STE WILLIAMS

Why are Android anti-virus firms so slow to react on Carrier IQ?

Analysis Some Android anti-virus firms have begun releasing Carrier IQ detection apps, but only after the controversial software became a talking point on Capitol Hill … and a month after a security researcher first discovered it.

BitDefender released Carrier IQ Finder, an app that identifies the presence of the controversial mobile diagnostic tool, following Lookout’s earlier release of a similar tool called Carrier IQ Detector. Both applications let mobile phone users know if they have Carrier IQ running on their Android phone without actually removing it. Each has been available at no charge via the official Android Market since last Saturday (3 December).

In a statement, BitDefender said that Carrier IQ’s mobile network diagnostic tool is “so deeply integrated with the device’s firmware [that] Carrier IQ Finder cannot remove it”.

Catalin Cosoi, global research director at Bitdefender, explained: “The Carrier IQ package can’t be removed by the users themselves if they don’t have root access on the device. They can, however, take the issue with the carrier and ask that the package be removed from the system.”

All this still leaves us with the question of why these anti-virus firms needed an extra app to detect Carrier IQ. Shouldn’t this application have been detected as potentially unwanted, at least, some time ago?

In a blog post, Lookout explained why signature detection for Carrier IQ was not added to its stand-alone Android security applications.

“Based on what we know so far, it doesn’t appear that Carrier IQ’s software is malware, and for that reason it’s not flagged as such by Lookout,” it said.

Kevin Mahaffey, co-founder and CTO of Lookout, told El Reg that it released its tool in response to requests from users. He added that even though Carrier IQ wasn’t malware, it did raise transparency and privacy issues. Mahaffey suggested that anti-malware protection ought to be all-in-one in mobiles (anti-spyware started off as a separate utility in the Windows world some years back), but didn’t rule out the possibility of releasing other stand-alone tools in future.

Kaspersky Lab said it too had decided Carrier IQ wasn’t malware but had decided, unlike Lookout, not to release a stand-alone tool.

Ram Herkanaidu, education manager at Kaspersky Lab, explained: “Kaspersky Lab does not currently detect Carrier IQ on Android devices because leaving aside the question of whether service providers need to collect this level of information, it is not strictly speaking malicious software. Currently there are no plans for Kaspersky to create a separate tool to detect Carrier IQ on mobile devices. That said, our global security researchers are investigating this and if any developments occur, we will take action appropriately.”

Lookout’s line is that although technically savvy users might be able to find out if Carrier IQ is running on their devices, its tool is needed because it allows less technically sophisticated users to do the same thing.
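What that “technically savvy” check looks like in practice is a walk through the package list that Android’s package manager already exposes over adb. The script below is an added illustration, not code from the article, Lookout or BitDefender; the package name on its watchlist, the APK path in the sample and the `pm` output itself are all assumptions or constructed data, not taken from the page. It also records the point BitDefender makes: a package living under /system is part of the firmware image and cannot be uninstalled without root.

```python
"""Flag watchlisted packages in `adb shell pm list packages -f` output.

Added example. The watchlist entry below is an ASSUMED package name used for
illustration; the article does not give one.
"""
import re
from dataclasses import dataclass

# Assumed watchlist: package name -> label shown to the user.
WATCHLIST = {
    "com.carrieriq.iqagent": "Carrier IQ agent (assumed package name)",
}

# `pm list packages -f` prints one line per package: package:<apk path>=<package name>
_PM_LINE = re.compile(r"^package:(?P<apk>\S+?)=(?P<pkg>[A-Za-z0-9_.]+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    apk_path: str
    label: str
    system_partition: bool  # True => baked into firmware, not removable without root


def parse_pm_output(text: str):
    """Yield (package, apk_path) pairs, skipping lines that do not fit the format."""
    for raw in text.splitlines():
        m = _PM_LINE.match(raw.strip())
        if m:
            yield m.group("pkg"), m.group("apk")


def scan(text: str, watchlist=WATCHLIST):
    """Return a Finding for every installed package that is on the watchlist."""
    findings = []
    for pkg, apk in parse_pm_output(text):
        if pkg in watchlist:
            findings.append(Finding(pkg, apk, watchlist[pkg], apk.startswith("/system/")))
    return findings


def advice(finding: Finding) -> str:
    """A /system package needs root or the carrier to remove; user-space apps do not."""
    if finding.system_partition:
        return f"{finding.package}: on /system; cannot be uninstalled without root, ask the carrier"
    return f"{finding.package}: in user space; removable via Settings > Apps"


# Constructed sample output, not captured from a real handset.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Settings.apk=com.android.settings
package:/system/app/iqagent.apk=com.carrieriq.iqagent
package:/data/app/com.example.game-1.apk=com.example.game
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PM_OUTPUT):
        print(advice(f))
```

On a real device the input would come from `adb shell pm list packages -f`; the parser ignores anything that does not match the `package:<path>=<name>` form, so stray shell output does not break it.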

The whole episode leaves us wondering about the ability of Lookout or other Android anti-virus firms to flag up something potentially unwanted on devices, especially if it happens to be made by a commercial developer who might sue. We put this point to Lookout but weren’t able to get a specific answer on whether or not it was up for contesting such actions.

Anti-virus firms have been stung with lawsuits before over the detection of user-installed bundled spyware on Windows machines, something that might easily be repeated in the Android arena. Notorious, defunct crapware vendor Zango unsuccessfully sued security software maker Kaspersky Lab for calling its product “spyware”. Kaspersky manned up and fought the action, defending an important principle in the process. Other security firms might decide to duck this kind of fight.

Carrier IQ’s initial response to the discovery of its software by security researcher Trevor Eckhart in the middle of last month was to issue a cease and desist letter, though in fairness the firm has since tried to explain what it’s about and how its technology operates in a way that has defused many (but not all) of the original concerns.

Smartphone manufacturers and network providers that have confirmed shipping Carrier IQ software on their handsets include Apple, AT&T, Sprint, HTC and Samsung. Although iPhone users are also affected, the issue of whether anti-malware software can protect them doesn’t arise because on-board anti-virus scanners for iOS are against the Jobsian faith. Users of Android devices who take the trouble to apply security software are entitled to feel more protected, but the Carrier IQ affair raises doubts about this.

It’s notable that Android anti-virus firms weren’t saying: “Wow this app is weird and it has all these privileges” and asking questions about Carrier IQ until the same day Senator Al Franken sent a letter to Carrier IQ. This raises the question of whether these mobile security apps have the ability to detect something clearly malign – a future Android rootkit, for example. Recent tests by AV-Test.org that revealed the inadequacies of some Android freebie scanner products (Lookout wasn’t tested) hardly inspire confidence on this point either.

Computer researchers at Rutgers University in the US developed a proof-of-concept rootkit back in March 2010. Security firms including Fortify Software and Imperva have since expressly warned of this risk. Lessons from history suggest not every security vendor will respond promptly to the risk if and when it arrives.

Six years ago, when the Sony BMG CD copy-protection rootkit scandal broke, security researcher Mark Russinovich and F-Secure independently discovered the software at about the same time. F-Secure quickly and decisively stood up and condemned Sony’s use, in its copy-protection software, of the same tactics used by virus writers. But it was only after Sony admitted it had erred that other anti-virus vendors belatedly added detection, as explained in a good historical overview of the whole sorry affair by Bruce Schneier here.

Lookout disagrees that the analogy is appropriate. The Sony rootkit involved a third party modifying software, it said, whereas Carrier IQ supplied a diagnostic kit built into phones and was more akin to Microsoft Software Update. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/08/carrier_iq_android_detection/

Feds probe alleged World Cup bid email hack

Federal investigators are looking into claims that email accounts of the US bid team for the 2022 World Cup were hacked as part of an alleged dirty tricks campaign that may also have affected the 2018 bid process.

FBI agents questioned members of England’s failed 2018 bid team last month as part of a wider investigation over corruption surrounding the bid process and Fifa’s affairs more generally. No one in the England bid team is suspected of any wrongdoing, The Daily Telegraph reports.

The inquiry centres around the alleged bribery of Caribbean football officials by Mohammed Bin Hammam, who ran against Sepp Blatter for the Fifa presidency this year. Bin Hammam, a Qatari national who withdrew his bid on the eve of an ethics committee meeting in May, received a lifetime ban from Fifa after it found him responsible for offering $40,000 (£25,000) bribes to Caribbean football officials. Jack Warner, former Fifa vice president and president of the Caribbean Football Union, resigned from roles in international football after an initial Fifa inquiry implicated him in the scandal.

The awards of the 2018 and 2022 World Cup hosting rights to Russia and Qatar, respectively, have been among the most contentious in Fifa’s history. Shortly before the vote, in October 2010, the voting rights of two members of Fifa’s 24-man executive committee were suspended over allegations that they were open to selling their votes.

Much of the FBI inquiry concerns the transport of large amounts of currency through US borders, an offence if the cash is not declared. A New York-based FBI squad tasked with investigating “Eurasian organised crime” has also been taking an interest in the matter since late August.

The email hacking allegations are new and, at present at least, somewhat vague. The FBI has reportedly collected “substantial evidence” documenting efforts to hack into the emails of US bid executives, who competed alongside their counterparts from South Korea, Australia, Qatar and Japan for the right to host the 2022 edition of football’s greatest tournament.

Qatar, a small desert country in the Middle East with no football heritage and a climate wholly unsuited to the beautiful game, emerged as the surprise winner of the 2022 bid.

It’s still unclear if the tournament will be moved to the winter of 2022 rather than its traditional slot of June and July. The country made a poor show of hosting the much smaller Asian Cup 2011, locking 5,000 ticket-holding fans out of the final match between Japan and Australia back in January, raising yet further doubts, already fuelled by its poor human rights record, over its ability to host hundreds of thousands of visiting football fans.

Russia, by contrast, has a large and expanding fan base, a healthy national football league and a World Cup heritage.

Why hack it?

Access to the email accounts of rival bid teams would have exposed plans to canvass support and would have given unscrupulous parties a huge edge in attempting to persuade voters to side with any particular bid.

In a statement, the Russia 2018 organising committee told The Telegraph that it was unaware of any FBI investigation. “Russia 2018 will not comment on speculation: the LOC [local organising committee] has not been contacted regarding any investigation, nor have we been made aware that any such investigation exists,” it said.

“We at Russia 2018 are proud of the way we conducted ourselves throughout a long and highly competitive campaign; as an LOC, we are driven by exactly the same transparency, commitment to excellence and spirit of Fair Play that underpinned our successful bid.”

Qatar and Bin Hammam also deny allegations of corruption in the emirate’s World Cup bid campaign.

More commentary on the information security aspects of the FBI’s ongoing probe can be found in a blog post by net security firm Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/08/feds_probe_alleged_world_cup_bid_email_hack/

Criminal Records Bureau checks to go online

The Criminal Records Bureau (CRB) is to introduce an online status checking service for employers to verify that potential employees have been cleared for relevant jobs. It is intended to save people from having to request a new certificate every time they apply for a new role.

The move is one of the measures announced by Lynne Featherstone, the criminal information minister, in response to a review of the criminal records regime by the government’s independent advisor Sunita Mason. Featherstone said the government has accepted the majority of the recommendations and incorporated them in the Protection of Freedoms bill.

In a statement to Parliament, she said the online service is part of an effort to reduce the bureaucracy in the CRB regime. The checks are run for positions working with vulnerable people.

“We have included a provision to make the CRB process less burdensome on all concerned by introducing a new, online status checking capability that will in effect mean individuals can re-use their certificates for different employers across the same workforce and so will no longer need to apply for a new certificate every time they want to take up a new role,” she said. “This will have a positive impact on business, making it significantly easier for employers to take on staff in relevant sectors.”

A Home Office spokesman was unable to provide any further detail on how the service will work.

Other relevant features of the Protection of Freedoms bill include:

  • Ensuring that only relevant and accurate personal information will ever be disclosed by the police.
  • The opportunity for applicants to review and, if appropriate, dispute any information held about them by the police prior to it being disclosed to an employer.
  • Substantially reducing the scope of ‘regulated activity’ from which people can be barred.

The government has not accepted Mason’s call for a significant reduction in the number of people eligible for checks.

The Home Office also announced that the government will maintain the current arrangements for holding criminal records on the police national computer, while ensuring the controls on accessing those records are sufficiently strong.

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/08/crb_checks_to_go_online/

Man fights felony hacking charge for accessing wife’s email

A Michigan appeals court is trying to decide whether the state’s anti hacking law should be invoked against a man who broke into his wife’s Gmail account to see if she was having an affair.

Leon Walker, 34, faces a maximum of five years in prison for using a shared family computer to read his wife’s personal email after she failed to return home one night. It turns out Clara Walker was indeed involved with another man, who just happened to be her previous husband.

Attorneys for Leon Walker told judges with the Michigan Court of Appeals that the law their client was charged under was ambiguous and was never intended for domestic matters. It was passed in 1979 and was designed to prevent identity and trade secret theft. They also warned if charges go forward the law could criminalize activities such as parents monitoring their children’s online activities.

Judges hearing the case, according to USA Today, didn’t sound so sure.

“Your client is being charged with security intellectual property – her email, accessing her intellectual property,” judge Pat Donofrio said.

The three-judge panel is expected to issue an opinion next year.

More coverage from The Detroit News is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/07/cuckold_hacking_charges/

Gadget-hackers post how-to on BlackBerry PlayBook jailbreak

Gadget enthusiasts have produced a detailed guide on how to jailbreak BlackBerry PlayBook tablets.

A video showing the rooting of the RIM-manufactured device was published last week by the same group, without an explanation of how they did it. The new guide explains that the technique, which involves using a custom hacking tool but is otherwise pretty straightforward, takes advantage of the fact that device backups aren’t digitally signed.

This shortcoming permits the installation of the so-called DingleBerry tool needed to pull off the hack, as explained in a post by Neuralic here. Users attempting the hack need to have the beta 2.0 version of the PlayBook software installed. If successful, the hack allows consumers to install apps of their choosing from the Android Market.
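The root cause described above, a restore path that trusts whatever backup it is handed, is easy to show in miniature. The following is an added example written for this page; it is not the PlayBook’s backup format, RIM’s code or the DingleBerry tool. The JSON-plus-base64 layout, the file names and the HMAC-SHA256 tag are all stand-ins chosen for illustration. It contrasts a restore that accepts an edited backup with one that verifies a tag first and refuses.

```python
"""Unsigned versus verified backup restore. Added example; formats are assumed."""
import base64
import hashlib
import hmac
import json


def make_backup(files: dict) -> bytes:
    """Serialise {path: bytes} into a backup blob (JSON with base64 bodies)."""
    payload = {p: base64.b64encode(b).decode() for p, b in files.items()}
    return json.dumps(payload, sort_keys=True).encode()


def sign_backup(blob: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag over the whole blob (assumed scheme, stands in for a signature)."""
    tag = hmac.new(key, blob, hashlib.sha256).hexdigest().encode()
    return blob + b"\n" + tag


def tamper(blob: bytes, path: str, new_body: bytes) -> bytes:
    """What a jailbreak tool does with an unsigned format: rewrite one file inside the backup."""
    payload = json.loads(blob)
    payload[path] = base64.b64encode(new_body).decode()
    return json.dumps(payload, sort_keys=True).encode()


def restore_unsigned(blob: bytes) -> dict:
    """Restore that trusts the blob as-is, so any edit is applied to the device."""
    return {p: base64.b64decode(v) for p, v in json.loads(blob).items()}


def restore_signed(signed: bytes, key: bytes) -> dict:
    """Restore that checks the tag before touching the payload."""
    blob, _, tag = signed.rpartition(b"\n")
    expected = hmac.new(key, blob, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("backup tag mismatch: refusing to restore")
    return restore_unsigned(blob)


def demo(key: bytes = b"device-unique-key-assumed") -> dict:
    """Tamper with a backup and run it through both restore paths; report what each did."""
    # Constructed device state; file names are invented for the example.
    original = {"conf/developer_mode": b"0", "conf/motd": b"hello"}
    blob = make_backup(original)
    evil = tamper(blob, "conf/developer_mode", b"1")

    # Unsigned path: the edit lands.
    unsigned_result = restore_unsigned(evil)["conf/developer_mode"]

    # Signed path: same edit, original tag carried over, must be rejected.
    signed = sign_backup(blob, key)
    body, _, tag = signed.rpartition(b"\n")
    try:
        restore_signed(tamper(body, "conf/developer_mode", b"1") + b"\n" + tag, key)
        signed_rejected = False
    except ValueError:
        signed_rejected = True

    return {
        "unsigned_accepted_tamper": unsigned_result == b"1",
        "signed_rejected_tamper": signed_rejected,
        "signed_accepts_genuine": restore_signed(signed, key) == original,
    }


if __name__ == "__main__":
    print(demo())
```

The HMAC here means the verifier holds a secret; a vendor would normally sign backups with an asymmetric key so the device only needs the public half, and would bind the tag to a device identity and a version counter so one device’s backup cannot be replayed onto another. The property that matters for the jailbreak is simply that a verify step exists before restore and is not skippable.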

Neuralic warns that consumers tinker with the device entirely at their own risk. “You shouldn’t be able to do any permanent damage, but make sure to backup before playing with anything,” he cautions. “I take no responsibility for damage to your device.”

RIM is reviewing what to do following the release of the PlayBook jailbreak tool.

“RIM is aware of reports that a security researcher has released a tool designed to allow BlackBerry PlayBook users to jailbreak their tablet. RIM is following its standard security response process to investigate the functionality and impact of this tool and if needed, RIM will develop, test, and release a software update that is designed to minimize the potential adverse impact to our customers,” the firm said in a statement, Kaspersky Labs’ Threatpost blog reports.

The BlackBerry PlayBook tablet is the latest in a growing list of fondleslabs to be rooted, following hacks on the Amazon Kindle Fire and other devices before it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/07/blackberry_playbook_jailbreak_release/

Oz rail company sold USB keys from lost property in auction

Someone in RailCorp will be nursing a bruised ego after selling a pile of USB keys lost on trains in the authority’s regular lost property auction.

It may have never raised an eyebrow, except that the keys were bought by the keen-eyed Paul Ducklin of Sophos. What Ducklin thought of as a good source of research into user habits has consequently turned into a shouting match over privacy.

Certainly Ducklin’s research into the keys he picked up at the auction reveals a nation of overconfident users. Extracting the metadata from the keys – he emphasised, both in this blog post and on the telephone to The Register that nobody at Sophos viewed any private data – he discovered that none of the keys were encrypted (or had any kind of access control enabled), and two-thirds were infected with malware.

The pervasive problem of USB data leakage also popped up, with CAD files, meeting minutes, tax deductions and the like turning up on the keys.

On its own, that would have made a story, but the second story – the bruiser for RailCorp – was that the rail authority made no attempt to wipe the keys before selling them. This is at odds with the policies that dictate that more sensitive devices like PCs and mobile phones are wiped before sale.

According to SC Magazine, this brought a slap from the NSW privacy regulator, which stated that RailCorp “should be cleaning these USBs” before sale.

The Register was also moved to wonder whether someone’s lost USB stick might still be protected by laws that prohibit unauthorised access to private data.

Ducklin is not a lawyer, but the point hadn’t escaped him. He emphasised that in analysing the keys, Sophos didn’t open any private user files – rather, it created a script to scrape out information like filenames, and made its inferences from the filenames.
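A filename-only survey of that kind is straightforward to build so that it provably never reads file contents. The script below is an added example for this page, not Sophos’s script; the extension-to-category mapping, the autorun.inf heuristic and the directory tree it builds as a stand-in for a found USB key are all constructed for illustration. It walks the tree with `lstat()` only, so the only things it learns are names, extensions, sizes and timestamps.

```python
"""Metadata-only inventory of a removable drive. Added example; categories are assumed."""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension -> category. Assumed mapping chosen to match the kinds of files the article lists.
CATEGORIES = {
    ".dwg": "cad", ".dxf": "cad",
    ".doc": "document", ".docx": "document", ".pdf": "document",
    ".xls": "spreadsheet", ".xlsx": "spreadsheet",
}
# Filenames that USB-borne malware commonly plants; a heuristic, not a malware verdict.
WORM_INDICATORS = {"autorun.inf"}


def inventory(root) -> list:
    """Record path, extension, size and mtime for every file under `root`.

    Uses lstat() only: contents are never opened, so private data is not viewed.
    """
    root = Path(root)
    records = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            st = p.lstat()
            records.append({
                "path": p.relative_to(root).as_posix(),
                "ext": p.suffix.lower(),
                "size": st.st_size,
                "mtime": int(st.st_mtime),
            })
    return records


def summarise(records: list) -> dict:
    """Aggregate what the filenames alone reveal."""
    by_cat = Counter(CATEGORIES.get(r["ext"], "other") for r in records)
    indicators = sorted(r["path"] for r in records
                        if Path(r["path"]).name.lower() in WORM_INDICATORS)
    return {"files": len(records), "by_category": dict(by_cat),
            "worm_indicators": indicators}


def build_constructed_stick() -> str:
    """Create a throwaway directory tree standing in for a lost USB key (constructed data)."""
    root = tempfile.mkdtemp(prefix="lost_usb_")
    layout = {
        "drawings/site-plan.dwg": 2048,
        "minutes/board-2011-11.docx": 1024,
        "tax/deductions-2010.xlsx": 512,
        "holiday/IMG_0001.jpg": 4096,
        "autorun.inf": 64,
    }
    for rel, size in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\0" * size)  # placeholder bodies; never read back
    return root


if __name__ == "__main__":
    print(summarise(inventory(build_constructed_stick())))
```

Run against a real mounted key, `inventory()` would be pointed at the mount point and the drive mounted read-only first, so that even the act of surveying it changes nothing on the device.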

Also, under the legislation covering railway lost property, unclaimed objects eventually become the property of RailCorp. Since it, as the owner of the devices, on-sold them to Sophos, this should cover the “authorisation” question: by the time it analysed the USBs, Sophos was the owner. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/07/railcorp_sells_usb_keys/

Thieves plunder apartment for Facebook booty

São Paulo police are warning of the perils of flashing your wealth on Facebook after a teenager’s snaps of his electronic equipment and foreign holidays on the social network prompted thieves to rob his family’s apartment.

The unnamed 16-year-old was targeted by a student at his school when he “boasted among friends and put the information on Facebook”, according to cop Fabiana do Sena.

The “envious” youngster, also 16, enlisted the help of two adults for the robbery, and provided them with keys he’d stolen from his intended victim a few days previously.

The two men entered the apartment in a middle class area of São Paulo at around 11pm on 29 November, where they held up four people, apparently at gunpoint.

During the heist, one of the perps got a call on his mobile phone and said: “There’s not as much here as you said.”

The pair eventually made off with jewellery, six watches, electronic equipment and R$370 (£130) in cash.

During their escape, they were intercepted by members of São Paulo’s paramilitary police, and shot during a gun battle. They later died in hospital.

The teenager who instigated the robbery claimed he’d been pressured into it, Sena said.

The officer concluded: “Adolescents put personal information on these websites. It’s important that parents advise them not to do this.” ®

Bootnote

Muito obrigado to Eloi Assis for the tip-off.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/07/facebook_booty/

ICO smacks Welsh council with record £130k fine

Data privacy watchdogs have fined Powys County Council £130,000, the highest fine the ICO has ever levied, for failing to protect the personal data of vulnerable young people.

The Information Commissioner’s Office got out the big stick to punish the Welsh council after it sent details of a child protection case to the wrong recipient, as a statement by the ICO explains.

Two separate reports about child protection cases were sent to the same shared printer. It is thought that two pages from one report were then mistakenly collected with the papers from another case and were sent out without being checked. The recipient mistakenly received the two pages of the report and knew the identities of the parent and child whose personal details were included in the papers. The recipient made a complaint to the council and a further complaint was also submitted by the recipient’s mother via her MP.

In a horrible twist, the serious privacy breach follows a similar but less serious incident in June last year, when a social worker sent information relating to a vulnerable child to the same recipient. The ICO also made it clear that the recipient knew the parent/s and the child/s named in the reports in both instances.

Powys was advised to introduce mandatory training and to tighten up its security measures following the first incident. Its failure to apply this properly has resulted in the whopper fine, which will ultimately come out of the pockets of local council tax-payers. The council has also been served with an enforcement notice.

The penalty is the highest that the ICO has served since it received the power in April 2010. Most but not all of these fines have been levied against local authorities, who seem particularly lax about data security. The ICO also fined ACS:Law, the one-man law firm which controversially harried alleged file-sharers, over a security breach arising from a hack attack.

Assistant Commissioner for Wales Anne Jones said: “This is the third UK council in as many weeks to receive a monetary penalty for disclosing sensitive information about vulnerable people. It’s the most serious case yet and it has attracted a record fine. The distress that this incident would have caused to the individuals involved is obvious and made worse by the fact that the breach could have been prevented if Powys County Council had acted on our original recommendations.

“The ICO has also issued a legal notice ordering the council to take action to improve its data handling. Failure to do so will result in legal action being taken through the courts.

“There is clearly an underlying problem with data protection in social services departments and we will be meeting with stakeholders from across the UK’s local government sector to discuss how we can support them in addressing these problems,” she added.

Christian Toon, European head of information security at information management services firm Iron Mountain, said the Powys breach highlighted the need for user education.

“In so many cases these incidents are the result of carelessness and lack of thought rather than any malicious intention,” Toon said. “Having said that, the public has the right to expect that information about them is handled with care at all times. For public sector organisations this should mean committing to regular staff training and the creation of robust guidelines that everyone understands and buys into – employees must be encouraged to think before they act.”

“There is no excuse; basic errors such as printing highly sensitive and private child protection reports to a shared printer should not be happening in a modern and accountable government organisation,” he concluded. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/07/welsh_council_record_ico_fine/

Row over Korean election DDoS attack heats up

A political scandal is brewing in Korea over alleged denial of service attacks against the National Election Commission (NEC) website.

Police have arrested the 27-year-old personal assistant of ruling Grand National Party politician Choi Gu-sik over the alleged cyber-assault, which disrupted a Seoul mayoral by-election back in October.

However, security experts said that they doubt the suspect, identified only by his surname “Gong”, had the technical expertise or resources needed to pull off the sophisticated attack. Rather than knocking the NEC website offline, the attack made a portion of the website – offering information on voting booth locations – inaccessible.

Despite this issue resembling a technical fault rather than a DDoS attack, the incident is being treated as a criminal attack by the police, who have arrested Gong and charged him along with three others.

Police said that the “attack”, which lasted for more than two hours, was launched using a total of 10 wireless internet connections, including five T-Login and five WiBro connections. Police speculated that this was either a way of making it harder to thwart the attack or an attempt to complicate police efforts to investigate the assault. A police official told Korean daily newspaper The HankYoreh: “This went beyond simply using zombie PCs and wireless internet to launder IP addresses. It was a sophisticated attack.”
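The profile the police describe, a couple of hours of traffic against one section of a site from a handful of connections, is also the kind of thing a web server’s own access log will show, and it looks quite different from an outage. The detector below is an added example for this page, not anything from the NEC or Korean police investigation; the log lines it analyses are constructed (the addresses come from documentation ranges, the date is a placeholder) and the thresholds are assumptions to be tuned per site. It parses combined-format access logs, groups requests by path, and flags any path whose traffic is dominated by a small pool of source addresses.

```python
"""Spot a request flood aimed at one URL path from a small pool of sources.

Added example with constructed log data; thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx combined log format, fields up to the status and size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str):
    """Return {ip, path, ts} for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "path": m["path"].split("?", 1)[0],
            "ts": datetime.strptime(m["ts"], TS_FMT)}


def flag_concentrated_paths(lines, min_requests=200, max_sources=20, top_share=0.9):
    """Flag paths with >= min_requests where <= max_sources addresses made them,
    or where the busiest max_sources addresses account for >= top_share of them."""
    per_path = defaultdict(Counter)
    span = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        per_path[rec["path"]][rec["ip"]] += 1
        lo, hi = span.get(rec["path"], (rec["ts"], rec["ts"]))
        span[rec["path"]] = (min(lo, rec["ts"]), max(hi, rec["ts"]))
    findings = []
    for path, ips in per_path.items():
        total = sum(ips.values())
        if total < min_requests:
            continue
        top = ips.most_common(max_sources)
        share = sum(n for _, n in top) / total
        if len(ips) <= max_sources or share >= top_share:
            lo, hi = span[path]
            findings.append({"path": path, "requests": total, "sources": len(ips),
                             "top_share": round(share, 3),
                             "top_ips": [ip for ip, _ in top[:10]],
                             "minutes": round((hi - lo).total_seconds() / 60, 1)})
    return findings


def constructed_log():
    """Constructed sample: 50 ordinary visitors, then 10 addresses hammering one path."""
    kst = timezone(timedelta(hours=9))
    base = datetime(2011, 10, 26, 6, 0, 0, tzinfo=kst)  # placeholder date
    lines, n = [], 0

    def emit(ip, path, status="200"):
        nonlocal n
        ts = (base + timedelta(seconds=n)).strftime(TS_FMT)
        lines.append(f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512')
        n += 1

    for i in range(1, 51):
        emit(f"203.0.113.{i}", "/")
        emit(f"203.0.113.{i}", "/voting-places?q=gangnam")
    for _ in range(60):
        for j in range(1, 11):
            emit(f"198.51.100.{j}", "/voting-places?q=x", "503")
    return lines


if __name__ == "__main__":
    for f in flag_concentrated_paths(constructed_log()):
        print(f)
```

The legitimate visitors and the flood both hit /voting-places, but the ten attacking addresses supply over 90 per cent of the requests, which is what the `top_share` test catches; a genuine server fault would show the same path failing for every source address in proportion. Windowing the counts by time (per five minutes, say) rather than over the whole file is the obvious next step for a production version.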

Opposition groups argue that the early morning timing of the attack was carefully designed to disrupt the voting of young commuters, who are more likely to vote for opposition (liberal) candidates. They want to force a parliamentary audit or special prosecutor’s investigation if the police investigation fails to get to the bottom of the attack.

Gong continues to protest his innocence, a factor that has led opposition politicians to speculate that he is covering up for higher-ranking officials who ordered the attack.

Democratic Party politician Baek Won-woo told The HankYoreh: “We need to determine quickly and precisely whether there was someone up the line who ordered the attack, and whether there was compensation.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/07/korean_election_ddos_row/

‘Evil’ pleads guilty in Platform Networks case

David Noel Cecil, who earlier this year was arrested on accusations that he had hacked into computers operated by Platform Networks, has pleaded guilty to two counts of causing unauthorized modification of data.

Cecil, who launched the attack under the moniker “Evil”, entered the plea via his solicitor Peter Ringbauer, according to the Central Western Daily.

The attack on Platform Networks earlier this year led to a flurry of entirely inaccurate but distressingly persistent stories that Australia’s National Broadband Network had been hacked. Nothing of the sort happened: Platform was signed on as an NBN retail service provider, but had not yet gone live on the service.

That widespread cluelessness, partly fuelled by early police statements that the attack “threatened Australia’s cyber-infrastructure”, eventually drew an angry response from NBN Co CEO Mike Quigley that there was no threat to the NBN infrastructure.

Cecil still faces a further 48 charges, though the Central Western Daily quotes Ringbauer as stating that many of the individual incidents occurred within seconds of each other. It is therefore feasible that prosecutors may consolidate these into a smaller number of charges when the matter returns to Orange Local Court on December 16. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/12/06/evil_pleads_guilty/