STE WILLIAMS

Big Bang left us with a perfect random number generator

UK Home Secretary Theresa May will have to revamp the Investigatory Powers Bill to ban astrophysics: the cosmic background radiation bathes Earth in enough random numbers to encrypt everything forever.

Using the cosmic background radiation – the “echo of the Big Bang*” – as a random number generator isn’t a new idea, but a couple of scientists have run the slide-rule over measurements of the CMB power spectrum and reckon it offers a random number space big enough to beat any current computer.

Or, in terms of protecting messages against any current decryption capability: the CMB’s power spectrum offers a key space “too large for the encryption/decryption capacities of present computer systems”.

A straightforward terrestrial radio telescope, this arXiv paper states, should be good enough to make “astrophysical entropy sources accessible on comparatively modest budgets”.

The Baylor University (in Waco, Texas) researchers, Jeffrey Lee and Gerald Cleaver, also note that even if Eve (attacker) watched the same bit of sky at the same time as Alice, she wouldn’t get the same random number, “due to random variations in photon energy at any sky frequency, spurious signals within the detectors, interference from other sources of stellar radio noise, etc.

“Therefore, the digitised CMB power spectrum obtained by Alice is unique and cannot be acquired through “identical” power spectrum observations of the CMB by Eve”.

Apart from the maths by which Lee and Cleaver demonstrate the CMB power spectrum’s randomness, another interesting wrinkle in the paper is that they suggest it could meet the requirements of America’s Federal Information Processing Standard 140-2.

Except for one thing: FIPS 140-2 was written without astrophysical entropy sources in mind, so it stipulates that “the RBG or portion of the RBG cryptographic module that generates the key must ‘reside’ within the FIPS 140 key-generating module”, a boundary a radio telescope does not sit inside. ®

*Bootnote: Lest pedants or real astrophysicists lambast me on this point, yes: the CMB is actually, as Lee and Cleaver note, the “remnant of the Recombination Epoch in Big Bang cosmology”, rather than a direct “echo of the Big Bang”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/12/big_bang_left_us_with_a_perfect_random_number_generator/

Got a time machine? Good, you can brute-force 2FA

Time-based two-factor authentication tokens, and plug-ins that use them, are only as good as your time signal, and in the right (wrong) circumstances, they can be brute-forced.

Security researcher Gabor Szathmari says the problem is that if your 2FA tokens depend on the network time protocol (NTP), it’s too easy for a sysadmin to put together an attackable implementation.

As he explains in two posts (one giving the background, one a proof of concept), if an attacker can feed a host a false time via NTP, they can mount a brute-force attack against the tokens produced by Google Authenticator (the example in the PoC) and any other mechanism built on the Time-based One-time Password (TOTP) algorithm.

Under TOTP, a shared secret is combined with the current time (in 30-second steps, by default) to produce the token, and as Szathmari points out, “the same combination of secret key and timestamp always generates the same 6-digit code.”

That’s where NTP comes in. After the world realised the ntpd daemon was vulnerable, it got patched with validation algorithms so as not to accept bogus timestamps, Szathmari writes.

However, he says, a lot of sysadmins still use the deprecated ntpdate, which doesn’t run validation.

(There also remain vectors by which ntpd could be attacked, he writes: for example, if an attacker can remotely crash and restart the daemon, in which case it can be convinced to accept a bogus time server; or by exploiting bugs like CVE-2015-5300.)

Time manipulation is what creates the attack vector, Szathmari says. A malicious time source can freeze the clock of the host that verifies the token, so the six-digit code it accepts never rotates; the attacker then only has to step through the million possible codes (000000 to 999999) to brute-force the 2FA.

His proof-of-concept code, Szathmari says, was able to get a valid token in 39 minutes.

If you have ntpdate, now’s a good time to kill it and replace it with an up-to-the-minute ntpd. ®
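The arithmetic behind the attack, as an added example that is not Szathmari’s proof-of-concept code and not from the original article: a minimal RFC 6238 TOTP generator, a verifier modelled on a PAM-style TOTP module (with a ±1 time-step skew window), a sequential brute force against it, and a simplified model of ntpd’s panic threshold. The secret and timestamps are the RFC 4226/6238 test vectors; the `Verifier` class and the `ntpd_accepts_step` model are assumptions of this example, not the behaviour of any particular module.

```python
"""Added example (not Szathmari's PoC): why a TOTP verifier whose clock has been
frozen by a bogus time source can be brute-forced in at most 10**6 guesses.
Standard library only; secret and timestamps are the RFC 4226/6238 test vectors."""
import hashlib
import hmac
import struct
from typing import Callable, Optional, Set, Tuple

RFC_SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector secret
STEP = 30                               # default TOTP time step in seconds
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    dbc = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(dbc % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(time / step). Same secret and same
    time step always give the same code, which is the whole problem."""
    return hotp(secret, unix_time // step, digits)


class Verifier:
    """Hypothetical server-side check. `clock` is whatever the host believes the
    time is (a real module reads the system clock, which is exactly what a spoofed
    NTP source moves). `window` steps of skew are tolerated on either side."""

    def __init__(self, secret: bytes, clock: Callable[[], int], window: int = 1) -> None:
        self.secret = secret
        self.clock = clock
        self.window = window
        self.attempts = 0

    def accepted_codes(self) -> Set[str]:
        counter = self.clock() // STEP
        return {hotp(self.secret, counter + d) for d in range(-self.window, self.window + 1)}

    def check(self, code: str) -> bool:
        self.attempts += 1
        return any(hmac.compare_digest(code, valid) for valid in self.accepted_codes())


def brute_force(verifier: Verifier) -> Tuple[Optional[str], int]:
    """Submit 000000..999999 in order, as an unthrottled attacker would.
    Returns (accepted code, attempts made); with a frozen clock this always terminates."""
    for n in range(10 ** DIGITS):
        code = str(n).zfill(DIGITS)
        if verifier.check(code):
            return code, verifier.attempts
    return None, verifier.attempts


def ntpd_accepts_step(offset_seconds: float, panic_threshold: float = 1000.0) -> bool:
    """Simplified model of ntpd's panic threshold: an offset beyond 1000 s is refused
    (ntpd logs and exits rather than applying it, unless started with -g for the
    first sync). ntpdate has no such check and applies any offset it is told."""
    return abs(offset_seconds) <= panic_threshold


if __name__ == "__main__":
    # Generator side: the RFC 6238 vector for T=59 is 94287082 (8 digits) -> "287082".
    print(totp(RFC_SECRET, 59))
    # Verifier stranded at T=59 by a bogus time source: one fixed set of valid codes.
    frozen = Verifier(RFC_SECRET, clock=lambda: 59)
    print(sorted(frozen.accepted_codes()))
    print(brute_force(frozen))
    # A ten-year offset from an attacker's time server: ntpd refuses, ntpdate would not.
    print(ntpd_accepts_step(10 * 365 * 86400))
```

The sequential search is guaranteed to finish inside a million guesses only because the verifier’s clock is stuck; the skew window simply widens the target. Note that a verifier which rate-limits or locks out after a handful of failures (libpam-google-authenticator has a RATE_LIMIT option for exactly this) defeats the enumeration whatever its clock says, so fixing the time source is necessary but not the whole defence.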

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/12/got_a_time_machine_good_you_can_bruteforce_2fa/

Shadow state? Scotland’s IT independence creeps forth

As debate kicks off at Westminster over the surveillance powers of spies and the police, the 55 Scottish National Party lawmakers look likely to be a restraining influence.

The party’s general election manifesto pledged to oppose the Snooper’s Charter. A decade ago, SNP MPs were among the first to oppose New Labour’s identity card scheme.

But in Scotland, the SNP-run government is introducing, or at least considering, IT-led projects which some critics see as increasing surveillance, including a data-sharing system covering all children, an upgraded CCTV network run by the police, and a Scottish identity scheme.

The plan which has attracted the strongest opposition is the Named Person scheme, allocating a state-sector professional to every under-18 in Scotland. The scheme, which is already operating in some areas and will cover all of Scotland by August 2016, provides someone who can respond to requests for help from a child, as well as work with those who have concerns for his or her wellbeing.

It has similarities with ContactPoint, a New Labour system that would have kept tabs on all children in England if it hadn’t been abolished along with ID cards by the Tory-LibDem coalition government in 2011.

NO2NP, a pressure group set up by civil liberties, educational and Christian organisations to oppose the scheme, is worried about how many people will have access to the data and how it will be secured, as “once personal data is out there, there’s no getting it back,” said spokesperson Colin Hart.

The Scottish Government dismisses this. “The individuals that will be delivering the Named Person functions – typically health visitors and senior school staff – are currently handling and processing personal sensitive and confidential information. The organisations that support them already have systems and processes in place to support the legal and secure storage of this information,” said its own spokesperson.

NO2NP, which more broadly sees the scheme as undermining parents and the privacy of families, is pursuing legal action against it – so far unsuccessfully.

In September, judges in Edinburgh’s Court of Session dismissed an appeal against the group’s previously-rejected petition for a judicial review. However, NO2NP plans to take its case to London, then if that fails, the European Court.

Meanwhile, Scotland’s just-created single police force has been attempting its own bit of centralisation, with proposals to link up the nation’s public CCTV cameras. As elsewhere in the UK, councils run many of these cameras – and also like those across the country, they are short of cash following cuts in grants from central government.

Some local authorities in England and Wales have decided to cut back on CCTV to save money. In May, Carmarthenshire County Council scrapped live monitoring of its cameras, saving £100,000 a year to help pay for its Meals on Wheels service, after the local police and crime commissioner said such monitoring had little or no benefit.

Police Scotland takes a different view: it asked for a £10m upgrade of Scotland’s network of 2,800 public CCTV cameras. A review it conducted in August 2013 found they were in a bad state, with 80 per cent using analogue technology and a dozen councils failing to comply with legal auditing requirements.

As well as recommending a new wave of high-definition digital cameras, the force said these should be connected to its new i6 IT system – and, according to a redacted recommendation, the force urges that “statutory responsibility for the operation and maintenance of public space CCTV in Scotland is allocated to a public body”.

The hidden sections were revealed in July by investigative website The Ferret: the redaction was only a visual overlay, so the underlying text survived being copied out of the document and pasted into Word.

The Scottish Government said it is considering whether arrangements for oversight of CCTV are sufficiently robust, but that it encourages the police and local authorities to work in partnership.

But, giving more power to Police Scotland worries some: “The police in Scotland are a wee bit of a force unto themselves,” said Pol Clementsmith, Scotland officer for the Open Rights Group.

The force has been criticised for heavy-handedness in deploying armed officers, for example on routine patrols on the mean streets of Inverness, and for accessing journalists’ communications data without obtaining judicial approval.

In terms of IT competence, it failed to investigate a crashed car by the M9 motorway for three days as a result of failing to enter information from a call into its systems; one of the passengers may have survived if she had been found earlier.

A plan to use Scotland’s NHS Central Register as a national ID system, which gained parliamentary approval last March, could open the register to some 120 bodies across the Scottish public sector, including Quality Meat Scotland and Canals Scotland.

Pol Clementsmith said a set of smaller databases would be better, partly for improved privacy, partly as contracts to build it would be accessible to local suppliers: “We have some great Scottish technology companies that could bid for bits of it.”

“The Scottish Government has consulted on proposed amendments to the NHS Central Register,” said its spokesperson. “No decisions have yet been made while we consider the consultation responses, and we will outline the way forward to Parliament in due course.”

The Spectator magazine, focusing on the Named Persons scheme, recently ran a cover of Scotland’s first minister Nicola Sturgeon as the country’s ‘big sister’. She tweeted it, commenting: “LOL (as I believe the youngsters say these days!).”

Clementsmith thinks that the various plans have been triggered by attempts to save money and, in the case of Named Persons, to improve child protection rather than a desire to control people’s lives: “I don’t think the SNP is there saying: ‘We can watch what everyone is doing,’ but is sleepwalking into this,” he said.

“When it comes to the machinery of government, it presses ahead with ideas without looking at consequences,” he added.

Could such systems be used as the basis of an independent Scotland’s IT, following a “yes” vote in a future referendum? The Scottish Government has run public services including healthcare since devolution in 1999, so there is already an obvious case for some Scotland-wide IT.

But creating an all-purpose Scottish ID system would look like the action of a soon-to-be independent nation – and one that planned to keep an even closer eye on its citizens than the UK does. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/12/scotlands_creeping_it_independence/

Three indicted for massive hack and fraud scheme that targeted JPMorgan

US federal prosecutors on Tuesday unveiled criminal charges against three men accused of orchestrating the biggest theft of customer data from financial institutions in the country’s history – encompassing personal data belonging to more than 100 million people.

Unsealing a 23-count indictment in Manhattan, the Justice Department charged Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein with computer hacking crimes against JPMorgan, as well as other financial institutions, brokerage firms and financial news reporters, including The Wall Street Journal. The trio stand accused of stealing as many as 83 million customer records.

Speaking at a press conference, US Attorney Preet Bharara said:

The charged crimes showcase a brave new world of hacking for profit. It is no longer hacking merely for a quick payout, but hacking to support a diversified criminal conglomerate.

This was hacking as a business model. The alleged conduct also signals the next frontier in securities fraud – sophisticated hacking to steal nonpublic information, something the defendants discussed for the next stage of their sprawling enterprise.

The news finally puts to bed long-standing rumours of Russian shenanigans, instead painting a picture of good, old-fashioned greed. The scam centred around the tried and tested pump-and-dump stock scam that’s still very much alive and kicking, as we learned on Monday, when Lisa told us about James Alan Craig who had been using Twitter to manipulate stock prices.

This case is unusual though – pump-and-dumpers usually just spread misinformation in order to drive stock prices in whichever direction serves their needs; they don’t hack their way into systems to steal business data.

That’s exactly what happened in this case though and the reasons for it are simple. Not only were the alleged hackers able to glean more intel on the companies they were targeting, which would have given them additional insight into future stock values, they were also able to pick up personal information on specific individuals – a useful tactic in tailoring attacks against them.

And both avenues proved to be extremely lucrative for them, as prosecutors claim they made upwards of $100m through hacking seven large banks, running their own illegal Bitcoin trading operation and from an online casino.

In fact, according to law enforcement, the operation was so successful that it employed hundreds of people across 75 shell companies created in a number of countries via fake passports.

Prosecutors claim Shalon was the mastermind of the whole operation, saying he was the owner of US-based Bitcoin exchange Coin.mx which he operated with fellow Israeli, Orenstein.

With the help of Aaron, an American, the group allegedly bought up the type of penny stocks so often used in pump-and-dump scams. They then blasted out emails to dupe the unwary into jumping on a bandwagon so full of hype that they reportedly walked out of one deal alone with $2m.

It’s here that the information stolen from JPMorgan, Dow Jones, Scottrade and others came in useful – client and subscriber lists offered up a long line of potential marks.

As for how the trio allegedly broke into JPMorgan and other banks, the indictment says very little. However, it did reference a mutual fund in Boston whose tardiness left the doors to its network wide open in April 2014, when it failed to install a patch for the Heartbleed bug in good time.

According to Attorney Bharara, the sophisticated nature of the scheme was such that many companies could yet be unaware that they have also been targeted:

Even the most sophisticated companies – like those victimized by the hacks in this case – have to appreciate the limits of their ability to uncover the full scope of any cyber-intrusion and to stop the perpetrators before they strike again.

If they have been hacked, most likely others have been as well, and even more will be. The best bet to identify, stop and punish cybercriminals is to work closely, and early, with law enforcement. That happened here, and today’s charges are proof of that.

JPMorgan – which confirmed it was “Victim 1” in the superseding indictment – agreed that strong cooperation with law enforcement had been essential “in bringing the criminals to justice” with Scottrade, which had 4.6 million client accounts compromised, and Dow Jones both nodding in mutual agreement.

Shalon and Orenstein were arrested by Israeli Police in July 2015 on an indictment that charged the underlying securities fraud, and both remain in custody in Israel as prosecutors continue to negotiate their extradition to the US.

Aaron, meanwhile, remains at large, with prosecutors declining to confirm or deny whether they know where he is currently hiding.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/FNIgy5Ga0Z4/

Latest Android phones hijacked with tidy one-stop-Chrome-pop

PacSec: Google’s Chrome for Android has been popped in a single exploit that could lead to the compromise of any handset.

The exploit, showcased at MobilePwn2Own at the PacSec conference in Tokyo yesterday but not disclosed in full detail, targets the V8 JavaScript engine. It can probably hose all modern and fully-patched Android phones if users visit a malicious website.

It is also notable in that it is a single clean exploit that does not require multiple chained vulnerabilities to work, the researchers say.

Qihoo 360 researcher Guang Gong showcased the exploit, which he developed over three months.

PacSec organiser Dragos Ruiu told Vulture South the exploit was demonstrated on a new Google Project Fi Nexus 6.

“The impressive thing about Guang’s exploit is that it was one shot; most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction,” Ruiu says.

“As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone.”

“The vuln being in a recent version of Chrome should work on all Android phones; we were checking his exploit specifically but you could recode it for any Android target since he was hitting the JavaScript engine.”

A Google security engineer on site received the bug. Ruiu says it is likely that Google will pay a security bug bounty for the vulnerability since the working exploit details were not disclosed.

A second team from Germany also appears to have popped a modern Samsung phone, with a demonstration delayed until today due to a delayed flight.

As a reward Ruiu will fly Gong to the CanSecWest security conference in March next year for a ski trip.

Last year hackers hosed popular phones for shares in $425,000 in cash rewards, but security sponsors Google and Hewlett Packard’s Zero Day Initiative pulled out.

Google did not offer detail to questions about its withdrawal, instead pointing Vulture South to its security rewards programs for Android.

HP says it did not sponsor the competition thanks to the complexities of the Wassenaar Arrangement and the US$300 million acquisition of Tipping Point and the Zero Day Initiative by Trend Micro.

“Due to the complexity of obtaining real-time import and export licenses in countries that participate in the Wassenaar Arrangement, the ZDI has notified conference organiser, Dragos Ruiu, that it would not be holding the Pwn2Own contest at PacSecWest,” a spokesperson says.

“Additionally, with the recent announcement of the TippingPoint divestiture, the ZDI will be under new ownership once the transaction closes.”

Apple and Microsoft also failed to return as sponsors.

Ruiu says researchers like Gong would not necessarily put the effort into developing exploits for bug bounties alone, and prefer the fun and bragging rights of security hacking events. ®

Update: Since this story was published, Gong has confirmed to The Register that he believes the vulnerability affects all versions of Android running the latest Chrome. We have asked Google for comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/12/mobile_pwn2own/

Tor Project: US government paid university $1m bounty to hack our networks

The Tor Project is claiming that researchers at Carnegie Mellon University (CMU) were paid a hefty bounty by the FBI to stage an attack last year aiming to unmask the operators of the network’s hidden services.

“We have been told that the payment to CMU was at least $1 million,” the group said in a blog post.

In July 2014 the Tor Project revealed that it had been the victim of a six-month hacking campaign which sought to flood the network with relays that modified Tor protocol headers to track users of hidden services. Within a week Tor updated its software and pushed out new versions of code to block similar attacks in the future.

The attack was limited in that it didn’t monitor entry and exit nodes to the Tor network, but could have been used to trace traffic patterns to hidden sites by the academics-for-hire. But the Tor Project is fuming that the FBI used the university to circumvent federal hacking laws.

“Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users,” said the group.

“This attack also sets a troubling precedent: civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses ‘research’ as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute.”

CMU’s role in trying to hack the Tor network – an anonymizing internet network that was partially funded by the US Office of Naval Research – has been well known ever since researchers from the university pulled a talk from last year’s Black Hat security conference about how they could break through its privacy protections.

According to the Black Hat presentation’s precis, some Tor traffic could be tracked using a few powerful servers and some fiber-speed connections. The researchers said that with a $3,000 budget they could use Tor design flaws to deanonymize traffic to hidden services within a few months.

Two months after the briefing was scheduled to occur, US and European cybercops announced the successful conclusion of Operation Onymous – a huge raid against dark net operators that took down Silk Road 2.0 and Cannabis Road. Police netted over $1m in Bitcoin, €180,000 (£141,200, $223,800) in cash, drugs, gold and silver, shut down 414 websites, and made 17 arrests.

For Tor to go on the record with such a claim indicates pretty strong evidence, but CMU has yet to respond to comment on the matter at time of publication. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/12/fbi_paid_bounty_to_hack_tor_project/

Oz railway lets newspaper photograph train keys

Police are now saying that yesterday’s Melbourne train-heist-and-wreck was possible because miscreants bought stolen keys online.

The vandalism, the cost of which is now estimated at AU$3 million rather than the original $2 million, involved people getting into an idle train at Hurstbridge station, starting it, and taking it on a 50-metre trip through the railyard.

The train was halted by a “derail block”, which then tipped it into another train.

However, in reporting the issue of stolen keys, Melbourne newspaper The Age compounded the problem: it showed a photograph of “universal keys” in sufficient detail for them to be reproduced.

The publication is reminiscent of the emergence in September of 3D printed copies of TSA master luggage-keys, copied from a picture published by the Washington Post – except that a train is much bigger and more dangerous than most suitcases.

That was noticed by Twitter user @AnthonyBriggs:

The image of the keys doesn’t appear on The Age’s online story about keys being sold on the black market. So it’s only available to … well, pretty much the whole world by now, or soon.

There is, apparently, a program to replace the keys with more complex entry mechanisms, but this is “in its infancy” according to Victoria’s Metro Trains. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/12/oz_railway_lets_newspaper_photograph_train_keys/

Oz e-health privacy: after a breach is too late

Australia’s peak privacy body has lambasted the country’s Senate for being ignorant about the implications of the country’s new e-health records.

What was once called the Personally Controlled Electronic Health Record (PCEHR), re-branded My Health Record this year to give it a smiley face, is the government’s attempt to dragoon Australians into a national health database.

Looking behind the mask, however, the Australian Privacy Foundation reckons the e-health system looks more like it was designed for spooks and revenue-collectors than for doctors or patients.

Coming in for special criticism is the Senate committee recommendation (full report here) that My Health Record be changed from an opt-in system to an opt-out system. That decision seems designed to boost the chronically low take-up of a system that this year got a budget allocation of more than AU$450 million (its 15-year estimated cost from 2010 to 2025 is $3.6 billion).

In a letter sent to the Senate as well as to the media, signed by the chair of the APF’s Health Sub-committee, Bernard Robinson-Dunn, the group calls the Senate committee that signed off on the opt-out provisions “dangerously naïve.”

It says the Senate Standing Committee on Community Affairs’ recommendation that My Health Record be opt-out creates a honeypot of data that can’t be protected merely by criminal sanctions on its abuse.

“The PCEHR is accessible in multiple ways, including over the Internet. The first line of defence should be highly effective systemic controls backed up by civil and criminal penalties.

“Relying primarily on penalties overlooks the fact that they are totally ineffective against criminals and cyber-terrorists operating overseas. Once a breach has occurred, the data cannot be put back in the box. Once an identity is used fraudulently, the damage is done.”

For that reason, Robinson-Dunn writes, a reliance on criminal and civil penalties is “patently absurd”.

The APF says the entire e-health strategy needs to be re-evaluated, and the record re-designed to be “functional, secure and useful”.

“There is not a full appreciation of, and learning from, the complexities and risks associated with National E-Health Systems which have run massively over budget or simply failed in many countries over the last decade,” the letter notes.

As an IT project, the PCEHR has had a troubled history. In 2012, trials stalled because of software incompatibilities in the system, and later that year it was revealed that the Accenture-built system couldn’t handle names with apostrophes (O’Dwyer for example).

It suffered data-leak bugs in 2014, one occurring because Accenture had made a hash of avoiding name-collisions in the system. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/11/12/oz_ehealth_privacy_after_a_breach_is_too_late/