A proposal for the suggested data retention law is already in the works and may now be extended to affect Web hosting sites and domain name registries. Last week US Attorney General Alberto Gonzales urged Senate to pass the data retention law as an aid in combating online child pornography. He also stressed for a need to increase current administrative subpoena powers and tighter money laundering laws to keep track of who is financing child pornography sites.

Such a law is meant to help combat crime and terroristic activity. The proposed law does not require the content of these communications to be preserved, only the logs of e-mail, Internet, phone activity and other identifying information useful for locating a customer. This data can only be accessed by court order similar to cases involving physical searches.

Privacy and industry groups are opposed to the proposal saying existing laws are sufficient for law enforcement. A 1996 federal law requires Internet providers to retain records for up to 90 days at the request of a government entity, while another law requires child pornography sightings to be reported. Civil liberties groups oppose this move, arguing that the information can be used for other purposes. ISP providers are also pointing out the increased costs of keeping and holding this increase in data. It is not clear just who will end up shouldering this cost.

The European Union had already passed a similar data retention law in 2005 requiring all telephone and Internet traffic to be stored from a period of six months up to two years.

Tags: News, Real-World Issues

Categories: News, Real-World Issues

Comments Off

Mozilla’s Firefox has the most number of vulnerabilities at forty seven, followed by Microsoft Internet Explorer’s thirty eight. This is an increase from last year’s record of 17 and 25, respectively. Even Apple’s Safari doubled its vulnerabilities to twelve, but Opera’s bugs decreased from nine to seven. IE remains as the most targeted web browser, accounting for 47% of all attacks. In second place (31%) are attacks exploiting the same vulnerabilities in multiple browsers, and Firefox placed third with 20 percent.

Despite the higher number of bugs, Mozilla ranks first in issuing patches, averaging only a day after public disclosure. Opera and Safari closely follows, while IE ranks last, avering nine days per patch. As for operating system patches, Sun has the highest patch development time at 89 days, while Microsoft ties with Red Hat for the shortest at 13 days.

7 out of every 10 new vulnerabilities uncovered from January through June were bugs in Web applications, and four-fifths of these were easily exploitable. Most of the attacks targeted home users and small businesses.

Phishing has also increased, with the financial sector receiving the bulk of these attacks. Phishing targeting Internet service providers (ISP) accounts ranked second. The United States was both the source of most attacks and the target for most Denial of Service (DoS) attacks.

A copy of the report can be downloaded from Sysmantec’s here.

Tags: News, Real-World Issues

Categories: News, Real-World Issues

Comments Off

What happens to your old units when you buy the newest mobile phone units coming out every few months? Are you generous and give it away to a friend or relative? Or do you delete your data according to the manual and try to sell it online, earning some cash in the process? Maybe the last option appeal to you, but be warned that your erased data might not be as gone as you think.

Last month a company named Trust Digital bought ten phones from E-bay and managed to recover data from all of them. The data ranged from personal information and bank account details to company communications. They recovered all this data because smart phones today use flash memory to store information, and it’s slow to erase information from them. Such flash memory are also used in music players and digital cameras. Only a zero out reset of the device can ensure the total obliteration of data. The same issues can arise with people selling their laptops online. Software easily obtainable online can recover records of your online transactions, which can then lead to sensitive personal data.

It may seem difficult to make a profit from getting information from an old mobile phone or laptop, but seeing the rise in corporate data breaches from stolen mobile gadgets, it’s not improbable that someone would attempt to do so. The best tip in this situation is to contact your gadget manufacturer for detailed instructions on a complete data erasure. If your device has password protection, you can try to type your password incorrectly until you are notified that the action will erase all of your data.

Tags: News, Physical Security, Real-World Issues, Tips

Categories: News, Physical Security, Real-World Issues, Tips

Comments Off

September saw the introduction of two new web browsers focusing on anonymous web browsing. Early this month, Browzar was launched by Freeserve founder, Ajaz Ahmed. It automatically deletes any cookies after each session, does not save save pages in cached folders, and its relatively small size makes it easy to bring along. There has been issues on it being merely an IE shell and that search results lead to sponsored links and adverts. Also, users need to download any security patches from Microsoft once a flaw has been identified for IE. After the two recent attacks on the browser, many are skeptical to its overall usability.

Torpack on the other hand came from Hacktivismo, a group of computer security experts and human rights workers, and is based on Mozilla’s Firefox. No installation is required to run the browser, though the two folders generated from the free download have to be kept together for it to run. This browser encrypts the data passing from the user’s computer and the TOR network, and causes the IP address seen by the website to change every few minutes. Torpack does have limitations; browsing speeds will be slower and it’s suggested not to log-in sites which cannot offer secure log-ins.

