Thursday, October 28, 2010

World's Fastest Supercomputer Belongs to...China

$88 Million.  That's the cost of the world's fastest supercomputer.  It is named Tainhe-1a and will be used for large scale scientific calculations.

Previously at #1 was the Cray XT5 Jaguar at the U.S. National Center for Computational Sciences at Oak Ridge National Labs.


Sources:
"The World's Fastest Supercomputer Now Belongs to China", Stan Schroeder, Mashable, 10/29/2010.

Tweet Invites a Snatching? Woman's Story from China

A Chinese woman posted a tweet indicating she would march holding a banner to honor Nobel Peace Prize winner Liu Xiabo, Liu happens to be in prison.

Authorities who wanted to send a warning to friends and supporters of Liu made a visit to her home.  She had to leave with them.  When she returned home, the authorities retained her phone and computer.


Sources:
"China Snatches Woman After Protest Tweet for Nobel Winner Liu Xiaobo", The Huffington Post, 10/29/2010.

A Merger You May Have Missed - Zeus and SpyEye reach a teaming agreement

SpyEye hit the radar of security experts December 2009.  SpyEye's claim to fame was creating software called "ZeuS Killer" which would remove ZeuS from an infected machine and then install SpyEye.
At their core, their goal is stealing banking credentials and money.  Although Zeus deviants have been developed to commit other crimes.

In an article by Brian Krebs, he mentions that the FBI attributes $70 million dollars stolen from 400 organizations to Zeus.  In the same article, Krebs has a great quote from Trusteer CEO, Mickey Boodaei, "We are in an arms race with criminals".

In a note to previous Zeus customers, SpyEye welcomes his new customers to the fold and even offers them free support and discounts on future software.

Sounds like SpyEye, also known as, "Haderman", has done a Voice of the Customer session!




Sources:
"SpyEye v. ZeuS Rivalry Ends in Quiet Merger", KrebsonSecurity, 10/24/2010.

"ZeuS-SpyEye merger", Help Net Security, 10/27/2010.

Symantec Reports.

Google "Mortified" - Admits the Privacy Lapse


Google admitted that it collected personal information, by accident, when it dispatched Street View cars to your neighborhood and ones like it all around the globe.

What did they collect?  According to their admission, in some cases, entire email messages, passwords, and the websites you visited.

Google indicated it would delete the data as soon as possible.

Google has recently appointed a privacy director.

In the UK, the Information Commissioner's Office, will be looking into the matter.

Google employee, Alan Eustace, quote was posted in the Telegraph:

"It's clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs [web addresses] were captured, as well as passwords," said Alan Eustace, Google's vice-president of engineering and research.  "We want to delete this data as soon as possible, and I would like to apologise again for the fact that we collected it in the first place."

The original intent of Google Streetview cars capturing WiFi information was supposed to be to create a map of hotspots to help people on the go know where they could get WiFi access.


Sources:

"Google:  We're 'Mortified' about Privacy Lapse", Fox Business, 10/22/2010.

"Google Spied on British emails and computer passwords", David Barrett, Telegraph.co.uk, 10/23/2010.

Amazon Shoppers in NC - Recent Ruling

The NC Department of Revenue asked Amazon.com to provide information to help with collecting taxes for online sales from 8/2003 through 2/2010.  Amazon did provide product codes of what was purchased, which could be books about very personal or sensitive topics, but they withheld information that might allow someone to link a book specifically back to you.

It went to court and the federal judge ruled that the detailed NCDOR request violates Internet users' rights to free speech, privacy, and anonymity.   

Sources:
"Federal Court Upholds Amazon Users' Privacy and Free Speech Rights", ACLU, Press Release, 10/26/2010.

Friday, October 22, 2010

Wannabe Thieves Remind Me of the Country Song: "Here's Your Sign"

In a crazy move of brazenness, a would be criminal steals a laptop.

The location?  A security trade show.

Two members from the cleaning crew stole a laptop.

The entire heist was videotapped!

Reminds me of a country song by Bill Engvall, "Here's Your (Stupid) Sign".

