STE WILLIAMS

Skype bug may expose users to malicious code

Updated The latest version of Skype for Windows contains a security vulnerability that allows attackers to inject potentially dangerous code into a user’s phone session, a German security researcher has reported.

The XSS, or cross-site scripting, vulnerability in Skype 5.5.0.113 is the result of the voice-over-IP client failing to inspect user-supplied phone numbers for malicious code, researcher Levent Kayan said. As a result, attackers might be able to exploit the bug to inject commands or scripts that hijack the machine running the program.

“An attacker could for example inject HTML/JavaScript code,” Kayan wrote in an advisory published on Wednesday. “It has not been verified though, if it’s possible to hijack cookies or to attack the underlying operating system.” An attacker might also exploit the vulnerability to remotely execute malicious JavaScript files on external websites, he said.

[Screen shot from Kayan’s website showing the injection bug in Skype 5.5.0.113 in action]

A Skype spokeswoman disputed Kayan’s account.

“We have had this reported to us by various media outlets and have confirmed that the person is mistaken, this is not a web window and while it does cause a phone number to be underlined, does nothing other than this,” spokeswoman Brianna Reynaud wrote in an email.

In an email to The Register, Kayan stood his ground, insisting that at a minimum, the flaw allows an attacker to create a hyperlink on a victim’s client that leads to a site of the attacker’s choosing.

“According to Skype’s spokeswoman, I wanted to tell you, that this is not really true what she said, because the entries in (home, office and mobile phone and even in “city”) are embedded via HTML,” he wrote.

Kayan said the unsafe content is displayed when users view a booby-trapped profile. The malicious profile is created by inserting a JavaScript command or web address where a phone number is expected. The reported vulnerability is eerily reminiscent of an XSS bug Kayan reported in an earlier version of Skype last month.

Such vulnerabilities open the possibility of creating self-replicating attacks if they can be used to target users contained in each victim’s contact list. As each new user is exploited, the worm spreads virally by attacking a whole new set of people. A vulnerability reported in May for Mac versions of Skype was described as wormable, though there are no reports it was ever exploited in the wild. It’s unclear if the current vulnerability is also self-replicating.

Microsoft is in the process of acquiring the popular internet-based phone service. ®

This article was updated to add comment from Skype spokeswoman and a response from Kayan.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/22/skype_security_bug/

US breakthrough in Oz bomb hoax case

NSW Police are about to apply to extradite a 52-year-old Australian arrested in Louisville, Kentucky, over the Madeleine Pulver bomb hoax.

This morning, Sydney time, police announced the arrest, saying that the unnamed man collared by NSW police and FBI officers has “no known relationship” to the family. Police say he was under surveillance for several days before taking off for America.

Over the weekend, Australian media were reporting a breakthrough in the case, with police seizing a library computer in the coastal town of Kincumber, near Avoca where the Pulver family has a holiday home.

Earlier, the investigation was looking at a curious link with the James Clavell novel Tai-Pan, quoted in the extortion note left with the bomb.

Madeleine Pulver, daughter of software millionaire Bill Pulver, was targeted in an afternoon attack in which an object, which her assailant described as a bomb, was tied around her neck. She was told the device could be detonated remotely, and was also told not to call police.

It was ten hours before police determined that the supposed bomb was a hoax, after which they were able to release the schoolgirl from the device.

Police have said they believe the attack was an extortion attempt, but have kept information close to the chest. Presumably, as extradition hearings in America take place, more details are bound to emerge. ®

Update: NSW Police press conference

The police have expanded their description of the man they have arrested as being a businessman who commutes between Australia and America. NSW Police assistant commissioner David Hudson of the state crime command said there were “some links” to the family, but would not comment on whether those were “direct” links.

The assistant commissioner says the arrested man “was not a suspect at the time he left [Australia]”.

