Baffling barcode-on-steroids stickers plaster the EARTH


Sysadmin blog: QR codes are everywhere. They have completely overrun Japan and are becoming well-established in the rest of the world as well. There are plenty of convenient uses for this technology, as well as several less carefully considered uses.

QR codes were created in 1994 by Toyota subsidiary Denso Wave. There was a need for a machine-readable visual information format with a greater information density than traditional bar codes. Denso originally saw use for typical industrial tasks such as inventory management and tracking car parts through the manufacturing process.

Successful use of QR codes relies on an understanding of the underlying technology. The largest defined QR code standard can hold 7,089 characters of numeric data, 4,296 of alphanumeric data or 2,953 of binary data. They can use error correction that allows for up to 30 per cent of the original QR code to be damaged while still being readable.

Those are of course theoretical limits, and real-world applicability varies. High-end industrial code readers won’t have a problem with the high-density version-40 codes. Smartphones are another matter. The 8 megapixel camera on a Samsung Galaxy S II can read a 50mm x 50mm v-40 QR code. The 5 megapixel camera on an HTC Desire struggles, but can accomplish the task at a closer range. The 2MP camera on a Blackberry Bold 9000 doesn’t make the cut.

The medium matters as well; QR codes work best as black ink on white paper. They are far less readable as images presented on even the best computer or smartphone screen. The combination of camera ability and media variability places a real world upper limit on the information density you can expect to be able to present with a QR code of a given physical size.

Standards have emerged as a result. Consider the embedding of contact information. The ISO standard is vcard; however, the QR code world has chosen instead to embrace mecard.

Only losers still have their vcards…

The QR code world is sticking with the mecard

Most QR code applications will offer to add vcard or mecard information into a smartphone’s contact list; however, contact details embedded as a mecard require fewer bits of data than the same information embedded in vcard format. This results in less complex QR codes, which in turn increases readability for the same display size and resolution. Thus mecard has become the de facto standard.
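To make the size difference concrete, here is an added example (not code from the article) that encodes one constructed contact as both a vCard 3.0 and a MECARD, counts the bytes a QR symbol would have to carry in byte mode, and parses the MECARD back while honouring its backslash-escape rules, so a stray ';' or ':' in a scanned payload cannot silently truncate or split a field. The sample contact, the field set and the helper names are assumptions for illustration.

```python
import re

# Each format reserves a few characters inside values; they are escaped with a
# backslash so a stray ';' or ':' in a field cannot split or truncate the record.
MECARD_RESERVED = "\\:;,"
VCARD_RESERVED = "\\;,"

def _escape(value, reserved):
    return "".join("\\" + ch if ch in reserved else ch for ch in value)

def _unescape(text):
    return re.sub(r"\\(.)", r"\1", text)

def _split_unescaped(text, sep):
    """Split on sep, ignoring separators that are backslash-escaped."""
    parts, cur, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):   # keep the escape pair intact
            cur.append(text[i:i + 2]); i += 2
        elif text[i] == sep:
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(text[i]); i += 1
    parts.append("".join(cur))
    return parts

def to_mecard(c):
    """MECARD is a single line: 'MECARD:N:Last,First;TEL:..;EMAIL:..;URL:..;ORG:..;;'."""
    e = lambda k: _escape(c.get(k, ""), MECARD_RESERVED)
    fields = ["N:" + e("last") + "," + e("first")]
    fields += [tag + ":" + e(k) for k, tag in
               (("tel", "TEL"), ("email", "EMAIL"), ("url", "URL"), ("org", "ORG")) if c.get(k)]
    return "MECARD:" + ";".join(fields) + ";;"

def to_vcard(c):
    """vCard 3.0 spends bytes on BEGIN/VERSION/END framing, typed properties and CRLFs."""
    e = lambda k: _escape(c.get(k, ""), VCARD_RESERVED)
    lines = ["BEGIN:VCARD", "VERSION:3.0",
             "N:" + e("last") + ";" + e("first") + ";;;",
             "FN:" + e("first") + " " + e("last")]
    for k, prefix in (("org", "ORG:"), ("tel", "TEL;TYPE=CELL:"),
                      ("email", "EMAIL;TYPE=INTERNET:"), ("url", "URL:")):
        if c.get(k):
            lines.append(prefix + (c[k] if k == "url" else e(k)))  # URL is a URI, not text
    lines.append("END:VCARD")
    return "\r\n".join(lines) + "\r\n"

def payload_bytes(text):
    """Bytes the QR encoder must carry in byte mode (UTF-8)."""
    return len(text.encode("utf-8"))

def parse_mecard(payload):
    """Decode a scanned MECARD; anything not framed as one is rejected, not guessed at."""
    if not payload.startswith("MECARD:") or not payload.endswith(";;"):
        raise ValueError("not a MECARD payload")
    result = {}
    for field in _split_unescaped(payload[len("MECARD:"):-2], ";"):
        tag, sep, value = field.partition(":")   # tags are plain letters, never escaped
        if not sep or not tag.isalpha():
            raise ValueError("malformed field: %r" % field)
        if tag == "N":
            last, first = (_split_unescaped(value, ",") + [""])[:2]
            result["last"], result["first"] = _unescape(last), _unescape(first)
        else:
            result[tag.lower()] = _unescape(value)
    return result

# Constructed sample contact; the ';' in ORG and ':' in URL exercise the escaping.
SAMPLE = {"first": "Ada", "last": "Lovelace", "org": "Example; Ltd",
          "tel": "+44 20 7946 0000", "email": "ada@example.com", "url": "https://example.com"}

if __name__ == "__main__":
    m, v = to_mecard(SAMPLE), to_vcard(SAMPLE)
    print("MECARD %d bytes vs vCard %d bytes" % (payload_bytes(m), payload_bytes(v)))
```

For the sample contact the MECARD payload is 109 bytes against roughly 190 for the vCard, which is the difference between a lower-density symbol and a denser one at the same print size.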

QR codes are fairly simple to generate. If you are looking for a one-off for advertising purposes, there are introductory guides, simple tools and even websites to sell you your QR code printed on virtually every object imaginable.

For those looking for a little bit more of an automated generation process, QR codes can be easily generated from the command line, or programmatically.

Every information transmission medium has its dark side, and QR codes are no different. “Garbage in, garbage out” applies here: a QR code can easily contain a link to a scam or a blob of malicious binary information.

If you plan on an enterprise deployment of this technology, make sure you use readers that can’t be compromised by malicious code. In the consumer space, pay close attention to the apps (iOS, Android) you choose. Ensure the permissions are tightly locked down.

The machine-readable display space continues to evolve. While we are just now adapting to the use of QR codes in daily life, the Japanese are already struggling against QR code’s limitations. The requirement exists to pack more information into something a standard smartphone camera can read.

Denso Wave has already put out a successor, while another Japanese outfit has latched on to the idea of using colour to increase information density. Microsoft’s HCCB also uses colours, Nokia has Mobile Codes, and Google is pushing NFC as an alternative.

All of these next generation technologies face an uphill battle. The replacement technology must achieve greater information density. It must also cope with the ubiquity of extant QR codes. The existing design offers instant recognition. It is open (as in source) and free (as in both speech and beer). Denso Wave has formally declined to pursue any patent claims it has on QR codes and this has seen them flourish.

Eighteen years have seen this small industrial tracking format grow into an advertising sensation. It is used by governments as an encrypted stamp on passports to speed travelers through airports, on train tickets, and as unique identifiers on everything from club cards to bus stops. What innovations will the next 18 years bring? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/23/qr_codes_are_taking_over/

Fujitsu has phone fraudsters in its sights

Boffins at Fujitsu and Japan’s Nagoya university are claiming to have successfully developed technology designed to prevent phone scammers by recognising certain keywords and detecting changes in voice pitch and level.

The technology was developed as part of the “Modelling and Detecting Overtrust from Behaviour Signals” research area led by Kazuya Takeda.

It focuses on the notion of “overtrust”, the situation that occurs when a human is overwhelmed with distressing information and loses the capacity to objectively evaluate whether they are being lied to or not.

The technology analyses the pitch and volume of the potential victim’s voice to detect when a situation of overtrust is occurring. Typically a person’s voice flattens out in the high frequency range when they are put under psychological stress, and from this Fujitsu said it can infer a situation of overtrust with over 90 per cent accuracy.

Bolstering the detection capabilities is keyword detection functionality which uses a list provided by the National Police Academy and counts the number of times any of those keywords are spoken, ignoring any other words.

The tech will then make a decision on whether the potential victim is being scammed by assessing the number of keywords in the conversation and whether their voice indicates a situation of overtrust, said Fujitsu.

This may seem like a lot of bother to go to for a crime which rarely hits the front pages in the UK; however, phone scams are a big problem in Japan and are deemed particularly reprehensible in a country where crime is rare, as the fraud is usually targeted at the elderly and infirm.

Typically the scammer will pretend to be either a member of the victim’s family, friend or someone in a position of authority. They will usually impart some distressing information about a crime committed by an acquaintance of the victim and urge them to send money to sort the problem out.

Fujitsu now plans to work with the National Police Academy and The Bank of Nagoya to test the technology embedded in mobile phones. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/23/japan_phone_scam/

8,400 email addresses spaffed by Student Loans Company

The Student Loans Company (SLC) has apologised after inadvertently leaking the email addresses of about 8,400 students this week.

Anyone who had got half-way through filling in an application form on the SLC site was sent a motherlode of personal data on Monday: emailed reminders to complete the electronic paperwork included an attachment listing the details of the 8,400 other recipients.

A spokesperson told The Reg that the money lender quickly realised its mistake and sent out a subsequent email asking all recipients to delete the previous email and attachment.

The SLC (an arm’s length quango attached to the Department of Business and Skills) said:

We are sorry that a number of student email addresses have been included in an email which has been sent to other customers. The information was sent in error and only included email addresses, no other personal student data was shared. We have contacted all customers affected to let them know about this issue.

Chris Andrew, company secretary of the Student Loans Company, has said bosses have launched an internal investigation into the cause of the breach. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/22/student_loan_email_leak/

Hacktivists nicked more data than CYBER-CROOKS in 2011


Hacktivism had a massive effect on the overall data breach scene last year.

More than half (58 per cent) of data stolen last year can be attributed to hacktivism – hacking to advance political and social objectives – according to the latest edition of the Data Breach Investigations report from Verizon. The figures contrast sharply with findings from previous years, when the majority of attacks were carried out by cybercriminals, whose primary motivation was financial gain.

Seventy-nine per cent of attacks covered by Verizon’s report were opportunistic. Only 4 per cent of the overall total were rated as particularly challenging for hackers to carry out. In addition, an estimated 97 per cent of breaches might have been avoidable without recourse to difficult or expensive countermeasures.


Wade Baker, director of risk intelligence at Verizon, told El Reg that 44 per cent of the attacks exploited default or easily guessable credentials. However he qualified this remark by saying that default passwords were a far greater problem in hacks involving smaller organisations.

Breaches originated from 36 countries around the globe, an increase from 22 countries during 2010. Nearly 70 per cent of breaches originated in Eastern Europe and less than 25 per cent originated in North America.

The report covers 855 data breaches that collectively spilled 174 million records, the second highest number since Verizon began collating this type of data back in 2004. External attacks were blamed for the vast majority (98 per cent) of data breaches. This external attacker group includes organised crime, activist groups, former employees, lone hackers and organisations sponsored by foreign governments.

Hacktivism by groups like Anonymous and LulzSec figured in many data breaches last year. Wade reckons recent arrests might reverse this trend, but he’s far from sure on this point.

“Anonymous is a movement. It’s hard to stop a movement by taking out individuals,” he said.


Attacks were overwhelmingly led by outsiders of one type or another. Only 4 per cent of attacks relied on the involvement of internal employees. Business partners were a factor in less than 1 per cent of data breaches.

Hacking appeared in 81 per cent of breaches (compared with 50 per cent in 2010) and malware featured in 69 per cent of breaches last year (also up from the 49 per cent recorded in 2010).

The increase is easily explained: hacking and malware offer outsiders an easy way to exploit security flaws and gain access to confidential data. The ready availability of easy-to-use hacking tools also contributes to this effect.

Social engineering (tricking end users into doing something stupid or handing over information to attackers) and SQL injection attacks against vulnerable webservers also figured as a factor in many attacks.

Another important factor in attacks is the slow speed at which organisations patch up vulnerable systems and the length of time between a successful compromise and its discovery, which is most often measured in months or even years. Third parties continue to detect the majority of breaches (92 per cent).

Industrial espionage revealed criminal interest in stealing trade secrets and gaining access to intellectual property. “This trend, while less frequent, has serious implications for the security of corporate data, especially if it gains steam,” Verizon warns.

Wade said that attacks involving intellectual property theft were an “undercurrent in [the] data set”. Industrial espionage was the prime motive in around 5 per cent of attacks, he said. In such cases insider involvement was more common.

While compliance programmes, such as the Payment Card Industry Data Security Standard, provide sound steps to increasing security, being PCI compliant does not make an organisation immune from attacks.

The US Secret Service and the Met Police’s Central e-Crime Unit collaborated with Verizon in preparing the report, which this year also involved input from other police agencies in the Netherlands and Australia. Verizon’s annual study, now in its fifth year, is considered among the best of its type in the infosec business.

Verizon’s report, which includes separate recommendations for enterprises and small businesses on guarding against cyber attacks, can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/22/verizon_security_breach_trends/

Scammers exploit new Dr Who girl with Twitter smut video

Filthy-minded scammers wasted little time latching onto the news that Jenna-Louise Coleman will join Doctor Who in the TARDIS later this year.

The BBC announcement on Wednesday unsurprisingly made the name of the 25-year-old actress a trending topic on Twitter. Porno spammers latched onto this trend by mentioning “Jenna-Louise Coleman” in messages containing links to supposed sex videos. In reality, users are being tricked, through the combination of a smutty lure and a clickjacking exploit, into unwittingly following a Twitter account, as explained in a post by Graham Cluley on Sophos’s Naked Security blog here.

“The webpage you are taken to doesn’t have any content (pornographic or otherwise) related to the Time Lord’s latest sidekick. Instead, you’ll find what appears to be a portal for an Asian hardcore porn video website,” Cluley explains.

“Clicking on the video thumbnails is definitely ill-advised. When I examined the page, I found that each of the videos was masking a secret Twitter follow button.”

While this lure promotes an Asian grumble flick portal, the same trick might have been used to direct surfers towards a malware portal or a survey (AKA hand over all your details in exchange for the supposed chance to win an iPad) scam. Browser plugins such as NoScript help defend against clickjacking. Surfers, even those that use NoScript as a defence, should also be cautious about which links they click on. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/22/dr_who_clickjacking_scam/

Cybercops traced Toulouse massacre suspect through IP address

The IP address of a computer used to view a motorbike sales ad posted by an early victim of the Toulouse gunman played a vital role in narrowing down Mohamed Merah as the main suspect in a series of attacks that have horrified France, it has emerged.

French soldier Imad Ibn-Ziaten posted a video of the motorbike he wanted to sell online. The paratrooper was killed on 11 March after he invited someone who posed as a prospective buyer to his house.

Le Monde reports (Google translation here) that the ad was viewed by about 500 people. Cyber police narrowed down this list of likely suspects to those who lived in and around Toulouse in south-west France. This search was intensified after Ibn-Ziaten’s assassination was linked to the slaughter of three children and a rabbi at a Jewish school in Toulouse on Monday, 19 March.

In addition, Le Monde added, a motorcycle dealer had reported a suspicious conversation with someone who wanted to know whether it was possible to remove an anti-theft tracking device from a Yamaha scooter days before the vehicle was stolen on 6 March – just days before the first attacks, against French soldiers. The twin strands of evidence allowed police to compile a short list. Merah was already under surveillance by French authorities, and the use of an IP address tied to his brother’s house in viewing the Ibn-Ziaten motorcycle video made him a prime suspect in the case.

A French anti-terrorist unit surrounded a block of flats where the reportedly heavily-armed Mohamed Merah lived in the early hours of Wednesday, leading to a siege that ended after police stormed his flat on Thursday morning. Merah jumped out of a window, reportedly while still firing back at police. He was subsequently found dead on the ground, though it is as yet unclear whether the fall or police snipers killed him.

During the siege, Merah reportedly proclaimed allegiance to al Qaida and admitted responsibility for shooting dead three French soldiers in two ambushes last week as well as for the attack on the Jewish school. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/22/toulouse_manhunt/

CA reveals ARCserve DDOS threat

CA Technologies has found a nasty flaw in flagship backup software ARCServe.

The flaw goes all the way back to version 10 of the product, which has just reached v.16.

CA says the problem “can allow a remote attacker to cause a denial of service condition” and “… occurs due to insufficient validation of certain network requests. An attacker can potentially use the vulnerability to disable network services.”

Many versions of ARCserve can fix the bug with a patch, but CA’s advisory says the solution for ARCserve Backup for Windows r12.0 is to “Update to CA ARCserve Backup for Windows r16 SP1.”

We’re sure ARCserve users will appreciate the forced upgrade and happily set aside other work to make it happen. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/22/arcserve_ddos_flaw/

Queensland Police go war driving

The Hi Tech Crime Investigation Unit* of Queensland’s ever-vigilant Police force will shortly spend some of its valuable time driving around Brisbane, the fair tropical state’s capital, looking for open WiFi connections, the better to inform citizens about the terrible dangers that may flow from signal slurping.

Detective Superintendent Brian Hay said, in a statement, that the force has already spotted lots of open connections and that users who leave WiFi open “may as well put their bank account details, passwords and personal details on a billboard on the side of the highway.”

“Unprotected or unsecured wireless networks are easy to infiltrate and hack. Criminals can then either take over the connection and commit fraud online or steal the personal details of the owner. This is definitely the next step in identity fraud,” he added.

If the Unit finds an open connection it will then ruthlessly insert pamphlets into letterboxes near the affected areas. Those pamphlets point readers to an online source of sensible advice on WEP versus WPA/WPA2, changing administrator passwords and MAC address filtering. ®

*Queensland Police spell it “Hi” not “High”.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/21/queensland_war_driving/

Privacy worth piffling pennies to polled punters

Consumers are prepared to pay more for goods in exchange for more privacy but the difference comes down to pennies rather than pounds.

A lab study sponsored by ENISA, the European Union security agency, confronted participants with a choice of whether to buy identical goods from two online vendors, one of which offered a lower price but wanted personal details such as government-issued ID number and mobile phone number that the other more expensive vendor didn’t request.

Where the prices on offer were the same, the lab rats stayed away from the privacy-violating online retailer. However the aversion wasn’t strong and a price discount of just €0.50 (£0.42) was enough to tempt consumers into choosing the privacy-invading provider.

The experiment involved 443 people and a choice between two online cinema vendors. The cheaper chain asked users for their mobile number and permission to send them marketing messages via email. Both requested the name, email address and date of birth of prospective buyers. The study was run by researchers at the German Institute for Economic Research (DIW Berlin) and the University of Cambridge.

When prices were the same, the privacy-friendly chain established a market share of 83 per cent. Even when the privacy-busting chain offered bargain prices, a sizeable minority (29 per cent) willingly paid extra to avoid handing over their mobile phone number. This share drops to 9 per cent for those prepared to pay extra to avoid marketing emails.

The survey is one of the few of its type to date. Sören Preibusch, a member of the University of Cambridge team, said the experiment showed that privacy-friendly services were capable of attracting a healthy niche market.

“A sizeable proportion of consumers are willing to pay a higher price for privacy,” he writes. “Online businesses can capitalise these concerns. Privacy-friendliness is a win-win for online retailers and their customers.”

The lab tests were supplemented by field surveys of 2,300 participants that broadly confirmed the earlier findings.

More details on the study, entitled Monetizing Privacy: An Economic Model for Pricing Personal Information can be found here.

Consumer privacy has hit the headlines over recent weeks with concerns over the lack of transparency over privacy practices employed by many mobile application developers, but the issue is wider than that and also affects web-based services. A post on the Cambridge University’s Light Blue Touchpaper blog discussing the experiment in greater depth and discussing the concept of privacy as a currency for web-based services can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/21/privacy_economics/

Report: Feeble spam filters catch less junk mail

Enterprise spam filters are blocking less junk mail, according to independent tests from Virus Bulletin.

During a comparative of 20 corporate email filtering products, several missed more than twice as much spam as in previous editions of the VBSpam tests. Virus Bulletin reckons the drop in performance might be down to improved tactics by spammers rather than a dip in the capabilities of the filtering products it put through their paces.

“This is a worrying trend,” says VB’s anti-spam test director Martijn Grooten. “There have been many news stories highlighting a global decline in spam in recent months, but if spam filter performances decline too, the situation for the end-user doesn’t improve at all.”

“It is hard to say what exactly caused filters to miss more spam, but it looks like spammers are doing a better job at avoiding IP- and domain-based blacklists. It may be a sign that they are increasingly using compromised legitimate systems to send their messages,” he added.

The best performance in the March 2012 anti-spam comparative review came from Libra Esva, which blocked 99.97 per cent of all spam messages without blocking any legitimate mail, making it the only product to obtain the new ‘VBSpam+’ award.

Other products with a good spam capture rate of better than 99 per cent included Kaspersky Anti-Spam, GFI, McAfee, Symantec, Sophos and others. BitDefender caught 98.94 per cent of spam but avoided any false positives. McAfee SaaS caught 99.93 per cent of junk mail but binned a significant proportion of legitimate messages, 0.21 per cent (the worst performance among the tested products).

Most products still blocked more than 99 out of 100 spam emails, and no product incorrectly marked more than 1 in 470 legitimate emails as spam.

Taken in isolation such figures might be seen as pretty good; however, since both the spam-catching rates and the false detection rates got worse this month, Virus Bulletin is in no mood to pop any champagne corks.

“More spam means more time wasted dealing with it, a greater chance of falling for scams, and a greater chance of accidentally deleting legitimate emails,” it notes.

Virus Bulletin has put together a chart that plots spam-catch rate against false positive mistakes. The best-performing products are those that hit the top-right quadrant of Virus Bulletin’s graph. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/20/spam_filters_performance_dip/