Morning all! Hope you are all recovering from your *wild* Canada Day parties.

I’m sleepy. I had some dream about Scarlett Johansson last night, hmmm I wonder why?

Thanks for reading!

Signed,

Matt

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. Facebook URLs Reveal Browsing History – fbhive
2. Kremlin may tighten up internet use in Russia – Guardian
3. GhostExodus, the ETA, and a Control-Systems Incident at Carrell Clinic (Part 1) – McGrew Security
4. New AES Attack Documented – SlashDot
5. Hospital Hacker Arrested – The Register
6. Suspected Rolling Stones DDoS – The Register
7. Malzilla: Exploring scareware and drive-by malware – Hollistic InfoSec
8. Mozillas Content Security Policy – ha.ckers
9. Live Blog: The Facebook Privacy Conference Call – TechCrunch
10. InfoSex Sells – Developing Security
11. China Fears Us As We Fear Them – FCW

Tags: News, Daily Links, Security Blog, Information Security, Security News

The storm clouds are gathering over the Clear debacle. Someone woke up Congress and now they want answers.

From Wired:

Clear subscribers paid $200 annually to skip to the front of security lines at 20 of the countries largest airports, but they had to undergo a background check and turn over social security numbers, fingerprints and iris prints to get the card.

That data trove left a lot of unanswered questions after Clear closed abruptly last Monday night. The company, which was founded by journalist-cum-entrepreneur Steven Brill, belatedly told members it was seeking to sell its data to another fast-lane company. If a buyer wasn’t found, it would destroy the data, according to the company’s website.

Hmm. $200 dollar subscriptions for over 165,000 people. So, $33 mil per annum and they’re not filing for bankruptcy? This smells all wrong.

Not only am I curious as to the fate of the data but, where did all the money go?

Article Link

A new law that went into effect today. A DNA sample buffet of anyone charged with a felony in Florida.

From The News Herald:

The new law, which went into effect today, will require anyone arrested on a felony charge submit a DNA sample to be added to a state database. Previously, DNA samples were taken only from those convicted of felonies.

“This is common sense and the right thing to do,” said Crist, flanked by uniformed state troopers at the June 17 bill signing.

Under the new law, however, thousands of people who are arrested on felony charges but later have those charges dropped or reduced could have their DNA swept into the statewide offender database.

So, is this to say that folks that are innocent can find their DNA in this database as well? Seems a touch sketchy on the surface. Of the people charged with a felony in 2008, 26 percent had their charges reduced, dismissed or were found innocent.

Can the innocent have a say?

“People can get their DNA purged from it if they have their charges dropped or are found innocent, stuff like that,” said Rep. Marti Coley, R – Marianna.

Strickland said the removal process is flawed.

“The process does not occur automatically,” she said. “We advocated for an automatic expungement program, and it failed.”

This has all the hallmarks of an absolutely horrid piece of…legislation.

Article Link

Morning all! Happy Canada Day to all of our Canadian readers (and writers )! Happy July to everybody else.

Busy week for me, and by busy I of course mean busy waiting for the nice weather to show up. (WTH New York?!)

Thanks for reading!

Signed,

Matt

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. ATM Vendor Halts Talk at Black Hat – Threat Level
2. Cybercrime spreads on Facebook – Reuters
3. BSOFH: Alls Fair in Security and War – Layer8
4. July 1st is Twittersec Day – I-Hacked
5. Backtrack 4 Pre-Release with persistence on an SD card – Pauldotcom
6. Adobe Shuts Down July 4th Week to Ride Out Recession – PC World
7. UK ‘has cyber attack capability’ – BBC
8. Top 10 Signs You Are A Security Twit – Developing Security
9. Texas man accused of hacking into clinic computers – Associated Press
10. ‘Mafiaboy’: Cloud Computing Will Cause Internet Security Meltdown – Dark Reading
11. Hacker pleads guilty to stealing 1.8 million credit card numbers – Post-Gazette

Finally, if you are headed to Defcon find some time to stop by the Podcasters Meetup

12. 2nd Annual Podcasters Meetup at Defcon – Podcasters Meetup

Tags: News, Daily Links, Security Blog, Information Security, Security News

/me sighs happily. I have a mad crush on Scarlett Johansson.

I’ve always wanted to do that. I’ve accomplished everything I ever wanted in this job. Whatever shall I do next?

Have a great day!

