STE WILLIAMS

Team HP: Cloud Police

When HP announced it was exploring options for its PC business, the company said it’d move into the more profitable arena of enterprise solutions. From a speech given at HP’s yearly Security conference yesterday, the titan is eyeing up cloud security as a big growth area.

Policing the cloud and monitoring employee mobiles are two of the big challenges businesses face in the next few years, said Tom Reilly, HP VP and general manager for Enterprise Security Products. HP wants to be there, selling them ways to fix it.

Businesses will need help storing information safely in the cloud, and the increasing number of staff bringing smartphones and tablets into work makes for another security headache, Reilly said, according to a report of the speech on AllThingsD.

This is the seventh year of HP’s annual cybersecurity symposium Protect 2011 and the largest to date, according to their press release. Reilly himself is a buy-in from cyber-security firm ArcSight which HP acquired in 2009.

HP has signalled its interest in the cloud before: CEO Leo Apotheker talked cloud in March this year at the HP Summit in San Francisco. Though some of its efforts to become a cloud-computing business have come under criticism, as The Reg explores here, this is the area the company is propelling itself into after deciding – probably – to drop the personal-system hardware side of its business in August.

A recent spate of press releases by Hewlett Packard emphasises its focus on cloud services – particularly cloud security services: “Government leaders talk cloud, cost savings with HP”; “Innovating today for the network demands of tomorrow”; and “HP Research Reveals 56 Percent Rise in Cost of Cybercrime”.

Looks like that’s where they see the money. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/hp_position_themselves_as_the_cops_of_the_cloud/

GlobalSign says ‘isolated’ webserver was hacked

Web authentication authority GlobalSign, which voluntarily suspended operations last week while it investigated claims its security was breached, said it has uncovered evidence that one of its servers has been compromised.

“The breached web server has always been isolated from all other infrastructure and is used only to serve the www.globalsign.com website,” the authorized issuer of secure sockets layer certificates said in an advisory published this weekend. “At present there is no further evidence of breach other than the isolated www web server. As an additional precaution, we continue to monitor all activity to all services closely.”

The certificate authority went on to say that it’s in the process of bringing its systems back online and expects to begin processing orders on Tuesday.

GlobalSign’s notice that it was hacked comes two weeks after the discovery of a counterfeit SSL credential issued by disgraced certificate authority DigiNotar that was being used to spy on people in Iran as they visited Gmail and possibly other Google properties. Over the following week, an account holder on Pastebin.com published a file signed with the private key of the bogus Google certificate, proving he had close ties to the person or people behind the attack. The person claimed to have access to GlobalSign and three other certificate authorities, but provided no proof.

GlobalSign responded by temporarily suspending its operations while it investigated the claims. It brought in Dutch security auditor Fox-IT to assist. Fox-IT also worked with DigiNotar following its security breach.

With its admission, GlobalSign’s breach becomes at least the seventh time an entity that issues SSL certificates has been hacked this year. Four resellers of Comodo have been compromised, including one that allowed the attackers to mint fraudulent credentials for GMail and six other sensitive addresses. A similar attack hit Israel-based StartSSL, but the attackers didn’t succeed in securing the bogus certificates.

In March, the Pastebin account holder published a private key for the fraudulent Google certificate issued by a Comodo reseller, proving the individual also had close ties to at least one of those hacks.

Last week, Mozilla responded to the DigiNotar attack and its aftermath by requiring all certificate authorities included in the Firefox and Thunderbird programs to perform similar security audits and ensure that their systems use two-factor authentication when issuing certificates. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/globalsign_security_breach/

Printable mini-display tech draws power from NFC devices

Cambridge-based PragmatIC has produced an NFC-enabled label with a built-in screen that picks up power from the device reading the tag, surely worth £600,000 of anyone’s money.

The technology involves printing a tag with an embedded Near Field Communications transponder, but one that also incorporates a small screen powered by the same induced current used to run the transponder. The screen can only display one image, and only for a few seconds, but is thinner than a human hair and really cheap.