Hudson says the man has family both in Australia and the USA, and that he is primarily a Sydney resident. At the time of writing, the man was under arrest, but had not yet been charged. He is, at the moment, considered a suspect, and is being held under a “provisional warrant”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/15/pulver_hoax_breakthrough/

Innocent passengers targeted to protest subway agency

Hacktivists protested recent controversial actions taken by a San Francisco regional subway authority by publishing sensitive information for more than 2,000 passengers who had nothing to do with the agency’s management.

Anonymous, the loose-knit hacking collective, breached the security of MyBart.org and published the names, street and email addresses, and site passwords for about 2,400 people who had set up accounts on the site. It’s operated by BART, short for the Bay Area Rapid Transit. Database dumps such as the one here also included phone numbers for many users.

The dump was accompanied by a scathing note that said Anonymous took the action to protest two fatal police shootings in the past few years and the temporary suspension of cellphone service BART imposed on Thursday. BART officials said they cut service at a minimum of four stations to thwart demonstrations that were being organized using mobile devices.

“It’s just common sense that I shouldn’t be the target,” one of the victims whose details were included in the data dump told The Register. “I was just in the wrong place at the wrong time.” He asked that his name not be published in this article.

He said he received a “creepy” phone call on Sunday night from someone claiming to be a member of Anonymous who uttered “foul language, hushed tones and threats.” He said he has received no notification from BART representatives that his information was taken, contradicting claims officials made in a Sunday press release that “we notified those affected right away in case anyone tries to exploit the information.”

According to a note accompanying the published data, the user information was obtained after exploiting a SQL-injection vulnerability in the MyBart site. Such exploits typically allow attackers to enter database commands into a web form and get them executed by the site’s back-end database server.

“They set up this website called mybart.gov and they stored their members information with virtually no security,” the Anonymous screed stated, mislabeling the top-level domain of the compromised site as .gov instead of .org. “Any 8 year old with a internet connection could have done what we did to find it. On top of that none of the info, including the passwords, was encrypted. It is obvious that BART does no give a fuck about its customers, funders and tax payers,THE PEOPLE” [sic].

BART spokesman Linton Johnson said on a conference call with reporters that he wouldn’t say whether the MyBart.org website had been tested by outside security auditors unless he received a public records request. He repeatedly characterized BART and its customers as “victims.”

“The bottom line is we did not violate our customer security and their privacy rights,” he said. “This group Anonymous did. This group Anonymous shares all the blame for violating not only the security but also for putting out people’s private information on the web, jeopardizing their security.”

He said BART officials have reported the breach to the FBI.

He didn’t address the claim challenged by one of the MyBart.org users that all people affected by the breach had been immediately contacted. MyBart.org wasn’t operational at time of writing.

The attack is the latest act of politically minded hacking to be attributed to Anonymous, which recently has taken credit for data dumps affecting thousands of US law-enforcement officers, an attack on a US government contractor, and a claimed breach of an Italian computer crime unit.

The weekend hack followed BART’s admission on Friday that it had suspended cellular service at San Francisco stations the night before to disrupt a planned demonstration protesting the fatal police shooting in July of a passenger accused of brandishing a knife and charging at BART police officers.

Officials admitted they disconnected nodes of cellular antennas used at several San Francisco stations. They said they took the action to prevent overcrowding and other unsafe conditions in the paid areas of its system and that service was restored a few hours later. Cellular service outside the stations was unaffected.

Civil libertarians, including the American Civil Liberties Union and the Electronic Frontier Foundation have blasted the move and drawn comparisons to former Egyptian President Hosni Mubarak, who ordered the shut down of cellular service in Cairo to quell recent protests against his rule. A California state senator has called on the Federal Communications Commission to investigate the black out.

After this article was first published, FCC officials said they were looking into the move by BART.

“Any time communications services are interrupted, we seek to assess the situation,” FCC spokesman Neil Grace said in a statement. “We are continuing to collect information about BART’s actions and will be taking steps to hear from stakeholders about the important issues those actions raised, including protecting public safety and ensuring the availability of communications networks.”

