Security Watch

By Daniel Wolfe

Updated every Tuesday evening, circa 11 p.m. ET. Links may require registration/subscription.

Computer Cases

File-sharing software on government computers has exposed not just sensitive government information such as Federal Bureau of Investigation surveillance photos, but also Social Security numbers and other personal information.

Though file-sharing software is often used to download music and other entertainment, it can also make available any other files on users' machines, such as health and financial records stored on government computers, The Washington Post reported July 30.

A spokesman for the Secret Service, Malcolm Wiley, told the Post that some of the information, such as motorcade routes and safe house sites for Laura Bush, who was First Lady at the time the data was shared, is not considered top secret.

"If something like that were to emerge before an event, keep in mind, we've got other security countermeasures in place," Wiley said. And after an event, the data is "not of any value."

The FBI surveillance photos are also of limited value now that the person under surveillance, a Mafia hit man, is serving a life sentence in prison. However, the congressional committee investigating the matter asked that the convict not be named; at the time the information was shared online, the defendant was still on trial.

More concern was raised over the Social Security numbers and medical records exposed through file-sharing software, since such information does not have an expiration date. Deborah Peel, who founded the health privacy group Patient Privacy Rights, told the Post, "All of these medical files have everything needed for identity theft, the most prominent and frightening consumer issue with electronic systems."


Though most cell phone malware requires users to click a link to download applications, researchers announced last week that they had spotted a way that malicious code could be installed on phones without any action by the phones' users.

Researchers Charlie Miller and Collin Mulliner have discovered that on some smart phones, including Apple Inc.'s iPhone, a stream of text messages could be sent that would give the attacker control over the targeted device, according to a July 30 report by Cnet News. In the case of the iPhone, the attacked phone could be completely taken over, and any personal data stored on it could be harvested by the attacker.

Users can fight back by switching off the phone, Miller said. When the phone powers up again, it would function normally — unless the hackers strike again.

"It doesn't take but a second to grab all your personal info from the device, and as soon as you turn it back on, the bad guy could attack you again," Miller told Cnet. "That's why I think this is so serious."

The flaw was also found in some phones running Google Inc.'s Android operating system or Microsoft Corp.'s Windows Mobile, but the potential effects were less damaging. For example, Android phones could be shut down but not taken over.

All three companies have issued patches to block such attacks, but users who have not patched their phones' software could remain vulnerable.


Twitter Inc. is fighting back against spammers who use its microblogging service to distribute malicious software.

Twitter is using Google's safe browsing system to spot links to phishing sites and other troublesome places on the Web, according to an article Computerworld ran Monday. Users who "tweet" a link to one such site get the error message: "Oops! Your tweet contained a URL to a known malware site," the article said.

However, this feature has a long way to go, the article said. The filter may be tricked by dropping the "www" from a full link, and it may also be tricked by using one of the link-shortening services commonly used to fit long links within Twitter's 140-character limit.

However, one such service, known as Bit.ly, uses the same Google API to screen shortened links, the article said.
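
Both gaps described above (a dropped "www" and a shortened link) arise when a filter matches the URL as typed instead of the canonical destination. The following is an added example, not Twitter's or Google's code: the blocklist, hosts and redirect table are constructed, and all function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample data: a host blocklist, and a stand-in for following a
# shortener's redirect (a real check would resolve the link over HTTP).
BLOCKLIST = {"malware.example"}
SHORTENER_TARGETS = {
    "http://short.example/abc": "http://www.malware.example/payload",
    "http://short.example/ok": "https://news.example/story",
}
MAX_HOPS = 5


def canonical_host(url):
    """Lowercase the host; drop port, trailing dot and a leading 'www.'."""
    if "://" not in url:
        url = "http://" + url  # bare "malware.example/x" as typed in a post
    host = (urlsplit(url).hostname or "").rstrip(".")
    return host[4:] if host.startswith("www.") else host


def host_is_listed(host):
    """Match the host or any of its parent domains against the blocklist."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def naive_is_blocked(url):
    """Weak form: exact string match on the one spelling that was listed."""
    return url in {"http://www.malware.example/payload"}


def is_blocked(url, resolve=SHORTENER_TARGETS.get):
    """Check the canonical host, then follow redirects and check each hop."""
    seen = set()
    for _ in range(MAX_HOPS):
        if url in seen or host_is_listed(canonical_host(url)):
            return True  # a redirect loop is treated as blocked
        seen.add(url)
        target = resolve(url)
        if target is None:
            return False  # final destination reached and not listed
        url = target
    return True  # too many hops: fail closed
```
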

Scam Sleuthing

A hacking conference is a poor place to install a phony automated teller machine.

Security professionals at last week's Defcon conference in the Riviera Hotel in Las Vegas quickly identified a fake ATM and notified police, who removed the machine from the hotel, according to an article Computerworld ran Sunday.

The machine was a shell housing a personal computer, which was visible when attendees shone a flashlight into a window that would normally protect the ATM's camera. The computer was configured to steal card data and personal identification numbers, the article said.

Though the hotel may have been a bad site, the scammers themselves lucked out in one way: They planted their machine in a part of the hotel lacking security cameras, so they were not caught on surveillance tapes, the article said.


A prominent "scareware" scam may have been linked to the Dutch transaction processor Chronopay LLC.

Many scareware programs, which hold a computer hostage until the user buys a bogus antivirus program from the scammers by credit card, contain fine print linking them to a company called Innovagest, The Washington Post's Brian Krebs reported in his "Security Fix" column Friday.

Though Chronopay denied any official involvement with Innovagest, or any of the other entities Krebs tracked in his connect-the-dots exercise to find the people behind the scareware programs, it conceded that an employee may have been involved with the scammers.

Krebs found that the registration records for Innovagest's Web sites linked it to crutop.nu, a Russian forum for people who operate adult Web sites. Crutop has come under fire from the Federal Trade Commission for allegedly facilitating cybercrime, he wrote.

Crutop and Chronopay share the same Google Analytics account number, UA-630887, Krebs wrote. Google Analytics is used to track visitors to Web sites, and the account number is visible in the source code of clients' Web pages.

Kirill Vorobyev, Chronopay's public relations manager, said the connection may simply have been a former employee who was in charge of the Google Analytics account.

"We have suspected for a long time that it is one of our former employees," Vorobyev told Krebs. "We declare, however, that Chronopay doesn't have anything to do with a portal crutop.nu company, though we cannot guarantee it concerning our employees."

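The Google Analytics link described above rests on the account number being readable in each page's source. The following is an added example, not Krebs's method or tooling, of how an analyst could group sites by that number; the site names, page sources and ID values are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Classic Google Analytics IDs look like UA-<account>-<property>; the account
# number is the part shared by every site tracked under one account.
UA_RE = re.compile(r"\bUA-(\d{4,10})(?:-(\d{1,4}))?\b")

# Constructed page sources for hypothetical sites (not real data).
PAGES = {
    "shop.example": '<script>var t = _gat._getTracker("UA-1234567-1");</script>',
    "forum.example": "<script>_gaq.push(['_setAccount', 'UA-1234567-4']);</script>",
    "blog.example": "<script>_gaq.push(['_setAccount', 'UA-7654321-1']);</script>",
    "static.example": "<html><body>no analytics here</body></html>",
}


def account_ids(html):
    """Return the set of GA account numbers embedded in one page's source."""
    return {m.group(1) for m in UA_RE.finditer(html)}


def shared_accounts(pages):
    """Map each account number seen on two or more sites to those sites."""
    by_account = defaultdict(set)
    for site, html in pages.items():
        for acct in account_ids(html):
            by_account[acct].add(site)
    return {a: sorted(s) for a, s in by_account.items() if len(s) > 1}
```

A shared account number is a lead to follow up, not proof of common ownership, since anyone with access to the account can add its snippet to a site.
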
Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.
