Becrypt disk crypto earns first Brit spook kitemark

A full disk encryption product has become the first bit of kit to be certified by Brit spooks in their new Commercial Product Assurance scheme.

Covent Garden-based Becrypt’s DISK Protect demonstrated good commercial security practice, earning it the official stamp of approval to be used by the UK government and public sector bodies in lower-threat environments. The foundation-grade certification earned by Becrypt means DISK Protect is trusted to safeguard data sensitive enough to earn the classification of “restricted”. The technology is not approved for guarding more sensitive “confidential” or “secret” material. Nonetheless the seal of approval will make it easier for Becrypt to sell full disk encryption to public sector organisations.

The certificate was handed out by CESG (Communications-Electronics Security Group), which is part of the UK’s snooping centre GCHQ. CESG had evaluated and certified security products for years before the introduction of the CPA scheme in April 2011. Under the new regime, CESG and independent test labs evaluate commercial security products against published security standards. Products that meet the foundation grade, or the tougher augmented grade, get the seal of approval for public sector use. Even augmented-grade certification is only good enough for the protection of “restricted and some confidential data”, CESG explains.

The CPA scheme is not just for cryptographic products but also covers any security-enforcing gear – such as firewalls and virtualisation technology. The certification scheme does not cover services, which are likely to fall under a separate assurance scheme, currently under development.

A spokesman for CESG said: “We are grateful to Becrypt and our first test labs – Enex and Siventure – for the interest and support they have given us during the pilot phase of CPA.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/02/cesg_becrypt_certification/

Election hacked, drunken robot elected to school board

RSA 2012 Security experts have warned that electronic voting systems are decades away from being secure, and to prove it a team from the University of Michigan successfully got the foul-mouthed, drunken Futurama robot Bender elected to head of a school board.

In 2010 the Washington DC election board announced it had set up an e-voting system for absentee ballots and was planning to use it in an election. However, to test the system, it invited the security community and members of the public to try and hack it three weeks before the election.

“It was too good an opportunity to pass up,” explained Professor Alex Halderman from the University of Michigan. “How often do you get the chance to hack a government network without the possibility of going to jail?”

With the help of two graduate students, Halderman started to examine the software. Despite it being a relatively clean Ruby on Rails build, they spotted a shell injection vulnerability within a few hours. They figured out a way of writing output to the images directory on the compromised server, and of encrypting traffic so that the front-end intrusion detection system couldn’t spot them. The team also managed to guess the login details for the terminal server used by the voting system. This wasn’t exactly difficult, since the user name and password were both “admin”.
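The shell injection that gave the Michigan team their foothold is the one part of this story that can be shown in code, so here is an added example in Ruby, the language of the DC application. It is not the DC system’s code, which the page does not show. It assumes the flaw sat in a step that passed a voter-supplied file name into a shell command; the page does not say where the injection actually was. The “encryption” tool is a stand-in (`cp`) so the demo runs anywhere with /bin/sh, and the hostile file name tries to create a marker file, standing in for the team’s trick of writing output into the images directory.

```ruby
require "tmpdir"
require "shellwords"

# Added example, not the DC system's code. A ballot-processing step that hands a
# voter-supplied file name to an external command. The page says only that the
# Rails app had a shell injection flaw; where exactly is not stated, so the
# "encrypt" step here is a stand-in (it copies the file with `cp`).

# VULNERABLE: building one command string makes Ruby hand it to /bin/sh, which
# honours ";", "|", "$(...)", "#" and friends inside the voter-controlled name.
def encrypt_ballot_vulnerable(dir, filename)
  src = File.join(dir, filename)
  dst = File.join(dir, "encrypted.bin")
  system("cp #{src} #{dst}", err: File::NULL)
end

# HARDENED (preferred): argv form. Each argument reaches execve() intact; no
# shell is involved, so metacharacters are just bytes in a file name.
def encrypt_ballot_safe(dir, filename)
  src = File.join(dir, filename)
  dst = File.join(dir, "encrypted.bin")
  system("cp", src, dst, err: File::NULL)
end

# HARDENED (when a shell string is unavoidable): Shellwords.escape quotes the
# name so the shell sees a single word. Argv form is still easier to audit.
def encrypt_ballot_escaped(dir, filename)
  src = File.join(dir, filename)
  dst = File.join(dir, "encrypted.bin")
  system("cp #{Shellwords.escape(src)} #{Shellwords.escape(dst)}", err: File::NULL)
end

# Does a benign upload still get processed by this variant?
def benign_works?(variant)
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "ballot.pdf"), "constructed sample ballot")
    send(variant, dir, "ballot.pdf") && File.exist?(File.join(dir, "encrypted.bin"))
  end
end

# Does a hostile file name get an injected command executed by this variant?
# The injected command creates a marker file; "#" comments out the rest of the
# command line so the shell does not choke on the trailing destination path.
def injection_succeeds?(variant)
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, "ballot.pdf"), "constructed sample ballot")
    marker = File.join(dir, "owned")
    hostile = "ballot.pdf; touch #{marker}; #"
    send(variant, dir, hostile)
    File.exist?(marker)
  end
end

if __FILE__ == $PROGRAM_NAME
  %i[encrypt_ballot_vulnerable encrypt_ballot_safe encrypt_ballot_escaped].each do |v|
    puts format("%-26s benign=%s injected=%s", v, benign_works?(v), injection_succeeds?(v))
  end
end
```

Run stand-alone, the vulnerable variant reports `injected=true` and both hardened variants `injected=false` while all three still process the benign upload. The general lesson is the one the DC team exploited: any string that reaches `system`, backticks or `Open3` with user-controlled content in it is a shell command, not a file name.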

Once in, the team searched the government servers for additional vulnerabilities and system options. They found that the cameras installed to watch the voting systems weren’t protected, and used them to work out when staff left for the day and so wouldn’t spot server activity. More worrying, they also found a PDF file containing the authentication codes for every Washington DC voter in the forthcoming election.

The team altered all the ballots on the system to vote for none of the nominated candidates. They then wrote in names of fictional IT systems as candidates, including Skynet and (Halderman’s personal favorite) Bender for head of the DC school board. They also set up systems so that any further ballots would come under their control.

According to the log files the team found, plenty of people were also busy trying to get into the system. They spotted attempts to get in from the Persian University, as well as India and China. Using their inside access, they blocked these attacks. Finally, they inserted the word “owned” onto the final signoff screen of the voting page, and set up the University of Michigan football fight song to play after 15 seconds.

It took two days before the authorities discovered they’d been pwned, and they were only alerted to that fact when another tester told them the system was secure, but that they should lose the music on the sign-off screen, as it was rather annoying. Halderman has now published a full account of the attack.

The attack demonstrates several of the flaws in electronic voting systems, and at numerous sessions at the RSA 2012 conference in San Francisco, experts have consistently warned against the dangers of this technology. In the US, 33 states have introduced some kind of electronic voting system, and none of them is secure enough to resist a determined attacker, said Dr. David Jefferson from Lawrence Livermore National Labs.

“The states are in the habit of certifying voting systems, typically without testing them or seeing the source code,” he said. “In many cases the voting system uses proprietary code that government can’t legally check, and the running of the systems is outsourced to the vendors. This situation is getting worse.”

E-voting was a national security issue, he said. Financial attacks by hackers are relatively easy to detect – because at some point money has to leave the system. But if an election is hacked then we may never know, because it’s a one-time action that typically isn’t checked after the results have been announced and officials elected.

It will be decades before we have the technology to vote securely, Jefferson said, if indeed it is even possible. At stake is democracy itself, but politicians don’t seem to understand the problems of electronic voting, and both Jefferson and Halderman expressed fears for the future if current systems become more popular. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/electronic_voting_hacked_bender/

FBI boss warns online threats will outpace terrorism

RSA 2012 The head of the FBI warns that the threat to the US from online attacks will shortly become greater than that posed by terrorists.

“In the not too distant future we anticipate that the cyber threat will pose the number one threat to our country,” the FBI’s director Robert Mueller told delegates at the RSA 2012 conference in San Francisco. “We need to take lessons learned from terrorism and apply them to cybercrime.”

He quoted the Roman Stoic philosopher Seneca the Younger, who said that the more connected a society becomes – in Seneca’s day it was the spread of roads – then the more likely it is that an individual would become a slave to that connectivity.

The same is true of modern society, Mueller said. If the electronic systems on which society relies are removed, the result would be chaos and anarchy, he suggested. Interestingly, this goes against the advice of security guru Bruce Schneier, who pointed out that the purpose of terrorism is to terrorize, and if his phone doesn’t work he’d be annoyed, but hardly terrified.

As a society we can’t turn back the clock, Mueller said, nor should we try to. Instead, we need to share information and tactics to beat any enemies in the future. To that end, the FBI will make changes to its own force, and push for more changes to business practices from government.

All FBI special agents are now being trained in electronic methods, he said, and those who specialize in the area will get the best possible training. The agency is setting up virtual meeting rooms in which investigators can compare notes and follow up on cases.

In addition, Mueller wants a national breach law, so that when a serious hack takes place, the company hit has a responsibility to let law enforcement know. Currently, 47 states have breach laws of some sort, but the FBI wants this to be standardized across the country. Companies need to share their data on attacks and devise strategy together with law enforcement. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/02/fbi_cyber_terrorism_warning_rsa/

India splurges £100m on new mega internet snooping HQ

Updated India’s clampdown on its netizens is set to continue after its government revealed it is setting up a National Cyber Co-ordination Centre to monitor all web traffic flowing through the country – in the name of national security.

The Times of India had access to the minutes of a National Security Council Secretariat meeting held earlier this month, which claimed the new £100m centre would monitor all tweets, emails, email drafts, status updates and other messages.

The agency will be tasked with scanning “cyber traffic flowing at the point of entry and exit at India’s international internet gateways” in order to provide “actionable alerts” to relevant government departments in the event of a perceived security threat.

If a particular online message is flagged, the centre will have the right to open it up and see if it has actually unearthed a terror plot or merely snooped on an innocent chat – so obviously no privacy issues there, then.

“The coordination centre will be the first layer of threat monitoring in the country,” deputy national security advisor Vijay Latha Reddy said during the meeting, according to the leaked paperwork. “It would always be in virtual contact with the control room of the internet service providers.”

The Indian government is now said to be working out how many people it needs to staff the new centre as well as liaison roles within each government department.

The news comes as India’s much-publicised dispute with Research In Motion took another turn last week: the BlackBerry maker agreed to set up a BBM server in the country to enable the authorities to monitor traffic running on the service more easily.

Nokia’s Push Mail service is said to be next in line, while Yahoo, Google, Skype and others are thought to be in dialogue with the government about routing their services through servers in the country to ensure all comms channels can be monitored. ®

Update

This story has been updated to correct the amount being spent on the Centre.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/02/29/india_censorship_web/

Tick-like banking Trojan drills into Firefox, sucks out info

A new banking Trojan is spreading in the UK and the Netherlands, Symantec warns.

Neloweg operates much like its more famous cybercrime toolkit predecessor ZeuS, but with a couple of subtle twists.

“Like Zeus, Neloweg can detect which site it is on and add custom JavaScript. But while Zeus uses an included configuration file, Neloweg stores this on a malicious webserver,” Symantec analyst Fred Gutierrez explains.

The malware is designed to snatch online login credentials, primarily (but not exclusively) those for online banking sites. It infects machines by tricking Microsoft Windows users into installing it via a drive-by-download, spam or targeted email, or with the help of other malware.

Neloweg also targets browsers that use the Trident (Internet Explorer), Gecko (Firefox) and WebKit (Chrome/Safari) engines. In the case of Firefox, the Trojan buries itself as an integral component of the browser on infected machines, rather than a simple extension, which makes Neloweg stealthier than previous strains of banking malware.

“In the past we have seen threats create malicious extensions,” Gutierrez writes. “All users had to do was disable that particular add-on and they would be safe.

“For Neloweg, this is not the case. Since it is a component, it does not appear as an add-on in Firefox’s add-ons Manager, like other extensions and plugins do. Furthermore, because of the way Firefox is designed, Neloweg will be recreated and reinstalled every time Firefox attempts to connect to the Internet.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/neloweg_banking_trojan/

Stolen NASA laptop had Space Station control codes

A NASA laptop stolen last year had not been encrypted, despite containing codes used to control and command the International Space Station, the agency’s inspector general told a US House committee.

NASA IG Paul Martin said in written testimony (PDF) to the House Committee on Science, Space and Technology that a laptop was stolen in March 2011, which “resulted in the loss of the algorithms used to command and control the ISS”.

Martin also admitted that 48 different agency laptops or mobile devices had been lost or stolen between April 2009 and April 2011 (that NASA knows of). The kit contained sensitive data including third-party intellectual property and social security numbers as well as data on NASA’s Constellation and Orion programmes.

The actual number of missing machines could be much higher, because the agency relied on staff to ‘fess up when their notebooks were lost or stolen and admit what information was on them.

“Until NASA fully implements an agency-wide data encryption solution, sensitive data on its mobile computing and portable data storage devices will remain at high risk for loss or theft,” Martin told the Subcommittee on Investigations and Oversight.

The committee pointed out that it was all very well for Washington to be debating government involvement in private sector cybersecurity issues, but the government might want to remember that its own cybersecurity has had “mixed success”.

“Many of the technologies developed and utilised by NASA are just as useful for military purposes as they are for civil space applications. While our nation’s defense and intelligence communities guard the ‘front door’ and prevent network intrusions that could steal or corrupt sensitive information, NASA could essentially become an unlocked ‘back door’ without persistent vigilance,” warned Subcommittee chairman Paul Broun.

As well as facing the continuous disappearance of unencrypted staff laptops, NASA is also subject to increasingly sophisticated cyber attacks, Martin told the hearing.

“In 2010 and 2011, NASA reported 5,408 computer security incidents that resulted in the installation of malicious software on or unauthorised access to its systems,” he said.

“These incidents spanned a wide continuum: from individuals testing their skill to break into NASA systems, to well-organised criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services seeking to further their countries’ objectives.”

He said the intrusions had disrupted mission operations, had resulted in the theft of sensitive data and had cost the agency more than $7m.

Chairman Broun said that since the inspector general’s last report on IT security at NASA, the agency had taken steps to follow the IG’s recommendations, but said it still needed to do more.

“Despite this progress, the threat to NASA’s information security is persistent, and ever changing. Unless NASA is able to constantly adapt – their data, systems, and operations will continue to be endangered,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/nasa_stolen_laptop_unencrypted/

Google rolls out privacy policy, snubs Euro outcry

Google has defended its decision to combine around 60 of its privacy policies into one simplified document that makes it clear that users of the company’s products and services will be more uniformly tracked by the Chocolate Factory.

The search giant debuted its revised terms of service today, after announcing in late January that it would be tweaking its data-handling policy to cross-pollinate its huge online business with a single ID verification process to more accurately target its users.

Privacy advocates, data protection officials and top lawyers have been hugely critical of the move. Google’s privacy policy overhaul even prompted the independent European advisory body on data protection, the Article 29 Working Party – which is vice-chaired by the UK’s Information Commissioner Christopher Graham – to task French regulator CNIL with investigating Google’s actions.

The preliminary response from CNIL, as we reported yesterday, was to confirm that Google’s changes to its privacy policy did not meet the requirements of the current European data protection law, the 1995 Data Protection Directive.

Nevertheless Google has implemented the tweaks and defended the move by saying that halting it at this stage would “confuse” the firm’s userbase.

At a seminar hosted by the Microsoft-backed Brussels lobby group ICOMP in London last night, Graham danced around the question of whether Google was in the wrong.

“We don’t know if Google is operating outside of EU law… I’m not going to say it isn’t lawful as it’s being investigated,” he said.

Graham had earlier noted that the company’s CEO Larry Page deserved some “credit” after Google sent out “consumer alerts” earlier this year, but further pointed out that Page had failed to answer the question on lawfulness levelled at him by CNIL.

Google’s UK policy wonk, Theo Bertram, was the one lonely Choc Factory voice at the ICOMP seminar last night. He asked the speaker, ex-US Federal Trade Commissioner Pamela Jones Harbour, to explain how Google could have better communicated the changes to its users.

Jones Harbour, who sits on the Electronic Privacy Information Center’s advisory board, declined to answer by saying she didn’t speak for Microsoft – a company to which she currently offers legal representation, although in her previous role at the FTC she fought against Redmond over antitrust behaviour relating to the browser market.

After the event, Bertram told The Register that the former commissioner’s argument against Google’s data-handling and dominance in search would have been much stronger had she provided a more “balanced view” of the current online landscape.

Jones Harbour, who is a partner at Fulbright Jaworski LLP, countered in a telephone conversation with this reporter this morning that Microsoft’s search engine Bing has just 3 per cent market share in Europe, and added that Google’s dominance in the online business deserved scrutiny not only by data protection watchdogs but also from antitrust regulators.

The lawyer cited the Article 29 Working Party’s previous discussion with Europe’s Directorate General for Competition about Google’s 2007 takeover of ad company DoubleClick.

Those talks didn’t lead anywhere, however. Jones Harbour reckons that it’s now “time for competition officials to take another look”.

Given today’s significant terms-of-service change, it’s unclear whether the European Commission might yet widen its current investigation into whether Google’s business practices have been anti-competitive in the EU market to also consider how the company collects data from its users.

For Jones Harbour, competition and privacy in the online world need to be knitted together much more closely by antitrust watchdogs than is currently the case.

“The traditional ways of looking at the market don’t apply here when it comes to companies such as Google,” she said.

The lawyer added that she had never seen a business behave in the way Google had by declining to halt its privacy tweaks while DPAs scrutinised the move.

She claimed that “Google is arrogantly saying ‘make me do it’ to regulators”.

Meanwhile, Google’s Alma Whitten reiterated what the privacy policy revamp meant in a blog post confirming that the company had effectively ignored CNIL’s request:

“The new policy doesn’t change any existing privacy settings or how any personal information is shared outside of Google. We aren’t collecting any new or additional information about users. We won’t be selling your personal data. And we will continue to employ industry-leading security to keep your information safe.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/google_privacy_policy_implemented/

Feds crack suspect’s encrypted drive, avoid Constitution meltdown

Investigators have cracked the encryption key for a laptop drive owned by a Colorado woman accused of real-estate fraud – rendering a judge’s controversial order to make her hand over the passphrase or stand in contempt of court irrelevant.

The government seized the Toshiba laptop from Ramona Fricosu back in 2010 and successfully asked the court to compel her to either type the key into the computer or turn over a plain-text version of the data held on her machine.

Her lawyer’s argument that compelling her to hand over encryption keys would violate her Fifth Amendment rights against self-incrimination was rejected. Prosecutors offered Fricosu limited immunity in this case without going so far as promising they wouldn’t use information on the computer against her.

The Electronic Frontier Foundation filed a brief supporting the defence in the case, arguing that Fricosu was being forced to become a witness against herself. District Judge Robert Blackburn refused to suspend his decision for the time it would take to convene an appeal. The regional 10th U.S. Circuit Court of Appeals refused to review his decision.

Fricosu was left with the stark choice of either coughing up her encryption keys by the end of February or risking a spell behind bars for contempt of court. Philip Dubois, Fricosu’s attorney, claimed that his client had forgotten the encryption passphrase.

The closely watched case set the scene for a legal showdown that would test the US Constitution’s Fifth Amendment rights in the digital age. However the Feds handed the plain-text contents of the laptop to Dubois on Wednesday. It seems more than likely that the authorities had come across the right passphrase without Fricosu’s forced assistance.

“They must have used or found successful one of the passwords the co-defendant provided them,” Dubois told Wired.

Fricosu, and her ex-husband co-defendant Scott Whatcott are both accused of mortgage fraud.

The development comes days after a federal appeals court ruled in a separate case that a defendant did not have to hand over keys to decrypt a laptop drive believed to be storing images of child abuse. The ruling by the Atlanta-based US 11th Circuit Court of Appeals in the case of an unnamed Florida suspect upheld the defendant’s right to resist forced decryption.

This was the first appellate court to rule on the balance between Fifth Amendment rights against compelled self-incrimination and the public interest in allowing police to potentially unearth evidence in criminal cases involving encrypted computers and storage devices. However, the ruling is not binding in other circuits, especially in the absence of a Supreme Court ruling on the issue.

The US Fifth Amendment holds that no one “shall be compelled in any criminal case to be a witness against himself”. The Supreme Court has previously held that a criminal suspect can be compelled to turn over the key to a safe possibly containing incriminating evidence, but is not obliged to supply the combination to a safe to investigators, since the combination is the contents of the suspect’s mind rather than a physical object. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/forced_decryption_ruling_moot/

ICO slaps Durham Uni for exposing staff, students’ privates

Durham University leaked the personal details of 177 staff and students in a training manual that turned out to reveal more than how to take out a library book. The university has just been given a slap on the wrist by the Information Commissioner’s Office (ICO) and has promised to reform its data protection policies.

In illustrating the internal workings of its systems, Durham Uni unfortunately revealed personal information about its employees and students and posted screenshots of webpages full of information including names, addresses and dates of birth.

Details that should have been fictionalised or anonymised turned out to be the real details of 177 members of staff and present and past students.

The information was online for five months until July 2011, when Durham officials realised their mistake, took the images down and reported themselves to the ICO.

Durham has now committed to ensuring all staff receive appropriate training on data protection.

Steve Eckersley, Head of Enforcement at the ICO said: “All documents should be checked for personal information before being made available on a website. This case also highlights the importance of organisations having comprehensive data protection training in place for all staff.”

We’ve asked the university what type of training the manuals were for, and we’ll update if we hear back. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/durham_university_ico/

Watchdog hits out at malware racking up premium-rate charges

The premium rate phone regulator says it might disregard evidence of consumer consent from paid-for mobile applications if those apps turn out to contain malicious code.

Under PhonepayPlus’ Code of Practice, premium-rate service (PRS) providers are prohibited from charging without consumers’ consent. Certain PRS providers must hold evidence that consent has been obtained.

In new guidance (11-page/155KB PDF), the regulator said that malware contained in mobile apps had been used to send text messages containing keywords that result in consumers being charged for using PRS “shortcodes” without their knowledge or consent.

There have also been other instances of malware in mobile apps causing PRS numbers to be dialled without consumers knowing about it or authorising it.

Malware has also caused the “illicit access” of consumer contact lists, such as phone numbers or social networking contacts, which have been relayed to others without consent in order to “build up unauthorised marketing lists,” PhonepayPlus said. In all those circumstances consent to charging may not be said to have been obtained, it said.

“Providers are asked to note that, where such malicious software (‘malware’) is found, then a Tribunal may not be likely to consider any proof of consent (including Mobile Origination messages or records of calls) to be robust enough,” the regulator said.

PhonepayPlus issued the comments as part of wider guidance to PRS providers on “application-based payments”. Some consumers use premium rate services to pay to download apps, or additional content contained in apps, and add the cost onto their existing phone bill.

The guidance included advice on how PRS providers can obtain “robust” consent to charging from consumers. The regulator also said that PRS providers must ensure that they clearly signpost prices for mobile apps they allow consumers to buy at the point of sale.

“Where consumers make payment before they access an application, either as a one-off payment or a subscription, then it is important that they are given all information, including the price, which is likely to influence their decision to purchase before they consent to purchase,” the guidance said.

“Pricing information will need to be easy to locate within a promotion – ie close (proximate) to the access code or link to purchase a service. Where a promotion is contained within a website or a mobile website, it should not be necessary to scroll down (or ‘zoom in’ on a smartphone touchscreen) beyond the initially presented screen in order to discover the price, unless the access code or link to purchase a service is also in the same area. The price should also be easy to read once it is located, and easy to understand for the reader (i.e. be unlikely to cause confusion) and expressed in UK sterling. Loose or unclear descriptions of price are not acceptable,” it said.

However, in some cases it is acceptable for this general rule to be broken if the details about price are positioned prominently enough, PhonepayPlus said.

The PhonepayPlus Code requires that “consumers of premium rate services … [are] fully and clearly informed of all information likely to influence the decision to purchase, including the cost, before any purchase is made”.

The regulator’s guidance contains advice on the kind of information it would consider acceptable to provide when PRS providers deliver services that allow extra content within apps to be purchased. The providers can choose to inform consumers of the price of a purchase as and when the option arises, or clearly inform them about the extra purchase prices before they interact with the service, it said.

The regulator also strongly recommended that consumers be able to send ‘stop’ messages to providers in order to stop being charged and said that consumers should be made “fully aware” of circumstances where applications need to be uninstalled in order that charging stops.

PRS providers that allow consumers to pay for apps using “virtual currency” are also issued with guidance on how to comply with PhonepayPlus’ Code. Those providers should take measures such as ensuring consumers know what the “exchange rate” of the virtual currency is in relation to UK pound sterling, and clearly informing those consumers whether there is an expiry date for such currency to be used and circumstances in which the unused currency cannot be “redeemed,” the guidance said.

PhonepayPlus also said that consumers should not be allowed to buy services that would not work on their device.

“All providers of services offered via a mobile-based payment mechanic should ensure their services are compatible with each technical network platform and/or handset on which they are promoted. Where this is not possible, consumers with incompatible devices should be prevented from purchasing the service in question,” it said.

When proposing the draft guidance in September last year, PhonepayPlus chief executive Paul Whiteing said that the regulator would “not hesitate to use [its] robust sanctioning powers to drive out rogue providers who could damage a vital part of the UK’s growing and innovative digital and creative economies”.

Copyright © 2012, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/03/01/consent_may_not_count_for_malware_infected_apps/