Wednesday, December 10, 2008

VOIP handicaps response to terrorist attack

Indian police officials said that the terrorists who struck Mumbai in November were directed by people using Voice over Internet Protocol (VoIP) phone service, which complicated efforts to trace and intercept the calls. A month earlier, a draft United States Army report highlighted the interest of Islamic militants, such as the Taliban, in using VoIP.

To locate a VoIP caller, investigators need access to service provider databases that track the unique numerical identifier (I.P. address) of the device the subscriber uses to connect to the Internet. Additional work is then needed to locate the device, which can take days longer than a phone .

See, "Mumbai Terrorists Relied on New Technology for Attacks," New York Times, December 9, 2008, at

Sunday, December 7, 2008

Fake call puts nuclear Pakistan on highest alert

A hoax phone call to the President of Pakistan led the nuclear-armed nation to put its air force on highest alert. On late Friday evening, November 28, on the heels of the Mumbai terrorist attacks, senior members of President Asif Ali Zardari's staff bypassed standard call verification procedures and transferred to Mr. Zardari a caller claiming to be Indian External Affairs Minister Pranab Mukherjee. The caller directly threatened to take military action if Pakistan failed to immediately act against the perpetrators of the Mumbai attacks.

Following the call, signals were sent out about how the situation could rapidly spiral out of control. A top Pakistan security officials advised the media that it might shift tens of thousands of troops from its western border with Afghanistan to its eastern frontier with India.

See, "A hoax call that could have triggered war," Dawn, December 6, 2008, at .

Saturday, November 29, 2008

Guilty verdicts in MySpace girl's suicide

A Missouri mother engaged in an online fraud that drove a 13-year old girl to suicide was convicted in Los Angeles on federal misdemeanor charges under the Computer Fraud and Abuse Act. Lori Drew was accused of violating the terms of service of a social networking site, MySpace, by creating a fictitious profile of a teen boy and creating postings, which she used to harass Megan Meier. The purpose of the fraud was to humiliate Megan for allegedly spreading gossip about Lori's daughter, Sarah.

Megan, who had a history of depression and suicidal impulses, received an e-mail message from Ms. Drew that said, “The world would be a better place without you.” Megan wrote back, “You’re the kind of boy a girl would kill herself over.” She then hanged herself with a belt in her bedroom closet.

Thomas P. O’Brien, the United States attorney in Los Angeles, prosecuted the case after law enforcement officials in Missouri determined Ms. Drew had broken no local laws. He based jurisdiction of the case on the fact that the MySpace computer servers are housed in Los Angeles.

See, "Woman Convicted of Minor Offenses in MySpace Hoax," Wall St. Journal, November 26, 2008, at; "Verdict in MySpace Suicide Case," New York Times, November 26, 2008, at;; "Jurors Wanted to Convict Lori Drew of Felonies but Were Stymied by Prosecutors," Wired Blog Network, December 1, 2008, at

Friday, November 21, 2008

Verizon employees view Obama cell phone account

Verizon (VZ) acknowledged that “a number of Verizon Wireless employees have, without authorization, accessed and viewed President-Elect Barack Obama’s personal cell phone account.”

See, "Verizon Apologizes To Obama: Sorry We Snooped On Your Account," D | All things Digital, NOvember 21, 2008, at

Thursday, November 20, 2008

NYPD fights Justice for terrorist surveillance warrants

The New York Police Department is struggling with the U.S. Justice Department over the process to obtain a warrant from the special Foreign Intelligence Surveillance Court before it can begin electronic monitoring of people suspected of spying or terrorism. New York's police argue that Justice Department lawyers impose a needlessly high standard to be certain that every surveillance application submitted to the court would be approved. As a local police force, New York's Police Department cannot apply directly for surveillance warrants, but must seek them through the F.B.I. and the Justice Department.

See, "New York Police Fight With U.S. on Surveillance," November 20, 2008, at

Sunday, November 9, 2008

White House computers attacked by Chinese hackers

White House computer servers have repeatedly been compromised by Chinese hackers, who obtained non-classified email between government officials. The attackers entered the system for brief periods before US experts could patch it The Chinese government is the suspected sponsor of the attacks.

