
Security & Privacy

Report: Skype service in China recording, censoring messages

TOM-Skype, eBay's joint venture in China, is recording customer text chats and censoring them if they contain certain keywords related to topics the government deems objectionable, according to a report released on Wednesday (PDF) by researchers in Canada.

"TOM-Skype is censoring and logging text chat messages that contain specific, sensitive keywords and may be engaged in more targeted surveillance," the report concludes. "What is clear is that TOM-Skype is engaging in extensive surveillance with seemingly little regard for the security and privacy of Skype users. This is in direct contradiction of Skype's public statements regarding …

Kevin Mitnick detained, released after Colombia trip

Updated at 7:55 a.m. PT on Wednesday to specify that the FBI cleared Mitnick of any wrongdoing in this event.

Since being released from prison eight years ago, Kevin Mitnick's brushes with the law have consisted of a few parking tickets and a citation for driving without a front license plate--that is, until he returned from a trip to Colombia two weeks ago.

After landing at the Atlanta airport for a security conference, Mitnick was detained for four hours for reasons still not fully explained. To make matters worse, while customs officials in Atlanta were busy inspecting his cell phone, laptop, and luggage, police in Bogota were ripping open a package he had mailed to his U.S. address on suspicion that it contained cocaine.

The simultaneous incidents gave Mitnick deja vu of his days as a fugitive pursued by the FBI for breaking into computer networks, only this time, he hadn't broken any laws.

"There was uncertainty, fear, and panic because I didn't know what was going on, and I didn't do anything wrong," he said in a recent telephone interview with CNET News. "In my mind, I thought I was being set up for something."

Here's a rundown of what happened:

Mitnick's Delta Airlines plane landed in Atlanta on September 16 at around 3 p.m. He had flown in from Bogota, where he had gone to give a speech to the newspaper El Tiempo and to visit his girlfriend.

The first sign of trouble was when a U.S. customs agent swiped his passport through the computer system and started staring intently at the screen and typing. "Kevin," the agent said with a big smile on his face. "Guess what? There are some people downstairs who want to have a word with you, but don't worry. Everything will be OK." …

Yahoo to fix password exposure problem in Zimbra

New security features planned for Zimbra will resolve an issue that caused passwords to be transmitted in the clear when accessing Yahoo Mail, a Yahoo spokeswoman said on Tuesday.

"Plain text authentication is an industry-wide challenge that major e-mail clients and providers face when providing the right balance of backward compatibility and security," a Yahoo spokeswoman said in an e-mail statement.

"Zimbra has plans as part of the next beta release to implement additional new security features to provide more secure authentication options. This approach will be in place in the next few weeks well before we launch the …

Cisco study highlights data loss risks worldwide

In Germany it's apparently OK to have non-employees roam the offices, while in Brazil corporate secrets are commonly shared with family members, and even with total strangers. These are some of the results of a survey (PDF) commissioned by Cisco Systems and released Tuesday.

"It's interesting to see the cultural differences in terms of what's allowed and what's not allowed in different countries," said Marie Hattar, vice president of network and security solutions at Cisco. "If you look towards doing a data leakage prevention strategy, you've got to consider physical security as …

Yahoo's Zimbra e-mail program exposes passwords

Passwords used to access Yahoo mail through the Zimbra client are sent over the Internet in clear text, a Canadian programmer says.

Holden Karau stumbled upon this problem while participating in the Yahoo University Hack Day at the University of Waterloo last week.

"The Yahoo IMAP servers used by the Yahoo Desktop don't support SSL and the password was being transmitted in plain text," Karau wrote in a blog post on Friday.

"What does this mean for you? If you use Zimbra to access your Yahoo mail, you almost certainly need to change your password …

Microsoft, Washington state sue over 'scareware' pop-up ads

Microsoft and the Attorney General's office in Washington state said on Monday they have filed a handful of lawsuits over pop-up ads that scare consumers into paying for software that supposedly fixes critical errors on a PC.