Both of these applications are not meant to replace the current browsers you’re using in your computer. It’s interesting to note that they both have privacy and secure browsing as their main selling points. These features are useful for users who are leery of going online in public access locations like schools and Internet cafés, where a secure connection cannot be guaranteed. So far both of these are available for free download, and you might want to see which one will stand the test of continuous use.

Tags: Privacy-&-Anonymity, Programming, Review

Categories: Privacy & Anonymity, Programming, Review

Comments Off

Though we’ve recently covered a few scams about phishing and e-mail, some swindlers have graduated from targeting victims one-by-one to a large-scale scam called pharming. Pharming can reel in potentially millions of unwitting victims to their schemes without anyone realizing it.

Pharmers divert as many users as they can from legitimate commercial sites to malicious ones. These sites look exactly like the genuine site, but when users sign in with their log-in names and their passwords, this information is taken by criminals. Once they have these, they can access your account information and take credit and bank account numbers for their own nefarious use. Pharming are often targeted o auction and banking sites where financial rewards are great.

The most alarming pharming threat involves something called DNS poisoning. All the hosts in the internet are identified by numbered strings called IP addresses, and computers identify different sites using these. Because it’s difficult to remember a string of 32 numbers, the Domain Name System or DNS translates these addresses to a string of text that will serve as its directory entry. A DNS directory gets poisoned when it’s altered to hold false information leading to the bogus site. Typing in the site URL serves as no guarantee, because you will still be taken to the fake site. Even savvy net users can be caught by this technique.

Site users can protect themselves by logging onto their sites using a secure (https://) connection. If you’re suspicious, you can also check your commercial site’s security certificates to see if they are real. Some sites like yahoo offer various authentication methods such as personalized seals on their mail service page, so you can identify the real site from the fake ones.

Tags: IT Security Basics, Privacy-&-Anonymity, Real-World Issues

Categories: IT Security Basics, Privacy & Anonymity, Real-World Issues

Comments Off

My name is Danjuma Sule, one of the sons of major Gen Gumel Danjuma Sule, The late Nigeria’s former minister of mines and power in the regime of the late former Nigeria’s military Head of state, Gen Sanni Abacha. I am having a huge sum of money in the total sum of $18.6Million presently hidden in a safe place –

Sounds familiar? Maybe the words are different, but the contents are almost always the same. A complete stranger writes to you, and offers a large sum of money in the form of unclaimed foreign lottery winnings, a business investment, or a transfer of illegally-obtained funds. If at this point you express interest, they’d inform you they might need a little advance to handle transactions before you receive your money. Occasionally they will present official-looking documents and ask for your bank account information, as if guaranteeing you will receive the money – but you never do.

This type of advance fee scam is often called the Nigerian 419 scam, after the law it violates in that country. Though purporting to come from Nigeria, a number of these scammers now originate from Europe and America. They send thousands of e-mails hoping one or two might bite, and strange as it might sound, people do fall for these schemes.

At first it might not seem like this is an IT security issue, but the whole operations of these scammers rely on the Internet. They can create a new identity online with a few keystrokes, photos and addressed acquired off a search engine, and a free e-mail account. They’ve recently moved on to targetting online auctions, and credit card fraud. Some have even began searching for victims through popular dating services, but they cannot be traced unless they’re reported to the proper government offices. Statistics on this kind of crime is very unreliable due to the large number of cases that go unreported every year. A modest estimate has each scammer getting thousands of dollars per month. At this point you can use the technology on hand so you do not become a victim of these scams. Use search engines to verify if they are who they claim they are, familiarize yourself with their techniques, and always be constantly vigilant.

Tags: News, Privacy-&-Anonymity, Real-World Issues

Categories: News, Privacy & Anonymity, Real-World Issues

Comments Off

You’re probably taking part in one right now : you write about how your day was on an online journal, and check out how your friends are doing on theirs. You might have a profile on another site, sharing music or photos to friends and maybe complete strangers who’ve linked their profiles to yours, and if you’re feeling particularly romantic you might try online dating. Sites like the ones offering these services promote the creation of online social networks, where you keep in touch with old friends, and make new ones with people who share your interest, but might never meet outside the web.

Sounds like a good thing, all in all. Except for the issues dealing with privacy.

