The Electronic Frontier Foundation sued the CIA, the U.S. Department of Defense, Department of Justice, and three other government agencies on Tuesday for allegedly refusing to release information about how they are using social networks in surveillance and investigations.
The nonprofit Internet rights watchdog group formally asked more than a dozen agencies or departments in early October to provide records about federal guidelines on the use of sites like Facebook, Twitter, and Flickr for investigative or data gathering purposes, according to the lawsuit.
The requests were prompted by published news reports about how authorities are using social networks to monitor citizen activities and aid in investigations. For example, according to the lawsuit, government officials have: used Facebook to hunt for fugitives and search for evidence of underage drinking; researched the activities of an activist on Facebook and LinkedIn; watched YouTube to identify riot suspects; searched the home of a social worker because of Twitter messages regarding police actions he sent during the G-20 summit; and used fake identities to trick Facebook users into accepting friend requests.
The EFF needs access to the information to "help inform Congress and the public about the effect of such uses and purposes on citizens' privacy rights and associated legal protections," the lawsuit said.
None of the agencies contacted had complied with the EFF's Freedom of Information Act (FOIA) requests and only one, the IRS, had asked for an extension, according to the suit.
The suit, filed in federal court in San Francisco, names the defendants as the CIA, the office of the Director of National Intelligence, and the departments of Defense, Justice, Homeland Security, and Treasury.
The FOIA requests and the lawsuit were filed on behalf of the EFF by the Samuelson Law, Technology, and Public Policy Clinic at the University of California at Berkeley School of Law.
Government surveillance of citizens, particularly in areas they consider private, should have oversight, said Shane Witnov, a law student who worked on the case for the Samuelson Clinic.
"Social-networking sites are becoming a part of the way we communicate every day and everyone thinks they are sharing information [on the sites] with just their friends," he said. "Governments are using the sites but not in the way [citizens] expect when they sign up."
The government agencies could not be reached for comment Tuesday afternoon.
Updated 4:55 p.m. PST with comment from Samuelson Clinic law student.
Microsoft said Tuesday that its investigation has turned up no evidence that anything in its November security updates should be causing users to encounter a so-called "black screen of death."
"Microsoft has investigated reports that its November security updates made changes to permissions in the registry that that are resulting in system issues for some customers," Microsoft security response communications lead Christopher Budd said in a statement. "The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports."
Microsoft said it was not contacted by British security firm Prevx before that company went public with its claims. Microsoft said it has reached out to them to let them know the results of its investigation.
The company said on Monday that it would look into the matter, but issued an update later in the day saying it could not verify any issues.
"Our support organization is also not seeing this as an issue," Budd said on Tuesday. "The claims also do not match any known issues that have been documented in the security bulletins or (knowledge base) articles.
Update, 3:15 p.m. PT: Prevx posted an updated blog saying that it has done additional testing.
"Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches," the comapny said. "Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor."
The company also offered up a mea culpa to Redmond and said it also recommends users keep patching their systems promptly. "We apologize to Microsoft for any inconvenience our blog may have caused."
Updated 5:10 p.m. PST with information about later versions of the e-mail campaign directing to a landing page with hidden code that uses an Adobe exploit to try to download malware onto the system.
The e-mail appears to be from the CDC but directs people to a fake CDC site that serves up a Trojan.
(Credit: AppRiver)You can ignore that e-mail that looks like it comes from the U.S. Centers for Disease Control and Prevention about creating a profile for an H1N1 vaccination program. It's a malware scam, according to security provider AppRiver.
The fake alert informs recipients that as part of a "State Vaccination H1N1 Program" they need to create a profile on the CDC Web site. The link in the e-mail goes to a fake CDC page where the visitor is assigned a temporary ID and a link to a vaccination profile that is actually an an executable file containing a copy of the Kryptik Trojan targeting Windows, according to an AppRiver blog post on Tuesday.
Once installed, "this Trojan will create a security-free gateway on your system and will proceed to download and install additional malware without your authorization," the post warns. "It also enables a remote hacker to take complete control of your computer. This malware can log your typed keystrokes and send confidential personal and financial data (including banking information, credit card numbers, and website passwords) to a remote hacker."
AppRiver said it was seeing the fake CDC e-mails at a rate of nearly 18,000 messages per minute, reaching more than 1 million in the first hour alone.
The malware campaign apparently got more dangerous as the day wore on. In later iterations of the fake CDC e-mail, the landing page that the link led to contained a hidden iFrame that pointed to a site hosted in Ukraine, according to Symantec. In the background, the iFrame checks to see if the system is running an unpatched version of Adobe Reader, Acrobat or Flash Player and if so it uses an exploit to download a file to the system, the company said.