What we’re left with here is a drama that seems replete with antagonists and no heroes.

BART’s Johnson repeatedly insisted that BART officials should shoulder no responsibility for the breach, even though it would appear they left the site open to some of the most rudimentary of attacks. We’ve written before about the unfounded trust people place in the websites they use and the wisdom of withholding, whenever possible, any personally identifiable information. Until BART is more forthcoming about how it secures its passengers’ data, add its websites to this long list.

Then you have the perpetrators of the attack pretending that they’ve done the world a favor by exposing the private information of thousands of people who did nothing more than rely on the transit agency to get around. ®

This story was updated to include information provided by BART spokesman Linton Johnson and the FCC.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/15/anonymous_breaches_bart_site/

Microsoft loses grip on slippery Mango

The next version of Microsoft’s Windows Phone operating system has arrived early for those willing to risk a slapdown by Redmond.

A version of the code built by Microsoft and delivered to smartphone-makers this summer has apparently slipped free of the Redmond-OEM loop and was leaked online.

The leaked code is build number 7720 of Windows Phone 7.5, which Microsoft signed off and released to phone-makers in July.

A link to the code, better known by its codename of Mango, appeared in the XDA Developers forums here, larded with plenty of warnings.

The post points out this is vanilla MS phone code, missing the tweaks that phone-makers will add to differentiate their phones from those of the competition.

What the post doesn’t say, but probably should, is that if you decide to install 7720 on your phone you run a strong chance of incurring Microsoft’s displeasure.

You might also miss out on future updates once Microsoft and the OEMs officially ship phones loaded with Windows Phone 7.5.

Earlier this year, many users keen to get their hands on the highly anticipated but delayed NoDo release of Windows Phone 7 downloaded the ChevronWP7 hack, created by Chris Walsh, which let them unlock Windows Phone devices and install an unfinished build of NoDo.

Microsoft initially warned against using such home-brew installations, saying it was not sure what would happen to people’s phones once the hack was used. As it turned out, people who installed the unofficial update were not able to move to the finished NoDo.

After NoDo was made available, Microsoft took great pleasure in crowing “I told you so” in an official company blog post here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/15/mango_rtm_leaked/

Credit card cabal collared

NSW Police has arrested five men responsible for what it describes as an international credit card fraud operation.

After investigations that began in 2009, the police executed three search warrants yesterday in metropolitan Sydney, retrieving EFTPOS terminals, computers, cash, mobile phones, skimming devices, and several Canadian credit cards.

Other seizures in the two-year investigation have included 18,000 blank and counterfeit credit cards, stolen EFTPOS terminals, and skimming devices.

The men arrested are Malaysian and Sri Lankan nationals, and are accused of coordinating the fraud operation in Australia, North America and Europe.

The charges include conspiracy to cheat and defraud, dealing with identification information, possessing equipment to create identification documents, possessing false or misleading documents, and participation in a criminal group.

The police statement says: “It is alleged that the syndicate was highly advanced technologically, and operated under a sophisticated international network.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/14/skimmer_arrests_in_nsw/

Attack on open-source web app keeps growing

An attack targeting sites running unpatched versions of the osCommerce web application kept growing virally this week, more than three weeks after a security firm warned it was being used to install malware on the computers of unsuspecting users.

When researchers from Armorize first spotted the exploit on July 24, they estimated it had injected malicious links into about 91,000 webpages. By early last week, The Reg reported it had taken hold of almost 5 million pages. At time of writing, Google searches here and here suggested that the number exceeded 8.3 million.

Armorize said attackers are exploiting three separate vulnerabilities in the open source store-management application, including one that was discovered last month. Harold Ponce de Leon, the lead developer of osCommerce, said there’s only one vulnerability that’s being exploited, but he admitted that no one on his team has spoken to anyone at Armorize to reconcile the difference of opinion.

“It is devastating not only to see the damage the attack has inflicted to online stores, but also to customers who are getting affected with old IE6 browser exploits,” he wrote in an email.