Privacy. In its basic sense, it’s all about keeping certain things that you want to keep to yourself private. It’s always important to safeguard your personal information, especially with people ready to use it for criminal acts against you. But it leads to a tricky situation when you’re dealing with social networking sites, where you might not be aware you’re giving this same information away. After all, popular sites like MySpace allows visitors not logged in to the site to visit profiles. And recently Facebook, a social networking site geared for college students, faced protests from its users when they announced the news feed feature. Users felt it was a breach of their privacy, going so far as to call it stalking, even if most of the information you can get from these were things readily available to their friends. Though the clamor has died down, and Facebook has added privacy settings, the users are now aware how much information Facebook can actually share.

It’s a fact that since Facebook is the one providing the services to connect users to each other, they can make changes in their privacy policy and how they give those services to the users. Users might not like these changes, but they must accept it, or shift to another service. Facebook, and other companies like it, should also take their users’ possible reactions to any percieved attack on their privacy if a situation like this arises again.

Tags: News, Privacy-&-Anonymity, Real-World Issues

Categories: News, Privacy & Anonymity, Real-World Issues

Comments Off

Anonym.OS is an interesting development on the LiveCD front. Its an OpenBSD based operating system on a CD, engineered for anonymity.

According to the various news sources, Anonym.OS is running in secure mode, but changes its TCP packet length, and other technical details, to make it appear as a Windows XP SP1 system.

This is an interesting concept, and it does indeed seem to be engineered for anonymity. Provided it doesn’t leave any unique fingerprint, this should be a fairly big step towards reclaiming some anonymity.

The project website itself talks of government surveillance and corporate content restrictions. The Anonym.OS CD contains “strong tools for anonymising and encrypting connections”.

Anonym.OS makes use of the Tor network; an onion routing network which uses an array of servers to pass encrypted traffic. This prevents tracing, but slows down the connection considerably.

Tags: Network Security, Operating Systems, Privacy-&-Anonymity

Categories: Network Security, Operating Systems, Privacy & Anonymity

1 Comment

Whether you are a home computer user, a blogger, a freelancer, an office employee, making backups is an important task that you ought to schedule. After all, you never know what will happen. That is the dilemma that we all have. The moment a computer virus hits our systems or maybe some natural disaster or maybe even theft of our hardware, we could lose every bit of data.

There are different needs for each case. Take freelancers, for example. If you think about it, they have different clients, peak season for projects, etc. If you are a freelancer, how do you make backups? I know someone who makes backups every month, just to make sure that the articles are all together. There are even checklists to make sure they are intact.

For some companies that are involved mainly with graphics, they make weekly backups. It is to make sure that when their clients look for the materials, they have them immediately. They burn the files on discs so that they are handy. Aside from that, there are also some companies that have dedicated file servers. In case you have a setup wherein people could save their files on to the servers, make sure that those are the important files which are critical for your operation. It might be difficult to create a policy for such but it’s the best way to go about it.

Backups are practical. There are also news about developments in terms of optical storage media so stay tuned. These new kinds of optical storage media would impact not only those who are heavily into downloading but more importantly, the ones who are making sure that the data could be recovered in case of a security breach.

[tags]security,storage[/tags]

Tags: Backups, IT Security Basics, Physical Security, security, Storage

Categories: Backups, IT Security Basics, Physical Security, Storage

Comments Off

Microsoft confirmed that there has been recent reports of attacks on Internet Explorer using a previously unknown flaw in its VML. VML stands for Vector Markup Language, and is used to display graphic information on the web. This type of malicious code is called exploits. As the name suggests, exploits are code and software created to take advantage of security vulnerabilities in programs and operating systems. They are often used to install malware onto an unsuspecting victim’s computer. This particular exploit allows the attacker to execute arbitrary code on the user’s system, installing a host of malware onto the system.

The attack was first reported by researchers of the Sunbelt Software, Inc. on September 18, and is currently hosted on on a handful of sites. But based on previous browser-oriented attacks it might not be long before legitimate sites are affected. This attack works on all versions of Windows running the IE 6 browser, including fully-patched machines. It is believed that an exploit kit called Web Attacker has been updated to include code to exploit this vulnerability. This exploit kit is sold underground and can be used to easily develop malware.

This is the second attack on an IE vulnerability following a long string of attacks on the company’s Office Suites. The first occurred last week and involved a flaw in the handling of multimedia component of the browser. Microsoft has issued a security advisory saying that a patch to handle this vulnerability is scheduled for release on October 10 or sooner depending on the severity of the problem. It’s been suggested that users can avoid this VML attack by disabling Javascript from their IE or by using alternative web browsers.

Tags: Malware, News, Spyware, Tips

Categories: Malware, News, Spyware, Tips

Comments Off