"Space-oriented Web site SpaceRef.com has reported that a 
    laptop aboard the International Space Station has become 
    infected with a Level 0 virus, and on Tuesday the National 
    Aeronautics and Space Administration (NASA) confirmed that 
    a virus was carried aboard last month."

When it comes to virus levels, I doubt we can go any lower than zero, but I wonder what the maximum virus level is?

SpaceRef.com::NASA Discovers Computer Virus Aboard the International Space Station

Back in August of 2005, the NSF awarded $7.5 million to ACCURATE. ACCURATE is A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections.

Given who the principal investigators are for ACCURATE, especially with the inclusion of Peter Neumann and Avi Rubin, e-voting systems might someday become a reality.

GoogleBlog.Blogspot.com::Does your password pass the test?

Back in the 20th century, I wrote ThurmSpeaks::About Passwords

   "San Francisco's computer system has denied access to 
    IT administrators. Authorities said a disgruntled employee 
    programmed the system with a password only he knows."

NewsFactor.com reported that "Cisco has been consulted, and estimates are that in the worst case, the network could be rebuilt from scratch in six to eight weeks." Yuck!

NewsFactor.com::Admins Locked Out of San Francisco's I.T. System

[Extra] From last century... GDT::Speaks::About System Administrators (SysAdmins)

It appears as though Dan Kaminsky, director of penetration testing at IOActive, deserves a huge Thank You from all us Internet users.

NetworkWorld.com::Major DNS flaw could disrupt the Internet

   "Defendants encourage individuals to upload videos to the YouTube 
    site, where YouTube makes them available for immediate viewing by 
    members of the public free of charge.  Although YouTube touts
    itself as a service for sharing home videos, the well-known 
    reality of YouTube's business is far different.   YouTube has 
    filled its library with entire episodes and movies and significant
    segments of popular copyrighted programming from Plaintiffs and 
    other copyright owners, that neither YouTube nor the users who 
    submit the works are licensed to use in this manner.  Because 
    YouTube users contribute pirated copyrighted works to YouTube 
    by the thousands, including those owned by Plaintiffs, the videos
    'deliver[ed]' by YouTube include a vast unauthorized collection of     
    Plaintiffs' copyrighted audiovisual works. YouTube's use of this 
    content directly competes with uses that Plaintiffs have authorized    
    and for which Plaintiffs receive valuable compensation."

The EFF reported that the "court ordered production of not just IP addresses, but also all the associated information in the Logging database."

The EFF said the Logging database contains:

   "for each instance a video is watched, the unique 'login ID'
    of the user who watched it, the time when the user started 
    to watch the video, the internet protocol address other devices 
    connected to the internet use to identify the user's computer 
    (IP address), and the identifier for the video."

At least one person has suggest Google should provide the information in paper form.

Luckily for Google, they do not have to supply the code with the data.

EFF.org::Court Ruling Will Expose Viewing Habits of YouTube Users

I had not heard of identification systems that can "recognize" tattoos, but I can see them being effective.

   "Called 'Tattoo-ID,' the system Jain has been working on is a 
    software program, which includes an annotated database containing 
    images of scars, marks and tattoos, provided by law enforcement 
    agencies. Each tattoo image in the database is linked to the 
    criminal history records of all the suspects and convicts who 
    have a tattoo."

MedicalNewsToday.com::Taking Biometric Recognition To The Next Step By Adding Scar, Mark And Tattoo Recognition Capability

I've known about "kill switches."

   "OnStar will soon include the ability for the police to shut 
    off your engine remotely. Buses are getting the same capability, 
    in case terrorists want to re-enact the movie Speed. The Pentagon 
    wants a kill switch installed on airplanes, and is worried about 
    potential enemies installing kill switches on their own equipment.

But I had not heard heard of "Digital Manners Policies."

   "Microsoft is doing some of the most creative thinking along these 
    lines, with something it's calling 'Digital Manners Policies.' 
    According to its patent application, DMP-enabled devices would 
    accept broadcast 'orders' limiting capabilities. Cellphones could 
    be remotely set to vibrate mode in restaurants and concert halls, 
    and be turned off on airplanes and in hospitals. Cameras could be 
    prohibited from taking pictures in locker rooms and museums, and 
    recording equipment could be disabled in theaters. Professors finally 
    could prevent students from texting one another during class."

Students texting during class is not that big of deal... at least they're not sleeping.

Scheneir ends his posting with the following.