Signed,

The Intern

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. Juniper Networks Gags “ATM Jackpot” Researcher – Risky Biz
2. Mitnick site targeted in DNS attack on webhost – The Register
3. Is It Time to Stop Password Masking? – Threat Post
4. New Trojan stealing FTP credentials, attacking FTP websites – Search Security
5. Web Filtering Company Reports Cyber Attack To FBI – Information Week
6. Hackers blamed for wave of fake death tweets – C|NET Of course it’s a hacker, a bored teenager couldn’t possibly guess the security questions, right?
7. Metasploit Framework as a Payload – Room 362
8. Notorious phone phreaker gets 11 years for swatting – The Register
9. Hole in VLC Media Player – Heise
10. ‘Iceman’ pleads guilty in credit card theft case – C|NET

Tags: News, Daily Links, Security Blog, Information Security, Security News

The EFF has sent out a call to arms to help the protesters in Iran.

From the EFF:

As turmoil over the disputed election in Iran continues, many techs are trying to find ways to help Iranian citizens safely communicate and receive information despite the barriers being established by Iranian authorities. One tactic that even moderately tech-savvy Internet users can employ is to set up a Tor relay or a Tor bridge.

More sophisticated users can skip this paragraph, but for the rest, here’s the basic outline. Tor (an acronym of “The Onion Router”) is free and open source software that helps users remain anonymous on the Internet.

Read on for full article and lend your support.

Article Link

Hmm. Facebook’s privacy efforts have moved from the end user to European lobbyists.

From The Guardian:

“It is much easier for commercial concerns to lobby Brussels, which is distant from public attention but shapes very important legislation,” he said. “Businesses will pay to make sure their views are heard, and it’s difficult for citizens to match that.”

Facebook’s political manoeuvres mark the latest phase in the site’s ascent. It is now officially the world’s largest social networking website with more than 200 million users around the globe. In the process, the company has outpaced its Silicon Valley rivals, and delivered a surprise defeat to Rupert Murdoch and his social networking site, MySpace.

200 million users and yet, the quality seems to be faltering. An example of this would be the email snooping problems to the various UI complaints from users. Then there is always the security aspect to social media.

Article Link

Hello folks. Had a great weekend, somewhat productive with enough relaxation thrown in to feel ready to conquer another week and whatever it throws my way.

Thanks for joining us, see you tomorrow!

Signed,

The Intern

Click here to subscribe to Liquidmatrix Security Digest!.

And now, the news…

1. Watch what Microsoft’s new security app can do – C|NET
2. Titsup airport express lane biz may pawn flyer data – The Reg
3. Identity theft a fast-growing offence – The Globe and Mail
4. Girls Aloud net obscenity case falls at first hurdle – The Reg
5. Lost+Found: Bug reports, eBay, anti-debugging and asterisks – Heise
6. Real CEOs Don’t Twitter — Do They? – PC World
7. Tech Insight: Database Security — The First Three Steps – Dark Reading
8. E-mails indicate EPA suppressed report skeptical of global warming – C|NET
9. Cyberwar: Is Offense the New Defense? – CSO Online I missed this one last week, apologies!

Tags: News, Daily Links, Security Blog, Information Security, Security News

From the Associated Press:

More than a quarter million people are wondering what will happen to their fingerprints, Social Security numbers, home addresses and other personal information now that a company that sped them through airport security is out of business.

Government officials are wondering too.

Well, wonder no more…for the moment at least. Today we had one of our readership who as good enough to share a copy of the Dear John letters that Clear Members around the US are receiving on the heels of the programs demise (Thx rybolov).

Flyclear.com have taken down the website and replaced the main page with the following email text.

From: “Clear Customer Service”
Date: [REDACTED]
To: [REDACTED]
Subject: Clear Member Update

Clear Member Update

Dear [REDACTED],

In response to questions raised by our members, Clear would like to offer the following information:

Clear Lanes Are No Longer Available.

At 11:00 p.m. PST on June 22, 2009, Clear ceased operations. Clear’s parent company, Verified Identity Pass, Inc., was unable to negotiate an agreement with its senior creditor to continue operations. Verified Identity Pass regrets that Clear will not be able to continue operations.

How is Clear securing personal information?

Clear stands by our commitment to protect our customer’s personally identifiable information – including fingerprints, iris images, photos, names, addresses, credit card numbers and other personal information provided to us – and to keep the privacy promises that we have made. Information is secured in accordance with the Transportation Security Administration’s Security, Privacy and Compliance Standards.

