STE WILLIAMS

Flash drives dangerously hard to purge of sensitive data

In research that has important findings for banks, businesses and security buffs everywhere, scientists have found that computer files stored on solid state drives are sometimes impossible to delete using traditional disk-erasure techniques.

Even when the next-generation storage devices show that files have been deleted, as much as 75 percent of the data contained in them may still reside on the flash-based drives, according to the research, which is being presented this week at the Usenix FAST 11 conference in California. In some cases, the SSDs, or solid-state drives, incorrectly indicate the files have been “securely erased” even though duplicate files remain in secondary locations.
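The finding above is about the gap between what the host believes it erased and what the raw flash still holds. The added example below (not code from the article or from the FAST 11 paper) shows the verification step a defender would run: write recognisable marker blocks, perform a host-level overwrite of the file's logical blocks, then scan a raw image of the device for surviving copies. The image is constructed in memory; the "stale copy" blocks stand in for pages an SSD's flash translation layer remapped away and never overwrote.

```python
import hashlib

BLOCK = 512  # sector size assumed for the constructed image


def make_marker(label: str, seq: int) -> bytes:
    """Build a 512-byte block that is unique and self-verifying (constructed test data)."""
    head = f"SANITIZE-TEST:{label}:{seq:08d}:".encode()
    body = head + hashlib.sha256(head).digest()
    return body + b"\x00" * (BLOCK - len(body))


def find_surviving_markers(image: bytes, label: str) -> dict:
    """Scan a raw image; return {seq: [offsets]} for every intact marker still present."""
    prefix = f"SANITIZE-TEST:{label}:".encode()
    found = {}
    pos = image.find(prefix)
    while pos != -1:
        seq_field = image[pos + len(prefix): pos + len(prefix) + 8]
        if seq_field.isdigit():
            head = prefix + seq_field + b":"
            expected = hashlib.sha256(head).digest()
            # Require the digest to match so a coincidental prefix is not counted.
            if image[pos + len(head): pos + len(head) + 32] == expected:
                found.setdefault(int(seq_field), []).append(pos)
        pos = image.find(prefix, pos + 1)
    return found


def build_demo_image(n_blocks: int = 64, n_markers: int = 8, label: str = "demo") -> bytearray:
    """Constructed raw image: each marker sits at its logical block (seq * 2); even-numbered
    markers also have a stale copy near the end of the image, mimicking FTL remapping."""
    image = bytearray(b"\xff" * (n_blocks * BLOCK))  # 0xFF is the erased-flash state
    for seq in range(n_markers):
        blk = make_marker(label, seq)
        logical = seq * 2
        image[logical * BLOCK:(logical + 1) * BLOCK] = blk
        if seq % 2 == 0:
            stale = n_blocks - n_markers + seq
            image[stale * BLOCK:(stale + 1) * BLOCK] = blk
    return image


def overwrite_logical_blocks(image: bytearray, blocks) -> None:
    """Host-level overwrite: zero the blocks the file system reports for the file.
    This reaches only the current mapping, never the stale copies."""
    for b in blocks:
        image[b * BLOCK:(b + 1) * BLOCK] = b"\x00" * BLOCK


def demo(label: str = "demo"):
    """Return (markers before overwrite, markers after, surviving offsets)."""
    image = build_demo_image(label=label)
    before = find_surviving_markers(bytes(image), label)
    overwrite_logical_blocks(image, [seq * 2 for seq in range(8)])
    after = find_surviving_markers(bytes(image), label)
    return len(before), len(after), after


if __name__ == "__main__":
    n_before, n_after, survivors = demo()
    print(f"{n_after} of {n_before} markers still recoverable after overwrite: {survivors}")
```

On a real drive the scan would run over a dump taken below the file system (the paper's authors read the flash chips directly); the point of the helper is that "the file is gone" must be checked against the raw medium, not against what the file system reports.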

Maryland Prison Demands Facebook Logins from Staff

In a wonderful example of how privacy rights can be casually ignored, US jailkeepers at the Maryland Division of Correction (DOC) are requiring all new members of staff, as well as those recertifying, to provide full access to their Facebook accounts for use in background checks.

The new regulations came to light with the case of Robert Collins, who was undergoing recertification last year for a position following a 4-month leave of absence, Slashdot reports. Collins, who’s now suing his employers with the help of the American Civil Liberties Union, was informed that he was required to provide full access to his Facebook account as part of the interview process and was then made to wait while the interviewer logged into his account and brazenly browsed his profile.

The reason given for this blatant invasion of privacy was to enable the government to examine Collins’ wall posts, emails, photos and friend lists to ensure that new employees within the facility were not engaged in illegal activity or affiliated with known criminals — particularly gang members.

This was not due to any suspicion of Collins in particular, but rather a blanket policy applied to all new members of staff including those — like Collins — who were undergoing recertification and had already been employed with the Maryland DOC before.

It’s no different to an employer demanding a new starter bring in their old photo albums, CD collections, text messages, letters and diaries and have everyone in the office have a good laugh at them. It violates the privacy of not only Collins, but also his friends and family, as his employer has full access to emails Collins has received, as well as sent.

While the policy is illegal under the US federal Stored Communications Act, the specific case law in Maryland is a little more vague — not because of any kind of split opinion, but purely due to the fact that such laws have never needed to be enforced before. It is also in violation of Facebook’s own terms of service, which state, “You will not solicit login information or access an account belonging to someone else.”

The American Civil Liberties Union of Maryland is currently fighting the case on behalf of Collins and all other employees of the Maryland DOC. We sincerely hope its social media policies are quickly revised, and the case gives other organisations pause for thought before imposing similar policies. Do you agree? Or do you think everything you put online is fair game, particularly if you work in a legally sensitive job?

Eben Moglen promotes Freedom in a box

In a recent interview with The H, Eben Moglen, professor of law and legal history at Columbia University, and the founder, Director-Counsel and Chairman of the Software Freedom Law Center, spoke about his ideas for using simple hardware to free individuals from the tyranny of the client/server model imposed by current web services. It seems his ideas may be on the way to becoming reality in the form of the FreedomBox.

The FreedomBox is described by Moglen as a cheap, low-power, plug-top server running a Debian-Linux-based platform. Small plug-top servers such as the Pogoplug ($99 / £99) or the TonidoPlug ($99) are already on the market and as Moglen told the New York Times “They will get very cheap, very quick, … Once everyone is getting them, they will cost $29.”

Botnets 7 x increase in 1 year

Botnets used in banking credential theft and other criminal enterprises made huge gains in 2010, claiming more than seven times as many victims as the previous year, according to a report issued by a security firm that follows the large networks of infected machines.

The dramatic increase was fueled by improvements in DIY botnet construction kits, which allowed internet-based fraudsters to construct new networks that quickly gained traction, the report from Damballa said. As a result, six of the 10 biggest botnets of 2010 weren’t in existence the previous year. New infection technology that targets a hard drive’s master boot record and changes the machine’s boot options also played a role.

Lush online store hacked

Australian cosmetics retailer Lush has pulled the kill-switch on its web store following a security breach.

In a statement that replaced its home page on Tuesday, Lush Australia says it has been alerted that the security breach may have exposed customers’ credit card information. The statement directs customers to contact their bank to discuss whether cancellation is warranted.

Despite the similarity to a recent breach of Lush’s security in the UK, the company claims the two incidents are not related.

“Our Website is not linked to the Lush UK Website, which was recently compromised,” the company’s statement said.

Update: card theft confirmed

According to a report by the ABC, Lush has since confirmed that card details were stolen, along with the company’s entire customer database.

Lush Australasia director Mark Lincoln says customers would not have been aware that their card details were kept. The ABC report says the vulnerability occurred because of a “failure to keep the Website updated”.

The company told the ABC it does not know how long breaches may have been occurring.

Source

Hardware keyloggers discovered in public libraries in Greater Manchester

Two USB devices, attached to keyboard sockets on the back of computers in Wilmslow and Handforth libraries, would have enabled baddies to record every keystroke made on compromised PCs. It’s unclear who placed the snooping devices on the machines but the likely purpose was to capture banking login credentials on the devices prior to their retrieval and use in banking fraud.

A third detected device was discovered but disappeared before it was turned over to local police, the Manchester Evening News reports.


Visa relaxes PCI DSS annual vendor audits

Visa has relaxed its regulatory rules so that European high street merchants who capture at least three-quarters of their take through EMV-enabled chip-and-PIN terminals will no longer have to pass Payment Card Industry Data Security Standard (PCI DSS) audits every year. The programme, which will help high street shops to reduce compliance cost, kicks in from 31 March 2011.

Retail merchants will first have to establish compliance before they can benefit from the newly introduced programme, after which that status will no longer be reviewed every year, at least as far as Visa is concerned. Mastercard is yet to introduce a comparable scheme, so the move doesn’t yet mean that most high street merchants can avoid annual security audits, at least for now. Chip-and-PIN transactions are, of course, irrelevant for online retailers. In addition, the programme applies only in Europe and elsewhere in the world except the US, where chip-and-PIN as a method to authorise face-to-face credit card transactions in preference to signatures is yet to become commonplace.

Visa describes the move as a validation of proven technology that also lays the groundwork towards the future use of mobile payment technologies.

“EMV chip is a proven technology platform that can offer the industry the ability to facilitate dynamic data as well as enable payment innovations,” said Jim McCarthy, global head of product at Visa, in a statement. “In addition, merchant adoption of dual interface contact/contactless terminals will support the emergence of near field communication (NFC) payment form factors, including mobile devices.”

Ross Brewer, president and managing director of security compliance and management tools firm LogRhythm, said that although the new rules may reduce the compliance burden for some, they will inevitably lead to greater confusion over regulations.

“Visa should of course be applauded for trying to reduce the compliance burden for merchants that are using the latest secure technologies, in this instance, contact or dual contact/contactless chip-and-PIN terminals,” Brewer explained. “However, this by no means spells the end of compliance – other card firms, including MasterCard, will still require annual validation that regulations are being met – so appropriate compliance procedures still need to be in place.”

Assuring security at a point-of-sale terminal is only part of maintaining a secure retail environment. Encryption of customer details and maintaining secure wireless networks in a retail environment are also important. Brewer cautioned that Visa appeared to be sending out a “mixed message” about complying with industry best practices by failing to stress a holistic approach. Brewer said: “Even if point-of-sale security is completely watertight, who’s to say that the credit card details stored elsewhere in the merchant’s IT infrastructure are just as safe?”

“PCI compliance – as burdensome as it sometimes seems – still delivers benefits to merchants, as it helps them achieve best practice,” he concluded. ®

Source

Home Secretary promises £63m for cybercrime fight

Home Secretary Theresa May has announced a £63m boost to police budgets for combating cyber crime.

The money will come from the £650m being spent on beefing up the UK’s national cyber defences announced last year.

The move to a proactive, and attacking, form of cyber defence was explained to the Reg by “senior Whitehall officials” in 2009. They warned the newly-formed Office of Cyber Security, within the Cabinet Office, that the main threats to UK infrastructure come from organised criminals, not terrorists.

Officials also made clear that attacks were no longer likely to be “online only” – 90 per cent of UK high street transactions are now “online” in some sense.

A potted statement from the Home Office said: “This proposed new funding will be used to develop the UK’s overall response to cyber crime. The Government is determined to build an effective law enforcement response to the cyber crime threat building upon the existing expertise within SOCA and the Met Police Central e-Crime Unit.

“More details of the funding allocation will be made public in due course.”

The Home Office press office was unable to confirm the figure of £63m, which was reported by eGovmonitor reporting comments made by Theresa May. ®

Source

Digital Attacks on Mobile Devices on the Rise

Security threats to mobile devices rose 46 percent last year, with Android and Symbian platforms particularly vulnerable, according to security firm McAfee.

“During the last several years, we have seen a steady growth in the number of threats to mobile,” McAfee said in the report. “We also see the direct correlation between device popularity and cybercriminal activity, a trend we expect to surge in 2011.”

Google’s Android operating system, which last quarter overtook Nokia’s Symbian as the world’s most popular smartphone software, had been targeted by a Trojan virus, called “Geinimi,” which buried itself in applications and games, said the report. Trojan code often destroys data on a device, sometimes while flashing a mocking message on the screen.

Symbian was also targeted by malware called “Zitmo,” developed by criminals running a botnet dubbed “Zeus” that repackaged old commercial spying software.

McAfee warned that botnets, which are networks of devices installed with malware that let criminals control them remotely, will begin to spring up. Devices infected with botnets often have sensitive information like bank account details and passwords stolen from them, or are used for criminal purposes like flooding or hacking.

In order to reduce the risk of devices being hacked, users should apply the same precautions to them as they would when browsing the Web or using email on a computer. Among the most basic of these are never opening attachments to emails and not downloading data from any site you are not sure of. Many phone operators also offer spam filters and other security software for free.

Source

Hack reveals passwords from locked iPhones and iPads

Researchers have devised a method for stealing passwords stored on locked iPhones and iPads that doesn’t require cracking of the device’s passcode.

The technique, disclosed on Thursday by members of the Fraunhofer Institute for Secure Information Technology, requires physical access to the targeted iPhone or iPad, so remote attacks aren’t possible. But it takes less than six minutes to carry out, and the after-effects are easy to conceal, making it ideal to carry out on devices that are lost, stolen or temporarily unattended.

The hack exploits cryptography in the iOS password management system – known as keychain – that uses a secret key that is completely independent of the device’s passcode. That saves attackers who manage to access the file system the hassle of deducing a key that’s based on a passphrase set up by the user.

“After using a jailbreaking tool, to get access to a command shell, we run a small script to access and decrypt the passwords found in the keychain,” the researchers wrote in a paper (PDF). “The decryption is done with the help of functions provided by the operating system itself.”

The script also reveals always-encrypted account settings for things like user names and server addresses for all stored accounts, as well as the account clear-text secrets. The hack worked on a locked iPhone 4 running iOS 4.2.1, which was the most current firmware version at the time of writing. A demo of the attack is available on YouTube.

“The accessibility of keychain secrets without requiring the passcode is considered a result of a trade-off between system security and usage convenience,” the researchers wrote. “The passwords for network related services should be available directly from device startup, without having to enter the passcode first.”

The technique doesn’t retrieve passwords stored in parts of the device that remain off limits until the passcode is entered.
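The trade-off the researchers describe comes down to which key wraps each keychain item: a key the device holds from boot, or one derived from the user's passcode and present only after unlock. The added example below (not Apple's implementation and not the researchers' script) models that distinction so an administrator can see which class of item is exposed to anyone who reaches the file system of a locked device, and which stays out of reach, exactly as the paragraph above states. The class names are illustrative rather than the SDK constants, PBKDF2 stands in for Apple's passcode key derivation, and the HMAC-SHA256 keystream is a toy stand-in for the real key wrap; the device key, salt and passcode are constructed values.

```python
import hashlib
import hmac
import os

# Illustrative protection classes (not the SDK constant names).
ALWAYS = "always"                # wrapped with the device key only: readable from boot
WHEN_UNLOCKED = "when_unlocked"  # wrapped with a passcode-derived key: readable only after unlock


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy wrap: XOR with an HMAC-SHA256 keystream (stand-in for the real key wrap)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Keychain:
    def __init__(self, device_key: bytes, salt: bytes):
        self.device_key = device_key   # fixed per device, independent of the passcode
        self.salt = salt
        self.items = {}                # name -> (class, nonce, wrapped secret, tag)
        self._passcode_key = None      # present only while the device is unlocked

    def unlock(self, passcode: str) -> None:
        # Passcode-derived key; a wrong passcode yields a key that fails the tag check below.
        self._passcode_key = hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 100_000)

    def lock(self) -> None:
        self._passcode_key = None

    def _key_for(self, cls: str) -> bytes:
        if cls == ALWAYS:
            return self.device_key
        if self._passcode_key is None:
            raise PermissionError("item is passcode-protected and the device is locked")
        return self._passcode_key

    def add(self, name: str, secret: bytes, cls: str) -> None:
        key = self._key_for(cls)
        nonce = os.urandom(16)
        wrapped = _keystream_xor(key, nonce, secret)
        tag = hmac.new(key, nonce + wrapped, hashlib.sha256).digest()
        self.items[name] = (cls, nonce, wrapped, tag)

    def get(self, name: str) -> bytes:
        cls, nonce, wrapped, tag = self.items[name]
        key = self._key_for(cls)
        expected = hmac.new(key, nonce + wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("unwrap failed: wrong passcode")
        return _keystream_xor(key, nonce, wrapped)


def readable_while_locked(kc: Keychain) -> list:
    """Audit helper: names of items recoverable with the device key alone, i.e. what
    file-system access to a locked device exposes. Locks the keychain first."""
    kc.lock()
    exposed = []
    for name in kc.items:
        try:
            kc.get(name)
            exposed.append(name)
        except PermissionError:
            pass
    return sorted(exposed)


def demo() -> list:
    """Populate a keychain the way the article describes and report what a locked device leaks."""
    kc = Keychain(device_key=b"\x11" * 32, salt=b"constructed-salt")
    kc.unlock("1234")
    kc.add("wifi-psk", b"office-wifi-secret", ALWAYS)            # needed before first unlock
    kc.add("exchange-password", b"corp-mail-secret", WHEN_UNLOCKED)
    return readable_while_locked(kc)


if __name__ == "__main__":
    print("readable on a locked device:", demo())
```

The audit function is the defender's takeaway: anything an application stores in the always-available class is, by design, recoverable without the passcode, so that class should hold only what genuinely must work before first unlock.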

Still, the hack can reveal a wealth of sensitive codes, including those used for virtual private networks, Wi-Fi networks, LDAP accounts, voicemail systems and Microsoft Exchange accounts. And that’s likely to spook large business customers with employees that use the devices to connect to sensitive company systems. ®

Source