Princeton Review test scores online

Test-preparatory firm The Princeton Review accidentally published the personal data and standardized test scores of tens of thousands of Florida students online, “where they were available for seven weeks,” says The New York Times.

A security hole “allowed anyone to type in a relatively simple Web address and have unfettered access to hundreds of files on the company’s computer network, including educational materials and internal communications,” says the story, going on:

Another test-preparatory company said it stumbled on the files while doing competitive research. This company provided The New York Times with the Web address of the internal files on the condition that it not be named. The Times informed the Princeton Review of the problem on Monday, and the company promptly shut off access to that portion of its site.

One file on the site contained information on about 34,000 students in the public schools in Sarasota, Fla., where the Princeton Review was hired to build an online tool to help the county measure students’ academic progress. The file included the students’ birthdays and ethnicities, whether they had learning disabilities, whether English was their second language, and their level of performance on the Florida Comprehensive Assessment Test, which is given to students in grades 3 to 11.

Another folder contained dozens of files with names and birth dates for 74,000 students in the school system of Fairfax County, Va., which had hired the Princeton Review to measure and improve student performance.

According to the New York Times, The Princeton Review said student information should have been protected by a password, but the protection was “most likely lost when the company moved its site to a new Internet provider in late June”.

“It’s now looking into how many people might have accessed the files, some of which could be found through search engines,” adds the story.

Spam Victims Won’t Go to Rehab, No No No

I was reading the Symantec State of Spam report for August and I thought this was funny and tragic: email spam targeting alcoholics and other users, and advertising rehab services. Users click the link allegedly for a rehab program, enter their personal information — and instead of getting help, they get scammed.

The report says:

July 2008 saw the emergence of rehab spam. Subject lines have included:

- Get help today with Drug Rehab Info
- Overcome Alcoholism today

Spammers are constantly trying new tactics to try and coerce recipients into opening a spam message so that they can obtain personal information from end users. In this particular example, they are trying to target individuals who are not in good health, in the hopes that they will act on this spam message and give away their personal details.

Read the full August State of Spam report here.


This Generation’s Apathy: The Age of Specialization and ADD

Robert Scoble has some interesting commentary this morning about the number of photojournalists with expensive gear covering the Olympics.

He’s a bit indignant that so much energy goes to sporting events like the Olympics rather than more important news that isn’t getting reported around the world.

This is in a year when tons of journalists are getting laid off.

This is in a year when there are tons of stories around the world that aren’t getting reported on.

Could we take half of those photographers and send them to Russia, for instance?

Reminds me of a feeling I had back in college as an undergrad student studying social sciences and humanities, about the way my friends who were physicists interacted with the world. They were so awed by the stars, Mars, astrophysics, and it seemed to me interesting but altogether unimportant. They argued they may find something outside our planet that could help solve Earth-bound problems like disease, or find the origins of earth and humanity — but really they were doing it because they loved it. One of my friends had a good argument, though — there are enough people right now that we can specialize in what we care about, and there will still be others covering other topics. He could be a physicist and look into the universe’s origin, while I studied social interaction and writing, and our other friends looked into solving cancer or eradicating invasive plants in the native wetlands. We have to specialize, and there are enough of us to do it too.

I think it’s the same way in journalism — whether it’s sports, celebrity journalism, or coverage of politics and war, there are a lot of opportunities right now for journalists. Of course the business model is changing, and some old-schoolers won’t know how to roll with that, but generations change slowly; we’re learning.

Also, the Olympics is seen as more than a sporting event, it’s also a symbol of world competition and cooperation too — a way for countries to come together and share entertainment globally. I think that’s worth covering.

In the second post, Robert Scoble says there are plenty of great journalists but the public doesn’t care. In some ways I have to agree with that, but I don’t think it’s negative, necessarily. I had a conversation with someone the other day about world news reportage. He says, “I was just reading this story, but what does it matter to me if there’s a flood in some city in another country I’ll never visit and some farmer lost his sheep?” World news is only important when it’s relevant, so it’s no wonder that many people don’t care — if they don’t know much about the area, and it doesn’t affect them, they have no incentive to give it full attention. You can call that apathy, but I think it’s an important selectivity skill that humans have. We have to choose what to give priority to, so if nothing stands out as being particularly important, we just ignore it or gloss over it. Human nature…

Also I think the common person today just gets desensitized and doesn’t know where to turn their energy, when surrounded by so many crises. Either you focus on one specialty and do your best to work toward one cause in your life — and maybe that’s just in the course of your daily work — or you become a complete Attention-Deficit-Disorder case and bounce from one problem to the next, without knowing how to solve anything. That just causes a sense of bewilderment, despair, and either that bogs you down or eventually you get desensitized.

There’s a commenter on Scoble’s blog, Spencer, who talks about this generation’s apathy. There are so many people who want to blame today’s generation or the young generation for this “apathy” that they sense. But I see it as a survival mechanism that arises from the way information flows these days. We’re surrounded by crises, everyone wants us to know about them — the water shortage, global warming, death in Iraq, the national deficit. Okay, crisis, I get it. But no one gives a real clear idea on what any individual is really supposed to do to solve the problem. You can’t get involved with one global cause, without ignoring all the others, and if you do get involved it’s likely to become your life’s purpose. Most people are concerned with other things — their families, their work, personal development, their homes and futures, and really that’s enough to take up all their time.

I’m always amazed when I read about the early unionists. Emma Goldman, for example, the activist who pushed for the 8-hour workday and campaigned for free love in the early 1900s when women were still wearing corsets, used to work 16-hour factory days as a seamstress, then lead meetings late into the night. Today we lead cushy lives comparatively: 8-hour days, plus commute and lunch, family time, dinner time, gym maybe, sleep… but it still doesn’t seem like we ever have enough energy and time.

What Emma had that most people today don’t, is a community living in the same conditions as herself, with clear goals about what they were campaigning for, and a cause that affected their own daily lives. Today, unionism and local activism is in much shorter supply, in part due to the many people who work fairly comfy desk jobs, and the problem that everyone has his own specialization, works in a cubicle, does his or her own thing. The problems we’re facing today in terms of global warming, global water shortage, aren’t the same kinds of problems that activists have fought for in the past, and there’s no clear road map for how to solve them. Our leaders sure aren’t leading the way.

What we do have, at least, is the Olympics, which is an age-old symbol of international cooperation, play and competition… so, uh, go sports! As for full disclosure, I don’t actually have a TV and haven’t watched the Olympics in many years, but I do try taking short showers; does that help?


New Releases at Defcon

One of my funny moments at Black Rock City last year was meeting a random guy early one morning on deep playa, chatting and finding out we both were involved in IT security. He’d been at the defcon conference just before Burning Man, we talked for just a minute about industry publications and the hacker contests, before getting distracted with shinier things. I’m not going this year but everyone I know is buzzing about BM this year:)

I was just reminded of this randomly just by reading this list of new tools released at the Defcon this year. Sounds like a busy conference, with a lot of hackers who love what they do. Good stuff.

It has become more like a global fair than what most people think of conferences; even the badge is highly unique. I say this because there are so many things to do at DEFCON, other than going to talks, that you could spend your whole weekend looking at the “World’s Largest Boar!” so to speak. One of the CTF (Capture the Flag) contest winners this year actually exclaimed that he only made it to 2 talks in 12 years! I am also one of those individuals who barely get a chance to go to talks and now that the speaker pool is so diverse it’s hard to find all of the “stuff” they release.

Spamza - The Ultimate Spamming Weapon - Or is It?

Spamza.com is a website that recently went live, where you can enter someone’s - anyone’s - email address, and they will start getting instantly spammed by dozens of newsletters for which they did not sign up. If you’ve had a sudden increase in spam or suddenly found yourself signed up for a lot of newsletters and mailing lists that you didn’t request, Spamza may be why. You see, the Spamza site runs a script that takes their email address and then Spamza signs them up for those newsletters, without their permission.

Spamza then also encourages its victims to do the same thing to someone else, by sending the target email address several emails that are the spam equivalent of “nyeah, nyeah”, taunting the victim and saying:

You got spammed!
Get your revenge and spam your enemies at

http://www.SpamZa.com
http://www.SpamZa.com
http://www.SpamZa.com
http://www.SpamZa.com
http://www.SpamZa.com

SpamZa.com will sign up any email to hundreds of newsletters anonymously

Now, clearly this is pure evil.

But, is it really what it seems?

Let’s think this through.

The Spamza script that runs when you enter someone’s email address signs that email address up for a bunch of newsletter mailing lists.

However, this only works because those mailing lists don’t use confirmed (double) opt-in, which is considered the industry standard for best email practices. This means that they add that email address to their mailing list without first confirming that the owner of the address really wants to be on the mailing list.

Confirmed or double opt-in means that they first send an email to that address asking the owner of that email address to confirm that they really want to be on the mailing list, by clicking a link, or replying to the confirmation email.

(And actually, some of those mailing lists are confirmed opt-in, and did send confirmations when we did our own testing of Spamza - good for them!)

The point here is that the only reason Spamza is able to create the havoc that it does is because people run single opt-in mailing lists, where they grab any email address that comes their way, say “Oh goody! Another subscriber!”, and add it to their list, without first checking that it was a legitimate subscription.
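To make the difference concrete, here is an added example (not code from the original post or from any mailing-list product) contrasting a single opt-in list, which subscribes whatever address is submitted, with a confirmed opt-in list that only subscribes an address after its owner returns an HMAC-signed, time-limited confirmation link. The confirmation endpoint `https://lists.example.test/confirm` and the sample addresses are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlencode, urlparse

# Per-deployment signing key; generated at start-up here, it would live in a secret store in practice.
SIGNING_KEY = secrets.token_bytes(32)
CONFIRM_TTL = 24 * 3600                               # confirmation links are honoured for one day
CONFIRM_BASE = "https://lists.example.test/confirm"   # hypothetical confirmation endpoint


@dataclass
class MailingList:
    pending: dict = field(default_factory=dict)   # email -> expiry of the outstanding confirmation
    confirmed: set = field(default_factory=set)   # addresses whose owners actually clicked


def single_opt_in(lst: MailingList, email: str) -> None:
    """The weak practice the post describes: whoever submits an address gets it subscribed."""
    lst.confirmed.add(email.strip().lower())


def _token(email: str, expires: int) -> str:
    # HMAC over address and expiry, so a link cannot be forged, altered, or reused for another address.
    msg = f"{email}|{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def request_subscription(lst: MailingList, email: str, now: int) -> str:
    """Confirmed opt-in, step 1: nothing is subscribed yet; return the link that is mailed to the address."""
    email = email.strip().lower()
    expires = now + CONFIRM_TTL
    lst.pending[email] = expires          # a newer request supersedes any older outstanding link
    query = urlencode({"email": email, "exp": expires, "tok": _token(email, expires)})
    return f"{CONFIRM_BASE}?{query}"


def confirm(lst: MailingList, link: str, now: int) -> bool:
    """Confirmed opt-in, step 2: subscribe only when the mailed link comes back intact and in time."""
    params = parse_qs(urlparse(link).query)
    try:
        email = params["email"][0].lower()
        expires = int(params["exp"][0])
        token = params["tok"][0]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False                                        # stale link
    if not hmac.compare_digest(token.encode(), _token(email, expires).encode()):
        return False                                        # forged or tampered link
    if lst.pending.get(email) != expires:
        return False                                        # no outstanding request, or already used
    del lst.pending[email]
    lst.confirmed.add(email)
    return True


def bulk_submit(lst: MailingList, addresses, now: int, confirmed_opt_in: bool) -> int:
    """Simulates a third party pushing many addresses at the signup form; returns the subscriber count."""
    for addr in addresses:
        if confirmed_opt_in:
            request_subscription(lst, addr, now)
        else:
            single_opt_in(lst, addr)
    return len(lst.confirmed)


if __name__ == "__main__":
    victims = [f"user{i}@example.test" for i in range(5)]   # constructed addresses
    weak, strict = MailingList(), MailingList()
    print("single opt-in subscribers:", bulk_submit(weak, victims, 1_000_000, confirmed_opt_in=False))
    print("confirmed opt-in subscribers:", bulk_submit(strict, victims, 1_000_000, confirmed_opt_in=True))
```

On the confirmed opt-in list the third-party submission only produces pending entries and confirmation mails; the address is subscribed solely when its owner follows the link, and a used, expired, or altered link is rejected.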

Now, we have been saying for years that running single opt-in mailing lists, even if you are pure of heart, is a wide open security hole, because anybody can sign up someone else. And the response has always been “Oh c’mon, you’re making that up - nobody would actually do that. Who would do that??”

Well, here’s your answer.

Spamza would do that.

Which brings us to our title question: is Spamza really the ultimate spamming weapon? Or, is it the ultimate anti-spammer weapon?

Was Spamza created by some whacko who just wanted to see how much spam they could proliferate on the Internet?

Or was Spamza created by some ardent anti-spammer, who knew that, among other things, all those single opt-in mailing lists would get in trouble for having been duped into unwittingly proving what the email receiving and anti-spam industries have been saying all along: single opt-in is ripe for abuse?

You be the judge - here is what Spamza says about itself:

“SpamZa.com is a website designed to promote newsletters and interesting content. WE DO NOT SEND SPAM. SpamZa will subscribe the e-mail you submit to hundreds of popular and free newsletters. You can leave these newsletters at any time. Simply speaking, you put in any e-mail, you click “Spam this email!” and we do the rest. The said e-mail will be registered to hundreds of daily newsletters and receive thousands of e-mails, most of which avoid the junk filter. The point of this website? To send as many newsletters as possible to as many people as possible. There are very few things the owner of the e-mail can do: change his e-mail address (but you can re-submit his e-mail), manually unsubscribe from hundreds of newsletters (but you can resubscribe him… if you are really evil) or ignore all the messages (it becomes impossible to execute the most basic tasks). In short, SpamZa! is a very mean way to create a lot of problems ;)

SpamZa was created with the idea that spam and newsletters were our friends, not our enemies. Think about it for a second: some people worked really really hard to write interesting newsletters and emails. The least we can do is read them! SpamZa will subscribe any email sent to hundreds and hundreds of newsletters. Furthermore, its algorithm always being under development, you can expect the e-mail owner to make a lot of friends from Nigeria who have a lot of money to give, and he can expect to have his Bank of America/Citigroup/eBay/Paypal account suddenly locked with a poorly written email from LOLUGETSCAMMED@PHISINGROFLMAO.com. You know all the newsletters that say “we do not redistribute or resell your email” (but do anyway)? We do the opposite. We get your email known, and pretty well known, to as many newsletters as possible. Expect any email entered in our form to receive 100-150 emails per day at the bare minimum, most being able to bypass most junk filters. To use our service, enter any email and click “Spam this email!” and get ready to get spammed. You may enter any email you want but please understand this is very, very mean to use. For maximal efficiency, enter the email every day and re-spam it, so even if the person unsubscribes, he’ll get in again the next day.

SPAMZA DOES NOT SEND SPAM. SPAMZA TAKES NO RESPONSIBILITY FOR THE E-MAIL YOU CHOOSE TO SUBMIT TO OUR ALGORITHM. SPAMZA WAS CREATED TO PROMOTE POPULAR NEWSLETTERS AND NOT FOR SPAM. SpamZa is perfectly legal and respects all anti-spam policies around.

SpamZa is not responsible for any consequences of using its services. SpamZa provides its services in a purely informative manner. The user is solely responsible for the email he submits to our engine and algorithm. We are not responsible for any unwanted email from anyone. We do not send unwanted email and do not maintain a newsletter for ourselves. SpamZa is neither affiliated nor associated with any newsletter or website sent from using this service. SpamZa does not approve nor disapprove any email, communication letter or information sent using its service. If you received spam because someone used SpamZa on you, we do not care. If you want to bitch because your email is unusable, we do not care, but please send us your hate mail anyway so we can laugh at it. If you are frustrated about our website, good for you.

PRIVACY
We never reveal the IP of the person who visits our website and submits e-mails, no matter what. We never reveal who subscribed him to SpamZa! and all those newsletters. The victim will most likely never know who subscribed him to this service, making it almost impossible to track the person who subscribed him to so much spam.

To all the little shits that try to take us down by submitting complaints — it won’t work. Stop wasting your time and ours and e-mail us if you got a problem”

[Ed. Note: Ironically, it appears that it did work, as of noon EST today the Spamza.com site is down.]


Don’t Overlook the Online Channel: Combating Multi-Channel Fraud at the Source

The latest threat to online banking accounts involves fraudsters using multi-step schemes that involve different interaction points with financial institutions.

Cyber-criminals commit this multi-channel fraud by first breaching an account via the online channel to steal valuable information such as account balances, check images, or signature blocks, in order to commit wire, check and other types of offline fraud that never gets linked to the original breach online.

Unfortunately, the online channel’s role in these schemes is often overlooked. This is precisely what makes this kind of fraud so effective - and hard to catch. Financial institutions only register the final transaction fraud, and cannot account for the original breach, which often occurs in the online channel. Add this to the fact that consumers don’t know it is happening, and the fraudsters have a perfect opportunity to continuously get away with this crime.

Case in point is what happened recently to a leading financial institution that serves tens of thousands of customers daily. Despite aggressive efforts to safeguard its online environment, fraudsters pulled off a startling multi-channel fraud scheme.

Here’s how the fraud scheme worked:

1. The fraudster called the institution’s customer service number and, using social engineering techniques, reset the online account password and contact phone number.

2. The fraudster accessed the online account, learned more about the customer’s online activities, and downloaded check images containing the customer’s signature.

3. The fraudster then called on a separate institution using the stolen information to open a new account in the victim’s name.

4. A wire transfer was arranged to empty the victimized account and credit the new account at institution #2. Because the names on the accounts were the same and the fraudster had provided a phone number under his/her control and a valid signature, an offline verification of the transfer by phone, as a second means of identification, passed and was authorized.

5. The fraudster withdrew his loot piecemeal, visiting separate branches in a state different than the victim’s.

Legacy Fraud Detection Methods Blind to Online Activity

When fraudsters use schemes involving multiple interactions with different touch-points across an institution, they aren’t caught because the precursor online channel breach is often overlooked.

Common industry practice registers the final fraud transaction as the breach point, and case forensics, working with limited resources, return insight that cannot trace the original breach back to the online channel. When accessed only for reconnaissance, the online channel records no “transaction” for detection. This is precisely what makes multi-channel fraud so effective - and so hard to catch. Moreover, how should our previous example even be classified? Is such a loss wire fraud, check fraud, or simply “online account fraud”?

A next-generation approach to online fraud prevention is needed if we are to continue to inspire customer confidence in the online channel. According to Javelin Research’s 2007 Identity Fraud Survey Report, it takes an average of 60 days for consumers to even detect that fraud has occurred. This leaves fraudsters with a perfect opportunity to commit successful multi-channel fraud crimes if financial services providers don’t take pre-emptive steps to protect both their customers and their bottom line. New best practices and back-end technologies that focus on online behavior can better isolate and prevent multi-channel fraud at the source.

Modeling Individual Account Behavior Stops Fraud at Its Source

An emergent best practice is to employ predictive models of individual customer online behavior to detect when the “customer” logging in isn’t who they say they are, even if they pass authentication. Beyond simple machine signature technology, user profiling technologies rely on trended analysis of behavior account by account. They start by understanding what “normal” behavior is for each individual customer - and admit that there is no single pattern of “normal” behavior to write an anti-fraud rule against.

Dynamic, model-based analysis of account activity “does the math” - piecing together what may by themselves seem like weak indicators of fraud until a powerful pattern emerges. Behavior that deviates from what is expected becomes suspicious - the more the deviation, the deeper the suspicion. This comprehensive analysis allows for more granular risk scoring and better correlation with offline activity patterns. A byproduct of this behavioral analysis is a rich history of online activity that aids investigation and forensics.

Using these techniques, institutions can identify the fraudster via the alerts to online activity outside the customer’s predicted behavior. Deploying strong analytics at the source - the online channel - ensures that fraudsters’ attacks are shut down before any damage is done.
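As an added illustration of the approach described above (example code written for this page, not a vendor’s product and not the institution’s own system), the following builds a per-account baseline from past online sessions and then scores a new session by combining weak indicators: an unseen device, an action type the customer has never performed, activity outside the usual hours, unusual volume, and a password or phone-number reset made through the call center shortly beforehand. The events, indicator weights, and alert threshold are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    account: str
    channel: str   # "online" or "call_center"
    action: str
    device: str    # browser/device fingerprint for online events, "" for calls
    day: int       # day index instead of a timestamp, keeps the sample deterministic
    hour: int      # local hour of day, 0-23


# Per-indicator weights and threshold are this example's own tuning, not values from the article.
WEIGHTS = {
    "new_device": 2,
    "unseen_action": 3,
    "odd_hour": 1,
    "high_volume": 1,
    "recent_call_center_reset": 3,
}
ALERT_THRESHOLD = 6
RESET_ACTIONS = {"password_reset", "phone_change"}


def build_profile(history):
    """Baseline of 'normal' per account from past online activity: devices, action types, hours, volume."""
    per_account = defaultdict(list)
    for e in history:
        if e.channel == "online":
            per_account[e.account].append(e)
    profiles = {}
    for acct, evs in per_account.items():
        per_session = defaultdict(int)          # one (device, day) pair counts as one session
        for e in evs:
            per_session[(e.device, e.day)] += 1
        hours = [e.hour for e in evs]
        profiles[acct] = {
            "devices": {e.device for e in evs},
            "actions": {e.action for e in evs},
            "hour_range": (min(hours), max(hours)),
            "typical_volume": max(per_session.values()),
        }
    return profiles


def score_session(profile, session, other_channel, lookback_days=3):
    """Combine weak indicators for one online session into a score plus the reasons behind it."""
    score, reasons = 0, []
    if not {e.device for e in session} <= profile["devices"]:
        score += WEIGHTS["new_device"]
        reasons.append("new_device")
    for action in sorted({e.action for e in session} - profile["actions"]):
        score += WEIGHTS["unseen_action"]
        reasons.append(f"unseen_action:{action}")
    lo, hi = profile["hour_range"]
    if any(not lo <= e.hour <= hi for e in session):
        score += WEIGHTS["odd_hour"]
        reasons.append("odd_hour")
    if len(session) > 3 * profile["typical_volume"]:
        score += WEIGHTS["high_volume"]
        reasons.append("high_volume")
    day = session[0].day
    # Cross-channel correlation: a credential or contact reset by phone just before this session.
    if any(e.channel == "call_center" and e.action in RESET_ACTIONS
           and 0 <= day - e.day <= lookback_days for e in other_channel):
        score += WEIGHTS["recent_call_center_reset"]
        reasons.append("recent_call_center_reset")
    return score, reasons


def should_alert(score):
    return score >= ALERT_THRESHOLD


# Constructed sample: a month of ordinary use from one device, then the scheme from the post.
ACCT = "acct-1001"
HISTORY = [Event(ACCT, "online", action, "dev-home", day, hour)
           for day in range(1, 31, 3) for action, hour in (("view_balance", 9), ("view_statement", 20))]
CALL_CENTER = [Event(ACCT, "call_center", "password_reset", "", 39, 14),
               Event(ACCT, "call_center", "phone_change", "", 39, 14)]
SUSPICIOUS = ([Event(ACCT, "online", "view_balance", "dev-unknown", 40, 3)]
              + [Event(ACCT, "online", "download_check_image", "dev-unknown", 40, 3) for _ in range(6)])
BENIGN = [Event(ACCT, "online", "view_balance", "dev-home", 40, 12)]

if __name__ == "__main__":
    profile = build_profile(HISTORY)[ACCT]
    for label, session in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        score, reasons = score_session(profile, session, CALL_CENTER)
        print(f"{label}: score={score} alert={should_alert(score)} reasons={reasons}")
```

The check-image downloads alone would not be a transaction worth flagging, which is the gap the article describes; it is the combination with the new device, the odd hour, and the call-center reset a day earlier that pushes the session over the threshold.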


Will Passwords Become Obsolete?

I can’t keep track of how many different passwords I have, although I know it’s not nearly enough — I tend to be lazy like most people and re-use the same passwords for many different accounts.
But here’s a new idea — what if passwords for online accounts were replaced entirely by cryptographic keys that sat on our desktops like icons, and functioned in the background, so we wouldn’t need to remember a string of letters or numbers?

An interesting blog post this morning discusses the obstacles and implications of this kind of technology, in part quoting a recent New York Times article —

In short, we need a log-on system that relies on cryptography, not mnemonics. As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on hard-to-crack cryptographic code.

An obstacle to this kind of system is the current set of initiatives toward OpenID and single sign-on services, strategies backed by large industry players such as Equifax, Google, Novell, Microsoft and Oracle. In the OpenID system, you would log in to a session on the web with one password, which would be accepted by any application/account supporting the OpenID infrastructure.

To me Open ID sounds like a step backwards, toward less security…
then again, I would think that encrypting everything could also make your system run significantly slower, and that it wouldn’t prevent all the risks either…


Beware “Smishing”: mobile phishing attack

There’s an increased risk of multi-faceted attacks or “converged threats,” warns messaging security provider Cloudmark.

The company says it’s discovered new, advanced threat techniques which combine spam, phishing and malware into a single attack distributed across e-mail, the web, mobile devices and social networks.

“Convergence is everywhere, including in the online attacker community,” WHIR News has Cloudmark chief technology officer Jamie de Guerre saying.

The attacks “look for holes in traditional security solutions designed for a specific type of attack, such as spam for a specific medium like e-mail, evading traditional security because they mash up elements of spam, phishing and viruses,” says Cloudmark, which says it has also identified several new converged threats including “Smishing,” a mobile phishing attack that usually uses VoIP phone number accounts stolen by email phishing attacks to stage the mobile breach.

“Cloudmark also found what they call a ‘crush’ attack, distributed through SMS messaging, email and social network communication; crush attacks entice users to log into a Webpage and unknowingly opt in for a premium rate SMS service by telling users ‘Someone has a crush on you!’ followed by a link,” says WHIR News, adding:

“It also found that modern email viruses no longer distribute viruses as an attachment; they instead host the virus on a separate website and distribute emails that link to that Website.”


Fog of the Future: Cloud Computing’s on the Horizon

If you trust the media and are looking to the future, you might be thinking a good deal about Cloud Computing — according to ComputerWorld, this could be the next big movement.

I’ve heard the buzzwords but wasn’t exactly sure what they meant; luckily, when there’s media hype, there are definitions, too. According to this article, cloud computing is exemplified by Software as a Service — outsourced, hosted platforms and software that perform services for companies.

Another article puts it slightly differently:

OK, let us look at what form of computing is being provided via the cloud. In this model, all IT applications and facilities (i.e. compute, storage and network) are provided as a service rather than dedicated infrastructure. This is intended to allow any user, independent of client platform, to access IT services without knowledge or concern of their location or form. Sound familiar? It’s a service-oriented architecture (SOA)!

In addition, cloud computing incorporates almost every computing manifestation within the IT world: distributed, grid, utility, on-demand, open-source, Web services, P2P, Web 2.0 and, last but not least, software as a service.

It also accommodates thin, thick and mobile clients and allows integration of corporate, commercial and service provider cloud-accessed resources. As an example, in this model, storage is a service resource that is accessed via the cloud, not a dedicated user resource.

Honestly I read that last one first and found the definition a bit dense. It sounds like a summation of everything that makes up our Internet infrastructure already, so how is that different than the Internet itself? Well, cloud computing isn’t about what service or devices are being supported — it’s more about how it’s being provided: it is a location-independent style of computing. The first article calls it “platform as a service.”

Have you heard better definitions of what cloud computing is and does? Share them in the comments below. Thanks!


Apple on Fire!

It’s not just sales burning in Apple’s pockets — one of the Apple buildings in Cupertino caught fire today and burned for 3 hours before being extinguished — there was considerable damage.

The incident appeared to be connected to a construction crew working in the area where the blaze started, Darron Pisciotta, captain of operations for the Santa Clara County Fire Department, told InformationWeek. The work crew was the first to report the fire. More than 60 firefighters responded to the alarms.

I have a friend who’s been contracting down there, so glad to hear that no one was hurt!
I hope this doesn’t set development on the iTablet back;)

Hey, if you have construction workers in your area, tell them to be careful, okay?
