Privacy & data protection

Yahoo's Zimbra e-mail program exposes passwords

Passwords used to access Yahoo mail through the Zimbra client are sent over the Internet in clear text, a Canadian programmer says.

Holden Karau stumbled upon this problem while participating in the Yahoo University Hack Day at the University of Waterloo last week.

"The Yahoo IMAP servers used by the Yahoo Desktop don't support SSL, and the password was being transmitted in plain text," Karau wrote in a blog post on Friday.

"What does this mean for you? If you use Zimbra to access your Yahoo mail, you almost certainly need to change your password …

Behind the scenes of online fraud

I sat down on Thursday with someone who watches the underground criminals who are trying to break into people's bank accounts and steal their money. And the picture isn't pretty.

Online fraudsters are coming up with more types of dangerous attacks and more sophisticated methods, says Uri Rivner, head of new technologies for RSA Consumer Solutions, which is owned by EMC.

I've already written about how the cybercriminals are borrowing organizational structures from the mafia and even legitimate businesses, and have further explored the threats from identity fraud. Rivner filled in some details with his assessment of how the fraudsters are operating. He talked about the "Fraud Supply Chain" in which harvesters steal the data and then sell it to people who are expert at turning the data into cash by emptying out the bank accounts.

The two sides of this e-commerce underground communicate via informal marketplaces on IRC chat channels. They also share information on sites like "Carder's Market," where you can read industry blogs and even reviews of Trojans and other malware.

Fraudsters aren't just targeting bank customers. They are also luring victims off social networks, where they harvest sensitive private information, and online gaming sites, where they steal accomplished avatars and accounts and sell them for money, Rivner says.

Another recent trend is the blending of phishing and malware on spoof Web sites that look legitimate but prompt visitors to run an executable in order to see a video, for instance. Instead, the executable is a Trojan that can grab the sensitive data on the computer. The recent "Obama sex video" spam is an example of this. …

Encryption key management: Critically important, frighteningly immature

Large organizations are deploying more and more encryption technologies these days on laptops, tape backup systems, mobile devices--everywhere.

Yes, they are concerned about regulatory compliance, data breaches, and embarrassing front-page headlines, but there is something else going on as well. Technology suppliers are now baking encryption into technology components and systems. As encryption becomes cheap and ubiquitous, risk-averse users will likely deploy it everywhere.

Ironically, multilayer encryption may actually compromise data security. Why? If data is encrypted multiple times, someone had better know about the chain of encryption events that took place. Each encryption activity relies on an encryption key to …

Hole unveils Facebook fan pages

A new hole in Facebook allows members to see the fan pages of people on the networking site who they aren't friends with, an outside researcher revealed on Friday.

In verifying the hole, CNET News--signing onto the site as someone who is not a designated "friend" of Facebook founder Mark Zuckerberg--was still able to see that he is a fan of Barack Obama, the Dalai Lama, Green Day, Nirvana, Central Park, the Monterey Bay Aquarium, and Apple Students.

All a would-be spy has to do is go to anyone's profile page, click on the "Info"…

Peekaboo! Facebook fills photo security hole

Facebook has filled a hole that allowed strangers to view members' photos through the mobile version of the site, a spokesman said Tuesday after being alerted to the problem by CNET News Monday night.

"Today, we learned that certain photos could be viewed by unauthorized users who employed a complicated hack," a spokesman wrote in an e-mail. "Once we were notified of the issue, it was resolved within hours. These photos are no longer available to unauthorized users. We encourage security researchers examining Facebook to practice responsible disclosure."

Basically, someone who knew the serial number of …

Security scrutiny for Facebook apps

After booting applications from Facebook this summer for violating user privacy, the social-networking company is gearing up to vet apps for trustworthiness as part of a voluntary validation program.

The validation badge will give Facebook members a gauge to use in deciding whether to add a particular app or not. Experts praise Facebook's effort, but say apps posing security risks will still be around despite that, partly because of the popularity of the network.

Facebook gives a tremendous level of access to its APIs, which has enabled developers to create more than 24,000 apps for the platform since …

iPhone iSpy? Hacker says device captures it all

The iPhone is recording everything users see and do on their devices for caching purposes, an iPhone hacker says.

The device records screenshots of a user's most recent action so that it can achieve that cool effect of applications fading away when the home button is clicked, according to Jonathan Zdziarski, who wrote the forthcoming book iPhone Forensics: Recovering Evidence, Personal Data, and Corporate Assets.

The screenshots are presumably deleted after the application is closed, but they can be recovered with forensics techniques, just as data deleted from almost any storage device can be reconstructed for purposes of law …

Obama sex video? Hardly. It's spyware spreading via e-mail

Don't believe everything you read on the Internet: Democratic presidential candidate Barack Obama isn't a terrorist...or a porn star.

A malicious spam e-mail is spreading that claims to have a link to a sex video of Obama but is instead spyware that steals sensitive data from the computer, security firm Sophos warned on Wednesday.

The subject line says "Obama sex video!!!" and the e-mail appears to come from "infonews@obama.com," Graham Cluley, senior technology consultant at Sophos, says on his blog.

Clicking on the link downloads an executable file that plays an amateur …

Arizona death notices taken offline on ID fraud concerns

Digital copies of death certificates have been removed from the Web site of Maricopa County in Arizona because they could be used for identity fraud, The Arizona Republic reported on Wednesday.

"There is so much personal information on them: a mother's maiden name, what they died from," said Helen Purcell, recorder for Maricopa County, which covers the state capital, Phoenix.

The county had received complaints from people about the posting of the information for years and removed them last month, she said. The state has one of the highest identity fraud rates in the country.

The County …

Google cuts data retention time in half

Under pressure from European regulators, Google is halving the amount of time it stores Internet Protocol addresses.

In a blog post, Google said it would keep IP addresses on its server logs for 9 months before anonymizing them, down from the 18 months it had previously stored the data.

A European Commission advisory body issued an opinion paper earlier this year urging search engines to delete data collected about their users after six months.

At the time, Google said the proposals could have an impact on its ability "to provide quality products and services for users, like accurate search …