Showing posts with label computer security. Show all posts
In an update on the ongoing Webcamgate saga, lawyers for 15 year old Blake Robbins have dropped a bombshell. Their latest motion asserts that the Lower Merion School District secretly captured 'thousands' of webcam images using software designed to track stolen school issued laptops. LMSD has asserted the software had only been activated 42 times for this purpose. 400 photos and screen captures are said to exist from Blake Robbins' laptop alone. The photo to the right is purported to be one of them.



The system that Lower Merion school officials used to track lost and stolen laptops wound up secretly capturing thousands of images, including photographs of students in their homes, Web sites they visited, and excerpts of their online chats, says a new motion filed in a suit against the district.
More than once, the motion asserts, the camera on Robbins' school-issued laptop took photos of Robbins as he slept in his bed. Each time, it fired the images off to network servers at the school district.
Back at district offices, the Robbins motion says, employees with access to the images marveled at the tracking software. It was like a window into "a little LMSD soap opera," a staffer is quoted as saying in an e-mail to Carol Cafiero, the administrator running the program.
"I know, I love it," she is quoted as having replied...
In the filing, the Penn Valley family claims the district's records show that the controversial tracking system captured more than 400 photos and screen images from 15-year-old Blake Robbins' school-issued laptop during two weeks last fall, and that "thousands of webcam pictures and screen shots have been taken of numerous other students in their homes."
Robbins, a sophomore at Harriton High School, and his parents, Michael and Holly Robbins, contend e-mails turned over to them by the district suggest Cafiero "may be a voyeur" who might have viewed some of the photos on her home computer.
The motion says Cafiero, who has been placed on paid leave, has failed to turn that computer over to the plaintiffs despite a court order to do so, and asks a judge to sanction her...
Since the Robbinses sued in February, district officials have acknowledged that they activated the theft-tracking software on school-issued laptops 42 times since September, and a number of times in the previous school year - all in order to retrieve lost or stolen computers.
But they have stopped short of specifying how many students may have been photographed and monitored, or how often - information that could shed light on whether Robbins' experience was unique or common...
Also Thursday, Sen. Arlen Specter (D., Pa.) introduced legislation to close what he said was a loophole in federal wiretap laws and prevent unauthorized monitoring. Specter recently held a hearing in Philadelphia on the issue.
"Many of us expect to be subject to certain kinds of video surveillance when we leave our homes and go out each day - at the ATM, at traffic lights, or in stores, for example," Specter, who is running for reelection, said on the floor of the Senate. "What we do not expect is to be under visual surveillance in our homes, in our bedrooms and, most especially, we do not expect it for our children in our homes."
[via Philly.com] 

Son Sues Mom Over Facebook 'Hacking'

Suing your parents isn't just for celebrities anymore--a 16-year-old Arkansas boy is suing his mother for hacking into his Facebook account and allegedly posting slanderous remarks.
Denise New of Arkadelphia is facing harassment charges from her 16-year-old. Her son, who lives with his grandmother, also requested a no-contact order. Prior to this issue, New and her son reportedly had a "great relationship," despite their living arrangements.
According to the boy, his mother hacked into his Facebook and email accounts, then changed both passwords. She also allegedly posted remarks that involved slander and information about his personal life...
New plans on fighting the charges, as she believes she was fully within her legal rights as a parent to monitor her son's online behavior.
I hardly think parents' rights extend to accessing your kid's social media and email accounts and changing the password on them. If they are old enough to have such things, let them have them. The boy in question is 16, not 6.
The mom claims he left his accounts logged in on his PC...let this be a lesson to those of you that don't log out of your accounts.

TJMaxx Hacker Gets 20 Years


Remember the largest personal data theft in history? The guy that supposedly was behind it was sentenced this week to 20 years in prison. 

Albert Gonzalez, who operated under the hacker alias SoupNazi, pleaded guilty last year to slipping into the computer networks of major retailers such as TJ Maxx, BJ's Wholesale Club, Barnes & Noble, OfficeMax and Boston Market.
To pull off the caper, Gonzalez, 28, would hack into the Heartland Payment systems that handled credit card transactions for major retailers. Then the Miami resident got creative. He would cruise by stores with his laptop and infiltrate wireless Internet signals.
A Trojan Horse program would be planted in the store's network and Gonzalez would later vacuum out credit and debit numbers.
Authorities say Gonzalez operated with two co-conspirators and operated overseas as well. All told, the operation stole more than $200 million. The Secret Service estimated that the potential economic loss could be in the billions. Gonzalez personally amassed $2.8 million.

