to access certain services  -  http://mcaf.ee/59emx




How Hacker Activists Are Risking Jail for Everyone's Right to Internet Freedom - (June 24, 2011 - By Julianne Escobedo Shepherd - AlterNet) - Since WikiLeaks, authorities have been more aggressive about arresting citizen cyber activists. Yet new actions by the biggest "hacktivists" show they're willing to risk it.

As First Base Technologies' Peter Wood put it to the BBC on June 22, "I can't condone anyone breaking the law... but I do understand where they are coming from." Another way to look at it: "hacktivism" is the future of peaceful protest; these brave, super-smart cyber activists are defending all of our right to expression, defending our freedom on the battleground of now and the future. As more and more governments want to clamp down on the way we can use the internet, the best of the hacktivists are working on keeping it free.  -  http://tinyurl.com/629rcy8




Security researchers discover 'indestructible' botnet





Know Your Rights!





[Hopefully, the Firefox compartmentalization is good news if it truly does result in improved Javascript security ...(as noted below).  -- Bike Bob]:


Firefox gets graphics, Javascript revamp



In the quest for better browser speed, Mozilla has begun work on new Firefox engines for running JavaScript programs and displaying graphics.

The new JavaScript engine, which includes a compiler called IonMonkey, is designed to run Web-based programs faster and to impose less disruption during the pesky memory-scrubbing process called garbage collection. The graphics engine, called Azure, is intended to get along better with Windows' graphics interfaces while still working with those of Mac OS X and Linux.

Says Joe Drew, who's working on Azure:

   Firefox 4's graphics performance is great ...We're not content with "great", though, and our investigations into how to make drawing even faster have revealed that some of our choices in Gecko's graphics engine aren't optimal for performance.

Naturally, Azure is designed to improve the performance. It also lays the groundwork for future work in separating Mozilla processes into different memory compartments, a long-running project called Electrolysis. The compartmentalisation has the potential to improve security and performance, but it requires extensive retooling of basic parts of the browser.
  -  http://www.zdnet.com.au/firefox-gets-graphics-javascript-revamp-339314095.htm





Can We Trust

Corporations

That Profit Off

  Our Information?

For Facebook,

Twitter, Google

and More,

You're The Product

(July 7, 2011 - by Carne Ross -  Comment Is Free)

The fight to control our own private information online is ultimately a political battle.

http://mcaf.ee/uksch




Hacked Hardware Has Been Sold in the U.S. - (July 11, 2011 - by Michael Moyer - Scientific American) - Last week, an official at the Department of Homeland Security (DHS) told a congressional panel that hardware sold in the U.S. has been compromised by foreign agents. According to a report at Fast Company:

When asked by Rep. [Jason] Chaffetz [R-UT] whether [acting deputy undersecretary of the DHS National Protection and Programs Directorate Greg] Schaffer was aware of any foreign-manufactured software or hardware components that had been purposely embedded with security risks, the DHS representative stated that “I am aware of instances where that has happened,” after some hesitation.

In other words, hardware manufactured abroad has been embedded with malicious code, a problem described last year in Scientific American by John Villasenor, a professor of electrical engineering at the University of California, Los Angeles. The design of modern integrated circuits has become so complex, says Villasenor, that malicious agents could insert unwanted instructions into the circuits at some point in the process. “Given the sheer number of people and complexity involved in a large integrated-circuit design, there is always a risk that an unauthorized outsider might gain access and corrupt the design without detection,” Villasenor writes.  -  http://mcaf.ee/yxjd9



 

Pentagon Makes Love, Not Cyber War, in New Strategy - (July 14, 2011 - by Noah Shachtman - Danger Room/Wired)  -  …the Pentagon strategy uses tones of cooperation, not confrontation, in the strategy it released today. “By sharing timely indicators about cyber events, threat signatures of malicious code, and information about emerging actors and threats, allies and international partners can increase collective cyber defense,” the document notes. “Cyberspace is a network of networks that includes thousands of ISPs [Internet Service Providers] across the globe; no single state or organization can maintain effective cyber defenses on its own.”

Yes, there are all kinds of bad guys out there on the internet, the strategy adds. But many of them are out for money, not for blood. “The tools and techniques developed by cyber criminals are increasing in sophistication at an incredible rate, and many of these capabilities can be purchased cheaply on the internet.” And the best way to stop these crooks is through strong passwords, up-to-date software, and keeping unclassified disks and drives off of secret systems. “Most vulnerabilities of and malicious acts against DoD systems can be addressed through good cyber hygiene,” the document adds.

If there was a nod to the McConnell crowd — who’d like to “reengineer the internet” to make everyone trackable online — it was in the declaration that “DoD will pursue revolutionary technologies that rethink the technological foundations of cyberspace.” But the nod was a subtle one.

Behind closed doors, some Pentagon officials take a much harder line. There have been calls to massively shift Defense Department spending from defensive measures to online offense. Other countries — especially the Chinese, they believe — had infiltrated every corner of the military-industrial complex, and need to be shoved back. Every fresh online break-in brings a fevered call to declare the intrusion an “act of war.”  -  http://www.wired.com/dangerroom/2011/07/make-love-not-cyber-war/

 

 

24,000 Pentagon files stolen in major cyber breach, official says - (July 14, 2011 - By Jason Ukman and Ellen Nakashima - Washington Post) - The Defense Department lost 24,000 files to “foreign intruders” in the spring in what appears to be one of the most damaging cyberattacks to date on the U.S. military, a top Pentagon official acknowledged Thursday.

Deputy Defense Secretary William J. Lynn III, who disclosed the March breach during a speech to roll out the Pentagon’s new cyber strategy, said the files were taken from a defense contractor. He did not say who was believed to be behind the attack or describe the nature of the files that were stolen.

But Lynn said that, over the past few years, all manner of data has been stolen, some of it mundane, some of it concerning “our most sensitive systems, including aircraft avionics, surveillance technologies, satellite communications systems, and network security protocols.” 

“It is a significant concern that over the past decade, terabytes of data have been extracted by foreign intruders from corporate networks of defense companies,” Lynn said.

Last August, the Pentagon acknowledged for the first time that the U.S. military had suffered a major cyberattack in 2008 after malicious code was placed on a flash drive inserted into a U.S. military laptop. The code spread undetected on both classified and unclassified systems, “establishing what amounted to a digital beachhead,” Lynn wrote last year in an article for Foreign Affairs.

The Pentagon’s vast networks are believed to be the subject of malicious probing every day, but it is often difficult if not impossible to determine the identity of an attacker.

In a statement Thursday, Defense Secretary Leon Panetta said “more than 60,000 new malicious software programs or variations are identified every day threatening our security, our economy and our citizens.”  -  http://mcaf.ee/vsquz




What Are We Capable Of ?

A Message From

The “Anonymous” Hacktivists Group

TheAnonPress

(14 min. - YouTube audio/video)

http://www.youtube.com/watch?v=YLJ2z8BSUPc&feature=player_embedded#t=4s




Google-NSA Secrets Can Stay That Way, Judge Rules - Spy agency won't confirm or deny its dealings with Google - (July 15, 2011 - by Truman Lewis - Consumer Affairs) -

It might sound like tilting at windmills, but a privacy organization says it will appeal a federal judge's ruling that the super-secret National Security Agency (NSA) doesn't have to disclose its relationship with Google, or for that matter whether it has or ever has had such a relationship.

The Electronic Privacy Information Center (EPIC) began its quest for information following press reports that the NSA and Google had formed a partnership of some kind after hackers in China launched a cyber attack on the U.S. government in January 2010.

EPIC first filed a Freedom of Information Act (FOIA) request seeking any documents that would reveal whether NSA and Google were developing technical standards that would enable greater surveillance of Internet users.

Not surprisingly, NSA denied the request, saying it could neither confirm nor deny that any such documents existed.

Appeal promised

EPIC said it plans to appeal the decision by U.S. District Court Judge Richard J. Leon, noting NSA's argument that revealing a relationship with Google could dissuade other companies from working with the agency in the future.

"This is a serious concern which … warrants finding for the NSA," Leon wrote.

EPIC says it is also seeking information from the NSA about Internet vulnerability assessments and its private findings on how its practices impact Internet privacy. EPIC also wants details about the NSA's "Perfect Citizen" program.  -  http://mcaf.ee/107tq





Little-known firms tracking data used in credit scores - (2011 - by Ylan Q. Mui - Washington Post) -  [NOTE: ChoicePoint -- one of the "fourth bureau" companies highlighted in this Washington Post article -- was one of the private "proprietary" information/data aggregator companies to whom the Bush/Cheney admin "farmed out" services to get around Congressional proscriptions denying the authorization of the "Total Information Awareness" (TIA) program; which was spear-headed by Adm. John Poindexter (of “Watergate” notoriety).  Bush/Cheney did their end-run around Congress by breaking the TIA (and the law!) into various "compartmentalized" components, such as the TALON program.  --BikeBob]:  -  http://mcaf.ee/zcg1u




Spoofing services make mobile voicemail hacking easy





Welcome to the age of the splinternet





Apple Laptop Security Flaw Found In Computer Batteries - (July 27, 2011 - by Gerry Smith - TheHuffingtonPost) - A security researcher claims to have found a new security flaw in Apple laptops that could allow hackers to ruin laptop batteries, infect them with malware or potentially cause them to overheat and catch fire.

Charlie Miller, principal research consultant at Accuvant Labs, said he has found a way to manipulate chips embedded inside Apple laptop batteries.

The chip monitors the battery's temperature and level of charge, among other things. Those chips can be remotely controlled by hackers using a default password that Miller found on a website of the chip's creator, Texas Instruments. Apple never changed the default password, Miller said.

Miller's discovery, first reported by Forbes.com, is the latest potential security flaw found in Apple's product line. Earlier this month, security experts disclosed a bug in Apple's iOS operating system that could allow criminal hackers to gain remote access to iPhones, iPads and iPod Touch devices, Reuters reported. Apple said it is fixing that issue in an upcoming software update.

At the very least, Miller found he could ruin laptop batteries by altering the chip's code. Not wanting to set his home on fire, Miller stopped there. But he imagines darker possibilities for hackers if Apple does not fix the security flaw.

"I have full access to the battery and I can make any changes I want," Miller told The Huffington Post.

For example, hackers could install malware on the battery that would not be detected by anti-virus software because it would not appear on the hard drive, he said. The malware could attack the laptop's operating system again and again, even after the user installed a new hard drive.

"The battery would keep attacking it," he said.  -  http://mcaf.ee/132mu





Cyber Weapons: The New Arms Race








The Cybercrime Economy




Stegobot steals passwords from your Facebook photos - (July 29, 2011 - by Jacob Aron - NewScientist) - THINK twice before uploading your holiday pictures to Facebook - you could be helping someone to steal information from your computer. A botnet called Stegobot was created to show how easy it would be for a crook to hijack Facebook photos to create a secret communication channel that is very difficult to detect.

Like most botnets, Stegobot gains control of computers by tricking users into opening infected email attachments or visiting suspect websites. But rather than contacting the botmasters directly, it piggybacks on the infected user's normal social network activity. "If one of your friends is a friend of a friend of the botmaster, the information transfers hop by hop within the social network, finally reaching the botmasters," says Amir Houmansadr, a computer scientist at the University of Illinois at Urbana-Champaign who worked on the botnet.

Stegobot takes advantage of a technique called steganography to hide information in picture files without changing their appearance. It is possible to store around 50 kilobytes of data in a 720 by 720 pixel image - enough to transmit any passwords or credit card numbers that Stegobot might find on your hard drive.

The botnet inserts this information into any photo you upload to Facebook, and then waits for one of your friends to look at your profile. They don't even have to click on the photo, as Facebook helpfully downloads files in the background. If your friend is also infected with the botnet - quite likely, since any email you send them will pass it on - any photo they upload will also pass on the stolen data.  -  http://tinyurl.com/grlm746

 


 

Here’s How U.S. Spies Will Find You Through Your Pics







NSA & Microsoft - The San Antonio Connection


The NSA’s new data-mining facility is one component of a growing local surveillance industry

[This article excerpt is from the Dec. 3, 2008, issue of “San Antonio Texas Current.”  Early that year, James Bamford -- author of non-fiction books on the NSA, such as "The Puzzle Palace" and "The Shadow Factory" -- talked about this (see below) twice on NPR…on both "Fresh Air" and "The Diane Rehm Show."  He emphasized that he considered the physical proximity of the NSA and Microsoft facilities as an ominous development.  He also said that both the Microsoft and NSA facilities in San Antonio are HUGE...each covering at least a city block...purportedly to contain vast electronic storage-capacity facilities.  --- Interestingly, this may have also been connected with Microsoft’s development of its “Bing” search-engine and its promotion of “cloud computing.”]:


Bamford writes about how NSA and Microsoft had both been eyeing San Antonio for years because it has the cheapest electricity in Texas, and the state has its own power grid, making it less vulnerable to power outages on the national grid. He notes that it seemed the NSA wanted assurance Microsoft would be here, too, before making a final commitment, due to the advantages of “having their miners virtually next door to the mother lode of data centers.” The new NSA facility is just a few miles from Microsoft's data center of the same size. Bamford says that under current law, NSA could gain access to Microsoft's stored data without even a warrant, but merely a fiber-optic cable.

“What the Microsoft people will have will be just storage of a lot of the email that is being sent. They keep this email — I don't know why — and there should be some legislation saying how long it should be kept,” said Bamford in a phone interview last week. “The post office doesn't keep copies of our letters when we mail letters; why should the telecom companies or the internet providers keep copies of our email? It doesn't make sense to me. But there's no legislation. So they need a place to store it, and that's where they're storing all this stuff.”  - 
http://www2.sacurrent.com/news/story.asp?id=69607









Newspaper Uncovers Systemic Monitoring Plans of Public Online Sources - (Katitza Rodriguez - Electronic Freedom Foundation)  -  http://www.commondreams.org/view/2011/08/04-6




Hackers in demand at US government agencies

 

 

US internet providers hijacking users' search queries

 

 

China a Suspect in Hacking Attack

 

 

Researcher follows RSA hacking trail to China -  Botnet expert spent months tracking malware's command-and-control servers in Beijing, Shanghai - (August 4, 2011 - by Gregg Keizer - Computerworld)  -  http://www.computerworld.com/s/article/9218857/Researcher_follows_RSA_hacking_trail_to_China?taxonomyId=82




Can Darpa Fix the Cybersecurity ‘Problem From Hell?’ - (August 5, 2011 - by Adam Rawnsley - Wired)  -  There are computer security threats — and then there are computer security nightmares. Put sabotaged circuits firmly in the second category. Last week, retired Gen. Michael Hayden, the former CIA and NSA chief, called the hazard of hacked hardware “the problem from hell.”

“Frankly, it’s not a problem that can be solved,” he added. “This is a condition that you have to manage.”

The Pentagon’s top research division is trying, however. Over the past two months, Darpa has awarded nine contracts totaling $49 million for its Integrity and Reliability of Integrated Circuits (IRIS) program to check for compromised chips. Seven companies and two universities received the awards.

The Defense Department has been worried about foreign adversaries tampering with its hardware for a while now. The Pentagon now buys 1 percent of all the world’s integrated circuit production; America’s defense community simply uses too many to monitor them all. In 2005, a Defense Science Board report warned that foreign adversaries could slip back doors into chips (.pdf) destined for installation in important military gear.

The hacked circuits, the report said, could be tweaked to malfunction early or provide a de facto kill switch to a weapon system.  -  http://www.wired.com/dangerroom/2011/08/problem-from-hell/

 

 

 

CNN: Is Facebook

Bad For You?

(4-1/2 min. - YouTube audio/video)

http://www.youtube.com/watch?v=3L71oPCHSGM&feature=related

 

 

 

The Terrible Truth

About Facebook -

Think you have any privacy when it comes to a social networking site? Think again.

Just take a look at who has invested in the site and open your eyes.

(4 min. - YouTube audio/video)

http://www.youtube.com/watch?v=UJqGbA2tLww&feature=related









Smartphones are newest target of hackers - (August 8, 2011 - St. Louis Post-Dispatch/ Associated Press) - Last week, security researchers uncovered yet another strain of malicious software aimed at smartphones that run Google's popular Android operating system. The application not only logs details about incoming and outgoing phone calls, it also records those calls.

That came a month after researchers discovered a security hole in Apple Inc.'s iPhones, which prompted the German government to warn Apple about the urgency of the threat.

Security experts say attacks on smartphones are growing fast — and attackers are becoming smarter about developing new techniques.

[….]

Wrongdoers have infected PCs with malicious software, or malware, for decades. Now, they are fast moving to smartphones as the devices become a vital part of everyday life.

[….]

All at once, smartphones have become wallets, email lockboxes, photo albums and Rolodexes. And because owners are directly billed for services bought with smartphones, they open up new angles for financial attacks. The worst programs cause a phone to rack up service charges, record calls, intercept text messages and even dump emails, photos and other private content directly onto criminals' servers.  -  http://mcaf.ee/arhnx





Survey Finds Smartphone Apps Store Too Much Personal Data - (August 8, 2011 - by Mike Isaac - Wired)  -  An uncomfortably large percentage of mobile applications are storing sensitive user account information unencrypted on owners’ smartphones, according to a new survey of 100 consumer smartphone apps.

Some 76 percent of the apps tested stored cleartext usernames on the devices, and 10 percent of the tested applications, including popular apps LinkedIn and Netflix, were found storing passwords on the phone in cleartext.

Conducted by digital security firm ViaForensics, the testing occurred over a period of over eight months and spanned multiple categories, ranging from social networking applications to mobile banking software. The firm tested apps only for iOS and Android, the market’s leading mobile platforms.

“If I get my hands on someone’s lost phone, it could take me ten minutes to find an account username and password,” said Ted Eull, technology services vice president at ViaForensics, in an interview.

ViaForensics sells mobile security tools and services to corporations, attorneys and government agencies.  -  http://mcaf.ee/n1sj4




New Anti-Censorship Scheme Could Make It Impossible to Block Individual Sites - ScienceDaily (Aug. 10, 2011) — A radical new approach to thwarting Internet censorship would essentially turn the whole web into a proxy server, making it virtually impossible for a censoring government to block individual sites.

The system is called Telex, and it is the brainchild of computer science researchers at the University of Michigan and the University of Waterloo in Canada. They will present it Aug. 12 at the USENIX Security Symposium in San Francisco.

"This has the potential to shift the arms race regarding censorship to be in favor of free and open communication," said J. Alex Halderman, assistant professor of computer science and engineering at U-M and one of Telex's developers.

"The Internet has the ability to catalyze change by empowering people through information and communication services. Repressive governments have responded by aggressively filtering it. If we can find ways to keep those channels open, we can give more people the ability to take part in free speech and access to information."  -  http://www.sciencedaily.com/releases/2011/08/110810133023.htm










Lawmakers Call for Probe of Medical Devices After Researcher Hacks Insulin Pump - (August 19, 2011 - by Kim Zetter  - Wired) - Two federal lawmakers have asked the General Accountability Office to look into the security of medical devices after a researcher showed how he was able to hack his insulin pump and alter settings due to security flaws in the system.

Earlier this month, Jay Radcliffe, a computer security professional who is also diabetic, showed how an attacker could remotely control insulin pumps to deliver too much or too little insulin to the individual wearing the device.

Radcliffe, who conducted the research on his own pump and delivered his findings at the Black Hat security conference in Las Vegas, said that because his insulin pump doesn’t encrypt communication or require authentication from the systems that communicate with it, an attacker can sniff the traffic to study how the devices communicate, then devise commands to inject into the communication traffic to alter the insulin dosage. He also found that he could control what information is fed to a diabetic’s blood sugar monitoring device so the individual would think he’s receiving the right amount of insulin when he’s not.

“My initial reaction was that this was really cool from a technical perspective,” Radcliffe told the Associated Press. “The second reaction was one of maybe sheer terror, to know that there’s no security around the devices which are a very active part of keeping me alive.”

He noted that many other medical devices that use wireless communication and allow for remote-control access could have the same vulnerabilities.  -  http://www.wired.com/threatlevel/2011/08/medical-device-security/









When algorithms control the world - (Aug. 22, 2011 - BBC News) - If you were expecting some kind of warning when computers finally get smarter than us, then think again.  …our electronic overlords are already taking control…  -  http://www.bbc.co.uk/news/technology-14306146












Hackers steal SSL certificates for CIA, MI6, Mossad - Criminals acquired over 500 DigiNotar digital certificates; Mozilla and Google issue 'death sentence' - (September 4, 2011 - by Gregg Keizer - Computerworld)  

Computerworld - The tally of digital certificates stolen from a Dutch company in July has exploded to more than 500, including ones for intelligence services like the CIA, the U.K.'s MI6 and Israel's Mossad, a Mozilla developer said Sunday.

The confirmed count of fraudulently-issued SSL (secure sockets layer) certificates now stands at 531, said Gervase Markham, a Mozilla developer who is part of the team that has been working to modify Firefox to block all sites signed with the purloined certificates.

Among the affected domains, said Markham, are those for the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft's Windows Update service.  -  http://www.computerworld.com/s/article/9219727/Hackers_steal_SSL_certificates_for_CIA_MI6_Mossad





Researchers’ Typosquatting Stole 20 GB of E-Mail From Fortune 500 - (September 8, 2011 - by Kim Zetter - Wired) - Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies say they managed to vacuum up 20 gigabytes of misaddressed e-mail over six months.

The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions.

“Twenty gigs of data is a lot of data in six months of really doing nothing,” said researcher Peter Kim from the Godai Group. “And nobody knows this is happening.”

Doppelganger domains are ones that are spelled almost identically to legitimate domains, but differ slightly, such as a missing period separating a subdomain name from a primary domain name – as in the case of seibm.com as opposed to the real se.ibm.com domain that IBM uses for its division in Sweden.

Kim and colleague Garrett Gee, who released a paper this week (.pdf) discussing their research, found that 30 percent, or 151, of Fortune 500 companies were potentially vulnerable to having e-mail intercepted by such schemes, including top companies in consumer products, technology, banking, internet communication, media, aerospace, defense, and computer security.

The researchers also discovered that a number of doppelganger domains had already been registered for some of the largest companies in the U.S. by entities that appeared to be based in China, suggesting that snoops may already be using such accounts to intercept valuable corporate communications.  -  http://www.wired.com/threatlevel/2011/09/doppelganger-domains/
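The defensive counterpart to the scheme described above, as an added example that is not code from the article or from the Godai Group paper: given the mail domains an organisation really uses, it enumerates the "missing dot" doppelgangers (se.ibm.com gives seibm.com) so they can be registered or monitored, and checks outbound recipient addresses against that set so a misaddressed message can be held at the gateway. The corporate domains and recipient list are constructed sample values.

```python
"""Doppelganger-domain watchlist and outbound-recipient check.

Added example, not from the Wired article or the Godai Group paper.
Domain names below are constructed sample values.
"""

from typing import Dict, Iterable, List, Set


def doppelgangers(fqdn: str) -> List[str]:
    """Return the domains obtained by dropping one interior dot of *fqdn*.

    Only a dot between a subdomain and the label to its right is a realistic
    target: dropping the dot in front of the TLD would yield a name under a
    TLD that does not exist, so that variant is skipped.
    """
    labels = fqdn.lower().strip(".").split(".")
    variants: List[str] = []
    # Join label i with label i+1; the last join (with the TLD) is excluded.
    for i in range(len(labels) - 2):
        merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.append(".".join(merged))
    return variants


def build_watchlist(legit_domains: Iterable[str]) -> Dict[str, str]:
    """Map each doppelganger to the legitimate domain it impersonates.

    A variant that is itself one of the organisation's own domains is not a
    doppelganger and is left out of the watchlist.
    """
    legit: Set[str] = {d.lower() for d in legit_domains}
    watch: Dict[str, str] = {}
    for domain in sorted(legit):
        for variant in doppelgangers(domain):
            if variant not in legit:
                watch.setdefault(variant, domain)
    return watch


def flag_recipients(recipients: Iterable[str],
                    watch: Dict[str, str]) -> List[Dict[str, str]]:
    """Return the recipients whose domain is a known doppelganger.

    Each hit records the address and the domain the sender most likely meant,
    which is what a mail gateway would display when it holds the message.
    """
    hits: List[Dict[str, str]] = []
    for address in recipients:
        _local, sep, domain = address.rpartition("@")
        if not sep:
            continue  # not an e-mail address; nothing to check
        domain = domain.strip().rstrip(">").lower()
        if domain in watch:
            hits.append({"address": address, "intended": watch[domain]})
    return hits


# Constructed sample input: the organisation's mail domains and an outbound
# recipient list containing two typos of the kind the article describes.
CORPORATE_DOMAINS = ["example.com", "se.example.com", "mail.corp.example.com"]
SAMPLE_RECIPIENTS = [
    "alice@se.example.com",        # correct
    "bob@seexample.com",           # missing dot: would go to a stranger
    "carol@mail.corpexample.com",  # missing dot inside the hierarchy
    "dave@partner.example.org",    # unrelated domain, not flagged
]

if __name__ == "__main__":
    watch = build_watchlist(CORPORATE_DOMAINS)
    print("domains to register or monitor:", sorted(watch))
    for hit in flag_recipients(SAMPLE_RECIPIENTS, watch):
        print(f"HOLD {hit['address']}: did you mean @{hit['intended']}?")
```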





Now You Can Get Hacked by Your Mouse -  (September 12, 2011 - by Roy Wood - Wired) - So, you’ve installed a reputable anti-virus package on the family computer, cranked up the security on your wifi router, adopted a smart strategy to keep track of your passwords, and educated the whole family on how to recognize phishing and harpoon scams. Your network and computer systems are now secure, and you can sit back and rest easy, right? RIGHT?

Sadly, computer security is an ongoing cat and mouse game between the hackers and the hackees, and you have to be ever vigilant. All it takes is one momentary lapse of judgment and your system can be infiltrated.  ….

As the security guys like to say, security is an ongoing journey, not a destination. You have to keep up to date with the evolving risks, and continue to evolve your defenses accordingly. It’s not exactly fun, but there’s enough at stake that you can’t afford to get lazy or sloppy–ever. - http://www.wired.com/geekdad/2011/09/now-you-can-get-hacked-by-your-mouse/





How to Protect Your Smartphone From Malware





QR Tags Can Be Rigged to Attack Smartphones - A blogger has demonstrated how these innocuous tags can be made into cybercrime weapons - (Sept. 13, 2011 - by Matt Liebowitz and SecurityNewsDaily)

You've probably seen QR tags thousands of times, from advertisements in the subway to coupon flyer in the mail to products in the supermarket. They look like stamp-size bar codes, a grid of small black-and-white rectangles and squares, usually with bigger black squares in the corners.

A marketer's dream-come-true, these tiny images are capable of storing and transmitting loads of data directly to the smartphones of interested customers. When a person scans a QR tag with a smartphone, the tag can do any number of things, including taking the user right to the product's website.


But like any technology, they can also be manipulated to bite the hands — or phones — that feed them. On the mobile security blog Kaotico Neutral, researcher Augusto Pereyra demonstrated how these innocuous QR tags can be made into cybercrime weapons.

In his proof-of-concept hack, Pereyra took a QR tag he created from a free online tag creator and embedded in it the URL for an attack server called evilsite.dyndns.org. When the target smartphone scanned the tag, the browser was directed to the spoofed site and fed malware.

QR tags are touted for their convenience, but it's that same convenience — coupled with their increasing prevalence — that Pereyra believes could allow them to become dangerous attack vectors. Popular QR tag-scanning software, such as ScanLife, automatically takes mobile browsers to the site embedded within the tag, and while it makes the process quick, it does nothing for its safety.

"This is a serious problem since this is the equivalent of clicking a link with your eyes closed," Pereyra wrote.  -  http://www.scientificamerican.com/article.cfm?id=qr-tags-can-be-rigged-to
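A "look before you follow" check for the text decoded from a QR tag, as an added example that is not code from the article or from Pereyra's blog: instead of handing the payload straight to the browser, it parses it, extracts the host the user should be shown, and lists the reasons to ask for confirmation first. The dynamic-DNS suffix list and the sample payloads are constructed values; the evilsite.dyndns.org host is the one named in the article.

```python
"""Classify a decoded QR payload before anything is opened.

Added example, not from the Scientific American article or Pereyra's blog.
The function never navigates; it returns what a scanner should display.
"""

from ipaddress import ip_address
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample of suffixes under which anyone can obtain a hostname in
# minutes; a real scanner would consult a maintained list.
DYNAMIC_DNS_SUFFIXES = ("dyndns.org", "no-ip.org", "hopto.org")
WEB_SCHEMES = ("http", "https")


def assess_qr_payload(payload: str) -> Dict[str, object]:
    """Return {"kind": "text"|"other"|"url", "host": str|None, "warnings": [...]}.

    "text" is plain content, "other" is a non-web scheme that another app
    would handle (tel:, sms:, wifi:, ...), and "url" is something the browser
    would load.  Every warning is a reason to show the host and ask first.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    warnings: List[str] = []

    if not scheme:
        return {"kind": "text", "host": None, "warnings": warnings}
    if scheme not in WEB_SCHEMES or not parts.netloc:
        warnings.append(f"scheme '{scheme}' is not a web URL; do not pass it "
                        "to the browser unprompted")
        return {"kind": "other", "host": None, "warnings": warnings}

    host = (parts.hostname or "").lower()
    if not host:
        warnings.append("URL has no host")
    if parts.username is not None:
        # http://bank.example@evil.example/ shows a trusted-looking prefix.
        warnings.append("user-info before '@' can disguise the real host")
    try:
        ip_address(host)
        warnings.append("host is a bare IP address rather than a named site")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) label may imitate another name")
    if any(host == s or host.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        warnings.append("host is on a dynamic-DNS service (disposable infrastructure)")
    try:
        if parts.port is not None:
            warnings.append(f"non-default port {parts.port}")
    except ValueError:
        warnings.append("malformed port")
    if scheme == "http":
        warnings.append("plain http: neither the page nor any download it "
                        "serves is authenticated")
    return {"kind": "url", "host": host, "warnings": warnings}


def describe(payload: str) -> str:
    """One-line prompt a scanner could show instead of navigating silently."""
    r = assess_qr_payload(payload)
    if r["kind"] != "url":
        return f"{r['kind']} payload; {len(r['warnings'])} warning(s)"
    return f"open {r['host']}? {len(r['warnings'])} warning(s): " + "; ".join(r["warnings"])


# Constructed sample payloads, from harmless to the kind the article warns of.
SAMPLE_PAYLOADS = [
    "https://www.example.com/product/42",
    "WIFI:S:cafe;T:WPA;P:secret;;",
    "http://evilsite.dyndns.org/",
    "http://bank.example@203.0.113.5:8080/login",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(describe(p))
```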




CIA's Next Mission is to Keep Prying Eyes Off Your Screen - (Sept. 14, 2011 - by John P. Mello Jr., PCWorld)  - The CIA takes such a dim view of people peeking at computer displays while someone is working that the agency is investing in Oculis Labs, a company that makes software to prevent prying eyes from gleaning any information from computer screens.

The spy agency is investing in Oculis through a nonprofit investment company called In-Q-Tel that was chartered in 1999 by a group of private citizens at the request of the director of the CIA and with the support of Congress. It was launched in response to the agency's desire to increase its access to private sector innovation.

In a statement announcing its partnership in Oculis, In-Q-Tel said it was making a "strategic investment" in the software maker. The amount of that investment wasn't revealed.

[….]

"Oculis Labs is an important addition to our investment portfolio and we are excited about this technology's ability to address a critical need in information security, protecting the last two feet of the network," T.J. Rylander, a partner on In-Q-Tel's investments team, said in a statement. "Oculis Labs' technologies offer a vital new capability in securing computer systems against a wide range of insider and outsider threats."

Oculis makes both a consumer and military version of software products. The consumer offering, called PrivateEye ($1.99), uses a webcam and facial recognition software to blur your computer screen when you walk away from it or turn your head to talk to someone behind you. It will also detect someone approaching you from behind as far as 10 feet away and obscure your display as they get closer.  -  http://mcaf.ee/3c9px





Law Enforcement Appliance Subverts SSL - (March 24, 2010 - by Ryan Singel - Wired) - Normally when a user visits a secure website, such as Bank of America, Gmail, PayPal or eBay, the browser examines the website’s certificate to verify its authenticity.

At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications — without breaking the encryption — by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.

The attack is a classic man-in-the-middle attack, where Alice thinks she is talking directly to Bob, but instead Mallory found a way to get in the middle and pass the messages back and forth without Alice or Bob knowing she was there.

The existence of a marketed product indicates the vulnerability is likely being exploited by more than just information-hungry governments, according to leading encryption expert Matt Blaze, a computer science professor at University of Pennsylvania.

“If the company is selling this to law enforcement and the intelligence community, it is not that large a leap to conclude that other, more malicious people have worked out the details of how to exploit this,” Blaze said.  -  http://mcaf.ee/teabs





Fear of Repression Spurs Scholars and Activists to Build Alternate Internets - (Sept. 18, 2011 - by Jeffrey R. Young - The Chronicle of Higher Education/Wash. D.C.) - [Protecting Privacy] Mr. Moglen, the [Columbia U.] law professor, is leading the development of a device called the Freedom Box, and though it doesn't look like much—a gadget the size of a paperback book—he believes that it would be able to help Internet users preserve their privacy.

The concept: It's a personal server, which automatically scrambles digital data to make them harder for unauthorized people to intercept. The idea is to create a personal "cloud," or online storage space, for data before the information is sent to standard e-mail or Web services.

Mr. Moglen and a team of programmers are developing the software under the auspices of the FreedomBox Foundation, a nonprofit organization, and plan to release it under an open license that lets anyone use and modify it. The initial Freedom Box code is expected to hit the Web in the next week or two, although it is more of a framework for developers at this point and lacks most of the planned features.

For Mr. Moglen the work is part of a longtime mission. The Chronicle profiled him several years ago, soon after he founded the Software Freedom Law Center and published what he called The dotCommunist Manifesto.

In the manifesto, he argues that all software should be developed by groups under free licenses rather than by companies out to make profit. Critics have called his approach extreme and unworkable, but in some areas open-source software has gained ground in recent years.

"The Net we have is increasingly monitored, measured, and surveilled everywhere by everybody all the time, or at least by somebody who's doing it for somebody else and would answer a subpoena if they got one," he argued at a conference this year. "Our Net has been turned against us."  -  http://mcaf.ee/rnf07





Diebold voting machines can be hacked by remote control - Exclusive: A laboratory shows how an e-voting machine used by a third of all voters can be easily manipulated - (Sept. 27, 2011 - By Brad Friedman - Salon.com) - It could be one of the most disturbing e-voting machine hacks to date.

Voting machines used by as many as a quarter of American voters heading to the polls in 2012 can be hacked with just $10.50 in parts and an 8th grade science education, according to computer science and security experts at the Vulnerability Assessment Team at Argonne National Laboratory in Illinois. The experts say the newly developed hack could change voting results while leaving absolutely no trace of the manipulation behind.

"We believe these man-in-the-middle attacks are potentially possible on a wide variety of electronic voting machines," said Roger Johnston, leader of the assessment team. "We think we can do similar things on pretty much every electronic voting machine."  -  http://www.salon.com/news/politics/elections/2011/09/27/votinghack/index.html





How to Use an HTTPS-Encrypted Connection When Browsing - (June 28, 2011 - by Nick Mediati - PCWorld) - Maintain an encrypted pathway between your PC and the Websites you visit.  -  http://mcaf.ee/5yrj7






[This obviously is the reason why -- a few years ago -- there was a push on by cell phone service providers (in "the service" of the government?) to get folks to upgrade their analog mobile phones to newer digital models.  The newer cell phones were required -- by government edict -- to be manufactured with GPS-tracking chips preinstalled.  The official explanation for that requirement was to enable "911" call-tracking.  Also, the newer cell phones are "always on" -- even when they are supposedly "turned off."  That, too, was supposed to facilitate "emergency" GPS-location tracking.  Unless you physically remove the battery from your cell phone, the 24/7 whereabouts of your cell phone is always known.  --Bike Bob]:


'Stingray' Phone Tracker Fuels Constitutional Clash - (Sept. 22, 2011 - by Jennifer Valentino-Devries - Wall Street Journal) - Stingrays are designed to locate a mobile phone even when it's not being used to make a call. The Federal Bureau of Investigation considers the devices to be so critical that it has a policy of deleting the data gathered in their use, mainly to keep suspects in the dark about their capabilities, an FBI official told The Wall Street Journal in response to inquiries.

[….]

A stingray works by mimicking a cellphone tower, getting a phone to connect to it and measuring signals from the phone. It lets the stingray operator "ping," or send a signal to, a phone and locate it as long as it is powered on, according to documents reviewed by the Journal. The device has various uses, including helping police locate suspects and aiding search-and-rescue teams in finding people lost in remote areas or buried in rubble after an accident.  -  http://mcaf.ee/qpjkb






Watch out for fake virus alerts - (Microsoft Safety & Security Center - PC Security)

Rogue security software, also known as "scareware," is software that appears to be beneficial from a security perspective but provides limited or no security, generates erroneous or misleading alerts, or attempts to lure users into participating in fraudulent transactions.

How does rogue security software get on my computer?

Rogue security software designers create legitimate looking pop-up windows that advertise security update software. These windows might appear on your screen while you surf the web.

The "updates" or "alerts" in the pop-up windows call for you to take some sort of action, such as clicking to install the software, accept recommended updates, or remove unwanted viruses or spyware. When you click, the rogue security software downloads to your computer.

Rogue security software might also appear in the list of search results when you are searching for trustworthy antispyware software, so it is important to protect your computer.

What does rogue security software do?

Rogue security software might report a virus, even though your computer is actually clean. The software might also fail to report viruses when your computer is infected. Inversely, sometimes, when you download rogue security software, it will install a virus or other malicious software on your computer so that the software has something to detect.

Some rogue security software might also:  -  http://www.microsoft.com/security/pc-security/antivirus-rogue.aspx

 

 

 

How to Avoid Scareware - (Dec. 8, 2010 - by Neil J. Rubenking - PC Magazine) - If you're fooled by a rogue security program, you pay good money for nothing, miss out on actual security, and give your credit card info to shady characters. Here's how to avoid being duped.  -  http://www.pcmag.com/article2/0,2817,2373975,00.asp

 

 

 

What To Do When Scareware Strikes









The 'Worm' That Could Bring Down The Internet - (43 min. - audio) - (Sept. 27, 2011 - Fresh Air - WHYY/NPR) - For the past three years, a highly encrypted computer worm called Conficker has been spreading rapidly around the world. As many as 12 million computers have been infected with the self-updating worm, a type of malware that can get inside computers and operate without their permission.

"What Conficker does is penetrate the core of the [operating system] of the computer and essentially turn over control of your computer to a remote controller," writer Mark Bowden tells Fresh Air's Terry Gross. "[That person] could then utilize all of these computers, including yours, that are connected. ... And you have effectively the largest, most powerful computer in the world."

The gigantic networked system created by the Conficker worm is what's known as a "botnet." The Conficker botnet is powerful enough to take over computer networks that control banking, telephones, security systems, air traffic control and even the Internet itself, says Bowden. His new book, Worm: The First Digital World War, details how Conficker was discovered, how it works, and the ongoing programming battle to bring down the Conficker worm, which he says could have widespread consequences if used nefariously.

"If you were to launch with a botnet that has 10 million computers in it — launch a denial of service attack — you could launch a large enough attack that it would not just overwhelm the target of the attack, but the root servers of the Internet itself, and could crash the entire Internet," he says. "What frightens security folks, and increasingly government and Pentagon officials, is that a botnet of that size could also be used as a weapon."  - 

http://www.npr.org/2011/09/27/140704494/the-worm-that-could-bring-down-the-internet





Facebook Keeps A History Of Everyone Who Has Ever Poked You, Along With A Lot Of Other Data - (Sept. 27, 2011 - Kashmir Hill, Forbes Staff - Forbes) -  http://mcaf.ee/p9hd4




Cloud-Powered Facial Recognition Is Terrifying - (Sept. 29, 2011 - by Jared Keller - The Atlantic Monthly) - By harnessing the vast wealth of publicly available cloud-based data, researchers are taking facial recognition technology to unprecedented levels

a new application developed by Carnegie Mellon University's Heinz College that's designed to take a photograph of a total stranger and, using the facial recognition software PittPatt, track down their real identity in a matter of minutes. Facial recognition isn't that new -- the rudimentary technology has been around since the late 1960s -- but this system is faster, more efficient, and more thorough than any other system ever used. Why? Because it's powered by the cloud.


The logic of the new application is based on a series of studies designed to test the integration between facial recognition technology and the wealth of data accessible in the cloud (by which we basically mean the Internet).  ….

 

Naturally, the development of such software inspires understandably Orwellian concerns. Jason Mick at DailyTech notes that PittPatt started as a Carnegie Mellon University research project, which spun off into a company post 9/11.  "At the time, U.S. intelligence was obsessed with using advanced facial recognition to identify terrorists," writes Mick. "So the Defense Advanced Research Projects Agency (DARPA) poured millions into PittPatt." While Google purchased the company in July, the potential for such intrusive technology to be used against law-abiding citizens is cause for concern.

 

While private organizations may vie for a piece of PittPatt's proprietary technology for marketing or advertising purposes, the idea that such technology could be utilized by a tech savvy member of the public towards criminal, fraudulent, or extralegal ends is as alarming as the potential for governmental abuse.  -  http://mcaf.ee/en5l4




In-Q-Tel
The CIA's
computer high-tech
venture capital-investment
proprietary
public front.
(Do you know
which way
the wind blows? 
They apparently do!)

[ link ]




Exclusive: Computer Virus Hits U.S. Drone Fleet - (Oct. 7, 2011 - by Noah Shachtman - Wired) - http://www.wired.com/dangerroom/2011/10/virus-hits-drone-fleet/








Cyber Threats Forecast for 2012 Released - ScienceDaily (Oct. 11, 2011) — The year ahead will feature new and increasingly sophisticated means to capture and exploit user data, as well as escalating battles over the control of online information that threatens to compromise content and erode public trust and privacy. Those were the findings announced by the Georgia Tech Information Security Center (GTISC) and the Georgia Tech Research Institute (GTRI) in today's release of the Georgia Tech Emerging Cyber Threats Report for 2012. The report was released at the annual Georgia Tech Cyber Security Summit, a gathering of industry and academic leaders who have distinguished themselves in the field of cyber security.

According to GTISC, GTRI and the experts cited in the report, specific threats to follow over the coming year include, among others:

Search Poisoning -- Attackers will increasingly use SEO [Search Engine Optimization] techniques to optimize malicious links among search results, so that users are more likely to click on a URL because it ranks highly on Google or other search engines.

Mobile Web-based Attacks -- Expect increased attacks aimed specifically against mobile Web browsers as the tension between usability and security, along with device constraints (including small screen size), make it difficult to solve mobile Web browser security flaws.

Stolen Cyber Data Use for Marketing -- The market for stolen cyber data will continue to evolve as botnets capture private user information shared by social media platforms and sell it directly to legitimate business channels such as lead-generation and marketing.  -  http://www.sciencedaily.com/releases/2011/10/111011132050.htm





Meet In-Q-Tel, the CIA’s Venture Capital Firm - (Oct. 9, 2011 - by James Corbett - The Corbett Report) - [Transcript:] - Gainspan Corporation manufactures low power Wi-Fi semiconductors that form the heart of modern remote sensing, monitoring and control technologies.

Recorded Future Inc. is a Massachusetts web startup that monitors the web in real time and claims its media analytics search engine can be used to predict the future.

Keyhole Corp. created the 3D earth visualization technology that became the core of Google Earth.

The common denominator? All of these companies, and hundreds more cutting edge technology and software startups, have received seed money and investment funding from In-Q-Tel, the CIA’s own venture capital firm.

Welcome, this is James Corbett of The Corbett Report with your Eyeopener Report for BoilingFrogsPost.com

[….]

Publicly, In-Q-Tel markets itself as an innovative way to leverage the power of the private sector by identifying key emerging technologies and providing companies with the funding to bring those technologies to market.

In reality, however, what In-Q-Tel represents is a dangerous blurring of the lines between the public and private sectors in a way that makes it difficult to tell where the American intelligence community ends and the IT sector begins.

In-Q-Tel has generated a number of stories since its inception based on what can only be described as the “creepiness” factor of its investments in overtly Orwellian technologies.    -  http://www.corbettreport.com/meet-in-q-tel-the-cias-venture-capital-firm-preview/





Internet Security: Researchers Break W3C Standard - ScienceDaily (Oct. 19, 2011) — Standards are supposed to guarantee security, especially in the WWW. The World Wide Web Consortium (W3C) is the main force behind standards like HTML, XML, and XML Encryption. But implementing a W3C standard does not mean that a system is secure. Researchers from the chair of network and data security have found a serious attack against XML Encryption. "Everything is insecure," is the uncomfortable message from Bochum.  -  http://www.sciencedaily.com/releases/2011/10/111019104907.htm








Important Update:
Companies and
Government Agencies
that were affected
by the malware infection
of RSA’s “SecurID”!








Social networking surveillance: trust no one - (August 12, 2011 - by Dan Gillmor - The Guardian) - Governments will always try to monitor citizens' 'secure' communications – and corporations will always help them  -  http://www.guardian.co.uk/commentisfree/cifamerica/2011/aug/12/social-networking-surveillance

 

 

 

Your phone company is selling your personal data - (November 1, 2011 - CNNMoney) - Your phone company knows where you live, what websites you visit, what apps you download, what videos you like to watch, and even where you are. Now, some have begun selling that valuable information to the highest bidder.  -  http://money.cnn.com/2011/11/01/technology/verizon_att_sprint_tmobile_privacy/index.htm

 

 

 

Screen-spy program can read texts and emails - (November 2, 2011 - by Melissae Fellet - NewScientist) - NEXT time you're tapping off a private text message or sensitive email in a public place, consider this: someone could be reading every letter you type from up to 60 metres away.

"We can be in the second floor of a building and read a phone on the ground," says computer vision researcher Jan-Michael Frahm, of the University of North Carolina at Chapel Hill.

Frahm and Fabian Monrose, also of UNC-Chapel Hill, have built a program, dubbed iSpy, that can identify text typed on a touchscreen from video footage of the screen or even its reflection in windows or sunglasses. Video from an ordinary mobile phone camera can be used to spy on a person from 3 metres away. And a snoop with a digital SLR camera that shoots HD video could read a screen up to 60 metres away. - http://tinyurl.com/zx562qe




Block scripts in Firefox
The NoScript add-on
will give you
some extra control
and protection against
malicious scripts
and ads.

(2-1/2 min. - YouTube audio/video)
http://www.youtube.com/watch?v=GzBqnLgOzwM








DARPA Begs Hackers: Secure Our Networks, End ‘Season of Darkness’ - (November 7, 2011 - by Spencer Ackerman - Wired) - The Pentagon’s far-out research agency and its brand new military command for cyberspace have a confession to make. They don’t really know how to keep U.S. military networks secure. And they want to know: Could you help them out?

Darpa convened a “cyber colloquium” at a swank northern Virginia hotel on Monday for what it called a “frank discussion” about the persistent vulnerabilities within the Defense Department’s data networks. The Pentagon can’t defend those networks on its own, the agency admitted.  -  http://www.wired.com/dangerroom/2011/11/darpa-hackers-cybersecurity/












Online Security: Rising Danger - (December, 2011 - by Eric Geier - PCWorld) - From mobile malware to social networking attacks, threats to your security and privacy will only grow…

Computer security involves more than installing an antivirus utility on your PC. Malicious hackers are on a mission to steal money and wreak havoc, and they’ll do it by any means possible. The growing number of mobile devices, such as phones and tablets, and the popularity of social networks give them new avenues in which to expand their cybercrime.  -  http://mcaf.ee/6dknp





This 28-Year-Old Is Making Sure Credit Cards Won't Exist In The Next Few Years - (November 10, 2011 - by Alyson Shontell - San Francisco Chronicle) - There's a tiny 12-person startup churning out of Des Moines, Iowa that most people have never heard of.

Dwolla was founded by 28-year-old Ben Milne, and it's an innovative new way of thinking about online payments that sidesteps credit cards completely.  -  http://mcaf.ee/54way















Mobile ‘Rootkit’ Maker Tries to Silence Critical Android Developer - (November 22, 2011 - by David Kravets - Wired) - A data-logging software company is seeking to squash an Android developer’s critical research into its software that is secretly installed on millions of phones, but Trevor Eckhart is refusing to publicly apologize for his research and remove the company’s training manuals from his website.

Though the software is installed on millions of Android, BlackBerry and Nokia phones, Carrier IQ was virtually unknown until the 25-year-old Eckhart analyzed its workings, recently revealing that the software secretly chronicles a user’s phone experience, from its apps, battery life and texts. Some carriers prevent users who actually find the software from controlling what information is sent.

Eckhart called the software a “rootkit,” a security term that refers to software installed at a low-level on a device, without a user’s consent or knowledge in order to secretly intercept the device’s workings. Malware such as keyloggers and trojans are two examples.  -  http://www.wired.com/threatlevel/2011/11/rootkit-brouhaha/











Researcher’s Video Shows Secret Software on Millions of Phones Logging Everything - (November 29, 2011 - by David Kravets - Wired) - The Android developer who raised the ire of a mobile-phone monitoring company last week is on the attack again, producing a video of how the Carrier IQ software secretly installed on millions of mobile phones reports most everything a user does on a phone.

Though the software is installed on most modern Android, BlackBerry and Nokia phones, Carrier IQ was virtually unknown until 25-year-old Trevor Eckhart of Connecticut analyzed its workings, revealing that the software secretly chronicles a user’s phone experience — ostensibly so carriers and phone manufacturers can do quality control.

But now he’s released a video actually showing the logging of text messages, encrypted web searches and, well, you name it.

Eckhart labeled the software a “rootkit,” and the Mountain View, California-based software maker threatened him with legal action and huge money damages. The Electronic Frontier Foundation came to his side last week, and the company backed off on its threats. The company told Wired.com last week that Carrier IQ’s wares are for “gathering information off the handset to understand the mobile-user experience, where phone calls are dropped, where signal quality is poor, why applications crash and battery life.”

The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim.

In a Thanksgiving post, we mentioned this software as one of nine reasons to wear a tinfoil hat.

The video shows the software logging Eckhart’s online search of “hello world.” That’s despite Eckhart using the HTTPS version of Google which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google.

Cringe as the video shows the software logging each number as Eckhart fingers the dialer.

“Every button you press in the dialer before you call,” he says on the video, “it already gets sent off to the IQ application.”

From there, the data, including the content of text messages, is sent to Carrier IQ’s servers, in secret.

By the way, it cannot be turned off without rooting the phone and replacing the operating system. And even if you stop paying for wireless service from your carrier and decide to just use Wi-Fi, your device still reports to Carrier IQ.  -  http://www.wired.com/threatlevel/2011/11/secret-software-logging-video/






Printers Can Be Hacked to Catch on Fire - (November 29, 2011 - by Paul Wagenseil and SecurityNewsDaily  - Scientific American) - These devices are completely open and available to be exploited, a researcher says

Two researchers at Columbia University in New York say they've found a flaw in ordinary office printers that lets hackers hijack the devices to spy on users, spread malware and even force them to overheat to the point of catching fire.

"The problem is, technology companies aren't really looking into this corner of the Internet. But we are," Salvatore Stolfo, the Columbia professor overlooking the research, said to MSNBC's Bob Sullivan, who first reported the story.

Stolfo and his fellow researcher Ang Cui sent a Hewlett-Packard LaserJet printer various bogus firmware updates. One made the fuser overheat, causing the paper in the printer to yellow and smoke until the machine shut down.

When a tax return was sent to the printer as a print job, another bogus update secretly forwarded the document, complete with Social Security numbers, to a second computer.

"The research on this is crystal clear," Stolfo said. "The impact of this is very large. These devices are completely open and available to be exploited."  -  http://www.scientificamerican.com/article.cfm?id=printers-can-be-hacked-to-catch-fire






The Department Of Homeland Security Wants All The Information It Has On You Accessible From One Place - (11/29/2011 - by Kashmir Hill - Forbes Staff )  -  http://mcaf.ee/7cf4z

 

 

 






Wikileaks Julian Assange tells iPhone, Blackberry and Gmail users: "You're all screwed." - (December 12, 2011 - By Mirror.co.uk) - The whistle-blowing website has released details of companies it says are selling information obtained by monitoring people's mobile phones and computers.


According to Mr Assange, more than 150 organisations around the world have the ability to use phones as tracking devices as well as intercept messages and listen to calls.

Those companies then sell the wholesale information, often the telecommunications data of "entire populations".

He told a press conference at City University in London that the publication of the "Spy Files" is a "mass attack on this mass surveillance industry".

The 40-year-old asked the audience of students and press: "Who here has an iPhone? Who here has a BlackBerry? Who here uses Gmail?

"Well, you're all screwed.

"The reality is, intelligence contractors are selling right now to countries across the world mass surveillance systems for all those products."

Mr Assange said this interception, although lawful, is leading towards a "totalitarian surveillance state".

WikiLeaks is releasing 287 documents today, in conjunction with website spyfiles.org.

Mr Assange said the US, UK, Australia, South Africa and Canada are all developing the "spying systems", and the information is being sold to "dictators and democracies alike".

He said: "Today we release over 287 files documenting the reality of the international mass surveillance industry - an industry which now sells equipment to dictators and democracies alike in order to intercept entire populations."

The Australian national said the surveillance industry has grown over the last 10 years from "a covert, very secretive, small industry" to one involving 160 companies and 25 countries.

"There is an international corporatised mass surveillance industry," he said.  -  http://mcaf.ee/qo0j6






Is Carrier IQ’s Data-Logging Phone Software Helpful or a Hacker’s Goldmine? - (December 3, 2011) - Controversy over what else the company could do with the information it gathers arose a few weeks ago, when software developer Trevor Eckhart pointed out on his Android Security Blog that Carrier IQ can tap into a variety of information stored on a handset, including “manufacturer and model, available memory and battery life, the type of applications resident on the device, the geographical location of the device, the end user’s pressing of keys on the device, usage history of the device, including those that characterize a user’s interaction with a device.” Eckhart, who claims to have obtained this information from a Carrier IQ patent filing, then tested the software for himself.

Eckhart’s subsequent claims that Carrier IQ is a “rootkit” that logs mobile phone users’ activity and location prompted the company to obtain a cease-and-desist order, which was later rescinded when Eckhart retained the Electronic Frontier Foundation. Rootkit is a loaded cyber-security term referring to keylogging, trojan or other software installed without a user’s consent or knowledge for the purpose of tracking activity on that device. More recently, software developer Grant Paul (a.k.a. chpwn) claimed that Carrier IQ is installed on iPhones as well as the Android, Blackberry and Nokia phones originally identified by Eckhart. Apple has since distanced itself from Carrier IQ, as Macworld.com noted on Thursday.

More disconcerting than the evidence that Carrier IQ is collecting sensitive data is the lack of evidence that the company knows how to protect that data, says Chris Soghoian, a privacy and security researcher at the School of Informatics and Computing at Indiana University Bloomington. “You have this application running on your phone with basically full privileges, able to access users’ e-mails, phone calls, location information, text messages and photographs, and it’s just sitting there,” he adds. “Even if you believe that Carrier IQ is well-intentioned or believe that the carriers are not receiving this information, you still have a security crisis just waiting to happen when a hacker figures out how to exploit this information. This is an absolute gold mine for hackers or intelligence agencies or law enforcement.”

The notion that spy agencies or law enforcement could take advantage of Carrier IQ to access private information is particularly relevant given the California Supreme Court case earlier this year that awarded police the authority to search mobile phones without a warrant.

Carrier IQ’s software is like “a gremlin living inside your phone that has the capability to report back to someone else if asked to do so,” says Soghoian, who is also a graduate fellow at the Indiana University’s Center for Applied Cybersecurity Research. Despite Carrier IQ’s claims that it is working to improve network performance for callers, Soghoian adds, the company is hired by the carrier and the performance improvements are only a marginal aspect of what the collected user data could be used to do.  -  http://mcaf.ee/njb5k











Assange on mass surveillance:

'You are all screwed!'

(1 min. - YouTube audio/video)

http://www.youtube.com/watch?v=B5cLqY6_2X8

 

 

 

Spy Files:
WikiLeaks
exposes
dark secrets
of surveillance

(3-3/4 min. - YouTube audio/video)
http://www.youtube.com/watch?v=zfdCBdOHoYA










How the world's first cyber 'super weapon'...now threatens the world

 

 

 

8 Out of 10 Software Apps Fail Security Test

 

 

 

 






Security Alert: Practical advice for protecting your PC and your privacy

Scareware has gone mobile: Users of Android devices are starting to see sleazy ads warning that they need to upgrade their device's battery. The supposed battery-saver apps that those ads prod you to download, however, could endanger your privacy or siphon money from your wallet--and generally they'll do nothing to improve your gadget's battery life, security experts say.

In some cases you don't even need to agree to download the apps. For example, PCWorld spotted one ad on an Android phone for a battery utility called Battery Upgrade. Tapping the ad--even by accident--launches the phone's Web browser, which automatically initiates the download of the app's installer file on the Android device.

"These ads cross a line," says Andrew Brandt, director of threat research for Solera Networks. It's one thing to market a worthless battery app, he says, but another to scare or trick people into installing a program they don't need.

The ads are similar to scareware marketing tactics that have appeared on PCs: Such ads pop up on desktops or laptops, warning that your computer is infected and advising you to download a program to fix the problem. In many cases those rogue system utilities and antivirus products are merely disguises for software that spies on users.  -  http://www.pcworld.com/article/241967





















Carrier IQ Explains Secret Monitoring Software to FTC, FCC - (December 14, 2011 - by David Kravets - Wired) -  The software maker said the data it vacuums to its servers from handsets is vast -- as the software also monitors app deployment, battery life, phone CPU output and data and cell-site connectivity, among other things. But, the company said, the software is not logging every keystroke. - http://mcaf.ee/3hfm6

 

 

 

Congress Authorizes Pentagon to Wage Internet War

 

 

 






American Companies Providing Technology Helping Repressive Regimes (& the U.S. Gov’t.) Spy On Protestors - (31 min. audio) - (Dec. 14, 2011 - Fresh Air/NPR) - journalist Ben Elgin talks about a Bloomberg News series, "Wired for Repression," which details how Western companies are selling surveillance technology to regimes including Iran, Syria, Bahrain and Tunisia.

Those regimes have then used the information obtained from those technologies to torture protesters and dissidents, Elgin tells Fresh Air contributor Dave Davies.

The surveillance industry is booming, Elgin says, with some analysts estimating that the sector brings in between $3 billion and $5 billion a year. A recent surveillance trade show — which is not open to the public — was attended by 1,300 people, with representatives from 35 U.S. federal agencies.

"Some of the sessions at these shows are just remarkable," Elgin says. "They do publish the agenda online so you can see the types of things that they talk about. In an upcoming show in Dubai in February, there's a session on government IT hacking, on how governments can essentially penetrate the computers or cellphones of would-be targets, their citizens. ..."  -  http://www.npr.org/2011/12/14/143639670/











Some Facts About Carrier IQ - (Dec. 13, 2011 - by Peter Eckersley - Electronic Frontier Foundation)  -  https://www.eff.org/deeplinks/2011/12/carrier-iq-architecture





Cell phones are 'Stalin's dream,' says free software movement founder - (March 14, 2011 - by Jon Brodkin - Network World) - Richard Stallman: iPhones and Androids are 'Big Brother' tracking devices

Nearly three decades into his quest to rid the world of proprietary software, Richard Stallman sees a new threat to user freedom: smartphones.

"I don't have a cell phone. I won't carry a cell phone," says Stallman, founder of the free software movement and creator of the GNU operating system. "It's Stalin's dream. Cell phones are tools of Big Brother. I'm not going to carry a tracking device that records where I go all the time, and I'm not going to carry a surveillance device that can be turned on to eavesdrop."

Stallman firmly believes that only free software can save us from our technology, whether it be in cell phones, PCs, tablets or any other device. And when he talks about "free," he's not talking about the price of the software -- he's talking about the ability to use, modify and distribute software however you wish.  -  http://www.networkworld.com/news/2011/031411-richard-stallman.html

 

 

 






Screen-spy program can read texts and emails - (November 2, 2011 - by Melissae Fellet - New Scientist) - NEXT time you're tapping off a private text message or sensitive email in a public place, consider this: someone could be reading every letter you type from up to 60 metres away.  -  http://mcaf.ee/ki4yl





ALERT:

Disable AND Remove

"Test Pilot"

in Thunderbird

 

If you're using Mozilla's Thunderbird e-mail client, take note:

It includes -- enabled by default -- a type of spyware called "Test Pilot." 

Test Pilot supposedly "reports" back what/how users do in/with Thunderbird.


Presumably, Test Pilot is likely not as bad as Carrier IQ

(which logs users’ each and every keystroke, etc.)  

Test Pilot effectively is spyware, though.


Test Pilot first appeared in version #9 of Thunderbird. 

You can check your current version of Thunderbird

by clicking "Help" in the toolbar

and then choosing "About Thunderbird."


Here's what you can do to avoid

Test Pilot's phone-home “performance” reporting:


  In Thunderbird, click "Tools," and then choose "Add-Ons."  

Make sure the “Extensions” category is open, and then scroll down to "Test Pilot."


 You then need to perform TWO operations on Test Pilot: 

First, click on "Disable," then "Restart now." 

Second, after Thunderbird re-starts,

go through the same above process,

but this time finally choose "Remove" (Test Pilot);

and then, close and restart Thunderbird one more time.


Just in case, in the future,

with each successive Thunderbird version upgrade,

I'd be on the alert and double check Add-Ons (again, via "Tools")

to see if Test Pilot sneaks back in again.


BTW...once you have removed Test Pilot,

it's still "made available" as a stand-alone add-on

that you could choose to reinstall.

(Yeah, right...like I'm going to voluntarily choose to be spied upon!  -- Bike Bob)















Tweeting the word 'drill' could mean your Twitter account is read by U.S. government spies - (December 28, 2011 - by Rob Waugh - Daily Mail/UK) - The Department of Homeland Security makes fake Twitter and Facebook profiles for the specific purpose of scanning the networks for 'sensitive' words - and tracking people who use them.

Simply using a word or phrase from the DHS's 'watch' list could mean that spies from the government read your posts, investigate your account, and attempt to identify you from it, according to an online privacy group.

The words which attract attention range from ones seemingly related to diseases or bioweapons such as 'human to animal' and 'outbreak' to other, more obscure words such as 'drill' and 'strain'.

The DHS also watches for words such as 'illegal immigrant'.

The DHS outlined plans to scan blogs, Twitter and Facebook for words such as 'illegal immigrant', 'outbreak', 'drill', 'strain', 'virus', 'recovery', 'deaths', 'collapse', 'human to animal' and 'trojan', according to an 'impact assessment' document filed by the agency.

When its search tools net an account using the phrases, they record personal information.  -  http://mcaf.ee/5cy9z




















Occupy Wall Street Builds Facebook Alternative

 

 

'Anonymous' targets German far-right with Nazi-leaks.net

 

 











New PC virus doesn't just steal your money - it creates fake online bank statements so you even don't know it's gone - (January 6, 2012 - by Rob Waugh - Daily Mail/UK) -  Crimeware steals passwords from your browser.  Cyber criminals use your debit card details to drain your account.  When you visit your bank, it adjusts figures so the criminal transactions don't appear.  Attack has been used in U.S. and UK.  -  http://mcaf.ee/7cjwz





How SOPA [Stop Online Piracy Act] would affect you: FAQ - (December 21, 2011 - by Declan McCullagh - CNET) - http://news.cnet.com/8301-31921_3-57329001-281/how-sopa-would-affect-you-faq/










PROTECT IP
 SOPA Breaks
The Internet

(4-1/2 min. - video)
http://vimeo.com/31100268





Keep Your Computer Bug-Free




White House Blasts Internet Blacklisting Bills




Bitcoin online currency gets new job in web security





"Internet Censorship Affects Everybody"





"I Know Who You Are and I Saw What You Did: Social Networks and the Death of Privacy"





Stay safe online: Google's 'Good to Know' Is a Great Online Privacy Resource





Long-time Computer Security Guru Steve Gibson Speaks Out On The Major Threat To Internet Security By Ongoing Government Attempts At Online Censorship!

 

[Here is the pertinent excerpt (bold emphasis added) from the recent (Wed., Jan. 18, 2012) weekly episode (#336) of Steve Gibson’s “Security Now!” podcast. --- (NOTE: Steve Gibson is THE computer security expert who first discovered -- and coined the terms for -- “spyware”; he then wrote the first computer security defense programs to combat same.) --- The URLs for the podcast (free downloadable .mp3 file) and free transcript follow the excerpt. --Bike Bob]:

 

 

STEVE [GIBSON]:  …let's talk about DNSSEC [Domain Name System Security Extensions]...

 

LEO [LaPorte]:  …the SOPA [Stop Online Piracy Act] protests.  These bills, SOPA in the House and IP Protect Act, or PIPA, Protect IP Act, in the Senate, and other bills like it around the world, one of the features of them is that they modify DNS.  They allow the government to say "Take this website off DNS," the presumption being these are pirate sites, and we're going to take them down.

 

STEVE:  Well, essentially, what they're trying to do is to legislate spoofing of DNS.  They're wanting ISPs to redirect people to a different website than their actual target.  And how many times in this podcast have we talked about the security problems associated with spoofing DNS?  That's a big problem. [Example: Rogue websites that “spoof” well-known banking websites. --Bike Bob] And what DNSSEC, that is to say, DNS Security, does is it signs DNS records so that spoofing can be prevented.  So it adds a layer, I mean a valuable layer, of true security.

 

[….]

 

So essentially what happened was, in response to this call for breaking DNS by legislatively requiring that DNS be spoofed, the real engineer techies of the Internet said, wait a minute, we've been working now for quite a while to prevent exactly what you're suggesting you're going to require by law, and it breaks the Internet security.  And it absolutely does.  ….

 

[….]

 

…the entire DNS system is in the clear [meaning: unencrypted] right now with no protection.  So what we're moving towards is providing for the first time the ability to cryptographically sign and verify that the DNS record that arrives at our computer is the one that the owning DNS server sent, and that the technology will absolutely prevent that from being tampered with.  Yet what this legislation would do would be to break what we're heading towards and just arbitrarily say, oh, you asked for this URL.  We're going to give you a different IP to redirect you to a page that says we're sorry, service has been suspended because that site is believed to be a pirate site.  And that breaks DNS.

 

LEO:  Well, there you have it, if you needed another reason to not like this.  ….


Security Now!:  http://www.grc.com/securitynow.htm

 

 

Security Now! Episode #336 (Free .mp3 file): http://media.GRC.com/sn/SN-336.mp3
 

Security Now! Episode #336 (Free transcript):  http://www.grc.com/sn/sn-336.txt
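The “signs DNS records so that spoofing can be prevented” point above, taken down to the wire. This is an added example, not code from the podcast, the transcript or GRC. It builds the DNS query and two answers by hand (RFC 1035 message format, the EDNS0 OPT record of RFC 6891, the RRSIG record of RFC 4034), runs entirely offline on constructed packets, and deliberately stops short of the cryptographic step: the RRSIG’s signature bytes, key tag and algorithm number, the addresses and the example.com names are all placeholders, so what it checks is everything a validating stub checks before it verifies the signature, and nothing more.

```python
import struct, time

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
DO_BIT = 0x8000   # EDNS0 "DNSSEC OK" flag, carried in the OPT RR's TTL field (RFC 6891)
AD_FLAG = 0x0020  # "Authentic Data" header flag a validating resolver sets (RFC 4035)

def encode_name(name):
    """Uncompressed wire-format name: 'www.example.com.' -> 3www7example3com0."""
    labels = name.strip(".")
    return b"\x00" if not labels else b"".join(
        bytes([len(l)]) + l.encode() for l in labels.split(".")) + b"\x00"

def decode_name(msg, off):
    """Name that may use compression pointers (RFC 1035 4.1.4) -> (dotted name, end offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # pointer: follow it, remember where we were
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + ln].decode())
        off += ln

def build_query(qname, txid=0x1234, dnssec_ok=True):
    """A-record query; with dnssec_ok an OPT pseudo-RR (DO bit) asks for RRSIGs back."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)  # RD set
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    if dnssec_ok:  # OPT: owner ".", CLASS = UDP payload size, TTL = extended flags, no RDATA
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, DO_BIT, 0)
    return msg

def rr(name, rtype, rdata, ttl=300):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def rrsig_rdata(covered, owner, signer, inception, expiration, sig=b"\x00" * 64):
    """RRSIG RDATA (RFC 4034 3.1). Algorithm 8, key tag 12345 and the signature bytes
    are placeholders: nothing is actually signed in this example."""
    labels = len(owner.strip(".").split("."))
    return (struct.pack("!HBBIIIH", covered, 8, labels, 300, expiration, inception, 12345)
            + encode_name(signer) + sig)

def build_response(query, answers, authentic):
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    flags = 0x8180 | (AD_FLAG if authentic else 0)  # QR, RD, RA, plus AD if "validated"
    header = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    return header + query[12:qend + 4] + b"".join(answers)

def parse_response(msg):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = decode_name(msg, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        answers.append((name, rtype, msg[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return txid, flags, answers

def stub_accepts(query, response, now):
    """Checks a DNSSEC-aware stub can make without keys: the resolver claimed validation (AD)
    and the A RRset carries an RRSIG that covers it, is inside its validity window and comes
    from a zone at or above the owner name (RFC 4035 5.3.1, minus the signature math)."""
    txid, flags, answers = parse_response(response)
    if txid != struct.unpack("!H", query[:2])[0]:
        return False, "transaction id mismatch"
    if not flags & AD_FLAG:
        return False, "resolver did not mark the answer authentic (AD clear)"
    qname = decode_name(query, 12)[0]
    if not any(n == qname and t == TYPE_A for n, t, _ in answers):
        return False, "no A record for the name asked about"
    for name, rtype, rdata in answers:
        if rtype != TYPE_RRSIG or name != qname:
            continue
        covered, _, labels, _, exp, inc, _ = struct.unpack("!HBBIIIH", rdata[:18])
        if covered != TYPE_A:
            continue
        signer = decode_name(rdata, 18)[0]
        if not inc <= now <= exp:
            return False, "RRSIG outside its validity window"
        if not ("." + qname).endswith("." + signer) or labels > qname.count("."):
            return False, "RRSIG signer name does not cover the owner name"
        return True, "A RRset is accompanied by a plausible RRSIG"
    return False, "A RRset has no RRSIG: unsigned, or the signature was stripped"

def demo(now=None):
    # Constructed exchange: an honest signed answer, then the legislated redirect.
    now = now or int(time.time())
    owner, zone, block_page = "www.example.com.", "example.com.", bytes([198, 51, 100, 7])
    q = build_query(owner)
    honest = build_response(q, [
        rr(owner, TYPE_A, bytes([192, 0, 2, 10])),  # placeholder "real" address
        rr(owner, TYPE_RRSIG, rrsig_rdata(TYPE_A, owner, zone, now - 3600, now + 86400)),
    ], authentic=True)
    # The ISP swaps in its block-page address. Without example.com's private key it cannot
    # sign the new RRset, so the RRSIG is gone and AD cannot honestly be set ...
    redirect = build_response(q, [rr(owner, TYPE_A, block_page)], authentic=False)
    # ... and forging AD alone does not help, because the stub also insists on the RRSIG.
    forged_ad = build_response(q, [rr(owner, TYPE_A, block_page)], authentic=True)
    return (stub_accepts(q, honest, now), stub_accepts(q, redirect, now),
            stub_accepts(q, forged_ad, now))
```

Calling `demo()` returns the three verdicts: the signed answer passes, the stripped redirect fails on the AD bit, and the redirect with a forged AD bit fails for lack of an RRSIG. The caveat a practitioner should keep in mind: a resolver that kept the zone’s old RRSIG and set AD anyway would get past this stub. Only the step this example leaves out, verifying that signature against the zone’s DNSKEY chain, catches that, which is why a full validator (or a stub that trusts AD from a resolver on a protected path) is the layer the redirect legislation would have had to break.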






Could the Internet Ever Be Destroyed? - (January 20, 2012 - Scientific American) - The coming threats to the global Internet could take many forms

The redundancy of so much online content and of connectivity routes makes the Internet resilient to physical attacks, but a much more serious threat to its status quo existence is government regulation or censorship.  -  http://www.scientificamerican.com/article.cfm?id=could-internet-ever-be-destroyed





Hoping to Teach a Lesson, Researchers Release Exploits for Critical Infrastructure Software - (January 19, 2012 - by Kim Zetter - Wired) - http://www.wired.com/threatlevel/2012/01/scada-exploits





Anonymous Tricks Bystanders Into Attacking Justice Department - (January 20, 2012 - by Quinn Norton - Wired)  -  http://www.wired.com/threatlevel/2012/01/anons-rickroll-botnet/





The Threat of Deep Packet Inspection - (Excerpt from the “PRIVACY WATCH” column by Alex Wawro on page 38 in the February, 2012, issue of “PC World Magazine”)

Bills in Congress like SOPA [Stop Online Piracy Act] and the Protect IP Act may require your ISP to start monitoring your online activity.

…. But if your Internet service provider becomes legally obligated to prevent you from accessing restricted websites, it might use deep packet inspection tools to keep tabs on you.

[….]

Absent legal restrictions, however, your ISP can root through all the information you exchange online, perhaps selling your age, location, shopping records, and other personal data in anonymized batches to advertising companies.  And, law enforcement can monitor and curtail your Net access without your knowledge.
















Better Business Bureau issues warning about e-reader scams - (Jan. 23, 2012 - by Grant Bissell - KSDK-TV/St. Louis, MO) - …the Better Business Bureau is warning scammers are using e-readers to rip you off.

E-readers work a little differently than a regular computer, but they're not immune from scams designed to steal your credit card information.

Chris Thetford of the St. Louis BBB says it all starts with what you download.

"Consumers need to be very careful with what they bring into their e-book reader to make sure that what they're getting is actually the book rather than some sort of malware or some sort of virus which can get in and get their financial information like their credit card number stored on the e-book reader," said Thetford.

Those problem programs are all over the internet. A quick search for "free e-books" turned up more than 265,000 results. The lure of getting a best-seller for free could be hard to resist, but Thetford says offers for free e-books, especially from unknown sites, should be a red flag.

"You want to do your homework to make sure you are dealing with someone you can trust, because it's a financial transaction just like any other financial transaction that you might do electronically," he said.

The bottom line: only download from trustworthy places. If you have doubts, check out blogs and web pages for recommendations from other consumers.

If you do download a nasty program onto your e-reader, computer experts say you could be in trouble.

Often, the only way to get rid of it is to do a factory reset on your machine. That could wipe out everything you've got saved.  -  http://www.ksdk.com/news/article/299003/71/New-scams-target-e-readers






I Spy Your Company’s Boardroom - (January 23, 2012 - by Kim Zetter - Wired) - [The following URL is in regards to apparently widespread, insecure video-conferencing. --- Interestingly, on a related "Security Now!" (http://www.grc.com/securitynow.htm) podcast last year, computer security guru Steve Gibson talked about another similar issue: Insecure Bluetooth devices that literal drive-by ("war driving") hackers -- or, nearby parked "listening in" industrial espionage spies -- could easily access.  This was especially true for those now seemingly ubiquitous phone headsets with talk-into microphones.  -- Bike Bob]:  -  http://mcaf.ee/uqjh9










Super-Security Expert

Bruce Schneier

Cautions ATM users

To be aware of

Lurking thermal cameras!


[Excerpt from the August 25, 2011, episode (#315) of
Computer-Security Guru Steve Gibson’s
“Security Now!” podcast
(http://www.GRC.com/securitynow.htm).
(Emphasis added.)]:

STEVE [Gibson]:  ...Bruce [Schneier] also blogged about stealing ATM PINs with a thermal camera: "Researchers from UCSD pointed thermal cameras towards plastic ATM PIN pads and metal ATM PIN pads..."  "...to test how effective they were at stealing PIN numbers.  The thermal cams did not work at all against metal pads."

[….]

STEVE:  "But on plastic pads the success rate of detecting all the digits was 80 percent after 10 seconds and 60 percent after 45 seconds."

LEO [Laporte]:  That's amazing because you really don't touch, when you're using an ATM, you touch those keys very rapidly.

[….]

STEVE:  ....  He said, "If you think about your average ATM trip, that's a pretty wide window and an embarrassingly high success rate for thieves to take advantage."  So the idea being someone does their transaction.  If they're sufficiently quick, they walk away, you run over and take a picture of it with a thermal camera and see if there's still some heat signature left on the PIN pad.

LEO:  So you should take your time at the ATM.  Or somebody's saying I never touch them anyway, I use a pen.

[Free transcript: http://www.grc.com/sn/sn-315.txt]

[Free audio .mp3: http://media.GRC.com/sn/SN-315.mp3]





Why the Supreme Court GPS Decision Won't Stop Warrantless Digital Surveillance

 

 

 

Conventions Will Leave A Permanent Surveillance And Security Footprint In Host Cities

 

 

 

FBI releases plans to monitor social networks

 

 

 

Anonymous Goes After World Governments in Wake of Anti-SOPA Protests - (January 25, 2012 - by Quinn Norton - Wired) -  http://www.wired.com/threatlevel/2012/01/anonymous-internationalist/





Google announces privacy changes across products; users can’t opt out - (Jan. 25, 2012 - by Cecilia Kang - The Washington Post) - Google will soon know far more about who you are and what you do on the Web.

The Web giant announced Tuesday that it plans to follow the activities of users across nearly all of its ubiquitous sites, including YouTube, Gmail and its leading search engine.

Google has already been collecting some of this information. But for the first time, it is combining data across its Web sites to stitch together a fuller portrait of users.

Consumers who are logged into Google services won’t be able to opt out of the changes, which take effect March 1. And experts say the policy shift will invite greater scrutiny from federal regulators of the company’s privacy and competitive practices.  -  http://mcaf.ee/1vea6











Symantec: We Didn’t Know in 2006 Source Code Was Stolen - (January 26, 2012 - by Kim Zetter  - Wired) - Anti-virus giant Symantec says it did not know back in 2006 that source code for its software was stolen when it experienced a breach at that time.

The company surprised the public last week when it disclosed that hackers had obtained source code for its pcAnywhere software and other products, and that the code had likely been stolen in a six-year-old breach that Symantec had never disclosed.

Symantec said in its announcement that users should disable pcAnywhere until the company had time to update the software to ensure that hackers are unable to exploit holes they might find in the code.

The pcAnywhere software is a popular remote access program that lets administrators get into computers to troubleshoot and also allows mobile users on the road to access content on their office desktop. It’s also installed on point-of-sale terminals in stores and restaurants to allow administrators to update software that’s used to process the information on credit and debit cards as they’re scanned at a register check-out.

What was unclear from Symantec’s disclosure, however, was just how long Symantec had known its source code had been breached. The statement left open the question of whether Symantec knew in 2006 that its source code was taken and only disclosed it this month after hackers claimed to have it.

But Symantec spokesman Cris Paden told Threat Level that the company did not know before this month that the pcAnywhere source code had been stolen.  -  http://www.wired.com/threatlevel/2012/01/symantec-source-code-hack/






























Threat from new virus-infected emails which take over your PC even if you DON'T open their attachments - (February 2, 2012 - by Rob Cole - Daily Mail/UK) - A new class of cyber attack is threatening PCs - emails which infect PCs without the user having to open an attachment.

The user will not even be warned this is happening - the only message that appears is 'loading'.

The email automatically downloads malicious software into your computer from elsewhere the moment a user clicks to open it.

The mails themselves are not infected - and thus will not 'set off' many web-security defence packages.

Security experts say that the development is 'particularly dangerous'.

'This sort of spam also affects cautious users which would never open an unknown attachment or link,' say security experts Eleven Research Team.

Previous generations of email-borne viruses and trojans required users to click on an attachment - often an office document such as a PDF.

The new emails - dubbed 'drive-by emails' - have been detected 'in the wild' by computer researchers Eleven Research Team.

'This driveby spam automatically downloads malware when the e-mail is opened in the e-mail client,' says Eleven Research Team.

'Previous malware e-mails required the user to click on a link or open an attachment for the PC to be infected.'

The current wave of emails arrive with the title 'Banking Security Update.'

To stay safe, the security company advises switching all security settings in email software to maximum, and updating your browser to the latest version so it's protected against malicious software.  -  http://mcaf.ee/0jzhe
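What a mail gateway can look for in a message like the one described above, as an added example that is not from the article or from Eleven Research. The article does not say how the “Banking Security Update” wave triggered its download, so this check looks for the usual mechanisms by which an HTML message pulls code or a framed page from a remote server the moment the client renders it: remote <iframe>, <frame>, <script>, <object> and <embed> sources, and <meta> refresh redirects. Both .eml texts below are constructed, and every host name in them is a placeholder.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

ACTIVE_TAGS = {"iframe", "frame", "script", "object", "embed"}

class _ActiveContentScanner(HTMLParser):
    """Collects (tag, url, hidden) for every tag that makes the client fetch and then
    execute or render something from a remote server. Remote images are left out on
    purpose: they are a tracking problem, not a code-execution one."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data") or ""
        if tag in ACTIVE_TAGS and urlparse(src).scheme in ("http", "https"):
            # 1x1 or display:none frames are the classic "you see nothing but 'loading'" trick
            hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                      or "display:none" in a.get("style", "").replace(" ", ""))
            self.findings.append((tag, src, hidden))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.findings.append(("meta-refresh", a.get("content", ""), False))

def scan_message(raw):
    """Parse a raw RFC 5322 message and scan each text/html part; returns the findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        scanner = _ActiveContentScanner()
        scanner.feed(part.get_content())
        findings.extend(scanner.findings)
    return findings

def is_drive_by(raw):
    return bool(scan_message(raw))

# Constructed sample: looks like the wave described, with a hidden remote iframe.
DRIVE_BY_EML = (b"From: alerts@bank.example.invalid\r\n"
                b"To: victim@example.invalid\r\n"
                b"Subject: Banking Security Update\r\n"
                b"MIME-Version: 1.0\r\n"
                b"Content-Type: text/html; charset=\"us-ascii\"\r\n\r\n"
                b"<html><body><p>Loading...</p>"
                b"<iframe src=\"http://update.example.invalid/bsu.php\" width=\"1\" height=\"1\">"
                b"</iframe></body></html>\r\n")

# Constructed sample: ordinary newsletter, remote logo image and a plain link only.
BENIGN_EML = (b"From: newsletter@example.invalid\r\n"
              b"Subject: Monthly update\r\n"
              b"MIME-Version: 1.0\r\n"
              b"Content-Type: multipart/alternative; boundary=\"b1\"\r\n\r\n"
              b"--b1\r\nContent-Type: text/plain\r\n\r\nRead it on the web.\r\n"
              b"--b1\r\nContent-Type: text/html\r\n\r\n"
              b"<html><body><p>Read it <a href=\"https://www.example.invalid/news\">on the web</a>.</p>"
              b"<img src=\"https://www.example.invalid/logo.png\"></body></html>\r\n"
              b"--b1--\r\n")

if __name__ == "__main__":
    for label, raw in (("drive-by", DRIVE_BY_EML), ("benign", BENIGN_EML)):
        print(label, is_drive_by(raw), scan_message(raw))
```

The advice in the article (“switch all security settings in email software to maximum”) is the client-side half of the same control: a client that renders mail as plain text, or refuses remote content, never fetches the iframe in the first place. A gateway scan like this one is the complementary half, useful because it runs before any user decides whether to open the message.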











VeriSign Hacked: What We Don't Know Might Hurt Us - (Feb. 3, 2012 - by Tony Bradley, PCWorld) - VeriSign, the company behind the root DNS servers that provide the foundation for the Web, and formerly the largest encryption certificate authority, has revealed that it was repeatedly hacked in 2010. Details are sparse thus far, but the revelation calls into question the security of the Internet itself.  -  http://mcaf.ee/bfq3k






How Latest Malware

Uses Disguises

To Avoid Detection

(2 min. - video)

http://news.bbc.co.uk/2/hi/programmes/click_online/9692842.stm

 





Flaw in Home Security Cameras Exposes Live Feeds to Hackers

 

 


 

Symantec code theft: Hackers 'attempted extortion' - (February 7, 2012 - BBC News/UK) - It comes as hackers made public emails from law enforcement agents posing as a Symantec employee.

Officials pretended to be the security firm in order to "offer" the hackers $50,000 (£32,000).

However, more source code has allegedly been released after negotiations apparently broke down.

[….]

At risk

Last month, users of PC Anywhere software were told by the company to disable its use where possible.

The company confirmed that "old" source code stolen by the hackers had exposed vulnerabilities in the program which allows remote access to computers.

Other programs affected include Norton Antivirus Corporate Edition, Norton Internet Security and Norton Systemworks (Norton Utilities and Norton Go Back).

However, only PC Anywhere is said to be at risk. Symantec has been releasing patches and further information via its website.  -  http://www.bbc.co.uk/news/technology-16927660

Hackers Release Symantec Source Code After Failed $50K Extortion Attempt - (February 7, 2012 - by Kim Zetter - Wired) - The release of source code would allow hackers to study the program to find security vulnerabilities that would allow them to potentially breach companies using the programs. But Symantec told customers in January to disable their pcAnywhere programs until the company could patch the systems, which it has subsequently done.  -  http://mcaf.ee/7ovik

Do-Not-Track Browser Add-on

The Perpetual, Invisible Window Into Your Gmail Inbox

The Onion Router (TOR) Is Neither Anonymous Nor Secure!

[The following excerpt was taken from the transcript of the Episode #138 podcast (April 3, 2008) of “Security Now!” with Steve Gibson…which can be found at  http://www.grc.com/sn/sn-138.htm ]:

Steve: …. Now, subsequent to our talking about The Onion Router network, there was some news about malicious TOR nodes, meaning that bad people were - or people of varying badness, maybe even state-run agencies, were creating TOR nodes and monitoring the traffic. Which is really not what you expect or want from a TOR node. You would like it to be run by a white hat, by somebody who is pro-anonymity who's offering a TOR node because they believe in the concept of supporting the anonymous use of the Internet.

[Now what that means is that anyone can set themselves up as a voluntary TOR node, and then have direct access to the incoming and outgoing addresses of everyone who (by chance) is using that random TOR node!  -- Bike Bob]

Google Busted With Hand in Safari-Browser Cookie Jar

New Concerns Over Online Privacy - (51-1/2 min. - audio) - (February 20, 2012 - Diane Rehm Show/NPR) - Technology companies collect vast amounts of information about you and your habits. In return, you get free content, play games and connect with friends. But recent findings are raising concerns over security and privacy. A Stanford researcher discovered Google and other companies bypassing the privacy settings on Apple's Safari web browser. An app company called Path was collecting and storing personal address book information without permission. And an FTC report on children’s app privacy showed parents are not getting information on what data is being collected, how it is being shared, or who will have access. Diane and her guests discuss privacy and transparency in our rapidly changing computer world.

Guests interviewed include: Marc Rotenberg, Exec. Dir. of the Electronic Privacy Information Center and teaches Information Privacy Law at Georgetown University Law Center; Edward Markey, Democratic Congressman from Massachusetts, co-chair of the Bipartisan Congressional Privacy Caucus;