October 31st, 2005 by dm Pharming none Comments

A recent survey by a security appliance vendor (take it with a grain of salt, since they are the ones who provide the solution to the problem they have reported) indicates that 40% of DNS servers run software that is outdated and very likely insecure and vulnerable to pharming attacks.

The Boulder, Colo.-based Measurement Factory, in querying some 17 percent of the roughly 7.5 million globally known authoritative DNS servers on the Internet, also found that in more than 40 percent of DNS servers, the software used to complete domain name resolution is out of date and likely insecure.

[Full survey]

October 31st, 2005 by dm Forensics, Law & Policy none Comments

Many online businesses are increasingly employing covert tactics to defend their rights online. Whether it is phishing, fraud-clicking, affiliate marketing, or commissions, the opportunities for abuse are abundant. In one recent example, Commission Junction has contracted with Cyveillance to spider the web in search of affiliates that generate commissions without legitimately earning them - for example, through cookie stuffing (sending several cookies to the user’s browser so that many retailers can "recognize" the affiliate referral, instead of only one) and forced clicks (showing a pop-up as if the user had clicked on a link), among others.

Cyveillance’s strategies, however, have been decried as violating many Internet "good-faith" behavior protocols. For example, the company is alleged to (1) abuse huge amounts of bandwidth of the spidered website, (2) ignore the "robots.txt" file, and (3) consort with the recording industry to prosecute individuals who share copyrighted music.

In response, Eric Olson, the VP of solution assurance at Cyveillance, says, "We try to maintain a light footprint, and we try not to overburden a server" during searches. He acknowledges that the company’s spider does look at pages that a site’s Robots.txt file labels as excluded. But, he adds, "We couldn’t do our jobs if we listened to every Web site saying, don’t look at these pages."

Eric Olson’s robots.txt claims have merit: Cyveillance is (1) not required to "obey" robots.txt information, and (2) would be very ineffective if "bad guys" could protect themselves as easily as editing their robots.txt file. However, if the claims about Cyveillance being bandwidth-intensive are true, there may be a claim against them for "trespass to chattels," a common law tort theory based on the premise that Cyveillance, by their heavy use of a server, prevents the rightful owner from full enjoyment of the server.

[Via InternetNews.com -]

October 29th, 2005 by dm Identity Theft none Comments

When you are afraid that you might get mugged on a particular dark street, what do you do? Easy, don’t walk on that particular street. Recent research by Consumer Reports WebWatch shows that US Internet users are cutting down on their time online due to increased threats (or publicity) concerning identity and personal information.

According to the WebWatch report, released Wednesday, 80 percent of all
American Web surfers are at least somewhat concerned about the threat
of identity theft posed by engaging in online activities.

As a result of those concerns, at least 30 percent of the
1,500 people interviewed for the survey said they have reduced the
amount of time they access the Internet.

Is this a success or failure of the cybersecurity system? One of the goals is to educate the population that the Internet is dangerous and people should be careful what information they disclose online. According to this factor, the survey shows that efforts are paying off - people are at least more aware of the threats. On the other hand, the fact that people spend less time online due to their fears shows that other measures of preventing cybercrimes are not efficient. Which is it?

[Full report]

October 29th, 2005 by dm Law & Policy, Vulnerabilities none Comments

Are cyberterrorists going to wait until after February? The Department of Homeland Security would hope so. In an announcement this week, DHS has put the National Cybersecurity Simulation on hold until after February.

"While this exercise will be an important test of our readiness to
respond to and mitigate a significant cyberattack, our first priority
as a department is responding to real world events," spokesman Kirk
Whitworth said in an e-mail to CNET News.com. "As a result of
Hurricanes Katrina and Rita, many of the department’s resources, as
well as those of the private sector which would have been involved in
the Cyberstorm exercise, were reallocated to deal with the disasters in
the Gulf."

The National Cybersecurity Simulation was designed to simulate a major cyberattack on the nation’s electronic infrastructure, electronic payment systems, and major providers’ backbones. The Department of Homeland Security is the government agency responsible for securing the nation’s infrastructure, and although it is true that the Department’s resources are stretched now due to the recent hurricanes, it is nonetheless as good a time as there could be to conduct a realistic simulation. Hopefully the cyberterrorists would please wait.

October 26th, 2005 by dm Spam none Comments

Is it time for a new category on this site - Splog? Maybe not yet, but spamming via weblogs (splogging) has gained a lot of attention after Google’s Blogger service was accused of being a "splog" breeding ground.