Of course, there was some fault of the retailers involved, as they were using WEP encryption, known for years prior to the data theft to be easily hacked and thus insecure, to wirelessly transmit transaction data between registers and the store office. Gonzalez and his crew were then able to repeatedly tap into the store systems this way, and learned how to log in to the corporate computer system of TJX, parent company of TJ Maxx, BJ's Wholesale Club, Barnes & Noble, OfficeMax and Boston Market. Since TJX evidently was storing customer data in violation of PCI Data Security Standards, Gonzalez and crew were able to steal some 46 million customer credit cards from this company.
Amazingly, PCI standards will not ban the use of WEP in credit card systems until June 30, 2010 (although they have prohibited new systems that use WEP from being installed since March 31, 2009).
(Reuters) - Hackers have flooded the Internet with virus-tainted spam that targets Facebook's estimated 400 million users in an effort to steal banking passwords and gather other sensitive information.
The emails tell recipients that the passwords on their Facebook accounts have been reset, urging them to click on an attachment to obtain new login credentials, according to anti-virus software maker McAfee Inc.
If the attachment is opened, it downloads several types of malicious software, including a program that steals passwords, McAfee said on Wednesday.
Hackers have long targeted Facebook users, sending them tainted messages via the social networking company's own internal email system. With this new attack, they are using regular Internet email to spread their malicious software.
A Facebook spokesman said the company could not comment on the specific case, but pointed to a status update the company posted on its web site earlier on Wednesday warning users about the spoofed email and advising users to delete the email and to warn their friends.
McAfee estimates that hackers sent out tens of millions of spam across Europe, the United States and Asia since the campaign began on Tuesday.
Dave Marcus, McAfee's director of malware research and communications, said that he expects the hackers will succeed in infecting millions of computers.
"With Facebook as your lure, you potentially have 400 million people that can click on the attachment. If you get 10 percent success, that's 40 million," he said.
The email's subject line says "Facebook password reset confirmation customer support," according to Marcus.

At the World Economic Forum Annual Meeting in Switzerland, McAfee announced the results of a survey of 600 IT security execs in "critical infrastructure enterprises worldwide": that is, in places such as utility companies, banks, and even oil refineries. And apparently, they're constantly under cyber attack and also extortion related to those attacks.

The report, written by the Center for Strategic and International Studies (CSIS), says that 54 percent of those surveyed have already been attacked. The culprits behind the cyber-attacks are listed as "organized crime-gangs, terrorists, or nation-states."

Only one-fifth of the IT execs surveyed believe their systems are currently secure. One-third say things are worse now, vulnerability-wise, than a year ago, due to budget cuts.

What constitutes a cyber attack? A distributed denial of service (DDoS) is the most typical. 64 percent of those surveyed have experienced one that disrupted operations; 29 percent get them multiple times per month. A DDoS attack is, of course, conducted by bot-nets--robot networks of infected computers--so if you get malware on your PC, you might be doing your part to bring down foreign (or local) utilities and corporations.

Hacker Attack Takes Down Social Networks

From USA Today:
Social networks Twitter, Facebook and LiveJournal on Thursday morning were overwhelmed by denial-of-service attacks disrupting access to more than 300 million users. Botnets — thousands of infected home and workplace PCs — flooded the websites with nuisance requests, thus cutting off access to anyone else.

Security experts can't say if the attacks were related. Twitter users around the globe could not Tweet for at least three hours. Access was restored in much of the U.S. by 1 p.m. Eastern, but Twitter could not be reached via iPhone or in Eastern Europe through much of the day, says Stephan Tanase, a senior analyst at Kaspersky Lab. "This was definitely a pretty heavy attack," says Tanase.

The attacks may have been related to the ongoing political conflict between Russia and Georgia. They started with hackers using a botnet to send a flurry of spam e-mail messages that contained links to pages on Twitter, Facebook and other sites written by a single pro-Abkhazia activist, according to Bill Woodcock, research director of the San Francisco-based Packet Clearing House, a nonprofit that tracks Internet traffic.

Facebook reported degraded service for some of its 250 million users, while LiveJournal says its 21 million users were cut off for an hour.

Nothing on this scale has been seen since February 2000, when a 15-year-old Montreal youth, known as Mafiaboy, directed a bot network to cut off access to Yahoo, eBay, Amazon.com, Etrade, ZDNET and CNN. Upon being arrested, Michael Calce, now a security consultant, said he did it for bragging rights.

Last month, a denial of service attack cut off access to several government and commercial sites in the U.S. and South Korea, raising speculation that North Korea was responsible. The attacker oddly erased the hard drives of the 40,000 bots used in the attack, rendering the computers useless.

