STE WILLIAMS

Hack reveals passwords from locked iPhones and iPads

Researchers have devised a method for stealing passwords stored on locked iPhones and iPads that doesn’t require cracking of the device’s passcode.

The technique, disclosed on Thursday by members of the Fraunhofer Institute for Secure Information Technology, requires physical access to the targeted iPhone or iPad, so remote attacks aren’t possible. But it takes less than six minutes to carry out, and the after-effects are easy to conceal, making it ideal to carry out on devices that are lost, stolen or temporarily unattended.

The hack exploits cryptography in the iOS password management system – known as keychain – that uses a secret key that is completely independent of the device’s passcode. That saves attackers who manage to access the file system the hassle of deducing a key that’s based on a passphrase set up by the user.

“After using a jailbreaking tool, to get access to a command shell, we run a small script to access and decrypt the passwords found in the keychain,” the researchers wrote in a paper (PDF). “The decryption is done with the help of functions provided by the operating system itself.”

The script also reveals always-encrypted account settings for things like user names and server addresses for all stored accounts, as well as the account clear-text secrets. The hack worked on a locked iPhone 4 running iOS 4.2.1, which was the most current firmware version at the time of writing. A demo of the attack is available on YouTube.

“The accessibility of keychain secrets without requiring the passcode is considered a result of a trade-off between system security and usage convenience,” the researchers wrote. “The passwords for network related services should be available directly from device startup, without having to enter the passcode first.”

The technique doesn’t retrieve passwords stored in parts of the device that remain off limits until the passcode is entered.

Still, the hack can reveal a wealth of sensitive codes, including those used for virtual private networks, Wi-Fi networks, LDAP accounts, voicemail systems and Microsoft Exchange accounts. And that’s likely to spook large business customers with employees that use the devices to connect to sensitive company systems. ®
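The trade-off the researchers describe is exposed to app developers as a per-item choice when writing to the keychain. The following Objective-C is an added example, not code from the article or from the Fraunhofer paper. The service and account names are made up, and it assumes that the “available directly from device startup” behaviour quoted above corresponds to the least restrictive accessibility classes (kSecAttrAccessibleAlways and kSecAttrAccessibleAfterFirstUnlock), while kSecAttrAccessibleWhenUnlockedThisDeviceOnly keeps an item under passcode-derived protection and stops it migrating through backups. It targets iOS (device or simulator); on macOS the accessibility attribute is only honoured by the data-protection keychain.

```objectivec
// Added example, not from the article or the researchers' paper.
// Build with ARC: clang -fobjc-arc -framework Foundation -framework Security
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Store a secret for service/account under the given keychain accessibility
// class. Any earlier item with the same service/account is removed first so
// the class is actually applied rather than inherited from an old item.
// Returns the OSStatus from SecItemAdd (errSecSuccess on success).
static OSStatus StoreSecret(NSString *service, NSString *account,
                            NSString *secret, CFStringRef accessibility) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:       (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService: service,
        (__bridge id)kSecAttrAccount: account,
    };
    SecItemDelete((__bridge CFDictionaryRef)query);

    NSMutableDictionary *item = [query mutableCopy];
    item[(__bridge id)kSecValueData] = [secret dataUsingEncoding:NSUTF8StringEncoding];
    item[(__bridge id)kSecAttrAccessible] = (__bridge id)accessibility;
    return SecItemAdd((__bridge CFDictionaryRef)item, NULL);
}

// Read the accessibility class back for an item, so a review can check what
// protection each stored credential actually carries. Returns nil if absent.
static NSString *AccessibilityOf(NSString *service, NSString *account) {
    NSDictionary *query = @{
        (__bridge id)kSecClass:            (__bridge id)kSecClassGenericPassword,
        (__bridge id)kSecAttrService:      service,
        (__bridge id)kSecAttrAccount:      account,
        (__bridge id)kSecReturnAttributes: @YES,
    };
    CFTypeRef result = NULL;
    if (SecItemCopyMatching((__bridge CFDictionaryRef)query, &result) != errSecSuccess) {
        return nil;
    }
    NSDictionary *attrs = CFBridgingRelease(result);
    return attrs[(__bridge id)kSecAttrAccessible];
}

int main(void) {
    @autoreleasepool {
        // Weak setting (constructed names): decryptable whenever the device is
        // powered on, which is the situation the article describes for
        // network credentials. Apple has since deprecated this class.
        OSStatus weak = StoreSecret(@"example-vpn", @"alice", @"hunter2",
                                    kSecAttrAccessibleAlways);
        // Hardened setting: only decryptable while the device is unlocked,
        // and bound to this device so it does not migrate through backups.
        OSStatus strong = StoreSecret(@"example-mail", @"alice", @"hunter2",
                                      kSecAttrAccessibleWhenUnlockedThisDeviceOnly);
        NSLog(@"vpn item: status %d, class %@", (int)weak,
              AccessibilityOf(@"example-vpn", @"alice"));
        NSLog(@"mail item: status %d, class %@", (int)strong,
              AccessibilityOf(@"example-mail", @"alice"));
    }
    return 0;
}
```

A credential that genuinely has to work before the first unlock (a VPN that connects at boot, say) legitimately needs one of the weaker classes; the point is to make that choice explicitly for each item and review it, so that a secret which is only ever used while someone is holding the unlocked phone does not end up in a class the described script can read on a locked one.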


PCC Rules that Tweets are deemed Public

08 February 2011 – [London]
The Press Complaints Commission (PCC) has ruled that messages on Twitter should effectively be considered public.

Sarah Baskerville, a Department for Transport manager, last year published a series of tweets critical of the coalition’s cuts, attacking Downing Street “spin” and telling her 700 followers that the leader of a training course she attended was “mental”. The comments were published in the Daily Mail and The Independent on Sunday in November. Ms Baskerville said this information was only meant to be seen by her followers. Deciding in the newspapers’ favour today, the PCC said the fact that tweets are publicly accessible on the web was key.

Sony tweets ‘secret’ key at heart of PS3 jailbreak case

An official Sony Twitter account has leaked the PlayStation 3 master signing key at the heart of the company’s legal offensive against a group of hackers being sued for showing how to jailbreak the popular game console.

Kevin Butler, a fictional PS3 vice president, retweeted the metldr key in what can only be assumed was a colossal mistake.

“Lemme guess… you sank my battleship?” he wrote in a post to the micro-blogging website that has been preserved for all the world to see. It goes on to include the key and the ironic words “Come at me.” The message was later removed from Butler’s tweet stream with no explanation why the key was leaked and then removed.

In a lawsuit filed in federal court in San Francisco last month, Sony accused well-known jailbreaker George Hotz, aka geohot, and more than 100 other hackers of violating US copyright law by disclosing the key, which is used to sign games and software that run on the PS3. Last week, Sony expanded its legal dragnet when it filed a series of motions seeking the identity of YouTube and Twitter users who did nothing more than discuss the issuance of the key or view videos showing how the latest hack worked.

Sony contends that videos and web postings disclosing the key violate provisions of the Digital Millennium Copyright Act that prohibit the circumvention of technology designed to prevent access to copyrighted material. Two weeks ago, the judge presiding over the case tentatively ruled Sony was likely to prevail on those claims and issued a temporary restraining order to prevent what she said would be “irreparable harm” if Hotz wasn’t required to surrender all his computer gear and remove all references to the hack that he posted online.

Sony’s gaffe shows just how futile Sony’s attempts are to prosecute people who discussed the key, said Stewart Kellar, the San Francisco attorney representing Hotz.

“It just demonstrates that the restraining order here will not prevent imminent irreparable harm to Sony because if there is harm it’s already occurred,” he told The Register. “The key is already out there. Restraining George will not stop the key from being distributed.”

A court hearing is scheduled for Thursday in the case so the judge can hear arguments that the temporary restraining order is overbroad and should be rescinded.

Sony, which says it’s sold about 44 million PS3s, has said its suit is necessary to prevent pirated games from running on the console. Hotz and members of the fail0verflow hacking collective, which in December published a PS3 jailbreak technique independent of Hotz, insist the hacks expand the functionality of the console so it can run custom, “homebrewed” applications that aren’t covered by copyright.

Last year, the US Copyright Office exempted iPhone jailbreaking from the DMCA so the handsets can run apps not officially sanctioned by Apple. Game consoles are unaffected by that act.

An email sent to Butler and a phone call to Sony’s PR department weren’t returned.

Corporate Governance: Definition

I came across a good definition of Corporate Governance today:

Governance is the sum of all international and national rules, regulations, values and principles, which are binding for our company and determine how to lead and supervise. Therefore Corporate Governance is very complex and includes obligatory and voluntary measures: Observing laws and regulations, following approved standards and recommendations as well as developing and following group-owned guidelines.

Corporate Governance means “responsible management and control” in order to safeguard the company and all employees.

Bill Gates: Killing The Internet is Easy

Gun power trumps tweet power

By Gavin Clarke in San Francisco

Posted in Networks, 2nd February 2011 05:48 GMT


When the revolution comes, someone’s always ready to tell you how Facebook and Twitter are powering history.

The problem is that while they’re still standing, governments can snuff out Facebook and Twitter whenever they like. All they need do is flip the “off” switch on the servers, routers, and wireless equipment used by local service providers.

Just ask Bill Gates.

When US TV anchor Katie Couric asked the Microsoft co-founder and chairman if he was surprised that Egyptian president Hosni Mubarak could take the unprecedented step of killing the entire Egyptian internet, Gates responded with an emphatic: “no”.

Sometimes, he knows what he’s talking about.

“It’s not that hard to shut the Internet down if you have military power where you can tell people that’s what’s going to happen,” Gates said. “Whenever you do something extraordinary like that you’re sort of showing people you’re afraid of the truth getting out, so it’s a very difficult tactic, but certainly it can be shut off.”

Web traffic analysis firm Renesys, tracking the blackout, encapsulated the enormity of the situation here:

Every Egyptian provider, every business, bank, Internet cafe, website, school, embassy, and government office that relied on the big four Egyptian ISPs for their Internet connectivity is now cut off from the rest of the world. Link Egypt, Vodafone/Raya, Telecom Egypt, Etisalat Misr, and all their customers and partners are, for the moment, off the air.

And yet the Egyptian protests continue – without Twitter and Facebook.

As US chat-show host Conan O’Brien, himself the victim of a botched power struggle, apparently put it: “If you want people to stay at home and do nothing, why don’t you turn the internet back on?”

Next stop: the leader of the free world contemplates its own internet kill switch. ®


Money is more important

Money is more valuable than security. Simple. It’s even more valuable than the security used to protect your money. Strange, huh?
That’s why corporates are insured up to the hilt. Even in situations where insurers reject claims on the basis that poor security facilitated the loss of money or assets, companies will spend more money on legal suits to recover the amounts than they would to address the security issues that led to the loss in the first place.

First DOS-based malware celebrates silver jubilee

The first virus capable of infecting DOS-based PCs celebrates its silver jubilee this month.

The Brain Virus, written by Pakistani brothers Basit and Amjad Alvi, was relatively harmless. The Alvis claimed the malware was there as a copyright protection measure to protect their medical software from piracy, an article by CIO magazine on the anniversary recalls.

Brain replaced the boot sector of an infected floppy disk with malicious code, moving the real boot sector to another part of the disc. The malware had the effect of slowing down disk access and, more rarely, making some disks unusable.

Any other floppies used on a machine while the virus was in memory would get infected, but the malware did not copy itself to hard disk drives, as explained in a write-up here.

The Lahore-based Alvi brothers were fairly upfront about their questionable actions, going as far as embedding their names and business address in the malware code. Although intended only to target copyright violators, the malware infected machines in the US and UK among other places.

It’s hard to believe now, but the very few computer viruses prior to Brain infected early Apple or Unix machines.

It is highly unlikely any of today’s generation of VXers would do the same. Instead of curios such as the Brain virus, security threats these days take the more ominous form of Zombie botnet clients.

The Alvi brothers could never have imagined we’d get here, even though they arguably helped pave a small part of the way towards a world of Windows malware.

Lush website hack ‘exposes credit card details’

Luxury cosmetics firm Lush has ditched its UK website in response to a sustained hacking attack which left users vulnerable to credit card fraud.

The firm warns that credit card details submitted to the Lush.co.uk site between 4 October and 20 January may have been compromised by the assault by unknown hackers. Customers are advised to contact their bank as a precaution.

Lush wrote to its customers about the problem via email, copies of which were forwarded to us by several Reg readers. One reader reports that the credit card of a friend who had bought goods from Lush was subsequently used in a failed attempt to fraudulently purchase electrical goods online, anecdotal evidence that suggests the risk of fraud arising from this breach is far from theoretical.

E-commerce outlets sometimes suspend their website upon the discovery of a security compromise, restoring them once it’s decided that underlying problems that might have allowed an attack have been fixed. Lush has gone much further than this and decided to “completely retire” the present version of its website.

“Our website has been the victim of hackers,” a statement on Lush’s soon-to-be-abandoned website explains. “We refuse to put our customers at risk of another entry – so have decided to completely retire this version of our website.”

The cosmetics retailer plans to launch a completely new website, one that initially at least will only accept PayPal payments.

Lush’s shops and mail order systems, run separately and not affected by the hack, will continue to trade as normal. UK-based Lush maintains multiple country specific websites throughout Europe, the US and parts of Asia. All appear to be trading as normal.

A quirky statement on Lush’s UK website, which links to a video ad promoting Lush and featuring glove puppets, concludes with a message to the unknown hackers. “If you are reading this, our web team would like to say that your talents are formidable. We would like to offer you a job – were it not for the fact that your morals are clearly not compatible with ours or our customers,” it said.

Lush’s website statement leaves plenty of questions unanswered, not least how many records were exposed by the attack and what went wrong with its UK site. The continued operation of multiple country-specific sites by Lush sits oddly with its decision to ditch, rather than just suspend, its UK site.

A spokeswoman said that Lush was in the process of putting together an updated statement on the incident, which we await with interest. She declined to answer our questions on how many records might have been exposed.

EU climate exchange website hit by green-hat hacker

An EU Climate Exchange website was hacked as part of a political protest against carbon credits by a green-hat defacement crew.

The front page of the ECX.eu website was sprayed with digital graffiti lampooning the concept of applying a market-based approach to tackling carbon emissions. An anonymous group of hacktivists called Decocidio claimed responsibility for the attack, which took place late on Friday.

The hack highlighted the group’s opposition to carbon trading as a means of tackling climate change, and contained links to activist groups Earth First, Climate Justice Action, and the Hack Block as well as an embedded video called The Story of Cap and Trade. Archived copies of the defacement, which carried the headline Super Promo – Climate for sale, can be found here, on a blog maintained by former TV meteorologist Anthony Watts.

The defacement was purged over the weekend and the ECX.eu was restored to normal operation by Monday morning.

IndyMedia Australia has more on the background and motivations of the hack’s perps here. Decocidio preposterously describes its attack as a public act of digital direct action.

Doubtless, as we speak, the perps are camped out in Epping Forest eating lentils and listening to 80s anarcho-vegetarian agitpop from the likes of Crass or Flux of Pink Indians.

Netcraft reports the Climate Exchange website runs Apache on Linux. It’s unclear how the attack was carried out or whether any deeper compromise of databases or other sensitive information was achieved. The vast majority of website defacements do not coincide with deeper breaches.

Attacks against climate change or research websites carry an extra political weight, especially after the CRU breach last year.

A hack against the University of East Anglia last November resulted in the exposure online of emails and other documents from staff at its Climatic Research Unit. The so-called Climategate breach resulted in a huge political controversy over the methodology of the scientists, with researchers on either side of the climate change debate using extracts from the documents to back up their positions.

National Identity Card holding chumps have buyer’s remorse

The horror that was the National Identity scheme may be dead – its end pronounced yesterday – but it is not altogether gone and now, zombie-like, supporters of the ID card are returning to haunt the Coalition.

And while el Reg has not been known for its support of the scheme – or the NI register that under-pinned it – it is possible that the complainers have a point.

In the months between the launch of the National Identity card and its abrupt termination at the hands of the Coalition, some 30,000 individuals are estimated to have signed up for the card, at a modest £30 a time.

Fingerprinted, photographed and details neatly recorded, the promise to these identity guinea pigs was less hassle at banks and shops throughout the UK – where the demand for documentation grows ever more pressing – and the ability to carry their card with them at all times while abroad, instead of the rather more cumbersome and costly UK passport.

Two individuals who took up the offer were Angela Epstein, a freelance journalist, frequently to be found writing for the Good Health section in the Mail, and Investment Banking Consultant Nicholas Hodder. They are not best pleased that the cards are being scrapped – though for slightly different reasons.

Ms Epstein, who was the very first individual in the UK to sign up for a card, feels that the card performed a useful function: she will mourn its passing. She is also less than amused that the government is scrapping her 10-year card without providing a refund.

Mr Hodder made extensive use of his card when abroad, presenting it at border checkpoints in excess of 30 times. He dislikes carrying a passport: he finds the card that much more convenient.

Both were on the BBC last week, on Rip-off Britain, making the case for the government to offer either a refund, or continued recognition of the card, over its lifetime, for those who do not opt to receive their money back. Mr Hodder points out that at UK Borders, the only check made is whether cards or passports are blacklisted. So there are no major database implications of retaining the card as a stand-alone identity document.

These views have gained some ground in Parliament. In November, the matter was debated in the Lords, where peers on both sides of the House expressed dissatisfaction at the proposal to scrap the cards without providing a refund.

Lord Brett pointed out that although the intention to scrap them had been made perfectly clear by both Tory and Lib Dem manifestoes, neither party had stated a position on whether it would offer a refund or not.

Lib Dem peer Lord Phillips of Sudbury reckoned that few ordinary members of the public would have read the manifestoes. Speaking of his own experience, he said: “I will be quite frank – I did not even read my own party’s manifesto. It was 115 pages long, for a start.”

He also queried the view expressed by the deputy director of policy at the Identity and Passport Service, who claimed that the ID card was not a consumer good – and therefore exempt from consumer protection law.

Putting in a plug for UK SMEs, Lord Erroll expressed scepticism about a claimed £20m needed to refund the card cost, suggesting that the government “have clearly fallen into the hands of the large systems integrators again, who are siphoning off our taxpayers’ money to America”.

On 17 November, the Lords voted an amendment to the Identity Documents Bill that would have required the government to pay compensation to cardholders. This was agreed on 24 November and passed across to the Commons earlier this week as part of the process known as “parliamentary ping-pong” which takes place whenever Lords and Commons cannot agree on an issue. The Commons has now appointed a Committee of MPs to look into the matter.

According to a statement from the Identity and Passport Service: “The Identity Card scheme has already cost the taxpayer millions of pounds. Combined with development work on biometric data, some £292 million has been spent on ID cards.

“The amendment to pay refunds would add a further cost to be picked up by the taxpayer.

“The Government will reverse this expensive change when the Bill returns to the Commons.”

With the abolition of ID cards becoming law yesterday, Mr Hodder’s suggestion is pretty much history: however, the question of whether or not to pay refunds is a quite different matter, and despite Home Office hopes to the contrary, it may yet be one that returns to bite the government, in the courts.