General discussion

NEWS - October 29, 2010

Paperless e-voting a concern this election, say watchdogs

"Nearly one in four registered voters in Tuesday's elections will use electronic voting systems with no verifiable paper records"

Some election watchers are expressing concern over the fact that about one in four registered voters in next week's general elections will be casting their ballots using electronic voting machines that offer no verifiable paper records.

Paperless direct-recording electronic voting systems have drawn flak in past elections for being unreliable, too hard to audit and too prone to all sorts of tampering.

Such concerns have prompted 32 states and the District of Columbia to pass laws mandating the use of voting systems that support Voter-Verified Paper Records over the past few years.

Election officials in another six states have adopted similar systems even though they are not required by law to do so.

However, six states - Delaware, Georgia, Louisiana, Maryland, New Jersey, and South Carolina - still use paperless e-voting systems statewide, according to a tally maintained by the election watchdog Verified Voting Foundation. In Indiana, Pennsylvania, Texas, Tennessee, and Virginia, direct-recording electronic voting systems account for the vast majority of voting systems.

- Collapse -
Coder fires 'Idiocy' warning to Twitter users

"Inspired by Firesheep"

A coder has developed a hijacking tool to compromise Twitter accounts and then post a warning to the victim.

The tool, named "Idiocy", searches for users insecurely visiting Twitter over public Wi-Fi networks and then hijacks their session to post a tweet informing them they are vulnerable to attack.

A link has also been included in the tweet directing users to a website explaining what has happened once a user has been exploited.

Jonty Wareing, a London-based software developer, has been credited as the tool's creator and he made the exploit code available on GitHub.

He claimed to have been inspired by the creation of the Firesheep tool - a Firefox browser extension, which was designed to exploit weak transaction security on social network applications, such as Facebook and iGoogle.

- Collapse -
Endgame Systems Launches ipTrust Reputation Service to Fight Botnets

Startup ipTrust will let businesses avoid botnets and infected machines by revealing which IP addresses are linked to botnets, malware and other Web threats.

Endgame Systems launched ipTrust, a cloud-based botnet and malware detection service that collects and distills security data into a reputation engine, the company said on Oct. 28. The ipTrust service provides useful information that identifies which systems on an organization's network have been compromised by a botnet, the company said.

An enterprise is often the last one to know that its systems have been compromised. Until they figure it out, they are inadvertently distributing even more malware to other unsuspecting organizations.

The ipTrust service gives organizations "useful and actionable" information they can use to keep their networks secure, Dan Ingevaldson, chief operating officer of Endgame Systems, told eWEEK.

"With the events data, we know the exact IP address that was compromised, what it did, and when it occurred," said Ingevaldson.

With this information in hand, ipTrust identifies and tracks botnets over the Internet without relying on any internal network data. There is no software or hardware for anyone to install; ipTrust's Web-based technology monitors public IP addresses and stores all security-related event data, according to Ingevaldson.
- Collapse -
Telstra's blunder leads to massive data leak

It is not yet known whether it was a human or computer error that made Australian telecommunications company Telstra send out letters containing personal information (names, phone numbers, telephone plans) of its customers to incorrect recipients.

The letters were supposed to explain new pricing charges to the customers, but now the privacy of potentially 220,000 customers - among whom are 23,500 silent line customers - has been breached, and Telstra has begun contacting affected customers by phone and email and apologizing.

Telstra is also asking all those customers who have received multiple letters to destroy them or send them back to the company.

According to The Australian, the Privacy Commissioner and the Australian Communications and Media Authority have launched investigations into the breach, and given that the incident was a mistake and not a deliberate disclosure of confidential information, Telstra will probably not be criminally charged.

Related Post : Telstra gains remote access to customers' PCs

- Collapse -
Sysadmin stole co-worker IDs for Amazon survey splurge

A California IT worker has been jailed for a year for stealing confidential data to make money by completing online health surveys.

Cam Giang, 31, a former worker at the University of California San Francisco Medical Center, used the names, birthdays and Social Security numbers of other hospital workers to complete online surveys, earning vouchers from Amazon worth $100 each time in the process.

Giang completed 382 surveys between January and April this year before the firm running the promotion, StayWell Health Management, received complaints from UCSF workers who were unable to apply for the promo, IDG reports.

Its investigation revealed that Giang had already completed surveys in the names of his co-workers. UCSF promptly fired Giang, a five-year veteran of its IT department. It also notified 486 workers that their information had been accessed without authorisation.

Defence lawyers argued that Giang never got around to cashing in the 218 vouchers (total value $21,800) that he made through the scheme. They also argued that the victims of the scam suffered damages only to the extent of failing to benefit from StayWell's marketing surveys. The personal data accessed by Giang was not applied to obtain loans under false pretences or for other more malign purposes.

- Collapse -
IE6 addiction throws monkey wrench into Windows 7 migration

"1-in-5 enterprises will bust budget moving to Windows 7 because of IE6 compatibility problems, says Gartner"

Enterprises addicted to Microsoft's nine-year-old Internet Explorer 6 (IE6) browser are having a tough time migrating to Windows 7, an analyst said today.

And although Microsoft has made it clear it wants IE6 dead and buried, the company needs to help solve a problem it created when it released the non-standard browser, then pressed businesses to develop IE6-specific applications, said Michael Silver of Gartner.

"Microsoft would rather put the non-standard browser technology behind it," Silver said in a recently published research report.

Easy for Microsoft to say; it doesn't have to deal with the IE6 fallout.

According to Gartner, IE6 compatibility problems will cause at least one-in-five organizations to take longer than expected or spend more than they budgeted for their Windows 7 migration projects.

"Microsoft needs to explore all avenues that could ease the transitions away from IE6," Silver added as he spelled out ways the company could lower barriers to Windows 7 adoption, something obviously in its interest.

- Collapse -
CCleaner 3.0 adds secure drive erase tool
Piriform has released version 3.0 of its CCleaner maintenance tool for Windows PCs. The CCleaner application is a popular Windows-only cleaning and maintenance tool that allows users to easily delete, for example, the temporary internet files, cookies and history from a variety of web browsers, as well as from their system recycle bin and other temporary files.

The latest 3.0 release of CCleaner is a major upgrade and adds native support for 64-bit systems and a new Drive Wiper tool that can be used to securely erase the contents of free space on a specified drive - the new option can be accessed via the Tools section. Users can select one or more drives and the tool will remove sensitive information by overwriting the area of the drive on which the data is stored, one or more times, using special algorithms, from a single overwrite to 3, 7 or 35 passes. Other improvements include better support for Internet Explorer 9 and Google's Chrome web browser, additional cleaning support options for HTML5 database storage and a new intelligent cookie keeping feature.
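Added example (not Piriform's code and not how CCleaner's Drive Wiper is implemented) showing the mechanism the post describes: overwriting the blocks that hold sensitive data, pass by pass, with a flush and fsync after each pass so the write actually reaches the device before the file is unlinked. The pass patterns (zeros, ones, then random) are an assumption chosen for illustration; the post does not say which patterns CCleaner uses.

```python
"""Multi-pass overwrite of a file's contents before deletion.

Added example, not CCleaner's code. Pass patterns are an assumption:
pass 1 = zeros, pass 2 = 0xFF, pass 3 and later = random bytes.
"""
import os

CHUNK = 1 << 20  # write in 1 MiB chunks so large files do not sit in memory


def _pattern_for_pass(index: int):
    """Return a callable producing `n` bytes of the pattern for this pass."""
    if index == 0:
        return lambda n: b"\x00" * n
    if index == 1:
        return lambda n: b"\xff" * n
    return os.urandom


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite the current contents of `path` in place `passes` times.

    The file keeps its size so the same on-disk blocks are rewritten
    (on a non-copy-on-write filesystem). Returns total bytes written.
    """
    if passes < 1:
        raise ValueError("passes must be >= 1")
    size = os.path.getsize(path)
    written = 0
    # buffering=0: unbuffered raw I/O, so each write() goes straight to the OS
    with open(path, "r+b", buffering=0) as f:
        for i in range(passes):
            make = _pattern_for_pass(i)
            f.seek(0)
            remaining = size
            while remaining:
                chunk = make(min(remaining, CHUNK))
                n = f.write(chunk)
                written += n
                remaining -= n
            # force the pass to storage before starting the next one
            os.fsync(f.fileno())
    return written


def wipe_file(path: str, passes: int = 3) -> int:
    """Overwrite then unlink; returns bytes written across all passes."""
    written = overwrite_file(path, passes)
    os.unlink(path)
    return written


if __name__ == "__main__":
    import tempfile

    fd, tmp = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"constructed sensitive content")  # constructed sample data
    print("bytes written:", wipe_file(tmp, passes=3))
    print("still exists:", os.path.exists(tmp))
```

Caveat a practitioner should keep in mind: overwriting in place only defeats file-recovery tools when the filesystem really rewrites the same blocks. On SSDs with wear levelling, and on journaling or copy-on-write filesystems, the old blocks can survive untouched, so full-disk encryption from the start or the drive's own secure-erase command is the reliable approach there. More passes do not add much on modern drives; one pass already leaves nothing a software recovery tool can read.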
- Collapse -
Google escapes prosecution over Streetview data

Metropolitan police will not take Google to court, but the search giant may face a small fine over its monitoring of wifi data

Google will not be prosecuted by the Metropolitan Police for collecting thousands of pieces of data about British citizens, the House of Commons was told yesterday.

Ed Vaizey, the communications minister, told a debate on privacy and the internet that although the search giant could still be fined for collecting the wifi data without people's knowledge while it was mapping the UK for its Streetview service, the offence also pre-dated legislation that gave the Information Commissioner the power to levy punishments of up to £500,000. Any fine that is imposed is likely to be far smaller.

Google monitored unencrypted traffic on open wifi networks "inadvertently", the company has said, and has never profited from the data it collected. Although it reported itself to information commissioners around the world, it has been fiercely criticised for allowing the "accident" to happen in the first place. Google initially claimed that it only intercepted fragments of information, but it later revealed that passwords and entire emails could have been recorded. None of the data has ever been published or used by the search giant in any of its products.

- Collapse -
Disliking Facebook LikeJacking

Another Facebook likejacking attempt is being spammed out to fool Facebook users with "5 things girls do before she meets her boyfriend". Instead of presenting a video, the page redirects browsers to a "Like" button hosted on Facebook.

As illustrated above, tens of thousands of people have clicked on the link while they are logged into Facebook already. If you are one of the people who have already attempted to watch the video, please remove the "like" entry from your wall or newsfeed. Also, delete the liked page from your "Likes and Interests" section.

Continued @ the Kaspersky Lab Weblog

__________________ Another Facebook Scam __________________

Girl's sexy Facebook video is disguise for survey scam

Earlier this month I wrote about a scam spreading virally on Facebook that posed as a video of a father catching his daughter on a webcam.

A new version of the scam is now spreading with a slightly different disguise. As a lot of people seem to be affected by it (haven't folks learnt by now about these scams?) it seems worth documenting.

The first thing you will probably see is one of your Facebook friends posting a message like this: [Screenshot]

OMG!!!! Girl Caught by Dad While Making Video on Facebook
OMG!!!!! Girl Caught at Home --> <link>

Other versions may say:

OMG!!!!! Girl Caught by Dad While Making a Sexy Webcam Video --> <link>

Clicking on the link isn't such a wise idea. You'll be taken to a webpage called "Dad Catches Daughter Making A Sexy Webcam Video".

Graham Cluley's post continued @ Sophos Naked Security Blog

- Collapse -
Microsoft Considering Encryption For Bing

If you try to force HTTPS, Bing strips the SSL. In light of the dangers exposed from Firesheep, Microsoft is looking into SSL and other security and privacy solutions for future releases of Bing.

No one wants another person to take over their account and impersonate them - or worse. HTTP session hijacking is nowhere close to a new vulnerability, but with the introduction of the Firefox addon, Firesheep, people who have never hacked, are trying the free and easy-to-use tool. After installation, a person can connect to an open Wi-Fi network, see which users on that network are on insecure social sites, and then double-click on that user to capture their cookie and be logged in as them. Four days and nearly 400,000 downloads later, it's time to see insecure websites get serious about protecting their users' privacy and security with full end-to-end encryption.

On the second day after Firesheep was released, Firesheep was the second suggestion on Bing when you typed "fire". With Bing on the brain, I went to and tried to add S to HTTP. The below screenshot is what happens - an invalid security certificate pops up. [Screenshot]

After poking around on Twitter, I saw that other people had tried it as well.

When I asked Microsoft if it intended to encrypt its connection so that HTTPS worked with Bing, a spokesperson said, "The security and privacy of our customers is very important to us at Bing. We are looking at SSL and other technologies for future releases of Bing."

Windows Live is also listed among the sites that can be sniffed and hijacked with Firesheep. Errata Security's Robert Graham blogged, "The presentation on FireSheep has the really cool graphic above, showing an elephant in the room. That's what sidejacking is: how long will providers like HotMail (MSN Live) and Yahoo continue not to provide encryption for their e-mail products. Seriously, if you still use the free versions of HotMail or Yahoo Mail, you are an idiot."

Related Post : How to protect against Firesheep attacks
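Added example, not code from Firesheep, Idiocy, Microsoft or any of the posts above, illustrating the two halves of what this post and the Idiocy post describe: what a sidejacking tool sees when a logged-in user browses a site over plain HTTP on an open network, and the server-side Set-Cookie check that removes the exposure. The captured requests, host names and cookie names are constructed for the example; the set of cookie names treated as session credentials is an assumption.

```python
"""Sidejacking: cleartext session cookies on an open network, and the
Set-Cookie audit that closes the hole.

Added example; all traffic below is constructed, not captured.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed cleartext HTTP requests as they would appear on an open Wi-Fi
# network. Hosts and cookie values are invented for the example.
CAPTURED_REQUESTS = [
    "GET /home HTTP/1.1\r\nHost: www.example-social.test\r\n"
    "Cookie: session_id=abc123; lang=en\r\nUser-Agent: demo\r\n\r\n",
    "GET /search?q=fire HTTP/1.1\r\nHost: search.example.test\r\n"
    "Cookie: prefs=dark\r\n\r\n",
    "POST /tweet HTTP/1.1\r\nHost: www.example-social.test\r\n"
    "Cookie: session_id=abc123\r\nContent-Length: 0\r\n\r\n",
]

# Assumption: cookie names that on their own authenticate a session.
SESSION_COOKIE_NAMES = {"session_id", "sid", "auth_token"}


@dataclass(frozen=True)
class HijackableSession:
    host: str
    cookie: str  # the name=value pair that alone grants the session


def parse_request(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP request into (request line, lower-cased header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_hijackable_sessions(requests: list[str]) -> list[HijackableSession]:
    """Attacker view: every session cookie sent in the clear, deduplicated."""
    found: list[HijackableSession] = []
    for raw in requests:
        _, headers = parse_request(raw)
        host = headers.get("host", "")
        for pair in headers.get("cookie", "").split(";"):
            name, _, value = pair.strip().partition("=")
            if name in SESSION_COOKIE_NAMES and value:
                session = HijackableSession(host, f"{name}={value}")
                if session not in found:
                    found.append(session)
    return found


def build_replay_request(session: HijackableSession, path: str = "/") -> str:
    """The request a sidejacker sends: the victim's cookie on a fresh
    connection. The site cannot tell it from the victim's own browser."""
    return (f"GET {path} HTTP/1.1\r\nHost: {session.host}\r\n"
            f"Cookie: {session.cookie}\r\n\r\n")


def audit_set_cookie(header_value: str) -> list[str]:
    """Defender view: which protections a Set-Cookie value is missing.

    Without `Secure` the browser will send the cookie over plain HTTP, which is
    exactly what puts it on the wire for Firesheep; `HttpOnly` keeps script
    from reading it. Returns the missing attribute names, [] if hardened.
    """
    parts = [p.strip() for p in header_value.split(";")]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


if __name__ == "__main__":
    for s in find_hijackable_sessions(CAPTURED_REQUESTS):
        print("exposed:", s.host, s.cookie)
        print(build_replay_request(s, "/home"))
    print(audit_set_cookie("session_id=abc123; Path=/"))
    print(audit_set_cookie("session_id=abc123; Path=/; Secure; HttpOnly"))
```

The `Secure` attribute is only half the fix: the site must also serve every page over HTTPS, otherwise a cookie without the flag still leaks on the first plain-HTTP request, and the interception is invisible to the victim because nothing is tampered with.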

- Collapse -
IBM Proposes WiFi Security Approach After Firesheep

"IBM researchers are proposing an approach to WiFi security they call 'Secure Open Wireless' in light of the release of the Firesheep tool"

IBM is proposing a new approach to address WiFi security in the wake of the Firesheep plug-in for Firefox.

The Firesheep extension can be used to hijack the sessions of people using unencrypted sites such as Facebook and Twitter on an open wireless network. The tool was released less than a week ago at the ToorCon 12 conference in San Diego, and has since been downloaded more than 440,000 times.

In response, IBM's X-Force team has gone public with what it calls 'Secure Open Wireless.' In a joint blog post, Tom Cross, manager of the IBM Internet Security Systems X-Force Advanced Research Team, and X-Force researcher Takehiro Takahashi explained that the company has been working on a secure way to "set up an open access point that has encryption and authentication of the network provider."

"If you think about how HTTPS works, you're establishing an encrypted connection to a website, but you don't have to have a password set up with that website in order to establish that encrypted connection," they blogged. "The security of an HTTPS session comes from the fact that the website you are connecting to presents a digital certificate, signed by a trusted third party certificate authority, demonstrating that the website you are connecting to legitimately controls the domain name you are trying to reach."

- Collapse -
New Trojan, Vecebot, Targets Anti-Communist Bloggers

A new family of Trojan Horse programs is being used to stifle political opposition to the Communist Party in Vietnam, according to an analysis by researchers at SecureWorks.

The Trojan, dubbed Vecebot, is a new family of malware and has been linked to distributed denial of service (DDoS) attacks against bloggers who have written critically of the ruling Communist Party and Chinese mining operations in the country, SecureWorks said.

The targets of the Vecebot botnet, estimated at between 20,000 and 30,000 hosts, include popular Vietnamese blogs and online forums, the analysis found. The release of Vecebot may have been coordinated with what was billed as "Vietnam Blogger Day" on October 19, a coordinated online civil action to celebrate the release of a blogger and political prisoner who used the name Dieu Cay, the SecureWorks analysis said.

If accurate, the analysis identifies what would be just the latest example of malware attacks that appear to have political, rather than strictly commercial, objectives. The SecureWorks analysis points to connections between Vecebot and an earlier Trojan, Vulcanbot, which also targeted anti-Communist Web sites in Vietnam with DDoS attacks and other targeted hacks. Domains used for the Vecebot command and control servers are similar to those used in the earlier Vulcanbot attacks, according to a report by the SecureWorks Counter Threat Unit.