The attacker, or splogger, used automated tools to manipulate the
Blogger-BlogSpot service and create thousands of fake blogs loaded with
links to specific Web sites (home mortgage, poker and tobacco sites
among them). The move was designed to doctor search results and boost
traffic to those sites by fooling the search-engine spiders that crawl
the Web looking for commonly linked-to destinations.

One of the major problems with detecting and preventing spam on weblogs is that, unlike email, there are no readily available tools to detect and erase what may be a legitimate blog posting or comment. Although keyword filtering may help, spammers are very good at evading such filters. In addition, unlike email, where a message’s headers can provide valuable clues to its legitimacy, a posting on a website does not hold much metadata which can help identify it as an illegitimate piece.

Splogging seems to be a growing problem in the blogosphere. Mark Cuban officially warned Google that Blogspot will be excluded from Icerocket.com (the search engine he owns) unless Google get their s*$# together.

October 26th, 2005 by dm Identity Theft, Law & Policy none Comments

In the old days the biggest threat to a PC and its owner’s data was the 5.25" floppy disk that contained the latest and greatest version of the "Avenger91" (or something similar) virus on its boot sector. The virus would load into the 1MB of RAM, would stay "resident" until the owner changed floppy disks and then it would copy itself onto the new disk. This scenario shows how malware used to be distributed - one floppy at a time, one user at a time.

The times are changing. First, merely connecting an unpatched Windows PC to the Internet will give you an average of 12 minutes to protect it before it becomes infected (or "zombie") with a trojan or worm of some sort. Even if you survive these 12 minutes, merely by installing an "interesting" piece of software you might inadvertently "agree" to have a different piece of software installed which monitors your online activity and in the best case scenario provides you with marketing opportunities or, very often, would secretly record your keystrokes or financial information and send it to a server in China, Brazil, Korea, or Romania.

While I try to paint a grim picture to illustrate a point, the reality is not far off. It is reported that researchers at Kaspersky Lab, a Moscow-based anti-virus company, receive 5,000 samples of malicious code each month, double what they received the previous year. According to Kaspersky Lab, approximately 80% of the pieces of code they receive (4,000/month) can be attributed to online criminals who make money through identity theft or hacking. For comparison, only 5% are written by hacker-wannabes or "script kiddies."

With the increased criminalization of malicious software, companies such as Kaspersky Lab, Symantec, McAfee, etc. are facing a battle with organized crime groups and not just individuals sitting in their bedrooms and writing worms. Thus, it is increasingly important that computer security firms cooperate with law enforcement and legislation. While Symantec’s name and research can be very valuable in the United States, more often than not, the criminals would be in a country where Symantec’s cooperation with law enforcement is not as strong as in the United States. The idea of having computer security firms based in countries where computer crime is rampant is the best way to "put troops on the ground" where security experts can best evaluate the credibility of the threats and create relationships with local law enforcement.

While it may seem fruitless to base a computer security team in a place where computer crime laws are weak, non-existent, or unenforced, I believe that uncovering the problem is the first step to educating local legislation and law enforcement as to the potential for financial loss and public embarrassment. Places such as Romania, Brazil, Korea, and China are gaining notoriety for being lax on computer criminals and I believe that establishing local computer crime research labs will be helpful.

October 21st, 2005 by dm Obscenity none Comments

Internetnews reports on a guilty plea entered by a Washington, D.C. man on charges of using the Internet to distribute and receive child pornography. The guilty plea was on one count each of using a computer to advertise, transport, receive and possess child pornography. The US statute criminalizing child pornography is 18 U.S.C. §§2251-2260.

The prosecution by the U.S. Department of Justice outlines an increased effort to prevent the use of the Internet by child abusers:

"Pedophiles who think the Internet is a safe haven for the sexual exploitation of children are dead wrong," Assistant Attorney General Alice Fisher said in a statement. "We will find and punish those who prey on our nation’s youth."

Under the federal sentencing guidelines, Schiffer faces a likely sentence of 262 to 327 months in prison. The government is also seeking the forfeiture of the computer equipment allegedly used to commit these crimes. Sentencing is set for Feb. 9.

[Via InternetNews.com -]

October 12th, 2005 by dm Obscenity none Comments

With obscenity complaints at an all-time high, the FTC has launched an informational site to "educate" the public and to provide more information to people who file a complaint. With 160,000 complaints filed this year alone, the FTC obscenity site tries to explain what is considered obscene under Supreme Court law and answers frequently asked questions.

The FTC obscenity site.


[Via InternetNews.com -]

October 12th, 2005 by dm Identity Theft none Comments

Who is best prepared to tackle the problem of identity theft? According to security expert Bruce Schneier in his Wired article, it is the banks who need to do more to prevent this problem.

