Terror group builds secure VoIP over GPRS network: report

Secret comms network eludes spooks

Terror group Lashkar-e-Taiba has developed its own VoIP network that connects its members over GPRS networks, according to the Times of India.

UK and US authorities have both declared Lashkar-e-Taiba a proscribed terror organisation. The group’s aims include India ceding sovereignty over Kashmir. Members of the organisation participated in the 2008 attacks on Mumbai.

The VoIP network is frustrating India’s intelligence community, the report says, because it means they can no longer trace the group’s members as it is far harder to spy on than email or commercial VoIP services.

“Earlier, we could intercept conversations on phone or locate Lashkar cadres based on their IP addresses through their emails,” an intelligence source told the Times. “But now we’re finding it tough to gather intelligence because Lashkar men hold audio or video conferences using private VoIP.”

The network even has a name: Ibotel.

The report says Lashkar-e-Taiba recruited “technicians, engineers and information technology executives … intensify its operations across India.” Some of those recruits, the report suggests, developed Ibotel as the group sought more secure methods of communication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/05/01/terror_group_voip/

Thousands of fingered crims, informants spaffed in web security COCK-UP

Exclusive An IT blunder splashed photos of suspected criminals and details of Brits who reported them over the internet, The Register can reveal.

The Facewatch website, which allows police and businesses to upload and share evidence of alleged petty crimes, was left wide open thanks to a web-server misconfiguration. The schoolboy error allowed anyone to easily access a huge cache of CCTV footage, photos and information about companies that sign up to the service.


El Reg was able to look through almost 5,000 records containing images and films of suspects dating back to March 2011.

We saw shoplifters pilfering from department stores, a man brandishing a stick inside a bookies, and people looking shifty in packed pubs presumably just before a crime took place. Some of the images even had names on them, which would be legally problematic if those pictured turned out to be innocent.

We also saw long lists of shops around Britain which have signed up to Facewatch, along with the names and contact details of their security guards and managers. This could come in handy for any crook wishing to intimidate a witness or exact revenge on the person who reported them to the police.

Big high-street names whose staff details were available for anyone to look at include the Carphone Warehouse, Lloyds Bank and Ladbrokes, which runs a nationwide chain of betting shops. There were also extensive lists of small businesses.

Publicly distributing images of suspected criminals could cause a legal headache due to strict rules on defamation and contempt of court: publishing evidence of a person apparently committing a crime risks prejudicing a jury, should the case ever come to trial, or could ruin their reputation.

Blighty’s privacy watchdog – the Office of the Information Commissioner – told us it was beginning inquiries that could lead to a formal investigation.

A spokesman said: “We have recently been made aware of a possible data breach which appears to involve the Facewatch website.

“We will be making enquiries into the potential breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

‘Secured by design’

The website boasts it was declared “secured by design” by a police-run body that recognises products or businesses that meet the “Police Preferred Specification” on security. This badge of honour is normally given to secure buildings or products, such as window locks and burglar alarms, but Facewatch was awarded the online equivalent.

But with a gaping security hole in its website, this could make businesses think again about how stringent this standard actually is.

You didn’t have to be a light-fingered thief nor an elite hacker to get into the sensitive files: all that was required was changing “http” to “https” in the website’s address and all the information was there to be accessed.

Specifically, the Nginx software running the HTTPS site was incorrectly configured to list the contents of directories on the web server rather than serve the intended web pages. Visiting http://facewatch.co.uk/ redirected to http://facewatch.co.uk/cms/, but no such redirect was in place on the HTTPS site, which instead revealed an index of the server’s root directory; from there, website code, databases of users and folders packed with images could be browsed.

We were told about the security hole by a source who was trying to report a crime. While trying to find the address of a HTTPS-encrypted server to send the images to, he found https://facewatch.co.uk/ gave him full read-only access to Facewatch’s file tree.

Our source said: “A novice who runs a church website would know not to allow directory browsing.”
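As an added illustration of the mistake described above (example code written for this page, not Facewatch’s configuration or anyone’s production tooling), here is a small Ruby auditor that parses a constructed nginx configuration in which the HTTPS vhost inherits `autoindex on` and has no handler for `/`, and flags it; the host name and document root are placeholders.

```ruby
# Tiny nginx.conf auditor for the misconfiguration described above: a server
# block with "autoindex on" in effect and nothing handling "/" answers the
# bare root URL with a directory listing. Constructed example, not Facewatch's
# configuration; the parser handles plain directives and nested blocks only.

# Turn config text into nested { name:, args:, children: } nodes.
def parse_nginx(text)
  tokens = text.gsub(/#[^\n]*/, '').scan(/"[^"]*"|'[^']*'|[{};]|[^\s{};]+/)
  parse_block(tokens)
end

def parse_block(tokens)
  nodes = []
  cur = []
  while (tok = tokens.shift)
    case tok
    when '}' then break
    when ';', '{'
      kids = tok == '{' ? parse_block(tokens) : nil
      nodes << { name: cur[0], args: cur[1..] || [], children: kids } unless cur.empty?
      cur = []
    else
      cur << tok
    end
  end
  nodes
end

# First plain (non-block) directive with the given name, or nil.
def simple_directive(nodes, name)
  nodes.find { |n| n[:name] == name && n[:children].nil? }
end

# Walk the tree carrying the autoindex value inherited from enclosing blocks.
def audit_config(nodes, inherited_autoindex = false)
  nodes.each_with_object([]) do |node, findings|
    next unless node[:children]
    if node[:name] == 'server'
      findings.concat(audit_server(node, inherited_autoindex))
    else
      ai = simple_directive(node[:children], 'autoindex')
      effective = ai ? ai[:args][0] == 'on' : inherited_autoindex
      findings.concat(audit_config(node[:children], effective))
    end
  end
end

def audit_server(server, inherited_autoindex)
  kids = server[:children]
  listens = kids.select { |n| n[:name] == 'listen' }.flat_map { |n| n[:args] }
  tls = listens.any? { |a| a == 'ssl' || a.split(':').last == '443' }
  ai = simple_directive(kids, 'autoindex')
  autoindex = ai ? ai[:args][0] == 'on' : inherited_autoindex
  # "location / {...}" and "location = / {...}" both end in the "/" argument.
  root_loc = kids.find { |n| n[:name] == 'location' && n[:args].last == '/' }
  label = "#{tls ? 'https' : 'http'} server (listen #{listens.join(' ')})"
  if autoindex && root_loc.nil?
    ["#{label}: autoindex on and nothing handles '/', so the root directory listing is served"]
  elsif autoindex
    ["#{label}: autoindex on; any directory without an index file is browsable"]
  else
    []
  end
end

# Constructed config mirroring the report: the HTTP vhost redirects "/" to
# /cms/, the HTTPS vhost does not, and autoindex is on for everything.
# Host name and document root are placeholders.
BROKEN_CONF = <<~'NGINX'
  http {
    autoindex on;
    server {
      listen 80;
      server_name example.invalid;
      root /srv/www;
      location = / { return 301 /cms/; }
    }
    server {
      listen 443 ssl;
      root /srv/www;     # same tree, but nothing handles "/"
    }
  }
NGINX

# Corrected form: listing off, and "/" handled the same way on both vhosts.
FIXED_CONF = <<~'NGINX'
  http {
    autoindex off;
    server { listen 80;      location = / { return 301 /cms/; } }
    server { listen 443 ssl; location = / { return 301 /cms/; } }
  }
NGINX
```

Calling `audit_config(parse_nginx(conf))` on a configuration string returns the list of findings; it is empty for `FIXED_CONF` and names both vhosts for `BROKEN_CONF`.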

We reported the security flaw to Facewatch, which closed the hole immediately.

The organisation’s chairman Simon Gordon told us the “accessible code related to a previous version” of its website software. And he argued the long lists of email addresses we saw were in the public domain already and could be “accessed by the public in order for people reporting crime to contact those who reported a crime on their behalf”.

The chairman admitted that contact details of security staff were left visible but they were people who took “all necessary precautions to protect their personal safety”. He continued:

We have undertaken penetration testing to ensure that the information stored in the Facewatch systems is secure and can confirm that all personal data are secure and that our systems are secure. The URL to which you referred us has been closed as this is no longer in use.

Facewatch takes the security of the information which it holds very seriously and works with its clients, including the UK police services, and the data protection regulators to ensure that all data is secure when it is being transmitted to the police or held on behalf of our clients.

The crimes which are reported through the Facewatch system do not relate to crimes against the person or which include violence and those using the system are aware that their business email addresses are made available to a variety of people, both by their own organisations and third parties.

Therefore, any risks in the publication of the email addresses are very unlikely. Our clients are required to post signs confirming that they are using CCTV and that images will be disclosed; many of our clients advertise that they are using the Facewatch system through such signs and by using other means. Therefore, the images of those that the police wish to contact are published with the full knowledge of the individuals concerned.

No names of any crime victims were hosted on the site due to ICO rules that state they should be deleted within 36 hours of recording them.

Some 63,000 people have downloaded Facewatch’s smartphone app and its images have been viewed nine million times, we’re told. As well as allowing officers and shop bosses to upload files, Facewatch allows Brits to use their mobiles to view CCTV stills and other photos of people wanted for questioning by cops.

Facewatch’s Gordon claimed some of the images we found on the server were part of that public mug-shot gallery.

“Some residual images of individuals that the police would like to contact in relation to certain reported crimes were available; these images had been made available to see if members of the public would be able to help with their identification,” Gordon said.

The scheme was first tested in London, before being rolled out across the UK. It is operated by a private company called FaceWatch Limited, based in Ipswich. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/19/facewatch_https_directory_index_error/

AXE-WAVING BIKER GANG SMASHES into swanky Apple UK store

Damage to the Apple Store window

Pic Cops have arrested two men following a failed “smash and grab” robbery at Apple’s flagship store on Regent Street, London.

Detectives want to hear from anyone who may have witnessed the incident, which took place at 1am on Tuesday morning.

Damage to the shop window

Officers told The Register that up to eight people may have been involved in the attempted burglary. Cops said the gang used an axe to smash through a glass door, but were chased off by the fruity firm’s security team.

The gang then sped off on a number of scooters, forcing the police to scramble a helicopter to find them.

Two men, aged 21 and 18, were later cuffed in the fashionable North London borough of Islington: the pair are still being quizzed by the plod.

They were both arrested on suspicion of aggravated attempted burglary and dangerous driving, although the two have not yet been charged with any offence.

Anyone with any information on the attempted break-in should call the Westminster division of the Metropolitan Police’s Serious Acquisitive Crime Unit via 101. Anonymous tipsters can ring the confidential Crimestoppers hotline on 0800 555 111 instead. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/19/two_detained_after_apple_store_raid_attempt/

Six nations ask Google for answers on Glass privacy

36 Privacy Commissioners from around the world have written to Google to ask, in the polite-but-firm language of international diplomacy, for some details about Google Glass.

The letter was signed by Privacy Commissioners or their equivalents from Canada, Australia, New Zealand, Mexico, Switzerland and Israel, plus several Canadian provinces.


The authors’ beef is simple: it looks like Glass could invade privacy in dozens of ways, but Google has told the world almost nothing about how the device works. That observation produced the following list of questions the Commissioners want answered:

  • What are the privacy safeguards Google and application developers are putting in place?
  • What information does Google collect via Glass and what information is shared with third parties, including application developers?
  • How does Google intend to use this information?
  • While we understand that Google has decided not to include facial recognition in Glass, how does Google intend to address the specific issues around facial recognition in the future?
  • Is Google doing anything about the broader social and ethical issues raised by such a product, for example, the surreptitious collection of information about other individuals?
  • Has Google undertaken any privacy risk assessment the outcomes of which it would be willing to share?
  • Would Google be willing to demonstrate the device to our offices and allow any interested data protection authorities to test it?

At the time of writing Google has not responded to the letter, which is addressed to Larry Page himself.

“We would be very interested in hearing about the privacy implications of this new product and the steps you are taking to ensure that, as you move forward with Google Glass, individuals’ privacy rights are respected around the world,” the authors say. “We look forward to responses to these questions and to a meeting to discuss the privacy issues raised by Google Glass.”

As do we all. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/19/six_nations_ask_google_for_answers_on_glass_privacy/

Spear phish your boss to win more security cash

Despite weekly news of successful and nasty online attacks damaging organisations of every stripe, executive types remain blasé about security and don’t pay it enough attention, says Jason Clark, chief security officer at Websense, who recommends fighting back by phishing CEOs and board members.

Clark’s suggested attacks are controlled fakes, run by dedicated white hat outfits, and are designed to ensure suits get a brief jolt of fear rather than having to ask their personal assistants to arrange delivery of new platinum cards. Clark feels the experience of being phished is sobering because its delivery by email demonstrates how anyone in an organisation can be attacked.


Once suits understand that, Clark’s hope is it becomes easier for security professionals to have meaningful conversations with business decision makers and those who hold the purse-strings.

Such discussions need to get deeper and more frequent, he feels, because today too few executives pay more than lip service to security. When they do, they ask for assurance that the organisations they lead are complying with legislation and can demonstrate they have appropriate security controls.

Once suits are properly scared, they’ll be more interested in learning more about security, will ask more and more probing questions of their IT departments and eventually lead their organisations to a security regime that gives them the protection they need.

Clark’s advice is otherwise mundane: he suggests organisations ensure they have advanced malware repulsion tools, spear phishing blockers and data protection tools to ensure valuable documents can’t leave the building. Few organisations he visits – Clark claims to meet 400 CSOs or CEOs a year – have all three in place. Around ten per cent of organisations he visits have used phake phishing.

Fewer still perform comprehensive threat modelling, a practice he recommends as the best route to understanding appropriate security investments. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/19/spear_phish_your_boss_to_win_more_security_cash/

Chinese hackers launch PRISM scare campaign

The Chinese group behind the recently discovered NetTraveler attacks is now using widespread interest in the infamous National Security Agency (NSA) PRISM surveillance program to encourage users to open malicious email attachments, it has emerged.

Brandon Dixon of the 9bplus blog said he came across an email uploaded to VirusTotal entitled “CIA’s Prism Watchlist”.


The intended recipient of the message was a Yahoo account associated with the Regional Tibet Youth Congress in Mundgod, India, he added. The sender address was apparently faked to approximate “Jill Kelley” – the woman whose complaints of harassment prompted the investigation which led to the resignation of former CIA boss David Petraeus.

The Word doc attached was named “Monitored List 1.doc”, containing malware designed to exploit the same vulnerability (CVE-2012-0158) favoured by the NetTraveler gang, Dixon wrote.

“It’s funny to note that these actors are keeping up with their same techniques and infrastructure (not all of it) despite being 100 per cent outed,” he added. “Again, this sort of behaviour shows poor operational security or a complete lack of care.”

The NetTraveler attacks were first brought to light by Kaspersky Lab earlier this month, when researchers at the AV vendor revealed that the campaign had successfully compromised more than 350 high profile victims in 40 countries, with the malware in question having been active since 2004.

Key targets included embassies, oil and gas corporations, research institutes, military contractors and governments.

Tibetan and Uyghur activists were also among those targeted by the group of 50-odd individuals – usually a tell-tale sign of Chinese involvement.

Kaspersky added that most members were native Chinese speakers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/19/prism_nettraveler_email_malware/

EU Justice Department stalls India’s security clearance

India’s outsourcing giants are likely to face more delays in their frustrated bid to tap a potential IT services market worth $30 billion, after a report emerged suggesting the EU still has big data security concerns with the country.

The EU and India have been trying to finalise their Broad-based Trade and Investment Agreement since 2006, with the goal of breaking down trade barriers, but progress in the past few months has been slow, according to The Hindu.


One of New Delhi’s major requests as part of the deal is for the country to be recognised as a “data secure destination”, an accreditation which could increase the country’s outsourcing revenue from the EU from $20bn to $50bn, according to Nasscom’s Data Security Council of India.

Although the EU Justice Department’s study into India’s data protection regime has not yet been completed, mutterings suggest it has identified significant gaps in local laws which could require time-consuming legislative amendments.

“The recent communication from the EU Justice Department is worrying for us as it indicates that the EU is not willing to offer us data secure status till we make changes in our systems. This could take a long time as it may also require legislative changes,” a Commerce Department official told The Hindu.

“It is very clear that the EU is not in any hurry to give us data secure status. This would hamper the trade talks further.”

The thorough audit demanded by the EU would seem appropriate given that data breaches at Indian IT services firms periodically come to light.

For example, news broke a year ago that corrupt staff in local call centres were systematically selling on the personal details of millions of British customers.

It’s a problem which was highlighted in February by prime minister David Cameron, who during a trade visit to India signed a deal promising “an unprecedented level of co-operation with India on security issues”.

The joint task force which will be set up between the two countries will see the UK share its expertise in tackling data security with India in order to better secure the increasing amount of data stored on servers in the sub-continent. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/19/india_outsourcing_data_security_woes_eu/

Remote code execution vuln appears in Puppet

Puppet Labs has blasted out a security advisory about a vulnerability in the popular infrastructure management tool Puppet.

The CVE-2013-3567 (Unauthenticated Remote Code Execution Vulnerability) warning was issued by Puppet Labs on Tuesday, and advises all Puppet users to upgrade to versions 2.7.22, 3.2.2 or later, and paid-for customers of Puppet Enterprise to move to 2.8.2.


The vulnerability is serious as it allows for code to be executed remotely.

“When making REST api calls, the puppet master takes YAML from an untrusted client, deserializes it, and then calls methods on the resulting object. A YAML payload can be crafted to cause the deserialization to construct an instance of any class available in the ruby process, which allows an attacker to execute code contained in the payload,” the company wrote.
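The mechanism the advisory describes, shown as an added Ruby example (written for this page, not Puppet’s own request handling; the request fields and the `AuditMarker` class are placeholders): an unrestricted YAML load resolves a `!ruby/object:` tag into an instance of whatever class it names, whereas `YAML.safe_load` refuses anything outside an explicit allow-list.

```ruby
require 'yaml'

# A harmless class defined here only to show that an unrestricted YAML load
# instantiates whatever class a tag names. The advisory's point is that an
# attacker can pick any class available in the process, which is what turned
# this into remote code execution (CVE-2013-3567).
class AuditMarker
  attr_reader :note
end

# Constructed request body a legitimate client might send (placeholder fields,
# not Puppet's actual REST wire format).
BENIGN_BODY = "---\nname: web01.example.invalid\nenvironment: production\n"

# Constructed body carrying a type tag instead of a plain mapping.
TAGGED_BODY = "--- !ruby/object:AuditMarker\nnote: constructed\n"

# What the vulnerable code path amounted to: trust the client's YAML entirely.
# (Psych >= 4 renamed the old unrestricted load to unsafe_load; on older
# versions plain load is the unrestricted one.)
def legacy_load(body)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(body) : YAML.load(body)
end

# Hardened handler: only plain scalars, arrays and hashes can come back, the
# shape is validated, and only the fields we expect are used.
def handle_request(body)
  data = YAML.safe_load(body, permitted_classes: [], aliases: false)
  raise ArgumentError, 'request body must be a mapping' unless data.is_a?(Hash)
  { name: String(data.fetch('name')),
    environment: String(data.fetch('environment', 'production')) }
end

if __FILE__ == $PROGRAM_NAME
  obj = legacy_load(TAGGED_BODY)
  puts "unrestricted load built a #{obj.class} with note=#{obj.note.inspect}"
  begin
    handle_request(TAGGED_BODY)
  rescue Psych::DisallowedClass => e
    puts "safe_load rejected it: #{e.message}"
  end
  puts "benign request parsed as #{handle_request(BENIGN_BODY).inspect}"
end
```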

Puppet is an open source configuration management and automation tool, and its development is stewarded by Puppet Labs, which makes the commercial version, Puppet Enterprise. VMware was the sole investor in the company’s $30 million fourth funding round in January.

One alternative to Puppet is Chef, which is made by Opscode. Chef has been backed heavily by Amazon Web Services and sits inside the company’s OpsWorks control layer. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/18/puppet_security_vuln/

Apple’s screw-up leaves tethered iPhones easily crackable

iPhones being used as Wi-Fi hotspots are open to attack because of lax security protocols in the automatic password generation system Apple has in place, according to new research from the University of Erlangen in Germany.

The paper, “Usability vs. Security: The Everlasting Trade-Off in the Context of Apple iOS Mobile Hotspots” by Andreas Kurtz, Felix Freiling, and Daniel Metz, found that the seemingly random password iOS generates for hotspots is simple to crack. It consists of four to six characters followed by a four-digit number string.


As a test, the team downloaded a 52,500-word dictionary from an open source version of Scrabble, added number-generating code, and cracked the iOS password system every time – although the team points out it isn’t suggesting Apple used the same dictionary. Using an AMD Radeon HD 6990 GPU, the average time to crack was 59 minutes – which is interesting, but hardly practical.

So the team then reverse-engineered the iOS word list used for password generation, using “static and dynamic analysis,” tools like GNU Debugger, and by manually going through the ARM disassembly of the relevant iOS frameworks. They found Apple uses English-language words of between four and six letters from a dictionary copyrighted by Lernout & Hauspie Speech Products.

“Only 1,842 different entries of that dictionary are taken into consideration,” the paper states. “Consequently, any default password used within an arbitrary iOS mobile hotspot, is based on one of these 1,842 different words. This fact reduced the search space of our initial brute force attack by more than 96% and thus increased the overall cracking speed significantly.”

In addition, the selection of words picked for passwords was skewed. “Suave” was used 0.08 per cent of the time, “subbed” cropped up 0.76 per cent and “head” 0.53 per cent – ten times the frequency they should have had under a random pick. By frontloading these selections into any attack code, the chances of cracking the system quickly are greatly increased.

The team also decided to upgrade their hardware to bring down search times and built a box with four AMD Radeon HD 7970 units that could burn through 390,000 guesses per second. This cut the time to crack automatically generated passwords down to 24 seconds, or 52 using a single AMD Radeon HD 6990 GPU. The team recommends that users specify their own passwords instead.
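To make the paper’s arithmetic concrete, an added Ruby example (mine, not the researchers’ code) that turns a default-password scheme into a keyspace, an entropy figure and an expected crack time at a given guess rate; it uses the figures quoted above and, going beyond the article, puts the Windows Phone 8 digits-only scheme and a properly random passphrase on the same scale.

```ruby
# Keyspace, entropy and expected crack time for default-password schemes.
# The iOS figures (1,842 words, four digits, 390,000 guesses/s) come from the
# paper quoted above; the other rows are added for comparison.

Scheme = Struct.new(:name, :keyspace)

# A "word + digits" scheme: one of `words` choices followed by `digits` decimal digits.
def word_digit_scheme(name, words, digits)
  Scheme.new(name, words * 10**digits)
end

# Entropy in bits of a value chosen uniformly from `keyspace` possibilities.
def entropy_bits(keyspace)
  Math.log2(keyspace)
end

# Expected seconds to hit a uniformly chosen password when the space is
# searched at `rate` guesses per second (on average half the space is tried).
def expected_crack_seconds(keyspace, rate)
  keyspace / rate.to_f / 2
end

# Fraction of a brute-force search space removed by shrinking the dictionary.
def search_space_reduction(words_before, words_after)
  1.0 - words_after.to_f / words_before
end

# How many times more often a word appeared than a uniform pick over `words`
# would give (used for the paper's frequency-skew observation).
def skew_vs_uniform(observed_fraction, words)
  observed_fraction * words
end

GUESS_RATE = 390_000 # guesses/s on the four-GPU box from the paper

SCHEMES = [
  word_digit_scheme('iOS hotspot, full 52,500-word Scrabble list', 52_500, 4),
  word_digit_scheme('iOS hotspot, 1,842 words actually used', 1_842, 4),
  word_digit_scheme('Windows Phone 8, eight digits only', 1, 8),
  Scheme.new('random 12-char alphanumeric (for comparison)', 62**12),
]

# One summary row per scheme: bits of entropy and average crack time at `rate`.
def summarise(schemes, rate)
  schemes.map do |s|
    { name: s.name, bits: entropy_bits(s.keyspace).round(1),
      avg_seconds: expected_crack_seconds(s.keyspace, rate) }
  end
end

if __FILE__ == $PROGRAM_NAME
  summarise(SCHEMES, GUESS_RATE).each do |row|
    puts format('%-48s %5.1f bits  avg %.0f s', row[:name], row[:bits], row[:avg_seconds])
  end
  puts format('dictionary shrink removes %.1f%% of the search space',
              100 * search_space_reduction(52_500, 1_842))
  puts format('"head" at 0.53%% is %.1fx its uniform share', skew_vs_uniform(0.0053, 1_842))
end
```

The 1,842-word row reproduces the article’s 24 seconds; the digits-only Windows Phone 8 scheme comes out at about 128 seconds at the same guess rate, which is why the authors say it is no better.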

As a test case, the team built an iOS application dubbed “Hotspot Cracker” which could be used to try out an attack on the target phone. This was limited by the processing power of the smartphone, but can be used in conjunction with a cloud password cracking service such as CloudCracker for better results.

Once the password has been cracked, the operator can piggyback on the hotspot’s bandwidth, stage a man-in-the-middle attack for eavesdropping, and get access to files stored on the device. Jailbroken iPhones are extra risky since they could allow access to the basic iPhone system services code.

While the researchers concentrated on Apple, they note that other mobile operating systems shouldn’t get too smug. Microsoft’s Windows Phone 8 uses a similar password system that doesn’t even use words, relying instead on eight-digit number strings alone. Android is much better, but there have been cases of manufacturers such as HTC dumbing down password generation for some handsets, the authors report.

“The results of our analysis have shown that the mobile hotspot feature of smart devices increases the attack surface in several ways,” the team concludes. “As the default password of an arbitrary iOS hotspot user can be revealed within seconds, attacks on mobile hotspots might have been underestimated in the past and might be an attractive target in the future.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/18/iospoor_passwords_crackable_24_seconds/

Tor users locked out of Facebook after wave of dodgy traffic

Users of the Tor traffic anonymizing service are currently locked out of Facebook after a flood of dodgy traffic triggered an automatic lockdown by the social network’s security systems.

Given the paranoid post-PRISM times we live in, the outage on Tuesday caused a certain amount of online panic. A report highlighting the issue briefly topped the front page on Reddit, before both Facebook and Tor told users there was nothing to worry about.


“Facebook is not blocking Tor deliberately,” a Facebook spokesman told El Reg in a statement. “However, a high volume of malicious activity across Tor exit nodes triggered Facebook’s site integrity systems which are designed to protect people who use the service. Tor and Facebook are working together to find a resolution.”

Tor too was quick to reassure users that this wasn’t the beginning of a crackdown on access to Facebook, although there’s no public word yet as to the specific type of traffic that triggered the shutdown. In a blog post, it assured users of Tor systems that it was working with Facebook on this, and that they would be able to get their daily dose of birthday reminders, cat pictures, and web games as soon as the problem was fixed.

There’s been an upsurge of interest in the Tor system ever since the revelations by NSA whistleblower Ed Snowden about the extent of domestic and international data surveillance by the US intelligence services. Tor uses a network of proxies to protect some of the activities of its users, but the organization has warned that the system isn’t perfect.

“The core Tor software’s job is to conceal your identity from your recipient, and to conceal your recipient and your content from observers on your end,” it said. “By itself, Tor does not protect the actual communications content once it leaves the Tor network. This can make it useful against some forms of metadata analysis, but this also means Tor is best used in combination with other tools.”

The group recommends using the HTTPS Everywhere browser plug-in to encrypt traffic to websites when possible, to do the same with email traffic using TorBirdy and Enigmail, and consider shifting to a decentralized social network such as Diaspora.

That said, a lot of work needs to be done to toughen up the privacy protection of the Tor system, and the group is running a donations page to fund development and is on the lookout for volunteer coders to help out. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/18/facebook_blocks_tor_traffic_over_security/

Yahoo! joins! rivals! in! PRISM! data! request! admission!

Yahoo! has become the latest big-hitting American tech firm to reveal exactly how much information it has handed to US spooks.

Marissa Mayer’s outfit joined Apple, Facebook and Microsoft in releasing the number of sensitive data requests made by spies and law enforcement agencies.


The tech giants want to reassure customers and prospective clients that they are not being spied upon in the wake of the PRISM surveillance scandal.

In a joint statement, Marissa Mayer, CEO, and Ron Bell, general counsel, said the firm had processed between 12,000 and 13,000 information requests.

The most common requests involved “fraud, homicides, kidnappings and other criminal investigations”, as well as requests made under the Foreign Intelligence Surveillance Act (FISA). Yahoo was keen to point out that it could not reveal how many FISA requests it received.

Apple said it had received between 4,000 and 5,000 data requests in the same period. Microsoft and Facebook released information covering the latter half of 2012, where the social network said it had processed between 9,000 and 10,000 requests. Microsoft said it had dealt with between 6,000 and 7,000.

“We’ve worked hard over the years to earn our users’ trust and we fight hard to preserve it,” Yahoo!’s statement said.

“Like all companies, Yahoo! cannot lawfully break out FISA request numbers at this time because those numbers are classified. However, we strongly urge the federal government to reconsider its stance on this issue.

“Democracy demands accountability. Recognizing the important role that Yahoo! can play in ensuring accountability, we will issue later this summer our first global law enforcement transparency report, which will cover the first half of the year. We will refresh this report with current statistics twice a year.

“As always, we will continually evaluate whether further actions can be taken to protect the privacy of our users and our ability to defend it. We appreciate—and do not take for granted—the trust you place in us.”

In an interview with non-profit telly broadcaster PBS, President Barack Obama insisted that the NSA spying scheme was legal – and, in a piece of textbook doublespeak, even insisted the programme was “transparent”, despite the fact operations are planned and authorised under a cloak of secrecy.

He said this desire for openness had inspired the creation of a secret court set up under the Foreign Intelligence Surveillance Act, which authorises a programme to harvest American phone records and monitor US servers if it is suspected they are being used by foreign terror suspects.

In a bid to reassure a nervous public, Obama claimed to be setting up a board to monitor privacy and civil liberties, which will also decide how much data spies are allowed to harvest. He also promised to keep the public informed about government surveillance programmes in the future.

“We’re going to have to find ways where the public has an assurance that there are checks and balances in place … that their phone calls aren’t being listened into; their text messages aren’t being monitored; their emails are not being read by some big brother somewhere,” Obama said.

“What I’ve asked the intelligence community to do is see how much of this we can declassify without further compromising the program… And they are in that process of doing so now,” he added.

Edward Snowden, the IT worker behind the PRISM leak, is still at large in Hong Kong and gave a live webchat interview to The Guardian yesterday. He said: “All I can say right now is the US government is not going to be able to cover this up by jailing or murdering me. Truth is coming, and it cannot be stopped.”

Nine tech firms are alleged to be involved in the PRISM programme, although it is not clear if some or all of them would have been unwitting participants. So far, all of the firms have said that they require the police and other government workers to present them with a court order on a case-by-case basis before they will allow access to any data and none have copped to providing unfettered access to the Feds. Apple, for instance, said: “We first heard of the government’s ‘Prism’ program when news organizations asked us about it on June 6.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/06/18/yahoo_joins_rival_spookgate_data_request_admission/