STE WILLIAMS

Man sentenced to 14 years for mass credit card theft

An Indiana man was sentenced to 14 years in prison for selling counterfeit payment cards that caused more than $3 million in losses.

Tony Perez III, 21, received the sentence on Friday, five months after pleading guilty to one count each of wire fraud and aggravated identity theft. He was also ordered to forfeit more than $2.8 million in proceeds and pay a $250,000 fine.

In his plea, Perez admitted he ran an online operation that sold payment cards encoded with stolen account information. He frequented underground carding forums, where he received stolen credit card information.

When the US Secret Service raided his apartment in June 2010, they found data for 21,000 stolen credit cards and the equipment needed to encode them onto blank cards. Credit card companies said losses from the card numbers in Perez’s possession topped $3 million.

More from the Department of Justice is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/carder_sentenced/

Unisys gets ‘stealthy’ with secure virtual terminal

Rich people and public sector workers can now get the kind of network security that used to be reserved for military organizations.

Unisys is known mostly for its ClearPath mainframes and various outsourcing and other services that it sells to financial, transportation, and retail companies and various governments that buy its gear. But the company has been trying to leverage a set of network encryption technologies called Stealth – which was originally created for system security contracts with the US Department of Defense and NATO – and turn it into a new software product or service.

Unisys has talked about Stealth before, launching an appliance using the data encryption technology created for the military to secure the networks and storage used on public clouds back in July 2009. A few months later, in November 2009, the company debuted a version of the Stealth appliance to secure private clouds.

And now, Unisys is embedding Stealth network security in a USB stick that will allow anyone to plug this USB stick into any machine and access a set of application interfaces and networks addresses burned onto the stick – and do so over any network, including public ones, and do so securely.

Unisys worked with partner Security First, which created a program called SecureParser that adds two layers of encryption and some packet obfuscation to data transmitted over a network (data in flight) or stored on a disk or flash drive (data at rest). The Stealth algorithms created by Unisys and Security First employ a technique called cryptographic bit splitting, which randomly breaks data down into bits, bytes, or blocks and then encrypts it as it is passed around the network or stored on media.

These chunks of data are parsed with one security key, and then the packets are wrapped up in AES-256 encryption using a different security key. The result is that even if you do deep packet inspection on data in flight, you can’t figure out how to reassemble it into its original form unless you know how the SecureParser works and have its key.

The Stealth encryption and obfuscation is the result of an RFP that Unisys participated in back in 2005 with the DoD, Mark Feverston, vice president of data security solutions at Unisys, tells El Reg. This RFP called for security to be managed by person or device, not by location on the network; had to run with applications unchanged; had to be maintained by people in the field; and it also had to be able to be run over public, private, and military networks – including enemy networks if it came to that.

The Stealth Secure Virtual Terminal (SSVT) USB stick is a device that complies with the US government’s FIPS-140 security standard for hardening electronic devices. It self-destructs (electronically, not explosively) if you try to tamper with it. The USB stick has three parts. The first is a custom ASIC that has been etched to run the Stealth cryptographic bit splitting algorithm.

Then there is some ROM to hold encryption and bit-splitting keys as well as the custom splash screens and network IP addresses of the applications you want a user to be able to access once they plug into a machine that is attached to a network. There is a third chamber in the USB stick for an optional chunk of read/write flash memory, but Feverston says that a lot of customers don’t want to enable this feature. The Feds certainly don’t.

The SSVT USB stick has been rated at the EAL4+ Common Criteria security level so it can run on the NSA’s networks and is qualified to handle classified and secret materials (but not yet top secret stuff). It blocks screen scraping, downloading, and other capabilities on a PC and really only lets end users access the screens of applications on a precise network that are enabled in the SSVT.

One initial use case that Unisys is peddling the SSVT for is banking, giving the USB sticks to wealthy clients or treasury departments at corporations that need better security than a password or RSA dongle can give. The Feds are also interested in using SSVT to enable teleworkers that handle sensitive material.

Unisys will sell you the hardware and software stack to manage the Stealth network protection and burn you some USBs for your applications; it costs on the order of a half million dollars to set it up for 1,000 users, according to Feverston. Or you can run it as a service for $40 per user per month and let Unisys manage the Stealth encryption. You can’t use any of the Stealth tools in countries where the State Department has instituted export controls in retaliation for sponsoring terrorism or trafficking arms. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/unisys_secure_virtual_terminal/

W3C announces web-tracking privacy protection group

The World Wide Web Consortium (W3C) has announced the creation of a Tracking Protection Working Group to address online privacy concerns, but the task of getting all the players to agree on what standards should be adopted could yet be a sticking point.

It said the group had ambitious plans to publish standards as early as mid-2012.

The first meeting of the collective takes place on 21-22 September.

“Our task here is to deliver a set of standards that enables individuals to express their preferences and choices about online tracking, and enables transparency concerning online tracking activities for users and the public alike,” said the W3C in a blog post yesterday.

“Mechanisms that enable the enforcement of these preferences will be another important element of the work. At the same time, many business models on the web as we know it rely heavily on advertising revenue.”

The group noted that data watchdogs in Europe and the US were asking online publishers and advertisers to agree on a so-called Do-Not-Track standard.

Microsoft and Mozilla have already been working on what some might consider to be “technical solutions” to the problem many netizens have with being tracked by ad outfits online.

The W3C said that Microsoft and Mozilla’s proposals would provide the basis for the group’s work.

However, as is so often the case with establishing standards industry-wide, not everyone agrees on the Do-Not-Track mechanism that’s already available, for example, in Mozilla’s Firefox 6 browser.

Google and Opera Software don’t support DNT.

“A critical element of the group’s success will be broad-based participation: we look forward to having browser vendors, search engines, advertising networks, regulators, civil society actors, and many other interested parties involved in the work that we’ll do,” said the W3C.

The Tracking Protection collective has taken on a pair of “industry-sponsored co-chairs” to lead the group.

It said that Aleecia M McDonald, who recently joined Mozilla as senior privacy researcher, had signed up to the task.

However, the other chair remains anonymous for now. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/do_not_track_w3c_working_group/

Google tells Iranians: Change your Gmail password

And check for forwarding to the Revolutionary Guards

Google has issued a blanket instruction advising Iranian users to check if their Gmail accounts might have been hacked before changing their passwords.

The move follows the compromise of Dutch SSL certificate authority DigiNotar. Hackers created fake SSL certificate credentials for Google.com and many other domains. These fake Google credentials were used to run man-in-the-middle attacks against Gmail users in Iran, according to an examination of authentication look-ups logs at DigiNotar and other evidence.

Parties who obtained compromised access to Gmail accounts as a result of the hack might have added instructions to forward all received messages to another account. For that reason, Google is asking its Iranian users not only to change their passwords but to review their account settings for any signs of unauthorised changes, including alterations to account recovery options. Other Google apps, such as Google Docs, also need reviewing, as net security firm Sophos notes. Its advice on how to guard against Gmail account hacking more generally can be found here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/gmail_diginotar_security_alert/

Al Gore wants to borrow your Facebook and Twitter accounts

Would you trust someone else with your Facebook account, giving them enough access to post status updates on your behalf? What if that person was Al Gore and it was all for a good cause?

Yes, the latest frontier in online activism has been breached by Gore and the kids over at the Climate Reality Project, who want you to donate your Facebook and/or Twitter account so they can force your friends to be as active as you are in fighting the Green fight.

The donation would give the folks over there the opportunity to update and tweet from your accounts the day before, after and of the “24 hours of reality” event on 14 September, when the project will broadcast climate change stories at 7pm in every timezone from 24 cities around the world.

The event hopes to “bring the world together with a clear message: The climate crisis is real and the time to solve it is now”, project spokesperson Eric Young told The Reg.

But why do they want control of your Facebook and Twitter to do it?

The internet is a great way to get a following together and try to change some issue that’s getting under your skin. You don’t have to stand on the side of the street in the rain to get people to sign your petition, you can put it online and get people to sign it from their own homes, as initiatives like FixMyStreet.com or the government’s e-petitions let you do.

But this kind of activism usually lets the social machine promote it or not as it sees fit – something doesn’t trend on Twitter unless people are finding it interesting.

Young insists that the project is “hoping people tell their friends and use their social networks to spread the word” and that donating their accounts is just “one option” of how to post about the event. But a couple of talking heads and security guys, such as Graham Cluley at Sophos, are wondering if this is really such a good idea.

The first issue is security: you’re essentially handing over your Facebook or Twitter account, and the first rule of security is never to give anyone control of your accounts.

Young says the project takes privacy concerns very seriously.

“Our staff will not have access to user accounts other than to publish updates about our event. On Facebook, we set up our ‘donate your status’ program using Facebook’s API and in accordance with their policies,” he said.

So you’re protected as much as you usually are with Facebook, not all that comforting a thought given the amount of fake and/or nasty apps out there. You’re also being asked to trust the staff of the project, which might be considered something of a leap of faith since some activists will use any and all means to get their point across – hacktivism, anyone?

Still, these are supposed to be the good guys, so if you are willing to trust them, there’s still point number two: is this a load of spam to be inflicting on your followers?

There’s also an issue of authenticity. If this is to become a widespread trend, how will you ever know whether your mates on Facebook or the celebs you follow on Twitter really care about these things, or whether they’ve given someone else licence to speak for them?

Young says the program is “completely voluntary” and “any supporters that sign up are able to unsubscribe at any time”.

“We have been pleased and excited by the number of people that have chosen to sign up,” he said.

Authenticity online, and especially on social media, is a contested issue, but most people come down on the side of honesty is the best policy. Regardless of how one feels about Gore’s message, the Facebook takeover project risks overshadowing the issues with a very fake social media experience. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/al_gore_asks_people_to_donate_their_social_media_accounts/

Typo-squatting domains can harvest corporate emails

Typo-squatting domains might easily be used to intercept misdirected corporate emails, according to new research.

Domain typo‐squatting has long been used as a means to expose butter-fingered users who accidentally misspell a legitimate domain to malware. So-called doppelganger domains take advantage of an omission instead of a misspelling, for example missing the dot between host/subdomain and domain.

Security researchers at Godai Group profiled companies in the Fortune 500 for susceptibility to attacks based on this ruse, and found that 151 (30 per cent) were vulnerable.

Doppelganger domains open up the possibility of two types of attack. Attackers could passively set up email honey pots on such domains and wait for mistyped emails to arrive. In this scenario, attackers would configure their email server to vacuum up all email addressed to that domain, regardless of the user it was sent towards. Such catch-all email addresses would pick up email from both internal and external users.

The second type of attack would rely on actively trying to trick a targeted individual or group of individuals into sending email to doppelganger domains. Attackers would typically run the scam by posing as workers in the same company or their business associates. Purchasing doppelganger domains for both a targeted conglomerate and its business partners or bank creates a possible means to run man-in-the-middle (or Man‐in‐the‐MailBox) attacks, the researchers warn.

As an experiment, Godai Group registered doppelganger domains for Fortune 500 firms before passively collecting emails sent to mistyped domains. During a six‐month period, they collected more than 120,000 individual emails (or 20 gigabytes of data). All sorts of sensitive information appeared in this batch including trade secrets, business invoices, personal information of employees, network diagrams, usernames and passwords, etc. All the original data that was collected during the research period has been deleted.

“Essentially, a simple mistype of the destination domain could send anything that is sent over email to an unintended destination,” the GodaiGroup researchers explain.

Although this was outside the scope of the study, the team also noticed network service requests being sent to doppelganger domains. This means that by setting up a fake SSH server, for example, it would be possible to harvest remote access usernames and passwords.

After reviewing the WHOIS information for all Fortune 500 companies, Godai Group noticed that many of the hi-tech firms already had doppelganger domains registered to locations in China. Many of these domains are already associated with malware and phishing, it warns.

Godai Group suggests a series of steps firms can take to address the security risk posed by doppelganger domains. Corporates can purchase such domains or, if they have already been registered, file a domain registration dispute. Alternatively internal users can be prevented from sending mistyped emails to doppelganger domains by either configuring internal DNS not to resolve doppelganger domains or configuring email servers not to send messages to such domains.
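As an added illustration of the dot-omission risk and the outbound-mail and DNS mitigations just described (this is not Godai Group’s tooling and the host names, recipients and sink-hole record syntax are constructed assumptions), the script below derives the doppelganger variants of an organisation’s own mail hosts, holds outbound mail addressed to any of them, and emits resolver records that make those names fail to resolve internally:

```python
# Added illustration of the doppelganger-domain check described above.
# Not Godai Group's tooling; the host names below are constructed.
from typing import Iterable, List, Set, Tuple


def doppelganger_domains(fqdns: Iterable[str]) -> Set[str]:
    """Return the dot-omission variants an attacker could register for each
    legitimate host name, e.g. 'mail.example.com' -> 'mailexample.com'.
    The final label pair (registrable domain + TLD) is never merged, since
    'examplecom' is not a name anyone can register under a real TLD."""
    variants: Set[str] = set()
    for fqdn in fqdns:
        labels = fqdn.lower().strip(".").split(".")
        # A dot can only be dropped between labels that sit left of the
        # registrable domain; 'example.com' alone yields no variant.
        for i in range(len(labels) - 2):
            merged = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
            variants.add(".".join(merged))
    return variants


def classify_recipients(recipients: Iterable[str],
                        blocked: Set[str]) -> Tuple[List[str], List[str]]:
    """Split outbound recipients into (held, allowed). A message is held
    when its recipient domain, or any parent of it, is a known
    doppelganger, so 'x@hr.mailexample.com' is caught as well."""
    held: List[str] = []
    allowed: List[str] = []
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower().strip(".")
        parts = domain.split(".")
        suffixes = {".".join(parts[i:]) for i in range(len(parts))}
        (held if suffixes & blocked else allowed).append(addr)
    return held, allowed


def rpz_sinkhole(blocked: Set[str]) -> List[str]:
    """Emit resolver sink-hole records so internal clients get NXDOMAIN for
    doppelganger names (assumed response-policy-zone syntax, where
    'CNAME .' means 'this name does not exist'; adapt to your resolver)."""
    lines: List[str] = []
    for name in sorted(blocked):
        lines.append(f"{name} CNAME .")
        lines.append(f"*.{name} CNAME .")
    return lines


if __name__ == "__main__":
    # Constructed inventory: the company's own mail hosts plus a partner's.
    own_hosts = ["mail.example.com", "us.mail.example.com",
                 "smtp.partner-bank.example"]
    blocked = doppelganger_domains(own_hosts)
    print("watch-list:", sorted(blocked))
    # Constructed outbound recipients; two of them drop a dot.
    held, allowed = classify_recipients(
        ["alice@mail.example.com", "bob@mailexample.com",
         "carol@hr.usmail.example.com"], blocked)
    print("held:", held, "allowed:", allowed)
    print("\n".join(rpz_sinkhole(blocked)))
```

The watch-list should also include the doppelgangers of business partners and banks, since the research notes those are the pairs used for Man-in-the-MailBox attacks.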

More details of the group’s research on doppelganger domains – as well as details of its suggested mitigation tactics – can be found here (7-page/566KB PDF). ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/typo_squatting_email_harvesting_risk/

Office and Windows fixes star in quiet Patch Tuesday

No criticals for once among the backdoor plugs

September’s Patch Tuesday will include five bulletins, none of which are rated as critical.

The patch batch marks the first update in recent times that omits any critical bugs but that’s not to say it ought to be ignored.

Vulnerability scanning and security services firm Qualys says attention should be directed towards flaws in Microsoft Office which pose a code execution risk. Excel 2003 through Excel 2010 and Office 2003 through Office 2010 will need patching. Another high priority update covers an as-yet-unspecified remote code execution flaw in Windows XP, Windows Vista, Windows 7, Windows 2003 and Windows 2008.

Microsoft’s pre-alert announcement can be found here. Additional commentary from Qualys is here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/ms_sept_patch_tuesday_pre_alert/

Apple plan to rate shops etc by number of iPhones visiting

Apple has patented software that will automatically log the visits of iPhone users to restaurants, stores and businesses and then use the number of visits by Jesus-mobe owners as an indication of how good/popular/worthy-of-a-high-search-ranking that business is.

We’ve known Apple logged our location before, but this is the first time we’ve seen software that connects you to the businesses you patronise, rather than just the GPS co-ordinates. Finally it seems to be a use for the vast amounts of detailed info Apple collects about where we go.

The patent – now spotted by AppleInsider – was filed by Apple engineers Jaron Waldman and Chad Richard on 3 May 2010 and published on 9 August this year. Where location services like Foursquare or Facebook Places require users to fire up an app and hit a check-in button to log their location, all the new Apple system needs to log your visit to Starbucks is for you to be there for a certain amount of time. You won’t need your maps apps open or even to kick the phone out of sleep mode for your visit to be logged. Sinister.

But this is no Foursquare or share-your-favourite-frappuchino-joint-with-friends venture. This is a way for Apple to improve its mobile search facility by harvesting data from its users. Apple will use the popularity of venues with iPhone users as a way to rank them in search results. The information will be anonymous and you can opt out of the system altogether.

Apple’s patent lays out the limitations of the current ways we have of organising location search:

“Search results ordered by proximity do not account for quality of the search result relative to the query. Search results ordered by average-user-ranking are based upon opinions of relatively few people whom take the time to review the location. Search results that are ordered based on advertising dollars also do not take into account quality or desirability and sometimes broaden the criteria for relevance beyond a desirable measure.”

Apple explain that they will ensure anonymity by assigning users a unique ID number. The server which tracks and logs your location will only know the ID number and not your identity. Though we imagine it wouldn’t be impossible to connect the two.

“Data can be anonymously recorded and tracked for individual devices by assigning the device a unique identifier that is separate from any user information. One way to do this is to alert the handheld communication device of its unique ID, and the handheld communication device can report data along with its unique ID. In this way, the server will only be tracking the movements of an anonymous user based on an ID.”

Note that Apple have made sure they are the only ones authorised to use the users’ unique IDs – this isn’t some open feature that app developers will be able to use. This will be a treasure trove of user behaviour information that will accumulate behind Apple’s closed doors.

It seems like an intelligent way to improve search, but a couple of questions occur – what if Apple decides to sell this information off? Chunked up and packaged this could be valuable. What if the police want to know something: will Apple be able to find and track the location of particular users? ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/apple_patent_will_use_iphones_to_check_into_venues/

Firesheep addon updated to exploit Google info leak

Researchers have released a Firefox extension that demonstrates the risks of using Google search services on Wi-Fi hotspots and other unsecured networks: With just a few clicks, attackers can view large chunks of your intimate browsing history, including websites you’ve already visited.

The proof-of-concept addon is an extension of Firesheep, a Firefox extension released in October that streamlined the process of hijacking private accounts on Facebook, Twitter, and other websites. Neither plug-in exploits newly discovered vulnerabilities. Rather, their significance lies in raising new awareness about an architectural weakness that has plagued the web since its beginning.

The newly released addon automatically intercepts SID, or session ID, cookies that Google uses to personalize search results based on an individual’s previous searches. The file is transmitted each time a Google.com website is accessed while a user is logged into her account and can be used to retrieve on average 40 percent of her click history. The cookie is sent in plaintext – in some cases even when a user has deployed services such as HTTPS-Everywhere to force encrypted connections – making it easy to intercept on unsecured networks.

“We extended Firesheep to implement our information leakage attack,” researchers Vincent Toubiana and Vincent Verdot of the Alcatel-Lucent Bell Labs wrote in a recently released paper (PDF). “As a result, when a Google SID cookie is captured, the account name appears in the Firesheep sidebar. Double clicking on it starts the attack; double clicking again displays the retrieved list of visited links.”

A Google spokesman sent a statement that read in part:

We consider the concerns raised by these researchers to be fairly academic in nature and not a significant risk to users. Google Web History and our Web Search suggestion service are served over HTTPS, and we have encrypted the back-end server requests associated with the suggestion service as well. We look forward to providing more support for SSL technologies across our product offerings in the future, including changes that will specifically protect hijacked cookies from being used to access search data.

The researchers said users can protect themselves by logging out of their Google accounts while connecting over networks they don’t trust. Another countermeasure is to disable Google’s “visited” and “social” search filters. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/09/google_info_leak_exploit/

Burned by DigiNotar, Mozilla tells cert cops to audit security

Mozilla has directed all web authentication authorities trusted by its software to conduct security audits to ensure they aren’t being abused to issue counterfeit secure sockets layer certificates.

Thursday’s note from Kathleen Wilson, who oversees the certificate authorities included in the Firefox browser and Thunderbird email client, gives all participants eight days to confirm their systems are secure from the same type of compromise that recently hit Netherlands-based DigiNotar. Hackers penetrated the authority’s certificate issuance systems and minted at least 531 counterfeit credentials, including one for a Google.com that was used to spy on Iranians accessing their Gmail accounts.

“Mozilla recently removed the DigiNotar root certificate in response to their failure to promptly detect, contain, and notify Mozilla of a security breach regarding their root and subordinate certificates,” Wilson wrote. “If you ever have reason to suspect a security breach or mis-issuance has occurred at your CA or elsewhere, please contact [Mozilla] immediately.”

DigiNotar’s omissions came as a personal affront to Mozilla, since one of the domains they imperiled was https://addons.mozilla.org/, home of tens of thousands of addons that add powerful capabilities to the default versions of Firefox and Thunderbird.

Wilson went on to direct all companies participating under the Mozilla root program to complete five actions, including auditing their certificate issuance systems for signs of intrusion, compiling a complete list of root certificates authorized to issue credentials, and to “confirm that multi-factor authentication is required for all accounts capable of directly causing certificate issuance.”

“Participation in Mozilla’s root program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe,” Wilson wrote.

She gave them until September 16 to confirm completion of those steps or say when they would be completed. A Google spokesman said company representatives had no plans to send similar requests to the authorities trusted in the Chrome browser. A Microsoft spokeswoman didn’t say if CAs included in Windows will also be required to audit their security. Instead, she did issue a statement saying the company “is always evaluating its Certificate Authority Program and we will be distributing any new guidelines as needed.”

A Mozilla spokeswoman said 54 certificate authorities participate in its program using a total of 147 root certificates. See this spreadsheet for a detailed breakdown. ®

This post was updated to include comment from Microsoft.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/08/mozilla_certificate_authority_audit/