FBI Raid shuts down spammer suspect

WEST BLOOMFIELD, Mich. – A man described as one of the nation’s leading senders of spam says an FBI raid on his home office has halted his e-mail operation.

Warrants unsealed last week show that a September raid on Alan M. Ralsky’s home in a Detroit suburb included the seizure of financial records, computers and disks.

“We’re out of business at this point in time,” Ralsky said. “They didn’t shut us down. They took all our equipment, which had the effect of shutting us down.”

Terry Berg, the top deputy in the Detroit U.S. attorney’s office, declined to comment.

Ralsky, 60, has said that he has 150 million or more e-mail addresses, and he has been a target of anti-spam efforts for years.

Verizon Communications Inc. sued him in 2001, saying he shut down its networks with millions of e-mail solicitations. He settled, promising not to send spam on its networks.

A federal law that took effect last year bans use of misleading subject lines and the sending of commercial e-mail messages that appear to be from friends. It also bans use of multiple e-mail addresses or domain names to hide senders’ identities.

Fingerprint Payments

Fingerprint payments taking off despite security concerns
Robert Lemos, SecurityFocus 2005-10-07

Consumers embarking on a shopping spree may be able to leave their wallets behind in the near future, despite some security and privacy experts’ concerns.

This week, Pay By Touch Solutions, a San Francisco-based firm whose system allows customers to pay at participating grocery stores with the press of a finger, announced that investors have pledged $130 million to fund the company’s expansion plans. And rival BioPay has already enrolled more than 2 million people in its service for cashing payroll checks and paying at the supermarket checkout.

Paying by fingerprint is a hit with consumers because people want convenience and faster checkouts, said Shannon Reardon, director of marketing for Pay By Touch.

“The primary reason consumers sign up is for convenience,” Reardon said. “They don’t need a wallet or purse. When it becomes more ubiquitous, consumers won’t have to carry cards around.”

Moreover, the systems are popular with merchants, who stand to save a significant amount in processing fees if their customers pay using fingerprints linked to their bank accounts–up to 75 percent over straight credit card fees, according to BioPay. The market for such point-of-sale equipment and services will jump to $440 million–or 8.4 percent of the market for biometrics–by 2010, up from $31 million–or 2 percent of the market–in 2005, according to research firm International Biometric Group.

Yet, the security of the systems largely remains a question mark. Security and privacy experts worry that pay-by-fingerprint schemes could lead to hard-to-combat identity fraud and greater threats to civil rights.

“What are their security practices and how much more extraordinary are they compared to a ChoicePoint, a LexisNexis, or a CardSystems?” said Pam Dixon, executive director of the World Privacy Forum. ChoicePoint, Reed Elsevier’s LexisNexis, and CardSystems Solutions have all had high-profile incidents where consumers’ financial and personal data has been leaked.

“Stealing a credit card number is one thing,” she said. “But if your biometric is stolen and can be reconstituted, then that is a big problem.”

Both Pay By Touch and BioPay pledged that their customers’ security and privacy are of paramount importance.

Both companies require customers to physically enroll and link their fingerprint and customer ID number to one or more financial accounts. Social Security numbers are not used and accounts are only identified by the last few digits of the account number. The merchant never sees any of the information and nothing is left behind, said Donita Prakash, vice president of marketing for Herndon, Virginia-based BioPay.

“It is the least amount of information left behind about you for any of the possible ways of completing a transaction,” Prakash said. “Nothing physical passes to the merchant that could be skimmed, and it’s not leaving your body.”

Moreover, neither system uses the actual fingerprint to identify the user, but creates a template of the fingerprint–generally a set of numbers measuring specific features of the print. The data format reduces transmission time, but also makes it impossible to reconstitute the original fingerprint, said Larry Hollowood, chief security officer for Pay By Touch.

“When we explain to our consumers that we are not taking the full fingerprint, but that we have 40 data points that can’t be turned into a fingerprint, that increases the adoption rate,” he said.

For most consumers, the firms’ security pledges are either enough or take a back seat to the convenience of paying by fingerprint. A survey commissioned by BioPay found that half of those polled believed fingerprints to be more secure than other forms of payment and, more importantly, more convenient.

“Convenience almost always wins out, even over security,” BioPay’s Prakash said.

However, at least one of BioPay’s practices has raised eyebrows among security and privacy experts. While Pay By Touch executives say the company does not keep the original image of the fingerprints used by the customer to enroll, BioPay does, storing two fingerprint images from each of its 2 million customers, encrypted, in an offline database.

Such a database would quickly become the target of identity fraudsters, said Bruce Schneier, chief technology officer for Counterpane Internet Security and author of several books on security and encryption. While there is no obvious use for a database of fingerprints today, that does not mean there will not be uses in the future, he said.

“A decade ago, no one really knew what use a database of a million credit card numbers would be–turns out you can do a lot of things with it,” Schneier said. “Right now, we are not at the point that there are obvious uses of fingerprint, but ‘I don’t know’ is not a good response when discussing security threats.”

Such a database will be valuable in the future, and criminals will find a way to get access to the data, he said.

“Keeping the system offline is not a solution, because you have to worry about insiders as well as outsiders,” Schneier said.

Recent events have shown that compromising computers by attacking their network connection is only one way to get access to sensitive financial data. Bank of America lost 1.2 million records of financial accounts not through a system compromise, but when sensitive, and unencrypted, backup tapes went missing. And ChoicePoint had more than 145,000 consumer records stolen when fraudsters gained access to the data broker’s records by posing as legitimate firms.

Privacy experts worry that the existence of a database of fingerprints would also be a lure to law enforcement. If an unknown fingerprint is found at a crime scene, checking it against a database such as the one BioPay keeps would likely become standard procedure, said the World Privacy Forum’s Dixon.

“If I was a law enforcement agency and there was a wide deployment of BioPay, they would be my best friend,” Dixon said. “When you are thinking of really bad scenarios (from a civil rights point of view), that is it. It’s a security violation waiting to happen.”

Moreover, a database of fingerprint templates may be just as useful to criminal investigators as a database of images. If a template could be generated from a latent fingerprint left at a crime scene, then any database of fingerprint templates could be used to match a print to a person.

BioPay’s Prakash stressed that the company would control access to the database to the extent allowed by law.

“We make a pretty big point that we do not share with the government,” she said.

Yet, the marketing executive for BioPay is less certain on what the company’s reaction would be to a subpoena from law enforcement to check its database for a certain fingerprint.

“It hasn’t happened yet, and I don’t want to speculate,” Prakash said.

Stealing your neighbor’s Net

NEW YORK (CNN/Money) – Forty bucks for high-speed Internet access? Not a bad deal. But how does free sound?

To a growing number of Internet piggy-backers, it’s the sweet sound of pirating their neighbor’s wireless network. Most new computers are equipped for wireless Internet access, and more and more people are opting for Wi-Fi in their homes. But as the networks become stronger and more prevalent, more of those signals are available outside the subscriber’s home, spilling over into neighbors’ apartments, hallways and the street.

Add to this the growing number of cafes and other public “hot spots” that offer Wi-Fi connections and the ability to buy more powerful antennas that can pick up signals several hundred feet away. The coverage in some places can be pretty near flawless.

One study by Jupiter Research said 14 percent of wireless network owners have accessed their neighbor’s connection. Yet anecdotal evidence suggests that more and more people are logging on for free.

“I haven’t paid for Internet since I’ve been in New York City,” said one friend of this reporter. “Ditto,” chimed in another.

And as the practice of using someone else’s connection without paying for it expands, it raises the question: Is there anything wrong with that?

Will this land you in jail?

The legality of stealing your neighbor’s connection is murky at best.

“All of this stuff is so new, it’s hard to say what the liability issues are,” said Robert Hale, a San Francisco-based attorney who recently published an academic paper on the subject.

Hale points out that there is a federal law on the books that ostensibly prohibits using someone’s access point without their permission. But “without permission” is vaguely defined, and the law seems more geared towards computer hacking.

It seems pretty clear that if you hack your neighbor’s password then it could be reasonably argued you didn’t have authorization.

But securing many older wireless systems with a password is difficult and even newer ones can be a challenge if you’re running multiple computers or multiple operating systems. And, while it may be a violation of the user agreements with Internet service providers, some community-minded users deliberately leave their connections open for others to borrow.

“It’s a gray area,” said Paul Stamp, an analyst at the technology consultants Forrester Research. “By not restricting access it could be argued that you’re implicitly making that available.”

“A broad statement concerning the access of unprotected wireless networks as being always legal or illegal simply can’t be made,” said Jackie Lesch, a spokeswoman for the Department of Justice. “It’s just kind of dicey.”

On a federal level, according to Lesch, prosecuting decisions are made on a case-by-case basis, mostly depending on the type of system accessed and what it was accessed for.

On the state level it could be more clear. “It’s unlawful access,” said John Geraty, an officer with the Internet crimes against children unit of the San Francisco Police Department.

According to Geraty, using your neighbor’s wireless is specifically prohibited in the California penal code. “It’s not yours and you’re taking it,” he says.

But Geraty said his department doesn’t deal with that type of crime specifically and an officer at the department’s fraud desk — whose jurisdiction it would fall under — said she couldn’t recall anyone ever being arrested for it.

Experts do agree that the likelihood of getting caught and prosecuted for stealing a wireless connection probably depends on how often you do it and how you’re using it.

“The damages are really the big issue,” said Hale. “Are you just poking around, checking your e-mail, or are you doing it on a regular basis and affecting this person’s bandwidth?”

Location also seems to play a part.

“If you’re in a Manhattan building with 30 apartments that’s one thing,” said Julie Ask, research director at the technology consultants Jupiter Research. “But if you’re the guy who parks your car in front of a suburban house in the middle of the night and you’ve got the screen from your laptop glowing, well…” she said, referring to a man who was arrested earlier this month in Florida for doing just that.

Exposing yourself

Legal questions aside, reliability is another reason to pay for your own access. If you are a heavy user or need the Internet to work from home, relying on a connection that your neighbor could shut off at any moment is probably not a good idea.

There is also the possibility that someone set up the unsecured connection as a trap. Every packet you send passes through the subscriber’s access point, so experts say the subscriber can read whatever you send unencrypted, such as e-mail fetched over plain POP or IMAP and pages loaded over HTTP, and may be able to gain at least partial access to your computer. Any personal information you send in the clear could then be compromised.
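The following is an added example, not code from the original article, that makes the point above concrete: it shows what the owner of an access point can read by passively looking at a guest’s TCP payloads. The three payloads are constructed inline (a cleartext HTTP request with HTTP Basic credentials, a POP3 login, and a minimal TLS ClientHello); the hostnames and credentials are made up. It also shows the limit of the trap: with TLS the content is hidden, but the server name in the ClientHello (SNI) is still visible, so the host you visit leaks even then.

```python
"""Passive view of a guest's traffic from the access-point owner's side.

Added example (not from the original article). All inputs are constructed
sample payloads, not real captures; hostnames and credentials are made up.
"""
import base64
import re
import struct


def parse_http_request(payload):
    """Cleartext HTTP: method, path, Host and Basic-auth credentials are all readable."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = re.match(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    info = {
        "proto": "http",
        "method": m.group(1).decode(),
        "path": m.group(2).decode(),
        "host": headers.get(b"host", b"").decode(),
    }
    auth = headers.get(b"authorization", b"")
    if auth.lower().startswith(b"basic "):
        # Basic auth is only base64, not encryption: the password is in the clear.
        info["credentials"] = base64.b64decode(auth[6:]).decode()
    return info


def parse_pop3_client(payload):
    """Cleartext POP3: the USER/PASS commands carry the mailbox password verbatim."""
    creds = {}
    for line in payload.split(b"\r\n"):
        parts = line.split(b" ", 1)
        if len(parts) == 2 and parts[0] in (b"USER", b"PASS"):
            creds[parts[0].decode().lower()] = parts[1].decode()
    return {"proto": "pop3", **creds} if creds else None


def parse_tls_client_hello(payload):
    """TLS: the content is encrypted, but the server_name (SNI) extension is not."""
    # record header(5) + handshake header(4) + version(2) + random(32) = 43 bytes
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 43
    pos += 1 + payload[pos]                                   # session id
    pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher suites
    pos += 1 + payload[pos]                                   # compression methods
    if pos + 2 > len(payload):
        return {"proto": "tls", "sni": None}
    ext_len = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if etype == 0:  # server_name: list len(2) + name type(1) + name len(2) + name
            name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
            return {"proto": "tls", "sni": payload[pos + 5:pos + 5 + name_len].decode()}
        pos += elen
    return {"proto": "tls", "sni": None}


def classify(payload):
    """Return what an on-path observer learns from one client-to-server payload."""
    for parser in (parse_http_request, parse_pop3_client, parse_tls_client_hello):
        result = parser(payload)
        if result:
            return result
    return {"proto": "unknown"}


def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello with an SNI extension (sample input only)."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32        # client version + random (zeroed sample)
            + b"\x00"                          # empty session id
            + b"\x00\x02\xc0\x2f"             # one cipher suite
            + b"\x01\x00"                      # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample payloads (made-up hosts and credentials).
HTTP_REQUEST = (b"GET /inbox?folder=private HTTP/1.1\r\nHost: mail.example.com\r\n"
                b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n\r\n")
POP3_LOGIN = b"USER alice\r\nPASS hunter2\r\n"
TLS_HELLO = build_client_hello("bank.example.com")

if __name__ == "__main__":
    for sample in (HTTP_REQUEST, POP3_LOGIN, TLS_HELLO):
        print(classify(sample))
```

Run as a script it prints one dictionary per sample: the HTTP and POP3 payloads give up the host, path, username and password outright, while the TLS sample yields only the destination hostname. The lesson for a borrowed connection is that the owner sees everything that is not end-to-end encrypted, and still sees where you go even when it is.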

So while pirating your neighbor’s Wi-Fi may seem like a good way to siphon a free service, you may end up feeling pretty stupid if you get a summons for sneaking a peek at the latest sports scores, or if your favorite Web sites are the topic of conversation at the neighborhood Christmas party.

How much does Google know about you?

NEW YORK (AP) — Google is at once a powerful search engine and a growing e-mail provider. It runs a blogging service, makes software to speed Web traffic and has ambitions to become a digital library. And it is developing a payments service.

Although many Internet users eagerly await each new technology from Google Inc., its rapid expansion is also prompting concerns that the company may know too much: what you read, where you surf and travel, whom you write.

“This is a lot of personal information in a single basket,” said Chris Hoofnagle, senior counsel with the Electronic Privacy Information Center. “Google is becoming one of the largest privacy risks on the Internet.”

Not that Hoofnagle is suggesting that Google has strayed from its mantra of making money “without doing evil.”

Rather, some privacy advocates worry about the potential: The data’s very existence — conveniently all under a single digital roof — makes Google a prime target for abuse by overzealous law enforcers and criminals alike.

Through hacking or with the assistance of rogue employees, they say, criminals could steal data for blackmail or identity theft. Recent high-profile privacy breaches elsewhere underscore the vulnerability of even those systems where thoughtful security measures are taken.

Law enforcement, meanwhile, could obtain information that later becomes public, in court filings or otherwise, about people who are not even targets of a particular investigation.

Though Google’s privacy protection is generally comparable to, or even better than, those at Microsoft Corp., Yahoo Inc., Amazon.com Inc. and a host of other Internet giants, “I don’t think any of the others have the scope of personal information that Google does,” Hoofnagle said.

Plus, Google’s practices may influence rivals given its dominance in search and the fierce competition.

“Google is perhaps the most noteworthy right now by the simple fact that they are the 800-pound gorilla,” said Lauren Weinstein, a veteran computer scientist and privacy advocate. “What they do tends to set a pattern and precedent.”

The concerns reflect Google’s growing heft. As startups get bigger and more powerful, scrutiny often follows.

Google says it takes privacy seriously.

“In general, as a company, we look at privacy from design all the way (through) launch,” said Nicole Wong, an associate general counsel at Google.

That means product managers, engineers and executives — not just lawyers — consider the privacy implications as new technologies are developed and new services offered, Wong said.

She also said that Google regularly seeks feedback from civil liberties groups such as the Center for Democracy and Technology and the Electronic Frontier Foundation, both of which credit Google for listening even if it doesn’t always agree.

Google’s privacy statements specify that only some of its employees have access to personal data, on a need-to-know basis, and that such access is logged to deter abuse.

Google Chief Executive Eric Schmidt says a tradeoff exists between privacy and functionality, and the company believes in making fully optional — and seeking permission beforehand — any services that require personally identifiable information.

“There are always options to not use that set of technology and remain anonymous,” Schmidt told reporters in May.

But what is meant by personally identifiable information is subject to debate.

Google automatically keeps records of what search terms people use and when, attaching the information to a user’s numeric Internet address and a unique ID number stored in a Web browser “cookie” file that Google’s servers set in the browser unless users reconfigure their browsers to reject them.

Like most Internet companies, Google says it doesn’t consider the data personally identifiable. But Internet addresses can often be traced to a specific user.

Here are just some of the ways Google can collect data on its users:

One of Gmail’s selling points is its ability to retain e-mail messages “forever.”

Google’s program for scanning library books sometimes requires usernames to protect copyrights.

The company is testing software for making Web pages load more quickly; the application routes all Web requests through its servers.

Google also provides driving directions, photo sharing and instant messaging, and it is developing a payments service that critics say could add billing information to user profiles.

Because storage is cheap, data from these services can be retained practically forever, and Google won’t specify how long it keeps such information.

Without elaborating, Google says it “may share” data across such services as e-mail and search. It also provides information to outside parties serving as Google’s agents — though they must first agree to uphold Google’s privacy policies.

Much of the concern, though, stems from a fear of the unknown.

“Everybody gets worried about what they (Google) could do but what they have done to date has not seemed to violate any privacy that anyone has documented,” said Danny Sullivan, editor of the online newsletter Search Engine Watch.

Eric Goldman, a cyberlaw professor at Marquette University, believes the focus ought to be on the underlying problem: access by hackers and law enforcement.

“We still need to have good technology to inhibit the hackers. We still need laws that make hacking criminal. We still need restraints on government surveillance,” Goldman said. “Google’s database doesn’t change any of that.”

Anne Rubin, 20, a New York University junior who uses Google’s search, Gmail and Blogger services, says quality overrides any privacy concerns, and she doesn’t mind that profiles are built on her in order to make the ads she sees more relevant.

“I see it as a tradeoff. They give services for free,” she said. “I have a vague assumption that things I do (online) aren’t entirely private. It doesn’t faze me.”

Larry Ponemon, a privacy adviser, says research by his Ponemon Institute found Google consistently getting high marks for trust.

By contrast, Microsoft, whose software sometimes crashes and is regularly attacked by hackers, didn’t fare as well despite what Ponemon and others acknowledge are improvements in its approach to privacy.

“People confuse customer service with obligations to maintain privacy,” Ponemon said. “Google has a product that seems to work. It gets almost like a free ride on privacy.”

That’s changing.

Google, a perennially secretive company, may share some of the blame. It goes out of its way to strip its privacy statements of legalese so they are easier to read. But the statements remain vague on how long the company keeps data.

In an interview, Wong said Google had no set time limits on data retention; such determinations are left to individual product teams. She said the information helps Google know how well it is doing — for instance, are users getting the results they want in the first five, 10 or 100 hits?

“We keep data that’s collected from our services for as long as we think it’s useful,” she said.

Google says it releases data when required by law, but its privacy statements offer few details. Wong said Google doesn’t surrender data without a subpoena, court order or warrant. But she would not offer any details on how many requests it gets, or how often, and federal law bars Google from disclosing requests related to national security.

For civil lawsuits, Wong said, Google warns users before it complies so they can file objections with a court — a fact the company doesn’t publicize.

Mark Rasch, who was a Justice Department prosecutor in the 1980s and has since advised companies on getting data from Internet companies, says electronic records will only become more relevant for investigators searching for evidence of intent and knowledge.

“As Google becomes more involved in parts of your lives including chats and blog, then it’s going to get lots more subpoenas,” he said. “It’s a lot more than just a search tool.”

Hacker may have accessed applicants’ records

LOS ANGELES, California (AP) — Officials of the University of Southern California said they will contact everyone who used the school’s online application system in the past eight years to warn them that a hacker may have been able to read their files.

School security officials said they plan to contact about 270,000 people although they believe the hacker looked at only about 10 files.

“Although we believe that the scope of this is pretty small, we’re taking it very seriously and we are taking great care to notify every single person where there is even the potential that their records might have been viewed,” said L. Katharine Harrington, USC’s dean of admission and financial aid.

The hacker took advantage of a security flaw he discovered while trying to use the USC Web site on June 20, said Robert M. Wood, USC’s information security officer.

However, the hacker then reported the flaw to an online security magazine, SecurityFocus, and the publication informed USC.

Wood said the FBI was notified but he doubted that any criminal case will be pursued because there didn’t appear to have been any malicious attempt to obtain private information.

FBI officials would not comment.

Since the middle of last year, computer security lapses have been reported at several other schools.

Harvard University, the Massachusetts Institute of Technology and Stanford University all rejected dozens of business school applicants who tried to access admissions Web sites earlier this year in hopes of learning their fate ahead of schedule.

A former University of Texas student was indicted last fall on charges he hacked into the school’s computer system and stole Social Security numbers and other personal information from more than 37,000 students and employees. California State University, Chico, had a similar incident in March.

Information Assurance & Cyber Security Research and Education, a 501(c)(3)