1.  Don't EVER leave a laptop unattended - at a trade show, in your car, in a hotel room.

2.  Stealing is never a good thing to do but you also add dumb to the equation to steal at a security trade show.

U.S. is ranked #1 - In Botnet Computer Infections!

Microsoft released its 9th Security Intelligence report focused on computer infections and botnets.

In 3 months alone, Microsoft doubled an important and staggering number. Yes, from April-June 2010, Microsoft cleaned 6.5 million computers from a botnet computer infection.

What is a botnet?  Basically, you think your computer is in your command because it appears to be.  However, behind the scenes it is a zombie under the control of cybercriminals.  They can use your computer to hide behind to do their evil bidding - spamming others, infecting others, attacking systems.

What can you do?
1.  Pay attention to your computer - is it suddenly slow?  Do you hear it accessing the hard drive but you are not running anything?
2.  Are your browsers, antivirus, and software up to date?
3.  Practice safe surfing - don't click on links or open attachments without thinking twice about it

U.S. Military Expands Its Cybersecurity Role

A series of new processes and procedures for cybersecurity were put into place this month.  They pave the way to better leverage the Defense Department's cyberwarfare capabilities in case there is an attack on the U.S. networks.

Think about the situation where you have a wildfire raging or a major hurricane.  The President can sign an order that allows FEMA to organize and coordinate recovery efforts using U.S. military forces.  The new procedures adopted for cybersecurity follow similar guidelines.

In this case, DHS would direct the work of the U.S. military.

According to a New York Times article, DHS team will deploy to a military base on Fort Meade, Md where the NSA and the military have instituted the Cyber Command.  A team of experts from Cyber Command will be assigned to the operations center at DHS.

Protection of civil liberties will be managed through a team of lawyers.

Sources:

"Pentagon Will Help Homeland Security Department Fight Domestic Cyberattacks',  Thom Shanker, New York Times, October 20, 2010.

Facebook gets tough on email scams

In a positive move, Facebook filed lawsuits this week against the scammers hitting it's site and it's users.

The three lawsuits filed name people and a company and accuse them of tricking Facebook users into visiting internet marketing websites.

In one of the scams, they created fake "dislike" buttons that then hijacked the user's account and sometimes their money.

There was a fake "Facebook Gold Account" offering slick features but really just took their data and sold it.

A reminder to us all that when something seems to good to be true, it probably is!

Sources:
"Facebook sues over free gift card, 'dislike' button scams", Robert McMillan, MacWorld, October 21, 2010.

Facebook Falls Short When it Comes to Child Predators - Parents, you are the first line of defense

Fox News did an investigation researching how well Facebook handles and blocks child predators.
Once they completed their research, they showed 2 Facebook executives, the screens they found that show predators are getting through to kids.

The researchers found that by entering "PTHC" which is shorthand for Pre Teen Hard Core, they were shown graphic images.

There is a database of words and terms that has been created by the National Center for Missing and Exploited Children.  This database can be accessed by programs like Facebook to alert them anytime a cybercreep is using terms or words that are clearly linked to child predator activity.

The Fox News research found child pornography as well.

Facebook committed to reviewing and enhancing their filters.

This is a complex issue and you cannot make Facebook the bad guy here.

You are your kid's first line of defense.  Be active on your kid's page.  Keep their profile secure.  Monitor their wall and friends' list.

Sources:

"Facebook Falls Short In Blocking Pedophiles", Fox News, October 21, 2010.

Facebook breach creates questions on the Hill

There are 500 Million Facebook users.

The Wall Street Journal reported that your information was being transmitted to marketing firms.

In response, U.S. Representatives Edward Markey (D-Mass) and Joe Barton (R-Texas), sent a letter to Facebook CEO, Mark Zuckerberg.

The WSJ noted an excerpt from that letter which expressed concerns that  "third-party applications gathered and transmitted personally identifiable information about Facebook users and those users' friends."

The letter requests that Mr. Zuckerberg provide information such as:  1.  how many people were affected; 2. when Facebook knew about it; and 3.  permanent changes Facebook will make to prevent further issues.

The response is due next week on 10/27!