[Photo: induction-powered screen. The screen is top right, and stays active for 2-3 seconds following a read.]

We mention the development cost of £600,000 as half the cash came from the UK Government’s Technology Strategy Board, which feeds money from the Department of Business, Innovation and Skills into the UK technology industry.

In this case the development was done by Cambridge-based PragmatIC and Hampshire’s DeLaRue – the latter being a big name in the secure-printing industry (found on chequebooks, credit cards and the like).

NFC tags draw power from the device being used to read them (be that an NFC phone or other reader). That power can be used to transmit an identity number or complete some sort of cryptographically secured challenge/response process, depending on the level of security required. The Remotely Activated Interactive Labels (RAIL) developed by PragmatIC use that same power to light up the screen, which fades a few seconds after the power is removed.

It is possible to imagine a tag hanging on a piece of clothing that displays a logo only when the tag is read to prove that it’s genuine, and DeLaRue reckons this is comparable to the hologram that adorns credit cards to make them harder to copy. But we can’t help feeling that once you’re reading the NFC tag then the cryptographic challenge should weed out counterfeits a lot more effectively than a monochrome logo.

So it is a cool technology: an induction-powered screen which can be printed using conventional hot lamination processes and embedded in just about anything. Now the companies involved just have to find something interesting in which to embed it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/nfc_powered_screen/

Rubbing an iPhone on your face won’t cure acne

The Federal Trade Commission has fined two developers who claimed their mobile apps could cure acne with flashing colour, but there’s still plenty of snake-oil on sale.

Colour therapy for acne does have medical credentials, but the FTC’s ruling is clear that the frequencies generated by a smartphone screen aren’t even close to what’s needed, making the claimed cures baseless and forcing the developers of AcnePwner (Android) and AcneApp (iPhone) to cough up $1,700 and $14,294 respectively.

Around 3,300 Android users apparently shelled out 99 cents for AcnePwner, while 11,600 iPhone users had to pay twice that for AcneApp. Both applications asked users to hold the phone screen against the skin for a few hours every day, during which it would flash suitable colours: AcneApp even cited a report from the British Journal of Dermatology to back up its claims.

A little basic arithmetic shows that even after paying off the FTC, Andrew N Finkle (developer of AcnePwner) will be up more than $500, while Koby Brown and Gregory W Pearson (responsible for AcneApp) will be almost two grand in pocket – not as rich as they thought they were, but the fine wouldn’t be much of a deterrent either.

“Smartphones make our lives easier in countless ways, but unfortunately when it comes to curing acne, there’s no app for that,” says the canned quote from FTC Chairman, Jon Leibowitz, which is loverly except for the fact that there are still plenty of apps claiming to cure acne (and just about everything else) through secret diets, prayer and the power of subliminal messages.

Oddly enough, quack medicine seems less prevalent in the Android Marketplace, compared to iTunes, but while it would be great to attribute that to the gullibility of Apple users, it’s more probably a result of the size of the iTunes app store – after all, we know that iPhone users are already physically perfect specimens of humanity.

Apple did kick the psychic wart-remover out of the iTunes store, last year, so it will take action against wildly fraudulent claims. The two apps targeted by the FTC seem to have incurred its ire by claiming to apply a genuine therapy (colour treatment), making them too credible to be allowed to last.

But curing acne by positive thinking engendered through subliminal messages, for example, falls between the obviously false and the medically unproven, so such apps remain available for those who are short on snake oil. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/acne_cure_app/

MS inadvertently offers early peep at September patches

Microsoft inadvertently published details of the patches it plans to publish on Tuesday following a slip-up by its security gnomes last week.

Patch Tuesday pre-alerts normally reveal little more than the applications Microsoft intends to update and the severity of the vulnerabilities addressed. However this month the software giant leaked details of the security holes it plans to close: five fairly run-of-the-mill updates that affect Office and Windows and have a maximum severity rating of “important”.

Vulnerability management experts and Microsoft are downplaying the significance of the leak.

