STE WILLIAMS

Carrier IQ meets with feds ‘to educate them’

The makers of the controversial smartphone app Carrier IQ have reportedly been quizzed by federal regulators over concerns that its technology tracked user activity and uploaded data to mobile operators behind the back of consumers.

The Washington Post reports that senior Carrier IQ execs have met with representatives from US consumer watchdog the Federal Trade Commission (FTC) and staff from the Federal Communications Commission (FCC) to explain the firm’s position. Controversy over Carrier IQ’s mobile network diagnostic tool reignited earlier this week after it emerged, via freedom of information requests, that the FBI is using data captured by the app.

The FBI denies asking for data obtained by Carrier IQ’s software, at least directly. It seems that information snaffled by the utility was handed over by carriers in response to lawful interception requests, The Guardian reports.

Carrier IQ said it had sought meetings with regulators in order to allay possible concerns and defuse privacy fears. It denies being hauled in as part of a more formal investigation.

“Carrier IQ sought meetings with the FTC and FCC to educate the two agencies… and answer any and all questions,” Andrew Coward, the senior vice president for marketing, told the Post. He added that he was unaware of any official investigation into the firm.

Coward met FTC and FCC staffers alongside Carrier IQ chief executive, Larry Lenhart, as well as congressional staff. US senator Al Franken wrote to Carrier IQ last month soon after the controversy about its technology first emerged.

Security researcher Trevor Eckhart was the first to raise concerns about Carrier IQ’s technology. After initially serving Eckhart with a cease-and-desist letter, the firm has since come around and explained how its technology operates, in a way that has defused many of the original concerns. It’s not a mobile rootkit or a keylogger, contrary to initial reports and to descriptions of the technology by Google’s chairman Eric Schmidt, respectively. However, transparency and privacy issues remain valid concerns.

Carrier IQ explained earlier this month that its technology is only designed to diagnose operational problems on networks and mobile devices, such as dropped calls, data transmission speeds and battery life. “While a few individuals have identified that there is a great deal of information available to the Carrier IQ software inside the handset, our software does not record, store or transmit the contents of SMS messages, email, photographs, audio or video,” it said (PDF statement here).

Actually that last bit turns out to be not entirely true because the software firm was obliged to admit that a security bug meant its application did collect the contents of SMS messages in some circumstances. An SMS message would get embedded in signalling if, for example, a user received a message during a call. The data would be encoded and not easily readable by a human, as explained in a blog post by Kaspersky Lab’s Threatpost blog here.

Smartphone manufacturers and US network providers that have confirmed using Carrier IQ technology in their phones and networks include Apple, AT&T, Sprint, HTC, Samsung and T-Mobile. The formerly obscure software runs on more than 141 million handsets, according to stats prominently displayed on Carrier IQ’s site.

Apple is reportedly going to use a future software update to remove the unholy utility from Jesus phones, where diagnostic reports generated via the software are only sent back with the permission of users. The technology is even more deeply embedded in Android smartphones. Users have the ability to detect the app using third-party detection tools from anti-virus firms but don’t have the ability to actually remove it.

Comment

None of this is what you’d call terribly reassuring but we’re still inclined to believe, as Carrier IQ insists, that its technology is not designed as a tool for lawful interception but as a means for carriers to diagnose handset and network problems. Each implementation is different and so the diagnostic information actually gathered by Carrier IQ’s technology varies between different mobile operators. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/15/carrier_iq_privacy_latest/

Microsoft copies Google with silent browser updates

Internet Explorer is about to do more than just look like Chrome – it’ll silently update on your PC just like Google’s browser, too.

Microsoft in January will start rolling out auto updates moving you to the latest edition of IE available for your machine’s operating system.

Platforms covered are Windows XP, Windows Vista and Windows 7, and the policy means Windows XP holdouts on IE6 or IE7 get booted up to IE8, while Windows Vista and 7 users still on IE7 or even IE8 get shunted up to IE9, released in March.

Silent updates will start in Australia and Brazil and you’ll need to have turned on automatic updating via Windows Update.

You won’t be forced to move, if you’ve deliberately decided old is your thing.

Microsoft makes available IE8 and IE9 Automatic Update Blocker toolkits to stop auto-updates, while those who’ve actively declined updating in the past won’t be moved.

You can also uninstall the update.

Until now, Microsoft has relied pretty much on the end user to manage the move to a new version of IE – either by converting when they purchase a new machine with a new version of Windows on board, or by downloading the latest version of IE online. In business, organizations will roll out an image of a standardized desktop with the browser in it.

General manager for business and marketing Ryan Gavin dressed up the change in policy here, with plenty-o-talk about making the web better and customers safer by putting them on the most up-to-date browsers. And, to be sure, there’s no reason anybody should still be on IE6 – Microsoft has tried repeatedly to stamp it out with upgrade campaigns. Microsoft has been aggressively pushing HTML, which is supported better in IE9 than it has been at any other time in the history of Microsoft’s browser or of HTML.

Microsoft has two real problems, however.

The first is that the PC market is in a crisis, and if Microsoft expects shipments of new PCs to help see wider uptake of IE9, only released in March, then it’s mistaken. Sales forecasts of PCs for 2011 have been slashed by IDC, which now expects just 4.2 per cent growth, down from seven per cent at the start of 2011. The outlook is unclear for 2012.

All of which points to the bigger problem: IE8 and IE9 have failed to reverse IE’s falling market share. In the last few years, Microsoft has tried everything: targeting mass-market consumers with dreamy talk about the “beauty of the web”, fashion-forward hipsters with an IE9 launch at the South-by-South-West conference in March, and engineering geeks with more rapid engineering cycles: after years of literally nothing between IE6 and 7 – which helped establish Firefox – we’ve had IE8 in May 2010, IE9 in March 2011, and now a preview for IE10 in April this year.

Yet IE finishes 2011 with even less market share than when it entered – 52.64 per cent versus 58.64, according to Net Applications. And while Firefox has, by all accounts, stalled, Chrome is growing – having taken the number-two position from Firefox in November, according to StatCounter.

Indeed, StatCounter thinks Chrome really is the one to watch: Chrome 15.0 is just a few percentage points behind IE8, on 24 per cent, and it was only released in October. IE9, in play since March, is still on less than 12 per cent.

Windows needs IE, IE needs Windows

The problem is clear, if not the reason. Fast releases don’t necessarily make more people use your software, as Firefox shop Mozilla has discovered. Losing the browser would be a major setback for Microsoft; IE is one more reason to buy Windows, and Microsoft needs those.

For example, IE9 lets you pin a website to your Windows 7 taskbar. You click on the pin when you want to visit a site, and you’re taken to the site or service you want without actively surfing. You can see a list of pinned sites here and see the kind of rich, content-driven desktop idea Microsoft had in mind here.

With IE only working on Windows, however, the idea is that IE gives you one more reason to buy Windows and it gives content providers another reason to target IE. If IE disappears, there’s another reason to bypass Windows.

To understand the link between Microsoft’s browser and sales of Windows, consider this: IE9 was not made for Windows XP because Microsoft’s priority is to sell copies of Windows 7.

Silent updates aren’t just needed for IE; they are needed for Windows, too. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/15/ie_9_silent_updates/

Stolen, remote-wiped iPhones still get owner’s iMessages

Victims of iPhone theft have discovered that remotely wiping the nicked kit won’t stop iMessage content being delivered to the thief, who can continue to respond under the owner’s name.

The flaw was spotted by one David Hovis, whose wife had her iPhone lifted and promptly deactivated the mobile number, remotely wiped the data and changed both Apple ID and password. But despite all that, he discovered that messages sent using iMessage were being received by the buyer of the stolen handset, in addition to being delivered to his wife’s new handset, and he shared the experience with Ars Technica.

Not only was the receiver-of-stolen-goods getting messages addressed to Hovis’ wife, but the chap was able to respond to the messages and got quite leery when told he had bought a stolen handset.

It seems the problem isn’t unique to Mrs Hovis, but has hit quite a few iPhone users, a problem which will presumably increase as iMessage gains ground.

iMessage works by automatically turning SMS and MMS messages into internet traffic when a data connection is available at both ends. It only operates where both parties have an iPhone and are connected to the internet, but when activated it does provide a free messaging service.

Users sometimes find themselves caught out when they get billed for an MMS they expected to be free, and where group send is being used the service can get quite confused, but in general it’s a useful facility that users love. The fact that iMessages are converted from SMS messages means they are addressed to a phone number, rather than an Apple ID or similar, which might explain why the ID is proving so resilient.

Changing the phone number should really prevent iMessage delivery, but it seems the application is somehow caching the phone number and refusing to forget that cached content despite being remotely wiped.

The only reported success in stopping message delivery was to switch off iMessage on the stolen device (which might be tough unless it’s some sort of insurance scam) or register a completely new Apple ID and forget about the old one – though that means forgetting about all the films, music and applications owned by that account too.

If the problem is an overly persistent cache then Apple will probably get it fixed quite swiftly, but with Cupertino being as taciturn as ever we’ll probably never know when they have, or what messages have been delivered to thieves (and their customers) in the meantime. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/15/imessage_persistant/

Facebook won’t deny it is sitting on huge mountain of cash

Facebook has declined to comment on a report that suggested the dominant social network had already tucked away sales of $2.5bn for the first nine months of 2011.

Gawker, citing a “well-placed” source, claimed to have its hands on juicy financial details about the privately-held company that is expected to go public next year.

A Facebook spokeswoman told The Register “No comment, as it relates to revenue.”

If the numbers are accurate, then they paint a good picture of just how much money CEO and co-founder Mark Zuckerberg is sitting on right about now.

Here’s Gawker’s breakdown for the period covering January 2011 to September 2011:

Assets: $5.6 billion

Cash/cash equivalents: $3.5bn

Debt: $0

Shareholder equity: $4.5bn

Operating cashflow: $1bn

Revenue: $2.5bn

Operating income: $1.2bn

Net income: $714m

The same report echoed earlier suggestions that Facebook was looking to raise $10bn at a $100bn valuation in an initial public offering.

That private treasure trove, again if correct, is impressive. But some observers had estimated that Facebook could hit revenue of $4bn for 2011, a goal that may have now been missed, unless – that is – the company manages to pull in sales of $1.5bn during its final quarter.

Another interesting nugget apparently leaked by the anonymous source to Gawker appears to reveal exactly how Facebook’s ownership is currently carved up.

Zuckerberg owns 24 per cent of the network he helped build from his college dorm in Harvard.

Among others, Facebook employees have a 30 per cent slice of the pie, serial Web2.0 investor Digital Sky Technologies owns 10 per cent, and Microsoft has 1.3 per cent ownership of the network.

Earlier today, the company debuted a major makeover of Facebook by introducing its Timeline feature. The network certainly appears to be priming itself for a very public showtime in 2012. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/15/facebook_supposed_revenues_leak/

ICO warns: Just six months to comply with EC cookie rules

The Information Commissioner’s Office won’t begin enforcing the new cookies law for another six months yet – in the meantime, the regulator has issued a reminder to web outfits warning them to prepare to comply with the legislation.

On 25 May 2011, the implementation of the revised e-Privacy Directive passed with a whimper rather than a bang, after just two Member States issued a full notification to Brussels. The remaining 25 countries that make up the European Union failed to meet that deadline.

The UK at that point had offered Brussels officials partial notifications, despite the fact that the Commission had clearly stated that all the measures detailed in the directive were required to be transposed into national law.

European Commissioner Viviane Reding told this reporter in June that she was surprised by how many member states had ignored the deadline for implementing the ePrivacy Directive, which included a requirement for businesses to be much more upfront about their use of cookies online.

“I always meet people who are astonished that Christmas is on the 25th of December. I always encounter governments that are astonished that a law that has been voted for two or three years before has to be applied on that date … That is not just on the cookies, but a general problem, which I have normally,” she said.

“This decision doesn’t come out of the blue. That was the Council of Ministers plus the European Parliament who had done this together … You decide something, you apply it. If you don’t we bring the country to the court.”

However, the UK government made the decision to effectively free up web owners from the burden of complying with the directive, which required sites within the EU to obtain a visitor’s consent to install a cookie in their browser, by deferring enforcement of the law for one year.

And now, Blighty’s data protection watchdog is having another punt at playing the friendly policeman with website owners operating in the UK.

“The guidance we’ve issued today builds on the advice we’ve already set out, and now includes specific practical examples of what compliance might look like,” said Information Commissioner Christopher Graham.

“We’re halfway through the lead-in to formal enforcement of the rules. But, come 26 May next year, when our 12 month grace period ends, there will not be a wave of knee-jerk formal enforcement actions taken against those who are not yet compliant but are trying to get there.”

However, fines of up to £500,000 could be levied against those web outfits that fail to get their cookie-tracking in order come mid-2012.

“Our mid-term report can be summed up by the schoolteacher’s favourite clichés ‘could do better’ and ‘must try harder.’ Many people running websites will still be thinking that implementing the law is an impossible task,” said Graham.

“But they now need to get to work. Over the last few months we’ve been speaking to and working with businesses and organisations that are getting on with it and setting the standard. My message to others is – if they can do it, why can’t you?”

He added that “prescriptive check lists” would not be issued by the ICO.

In May, the government confirmed it was working with Mozilla, Apple, Microsoft, Google, Yahoo, Adobe and the Internet Advertising Bureau to come up with a browser solution to obtaining users’ consent.

At the time, it indicated that coming up with a browser setting that helped websites comply with the directive was – in part – the reason behind the ICO delaying enforcement for a year.

The ICO noted yesterday: “Achieving compliance in relation to third party cookies is one of the most challenging areas,” thereby flagging up one of the main issues website owners have with the directive.

“The ICO is working with other European data protection authorities and the industry to assist in addressing the complexities and finding the right answers.”

That comment seemed to suggest that it’s now open season for any web outfits in the UK lobbying for tracking online behaviour without requesting consent just as the six-month countdown to compliance begins… ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/15/ico_cookie/

Google Wallet fails to encrypt punters’ personal data

Security researchers have discovered that Google Wallet stores sensitive information unencrypted on devices, including the cardholder’s name, transaction dates, the last four digits of credit card numbers, email address, and account balances.

The mobile payment app fails to protect anything beyond the credit card number itself, according to an analysis by ViaForensics. The firm concludes that the shortcoming places users of the technology at unnecessary risk.

While Google Wallet does a decent job securing your full credit card numbers (it is not insecurely stored and a PIN is needed to access the cards to authorize payments), the amount of data that Google Wallet stores unencrypted on the device is significant (pretty much everything except the first 12 digits of your credit card). Many consumers would not find it acceptable if people knew their credit card balance or limits.

Further, the ability to use this data in a social engineering attack against the consumer directly or a provider is pretty high. For example, if I know your name, when you’ve used your card recently, last 4 digits and expiration date, I’m pretty confident I could use the information to my advantage. When you add data that is generally available online (such as someone’s address), an attacker is well armed for a successful social engineering attack.

Google Wallet is a payment application targeted at consumers with Android smartphones. The technology uses wireless Near-Field Communication (NFC) for swipe-to-pay transactions with retailers. The technology is still in the early stages of development and only supports Citi MasterCard and Google Prepaid Card as well as a small number of store and loyalty cards.

Google said ViaForensics’ study looked at what data was available on a rooted Android device running Google Wallet. It adds that credit card and CVV numbers held by Google Wallet are stored in the secure element of an NXP chip used by Android smartphones.

“The ViaForensics study does not refute the effectiveness of the multiple layers of security built into the Android OS and Google Wallet. This report focuses on data accessed on a rooted phone, but even in this case, the secure element still protects the payment instruments, including credit card and CVV numbers,” Google said in a statement, NFC World reports.

“Android actively protects against malicious programs that attempt to gain root access without the user’s knowledge. Based on this report’s findings we have made a change to the app to prevent deleted data from being recovered on rooted devices.”

The alleged security shortcoming uncovered by ViaForensics stems from Google’s implementation rather than any inherent shortcomings in the technology. Failure to encrypt transaction history and other sensitive details is a serious oversight with the technology, according to other security observers.

Mark Bower, VP at encryption firm Voltage Security, commented: “While Google Wallet presents an exciting new way for merchants to expand business, just because it’s new doesn’t make it secure.

“Given the wallet is so new, the fact that they aren’t encrypting the data beyond the credit card is a real surprise in this day and age of exploits and data compromises – the risk here is not so much about the credit card number, it’s about the customer personal data – their transaction history – exactly the kind of data an attacker can use to mount a social attack on the consumer to get something even more valuable.

“Android’s freedom is also its weakness in enabling such attacks to potentially be automated to the Google Wallet.”

Google Wallet was launched in May and still remains very much a work in progress. The analysis by ViaForensics, which the firm says is far from comprehensive, follows other misgivings from security experts about the use of a simple PIN to lock Google Wallet, as exemplified by a blog post by Sophos here.

Last week it emerged that Verizon Wireless is blocking (or at least omitting support for) Google Wallet on the upcoming Galaxy Nexus smartphones that will run on Verizon’s 4G LTE network. However, this decision might just as easily be explained by a commercial dispute over who controls the secure element on users’ smartphones as by security concerns per se, a post by Lisa Vaas on Sophos’ Naked Security blog concludes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/15/google_wallet_uncryption/

Feds cuff KISS rock star’s DDoS suspect

The FBI has arrested a man suspected of taking part in a DDoS attack that smashed KISS bassist and reality telly star Gene Simmons’ web site off the internet.

Kevin Poe, 24, of Manchester, Connecticut, was cuffed and appeared in court on Tuesday to answer charges of conspiracy and unauthorised impairment of a protected computer regarding the alleged attacks. Investigators allege Poe is affiliated with Anonymous, the hacktivist group that launched an assault on Simmons’ online presence in retaliation for his aggressive public diatribes against file sharers.

GeneSimmons.com was knocked offline for five days in October last year as a result of a sustained attack launched by Anonymous.

According to the indictment, Poe (AKA spydr101) used a much loved software tool of the Anonymous collective – the Low Orbit Ion Cannon – to flood Simmons’ site with junk traffic. LOIC, by default, does nothing to hide the identity of its users, a shortcoming that led to the arrest of many alleged Anonymous members before the collective moved on to using more sophisticated tools.

Poe was released on $10,000 bail pending an as yet unscheduled appearance at a federal court in Los Angeles, a statement by the central Californian US Attorney’s Office in charge of prosecuting the case explains.

The Connecticut arrest follows a raid in May by investigators in the Simmons web site DDoS case. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/15/feds_cuff_simmons_ddos_hack_suspect/

Newfangled graphics engine for browsers fosters data theft

Software developers at Google, Apple, Adobe, and elsewhere are grappling with the security risks posed by an emerging graphics technology, which in its current form could expose millions of web users’ sensitive data to attackers.

The technology, known as CSS shaders, is designed to render a variety of distortion effects, such as wobbles, curling, and folding. It works by providing programming interfaces web developers can call to invoke powerful functions from an end user’s graphics card. But it could also be exploited by malicious website operators to steal web-browsing history, Facebook identities, and other private information from unsuspecting users, Adam Barth, a security researcher on Google’s Chrome browser, warned recently.

“Because web sites are allowed to display content that they are not allowed to read, an attacker can use a Forshaw-style CSS shader [to] read confidential information via the timing channel,” Barth wrote in a December 3 post to his private blog. “For example, a web site could use CSS shaders to extract your identity from an embedded Facebook Like button. More subtly, a web site could extract your browsing history bypassing David Baron’s defense against history sniffing.”

On the discussion list for developers of the WebKit browser engine, Barth and developers from Apple, Adobe, and Opera discussed the risks posed by the CSS shaders technology, which was submitted to the W3C as an industry standard in October. Some members argued the timing attack Barth contemplated wasn’t practical because it would have to be customized to a particular browser and would take a long time to extract only a partial image displayed on an end user’s monitor.

“Even if you tuned a CSS attack to a given browser whose rendering behavior you understand, it would take many frame times to determine the value of a single pixel and even then I think the accuracy and repeatability would be very low,” Apple developer Chris Marrin wrote in response. “I’m happy to be proven wrong about this, but I’ve never seen a convincing demo of any CSS rendering exploit.”

Barth conceded he was aware of no reliable proofs of concept demonstrating the attack, but he told The Register he’s concerned the feature could expose users to a classic browse-and-get-hacked attack in which private information is stolen simply by visiting the wrong site.

“For example, an attacker could apply a CSS shader to an iframe containing content from another web site,” he wrote in an email. “If the attacker crafts a shader such that its run time depends on the contents of the iframe, the attacker could potentially steal sensitive data from that web site.”

He said that exploits might also expose the directory locations of sensitive files when users upload files to a website.

The scenario outlined by Barth closely resembles a vulnerability disclosed in another graphics engine that’s also emerging as an industry standard. In June, security researchers warned that a 3D-acceleration API known as WebGL also allowed websites to extract images displayed on a visitor’s monitor. An accompanying proof-of-concept exploit stole images displayed in the Firefox browser by “spraying” memory in the computer’s graphics card. The researchers said other browsers were probably also vulnerable. Barth said the vulnerability has since been fixed.

Parts of the CSS shaders specification are available in nightly developer builds of the WebKit browser engine that forms the underpinnings of the Chrome and Apple Safari browsers. Adobe has an internal build of WebKit that implements CSS shaders more completely. Barth said he’s unaware of the technology shipping in working versions of any browser. And that means the coalition of developers still has time to fix the flaw before it can do any damage.

“There are a number of defenses that we’re discussing in the W3C CSS-SVG effects task force,” Barth said. “In my view, the most promising approach is to find a subset of the GLSL shader language in which a shader always takes the same amount of time to run, regardless of the input. If we find such a subset, web sites would be able to use these effects without the browser leaking sensitive information into the timing channel.” ®
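As an added illustration of the defence Barth describes (not code from Barth, the W3C task force or any browser), here is a deliberately conservative checker: a shader that contains no branch, loop, discard or ternary operator does the same work for every pixel, so its run time cannot encode the sampled content, which is the property the proposed GLSL subset is after. The keyword list and the two sample shaders are this example’s own constructions, not a published rule set.

```javascript
// Added example (not code from Barth, the W3C task force or any browser):
// a conservative lexical checker for a "data-independent" GLSL subset.
// Assumption of this example: a fragment shader whose source contains no
// branch, loop, discard or ternary operator does the same work for every
// pixel, so its run time cannot depend on the sampled content.

// Constructs that make a shader's cost depend on its operands. This list is
// the example's own, not a published specification.
const DATA_DEPENDENT_KEYWORDS = [
  "if", "else", "while", "do", "for", "switch", "case", "default",
  "break", "continue", "discard",
];

// Blank out // and /* */ comments, keeping newlines so offsets still map
// to the original line numbers.
function stripGlslComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " "))
    .replace(/\/\/[^\n]*/g, " ");
}

function lineOf(src, offset) {
  return src.slice(0, offset).split("\n").length;
}

// Returns every construct that lets run time depend on input, in source order.
function findTimingHazards(src) {
  const clean = stripGlslComments(src);
  const hazards = [];
  const keywordRe = new RegExp(`\\b(${DATA_DEPENDENT_KEYWORDS.join("|")})\\b`, "g");
  let m;
  while ((m = keywordRe.exec(clean)) !== null) {
    hazards.push({ construct: m[1], line: lineOf(clean, m.index), offset: m.index });
  }
  // GLSL uses '?' only for the ternary operator, which is a branch as well.
  const ternaryRe = /\?/g;
  while ((m = ternaryRe.exec(clean)) !== null) {
    hazards.push({ construct: "?:", line: lineOf(clean, m.index), offset: m.index });
  }
  return hazards.sort((a, b) => a.offset - b.offset);
}

function isConstantTimeSubset(src) {
  return findTimingHazards(src).length === 0;
}

// Constructed sample: branches on the sampled colour of the filtered element,
// so how long it runs reveals something about that content.
const BRANCHING_SHADER = `
precision mediump float;
uniform sampler2D u_texture;
varying vec2 v_texCoord;
void main() {
  vec4 c = texture2D(u_texture, v_texCoord);
  if (c.r > 0.5) {
    for (int i = 0; i < 64; i++) { c.g = sin(c.g + float(i)); }
  }
  gl_FragColor = c;
}`;

// Constructed sample: the same visual choice written with step()/mix(), which
// are evaluated unconditionally, so the cost is the same whatever c.r holds.
const BRANCHLESS_SHADER = `
precision mediump float;
uniform sampler2D u_texture;
varying vec2 v_texCoord;
void main() {
  vec4 c = texture2D(u_texture, v_texCoord);
  float bright = step(0.5, c.r);          // 1.0 if c.r >= 0.5, else 0.0
  vec4 warped = vec4(c.r, sin(c.g * 3.0), c.b, c.a);
  gl_FragColor = mix(c, warped, bright);  // branch-free select
}`;

for (const [name, src] of [["branching", BRANCHING_SHADER], ["branchless", BRANCHLESS_SHADER]]) {
  const hazards = findTimingHazards(src);
  console.log(name, isConstantTimeSubset(src) ? "in subset" : "rejected",
    hazards.map((h) => `${h.construct}@line${h.line}`).join(" "));
}
```

The check is lexical only: it rejects loops with constant bounds that a real compiler-level analysis could accept, which is the conservative trade-off such a subset makes.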


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/14/browser_image_theft_threat/

No BEAST fix from Microsoft in December patch batch

Microsoft released 13 security bulletins addressing 19 vulnerabilities overnight, as part of a bumper final Patch Tuesday of the year.

Highlight of the baker’s dozen is a patch for the zero-day vulnerability exploited by the Duqu worm (a sibling of Stuxnet) back in October. Fixing the underlying flaw exploited by Duqu involves the resolution of a problem in how the Windows kernel-mode driver handles TrueType font files.

Aside from this critical update, the batch includes an update to address a critical flaw in Windows Media Player. A cumulative security update of ActiveX kill bits is covered by the third, and final, critical update this month. The other ten bulletins address less severe (important) flaws in Windows, IE and Office. Altogether it’s a desktop-heavy patch batch, as you can see from Microsoft’s summary here.

Microsoft originally promised 14 bulletins for the December edition of Patch Tuesday but one has been pulled, probably for quality control reasons. The original anticipated 14th bulletin was for the BEAST attack, but did not make it in time for the holidays due to a last minute software incompatibility uncovered during third party testing, security services firm Qualys reports. The absence of this fix means that Microsoft has issued a grand total of 99 bulletins this year, one less than the ton up that might have resulted in adverse headlines.

The BEAST attack affects web servers that support SSLv3/TLSv1 encryption. Although a patch will have to wait until January, at least, Microsoft has already published a workaround, which involves using the unaffected RC4 cipher in SSL setups.

The Internet Storm Centre has produced a helpful graphical overview of the Black Tuesday updates from Microsoft here. It reckons that some of the flaws are more severe than Redmond’s rating. By the ISC’s count there are EIGHT critical updates. Either way you look at it, this is a lot of patching work even before we think about other security updates doing the rounds.

Google and Adobe are also joining in on the season of giving by releasing updates of their own. Adobe last week issued a critical update for Adobe Reader and Acrobat. The latest version of Adobe’s PDF-reading software, Adobe Reader X, is not affected by this vulnerability thanks to the use of sand-boxing technology. So users have the option to either upgrade or apply a patch to the earlier version of the software.

In addition, Google published an update to its Chrome browser that addresses 15 security flaws, including six high-risk vulnerabilities, on Tuesday. More details of what’s fixed inside Chrome 16.0.912.63, the latest cross-platform version of the browser (yes Mac and Linux fans you ought to update too), can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/14/ms_bumper_patch_tuesday/

York CompSci student pleads guilty to Facebook hack

A computer enthusiast from York has admitted hacking into Facebook.

Glenn Mangham, 26, pleaded guilty to hacking into the social networking site between April and May this year at a hearing in London’s Southwark Crown Court on Tuesday. The court heard that the incident sparked a major security alert amid fears that some form of industrial espionage was involved, the BBC reports.

Mangham, a computer science student, had previously advised Yahoo! on how to improve the security of its website. Although his subsequent actions against Facebook were not maliciously motivated they were unauthorised and resulted in the extraction of what prosecutor Sandip Patel described as “highly sensitive intellectual property”. Mangham had downloaded and stored code he wanted to work with offline.

Although Mangham attempted to cover his tracks, he was tracked down and arrested, after which he freely admitted his actions, which were violations of the UK’s Computer Misuse Act. Evidence of the hack was discovered during a routine security check.

In a statement, Facebook explained its decision to file a criminal complaint, adding that the “attack did not involve an attempt to compromise or access user data”.

At Facebook nothing is more important to us than the security and integrity of our site, and we take any attempt to compromise our security network incredibly seriously. We work closely with law enforcement agencies and the police to ensure that offenders are brought to justice.

This attack did not involve an attempt to compromise or access user data.

A sentencing hearing against Mangham has been set for 17 February. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/14/facebook_hack_prosecution/