See, "Cyber-Attacks Reported At White House, Campaigns," Washington Post, Novemer 7, 2008, at; "Chinese hackers penetrate White House network," Financial Times, November 7, 2008, at

US Presidential campaigns hacked in foreign intelligence operation

The computer systems of both the Obama and McCain campaigns were attacked and large amounts of information were downloaded by hackers in what appears to have been a Russian or Chinese intelligence gathering operation.

See, "Obama computers 'hacked during election campaign'," Time Online, November 7, 2008, at

Monday, November 3, 2008

Faulty computer models cost AIG tens of billions of dollars

Computer models relied on by insurance giant AIG to evaluate more than $400 billion of credit-default swaps did not measure the risk of future collateral calls or write-downs. The deficiency, of which AIG was aware, reportedly cost it tens of billions of dollars and pushed the federal government to rescue the company in September 2008.

See, "Behind AIG's Fall, Risk Models Failed to Pass Real-World Test," Wall St. Journal, October 31, 2008, at

Government contractor loses confidential data on 12M users

The British government is investigating how a memory stick holding the user names and passwords for a government computer system was lost and later found in a pub parking lot. The memory stick belonged to a government contractor, which stated that an employee had breached procedure by removing the memory stick from the company's premises.

The incident resulted in the temporary shut down of the Gateway website, used by the public to access services such as tax returns, pension and child benefits. It has 12 million regsitered users.

See, "Inquiry into loss of confidential data on 12 million website users," The International Independent, November 3, 2008.

Friday, October 24, 2008

LPL Financial fined following account hacking

The SEC issued a cease and desist order and imposed a fine of $275,000 against LPL Financial due to the firm’s failure to implement adequate controls to protect access to customer accounts. Between mid-July 2007 and February 2008, LPL was subject to hacking incidents in which customer accounts were accessed and the perpetrator placed or attempted to place 209 unauthorized trades in 68 customer accounts, in the sum of over $700,000. At that time, the SEC found that LPL had failed to implement increased security measures and adopt policies and procedures reasonably designed to safeguard customer information as required by SEC regulation.

The SEC noted that, among other things,
--LPL did not develop or maintain a complete set of policies and procedures addressing administrative, technical, and physical safeguards reasonably designed to protect customer records and information at its branch offices.
--LPL failed to reasonably evaluate security controls despite its knowledge of a prior data breach incident.
--A prior audit revealed deficiencies concerning users’ password complexity and session inactivity parameters.

The SEC Order In the Matter of LPL Financial Corp. is posted at

Monday, October 20, 2008

Citic Pacific faces billions in losses on unauthorized forex bets

Citic Pacific, a Chinese government conglomerate, is facing billions of dollars in losses after traders made what the company said were unauthorised bets against US currency. At current mark-to-market prices, Citic Pacific faces a loss of US$1.88bn. The company said that “there was no reason to believe fraud or other illegal activities were involved.” Following the news, Citic Pacfic shares lost 38%.

See, "Citic Pacific faces $2bn in forex losses," Financial Times, October 20, 2008, at; "CITIC Pacific shares dive 38 percent on forex losses," Reuters, October 20, 2008, at

Saturday, October 18, 2008

Quantum encryption demonstrated

Researchers demonstrated a quantum encryption system at a conference in Vienna. The system uses photons to encode data and relies on the Heisenberg Uncertainty Principle, which says that quantum information cannot be measured without disturbing it. As soon as the photons are observed by an eavesdropper they are scrambled, leaving the encryption unbroken and creating a trace of the eavesdropper.

See, "Researchers show off 'unbreakable' quantum encryption," ITPro, October 9, 2008, at; "The solace of quantum key technology," The Guardian, October 9, 2008, at

SMS attack on India's ICICI Bank

India's ICICI Bank has requested a police investigation into brokers and others who allegedly used SMS, email, and the Internet to launch a run on its branches and an attack on its shares, which fell as much as 28 per cent. One of the SMS messages reportedly said, "Kindly withdraw all your deposits and cash in account with ICICI Bank as ICICI Bank has already rushed to RBI for insolvency."

