Friday, November 30, 2007

Lost Checking Account Info in UK

Interesting story about the big data theft in the U.K., where about half the population of the U.K. had their personal data "lost" via a hard drive theft. That data includes consumer bank account numbers.

I was reading the Red Tape Chronicles (always interesting, story here: http://redtape.msnbc.com/2007/11/britains-lost-d.html ) where he said that there are minimal protections against loss of checking account information.

"But banks have no such protections on checking account transactions, Litan says. In fact, anyone with a bank account number and routing number can print up fake checks and start draining consumer accounts. Banks don't even process checking account transactions in real time. Instead, they are batch-processed, generally once each day, through a system called ACH, or Automated Clearing House. So there really is little defense against a large-scale checking account theft. Millions of checking account numbers falling into criminals’ hands would be difficult to combat."

Read the entire story. Then remember to take a close look at all of your checking account transactions often (we do it daily). You might also consider keeping a minimal amount in those accounts, transferring money as needed. A bit of a pain, but nothing like the pain of dealing with identity theft.

Thursday, November 29, 2007

Google Maps Mobile Knows Where You Are - Almost

Google Maps Mobile (for your cellphone) can now approximate your location on a non-GPS type cellphone. It does this by using your current cellphone tower location. I tried this on my Blackberry, and it seems to work (at least while I am at the office; haven't tried it elsewhere).

You get a blue dot on your Google Mobile Map that shows your approximate location. More information on the Google Maps Mobile blog here: http://googlemobile.blogspot.com/2007/11/new-magical-blue-circle-on-your-map.html . Note that this is version 2 and beta, and you may want to read the comments on that blog, as some people are reporting problems (as others report success). But the concept and implementation are quite interesting.

A short video is on the site explaining how it works.

Wednesday, November 28, 2007

MPAA Sends Out Malware

The Motion Picture Association (MPAA) is sending out malware to universities.

Brian Krebs of the Washington Post details the MPAA's attempt to provide software to US universities to "help" them track illegal movie downloads. Unfortunately, the MPAA's program opens up some big security holes in a university that installs the software. Mr. Krebs analyzed the software (with some help) and "What we found was that depending on how a university's network is set up, installing and using the MPAA tool in its default configuration could expose to the entire Internet all of the traffic flowing across the school's network."

And another problem they found: "The MPAA overview of the toolkit stresses that the software does not communicate any information about a university's network back to the association. But in its current configuration, the very first thing the toolkit does once it is fired up is phone home to the MPAA's servers and check for a new version of the software. So, right away, the MPAA knows the Internet address of every computer that is running the software."

Mr. Krebs's article is here: http://blog.washingtonpost.com/securityfix/2007/11/mpaa_university_toolkit_opens_1.html

Be careful of horses bearing gifts.

Click Fraud, Malware, and Google Terrain

Back again. Interesting things I have seen:

Malware via search results: Sunbelt Software reports on "tens of thousands of individual pages that have been meticulously created with the goal of obtaining high search engine ranking. Just about any search term you can think of can be found in these pages."

The goal is to create click-through revenue. More info here, including screen shots:
http://sunbeltblog.blogspot.com/2007/11/malware-redirects-aftermath_27.html

And if you go to those search pages, they will try to install some additional malware that will silently send 'clicks' to web sites that they get revenue from. It uses an old 'iframe' vulnerability that was patched several months ago.

Google Maps now has a terrain feature, which is pretty cool to look at (assuming that you live in an area with actual terrain). Go to maps.google.com, enter an address, then click on the "Terrain" button in the upper-right corner of the screen. Good visual implementation to help you get "the lay of the land".

If you have Apple's QuickTime installed, you had better get updated. There are active vulnerabilities there that can be exploited by viewing an evil video.

Lots of vulns out there; update everything early and often, and be careful where you click.

Thursday, November 8, 2007

Email Privacy in US - Not?

From a mailing list:

E-mail privacy to disappear?
On October 8, 2007, the United States Court of Appeals for the Sixth Circuit in Cincinnati granted the government's request for a full-panel hearing in the United States v. Warshak case, centering on the right of privacy for stored electronic communications. At issue is whether the procedure whereby the government can subpoena stored copies of your e-mail -- similar to the way they could simply subpoena any physical mail sitting on your desk -- is unconstitutionally broad.

Link to story here:
http://www.securityfocus.com/columnists/456