Planet Security

March 11, 2010

Network World on Security: Pennsylvania fires CISO over RSA talk

Pennsylvania's chief information security officer, Robert Maley, has been fired, apparently for talking publicly at the RSA security conference last week about a recent incident involving the Commonwealth's online driving exam scheduling system.

Network World on Security: Biometrics: What, Where and Why

Biometrics encompasses a variety of methods for ensuring identity based on physical or behavioral traits. Conventional identifying traits include fingerprints, face topology, iris structure, hand geometry, vein structure, voice, signature and keystroke recognition. Emerging technologies analyze characteristics such as gait, odor, and ear shape. Rather than being used in isolation, biometrics systems are increasingly becoming multimodal, an approach that serves both to increase security and overcome failure-to-enroll problems.

Secunia: RSA 2010 – good news for online security

Security Circus - Raistlin: Tories on cyber war: Waffle, mutter, waffle. Um, vote for us!

The Register - Security: Estonian DDoS revenge worm crafter jailed

Infection still spreading

An Estonian virus writer has been jailed for two and a half years for creating a Windows worm family that launched denial of service attacks on the websites of a local insurance firm and ISP.…

infosecurity.us: Chip Bok: Apology Channel

infosecurity.us: FDIC – Nefarious Hackers Abscond With Over $120M in 90 Days


News, via ComputerWorld's Robert McMillan, of the United States Federal Deposit Insurance Corporation's assertion that evidence has led the agency to estimate that on-line banking fraud has cost small businesses that have fallen victim to scams, hacks, cracks and cons over $120,000,000. More information, including a link to the original post, appears after the jump.

From ComputerWorld's Robert McMillan: "FDIC: Hackers took more than $120M in three months

“Ongoing computer scams targeting small businesses cost U.S. companies $25 million in the third quarter of 2009, according to the U.S. Federal Deposit Insurance Corporation. Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and rose to over $120 million in the third quarter of 2009, according to estimates presented Friday at the RSA Conference in San Francisco, by David Nelson, an examination specialist with the FDIC. The FDIC receives a variety of confidential reports from financial institutions, which allow it to generate the estimates, Nelson said…”


Security Curve Weblog: Anomaly Detection and Log Management: What we Can (and Can't) Learn from the Financial Fraud Space

In this month’s Prism Microsystems newsletter I take a look at the differences between financial fraud and IT network and systems anomaly detection.

Have you ever been in a store with an important purchase, rolled up to the cash register and handed over your card only to have it denied? You scramble to think why: “Has my identity been stolen?” “Is there something wrong with the purchase approval network?” “Did I forget to pay my bill?” While all of the above are possible explanations – there’s a very common one you may not think of immediately: anomaly detection. Specifically, if the purchase you have in your hand doesn’t match up with your buying history, your bank might think it’s fraud and refuse the transaction. Even small changes in buying habits can trigger an alert. For example, credit card holders traveling outside the US for the first time may find their card declined in Paris on a European vacation. Buyers that rarely charge items over a couple of hundred dollars in value could find their first large ticket item (like a couch or a piece of jewelry) purchase blocked, at least temporarily.

Heise Security: Exploit for new IE hole

A public exploit for the new hole in Internet Explorer 6 and 7 has become available. This will probably force Microsoft to release an out-of-cycle patch.


The Register - Security: Tories on cyber war: Waffle, mutter, waffle. Um, vote for us!

'Computers. Clicking, typing. Email. I could go on'

Tory peer and shadow security minister Baroness Pauline Neville Jones has set out her party's thoughts on cyber war and defence. Unfortunately once the waffle is stripped away there's pretty much nothing there.…

The Register - Security: Password reset questions dead easy to guess

Your pet's name is Poochie? You're pwned

Guessing the answer to common password reset questions is far easier than previously thought, according to a new study by computer science researchers.…

Schneier on Security: Wanted: Trust Detector

It's good to dream:

IARPA's five-year plan aims to design experiments that can measure trust with high certainty -- a tricky proposition for a psychological study. Developing such experimental protocols could prove very useful for assessing levels of trust within one-on-one talks, or even during group interactions.

A second part of the IARPA proposal might involve using new types of sensors and software to gauge human facial, language or body signals that might help predict trustworthiness. Perhaps facial recognition technology that could deduce emotions or facial tics might help, not to mention better lie detectors.

IARPA is the Intelligence Advanced Research Projects Activity, the U.S. intelligence community's answer to DARPA.

Digg.com Security: EFF: New Smart Meters for Energy Use Put Privacy at Risk

The ebb and flow of gas and electricity into your home contains surprisingly detailed information about your daily life. Energy usage data, measured moment by moment, allows the reconstruction of a household's activities: when people wake up, when they come home, when they go on vacation, and maybe even when they take a hot bath...

Computerworld Security Blog: Ask Amir #4: What's a Web reputation service?

This week in Security Levity, I want to talk about 'web reputation' and how it's used to protect users from malicious Web sites, or sites with malicious content for some other reason.


LiquidMatrix: Security Briefing: March 11th

F-Secure - News from the Lab: Allaple Virus Author Sentenced

An Estonian virus writer has been sentenced to jail in Harju, Estonia.

The author of the Allaple virus family, 44-year-old Mr. Artur Boiko, pleaded not guilty.

Nevertheless, he was found guilty and sentenced to 2 years and 7 months in prison.

Allaple is a complex worm using polymorphic encryption. It spreads over network shares and by modifying local HTML files. When such HTML files are uploaded to public websites, they spread the infection further.

Apparently Mr. Boiko had been in a car accident and had ended up in dispute over his insurance claim with If Insurance. As a result, his worm launches DDoS attacks against these sites:

    www.if.ee           (website of the insurance company)
    www.online.if.ee    (customer online interface of the insurance company)
    www.starman.ee      (website of a local ISP)

The DDoS attacks were quite serious — see this post from ISC Diary in 2007.

We detected several variants of Allaple during 2006-2007. The problem is that this is not a botnet — these worms have no command and control channel. The infected machines will attack their targets until they are cleaned. There are still thousands of active, infected computers today around the world, and they are still attacking. And the worm is still spreading further.

Snapshot from F-Secure interface showing new samples on 11th of March 2010

Boiko was sentenced to prison, where he has already been awaiting his trial for 19 months. He was also sentenced to pay the following sums to cover losses:

To If Insurance: 5.1 Million Estonian Kroons (about 330000 Euros or 450000 USD)
To Starman ISP: 1.4 Million Estonian Kroons (about 91000 Euros or 130000 USD)

More info (in Estonian) from ERR Uudised

On 11/03/10 At 11:20 AM

The Register - Security: Bogus Playstation emulators pack Trojan payload

'Will be around for a long time'

Retro gaming fans are being targeted in a new con designed to infect computers with a Trojan linked to scareware scams.…

The Register - Security: PayPal restores Cryptome for real

Now go away

PayPal has finally made good on its pledge to restore Cryptome's account many hours after the firm's head of global communications told Register readers it had already done so.…

Darknet Hackers: Zeus-related Botnet Servers Taken Offline

We wrote about Zeus a while back, a nasty trojan which can evade detection by anti-virus software and is ranked as the number 1 trojan infector by numbers. About a week ago a massive sting operation took down large parts of the Mariposa botnet in Spain and the USA and the latest news is large [...]

Read the full post at darknet.org.uk



Anton Chuvakin: Links for 2010-03-10 [del.icio.us]

codeblog: openssl client does not check commonName

I realize the openssl s_client tool tries to be upper-layer protocol agnostic, but doesn’t everything that uses SSL do commonName checking (HTTP, SMTP, IMAP, FTP, POP, XMPP)? Shouldn’t this be something openssl s_client does by default, maybe with an option to turn it off for less common situations?

Here it doesn’t complain about connecting to “outflux.net” when the cert has a CN for “www.outflux.net”:

echo QUIT | openssl s_client -CApath /etc/ssl/certs \
  -connect outflux.net:443 2>/dev/null | egrep "subject=|Verify"
subject=/CN=www.outflux.net
    Verify return code: 0 (ok)
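The name check the post wants s_client to do by default, as an added example that is not part of the codeblog post or of OpenSSL: RFC 6125-style matching over a getpeercert()-style record (subjectAltName dNSName entries take precedence over the CN; a wildcard only as the whole leftmost label), a parser for the subject= line s_client printed above, and the Python ssl call that refuses the mismatch on a live connection. The certificate record is constructed from the output above; the 5-second timeout and the helper names are this example's own.

```python
"""Hostname verification that `openssl s_client` skips by default.

s_client reported "Verify return code: 0 (ok)" for outflux.net although the
certificate's CN is www.outflux.net: chain validation passed, but the name
was never compared to the host we asked for. The functions below do that
comparison the way Python's ssl module does (RFC 6125 rules).
"""
import socket
import ssl


def _dns_name_match(pattern, hostname):
    """Match one certificate DNS name (possibly '*.example.com') to a hostname.

    Case-insensitive, trailing dot ignored. A single '*' is allowed only as the
    entire leftmost label and never spans a dot: '*.if.ee' matches 'www.if.ee'
    but not 'if.ee' or 'a.www.if.ee'; 'w*.if.ee' is rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 2 or "*" in pattern[2:]:
        return False
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """DNS names a certificate is valid for, from a getpeercert()-style dict.

    Layout: {'subject': ((('commonName', 'www.outflux.net'),),),
             'subjectAltName': (('DNS', 'www.outflux.net'),)}.
    If subjectAltName carries any DNS entries the CN is ignored (RFC 6125
    section 6.4.4); the CN is only a fallback for certificates without SAN.
    """
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def hostname_matches(cert, hostname):
    """True when `hostname` is covered by one of the certificate's names."""
    return any(_dns_name_match(name, hostname) for name in cert_names(cert))


def subject_from_s_client(line):
    """Turn the 'subject=/C=../CN=www.outflux.net' line s_client prints into the
    dict layout used above. Only the CN survives: s_client's subject output
    does not carry subjectAltName, so this is the CN-fallback case."""
    _, _, dn = line.partition("subject=")
    rdns = []
    for part in dn.strip().split("/"):
        key, sep, value = part.partition("=")
        if sep and key == "CN":
            rdns.append((("commonName", value),))
    return {"subject": tuple(rdns)}


def verified_peer(host, port=443, timeout=5.0):
    """Open a TLS connection that refuses a name mismatch (needs network).

    create_default_context() turns on chain verification and check_hostname,
    so the outflux.net case raises ssl.CertificateError instead of 'ok'.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed record mirroring the certificate in the s_client output above.
OUTFLUX_CERT = {"subject": ((("commonName", "www.outflux.net"),),)}

if __name__ == "__main__":
    for host in ("outflux.net", "www.outflux.net"):
        print(host, "->", "match" if hostname_matches(OUTFLUX_CERT, host) else "MISMATCH")
```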

Internet Security and Programming: Tories on cyber war: Waffle, mutter, waffle. Um, vote for us!


Roger's Information Security Blog: CVE-2010-0188 Adobe Exploit

The Microsoft Malware Protection Center reported earlier this week a sighting of a malicious PDF file exploiting CVE-2010-0188. Adobe released 9.2.1 and 8.2.1 in February.

Users can pull down the 'help' menu and click on 'check for updates' to ensure that they're running the latest version.

One lesson learned here is: don't skip deploying a patch just because no exploits are out for it. It will leave you scrambling later.

Adobe's next scheduled Reader and Acrobat update is due April 13.

NYC Resistor: THIS FRIDAY+SATURDAY: RESISTOR @ EYEBEAM

If you’re near Manhattan this weekend, stop in to Eyebeam for their MIXER event Friday and Saturday nights (Mar 13 and 14) from 9PM to 2AM.  NYC Resistor will be one of the presenting artists with our “Color Commentary Teletype” a restored 1930’s era Model 15 serial printer, along with a sentiment analysis chart recorder!  MIXER is a huge party, with music, art, and performances.  It’s going to be awesome!

Check out the details at Eyebeam!  Now!


MIXER:Olympiad

NYC Resistor: March Madness 10 – Circles

Just a quickie today, circle patterns done in canvas. Source after the break as usual.

JPLT.Class.create("JPLT.Circles", JPLT.Object,
	// Constructor: an 800x600 canvas with four sets of concentric rings bouncing around it.
	function() {
		this.width = 800;
		this.height = 600;
		// Ring centres may wander an eighth of the canvas past each edge before bouncing back.
		this.minWidth = -this.width/8;
		this.maxWidth = this.width+this.width/8;
		this.minHeight = -this.height/8;
		this.maxHeight = this.height+this.height/8;
		// Milliseconds between frames. The original never set this, so setInterval
		// ran with an undefined delay; 30ms is an assumed value giving ~33 fps.
		this.delay = 30;

		this.direction = [ {x:5, y:5}, {x:-5, y:5}, {x:5, y:-5}, {x:-5, y:-5} ];
		this.position = [
			{x:Math.random()*this.width, y:Math.random()*this.height},
			{x:Math.random()*this.width, y:Math.random()*this.height},
			{x:Math.random()*this.width, y:Math.random()*this.height},
			{x:Math.random()*this.width, y:Math.random()*this.height}
		];

		this.createElement();
		this.run();
	},

	{
		createElement: function() {
			var body = document.documentElement || document.body;

			var element = document.createElement("canvas");
			element.width = this.width;
			element.height = this.height;
			// Centre the canvas in the viewport. CSS lengths need a unit,
			// otherwise the browser silently ignores the assignment.
			element.style.position = "absolute";
			element.style.top = (window.innerHeight/2 - this.height/2) + "px";
			element.style.left = (window.innerWidth/2 - this.width/2) + "px";
			body.appendChild(element);
			this.element = element;
		},

		context: function() {
			return this.element.getContext("2d");
		},

		// Start the frame timer once; delegate() is the JPLT helper that binds `this` for the callback.
		run: function() {
			if (!this.timer) {
				this.timer = window.setInterval(this.delegate(this.paint), this.delay);
			}
		},

		stop: function() {
			window.clearInterval(this.timer);
			this.timer = null;
		},

		clear: function() {
			var ctx = this.context();
			ctx.clearRect(0,0,this.width,this.height);
		},

		// One frame: move each centre, reflect its direction at the bounds, draw rings around it.
		paint: function() {
			try {
				this.clear();
				var ctx = this.context();

				for (var i=0; i<4; i++) {
					var pos = this.position[i];
					var dir = this.direction[i];

					pos.x += dir.x;
					if (pos.x > this.maxWidth || pos.x < this.minWidth) {
						dir.x = -dir.x;
					}

					pos.y += dir.y;
					if (pos.y > this.maxHeight || pos.y < this.minHeight) {
						dir.y = -dir.y;
					}

					ctx.save();
					ctx.strokeStyle = "rgba(0,0,0,0.3)";
					ctx.lineWidth = 25;
					ctx.translate(pos.x, pos.y);

					// Concentric rings 50px apart, out to the canvas width.
					for (var r=5; r<this.width; r+=50) {
						ctx.beginPath();
						ctx.arc(0,0,r,0,Math.PI*2,true);
						ctx.stroke();
					}

					ctx.restore();
				}
			}
			catch (e) {
				// Stop the timer so a drawing error is not re-thrown every frame, then surface it.
				this.stop();
				throw(e);
			}
		}
	}
);

CIO News Alerts: IE Zero-Day Exploit Code Goes Public

An Israeli researcher has published exploit code for an Internet Explorer zero-day vulnerability that Microsoft had just disclosed on Tuesday.

CIO News Alerts: Poor Bill Gates: Mexican Telecom Tycoon Grabs Richest Man Title

Microsoft co-founder Bill Gates is no longer the world's richest man according to the annual Forbes magazine list released Tuesday, but it's not like he's going to have to go crawling back for his old job either.

ItoolBox Networking and Infrastructure: Goodbye Amsterdam, you put on a great event

I have just finished up a terrific week in Amsterdam. It was a little cold by Houston standards and a little damp, but the mainframe event I attended, put on by IBM Holland, was terrific. From all of the customers I had the chance to talk with, I was not alone in my opinion of how successful an event this was.

Roger's Information Security Blog: Zscaler protects against IE Zero Day

On Tuesday, as seems to be the custom, Microsoft released patches and announced a new zero day in Internet Explorer. MSKB 981374 is a remote code execution in IE6 and IE7. Who knew that being on IE5 could ever be a good thing.

The KB says Microsoft released details to vendors in their Microsoft Active Protections Program (MAPP) and Microsoft Security Response Alliance (MSRA) programs in order to provide protection to customers.

Within one hour Zscaler had protection in place for its customers. Zscaler offers web security in a SaaS model. I would see them competing with Scansafe, Purewire and MessageLabs as well as any company trying to get you to put security appliances on your network for web security (Bluecoat). Strangely, I didn't get email from any of those vendors bragging they are protecting their customers against this zero day. If they were protecting their customers, would there be any reason not to use it for PR? It's not like they are making an Oracle Unbreakable (or was that Apple Unbreakable) claim.

Internet Security and Programming: Bogus Playstation emulators pack Trojan payload


VRT Sourcefire: Rule release for today - March 10th, 2010

Microsoft Internet Explorer (2010-0806): Microsoft Internet Explorer contains a programming error that may allow a remote attacker to execute code on an affected system. Check it here. Oh, and the rule is a shared object rule, so the changelog won't actually show it. If you use PulledPork for your rule updates, though, you should see it in the changes when you update.

LiquidMatrix: Social Media Fail Of The Day

Sometimes you find yet another reason why people should be made to pass an intelligence test before they’re permitted to engage in social media.

Just saying.

(Thanks to attrition.org for pointing that one out)


LiquidMatrix: Pennsylvania CISO Dismissed From Post

How stupid is this? Last week Robert Maley was the CISO for the Commonwealth of Pennsylvania giving a presentation at the RSA conference. He was speaking about a hacking incident at PennDOT from last year.

This week? He’s on the pavement. It would appear that someone in PA overreacted.

From Patriot News/Penn Live:

Danielle Klinger, a spokeswoman for the state Department of Transportation, said the agency is not aware of any hacking or breach that occurred involving scheduling system for its driving test. However, she said that a few weeks ago, “we did discover an anomaly and we have actually turned that over to [the state police] for further investigation. We’re not sure what that anomaly is, but it is being investigated. Unfortunately, I can’t provide any more details on it.”

Maybe Maley didn’t have leave to speak publicly about this incident in question. Which is something that PennDOT appears to have developed an Ostrich complex over. Some myopic nitwit thought it merited removing Maley from his post? They claim however that his talk had nothing to do with his dismissal. I’m not sure I believe that. Timing seems rather odd.

So, what of the alleged hacking incident?

Maley is reported to have said the hacker was later found to be someone with a driving school in Philadelphia who exploited a vulnerability in PennDOT’s system to schedule more driving tests than there were allotted slots.

This situation seems muddy at best. For more on this story read the article at Penn Live from this morning.


(Image used under CC from Olivander)


Kaspersky Lab Weblog: When too much is not enough too much.

News has spread pretty quickly about the latest IE 0-day exploit (http://www.microsoft.com/technet/security/advisory/981374.mspx). Unfortunately, in trying to publicize the quality of his employer’s product in relation to this new exploit, according to Ryan Naraine (http:...

NYC Resistor: Reminder: Bioengineering Oracle at NYCR this Saturday

Robert Carlson bridges both the NYC Resistor and DIYBio worlds – he’s an electrical engineer who turns E. coli into circuits! He famously discovered the Carlson curves, the biotech equivalent of Moore’s Law. They show that biotech is advancing at a pace consistent with digital tech.

Come join us at the NEW NYC Resistor space for an afternoon talk by Rob and discussion afterwards.

DATE: Saturday, March 13
TIME: 2:00pm – 4:00pm
LOCATION: NYCR

Here’s a video of Robert from the Economist that appeared on the DIYBio blog recently: http://diybio.org/2010/01/01/rob-carlson-discusses-diybio-and-open-source-biology-on-the-economist. And an excerpt from his Wired article where he wrote about the emergence of DIYBiology in 2005:

The era of garage biology is upon us. Want to participate? Take a moment to buy yourself a molecular biology lab on eBay. A mere $1,000 will get you a set of precision pipettors for handling liquids and an electrophoresis rig for analyzing DNA. Side trips to sites like BestUse and LabX (two of my favorites) may be required to round out your purchases with graduated cylinders or a PCR thermocycler for amplifying DNA. If you can’t afford a particular gizmo, just wait six months – the supply of used laboratory gear only gets better with time. Links to sought-after reagents and protocols can be found at DNAHack. And, of course, Google is no end of help.

Still, don’t expect to cure cancer right away, surprise your loved ones with a stylish new feather goatee, or crank out a devilish frankenbug. (Instant bioterrorism is likely beyond your reach, too.) The goodies you buy online require practice to use properly. The necessary skills may be acquired through trial and error, studying online curricula, or taking a lab course at a community college. Although there are cookbook recipes for procedures to purify DNA or insert it into a bacterium, bench biology is not easy; the many molecular manipulations required to play with genes demand real skills.

http://www.wired.com/wired/archive/13.05/view.html?pg=2

Hack in the box: 8 weird but cool Android apps

So you told your boss that you bought your Android smartphone so that you could track your business calls, be more effective when traveling for your company, have easy access to Gmail and keep your organization's Twitter feed current. But we know what's really going on -- you got that smartphone because it was cool and because you wanted to play with all the apps. (And possibly because it wasn't Apple or AT&T.) Just for the heck of it, I've gathered eight free apps that are just plain fun to use. A couple of them are also actually useful; another two are sort of useful (if you stretch the point a bit); the last four are just there to play with.

Hack in the box: Schneier: Fight for privacy or kiss it good-bye

If the public wants online privacy it had better fight now for laws to protect it because businesses won't and individuals don't have the clout, security expert Bruce Schneier told RSA Conference. The longer information-privacy policies go unset, the more likely it is that they never will be set, says Schneier, an author of books about security and CTO of security consultant BT Counterpane. As young people grow up with broad swaths of information about them in the public domain, they will lose any sense of privacy that older generations have. And they will have no appreciation that lack of privacy shifts power over their lives from themselves to businesses or governments that do control their information. Laws protecting digital data that is routinely gathered about people are needed, he says. "The only lever that works is the legal lever," he says. "How can we expect the younger generation to do this when they don't even know the problem?"

Hack in the box: Soft skills lacking in candidate-rich market

Recruitment firm Kelly Services says demand for skilled and experienced IT professionals continues, despite recent economic conditions. Late last year, Kelly Services conducted a workplace survey in 12 countries, including New Zealand, polling senior IT decision makers across many industries. In the New Zealand survey, approximately 71 percent of respondents reported an increase or no change in demand for IT staff. This was little different from Kelly Services' previous survey, carried out in July 2008, when 80 percent of respondents described the effects of the then-IT skills shortage as moderate to severe.

Hack in the box: Zeus Botnet Dealt a Blow as ISP Troyak Knocked out

Internet service providers linked to the notorious Zeus botnet have been taken down, knocking out a third of the command-and-control servers that run the network of hacked machines. Two ISPs, named Troyak and Group 3, were home to 90 of the 249 known Zeus command-and-control servers. Zeus Tracker, a Web site that tracks the botnet, noticed the steep drop in servers on Wednesday morning. The Troyak network was itself an upstream provider to six networks known to host a large number of cybercrime servers, including Web sites used in drive-by attacks and phishing sites, according to Kevin Stevens, a researcher with SecureWorks. "There's lots of Zeus and Fragus exploit kit [sites]," he said. Whoever was behind the takedown "just decided to knock out a large area of cybercrime, and this was probably one of the easiest ways to do it."

Hack in the box: Twitter Becomes More Proactive About Phishing

Twitter is finally being proactive about the large number of phishing scams that have plagued the micro-blogging service in the past year. On Wednesday, Twitter introduced its own anti-phishing service designed to protect its users from these types of attacks. The new security measures will focus on Twitter direct messages (DMs) -- private tweets addressed to a specific user -- and corresponding e-mail notifications. Twitter believes DMs are the primary source of Twitter-based phishing attacks, and has not yet announced any plans to extend the new service to regular Twitter messages. DMs will now be routed through Twitter's anti-phishing service to "detect, intercept, and prevent the spread of bad links," Del Harvey, director of Twitter's trust and safety team, wrote in a recent blog post. After Twitter has approved a link, it will be delivered to users via a new 'twit.tl' URL instead of bit.ly, tinyURL or other link-shortening services. Twitter also claims that if a bad link gets through to a user via e-mail, the company would still "be able to keep that user safe."

Hack in the box: Google Street View to cover 96 per cent of UK roads from tomorrow

Google will make a further 210,000 miles of UK roads available for your perusal on Street View this Thursday, adding to the 28,000 miles that are currently shown. That means you'll be able to see about 96 per cent of this leafy land's approximately 246,985 miles of thoroughfares. Twenty-four perfectly respectable UK settlements, as well as Sc**thorpe, enjoyed the Street View treatment when it launched in Blighty in March last year. Now you'll be able to virtually visit cities and hamlets -- at least the ones where the Google Street View car hasn't been forced to beat a speedy retreat by a pitchfork-wielding posse -- from Cornwall to the Shetlands.

Hack in the box: EFF knocks Apple's 'secret' restrictive developer agreement

The first rule of Apple's App Club is: You do not talk about App Club. Any developer who writes an app for the App Store is forbidden from making any public statements about the iPhone Developer Program Licensing Agreement. Second rule of App Club is: Said developers also can't sell their apps to other app stores, even if that app is eventually rejected by Apple. Third rule of App Club: You can't reverse engineer anything having to do with the App Store software development kit (SDK) or the iPhone OS. Fourth rule: Apple retains the right to remove your app from the App Store at any time, for any reason. (Hello, Hottest Girls app; goodbye, Hottest Girls app.) Fifth rule: If you're sued because of your app, or if Apple screws up the app to the point where you lose money and/or customers, Steve Jobs' company is liable for only a whopping US$50 in damages -- an Apple self-insurance deductible, as it were.

Hack in the box: Douglas Duchak charged over bid to damage US security database

A Colorado man has been charged with trying to sabotage a U.S. security database that holds sensitive information used for screening air travelers, the Justice Department said on Wednesday. Douglas Duchak, 46, had worked at a Transportation Security Administration operations center for five years, updating its computers with data from the Terrorist Screening Database and the U.S. Marshal's Service Warrant Information Network. The TSA is primarily responsible for screening passengers at U.S. airports and uses information from intelligence and law enforcement agencies to prevent people who pose a threat from boarding commercial flights. The agency has come under new pressure to ramp up security in the wake of a failed plot in late December to blow up a U.S. commercial jetliner.

Hack in the box: No-Fly List Includes the Dead

You may be dying, figuratively, to get off the government’s no-fly list, but death won’t guarantee removal. The government’s no-fly list includes the names of dead suspects to help catch people who may try to assume the suspect’s identity, according to government officials who spoke with The Associated Press. The no-fly list has been shrouded in mystery since it was first developed after the 9/11 attacks. How people get on the list or get off it has been a closely guarded secret, with only bits of information made public during congressional hearings. The AP has pieced together the broad steps it takes for someone to get on the list, and some of the changes the list has undergone since it was created nine years ago.

Hack in the box: New Gestures coming to iPhone/iPad: Triple tap and long press

On the surface, the latest iPhone 3.2 Beta 4 SDK didn't have much new information. Diving a little deeper however, we find some very exciting news. In the gestures folder, you'll see two new types of commands (3Tap.plist and LongPress.plist) that are certainly not implemented in the current 3.1 iPhone SDK. Apple is likely allowing developers to use these capabilities in the next versions of the OS. We might even see these in the shipping version of the iPad.

Hack in the box: No Trace: How to Completely Erase Your Hard Drives, SSDs and USB Drives

With stories abounding of identity theft aided by information lifted from discarded storage devices, you want devices you no longer plan to use to have no usable information when they head out the door. Here's how to wipe them clean. Sure, you could erase the contents of the drive, but keep this in mind: the act of erasing a file does not remove it from a storage device. When you erase/delete a file from your computer, it's not really gone until the areas of the disk it used are overwritten by new information. If you use the normal Windows delete function, the "deleted" file is sent to the Recycle Bin until the space it uses is required by other files. If you use Shift-Delete to bypass the Recycle Bin, the space occupied by the file is marked as available for other files. However, the file could be recovered days or even weeks later with third-party data recovery software. As long as the operating system does not reuse the space occupied by a file with another file, the "deleted" file can be recovered.

Hack in the box: How deep can Intel get inside the smart grid?

I think a lot about which companies that I’ve been covering for zillions of years will be around 10 years from now, as the Internet moves into its next phase of innovation around things like machine to machine communications, which is sort of personified in the smart grid. If you think Microsoft and IBM and Hewlett-Packard are invincible, pause a moment to memorialize Digital Equipment Corp. Clearly, many of the legacy IT companies — IBM, Microsoft, SAP, Oracle, to name a few — are all over the whole intelligent utility market like a bad suit. But what about that other kingpin of the personal computing movement, Intel, the company of the famous “Inside” motto. Clearly, the company hopes to be deep inside the smart grid.

Hack in the box: ARM Expects 50 Tablet Devices to Hit the Market This Year

ARM, a leading developer of microprocessor technologies for portable and consumer electronics, said at a press conference on Wednesday that around 50 tablet PC devices akin to the Apple iPad will be released worldwide this year. While analysts agree that many slate-type PCs may be launched, by no means all will become successful. "The first tablet devices will launch in the second quarter by [mobile network] carriers. You will see a lot more in the third quarter," said Roy Chen, ARM's worldwide mobile computing ODM manager, during a press meeting in Taipei, reports IDG News Services. There are so many tablet PCs incoming that ARM even had to book additional space at the Computex Taipei trade show to demonstrate all the products, many of which will be launched by small companies that can hardly advertise their devices efficiently and do not have an established brand among consumers.

Digg.com SecurityGovernment No-Fly List Includes the Dead

You may be dying, figuratively, to get off the government's no-fly list, but death won't guarantee removal. The government's no-fly list includes the names of dead suspects, according to government officials who spoke with the Associated Press, to help catch people who may try to assume the suspect’s identity...

Hack in the boxSun’s open source chief leaves after Oracle merger

Sun's chief open source officer, Simon Phipps, has left the company following its acquisition by Oracle, the executive announced in his blog Tuesday. "Today is my last day of employment at Sun (well, it became Oracle on March 1st in the UK but you know what I mean)," Phipps wrote. "I am a few months short of my 10th anniversary there (I joined at JavaOne in 2000) and my 5th anniversary as Chief Open Source Officer." With the acquisition of Sun, Oracle is poised to become what some analysts think is the industry's most powerful open source vendor. But it will chart a new path in open source without Phipps. Phipps looks back fondly at successes at Sun, but admits some regrets for goals left unaccomplished. Phipps wrote that he and his colleagues "achieved some amazing things" such as changing Sun's attitude toward open source, kick-starting the "corporate blogging revolution" with Blogs.Sun.com, and releasing software such as Java under free licenses.

Hack in the boxTurkish police detain 23 PKK hackers in 13 provinces

Police have detained 23 suspects in operations in 13 provinces, charging them with membership in a terror organization and attacking public institutions’ Web sites, the daily Radikal reported Wednesday. The suspects, allegedly members of the outlawed Kurdistan Workers’ Party, or PKK, were taken to Diyarbakır for questioning. The investigation of this case was still continuing when the Daily News went to print. A hacker team for the outlawed organization was captured previously, but the members reorganized and attacked roughly 300 Web sites belonging to public institutions.

Hack in the boxReader exploit prompts Adobe update alert

Users of Adobe Reader should check that they are running the latest version of the software after the discovery of an exploit that takes advantage of a serious flaw patched only three weeks ago. According to Microsoft's Threat Research and Response blog, its researchers have discovered a circulating PDF-based attack that hooks into the publicised flaw, CVE-2010-0188, to download a Trojan backdoor capable of taking control of the affected system. The warning relates mainly to Adobe Acrobat and Reader up to 9.3.0 for Windows, Mac and Unix. The older 8.x line of Acrobat and Reader, 8.2.0 (used by anyone unable to update to 9.3.x), is also affected on Windows and Mac and should be patched to 8.2.1.
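"Check you are running the latest version" is easy to get wrong when two supported branches are patched at different numbers, so here is an added example (not from the article or from Adobe) of the comparison an inventory script would make. It assumes the fixed builds the article implies, 9.3.1 for the 9.x line and 8.2.1 for the 8.x line, pads short version strings such as "9.3" to three components, and treats anything older than 8.x as unpatchable. How you collect the installed version strings (registry, package manager, file properties) is up to you; the sample list in the demo is constructed.

```python
# Fixed builds for CVE-2010-0188 as the article gives them (assumed here):
# the 9.x line is fixed from 9.3.1 and the 8.x line from 8.2.1.
FIXED_IN = {9: (9, 3, 1), 8: (8, 2, 1)}


def parse_version(text):
    """Turn '9.3' or '9.3.0' into a three-part tuple so tuples compare sanely."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError("unexpected version string: %r" % text)
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable(text):
    """True if this Acrobat/Reader version still carries the CVE-2010-0188 flaw."""
    version = parse_version(text)
    major = version[0]
    if major in FIXED_IN:
        return version < FIXED_IN[major]
    if major > max(FIXED_IN):
        return False  # a newer major branch than those named; assume it shipped fixed
    return True  # 7.x and earlier: out of support, no fixed build exists


def triage(versions):
    """Map each observed version string to the action an administrator should take."""
    report = {}
    for text in versions:
        if not is_vulnerable(text):
            report[text] = "ok"
            continue
        target = FIXED_IN.get(parse_version(text)[0])
        if target:
            report[text] = "update to %s" % ".".join(str(n) for n in target)
        else:
            report[text] = "upgrade to 9.3.1 or later"
    return report


if __name__ == "__main__":
    # Constructed inventory: what a fleet scan might return.
    observed = ["9.3.0", "9.3.1", "8.2.0", "8.2.1", "9.3", "7.1.4"]
    for version, action in triage(observed).items():
        print("%-8s %s" % (version, action))
```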

Hack in the boxAndroid native development kit updated

Developers of the Google-backed Android mobile application platform have released revision 3 of Android NDK (Native Development Kit), which complements Android SDK by enabling developers to build performance-critical portions of an application in native code. Release of NDK r3 was noted in a posting on the Android Developer Blog on Monday. Version 3 includes OpenGL ES (Open Graphics Library for Embedded Systems) 2.0 native library support. Also featured is a sample application making use of OpenGL ES 2.0 vertex and fragment shaders. "[OpenGL ES 2.0] brings the ability to control graphics rendering through vertex and fragment shader programs using the GLSL shading language," said David Turner, a member of the Google technical staff, in the Android Developer Blog.

CNET News.com - SecurityLimeWire enlists AVG for user protection

Notorious as a malware ghetto, LimeWire takes its first steps to integrate authoritative threat protection by signing on AVG to provide premium users with download scanning and blocking.

Hack in the boxFour over-rated security technologies

The security community has grown to depend on some basic technologies in the fight against cyber thieves, such as antivirus software and firewalls. But are practitioners clinging to tools that outlived their usefulness long ago? Were those tools ever really useful to begin with? CSOonline.com recently conducted an unscientific survey on the matter, asking those questions to a variety of security forums on LinkedIn and following it up with e-mails and phone conversations. What follows are four technologies several cited as overrated in today's security fight. We'll follow up next week with security technologies many believe are underrated. It's safe to predict that some of the technologies on this list will also appear there.

Hack in the boxThe top 10 geek anthems of all time

Geeks rock. When Buddy Holly jerked onstage as a bespectacled counterpoint to the pelvis-swiveling cool of Elvis, it carved out a spot in rock and pop music for the kids more inclined to admire Stephen Hawking than Steven Tyler or Bill Gates than Billy Idol. The South by Southwest Interactive conference kicks off Friday in Austin, Texas, offering up as pure a convergence of geek and rock sensibilities as you're apt to find. Started in 1987 to showcase Austin's burgeoning alt-rock scene, South by Southwest added interactive and film gatherings in 1994.

Hack in the boxLED lights may be the future of broadband

German scientists say they've created a data connection that uses light produced by lamps to encode a wireless broadband signal. The researchers, led by Jelena Vucic of the Fraunhofer Institute for Telecommunications at the Heinrich-Hertz-Institute in Berlin, say getting a broadband connection might be as simple as turning on a lamp. Currently, most wireless connections are achieved through a radio-frequency WiFi connection. But the scientists say WiFi has limited bandwidth, and it's unclear where to find more in the already-crowded radio spectrum. By contrast, they say visible-frequency wireless has all the bandwidth one could want.

Light Blue TouchpaperA wrecking amendment?

For the past few months the Digital Economy Bill (DEB) has been quietly making its way through the House of Lords. As is the way of these things, large numbers of amendments have been proposed, their lordships have had a series of mini-debates on each set of issues, and the Government have been busily amending the Bill in an attempt to fix all the things that they didn’t think through properly.

The main thrust of the DEB’s approach to dealing with unlawful file sharing of copyright material has been a “three strikes” policy. That is, should you be detected to be sharing some popular beat combo’s music without permission, then on the first two occasions you’d receive an admonishing letter, and on the third time then you would be subject to “technical measures” (ie: very slow Internet speeds) or disconnection, the latter doubtless annoying the rest of your family as they would be unable to visit DirectGov / keep up their social life / catch-up TV shows / do their homework / avoid being sacked from their work-from-home job!

However, the Government are concerned that this won’t be enough, and that unlawful sharing of copyright material might occur in new ways in future. So in clause 17 of the DEB they set out a scheme for amendment (in ways that would be decided as future circumstances required) of the Copyright, Designs and Patents Act 1988 through secondary legislation.

It is unusual to grant such open ended powers to amend primary legislation, because Parliament would be presented with an unamendable statutory instrument and invited to vote for it — no such SI has been defeated in the House of Lords since 2000, and the time before that was in 1968.

There was an outcry over the breadth of clause 17, and so the Government set out amendments to restrict it — but last week peers voted for an opposition amendment (120A) to have an alternative arrangement altogether, a regime of High Court injunctions that would force ISPs to block websites.

This is such a dumb (and dangerous) idea that it has all the characteristics of a wrecking amendment, added to the Bill just to eat up parliamentary time so that the whole Bill will fall at the dissolution for the upcoming election.

There are so many problems with the new clause that it’s hard to know where to begin.

For an analysis of how the costs regime makes it very likely that ISPs will just block, rather than risking the cost of a court action see this article by Francis Davey (a working barrister).

The next problem is that most ISP blocking is trivial to evade. Although Ofcom reports that 98.6% of UK consumer broadband lines are supplied by ISPs who use the Internet Watch Foundation (IWF) list to block child sexual abuse images, in practice all of the systems are trivial to evade by using https links, by using proxies, or in most cases by running your own DNS server or just hard-coding IP addresses into your HOSTS file.

It suits everyone (IWF, ISPs, Government) to pretend that the IWF list blocking schemes work, but when ISPs are faced with the prospect of being found in contempt of court, they will have to implement something which is actually effective — which can in practice only mean “blackholing” IP addresses so that no traffic can be exchanged.

That will mean that everything else at that address will be blocked as well — so all of t35.com, smtp.ru or blogger.com would disappear if a foreign company’s view of what was a copyright infringement in their jurisdiction was to differ from that of the UK High Court (for example, Disney’s Snow White is out of copyright in Japan — the term is 75 years from 1937 date of release — but not in the UK — where the term is Walt Disney’s 1967 death + 70 years).

IP address blocking is also relatively simple to evade (as has already been discovered by the citizens of China, Iran and elsewhere), by means of proxies, by IP address agility by the websites, or by means of general purpose anonymity systems such as Tor. When the content industries find that the sites aren’t actually blocked, how realistic (or how draconian) will the High Court be?
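The three preceding paragraphs make a chain of claims about ISP blocking: DNS-based filtering is bypassed by a HOSTS entry or your own resolver, the only block an ISP can truthfully call effective is null-routing the address, null-routing takes down every site that shares that address, and even that is sidestepped by a proxy or Tor because the ISP only ever sees the packet's destination. This added example (not from the Light Blue Touchpaper post) models each of those steps over a constructed zone: a shared-hosting address in the RFC 5737 documentation range serving three unrelated sites, plus one site on its own address. Host names and addresses are invented for the demonstration.

```python
from collections import namedtuple

Outcome = namedtuple("Outcome", "reachable reason")

# Constructed data: one shared-hosting address serving several unrelated
# sites, the way t35.com or blogger.com host many customers on few addresses.
DNS = {
    "infringing.example":    "203.0.113.10",
    "innocent-blog.example": "203.0.113.10",
    "shop.example":          "203.0.113.10",
    "other.example":         "198.51.100.7",
}


def via_dns_filter(hostname, blocked_names, hosts_file=None):
    """ISP DNS filtering: the ISP's resolver refuses to answer for listed names.

    A client-side HOSTS entry is consulted before any resolver, so the filter
    never sees the query. Running your own resolver has the same effect.
    """
    hosts_file = hosts_file or {}
    if hostname in hosts_file:
        return Outcome(True, "answered from local HOSTS file; ISP filter never consulted")
    if hostname in blocked_names:
        return Outcome(False, "ISP resolver refused the name")
    return Outcome(True, "resolved by ISP resolver to %s" % DNS[hostname])


def via_ip_blackhole(hostname, blocked_ips, proxy_ip=None):
    """Null-routing: the ISP drops every packet addressed to a listed address.

    The ISP sees only the destination of each packet. With a proxy (or Tor)
    that destination is the proxy, which is not on the list.
    """
    destination = proxy_ip or DNS[hostname]
    if destination in blocked_ips:
        return Outcome(False, "packets to %s are null-routed" % destination)
    if proxy_ip:
        return Outcome(True, "reached via proxy %s; the real address never appears on the wire" % proxy_ip)
    return Outcome(True, "direct connection to %s" % destination)


def collateral_damage(target, blocked_ips):
    """Every other name that goes dark once the target's address is blackholed."""
    return sorted(name for name, ip in DNS.items()
                  if ip in blocked_ips and name != target)


if __name__ == "__main__":
    target = "infringing.example"
    print(via_dns_filter(target, {target}))
    print(via_dns_filter(target, {target}, hosts_file={target: DNS[target]}))
    blackhole = {DNS[target]}
    print(via_ip_blackhole(target, blackhole))
    print("also blocked:", collateral_damage(target, blackhole))
    print(via_ip_blackhole(target, blackhole, proxy_ip="192.0.2.50"))
```

The model is deliberately simple: it does not cover HTTPS (which defeats URL-level filters such as the IWF scheme for a different reason, the ISP cannot see the path) or address agility on the site's side, but it makes the asymmetry visible: each block in the chain costs the ISP or the court something, and each costs the evader one line of configuration.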

Interestingly, the security services (MI5/MI6) share this concern. If evading blocking systems becomes a mainstream activity (and there’s said to be 6-7 million illegal file sharers in the UK) then it will be used, almost automatically, by subversive groups — preventing the spooks from examining the traffic patterns and comprehending the threat. The amendment says that the court must consider “any issues of national security raised by the Secretary of State”, but it’s unclear how they’ll do that even if Lord Mandelson is prepared to wander down to Strand and say that he’s worried that snooping won’t be so effective in the future.

The final problem is that their Lordships clearly envisaged these injunctions being taken out by major film studios against the latest incarnation of The Pirate Bay or some equally high profile den of wickedness. But what if it turns out that they’re used:

  • to block US University websites — It’s common to find otherwise hard to view academic papers on such sites, usually through allowing non-local access to material which is being provided to students under “fair use” provisions;
  • to block YouTube — which contains thousands of copyright infringing items; there’s not even any need for a High Court litigant to be the copyright owner, so one aggrieved party could point at all the other infringements to show how substantial the problem is;
  • to block access to embarrassing leaked documents on Wikileaks or (as Microsoft briefly managed recently under US DMCA provisions), on Cryptome;
  • to block access to the next disclosure of unjustifiable Parliamentary expense claims!

The Earl of Erroll who, although a hereditary peer, is one of the few members of the Upper House with substantial “clue” on Internet matters spoke out clearly against the amendment and in favour of just deleting clause 17. Perhaps in Third Reading, next Monday, the House will listen more carefully to what he has to say — sending this Bill to the Commons in its current form makes a mockery of the Lords’ claim to intelligently revise flawed legislation …

… for the real risk is that the Bill could subsequently go through all substantive Commons stages “on the nod” in a few frantic minutes after the election is called, with the Government accepting all the Lords amendments to avoid a time-consuming game of Parliamentary ping-pong. Wrecking the bill is one thing, wrecking the Internet in the UK is quite another!

Hack in the boxOur Apps Are Vulnerable -- And Constantly Attacked

If you worry that your organization's applications are vulnerable to attack, then you're not alone, according to study results released yesterday. In a survey at the RSA Conference 2010 in San Francisco last week, researchers from security vendor Fortify found that most security pros are stressed about potential attacks on their apps: 73 percent of respondents thought the applications in their companies had vulnerabilities that hackers could exploit, and most agreed it would be "ignorant" to say they didn't. Twenty-six percent said they either did not know the answer or did not want to disclose the information.