Wolfgang Kandek, CTO of security outfit Qualys, commented: “While the information is interesting and certainly helpful for us (it makes life somewhat easier for our QA lab) I don’t believe there is any heightened security risk with the early exposure.”

“If the patches (i.e. the binaries) themselves had been revealed then indeed it would give attackers a 4-day head start,” he added.

Microsoft Security Response admitted the problem on its Twitter feed on Saturday, adding that it had deleted the text. “Some of you may have seen an early peek at Tuesday’s draft bulletin text, we’ve since removed the content,” it said. “Stay tuned for Tuesday.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/ms_spills_patch_tuesday_low_down/

Man City boss quits over cancer email

Manchester City chief executive Garry Cook has resigned over allegations he sent an offensive email that made light of a cancer sufferer’s plight.

The email, meant for City’s director of football Brian Marwood, reached Dr Anthonia Onuoha, the mother of City defender Nedum Onuoha at a time she was both recovering from cancer and negotiating her son’s future at the club last October, The Guardian reports.

Dr Onuoha sent Marwood and Cook a message at the time stating that although she was “ravaged with cancer” she would still be negotiating on behalf of her son. She received a reply from the club in response addressed to “Brian”, that said: “Ravaged with it!! … I don’t know how you sleep at night. You used to be such a nice man when I worked with you at Nike. G.”

The email returned to embarrass the club 10 months after it was sent when Dr Onuoha went to The Sun to tell the paper of her hurt and distress.

Dr Onuoha told The Sun: “When I opened my emails and saw the message, it was the worst day of my life, even worse than being diagnosed with cancer. I couldn’t understand how anybody could behave like that. I just cried and cried for hours. I’m critically ill and at that point I was undergoing chemotherapy. I was just so shocked but I couldn’t tell Nedum or any of my family because I didn’t know how they would react.”

Cook initially claimed that an unidentified hacker had sent the contentious email, and that the culprit had been identified and disciplined. However an internal investigation by the club, which is seeking to build a global brand and sensitive of its reputation, dismissed this line.

Following the investigation, Cook admitted an “error of judgement” and tendered his resignation, which has been accepted, as an MCFC statement explains.

Cook is credited with doing a very good job during his three years at Manchester City, despite the occasional gaffe. For example, he built a shelter for supporters queuing outside the ticket office after seeing fans queuing in the rain.

His blunders included describing controversial former City owner Thaksin Shinawatra as a “great guy to play golf with”. He also raised eyebrows with claims that former world football player of the year Kaka “bottled it” in deciding not to move to Eastlands from AC Milan in January 2009. ®

Bootnote

We wouldn’t be surprised in the least if the incident was used to sell Data Leak Prevention technology, a filtering technology designed to block the accidental or deliberate extraction of sensitive content outside corporate boundaries, to Manchester City.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/man_city_boss_resigns_over_cancer_email/

Hacker defaces Irish Catholic paper: ‘Gotta love false hope’

A security breach has left several sites including the Irish Catholic defaced.

Atheistic hackers defaced the paper’s site at http://www.irishcatholic.ie/site on Sunday with a message mocking religion that also fired barbs at a site admin.

The message, headed, You.Got.Taken (screenshot below), states: “The Irish Catholic – Ireland’s biggest and best-selling Catholic newspaper since 1888 is currently hacked We should be back shortly. Thank you for your patience. And wish you to continue beliveing in your false religion.”

“Gotta love false hope,” it adds.

Unusually the defacement goes on to criticise the administrator of the site by name. “Get your act together. Several large sites on one server? Not a smart move Aidan Murphy. Watch your data.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/hackers_deface_irsih_catholic_paper/

Crooks rent out TDSS/TDL-4 botnet to the clueless

Cybercrooks have set up a web store that offers rented access to compromised machines on the TDSS/TDL-4 botnet.

The latest version of the TDSS botnet agent bundles a component that turns compromised machines into a proxy connected to awmproxy.net.

