The password is mE0w

At first I thought this was a joke:

Bank of America will require Internet clients to register their computers and assign a digital image, such as a photo of a pet, to their accounts in an effort to cut down on fraud, the bank announced.

The free service, called SiteKey, lets clients pick an image, write a brief phrase and select three challenge questions.

The image will appear on the site every time a customer has to enter a password.

Apparently, this is serious. I’ve heard stupid security proposals before, but this may be the stupidest ever. Does someone really think that confused Internet users would fall for fewer phishing scams if they had a picture of a puppy in front of them? I shudder to think that it might take off and I will have to upload a picture of my cat every time I want to register for something online. I would be tempted to use this picture:

[Image: Bill2]

(Via Backup Brain)

Update: In the comments, Prof. Michael Froomkin says I’m missing the point and this is a good thing. I’m a B of A customer, so I guess I’ll get a chance to see this feature in action soon.

Block tracking cookies the easy way

Prof. Froomkin (welcome back!) links to a tracking cookie opt-out page:

With a few clicks you can block cookies from Doubleclick and six other Internet tracking/marketers. Ironically, you must allow the site to set a “no thanks” cookie, so cookie blockers must be turned off to make this work.

Although this site was a good idea once upon a time, this rigmarole is completely unnecessary. Tracking cookies are, by definition, third-party cookies. I can think of no good reason to allow third-party cookies on my computer, and so I block all of them. You’ll find the detailed instructions in this article I published in January of this year: How to completely eliminate tracking cookies.

The article includes instructions for Internet Explorer and Firefox. I just checked my system, and despite the fact that I have not deleted any cookies in the past year I have no tracking cookies from DoubleClick, Atlas DMT, 24/7 Real Media or any of the other sites listed on this page.
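The post's rule of thumb is that a tracking cookie is, by definition, one set by a site other than the one you navigated to. The following Python script is an added example (not from the original article or from either browser) that applies exactly that "block all third-party cookies" policy to a constructed page load, so you can see which cookies survive. The page URL, host names and cookie names are made up for the demonstration; the registrable-domain check is a deliberate simplification that takes the last two DNS labels, where a real browser would consult the Public Suffix List.

```python
"""Decide which Set-Cookie responses a browser should accept under a
"block all third-party cookies" policy.

Added example, not from the original post. A cookie counts as third-party
when the host that sets it belongs to a different registrable domain than
the page the user actually navigated to. The registrable domain is
approximated as the last two DNS labels (simplification: real browsers use
the Public Suffix List, so suffixes such as "co.uk" need special handling).
"""
from urllib.parse import urlsplit


def registrable_domain(host):
    """Return the last two labels, e.g. 'ad.doubleclick.net' -> 'doubleclick.net'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_third_party(page_url, resource_url):
    """True when the resource's site differs from the top-level page's site."""
    page_host = urlsplit(page_url).hostname or ""
    res_host = urlsplit(resource_url).hostname or ""
    return registrable_domain(page_host) != registrable_domain(res_host)


def apply_cookie_policy(page_url, set_cookie_events):
    """set_cookie_events: iterable of (resource_url, cookie_name) pairs observed
    while loading page_url. Returns (accepted, blocked) lists of cookie names."""
    accepted, blocked = [], []
    for resource_url, cookie_name in set_cookie_events:
        if is_third_party(page_url, resource_url):
            blocked.append(cookie_name)
        else:
            accepted.append(cookie_name)
    return accepted, blocked


# Constructed page load: the user visits a news site whose page embeds an ad
# network script and an image served from the site's own CDN subdomain.
PAGE_URL = "https://www.example-news.test/story/123"
SET_COOKIE_EVENTS = [
    ("https://www.example-news.test/story/123", "session"),  # first party
    ("https://cdn.example-news.test/logo.png", "prefs"),      # same site, other host
    ("https://ad.doubleclick.net/adj/example-news", "id"),     # third party (tracker)
    ("https://tracker.example-ads.test/pixel.gif", "uid"),     # third party (tracker)
]

if __name__ == "__main__":
    accepted, blocked = apply_cookie_policy(PAGE_URL, SET_COOKIE_EVENTS)
    print("accepted:", accepted)
    print("blocked: ", blocked)
```

Note that the CDN cookie is accepted: a different hostname under the same registrable domain is still the site you visited, which is why blanket third-party blocking does not break ordinary sites while still shutting out every ad-network cookie in the list.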

Feds flunk the cyber-security test

Brian Krebs at the Washington Post reports:

The Department of Homeland Security today received more lumps for failing to implement programs to protect the nation’s most vital computer systems from attack or disruption. The Government Accountability Office issued a report today concluding that the department’s failure to make meaningful progress on its myriad cyber-security programs was due largely to organizational and staffing problems.

The GAO report has a section entitled “DHS Has 13 Key Cybersecurity Responsibilities.” Things like “Develop a national plan for critical infrastructure protection that includes cybersecurity.” And “Support efforts to reduce cyber threats and vulnerabilities.” And “Integrate cybersecurity with national security.”

Unfortunately, the auditors say: “DHS has not yet developed national cyber threat and vulnerability assessments or developed and exercised government and government/industry contingency recovery plans for cybersecurity, including a plan for recovering key Internet functions.”

Gee. Maybe the Department of Homeland Security would get better results if they spent more time actually protecting, you know, homeland security instead of busting people trading movies over BitTorrent. Which, by the way, isn’t anywhere on that list of 13 key cybersecurity responsibilities.

War games

This AP story appeared this morning:

The CIA is conducting a secretive war game, dubbed “Silent Horizon,” this week to practice defending against an electronic assault on the same scale as the Sept. 11 terrorism attacks.

The three-day exercise, ending Thursday, was meant to test the ability of government and industry to respond to escalating Internet disruptions over many months, according to participants. They spoke on condition of anonymity because the CIA asked them not to disclose details of the sensitive exercise taking place in Charlottesville, Va., about two hours southwest of Washington.

Yesterday, my broadband provider, Cox Communications, was responding erratically all day. At the end of the day, it went offline in my neighborhood for more than an hour. When I called support, a recorded message described similar outages throughout the greater Phoenix area.

Coincidence? You tell me. Given the reverse Midas touch that U.S. intelligence services have demonstrated in recent years, I’m inclined to think they could screw up the Internet more effectively than any group of cyber-terrorists.

AP tries to stir up security fears

Associated Press Technology Writer Ted Bridis tries to stir up panic with an alarming story headlined “Hackers Holding Computer Files ‘Hostage’”:

Computer users already anxious about viruses and identity theft have new reason to worry: Hackers have found a way to lock up the electronic documents on your computer and then demand $200 over the Internet to get them back.

Security researchers at San Diego-based Websense Inc. uncovered the unusual extortion plot when a corporate customer they would not identify fell victim to the infection, which encrypted files that included documents, photographs and spreadsheets.

A ransom note left behind included an e-mail address, and the attacker using the address later demanded $200 for the digital keys to unlock the files.

“This is equivalent to someone coming into your home, putting your valuables in a safe and not telling you the combination,” said Oliver Friedrichs, a security manager for Symantec Corp.

The FBI said the scheme, which appears isolated, was unlike other Internet extortion crimes. Leading security and antivirus firms this week were updating protective software for companies and consumers to guard against this type of attack, which experts dubbed “ransom-ware.”

This is just dumb. “Hackers have found a way to lock up the electronic documents on your computer…”? Viruses and other forms of hostile code capable of deleting, encrypting, scrambling, stealing, or corrupting files have been around for as long as I can remember. An ICSA report documents this significantly more widespread extortion attempt from 1989, for instance:

[T]he Aids Trojan … was concealed on diskettes labelled “Aids Introductory Information Diskette” offering information on the human AIDS virus. The diskettes were mailed worldwide from London in December 1989, and when installed displayed a licence agreement and printed invoices for $189 or $378. Users were instructed to send the money to a fictitious PC Cyborg Corporation at an actual PO Box number in Panama, otherwise their PC would cease to function. This was no empty threat; after a variable number of power-ups since its installation the Trojan rendered the PC inoperable. At the end of January 1990, Joseph Popp was arrested by the FBI in Ohio, extradited to London and charged with 11 counts of blackmail… [I]t was estimated that this Trojan was intended to extort at least … 6 million [pounds].

This AP story takes an incident that the reporter acknowledges is “isolated,” which was reported by a publicity-seeking security software firm, and tries to turn it into a trend story. He doesn’t bother talking to any independent security researchers and instead interviews spokespeople for three companies that clearly stand to benefit financially from security-based panic. And I just about lost it when I read that the evil hacker asked for … gasp! Two hundred dollars! Clearly, this is not Dr. Evil we’re dealing with.

The story ends with this paragraph that basically cuts off its own legs:

Experts said there were no widespread reports the new threat was spreading, and the Web site was already shut down where the infection originally spread. They also said the hacker’s demand for payment might be his weakness, since bank transactions can be traced easily.

Oh. I see. Never mind.

There’s no trend here, folks. It’s one of the most fundamental principles of security: If you let someone else install software on your computer, it’s not your computer anymore.

Bridis deserves extra demerits for this lame story.

Update: Add Brian Krebs of the Washington Post to the Dishonor Roll. In his usually trenchant Security Fix blog at washingtonpost.com, Krebs falls overboard for this one:

In what could be a harbinger of the next big fad in online crime, Internet scammers are now trying to extort money from Microsoft Windows users by scrambling text files on victims’ PCs and then requesting payment for a computer program needed to decode the documents.

“Harbinger of the next big fad in online crime”? I doubt it. And “scammers” (plural)? Nope. One isolated incident. He does note, correctly, that this example exploits a security flaw in Internet Explorer that was patched last July.

Yet another update: More uncritical sources continue to pick this story up and fling it around the Internets. Neowin reprints the story unquestioningly, and so does Ed Oswald at Betanews (although an alert commenter quickly provided Betanews readers with a link to this page – thanks, Zaine!). And alas, a scan of Google News reveals that the story has been picked up by more than 400 sources.

“Poisoned” media files wrap-up

The other day I mentioned Microsoft’s new Security Advisory service. The first update in the series has been released, and (surprise!) Microsoft Security Advisory (892313) covers the issue of Windows Media files that can serve as vehicles for delivering unwanted software:

In March 2005, Microsoft issued an update to Windows Media Player to address the issue discussed in this advisory. Microsoft was made aware that malicious attackers can potentially create media files that could then trigger the launch of a Web site without further user interaction. This Web site could potentially then try and trick the user into downloading and executing malicious software add-ons, such as spyware. This social engineering attack abuses a by-design feature in Microsoft Windows Media Player Digital Rights Management (DRM) technology that requires users to have a license to playback a media file.

It’s an excellent summary of an issue I’ve been writing about since the beginning of the year, and I hope it’s a sign of a new awareness about this sort of security issue.

(And a tip of the hat to Eric L. Howes, Ben Edelman, Andrew Clover, Suzi at Spyware Warrior, and Ryan Naraine at eWeek for their input on this issue.)

Microsoft kicks off new security service

Ryan Naraine at eWeek has word of a new Microsoft security service:

Microsoft plans to unveil a new security advisories service next Tuesday as part of an aggressive long-term effort to revamp the way it reacts to publicly reported software vulnerabilities.

The pilot project, which is independent of the scheduled monthly security bulletins, represents a major shift in the way the Redmond, Wash.-based software maker communicates with customers when information on security flaws is published by gray hat hackers and private research outfits.

The new offering, dubbed Microsoft Security Advisories, gives engineers at the MSRC (Microsoft Security Research Center) an outlet for providing instant feedback, guidance and mitigations when researchers jump the gun and release vulnerability details before a patch is available.

This is very good news, good enough to warrant interrupting a vacation! In this new program, security experts at Microsoft will be able to issue advisories with detailed advice without having to wait for a formal update to work its way through the Microsoft bureaucracy.

According to Ryan Naraine’s story, the impetus for this new program was a pair of embarrassing episodes – one in which a patch was issued but not properly documented, and the other involving the issue of “poisoned” Windows Media files, for which a patch was issued only after three months.

When it comes to security, transparency is a very good thing.

Gmail blocks phishers

I just received yet another “phishing” attempt from someone trying to get me to give up my eBay account information. It came to my Gmail account, and like most such attempts it was a painfully obvious fraud.

What was most impressive, though, was how Gmail handled the message. For starters, it landed in my Spam folder, with a big red banner at the top of the message warning me “This message may not be from whom it claims to be.”

[Image: Ebay_phish]

Even better, the URL in the message had been disabled. I was able to dig deep into the Gmail interface and find the HTML source code of the original message, where a link to the phisher’s Web site was buried. But that clickable link didn’t survive in the message that actually landed in my Inbox. And finally, the More Options button on the message window included a Report Phishing link, which I used.
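The two things the post credits Gmail with, disabling the clickable link and warning that the message may not be what it claims, can be reproduced in miniature. The Python script below is an added example, not Google's code: it streams an HTML message body back out with every anchor turned into a non-clickable span, and flags a link as deceptive when its visible text names one domain while the href points somewhere else. The sample message, its TEST-NET address and the "disabled-link" class name are constructed for the demonstration, and the registrable-domain check is the same last-two-labels simplification a real browser would replace with the Public Suffix List.

```python
"""Neutralize clickable links in an HTML e-mail and flag deceptive ones.

Added example, not Google's code. Every <a href=...> is rewritten so it is
no longer clickable (the href is dropped, the visible text is kept), and a
link is flagged as deceptive when its visible text names a domain other than
the one the href actually points to. Registrable domain is approximated as
the last two DNS labels (simplification; browsers use the Public Suffix List).
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Matches a hostname (optionally prefixed by a scheme) inside link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable_domain(host):
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_deceptive(href, visible_text):
    """True when the text shows one site but the href leads to another."""
    shown = HOST_IN_TEXT.search(visible_text)
    target = urlsplit(href).hostname
    if not shown or not target:
        return False
    return registrable_domain(shown.group(1)) != registrable_domain(target)


class LinkNeutralizer(HTMLParser):
    """Streams HTML back out, replacing <a href=...> with a non-clickable span."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.findings = []
        self._link = None  # [href, [text chunks]] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._link = [dict(attrs).get("href") or "", []]
            self.out.append('<span class="disabled-link">')
        else:
            self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())

    def handle_endtag(self, tag):
        if tag == "a" and self._link is not None:
            href, chunks = self._link
            text = "".join(chunks)
            self.findings.append(
                {"href": href, "text": text, "deceptive": is_deceptive(href, text)}
            )
            self._link = None
            self.out.append("</span>")
        else:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._link is not None:
            self._link[1].append(data)
        self.out.append(html.escape(data, quote=False))


def neutralize(message_html):
    """Return (rewritten_html, findings) for one HTML message body."""
    parser = LinkNeutralizer()
    parser.feed(message_html)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample resembling the eBay lure described in the post: the
# visible text claims ebay.com, but the href points at a TEST-NET address.
SAMPLE_HTML = """<p>Dear eBay member,</p>
<p>Please visit <a href="http://203.0.113.7/ebay/update.php">http://signin.ebay.com/update</a>
to confirm your account details.</p>
<p>For help see <a href="http://pages.ebay.com/help">eBay Help</a>.</p>"""

if __name__ == "__main__":
    rewritten, findings = neutralize(SAMPLE_HTML)
    for f in findings:
        flag = "DECEPTIVE" if f["deceptive"] else "ok"
        print(f"{flag:9} text={f['text']!r} href={f['href']!r}")
    print(rewritten)
```

The second link survives the deceptive-text check because "eBay Help" names no domain at all; it is still made non-clickable, which matches the post's observation that the disabling applies to the whole message rather than only to links a filter happens to recognize.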

Very nice work, Google!

Oh, and I have yet another stack of 50 Gmail invites, so if you’re looking for your own Gmail account, send a note to edbott (at) gmail.com and I’ll send you an invite.

Finally, a (partial) solution for “poisoned” Windows Media files!

Update: The original version of this post contained an error. According to my testing, the most recent version of Windows Media Player 10 does not include all of the fixes referred to in this article. The Windows Media FAQ offers this confusing explanation: “If you installed the latest update to Windows Media Player 10 (version 10.00.00.3802 or later), clearing [the Acquire Licenses Automatically] setting will potentially affect all protected files that you try to play, burn, or synchronize. If you have not installed the latest update to Windows Media Player 10, this setting will only affect certain types of protected files.” See the updated instructions below.

Microsoft has finally released an update that protects some users of Windows Media Player 9 Series from media files that try to install spyware/adware by exploiting a flaw in the license acquisition process. (For background on this issue, see How to fumble a security update.)

The procedure for fixing this issue varies depending on your Windows version and which version of Windows Media Player you’ve chosen to use. Microsoft has done a terrible job of getting out the word that an update is available, and as a result most Windows users are still unprotected. The full version of this post contains detailed instructions and is a must-read for any Windows user.


More on Firefox Critical Updates

In the comments to my previous post, Ryan Walters notes that he’s running Firefox 1.0 and doesn’t see any update icon. That’s not good.

Here’s what the generic icon looks like:

[Image: Ff_update_icon]

When you click the green icon, it checks for updates. After it completes the check it displays this dialog box:

[Image: Ff_update]

The dialog box tells you there’s a Critical Update, and you should install it immediately. At that point it even turns the update icon red. But none of that information appears until you specifically click that oh-so-subtle icon.

So why didn’t Ryan see that icon? I don’t have a copy of Firefox 1.0 installed, so I can’t say. It’s possible that the Auto Update option isn’t enabled on his computer. (Click Tools, Options, click the Advanced icon, and select the Firefox check box under the Periodically check for updates heading.)

Update: As I was writing this, a pop-up notice (“Updates available”) appeared in the tray area at the lower right side of the screen. Windows developers call this sort of notice “toast.” Unfortunately, it went away almost immediately.

Like I said earlier, this isn’t an acceptable update mechanism for software that is intended for use by a broad-based, non-technical audience. If Firefox wants to preserve its reputation as the secure alternative to IE, it has to protect every single user from exploits that can install unwanted software.