Best Buy 'framed' by pesky Windows virus

Big box retailer Best Buy has admitted that it sold digital picture frames over the festive period containing malicious software that targets Windows-based PCs.

The US electrical retail giant said that a "limited number" of the LCD panels were "contaminated with a computer virus during the manufacturing process". It sold the 10.4 inch flat-panel frames, which display digital images, under its in-house Insignia brand.

Earlier this week Insignia posted a product alert on its website warning Best Buy customers that although it had pulled the affected product with the model number NS-DPF10A from its stores and websites, some frames had already been bought that carried the malicious code.

However, it did not reveal how many had been sold to unsuspecting customers.

Best Buy also kept quiet on details of the malware that latches onto Windows operating systems, other than to say that it was an "older virus… easily identified and removed by current anti-virus software".

Best Buy said in a second notice that went up on Insignia's website on Wednesday that it was continuing to investigate the virus debacle and also dished out a helpdesk number for customers to call.

"We apologise for the inconvenience that has been caused as a result of this incident," said the company.

Earlier this month we reported on a growing number of incidents involving computer viruses and Trojan horse programs hitching a ride with digital photo frames.

Greece arrests man suspected of major data hacks

Greek police said on Friday they have arrested a man suspected of selling corporate secrets from France's Dassault Group, including data on weapons systems.

"This 58-year-old mathematician was wanted since 2002 after Dassault contacted Greek authorities," a police official, speaking on condition of anonymity, told Reuters.

"He is responsible for causing damages in excess of $361 million to the company and he has sold this corporate data, including information on weapons systems, to about 250 buyers through the Internet," the official said.

Police suspect the man of selling the data to buyers in Germany, Italy, France, South Africa, Brazil, as well as countries in Asia and the Balkans.

"The man hacked into the company's computer system and got possession of the data," the official said.

Police officers accompanied by computer experts raided the central Athens apartment the man was renting under an assumed name and said he was very competent in covering up his electronic footprints.

"He is one of the world's best hackers, using the nickname ASTRA, but we are also looking for an accomplice in the United Kingdom who helped him locate buyers online," the official said.

Dassault Group and its subsidiaries are a major player in civil aviation and the military sector.

The police official said the man would be taken to the prosecutors to be charged.

Rogue trader blows sox off control systems

The apparent ease with which a former software developer turned rogue trader was able to sink France's second-biggest bank into a €4.9bn ($7.2bn) hole has sparked questions about the effectiveness of risk analysis systems.

Jerome Kerviel, 31, a junior trader at Société Générale Paris headquarters, caused five times the damage as notorious rogue trader Nick Leeson, who ran up losses of £800m ($1.58bn) that resulted in the collapse of his employer Barings Bank in 1995. Kerviel created fictitious accounts to take risky positions in the derivatives market that resulted in huge losses as stock markets across Europe fell.

The losses, reckoned to represent the largest ever fraud by a single trader, have shaken a banking system already struggling with the effects of the US sub-prime lending crisis. The City of London is buzzing with rumours that the unravelling of Kerviel's risky positions, after SocGen discovered them last weekend, led to a drop in share prices across Europe, as market bears responded to an influx of sell orders by pushing markets further down.

SocGen maintains it will be able to weather the storm, with plans to raise €5.5bn ($8.01bn) in order to maintain liquidity. The bank continues to anticipate posting €800m ($1.176bn) profits for 2007.

Kerviel, described in reports as both intelligent and a troubled Walter Mitty-style fantasist, appears to have acted alone and without any personal financial benefit. He apparently joined the bank as a developer working on the middle office systems that control how much a trader, or group of traders, is allowed to risk.

"The total potential trades are just summed up, and matched against the limit for an individual/trading desk/company," an IT director at a leading investment bank told El Reg. "I say 'potential' since much may be offers to buy/sell rather than actual transfers. There's also some complex risk analysis processing, though I doubt that's relevant to SocGen."

The role gave Kerviel the knowledge of how to manipulate the system when he became a junior trader in 2005. His role as a hedger involved covering the bank's exposure to large losses by taking positions opposite to those taken out by more senior traders. Trading limits in the order of tens of millions of dollars ought to have been applied.

In December Kerviel removed limits on his personal trading positions and created fictitious customer accounts to balance the books, The Guardian reports. In December he took out a series of short positions, essentially betting that the market would fall. Not much happened. In January, Kerviel went the opposite way and gambled that the markets would rise, with disastrous results. He traded in futures contracts on three major stock markets in France, Germany and the Eurozone that involved highly-leveraged bets on the stock price of market-listed firms.

Kerviel seemed to believe that he had come up with a trading approach that would rake in huge gains for the bank and a fat bonus for himself. In reality he was acting like a woefully misguided gambler. His actions only came to light when one of his trading positions was flagged up on SocGen's internal system as going over his trading limit. After confessing responsibility when interviewed by senior executives last weekend, Kerviel has since gone AWOL amid expectation that SocGen will initiate legal proceedings against him.

Bank officials are puzzling over his motives.

Philippe Collas, from SocGen's global investment management division, said: "In December things were going very well for him, then he panicked, he gambled against the market, he started deliberately losing to try and hide it, to reduce the possibility he'd be caught. He made no money out of this, not a cent, this wasn't done to get rich. What was his motive? I don't know, maybe he wanted to prove himself. It's difficult to get money out of a bank, as soon as you try you will leave a trace."

SocGen is keen to describe the losses as "isolated and exceptional", but that has done little to subdue questions about why the fraud was not detected earlier. Société Générale is based in France but trades in Europe and in other parts of the world, including the US, where its shares are traded as ADRs. That presumably leaves it subject to controls applied by the Sarbanes-Oxley Act. In case you forgot, that is the regulatory regime introduced in the US in response to accounting scandals at WorldCom and Enron, among others.

A namedropping MSN Trojan is doing the rounds through MSN Messenger.

The IRCBOT-RB Trojan poses as messages containing links to pictures on social networking sites such as MySpace and Facebook. Typical come-ons involve messages such as "Wanna see my pictures before i send em to facebook?". Clicking on a link takes users to booby-trapped websites.

Unusually, the polyglot malware changes these messages according to the language of the affected operating system used. Compromised machines are infected by a simple bot agent that leaves the hardware hooked up to a central control server, awaiting instructions.

Anti-virus firm Trend Micro advises users to avoid the temptation to follow any links or pictures sent via MSN Messenger (unless you are sure of the origin) and to be suspicious of messages which refer to the use of social networking sites.

In other malware/social engineering news, Trend Micro reports that it took less than a day for VXers to redirect users who wanted to find out more about Brokeback Mountain actor Heath Ledger's untimely death to sites harbouring malware. The attack is similar to earlier attempts to populate Google search results with links to maliciously constructed sites.

Whitehall locks down laptops

The UK government has banned laptops leaving government buildings unless the contents are encrypted.

A series of catastrophic data leaks has caused the clampdown, after growing fears about the amount of personal data being lost by government employees.

The move is likely to lead to a boom in sales of encryption technology.

Cabinet Secretary Sir Gus O'Donnell said in an email to top civil servants on Monday: "From now on, no unencrypted laptops or drives containing personal data should be taken outside secured office premises.

"Please ensure that this is communicated throughout your organisation and delivery bodies and implemented immediately, and that steps are taken to monitor compliance."

The move will cause considerable disruption in the Civil Service as encryption is relatively uncommon in government systems.

"It is not a technical problem at all, as it is really very simple to use encryption," said John Dasher, director of product marketing at encryption firm PGP.

"Once you have the policy in place, the workforce adjusts. The problem is that too many people think that losing data could not happen to them."

Hacked embassy websites found pushing malware

Add embassy websites to the growing list of hacked internet destinations trying to infect visitor PCs with malware.

Earlier this week, the site for the Netherlands Embassy in Russia was caught serving a script that tried to dupe people into installing software that made their machines part of a botnet, according to Ofer Elzam, director of product management for eSafe, a business unit of Aladdin that blocks malicious web content from its customers' networks. In November the Ministry of Foreign Affairs of Georgia and the Ukraine Embassy website in Lithuania were found to be launching similar attacks, he says.

All three sites had been hacked to include invisible iframes that initiated a chain of links that ultimately connected to servers hosting malicious code, which was heavily obfuscated to throw off antivirus systems. The similarities led eSafe researchers to conclude the attacks were carried out by the same group. Elzam speculates the group has ties to organized crime in Eastern Europe.

The findings come as Websense, a separate security firm that's based in San Diego, recently estimated that 51 per cent of websites hosting malicious code over the past six months were legitimate destinations that had been hacked, as opposed to sites specifically set up by criminals. Compromised websites can pose a greater risk because they often come with a degree of trust.

Stories reporting security vulnerabilities frequently carry the caveat that an attacker would first need to lure a victim to a malicious website. Poisoning the pages of a legitimate embassy or ecommerce website would be one way to carry that out.

Frequently, the compromised websites launch code that scours a visitor's machine for unpatched vulnerabilities in Windows or in applications such as Apple's QuickTime media player. Such was the case in two recent hacking sprees (here and here) that affected hundreds of thousands of sites, including those of mom-and-pop ecommerce companies and the City of Cleveland.

But in the case of the Netherlands Embassy, the attackers simply included text that instructed visitors to download and install the malware. Of course, no self-respecting Reg reader would fall for such a ruse. But sadly, Elzam says, because the instruction is coming from a trusted site, plenty of less savvy users do fall for the ploy. Saps.

"Using social engineering is almost fool proof," he says. "My mother would fall for that because she is really conditioned to click on OK when she's asked to do something like that."

Google and eBay thwart phishing redirection ruse

High-profile websites have cleaned up their act after a small team of security researchers documented how they were unwittingly helping phishing fraudsters.

Phishing scams often use "open redirector" exploits on major sites to make their attack URL look more legitimate. The trick also makes it more likely that fraudulent emails that form the basis of phishing attacks will slip past spam filters.

Typically, security shortcomings on targeted sites allow scammers to furnish links that appear kosher but actually redirect to a fraudulent site.
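The fix on the site side is to stop treating the redirect parameter as trusted. Below is an added example (not code from SiteTruth, Google, eBay or any of the sites named in the article) of a redirect-target check that refuses the forms phishers rely on: absolute URLs to foreign hosts, scheme-relative `//host` targets, backslash variants, `user@host` tricks and non-HTTP schemes. The allowed hostnames are constructed placeholders. A deliberately weak prefix check is included for contrast.

```python
from typing import Iterable, Optional
from urllib.parse import urlsplit, urlunsplit

# Hosts this site is willing to redirect to. Constructed for the example; a real
# deployment would read these from configuration.
ALLOWED_HOSTS = {"www.example-bank.test", "login.example-bank.test"}

FALLBACK = "/"


def naive_is_local(requested: str) -> bool:
    """The kind of prefix check that open-redirector bugs typically come from.
    It accepts "/\\evil.test/..." because it never normalises backslashes,
    and browsers treat the backslash as a slash."""
    return requested.startswith("/") and not requested.startswith("//")


def safe_redirect_target(requested: Optional[str],
                         allowed_hosts: Iterable[str] = ALLOWED_HOSTS) -> str:
    """Return a same-site redirect target, or FALLBACK if the request is unsafe.

    The redirect parameter is attacker-controlled, so every branch is about
    refusing anything that could land the user on a host we do not own.
    """
    if not requested:
        return FALLBACK
    # Browsers treat backslashes as slashes; control characters can smuggle a
    # scheme or host past string checks, so reject them outright.
    cleaned = requested.strip().replace("\\", "/")
    if any(ord(ch) < 0x20 for ch in cleaned):
        return FALLBACK

    parts = urlsplit(cleaned)

    # Only http(s) targets are acceptable; javascript:, data: etc. are refused.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return FALLBACK

    path = parts.path or "/"
    # A path beginning "//" would itself be read as scheme-relative by the
    # browser once we strip the host below, so it is never returned.
    if path.startswith("//"):
        return FALLBACK

    if parts.netloc:
        # Absolute or scheme-relative URL: hostname (not netloc, which may carry
        # "user@") must be exactly one of ours; suffix matching is not enough.
        host = (parts.hostname or "").lower()
        if host not in set(allowed_hosts):
            return FALLBACK
        # Normalise to a relative path so the Location header never echoes the
        # attacker-supplied authority component.
        return urlunsplit(("", "", path, parts.query, parts.fragment))

    # Relative target: must be an absolute path on this site.
    if not path.startswith("/"):
        return FALLBACK
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs, some benign and some phishing-style.
    for sample in ["/account?tab=1", "https://www.example-bank.test/settings",
                   "//evil.test/login", "/\\evil.test/login",
                   "https://www.example-bank.test.evil.test/", "javascript:alert(1)"]:
        print(f"{sample!r:50} -> {safe_redirect_target(sample)!r}")
```

Returning a relative path even for an allowed absolute URL is deliberate: it means the only host that can ever appear in the redirect is the one the browser is already talking to, so a later mistake in the allowlist cannot reintroduce the problem.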

Previous Register stories have covered examples of the ruse practiced on websites including Barclays Bank (story here), eBay (here), and others.

A campaign by SiteTruth to name and shame high profile firms that fail to block open redirector exploits is beginning to bear fruit.

SiteTruth cross-referenced the 10,000 sites listed in PhishTank (a clearing house for reports about phishing sites) with the 1.7 million sites in the Open Directory Project database to discover a list of problem domains. Domains listed typically have a security vulnerability which is being exploited by phishing fraudsters.

URL redirection isn't the only category for listing in this blacklist (hosting or otherwise unwittingly helping phishing scams also counts), but the sites allowing URL redirection included many high-profile organisations that ought to know better, including Google Maps, AOL, and eBay.

Recent updates by Google Maps and eBay since we wrote about SiteTruth's work have nipped the problem in the bud. Other organisations, such as AOL, are yet to address the problem. Nonetheless, SiteTruth is happy at making inroads into the number of high-profile sites open to abuse.

"You'll be pleased to know that the combination of your article, our reports, efforts at the Anti-Phishing Working Group, and a certain amount of nagging on our part has made a considerable dent in the 'open redirector' problem," SiteTruth's John Nagle told El Reg. Google fixed its problem last week, and currently has no active phishing attacks listed in PhishTank. eBay also cleaned up its act and it too is now out of the tank.

AOL, however, is yet to clear up its problem, first reported earlier this month, that allows open redirector exploits (harmless example that redirects from AOL to El Reg here).

That's just one example that illustrates the problem is a long way from being resolved. Nonetheless, SiteTruth's list of problem domains is shrinking.

"Our list of major sites with exploited vulnerabilities, not all of which are open redirectors, has been shrinking as the word gets out. There were 171 problem domains in early December, and we're down to 54 today. Publicity is working," Nagle added.

Phishing sites come and go rapidly, but some problematic domains have become a fixture of SiteTruth's phishing blacklist.

"Only 16 of those domains have been on our list since its inception in late November. Most of those are DSL service providers inadvertently providing connections for computers hosting phishing attacks. The others come and go as phishers find vulnerabilities and site operators plug the holes," Nagle concluded.

Mozilla confirms Firefox proof of concept information leak vulnerability

Mozilla’s security chief Window Snyder has confirmed a proof-of-concept information leak flaw in Firefox, one that affects even fully patched versions.

Snyder confirmed the issue in a blog post. The proof of concept vulnerability was highlighted by researcher Gerry Eisenhaur on Jan. 19. In a nutshell, Firefox leaks information that can allow an attacker to load any javascript file on a machine.

Technically, it’s a chrome protocol directory traversal. Snyder explains:

When a chrome package is “flat” rather than contained in a .jar the directory traversal allows escaping the extensions directory and reading files in a predictable location on the disk. Many add-ons are packaged in this way.

A visited attacking page is able to load images, scripts, or stylesheets from known locations on the disk. Attackers may use this method to detect the presence of files which may give an attacker information about which applications are installed. This information may be used to profile the system for a different kind of attack.

Some extensions may store information in Javascript files and an attacker may be able to retrieve those. Greasemonkey user scripts may be retrieved using this method. Session storage and preferences are not readable through this technique.
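The distinction Snyder draws between "flat" and .jar-packaged add-ons comes down to whether a requested path is confined to the package. As an added illustration (not Mozilla's code, and not how Firefox itself resolves chrome:// URLs), the function below shows the containment check that a loader serving files from an unpacked directory needs: the resolved path must stay at or below the package root, so `../` sequences cannot reach a predictable location elsewhere on the disk. The package root used in the example is a constructed path.

```python
from pathlib import Path, PurePosixPath
from typing import Optional


def resolve_in_package(package_root: str, requested: str) -> Optional[str]:
    """Map a path requested from a flat (unpacked) package onto the filesystem.

    Returns the real path if it lies inside the package directory, otherwise
    None. Resolution happens before the check so that "..", repeated slashes
    and symlinks inside the package are all accounted for.
    """
    root = Path(package_root).resolve()

    rel = PurePosixPath(requested)
    # An absolute request cannot be relative to the package; refuse it.
    if rel.is_absolute():
        return None

    candidate = (root / rel).resolve()

    # Containment: the candidate is the root itself or has the root among its
    # ancestors. A plain string-prefix test would wrongly accept a sibling
    # directory whose name merely starts with the root's name.
    if candidate != root and root not in candidate.parents:
        return None
    return str(candidate)


if __name__ == "__main__":
    # Constructed package location and sample requests.
    ROOT = "/srv/extensions/example-addon"
    for req in ["content/overlay.js", "../../etc/passwd",
                "content/../../other-addon/secret.js", "/etc/hosts"]:
        print(f"{req!r:45} -> {resolve_in_package(ROOT, req)!r}")
```

A .jar-packaged add-on sidesteps the issue because reads go through the archive's own entry table rather than the filesystem, which is why the flat layout is the one that leaks.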

Mozilla gives the flaw a low severity rating for now, but add-ons such as Download Statusbar and Greasemonkey are vulnerable. Expect this vulnerability to get patched, low risk or not. Mozilla has opened a bug.

Attackers favor compromise over creation

For the first time, legitimate Web sites compromised by attackers made up the majority of sites used to spread malicious programs, security firm Websense said in a report published on Tuesday.

During the second half of 2007, the share of malicious sites that were compromised legitimate sites climbed to 51 percent, making them a more common way to spread code than sites created by attackers, Websense said in its research highlights. Mass website attacks aimed at creating online points of infection have become more common in the past year, including major incidents in March and November.

"These sites pose a significant risk because many security companies rely on Web site reputation to protect customers," the company stated in the report. "Compromised sites have a good reputation, plus they have a built-in group of visitors to the site."

In the past, massive attacks aimed at Web sites typically involved defacements by online vandals. Yet, as online crime increasingly becomes motivated by profit, defacements have given way to finding ways to insert iframe redirection code or compromise a site to host malicious software. Earlier this month, for example, security firm Finjan warned that hackers had bypassed security on at least 10,000 legitimate domains to install the Random JS infection toolkit.

At least one other firm estimated that hacked legitimate sites surpassed maliciously-created Web sites some time ago. In its January Malicious Page of the Month report, Finjan stated that in the middle of 2007, legitimate sites made up 80 percent of all malicious sites.

In the latest study, 18 percent of the sites specifically created by online fraudsters appeared to have been created by software toolkits sold on the Internet, according to Websense. In addition, the company found that seven out of eight e-mail messages were spam, and two-thirds of those messages contained links to malicious sites.

Wii Hack Simulates Microsoft Surface

Microsoft's Surface technology sure is nifty, but it's going to cost a pretty penny. Oh, and its real-world applications are a bit questionable, too. But this Wii-mote hack, done in the Johnny Lee style, does its best to recreate the Surface tech without leaving greasy fingerprints. Maestro, as its creators at Cynergy have named it, requires a Wii remote and a pair of LED gloves—soon to be obsolete when we have the diodes embedded in our fingertips in the not too distant future—in order to work. More details are available by pressing play or visiting the YouTube page on the matter.

Hackers KO Panama's National Assembly website

The website of Panama's National Assembly has been out of action since 9 January after hackers briefly posted the US flag there.

According to Reuters, unnamed officials accordingly suspect the attack may have come from the US, possibly provoked by the election to the legislature's presidency last September of Pedro Miguel Gonzalez - wanted in the States for the 1992 murder of US Army Sergeant Zac Hernandez.

The US strongly opposed Gonzalez's candidature, and high-profile politicians including Hillary Clinton have "vowed not to ratify a pending free trade deal with Panama unless Gonzalez is removed from his post".

Suspicions that US hackers are behind the cyber invasion are reinforced by the fact that the assault came on Panama's "Martyrs' Day", on which the country remembers the deaths of roughly 20 people in 1964 in clashes between anti-US protesters and American soldiers protecting the Panama Canal Zone.

MoD launches inquiry into laptop theft

Defence Secretary Des Browne has launched an official inquiry into military security after the loss of a Royal Navy laptop containing the personal details of 600,000 people.

Browne also revealed that two other laptops had been stolen, one in Manchester in October 2006 and one in Edinburgh in December 2000, neither of which were brought to light until now.

The Conservative Party lambasted Browne over the loss during a parliamentary meeting, producing statistics claiming that more than 600 Ministry of Defence laptops and PCs had been stolen since 1998.

Shadow Defence Secretary Dr Liam Fox said: "In many ways this is worse than the loss of the child benefit records because we know this fell into criminal hands."

Data security firms have also slammed the government over yet another loss of data, pointing out that the information could have been protected in a number of ways.

Joe Fantuzzi, chief executive at security firm Workshare, believes that UK citizens should be given a timeline for tackling data breaches, which continue to put people's identity and privacy at risk.

"The latest data breach which has resulted in the loss of MoD data affecting 600,000 people is shocking," said Fantuzzi.

"After the HMRC scandal we would have thought that the government would put safeguards on information such as passport details, National Insurance data and NHS numbers with more care."

Fantuzzi added that the government continues to come under fire for information loss, but appears reluctant to introduce data breach regulation which would result in more punitive measures for such serious losses of data.

Jamie Cowper, director of marketing in EMEA at PGP Corporation, warned that policies, procedures and training will take time and money to implement, and that laptops will continue to be lost.

"Organisations must make it an absolute priority to start proactively defending electronic information now," he said.

Alan Bentley, EMEA vice president of Lumension Security, agreed that educating employees over the risks of data theft needs to be tackled.

"At the heart of all the recent data losses is a lack of awareness and coherence in security policies," he said.

"The 'human factor' is often the weakest link in any security armour and the MoD is no exception to this rule. The laptop stolen on 9 January failed to meet the specific requirements of its security policy, i.e. to encrypt data carried on laptops."

Bentley warned that organisations holding sensitive data should lock down their databases so that employees cannot download data onto mobile devices and take them off the premises.

Zune hack lets you use iTunes

If you’re already using a Zune, you’re obviously using the Zune software and probably have no need for iTunes or other programs. But if, for some reason, you feel the need to use iTunes, or if you just want the freedom to choose what software to use - then you’re going to like this one. There’s a hack called zAlternator that lets your Zune work with iTunes and programs like Windows Media Player, Winamp, and Mediamonkey. Save for iTunes, all of the programs have been tested by the guys at the Zune forums and seem to be working well.

Before you try to sync your Zune to another program, you’ll need to manually unlock it first. Here’s how you do it, courtesy of our source:

1. Start up the Zune program
2. Get media and start a sync to your Zune
3. When your Zune is displaying the “synchronizing” screen, end the Zune process through Windows Task Manager
4. Fire up zAlternator and set Zune to use a different program

BT denies routers still vulnerable to months-old hack

BT has denied claims made by an "ethical hacker outfit" that the telecommunication company's wireless routers are vulnerable to hijacking by fraudsters.

The hackers, who call their organisation GNUCitizen, posted a blog on Monday that claimed users of BT's Home Hub routers could be conned into making premium-rate VoIP calls, due to the continued existence of a security hole in the router's firmware.

"In summary, if the victim visits our evil proof-of-concept web page, his/her browser sends an HTTP request to the BT Home Hub's web interface," read the post. "After this, the Home Hub starts a VoIP/telephone connection to the recipient's phone number specified in the exploit page. This is what the attack looks like: the victim's VoIP telephone starts ringing and shows an external call message on the LCD screen along with the recipient's phone number. However, what's interesting is that, from the point of view of the victim, it looks like he/she is receiving a phone call from the number shown on the screen, but in fact he/she is calling that number!"

The demonstration, shown on a YouTube video, follows a similar GNUCitizen announcement in October 2007. At that time, the hackers demonstrated a backdoor exploit to "control the router remotely", disable the router's wireless capabilities and steal the WEP/WPA passkey.

A spokesperson for BT told ZDNet.co.uk on Tuesday that GNUCitizen's latest exploit was the "same thing" as last year's exploit. "This particular vulnerability was resolved several firmware updates ago and it is no longer possible to do this," said the spokesperson.

However, Petko Petkov, one of the GNUCitizen hackers, subsequently denied BT's claim. Speaking to ZDNet.co.uk, he said the routers that had been hacked were still on firmware version 6.2.6.B. The latest version of the firmware, which BT started pushing out to Home Hub users on 12 December last year, is 6.2.6.E.

"Up until now, our testing Home Hub routers are still version 6.2.6.B, which means that no updates have been carried out by BT's firmware upgrade facilities," said Petkov. "Therefore, the attack, although based on CSRF and authentication-bypass vulnerabilities discussed back in September 2006, is very relevant today."

"I just want to stress that this is not the same hack that we exposed last year, but rather a side effect that occurs due to the fact that no upgrades/patches have been applied by BT to close [the flaws exposed in] our earlier security reports," Petkov added.

Asked about this counterclaim, BT's spokesperson maintained that the "alleged vulnerability was fixed in a firmware upgrade which we rolled out to BT Home Hub users last year".

"I'm not sure what's happening with [GNUCitizen's testing routers]. That's what we've done and, as far as we're concerned, the matter is closed," said BT's spokesperson. "No customers of ours have been, or are ever likely to be, affected by this."
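The attack GNUCitizen describes works because the router's web interface acts on any request the victim's browser sends, including one a third-party page caused it to send. The standard defence is to tie state-changing requests to the device's own pages. Below is an added example (not BT's firmware, not GNUCitizen's code, and not a description of how the Home Hub actually behaves) of the two checks an embedded web interface can apply before it performs an action such as placing a call: the request's Origin (or Referer) must name the device, and the form must echo a per-session token that a foreign page cannot read. Device origins and the session token are constructed values; the authentication-bypass half of the reported issue is outside this example.

```python
import hmac
import secrets
from typing import Mapping
from urllib.parse import urlsplit

# Origins from which the device's own admin UI is served. Constructed for this
# example; a real device would derive them from its configured addresses.
DEVICE_ORIGINS = {"http://192.168.1.254", "http://router.example.test"}


def new_csrf_token() -> str:
    """Issue a per-session secret; the UI embeds it in every state-changing form."""
    return secrets.token_urlsafe(32)


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def request_origin(headers: Mapping[str, str]) -> str:
    """Best available statement of where the request was initiated.

    Origin is preferred; older browsers may send only Referer, from which the
    scheme and host are taken. With neither present the origin is unknown."""
    origin = _header(headers, "Origin")
    if origin:
        return origin
    referer = _header(headers, "Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return ""


def state_change_allowed(headers: Mapping[str, str], form: Mapping[str, str],
                         session_token: str) -> bool:
    """Gate for any request that changes device state (dial a number, alter
    wireless settings, ...). Both checks must pass:
      1. the request originated from the device's own UI, not another site;
      2. the form carries the token issued to this session."""
    if request_origin(headers) not in DEVICE_ORIGINS:
        return False
    supplied = form.get("csrf_token", "")
    # Constant-time comparison so timing does not leak the token byte by byte.
    return hmac.compare_digest(supplied, session_token)


if __name__ == "__main__":
    token = new_csrf_token()
    # Constructed requests: one from the device UI, one triggered by a foreign page.
    legit = ({"Origin": "http://192.168.1.254"}, {"number": "0123", "csrf_token": token})
    forged = ({"Origin": "http://attacker.example"}, {"number": "0900"})
    print("legit  ->", state_change_allowed(*legit, token))
    print("forged ->", state_change_allowed(*forged, token))
```

The origin check alone is not enough, since some clients omit both headers, and the token alone is not enough if the UI ever leaks it into a GET URL; requiring both keeps a cross-site form post from passing even when one of the two signals is missing or stale.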

Linux attack worse than feared

Security researchers claim that a mass attack of websites is much worse than was feared. According to ScanSafe, the attack has affected at least 10,000 sites.

When the attack was first publicised, last Monday, Mary Landesman, a senior security researcher at ScanSafe said that she had uncovered hundreds of sites which had been hacked and were feeding exploits to visitors. However, Don Jackson, a senior researcher with Atlanta-based SecureWorks claimed that the real number was considerably larger.

According to ScanSafe's data, approximately 10,000 sites hosted on Linux servers running Apache have been compromised, most likely with purloined log-in credentials. Those servers have been infected with a pair of files that generate constantly-changing malicious JavaScript. When visitors reach the hacked site, the script calls up an exploit cocktail that includes attack code targeting recent QuickTime vulnerabilities, the long-running Windows MDAC bug, and even a fixed flaw in Yahoo Messenger.

If the visitor's PC is unpatched against any of the nine exploits Jackson listed, it's infected with a new variant of Rbot, the notorious backdoor Trojan he called "a very nasty piece of software." The end result: the PC is added to a botnet.

Jackson can't prove how the sites were originally hacked, but all the evidence points to the theft of log-on credentials; one reason he came to that conclusion is that hosts that have been cleaned of the infection - or in some cases even had Linux reinstalled - are quickly reinfected.

"There was no sign of brute forcing [of passwords] just prior to the infection," said Jackson, "but attackers hosting companies are hit all the time with password attacks. It's part of doing business."

Last week, ScanSafe's Landesman drew a link between the security breach at UK-based Fasthosts and the site hacks, saying then that the domains ScanSafe had found infected had, or had recently had, a relationship with Fasthosts.

Fasthosts denied such a cause-and-effect, and cited what it called "technical discrepancies" with Landesman's claims, but said it was investigating nonetheless.

Friday, Landesman said more data during the week had made her change her mind about the link to Fasthosts. "There are a great deal more of these [compromised] sites than earlier," she said. "There are a number of them that can be traced to Fasthosts, but not all of them do."

Like Jackson, Landesman remained convinced that the hacks were possible because of stolen log-on usernames and passwords. "From everything we have it does point to some kind of compromise of usernames and passwords," she said. "My theory remains that the eventual source of the compromise is going to be a fairly finite number [of hosting companies]."

Jackson stressed that while the site hacks were done sans a true vulnerability, the Apache feature used by the hackers - "dynamic module loading" - is little known by most site administrators, making it extra difficult for all infected sites to cleanse themselves.

More to the point, said Jackson, administrators must change every password on the infected server; failing to do so has led to quick reinfections on some hosts. "All passwords must be changed," he said, "not just FTP and Cpanel passwords." There's some evidence, he said, that other passwords besides those for FTP and Cpanel - a popular server control panel program - have been used to access the hacked sites.

Other clues led Jackson to speculate that the attackers are not the usual cyber criminals based in Russia or China, but are likely from North America or western Europe. The code for the hacking and file upload tools lacks any comments written in Russian or Chinese, which is normally the case when an attack originates in Russia or China. Instead, the comments and code snippets are in English only. "Almost all the hacking business in western Europe is done in English," Jackson said, mentioning Germany specifically.

Users can protect themselves from attack by making sure all software on their systems is patched and that their security software signatures are up-to-date. Website administrators, on the other hand, should disable dynamic loading in their Apache module configurations.

Personal data for 650,000 customers vanishes into thin air

Personal information belonging to more than 650,000 US customers of J.C. Penney and other retailers is at risk after the company hired to safeguard the data lost a backup tape.

The information, which was entrusted to a company called GE Money, included social security information for about 150,000 people. The data was on a backup tape that was discovered missing in October from a warehouse maintained by storage company Iron Mountain. While there is no indication the tape was stolen, company officials have been unable to locate it, either.

In a twist of irony, the revelation of the missing information coincided with the debut of a mini documentary on cyber crime in which the chairman and CEO of J.C. Penney, Mike Ullman, speaks about the growing risk posed by online thieves.

At one point in the 20 minute-film, which was produced by security provider Fortify Software, he acknowledges that criminals are actively probing server code for mistakes that will allow them to access J.C. Penney information. He makes no mention of vulnerabilities relating to physical security or business partners.

The disclosure comes a year after TJX Cos., owner of the T.J. Maxx and Marshalls retail chains, suffered a server breach that exposed personal information for as many as 100 million people. Despite its being the world's biggest credit card heist ever, and despite revelations that its security measures failed to meet credit card industry requirements, there has been little measurable backlash against the company. TJX stock has lost less than 1 per cent over the past year, compared with a 6 per cent decline in the S&P 500.

GE Money has offered to pay for 12 months of credit monitoring for anyone whose social security number was lost.

According to the Associated Press, a letter signed by GE Money President Brent P. Wallace reads in part that J.C. Penney "was in no way responsible for this incident


Montana Governor Foments Real ID Rebellion


Montana governor Brian Schweitzer (D) declared independence Friday from federal identification rules and called on governors of 17 other states to join him in forcing a showdown with the federal government, which says it will not accept the driver's licenses of rebel states' citizens starting May 11.

If that showdown comes to pass, a resident of a non-complying state could not use a driver's license to enter a federal courthouse or a Social Security Administration building nor could he board a plane without undergoing a pat-down search, possibly creating massive backlogs at the nation's airports and almost certainly leading to a flurry of federal lawsuits.

States have until May 11 to request extensions to the Real ID rules that were released last Friday. The rules require all current identification holders under the age of 50 to apply again with certified birth and marriage certificates. They also standardize license formats, require states to interlink their DMV databases and require DMV employees to undergo background checks.

Extensions push back the 2008 deadline for compliance as far out as 2014 if states apply and promise to start work on making the necessary changes, which will cost cash-strapped states billions with only a pittance in federal funding to offset the costs.

Last year Montana passed a law saying it would not comply, citing privacy, states' rights and fiscal issues.

In his letter (.pdf) to other governors, Schweitzer makes clear he's not going to ask for an extension.

"Today, I am asking you to join with me in resisting the DHS coercion to comply with the provisions of REAL ID," Schweitzer wrote. "If we stand together either DHS will blink or Congress will have to act to avoid havoc at our nation's airports and federal courthouses."

But Homeland Security spokeswoman Laura Keehner says DHS has no intention of blinking.

"That will mean real consequences for their citizens starting in May if their leadership chooses not to comply," Keehner said. "That includes getting on an airplane or entering a federal building, so they will need to get passports."

Keehner says DHS's policy won't change even if Georgia -- one of the 17 states that has signaled strong opposition to the rules -- declines to apply for an extension.

If that scenario came to pass, every Georgian who flies out through the nation's busiest airport -- Atlanta-Hartsfield International -- would have to be patted down by Homeland Security agents and have his carry-on bag hand-screened, likely resulting in massive delays.

Keehner also suggests that patted-down citizens will turn their wrath not on the feds but on their state government.

For his part, Schweitzer wants Congress to step up and pass alternative legislation that would stop Real ID and reinstate a commission that was working on driver's license rules before the REAL ID Act was slipped into must-pass defense legislation in 2005. That legislation assigned DHS the task of setting the rules single-handedly.

Keehner is adamant that the rules will make the country safer and that the price tag is not too high.

"The ability to get false identification must end, and Real ID is that step," Keehner said.

Privacy groups counter that the rules create a de facto national identification card and won't stop terrorism or identity theft.

For his part, Schweitzer struck back at DHS statements he obviously considers arrogant.

"I take great offense at this notion we should all simply 'grow up'," Schweitzer wrote, referring to Thursday remarks from DHS Secretary Michael Chertoff about border rules regarding Canada. Schweitzer says those remarks "reflect DHS (sic) continued disrespect for the serious and legitimate concerns of our citizens."

A DHS policy maker suggested earlier this week that Real IDs could also be required to buy cold medicine and to prove employment eligibility.

Schweitzer's letter went out to the governors of Colorado, Georgia, Idaho, Maine, New Hampshire, Oklahoma, South Carolina, Arizona, Hawaii, Illinois, Missouri, Nebraska, Nevada, North Dakota, Pennsylvania, Tennessee, and Washington.


Malware writers gear up for bumper 2008

Security experts have warned users to focus on securing their whole online lifestyle in 2008.

Care should be taken in all aspects of online services, including bill payments, shopping and stock trading, and not just in the use of social networking and gaming sites.

"Social engineering will still be the preferred method to lure people into infecting their computer or giving away password information, but the approaches will become much more sophisticated," said Diego d'Ambra, chief technology officer at SoftScan.

"As criminals redouble their efforts to improve response yields and ultimately increase turnover, we expect to see highly targeted spam with content written specifically for the recipient."

D'Ambra believes that the majority of information used to create spam messages will be collected from online services, which often hold private and financial data that can be exploited.

Phishing attacks are also likely to have a makeover in 2008. Links will redirect users to spoofed sites that display trust symbols such as the padlock icon, allowing the criminal to lull the user further into a false sense of security.

Popular websites that include content and links from a large range of third parties will be high on the target list for malware writers, according to SoftScan.

Attacks have already seen advertising content providers inadvertently delivering malware via infected adverts. SoftScan expects this type of threat to develop further during 2008.

"Botnets will continue to play an important part in the dissemination of spam and other types of attack, and their 'success' may well inspire others to start their own business," said d'Ambra.

"If this occurs, we will also see criminals developing malware to try to harvest each other's bots, proving that there is no honour among thieves in the online world."

At the same time, SoftScan expects to see plenty of old tricks in 2008. The Olympics, European Soccer Championship and the US Presidential election will be popular subjects for malware emails.

In addition, spammers will continue to use obfuscation techniques to beat anti-spam filters by using video clips and the like to deliver messages.


SEC urged not to revive 'terrorist' watch list

Two business groups urged the U.S. Securities and Exchange Commission on Friday not to reinstate a Web tool aimed at helping investors identify companies with investments in countries the United States designates as "sponsors of terrorism."

"This is the kind of thing that prompts companies to go somewhere else," said William Reinsch, president of the National Foreign Trade Council, which represents major U.S. corporations.

The SEC is seeking comment about whether to reinstate some kind of mechanism that would make it easier for investors to find out if a company has any business in or with countries that are designated by the U.S. government as "state sponsors of terrorism."

In July, the agency suspended its Web site search tool after heavy criticism from lawmakers and business groups who called the tool unfair and said it portrayed firms in a misleading and negative light. At the time, the SEC said it would revamp the tool so it would more accurately reflect a company's activities in the countries.

The online tool had allowed visitors to the SEC's Web site to search for companies whose annual reports contain references to business related to Sudan, Syria, North Korea, Iran, and Cuba.

"Sensitive judgments have to be made and the SEC is the wrong place to be doing it," said Todd Malan, president of the Organization for International Investment, which represents foreign companies.

Both the National Foreign Trade Council and the international investment group are urging the SEC not to do anything. "We're sort of saying: it ain't broke, so why fix it," Reinsch told reporters.

The SEC set a January 22 deadline for investor groups, companies, and individuals to offer comments and suggestions.


White House routinely destroyed emails

THE BUSH administration has destroyed countless emails during a crucial part of US history in the interests, it claims, of saving disk space.

According to the Washington Post, the mails related to the first three years of the Bush administration.

Problems that Bush faced were little issues like the Iraq war, the leak of former CIA officer Valerie Plame Wilson's name and the CIA's destruction of interrogation videotapes.

Any hope of history finding answers to those questions in emails has been squashed because, while the White House felt it was important to back up the emails, it claims it felt it could save a few quid by wiping them.

Classically, White House spokesman Tony Fratto said he has "no reason to believe" any e-mails were deliberately destroyed because the wiping was routine.

Apparently the most powerful office in the land used the same backup tape each day to copy new as well as old e-mails, he said, making it possible that some of those e-mails could still be recovered even from a tape that was repeatedly overwritten.

For some reason, this state of affairs was not noticed until the White House was involved in a couple of court cases.