"During testing, our detections picked up the Adobe exploitation attempts using generic IPS and AV signatures," a Symantec spokesperson said.
This screen shot shows the fake CDC Web page that is distributing the Trojan.
(Credit: AppRiver)IBM said Monday that it has acquired database security firm Guardium.
Guardium is a leading vendor in monitoring and protecting databases for large enterprises. In addition to securing the data and watching database activity, Guardium's technology can automate certain tasks to assist businesses with regulatory compliance, said IBM. Big Blue expects the acquisition to help its customers better shield their critical databases against both external and internal threats.
Guardium can check for specific patterns and anomalies when information is accessed, said IBM, allowing enterprises to maintain the integrity of their data. Guardium's technology can also detect fraud and unauthorized access to a database by way of an enterprise application, such as a company's ERP or CRM software.
"Organizations are grappling with government mandates, industry standards and business demands to ensure that their critical data is protected against internal and external threats," said Arvind Krishna, general manager of IBM Information Management, in a statement. "This acquisition is another significant step in our abilities to help clients govern and monitor their data, and ultimately make their information more secure throughout its lifecycle."
Guardium, a privately held company based in Waltham, Mass., will be integrated into IBM's Information Management Software portfolio.
Big Blue hasn't been shy about buying companies this year to increase the scope of its business services. In July, the company picked up analytics and information forecaster SPSS for $1.2 billion. With security a vital need for its customers, IBM also acquired security provider Ounce Labs around the same time.
Financial terms of the Guardium deal were not disclosed.
Microsoft has begun a campaign to actively urge users of its 8-year-old Internet Explorer 6 browser to upgrade.
After launching IE 8 in March, Micosoft has concurred with critics that IE 6 is outdated. Many people have dropped the older browser, but the remaining users are often the tough cases--those who don't have a choice because of corporate computing policy or who aren't tech-savvy enough to realize there's a reason to move on.
This eBay 'Web slice'--basically a live bookmark in Internet Explorer 8--is part of Microsoft's effort to get people to upgrade from IE 6.
(Credit: Screenshot by Stephen Shankland/CNET)It's this latter population Microsoft is targeting with a campaign that runs through June 2010 that touts its own IE 8 as a better alternative. The campaign's first visible elements are a video aimed at online holiday shoppers and a Web slice to promote daily deals at eBay. Web slices are basically live bookmarks that can show miniature Web pages in the browser.
"What we're doing with the outreach is help users understand how to protect themselves against social engineering threats that exist and to help people understand how Internet Explorer 8 puts people in control of their own privacy online," said Ryan Servatius, senior product manager for Internet Explorer. Security was one of the big problems with IE 6, and Microsoft now boasts that security features in IE 8 block 2 million malware sites a day.
According to Net Applications' statistics, Internet Explorer 6 is still the most widely used browser, with 23.3 percent share of usage in October, followed by IE 7 at 18.2 percent and IE 8 at 18.1 percent. The newer browsers are gaining on IE 6, but so are rivals including Mozilla's Firefox, Apple's Safari, and Google's Chrome.
Web developers often gripe about having to support IE 6, which doesn't support many modern features for more sophisticated Web sites and even applications. Microsoft acknowledges that it's holding back development of the Internet, too.
"The best thing a user can do to advance the Web is to help move people off IE 6," Servatius said.
Of course, many will upgrade to IE 8 by buying Windows 7. IE 6 was the browser that shipped with Windows XP, which remains entrenched, but there are signs Windows 7 is a more compelling successor than Windows Vista. That could help the corporate customers move away from IE 6, Servatius said.
"As enterprises migrate from whatever operating system they're using today to Windows 7, that's going to help deprecate IE 6," he said. "What we're doing is working both with consumers worldwide and IT professionals to help them understand what the benefits of a modern browser are."
Microsoft said on Monday that it is looking into reports that its latest security updates are causing some serious problems for certain users.
The problem has been dubbed the "black screen of death" because those affected are left with a black desktop and little else on their screen.
.JPG){kind=logo}
"Microsoft is investigating reports that its latest release of security updates is resulting in system issues for some customers," the software maker said in a statement. "Once we complete our investigation, we will provide detailed guidance on how to prevent or address these issues. "
The issue was noted by British security firm Prevx on its blog on Friday, with that company also offering a suggested fix for the problem.
"The symptoms are very distinctive and troublesome," Prevx said. "After logging on there is no desktop, task bar, system tray or sidebar. Instead you are left with a totally black screen and a single My Computer Explorer window."
Prevx suggested that the black screen issue can occur on a wide range of Windows machines from Windows NT through Windows 7. In its blog, Prevx said there appear to be many causes of the black-screen issue, not all of which are related to the security update.
