STE WILLIAMS

Malware mints virtual currency using victim’s GPU

Security researchers have unearthed a piece of malware that mints a digital currency known as Bitcoins by harnessing the immense power of an infected machine’s graphical processing units.

According to new research from antivirus provider Symantec, Trojan.Badminer uses GPUs to generate virtual coins through a practice known as minting. That’s the term for solving difficult cryptographic proof-of-work problems and being rewarded with 50 Bitcoins for each correct block.

General purpose GPUs far outstrip CPUs at performing math calculations and can do so in massively parallel software threads, making them a superior platform for trying huge numbers of possible keys needed to solve the Bitcoin problems.

“This makes the idea of GPGPU extremely attractive for the purpose of bitcoin mining, brute force hash attacks against password databases, and folding (the processing of simulating protein folding, a project initiated by Stanford University known as Folding@home),” Symantec researcher Poul Jensen wrote in a post published Tuesday.

An infected computer that contains an AMD Radeon 6990 GPU could process about 758.82 million cryptographic hashes per second, he wrote. That’s a far cry from Intel’s Atom N270 netbook CPU, which is capable of handling just 1.19 Mhash/s. Rob Graham, CEO of the firm Errata Security, recently published a thought-provoking post that analyzed the economics of password cracking and Bitcoin-mining using a variety of GPU hardware.

In the event an infected machine has no GPU card, Trojan.Badminer will make do with the CPU.

GPU use could go a long way to solving a problem that has vexed malware developers who want to use other people’s computers to mine Bitcoins. As fellow Symantec researcher Peter Coogan surmised in June, a botnet of 100,000 machines that worked on a problem continuously would earn just $97,000 a month. That’s a paltry amount compared to other botnet enterprises, such as stealing online banking credentials.

“With the advent of Trojan.Badminer and common usage of fast graphics cards, it may well begin to make economic sense to rent botnets in order to carry out distributed bitcoin mining and run the process on an industrial scale,” Jensen wrote.

Of course, crooks investing resources in Bitcoin theft still must grapple with another challenge: The price of the highly decentralized coin fluctuates wildly. It has reached exchange rates as high as $29, but has plummeted since then, with the current price a little more than $11. ®

This post was rewritten to correct inaccuracies about the way Trojan.Badminer worked.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/16/gpu_bitcoin_brute_forcing/

News International mail server password FAIL exposed

A letter from News International chairman James Murdoch to the Commons Culture Select Committee has let slip details of how to gain full access to the company’s MS Exchange email system – albeit the information is from four years ago.

MPs published a raft of letters this lunchtime including one from jailed News of the World royal editor Clive Goodman, who claimed senior figures at the now-defunct Sunday tabloid knew that phone hacking was going on at the publication.

James Murdoch has consistently denied any knowledge of widespread phone-tapping beyond the illegal methods employed by “one rogue reporter” at the newspaper.

Among the evidence submitted to the committee was an email between an individual named Simon Avery and Lawrence Abramson, co-founder of the company’s London law firm Harbottle Lewis.

The email offers a step-by-step guide on how to access News International’s web mail server.

It includes the URL required for accessing the company’s gateway Exchange server as well as the domain and username, and was provided to Harbottle Lewis in May 2007, a few months after Goodman was sacked in February that year.

The instructions reveal that a frankly piss-poor password (mailreview) was issued by the NI sysadmin to the lawyers.

Harbottle Lewis had been granted “independent” access to relevant emails relating to allegations made by Goodman, who appealed his dismissal from the sister firm of Rupert Murdoch’s News Corp on the grounds that other individuals were aware of – and supported – illegal phone-hacking methods used by the former NotW royal correspondent.

Goodman also claimed, according to then-NI director of legal affairs Jon Chapman, that “others were carrying out similar illegal procedures” at the firm.

It was Chapman who granted Harbottle Lewis access to emails inserted in five subfolders within NI’s Exchange public folders for review by the lawyers.

Unlike its roughshod handling of highly sensitive details of NI’s gateway, the culture committee has redacted information about emails that were searched relating to six individual accounts.

Abramson concluded an email to Chapman on 25 May 2007 with the following statement:

“I can confirm that we did not find any evidence that proved that either [redacted], [redacted] or [redacted] knew that Clive Goodman, Glen Mulcaire or any other journalists at the News of the World were engaged in illegal activities prior to their arrest.”

Mulcaire had worked as a private investigator at the newspaper. He was jailed for six months in January 2007 after admitting to conspiring with Goodman to illegally access voicemail messages.

In a letter on 2 March 2007 to NI HR boss Daniel Cloke, Goodman rejected News International’s notice of termination of employment on the grounds of “gross misconduct”.

He claimed in the missive that phone hacking was “widely discussed” at the paper and alleged that News International had promised to re-hire him after he was convicted of intercepting voicemail messages on the condition that he didn’t implicate the newspaper in court.

Meanwhile, the paperwork submitted to the committee today also revealed exactly how much money Goodman was paid when he was sacked by News International in 2007.

The ex-royal editor was paid £90,502.08 and a further £140,000 in compensation. He was given another £13,000 from News International to pay for his lawyer’s bill.

Separately, Harbottle Lewis told Culture Committee chairman John Whittingdale that the firm had been given “remote electronic access to emails on News International’s server”.

The law firm added that the emails made available to it for review were contained in the aforementioned five sub-folders, which meant “access was not entirely straightforward”. Harbottle Lewis added that the firm had been “instructed only to look for evidence” in those folders in May 2007. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/16/news_international_letters_sysadmin_password_fail_clive_goodman/

Google gets UK OK on privacy in slurping probe

Google’s privacy policy has been gently applauded by Information Commissioner Christopher Graham, who came under sharp criticism for his initial “lily-livered” handling of the company’s Street View Wi-Fi data-slurping operation.

An audit by the Information Commissioner’s Office (ICO) took place last month at Google’s London office.

The watchdog carried out the probe after reversing its decision about Google’s Street View technology in November 2010, when it concluded that Mountain View had breached the Data Protection Act.

The ICO said at the time it would require Google to sign a piece of paper promising not to break the law again. It also confirmed at that point that an audit of Google’s privacy practices would take place.

“I’m satisfied that Google has made good progress in improving its privacy procedures following the undertaking they signed with me last year,” said Graham today.

“All of the commitments they gave us have been progressed and the company have also accepted the findings of our audit report where we’ve asked them to go even further.”

But, despite its U-turn last November, the ICO declined to slap a monetary penalty on Google, instead threatening “further regulatory action” if the ad broker failed to fully comply with the agreement.

“The ICO’s Google audit is not a rubber stamp for the company’s data protection policies. The company needs to ensure its work in this area continues to evolve alongside new products and technologies. Google will not be filed and forgotten by the ICO,” said Graham this morning.

There has been much tougher action against Google’s fleet of Street View vehicles elsewhere in Europe, after the company admitted that its mass Wi-Fi snoop from the cars had slurped up passwords and entire emails and URLs. The company insisted the data had been collected accidentally.

But that didn’t stop Germany, for example, ordering Google to altogether withdraw its Street View fleet from the country.

The ICO listed areas where it reckoned Google had improved its privacy policy including a “Privacy Design Document” that involves each new project undergoing “in-depth assessment to ensure that privacy is built in from the start”.

Google has also subjected its engineers to “advance data protection training”.

The ICO said Google must still do better with how it handles data, before recommending what, in effect, were simple enhancements to action already undertaken by the firm:

  • All existing products to have a Privacy Story – an explanation of how data will be managed in a new product. This should be used to provide users proactively with information about the privacy features of products.
  • Google should ensure that all projects have a Privacy Design Document, and that processes to check them for accuracy and completeness continue to be enhanced.
  • The core training for engineers should be developed to include specific engineering disciplines, taking account of the outcomes of the Privacy Design Document.

Separately, the ICO has been looking at whether Google’s Profile product needs to comply with Regulation 18 of the Privacy and Electronic Communications Regulations to establish whether it constitutes a directory of subscribers.

The watchdog has been poking a cotton-wool wrapped stick at Google Profiles after The Register asked it to consider what rights an individual might have if it can be proved that the service constitutes such a directory.

At the end of July, the company killed all privately stored profiles created via its Gmail product as part of a drive to link real names with users’ Google accounts and its new social network effort Google+. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/16/ico_happy_with_google/

German authorities park tanks on Facebook’s lawn

Facebook has once again been criticised by a data protection authority in Germany for siphoning off information about the country’s citizens to servers based in the US.

This time the company’s “like” button and “pages” feature have been attacked by DPA officers in the Northern German federal state of Schleswig-Holstein.

On Friday, Germany’s Independent Centre for Privacy Protection (ULD) called on website operators based in that region to “shut down their fan pages on Facebook and remove social plug-ins such as the ‘like’-button from their websites,” according to a statement on the DPA’s website.

It said it had concluded that those features violated the German Telemedia Act as well as the Federal Data Protection Act.

The Schleswig-Holstein DPA noted that anyone using the functions within the dominant social network would have their “service traffic and content data” transferred to servers located in the US.

“Whoever visits facebook.com or uses a plug-in must expect that he or she will be tracked by the company for two years,” it claimed.

“Facebook builds a broad individual and for members even a personalised profile. Such a profiling infringes German and European data protection law.

“There is no sufficient information of users and there is no choice; the wording in the conditions of use and privacy statements of Facebook does not nearly meet the legal requirements relevant for compliance of legal notice, privacy consent and general terms of use,” the ULD argued.

It said it expected website owners based in Schleswig-Holstein to bar such user data being passed on to Facebook by “deactivating” such services.

Formal complaints could be brought against public organisations that fail to comply, said the ULD, while fines could be slapped on private outfits who flout the rules, which the authority plans to introduce by the end of next month.

“ULD has pointed out informally for some time that many Facebook offerings are in conflict with the law. This unfortunately has not prevented website owners from using the respective services and the more so as they are easy to install and free of charge,” said ULD commissioner Thilo Weichert.

“Institutions must be aware that they cannot shift their responsibility for data privacy upon the enterprise Facebook which does not have an establishment in Germany and also not upon the users.”

The commissioner added that the Schleswig-Holstein state was continuing to analyse the “privacy impact” of Facebook applications.

“Users can take their part by trying to avoid privacy adverse offerings,” the commissioner added.

“To internet users, ULD offers the advice to keep their fingers from clicking on social plug-ins such as the ‘like’-button and not to set up a Facebook account if they wish to avoid a comprehensive profiling by this company. Profiles are personal information; Facebook is requiring its members to register their actual name.”

This is Germany’s latest privacy crackdown against Facebook.

A few weeks ago, Hamburg’s data protection authority warned the social network that it could be fined if the company failed to delete the “biometric data” it harvests from its facial recognition tech, which was quietly rolled out to the service in Europe earlier this year.

Facebook quickly rejected the claim that it wasn’t meeting its obligations under EU data protection law.

The company isn’t actually breaching any Brussels data protection law as of today. But legislation is expected in the autumn from the EU that will be applied to any business operating in Europe.

“We firmly reject any assertion that Facebook is not compliant with EU data protection standards. The Facebook Like button is such a popular feature because people have complete control over how their information is shared through it,” said the firm in an emailed statement.

“For more than a year, the plugin has brought value to many businesses and individuals every day. We will review the materials produced by the ULD, both on our own behalf and on the behalf of web users throughout Germany.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/22/schleswig_holstein_facebook_dislikes_like_and_pages/

Anonymous/LulzSec chick-lit MP kid threat pooh-poohed

Chick-lit authoress and politician Louise Mensch, somewhat famed for being fired from EMI due to “inappropriate dress” and copping to possible drug use and bad dancing in her salad days, says that hacktivists from Anonymous and/or LulzSec have threatened her children by email.

The Tory MP, who has penned various lighthearted lipstick’n’bonking-themed ladies’ reads under the name Louise Bagshawe, tweeted:

Had some morons from Anonymous/LulzSec threaten my children via email. As I’m in the States, be good to have somebody from the UK police advise me where I should forward the email. To those who sent it; get stuffed, losers.

Oh and I’m posting it on Twitter because they threatened me telling me to get off Twitter. Hi kids! ::waves::

I’ve contacted the police via the House of Commons and the email is with them now. I don’t bully easily, kids. Or in fact at all.

Security-firm mouthpiece Graham Cluley (of Sophos) pooh-poohed the notion that Anons or LulzSec-ers might be behind the outrage, commenting:

In my opinion it doesn’t sound very likely that the threatening email (which hasn’t been released) was from Anonymous or LulzSec. Neither group has a history of engaging in physical violence, preferring to sit behind computer keyboards instead.

Furthermore, it seems very odd that Anonymous or LulzSec would send an email, when their normal practice is to post a message on Twitter or a link to a statement on PasteBin.

Mensch previously achieved modest fame after being contacted by “an investigative journalist” (unidentified) following her participation in political grillings aimed at exploring the extent of skulduggery in Fleet Street journalism. The supposed journo referred to claims that she had possibly taken drugs and committed dance blunders while working at EMI in the 1990s.

The punchy MP stated on that occasion:

Although I do not remember the specific incident, this sounds highly probable … since I was in my twenties, I’m sure it was not the only incident of the kind; we all do idiotic things when young. I am not a very good dancer and must apologise to any and all journalists who were forced to watch me dance that night at Ronnie Scott’s …

[This was] not why I was fired by EMI. “Leaving work early” and “missing the odd day at work” along with “inappropriate dress” were the reasons quoted to me.

So there. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/22/louise_mensch/

WikiLeaks admits insider deleted loads of its data

We do have more than one source, honest. Well, we did

WikiLeaks has explained the non-appearance of Bank of America data it frequently promised to publish: a defector took the only copies with him when he left the organisation and has now deleted the files.

Daniel Domscheit-Berg left WikiLeaks last summer and took the documents with him following a dispute with Julian Assange. This seems to have centred on Berg’s relationship with a woman at Microsoft.

Berg was suspended at the end of August 2010 and, WikiLeaks claims, has tried to extract money from the group in return for their data. In January he set up his own version of WikiLeaks, but the site has been inactive since then. He also wrote a book about his time at the site.

Assange’s organisation confirmed on Twitter that Berg had destroyed 20 gigabytes of information from the Bank of America, the entire US no-fly list and US intercept arrangements for 100 companies as well as details and emails from 20 neo-Nazi groups and a German far right group. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/22/wikileaks_data_lost/

Facebook wannabe rioters cop large helpings of porridge

Two men have been banged up for four years apiece, after unsuccessfully inciting violent disorder on Facebook.

Jordan Blackshaw, 20, of Vale Road in Marston near Northwich and Perry Sutcliffe-Keenan, 22, of Richmond Avenue, Warrington, were handed the harsh sentences at Chester Crown Court yesterday.

“If we cast our minds back just a few days to last week and recall the way in which technology was used to spread incitement and bring people together to commit acts of criminality it is easy to understand the four-year sentences that were handed down in court today,” said Chester police assistant chief constable Phil Thompson.

“In Cheshire, we quickly recognised the impact of the situation on our communities and the way in which social media was being used to promote and incite behaviour that would strike fear in to the hearts of our communities.”

The court hoped that the hefty sentences would deter others from writing similar stupid posts on social networks.

“Officers took swift action against those people who have been using Facebook and other social media sites to incite disorder,” added Thompson.

“The sentences passed down today recognise how technology can be abused to incite criminal activity and send a strong message to potential troublemakers about the extent to which ordinary people value safety and order in their lives and their communities. Anyone who seeks to undermine that will face the full force of the law.”

The two men pleaded guilty under sections 44 (intentionally encouraging or assisting an offence) and 46 (encouraging or assisting offences believing one or more will be committed) of the Serious Crime Act.

However, neither Blackshaw nor Sutcliffe-Keenan was successful in his efforts to incite a riot in his home town, after posting “events” and “pages” on Facebook.

The Crown Prosecution Service told the BBC that Blackshaw had called on Facebookers who were members of the “Mob Hill Massive Northwich Lootin'” group to “Smash d[o]wn in Northwich Town”.

That group has now been removed from Facebook.

The event created by Blackshaw urged people to meet on the afternoon of 9 August “behind maccies” – understood to mean the McDonald’s fast food joint – in Northwich town centre.

He also posted the first comment on the page, declaring: “We’ll need to get this kickin off all over.”

Only the police turned up at Maccie-D’s, however, and Blackshaw was promptly arrested.

Sutcliffe-Keenan, meanwhile, created a Facebook page calling on people to “riot” on 10 August. His message went out to 400 contacts on the site, but he took down the page the following morning, claiming the post had been a joke.

Similarly, no rioting took place as a result of Sutcliffe-Keenan inciting people to do exactly that in his home town of Warrington.

But both men were handed tough sentences yesterday for their actions on Facebook.

Their profiles no longer exist on the social network. But inevitably, a page in support of the pair has already appeared on Facebook.

The “Free Jordan Blackshaw Perry Sutcliffe-Keenan” page currently has 20 people who “like” it.

However, many of the posts on the site are heavily abusive comments. So presumably the Facebook police will see this and take down the page.

There’s also a separate page urging Facebookers to campaign “Against Jail Sentences for Rioters Looters”.

It currently has one solitary fan. ®

[We submit for your consideration the term ‘flashplod’ for a planned flashmob event where only police turn up – apparently now quite common – ed]

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/facebook_riot_four_year_sentences/

Profit-disaster CEO at Blue Coat: I’ll get my coat

Blue Coat boss Michael Borman has fallen on his sword following declining sales and profits in fiscal first quarter 2012.

The web security and WAN optimisation minnow saw sales come in at $109.5m (£66.7m) down 9 per cent sequentially and 11 per cent on last year, as profits fell 70 per cent quarter-on-quarter to $2.7m (£1.6m) and 81 per cent on Q1 2010.

The exit of Borman, who only joined the firm early September last year – he had previously been CEO at Avocent – was confirmed at the same time as the numbers.

“Our first quarter results were disappointing as they came in below our expectations,” said David Hanna, chairman at Blue Coat. “We are taking the necessary actions.”

His replacement, Gregory Clark – most recently president and CEO at enterprise software group Minicom – is set to join Blue Coat from the middle of next month in the same roles.

The Q1 financials were impacted by “go-to-market challenges” and “weakness in the US Federal vertical” which pushed down revenues and profits, the firm said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/blue_coat_ceo_quits/

App developer slurped kids’ data without consent

A mobile applications developer will be fined $50,000 for allegedly collecting and disclosing children’s personal information without parental consent, the US Federal Trade Commission (FTC) has said.

The US consumer regulator settled charges against W3 Innovations and its owner, Justin Maples, over the company’s alleged violation of the US’ Children’s Online Privacy Protection Act (COPPA) and the FTC’s rules that ensure enforcement of the Act, it said. A court has yet to approve the voluntary agreement which would withdraw the threat of criminal charges.

The agreement would also prohibit W3 and Maples from violating COPPA in the future and force them to delete all personal information collected in violation of the laws, the FTC said.

“According to the [FTC’s] complaint, [W3 and Maples] did not provide notice of their information-collection practices and did not obtain verifiable parental consent before collecting and/or disclosing personal information from children. The FTC charged that those practices violated the COPPA Rule,” the FTC said in a statement.

COPPA requires that “the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child … obtain verifiable parental consent for the collection, use, or disclosure of personal information from children”.

W3, operating as Broken Thumbs Apps, developed games apps for kids, including Emily’s Girl World, Emily’s Dress Up and Emily’s Runway High Fashion.

The Emily apps “encouraged children to email ‘Emily’ their comments and submit blogs to ‘Emily’s Blog’ via email, such as ‘shout-outs’ to friends and requests for advice. The FTC alleges that the defendants collected and maintained thousands of email addresses from users of the Emily apps”, the FTC said.

“In addition to collecting and maintaining children’s email addresses, the FTC alleges that the defendants also allowed children to publicly post information, including personal information, on message boards,” the FTC statement said.

More than 50,000 Broken Thumbs Apps were downloaded via Apple’s App Store and the company collected personal data of thousands of children under the age of 13 without consent, the FTC claimed.

The FTC voted to refer the case to the US Department of Justice, which filed the FTC’s complaint and proposed a settlement agreement with a district court in California. The court will now decide whether to approve the settlement.

“The FTC’s COPPA Rule requires parental notice and consent before collecting children’s personal information online, whether through a website or a mobile app,” FTC chairman Jon Leibowitz said.

“Companies must give parents the opportunity to make smart choices when it comes to their children’s sharing of information on smartphones,” Leibowitz said.

The FTC said it was the first time it had been involved in a case against an apps developer.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/app_dev_collected_kid_data_says_ftc/

Skype bug could expose users to malicious code attack

The latest version of Skype for Windows contains a security vulnerability that allows attackers to inject potentially dangerous code into a user’s phone session, a German security researcher has reported.

The XSS, or cross-site scripting, vulnerability in Skype 5.5.0.113 is the result of the voice-over-IP client failing to inspect user-supplied phone numbers for malicious code, researcher Levent Kayan said. As a result, attackers might be able to exploit the bug to inject commands or scripts that hijack the machine running the program.

“An attacker could for example inject HTML/JavaScript code,” Kayan wrote in an advisory published on Wednesday. “It has not been verified though, if it’s possible to hijack cookies or to attack the underlying operating system.” An attacker might also exploit the vulnerability to remotely execute malicious JavaScript files on external websites, he said.

A screen shot from Kayan’s website showing the injection bug in action

The unsafe content is displayed when users view a booby-trapped profile. The malicious profile is created by inserting a JavaScript command or web address where a phone number is expected. The reported vulnerability is eerily reminiscent of an XSS bug Kayan reported in an earlier version of Skype last month. Skype representatives didn’t immediately respond to an email requesting comment on the persistent code injection vulnerability.
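
The flaw class described above, a profile field that expects a phone number but is displayed without inspection, and its two standard fixes (allowlist validation on input, HTML encoding on output), shown as an added JavaScript example. It is not Skype's code and not part of the original article; the profile shape and function names are hypothetical, and the sample profiles are constructed.

```javascript
// Added example: field names and render functions are hypothetical, not Skype's code.

// Flawed pattern: a user-supplied "phone number" is pasted into markup unchecked,
// so whatever the profile owner typed is interpreted by the viewer's renderer.
function renderProfileUnsafe(profile) {
  return '<div class="phone">' + profile.mobile + '</div>';
}

// Input side: accept only values that look like a phone number.
// Common separators are stripped, then an optional "+" followed by
// 3 to 15 digits must remain (15 digits is the E.164 maximum).
function normalizePhone(input) {
  if (typeof input !== 'string' || input.length > 32) return null;
  const compact = input.replace(/[\s().-]/g, '');
  return /^\+?[0-9]{3,15}$/.test(compact) ? compact : null;
}

// Output side: encode HTML metacharacters so a value is always shown as data,
// never parsed as markup, even if validation is skipped somewhere upstream.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: validate first, then encode whatever is displayed.
function renderProfileSafe(profile) {
  const phone = normalizePhone(profile.mobile);
  const shown = phone === null ? 'invalid number' : phone;
  return '<div class="phone">' + escapeHtml(shown) + '</div>';
}

// Constructed sample profiles: one ordinary number and two values of the kind
// the article describes (script or web address where a number is expected).
const SAMPLE_PROFILES = [
  { name: 'alice', mobile: '+49 (30) 1234-5678' },
  { name: 'mallory', mobile: '<script>alert(1)</script>' },
  { name: 'bob', mobile: 'http://example.invalid/' },
];

// Compare both renderers for every profile.
function auditProfiles(profiles) {
  return profiles.map((p) => ({
    name: p.name,
    accepted: normalizePhone(p.mobile) !== null,
    unsafeHasMarkup: /<script/i.test(renderProfileUnsafe(p)),
    safeHasMarkup: /<script/i.test(renderProfileSafe(p)),
  }));
}

console.log(auditProfiles(SAMPLE_PROFILES));
```

Validation alone rejects the bad values here, but the output encoding is what keeps any other free-text profile field from being rendered as markup.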

Such vulnerabilities open the possibility of creating self-replicating attacks if they can be used to target users contained in each victim’s contact list. As each new user is exploited, the worm spreads virally by attacking a whole new set of people. A vulnerability reported in May for Mac versions of Skype was described as wormable, though there are no reports it was ever exploited in the wild. It’s unclear if the current vulnerability is also self-replicating.

Microsoft is in the process of acquiring the popular internet-based phone service. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/22/skype_security_bug/