AWMproxy – which purportedly accepts payment via PayPal, MasterCard, and Visa – charges between $3 per day and $300 a week to would-be Baron Samedis who don’t have the nous to acquire their own zombies. The site even offers a Firefox add-on to customers, further dumbing down the process.

Applications include surfing the net anonymously with someone else’s IP address or launching cyber attacks, according to security blogger Brian Krebs. Owners of infected systems used to send threats or view images of child abuse could find themselves in legal hot water.

TDSS/TDL-4 is one of the most sophisticated botnets to date. The malware behind the bot uses rootkit techniques to disguise its presence on infected systems.

Krebs did some digging on the public storefront behind the TDSS/TDL-4 botnet. Google Analytics code embedded in the storefront homepage allowed Krebs to find sites with the same code. AWMProxy was established in February 2008 using the email address [email protected], the same email address used to set up other hostile sites including pornxplayer.com and fizot.com.

The now defunct fizot.com was registered by Galdziev Chingiz of St Petersburg, Russia. Krebs found the [email protected] address was linked with a LiveJournal blog that discusses such matters as life in St Petersburg, earning megabucks and owning a Porsche sports car with a license plate number that includes the Number of the Beast: “666”. Fizot also maintained a YouTube channel that shows a Porsche car with the license plate H666XK [N666HK in the Cyrillic alphabet] zooming around a shopping mall parking lot.

Krebs concludes that although Chingiz may only be “tangentially related” to whoever set up the TDSS storefront he’s likely to know more about the main parties behind the operation. In apparent response to Krebs’ digging, Fizot deleted nearly all of the posts on his LiveJournal account and the YouTube videos. The solitary entry in the LiveJournal blog claims he sold the AWMproxy service some time ago, without providing any details.

Soon after publishing the article last week, Krebs’ site and that of his service provider came under denial of service attack. The security blogger suspects resources on the TDSS/TDL-4 botnet were used to launch the attack but this remains unconfirmed. Krebs’ site has since been returned to normal operations. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/12/tdss_rented_botnet_shenanigans/

9/11: The day we lost our privacy and power

Investigative reporter Duncan Campbell reflects on how 9/11 has torpedoed resistance to intrusion and undermined privacy rights born of earlier struggles. It may, irreversibly, have changed the way we think.

9/11 was a savage nightmare that took too long to happen for some in the West.

For 12 fallow years, from the fall of the Wall to the fall of the Towers, there was a brief golden period in which no great common enemy menaced all unseen beyond the distant horizon. There was no simple spectre of fear on which to construct, fund and operate surveillance platforms, or reason to tap data funnels into society’s communications and transport arteries.

Through the ’90s, in debates about the control of communications and electronic security measures – amid a US-led hue and cry for government control of all cryptography (remember the “Clipper Chip”?) – the “what if” question hung always in the mouths of the proponents of more control. What if terrorists had a nuke? A new virus to plague civilisation?

But the bad guys largely stayed off stage. The inter-Irish conflict that had dogged the UK had subsided into a peace process. There was a global terrorist shortage.

Then the catastrophe hardliners had secretly longed for was on everyone’s screens, providing the justification for rafts of intrusive new surveillance measures. The common criminality that caused carnage in New York and Washington was elevated to a war that became the GWOT, the global war on terror that endures today.

It seems that on that day, and for the sake of that war, civil society’s power to control surveillance of the wired world has eroded, and with it the moral authority to impose controls on what shall be done in security’s name. The zeitgeist has changed.

Much aided and abetted by the internet giants’ readily expressed contempt for privacy in the rush to monetise their customers and their customers’ data, the long-term legacy of 9/11 is that new generations are being schooled to no longer see or understand why control of personal information may really matter, and why in history it does and did matter.

“Warrantless wiretapping” of the internet and other intrusions have become a fact of life. When secret agreements made by the US National Security Agency (NSA) to access American telephone and cable networks started to become public in 2005, it was soon apparent that they had been made unlawfully, on the basis of questionable and undisclosed secret authorities from the Bush White House given after 9/11.

