You know that there is a problem when the UN comes out and gives an authoritative opinion.
"Some ISPs are very proactive, and are spending huge amounts of money combating spam. The problem is not all ISPs are doing this. A smaller group of ISPs profit from carrying spam or take no action, and those bad apples touch the rest of the ISP community," said Susan Schorr, regulatory officer with the ITU’s telecommunications development bureau.
The International Telecommunication Union (ITU) is the UN organization responsible for global telecom standards. According to them, ISPs should be required (by whom?) to enforce conduct codes regarding their customers and block spammers’ access to email.
Nice idea, but does the ITU realize how hard it is to write new laws that force ISPs to create codes of conduct for their users? Shouldn’t the market do this?
"We’re proposing regulators could pass legislation to require ISPs to enter into enforceable codes of conduct for their customers," Schorr told ZDNet UK.
[More at ZDNet UK]
Another laptop theft. Another identity theft risk. This time it is Verizon.
A theft of two laptop computers has put a "significant number" of Verizon Communications’ employees at risk of having their identities stolen, the company said Wednesday.
According to the report, two laptops were stolen from a Verizon facility and may contain personal information, such as Social Security Numbers. Verizon has assured its employees in a March 1st letter that this incident appears to be a random criminal act and that the laptops were password protected.
It is interesting that Verizon has underscored that the laptops were password protected. Are they trying to imply that because there is a password on the laptop, any data stored inside is protected? Many of our readers know that a Windows password is hardly any deterrent against obtaining access to the information on a laptop. Is a relatively weak login password sufficient to protect the data inside?
[Via Wall Street Journal (paid subscription required)]
A report conducted by the Australian Consumers’ Association found that most new PCs come packaged only with very basic trial (and not up-to-date) anti-virus software.
Most computers connect to the internet and we think all computers should be sold with a full internet security package rather than a couple of months’ protection against viruses and worms.
Considering that it takes only a few minutes to "zombify" an unprotected networked PC, this report underscores a major threat to the security of the Internet: as long as vendors do not provide adequately protected PCs to new users, there will always be a pool of proud new PC owners who are easy targets for botnet operators.
[Via CNET.com.au]
Personal Information Theft Case Du Jour: McAfee employees are now vulnerable to ID theft after McAfee’s auditor, Deloitte & Touche USA lost a disk with McAfee employee information.
The disc contained personal details on all current U.S. and Canadian McAfee workers hired prior to April 2005 and on about 6,000 former employees in the same region, (McAfee spokeswoman Siobhan) MacDermott said. (The security company currently has approximately 3,290 employees worldwide.) The information wasn’t encrypted and potentially includes names, Social Security numbers and stock holdings in McAfee.
Deloitte & Touche confirmed the incident. “A Deloitte & Touche employee left an unlabelled backup CD in an airline seat pocket,” a representative for the professional services firm said. “We are not aware of any unauthorized access to this data in the two months since the CD was lost.”
Source: ZDNet
How ironic. Of course, this is not McAfee’s fault (or at least the article and the facts on their face do not suggest so) but the story shows how even the most-protected or vigilant organizations are not immune to theft of important personal data.
The rise in phishing websites has been attributed to the increasing use of so-called "phishing kits". The Anti-Phishing Work Group revealed in a December 2005 report that although the absolute number of phishing emails sent has decreased, the number of sites hosting phishing "action" pages has increased from 4,630 to 7,197 (an increase of over 50%). Readily available "phishing kits" are circulating on underworld websites. These kits allow even non-technical people to create and manage a multitude of phishing sites. Although the sophistication of such "amateur" phishing sites is likely to be low and the sites are likely to be easy to detect, the 50+ percent increase in such sites shows an alarming trend.
Joel Camissar, country manager for Australia and New Zealand at Websense, has told ZDNet that the situation is similar to what happened when virus-making kits started appearing a few years ago.
The commercialisation of these phishing tools is what we saw in the antivirus industry… when toolkits to create mass-mailing worms started becoming increasingly popular. We are seeing the same parallel in the phishing world, whereby these techniques are becoming mainstream.
[Via ZDNet UK]
A 21-year-old virus writer who decided to give an interview to the Washington Post may be sorry after his identity was uncovered by the general Internet community (largely Slashdot). The Washington Post agreed to protect the identity of the virus writer 0x80 in exchange for an interview and a rare glimpse into the life of a hacker (WaPo article). The article is pretty catchy and is indeed an interesting read in and of itself:
"Most days, I just sit at home and chat online while I make money," 0x80 says. "I get one check like every 15 days in the mail for a few hundred bucks, and a buncha others I get from banks in Canada every 30 days." He says his work earns him an average of $6,800 per month, although he’s made as much as $10,000. Not bad money for a high school dropout.
However, the happy hacking days may be over for 0x80, as it was discovered that the article, along with the published photo (which was later removed by the Washington Post), contained enough clues to unmask the identity of the virus writer. Some posters at Slashdot were able to identify where the picture was taken and the name of the photographer via metadata (oh, this metadata again?) hidden in the picture. According to the Slashdot posts, the picture was taken in a rural town in Middle America that has a meager population of 2,842. Along with suggesting the name of the town, the article provides more clues:
Tall and lanky, with hair that falls down to his eyebrows, 0x80 almost never looks you in the eye when he talks, his accent a slurry of heavy Southern drawl and Midwestern nasality. He lives with his folks in a small town in Middle America. The nearest businesses are a used-car lot, a gas station/convenience store and a strip club, where 0x80 says he recently dropped $800 for an hour alone in a VIP room with several dancers.
Maybe the federal agents are already searching for a used-car lot in the proximity of a strip club somewhere in the Midwest?