Bank fraud mules

Authorities in the US have arrested more than 80 “mules” involved in large-scale bank fraud. Although the masterminds are still at large, and probably in Eastern Europe, these arrests show the massive size and success of the fraud operation. Cyber crime has become a virtual economy.

The Zeus banking Trojan enabled hackers to secretly monitor the victims’ computer activity, enabling them to obtain bank account numbers, passwords, and authentication information as the victim typed them into the infected computer, the FBI said.

The scheme relied on individuals known as “money mules” in the United States to actually steal money, the FBI said. Bharara said those arrested consisted almost entirely of mules and four people who managed them.

“The hacking rings we see today take on a more organized approach, similar to a drug cartel or a cyber-mafia,” Bar Yosef says. “There is a hierarchy with employees that have a distinct role in the scheme — the researcher looking for different ways to infect machines, the botnet farmer operating the bots, the botnet dealer renting the bots, and the actual ‘consumer’ who monetizes on the virtual goods received by the bot.”

via More Than 80 Arrested In Alleged Zeus Banking Scam – computer crime/Attacks – DarkReading.

How Android apps use personal information

Android applications are supposed to get permission from the user before they gain access to personal information, such as location. But what happens once the permission is given?

This study from Network World looked at 30 apps to see where and when personal information was used, and found some worrisome results.

A recent test of prototype security code for Android phones found that 15 of 30 free Android Market applications sent users’ private information to remote advertising servers, without the users being aware of what was being sent or to whom. In some cases, the user’s location data was sent as often as every 30 seconds.

The Internet: all encrypted, all the time?

Can the Internet be encrypted by default?

With the current debates about lawful intercept and increasing numbers of man-in-the-middle attacks, maybe the Internet should finally be made secure by default.

Encryption is currently used sparingly, mostly when connecting to e-commerce and financial services over the web. Here the https protocol is used and traffic between the user’s web browser and the server is protected from eavesdropping using SSL. The problems with this scheme are legendary, mostly associated with requiring users to notice when encryption is on and off, and knowing how to interpret certificate information and error messages.

But could encryption be turned on all the time, automatically?

Google has recently made https the default for Gmail, demonstrating that encryption can be scaled to millions of users. What about scaling it to the entire Internet?

Tcpcrypt is an extension to the TCP protocol designed to make encryption the default. It is backward compatible with traditional TCP, and it would protect old applications that don’t have encryption. And it works faster than the SSL we rely on today.

You can read more about tcpcrypt in a recent technical paper, on a tcpcrypt community web site, and on Wikipedia.

Economic Reasons for Security Failures: Ross Anderson

A good, brief article on economics and security failures by Ross Anderson contains some great quotes…

The discipline of security economics teaches us that large systems often fail because incentives are poorly aligned; if someone guards a system while someone else bears the cost of failure, then failure is likely.

As one of my students put it, “All the party invitations in Cambridge come through Facebook. If you don’t use Facebook you don’t get to any parties, so you’ll never meet any girls, you won’t have any kids and your genes will die out.”

Google adds two-factor authentication

Google is introducing two-factor authentication to its Google Apps products. This means that in order to access the enterprise services (mail, documents, etc.) the Google user will have to know their password and also supply a one-time verification code. That code will be sent to the user’s cell phone, or generated by a special application on the smartphone.

The approach is not novel, and does not provide 100% security, but it is notable because of Google’s size and influence. Having such a large player adopt stronger authentication can only help to speed the adoption by other organizations, and that is a good thing.

By doing this now, and previously making https the default in Gmail, Google is demonstrating that better security can be done on a large scale, with general users.

Privacy research positions at CMU

There are two research positions open at CMU in the area of privacy decision making. One is at the Post-Doc level and the other is for Ph.D. students. The principal investigator is Alessandro Acquisti.

The project aims at investigating the role of soft paternalistic approaches in assisting users who face privacy-sensitive trade-offs. Such privacy “nudges” will be incorporated into policy proposals as well as tools and technologies to be developed by other members of the project.

Biometric waste in Iraq

The US military has been collecting millions of biometric samples from Iraqi citizens, both good guys and bad guys. Now that the US is leaving, what should be done with the biometric waste? There are real risks that the records could be used to determine who worked with the US forces during the occupation, or to identify members of rival tribes. And can the new Iraqi government be trusted to use the records properly?

As the war draws down, however, the collection of so much personal information has raised questions about how data gathered during wartime should be used during times of peace, and with whom that information should be shared.

via Questions arise about use of data gathered in Iraq war – The Boston Globe.

Canadian universities making little from licensing

Michael Geist has an interesting article on the income that Canadian universities are making from licensing intellectual property. He questions whether an open distribution model might be better than the current traditional commercialization model.

The latest report is based on survey data from 2008 which finds that the total IP income (primarily from licensing) at reporting Canadian universities was $53.2 million. The cost of generating this income? The reporting institutions employed 321 full-time employees in IP management for a cost of $51.1 million. In other words, after these direct costs, the total surplus for all Canadian universities was $2.1 million.

Brain scan lie detection excluded from court

Wired Science reports that a Tennessee court has thrown out lie detection “evidence” from brain scans because it was unscientific. The defendant had offered the scans as proof that he was not lying about defrauding the government over Medicare payments.

The defense tried to use brain scans of the defendant to prove its client had not intentionally defrauded the government. In a 39-page opinion, Judge Tu Pham provided both a rebuke of this kind of fMRI evidence now, and a roadmap for how future defendants may be able to satisfy the Daubert standard, which governs the admissibility of scientific evidence.

It is particularly important to note that the company actually violated its own protocols during the scan. After two tests produced different results, the testing was repeated a third time until the desired result was obtained.

“Dr. Semrau risked nothing in having the testing performed, and Dr. Laken himself testified that had the results not been favorable to Dr. Semrau, they would have never been released,” Pham noted.

Further, the company expert was unwilling to say whether the defendant was lying or telling the truth on any specific question; he would say only whether the person was “more overall” telling the truth.

Tips for effective lying

Lying is hard, but some people are particularly good at it. Psychology Today offers 10 tips for effective lying.

…human beings have an innate skill at dishonesty. And with good reason: being able to manipulate the expectations of those around us is a key survival trait for social animals like ourselves. Indeed, a 1999 study by psychologist Robert Feldman at the University of Massachusetts showed that the most popular kids were also the most effective liars.