See, "ICICI demands police probe into share attack," Financial Times, October 14, 2008, at; "ICICI moves cops against 'malicious' brokers," Business Standard, October 18, 2008, at

Thursday, October 9, 2008

Palin e-mail account hack

David Kernell, the son of a prominent Democratic Tennessee state lawmaker, was indicted for hacking into the Yahoo! Web mail account of Sarah Palin, Republican Vice-Presidential candidate and Alaska Governor. Kernell broke into the account by guessing the answers to her pre-selected "Secret Questions," which must be answered before Yahoo! will allow users to reset their account passwords.

The hack was apparently facilitated by the fact that Yahoo! does not allow new registrants to make up their own question for resetting their passwords. Kerrin apparently found information on Wikipedia and used Google to discover the answers to her pre-selected secret questions and change her account password.

See, "Son of Tenn. Lawmaker Indicted in Palin E-Mail Hack," Washington Post, October 8, 2008, at

Computer faults causes jet to plummet

The Australian Transport Safety Bureau said onboard computer equipment faults in a fly-by-wire Airbus jet, operated by Qantas, caused it to plummet, sending passengers, crew and objects flying through the air.

See, "Computer fault blamed in Qantas jet fall," Australian IT, October 9, 2008, at,24897,24469386-15317,00.html.

Friday, October 3, 2008

Surveillance system found in Chinese version of Skype

Tom-Skype, a joint venture between a Chinese wireless operator and eBay, the Web auctioneer that owns Skype (an online phone and text messaging service), has routinely been storing messages with politically sensitive keywords, along with with personal user records.

A research group at the University of Toronto, Citizen Lab, discovered an encrypted list of words inside the Tom-Skype software, which, in turn, monitors messages containing those words. Encrypted copies of messages containing the words are sent to servers that also store personal information about the customers who sent the messages. They also record chat conversations between Tom-Skype users and Skype users outside China.

The researchers were able to download and analyze copies of the surveillance data because the Chinese computers were misconfigured. The computer directories were readable with a simple Web browser and researchers also found a file containing the key needed to decode the encrypted files. The researchers said they did not know who was operating the surveillance system.

See, "Surveillance of Skype Messages Found in China ," New York Times, October 1, 2008, at

Text-messaging moments before train crash

A commuter train engineer apparently was exchanging text messages on his mobile phone moments before his train ran a red light and slammed into a freight train, resulting in 25 deaths. Following the crash, state railroad regulators temporarily banned the use of all cellular devices by anyone at the controls of a moving train. Federal railroad regulators also issued an emergency order banning most cellphone use by locomotive engineers.

See, "California Bans Texting by Operators of Trains," New York Times, September 18, 2008, at; "Railroad Agency Bans Cellphones," New York Times, October 2, 2008, at

Saturday, September 27, 2008

Kentucky seeks to block Internet gaming, seize domain names

Kentucky is working to force 141 Internet gaming sites to block access to Kentucky users, or to relinquish control of their domain names. The state alleges, among other things, that online gaming drains the state of money by undermining horse racing, a key state tourism industry. Following a hearing, a district judge ordered the domain names be transferred to the state. The sites will be able to object to the transfers.

See, "Kentucky attempts to seize gambling site domains," cnet, September 26, 2008, at

Saturday, September 13, 2008

Virginia anti-spam law unconstitutional

First Amendment guarantees reversed the conviction of Jeremy Janes, the first person in the U.S. convicted of a felony for sending unsolicited bulk e-mail. He was sending 10 million emails per day from his North Carolina home, via an AOL server in Virginia. The Virginia Supreme Court held that its state anti-spam law violates free speech because it does not just restrict commercial e-mail -- it prohibits the anonymous transmission of all unsolicited bulk e-mails, including those containing political, religious or other speech protected by the First Amendment to the U.S. Constitution.

