Group items tagged

The FTC declined to identify the companies or organizations involved, but said they were both "private and public entities, including schools and local governments." The companies and organizations ranged in size from "businesses with as few as eight employees to publicly held corporations employing tens of thousands," the FTC said in a statement. It said sensitive data about customers and employees had been shared from the computer networks of the companies and organizations and made available on Internet peer-to-peer (P2P) file-sharing networks. The information was accessible to "any users of those networks, who could use it to commit identity theft or fraud," the FTC said. "Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing consumers' sensitive information at risk," FTC chairman Jon Leibowitz said. "For example, we found health-related information, financial records, and drivers' license and social security numbers -- the kind of information that could lead to identity theft," Leibowitz said.

The DMCA Chills Free Expression and Scientific Research. Experience with section 1201 demonstrates that it is being used to stifle free speech and scientific research. The lawsuit against 2600 magazine, threats against Princeton Professor Edward Felten's team of researchers, and prosecution of Russian programmer Dmitry Sklyarov have chilled the legitimate activities of journalists, publishers, scientists, students, programmers, and members of the public. The DMCA Jeopardizes Fair Use. By banning all acts of circumvention, and all technologies and tools that can be used for circumvention, the DMCA grants to copyright owners the power to unilaterally eliminate the public's fair use rights. Already, the movie industry's use of encryption on DVDs has curtailed consumers' ability to make legitimate, personal-use copies of movies they have purchased. The DMCA Impedes Competition and Innovation. Rather than focusing on pirates, some have wielded the DMCA to hinder legitimate competitors. For example, the DMCA has been used to block aftermarket competition in laser printer toner cartridges, garage door openers, and computer maintenance services. Similarly, Apple has used the DMCA to tie its iPhone and iPod devices to Apple's own software and services. The DMCA Interferes with Computer Intrusion Laws. Further, the DMCA has been misused as a general-purpose prohibition on computer network access, a task for which it was not designed and to which it is ill-suited. For example, a disgruntled employer used the DMCA against a former contractor for simply connecting to the company's computer system through a virtual private network ("VPN").

Microsoft revealed on Wednesday that it gained a court order that compelled VeriSign, the .com registry, to remove 277 ".com" names from its rolls, effectively cutting off communication between the Waledac's controllers and their infected machines. The legal action is unprecedented at the domain name level, said Andre' M. DiMino, co-founder of The Shadowserver Foundation, a group that tracks botnets and helped take down Waledac. In June 2009, a federal court ordered the shutdown of 3FN, a rogue ISP supplying connectivity to botnets such as Pushdo and Mega-D, but this appears to be the first major action at the domain-name level. "It's definitely pretty groundbreaking," DiMino said. "To disable and disrupt a botnet at this level is really pulling the weed out by the root." But behind the scenes, Microsoft's legal action was just one component of a synchronized campaign to bring down Waledac. Last year, researchers with the University of Mannheim in Germany and Technical University Vienna in Austria published a research paper showing how it was possible to infiltrate and control the Waledec botnet. They had studied Waledac's complicated peer-to-peer communication mechanism. Microsoft -- which was annoyed by Waledec due to its spamming of Hotmail accounts -- contacted those researchers about two weeks ago to see if they could perform their attack for real, according one of the University of Mannheim researchers, who did not want to be identified. "They asked me if there was also a way besides taking down those domains of redirecting the command-and-control traffic," said the Mannheim researcher. Waledac distributes instructions through command-and-control servers that work with a peer-to-peer system. Led by a researcher who did his bachelor thesis on Waledac, the action began early this week. "This was more or less an aggressive form of what we did before," the Mannheim researcher said. "We disrupted the peer-to-peer layer to redirect traffic not to botmaster servers but to our servers." At the same time, Microsoft's legal efforts brought down domain names that were used to send new instructions to drones. The result has been dramatic: Up to 90 percent of the infected machines, which amount to at least 60,000 computers, are now controlled by researchers, half of which are in the U.S. and Europe and the rest scattered around the globe.

"The only way programming errors can be eradicated is by making software development organizations legally liable for the errors," he said. SANS and Mitre, a Bedford, Mass.-based government contractor, also released their second annual list of the top 25 security errors made by programmers. The authors said those errors have been at the root of almost every major type of cyberattack, including the recent hacks of Google and numerous utilities and government agencies. According to the list, the most common mistakes continue to involve SQL injection errors, cross-site scripting flaws and buffer overflow vulnerabilities. All three have been well-known problems for