How is Clear securing any information at the airports?

Each hard disk at the airport, including the enrollment and verification kiosks, has now been wiped clean of all data and software. The triple wipe process we used automatically and completely overwrites the contents of the entire disk, including the operating system, the data and the file structure. This process also prevents or thoroughly hinders all known techniques of hard disk forensic analysis.

How is Clear securing any information in central databases and corporate systems?

Lockheed Martin is the lead systems integrator for Clear, and is currently working with Verified Identity Pass, Inc. to ensure an orderly shutdown as the program closes. As Verified Identity Pass, Inc. and the Transportation Security Administration work through this process, Lockheed Martin remains committed to protecting the privacy of individuals’ personal information provided for the Clear Registered Traveler program. Lockheed’s work will also remain consistent with the Transportation Security Administration’s federal requirements and the enhanced security and privacy requirements of Verified Identity Pass, Inc.

The computers that Verified Identity Pass, Inc. assigned to its former corporate employees are being wiped using the same process described for computers at the airports.

Will personally identifiable information be sold?

The personally identifiable information that customers provided to Clear may not be used for any purpose other than a Registered Traveler program operated by a Transportation Security Administration authorized service provider. Any new service provider would need to maintain personally identifiable information in accordance with the Transportation Security Administration’s privacy and security requirements for Registered Traveler programs. If the information is not used for a Registered Traveler program, it will be deleted.

How will members be notified when information is deleted?

Clear intends to notify members in a final email message when the information is deleted.

Who is monitoring this process?

Clear is communicating with TSA, airport and airline sponsors, and subcontractors, to ensure that the security of the information and systems is maintained throughout the closure process. Clear thanks these partners for their continuing cooperation and diligence.

How can I contact Clear?

Please visit our website, www.flyclear.com, for the latest updates. Clear’s call center and customer support email service are no longer available.

Will I receive a refund for membership in Clear?

At the present time, Verified Identity Pass, Inc. cannot issue refunds due to the company’s financial condition.

Has Verified Identity Pass, Inc. filed for bankruptcy?

At the present time, Verified Identity Pass has not commenced any proceedings under the United States Bankruptcy Code.

Clear Customer Service

Clear, 600 Third Avenue 10th Floor, New York, NY 10016
www.flyclear.com

Three times overwrite to destroy the hard drive data. OK, but, by what method? NIST 800-88 (.pdf) lays out some criteria but, it’s unclear if they followed that guidance or something similar. The Canadian Communications Security Establishment offers this guidance for clearing and declassifying data storage devices.

Myrcurial had this to add,

It depends on the technology and the over-write method — ie: all ones, random, and whether or not the controller (assuming it’s magnetic disk and not tape/optical/etc.) is giving you a true 1:1 representation of all sectors. 3x with the wrong method on a modern IDE disk doesn’t mean the same as one time with the right method on an MFM/RLL disk

Why not just pitch the drives in a grinder? Also, I have little doubt that there were laptops floating about. Have they all been accounted for? Thumb drives?

Oh, and they’re not filing for bankruptcy. But, they’re keeping your money. WTF?

For more on this story check out the following article.

Article Link

Yes, that’s right. Mike is dead.

From TMZ:

We’ve just learned Michael Jackson has died. He was 50.

Michael suffered a cardiac arrest earlier this afternoon at his Holmby Hills home and paramedics were unable to revive him. We’re told when paramedics arrived Jackson had no pulse and they never got a pulse back.

A source tells us Jackson was dead when paramedics arrived. A cardiologist at UCLA tells TMZ Jackson died of cardiac arrest.

Once at the hospital, the staff tried to resuscitate him but he was completely unresponsive.

But, what’s more insidious than the constant coverage of his passing on every “news” outlet is the impending flood of spam. Gird your loins. It should be starting started any time now. All too often spammers rely on the death of a celebrity to ply their trade.

Today will be no different.

It’s not like there isn’t precedent for this. Back in 2005 a piece of spam made the rounds pronouncing the alleged suicide of Michael Jackson.

Well, I’m done with this nonsense. If I’m to feel bad about something, I’m going to feel bad about something of substance.

UPDATE: Well, can’t sat I didn’t call it. Just four days later and the malware is making the rounds. Not that it was a stretch. It’s interesting to note that only three AV engines, Antivir, McAfee and Sophos, could detect this one.