Roger Thompson, a senior researcher at antivirus company AVG, says a vigilante may have been trying to "get the attention of the world on the botnet problem." Estimates vary, but some 40% of Internet-connected computers may be under the control of criminals who can easily use them for a variety of criminal pursuits.

A second worm has emerged as a threat on Twitter today, after a previous worm showed up yesterday spreading advertising, and its author said more could be on the way. 17 year-old Mikeyy Mooney from Brooklyn, New York has claimed responsibility for both worms.

The first worm emerged on Saturday when Twitter profiles began posting messages which encouraged people to visit StalkDaily.com. The owner of the website, Mikeyy Mooney, told BNO News that he was responsible. "I am aware of the attack and yes I am behind this attack," he said. Mooney said he created the worm to "give the developers an insight on the problem and while doing so, promoting myself or my website."

Later that evening, Twitter said they had resolved the problem. "We've taken steps to remove the offending updates, and to close the holes that allowed this worm to spread," a statement read.

Hours later, a new worm which appeared to be similar to the first one, made its way into the Twitter community. Infected users spread messages such as "Mikeyy is done" and other Twitter users start doing the same if they are logged on to the site and visit an infected profile, which makes the worm unusual as no action is required to get infected. A review of the script by BNO News showed it is the same worm from Saturday, except for the fact that it is spreading a new message and is hosted on a different server. Mooney confirmed to BNO News that he is behind the two worms and said more could be on the way. "[It] seems they still haven't sanitized their input fields for the XSS," he said. It is currently unknown if he may face legal action.

The worm is more of an annoyance than a real threat, as no passwords or sensitive information are stolen. Here are the steps to remove it if you find this on your Twitter account:

  1. Go to www.twitter.com.
  2. Log in to the infected account.
  3. Go to "Settings" in the menu.
  4. Under "Name", remove the text in the field (which has been edited by the worm).
  5. Remove the text under "More info URL", which has also been edited by the worm.

When you completed those 5 steps, the worm is no longer active on your profile but you can get easily re-infected. For now, until the problem has been solved, BNO News recommends that you not visit any accusation Twitter profiles.


The dreaded Conficker computer worm is stirring. Security experts say the worm's authors appear to be trying to build a big moneymaker, but not a cyber weapon of mass destruction as many people feared.

As many as 12 million computers have been infected by Conficker. Security firm Trend Micro says some of the machines have been updated over the past few days with fake antivirus software - the first attempt by Conficker's authors to profit from their massive "botnet."

Criminals use bogus security software to extort money. Victims are told their computers are infected, and can be fixed only by paying for a clean-up that never happens.

Conficker gets on computers through a hole Microsoft patched in October. PCs set up for automatic Windows updates should be clean.

Republican politicians on Thursday called for a sweeping new federal law that would require all Internet providers and operators of millions of Wi-Fi access points, even hotels, local coffee shops, and home users, to keep records about users for two years to aid police investigations.

The legislation, which echoes a measure proposed by one of their Democratic colleagues three years ago, would impose unprecedented data retention requirements on a broad swath of Internet access providers and is certain to draw fire from businesses and privacy advocates.

Two bills have been introduced so far--S.436 in the Senate and H.R.1076 in the House. Each of the companion bills is titled "Internet Stopping Adults Facilitating the Exploitation of Today's Youth Act," or Internet Safety Act.

Each contains the same language: "A provider of an electronic communication service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a user of a temporarily assigned network address the service assigns to that user."

Translated, the Internet Safety Act applies not just to AT&T, Comcast, Verizon, and so on--but also to the tens of millions of homes with Wi-Fi access points or wired routers that use the standard method of dynamically assigning temporary addresses. (That method is called Dynamic Host Configuration Protocol, or DHCP.) "Everyone has to keep such information," says Albert Gidari, a partner at the Perkins Coie law firm in Seattle who specializes in this area of electronic privacy law.
Holy. Cow.

A CBS affiliate is reporting on one Minnesota family that received more than they bargained for when their child got a Fisher-Price Kid Tough digital camera for Christmas. The first time they connected it to their PC to download the pictures, their anti-virus software detected two viruses on the camera's memory.
A popular digital camera for children is causing problems for at least one Minnesota family this Christmas. Some of Fisher-Price's Kid-Tough digital cameras have viruses that are affecting not just the camera, but computers as well.

Anna Tapper couldn't wait to tear open and try out her favorite present.

"I take pictures of lots of things," Anna said.

Her father, Jeff Tapper, said she had a big smile on her face the minute she knew what it was.

"She was glad to have her own camera and she didn't have to ask mom and dad for theirs and she could take as many pictures as she wanted," Tapper said.