Sources:
"More Questions for Facebook", Wall Street Journal, Geoffrey A. Fowler, October 18, 2010.

244,000 Not in favor of Homes Posted via Street View in Germany

Google reported that 244,000 Germans asked that their homes be fuzzed up in its Street View program.  This is roughly 3% of the number of households across the 20 largest cities.

In a fascinating move, German officials demanded that Google allow their citizens to request that their homes not be pictured or be blurred out in Street View.  The basis for this was individual privacy.

Germany is the ONLY country where citizens can request this.


Sources:
"Google: 244,000 Germans say 'no' to Street View", USA Today, October 21, 2010.

Monday, October 18, 2010

Facebook - Breaking Your Privacy Rules.

The Wall Street Journal has written a multi-part series, an excellent expose called "What They Know", covering the complex world behind the web and how it impacts your personal privacy.

Today they brought to light a practice of Facebook applications.  The unique "Facebook ID" number is being shared between Facebook, Facebook applications, and vendors that the Facebook applications might do business with.  

The cause for concern is the Facebook ID number can be used to trace back to a person's name and their friends' names even if you have your security settings at the highest and strictest levels.  In other words, you have a false sense of privacy.

A Facebook user ID is a public part of your profile.  ANYONE can use the ID to look up your name, even if you have all of your Facebook information set to private.

Do you love to play FarmVille or Texas HoldEm Poker?  Or, do your friends?  If so, your privacy is at risk based on the games you play and the games your friends play.

Roughly 25 apps on Facebook were found to be violating your privacy by collecting your information and passing it along.  

The WSJ reports that RapLeaf linked your Facebook user IDs to information in other databases to create a more thorough profile about you.  When confronted by the WSJ, RapLeaf asserted that the transmission of Facebook ID was unintentional.  

I am finding it challenging that these companies with innovative leaders and technology geniuses are doing all this by accident?  What is your opinion?

There is a point of view out there that your privacy has already been invaded so you should not be upset.

{POST REVISION NOTE}  By the way, I got a note from Rex Hammock, who is mentioned in the Atlantic Wire as "the CEO of a media marketing firm".  In that article, He says your grocery store programs sell more information about you than Facebook apps do.  He wrote and clarified his position.  He commented that "there are many ways people constantly give out information about themselves that third-parties sell -- and that marketers use."  See his comments below.

Experts may be divided but there are a set of experts that feel you should be allowed to control your security and trust that your information is only being shared with your permission and not through a technology loophole.

How to Protect Yourself:
1.  Avoid playing Facebook games
2.  Check out the list of top 10 apps that were sending out information and discontinue use
3.  Educate your friends on Facebook - their actions could leak your information

Top 10 Apps Sending Your Facebook ID:
FarmVille
Phrases
Texas HoldEm
FrontierVille
Causes
Cafe World
Mafia Wars
Quiz Planet
Treasure Isle
IHeart

Sources:

"Facebook in Privacy Breach - Top-Ranked Applications Transmit Personal IDs, a Journal Investigation Finds", Wall Street Journal, Emily Steel and Geoffrey A. Fowler, October 18, 2010.



"How Harmful Is Facebook's Privacy Breach?", The Atlantic Wire, John Hudson, October 18, 2010.

Thursday, October 14, 2010

Arab Student Busts the FBI

There is a legal option called the "open field" precedent that allows law enforcement to plant tracking devices on your car without your knowledge or a warrant.

Yasir Afifi, a 20 year old US born citizen is a business marketing student at Mission College in Santa Clara, CA.

He learned after an oil change that there was a tracking device attached to his car.  The garage owner, Mazher Khan, helped him remove it.

Mr. Afifi then posted pictures of the device on Reddit to see what others might say about it.  A person saw his post and told him it was a Cobham Orion Guardian GPS Tracker typically used by U.S. Law Enforcement.

FBI agents, noticing the device no longer working, came to Mr. Afifi's house to ask for the device back.  Mr. Afifi says in conversations with them he got the idea they might have been tracking him 3-6 months.

He gave the device back.

