We've been talking about the faux urgency to pass some cybersecurity legislation coming from the federal government, with plenty of fear mongering from politicians who never seem to want to point out any factual basis for why we need such new laws. Instead, it's all been about Hollywood movie script-style scenarios about planes falling from the skies. It appears that the White House is heavily involved in this bogus fear mongering as well, having recently set up a "simulated cyberattack on New York City's power supply" to convince elected officials to move forward on the legislation.

During a classified briefing in the Office of Senate Security, Homeland Security Secretary Janet Napolitano and White House counterterrorism adviser John Brennan showed lawmakers how a hacker could breach control systems of the city’s electric system and trigger a ripple effect throughout the population and private sector, according to a source familiar with the scenario.

“The fact that we could be subject to a catastrophic attack under the right circumstances and we now know some of the things that would help us to protect against such an attack, that’s why it’s important now for the Congress to take this up,” Napolitano said in an interview with POLITICO.

Now that's interesting. Just how could a hacker breach control systems of the power grid? Apparently with an email phishing attack:

During the simulation, the hacker gains access to the electric supply’s control system through a simple “spearphishing” attack, in which a worker merely clicks on a link in an email that appears to be from someone they know.

Um, there's your problem. If the NYC power grid is attached to the public internet in such a way that it can be taken down, then um, shouldn't we take it off the internet? This isn't about cybersecurity, this is about common sense, where things like the power grid should not be accessible via the internet -- and I'm pretty sure they're not (back here in reality). But in the world where we need fear, uncertainty, doubt and the ability for the federal government to spy on private networks, we have to pretend such a scenario is likely.

Of course, I also question why the White House chose NYC as the showcase for the simulation and suggested that there would be deaths and other massive harm from such a power grid takedown. After all, it was just about a decade ago that the power grid in the Northeast did, in fact, fail. It was an inconvenience for many people, certainly, but it was hardly damaging in the way the White House seems to have implied with this scare tactic.

So, once again, can we take a step back and ask some simple questions: what's the real threat and the real risk here? If it's that the NYC power grid is accessible by a simple password over the public internet, then the problem isn't cybersecurity, it's whoever was stupid enough to connect the power grid to the internet. Let's fix that. But let's not regulate and spy on large segments of the public internet to cover for a few bad decisions.

Late on Friday, the news came out that Sony had been hacked yet again, and this time the hacked site was being used for phishing. This was totally unrelated to the PlayStation Network hacks, but involved a website for Sony Thailand. Still, given all the trouble Sony has had lately keeping its systems secure, this seems to just add another layer to the stack of questions about Sony's technical competence.

Back in 2007 we wrote about how police had arrested a kid for "stealing" virtual furniture in the virtual world, Habbo Hotel. At the time, we pointed out how problematic it is when real laws (and real police) cross over into virtual worlds. What if "stealing" is a part of the game? Even if it's not, it seems like these are cases where the folks who run Habbo Hotel should handle it via terms of service issues, rather than getting the real police involved. If virtual items are "stolen," then Habbo should be able to give them back. That's one of the nice things about a virtual world where there is no scarcity and where there's the ability to bring "stolen" things back.

However, it looks like that's not happening any time soon. A bunch of folks have sent in the news that the Habbo Hotel folks have now asked Finnish police to investigate 400 cases of "theft" in their world. Seriously. Of course it is a bit more complicated than that. They're really upset about phishing scams that let scammers get users login information, which they then use to get into their account and transfer the virtual goods away. But that's not really "theft" and it's a misnomer to call it that. And, really, if Habbo Hotel users are getting phished so frequently, perhaps the Habbo developers should focus on building a better login system that is not so susceptible to simple phishing scams...

Hey, sooner or later everyone falls for some sort of phishing/scamware type of thing, right? It's just especially embarrassing if you're the head of the FCC. The NY Times is reporting that FCC Chair Julius Genachowski had his Facebook account spam all his friends with a message saying "Adam got me started making money with this" which was followed by a link to a now defunct site. Facebook has taken down Genachowski's page, and appears to be effectively blaming him for the problem, putting out a generic notice about how users need to be careful not to click on strange links...