See, "Virginia: Spam Law Struck Down on Grounds of Free Speech," New York Times, Sept. 12, 2008, at

Confusion reigns as US government e-records disappear

While US federal law requires retention of electronic records, including email, government employees don't appear to understand their obligations. Widespread violations of federal record-keeping requirements have been uncovered. Many employees do not seem to understand what a record is, "much less how it must be preserved,” says Melanie Sloan, executive director of Citizens for Responsibility and Ethics in Washington, a watchdog group.

See, "In Digital Age, Federal Files Blip Into Oblivion," New York Times, Sept. 12, 2008, at

Friday, September 12, 2008

Guilty of massive U.S. credit-card number theft

A defendant pled guilty to the theft of more than 40 million credit-card numbers from U.S. retailers. Damon Patrick Toey was charged along 10 other men in 5 countries with wireless interception of retailers' data transmissions and use of "sniffer" programs to steal credit card numbers as they were being swiped at cash registers. The case is the largest identity fraud theft prosecuted in the U.S.

See, "Hacker Pleads Guilty In TJX Security Breach," Wall St. Journal, Sept. 12, 2008, at

Wednesday, September 10, 2008

Search engine sinks UAL stock

Stock in the parent of United Airlines sank from nearly $12.50 a share to $3, before trading was halted, after Google's news service surfaced an apparently new story about a bankrutcy filing by the airline. Google's search engine picked up the story from a new link on the website of a South Florida newspaper. The underlying article, published by the Chicago Tribune in December 2002, did not carry a date.

According to the Wall St. Journal,

"The damage was exacerbated by the growing use on Wall Street of automated programs that trigger stock trades without any human interaction. The so-called algorithmic trading mechanisms, which buy and sell stocks based on news headlines and earnings data, were responsible for roughly a quarter of New York Stock Exchange trades in the last week of August.
Investors said simple human scrutiny would have indicated the UAL story was old, but computerized trading systems don't make such determinations."

See, "UAL Story Blame Is Placed on Computer," Sept. 10, 2008, at

Monday, September 8, 2008

London Stock Exchange trading system fails

A “connectivity issue” halted trading on the London Stock Exchange for the longest period in over eight years, “amid a day of frenzied trading as dealers responded to [the previous] night's rescue by the US Government of Fannie Mae and Freddie Mac.”

See, "London halts trading after shares surge on US bailout," Times Online, Sept. 8, 2008, at

Space Station computer worms

A computer virus has been found in laptops used by astronauts on board the International Space Station. Known as W32.Gammima.AG, the virus spreads through removable storage devices and monitors keystrokes and seeks online gaming passwords.

See, “Stowaway computer virus sent into orbit,” The Times Online, Aug. 28, 2008, at

Sunday, August 31, 2008

GPS: Search and Seizure

Police are using Global Positioning System data as evidence in criminal prosecutions, for crimes such as murder, rape and arson. Critics, like University of Maryland law professon Renée Hutchins, argue that GPS data is protected under the Fourth Amendment.

See, "Police Using G.P.S. Units as Evidence in Crimes," New York Times, Aug. 30, 2008, at

Wednesday, August 27, 2008

Computer failure delays US flights

Failure of a communications link in an Atlanta computer system for filing flight plans delayed hundreds of flights across the US. The other flight-plan facility in Salt Lake City tried to take up the slack and handle the entire country, but the backup system overloaded. This led to manual processing.

The FAA said that it had never experienced a computer problem this severe.

See, "U.S. airports back to normal after computer glitch," Reuters, Aug, 26, 2008, at

Tuesday, August 26, 2008

Outsourcing cv fraud threatens sensitive bank data

A background screening company reports that resume cheating in India's outsourcing industry rose 80% in the first quarter of 2008, compared with the first quarter of 2007.

The issue is troubling because recruits in in the outsourcing industy often have access to highly sensitive information and processes for leading international financial institutions.