The lawsuit filed by the Attorney General's office alleges a Texas firm sent incessant pop-up ads that falsely claimed the computer had critical errors in its registry and directed people to a Web site where they could download free scanning software to find the problems.

The software then reports 43 critical problems and offers to sell a fix for $39.95. However, the software, dubbed "Registry Cleaner XP," does nothing but lull the consumer into a false sense of security, officials said.

It's a "blatant rip-off of consumers," Washington State Attorney General Rob McKenna said in a news conference. Consumers were "duped into downloading a fake scan (of the computer) and then duped into paying for software they don't need."

The pop-ups take advantage of a function called Windows Messenger (not to be confused with Microsoft's instant-messaging program, Windows Live Messenger) that was designed to allow network administrators to send alerts to Windows PCs on a network. The functionality was turned off by default in Windows XP Service Pack 2, said Richard Boscovich, senior attorney for Microsoft's Internet Safety Enforcement Team.

The messages often would be displayed repeatedly, with one IP address receiving more than 200 in one day, the complaint alleges. …

VoIP system users can be targeted in attacks

Jason Ostrom of VoIP Hopper on Saturday plans to release his next-generation VoIP sniffer at Toorcon in San Diego to help raise awareness of the type of vulnerabilities businesses face as they adopt unified communications (UC) technology.

He told CNET News that the tool, UCSniff, has two settings. One is a learning mode, which sniffs all the IP traffic and then maps telephone extensions to specific addresses. By default, it captures all the calls and saves them to WAV files.

The other setting is a bit more creepy: targeting conversations. After learning the IP addresses of the phone system, someone using …

Two critical holes plugged in Thunderbird

Mozilla pushed out an update to its e-mail client Thunderbird today. The 2.0.0.17 update, for both Windows and Mac versions, fixes two exploitable vulnerabilities. Centered on newsgroup functionality and an obscure UTF-8 hyperlink spoof, they could have allowed an attacker to execute arbitrary code.

A spate of bug fixes, memory-leak repairs, and other less severe tweaks were included, too. The full changelog can be read here.

Behind the scenes of online fraud

I sat down on Thursday with someone who watches the underground criminals who are trying to break into people's bank accounts and steal their money. And the picture isn't pretty.

Online fraudsters are coming up with more types of dangerous attacks and more sophisticated methods, says Uri Rivner, head of new technologies for RSA Consumer Solutions, which is owned by EMC.

I've already written about how the cybercriminals are borrowing organizational structures from the mafia and even legitimate businesses, and have further explored the threats from identity fraud. Rivner filled in some details with his assessment of how the fraudsters are operating. He talked about the "Fraud Supply Chain" in which harvesters steal the data and then sell it to people who are expert at turning the data into cash by emptying out the bank accounts.

The two sides of this e-commerce underground communicate via informal marketplaces on IRC channels. They also share information on sites like "Carder's Market," where you can read industry blogs and even reviews of Trojans and other malware.

Fraudsters aren't just targeting bank customers. They are also luring victims off social networks, where they harvest sensitive private information, and online gaming sites, where they steal accomplished avatars and accounts and sell them for money, Rivner says.

Another recent trend is the blending of phishing and malware on spoof Web sites that look legitimate but prompt visitors to run an executable in order to see a video, for instance. Instead, the executable is a Trojan that can grab the sensitive data on the computer. The recent "Obama sex video" spam is an example of this. …

Encryption key management: Critically important, frighteningly immature

Large organizations are deploying more and more encryption technologies these days on laptops, tape backup systems, mobile devices--everywhere.

Yes, they are concerned about regulatory compliance, data breaches, and embarrassing front-page headlines, but there is something else going on as well. Technology suppliers are now baking encryption into technology components and systems. As encryption becomes cheap and ubiquitous, risk-averse users will likely deploy it everywhere.

Ironically, multilayer encryption may actually compromise data security. Why? If data is encrypted multiple times, someone had better know about the chain of encryption events that took place. Each encryption activity relies on an encryption key to …