When Tapper went to download her work, he found her camera had two viruses. Luckily, his anti-virus software spotted them before he downloaded them onto his computer. Without an up-to-date virus-fighter, his laptop could've been infected.

"Especially since it's a kid's digital camera it's the last thing you'd expect to have a virus on it," Tapper said.

The Kid-Tough model was a popular pick for parents. A quick online search found many are having the same problem. Fisher-Price told them if they'd send the cameras to the company it would send them a new one in about a month.

A quick look at Amazon reviews and messages posted to Yahoo! Answers reveals more people verifying this is taking place with this camera model.
This is not the first time viruses have come pre-loaded on consumer products. Repeatedly last year reports of viruses coming pre-loaded on several models of digital picture frames made the news. External hard drives and desktop PCs have also been pre-infected with viruses.
The BBC is reporting about a trojan that has been quietly collecting online banking information for nearly three years. This particular virus is interesting because you didn't need to click on a pop-up or spam email link to get it. Using the 'drive-by download' method, simply visiting a website is enough to be infected.
The details of about 500,000 online bank accounts and credit and debit cards have been stolen by a virus described as "one of the most advanced pieces of crimeware ever created".
The Sinowal trojan has been tracked by RSA, which helps to secure networks in Fortune 500 companies.
RSA said the trojan virus has infected computers all over the planet. "The effect has been really global with over 2000 domains compromised," said Sean Brady of RSA's security division.
The RSA's Fraud Action Research Lab said it first detected the Windows Sinowal trojan in Feb 2006.
Since then, Mr Brady said, more than 270,000 banking accounts and 240,000 credit and debit cards have been compromised from financial institutions in countries including the US, UK, Australia and Poland.
"One of the key points of interest about this particular trojan is that it has existed for two and a half years quietly collecting information," he said.

This goes to show no matter how careful you are, the stupidity of some company somewhere can still compromise your data. WHY was this data even kept on a laptop to begin with? Companies that do stupid things like this need to be held accountable for their actions.


SophosLabs™ is reporting that a new variety of spam is starting to make its way into inboxes everywhere. A new spam email is being sent out that claims your child has been kidnapped! The email is evidently UK based, asking for a £25,000 ransom ($50,000 USD) and most insidiously includes an attachment purporting to be a picture of the kidnapped child. Once a user clicks and downloads the attachment, of course, their computer is infected with a trojan horse virus.
The poorly worded email's subject line reads 'We have hijacked your baby.'

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a widespread spam campaign that pretends that the recipient's baby has been kidnapped.

The campaign tries to trick innocent computer users into opening a file claiming to be photographs of the infant, but are really malicious software.

Attached to the email is a file, entitled photo.zip, which contains a malicious Trojan horse that will download further malware from the internet to compromise PCs. Sophos detects the Trojan horse as Troj/Resex-Fam.



DHS Can Now Seize Your Laptop Indefinitely

Be aware if you're crossing the border...A pair of DHS policies (1 and 2 [pdf warning]) from last month say that customs agents can routinely--as a matter of course--seize, make copies of, and "analyze the information transported by any individual attempting to enter, re-enter, depart, pass through, or reside in the United States."
The new DHS policies say that customs agents can, "absent individualized suspicion," seize electronic gear: "Documents and electronic media, or copies thereof, may be detained for further review, either on-site at the place of detention or at an off-site location, including a location associated with a demand for assistance from an outside agency or entity."
An electronic device is defined as "any device capable of storing information in digital or analog form" including hard drives, compact discs, DVDs, flash drives, portable music players, cell phones, pagers, beepers, and videotapes.
This follows the recent news that Canadian border officials will begin inspecting your digital devices for copyrighted media if ACTA is enacted. How a customs officer is supposed to tell if a file is pirated vs. legitimately downloaded is not known. Online accounts of border agents/TSA not knowing what PSPs and MacBook Airs are and looking for illegal porn in the My Pictures folder on Windows do not bode well for any of these plans.

The San Francisco Chronicle is reporting that a disgruntled network administrator has locked up a multimillion dollar city computer system that handles sensitive data and is refusing to give police the password.
The employee, 43-year-old Terry Childs, was arrested Sunday. He gave some passwords to police, which did not work, and refused to reveal the real code, the paper reported.
The new FiberWAN (Wide Area Network) handles city payroll files, jail bookings, law enforcement documents and official e-mail for San Francisco. The network is functioning but administrators have little or no access. Childs, who remains in custody, is accused of improperly tampering with computer systems and causing a denial of service, said Kamala Harris, San Francisco's district attorney, on Monday afternoon.