See, "Outsourcing groups battle India's CV cheats," Financial Times, Aug. 25, 2008,

Bank data on 1M customers found on computer sold on eBay

An eBay buyer reported to UK authorities that a computer he bought online contained data on at least one million credit card customers of the Royal Bank of Scotland, its subsidiary NatWest, and American Express, including account numbers, passwords, cell phone numbers and signatures.

The computer was apparently sold online by an archiving firm that stores financial information for the three financial institutions.

See, "U.K. Man Buys Computer With Millions Of Credit Card Data For $142 On eBay," AHN, Aug. 26, 2008, at; "Privacy probe into bank data sale," Financial Times, Aug. 27, 2008, at

Terror group hijacks Wi-Fi connections

Email from a terrorist group, Indian Mujahideen, has been traced to a college in Mumbai. The email hinted at new terror attacks and warned that suicide bombers would be deployed. As a result, city colleges are working to eliminate the threat posed by unsecured Internet and Wi-Fi connections

A similar email was sent prior to serial bomb blasts in the west Indian city of Ahemdabad on July 26, 2008, which killed 42 people. That email was sent via a hacked computer with an unsecure Wi-Fi connection in a private Mumbai residence, and appears to be the first time that a local IP address has been hacked by terrorists.

See, "Second terror e-mail traced to Mumbai college," Morung Express, Aug. 25, 2008; "Colleges wake up to wi-fi threat," Hindustan Times, Aug. 26, 2008, at; "American expats caught up in Indian bomb blast inquiry," Guardian, July 29, 2008, at; and, "Anyone can be caught in the web of terror," Times of India, July 29, 2008,

Saturday, August 23, 2008

Inmate data lost

A consulting firm lost a computer memory stick containing details of all 84,000 prisoners in England and Wales. Details including names, addresses and birthdate of 33,000 people with six or more convictions, and people in drug rehabilitation programmes were also on the stick. The data was apparently being held by the government in secure form, but was downloaded onto a memory stick in violation of rules in the contract with the consulting firm.

The loss follows admissions by UK Revenue and Customs that it lost data on about 25 million people; by the Ministry of Defence that about 658 laptops have been stolen in the past four years; and, by the Transport Secretary that details of some three million learner drivers were lost by a firm in the US.

The consulting firm involved is one of the main companies involved in setting up a controversial ID cards scheme and its failure raised concerns about the safety of the national identity database.

See, "Tories call for data loss prosecutions," The Observer, Aug. 24, 2008; "UK criminals' details go missing," Aug. 22, 2008, OneNews, at

Friday, August 22, 2008

China Internet control claimed as trade violation

The California First Amendment Coalition (CFAC) filed a petition with the Office of the US Trade Representative protesting that US service providers are severely damaged by restrictions place on Internet usage by China. CFAC claims that the restrictions place US companies at a disadvantage (e.g., by forcing them to register at a local level, or submit content for government approval) and violate international trade agreements, including the protocol China singed when it joined the World Trade Organization. See, "Google and Yahoo tread carefully in China internet row," Financial Times, Aug. 22, 2008.

China blocks iTunes

Internet users report that China apparently blocked access to the Apple’s iTunes Store due to the presence of the pro-Tibet “Songs for Tibet” benefit album, which includes 20 songs from artists like Sting, Dave Matthews and Moby. See, "Apple iTunes Store Is Blocked in China, Internet Users Say," New York Times, Aug. 22, 2008.

Students' right to publicize flaw

A U.S. District Court in Boston ruled that students have the right to publicize a flaw that allows magnetic fare cards used by Boston's subways and buses to be counterfeited. The court ruled that the National Information Infrastructure Protection Act of 1996 likely does not prohibit revealing weaknesses in computer-security systems. See, "Judge Backs Students in Transit Hacking Case," Wall St. J., August 20, 2008, at

Student data and test scores released

Personal data and test scores of thousands of Florida students were accidentally published by The Princeton Review on its web site. See, "Student Files Are Exposed on Web Site," New York Times, Aug. 18, 2008, at