   "'Digital Manners Policies' is a marketing term. Let's call this 
    what it really is: Selective Device Jamming. It's not polite, it's 
    dangerous. It won't make anyone more secure -- or more polite."

Wired.com::I've Seen the Future, and It Has a Kill Switch

   "Our View: More safeguards must be in place before 
              moving all our information online"

   "Perhaps it's time we Americans start to talk honestly about 
    the dangers we subject ourselves to by accepting an ever-widening 
    use of our personal information on government and private 
    Internet sites."

Hmmm... this is the middle of 2008. This editorial should have been printed at least a decade ago.

Plus, in addition to being at least a decade behind the times, the East Valley Tribune use the word hacker when they should have used the word cracker.

   "C. Nandini of the Vidya Vikas Institute of Engineering and
    Technology and C.N. Ravi Kumar of the S.J. College of Engineering 
    in Mysore, India, explain that human gait typifies the motion 
    characteristics of an individual. Viewed from the side, we each 
    have a unique gait that makes us easily recognizable."

EurekAlert.org:: Tell me by the way I walk

I don't have any data to say anything about China cracking the computers that belong to the U.S. government, but for some reason I suspect these computers are easily crackable.

From the duh department...

   "We cannot afford to look the other way when foreign sources 
    are threatening to compromise our government institutions, 
    our economy, our very way of life through cyber espionage. 
    We cannot sit by and watch."--Rep. Frank Wolf of Virginia

Note: The state of Virginia is Internet heartland.

NewsFactor.com::China Accused of Hacking Computers on Capitol Hill

   "Chinese hackers pose a clear and present danger to U.S. 
    government and private-sector computer networks and may 
    be responsible for two major U.S. power blackouts."

Cyberwarfare is going to be uglier than ugly.

   "Cyber-networks are the new frontier of counterintelligence.
    If you can steal information or disrupt an organization by 
    attacking its networks remotely, why go to the trouble of 
    running a spy?" -- Joel Brenner, the government's senior 
                                     counterintelligence official

NationalJournal.com::China's Cyber-Militia

   "It exploits the fact VOIP uses UDP, not TCP; it is designed 
    to tolerate some packets going missing so hijacking a few to 
    transmit a hidden message is not a problem."

Technology.NewScientist.com::Secret messages could be hidden in net phone calls

Talk about the power of The Code...

   "Two changed lines of code have created profound security 
    vulnerabilities in at least four different open-source 
    operating systems, 25 different application programs, 
    and millions of individual computer systems on the Internet."

SSL stands for "Secure Socket Layer" and it is used to encrypt and decrypt information.

   "Modern computer systems employ large numbers to generate 
    the keys that are used to encrypt and decrypt information 
    sent over a network."

Large numbers are critical when it comes to encryption.

   "Instead, it reduces the number of different keys that 
    these Linux computers can generate to 32,767 different 
    keys, depending on the computer's processor architecture, 
    the size of the key, and the key type."

32,767 is not a large number.

TechnologyReview.com::Alarming Open-Source Security Holes

Blogs.ZDNet.com:: With the Quickness: HD Moore sets new land speed record with exploitation of Debian/Ubuntu OpenSSL flaw

   "A spokeswoman for the Phoenix Mars Lander mission says 
    a hacker took over the mission's public Web site during 
    the night and changed its lead news story."

Phoenix.LPL.arizona.edu::Phoenix Mars Mission

   "China's cyber warfare army is marching on, and India is 
    suffering silently. Over the past one and a half years, 
    officials said, China has mounted almost daily attacks 
    on Indian computer networks, both government and private, 
    showing its intent and capability."

Cyberwarfare is beyond ugly.

IndiaTimes.com::China mounts cyber attacks on Indian sites

Good news...

   "A year ago, one out of every 909 e-mails was infected with 
    malicious code. In the first quarter of 2008, only one out 
    of every 2,500 was infected. 

Bad news...

    "Last year, Sophos detected an average of roughly 5,000 infected 
     Web pages a day; this quarter, the average is 15,000 per day. 
     That's one new infected Web page every five seconds."

   "And these are sites you may well visit: 79 percent are legitimate 
    sites, not sites set up specifically to host malicious attacks."

More bad news...

   "The Sophos report also shows that more than 92 percent of all 
    e-mail sent in the first quarter of this year was spam. 

Crackers are criminals.