Privacy advocates fight back

But when lawsuits started by the Electronic Frontier Foundation and other privacy advocates started to gather traction, the rules were changed. Supported, sadly, by Senator Obama before his election, the lawmakers handed out get-out-of-jail-free cards indemnifying the communications companies and their executives from prosecution and lawsuits. GWOT was their trump card.

Once, we did understand. Twenty-five years ago, Independent science correspondent Steve Connor and I wrote a tome about Britain’s Databanks and the effect of growing data processing on civil society. Steve had located Britain’s first ever vehicle Automatic Number Plate Recognition (ANPR) device, a washing-machine-sized contraption planted on a motorway bridge near St Albans. It heralded the potentially tyrannical ultimate development of a nationwide movement surveillance. We both reached for and proclaimed words from early reviews of data protection laws that had warned that new sensors and new software such as free text retrieval (FTR) raised “new dimensions of unease”.

A quarter-century on, these words are all but unsayable. The thoughts no longer fit the world. Every sort of record is analysed in every way. A vast nationwide ANPR network is in place and growing every week, collating years of movement records in a Hendon database for potential analysis for any purpose. Every traveller, whether of current interest or not, has her or his movements logged. There was no parliamentary debate. Only on one occasion, in Birmingham, has an ANPR network been rolled back from a community targeted for intense surveillance.

For now, ANPR sensors placed around Britain’s roads remain marginally distinguishable from “ordinary” traffic cameras and CCTV (since they feature infrared illuminators and require at least one camera per lane). But that will change within less than a decade, as the signatures of these and other new surveillance devices vanish to invisibility.

For this writer, the political effect of 9/11 was immediate, personal and direct. Six days before the towers came down, the European Parliament had passed 25 recommendations for securing domestic and international satellite communications from the Anglo–American surveillance system known as Echelon.

I had uncovered and first reported on the Echelon network in 1988. It took a decade more for its significance to become widely known, mainly because of further investigation and revelations by New Zealand investigator Nicky Hager in his book Secret Power.

Although now widely mis-described in web chat as a generalised surveillance octopus, Echelon’s purpose and hardware were quite specific. In 1969, new receive-only satellite ground stations were built in Cornwall, UK and West Virginia, USA, and soon after around the world, to copy and analyse all international satellite communications.

That part of all international communications which was digital – communications addresses, data streams, faxes and telexes – was fed into early text-recognition software, the Echelon Dictionary, and then extracted and fed out.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/10/how_september_11_changed_our_world/

Apple finally purges Mac OS of disgraced DigiNotar certs

Apple has finally purged the imprimatur of disgraced web authentication authority DigiNotar from its Mac operating system.

In an update released Friday, Apple removed multiple DigiNotar root certificates from the Lion and Snow Leopard versions of Mac OS X. The move came nine days after the discovery that the Netherlands-based authority issued a counterfeit SSL certificate for Google.com that was used to spy on people in Iran. An investigation later revealed that DigiNotar had failed to warn browser makers that it issued at least 531 bogus credentials following a security breach that gave attackers free rein over its certificate issuance system for weeks.

Within hours of the discovery, Google and Mozilla issued updates that caused their browsers and email programs to reject most SSL certificates issued by DigiNotar. Users of Windows Vista and later versions of the Microsoft operating system were also protected, although it wasn’t until earlier this week that Windows XP users received the same defense.

Apple’s delayed response comes in sharp contrast. Not only has it taken longer to issue the update, but it didn’t utter a peep of warning to its users in the intervening time. At time of writing, there were no updates available that purged the untrustworthy DigiNotar root certificates from iOS, meaning iPhone and iPad users are still vulnerable to fraudulent DigiNotar certificates.

Users of Google’s Android OS for smartphones also remain wide open.

The threats Apple and Google have failed to protect their users against are by no means theoretical. At least one of the certificates has already been encountered by at least 300,000 people, mostly in Iran, as they accessed Gmail or other protected Google services. Trend Micro has more details about the certificate here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/apple_purges_diginotar_certificates/