"Financial institutions make it too easy for a criminal to commit
fraudulent transactions, and too difficult for the victims to clear
their names," warned Schneier. "They can put security countermeasures
in place to prevent fraud, detect it quickly and allow victims to clear
themselves."

This approach makes sense - banks (and financial institutions in general) are the custodians of the private information which is then used to steal a person’s identity - and as such custodians, they are in the best position to put measures and protections in place. Considering the current high level of identity theft, it is hard to believe that the market has not demanded better protections from the banks. If customers demanded better security and guarantees by the banks of the security of their information, banks would have already done so. In similar cases, when market forces are unable to correct this problem, it is the government that needs to step up.

There are several states which have identity theft statutes on their books, and there are federal bills pending in Washington to create uniform protection against one of the fastest growing crimes.

October 10th, 2005 by dm Obscenity none Comments

News.com reports a story on the arrest of a Florida web-site operator who created a controversy some time ago by posting grisly photos of corpses of people killed in Iraq and Afghanistan. However, the arrest in this case seems to be unrelated to the dead bodies controversy - Christopher Wilson was arrested allegedly on obscenity violations.

Although the article does not go into clear details, it seems that the charges are under state obscenity laws, as Florida’s Polk County Sheriff was making a statement on the case. Alternatively, charges in many cases can be brought under the federal obscenity laws, 18 USC §§1460-1470, although the federal obscenity laws usually have a "transport in commerce among states" requirement which may or may not be easily met.

Obscenity on the Internet is not really a common crime. The proliferation of pornographic websites, and of other websites objectionable to some, has rendered many law enforcement agencies unable to devote the resources to prosecute even a small portion. Generally, prosecution is reserved for some "special" cases. This highly selective approach may create an environment for bias and targeted prosecution, especially where there are other concerns involved, e.g. political or personal motivation by the prosecution.

With the sparse facts that seem to be released to the public at this point, Mr. Wilson’s arrest in Florida seems to be one of those specially-motivated prosecutions that may not have happened had he not posted the war photos in a previous and seemingly unrelated incident. The fact that the prosecution could not go after Mr. Wilson previously for posting the war photos (not enough evidence, statute not broad enough to cover the facts) may indicate that the prosecution put him on a "sticky" note and waited for a second chance - obscenity in this case.

Update on prosecutorial motivation: Sheriff Judd after the arrest,


"It is the most horrific, vile, perverted sexual conduct… It is
as vile, as perverted, as non-normal sexual conduct, which rises to the
level of obscenity, as we’ve ever investigated"


However, an article on a Tampa Bay news site indicates that,

Judd said his agency will share its findings with the U.S. Army Criminal Investigations Division.





Judd said Wilson… was warned a few months ago about the content of
another Web site he operated. No charges were filed at that time, he
said.




The sheriff’s office began an investigation after news reports
about Wilson’s Web site and its posting of apparent war zone photos
surfaced…





Judd and Polk officials have waged a long campaign against pornography in the Central Florida county.


and more,


Judd said none of the 20 films and 80 photos that brought about the charges involves pictures of war dead. But Judd
confirmed that his detectives did speak with officials with the U.S.
Army Criminal Investigation Division before arresting Wilson on Friday.



Obscenity in General

Obscenity law has been limited by the U.S. Supreme Court’s interpretation of the First Amendment. To be beyond the protection of the First Amendment as obscene, the content must meet a three-part test:

  1. whether an average person, applying contemporary community standards, would find that the work, taken as a whole, appeals to the prurient interest,
  2. whether the work depicts or describes, in a patently offensive way, sexual conduct specifically defined by the applicable state law, and
  3. whether the work, taken as a whole, lacks serious literary, artistic, political, or scientific value.
Miller v. California, 413 U.S. 15 (1973)


Obscenity in this case

It is very difficult to evaluate the strength of this obscenity case without the much needed factual details. The News.com article indicates that the charge is based on pornographic materials, for which it may be harder to meet the Miller test, especially if access to the photos was restricted in some way to authorized users only. Additionally, the inescapable connection between this incident and the war photos incident may give the defense a strong argument that the current prosecution is motivated by expression of political ideas, which strengthens the First Amendment protection.

This is a very preliminary overview of this controversy based on *very* sparse facts. More will follow shortly as more facts become available.

Fact Update:
The site in question is http://www.nowthatsf***edup.com/ [fill the gaps appropriately.] It seems to have the proper disclaimer and a requirement that only people 18 or over enter. Also, Mr. Wilson has been charged with 100 counts of distribution or transmission of obscene materials, 100 counts of offering to distribute or transmit obscene materials, and 100 counts of possession of obscene materials. All are misdemeanors. [Thanks Interstate4Jamming]