So what is your opinion here?  Many felt that more should have been done to track the attempted "panty bomber" and we are fortunate he was not successful.  This young man's story shows the difficulty we have in balancing freedom and privacy with security.  Where should the needle fall?

I do not pretend to have the answer but believe it lies in open debate and relying on the constitution.

Sources:

"Caught Spying on Student, FBI Demands GPS Tracker Back", Wired Magazine, Kim Zetter, October 7, 2010.



"FBI Gets Busted Spying on Arab-American Student With Tracking Device",  Jason Mick, DailyTech (Blog) - October 8, 2010.

Attention Aldi Shoppers - Cybercrooks stealing credit card info.

Have you visited an Aldi in North Carolina?  Especially in Charlotte or Raleigh?

Or, how about those of you in CT, GA, IL, IN, MD, NJ, NY, PA, SC or VA?

Customers in these 11 states had their payment card data at risk as cybercrooks gained access to Aldi to install bogus point of sale terminals.

The bogus terminals drank the credit card data faster than you can chug sweet tea at a bar-b-q.
They pulled name, account number and pin.

By the way, this went on from June 1, 2010 - August 31, 2010.

Sources:
"Grocery Terminals Slurped Payment Card Data", The Register, Dan Goodin, October 8, 2010.

Aldi Foods Press Release



Chitty Chitty Bang Bang We Love You - Flying Humvees and Self Driving Cars

It was a big week for those of that grew up watching Chitty Chitty Bang Bang.

Google announced it is testing self driving cars.  The tests, of all places, are in California.  Why not New York City?

Not to be outdone by Google, the Defense Advance Research Projects Agency (DARPA) announced its Transformer X project - building a Humvee that can fly and land with little human instruction.  Some of the vendors and braintrusts that will come together to build this include:  Carnegie Mellon University, Aurora Flight Services, Lockheed Martin.

Transformer X will move soldiers and supplies.

Sources:

Danger Room, Wired Magazine, "Darpa moves a step closer to its flying Humvee", Spencer Ackerman, September 29, 2010.

Forbes Blog - The Firewall, "Forget Google's Self-Driving Cars.  The Pentagon is Building a Self Flying Humvee, Andy Greenberg, October 13, 2010.

Thursday, October 7, 2010

"Phone Home..." was cute in E.T. but not on your smart phone

A new tool called "TaintDroid" revealed some important secrets behind the Android phones this week.
The tool is a real-time privacy monitoring tool.

30 popular apps on the Android phones were recently reviewed using "TaintDroid" by researchers at Duke, Penn State, and Intel.  Out of the 30 apps reviewed, they all asked for the phone's current location.  Once you answer "yes", 15 of the 30 send out the information to ad networks without your permission.

Roughly 1/3 of those 15 apps also included other details which COULD BE used to track you personally such as the:  Device ID, SIM card number, and the phone number.

Google indicates that they ask permission first to use your phone location.  Seems a little sneaky to me.

As always, I am open to your opinions!

Source:

"Study: Android Apps Sending Private Data To Advertisers", Barry Levine, Newsfactor.com, September 30, 2010.

TelecomTV One, October 4, 2010.

If your computer is infected should it be unplugged from the internet?

Microsoft has a team called "trustworthy computing".  The head of that team, Scott Charney, has a recent post on Microsoft's blog: 

"Just as when an individual who is not vaccinated puts others' health at risk, computers that are not protected or have been compromised with a bot put others at risk and pose a greater threat to society."
On the surface, this makes sense.  In practice, this may be a challenge.

Open questions:
If your machine is driven off the internet, you do not have access to the tools you need to clean it.

Someone or some technology obviously makes the call on the "infection".  Do we wall off everyone with annoying spyware or only bots, viruses, trojans, and malware we know?

Obviously if the current anti virus and anti malware software packages let the infection flow through, how would we catch it?

The bulk of the world's infected computers are in China and South Korea but the U.S and Europe have a great share too.


Sources:

"Microsoft: virus-infected computers should be quarantined", Josh Halliday, guardian.co.uk, October 7, 2010.

Microsoft Company Blog post.