Well, here we go again. For years we've questioned the wisdom of using real world laws to deal with issues within virtual worlds. You begin to open up quite the Pandora's Box of problems. If it's okay to charge someone for theft of virtual goods in a virtual world, what do you do if "theft" is a part of the game? And then does killing another character in a virtual world become "murder"? These issues are coming up again as Slashdot points out that a guy in the UK has been arrested for "robbery" of a player in the online world RuneScape. In this case, the arrested guy used a phishing scheme to get access to the username and password, making it similar to a story from two years ago involving "stolen goods" in Habbo Hotel that involved a similar "hacking" of an account.

But, again, it seems questionable to call this a robbery. Why not just charge the guy with violation of whatever laws there are against phishing or fraud, rather than robbery. These sorts of "robberies" can and probably should be dealt with directly in the virtual worlds themselves, where game administrators should be able to just "make things whole." Instead of calling it a robbery, why not focus on the actual crime of phishing, rather than the questionable "crime" of "robbery" of another's character.

In the past week, you may have seen various news stories about Nigerian scammers hacking into Facebook, and then sending their "friends" messages, saying they're stranded in London without money. It is, of course, just the latest improvement on the venerable old Nigerian 419 scam, this time upgraded to use hacked/phished Facebook accounts to trick trusting friends into coughing up their money. However, one of the biggest issues is raised by Yehuda Berlinger, who points out that for those who are hacked, Facebook doesn't seem to have any reasonable way to contact them and fix the problem. Considering how much of your "identity" might be tied up in your social networking profile, you would think that a company like Facebook would have a ready made system in place to handle such "emergency" situations.

One of these days, someone will do a fascinating study or book on the evolving nature of online crime. It's a constantly changing phenomenon that would be quite interesting to study. A few years ago, we noted that the ease with which script kiddies could jump into the phishing and online extortion market meant that margins were getting squeezed for older online organized crime groups who had focused on such practices in the past. Apparently, the big money now has moved away from standard phishing and into corporate espionage. Organized crime groups are figuring out ways to hack into company networks, suck up as much data as possible, and then sell it off to the highest bidder -- whether it's competing firms or foreign governments.

People seem to get pretty excited whenever we have stories of spammers and scammers getting long jail sentences, so I'm sure plenty of folks will be happy to hear that a phishing scammer just got sentenced to seven years in prison. Considering that he was scamming people's passwords to use elsewhere, this seems a lot more reasonable than the folks who get long jail sentences just for spamming. But, with all of these stories about spammers and phishers getting convicted, it always seems like the punishment is rather arbitrary. There's no clear pattern at all.

Back in 2003, there was a huge mess over VeriSign's plan to create "SiteFinder," which effectively hijacked "page not found" messages online and inserted advertising instead. This also broke a bunch of online services that relied on accurate page not found messages. Eventually, VeriSign backed down, but over the last couple of years, ISPs have been starting to do the same thing on their own at a slightly different level in the process. However, some security researchers have demonstrated just how dangerous this can be, by using Earthlink's set up to show how it can be used by phishers to make pages look like they're really on someone else's domain. This particular hole has been patched, but it does demonstrate some of the unintended problems of hijacking a widely accepted standard behavior on the internet for the ISP's own purposes. The ISPs (including Earthlink in this case) always claim that they put up these ad pages as a "customer service" or to "improve their experience," but that's simply untrue. Such pages don't help matters. If a page can't be found, the user should be told that the page can't be found. They can do a search on a search engine themselves to find the proper page.

Well, since Japan leaked nuclear secrets via a P2P site, perhaps it's nice to know that our military runs its own phishing tests to see how gullible service members are. Slashdot points us to the news that the Army ran its own phishing scam, emailing members with an offer for free tickets to theme parks if they just went to a website and filled in certain information. The test itself was set up by the U.S Army Intelligence and Security Command (INSCOM) and U.S. Army Network Enterprise Technology Command (NETCOM) -- and it involved a "fake" website supposedly from Army Family and Morale, Welfare and Recreation Command (Family and MWR). Amusingly, it appears that INSCOM and NETCOM didn't bother to tell the folks at Family and MWR that they were conducting this test, so the group had rushed out an announcement warning people away from the fake site, only to later be clued in by the security folks. Oh well, it still seems better than using Dungeons & Dragons as a test of whether army members are security risks.