"In researching this issue we have identified at least 10 different scenarios which will trigger the same black screen conditions," Prevx said. "These appear to have been around for years now." As for the latest security update, Prevx said changes to the way registry keys are handled appears to be the reason it is causing black screens.
I've asked Microsoft what it recommends users should do for now and will post its answer here.
Microsoft released its latest security updates on November 10, issuing six bulletins addressing 15 flaws.
Update, 3:35 p.m. PT: A Microsoft representative said that the company continues to recommend that customers "test and deploy" the November security updates.
"Based on our investigation so far we can say that we're not seeing this as an issue from our support organization," the representative said. "The issues as described also do not match any known issues that have been documented in the security bulletins or (knowledge base) articles."
A pub owner in the U.K. has been fined £8,000 (about $13,183) because someone unlawfully downloaded copyrighted material over its open Wi-Fi hotspot, according to the managing director of hotspot provider The Cloud.
Graham Cove told CNET sister site ZDNet UK on Friday he believes the case to be the first of its kind in the U.K. However, he would not identify the pub concerned, because its owner--a pub that is a client of The Cloud's--had not yet given their permission for the case to be publicized.
Cove would say only that the fine had been levied in a civil case, brought about by a rights holder, "sometime this summer." The Cloud's pubco clients include Fullers, Greene King, Marsdens, Scottish & Newcastle, Mitchell & Butlers, and Punch Taverns.
The law surrounding open Wi-Fi networks and the liability of those running them is a grey area...
Read more of "Pub 'fined £8k' for Wi-Fi copyright infringement" and the followup story, "Law expert issues warning to open Wi-Fi operators," at ZDNet UK.
Shopping online does carry some risk, but so does shopping at brick-and-mortar stores. At least online shoppers don't need to worry about fender-benders in the parking lot, pick pockets at the mall, or getting the flu from all those fellow shoppers.
But the nice thing about shopping online is that by following some basic guidelines you can be reasonably sure you'll have a safe experience.
Secure your PC: The first thing you need to do is be sure your computer is secure. Trend Micro's education director David Perry, says that "bad guys these days are operating by planting a keylogger on your system that listens in, surreptitiously waiting for you to use your credit card or your bank password so that they can steal your money." So, even if you're dealing with a legitimate merchant, you're at risk if your computer is infected. Your best protection from these attacks is to keep your operating system and browsers updated and use a good and up-to-date security program. If you're getting or giving a Netbook or other PC for the holidays, make sure that security software is installed right away. Most security companies offer a free-trial version that will tide you over for a month or so, but be sure to subscribe so you get ongoing protection.
Click with care: You're going to be getting a lot of offers via e-mail this holiday season. While they might be legitimate, there is the possibility of some offers coming from criminals trying to trick you into giving your password to a rogue site or visiting a site that can put malicious software on your computer. Your best protection is to not click on any links--even if the message looks legitimate--but to type in the merchant's URL manually.
Know the merchant: : If you're not familiar with the merchant, do a little research like typing its name (and perhaps the word "scam") into a search engine to see if there are any reports of scams. Look for user reviews on sites like Eopinions.com. Look for seller ratings if you locate the merchant through a shopping search engine like Google Shopping . Google doesn't certify the integrity of the sites that come up in its searches, but if you see lots of seller ratings that are mostly positive, that's a pretty good sign. You're generally pretty safe with sellers that are affiliated with shopping aggregators like Amazon.com, Yahoo Shopping, Retrevo or BizRate. Microsoft's new Bing search engine offers a cash-back program with affiliated merchants.
Look for trust seals, but verify they're legitimate
(Credit: BBBOnline)It's a good idea to look for seals of approval from Truste or Better Business Bureau Online, but remember that a seal is only a graphic. It can be counterfeit. To be sure, visit the certifying agency's site to look up the merchant.
When you're about to enter your credit card, make sure you're on a "secure "site. The URL should have an https at the beginning (s for "security") and there should be a small gold lock in the lower right corner of the browser. This isn't an iron-clad guarantee, but still worth looking for.
If you're still not sure, look for a phone number and call them. Aside from eliminating the chance of a keylogger grabbing your information, you may get a little more assurance talking to a human being.
Pay by credit card: Credit cards offer you an extra level of protection including the right to "charge back" if you feel you're a victim of fraud. The credit company will investigate your claim and permanently remove the charge if fraud can be proven.
Also some credit card companies offer extra protections including extended warranties and protection against loss or theft. Federal law limits your liability for misuse of a credit card to $50 but many credit card companies will waive that limit. Unless you're very sure about the merchant, don't provide them with a checking account number and never disclose your social security number to online merchants.
