Tuesday, April 24, 2007

U.S. database exposes Social Security numbers (www.news.com)

The Social Security numbers of tens of thousands of people who received loans or other financial assistance from two Agriculture Department programs were disclosed for years in a publicly available database, raising concerns about identity theft and other privacy violations.

Officials at the Agriculture Department and the Census Bureau, which maintains the database, were evidently unaware that the Social Security numbers were accessible in the database until they were notified last week by a farmer from Illinois, who stumbled across the database on the Internet.

"I was bored, and typed the name of my farm into Google to see what was out there," said Marsha Bergmeier, president of Mohr Family Farms in Fairmount, Ill.

The first link that appeared in the search results was for her farm's Web site. The second was for a site that she had never heard of, FedSpending.org, which provides a searchable database of federal government expenditures. The site uses information from the Census database.

Bergmeier said she was able to identify almost 30,000 records in the database that contained Social Security numbers.

"I was stunned," she said. "The numbers were right there in plain view in this database that anyone can access."

While there was no evidence to indicate whether anyone had in fact used the information improperly, officials at the Agriculture Department and the Census Bureau removed the Social Security numbers from the Census Web site last week.

Officials at the Agriculture Department said Social Security numbers were included in the public database because doing so was the common practice years ago when the database was first created, before online identity theft was as well-known a threat as it is today.

Department officials said that more recently, when government agencies began to review public databases to remove sensitive personal information like Social Security numbers, they failed to notice that the numbers were being used in this database.

Terri Teuber, a department spokeswoman, said the agency was notifying people whose Social Security numbers were disclosed on the site. She said the agency was also planning to contract with a company to monitor the credit reports of all the affected individuals, at an estimated cost of about $4 million.

"We took swift action when this was brought to our attention, and took the information down," Teuber said. "We want to make sure that it doesn't exist on any publicly available Web site."

The Agriculture Department said that its review of the database shows that between 100,000 and 150,000 people could be at risk.

A spokeswoman for the Census Bureau referred all calls about the database to the Office of Management and Budget.

Privacy advocates say the actions by the agencies may not be enough. The database is more than two decades old, and is used by many federal and state agencies, by researchers, by journalists and by other private citizens to track government spending. Thousands of copies of the database exist.

Marc Rotenberg, Executive Director of the Electronic Privacy Information Center, a privacy rights group, said the improper disclosures of Social Security numbers could violate the Federal Privacy Act, which restricts the release of personal information.

"Federal agencies are under strict obligations to limit the use of Social Security numbers as an identifier," said Rotenberg, "It doesn't look like that's what happened in this case."

FedSpending.org is owned by a nonprofit group called OMB Watch, which monitors the White House's Office of Management and Budget.

The group created the site last year to provide public access to government contracts and grants in a searchable database. Users can search the information by company or by individual names to see who receives federal money.

OMB Watch said it was taking the data off its website while the federal government corrects the problem with the revealed Social Security numbers. Gary Bass, executive director of OMB Watch, said the government's use of Social Security numbers in the database was "deplorable."

"It is most unfortunate that at least one agency has been inserting personally identifiable information into this database for a number of years," Bass said. "I'm amazed that, all these years, no one at the Department of Agriculture noticed that they were putting Social Security numbers into a public database."

Bass said the database is a valuable tool for government transparency and public disclosure, and that he hopes federal officials can continue to make the information available in a useful form while still protecting privacy.

The Census database disclosure is the latest in a string of embarrassing data-security breaches at federal agencies in the last few years. Last year, hackers illegally accessed an Agriculture Department database containing the names, Social Security numbers and photos of current and former agency employees.

The Department of Energy, the Navy, the Department of Veterans Affairs, the Social Security Administration and the Internal Revenue Service also suffered data breaches last year in which personal information was lost or stolen.


Entire contents, Copyright © 2007 The New York Times. All rights reserved.

====================================================

this news is shocking in that government agencies were being so incautious about sensitive personal information that any ordinary internet user can easily google for social security numbers. however, it is not surprising to see that in this incident, the insecure link is the human factor, rather than technological failures. these days, thanks to the search engines, information is implied to be publicly available if not otherwise protected.
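The article says the agencies reviewed public databases to strip Social Security numbers and still missed this one. The check below is an added example, not code from the article or from the agencies involved: a pre-publication scan of a dataset export for values shaped like U.S. Social Security numbers, applying the SSA issuance rules to cut false positives. The CSV and its numbers are constructed.

```python
# Added example, not code from the article or the agencies involved: a pre-publication
# scan for values shaped like U.S. Social Security numbers in a dataset export.
# The CSV below is constructed; the numbers in it are not real.
import csv
import io
import re

# Three, two and four digits, optionally separated; \b avoids matching inside longer digit runs.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")

def looks_like_ssn(text):
    """True if text holds a structurally valid SSN under SSA issuance rules."""
    for area, group, serial in SSN_RE.findall(text):
        # Never issued: area 000, 666 or 900-999; group 00; serial 0000.
        if area in ("000", "666") or area >= "900":
            continue
        if group == "00" or serial == "0000":
            continue
        return True
    return False

def scan_csv(csv_text):
    """Map each column to the row numbers (header is row 1) holding an SSN-shaped value."""
    hits = {}
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        for column, value in row.items():
            if value and looks_like_ssn(value):
                hits.setdefault(column, []).append(row_no)
    return hits

# Constructed export: an EIN (not an SSN), a dashed SSN, a never-issued
# placeholder and an undashed nine-digit id that still needs review.
SAMPLE_EXPORT = """recipient,program,amount,recipient_id,note
Example Farm LLC,Loan,12500,55-1234567,EIN on file
J. Doe,Grant,4000,123-45-6789,
Another Farm,Loan,9000,000-12-3456,never-issued placeholder
R. Roe,Loan,7100,234567890,id copied without dashes
"""

if __name__ == "__main__":
    for column, rows in scan_csv(SAMPLE_EXPORT).items():
        print("column %r has SSN-shaped values in rows %s" % (column, rows))
```

Undashed nine-digit runs will also catch other identifiers, so the output is a review list for a human to clear, not an automatic redaction.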

Wednesday, April 18, 2007

Are you breaking the wi-fi law? Think before you wardrive... (http://networks.silicon.com)

By Gemma Simpson

Published: Wednesday 18 April 2007

Think before logging onto your neighbour's wi-fi network for some free surfing - you're running the risk of a brush with the law.

Dishonestly using an electronics communications service with the intent to avoid paying is breaking the law - and it's something police are increasingly taking seriously.

Two people were recently cautioned for using other people's wi-fi connectivity without permission in Redditch in the West Midlands. One man was arrested and cautioned when residents in the town contacted the police after seeing him in a car outside their houses using a laptop last week.

A woman was arrested in similar circumstances in the town last month although the two cases are not thought to be connected.

As more money is spent on wireless broadband connectivity and people store important information on their computers, wi-fi theft will become an area that the police and legislators will increasingly have to concentrate on, said Clive Gringras, head of internet and ecommerce at legal firm Olswang.

But he told silicon.com there is a grey area in the legislation as to whether a person knows they are acting dishonestly when accessing someone else's wireless network.


Legislation covering wi-fi theft

Communications Act 2003 Chapter 21, Section 125: dishonestly obtaining electronic communications services

(1) A person who -
(a) dishonestly obtains an electronic communications service, and
(b) does so with intent to avoid payment of a charge applicable to the provision of the service,

is guilty of an offence.

Not all wi-fi is equal, as Gringras pointed out. "There is a big difference between what Starbucks makes available to you when you walk into their shops and what an ISP gives you when it provides you with connectivity in your home," he said.

The Redditch cases are not the first time wi-fi has got someone into trouble with the law. Back in July 2005 a man was fined £500 and given a 12-month conditional discharge for piggybacking on someone else's wireless broadband connection in London.

==============================================

it used to be that, at least for ordinary people, exploiting unsecured WiFi signals is just like borrowing internet access at a Starbucks, and even some of those people whose signals were stolen do not take active measures to prevent such thefts, as they consider it a generous offer to strangers. what they don't realize is that insecure networks may expose your personal information to wardrivers, and with the aid of signal enhancing devices, wardrivers are able to save the driving and exploit your network from miles away, at their homes. It is good to see that law enforcement is now taking a more serious approach to digital information theft, but more importantly, I think we as average WiFi users should make ourselves aware of how to protect our home networks.

Tuesday, April 10, 2007

news: Asus Web site harbors threat (www.news.com)

It is not such a Good Friday for ASUStek Computer.

The main Web site of the Taiwanese hardware maker, known for its Asus branded PCs and motherboards, has been rigged by hackers to serve up malicious software that attempts to exploit a critical Windows flaw, security experts said Friday.

The attackers added an invisible frame, a so-called iframe, to the front page of the Asus.com Web site. When visiting the site, a victim's browser will silently connect to another Web site that tries to install a malicious program.

"We've just confirmed multiple reports about Asus.com, a very well known hardware manufacturer, being compromised," a researcher with Kaspersky Lab wrote on the company's Viruslist.com site.

The SANS Internet Storm Center, which monitors network threats, also confirmed the hack. However, the malicious code the ISC found did not attempt to exploit the Windows cursor hole for which Microsoft rushed out a patch this week. Kaspersky said the nefarious code it found did.

David Ray, a spokesman for Asus in the U.S., could not confirm if the company's main Web site had been hacked. However, he noted that the U.S. sub site appeared fine.

Cybercrooks often hack trusted sites to deliver nasty software that typically logs keystrokes and lets attackers remotely control commandeered PCs. A recent incident involved the site for the Miami Dolphins stadium, days before the Super Bowl was held there. Microsoft's MSN Korea site has also been hacked in a similar way.

The recent Windows vulnerability related to animated cursor files is being exploited widely, experts have said. A PC can be compromised when the user simply surfs to a malicious site or views a rigged e-mail.

Posted by Joris Evers

=====================================

so now even without giving away any personal information or manually executing any piece of software, your PC can get compromised. It is not even a fake phishing site that's playing the trick anymore, but hacked real official websites. it seems almost impossible to prevent a PC from any sort of attack nowadays. you never know how many more exploitable windows bugs there are left and how they might come at you.

Wednesday, April 4, 2007

Web filters mistakenly blocking Yahoo (www.news.com)

Websense's products are meant to block malicious Web sites, but on Tuesday and Wednesday the Web filters also blocked Yahoo.com.

The blockade is the result of an erroneous update sent out to Websense customers late Tuesday afternoon, a representative for the San Diego, Calif.-based company said. "The details are still under investigation but some IP addresses associated with the Yahoo.com site were classified incorrectly," the representative said.

As a result, Web surfers at organizations that use Websense filtering software are unable to access the popular Web site. Websense on its Web site states that its products are used to filter Web traffic for about 24.5 million computers worldwide.

"Our helpdesk was flooded with calls this morning since people couldn't get to the search engine or e-mail for Yahoo due to the incorrect categorization," an IT pro at a large health care organization wrote in an e-mail to CNET News.com. "Looks like they are doing the best they can to fix it, but it's a pretty nasty 'oops.'"

The Websense products are used by organizations to prevent access to Web sites that contain malicious code, are part of a phishing scam, or are otherwise considered malicious. The system works with blacklists that Websense compiles and updates frequently.

Various versions of the Websense products are affected by the problem, including 4.4.1, 5.1, 5.5 and 6.1 through 6.3, the Websense representative said. An update to correct the issue on 6.1 systems was pushed out early Wednesday morning, and downloadable files to fix the other systems are slated to be available this afternoon, the representative said.

"Misclassifications of well-known sites are very rare," the Websense representative said. "We are reviewing processes, code, validation systems, etcetera and making adjustments to catch this kind of case in the future before publication of any files."

Such errors happen occasionally with security software, particularly antivirus products. For example, Symantec last month flagged Yahoo Mail as a virus, Microsoft's Windows Live OneCare in November warned that Google's Gmail contained a virus, and earlier last year, McAfee's security tools flagged Excel and other legitimate applications as threats.

Typically, these errors can be fixed by updating the signature files in security applications. These signatures are the rules used by the security program to identify malicious software.

=================================================================================

it can really be big trouble when security software goes wrong. it could be pretty disastrous considering how much profit yahoo could generate in the period of time when the web pages were blocked. as cyber attacks get more and more sophisticated it will probably be more difficult to accurately identify malicious targets in the future.

Tuesday, April 3, 2007

Hacking - Hall of Fame

the internet was not meant to be a secure channel of communication. with a brief understanding of the history behind this technology, it does not take a tech expert to realize this. there is no mechanism embedded in the nature of packet switching to ensure the integrity of content. the loopholes of the internet were probably more glaring in the early days when computers had just come into existence.

the internet evolves so fast that the security aspect is too often left behind. this is especially observable in the e-commerce trend where businesses quickly gain access to the market yet are easily exposed to potential attacks.

Wednesday, March 28, 2007

The Book Stops Here

Wikipedia is a decentralized form of an encyclopedia that takes advantage of all the quick-and-easy information exchange features of the internet. Literally anyone who has an internet connection can contribute to the knowledge pool on whichever topic and however they like. The idea was first thought to be purely experimental but Wikipedia's revolutionary success proves that this model does actually work for practical purposes.

Wikipedia demonstrated a revolutionary way in which information is exchanged. it's not only an online encyclopedia that has a fairly quick and easy keyword search feature, it also avoided the credit attribution problem altogether by simply allowing the information provider to either reveal his/her user account name or post anonymously. Wikipedia inspired many other applications based on the same principle.

Tuesday, February 27, 2007

Technology Writings: Throwing Google at the Book

I believe that google is definitely not the first to come up with the idea of providing digital books on the web, but who is more suitable to act on such an ambitious vision than the search engine dominator, google? The article provides interesting arguments from both sides of the debate over google's rightfulness in conducting the digital book project.

In my opinion, google cannot argue that it is trying to benefit from the authors in a way that can potentially affect book sales; however, if the publishers and authors keep retaining a firm stance against digitizing books, they are more likely to be the eventual loser rather than google or even average tech-literate people, who are already pretty happy with the notorious P2P file sharing. This is to say that the book industry should peacefully sit down with google and devise a mutually beneficial plan to migrate the industry from paper-and-ink to bits-and-bytes before illegal file sharing gets hold of the market.

The book industry should simply realize that this media transition of books is inevitable. There might be some foreseeable loss to authors and publishers, but they should try to make the best out of the situation when it is still a creditable company like google that is taking the lead.