STE WILLIAMS

Kindle hackers give Nook a thorough rooting

Gadget enthusiasts have managed to root the Nook Tablet.

The Android-based device, only unveiled by Barnes & Noble in the US last week, was pwned by the same group of developers who previously rooted the Amazon Kindle Fire. In both cases rooting the devices gives users the ability to install apps themselves, rather than being restricted to those offered by the manufacturer.

More details on how the Nook hack was carried out can be found on the XDA Developers forum, together with users’ mixed experiences, here. Not everyone can successfully complete the rooting process, though many can, suggesting that the script which pulls off the job may be either unreliable or (more likely) fiddly and in need of refinement.

The Nook Tablet is an eBook reader with a colour screen that also includes the ability to watch videos, view photos and play music. It includes Wi-Fi connectivity. Like its predecessor the device is only sold in the US, at least for now, because of a lack of distribution partners in either Europe or Asia Pacific. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/nook_tablet_rooted/

Google guru blasts Android virus doomsayers as ‘charlatans’

Google’s open-source program manager has launched an entertaining rant against firms offering mobile security software, accusing them of selling worthless software and of being “charlatans and scammers”.

Chris DiBona, Google’s open-source programs manager, argues that neither smartphones based on Google’s Android nor Apple’s iOS need anti-virus protection. Anyone telling you different is a snake-oil salesman, he said.

“Virus companies are playing on your fears to try to sell you BS protection software for Android, RIM, and, iOS,” DiBona said on Google+. “They are charlatans and scammers. If you work for a company selling virus protection for Android, RIM or iOS, you should be ashamed of yourself.”

He argues that smartphones are inherently more secure than PCs, and admits that mobile malware is not mythical but says it has rarely, if ever, caused much of a problem.

“No major cell phone has a ‘virus’ problem in the traditional sense that Windows and some Mac machines have seen,” he said. “There have been some little things, but they haven’t gotten very far due to the user sandboxing models and the nature of the underlying kernels.”

“No Linux desktop has a real virus problem,” he added.

It seems a report from Juniper Networks last week noting “exponential growth” in Android malware, blamed on the looser controls in the Android Market than those applied by Apple, provoked the Google guru’s splenetic outburst. DiBona doesn’t call out any of the mobile security charlatans he castigates so strongly by name but there’s no shortage of candidates.

Many anti-virus firms have branched out into offering security software for Android, including commercial products from Kaspersky Lab, F-Secure and Symantec. Lookout Mobile and AVG’s DroidSecurity offer basic protection software at no charge to consumers. Some security firms, Lookout and Intego, offer more basic security packages for iOS but without bundled anti-virus protection, which is not supported by iOS. Windows Mobile anti-malware is covered by the likes of F-Secure and others. Hardened BlackBerry devices exist but we’ve never come across a firm offering BlackBerry security software as a stand-alone product. Viruses targeting BlackBerry remain unknown.

Security firms said DiBona has misunderstood both the threat and the capabilities of their products. Kaspersky Lab said that cybercrooks are migrating towards Android as the platform increases in popularity. The main problem is Trojans, malicious applications that pose as something useful to a smartphone user, rather than viruses. Kaspersky reckons one Trojan – DroidDream – has already infected 100,000 users.

Mikko Hypponen, F-Secure’s chief research officer, tweeted, “What @cdibona [Chris DiBona] is missing is that these tools do much more than just antivirus: Antitheft. Remote lock. Backup. Parental control. Web filter.”

Talk of exponential malware growth is justified but needs to be put into context: the huge rise is coming from a base of almost nothing, and the raw figures remain trivial compared to the Windows virus plague. Specialist mobile security firm Lookout, for example, estimates mobile malware instances have more than doubled to nearly 1,000 over the last four months alone. Windows malware estimates routinely exceed 5 million. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/mobile_security_dust_up/

Boffins: SOPA breaks DNSSEC, and won’t work anyway

It isn’t actually news as such: while the DoE’s own Sandia Labs has warned that the notorious Stop Online Piracy Act is a threat to the deployment of secure DNS – DNSSEC to its friends – the fragility of the protocol has been discussed for ages.

The problem is this: an end-to-end protocol is the simplest way to ensure that a browsing session isn’t hijacked along the way by a fake DNS record. Sandia’s letter is, in that sense, merely reiterating what’s already known.

DNSSEC proposes just such an end-to-end protocol. In today’s insecure world, the ordinary end user has very little opportunity to verify that foo.bar really is 192.168.0.10 rather than 192.168.1.10* – which opens the way to DNS hijacking and makes DNSSEC necessary.

The secured version of DNS performs the same basic function of DNS: it’s still a distributed, queryable database that allows humans to put http://www.theregister.co.uk/ into their browser bar, and get directed to 92.52.96.89 to actually get the content. But it mandates that the domain record used for that resolution is cryptographically signed.

As this paper, cited by Sandia, puts it:

“When implemented end-to-end between authoritative nameservers and requesting applications, DNSSEC prevents man-in-the-middle attacks on DNS queries by allowing for provable authenticity of DNS records and provable inauthenticity of forged data. This secure authentication is critical for combatting the distribution of malware and other problematic Internet behavior.

“Authentication flaws, including in the DNS, expose personal information, credit card data, e-mails, documents, stock data, and other sensitive information, and represent one of the primary techniques by which hackers break into and harm American assets.”

The paper was published in May 2011, in response to a different piece of mandated DNS poisoning stupidity, and is entitled Security and Other Technical Concerns Raised by the DNS Filtering Requirements in the PROTECT IP Bill.

“By mandating redirection, PROTECT IP would require and legitimize the very behavior DNSSEC is designed to detect and suppress,” the paper states. “[A] DNSSEC-enabled browser or other application cannot accept an unsigned response; doing so would defeat the purpose of secure DNS. Consistent with DNSSEC, the nameserver charged with retrieving responses to a user’s DNSSEC queries cannot sign any alternate response in any manner that would enable it to validate a query.”

(It’s worth noting that this latter statement only holds true in a world that’s completely adopted DNSSEC; as Sandia points out, when the majority of assets are still unsigned, browsers will still accept unsigned responses.)

In other words, the fools sockpuppets legislators proposing SOPA’s DNS-interference mechanism have done so when the impact of their thought-bubble was already known.

Moreover, as was pointed out to The Register by Australian Internet luminary Geoff Huston, DNSSEC is designed such that if a fake record is returned – for example, if a US court orders that infringing-site.com returns any address other than the authoritative record – it’s detectable.

“The NXDOMAIN response is a visible fake response in a DNSSEC world. And if you chose to block by non-response, then the DNSSEC NSEC records will again show that this is a lie,” he told us in an e-mail.

Even worse, Huston said, legislation like SOPA could encourage the formation of “darknet” alternative DNSs.

“This will not switch off the content, but will provide impetus for the formation of ‘alternate’ DNS worlds which include the blocked domain names,” he wrote.

“To what extent these alternative worlds will then be populated by ‘fake’ banks, ‘fake’ governments and all other kinds of attempts at trickery is an open question, but it is unlikely that the darker alternate DNS world will be any better than what we have today. So in effect, they argue, these attempts to suppress bad content through mucking around with the DNS encourages other forms of mucking around with the DNS, and that’s not a good thing.”

Nor will the measures proposed in SOPA actually block the content, since users will still be able to locate the “banned” resource directly using the IP address, by running a local resolver, using a foreign resolver, or by editing their hosts file.

As Sandia states, “Even non-technical users could learn to bypass filtering provisions.” ®

*Yes, I know 192.168.nnn.nnn is reserved. It’s an example. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/20/sopa_breaks_dnssec/

Scotland Yard e-cops ‘fighting to save Xmas’

UK cybercops have managed to dismantle more than 2,000 fraudulent shopping websites that have ripped off thousands.

The Met’s Police Central e-Crime Unit (PCeU) hopes smashing the online rogue traders will make online shopping in the run-up to Christmas much safer. The dodgy sites targeted by the action purported to sell a raft of designer goods, including brands such as Nike, GHD, Tiffany and Ugg at bargain prices. In reality many of the sites either took money without delivering the goods or supplied knock-offs.

The scam sites, which hoodwinked thousands and netted fraudsters millions, also created an identity theft risk. Credit card details and other personal information supplied to the sites might easily have been used to make fraudulent internet purchases or to establish lines of credit under false names.

The coppers worked with domain name registries and registrars to investigate the sites prior to the take-down operation, which was announced on Friday.

Detective Inspector Paul Hoare of the PCeU commented: “The sites suspended are registered in bulk by crime groups with the sole intention of duping consumers into parting with their money for, at best, poor quality counterfeit goods, or, at worst, nothing at all. In the run up to Christmas the PCeU will continue to work with Nominet and others to disable as many such sites as possible, but I would urge customers to take all precautions to ensure they buy from legitimate sites only.”

Further advice on safe online shopping can be found at Get Safe Online, Consumer Direct and The Metropolitan Police Service Fraud Alert site. Although billed as a fraud alert website, most of the content offers advice to both consumers and businesses on commonplace scams, rather than specific warnings about particular websites. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/uk_cybercops_fruad_site_takedown/

Hire-car data scraper becomes Catcher in the Rye

Software used to target ads for rental cars has been successfully applied to keeping British youngsters in education or employment after leaving school.

The predictive risk modelling software from IBM was turned to an unusual use by the Kent-based Medway Youth Trust after an employee had a brainwave.

Aware that it is easier to help kids before they get into trouble rather than when they’re unemployed, unqualified and dabbling in petty crime, Data Quality Manager Gary Seaman decided to apply customer behaviour algorithms to information about young people to predict who was likely to wind up in trouble so that the youth services could reach them before they did.

And they decided to use software bought by companies like Avis and life insurers. The result is the Hidden Patterns social enterprise that aims to rescue kids with data. IBM donate the charity their predictive behaviour software for free and the trial has been running since February.

Using data to predict who’s going to get into trouble

Medway CEO Graham Clewes told us that out of the 732 Year 11 students identified by the software in February, 648 were currently in some kind of further education or job: an outcome which is more positive than expected and has saved the 16-17 year olds, who were all at risk of dropping out of the system, from becoming NEETs, the hard-to-reach “Not in Education, Employment or Training” group. NEETs end up costing the government hundreds of thousands of pounds in benefits, healthcare and other problems.

“It’s much easier to get to a young person if they’re still in learning than if they’ve been out for several months,” says Clewes.

The software has saved weeks of staff time as research tasks that could have spanned a fortnight were whittled down to a matter of hours when automated by a computer. It also helps the Medway Trust access and correlate info that would otherwise have been lost.

The stats that show you’re on the wrong path

The IBM software is particularly powerful because it will search through text as well as statistics. This means it brings in information that other data scrapers miss and provides a more complete picture than previously possible.

Information scraped by Medway software includes: CVs, medical records, school reports, write-ups of interviews with youth workers, social care reports and statements by the young person.

That info is combined with date of birth, ethnicity and reports on the young person’s family situation.

“We looked at a lot of technology companies,” says Clewes. “The key thing is that the IBM software analyses text data … it meant that we were able to draw out what patterns might be hidden.”

For example, if a young person is getting alcohol counselling through their local church, not through the NHS, a straightforward trawl of stats wouldn’t find that info, but if the issue has come up in a conversation with a youth worker, then it will be noted by the Hidden Patterns software.

Clewes stressed that all teens sign consent forms before their data gets used. It is kept confidential and teens can opt for their parents not to see the reports.

The software that can predict insurance sales – and teenagers

The kid-saving software is from the IBM SPSS Predictive analytics suite acquired by IBM when they bought out SPSS in October 2009. It analyses data to predict behaviour.

IBM explain that it uses:

Advanced mathematical and statistical expertise to extract predictive knowledge that when deployed into existing processes makes them adaptive to improve outcomes.

The modeller is the engine of the programme:

IBM SPSS Modeler enables you to discover hidden relationships in both structured and unstructured (text) data – and anticipate the outcomes of future interactions.

Medway Youth Trust has now set up a social enterprise which aims to help other charities, local authorities and central government organisations develop similar models for predicting and reducing NEET status among young people. Over 30 local authorities have expressed interest and Medway are in discussion with the department of Education. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/21/ibm_risk_modelling_software_used_to_keep_kids_in_school/

Second water utility reportedly hit by hack attack

Images posted online suggest that hackers may have gained unauthorized access to computers controlling a second water treatment facility, a claim that raises additional concerns about the security of the US’s critical infrastructure.

Five computer screenshots posted early Friday purport to show the user interface used to monitor and control equipment at the Water and Sewer Department for the City of South Houston, Texas. They were posted by someone calling himself pr0f to counter comments included in a Register article posted on Thursday in which a US Department of Homeland Security spokesman responded to reports of an attack on a separate water plant by saying there was no “credible corroborated data” indicating critical infrastructure was at risk.

“I dislike, immensely, how the DHS tend to downplay how absolutely FUCKED the state of national infrastructure is,” the post stated. “I’ve also seen various people doubt the possibility an attack like this could be done.”

pr0f went on to post what he claims is proof that internet-connected computers controlling other industrial equipment are easily accessible to unauthorized parties. The five pictures show what appears to be the HMI, or human machine interface, controlling highly sensitive equipment used by South Houston’s Water and Sewer personnel. One interface depicts an apparatus for monitoring and controlling the city’s waste-water treatment plant, including a power generator and what appear to be “blowers”, which control air flow.

[Image: water treatment SCADA screenshot, one of five images posted by ‘pr0f’]

The Register was unable to confirm claims that the images were obtained through the unauthorized access of the system. City officials have yet to confirm or deny pr0f’s claims, and representatives with DHS didn’t respond to an email seeking comment. The possibility that screen captures of the city’s industrial control systems were made by authorized employees for training or other purposes and later obtained by pr0f can’t be ruled out.

The posting comes a day after industrial control systems security expert Joe Weiss disclosed contents of a November 10 report from the Illinois Statewide Terrorism and Intelligence Center. It claimed that a pump belonging to a regional water utility in that state was destroyed by hackers who gained access to supervisory control and data acquisition systems that manage the utility’s machinery. That report remains unconfirmed, although the DHS spokesman said officials from his agency and the FBI are investigating.

While the events over the past two days have yet to be verified, there’s no denying that huge amounts of machinery used in gas refineries, power plants, and other industrial facilities are controlled by computers that are connected to the internet. This raises the specter of core parts of the nation’s infrastructure being taken over and sabotaged if hackers figure out ways to bypass their security controls. Officials are frequently aware of the risks, but financial constraints and personnel matters often trump those concerns.

“For folks with less resources available and tighter budgets, (there’s) web-based remote access,” said Michael Assante, a SCADA security expert and president of the National Board of Information Security Examiners, a nonprofit focused on security workforce training. Having controls available over the internet means many cash-strapped agencies don’t have to have dedicated SCADA engineers on premises around the clock, he explained. “They’re trying to use the technology to maximize the resources they have available to them.” ®

This article was updated to clarify blowers.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/18/second_water_utility_hack/

Men busted ‘for touting Facebook and Twitter shares’

The US Securities and Exchange Commission has closed down an investment scam that was touting pre-IPO shares in Facebook, Twitter, Zynga and Groupon.

The SEC alleges that Florida resident John Mattera and others set up a new hedge fund named The Praetorian Global Fund. The Commission alleged that the suspects had claimed to potential investors that they, and other entities, had tens of millions of dollars worth of shares in the tech firms before their initial public offering.

Mattera and his partners Brad Van Siclen, David Howard, Joseph Almazon and John Arnold, allegedly encouraged the investors to part with their cash to be put into an escrow fund to purchase the shares when the time came, and the SEC said they had managed to bag $12m from investors all over the US in the last 15 months.

According to the SEC, none of the individuals ever had any shares in the companies, which also included firms like Bloom Energy and Fisker Auto. The money that was supposed to be going into escrow was actually just going into the personal accounts of Mattera and Arnold, the SEC said.

The Commission asserted that after Arnold had taken his cut, Mattera then grabbed the rest of the dosh to “afford his lavish personal expenses” and to pay the rest of the gang.

“By conjuring up a seemingly prestigious hedge fund and touting the safety of an escrow agent, these men exploited investors’ desire to get an inside track on a wave of hyped future IPOs,” George Canellos, director of the SEC’s New York office, said in a canned statement.

“Even as investors believed their funds were sitting safely in escrow accounts, Mattera plundered those accounts to bankroll a lifestyle of private jets, luxury cars, and fine art.”

The US attorney’s office for the southern district of New York, which was carrying on a parallel investigation, has now filed criminal charges against Mattera and arrested him.

The SEC is now looking for the courts to freeze the assets of all five men and eight different corporate entities listed in the complaint (PDF).

Apparently, it’s not the first time some of these guys have been involved in white-collar crime. Mattera has been in trouble with the SEC before and been “the subject of several state criminal actions”, while Howard was charged by the commission earlier this year for his part in a boiler room operation (a busy and slick telephone operation to sell questionable goods or go the whole hog and do some outright stock fraud). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/18/pre_ipo_share_scam_facebook_twitter/

Cryptocard gobbles tasty, dead number puzzle startup

Cryptocard has acquired the patents and intellectual property of GrIDsure, a UK pattern-based authentication start-up that became insolvent earlier this month. Terms of the deal, announced Friday, were undisclosed.

The acquired technology will be added to Cryptocard’s existing cloud-based authentication services portfolio, which already offers secure logins to enterprises and service providers based on SMS, software and hardware tokens. Adding grid-based tokens to the mix adds another option to Cryptocard’s BlackShield SaaS platform.

GrIDsure’s technology offers a mildly bothersome alternative to passwords. Users memorise the position of (say) four tiles on a grid of numbers instead of a static password. The numbers presented to users change every time they log in, but the position of the required tiles remains secret to the punter.
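The grid login described above, sketched as an added example (it is not GrIDsure's or Cryptocard's code). The 5x5 grid, the digit alphabet and all class and function names are assumptions made for illustration; the article only says users remember the position of "(say) four tiles".

```python
import hmac
import secrets

GRID_SIDE = 5     # assumed grid size; the article does not state one
PATTERN_LEN = 4   # "(say) four tiles", per the article


def new_challenge(side=GRID_SIDE):
    """Return a fresh side x side grid of random digits for one login attempt."""
    return [[secrets.randbelow(10) for _ in range(side)] for _ in range(side)]


def read_code(grid, pattern):
    """What the user types: the digits at their memorised positions, in order."""
    return "".join(str(grid[row][col]) for row, col in pattern)


class GridVerifier:
    """Server side: keeps each user's pattern and issues single-use grids."""

    def __init__(self):
        # The verifier must be able to recompute the expected digits, so the
        # pattern is a recoverable secret and needs protecting like a key.
        self._patterns = {}   # user -> tuple of (row, col) positions
        self._pending = {}    # user -> grid issued for the current attempt

    def enroll(self, user, pattern, side=GRID_SIDE):
        pattern = tuple(tuple(cell) for cell in pattern)
        if len(pattern) != PATTERN_LEN:
            raise ValueError("pattern must contain exactly %d tiles" % PATTERN_LEN)
        if any(not (0 <= r < side and 0 <= c < side) for r, c in pattern):
            raise ValueError("tile position outside the grid")
        self._patterns[user] = pattern

    def challenge(self, user):
        """Issue a new grid; any earlier unanswered grid is discarded."""
        grid = new_challenge()
        self._pending[user] = grid
        return grid

    def verify(self, user, code):
        # Consume the grid first, so every grid allows exactly one attempt
        # and a captured code cannot be replayed against the same grid.
        grid = self._pending.pop(user, None)
        pattern = self._patterns.get(user)
        if grid is None or pattern is None:
            return False
        expected = read_code(grid, pattern)
        # Constant-time comparison avoids leaking how many digits matched.
        return hmac.compare_digest(expected.encode(), code.encode())


if __name__ == "__main__":
    verifier = GridVerifier()
    secret_pattern = [(0, 0), (1, 1), (2, 2), (3, 3)]   # constructed sample
    verifier.enroll("alice", secret_pattern)

    grid = verifier.challenge("alice")
    for row in grid:
        print(" ".join(str(d) for d in row))
    code = read_code(grid, secret_pattern)
    print("user types:", code)
    print("accepted:", verifier.verify("alice", code))
    print("replayed:", verifier.verify("alice", code))
```

The digits typed differ on every login because the grid is regenerated, while the stored pattern never crosses the wire.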

The firm marketed its technology as an alternative to hardware tokens from the likes of RSA but it failed to gain traction in the marketplace fast enough. GrIDsure went into liquidation earlier this month after its investors declined to pump more money into its business, CRN reports.

A representative of Cryptocard confirmed that GrIDsure was insolvent; Companies House lists the biz as in liquidation. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/18/cryptocard_gridsure/

World’s first Win 8 malware ‘bootkit’ to debut next week

A security researcher said that he has developed malware for Microsoft’s forthcoming Windows 8 operating system that is able to load during boot-up when it’s run on older PCs.

Peter Kleissner said Stoned Lite – as the latest version of his bootkit is called – doesn’t bypass defenses that will be available to people using Windows 8 on newer machines.

Specifically, he said in a series of Twitter messages, it doesn’t work against PCs using UEFI (Unified Extensible Firmware Interface), which is being held out as a replacement to BIOS ROM firmware. Stoned Lite also doesn’t attack a low-level security feature known as Secured Boot, which scans boot drives for invalid signatures prior to starting up.

A previous boot kit – which Kleissner called Stoned – works on Windows 2000 through Windows 7 and is able to load before Windows starts by attaching itself to the master boot record of a targeted PC’s hard drive. Stoned Lite is able to do the same thing for Windows Server 2008 and Windows 8, the Vienna-based developer and researcher said. It works by bypassing the Windows User Account Control, and with a footprint of just 14KB, it can easily be unleashed from a USB or CD drive.

Kleissner said he plans to release further details at next week’s Malcon conference in India.

Microsoft’s announcement in September that it planned to use UEFI was almost immediately met with suspicion from open-source boosters, who claimed the feature could make it impossible to run systems such as Linux and FreeBSD on computers that had adopted the alternative firmware. Microsoft has denied such claims, but many critics still aren’t convinced.

Whatever the merits of that argument, the inability of Stoned Lite to penetrate UEFI and Secured Boot is the strongest endorsement to date that the features work as advertised. At least for now. ®

This article was updated to clarify UEFI and Secured Boot.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/18/windows_8_bootkit/