It's also a good idea to check your online credit card statement frequently. Most credit card companies will display recent charges online within a few days of the actual transaction. While you're on your credit card company's site, check your interest rate. Credit card companies have been known to "adjust" rates (usually upward) for a variety of reasons.
Know the real price: Be sure you understand the actual cost of the item, including shipping, handling, and sales tax. That can have an enormous impact on the final price. Many merchants are offering free shipping during the holidays and some merchants that have both online physical stores will let you pick up the item in the store for free. In most states if you do business with a merchant that has a physical presence in your state, the merchant is required to collect state sales taxes. Although it's tough to enforce, some states expect you to self-report all of your online purchases and pay sales taxes when you file your state income tax return.
Happy returns: Be sure you understand the merchant's return policies including the deadline for returns and what documentation you'll need. In most cases, they won't refund the shipping charges and you'll have to pay to ship it back. Always keep your packing until you're sure you're not going to return it.
Read the privacy policy: The policy, according to the American Bar Association's Safeshopping.org, should disclose "what information the seller is gathering about you, how the seller will use this information; and whether and how you can "opt out" of these practices."
Enjoy the holidays: By paying attention to these tips, the odds of your being victimized by online fraud are pretty low --another good reason to be cheerful during the holiday season.
Black Friday is almost upon us, and the steep hardware discounts mean new computers for many. To help you during these tough economic times, we've refreshed the Download.com Security Starter Kit for 2010. Although nothing can replace common-sense browsing, this collection of freeware security tools will help you protect new machines and old from pernicious threats, large and small. Longtime readers will notice that in addition to changing up our recommended antivirus program, we've fleshed out the Web browsing safety category, and made other changes as well. If you're looking for more than freeware security programs, check out the CNET Download.com Windows Starter Kit for 2010.
In this year's version, you can expect to see Avast chosen ahead of AntiVir as our most favored antivirus app. Despite its odd interface, Avast scored higher than any other freeware antivirus in a third-party test, and it doesn't skimp on protection, either, with e-mail, network, rootkit, and behavioral guards along with its top-rated virus protections.
We're still recommending Malwarebytes Anti-Malware for spyware removal, but we've also added PC Tools' standalone ThreatFire as an excellent way to strengthen behavioral detections and prevent spyware from infecting you in the first place. Recent improvements to the program have made it incredibly light on resources, and in our days of empirical testing we didn't notice it slowing down our computers at all.
New this year is the expanded in-browser security category. We've recommended five browsing tools that are available as add-ons, and we took care to make sure that they applied to as many of the major browsers as possible. However, Firefox's deep add-on toolbox makes it naturally the browser with the most diverse collection of security tools, so expect to see it heavily, although not exclusively, represented.
PC Tools' ThreatFire.
(Credit: Screenshot by Seth Rosenblatt/CNET)Firewalls used to be the forefront of security, but now they're just another tool you should have. Microsoft has made the native Windows 7 firewall impressively useful, but we realize that not everybody has Windows 7, and even those who do might want an alternative. This year, Online Armor joins Comodo on the list.
In Encryption, TrueCrypt remains the gold standard. The Thunderbird extension Enigmail joins it as a must-have tool for keeping your private e-mails as you intended them--away from prying eyes. In Parental Control, we've added OnlineFamily.Norton. It's not strictly desktop based, although to use it you must use its desktop hook, called Norton Safety Minder. Symantec has created what looks to be a unique and free approach that includes an emphasis on parental education and attempts to foster parent-child communication about how to use the Internet safely. We're of the opinion that anything that helps parents realize that browsing the Internet is far more than a TV with options is a good thing.
If you disagree with our security and safety choices for the Security Starter Kit, please let us know in the comments below.
As the World Trade Center and Pentagon were ablaze on September 11, 2001, the U.S. Secret Service's presidential protective detail was informed that a "Korean airliner has been hijacked" en route to San Francisco, prompting already-skittish agents to worry about another wave of terrorist attacks.
That morning and afternoon, Secret Service agents assigned to protect the president and his family found their pagers constantly buzzing with alerts both true and false. There was a false alarm about a car bomb in downtown Washington, D.C., a report of "two Arab males detained" after asking for directions to the presidential retreat at Camp David, and reassurances that "Twinkle and Turq"--code names for the Bush daughters--were safe and accounted for.
This unusual glimpse into the events of 9/11 comes from messages sent to alphanumeric pagers that were anonymously published on the Internet on Wednesday, via WikiLeaks.org....
Read the full story of "Egads! Confidential 9/11 Pager Messages Disclosed at CBSNews.com.