Happy Anniversary! 30 Years of Email Spam

Saturday marks 30 years since the first known spam email was sent. But the message sent on May 3, 1978 by a marketer for the now defunct DEC computer company to around 400 people on the west coast of the United States wasn't called spam, and the sender dispatched it without ill intent.
How things have changed. For one, instead of having to type each email address individually, programs can send out millions of automated emails in minutes.
Another drastic change is that spammers don't have to try to find ISPs to send spam. Now botnets, hijacked personal and office PCs that carry out remote commands, have control of some 30% of PCs. Yes, that's probably you, blog reader that still uses IE version 5.5 or earlier. See my post from Feb of 2007.

In the wake of the Facebook Beacon and Sears Manage My Home privacy snafus, you would expect more Americans to state they are concerned about online privacy. Interestingly, according to this study it is mainly people who don't shop online and those who are new to shopping online who express concern over privacy. I would be surprised if more than a few of those polled had heard of either incident, both of which got limited mainstream news coverage.
However, you don't even have to be online to have your privacy or identity threatened. Anyone who purchased items from a Sears store, for example, where Sears had a record of the purchaser's name and address was potentially vulnerable to that purchasing history being exposed on the web in the recent Manage My Home debacle. The largest data breach yet known was due to TJ Maxx stores not properly securing their intra-store wireless, allowing anyone with a laptop and 30 seconds to hack the signal in the parking lot. Thieves then were able to access TJ Maxx's main databases for months, stealing 46 million credit card numbers.
And yesterday, JC Penney reported their data storage company lost a backup tape that contains information on 650,000 customers, including Social Security numbers for about 150,000 people. So you don't have to shop or bank online to be subject to identity theft or privacy breaches. (If you get a letter from GEMoney, open it.)
It's no wonder that more consumers are now closely monitoring their credit or joining identity protection services like LifeLock.
Scary.

PCWorld is reporting that Sears has taken part of its Managemyhome.com website offline after it was revealed the site was making customers' purchasing histories publicly available.
It seemed to disappear mid-afternoon yesterday after I logged into the Managemyhome service to see if I could pull up my own purchase history on the site. After trying one of the two addresses I've had in the last two years, I was inexplicably logged off the site. After logging back in, the 'find my product history' feature was nowhere to be found.
Of course, Sears still has yet to answer for the Comscore spyware allegedly being installed on customer PCs, which by far is the more egregious privacy concern.

Security researchers are now stating that the Sears and K-Mart websites have been found to be installing software to track the online activity of users that joined their 'online community.' Benjamin Googins at Computer Associates and spyware researcher Ben Edelman have both posted information on their respective sites detailing what has been going on. In the post-Facebook Beacon internet, consumers are becoming more wary of what information is being collected (and shared) about their online activities. While Facebook owned up to what was going on and quickly responded to concerns, Sears (who owns both Sears.com and Kmart.com) isn't doing that.
From Googins' CA blog:
Sears.com is distributing spyware that tracks all your Internet usage - including banking logins, email, and all other forms of Internet usage - all in the name of "community participation." Every website visitor that joins the Sears community installs software that acts as a proxy to every web transaction made on the compromised computer. In other words, if you have installed Sears software ("the proxy") on your system, all data transmitted to and from your system will be intercepted. This extreme level of user tracking is done with little and inconspicuous notice about the true nature of the software.
Edelman says Sears claiming you get 'adequate notice' before the software in question installs is "demonstrably false."
The software that Sears installs is from ComScore, who, according to their front page, "maintains massive proprietary databases that provide a continuous, real-time measurement of the myriad ways in which the Internet is used and the wide variety of activities that are occurring online."
If it's true that Sears was collecting everything Googins says, they are sure to be headed for legal trouble, even if they got people to click 'ok' to an outrageous 54-page license agreement.

I've mentioned the Storm Worm before, a malicious trojan horse program, and its creative subject lines to get you to click on the link in that email. Now Stormy is taking a Christmas (and now New Year's) greetings approach to infect more unwary PCs. Recipients of emails will get a link to the MerryChristmasDude website which is evidently registered to Russian hackers.
Subject lines from these emails have said
  • I love this Carol!
  • Warm Up this Christmas
  • The Twelve Girls Of Christmas
  • Jingle Bells, Jingle Bells
  • The Perfect Christmas
  • Santa Said, HO HO HO
  • Find Some Christmas Tail
and so on. As of today the emails and website they link to have been updated with New Year's messages and want you to download a supposed greeting card called 'happycards2008' but you won't be too happy after you download this malware.
Please, people, show some common sense and stop clicking on links from random emails and using these idiotic greeting card sites which do nothing more than harvest email addresses to send us more spam.
