Hacks hit embassy, government e-mail accounts worldwide

Usernames and passwords for more than 100 e-mail
accounts at embassies and governments worldwide have been posted online.
Using the information, anyone can access the accounts that have been
compromised.

I am not sure how much needs to be said about this. In general email security is very lax. People often forget just how much information lives in their email accounts. Especially when using Exchange or IMAP type email, all of your old email archives will be compromised if your account is breached. When you consider all of the file attachments most of us get every day, there is probably little sensitive information any of us handle that is not contained in those email archives.

Germany wants to spy on suspects via Web

Germany is proposing to use trojan horse software to enable surveillance of target computers. I have to wonder how effective this will actually be. They are talking about distributing it in an apparently official email from a government email address.

1. Now that the bad guys know this, it seems likely that they will take more care with the attachments from the government.
2. Anti-virus / anti-malware programs should be able to identify and block this software
3. If the anti-virus software makers are convinced to leave a hole for this software, it will be a huge back door for other hackers to use to deploy their trojan horse software.

In general this seems like a high risk operation for the Germans. I suspect that it will be used rarely and very selectively.

E-voting predicament: Not-so-secret ballots | CNET News.com

Once again it is proved that security and anonymity are not as simple as they look. In this case an E-Voting system enables anyone to recover the actual votes of every voter, by name. This system eliminates any privacy in the voting process.

The implications for vote buying, and retribution by family, employers, and others, are huge.

Wikipedia Spin Doctors Revealed - Yahoo! News

Once again, people use the Internet in inappropriate ways assuming that they are anonymous. In this case, Virgil Griffith has created WikiScanner. The idea is really simple. Look through Wikipedia for the IP addresses of everyone who has submitted edits to Wikipedia. They also provide tools to make it easy to see what changes have been submitted by people within specific organizations.

It will come as no surprise that this turns up many blatant attempts to whitewash articles about that organization (or its leaders), or to turn the Wikipedia entry in to a veritable marketing vehicle. I am amazed that people who are net-savvy enough to think of altering Wikipedia entries like this, would simultaneously be unaware that they could easily be identified while doing so.

How search engines rate on privacy | CNET News.com

CNET has done a nice little study on the privacy policies and practices of the top 5 search engines. Their results show that their privacy policies leave a lot to be desired. In particular, Google and Yahoo never actually delete search data, and only partially “anonymize” it after over a year. As has been proven many times, the “anonymized” data can still be easily used to identify the actual identity of the searcher.

The Trial of Fake Steve Jobs - Bits - Technology - New York Times Blog

Here is an interesting bit of detective work. An anonymous blogger was uncovered with a combination of geographic location (pulled from IP addresses), characteristic writing patterns, and some shrewd guess work. The tracking of the IP address is the first piece of evidence they mention. Now if he had used Anonymizer…….

Report: “Sidejacking” session information over WiFi easy as pie

While this is not really news, it is a very nice description of a very widespread risk.
This issue here is that many websites simply use a serial number in a cookie to keep track of user sessions. The implicit behavior is that if you have the cookie, you are authenticated and logged in. The big problem is that most of these sites are also insecure. With the popularity of insecure WiFi networks, capturing those cookies has become very easy. Once an attacker has the cookie, he can act as you for all purposes on those websites.

The simplest solutions are: enable SSL on the website (if possible), only use WPA secured WiFi, use a VPN, or use Anonymizer with the encrypted surfing option enabled (which effectively makes all websites SSL protected).