Forum on Risks to the Public in Computers and Related Systems
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Volume 26: Issue 34
Saturday 12 February 2011
Contents
Internet role in Egypt's protests- Brian Randell
Hackers Breach Tech Systems of Multinational Oil Companies- John Markoff
Hacker steals 400,000,000,000 Zynga poker chips- Athima Chansanchai
Certified Lies ... Government Interception... SSL- Soghoian/Stamm
Yet another personal, medical, info series of tapes lost- Danny Burstein
Sweetheart deal for billionaire could cut off GPS service- Geoff Goodfellow
Vatican bans "confession app"- Lauren Weinstein
Breaking the Web by assuming Javascript is running- Thomas Dzubin
Anonymous smear campaigns on the Internet- Mark Thorson
Advantages of no electronic controls?- Peter Z Ingerman
Rightists launch battle to block Facebook pages of left-wing groups- Amos Shapir
Facebook and www.lovely-faces.com- Gene Wirchenko
Prank "dating site" imports 250K Facebook profiles w/o permission- Lauren Weinstein
FEMA Loses Lessons Learned Data- Stephen Fairfax
Outsourcing elections in the Netherlands- Anne-Marie Oostveen
Oscar voting- Tom Sherak
Tree octopus exposes Internet illiteracy- Sam Waltz
REVIEW: "Inside Cyber Warfare", Jeffrey Carr- Rob Slade
CAISE'11 FORUM - Call for Short Papers and Tool Demonstrations- Selmin Nurcan
Info on RISKS (comp.risks)
Internet role in Egypt's protests
Brian Randell
<Brian.Randell@ncl.ac.uk>
February 9, 2011 6:19:11 PM EST

The BBC website now has a very interesting article, "Internet role in Egypt's protests", by Anne Alexander (Buckley Fellow at the Centre for Research in the Arts, Social Sciences and Humanities, University of Cambridge):

  A few days after the fall of Tunisian President Zine al-Abidine Ben Ali, a Jordanian newspaper printed a joke apparently doing the rounds in Egypt: "Why do the Tunisian youth 'demonstrate' in the streets, don't they have Facebook?" Only six days later, protests across Egypt co-ordinated by a loose coalition of opposition groups - many of which are very largely organised through Facebook - seemed to prove this cynicism wrong. Certainly, the Egyptian government reacted quickly: blocking social media sites and mobile phone networks before pulling the plug on Egypt's access to the Internet. This act of censorship was spectacularly unsuccessful.

Full story at http://www.bbc.co.uk/news/world-middle-east-12400319

PS. A full (three-part) subtitled version of the tremendously moving interview that Wael Ghonim (who set up the highly influential "We are all Khaled Said" Facebook page) gave shortly after he was released from 12 days of blindfolded custody can be found at, for example:
http://warincontext.org/2011/02/08/wael-ghonim-interview/

It's no wonder that after this interview was shown on a popular private Egyptian TV channel (DreamTV), tens of thousands more Egyptians joined the protest in Tahrir Square.

School of Computing Science, Newcastle University, Newcastle upon Tyne, NE1 7RU, UK  +44 191 222 7923  http://www.cs.ncl.ac.uk/people/brian.randell
Hackers Breach Tech Systems of Multinational Oil Companies (Markoff)
"Peter G. Neumann"
<neumann@csl.sri.com>
Thu, 10 Feb 2011 13:14:30 PST

[Source: John Markoff, *The New York Times*, Business Section, 10 Feb 2011, page 2; PGN-ed]

At least five multinational oil and gas companies suffered computer network intrusions from a persistent group of computer hackers based in China, according to a report released Wednesday night by a Silicon Valley computer security firm. Computer security researchers at McAfee Inc. said the attacks, which were similar to but less sophisticated than a series of computer break-ins discovered in late 2009 by Google, appeared to be aimed at corporate espionage. Operating from what was apparently a base in Beijing, the intruders established control servers in the United States and the Netherlands to break into computers in Kazakhstan, Taiwan, Greece and the United States.

The focus of the intrusions was on oil and gas field production systems as well as financial documents related to field exploration and bidding for new oil and gas leases, according to the report. The attackers also stole information related to industrial control systems, the researchers noted, but no efforts to tamper with these systems were observed.

McAfee executives declined to name the victim companies, citing nondisclosure agreements the firm signed before being hired to patch the vulnerabilities revealed by the intrusions. Last year, when Google announced that intellectual property had been stolen by Chinese intruders, it expressed frustration that while it had observed break-ins at a variety of other United States companies, virtually none of the other companies were willing to acknowledge that they had been compromised.

According to the report, the intruders used widely available attack methods known as SQL injection and spear phishing to compromise their targets. Once they gained access to computers on internal company networks, they would install remote administration software that gave them complete control of those systems. That made it possible for the intruders to search for documents as well as stage attacks on other computers connected to corporate networks.
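The report names SQL injection as one of the two initial-access methods but does not show what the defect looks like. The following is an added illustration (mine, not from the article or from McAfee's report): the same lookup written with string concatenation and with a bound parameter, run against a constructed in-memory SQLite table whose document names and departments are made up. The point is the fix, not the payload: the parameterized version returns nothing for the textbook quote-closing input because the driver never lets the input become SQL.

```python
import sqlite3

# Constructed sample data (not from the article): a tiny "documents" table
# standing in for the kind of internal system the report says was reached
# through SQL injection. Names and departments are made up.
SAMPLE_ROWS = [
    ("lease-bid-2011-03", "finance", "bid package (constructed)"),
    ("field-prod-q4", "operations", "production figures (constructed)"),
    ("scada-notes", "engineering", "control-system notes (constructed)"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (name TEXT, department TEXT, body TEXT)")
    conn.executemany("INSERT INTO documents VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, department: str) -> list:
    """The defect: caller input is spliced into the SQL text, so a quote
    character in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT name FROM documents WHERE department = '"
           + department + "' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, department: str) -> list:
    """The fix: the driver binds the input as a value, so it can only ever be
    compared against department names, never interpreted as SQL."""
    sql = "SELECT name FROM documents WHERE department = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (department,))]


def compare(department: str) -> dict:
    """Run one input through both queries and return what each one returned."""
    conn = make_db()
    return {
        "vulnerable": search_vulnerable(conn, department),
        "parameterized": search_parameterized(conn, department),
    }


if __name__ == "__main__":
    # A normal lookup behaves identically in both versions.
    print(compare("finance"))
    # The textbook quote-closing tautology: only the concatenated query is
    # fooled into returning every row; the bound parameter matches nothing.
    print(compare("' OR '1'='1"))
```

In a code review the thing to look for is any query text built with `+`, `%` or f-strings from data that crossed a trust boundary; the parameterized form is the same length and the same query plan, so there is no performance argument for the concatenated one.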
Re: FW: Hacker steals 400,000,000,000 Zynga poker chips
"Peter G. Neumann"
<neumann@csl.sri.com>
Fri, 4 Feb 2011 11:35:02 PST

[Thanks to Tim Mather]

Athima Chansanchai, Hacker steals $12 million worth of Zynga poker chips

A gambling addict hacked into gaming heavyweight Zynga and stole 400 billion virtual poker chips worth $12 million to sell on the black market. He got caught and now he's facing some very real prison time. No amount of Farmville tasks can get him out of this one.

Ashley Mitchell, 29, pleaded guilty to five charges brought under the Computer Misuse Act and the Proceeds from Crime Act and was remanded until a date was fixed for sentencing, according to the BBC.
<http://www.bbc.co.uk/news/technology-12357005>
<http://technolog.msnbc.msn.com/_news/2011/02/03/5981061-hacker-steals-12-million-worth-of-zynga-poker-chips#readabilityFootnoteLink-1>

The BBC reported that Mitchell, who has apparently struggled with an online gambling addiction (especially Zynga poker), "posed as an administrator for the Zynga Poker game on Facebook in order to get at the computer systems for the game and steal the chips" between June and September 2009. He laundered the chips through a series of Facebook accounts, trying to play catch-me-if-you-can with Zynga, best known for its popular (and addictive) Facebook games Farmville, Mafia Wars and the booming Cityville.
<http://technolog.msnbc.msn.com/_news/2010/12/14/5649599-zyngas-new-strategy-turns-cityville-into-boom-town>
<http://technolog.msnbc.msn.com/_news/2011/02/03/5981061-hacker-steals-12-million-worth-of-zynga-poker-chips#readabilityFootnoteLink-2>

But Zynga didn't get where it is by being dumb, and they soon figured out something was amiss. They organized a sting. And they stung. He made only about $86,000 before he was pinched. The judge warned Mitchell he's looking at some substantial time behind bars, though he has yet to specify the duration. But seeing as how this isn't Mitchell's first dance as a hacker -- he has a previous conviction for hacking into a local council's web site to change his personal details -- punishment might be stiff.

Besides wondering if it is illegal to pilfer fake currency, I'm also pondering, maybe it's also time to call Gamblers Anonymous?

Develop <http://www.develop-online.net/news/36921/Zynga-hacker-faces-jail-after-12m-theft>
<http://technolog.msnbc.msn.com/_news/2011/02/03/5981061-hacker-steals-12-million-worth-of-zynga-poker-chips#readabilityFootnoteLink-3>
had some answers via Jas Purewal, lawyer and author of Gamer/Law, who told the publication that the case has set a new precedent:

  This shows that the legal regulation and protection of virtual goods and currency, which historically has been fairly uncertain, is evolving fast, driven partly by the boom in virtual goods sales in games. This case is particularly interesting because it involved a UK court recognising virtual currency - in this case, Zynga chips - as legal property which can be protected by existing UK criminal laws... The court effectively found that even though virtual currency isn't real and is infinite in supply, it still can deserve legal protection in the same way as real world currency.

UPDATE: A Zynga spokesperson sent us this response: "Zynga treats game security with the utmost of seriousness. We want to provide our users with the safest and most enjoyable game experience possible. To that end, we have a world class security team which continues to proactively identify and address security breaches with the highest priority. We will pursue these issues vigorously, which could involve criminal and civil prosecutions."

Excerpted from Technolog - Hacker steals $12 million worth of Zynga poker chips
http://technolog.msnbc.msn.com/_news/2011/02/03/5981061-hacker-steals-12-million-worth-of-zynga-poker-chips
Certified Lies ... Government Interception... SSL (Soghoian/Stamm)
Lauren Weinstein
<lauren@vortex.com>
Mon, 31 Jan 2011 16:45:41 -0800

Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL, Christopher Soghoian and Sid Stamm

  "This paper introduces the compelled certificate creation attack, in which government agencies may compel a certificate authority to issue false SSL certificates that can be used by intelligence agencies to covertly intercept and hijack individuals' secure Web-based communications. Although we do not have direct evidence that this form of active surveillance is taking place in the wild, we show how products already on the market are geared and marketed towards this kind of use, suggesting such attacks may occur in the future, if they are not already occurring. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks."

http://bit.ly/fdA1Nb (Cryptogon)

From Network Neutrality Squad [http://www.nns.org]
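The abstract says the add-on detects compelled certificates but not how. The following is an added sketch (mine, not the paper's add-on or its code) of the client-side detection idea that such an attack leaves open to a defender: a compelled certificate is validly signed, so chain validation passes, but it is signed by a CA that is not the one the user has previously seen for that host. The heuristic used below, treating a switch to a CA in a different country as the signal worth alerting on while tolerating same-country CA changes, is my assumption for the example, not something the abstract states; hosts and CA names are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CertObservation:
    """One TLS connection as seen by a client: which CA issued the server
    certificate for which host. All values are constructed for this example."""
    host: str
    issuer_cn: str        # issuer name taken from the certificate chain
    issuer_country: str   # issuer's C= attribute


class IssuerWatch:
    """Remember the first issuer seen for each host and classify later ones.

    Assumed heuristic (mine, not from the page): a certificate for a host
    seen before, now signed by a different CA in a different jurisdiction,
    is the case to surface to the user. Trust-on-first-use limitation: an
    interception already in place at the first visit is not detected.
    """

    def __init__(self) -> None:
        self._first_seen: dict[str, CertObservation] = {}
        self.alerts: list[tuple[CertObservation, CertObservation]] = []

    def observe(self, obs: CertObservation) -> str:
        prior = self._first_seen.get(obs.host)
        if prior is None:
            self._first_seen[obs.host] = obs
            return "first-seen"
        if obs.issuer_cn == prior.issuer_cn:
            return "unchanged"
        if obs.issuer_country != prior.issuer_country:
            self.alerts.append((prior, obs))
            return "alert"
        # A CA switch inside the same jurisdiction is routine (renewals,
        # vendor changes), so it is reported but not treated as an alert.
        return "changed-same-country"


# Constructed connection history (placeholder hosts, CA names and country
# codes; "ZZ" is a user-assigned ISO code standing in for "elsewhere").
SAMPLE_HISTORY = [
    CertObservation("mail.example.com", "Example Root CA", "US"),
    CertObservation("mail.example.com", "Example Root CA", "US"),
    CertObservation("bank.example.org", "Example Root CA", "US"),
    CertObservation("bank.example.org", "Other Trust CA", "US"),
    CertObservation("mail.example.com", "Placeholder Foreign CA", "ZZ"),
]


def replay(history=SAMPLE_HISTORY) -> list[str]:
    """Feed a connection history through the watch and return its verdicts."""
    watch = IssuerWatch()
    return [watch.observe(o) for o in history]


if __name__ == "__main__":
    for obs, verdict in zip(SAMPLE_HISTORY, replay()):
        print(f"{obs.host:20} {obs.issuer_cn:24} {obs.issuer_country}  {verdict}")
```

A real client would feed `observe()` from the verified chain of each handshake and persist `_first_seen` across sessions; the verdict string is what a UI or a log pipeline would act on.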
Yet another personal, medical, info series of tapes lost
danny burstein
<dannyb@panix.com>
Sat, 12 Feb 2011 04:07:50 -0500 (EST)

Data Are Stolen From Hospitals, Wall Street Journal

  The confidential personal health data of about 1.7 million New York City patients, hospital staffers and others were stolen in December, the city's Health and Hospitals Corp. [HHC] reported Friday. The medical files, which were stored on magnetic data tapes and extend back as long as 20 years, were stolen on Dec. 23 from an unlocked vehicle belonging to GRM Information Management Services, the city's medical-records vendor based in Jersey City, N.J. The information in the files includes names, addresses, Social Security numbers and medical information.

http://online.wsj.com/article/SB10001424052748703786804576138443731081156.html

Per other reports, these tapes were not encrypted. But... it's all OK since, as reported by Fox News: "Officials said the stolen data was in the form of electronic files and was 'not readily accessible without highly specialized technical expertise and data-mining tools.'"

http://www.myfoxny.com/dpp/news/local_news/nyc/hospital-records-for-1.7-million-stolen
Sweetheart deal for billionaire could cut off GPS service
the terminal of geoff goodfellow
<geoff@iconia.com>
February 10, 2011 2:02:07 PM EST

[From David Farber's IP]

... laboratory test results from the world's top manufacturer of navigational gizmos, Garmin Ltd. The company's engineers found that popular consumer GPS units started experiencing dropouts when approaching within 3.6 miles of a LightSquared transmitter. A commonly used aircraft navigation unit completely lost its fix within 5.6 miles. Garmin spokesman Ted Gartner told The Washington Times, "It's mind-boggling to us. If it's implemented as is, we've presented a pretty good case with that test that there will be some disruptions."

http://www.washingtontimes.com/news/2011/feb/7/obama-to-america-get-lost/

[Ed Biebel <edward@biebel.net> subsequently noted an article explaining more of the technical issues surrounding the interference between LightSquared and GPS. http://www.tvtechnology.com/article/112844 PGN]
Vatican bans "confession app"
Lauren Weinstein
<lauren@vortex.com>
Thu, 10 Feb 2011 09:41:58 -0800

Update: February 10, 2011: The Vatican has now effectively banned the "confession app" that I originally referenced in: http://bit.ly/ffuq8b (Lauren's Blog)

The Vatican now says that "under no circumstances is it possible to confess by iPhone." Their full wording suggests that Android and other platforms are also excluded. Priests the world over sigh in relief.

People For Internet Responsibility: http://www.pfir.org  +1(818)225-2800
Network Neutrality Squad: http://www.nnsquad.org
http://www.vortex.com/lauren
Global Coalition for Transparent Internet Performance: http://www.gctip.org
PRIVACY Forum: http://www.vortex.com
Blog: http://lauren.vortex.com
Breaking the Web by assuming Javascript is running
Thomas Dzubin
<dzubint@vcn.bc.ca>
Thu, 10 Feb 2011 11:47:17 -0800 (PST)

http://isolani.co.uk/blog/javascript/BreakingTheWebWithHashBangs/

An interesting article describes a problem that many web sites are falling into now with high-level content creation engines. There are many websites now that just don't work PERIOD if the end user's browser doesn't have Javascript enabled. The article also touches on how minor Javascript errors can translate into entire-site problems for users of certain web browsers, the problems of advertisements also requiring Javascript to display their content, and how Javascript can cause content caching to fail. Quite a good article.

And related:
http://developer.yahoo.com/blogs/ydn/posts/2010/10/how-many-users-have-javascript-disabled/#comment-17071

"If site content doesn't load through curl it's broken"

Thomas Dzubin, Vancouver, Calgary, or Saskatoon CANADA
Anonymous smear campaigns on the Internet
Mark Thorson
<eee@sonic.net>
Wed, 9 Feb 2011 10:45:40 -0800

A recent court case shows that using anonymous remailers is not always protection against legal action.
http://virtualcourthouse.info/January-2011-Mark-W.-Decker-v-Mark-A.-Kukucka.html

A related previous case against the same defendant was dismissed.
http://findarticles.com/p/articles/mi_qn4183/is_20051128/ai_n15872662/
Advantages of no electronic controls?
"Peter G. Neumann"
<neumann@csl.sri.com>
Tue, 8 Feb 2011 17:51:39 PST

[Thanks to Peter Z Ingerman.]

Man dies at 102, owns same car 82 years

*Can you imagine having the same car for 82 years?! I guess it was no longer under warranty...*

*"How Long Have You Owned a Car?"*

Mr. Allen Swift (Springfield, MA) received this 1928 Rolls-Royce Picadilly P1 Roadster from his father, brand new, as a graduation gift in 1928. He drove it up until his death last year... at the age of 102! He was the oldest living owner of a car from new. Just thought you'd like to see it. He donated it to a Springfield museum after his death. It has 170,000 miles on it, still runs like a Swiss watch, dead silent at any speed and is in perfect cosmetic condition (82 years). That's approximately 2000 miles per year.
Rightists launch battle to block Facebook pages of left-wing groups
Amos Shapir
<amos083@hotmail.com>
Tue, 1 Feb 2011 16:52:03 +0200

Extreme right-wing activists use a feature of Twitter which automatically blocks a page if enough people complain that the site had transgressed Twitter's policies, thus taking off the air many pages of left-wing (or what the activists consider to be leftist) organizations and individuals.

Full story at:
http://www.haaretz.com/news/national/rightists-launch-battle-to-block-facebook-pages-of-left-wing-groups-1.340398?localLinksEnabled=false
Facebook and www.lovely-faces.com
Gene Wirchenko
<genew@ocis.net>
Tue, 08 Feb 2011 11:04:34 -0800
1) Scrape some data from Facebook (apparently not difficult (sigh!)).
2) Set up a dating Website (www.lovely-faces.com).
www.lovely-faces.com is actually a mock-Website, but it could
have been real. Here is how to do it:
http://www.face-to-facebook.net/index.php
Jaikumar Vijayan, 'Lovely Faces' scrapes public data from Facebook to create
mock dating site; The social networking site is considering legal action
after the personal information of 1 million users was misused. 8 Feb 2011
http://www.itbusiness.ca/it/client/en/home/News.asp?id=61212
Facebook is threatening to take legal action against the creators of an
online "dating" site that features 250,000 profiles of men and women whose
photos and personal details were scraped off the social networking giant's
site and used without their permission.
The site, called Lovely Faces, was ostensibly set up as part of an attempt
to demonstrate to the world how easy it is to misuse data that is publicly
posted on sites such as Facebook. It allows users to search for men and
women using their real names, or by categories such as "easy going", "sly"
and "smug."
Paolo Cirio, an Italian media artist, and Alessandro Ludovico, a media
critic and editor in chief of Neural magazine in Italy, are the site's
creators. On a site explaining their caper, the two admit to using an
automated bot program to systematically scrape publicly available
information from 1 million Facebook profiles (PDF document), over a period
of several months.
The goal of the experiment apparently is to highlight the often
underestimated consequences of publicly posting personal data on social
media sites such as Facebook.
"The price users pay is being categorized as what they really are, or
better, how they choose to be represented in the most famous and crowded
online environment," the duo noted. "The project starts to dismantle the
trust that 500 million people have put in Facebook."
They say Lovely Faces highlights how an "endlessly cool place" such as
Facebook is also a goldmine for identity theft. "But that's the very nature
of Facebook and social media in general. If we start to play with the
concepts of identity theft and dating, we should be able to unveil how
fragile a virtual identity given to a proprietary platform can be."
Prank "dating site" imports 250K Facebook profiles w/o permission
Lauren Weinstein
<lauren@vortex.com>
Thu, 3 Feb 2011 17:12:05 -0800

Prank "dating site" imports 250K Facebook profiles w/o permission
http://bit.ly/gly8HY (ars technica)
FEMA Loses Lessons Learned Data
Stephen Fairfax
<fairfax@mtechnology.net>
Thu, 10 Feb 2011 12:50:12 -0500

A single server failure results in loss of some 6 years' worth of data. The data has reportedly been recovered, but hardware to provide access is not available 8+ months after the failure.

FEMA Loses Lessons Learned Data
<http://www.informationweek.com/news/government/enterprise-apps/showArticle.jhtml?articleID=229209496&subSection=All+Stories>

Apparently the lessons learned do not include much in the way of backup, recovery, and migration procedures.
Outsourcing elections in the Netherlands (Anne-Marie Oostveen)
"Peter G. Neumann"
<neumann@csl.sri.com>
Tue, 1 Feb 2011 20:08:02 PST

Anne-Marie Oostveen, University of Oxford, Outsourcing Democracy: Losing Control of e-Voting in the Netherlands
http://www.psocommons.org/policyandinternet/vol2/iss4/art8/?sending=11289

  Outsourcing IT services is a common practice for many governments. This case study shows that outsourcing of elections is not without risk. Studying electronic voting in the Netherlands through documents obtained with Freedom of Information requests, we see that government agencies at both local and national level lacked the necessary knowledge and capability to identify appropriate voting technology, to develop and enforce proper security requirements, and to monitor performance. Furthermore, over the 20 years that e-voting was used in the Netherlands, the public sector became so dependent on the private sector that a situation evolved where the Dutch government lost ownership and control over both the e-voting system and the election process.

Recommended Citation: Anne-Marie Oostveen (2010) "Outsourcing Democracy: Losing Control of e-Voting in the Netherlands," Policy & Internet: Vol. 2: Iss. 4, Article 8. DOI: 10.2202/1944-2866.1065
Oscar voting (Tom Sherak)
"Peter G. Neumann"
<neumann@csl.sri.com>
Fri, 4 Feb 2011 11:44:49 PST

Oscar Ballots Mailed, Tom Sherak Talks: Online Ballots, Franco and Hathaway, Indie Wire (blog)

Until Sherak is convinced that no one could influence the voting by hacking into an online voting system, he's sticking with paper ballots. It's safer. ... But the Oscars are a fat juicy target. "I've yet to be convinced that you couldn't find someone to hack into it. Nobody has said to me, 'you can't get in.' The Academy is as pure as the driven snow."

http://blogs.indiewire.com/thompsononhollywood/2011/02/03/oscar_watch_ballots_mailed_due_february_22_sherak_on_why_online_ballots_won/
Tree octopus exposes Internet illiteracy
Sam Waltz
<samwaltz.groups@gmail.com>
February 3, 2011 1:34:58 PM EST

http://blog.mysanantonio.com/education/2011/02/tree-octopus-exposes-internet-illiteracy/

  The endangered Pacific Northwest tree octopus in its natural habitat. (snicker) Is this creature capable of exposing shocking Internet illiteracy?

  Donald Leu, a researcher from the University of Connecticut, conducted a U.S. Department of Education-funded study of Internet literacy among so-called 'digital natives', fabricating the tree octopus to test students' ability to evaluate information they find on the Internet. Researchers asked students to find out information about the endangered Pacific Northwest tree octopus. Students had no problem locating a website dedicated to the cause, http://zapatopi.net/treeoctopus/, but insisted on the existence of the made-up story, even after researchers explained the information on the website was completely fabricated, according to a press release. (Author's note: You gotta check out this website, you can actually buy posters and T-shirts through Cafe Press.)

  Leu: Most students "simply have very little in the way of critical evaluation skills. They may tell you they don't believe everything they read on the Internet, but they do." The study also found that students shunned search engines in favor of typing what they think is the right site directly into the address bar, such as Georgewashington.com. When they did use a search engine, they skipped right over legitimate pages—because it didn't look like what they had in mind. [PGN-ed]

What the article fails to take into account is that we had the same problem for centuries before the Internet was developed. When I was in grade school, I was doing a research paper on Atlantis. I went to the local university library and grabbed all the books I could find on the subject, including some paranormal and occult books from the 1920s, based on theosophy (trust me, look it up). My paper was a huge mess, because I suffered from information overload, and had not learned how to judge the reliability of a resource yet (I suspect that we all still struggle with that to some extent).

We forget now how many pre-Internet references are based on bad logic and superstition. It is certainly possible to find misinformation in books, magazines, as well as on the Internet. The only extra disadvantage the web has is that an article you find today might not be hosted tomorrow, or may have undergone subsequent revisions. Yes, we absolutely need to teach critical thinking - but we shouldn't be fooled into believing this is a new problem.

Sam Waltz
REVIEW: "Inside Cyber Warfare", Jeffrey Carr
Rob Slade
<rMslade@shaw.ca>
Tue, 8 Feb 2011 15:21:43 -0800

BKCYWRFR.RVW   20101204

"Inside Cyber Warfare", Jeffrey Carr, 2010, 978-0-596-80215-8, U$39.99/C$49.99
%A   Jeffrey Carr greylogic.us
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2010
%G   978-0-596-80215-8 0-596-80215-3
%I   O'Reilly & Associates, Inc.
%O   U$39.99/C$49.99 800-998-9938 fax: 707-829-0104 nuts@ora.com
%O   http://www.amazon.com/exec/obidos/ASIN/0596802153/robsladesinterne
     http://www.amazon.co.uk/exec/obidos/ASIN/0596802153/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/0596802153/robsladesin03-20
%O   Audience n Tech 1 Writing 2 (see revfaq.htm for explanation)
%P   212 p.
%T   "Inside Cyber Warfare: Mapping the Cyber Underworld"

The preface states that this text is an attempt to cover the very broad topic of cyber warfare with enough depth to be interesting without being technically challenging for the reader.

Chapter one provides examples of cyber attacks (mostly DDoS [Distributed Denial of Service]), and speculations about future offensives. More detailed stories are given in chapter two, although the reason for the title of "Rise of the Non-State Hacker" isn't really clear. The legal status of cyber warfare, in chapter three, deals primarily with disagreements about military treaties. A guest chapter (four) gives a solid argument for the use of "active defence" (striking back at an attacker) in cyber attacks perceived to be acts of war, based on international law in regard to warfare. The author of the book is the founder of Project Grey Goose, and chapter five talks briefly about some of the events PGG investigated, using them to illustrate aspects of the intelligence component of cyber warfare (and noting some policy weaknesses, such as the difficulties of obtaining the services of US citizens of foreign birth). The social Web is examined in chapter six, noting relative usage in Russia, China, and the Middle East, along with use and misuse by military personnel. (The Croll social engineering attack, and Russian scripted attack tools, are also detailed.) Ownership links, and domain registrations, are examined in chapter seven, although in a restricted scope. Some structures of systems supporting organized crime online are noted in chapter eight. Chapter nine provides a limited look at the sources of information used to determine who might be behind an attack. A grab bag of aspects of malware and social networks is compiled to form chapter ten. Chapter eleven lists position papers on the use of cyber warfare from various military services. Chapter twelve is another guest article, looking at options for early warning systems to detect a cyber attack. A host of guest opinions on cyber warfare are presented in chapter thirteen.

Carr is obviously, and probably legitimately, concerned that he not disclose information of a sensitive nature that is detrimental to the operations of the people with whom he works. (Somewhat ironically, I reviewed this work while the Wikileaks furor over diplomatic cables was being discussed.) However, he appears to have gone too far. The result is uninteresting for anyone who has any background in cybercrime or related areas. Those who have little to no exposure to security discussions on this scale may find it surprising, but professionals will have little to learn, here.

copyright, Robert M. Slade   http://www.infosecbc.org/links
rslade@vcn.bc.ca  rslade@computercrime.org  victoria.tc.ca/techrev/rms.htm  slade@victoria.tc.ca
CAISE'11 FORUM - Call for Short Papers and Tool Demonstrations
Selmin Nurcan
<nurcan@univ-paris1.fr>
Tue, 01 Feb 2011 23:42:42 +0100

The 23rd International Conference on Advanced Information Systems Engineering, CAISE'2011, 20-24 June 2011, London, UK
http://www.caise2011.com/
IS Olympics: Information Systems in a diverse world
Submission deadline: 21st March 2011