I'm Not Talking Quilting - 10/12 Patch Tuesday Biggest Ever!

Each week, the technology community and Microsoft have a day dedicated to patching.  For the non techies reading this, the day of the week is affectionately called "Patch Tuesday".  

Microsoft notified companies this week that they will issue 16 Security Bulletins that fix 49 security vulnerabilities.

If 16 Security Bulletins (in 1 week!) or 49 vulnerabilities sounds high to you, it is.  This is considered the biggest patch Tuesday ever.  

Out of the 49 vulnerabilities 4 are critical & 10 are important.  

If you are wondering what the critical means, in this case, all of the holes in the Windows software allow a hacker to gain control of your machine.





Sources:


"October 2010 Patch Tuesday will come with most bulletins ever", Ars Technica, Emil Protalinski, October 7, 2010.


"Microsoft Security Bulletin Advance Notification for October 2010, Published: October 07, 2010,
Microsoft Security Bulletins to be issued: October 12, 2010".  www.Microsoft.com

NASA vs. Nelson

The Supreme Court heard a NASA Privacy Case this week.  

The lawsuit was brought forward by NASA Jet Propulsion Lab scientists, including Robert Nelson.
The premise of the lawsuit is whether or no the government has the right to do extensive background checks of contractors deemed "low risk" that have access to federal facilities.  This team of contractor scientists objects to the background checks and filed a lawsuit saying that the checks violate their privacy.

A federal judge heard the case and allowed the security checks to continue.

The 9th U.S. Circuit Court of Appeals overturned the federal judge's decision.

What is your opinion?  

The background checks are designed to make sure that contract workers on Federal projects pass the sniff test in the name of National Security.

Should it be the price of admission?  In my humble opinion, yes.

The hearing was held 10/6.  Court reporters thought that most of the court seemed to lean towards upholding the use of background checks.  Elena Kagan, the newest member did not participate in the arguments on Tuesday.

More to come.



Sources:
"Supreme Court to Hear NASA Privacy Case, NASA vs rocket scientists: Supreme Court to hear privacy case against space agency", ABC News, October 3, 2010.

The University of Chicago Law School, "NASA v. Nelson Oral Argument Aftermath - What Should the Majority Opinion Look Like?", The Faculty Blog, October 6, 2010.


"Justices question Caltech scientists' privacy claims", Los Angeles Time, David G. Savage, Tribune Washington Bureau, October 6, 2010.

Use LinkedIn for Networking? Don't Get Duped by Spam Scam

CISCO reported that almost 25% of the world's spam on Monday for about 15 minutes came from infected related emails targeted at LinkedIn users.

The emails look legitimate and shows a linked in request.  If you click on the link, you wait for a few seconds and then Google launches.  Behind the scenes though, Zeus has been dropped onto your computer in what is called a "drive by download".

Zeus is the malware that typically focuses on stealing your online banking credentials from you.

If you use a mobile phone and think this does not apply to you, think again.  If they can infect your computer and your phone, they could reroute calls and text alerts so you will not know until it's too late.

The experts believe that this attack is most likely targeted at employees that have access to financial systems, including online commercial bank accounts.

Sample screen of the spam scam email from the Cisco Blog:

LinkedIn Spam

TIPS TO PROTECT YOURSELF:
1.  Educate - People are the first line of defense.
2.  Think Before You Click - Whenever you get reminder emails from social networking sites, I ignore the link and go directly to the site.  Most sites have an easy way to get to your pending messages.
3.  Computer Changes - If your computer starts to act sluggish or freezing up, you may be infected by Zeus or another malware; refer to a computer professional to clean your computer.

Sources:
"LinkedIn Attack Spreads Zeus Financial Malware", Mathew J. Schwartz, InformationWeek,  September 29, 2010.


"LinkedIn and ZeuS", Adam Ross, Nextgov.com, October 1, 2010.

"LinkedIn Zeus spam run targets prospective business marks", John Leyden, The Register, October 5, 2010.

CISCO Blog Report at http://blogs.cisco.com/security/cisco_security_tracks_linkedin_spam_attack/