NewsFactor.com::Study Finds Infected Web Pages on the Rise

   "The three systems we looked at are three of the most widely 
    used around the nation.  They're going to be using them in 
    the 2008 elections; they're still going to have the same 
    vulnerabilities we found."--David Wagner, Computer Science
    professor at UC-Berkeley

PCWorld.com:: U.S. Presidential Election Can Be Hacked Cracked

ClickForensics.com:: Industry Click Fraud Rate Climbs to 16.6 Percent for Fourth Quarter 2007

BlueCross BlueShied's Dental Network unit needs to improve their IT operations.

   "A dental HMO accidentally put the social security numbers 
    of 75,000 members online last month, and the people weren't
    notified until three weeks later, the Baltimore Sun reports.

USA Today reported that the HMO said "the data is now secure and the issues that resulted in the data breach have been corrected." That's nice, but I doubt the 75,000 people who have had their SSNs exposed could care less.

The Security Watchdog hopes "fewer than 2,000 cases of reported fraud" isn't considered "good" news; just one case of fraud is one case too many.

Hannaford's press release indicated that "data was illegally accessed from Hannaford's computer systems during the card-authorization transmission process."

The Security Watchdog found the following quote humorous.

   "What showed up here was a new trend where criminals are going 
    after data in transit, as opposed to data at rest. I think 
    everybody was caught off-guard by that."--Avivah Litan, 
    a security analyst for Gartner, via NewsFactor.com

It is difficult to believe that anybody was "caught off-guard" by the fact that crackers around the world are intercepting data that's being transmitted via the world's networks.

Hannaford.com:: Credit Card Security Press Release

   "Hackers have a lot of fancy names for the technical exploits 
    they use to gain access to a company's networks: cross-site 
    scripting, buffer overflows or the particularly evil-sounding 
    SQL injection, to name a few. But Johnny Long prefers a simpler 
    entry point for data theft: the emergency exit door."

   "By law, employees have to be able to leave a building without 
    showing credentials," Long says. "So the way out is often the 
    easiest way in." 

   "Case in point: Tasked with stealing data from an ultra-secure 
    building outfitted with proximity card readers, Long opted for 
    an old-fashioned approach. Instead of looking for vulnerabilities 
    in the company's networks or trying to hack the card readers at 
    the building's doors, he and another hacker shimmied a wet washcloth 
    on a hanger through a thin gap in one of its exits. Flopping the 
    washcloth around, they triggered a touch-sensitive metal plate 
    that opened the door and gave them free roam of the building. 
    'We defeated millions of dollars of security with a piece of 
    wire and a washcloth,' Long recalls, gleefully."

Physical security remains a huge issue and I don't think it is going away anytime soon.

Forbes.com:: The No-Tech Hacker

   "The infected pages bring up what appears to be a pornographic 
    web site. Upon loading the page, a 'fake codec' social engineering 
    attack is attempted. The user is told that in order to view the 
    movie on the page, a special video codec must be installed."

   "The user then downloads a trojan program which installs a malware 
    package on the users system then delivers a fraudulent error message 
    telling the user that the supposed codec could not be installed."

Crackers are criminals.

ITNews.com.au::Second mass hack exposed

Crackers can use GNU Radio software to crack a "combination pacemaker and defibrillator having wireless capabilities."

InformationWeek.com wrote the following.

   "The researchers say they believe that their attempts to 
    reverse-engineer the communications going to and from the 
    Medtronic implantable cardioverter defibrillator represent 
    the first use of software defined radios in the security 
    community for reverse engineering wireless protocols. The 
    group used the GNU Radio software toolkit to create a radio 
    receiver capable of processing radio waves as defined by software."

InformationWeek.com:: Pacemakers Vulnerable To Hacking

   "Thai students will be barred from wearing watches in national 
    university entrance exams this weekend after a student was 
    caught cheating using a mobile phone wrist watch."

In our March department meeting, one faculty member indicated that instructor copies of textbooks can be obtained on eBay.com for $10.

Our educational systems have not adapted to the Internet world. What a shame.

The crackers are using the "NeoSploit 2" toolkit, which is "designed to exploit and trade FTP account credentials stolen from legitimate companies."

NewsFactors.com headline uses the term "Saas" and SaaS stands for "Software as a Service."

NewsFactor.com:: Hackers Use SaaS To Auction FTP Passwords, Inject Code

Fortune Magazine had an article titled "Who owns your address book?" The answer seems almost as obvious as who owns your door knob, but then again nothing's easy.

Money.CNN.com:: Who owns your address book?

   "Next Generation Identification, will give the government new 
    capabilities to identify people in the United States and abroad."

From $2.7 billion in 2007 to $7.1 billion on 2012?

