September 23rd, 2005 by dm (Phishing)

A District Court in Wisconsin agreed with ISP Earthlink's claim that a bank whose website was incorrectly flagged as "potentially fraudulent" by Earthlink's toolbar cannot sue the provider, because Earthlink was not the publisher of the information in terms of US law.

"Imposing liability on [Earthlink] for the inaccurate information provided by a third-party content provider would treat [Earthlink] as the publisher," he wrote, pointing out that Earthlink is therefore immune from suit under the relevant section of the Telecommunications Act.

The full ruling here.

[Via News.com]

September 23rd, 2005 by dm (Scams, Identity Theft)

News.com has a guide (more of a short explanation) to the cyber scams most commonly reported to the Internet Fraud Complaint Center (run by the FBI).

[Via CNET News.com, United States]

More and more financial institutions are adopting two-factor authentication. In this case, Bank West has chosen to use an authentication token (a small device, held by the user, that displays a rapidly changing authentication code) together with a password to authenticate its online customers.

The system is designed to provide customers with greater protection than that afforded by using static, reusable passwords. BankWest Business plans to distribute the free tokens to all customers by the end of 2005.

This is good news for the financial (and security) industry. Two-factor authentication is likely to prevent individual account security breaches and to eliminate the threat of phishing: because the authentication code on the security token changes quickly, even if a phisher is able to trick a user into submitting his password and token code, the captured authentication information will be "valid" only for the lifetime of that token code, which usually changes within seconds or a few minutes.

[Via ZDNet.com.au, Australia]
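As an added example (not part of the original post, and not Bank West's own system, whose token design the post does not describe), here is a time-based one-time-code scheme in the style of RFC 6238 with a server-side verifier. It shows the point made above, that a code captured by a phisher is bound to a short time step and is rejected once that step has passed, and it also shows the two things a verifier has to do beyond checking the current step: tolerate a little clock drift, and refuse to accept a step it has already consumed, so the same code cannot be replayed after the user's own login. The secret, step length and timestamps are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real token holds a per-device secret provisioned by the bank.
SECRET = b"constructed-demo-secret-key"
STEP_SECONDS = 30   # assumed validity window of one code (the RFC 6238 default)
DIGITS = 6
T0 = 1_127_433_600  # constructed Unix timestamp used by the demo scenarios


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HMAC-based one-time code: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """What the token displays at Unix time `at_time`: the counter is the current time step."""
    return hotp(secret, at_time // step)


class TotpVerifier:
    """Server side. Accepts the current step plus `skew` neighbouring steps (clock drift),
    compares in constant time, and never accepts a step at or below the last one used,
    so a code the user already submitted cannot be replayed even inside its window."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_counter = -1

    def verify(self, submitted: str, at_time: int) -> bool:
        counter = at_time // self.step
        for candidate in range(counter - self.skew, counter + self.skew + 1):
            if candidate <= self.last_counter:
                continue  # step already consumed: this would be a replay
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_counter = candidate
                return True
        return False


def phished_code_outcome(capture_time: int, replay_time: int) -> tuple:
    """Constructed scenario: the user types a code into a phishing page at `capture_time`
    and also completes a real login with it; the phisher relays the same code at
    `replay_time`. Returns (user_login_ok, phisher_login_ok)."""
    code = totp(SECRET, capture_time)
    server = TotpVerifier(SECRET)
    user_ok = server.verify(code, capture_time)
    phisher_ok = server.verify(code, replay_time)
    return user_ok, phisher_ok


def relay_only(capture_time: int, relay_time: int) -> bool:
    """Constructed scenario: the user's own login never reaches the real site, so the
    server has not consumed the step. Shows that the code is still accepted while its
    time step (plus skew) is current, and rejected once that window has passed."""
    code = totp(SECRET, capture_time)
    server = TotpVerifier(SECRET)
    return server.verify(code, relay_time)


if __name__ == "__main__":
    print("code now:", totp(SECRET, T0))
    print("user logs in, phisher replays 5 s later:", phished_code_outcome(T0, T0 + 5))
    print("no user login, relay 5 s later:", relay_only(T0, T0 + 5))
    print("no user login, relay 90 s later:", relay_only(T0, T0 + 90))
```

The two scenarios separate the protection the post describes from its limit: a code replayed after the user has already used it is refused by the consumed-step check regardless of timing, while a code relayed before the real login is accepted only until its time step (here 30 seconds, plus one step of skew) expires.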

September 20th, 2005 by dm (Law & Policy)

Now you should be very careful and aware of your surroundings not only when you walk down a dark street at night, but also when you walk online in a computer game.

A Chinese exchange student was arrested in Japan last week for using bots to run virtual stick-ups in the Lineage II: The Chaotic Chronicle online game, stealing items from players then reselling them on eBay.

The Chinese student used online game bots to beat up and rob other players' characters, all in an online world. The items, according to the Japanese police (in the real world this time), included the "Earring of Wisdom" and the "Shield of Nightmare", and were then resold on eBay (in the real world again). Sounds confusing? The line between virtual and real cash is almost gone as players buy and sell virtual items on eBay, and crimes occurring in either world (real or virtual) have implications in the other.

I am not sure how Japanese courts would consider their jurisdiction over crimes committed by a bot in a virtual world, but it certainly makes an interesting argument for both defense and prosecution. To make an analogy with US criminal procedure, how do you authenticate, for example, the chain of evidence for the stolen items? It may not be that hard in this particular case, but it does not take a stretch to imagine a situation where the lines between the virtual crime and real-world prosecution will disappear.

September 20th, 2005 by dm (Hacking, Law & Policy)

Symantec may be on to something:

Computer hackers seeking financial gain rather than thrills or notoriety are increasingly flooding the Internet with malicious software code, according to a semi-annual report from security company Symantec.

[Via ZDNet]

Yes, there is a shift in who the virus, worm, trojan and spyware writers are: impressing a girl from high school is no longer the motive for writing a destructive virus. The times are changing, and more and more computer crimes are committed by organized crime groups with increasingly sophisticated methods.

What should our response be? To start with, our perception of the hacker as a teenager with thick glasses sitting behind a green monitor should change to reflect reality: hackers are organized criminals with malicious motives and sophisticated tools, and are sometimes dangerous in the physical world. A slap on the wrist is no longer adequate punishment for releasing a worm or for hacking into a government network. Nor can a government simply enact a domestic statute prohibiting and criminalizing an activity and hope that the desired result will follow: the anonymity of the Internet and the lack of uniform international criminal laws allow cyber criminals to launch attacks from a "safe country" many time zones away.

September 20th, 2005 by dm (Scams, Cybersquatting, Phishing)

A practice by online scammers that is not necessarily illegal under current laws, but highly annoying and potentially dangerous, is gaining speed and attention. Typosquatters register a domain name that is only a slight variation (usually a misspelling) of a famous domain name, hoping to attract users who inadvertently misspell the name of a large or popular site. After being shown a page full of sponsored links, often provided by Google AdSense, the user often clicks on one of the paid links and generates a profit for the typosquatter.

Typosquatters register hundreds or thousands of domain names with variations of popular domains, hoping to attract a larger number of users and a larger profit from the misspelled names. While in most cases there is no damage to the user (who only has to make an extra click to reach the desired site), a typosquatter can easily serve a page that looks like the intended site and then phish users into submitting personal or financial information.

Individual companies and domain name owners have little recourse other than to buy the domain names themselves (if they thought about this early enough) or to fight the typosquatter under the domain registrar agreements (usually arbitration) for each domain name, a costly and time-consuming endeavor considering the number of typosquatted domain names an organization might have.

September 19th, 2005 by dm (Law & Policy)

An interesting eWeek article about the Department of Homeland Security's National Cyber-Security Division argues that little progress has been made in protecting the nation's cyber-structure.

Despite a budget of more than $1.7 billion covering 2004 and 2005, the Information Analysis and Infrastructure Protection Directorate, home to DHS' core cyber-security activity, has yet to address a single item among its stated cyber-security responsibilities. That judgment comes not from academics or contractors but from the Government Accountability Office.

...

Sen. Joseph Lieberman, D-Conn., the ranking minority member on the Committee on Homeland Security and Governmental Affairs, said he wished more progress had been made over the last year. "I don't expect overnight success, but I do expect visible improvement in DHS' ability to protect the cyber-structure that underpins our nation's critical infrastructure," Lieberman said.

So who is to take the initiative in protecting the nation from cyber criminals and terrorists: the government or the private sector? Although DHS has clearly been tasked with protecting the cyber-structure, the article argues that very little has been done at the government level despite the not-so-bad financing and the division's elevated position within DHS' structure.

Much of the department's resources and attention have been taken up trying to get its own house in order, Hancock said. "It's a huge organization that's trying to get a grip on its own problems."

Although the private sector may be more efficient in combating cybercrime, it is the government’s role and position to protect critical resources and infrastructure.

[Via eWeek, MA]

September 19th, 2005 by dm (Spam)

An interesting use of Google Maps and spam data obtained by Mailinator, a free email service: the spam map shows the originating locations of recent spam received by Mailinator.

[Via Slashdot]

September 19th, 2005 by dm (Hacking)

A Massachusetts teenager was sentenced to 11 months in a juvenile facility for hacking into Paris Hilton's cell phone and T-Mobile's network.

The charges included hacking into Internet and telephone service providers, theft of personal information and posting it on the Web, and making bomb threats to high schools in Florida and Massachusetts, all over a 15-month period.

[Via ZDNet.com.au, Australia]

September 19th, 2005 by dm (Authentication, Law & Policy)

Yes, passwords in and of themselves are no longer an adequate measure of security (even when typed on silent keyboards). But are they good enough for most uses?

Gartner analyst Jay Heiser is quoted by CNET as saying the increasing sophistication of attacks and the professionalism of cybercriminal gangs have led companies to make passwords longer, or to change them more frequently. Speaking at the Gartner IT Security Summit in London, Heiser also said users respond by forgetting passwords, or writing them down, which can compromise security in a different way.

So what is the solution? It depends on the requirements of the organization. For example, a password is more than enough security to log in to a bulletin board website, while simple password authentication is quite inadequate for online banking. A sliding-scale approach is best, as demonstrated by attempts by institutions such as Bank of America to create two-factor authentication using its SiteKey system.

However, such new approaches to security would be prohibitively expensive for smaller organizations, so the security of your private data is only as strong as the weakest link. Even if Bank of America spends millions of dollars on a new authentication system and millions more on revamping its procedures to protect your personal information, it could be your dry-cleaner or your university that compromises all of your personal information.

[Via SAP INFO, Germany]
