Why 'Anonymous' Data Sometimes Isn't

Last year, Netflix published 10 million movie rankings by 500,000 customers, as part of a challenge for people to come up with better recommendation systems than the one the company was using. The data was anonymized by removing personal details and replacing names with random numbers, to protect the privacy of the recommenders.

Arvind Narayanan and Vitaly Shmatikov, researchers at the University of Texas at Austin, de-anonymized some of the Netflix data by comparing rankings and timestamps with public information in the Internet Movie Database, or IMDb.

Their research (.pdf) illustrates some inherent security problems with anonymous data, but first it's important to explain what they did and did not do.

They did not reverse the anonymity of the entire Netflix dataset. What they did was reverse the anonymity of the Netflix dataset for those sampled users who also entered some movie rankings, under their own names, in the IMDb. (While IMDb's records are public, crawling the site to get them is against the IMDb's terms of service, so the researchers used a representative few to prove their algorithm.)

The point of the research was to demonstrate how little information is required to de-anonymize information in the Netflix dataset.

On one hand, isn't that sort of obvious? The risks of anonymous databases have been written about before, such as in this 2001 paper published in an IEEE journal (.pdf). The researchers working with the anonymous Netflix data didn't painstakingly figure out people's identities -- as others did with the AOL search database last year -- they just compared it with an already identified subset of similar data: a standard data-mining technique.

But as opportunities for this kind of analysis pop up more frequently, lots of anonymous data could end up at risk.

Someone with access to an anonymous dataset of telephone records, for example, might partially de-anonymize it by correlating it with a catalog merchant's telephone order database. Or Amazon's online book reviews could be the key to partially de-anonymizing a public database of credit card purchases, or a larger database of anonymous book reviews.

Google, with its database of users' internet searches, could easily de-anonymize a public database of internet purchases, or zero in on searches of medical terms to de-anonymize a public health database. Merchants who maintain detailed customer and purchase information could use their data to partially de-anonymize any large search engine's data, if it were released in an anonymized form. A data broker holding databases of several companies might be able to de-anonymize most of the records in those databases.

What the University of Texas researchers demonstrate is that this process isn't hard, and doesn't require a lot of data. It turns out that if you eliminate the top 100 movies everyone watches, our movie-watching habits are all pretty individual. This would certainly hold true for our book reading habits, our internet shopping habits, our telephone habits and our web searching habits.

The obvious countermeasures for this are, sadly, inadequate. Netflix could have randomized its dataset by removing a subset of the data, changing the timestamps or adding deliberate errors into the unique ID numbers it used to replace the names. It turns out, though, that this only makes the problem slightly harder. Narayanan's and Shmatikov's de-anonymization algorithm is surprisingly robust, and works with partial data, data that has been perturbed, even data with errors in it.

With only eight movie ratings (of which two may be completely wrong), and dates that may be up to two weeks in error, they can uniquely identify 99 percent of the records in the dataset. After that, all they need is a little bit of identifiable data: from the IMDb, from your blog, from anywhere. The moral is that it takes only a small named database for someone to pry the anonymity off a much larger anonymous database.

Other research reaches the same conclusion. Using public anonymous data from the 1990 census, Latanya Sweeney found that 87 percent of the population in the United States, 216 million of 248 million, could likely be uniquely identified by their five-digit ZIP code, combined with their gender and date of birth. About half of the U.S. population is likely identifiable by gender, date of birth and the city, town or municipality in which the person resides. Expanding the geographic scope to an entire county reduces that to a still-significant 18 percent. "In general," the researchers wrote, "few characteristics are needed to uniquely identify a person."

Stanford University researchers (.pdf) reported similar results using 2000 census data. It turns out that date of birth, which (unlike birthday month and day alone) sorts people into thousands of different buckets, is incredibly valuable in disambiguating people.
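A release-side check for the effect these census studies describe, as an added example that is not part of the original article: it counts how many records are unique on a set of quasi-identifiers, and shows that share falling as geography and date of birth are coarsened. The population is synthetic and constructed here; the field names and the `KEYS` table are assumptions.

```python
import random
from collections import Counter
from datetime import date, timedelta

# Quasi-identifier sets, finest to coarsest (field names are assumptions).
KEYS = {
    "zip5 + gender + dob": lambda r: (r["zip5"], r["gender"], r["dob"]),
    "city + gender + dob": lambda r: (r["city"], r["gender"], r["dob"]),
    "county + gender + dob": lambda r: (r["county"], r["gender"], r["dob"]),
    "county + gender + birth year": lambda r: (r["county"], r["gender"], r["dob"].year),
}


def class_sizes(records, key):
    """Size of each equivalence class: records sharing one quasi-identifier tuple."""
    return Counter(key(r) for r in records)


def audit(records, key):
    """Return k (the smallest class size) and the fraction of records that are unique."""
    if not records:
        raise ValueError("no records to audit")
    sizes = class_sizes(records, key)
    unique = sum(1 for n in sizes.values() if n == 1)
    return {"k": min(sizes.values()), "unique_fraction": unique / len(records)}


def records_below_k(records, key, k):
    """Records that must be suppressed or generalized further to reach k-anonymity."""
    sizes = class_sizes(records, key)
    return [r for r in records if sizes[key(r)] < k]


def synthetic_population(n, seed=1):
    """Constructed data: 2 counties x 3 cities x 5 ZIP codes, 60 years of birth dates."""
    rng = random.Random(seed)
    # Each ZIP belongs to exactly one city and each city to one county, so
    # every later key in KEYS is a strict coarsening of the one before it.
    places = [(f"9{co}{ci}0{z}", f"city-{co}{ci}", f"county-{co}")
              for co in range(2) for ci in range(3) for z in range(5)]
    people = []
    for _ in range(n):
        zip5, city, county = rng.choice(places)
        dob = date(1940, 1, 1) + timedelta(days=rng.randrange(60 * 365))
        people.append({"zip5": zip5, "city": city, "county": county,
                       "gender": rng.choice("FM"), "dob": dob})
    return people


if __name__ == "__main__":
    population = synthetic_population(20000)
    for name, key in KEYS.items():
        result = audit(population, key)
        at_risk = len(records_below_k(population, key, k=5))
        print(f"{name:30s} unique={result['unique_fraction']:6.1%} "
              f"k={result['k']} records below k=5: {at_risk}")
```

Run against a real extract before release, the `records_below_k` output is the list of rows that still single someone out at the chosen granularity.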

This has profound implications for releasing anonymous data. On one hand, anonymous data is an enormous boon for researchers -- AOL did a good thing when it released its anonymous dataset for research purposes, and it's sad that the CTO resigned and an entire research team was fired after the public outcry. Large anonymous databases of medical data are enormously valuable to society: for large-scale pharmacology studies, long-term follow-up studies and so on. Even anonymous telephone data makes for fascinating research.

On the other hand, in the age of wholesale surveillance, where everyone collects data on us all the time, anonymization is very fragile and riskier than it initially seems.

Like everything else in security, anonymity systems shouldn't be fielded before being subjected to adversarial attacks. We all know that it's folly to implement a cryptographic system before it's rigorously attacked; why should we expect anonymity systems to be any different? And, like everything else in security, anonymity is a trade-off. There are benefits, and there are corresponding risks.

Narayanan and Shmatikov are currently working on developing algorithms and techniques that enable the secure release of anonymous datasets like Netflix's. That's a research result we can all benefit from.


Traffic snags on Juniper router glitch

Juniper has published a security update designed to fix a bug involving its router software.

The glitch in JUNOS creates problems for networking kit from Juniper in processing Border Gateway Protocol (BGP) traffic. BGP is a core routing protocol of the internet that's widely used by ISPs and others to (put simply) map the best available routes for traffic to flow across the internet.

Left unfixed, the flaw means that malformed BGP packets may induce "interface flapping".

Interface flapping means the interface of a network device is left going up and down repeatedly - like a tart's knickers, though on a much accelerated scale. The behaviour, on a large computer network, might be used to exhaust the memory buffers on devices targeted with malformed IPv6 messages. This, in turn, might lead to lost datagrams and general network chaos.

JUNOS releases from 7.3 to 8.4 are potentially vulnerable. Users are urged to upgrade their software to 8.5R1. The bug lends itself to remote exploitation, making it possible that it might form the basis of a denial of service attack by hackers against service providers running Juniper kit.

Juniper is a strong number two behind Cisco in the supply of routing kit to large ISPs and telcos. One or two telco techies are already reporting minor glitches that they blame on the problem. A discussion on the issue can be found here. ®


Digital wanted posters help find fugitives

MOBILE, Alabama (AP) -- Between ads for hamburgers and liposuction, the giant digital billboards flashed an image of Oscar Finch's face taken by a surveillance camera. The young man wasn't selling anything. He was running from police.


A billboard on Airport Blvd just west of Interstate 65 shows a wanted poster of Oscar Finch.

Finch was a suspect in a bank robbery last month. More than a week after the crime, authorities obtained the photo and immediately posted it on 12 digital billboards in Mobile, using the eye-catching electronic signs as digital wanted posters.

The billboard showed a grainy mugshot of Finch taken during the November 20 heist. The image, which was mixed in with commercial ads, included his name, his alleged offense and a phone number to contact police.

The 21-year-old Finch, who was the first suspect featured on an electronic billboard in Mobile, surrendered on December 1 -- just a day after his picture appeared. Police spokeswoman Nancy Johnson said he apparently turned himself in after seeing news coverage of the billboards.

"We had been looking for this individual for 10 days and turned it around in 24 hours," Johnson said. "So we're thinking it's going to be highly effective. I think it's a great asset for us."


Wanted posters have been used to find suspects for generations. Sketches of criminals in the Wild West were tacked onto trees and buildings. In more recent years, photos of the FBI's most wanted fugitives have been displayed in post offices.

With digital billboards, police can now display a suspect's face to thousands of people, sometimes almost immediately after a crime is reported.

"We can be up in 15 minutes" of getting a suspect's photo, said Troy Tatum, general manager of Lamar Advertising, the Baton Rouge, Louisiana-based company that provided free use of the billboards in Mobile as a public service.

When the electronic boards aren't showing suspects, they display regular advertising in moving, full-color images that stand 14 feet tall and 48 feet wide. They can also be used for AMBER Alerts for missing children and to deliver weather bulletins.

"We have a special slot set up for local emergencies," Tatum said.

Mobile Police Chief Phillip M. Garrett doesn't want to give such prominent display to "every lawnmower thief" wanted by police. He said the billboards will be used only in high-profile cases or in searches for missing people.

Only a fraction of U.S. billboards are digital -- 500-plus out of an estimated 450,000 total signs, according to the industry. But production of electronic boards is expected to grow.

Police in other parts of the country are also beginning to use the billboards.

In September, Florida authorities arrested a drug suspect two weeks after his photo was displayed on a billboard in Daytona Beach. A tipster who saw the suspect's picture found him sitting in a McDonald's.

The billboards have also been useful in disasters. When an interstate bridge collapsed in August in Minneapolis, billboards displayed an emergency message within 15 minutes.

The signs also have critics. Mobile City Council member Connie Hudson has proposed a temporary moratorium on any new billboards, saying the city needs safety regulations to control the number and spacing of the signs because they may distract drivers.

The full council has not acted on Hudson's concerns.

Ken Klein, vice president of the Outdoor Advertising Association of America Inc., in Washington, D.C., said billboard wanted posters became more common after a young woman was slain in 2002 in Leawood, Kansas.

The victim's father, Roger Kemp, approached Lamar Advertising for help, and the company posted a composite sketch of the suspect on a conventional billboard. A tipster who saw the sketch led authorities to Benjamin Appleby, 31.

Appleby was convicted in 2006 and sentenced to life in prison for killing 19-year-old Ali Kemp.


Apple patches streaming media flaw

Apple has patched a flaw in its Quicktime multimedia player which is currently being exploited by attackers.

The vulnerability exists in the way Quicktime handles RTSP streaming media files. When a specially crafted file is launched, a buffer overflow error occurs. This error allows an attacker to remotely execute code on the targeted user's machine.

The vulnerability was discovered by Polish security researcher Krystian Kloskowski in late November. Less than two weeks later, reports surfaced that attackers were actively targeting the vulnerability via adult websites.

The flaw was considered a greater risk for Firefox users because of the way the browser interacted with the Quicktime player. Researchers found that both Internet Explorer and Safari were able to prevent the attack from successfully executing.

The update addresses the issue in the Quicktime player software for both Windows and MacOS systems. Users can download the update from Apple's website or via the company's Software Update utility.


Botnets linked to political hacking in Russia

Security researcher Jose Nazario has uncovered circumstantial evidence of the use of botnets in politically-motivated denial of service attacks.

Political events in the wider world are sometimes accompanied by hacking incidents in cyberspace, such as defacements and the like. Nobody paid much attention to the issue until the Estonian DDoS events of earlier this year when government and commercial sites in the small Baltic country were taken offline for days in April amid a row with Russia about relocation of a Soviet-era memorial to fallen soldiers and war graves.

Botnets orchestrated by Russian hackers are reckoned to have been used to fire up the Estonian attacks. Involvement of elements from the Russian government is suspected by some, though there's nothing by way of evidence that the Kremlin had a hand in the assaults.

Nazario, a senior security researcher at Arbor Networks, has documented how botnets have featured in more recent politically motivated DDoS events. Attacks on the Ukrainian pro-Russian site of the Party of Regions, a party led by the Ukrainian Prime Minister Viktor Yanukovych, over the last three months were traced by Nazario back to networks of compromised machines.

Earlier DDoS attacks against the site of Ukraine President Viktor Yushchenko, a moderate Ukrainian nationalist, were not traced back to botnet activity.

Last week, Nazario traced attacks on the site of Garry Kasparov, famed Russian chess grand master turned anti-establishment politician, and namarsh.ru, another dissident site, back to a botnet. Both targeted sites seem to have weathered the assault largely unscathed (though the graphics on Kasparov's site failed to load properly).

The motives, much less the perpetrators, of the attacks remain unclear. "I can dream up scenarios where Russian hackers attack Russian dissident websites and politicians’ websites (and why, for example, a Ukrainian site that is pro-Russian is attacked), but I don’t know who is at the keyboard," Nazario writes. "I’ll keep watching these attacks and seeing what I can figure out, but so far it’s just a matter of guessing at motivations." ®


Survey: Privacy breaches rampant in corporations

Nearly 85 percent of privacy and security professionals believe a reportable breach of personally identifiable information (PII) occurred within their organization in the last year, according to an online survey of 800 such professionals published on Tuesday by accounting firm Deloitte & Touche and the Ponemon Institute.

Almost two-thirds of the professionals polled stated that their organizations had experienced multiple reportable breaches in the past year. The security and privacy managers only dedicated approximately 7 percent of their time to training employees and, at most, 10 percent of their time to establishing an incident response team, the survey found.

“Frankly, I’m shocked by the high percentage of PII data breaches we’re seeing occur within organizations," Rena Mears, Deloitte global and U.S. privacy and data protection leader, stated in the release announcing the study. "This survey provides insight into the scale of the problem and how enterprises are struggling to respond. It’s clear that both privacy and security professionals are caught in a reactive cycle, and they agree on the need to move to a more proactive stance.”

A number of events in 2007 have raised corporate awareness of privacy issues. In January, retail giant TJX Companies announced that successive online attacks during 2005 and 2006 had resulted in the loss of, at last count, more than 94 million credit- and debit-card accounts. Last month, the head of HM Revenue & Customs, the United Kingdom's tax agency, resigned following a massive data leak that potentially put the sensitive personal details of 25 million people at risk.

The attention has caused many companies to move toward encrypting their data. The survey found that 55 percent of companies are implementing "some type of encryption" and 37 percent are currently encrypting data in transit and information stored on servers.


Privacy storm descends on Dutch health care database

The Dutch Data Protection Authority is investigating claims that a medical database set up by health insurance companies reveals details about nearly every Dutch citizen.

Birth dates, social security numbers, health insurance information, and addresses of Dutch celebrities, MPs, and even well-known criminals can be easily traced by doctors, dentists, or suppliers of health care aids who use the database, Dutch newspaper Trouw revealed this week.

The Vecozo medical database is used by health care workers to make payments easier and to check Dutch medical insurance data. At least 80,000 people are able to search the database.

Vecozo, which is secured with a password and a certificate, stresses that no phone numbers can be found in the database. Celebs are able to change their personal information, so they cannot be traced under their own name.

Anyone that abuses the database will be punished, Vecozo warned yesterday, but computer security expert Bart Jacobs of Radboud University Nijmegen and TU Eindhoven told Trouw there is simply too much information in the database. "You don't need all that data in order to verify certain procedures," he said. ®


Spam accounts for nearly 95 per cent of email

Spam email accounted for between 90 and 95 per cent of all email in 2007, up from an estimated five per cent of email in 2001, according to a report from web security company Barracuda Networks.

The report, which analysed more than one billion daily email messages sent to more than 50,000 users worldwide, also tracked the increasing complexity of spam techniques over the past several years. 2007 witnessed the majority of spammers using identity obfuscation techniques, in which spammers send email from diverse sources throughout the internet.

Other spamming trends include the increased use of attachments, including PDF files and other file formats.

Prominent spam techniques from previous years include:

2006 - Image spam and botnets
2005 - Rotating URL spam
2004 - Automated generation of spam variants
2003 - Open relays, blast emails, spoofing

“The spam war is a continuous battle between spammers and security vendors,” said Dean Drako, president and CEO of Barracuda Networks. “Security vendors now require 24-by-7 defence operations to continuously monitor the internet for new spam trends and distribute new defensive solutions immediately.”

A separate poll of business professionals by the same company found that more than half (57 per cent) of the 261 respondents now consider spam to be the worst form of junk advertising, nearly double the 31 per cent that cited postal junk mail and well ahead of the 12 per cent who chose telemarketing as their chief bugbear.


Hackers Likely to Target Chinese Users in 2008

Security company Arbor Networks declared the iPhone to be a big target of mainland cybercriminals next year

IT security company Arbor Networks released a statement Tuesday declaring the iPhone to be a big target amongst cybercriminals next year.

Its Security and Engineering Response Team (ASERT) said the iPhone will fall "victim of a serious attack" in 2008, noting that the mobile device will likely be hit by "drive-by attacks". Arbor described these attacks as malware embedded in commonly used information such as images, which are capable of conducting "dangerous actions" when rendered in the iPhone's Web browser.

Because of the attention the iPhone generated over the past year, ASERT said hackers will be lured by the idea of being the first to penetrate the new platform and attack Apple users.

Arbor is not the first to issue security warnings about the iPhone. A team of U.S. security researchers in July said they had written two exploits capable of causing "serious problems" with the design and security implementation on the phone.

Research house Gartner also issued a cautionary note in June calling for enterprises to outlaw the Apple device from their office environment, due to lacking support from major mobile security tools and mobile e-mail vendors, among other issues.

A Gartner analyst, however, later predicted Apple may introduce an enterprise-class version of the iPhone that will better meet the requirements of a corporate environment.

Officially launched in the United States and Europe earlier this year, the iPhone is expected to make its debut in Asia next year, though Apple has yet to firm up an official launch date. The U.S. company is reportedly in talks with various operators across the Asian region.

Chinese spells trouble, too

According to ASERT, 2008 will also see an increase in "Chinese on Chinese" online attacks, involving specifically Chinese-language software such as QQ Messenger. Arbor noted that such attacks are expected to grow next year as new Chinese users join the online community, more software is written for the Chinese market, and Chinese cybercriminals become increasingly sophisticated and organized.

The IT security vendor also expects much larger Storm botnets and peer-to-peer attacks to be prevalent next year.

"2007 was the year of the browser exploit, the data breach, spyware and the storm worm. We expect 2008 to be the year of the iPhone attack, the Chinese hacker, P2P network spammers and the hijacking of the Storm botnet," Jose Nazario, senior security engineer at Arbor Networks, said in the statement.

"Online fraud is soaring and security attacks are now being used in countless and ever more sophisticated ways to both steal and launder money. Financial and other confidential data is being obtained, sold and utilized in the highly-developed black market," Nazario said.

"In 2008, this market will continue to grow and it is important that businesses implement the processes and technology necessary to protect themselves and their customers."


Slapdash staff put corporate data at risk

More than half (57 per cent) of office employees admit to having lost an office laptop, BlackBerry or USB stick at some point in their careers, according to a recent survey.

Pubs, bars or restaurants are cited as the most common locations, the study by online backup firm Databarracks reported.

More than three quarters (77 per cent) of the 100 office workers canvassed in the survey also confessed to storing personal content such as photos on their office network or computers, despite the risk of malware infection.

According to the survey, personal data is often prioritised over company data in the workplace. In the event of an office fire, 77 per cent of respondents indicated they would reach for their personal mobile phones ahead of their work PC.

"This research paints a frightening picture for UK organisations. Almost every business, irrelevant of sector, is reliant on the information stored on its IT network to manage day-to-day operations," said Databarracks managing director Peter Groucutt.

“While employees can be educated to treat corporate data more carefully, human error will always be a factor, so this is not a problem that is going to disappear overnight. More organisations have to start seriously considering secure online backup to protect themselves from unforeseen events.”


Cybercrooks lurk in shadows of big-name websites

A small team of security researchers has documented how many high-profile websites are unwittingly helping phishing fraudsters.

Phishing scams often use "open redirector" exploits on major sites to make their attack URL look more legitimate. The trick also makes it more likely that fraudulent emails that form the basis of phishing attacks will slip past spam filters. Typically, security flaws on exploited high-profile sites allow a phisher to provide a link which appears to be a legitimate URL, but actually redirects to a fraudulent site.

Previous Register stories have covered examples of the ruse practiced on websites including Barclays Bank (story here), eBay (here), and others.

To date, most of the information about the topic has been anecdotal. SiteTruth aims to shed light on the scope of the problem by collecting hard numbers as part of a project that ultimately aims to provide a search engine that will allow clued-up surfers to check on the legitimacy of sites. SiteTruth's search service isn't limited to sites that have paid a fee. Nor is it selling "seals of approval".

Its findings are partly based on existing business records, as well as links with other anti-phishing organisations (such as PhishTank, a clearing house for reports about phishing sites), and its own research. It also takes submissions from webmasters, as explained here.

Even so, the site admits its findings aren't infallible and ought to serve only as a guideline. The safe search feature is currently in Alpha testing.

SiteTruth's research, based on the collection of information about exploited websites and updated every three hours, also reports on insecure practices that serve the interest of cybercrooks. SiteTruth breaks down the vulnerabilities it finds into five categories, as follows:

* Open redirectors
* Sites that allow user hosted content in ways exploitable for phishing (e.g. "photobucket.com", which will accept uploads of Flash files)
* ISPs that provide DSL or cable connections for phishing sites
* Unscrupulous commercial hosting services
* Compromised sites exploited by phishers (Universities with high bandwidth connections and lax security are a favourite in this category)

Some of the items on the list cover broadly similar ground to that documented by Spamhaus and others. However, the open redirector run-down compiled by SiteTruth is a distinct list that makes for interesting reading.

SiteTruth has cross referenced the 10,000 sites listed in PhishTank with the 1.7 million sites in the Open Directory Project database to discover a list of 171 problem domains. Domains listed typically have a security vulnerability which is being exploited by phishing fraudsters.

URL redirection isn't the only category for listing in this blacklist (hosting or otherwise unwittingly helping phishing scams also counts). But the sites allowing URL redirection include many high-profile organisations that ought to know better, including Google Maps. It's easy to bounce off Google Maps to reach the register, for example.
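What closing an open redirector looks like on the site's side, as an added example that is not from the article or from SiteTruth: the unvalidated handler, a common incomplete fix, and a validator that parses the target and checks it against an allowlist. The `shop.example` hosts, the sample inputs and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed site: the only hosts this application may send a browser to.
ALLOWED_HOSTS = frozenset({"www.shop.example", "accounts.shop.example"})


def vulnerable_target(target):
    """Open redirector: the 'next' parameter becomes the Location header as-is."""
    return target


def prefix_checked_target(target, default="/"):
    """Common incomplete fix: a string prefix test instead of parsing the URL."""
    return target if target.startswith("https://www.shop.example") else default


def safe_target(target, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return target only if it is a local path or an https URL on an allowed host."""
    if not target:
        return default
    # Browsers treat '\' like '/' and drop some control characters, so a string
    # containing either can parse differently here than it does in the browser.
    if "\\" in target or any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in target):
        return default
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. a malformed IPv6 literal
        return default
    if not parts.scheme and not parts.netloc:
        # Relative reference: accept only an absolute path on this site.
        # A leading '//' (or '///') is read by browsers as another host.
        if target.startswith("/") and not target.startswith("//"):
            return target
        return default
    if parts.scheme != "https" or parts.username is not None:
        return default  # wrong scheme, or a user@host form that hides the real host
    if parts.hostname not in allowed_hosts:
        return default
    return target


# Constructed values for the redirect parameter.
SAMPLES = [
    "/account/orders?page=2",
    "https://accounts.shop.example/login",
    "https://phish.example/login",
    "//phish.example/login",
    "///phish.example/login",
    "/\\phish.example/login",
    "https://www.shop.example@phish.example/",
    "https://www.shop.example.phish.example/",
    "javascript:alert(1)",
]


def compare(samples=SAMPLES):
    """For each sample: (input, result of the prefix check, result of safe_target)."""
    return [(s, prefix_checked_target(s), safe_target(s)) for s in samples]


if __name__ == "__main__":
    for sample, prefix, safe in compare():
        print(f"{sample!r:48} prefix-check -> {prefix!r:44} safe -> {safe!r}")
```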

AOL, Microsoft Live, the BBC, Yahoo!, and UK bank Alliance and Leicester have also been greylisted by SiteTruth over the last three weeks.

"Phishing sites come and go rapidly; this list may be out of date within hours," SiteTruth's John Nagle told El Reg. "Some sites are still in PhishTank because they had an active phish in the recent past and PhishTank hasn't purged the entries yet. But some major sites have been on the list for weeks to months.

"So some major websites are being used to lend credibility to phishing attacks. But the number of major sites involved isn't large. It's no longer an acceptable excuse to claim that 'everybody has that problem'. Only some have it, and they need to fix it."


Microsoft's December Patches Squash Security Bugs

Critical bug-fixes ship for Internet Explorer, DirectX, and Windows Media Format technology.

Microsoft has released its monthly set of security patches, fixing critical flaws in the Windows desktop.

The December updates released Tuesday include critical fixes for Internet Explorer, DirectX and the Windows Media Format technology. Security experts say that the most important of these updates is the Internet Explorer patch, because it fixes four separate bugs in the browser. One of these flaws, relating to the way the browser renders dynamic HTML (DHTML) pages, has been exploited in online attacks, Microsoft said.

All of the browser vulnerabilities in this update are rated critical -- Microsoft's most serious rating -- for IE 7 users running on the latest version of Windows XP, Microsoft said.

Though Microsoft has assigned it the less-grave rating of "important," a patch for Macrovision copy-protection software that ships with Windows should also be given priority, security experts say. That's because criminals have already leveraged this bug in online attacks.

The Macrovision issue first cropped up in mid-October, when Symantec spotted attackers exploiting the flaw, but Microsoft was not able to ship a fix for the problem in last month's security updates, released Nov. 13. The flaw could be used by attackers to allow their software to run at a higher level of privilege within the operating system.

The flaw lies in the secdrv.sys driver that is used by Macrovision's SafeDisc system, which ships with Windows XP and Windows Server 2003.

Microsoft also issued important updates for the Windows Vista Server Message Block (SMB) version 2 filesharing protocol, the Vista kernel, and the Message Queuing Service in XP and Windows 2000.

Microsoft did not fix a recently publicized flaw in the way its Windows operating system looks up other computers on the Internet. This bug, which was publicized at a hacker conference in New Zealand, has to do with the way Windows systems look for DNS (Directory Name Service) information under certain configurations.

Interestingly, the Vista SMB flaw lies in a feature that allows senders to digitally sign SMB data in order to confirm that it is legitimate. Because the signing feature is not properly implemented, however, "an attacker could modify SMBv2 packets and impersonate a trusted source to perform malicious operations," Microsoft said.

"It's a security vulnerability in a security feature," said Eric Schultze, chief technology officer of Shavlik Technologies, via instant message. "SMB version 2 was built for Vista and Windows Server 2008, so it should have been vetted in the code design process. But it obviously slipped through."

In all, seven sets of patches were released Tuesday, fixing 11 vulnerabilities.

Though Microsoft has made much of its efforts to develop more secure software, the company ended 2007 with about the same number of security updates that it had in the year before, according to security vendor Kaspersky Lab. "The situation in 2007 hasn't changed noticeably from 2006," wrote David Emm, a senior technology consultant with Kaspersky, in a blog post. "Last year there were 49 critical, 23 important, and 5 moderate updates. 2007 brought very slightly fewer patches, with 43 critical, 24 important, and 2 moderate fixes."


Microsoft Office Access File Open To Hacker Attacks

San Francisco, CA (AHN) - A U.S. government computer security watchdog warned companies using Microsoft Office Access that hackers may be targeting the application. The U.S. Computer Emergency Readiness Team (US-CERT) said earlier this week it is aware of "active exploitation" of Access database files.

Although the agency provided no details on the attacks observed, hackers could use the Access Database files to inject computer commands. Both Microsoft Internet Explorer and Outlook Express normally block the .mdb files, security vendor Symantec told InfoWorld.

As in previous warnings, Microsoft told users not to accept files from unknown sources.


A&M hacker gets 10-month federal sentence

A Texas A&M graduate has received a 10-month sentence for hacking into the university's computer system and capturing students' and faculty members' private account information.

Luis Castillo, 23, will serve five months in prison and the remaining five months of his sentence under house arrest, U.S. District Judge Kenneth Hoyt ruled Monday. The judge also ordered that Castillo pay restitution totaling $67,401 to the university.

University officials first discovered in February that the school's private computer network had been hacked several times.

A joint investigation with the FBI, university administration and law enforcement revealed that Castillo had logged onto the university's network from a residence in Oregon in that month, gaining unauthorized access to passwords and IDs.

"He is extremely remorseful," said Kirk Lechenberger, the Dallas-based attorney who represented Castillo. "Luis wants to make amends, wants to put this chapter behind him and make things right."


'Extortionist' turns Wi-Fi thief to cover tracks

An Australian man arrested in an undercover sting has been charged for allegedly tapping into home wireless networks so he could anonymously send threatening emails.

Police say the 22-year-old from Rockhampton, Queensland, had sent threatening emails to various individuals since August. To avoid detection, he connected to unencrypted Wi-Fi connections so the IP addresses couldn't be traced back to him. The practice is sometimes called piggybacking. He also spoofed the email address of Tony Sarno, editor of the APC Computer magazine.

At one point, investigators knocked on the door they believed belonged to the perpetrator, but later concluded the elderly couple living there had their wireless connection accessed by someone else.

The break in the case came last week after the suspect sent a letter demanding money be delivered to a park. Police arrested him there without incident. He has been charged with demanding property by threat and using a carriage service to threaten serious harm.


U.S. Eyes 'Pain Beam' for Home Security, Law Enforcement

Burglars break into an apartment, hoping to pick up some expensive electronics or jewelry. But they're out again, empty-handed, within seconds, howling with pain and surprise. They've been driven back by waves of intolerable heat: Entering the apartment is like stepping into a furnace. It's the Active Denial System, or ADS, at work, the ultimate in home protection ... among other uses.

Also known as the "pain beam," ADS is a revolutionary non-lethal weapon that uses microwaves to cause burning pain without injury. The 95-GHz waves only penetrate a fraction of an inch, heating the outer surface of the target's skin. According to the Air Force, nobody can tolerate the beam for more than five seconds, and improvised protection such as wrapping yourself in wet towels or tin foil is useless.

There have been repeated calls for ADS to be deployed in Iraq, but the military is bogged down in reviews of the technology. However, now that ADS exists, the pain beam's manufacturer is exploring domestic U.S. uses, like industrial- and home-security systems. The Department of Energy is looking at employing the technology to protect America's nuclear stockpile. Meanwhile, some U.S. law enforcement officials are eager to get their hands on the pain weapon, and the Department of Justice is funding a multimillion-dollar research project to give it to them.

"We seem to have no qualms about dropping bombs on people, but are afraid of being embarrassed if we accidentally hurt someone while trying to save their lives," says Charles "Sid" Heal, a commander at the Los Angeles County Sheriff’s Department "Those restrictions do not apply to the Department of Justice and we are zealously looking for ways of resolving confrontations without having to kill or seriously hurt our adversary."

A former Marine, Heal has tested Active Denial and believes it could be invaluable in situations like jail riots, where the searing pain could cow rebellious prisoners. His biggest problems are the system's size and price tag; it's currently mounted on a Hummer and costs millions of dollars, putting it far beyond the reach of police departments.

That's where the U.S. Justice Department comes in. The National Institute of Justice, the department's R&D branch, believes police need a cheaper, lightweight Active Denial system with shorter range. NIJ tested a prototype of such a system earlier this year, but the results of testing have not yet been revealed. A working device is expected to be delivered towards the end of 2008.

"NIJ is working with the developer of the ADS system, Raytheon, to modify its underlying technology for law enforcement and corrections application in a man-portable configuration with a desired range of a hundred feet," says Department of Justice spokeswoman Sheila Jerusalem.

Mike Booen, Raytheon's vice president of directed energy weapons, says the handheld version could progress rapidly if the demand is there. So far funding has only amounted to $2.5 million (compared to $100 million on the military version), and more money would speed the process of getting it into the field. Such a device might be a separate unit or might be mounted under a rifle.

Booen says the smaller system may fire short pulses rather than a continuous beam due to power limitations. Beam diameter will be much smaller than the Hummer-mounted version -- just a few inches, instead of six feet. But in tests, even one square inch of exposure produced the "repel effect," forcing the subject to get out of the way as quickly as possible.

A handheld ADS would deliver an intermediate level of force, between verbal commands and more drastic means such as pepper spray or Tasers. But some have concerns that it could be used to punish or torture suspects rather than control them. Pepper spray and Tasers have caused plenty of debate, and any police use of "pain compliance" methods invites controversy. A device that causes intense pain but leaves no physical or chemical traces could easily be abused.


Lost HMRC data sounds wake up call for security pros

Concerns about data loss are clearly a burning issue among enterprise information officers at present.

At the CSO Interchange – a forum for chief security officers – held in London recently, 60 per cent of the senior security professionals present professed to having only "some idea" as to where their customer data is stored and "limited controls" over it.

Alarmingly, nine per cent of those present had not even yet considered data loss as a specific issue, although 72 per cent see the impact of payment card loss on brand reputation as their biggest concern.

Speaking at the event, cross-bench peer Lord Erroll, a member of the House of Lords Science and Technology Committee, described the recent HMRC data breach as a "godsend".

"With luck the missing CDs have ended up in a landfill site, but this fiasco will force the government to start taking security seriously and the powers of the Information Commissioner's Office will be strengthened," he said.

Philippe Courtot, chairman and CEO of Qualys and co-founder of the CSO Interchange, added: "More than 70 per cent of the security professionals attending CSO Interchange indicated that securing their networks and therefore the confidentiality of their electronically stored data is now harder than ever. The HMRC breach and other recent media stories are forcing this into the open as a public issue. We must take these matters seriously and rethink the way security is provided online."

Managing risk was clearly seen as the biggest driver behind security strategy and executives know they need to improve at this. Half of those surveyed felt that they could do better at articulating the impact of risks within their organisation as well as the impact of mitigating them financially.

There was clear recognition too for the risks posed by insiders within their organisation – with 75 per cent citing this as greater than the risks from outsiders.


Ministry of Defence leaks counter terrorism traffic

For the past 20 months, the Ministry of Defence has been generous enough to provide detailed information about visits to its Counter Terrorism Science & Technology site.

We're not sure, exactly, what to make of the logs showing some of the site's most popular pages and most prolific visitors. On the one hand, such details aren't exactly state secrets. Then again, what possible benefit can come from volunteering statistics that show that the Bulgarian IP address 85.187.138.185 was the top visitor for the month of March, having accessed 668 files for a total of 3.5 MB worth of data?

Until late last week, usage stats as measured by an analysis program called Webalizer were freely available from April, 2006 through this month. We're guessing the disclosure was not intentional, because the information was quickly removed about a day after MOD admins were informed of the public pages. (The information is still available in search engine caches by using search strings such as http://www.ctcentre.mod.uk/usage/usage_200604.html, http://www.ctcentre.mod.uk/usage/usage_200605.html and so on.)

Besides showing top visitors, they list some of the site's most popular pages for each month. Last month, for instance, the Counter Terrorism site had just north of 15,000 page impressions, and its fourth most popular URL was this one relating to potential suppliers.

To be sure, disclosures such as these aren't likely to lead to the kinds of security nightmares that result when, say, a consultant "loses" a laptop containing personal information belonging to hundreds of thousands of individuals. At the same time, seemingly innocuous information like this can be precisely the kind of fodder gathered in footprinting exercises, in which attackers learn as much as possible about sites they intend to penetrate. Loose lips sink ships, as the saying goes.

"I think I can reasonably say that any conventional enterprise or government entity most likely intends to have policies in place that would consider IP addresses of visitors to be information not intended to be casually shared on the public internet," says security researcher Rodney Thayer of Canola & Jones.

The MOD is by no means the only website that has made its Webalizer logs available to the world. Running this search reveals tens, possibly thousands, of sites that allow anyone to view usage statistics. NASA, the US Army and a UK hospital are among them.
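A site operator can check their own access logs for this kind of exposure. The following is an added example, not code from the article or from Webalizer: it flags report pages under `/usage/` (the path pattern in the URLs quoted above) that were served successfully to clients outside an assumed set of internal networks. The log lines are constructed samples.

```python
import ipaddress
import re
from collections import defaultdict

# Start of an Apache/nginx combined-format line: client, identd, user, [time], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
# Report pages as they appear in the quoted URLs: /usage/usage_YYYYMM.html, plus the index.
REPORT_RE = re.compile(r'/usage/(?:usage_\d{6}\.html|index\.html)?(?:\?.*)?$')
# Assumption: only these networks (administrators) should be able to read the statistics.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "127.0.0.0/8")]

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostname or junk in the client field: treat as external
    return any(addr in net for net in INTERNAL_NETS)

def exposed_reports(lines):
    """Return {report path: sorted external client IPs} for reports that were actually served."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not REPORT_RE.search(m["path"]):
            continue
        status = int(m["status"])
        served = 200 <= status < 300 or status == 304  # content reached the client
        if served and not is_internal(m["ip"]):
            hits[m["path"].split("?", 1)[0]].add(m["ip"])
    return {path: sorted(ips) for path, ips in hits.items()}

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2007:09:14:02 +0000] "GET /usage/usage_200604.html HTTP/1.1" 200 48211 "-" "crawler"
10.1.2.3 - - [10/Dec/2007:09:15:40 +0000] "GET /usage/usage_200604.html HTTP/1.1" 200 48211 "-" "Mozilla"
198.51.100.22 - - [10/Dec/2007:09:16:11 +0000] "GET /usage/ HTTP/1.1" 200 9120 "-" "Mozilla"
198.51.100.22 - - [10/Dec/2007:09:16:30 +0000] "GET /usage/usage_200711.html HTTP/1.1" 403 512 "-" "Mozilla"
203.0.113.7 - - [10/Dec/2007:09:17:05 +0000] "GET /suppliers.html HTTP/1.1" 200 7001 "-" "crawler"
""".splitlines()

if __name__ == "__main__":
    for path, ips in sorted(exposed_reports(SAMPLE_LOG).items()):
        print(f"{path} served to external clients: {', '.join(ips)}")
```

Any non-empty result means the statistics directory needs access control or should be moved out of the web root; a 403 for external clients, as in the fourth sample line, is the desired outcome.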


Transport groups set 2-day strike

Transport groups in Iloilo, Capiz and Aklan will hold a two-day transport strike on Wednesday and Thursday (Dec. 12 and 13) to protest the continued increase of oil prices.

Public jeepneys, tricycles and small bus lines will stop plying their routes at midnight on Wednesday, said Edgar Salarda, secretary of the Iloilo City Alliance of Drivers Associations (Icada), the umbrella of around 18 associations of jeepney operators and drivers in the city and neighboring towns.

Salarda, also chair of the Pinag-isang Samahan ng mga Tsuper at Operator Nationwide (Piston-Iloilo), said similar transport strikes will be held in Aklan on Wednesday and Thursday and in Capiz on Thursday.

He said the income of drivers and operators has significantly dropped because of at least seven rounds of oil price increases since January this year amounting to P7.50 per liter.

This translates to a reduction in the daily income of drivers by P150 or P2,500 per month since they ply their routes for an average of 20 days per month, said Salarda.

The transport groups in Iloilo are also protesting the traffic rerouting experiment of the city government. They are calling for traffic regulation on private vehicles and a stop to the issuance of new franchises for public jeepneys.
