InSecurity Complex

November 19, 2009 9:01 PM PST

Cisco launches iPhone security app

by Elinor Mills
  • 6 comments

Cisco is offering a free iPhone app that will allow people to get customized alerts on new security threats and other information for safe Web browsing.

The app, which will be available on Friday in the Apple iTunes store, provides information about new malware signatures, bulletins for how to mitigate against threats, ways to see if particular Web sites are compromised, as well as links to podcasts and videos.

The Cisco SIO To Go iPhone app gets its information from the company's Security Intelligence Operations (SIO) system which gathers information in real time from 700,000 sensors located at customer sites, ISPs, and other sites around the world. The data from the disparate sources allows Cisco engineers to do threat correlation to detect Internet attacks and spam campaigns.

The app is designed for professionals and security geeks, not the average consumer, said Michael Weir, Cisco security marketing director.

"I can make it applicable to my needs and the security needs of my [enterprise] network," he said.

The Cisco SIO To Go iPhone app offers information about the safety of particular Web sites.

(Credit: Cisco)

November 19, 2009 9:01 PM PST

Fortified rice, fuel cells among Tech Award winners

by Elinor Mills
  • Post a comment

Dr. Joseph Adelgan's Cows to Kilowatts program won the Tech Awards 2009 Intel Environment Award. The project turns slaughterhouse waste into fertilizer and cooking gas.

(Credit: Elinor Mills/CNET)

SAN JOSE, Calif.--Projects that turn slaughterhouse waste into energy and fertilizer, and zinc oxide from fuel cells into fertilizer, as well as programs to fortify rice with nutrients, feed Indian children, and boost wages for artisans were honored Thursday night at the Tech Awards for technology benefiting humanity.

Established in 2001, the Tech Awards recognize 15 laureates in the categories of education, equality, environment, biosciences, economic development, and health. One laureate in each category receives a $50,000 cash prize. The winners were announced at a ceremony at which Al Gore, former U.S. vice president and Nobel Peace Prize winner, received a humanitarian award.

The Intel Environment Award went to the Cows to Kilowatts project, which Dr. Joseph Adelgan conceived of after realizing that people in his hometown of Ibadan, Nigeria, were being exposed to high levels of Salmonella, E. coli and other disease-causing microorganisms from waste runoff from the local slaughterhouse that ended up in surface water and groundwater.

"People were drinking from shallow wells," Adelgan, founder of the Global Network for Environment and Economic Development Research, said during an interview on Thursday. "People in the neighborhood were getting sick and they didn't understand why they were getting sick."

Cows to Kilowatts uses biogas technology to reduce greenhouse gas emissions from the decomposing organic waste from the slaughterhouse. A bioreactor converts the methane and carbon dioxide into cooking gas and fertilizer. The biogas could also be used to generate electricity.

The BD Biosciences Economic Development Award was presented to the Alternative Energy Development Corp., which makes zinc-air fuel cells, an affordable, alternative energy. The fuel cells generate energy and provide light in areas of Malawi, Namibia, Zambia, and South Africa without electricity, while the waste zinc oxide created by the fuel cells during energy production is used to fertilize vegetable gardens, said Rolf Papsdorf, head of the Alternative Energy Development Corp.

Dipika Matthias, project director for PATH's Ultra Rice, shows off the nutrient-fortified grain.

(Credit: Elinor Mills/CNET)

The winner of the Nokia Health Award is tackling the problem of malnutrition in developing countries. Seattle-based PATH offers Ultra Rice, which blends micronutrients like Vitamin A and iron with rice flour into grains that look, smell, and taste like traditional rice. The grain costs 2 percent to 5 percent more than regular rice, or about 41 cents per child per year in India.

Ultra Rice enriched with iron is being fed to 60,000 school children in India, while Brazilians are eating Ultra Rice fortified with iron, zinc, folic acid, and thiamin to combat anemia, said Dipika Matthias, project director at PATH.

Every year in developing countries, Vitamin A deficiency causes about 1 million deaths, folic acid deficiency is responsible for about 200,000 severe birth defects, and more than 60,000 women die from iron deficiency during pregnancy and childbirth, according to PATH.

Winning the Katherine M. Swanson Equality Award was the Fair Wage Guide from the World of Good Development Organization. The free online tool helps artisans around the world make a decent living by calculating fair wages for their work.

The open-source platform generates a localized price analysis of wages paid to artisans in comparison to international poverty levels and helps them figure out how to modify their products to improve efficiency and reduce costs.

The goal is to get their wages to 10 percent higher than the minimum wage for their area, said Audrey Seagraves of the Emeryville, Calif.-based organization.

"Many of the artisans don't know how much to charge for the items they make," she said. The Fair Wage Guide helps them set prices that are reasonable while making a decent wage, she added.

The winner of the Microsoft Education Award went to the Akshaya Patra Foundation, a public-private partnership that uses innovative technology, smart engineering, and good management in kitchens to offer school lunches to children in India at a low cost. The program feeds millions of children lunches for $28 per child per year.

Other laureates include the mPedigree network, which offers a way for people to check that the drugs they take are not counterfeits by texting a code from the label to a server; FrontlineSMS, technology that allows people to text large groups for election monitoring and providing rural medical services; Solar Ear, rechargeable digital aids and batteries for hearing aids, and LeafView: An Electronic Field Guide, which allows field researchers to automatically identify plant species. Sean White, who developed LeafView, said he is working on an iPhone app version of the guide.

Sean White uses a Sony Vaio ultra-mobile PC to take a photo of a ginkgo leaf for analysis and matching in the Electronic Field Guide he developed.

(Credit: Elinor Mills/CNET News)

November 17, 2009 5:24 PM PST

T-Mobile UK says workers sold customer data

by Elinor Mills
  • 8 comments

Updated November 18 at 11:19 a.m. PST to clarify that the data was sold by workers at T-Mobile UK, which is operated separately from T-Mobile USA.

British Information Commissioner Christopher Graham says penalties aren't strong enough to deter the sale of private consumer data.

(Credit: BBC)

T-Mobile workers sold personal data on thousands of customers to third parties who then called the individuals as their wireless contracts were due to expire, a T-Mobile UK spokesman has confirmed.

T-Mobile notified England's Information Commission, the watchdog agency responsible for safeguarding consumer privacy, and said the activity was done "without our knowledge," according to the BBC.

Information Commissioner Christopher Graham told the news agency his office will prosecute the individuals responsible.

It's the latest black eye for the T-Mobile brand in recent months. (T-Mobile UK and T-Mobile USA are operated separately.)

Last month an outage with T-Mobile USA network left Sidekick users unable to access the Web or their address books for several days.

And earlier this month T-Mobile's network in the U.S. suffered a major outage that left customers unable to send or receive text messages and access voice messages for part of a day. The outage was due to a software error in the back-end system that generated abnormal congestion on the network, the company said in a statement.

November 17, 2009 4:00 AM PST

FAQ: Recognizing phishing e-mails

by Elinor Mills
  • 48 comments

If you have received an e-mail from the Internal Revenue Service or the Federal Deposit Insurance Corporation, chances are it was a phishing attempt. If you received e-mail from your bank, PayPal, or Facebook urging you to immediately verify information or risk having your account suspended, it was undoubtedly phishing.

Phishing attacks have spiked this year, according to recent reports. The Anti-Phishing Working Group reports that there were more than 55,600 phishing attacks in the first half of 2009 alone. Phishing is particularly dangerous because once criminals get a victim's password for one Web site they can often use it to get into other accounts where people have re-used the password.

And anyone can be at risk. The wife of FBI Director Robert Mueller banned him from doing online banking after he came close to falling for a phishing attempt.

Here is some basic information that can help people avoid being tricked by phishing attacks.

What is phishing?
Phishing is an attempt, usually via e-mail, to trick people into revealing sensitive information like usernames, passwords, and credit card data by pretending to be a bank or some other legitimate entity. The e-mails typically include a link to a Web site that appears to be legitimate and which prompts users to provide information. Sometimes, the phishing e-mail will include a form in an attachment to fill out. One common tactic phishers use is to pretend to be from the fraud department of a financial institution or online retailer like PayPal and ask for information to be provided to prevent identity fraud. In one case, a phishing e-mail purporting to be from a state lottery commission asked recipients for their banking information so their "winnings" could be deposited into their accounts.

Phishers also are increasingly exploiting interest in news and other popular topics to trick people into clicking on links. One e-mail purportedly about swine flu asked people to provide their name, address, phone number, and other information as part of a survey on the illness. And users of social networks are becoming popular targets. Twitter users have been directed to fake log-in pages.

Attackers are also turning to instant messaging to lure people into their traps. In one recent scam a live chat window was launched via the browser. The scammer communicated to victims via the chat window, pretending to be from a bank and asking for additional information.

This phishing e-mail looks legitimate and even offers to provide tips on how to avoid fraud and spoof e-mails.

(Credit: Screenshot by Elinor Mills/CNETNews.)

What are other recent examples of phishing attacks?

  • A recent e-mail scam asks PayPal customers to provide additional information or risk getting their account deleted because of changes in the service agreement. Recipients are urged to click on a hyperlink that says "Get Verified!"

  • E-mails that look like they come from the FDIC include a subject line that says "check your Bank Deposit Insurance Coverage" or "FDIC has officially named your bank a failed bank." The e-mails include a link to a fake FDIC site where visitors are prompted to open forms to fill out. Clicking on the form links downloads the Zeus virus, which is designed to steal bank passwords and other information.

  • E-mails that look like they come from the IRS tell recipients that they are eligible to receive a tax refund and that the money could be claimed by clicking on a link in the e-mail. The link directs visitors to a fake IRS site that prompts for personal and financial information.

  • A legitimate-looking Facebook e-mail asks people to provide information to help the social network update its log-in system. Clicking the "update" button in the e-mail takes users to a fake Facebook log-in screen where the user name is filled in and visitors are prompted to provide their password. When the password is typed in, people end up on a page that offers an "Update Tool," but which is actually the Zeus bank Trojan.

What are some tell-tale signs of a phishing attempt?
Many phishing attempts originate from outside the U.S. so they often have misspellings and grammatical errors. Some have an urgent tone and they seek sensitive information that legitimate companies don't typically ask for via e-mail.

What should I look for in an e-mail?
Check the sender information to see if it looks legitimate. Criminals will choose addresses that are similar to the one they are faking. For instance, phishers have used "Alerts@Paypal.co.uk." However, legitimate PayPal messages in the U.S. come from "Service@paypal.com" and include a key icon. Most phishing e-mails come from outside the U.S., so an address ending in ".uk" or something other than ".com" could indicate it's a phishing attempt.

The e-mail address may also be obscured. Hitting "reply all" may reveal the true e-mail address. You can also set your e-mail preferences to show "full header" to see the full e-mail address and other information. If you are at all unsure whether the e-mail is legitimate, go to the company's Web site to see the address listed.

Legitimate companies tend to use customer names or user names in the e-mail, and banks often will include part of an account number. Phishing e-mails typically offer generic greetings, like "Dear PayPal customer."

Inspect the hyperlinks inside the body of the e-mail. Phishers typically will use subdomains or letters or numbers before the company name, and sometimes the words in the links are misspelled. For example, www.BankA.security.com would link to the 'BankA' section of the 'security' Web site. Often, it's difficult to tell if the link is legitimate just by looking at it. By mousing over the link you can see the real address on the bottom of most Web browsers.

In addition, PayPal, Amazon, banks, and many other businesses use the SSL (Secure Sockets Layer) protocol which is designed to ensure that customers are visiting the real site. That means https:// will be seen in the URL address bar instead of just http:// and usually there will be some other change in the address bar. For instance, PayPal displays a "P" and its name is highlighted in green at the front of the URL. The major browsers have antiphishing measures designed to detect malicious sites. Some phishers also try to hide the real Web address they are sending victims to by using URL shortening services.
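The sender and hyperlink checks described above can be mechanized. The following Python script is an added example written for this page, not code from CNET or from any of the companies mentioned; the `TRUSTED_DOMAINS` table, the sample addresses and links, and the short list of two-label suffixes are constructed assumptions. It extracts the registrable domain of a link or sender address (so that www.BankA.security.com resolves to security.com), flags links that are not https, flags a brand name that appears only as a subdomain, flags a bare IP address, and flags link text that shows a different address than the real target.

```python
from urllib.parse import urlparse

# Hostnames the reader treats as legitimate for a brand. This table is an
# assumption for the example; "banka" is the hypothetical bank used in the
# article's www.BankA.security.com illustration.
TRUSTED_DOMAINS = {
    "paypal": {"paypal.com"},
    "banka": {"banka.com"},
}

# Two-label public suffixes the naive "last two labels" rule would get wrong.
# Deliberately incomplete; a production check should use the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz"}


def registered_domain(hostname):
    """Return the registrable domain, e.g. 'security.com' for 'www.banka.security.com'."""
    hostname = hostname.lower().rstrip(".")
    # A bare IPv4 address has no registrable domain; return it unchanged so it
    # never matches a trusted brand domain.
    if hostname.replace(".", "").isdigit():
        return hostname
    labels = hostname.split(".")
    if len(labels) < 2:
        return hostname
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(href, brand, display_text=None):
    """Return warnings for a hyperlink that claims to belong to `brand`."""
    warnings = []
    trusted = TRUSTED_DOMAINS.get(brand, set())
    parsed = urlparse(href)
    host = parsed.hostname or ""          # urlparse lowercases the host for us
    domain = registered_domain(host)

    if parsed.scheme != "https":
        warnings.append("not https")
    if domain not in trusted:
        warnings.append(f"link actually goes to {domain}")
        # Brand name present somewhere in the host but not as the real domain:
        # the www.BankA.security.com pattern from the article.
        if brand in host:
            warnings.append("brand name appears only as a subdomain or prefix")
    if display_text:
        shown_url = display_text if "://" in display_text else "https://" + display_text
        shown = urlparse(shown_url).hostname
        if shown and registered_domain(shown) != domain:
            warnings.append(f"displayed address {shown} differs from real target {host}")
    return warnings


def check_sender(address, brand):
    """Return warnings if the From: address is not on a known domain for `brand`."""
    domain = registered_domain(address.rsplit("@", 1)[-1])
    if domain not in TRUSTED_DOMAINS.get(brand, set()):
        return [f"sender domain {domain} is not a known {brand} domain"]
    return []


if __name__ == "__main__":
    # Constructed samples modelled on the article's examples.
    for addr in ("Alerts@Paypal.co.uk", "Service@paypal.com"):
        print(addr, "->", check_sender(addr, "paypal") or ["ok"])
    print(check_link("http://www.BankA.security.com/login", "banka"))
    print(check_link("https://www.paypal.com/", "paypal"))
    print(check_link("http://203.0.113.5/paypal", "paypal", display_text="www.paypal.com"))
```

The suffix handling is the weak point of any such check: without a full public-suffix list, "paypal.co.uk" and "paypal.com" are both two-label-plus domains that a simple rule can mis-split, which is exactly why the script keeps an explicit (if short) suffix table rather than trusting the last two labels.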

If the e-mail has an attachment, be wary of .exe files. Scammers like to hide viruses and other malware there so it executes when opened.

Do not be fooled by the look of the Web site you may be directed to. The Web site may look just like a real bank or PayPal page, including the use of the real logos and branding. It could be a good fake page or it could be a legitimate page with a phishing pop-up window on top.

How can phishing attacks be avoided?

  • Try to stay off spam lists. Don't post your e-mail address on public sites. Create an e-mail address that is less likely to get included in spam lists. For instance, instead of bobsmith@xyz.com, use bob.smith.az@xyz.com.

  • If an e-mail looks reasonable but asks you to verify information, contact the company directly. Type the address of the company into the address bar directly rather than click on a link. Or call them, but don't use any phone number provided in the e-mail.

  • Don't give out personal information requested via e-mail. Legitimate companies and agencies will use regular mail for important communications and never ask customers to confirm log-in or passwords by clicking on links in e-mail.

  • Look carefully at the Web address a link directs to and type in addresses in the browser for businesses if you are uncertain.

  • Don't open e-mail attachments that you did not expect to receive. Don't open download links in IM. And don't enter personal information in a pop-up window or e-mail.

  • Make sure you are using a secure Web site when submitting financial and sensitive information.

  • Change passwords frequently. Don't use the same password on multiple sites.

  • Regularly log into online accounts to monitor the activity and check statements.

  • Use antivirus, antispam, and firewall software and keep your operating system and applications up-to-date.

(My colleague Larry Magid has more tips and a podcast interview with Symantec on avoiding phishing attacks.)

What can I do if I think I've been victimized by phishing?
The Anti-Phishing Working Group has a comprehensive site explaining exactly what steps people should take based on what type of information they have given out.

Where can I report phishing attempts?
You can forward suspected phishing e-mails to reportphishing@antiphishing.org and spam@uce.gov. Companies typically have an address to forward phishing examples to, such as "spoof@company.com." Always include the entire phishing e-mail. Complaints can be lodged with the Internet Crime Complaint Center at the FBI.

Here are additional resources.

http://apwg.org/consumer_recs.html

http://www.irs.gov/newsroom/article/0,,id=154848,00.html

http://www.microsoft.com/mscorp/safety/technologies/antiphishing/guidance.mspx

This phishing e-mail includes a sender e-mail address and link that are obviously not associated with Facebook.

(Credit: Screenshot by Elinor Mills/CNETNews.)

November 16, 2009 9:00 PM PST

Report: Countries prepping for cyberwar

by Elinor Mills
  • 22 comments

Countries armed with "cyberweapons," according to McAfee.

(Credit: McAfee)

Major countries and nation-states are engaged in a "Cyber Cold War," amassing cyberweapons, conducting espionage, and testing networks in preparation for using the Internet to conduct war, according to a new report to be released on Tuesday by McAfee.

In particular, the countries gearing up for cyberoffensives are the U.S., Israel, Russia, China, and France, says the report, compiled by former White House Homeland Security adviser Paul Kurtz and based on interviews with more than 20 experts in international relations, national security and Internet security.

"We don't believe we've seen cases of cyberwarfare," said Dmitri Alperovitch, vice president of threat research at McAfee. "Nations have been reluctant to use those capabilities because of the likelihood that [a big cyberattack] could do harm to their own country. The world is so interconnected these days."

Threats of cyberwarfare have been hyped for decades. There have been unauthorized penetrations into government systems since the early ARPANET days and it has long been known that the U.S. critical infrastructure is vulnerable.

However, experts are putting dots together and seeing patterns that indicate that there is increasing intelligence gathering and building of sophisticated cyberattack capabilities, according to the report titled "Virtually Here: The Age of Cyber Warfare."

"While we have not yet seen a 'hot' cyberwar between major powers, the efforts of nation-states to build increasingly sophisticated cyberattack capabilities, and in some cases demonstrate a willingness to use them, suggest that a 'Cyber Cold War' may have already begun," the report says.

Because pinpointing the source of cyberattacks is usually difficult if not impossible, the motivations can only be speculated upon, making the whole cyberwar debate an intellectual exercise at this point. But the report offers some theories.

For instance, Alperovitch speculates that the July 4 denial-of-service attacks on Web sites in the U.S. and South Korea could have been a test by a foreign entity to see if flooding South Korean networks and the transcontinental communications between the U.S. and South Korea would disrupt the ability of the U.S. military in South Korea to communicate with military leaders in Washington, D.C., and the Pacific Command in Hawaii.

"The ability of the North Koreans to disable cybercommunications between the U.S. and South Korea would give them a huge strategic advantage" if they were to attack South Korea, he said.

There have been earlier attacks that smack of cyberwarfare too. Estonian government and commercial sites suffered debilitating denial-of-service attacks in 2007, and last year sites in Georgia were attacked during the South Ossetia war, orchestrated by civilian attackers, the report says.

The report concludes that if we aren't seeing it already, cyberwarfare will be a reality soon enough.

"Over the next 20 to 30 years, cyberattacks will increasingly become a component of war," William Crowell, a former NSA deputy director, is quoted as saying. "What I can't foresee is whether networks will be so pervasive and unprotected that cyberwar operations will stand alone."

November 16, 2009 1:37 PM PST

Antitrust concerns linger in Google Books deal

by Elinor Mills
  • 10 comments

The revised Google Books settlement agreement may quiet international opponents, but it still gives Google a monopoly on commercializing out-of-print books where the copyrights are unclaimed and fails to protect consumer privacy, opponents said on Monday.

"We're at a crossroads," Internet Archive Director Brewster Kahle said during a panel late Monday on the Future of Books at the Commonwealth Club in San Francisco. "Is it going to be a subscription life...where one or two companies own the distribution and presentation (rights) to these books?"

In response, Google Books Engineering Director Dan Clancy said: "This is just one of a panoply of choices that people will have in the future."

Brewster Kahle, Internet Archive director, and Dan Clancy, engineering director of Google Books, face off during a panel at the Commonwealth Club.

(Credit: Elinor Mills/CNET)

Google is scanning and digitizing books in libraries and publishers' catalogs so people can view and search them online and buy electronic versions. The company is striking deals with publishers for copyright-protected books and offering to pay rights holders to digitize out-of-print works, and will share revenue from sales with authors.

The agreement would settle a 2005 copyright infringement lawsuit filed by the Authors Guild over Google's book scanning plans.

Key concerns focus on licensing rights to so-called "orphan works" where the copyright holder is unknown, as well as books where the rights holder has not stepped forward--together estimated to represent more than half of the available works.

The modified settlement, filed in federal court in New York late on Friday, attempts to address U.S. Department of Justice concerns that the settlement would give Google unfair competitive advantages and violate copyright law.

Copyright holders now have more control than they previously had. Authors and publishers were given seats on a Books Rights Registry board, a nonprofit that would be responsible for making payments and holding revenue from unclaimed works for up to 10 years. The registry is now required to search for copyright holders who have not yet come forward, and revenue from unclaimed works will be used to locate copyright holders instead of for operations or distribution to known copyright holders.

The revised settlement also could remove some of the heat Google was getting from governments in other countries over copyright concerns. Author and publisher groups in Germany, France, China, and elsewhere have voiced opposition to the Google Books plan. In response, Google, the Authors Guild, and other parties in the settlement excluded any out-of-print works not registered in the U.S. or published in the U.K., Australia, or Canada.

"Just because they are taken out of the agreement doesn't mean Google will stop scanning their books," Pam Samuelson, director of the Berkeley Center for Law & Technology, said of the works from the other countries. "Google has already scanned many of their books."

Also troubling to critics is the fact that the revised settlement circumvents traditional copyright provisions by allowing Google to digitize orphan works without first getting rights holder permission, while any Google competitors are blocked from doing so barring legislation granting them licensing rights.

"For the millions of volumes of orphan books that Google has already scanned in, they can offer those without risk of anyone coming forward and suing them for infringement," said John Simpson, a consumer advocate at Consumer Watchdog.

The Justice Department's main concerns were not addressed, others added. (A DOJ spokeswoman did not return a call seeking comment.)

"The Department of Justice was trying to get them to also create a mechanism for licensing to third parties and the amended settlement agreement doesn't go that far," Samuelson said. "It creates a fiduciary for unclaimed books to potentially license unclaimed books at some point in the future, but only if Congress passes orphan works legislation."

Why monetize unclaimed works before getting permission?
Danny Sullivan, editor-in-chief of Search Engine Land, wrote on his blog: "Given that everyone is so positive that you CAN find rights holders for most of these unclaimed works, why not go out and find them first, then ask if they want to be included. Surely the settlement can generate enough money from books with known authors to fund that without having to include these books at the outset?"

"The Registry is trying to lay claim and charge for, monetize, works that have never been claimed and this is what causes the whole thing to be broken," Kahle of the Internet Archive said after the Commonwealth panel. The Internet Archive has been scanning books and archiving all types of media for years, but on nonprofit resources.

However, Clancy said most of the unclaimed works will eventually be claimed and predicted there would be legislation soon to resolve the matter. "We will have orphan works legislation before this thing is over ... [because of the settlement] people are pushing to resubmit it as we speak," he said.

Samuelson and other critics are worried that as a result of Google having the only comprehensive collection of out-of-print books, there will not be competitive pressure on the company to keep prices fair. "The risk of price gouging over time is very high and universities in particular have experienced excessive increases in prices of scholarly journals over the last few years," she said.

Samuelson reiterated her concerns about pricing at the Commonwealth panel event, adding that she doesn't think Google will price gouge in the immediate future, but that it could happen in the longer term. Clancy made no assurances but mentioned something about there being alternatives, like physical books, and that "the platform is there to provide the protections."

"The settlement is a total failure to address most of the problems the Justice Department raised and virtually all the problems raised by U.S. objectors and amicus [friends of the court] briefs," said Gary Reback, an antitrust lawyer and leader in the Open Book Alliance, whose members include nonprofit author groups, library institutions, and Google rivals Amazon, Microsoft and Yahoo.

"If we are going to allow Congress to [pass a law granting others licensing rights for orphaned works] why do we need a settlement?" said Reback. "The right way to do this would be to have Congress deal with it; not for Google to give itself a preference."

Of the settlement's handling of orphan works, James Grimmelman, a professor at New York Law School, writes on his blog that "It's a very clever hack. I have my doubts whether it's legal." Google remains "the only game in town" for unclaimed works, he said. (For more on the copyright implications of the settlement read Larry Downes' guest column on CNET News.)

The amended settlement also does not provide privacy protections for consumers that privacy advocates and authors including Michael Chabon, Bruce Schneier, and Jonathan Lethem had requested.

"One of our core privacy concerns with the settlement has been that reading records are not properly protected from disclosure to the government and third parties," the American Civil Liberties Union of Northern California wrote in a blog post. "Readers should be able to use Google Book Search without worrying that the government or a third party is reading over their shoulder."

In response to Samuelson complaining at the Commonwealth event that the revised settlement offers no privacy protections for consumers, Google's Clancy said, "We didn't think the settlement was the right place to discuss this."

Updated 8:20 p.m. PST with Google, Internet Archive, and Samuelson comments at Commonwealth Club event Monday night.

Originally posted at Digital Media

November 15, 2009 3:00 PM PST

Hackers create tools for disaster relief

by Elinor Mills
  • 19 comments

MOUNTAIN VIEW, Calif.--Google, Microsoft, and Yahoo may be tough competitors when it comes to Internet software and services, but they are putting their differences aside to build a developer community to tackle bigger picture problems like saving lives in emergencies.

The companies have joined with NASA, the World Bank, and PR agency SecondMuse to organize the first-ever Random Hacks of Kindness event, which was held at a warehouse space-cum-community center called Hacker Dojo this weekend. For two days, coders worked on ways to use technology to help solve real-world problems, such as how people can get information and find each other during disasters.

Developers gave presentations on their projects at the Random Hacks of Kindness event on Saturday at a space dubbed Hacker Dojo.

(Credit: Elinor Mills/CNET)

The event came about after representatives from Google, Microsoft, and Yahoo attended a Crisis Camp conference for emergency and disaster relief groups in Washington, D.C. in May. The technologists decided that they would join forces to create a community of developers to build tools to help emergency workers.

"We're trying to seed the community," said Jeffery Martin, business product manager for Google Crisis Response. "We're saying, partner with the private sector and we can push technology forward and innovate."

Developers worked on a dozen or so tools that could help disaster and emergency workers in times of crisis. Several tools took advantage of social media sites, like Twitter, and SMS for information sharing. One project envisioned using laptops, routers, mobile devices, USB keys and Wi-Fi to create a mesh network for times when normal networks are down.

Several projects explored the use of maps, including one group that built a widget that allows a user to click on a point in a map to have the coordinates automatically inserted into a message that can then be posted to multiple social networks at once via the HelloTXT service.

The first-place prize went to a group of Carnegie Mellon Silicon Valley researchers who also work at NASA. They worked on a mobile notification app that can be used when regular cellular networks are so bogged down people can't make phone calls. Using the "I'm OK" app, people can easily notify friends and family members that they are safe via SMS by clicking one button. The "I'm OK" message is then instantly distributed to everyone a user has designated on a pre-set contact list.

The I'm OK mobile app lets people notify loved ones via SMS that they are safe.

(Credit: Elinor Mills/CNET)

Separately, NASA coders collaborated with Google on a GeoCam tool that was used by people fighting California fires earlier this year to place photos of burn areas that were taken by GPS-enabled cell phones on maps so workers can see what damage is like in specific locations.

In addition to training Ames Research Center employees to be first responders in disasters, NASA wants to offer developers use of the satellite and other earth science data collected by its spacecraft, which comes to about four terabytes per day, said Robert Schingler, a project manager in the office of the center director at NASA Ames Research Center at nearby Moffett Field. NASA also has tools to analyze the data, which provide information about things like sea surface temperatures, ice sheet activity, and aerosols in the upper atmosphere, he said.

"We've got 40 years of data," Schingler said. But NASA needs a good application programming interface (API) so developers can make better use of it, he said. Meanwhile, the tools developed at Random Hacks of Kindness events could be used by workers at the World Bank and other agencies.

"It's a perfect opportunity to mobilize the technology community to work on issues such as sustainable development and disaster relief," said Emma Phillips, a consultant in disaster risk management and sustainable development at the World Bank. "This is a first step in building community, and bringing together the public and private sectors for a common goal."

The next Random Hacks of Kindness event will be early next year in Washington, D.C.

November 13, 2009 5:15 PM PST

Microsoft patching zero-day Windows 7 SMB hole

by Elinor Mills

Microsoft on Friday said it is working on a fix for a vulnerability in its implementation of the Server Message Block (SMB) file-sharing protocol in Windows 7 and Windows Server 2008 R2 that could be used to remotely crash a computer.

The software giant had said on Wednesday that it was looking at the bug, discovered by researcher Laurent Gaffié, who published proof-of-concept code on a blog.

"Microsoft is aware of public, detailed exploit code that would cause a system to stop functioning or become unreliable. If exploited, this [denial-of-service] vulnerability would not allow an attacker to take control of, or install malware on, the customer's system but could cause the affected system to stop responding until manually restarted," Dave Forstrom, group manager for public relations at Microsoft Trustworthy Computing, said in a statement. "It is important to note that the default firewall settings on Windows 7 will help block attempts to exploit this issue."

Microsoft is not aware of attacks to exploit the hole at this time, he said.

In an advisory, Microsoft criticized the way Gaffié handled the discovery.

"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk," the advisory said. "We continue to encourage responsible disclosure of vulnerabilities."

The advisory suggests that customers block Transmission Control Protocol, or TCP, ports 139 and 445 (the NetBIOS session service and SMB over TCP, the two ports on which Windows accepts SMB connections) at the firewall as a workaround until a patch is ready.
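A firewall workaround is only as good as its verification. The script below is an added example, not code from Microsoft's advisory or from the article: it completes a plain TCP handshake against ports 139 and 445 on each host and reports which hosts still answer, which is what you want to run from outside the perimeter after adding the block rule. It does not send any SMB traffic, so it is safe to point at production; the loopback listener it starts is a constructed stand-in for an unpatched host so the demo runs offline. Host names in the comments are hypothetical.

```python
"""Verify that TCP 139 and 445 are no longer reachable on a set of hosts.

Added example (not from the CNET article or Microsoft's advisory). A host
that still completes a TCP handshake on either port is still reachable by
the denial-of-service code the advisory describes, whatever the rule says.
"""
import contextlib
import socket
import threading

SMB_PORTS = (139, 445)  # NetBIOS session service and SMB over TCP


def port_accepts_connections(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes.

    A refused port (RST) or a filtered one (no answer before `timeout`) both
    return False; from this vantage point the workaround is then in effect.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError, timeout, host unreachable, ...
        return False


def smb_exposure(host: str, ports=SMB_PORTS, timeout: float = 2.0) -> dict:
    """Map each SMB port on `host` to True (reachable) or False (blocked/closed)."""
    return {port: port_accepts_connections(host, port, timeout) for port in ports}


def hosts_still_exposed(hosts, ports=SMB_PORTS, timeout: float = 2.0) -> list:
    """Return the hosts on which at least one of `ports` still answers."""
    return [h for h in hosts if any(smb_exposure(h, ports, timeout).values())]


@contextlib.contextmanager
def local_listener():
    """Constructed stand-in for an unpatched Windows host: a loopback TCP
    listener on an ephemeral port. Yields the port; closes the socket on exit."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()  # handshake completed; that is all we measure
            except socket.timeout:
                continue
            except OSError:  # listener closed from the main thread
                break

    worker = threading.Thread(target=accept_loop, daemon=True)
    worker.start()
    try:
        yield port
    finally:
        stop.set()
        srv.close()
        worker.join()


if __name__ == "__main__":
    # Offline demo against the loopback stand-in instead of a real Windows box.
    with local_listener() as port:
        print("listener up:  ", smb_exposure("127.0.0.1", ports=(port,)))
    print("listener down:", smb_exposure("127.0.0.1", ports=(port,)))
    # Real use (hypothetical host names):
    # print(hosts_still_exposed(["fileserver.example", "10.0.0.5"]))
```

Run it from a machine on the far side of the firewall you changed; a check from inside the same segment proves nothing about the rule. A result of False on both ports means the handshake never completed, which is the property the workaround is meant to give you, but it says nothing about whether the host is patched.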


November 12, 2009 12:23 PM PST

RSA reveals details behind re-shipping scam

by Elinor Mills

RSA FraudAction Research Lab has uncovered the workings behind a recent re-shipping scam in which U.S. residents were used as mules to send goods purchased with stolen credit card numbers overseas.

The operation began a year ago and received applications from more than 1,900 people, though only 33 people were "hired," according to an RSA FraudAction Research Lab blog post on Thursday.

Laptops, iPods, iPhones, Nokia smartphones, digital cameras, Sony PlayStation 3 devices, and DJ equipment were among the items shipped to addresses in Russia and Belarus. RSA estimates that more than $36,000 worth of merchandise was cashed out every month before the scam ended earlier this year.

The operation masqueraded as a company called "Air Parcel Express," and it had an authentic-looking Web site, RSA said. However, there is a legitimate shipping firm with the same name that is completely unassociated with the scam.

The use of unwitting accomplices to re-ship items purchased fraudulently in the U.S. to other countries is not new. However, the degree to which the scammers went in creating the illusion of legitimacy is noteworthy, RSA said.

"They had a really professional, highly executed effort in recruiting the re-shippers, which is fairly novel," said Sean Brady, senior manager of identity protection and verification at RSA. "The average re-shipping campaign is based on e-mail or ads that direct people to a crude location" on the Web, he added.

Here's how the scams work. Criminals get credit card numbers through phishing, Trojan attacks, and hacking databases, like those of Heartland Payment Systems and RBS WorldPay. They use the information to make online purchases, typically of electronics that they can resell at a high profit and that are usually bought in the U.S., where they are cheaper.

The criminals recruit U.S. residents to receive the goods and re-ship them abroad. Re-shippers are asked to unpack the item from the merchant's box and put it in a plain box, probably so the boxes face less scrutiny at customs, Brady said.

To find the mules, the criminals advertise on legitimate employment Web sites and on search engines. Usually, the re-shippers don't get paid as promised, RSA said.

"What's interesting is that criminals in Eastern Europe can orchestrate the campaign, recruit in the U.S., and ship to Europe without ever needing to have any level of personal contact" with the re-shippers, Brady said.

More information on how job seekers can detect scams is available from the Privacy Rights Clearinghouse, as well as Monster.com and the U.S. Federal Trade Commission.

The Web site for the re-shipping operation (shown here) looked legitimate, RSA says.

(Credit: RSA)

November 12, 2009 11:12 AM PST

Expert says Adobe Flash policy is risky

by Elinor Mills

Updated 1:49 p.m. PST to clarify that the Gmail issue was fixed and that any attack there would be theoretically possible but extremely difficult to accomplish.

A lax security policy in Adobe Flash puts visitors to user-generated content sites at risk, says a researcher who has found a technique exploiting the way browsers handle Flash files.

The problem stems from the origin policy of Adobe Flash, Mike Bailey, a senior security researcher at Foreground Security, said in an interview on Wednesday. "Adobe should change the way Flash Player handles the security policy so it doesn't allow arbitrary content to access the application without permission."

"By default, Flash Player trusts anything, but it should only trust what is allowed," he said, providing more technical discussion in a blog post.

For example, someone could upload what appears to be a picture to a social-networking site but which is actually a Flash file designed to execute malicious code in the browser when the file is opened. Anyone who views that picture could be compromised, said Mike Murray, chief information security officer at Foreground Security.

Bailey said that as far as he knows the technique has not been used in the wild as an attack, but that a "huge number of sites are vulnerable." (Gmail previously had an issue that could allow for this type of attack, but that has been fixed. A Flash payload could "theoretically" still be executed there, but it would be incredibly difficult to do, Bailey wrote in his post.)

Adobe has known about the issue for a while but says it can't fix it without risking breaking a lot of existing Flash content and applications around the Web, he said.

Administrators can make configuration changes to each Web site to mitigate the risk, Bailey said.

Meanwhile, users should disable Flash completely or use NoScript, a browser plug-in that blocks Flash and Java from untrusted sites, he said.
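The site-side fix Bailey alludes to has two parts, and the example below is added here to show both; it is not code from Foreground Security or Adobe. The core of the problem is that Flash Player decides what a file is from its first bytes, not from the file name or the Content-Type the server sends, so a file named avatar.jpg that begins with a SWF signature is a SWF to the plug-in, running with the uploading site's origin. The first function checks the magic bytes of an upload against the extension it claims (SWF files begin with "FWS", "CWS" or "ZWS" at offset 0); the second builds the response headers for serving anything user-supplied so that it is delivered as a download rather than rendered inline. Function and constant names are this example's own, and the sample uploads in the demo are constructed.

```python
"""Reject disguised SWF uploads and serve user content as non-executable.

Added example, not code from Foreground Security or Adobe. Layer 1 rejects
an "image" whose bytes are really a Flash file; layer 2 serves accepted
files with headers that keep a browser from rendering them in the site's
origin. Hosting user content on a separate domain is the third layer and
is assumed to be handled by the site's deployment, not shown here.
"""
import os

# Uncompressed, zlib-compressed and LZMA-compressed SWF signatures. Flash
# Player requires one of these at offset 0, so a prefix check is exact here.
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")

# Bytes a file must start with to be accepted under each allowed extension.
IMAGE_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

MIME_BY_EXT = {".jpg": "image/jpeg", ".jpeg": "image/jpeg",
               ".png": "image/png", ".gif": "image/gif"}


def inspect_upload(filename: str, data: bytes):
    """Return (accepted, reason) for an upload that claims to be an image.

    The extension is only used to pick which signature the content must
    carry; the decision itself is made on the bytes, as Flash Player's is.
    """
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_SIGNATURES:
        return False, "extension not allowed"
    if data.startswith(SWF_SIGNATURES):
        return False, "content is a Flash (SWF) file, not an image"
    if not data.startswith(IMAGE_SIGNATURES[ext]):
        return False, "content does not match the claimed image type"
    return True, "ok"


def user_content_headers(filename: str) -> dict:
    """Response headers for serving an accepted upload.

    Content-Disposition: attachment makes a direct visit download the file
    instead of rendering it (an <img> tag still displays it), and nosniff
    tells browsers that honour it not to second-guess the declared type.
    """
    ext = os.path.splitext(filename)[1].lower()
    return {
        "Content-Type": MIME_BY_EXT.get(ext, "application/octet-stream"),
        "Content-Disposition": 'attachment; filename="%s"'
                               % os.path.basename(filename),
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample uploads: a SWF header wearing a .jpg name, a real
    # PNG header, and a JPEG header claiming to be a PNG.
    samples = [
        ("avatar.jpg", b"FWS\x0a" + b"\x00" * 16),
        ("avatar.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("avatar.png", b"\xff\xd8\xff\xe0" + b"\x00" * 12),
        ("movie.swf", b"CWS\x0a" + b"\x00" * 16),
    ]
    for name, blob in samples:
        print(name, inspect_upload(name, blob))
    print(user_content_headers("uploads/avatar.png"))
```

The signature check closes the specific trick described above (a SWF uploaded under an image name), but it is a blocklist for one format; anything the plug-in or browser will execute from a site's origin needs the same treatment, which is why the attachment header and a separate content domain matter more than the magic-byte test. Note that nosniff is a browser hint and does not affect what the Flash plug-in does with an `<object>` it is pointed at; the attachment disposition and the separate origin are what take the uploaded bytes out of the site's security context.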

Asked to comment, an Adobe representative provided this statement:

"Generally speaking, by nature, Flash (SWF) content is powerful, active content and should be handled with the same care as other active content technologies, such as JavaScript, to ensure a site's design does not become vulnerable to abuse scenarios. Adobe has always advised that allowing arbitrary uploads or attachments of Flash (SWF) content to trusted domains should not be performed due to potential abuse scenarios, such as the ones outlined by Mike Bailey. Adobe has published several best practice advisories and blog posts for developers and site owners on how to safely host Flash content. For example, our Flash Player security white paper describes our model in great detail."

This screenshot shows an e-mail attachment executed in the context of a Squirrelmail client session, which leads to compromise of the Web-based e-mail account.

(Credit: Foreground Security)