STE WILLIAMS

Man nabbed nude pics from women’s email accounts

A California man on Thursday admitted breaking into the Facebook and email accounts of hundreds of women and stealing nude and seminude pictures of them.

George Samuel Bronk, 23, of Citrus Heights, pleaded guilty to seven felony charges, including computer intrusion, false impersonation and possession of child pornography. He faces a maximum of six years in prison and will have to register as a sex offender.

When Bronk’s home was raided in September, investigators found more than 170 explicit photographs of women stored on his hard drive. The women resided in California and 16 other states as well as the UK.

Bronk acquired the pictures by trawling Facebook for women who included their email addresses and personal information, such as their favorite food, their high school or their mother’s maiden name. He then used those details to answer the password-reset questions for their email accounts. Once in, he searched the victims’ sent folders for nude or seminude pictures.

In some cases, he sent the pictures to everyone in the victim’s address book. In other cases, he threatened to make the pictures public unless the women sent even more explicit images. He told one woman he did it “because it was funny.”

The investigation began after one victim notified Connecticut State Police that her account had been breached. The agency then contacted the California Highway Patrol after discovering the perp was likely located there.

Investigators are having a hard time identifying the majority of the victims. In some cases, the investigators were able to rely on location tags embedded in the photos. Police have emailed 3,200 questionnaires to potential victims, but so far, only 46 women have come forward.

A press release from the California Attorney General’s office is here. ®

SAP buys secure login tech ERP

German software giant SAP has moved into the security market with the acquisition of identity and access management technology from Secude.

SAP, which is best known for its Enterprise Resource Planning and enterprise application software, plans to roll the secure login and enterprise single sign-on technologies it has acquired into its portfolio. The Secude deal, announced Wednesday, also involves the move of consulting staff to SAP, a move that will help its sales staff to flog SAP-owned security technology as an alternative to third-party add-ons.

SAP plans to bake the basic version of Secude’s secure login into future releases of its enterprise applications – at no extra cost. The technology will sit alongside SAP’s existing NetWeaver identity management technology, as explained in a statement by SAP here.

Switzerland-based Secude, which remains separate from SAP, plans to focus on developing and marketing its remaining data protection products. The financial terms of the deal were not disclosed.

More and more enterprise technology heavyweights are buying into security. SAP’s deal to acquire technology assets from Secude can be loosely compared to EMC’s decision to acquire RSA Security, the market leader in secure remote access, back in 2006, in a much larger and more significant deal. More recently there’s HP’s purchase of security tools firm ArcSight for $1.5bn, a move that strengthens its existing security portfolio, and Intel’s far more puzzling acquisition of McAfee.

Back in the day, security start-ups used to pine over an acquisition by the likes of Cisco or Symantec. These days a much larger range of potential suitors are available. ®

Vodafone Sacks Login Leakers

Vodafone has dismissed “a number of staff” following the misuse of login credentials that allowed unauthorized access to a Web portal meant to be accessible only to its employees and those of its resellers.

The data breach, misinterpreted as customer details being published on the Internet by a number of Australian media outlets earlier in the week, led to accusations that customer data such as credit card numbers was being stolen, and that people were misusing customer data to spy on individuals.

In an announcement made on Thursday, Vodafone re-stated that “customer records are not publicly available or stored on the Internet”.

The company says it is continuing to review its data security.

Questions will, however, remain. As pointed out to The Register by ANU professor and Australian Privacy Foundation chair Dr Roger Clarke, Vodafone will have to satisfy organizations like the Australian Privacy Commissioner that the portal used by staff and partners doesn’t provide access to more customer data than they need to carry out their normal functions. ®

SaaS Survey Results

Throughout this workshop, we have been looking at the factors that affect the acceptance of SaaS. Ultimately what it boils down to is trust, and when we look at what it is that creates trust, you tell us that the most important factors are:

  • A demonstrable track record on privacy and security
  • The quality of service and support

Looking at privacy and security, it is clear that for many of you there is still a long road to go before you are convinced of moving your applications and data beyond your firewalls and into the cloud. From the preliminary results of our survey on SaaS security, most of you are of the opinion, rightly or wrongly, that both SaaS security and privacy are worse than on-premise capabilities. In many cases there seems to be a defensive reaction to SaaS data storage, with apples-to-oranges comparisons that skirt the issue of how to share and collaborate securely and effectively:

“If I have my data stored locally then it can only be stolen / lost through my own incompetence. If it is stored in the Cloud then not only am I risking losing it through my own mistakes but also through those of other people. If files are stored on a device kept in my cupboard then not even the most incompetent network admin on the planet can cause it to get taken.”

Some feel that the SaaS model is still immature and has yet to prove itself worthy, and are waiting for it all to settle down before moving forwards, even if their own infrastructure is far from perfect:

“At least keeping our data in house, the equivalent of hiding our cash under the bed, means we are in control of it and know how it’s being looked after (even if it’s not that well). I think the cloud-computing industry needs to have successfully survived a few crises before we can categorically say that they’re safe enough to entrust with our company’s most precious assets.”

Arguably, the brouhaha surrounding Wikileaks is one of these defining events in the control of data held by a SaaS provider. Regardless of the rights or wrongs of Wikileaks in leaking confidential information, the fact that application and data hosting services have been terminated without a legal hearing should be of concern for all companies.

“The high-handed treatment of Wikileaks by Amazon highlighted a weakness of cloud services. They should be run on the principles relied upon by telephone companies and ISPs – they are not responsible for content. Amazon’s intervention was little less than political censorship. If every carrier in the Internet had this attitude nothing would get through.”

Few consider that SaaS can offer better security and privacy, although there are certainly those that have done their homework and are using SaaS confidently, or that as a SaaS provider have developed a trusted solution that is widely used:

“We have over 1 million users on a PCI/DSS certified cloud platform based in the UK.”

“If you look at most cloud systems they have all the usual stuff. Data centres, firewalls, physical security etc. There is more investment in on demand flexibility and distributed storage, which makes sense for anyone who wants 100% uptime. You are jumping on the back of someone else’s investment.”

The approach that the following companies have taken is to de-risk SaaS, evaluating it on a level with on-premise solutions or to an even higher standard:

“Yes, risk is an issue, but with the right risk policy and data protection plan you can choose the right provider for your services.”

“Use an appropriate standard that provides a higher level of assurance than your current processes. It is highly unlikely that your current processes will pass PCI/DSS, so if you outsource to someone that passes PCI/DSS you have given the job to someone that has passed a much higher level of vetting than your current operation and is thus lower risk.”

Central to risk management is the question of performance: do you trust the provider to actually do what is agreed, and what actions should be taken if something goes wrong? Judging by the feedback, there is a lot of concern here:

“And if your data is in Timbuktu, what about your outsourced admins? A UK admin might be approached with an offer of £50k for data/secrets; the likelihood is that he’ll turn it down and report the incident. Offered £1m you might get a bite. A similar £50k offer to someone who has a fraction of the UK salary and living costs would be just as tempting as £1m to someone in the UK.”

“Do we have any redress when, as they are certain to at some point, things go wrong? Who has a big enough stick to give them a smack on our behalf, occasionally, when they deserve it – or are cloud providers too big or nebulous to hurt?”

Another risk factor, of course, is what to do if you want to move providers or bring everything back in house. This is a real worry, and something that should be agreed upfront:

“Exporting the data if I should decide to leave my provider is almost certainly going to be hideously complex and expensive.”

In practice, we know that some SaaS providers have pretty good capabilities for data movement and exchange. From the comments we’ve had, it is important not to make assumptions but to check. Another area to look at is the role of emerging standards in easing the movement of data between applications, so that costly integration projects are not necessary when moving to another provider.

We know that service and support are major factors influencing the long term cost of ownership or service delivery. On an enterprise scale this needs to be localised and widespread in order for it to be responsive and relevant.

“A more important issue is can you phone them up if it goes wrong. At the cloud summit someone explained that support from Amazon and Google was non-existent – post in a forum and wait 3 months.”

The situation described above, if encountered in reality, would usually result in a swift termination of service and a move back in-house or to a competing provider. Support is commonly an Achilles’ heel for many IT solutions, not just SaaS, and its quality and capability will vary dramatically. Look for providers that can offer responsive support with local language skills, based on agreed SLAs, or engage with partners that can provide these capabilities on the ground.

It’s clear the jury is still out on SaaS applications, with divided opinions and a lot of gut instinct, rather than the cold light of experience, influencing the path taken. The evaluation of risk comes down to knowing what it is that you need or want and how to measure it. This is more easily said than done, and the problem is eloquently summed up:

“If you know what you need, you can find it in the cloud. But in my experience, I have not seen too many companies that know what they need.”

For many companies, this leads to implementing IT by default as the accepted path, but it’s not necessarily the best approach for IT or the business. It boils down to knowing what you need, and then selecting the best solution that fits, be it SaaS or a different on-premise solution.

Datacentre Networks

The job of a datacentre network is to connect the equipment inside to the outside world, and to connect the internal systems to each other. It needs to be secure, high performance and operate with an eye on energy consumption, with a guiding principle of minimising device numbers and costs, so you end up with a system that can do what’s needed while remaining as simple as possible.

Every facility is different, so there’s no off-the-shelf answer as to what exactly goes into a datacentre network. Component selection will vary according to budget, business requirements, site location and capacity, available power and cooling, and a host of other criteria depending on circumstances. That said, you’re likely to find that most datacentre networks arrive at common solutions to common problems and so look fairly similar.

You can conceive of a datacentre network as a series of layers, with the stored data at the bottom. On the first layer is the connection to the outside world – the internet – and, if it’s an enterprise’s own datacentre, to the rest of the company. If the datacentre is owned by a service provider and is servicing a number of external clients, the Internet connection and any other connections linking clients directly also sit on the outside ring.

The second layer, commonly referred to as the edge or access layer, consists of IP-based, Ethernet devices, such as firewalls, packet inspection appliances and switches, that route traffic to and from the core of the datacentre to the outside world. Here too sit many web servers in a so-called demilitarised zone or DMZ: hemmed in by firewalls, external visitors are allowed this far into the datacentre network but no further.

Below this is the core, with large, high-performance switches consisting of blades plugged into chassis, with each blade providing dozens of ports. The chassis is likely to be managed by a management blade, while other features such as security and traffic shaping can be provided by further blades. All data passes through these devices.

Closer to the servers will be a further layer, consisting of a series of switches, maybe one per rack or row of racks, depending on density, tasked with distributing data to and between servers in order to minimise load on the core.

Behind the servers, conceptually, is the main storage. This, the fourth and final layer, consists of a series of high-performance storage arrays connected via a Fibre Channel network that’s entirely separate from the main network. This means that only the servers can connect directly to the storage, although there’s likely also to be a link from the storage to the IP network for management purposes.

The Fibre Channel network needs separate switches and management systems to configure it, adding to IT staff’s workload, so this situation is slowly changing. In ten years’ time, industry analysts expect that most storage systems will be connected using the IP-based Ethernet network, probably running at either 40Gbps or 100Gbps.

Let’s look at an example of the network’s job. You click on a link in your browser, which generates a request for data that arrives at our datacentre via the Internet connection. The incoming request is scanned for malware, and is re-assembled and decrypted if WAN optimisation and encryption are in use. It’s then sent on to a switch in the access layer. This switch routes the request to a web server in the DMZ, which might be physical or virtual, and which might be fronted by a load balancer to allow a cluster of servers to handle high traffic levels.

The web server receives and processes the request. A response needs information from a database, so the web server calls for data from a database server at the core of the network.

The data demand is passed to a core switch which routes it to a database server. The processed request traverses the storage network, is pulled off the disks, arrives back from main storage, is packaged up and sent back to the web server. It’s then assembled into a web page and pushed back out the Internet connection.

While this is a broad-brush look at network design, it is the template with which a datacentre network designer will approach the problem of building a new network from scratch. ®

Cellphone tower data protected by US Constitution

A federal judge has ruled that subscriber data captured from cellphone towers is protected by the US Constitution’s Fourth Amendment guarantee against illegal searches and seizures.

The decision is part of a sea change from half a decade’s worth of previous rulings, in which police weren’t required to obtain search warrants based on probable cause before accessing the subscriber information. US Magistrate Judge Stephen Wm Smith of the Southern District of Texas said recent changes in case law and rapidly evolving mobile technology required a departure from the outcomes in that long line of cases.

“In 1789 it was inconceivable that every peripatetic step of a citizen’s life could be monitored, recorded, and revealed to the government,” he wrote in a decision that was released late last month but only noticed in the last few days. “For a cell phone user born in 1984, however, it is conceivable that every movement of his adult life can be imperceptibly captured, compiled, and retrieved from a digital dossier somewhere in a computer cloud. Now as then, the Fourth Amendment remains our polestar.”

The ruling – which seemed to make reference to the year the Constitution went into effect and the George Orwell novel – is a huge victory for privacy advocates, who have long argued that historical cell-site information gives the government the ability to track users’ location each time they make a call or send a text message. In this case, however, it would appear the government was seeking to electronically surveil targets “whether the phone was in active use or not,” Smith said.

The government’s request for permission to capture 60 days’ worth of tower data didn’t sit well with the judge, who likened the electronic record to “a continuous reality TV show, exposing two months’ worth of a person’s movements, activities, and associations in relentless detail.”

The decision follows August’s landmark decision in which a federal appeals court bashed warrantless GPS surveillance, ruling FBI agents should have obtained a search warrant before planting a GPS device on the vehicle of a suspected drug dealer. A few weeks later, a federal judge in New York ruled cell-tower data was also protected by the Fourth Amendment, rebuffing investigators who said there was no reasonable expectation such data is private.

The American Civil Liberties Union hailed Smith’s decision.

“The court reached this conclusion both because cell tracking reveals information about constitutionally protected spaces such as the home, and because the prolonged nature of such surveillance is very invasive,” Catherine Crump, of the ACLU’s Speech, Privacy and Technology Project, blogged.

A PDF of Smith’s ruling is here. ®

Cell Phone Search Needs No Warrant – California

California’s high court said police don’t need a warrant to read text messages stored on the cell phones of people taken into custody.

Monday’s 5-2 decision (PDF) relied on separate decisions from the 1970s by the US Supreme Court that upheld warrantless searches of cigarette packs and clothing taken from suspects after they were arrested.

Cell phones are no different, California Supreme Court Justice Ming Chin wrote for the majority in Monday’s decision. They went on to uphold an appeals court decision that the retrieval of an incriminating text message from a drug suspect’s handset didn’t violate the US Constitution’s protection against unreasonable searches and seizures.

The ruling came in the case of Gregory Diaz, who was arrested in 2007 for conspiracy to sell Ecstasy. Officers who confiscated his phone found a message that read “6 4 $80,” which was interpreted to mean the defendant would sell six pills for $80.

In a dissenting opinion, two associate justices said cell phones should be treated differently than other personal effects confiscated from a suspect because they’re capable of storing so much more information.

“A contemporary smartphone can hold hundreds or thousands of messages, photographs, videos, maps, contacts, financial records, memoranda and other documents, as well as records of the user’s telephone calls and Web browsing,” Kathryn M. Werdegar wrote in the dissent. “Never before has it been possible to carry so much personal or business information in one’s pocket or purse. The potential impairment to privacy if arrestees’ mobile phones and handheld computers are treated like clothing or cigarette packages, fully searchable without probable cause or a warrant, is correspondingly great.”

The warrantless seizure of cell phones has already been heard by other courts with varying outcomes, according to The San Francisco Chronicle. The split may prompt the US Supreme Court to take up the issue. ®

Lawyers fear Assange faces death penalty in US

WikiLeaks founder Julian Assange could be imprisoned at Guantanamo Bay or face the death penalty if he’s extradited to the US, his attorneys argued in court papers released Tuesday.

The document, which outlines the defense Assange’s legal team intends to use next month at a hearing over Sweden’s request for extradition, says Assange could be subject to other types of maltreatment that would violate the European Convention on Human Rights. They include the possibility of torture or, they hinted, “extraordinary rendition,” in which the CIA forcibly transfers suspected terrorists to countries where prohibitions against torture aren’t in place.

“There is a real risk that, if extradited to Sweden, the US will seek his extradition and/or illegal rendition to the USA, where there will be a real risk of him being detained at Guantanamo Bay or elsewhere, in conditions which would breach Article 3 of the ECHR,” the document stated. “Indeed, if Mr. Assange were rendered to the USA, without assurances that the death penalty would not be carried out, there is a real risk that he could be made subject to the death penalty.”

The document went on to cite references from former Alaska Governor Sarah Palin and former Arkansas Governor Mike Huckabee, who have both called for Assange to be treated as a terrorist.

Assange, 39, remains confined to a country mansion outside London on about $410,000 surety while a London court decides whether he should be extradited to Sweden. Prosecutors in that country are investigating claims by two women that Assange sexually molested them while visiting Sweden in August. Assange was previously cleared to leave the country after prosecutors there closed their investigation. When it was reopened, prosecutors sought Assange’s extradition, which the WikiLeaks founder has opposed.

Assange hasn’t been charged with any crime.

In the defense preview, Assange’s attorneys took issue with the extradition application of Swedish prosecutor Marianne Ny. Requests can be made only after a suspect has been charged with a crime that is subject to extradition, the attorneys argued. What’s more, prosecutors must exhaust all “normal procedures” for interrogating Assange, which has yet to happen, they argued.

“In short, Ms. Ny went from informal discussions about arranging an interview of Mr. Assange straight to the issuance of [a European arrest warrant], without taking the reasonable and proportionate, intermediary step of formally summoning him for an interview or formally requesting his interrogation,” they wrote. “The proper, proportionate and legal means of requesting a person’s questioning in the UK in these circumstances is through Mutual Legal Assistance.”

The defense preview was issued a few hours after Assange appeared at a brief court hearing attended by supporters including Bianca Jagger and heiress/socialite/humanitarian Jemima Goldsmith. ®

WikiLeaks lawyer dubs US subpoena on Twitter ‘harassment’

A US prosecutor’s demand that Twitter hand over data about WikiLeaks and a raft of its supporters amounts to harassment, a lawyer for the whistle-blower website says.

The claim comes amid revelations of documents the US Department of Justice secretly filed in federal court seeking detailed information associated with the accounts of WikiLeaks and several of its supporters, including Icelandic Member of Parliament Birgitta Jónsdóttir, founder Julian Assange, and Rop Gonggrijp and Jacob Appelbaum, who are hackers who have worked with Assange in the past. Pfc. Bradley Manning, the US Army intelligence analyst suspected of supplying WikiLeaks with classified government documents, was also targeted.

Mark Stephens, an attorney representing the secret-spilling website, told journalists over the weekend that the demands violate the US Constitution’s guarantee against unreasonable searches and seizures and amount to a shakedown.

“The Department of Justice is turning into an agent of harassment rather than an agent of law,” Stephens told Bloomberg News. “They’re shaking the tree to see if anything drops out, but more important they are shaking down people who are supporters of WikiLeaks.”

Stephens went on to tell Bloomberg that similar information was sought from Google, Facebook and eBay’s Skype division. Those companies have yet to confirm or deny that claim.

The government’s dragnet might never have come to light were it not for the actions of Twitter, which under the national security letters filed on December 14 in US District Court for the Eastern District of Virginia was forbidden from notifying its subscribers that their information was being demanded. Lawyers for the micro-blogging site filed a motion to unseal the court order and won last week.

The company easily could have complied with the order and faced “zero” liability for doing so, said Christopher Soghoian, a Ph.D. candidate in Indiana University’s School of Informatics and Computing, where he is researching data security, privacy and cyber law.

“It is wonderful to see companies taking a strong stance, and fighting for their users’ privacy,” he blogged. “I am sure that this will pay long term PR dividends to Twitter, and is a refreshing change, compared to the actions by some other major telecommunications and internet application providers, who often bend over backwards to help law enforcement agencies.”

He went on to highlight comments made a few years ago by eBay’s director of compliance boasting that the online auction house “has probably the most generous policy of any internet company when it comes to sharing information.” The site doesn’t require a subpoena “except for very limited circumstances,” the official went on to say.

Meanwhile Iceland’s Foreign Ministry has summoned the US Ambassador to Reykjavik to explain why investigators are dredging up the online activity of an Icelandic lawmaker. It’s not clear when the meeting will take place.

Stephens, the WikiLeaks attorney, said government investigators are using the data demands to learn as much as they can about the comings and goings of the targets, as well as their relationship to each other.

“What they will then do is take that data and analyze it in conjunction with data they get from Google, Facebook and the other social media, so that they can ascertain individuals that they feel they want to pay more attention to,” he told Bloomberg. ®

Researcher cracks Wi-Fi passwords with Amazon cloud

A security researcher has tapped Amazon’s cloud computing service to crack Wi-Fi passwords in a fraction of the time and for a fraction of the cost of using his own gear.

Thomas Roth of Cologne, Germany told Reuters he used custom software running on Amazon’s Elastic Compute Cloud service to break into a WPA-PSK protected network in about 20 minutes. With refinements to his program, he said he could shave the time to about six minutes. With EC2 computers available for 28 cents per minute, the cost of the crack came to just $1.68.

“People tell me there is no possible way to break WPA, or, if it were possible, it would cost you a ton of money to do so,” Roth told the news service. “But it is easy to brute force them.”

Roth is the same researcher who in November used Amazon’s cloud to brute force SHA-1 hashes. Roth said he cracked 14 160-bit SHA-1 hashes of passwords of between one and six characters in about 49 minutes. He told The Register at the time he’d be able to significantly reduce that time with minor tweaks to his software, which made use of “Cluster GPU Instances” of the EC2 service.

As the term suggests, brute force cracks are among the least sophisticated means of gaining unauthorized access to a network. Rather than exploiting weaknesses, they try huge numbers of possible passwords until the right one is found. Roth has combined this caveman approach with a highly innovative technique that applies it to extremely powerful servers that anyone can rent at highly affordable rates.

Roth’s latest program uses EC2 to run through 400,000 possible passwords per second, a massive amount that only a few years ago would have required the resources of a supercomputer. He is scheduled to present his findings at next week’s Black Hat security conference in Washington, DC. ®
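The two figures the article reports, 400,000 guesses per second and 28 cents per EC2 minute, are enough to estimate how much a WPA-PSK passphrase of a given length and alphabet would cost an attacker renting the same capacity, which is the number a defender needs when choosing a passphrase policy. The estimator below is an added example written for this page; it is not Roth’s software, and the alphabet sizes (26 lowercase letters, 62 alphanumerics, 95 printable ASCII characters) and the 1,000,000-entry wordlist size are assumptions of the example rather than figures from the article.

```python
"""Brute-force exposure estimator for WPA-PSK passphrases.

Added example for this page, not code from the article or from Thomas Roth.
Rate and price are the figures the article quotes; alphabet sizes and the
wordlist size are constructed assumptions used for illustration.
"""
from dataclasses import dataclass

GUESSES_PER_SECOND = 400_000   # rate reported in the article for the EC2 program
USD_PER_MINUTE = 0.28          # EC2 price per minute quoted in the article

# Assumed alphabet sizes (not from the article).
CHARSETS = {"lowercase": 26, "alnum": 62, "printable": 95}


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate passphrases of length min_len..max_len inclusive."""
    if min_len < 1 or max_len < min_len:
        raise ValueError("invalid length range")
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def seconds_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / rate


def cost_usd(seconds: float, usd_per_minute: float = USD_PER_MINUTE) -> float:
    """Rental cost of running the cracker for that many seconds."""
    return seconds / 60.0 * usd_per_minute


def affordable(alphabet_size: int, length: int, budget_usd: float) -> bool:
    """True if the full space of fixed-length passphrases fits the budget."""
    space = keyspace(alphabet_size, length, length)
    return cost_usd(seconds_to_exhaust(space)) <= budget_usd


def human_time(seconds: float) -> str:
    """Render seconds as the largest convenient unit for a report."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


@dataclass
class Estimate:
    label: str
    space: int
    seconds: float
    usd: float


def estimate(label: str, space: int) -> Estimate:
    secs = seconds_to_exhaust(space)
    return Estimate(label, space, secs, cost_usd(secs))


def report() -> list[Estimate]:
    """Compare a wordlist attack with exhaustive search over several policies."""
    rows = [estimate("1,000,000-entry wordlist (assumed size)", 1_000_000)]
    for length in (8, 10, 12):          # WPA-PSK requires at least 8 characters
        for name, size in CHARSETS.items():
            rows.append(estimate(f"{length} chars, {name}",
                                 keyspace(size, length, length)))
    return rows


if __name__ == "__main__":
    for row in report():
        print(f"{row.label:45} {row.space:>28,d}  "
              f"{human_time(row.seconds):>18}  ${row.usd:,.2f}")
```

The point the table makes is that at this rate a passphrase drawn from any wordlist falls in seconds for pennies, an 8-character lowercase passphrase is a few days and a few thousand dollars of rented compute, and a 12-character random passphrase over printable ASCII is out of reach by many orders of magnitude; the guess rate is the attacker's variable, so a defender should re-run the estimate as hardware and pricing change rather than rely on a fixed minimum length.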