“If a company is providing telecom services in Indian, then all communications must be available to Indian security services,” a government representative told AFP. “If Google or Skype have a component that is not accessible, that will not be possible. The message is the same for everybody.”

The Indian government is also said to be wanting access to corporate VPN traffic. How they will do this without compromising the security of corporations is really up for debate.

I wonder if they will be trying to ban IronKeys next?

Safe harbor compliance entails:
1. Notice: An organization must inform individuals about the data processing and about possibilities to file inquiries or complaints;
2. Choice: An organization must provide a general opportunity for individuals to choose to object (opt out) and must ask for consent (opt in) for processing of sensitive data;
3. Onward Transfer: Disclosure of information is only permitted if the recipient adheres to the notice and choice principle;
4. Security: Protection of data from loss, misuse and unauthorized access, disclosure, alteration and destruction;
5. Data Integrity: Observance of purpose limitation of data;
6. Access: Right to access personal information hold by an organization about the individual concerned;
7. Enforcement: Mechanisms for assuring effective compliance and data subjects rights.

Weichert’s statement is based on research by privacy research Chris Connolly who has done research showing that of 2,170 US companies that claim to be safe harbor compliant, many were in fact not. 940 out of the 2170 US companies do not provide information on how to enforce individuals’ rights. Strangely, 388 of these companies were not even registered with the Department of Commerce!

It seems that RIM, the maker of Blackberry, is looking to add security back-doors so that governments in these countries can spy on Blackberry users in those areas.

Apparently the flash drive got stuck in his intestinal tract. Federal agents obtained a search warrant, and had a surgeon remove the device from Necula’s body. Wow. I didn’t realize you could get a search warrant to search your intestine!

Comerica refused to reimburse Experi-Metal. So the company sued the bank to recover their funds, alleging that the bank does not have sufficient online security and anti-fraud measures.

Comerica responded by filing a request for a summary judgement to dismiss the lawsuit. A judge has dismissed the request, and the course is now going to court.

This is happening under the auspices of the European Investigation order (EIO).

Civil liberties organizations are very concerned that UK citizen’s personal details could be shared with foreign police for such mundane offenses as not paying for a meal at a restaurant.

The FBI says that these spies not only used encryption to protect data on their laptops and USB flash drives, but that they also are suspected of using proprietary Russian-build steganography software to hide data inside images and other files on their computers.

Steganography is the technique of hiding information inside other documents or data, so that it cannot be detected. Combining steganography with cryptography can create systems of communications and data protection that are incredibly difficult to detect and to crack.

For example, imagine encrypting a data file using strong encryption, and then inserting that file as noise in the soundtrack or video stream of a large .wmv video file. Then posting that file to a website or sharing it on a bittorrent network for its intended recipients to download. If you communicate out-of-band (through an email or a phone call or SMS) to your recipients the name of the video file, and if there is a key sharing protocol (ie. they know the password to decrypt the data), then its highly likely that only that person will be able to know that the encrypted data is there, and be able to decrypt it.

If anyone else downloads the file, even using steganographic detection tools they are unlikely to detect the encrypted data. And even if they were able to extract it, they would still have to crack the encryption.

In fact, one wishing to communicate covertly would want other people to download the file, so that nobody monitoring networks can tell who the file is intended for.

In the case we are discussing today, the alleged Russian spies were detected sending data to known addresses of Russian government computers (we assume IP addresses). Using the technique I discuss, they would have been able to avoid such detection.

One other thing I found interesting about this article is that a 27 character password was required to access the steganographic data. Sounds like a great security measure to have such a long password. However, the agent wrote the password down on a piece of paper! In such a case, it would have been much more secure to use a shorter password that was more easily remembered.

Apparently the investigation has found 120,000 stolen credit card numbers, and 5,000 cloned credit cards. Six card cloning labs have been seized.

Brian Krebs (krebsonsecurity.com) has posted an excellent blog post today. He’s even posted a picture of one of the credit card cloning labs, sourced from the Spanish Ministry of Interior.

The FBI is targeting the end of the criminal supply chain—the “money mules” who receive transfers of stolen funds in their banks accounts—to raise public awareness and dissuade people from becoming mules, said Patrick Carney, acting chief of the FBI’s Cyber Criminal Section.

Money mules are people who think they have a legitimate work-at-home job, where they receive goods or get money wired into their bank accounts, and their job is to forward the goods or a portion of the funds, to another person. These scams are usually presented as a work-from-home shipping clerk job, or perhaps a business consultant or an accounting administrator.

These jobs are posted on job boards like Monster.com and HotJobs.com They are sent out by spam. They are advertised online and even in newspapers.

But the reality is that these are scams, and are operated by the cyber underground as a way to launder stolen funds or goods purchased online with stolen credit cards.

We do not know how many people are working as “mules”, but it must be ten thousand or more in the USA. The anti-money-laundering website BobBear.co.uk lists hundreds of active fake companies that are fronts for money mules.