ICANN battled dot-word TLD registration leak bug for WEEKS

Red-faced ICANN has delayed its new generic top-level domains programme again as it struggles to deal with the fallout of a security bug that exposed confidential data about applicants.

The internet overseer also confirmed it was first warned of a data leak vulnerability in mid-March, weeks before it eventually pulled the plug on the new TLD registration website.

The organisation’s TLD Application System, which companies use to file applications, has been offline since last Thursday – shut down just 12 hours before the end of a three-month filing period – and an anticipated reopening today has been cancelled.

It now seems likely that it will be well into next week before ICANN finally closes its new gTLD application window, which has seen bids filed for new domain suffixes such as .london, .blog, .shop and very possibly .google and .youtube.

“We believe that we have fixed the glitch, and we are testing it to make sure,” ICANN chief operating officer Akram Atallah said in a statement in the early hours of this morning.

“We also want to inform all applicants, before we reopen, whether they have been affected by the glitch,” he said. “We are still gathering information so we can do that.”

The “glitch” was actually a vulnerability that allowed some applicants to see the names of files that had been uploaded to TAS by other applicants. While the documents themselves could not be opened, in many cases the filename alone would be enough to reveal the gTLD being applied for by a third party.

This is seen as highly confidential and sensitive information. The vast majority of new gTLD applicants are playing their cards close to their chests while the application window is still open as they fear competition that could force them into a potentially expensive auction.

Merely opening a TAS account costs $5,000; filing a dot-word TLD application costs an additional $180,000.

Some applicants have told El Reg that they uploaded files to TAS with names containing their desired gTLDs, and one, speaking on condition of anonymity, has confirmed that he saw the vulnerability and reported it to ICANN six days before TAS was shut down.

“I could infer the applicant and string based on the name of the file,” he told us.

Over the weekend, ICANN confirmed in a statement that it had received reports about the bug from TAS users as early as 19 March. In each case, the organisation treated it as an isolated bug and fixed it, which was clearly not the case.

The organisation had planned to reopen TAS today and close it on Friday, but it now seems that the system will be down for the rest of the week. ICANN said today it plans to provide an update no later than Friday about the new filing deadlines.

ICANN is still targeting 30 April for revealing the names of all 1,000-plus new gTLD applications, but that also seems increasingly unlikely. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/04/17/icann_tas_still_offline/


Security Twitteratti: Twitter’s 2FA does sweet FA for biz

Security-watchers don’t appear overly impressed with Twitter’s introduction of two-factor authentication (2FA) to its service.

While some infosec experts welcomed the move, others argued that while it might help protect the accounts of individuals, it is ill-suited to the safeguarding of shared accounts of organisations – many of which have fallen victim to recent hijacking attacks.

On 22 May, users of the iconic micro-blogging service were given the option of using the 2FA service – which verifies login attempts by way of a code sent to a pre-registered mobile phone, as explained in a blog post by Twitter.

The introduction of something stronger than basic user name and password authentication follows a spate of hijacking attacks over recent weeks where a long list of media organisations – including AP, The Telegraph, the BBC, The Guardian, The Financial Times and satirical news site The Onion – have had their Twitter feeds hijacked to promote propaganda from the pro-Assad Syrian Electronic Army.

The Telegraph and The Onion both said after the attack that they had been pwned via a determined multi-stage phishing attack where the attackers ultimately gained control of webmail accounts running social networking feeds.

High-profile individuals, including former Doctor Who actress Karen Gillan, have also had their Twitter feeds hacked to promote diet pill scams and other such crud.

Multi-user access, anyone?

But 2FA in Twitter’s form – a code sent to a single phone number per account – is of little use to media organisations, or even small businesses, where multiple users require access to the same account, experts contend.

“Media organisations which share breaking news via social media typically have many staff, around the globe, who share the same Twitter accounts,” explained Graham Cluley in a post to Sophos’s Naked Security blog. “2FA isn’t going to help these companies, because they can’t all access the same phone at the same time.

“Either those people will have to leave themselves permanently logged into Twitter (which is itself unwise from the security perspective), or one central trusted person will have to ‘own’ the phone – and share the six-digit code with journalists as they try to log in to share breaking news stories. It’s a complex problem to fix, and for that reason many media organisations may choose not to enable Twitter’s additional security at this time.”

Virus Bulletin anti-spam test director Martijn Grooten added that the same problem would be faced by most businesses that maintain a corporate Twitter feed.

“So if I want to share the company’s Twitter account with a colleague and set up two-factor authentication, we’d have to share a phone too,” he notes.

Jeremiah Grossman, CTO of WhiteHat Security, was more upbeat in making much the same point. “Twitter rolls out 2FA for users: good stuff, but how to support shared accounts,” he said.

A job listing, which has since been pulled, posted in February suggests Twitter has been looking for coders to develop “user-facing security features, such as multi-factor authentication and fraudulent login detection” for some months.

Cluley added that Twitter could learn lessons from Facebook, which has had a two-step login approval system since 2011, and also has multi-user access.

“In time, Twitter will surely mature and offer appropriate security, and mechanisms which recognise how many corporate brands and news organisations are using Twitter today,” he said.

“Maybe they will one day adopt a system like Facebook has, where multiple users can have access to an account – all with different levels of authority, all with different usernames and passwords.”

Google Plus has also created a more sophisticated authentication set-up for shared accounts, Cluley told El Reg. “Google Plus and Facebook both give a way for individuals to have access to a brand page, but log in through their individual accounts (using 2FA, and different passwords),” he explained.

Logging in through your smartphone? When 2 (factors) become 1

David Emm, senior security researcher at Kaspersky Lab UK, said that while two-factor authentication will make it harder for hackers to hijack accounts, there are some potential pitfalls with the new approach, even for consumers. He is less critical than Cluley about Twitter’s design choices.

“It’s easy to see why Twitter has chosen to use SMS as the second authentication method,” Emm explained. “Nearly everyone today has a mobile phone, so this method doesn’t require people to carry around an extra token or device that generates the one-time passcode. Additionally, the cost of rolling out this technology is minuscule in comparison to investing in tokens and shipping them to its customers.”

“However, there are some potential pitfalls with using SMS as an authentication method. Many people log into their Twitter account from their smartphone via the Twitter app which doesn’t require login credentials to be entered each time. This means that the same device is being used for both authentication factors and if this device is lost or stolen, whoever finds (or has stolen) it will be able to access the account. Therefore, in effect, there is no longer two-factor authentication.

“Also, it is possible that we will see the development of smartphone-based malware that is specifically designed to steal the SMS authentication code. We have already seen similar malware designed to steal mTAN numbers for banking transactions. Examples include ZitMo (ZeuS-in-the-Mobile),” he added.

Cluley agreed that even those who enabled two-factor authentication were still vulnerable to some of the more sophisticated forms of phishing and man-in-the-middle attacks.

“Determined online criminals could use ‘man-in-the-middle’ techniques to grab the six-digit passcode alongside your password and username,” Cluley explained. “So, even if you do turn on Twitter’s 2FA, you still need to double-check that when you enter your username and password, or your six-digit code, that you are *really* on Twitter’s https website. Otherwise, the crooks can just use all three items to log in as you,” he warned.
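The relay problem Cluley describes, as an added example that is neither Twitter’s code nor anything from the original article: a minimal model of the SMS-code step (issue a six-digit code, accept it once, inside a short window, with a guess limit) and a simulation of a phishing proxy forwarding the captured code to the real service before the victim’s own submission arrives. `OtpService`, the injected `send_sms` callable, the fake clock and the phone numbers are this example’s own assumptions; no real SMS is sent.

```python
import hmac
import secrets
import time


class OtpService:
    """Issues six-digit SMS codes and verifies each one once, inside a short window."""

    def __init__(self, send_sms, ttl_seconds=120, max_attempts=3, clock=time.time):
        self._send_sms = send_sms            # callable(phone_number, message_text); injected, no real SMS
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock                  # injectable so expiry can be simulated
        self._pending = {}                   # username -> [code, issued_at, attempts]

    def start_login(self, username, password_ok, phone_number):
        """Step one: only a correct password triggers the SMS code."""
        if not password_ok:
            return False
        code = f"{secrets.randbelow(10**6):06d}"    # uniform over 000000..999999
        self._pending[username] = [code, self._clock(), 0]
        self._send_sms(phone_number, f"Your login code is {code}")
        return True

    def finish_login(self, username, submitted_code):
        """Step two: True exactly once per issued code, only inside the TTL and attempt limit."""
        entry = self._pending.get(username)
        if entry is None:
            return False                      # nothing pending, or the code was already consumed
        code, issued_at, attempts = entry
        if self._clock() - issued_at > self._ttl or attempts >= self._max_attempts:
            del self._pending[username]       # expired or too many guesses: a fresh code is required
            return False
        entry[2] += 1
        if hmac.compare_digest(code, str(submitted_code)):
            del self._pending[username]       # single use: the code is burnt on success
            return True
        return False


def simulate_relay_phishing():
    """The man-in-the-middle case: the victim types username, password and SMS code
    into a look-alike site; the attacker forwards all three to the real service
    before the victim's own submission gets there.
    Returns (attacker_logged_in, victim_logged_in)."""
    inbox = {}                                                    # phone number -> last SMS text (constructed)
    svc = OtpService(send_sms=lambda phone, text: inbox.__setitem__(phone, text))

    # Password already captured by the phishing page and relayed: the real service sends the SMS.
    if not svc.start_login("alice", password_ok=True, phone_number="+15550100"):
        raise RuntimeError("password step should have succeeded")
    code = inbox["+15550100"].split()[-1]                         # victim reads the SMS and types it into the fake page

    attacker_logged_in = svc.finish_login("alice", code)          # relayed first: accepted
    victim_logged_in = svc.finish_login("alice", code)            # same code, second use: rejected
    return attacker_logged_in, victim_logged_in


def simulate_expiry(ttl_seconds=120):
    """A captured but unused code is worthless once the window has passed."""
    now = [1_000_000.0]                                           # fake clock, seconds
    inbox = {}
    svc = OtpService(send_sms=lambda phone, text: inbox.__setitem__(phone, text),
                     ttl_seconds=ttl_seconds, clock=lambda: now[0])
    svc.start_login("bob", password_ok=True, phone_number="+15550101")
    code = inbox["+15550101"].split()[-1]
    now[0] += ttl_seconds + 1
    return svc.finish_login("bob", code)


if __name__ == "__main__":
    print("relay (attacker, victim):", simulate_relay_phishing())    # (True, False)
    print("expired code accepted:", simulate_expiry())              # False
```

Single use and a short lifetime are what make a stolen code useless a minute later (the `simulate_expiry` case), but they do nothing against a proxy that forwards the code in real time: the first submission wins, and it is the attacker’s. That is the gap Cluley’s “check you are really on Twitter’s https website” advice is papering over; closing it properly needs a second factor that is bound to the genuine site rather than a number a human reads off a phone and retypes.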

Emm was more willing to give Twitter some credit for moving in the right direction in giving users improved authentication tools. “Twitter’s use of two-factor authentication should be welcomed with open arms,” he said.

“Two-factor authentication makes it difficult for someone to hijack an account by adding another method of validation. To date, a static password has been the only thing securing Twitter accounts, and all too often these are easy to guess,” he concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/24/twitter_2fa_analysis/

Wikileaks leaks documentary script about Wikileaks

Wikileaks has released a transcript of a documentary about its history so it can add notes to each section saying “Wrong!”, a day before the film debuts.

The secret-spilling site has taken umbrage with We Steal Secrets: The Story of Wikileaks, which is set to debut in New York and Los Angeles today and released a transcript of the documentary online yesterday.

The annotated transcript, which can be found on the Justice4Assange website, comes with an introductory note claiming that the documentary is “filled with errors and speculation”.

“The stock footage used has been heavily edited, in some places distorting what was said,” the note said. “This is unprofessional and irresponsible in light of ongoing legal proceedings. It trivialises serious issues.”

The site highlights the point at which the film implies that top Wikileaker Julian Assange could be guilty of “conspiring with Bradley Manning”.

“This is not only factually incorrect, but also buys into the current US government position that journalists and publishers can be prosecuted as co-conspirators with their alleged sources or with whistleblowers who communicate information to them,” the note said.

It also said that neither Assange nor anyone else at Wikileaks agreed to be in the documentary because they’re all going to be in a film “by respected Academy Award-nominated film-maker Laura Poitras” out later in the year.

Guardian investigative journalist Nick Davies also caught some flak for claiming Assange had said Afghan supporters of foreign military forces in their country “deserve to die”.

The documentary was commissioned by Universal for $2m and was made by film-maker Alex Gibney, according to the note, which also mentions that yet another film, “co-produced with Ken Loach’s 16 Films, will be released shortly”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/24/wikileaks_leaks_documentary_transcript/

INSIDE GCHQ: Welcome to Cheltenham’s cottage industry


Geek’s Guide to Britain For staff at the Government Communications Headquarters (GCHQ) in Cheltenham, there’s an air of Fight Club about the place. The first rule about GCHQ is you don’t talk about GCHQ.

It’s a well observed tradition, even though there are road signs and a bus route directing you to this highly secret establishment, the nerve centre of Britain’s communications surveillance operations.

GCHQ Benhall … does a doughnut keep better secrets? Source: Bing Maps/Digital Globe

The design of the doughnut-shaped building at Benhall has attracted a fair share of attention since its completion in late 2003. Indeed, if you take a look at the site from Google Earth, you might wonder if it inspired Steve Jobs’ plans for a new circular Apple building – a company that also likes to keep secrets.

Benhall is now the primary home of GCHQ and the majority of the service’s 5,300 employees are based here. The organisation’s own website describes itself as “one of the three UK Intelligence Agencies and forms a crucial part of the UK’s National Intelligence and Security machinery”. The other two are the Security Service (MI5) and the Secret Intelligence Service (MI6).

In years gone by, GCHQ in Cheltenham was spread over two sites a few miles apart: Oakley and Benhall. The Oakley site has largely given way to a housing development although some buildings remain with the barbed wire fence rather menacingly separating it from a kids’ play area on the new estate. While undoubtedly unintentional, this incongruousness does appear strangely Soviet – it’s perhaps fitting given Cold War concerns became GCHQ’s raison d’être in the 1950s.

GCHQ Oakley … recreation and razor wire live side by side these days

I was born into a GCHQ family as my parents met there. As I write, it now occurs to me that if GCHQ didn’t exist, neither would I. Spooky. I lived in a GCHQ house, too – purpose built to accommodate the growing workforce – and I could see Benhall’s satellite dishes from my bedroom window.

I worked there too, and before I tread further along this telecommunications taboo tightrope I should mention to our colonial cousins that what we have here is the equivalent of America’s National Security Agency (NSA). For me, this association came in handy when applying for a US visa to visit a GCHQ colleague working for that ultra-hush-hush outfit. Mentioning those three initials at the US Embassy had my passport visa stamp in seconds.

Incidentally, I did ask the GCHQ press office if there was any chance of a tour of the building or even some publicity pictures of the interior. Admittedly, there was a bit of wishful thinking behind the former – there were employee family tours when the building was complete – but the answer was no. The polite response to the latter request was that pictures would be considered on condition the article could be viewed before publication. That’s against our editorial policy, but chances are they’ve done that already.

Official Secrets Act warning … and that’s just the car park

I decided to take some photos myself, which are no more intrusive than those found on Google Streetview. It was only later that I spotted a “no photographs” sign, but as I was some distance away, I didn’t notice it at first. I doubt I’d notice if I’m now being followed or having my communications tampered with as a result, but it would seem like a waste of time and of public money.

If you do go on a tour of ‘Nam, taking pics aplenty up to the wire wouldn’t be a very good idea. The security staff, many of whom are ex-servicemen, take a dim view of this sort of thing.

Choosing Cheltenham

As part of my research for this piece, I dug up Peter Freeman’s 34-page booklet titled How GCHQ came to Cheltenham, which lays out a longer story than I’d anticipated. Freeman details the early years and the decision-making process that saw this sleepy Cotswold town – that for 75 years up to 1945 had a static population of 50,000 – undergo significant changes when GCHQ became operational. The population swelled by 20 per cent in the 1950s with a housing programme in place to support Cheltenham’s new cottage industry: intelligence gathering.

Freeman remarks that the Ministry of Health’s initial views were that “Cheltenham did not want civil servants and already had plenty of local employment”. The Ministry of Works leaned on the Ministry of Health and consequently the town now breeds civil servants.

Early GCHQ history by staffer Peter Freeman

I was reading an exclusive edition of Freeman’s work which features various handwritten corrections and additional detail courtesy of my mother, and she would know being on the 1950s-era Foreign Office recruitment team based above the Ministry of Food bureau in Clarence Street, Cheltenham (rationing was still in operation in post-war Britain). Their task was to find the right stuff to staff Oakley and Benhall.

Yet how GCHQ came to Cheltenham owes more to what the Americans left behind after World War II than any strategic importance to the spa town’s location. The Oakley and Benhall sites were purchased by the Ministry of Works in 1939 and building works began for the purpose of housing government departments if an evacuation from London’s Whitehall became necessary. During the Blitz, some ministries had to move fast and ended up arriving before work on the temporary office blocks was complete. Each site had six of these utilitarian, single-storey, 12-spur buildings that, in total, clocked up over 400,000 sq ft of office space.

With the Blitz over, various departments returned to London, and the Americans, now involved in the war, found themselves at these two sites running a major HQ. The US SOS (Services of Support) dealt with logistics for the European Theatre of Operations, US Army (ETOUSA), and the buildings were used as offices for this communications hub. According to Freeman, the Americans arrived in secret and those coming from London had exclusive trains laid on to keep their movements under wraps. The railway staff at Paddington weren’t so clued up though, and slapped up signs on the platform saying “US Forces To Cheltenham”. As the Yanks dug in at ‘Nam, they consequently installed a substantial network of landlines which remained after the war.

US Forces in covert UK transportation ops … lucky they kept this quiet. Source: HyperWar

The clincher was when Cheltenham was visited by a staffer from GCHQ – then based at Bletchley Park near Milton Keynes – who knew of the site at Benhall, which was where the Ministry of Pensions had taken residence prior to an eventual move to Blackpool. Posing as an Admiralty official on a pensions fact-finding mission, he was granted a tour of the site and wrote up a favourable report of the place. Although there would be numerous inter-departmental and financial wrangles to follow, GCHQ eventually made its home in Cheltenham in the early 1950s.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/24/geeks_guide_gchq/

Did Kim Dotcom invent 2-factor authentication? Er, not exactly…

Twitter is the latest major web service to beef up its security with two-factor authentication (2FA). The security feature is a pretty simple and effective approach – and one the notorious Mega kingpin Kim Dotcom claims today to have invented back in the ’90s.

Two-factor auth is a simple process for verifying that the person logging in holds something beyond the password. A random code is sent from the web service (via SMS) to the person’s phone, and the user then types the code into an authentication dialog on a web page.

But did Dotcom really invent 2FA for remote authentication? In short, it appears he did not.

In 1996, the then-Kim Schmitz filed for a patent entitled “Method for authorizing in data transmission systems”. The patent has a priority date of 29 April 1997, and it does indeed describe a two-factor authentication system. The user logs into a service, triggers a secondary authentication request, and this is fulfilled by SMS.

But Ericsson filed a patent titled “User authentication method and apparatus” with a priority date of 24 June 1994 that also covered 2FA using a pager or phone. A later patent filed by Nokia ["Method for obtaining at least one item of user authentication data"] with a priority date of 23 February 1996 resembles even more closely the 2FA approach used on the web today.

Kim Dotcom’s patent through the European Patent Office was cancelled in 2011 after opposition from Ericsson.

Kim Dotcom’s US patent remains in force. Whether the US Patent Office or the United States District Court of Texas would confirm the validity of the patent is an interesting question.

On his Twitter page, Kim Schmitz/Dotcom describes himself as an “innovator”. To earn the title, you’ve got to introduce something new. Kim Schmitz/Dotcom – in this case at least – doesn’t appear to have done so. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/24/kim_dotcom_2fa_no/

Microsoft exposes green users’ privates in web quiz snafu

Microsoft has plugged a flaw in its Greener IT Challenge website that leaked the names and email addresses of users who took a quiz on the site.

Users who passed the quiz by demonstrating their knowledge of buying environmentally sensitive PCs, choosing minimal power use options for new computers and how to dispose of obsolete IT kit safely were given a certificate.

The certificate is displayed at the end of the multiple-choice test, at which point a PDF version can be downloaded for printing.

However some “bad form” web design meant that these PDF certificates were allocated sequential numbers and served, with no login required, from an unencrypted website open to world+dog. It would have been a simple matter for spammers or other miscreants to run a script that stepped through the numbers and harvested hundreds of names and email addresses. The information might then be usable in spam runs or (worse) phishing campaigns.
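The two designs side by side, as an added example that is not Microsoft’s site code: a lookup keyed on a small sequential integer, the harvesting loop a spammer would point at it, and a replacement that hands out an unguessable per-certificate token and only returns the record to the session that earned it. The records, session names and function names are constructed for this example.

```python
import secrets

# Constructed sample records standing in for the quiz's certificate store.
CERTIFICATES = [
    {"name": "Ada Example", "email": "ada@example.com"},
    {"name": "Bo Sample", "email": "bo@example.net"},
    {"name": "Cy Test", "email": "cy@example.org"},
]


# -- what the article describes: /certificate/<n>.pdf with n = 1, 2, 3, ... and no login --
def get_certificate_by_number(number):
    """Vulnerable lookup: any integer in range returns someone's name and address."""
    if 1 <= number <= len(CERTIFICATES):
        return CERTIFICATES[number - 1]
    return None


def harvest(lookup, start=1, stop_after_misses=5):
    """What a spammer's script does: count upwards until the records run out,
    collecting every email address on the way. Works against any lookup that
    takes a small integer."""
    found, misses, n = [], 0, start
    while misses < stop_after_misses:
        record = lookup(n)
        if record is None:
            misses += 1
        else:
            found.append(record["email"])
        n += 1
    return found


# -- hardened: an unguessable per-certificate token, and the record tied to its owner --
class CertificateStore:
    def __init__(self):
        self._by_token = {}        # token -> (owner_session, record)

    def issue(self, owner_session, record):
        """Called when the quiz is passed; returns the token that goes in the PDF link."""
        token = secrets.token_urlsafe(32)   # 256 random bits: neither sequential nor guessable
        self._by_token[token] = (owner_session, record)
        return token

    def fetch(self, token, requester_session):
        """Returns the record only to the session that earned it, and only by token.
        A wrong token and a wrong session look identical to the caller (None)."""
        entry = self._by_token.get(token)
        if entry is None:
            return None
        owner, record = entry
        if owner != requester_session:
            return None
        return record


def demo():
    """Enumeration succeeds against the sequential scheme and yields nothing against tokens."""
    leaked = harvest(get_certificate_by_number)

    store = CertificateStore()
    for i, record in enumerate(CERTIFICATES):
        store.issue(f"session-{i}", record)
    # The harvester has no session of its own and can only guess small integers.
    recovered = harvest(lambda n: store.fetch(str(n), requester_session="session-attacker"))
    return leaked, recovered
```

The high-entropy token on its own defeats the harvest; binding the record to the session that earned it additionally stops a leaked link (forwarded email, shared browser history) from exposing the data, at the cost of the certificate not being downloadable from another device. Microsoft’s statement that “all users are anonymous” points at a third option: serve a certificate that carries no personal data at all.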

In a statement, Microsoft told El Reg that the problem was “fully resolved”.

“We have now resolved this issue so all users are anonymous and their information is private,” it said.

In fairness to Microsoft we’re only talking about email addresses and names here, and not highly sensitive information like credit card numbers. Nonetheless, people are entitled to hold Microsoft to high standards in web design; something it (or a third-party agency acting in its name) failed to live up to on this occasion. ®

Bootnote

A hat tip to Reg reader Marc for his “quick tip on some ‘bad form’ web-design,” as he put it.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/24/ms_greener_it_test_spam_snafu/

Feds slam hacker-friendly backdoors in jalopy, grub factories

Security researchers have uncovered hard-coded user accounts that could act as backdoors into food, car, and agricultural production systems across the world.

The flaw, which allows attackers to launch remote exploits, was found in a pair of industrial control devices.

The security hole was found in the BL20 and BL67 Programmable Gateways made by German firm Turck. The kit is used across many industries – including agriculture and food, automotive and manufacturing – to control industrial plant equipment in the United States, Europe and Asia.

Left unresolved, the flaw might be used by hackers to shut down production lines or otherwise create havoc on systems managed with the vulnerable controllers.

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) published an advisory notice providing links to updated firmware from Turck that mitigates possible attacks.

The firmware update removes the hard-coded accounts accessible by the FTP service, thus preventing attackers from remotely accessing the device by using hard-coded credentials.

No known public exploits specifically target the vulnerability. However attackers with only minimal skill could potentially carry out an attack, ICS-CERT warns.

The flaws were uncovered by IOActive Labs, whose advisory (PDF) explains that the security snafu created a ready means to plant malware on insecure kit.

“This vulnerability allows an attacker to remotely access the device, via its embedded FTP server, by using the undocumented hard-coded credentials. Thus, the attacker can install a trojanized firmware to control communications and processes.

“This malicious code may create false communication between remote I/Os, PLCs, or DCS systems in order to compromise additional devices, disrupt legitimate services, or alter industrial processes.”

Ruben Santamarta, the IOActive security consultant who unearthed the bugs, explained that the unaddressed flaw left the devices wide open to hackers who happened to know the hard-coded login credentials for the kit.

“These hard-coded user accounts pose a significant threat to organisations that have deployed the vulnerable Turck devices,” he said. “Any attacker with knowledge of the credentials can effectively remotely control the devices and wreak havoc on the network – easily disrupting or shutting down critical production lines.”

“Affected organisations should immediately apply the updated firmware from Turck to remove these backdoors,” he added.
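The check an operator wants after rolling out Turck’s firmware, as an added example that is neither IOActive’s nor Turck’s tooling: attempt each account named in the advisory against the gateway’s FTP service and report whether any of them still gets in. The credential list must come from the vendor or ICS-CERT advisory; none is reproduced here, and the pair in the self-test is a constructed placeholder. The `login` connector is injectable so the logic can be exercised against a fake gateway without touching a real device; the 192.0.2.10 address is from the documentation range and is not a real controller.

```python
import ftplib
from dataclasses import dataclass


@dataclass
class AccountResult:
    username: str
    outcome: str          # "accepted", "rejected" or "unreachable"


def ftp_login(host, username, password, port=21, timeout=5.0):
    """Real connector: one login attempt against the device's embedded FTP server."""
    try:
        with ftplib.FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login(username, password)
            return "accepted"
    except ftplib.error_perm:         # 530 Login incorrect and friends
        return "rejected"
    except ftplib.all_errors:         # connection refused, timeout, protocol error
        return "unreachable"


def check_accounts(host, credentials, login=ftp_login):
    """credentials: iterable of (username, password) pairs taken from the vendor or
    ICS-CERT advisory. `login` is injectable so the logic can be tested without a device."""
    return [AccountResult(user, login(host, user, password)) for user, password in credentials]


def still_backdoored(results):
    """True if any listed account still authenticates: the firmware update did not take."""
    return any(r.outcome == "accepted" for r in results)


def fake_gateway(accepts):
    """Test double standing in for a BL20/BL67: `accepts` is the set of (user, password)
    pairs its FTP server still honours. Constructed for the self-test only."""
    def login(host, username, password):
        return "accepted" if (username, password) in accepts else "rejected"
    return login


if __name__ == "__main__":
    # Operator fills this from the advisory; the pair below is a placeholder, not Turck's.
    advisory_accounts = [("placeholder-user", "placeholder-password")]
    results = check_accounts("192.0.2.10", advisory_accounts)      # 192.0.2.0/24 is a documentation range
    for r in results:
        print(f"{r.username}: {r.outcome}")
    print("still backdoored:", still_backdoored(results))
```

Run it only in a maintenance window and with the site’s agreement: every attempt is a real login against a production gateway, and embedded FTP stacks can lock up or log loudly. A list of rejections is evidence that those specific accounts are gone, not that the firmware is otherwise sound, and it says nothing about whether the FTP service should be reachable from that network segment in the first place.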

Santamarta added that the presence of the backdoors in industrial control kit is sadly typical of insecure product development across the sector.

“It is both surprising and disappointing that hard-coded user accounts like these continue to crop up in Industrial Control Systems. Vendors and purchasers of such critical technologies should take great care to ensure that similar vulnerabilities do not affect future product lines. The industry as a whole still has a long way to go in implementing secure development lifecycle principles,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/24/turck_industrial_control_backdoor/

Google to double encryption key lengths for SSL certs by year’s end

Google is about to start the first upgrade to its SSL certification system in recent memory, and will move to 2048-bit RSA keys by the end of 2013. The first tranche of changes is planned for August 1.

The new requirements are laid out in a blog post and a FAQ on the topic. The upgrade, based on the guidelines from National Institute of Standards and Technology (NIST), will also see Google’s root certificate for signing all of its SSL certificates getting an upgrade from a 1024-bit key.

“There aren’t immediate concerns about these certificates being cracked,” a Google spokesman told El Reg, “but updating them now provides much better defense against any future risks.”

The upgrade is needed because NIST considers it technically possible that 1024-bit RSA keys could be broken in the fairly near future. The first reported factorization of a 768-bit RSA modulus came in December 2009, when an international team of computer scientists and cryptographers spent two-and-a-half years dedicating themselves to the task.

“A 1024-bit RSA modulus is still about one thousand times harder to factor than a 768-bit one,” the researchers reported. “If we are optimistic, it may be possible to factor a 1024-bit RSA modulus within the next decade.

“We can confidently say that if we restrict ourselves to an open community, academic effort as ours and unless something dramatic happens in factoring, we will not be able to factor a 1024-bit RSA modulus within the next five years. After that, all bets are off.”
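A worked check on the “about one thousand times harder” figure, added here and not taken from the researchers or from Google: the general number field sieve, the algorithm behind the 2009 result, has heuristic running time L_n[1/3, c] = exp(c · (ln n)^(1/3) · (ln ln n)^(2/3)) with c = (64/9)^(1/3). Evaluating that at the two modulus sizes and dividing gives the ratio; the same arithmetic shows roughly how much headroom 2048 bits buys. The function names and the fixed-speed scaling are this example’s own assumptions.

```python
import math

C_GNFS = (64 / 9) ** (1 / 3)      # ~1.923, the constant in the GNFS heuristic exponent


def gnfs_log_effort(bits):
    """ln of L_n[1/3, c] = exp(c * (ln n)^(1/3) * (ln ln n)^(2/3)) for an n of `bits` bits.
    The o(1) term in the real exponent is dropped, so absolute values mean nothing;
    only differences (ratios of effort) are worth reading."""
    ln_n = bits * math.log(2)
    return C_GNFS * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3)


def effort_ratio(bits_hard, bits_easy):
    """How many times more work the larger modulus takes under the heuristic."""
    return math.exp(gnfs_log_effort(bits_hard) - gnfs_log_effort(bits_easy))


def years_at_fixed_speed(bits, baseline_bits=768, baseline_years=2.5):
    """Scale the 2009 result (the article: two-and-a-half years for 768 bits) to a
    larger modulus, ignoring faster hardware and better algorithms.
    Illustrative only; it is not how NIST derived its dates."""
    return baseline_years * effort_ratio(bits, baseline_bits)


if __name__ == "__main__":
    print(f"1024 vs 768 bits: ~{effort_ratio(1024, 768):.0f}x")        # about a thousand, as the researchers said
    print(f"2048 vs 1024 bits: ~{effort_ratio(2048, 1024):.1e}x")
    print(f"1024 bits at 2009 speed: ~{years_at_fixed_speed(1024):.0f} years")
```

The 1024-versus-768 ratio comes out near 1,200, consistent with the researchers’ rough statement, and 2048 versus 1024 is around a billion. The heuristic ignores the o(1) term, memory and sieving constants, and every hardware improvement since, which is why NIST’s transition date is a judgement call rather than something you read off this formula.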

NIST estimates it would take six or seven years for any attempt to have a realistic chance of success at breaking 1,024-bit keys, based on the speed of processor development and improvements in factoring computation.

That said, it’s still an estimate, and NIST had wanted to get the changeover done faster, with 2010 picked as the original transition date. But because the 1,024-bit standard was so ubiquitous, the schedule was pushed back until the end of this year.

It’s the first time anyone can remember the SSL encryption keys getting changed at Google, and it’s a measure of the power and sophistication of computer processors that the update is needed. Barring some breakthrough in quantum computing or coding practice, it should be some years before another upgrade is required. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/23/google_upgrade_ssl_certificates_schedule/

Brit spooks bugged Edward VIII’s phones, records reveal


Intelligence files kept hidden for nearly 80 years have shown that the British government was bugging King Edward VIII’s phones in the days leading up to his abdication.

Neil Forbes Grant’s telegram confirming the King’s abdication.

Government officials were clearly panicking about what Edward would do and how the news would be received, so they monitored calls from Buckingham Palace and the King’s Windsor residence Fort Belvedere, as well as stopping telegrams leaking the news of his abdication and intimidating journalists to keep a lid on the news.

The London editor of the Cape Times, Neil Forbes Grant, was dragged in to face Home Secretary Sir John Simon after sending a telegram to South Africa on 6 December, 1936 saying that the King was going to give up the throne. The missive was one of two the General Post Office had intercepted with the leaked news.

Sir John lambasted Grant, reminding him that a false rumour that the country had lost the Battle of Waterloo in 1815 caused a financial crisis and ruined many people, and tried to pressure him to reveal his “highly placed source”.

“I asked him if he did not realise that his responsibilities as a journalist and an Englishman made the sending of such a message without definite authority as to its truth very improper and reckless,” Simon wrote.

Grant refused to give up his source and Simon relented, asking him to keep the interview “absolutely secret and between ourselves”. He also told Grant that there was “no truth” to the abdication rumour.

Edward abdicated at Fort Belvedere four days after Grant sent the telegram.

The papers come from a pile of documents deemed too sensitive and “difficult” to be stored in the classified section of the National Archives. Instead they were kept in a locked vault under the Cabinet Office.

Released through the National Archives, the collection shows the government’s frantic attempts to control the situation as Edward prepared to give up his throne to marry Mrs Wallis Simpson, an American divorcee and socialite. Edward, as head of the Church of England, could not marry Wallis while her former husband still lived – but he refused to give her up. In response, Sir John asked the GPO to monitor the King’s phone calls from 5 December, 1936.

The papers also show that the King himself asked the police to guard Simpson’s residence overlooking Regent’s Park a few months before his abdication. Edward asked Chief Inspector Storries to help make Simpson’s house “burglar proof” and to take steps to stop her from being “annoyed by pressmen, press photographers and other curious persons”. He also asked Storries to keep the instructions to himself.

A sketch of Chf Insp Storries’ security arrangements around Wallis Simpson’s house

Among the documents was a handwritten diagram of the stepped-up patrol around Simpson’s house, which police later had to deny the existence of when questioned by American newspapermen.

Other papers released by the Cabinet Office outline a drunken night during Winston Churchill’s August 1942 mission to Moscow and his first face-to-face meeting with Soviet dictator Josef Stalin. Sir Alexander Cadogan, permanent under-secretary at the Foreign Office, was along for the trip and later wrote to Viscount Halifax that things weren’t going that well until Churchill got Stalin alone.

“Nothing can be imagined more awful than a Kremlin banquet, but it has to be endured. Unfortunately, Winston didn’t suffer it gladly. However, next morning, he was determined to fire his last bolt, and asked for a private talk, alone, with Stalin,” he wrote.

At around 1am, Cadogan was called to Stalin’s private rooms and found the war leaders a little worse for wear.

“There I found Winston and Stalin, and Molotov who has joined them, sitting with a heavily-laden board between them: food of all kinds crowned by a sucking [sic] pig, and innumerable bottles,” he said.

“What Stalin made me drink seemed pretty savage: Winston, who by that time was complaining of a slight headache, seemed wisely to be confining himself to a comparatively innocuous effervescent Caucasian red wine. Everyone seemed to be as merry as a marriage bell.

“I think the two great men really made contact and got on terms. Certainly, Winston was impressed and I think that feeling was reciprocated … Anyhow, conditions have been established in which messages exchanged between the two will mean twice as much, or more, than they did before.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/23/british_government_spied_on_own_king_cabinet_office_papers/

New York cop in alleged love-polyhedron email hack spree

A New York detective allegedly hired hackers to spy on 19 fellow cops and at least 11 others – apparently in a bid to discover if any of them were sleeping with his ex.

Edwin Vargas, a 42-year-old Bronx investigator, is accused of spending $4,050 on an email-hacking service to obtain the usernames and passwords for 43 message inboxes in, it is believed, an obsessive quest to keep tabs on his former girlfriend.

He was arrested on Tuesday and appeared before a magistrate judge charged with conspiracy to commit computer hacking.

The detective, of Bronxville, New York, it is claimed, had suspected his ex-lover, with whom he had split after they had a child together, had started a new relationship with a fellow officer. The veteran cop of 20 years handed over between $50 and $250 to unnamed hackers for the login details of each inbox, it is claimed.

Vargas accessed at least one of his fellow cops’ accounts, the Feds said. He is also charged with unlawfully accessing the National Crime Information Center (NCIC) database by allegedly running unauthorised checks on two serving officers.

The prosecution also accused Vargas of paying hackers to snoop on the records of a mobile phone account belonging to one of his targets, as an FBI statement on the case explained:

After receiving the log-in credentials he had purchased from the e-mail hacking services, Vargas accessed at least one personal e-mail account belonging to a current NYPD officer. He also accessed an online cellular telephone account belonging to another victim. Vargas paid a total of more than $4,000 to entities associated with the e-mail hacking services.

An examination of the contents of the hard drive from Vargas’ NYPD computer revealed, among other things, that the Contacts section of his Gmail account included a list of at least 20 e-mail addresses, along with what appear to be telephone numbers, home addresses, and vehicle information corresponding to those e-mail addresses, as well as what appear to be the passwords for those e-mail addresses.

Vargas was released on bail after posting a $50,000 bond. Each of the two charges against him, allegedly committed between March 2011 and October 2012, carries a maximum sentence of one year in prison if he is convicted. “The charges contained in the complaint are merely accusations, and the defendant is presumed innocent unless and until proven guilty,” the Feds added in their joint statement with Manhattan’s US attorney.

At this stage, the officials omitted any mention of a motive for Vargas’ alleged wrongdoing, but the New York Daily News, like the New York Times, claimed the suspect was motivated by a desire to spy on the mother of his three-year-old son. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/23/nypd_black_hat/

Tipsters exposed after South Africa’s national police force hacked

The identities of more than 15,000 South Africans who reported crimes or provided tip-offs to the police have been exposed following an attack on a SAPS (South African Police Service) website.

The names and personal details of whistleblowers and crime victims were lifted from www.saps.gov.za and uploaded to a bullet-proof hosting site.

Names, phone numbers, email addresses and ID numbers of people who thought they had been providing information in confidence and anonymously have been spaffed on the net.

The data dump includes information on 15,700 individuals who used the website from 2005, according to eNews Channel Africa, the local news service that broke the story of the leak. Usernames and passwords of around 40 SAPS personnel were also leaked.

The South African cops initially denied anything was amiss before confirming the breach after eNCA reporters had spoken to a number of individuals named in the data dump.

“Complaints range from rape cases opened in Durban to police brutality in Port Elizabeth,” the news service reports.

“Also on the list are ordinary South Africans asking for help in cases involving vehicle theft and illegal shebeens*. People have also complimented police on their work, including speedy responses to emergencies and help in cases.”

Safety concerns

One tipster – who had made a complaint about police brutality – expressed concerns about her safety in the wake of the breach. Daily newspaper The Star also spoke to someone who had complained to the police about a lack of apparent progress in the investigation of the rape of a 14-year-old girl. The complainant, who remained anonymous in The Star report, is clearly concerned about the safety of the victim.

A previously obscure hacker crew called @DomainerAnon, which claims an affiliation with the loosely knit hacktivist collective Anonymous, claimed responsibility for the attack, which it said was pulled off using SQL injection.

The group tweeted: “A message to SAP: You are responsible for the data you hold…. we have merely shown that you do not live up to your own Code of Conduct!”

Payback… but who’s paying?

The attack was apparently motivated by a protest against the death of 34 people when police opened fire on striking miners at the Marikana platinum mine last August.

The potential for collateral damage from @DomainerAnon’s actions is obvious, but the self-declared lone wolf group, in exchanges on Twitter, dismissed suggestions that it was potentially putting the lives of innocents and whistleblowers on the line to further its political agenda.

In an interview with MyBroadband, a member of DomainerAnon attempting to justify the decision to release the stolen data said: “I laughed when I was accused of ‘blowing’ covers of so-called whistle-blowers. I read one email which complained to the police of their lack of service. Another mail reported their missing cat!”

It’s not the first time hacktivists have published personal details of private citizens taken from hacked websites to “embarrass the authorities”.

In June 2011, LulzSec released a number of documents pertaining to the Arizona Department of Public Safety.

Leaked data, including email addresses and passwords of immigrants as well as potentially sensitive police documents, was dumped online in a protest against Arizona laws requiring those immigrants to carry documents at all times. Police officials at the time expressed concerns that leaked information on how Arizona cops combat gangs – as well as lists of some of the officers’ identities – put the lives of police at risk. ®

* Makeshift drinking taverns where often illegally brewed alcohol is consumed.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/05/23/saps_anon_hack/