He said a fix has been available since November’s release of osCommerce Online Merchant v2.3. The steadily climbing number of infected webpages suggests that a large percentage of osCommerce websites can’t be bothered to install it. And that means people visiting those ecommerce websites are being unnecessarily exposed to attacks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/13/oscommerce_infection_threatens_web/

Rights Commish warns of creeping gov data menace

The government’s approach to the collection and use of personal data is “deeply flawed”, according to a report from the Equalities and Human Rights Commission (EHRC).

The EHRC has joined in long running complaints from privacy activists with the publication of a report, Protecting Information Privacy (105-page PDF/716KB), which says public authorities may be unaware they are breaking the law, as the complexity of the legal framework makes their obligations unclear.

It acknowledges that the demand for information is coming from the public and the private sectors, and says there is a risk of eroding the right to privacy.

The report finds that it is difficult for people to know what information is held about them, by which government agency or private sector body, or how it is being used. For example, as there is currently no law regulating the use of CCTV cameras it would be very difficult for someone to find which organisations hold footage of them.

It can be hard to check the accuracy of personal data held, to hold anyone to account for errors in the data or its misuse and to challenge decisions made about someone on the basis of that information. Calling any public or private organisation to account is made more difficult because people often may not know what their rights are or know when a breach of those rights has occurred.

The EHRC says that breaches of privacy are likely to get worse in the future as demand for personal information increases and as new technology is developed that is not covered by existing legislation or regulations. Piecemeal reform of relevant laws, such as the proposals in the Protection of Freedoms Bill, may not be sufficient to ensure people’s rights are protected.

In response, it makes a handful of recommendations:

  • Streamline the current legislation on information privacy so that it is easier for organisations to understand their responsibilities and simpler for citizens to know and use their rights.
  • Ensure that public bodies and others have to properly justify why they need someone’s personal data and for what purpose. Any requirement to use personal data for any purpose other than for which it was collected should go through a vetting process.
  • All public bodies should carefully consider the impact on information privacy of any new policy or practice and ensure that all requests for personal data are justified and proportionate.

Geraldine Van Bueren, a commissioner for the EHRC, said: “It’s important that the government and its agencies have the information they need about us to do their job, for example to fight crime, or protect our health. However, the state is holding increasing amounts of information about our lives without us knowing, being able to check that it’s accurate or being able to challenge this effectively.

“This needs to change so that any need for personal information has to be clearly justified by the organisation that wants it. The law and regulatory framework needs to be simplified and in the meantime public authorities need to check what data they have and that it complies with the existing laws.”

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/16/ehrc_warns_of_data_threat/

Man reveals secret recipe behind undeletable cookies

A privacy researcher has revealed the evil genius behind a for-profit web analytics service capable of following users across more than 500 sites, even when all cookie storage was disabled and sites were viewed using a browser’s privacy mode.

The technique, which worked with sites including Hulu, Spotify and GigaOm, is controversial because it allowed analytics startup KISSmetrics to construct detailed browsing histories even when users went through considerable trouble to prevent tracking of the websites they viewed. It had the ability to resurrect cookies that were deleted, and could also compile a user’s browsing history across two or more different browsers. It came to light only after academic researchers published a paper late last month.

KISSmetrics CEO responded with a post on its website claiming the research “significantly distorts our technology and business practices.” The company also responded by adding a “consumer-level opt-out for those who wish to be entirely removed from all KISSmetrics tracking, going well beyond the options that other analytics companies provide.”

Ashkan Soltani, one of the researchers, stands by the findings and said KISSmetrics’ recently updated privacy policy doesn’t make it clear how users go about opting out of tracking.

At the heart of the technique is the practice of storing a unique identifier, known as an ETag value, in a browser’s cache and metadata folders. A piece of JavaScript hosted on kissmetrics.com accesses the serial number each time one of the KISSmetrics websites is viewed.