   BCC Research called The Global Biometrics Market, the 
   global market for biometrics was worth nearly $2 billion 
   in 2006 and is expected to increase to $2.7 billion in 
   2007 and $7.1 billion by 2012, a compound annual growth 
   rate of 21.3 percent over the next five years.

NewsFactor.com:: FBI Unveils $1B Biometrics Initiative

   "A Polish teenager allegedly turned the tram system in 
    the city of Lodz into his own personal train set, triggering 
    chaos and derailing four vehicles in the process. Twelve 
    people were injured in one of the incidents."

   "The 14-year-old modified a TV remote control so that it could 
    be used to change track points, The Telegraph reports. Local 
    police said the youngster trespassed in tram depots to gather 
    information needed to build the device. The teenager told 
    police that he modified track setting for a prank."

TheRegister.co.uk:: http://www.theregister.co.uk/2008/01/11/tram_hack/ Polish teen derails tram after hacking train network

   The United States has little to fear from hackers, but 
   we have lots to be worried about when it comes to crackers.

   Hackers good; crackers criminals. Some crackers are hackers 
   that have gone bad; however, these days it is relatively easy 
   for somebody who is not a hacker to be an effective cracker.

   This posting should have been titled "U.S. tests its 
   cracker defenses." 

   I wanted to extend a Thank You to kgcoleman and 
   rootwebmasteraz for their informative comments.

   Cyberwarefare, if it happens, is not going to be fun. 
   Reboot America could be a movie titled "Reboot America
   --Invasion of the Blue Screens of Death."

[Extra] Quoting Bill Joy: "September 11 was essentially a collision of early 20th-century technology: the aeroplane and the skyscraper. We don't want to see a collision of 21st-century technology."

I suspect Joy was referencing bioterrorism (near term) and nanowarfare (next 2-3 decades), but cyberwarfare has probably already started. Simple attack: crack banking systems and multiple every positive account balance by zero. When the masses don't have any money, then what?

   "No-one should underestimate the significance of 
    financially-motivated malware arriving for Apple 
    Macs at the end of 2007. Although Macs have a long 
    way to go in the popularity stakes before they overtake 
    PCs,particularly in the workplace, their increased 
    attractiveness to consumers has proven irresistible 
    to some criminal cybergangs."--Graham Cluley

Sophos.com:: Sophos Security Threat Report reveals cybercriminals moving beyond Microsoft

The RIAA's press release started with the following paragraph.

   "The Recording Industry Association of America (RIAA), on 
    behalf of the major record companies, this week sent a new 
    wave of 407 pre-litigation settlement letters to 18 universities 
    nationwide as part of an ongoing campaign against online music 
    theft. The letters reflect evidence of significant abuse of 
    campus computer networks for the purpose of copyright infringement."
    [source: RIAA.com on 10 January 2008]

On the local front, Arizona State University received 33 of the RIAA's 407 letters.

RIAA.com:: RIAA Continues College Deterrence Campaign Into 2008

   "I have watched kids testifying before Congress. It is clear 
    that they are completely unaware of the seriousness of their 
    acts. There is obviously a cultural gap. The act of breaking 
    into a computer system has to have the same social stigma as 
    breaking into a neighbor's house. It should not matter that 
    the neighbor's door is unlocked. The press must learn that 
    misguided use of a computer is no more amazing than drunk 
    driving of an automobile."

Anybody who breaks into a computer is a cracker and crackers are criminals. And this is true independent of the cracker's age.

Bell-Labs.com:: Reflections on Trusting Trust by Ken Thompson

Independent.co.uk:: Prisoners 'to be chipped like dogs'

It's more than just clicks. An "event" is generated everytime a computer mouse moves from one pixel to another. In addition, the amount of time a mouse hovers over a pixel can be measured. All this information can be transmitted over the Internet to supercomputers and subjected to 21st century Informatic processing.

With respect to privacy, I wonder if Business Week said anything about RFID?

   "The number of publicly reported data breaches in the U.S. 
    rose by more than 40% in 2007, compared to the previous year, 
    according to statistics compiled by the Identity Theft Resource 
    Center (ITRC), a consumer rights advocacy group."

InformationWeek.com reported that "127 million data records were exposed during 2007."

The Security Watchdog will remain operational during 2008 and it might even make it into 2009.

InformationWeek.com:: Record Number Of Data Breaches Reported In 2007

Security Watchdog Archives: 2007 | 2006 | 2005 | 2004 | 2003 | 2002 | 2001 | 2000