“It’s effectively acting like a cookie because with every connection to KISSmetrics, it will send a referrer header and the ETag value,” Soltani told The Register. “The ETag is effectively acting as a cookie. It has the same exact value of the cookie as well.”

KISSmetrics analytics combined the ETag technique with several other controversial technologies that use cookies based on Adobe Flash and HTML5 to reproduce tracking cookies even after a user had specifically deleted them. Soltani and his colleagues first documented the sneaky move in 2009 and dubbed it cookie “respawning.”

Adobe responded by building an application interface that made it easy for users to delete Flash cookies using standard features in a browser’s menu. The advent of server-based scripts that pull up ETag data means that it’s once again trivial for analytics services to defy the wishes of visitors who don’t want to be tracked.

“The more accurately they can represent the number of uniques that have visited their sites the more value they can provide for their analytics customers,” Soltani explained. “That might mean you as a person who doesn’t want to be tracked uniquely trying to opt out. They’re incentivized to circumvent that opt-out.”

Soltani said the only way to block the tracking using the technique is to block all cookies and to clear the browser cache after each site visited. He has published a detailed technical description of the new technique here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/16/cookie_respawning_secrets_revealed/

Dob in suspect blingy neighbours on Facebook, say cops

Lothian and Borders police has launched a new initiative that allows the public to report suspected criminals, anonymously if they wish, “using facebook or via Bluetooth” or using the Crimestoppers website.

The Scottish force said that the ‘Made from Crime’ scheme is the first of its kind in the country.

The intelligence-gathering campaign is designed to make full use of the Proceeds of Crime Act, specific legislation that allows officers to seize assets that have been purchased through criminal activity.

Lothian and Borders said that more than £41m has already been seized from criminals through the Act, with the money being reinvested in community projects across Scotland. It hopes that the use of social media and other online tools will help them to identify more criminals.

Iain Livingstone, assistant chief constable at the force, said that the launch of the campaign sends out a strong message that Lothian and Borders is serious about tackling criminals profiting from crime in the area.

“I personally appeal to local communities who have any information to come forward immediately, either to Crimestoppers or to Lothian and Borders police,” he added.

The scheme also has the backing of the Scottish Government, the Crown Office and Procurator Fiscal Service.

Solicitor general Lesley Thomson QC said: “We have vast powers available to us through the proceeds of crime legislation and I am delighted that this new initiative will allow people to use social media to report anonymously those who they see flaunting ill-gotten gains before them.

“The Crown Office and Procurator Fiscal Service will continue to take a robust approach to anyone who chooses to fund their lifestyle through crime – and we will use every power available to us as prosecutors to seize their assets and disrupt their activities.”

This article was originally published at Guardian Government Computing.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/report_crime_on_facebook_say_lothian_and_borders_coppers/

IT admin cops to crippling ex-employer’s network

A Georgia IT administrator has pleaded guilty to crippling the computer system of a Japanese pharmaceutical company’s US subsidiary several months after his employment there ended.

Jason Cornish, 37, admitted using a public internet connection at a McDonald’s restaurant in Smyrna, Georgia, to access the network of the Shionogi subsidiary using an old account, according to federal prosecutors in New Jersey. He then deleted the contents of 15 VMware hosts used to run the equivalent of 88 servers that supported email, employee Blackberrys, order tracking and other essential services.

“The February 3 attack effectively froze Shionogi’s operations for a number of days, leaving company employees unable to ship product, to cut checks, or even to communicate via email,” prosecutors wrote in a criminal complaint filed in June. In all, the attack cost the company $800,000.

FBI agents linked the attack to the McDonald’s by analyzing the IP addresses used during the attack. They later discovered Cornish had used his credit card at the restaurant a few minutes earlier.

Cornish faces a maximum of 10 years in prison and $250,000 in fines. Sentencing is scheduled for November 10. He joins a growing roster of disgruntled IT admins charged and convicted of sabotaging their former employers. For a sampling, see related stories below. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/it_admin_revenge/