STE WILLIAMS

How websites use your browser to sell you for cash

Part 1 It has been a year since I have talked about securing browsers against privacy invasion. In that time, things have got worse, not better. In addition to the threat of malware and malicious scripts, we have the frightening new evercookie.

Leaving the criminal misuse of tracking for a later date, there is plenty to worry about from the use – and misuse – of our personal data by legitimate organisations. Advertisers are getting aggressive, and the techniques in use require a stalwart defence if we hope to retain our privacy.

Hello Mr Yakamoto and welcome back to the GAP! How’d those assorted tank tops work out for you?

The most pervasive breach of personal privacy – and threat to online anonymity – is the omnipresent tracking of our every digital move by advertisers and the companies that sell ad space to them. Targeted advertising has already gone so far that it is entirely possible that Google, Amazon and Facebook know more about you than your own mother.

Last night I spent four hours discussing a piece of media distribution software with one of the company’s founders. We went off the rails a little, engaged in some blue sky thinking and came to the conclusion that with some minor tweaking, that firm is sitting on software nearly capable of delivering a Minority Report level of personalised advertising.


It was an interesting thought exercise, and frankly it’s a little scary that such a thing is possible simply by bolting together various different extant technologies. Government surveillance is usually the threat bandied about, but that isn’t a real concern to me. Governments are notoriously terrible at actually implementing technology.

The problem with this is that Mr Yakamoto may not want every website (or store) he visits to have such a personal relationship with him. Knowledge about what we purchase – or research online – when and from whom can have real world impacts.

Flaws in software can leave our entire browsing history vulnerable to malicious websites. Sometimes normally credible websites run by reputable companies simply give your information away.

Having your plans to join the surveillance society revealed inadvertently might not go over well at the next condo meeting. Your coworkers might become disgruntled were they to learn that you read books favouring a political party they despise.

Many of us still share information on our computers by having someone physically look at the same screen we see. The advertisements custom targeted at you can often be seen by those around you, inadvertently revealing more about us than we realise.

Would your employer be upset to see a message informing you about three replies in an advertisement for a job search site? And might there be an awkward moment when your shoulder-surfing girlfriend starts wondering why the advertisements on your nightly news sites have shifted suddenly from being predominantly about video games to predominantly about engagement rings?

What we buy, where and from whom is sensitive information. That this information is often combined with personally identifiable information such as our home address, phone number, credit cards, etc means that putting a real live person behind the data is not that hard. We don’t want to share that information with everyone around us, and yet we unknowingly do so every single day.

But how do they track us, and what can we do about it?

Your best defence here is your browser. Since advertising tracking can come in many forms, you need a multitude of configuration changes or plug-ins to keep you safe.

Be wary however, even an up-to-date browser with a full suite of plug-ins – if improperly configured – can still reveal a remarkable amount of information about you. Take the time to run a test if you are concerned. If you use flash, you should go here and review your security settings.

Browser Referral

Every time you click a hyperlink on a web page, your browser sends information to the web server you are visiting. Included in this payload is the address of the page you are currently on (the HTTP Referer header).

Traditionally, this has been an important source of information to virtually all website owners; it tells them how you found their website. It helps those running websites make the most out of limited advertising budgets and even keeps them informed of forums, complaint websites or news articles they have been mentioned on.

Lately however, more and more web users are becoming aware of the existence of browser referrals, and spoofing them. If you want to block websites from seeing your referral information, there are methods available. (IE, Safari, Firefox, Chrome and Opera)
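To make concrete what the receiving site actually learns from the referral, here is an added example (not from the original article) that parses a few constructed access-log lines in the common "combined" format and reports the referring site along with any query parameters that reveal more than "which site sent this visitor" (search terms, session ids). The list of parameter names is an assumption for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in the "combined" format
# (IP, timestamp, request, status, size, Referer, User-Agent). Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2011:10:00:01 +0000] "GET /article HTTP/1.1" 200 5120 "https://www.example-search.test/search?q=divorce+lawyer+near+me" "Mozilla/5.0"
203.0.113.7 - - [01/Nov/2011:10:00:09 +0000] "GET /article HTTP/1.1" 200 5120 "https://forum.example.test/thread/123?sid=9f8e7d6c" "Mozilla/5.0"
198.51.100.4 - - [01/Nov/2011:10:01:00 +0000] "GET /article HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Query parameter names that commonly carry search terms or session identifiers.
# This set is an assumption for the example; tune it to the sites you actually see.
SENSITIVE_PARAMS = {"q", "query", "search", "sid", "session", "token"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referrer_exposure(referer: str) -> Optional[Dict[str, object]]:
    """Describe what a Referer value tells the receiving site.

    Returns None when the browser sent no referrer (logged as "-")."""
    if referer in ("", "-"):
        return None
    parts = urlsplit(referer)
    params = parse_qs(parts.query)  # decodes '+' and %xx escapes
    return {
        "referring_site": parts.hostname,
        "referring_path": parts.path,
        # Parameters that reveal more than "which site sent this visitor".
        "leaked_params": {k: v for k, v in params.items() if k in SENSITIVE_PARAMS},
    }


def summarise(log_text: str) -> List[Dict[str, object]]:
    """One record per visit: the client IP, the referring site and any leaked parameters."""
    records = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        records.append({"ip": fields["ip"], "referrer": referrer_exposure(fields["referer"])})
    return records


if __name__ == "__main__":
    for rec in summarise(SAMPLE_LOG):
        print(rec)
```

Run against your own logs, the same report shows which inbound referrers are handing you other sites' search terms or session tokens, which is data you may not want to retain.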


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/01/how_to_stay_anonymous/

Researchers propose simple fix to thwart e-voting attack

Researchers have devised a simple procedure that can be added to many electronic voting machine routines to reduce the success of insider attacks that attempt to alter results.

The approach, laid out in a short research paper (PDF), augments the effectiveness of end-to-end verifiable election systems such as Scantegrity and MarkPledge. These systems are designed to generate results that can be checked by anyone, by giving each voter a receipt that contains a cryptographic hash of the ballot contents.

The researchers propose chaining the hash of each receipt to the contents of the previous receipt. By linking each hash to the ballot cast previously, the receipt serves not only as a verification that its votes haven’t been altered, but also as confirmation that none of the votes previously cast on the same machine have been tampered with.

The procedure is intended to reduce the success of what’s known as a trash attack, in which election personnel or other insiders comb through the contents of garbage cans near polling places for discarded receipts. The presence of the discarded receipts is often correlated with votes that can be altered with little chance of detection.

The running hash is designed to make it harder for insiders to change more than a handful of votes without the fraud being easy to detect.

“This mitigation makes the attack far more difficult and makes it nearly impossible to alter more than a small number of votes,” Josh Benaloh of Microsoft Research and Eric Lazarus of DecisionSmith wrote. “This mitigation also offers additional benefits to many verifiable systems at minimal cost.”

Most verifiable election systems already include a cryptographic hash on receipts returned to voters, so the inclusion of a running hash should be relatively easy to incorporate, the researchers said. ®
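The running-hash mitigation described above, as an added example that is not from the paper or the article. Each receipt carries the conventional per-ballot hash plus a chain value H(ballot_hash || previous chain value); the starting value GENESIS and the hash function (SHA-256) are assumptions of this example. The demo contrasts a "trash attack" on an early ballot, which per-ballot hashes miss but the chain catches, with an alteration of the last ballot after the last surviving receipt, which neither scheme detects.

```python
import hashlib
from typing import List, NamedTuple, Tuple


class Receipt(NamedTuple):
    sequence: int     # position of the ballot on this machine, starting at 0
    ballot_hash: str  # conventional verifiable-receipt value: H(ballot)
    chain_hash: str   # running hash: H(ballot_hash || previous chain_hash)


# Chain value before the first ballot on a machine (an assumption of this example).
GENESIS = "0" * 64


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def issue_receipts(ballots: List[str]) -> List[Receipt]:
    """Simulate the machine handing each voter a receipt chained to the previous one."""
    receipts, prev = [], GENESIS
    for i, ballot in enumerate(ballots):
        ballot_hash = sha256_hex(ballot)
        chain_hash = sha256_hex(ballot_hash + prev)
        receipts.append(Receipt(i, ballot_hash, chain_hash))
        prev = chain_hash
    return receipts


def recompute_chain(published: List[str], upto: int) -> str:
    """Chain value after ballot `upto`, recomputed from the published ballot record."""
    prev = GENESIS
    for ballot in published[: upto + 1]:
        prev = sha256_hex(sha256_hex(ballot) + prev)
    return prev


def conventional_failures(published: List[str], kept: List[Receipt]) -> List[int]:
    """Kept receipts whose own ballot no longer matches the published record."""
    return [r.sequence for r in kept
            if r.sequence >= len(published) or sha256_hex(published[r.sequence]) != r.ballot_hash]


def chained_failures(published: List[str], kept: List[Receipt]) -> List[int]:
    """Kept receipts whose running hash the published record no longer reproduces.
    Unlike the per-ballot hash, this also catches changes to any earlier ballot."""
    return [r.sequence for r in kept
            if r.sequence >= len(published) or recompute_chain(published, r.sequence) != r.chain_hash]


def trash_attack(ballots: List[str], alter_index: int, kept_indices: List[int]) -> Tuple[List[int], List[int]]:
    """An insider alters ballot `alter_index` (its receipt went in the bin) while voters at
    `kept_indices` still hold theirs. Returns (conventional, chained) detections."""
    receipts = issue_receipts(ballots)
    kept = [receipts[i] for i in kept_indices]
    tampered = list(ballots)
    tampered[alter_index] = "C" if ballots[alter_index] != "C" else "A"
    return conventional_failures(tampered, kept), chained_failures(tampered, kept)


def demo() -> dict:
    ballots = ["A", "B", "A", "C", "B", "A"]  # constructed sample ballots on one machine
    return {
        # Altering ballot 1 is invisible to per-ballot hashes but breaks every later chain value.
        "early_vote_altered": trash_attack(ballots, 1, kept_indices=[2, 4]),
        # Altering the last ballot, cast after the last kept receipt, still goes unnoticed:
        # the running hash only protects ballots cast before some surviving receipt.
        "trailing_vote_altered": trash_attack(ballots, 5, kept_indices=[2, 4]),
    }


if __name__ == "__main__":
    print(demo())
```

The second case is why the authors claim only that the mitigation makes it "nearly impossible to alter more than a small number of votes": the few ballots after the last receipt that a voter keeps are still exposed.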

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/11/01/electronic_voting_fraud_mitigation/

Dozens of chemical firms hit in espionage hack attack

Dozens of companies in the defense and chemical industries have been targeted in an industrial espionage campaign that steals confidential data from computers infected with malware, researchers from Symantec said.

At least 29 companies involved in the research, development, and manufacture of chemicals and an additional 19 firms in defense and other industries have been attacked since the middle of July, Symantec researchers wrote in the report (PDF) released Monday. The unknown attackers used back door trojans, including a variant of the publicly available Poison Ivy, to exfiltrate data from victims – including multiple Fortune 100 companies involved in the research and development of chemical compounds and advanced materials.

“These attacks are primarily targeting private industry in search of key intellectual property for competitive advantage, military institutions, and governmental organizations often in search of documents related to current political events and human rights organizations,” the eight-page Symantec report stated. “This attack campaign focused on the chemical sector with the goal of obtaining sensitive documents such as proprietary designs, formulas, and manufacturing processes.”

The campaign, which the Symantec researchers have dubbed “Nitro,” wasn’t disrupted until the middle of September.

The majority of infected machines found connecting to command and control servers were located in the US, Bangladesh, and the UK. Other infected computers came from an additional 17 countries, including Argentina, Singapore, and China.

Some of the attacks have been traced to a computer that acted as a virtual private server by an individual located in the Hebei region of China. While a person calling himself Covert Grove claimed he used the system for legitimate reasons, the researchers said his denial seemed “suspicious.”

“We are unable to determine if Covert Grove is the sole attacker or if he has a direct or only indirect role,” they wrote. “Nor are we able to definitively determine if he is hacking these targets on behalf of another party or multiple parties.”

The attacks typically begin with emails that purport to come from the recipient’s IT department and warn of unpatched vulnerabilities in Adobe Reader. When the recipient opens one of two attached files, Poison Ivy or Backdoor.0divy is installed. Security provider Norman ASA has technical information about the malicious payloads here.

Several other groups that appear to be unrelated are targeting some of the same chemical companies with malicious documents that exploit vulnerabilities in Adobe Reader and Microsoft Office. As a result, the victims are infected with Backdoor.Sogu, the same custom-developed threat used to steal personal information from as many as 35 million users of a South Korean social network, the Symantec researchers said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/31/chemical_firms_hacked/

Illicit Bitcoin miners steal resources from infected Macs

Security researchers have identified malware that hijacks the resources of infected Macs to illegally mint the digital currency known as Bitcoin.

The DevilRobber.A trojan has been circulating on The Pirate Bay and other BitTorrent trackers, where it’s bundled with the Mac OS X image-editing application Graphic Converter, researchers from Sophos blogged on Monday. Like previous malware attacking Windows PCs, it commandeers a Mac’s graphics card and CPU to perform the mathematical calculations necessary to generate new digital currency, a process known as Bitcoin mining.

As researchers from rival antivirus provider Intego point out in their own blog post, Bitcoin mining is just one of the many activities performed by the recently discovered trojan.

“This malware is complex, and performs many operations,” they wrote. “It is a combination of several types of malware: it is a Trojan horse, since it is hidden inside other applications; it is a backdoor, as it opens ports and can accept commands from command and control servers; it is a stealer, as it steals data and Bitcoin virtual money; and it is a spyware, as it sends personal data to remote servers.”

In addition to hijacking a Mac’s GPU and CPU for Bitcoin mining, DevilRobber.A also searches an infected machine for any Bitcoin wallets. If found, the malware will purloin the digital currency. It also steals passwords, browsing history from Safari browsers, and data from Vidalia, a Firefox plugin used to communicate over the TOR anonymity service.

So far, DevilRobber.A has been installed on only a small number of machines. But it’s part of a growing wave of increasingly sophisticated malware targeting Mac users. Over the past month, at least two other OS X trojans have also been discovered, including Tsunami, which is derived from an earlier Linux-infecting backdoor called Kaiten, and Flashback, which was recently updated to make it harder for researchers to do reconnaissance on it. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/31/mac_os_x_bitcoin_mining_trojan/

Anonymous threatens Mexican drug cartel

The Mexican branch of Anonymous has threatened to expose members of Los Zetas unless the drug cartel releases a kidnapped member of the hacking collective.

In an ultimatum posted on YouTube, Anonymous threatens to publish data on cartel members and affiliates in Veracruz unless an unnamed male victim is freed by 5 November. The kidnapping happened during a street protest in the Mexican state of Veracruz, according to the video. The hackers threaten to expose journalists, taxi drivers and corrupt cops that have collaborated with the cartel.

The Zetas are one of the most notorious of several rival gangs of drug traffickers that have plagued Mexico over recent years. Over recent months, turf wars and escalating attacks have increased the death toll.

The Monterrey casino attack in August, which claimed the lives of 53 people, and the 2011 Tamaulipas massacre, involving the mass murder of an estimated 190 plus abducted bus passengers back in April, were both blamed on the Zetas. Some Zetas members are former Mexican Special Forces soldiers, the US Department of Homeland Security warns. A woman from Nuevo Laredo, Marisol Macias Castaneda, 39, was beheaded for posting about the Zetas on a local online discussion forum last month, just days after two bloggers were found hanging from a bridge in the same northern Mexican border city.

If Anonymous follows through on its threat to expose details of the Zeta’s operations, it will almost certainly result in further bloodshed. Analysts warned the Houston Chronicle that outing cartel members would leave bloggers and others more vulnerable to reprisal attacks by the cartel. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/31/anonymous_versus_mexico_cartel/

Check Point scoffs security dashboard firm

Check Point has acquired governance, risk management and compliance (GRC) firm Dynasec. Financial terms of the deal, announced Monday, were undisclosed.

The acquisition allows Check Point to extend its 3D Security line of firewalls and VPNs to add features that enable companies to “view security as a business process, focusing on policy, people and enforcement”, according to the Israeli security firm.

Functions of GRC technology include security policy distribution and response, IT risk evaluation and compliance dashboards, as well as security problem remediation. The market, fiercely competitive but not fully formed, has some overlap with the adjacent Security Information and Event Management (SIEM) market that has been a hotbed of acquisitions of late.

McAfee and IBM have both bought into the SIEM market with the acquisition of start-ups NitroSecurity and Q1 Labs, earlier this month, for example. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/31/check_point_buys_grc_firm/

China responds to satellite hack charge: ‘Nuh-uh!’

Surprising no one, the Chinese government has denied that it had anything to do with the hacking of two US satellites in 2007 and 2008.

“This report is untrue and has ulterior motives. It’s not worth a comment,” commented Foreign Ministry spokesman Hong Lei at a Monday press briefing, reports Reuters.

The report to which Hong was referring was a draft of the annual report of the US-China Economic and Security Review Commission, which didn’t detail the exact nature of the hack of the two US satellites – Terra (EOS AM-1) and Landsat 7 – although it did note that “the responsible party achieved all steps required to command the satellite.”

“Such interference poses numerous potential threats, particularly if achieved against satellites with more sensitive functions,” the draft said. “Access to a satellite’s controls could allow an attacker to damage or destroy the satellite. An attacker could also deny or degrade as well as forge or otherwise manipulate the satellite’s transmission.”

The report did not specifically name China as the “responsible party”, but it did point out that the Chinese military has discussed investigating how to disable enemy space-based observation systems, including “ground-based infrastructure, such as satellite control facilities.”

Frankly, if the militaries of all spacefaring nations aren’t investigating such possibilities, they should be denounced for dereliction of duty.

Neither Reuters nor The Guardian, which also reported Hong’s remarks, noted whether spokesman Hong was able to keep a straight face when he said: “China is also a victim of hacker attacks and we oppose any form of cybercrimes including hacking.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/31/china_denies_satellit_hack/

Scotland Yard trackers operate fake mobile base stations

London’s Metropolitan Police are using fake base stations to intercept mobile-phone calls, not to mention running a covert air wing, according to reports over the weekend.

The base stations come from Leeds-based Datong plc, and can blanket a 10km² area within which every mobile phone is tracked and monitored, according to the Guardian newspaper. Meanwhile the Telegraph has been busy tracking down £3m worth of fixed-wing aircraft, which, the paper alleges, the Met has been using without oversight from the Metropolitan Police Authority.

Neither claim has been admitted, or denied, by the Metropolitan Police force, which provided us with the usual comments about “proportionate responses” and “covert policing”. Neither claim is particularly shocking, but even spooks would be impressed to see the police running a 14-seater Cessna registered to a shell company consisting of nothing more than a rented post-office box.

It would also be no great surprise if the police were to use fake base stations to track people during civil unrest. The same information can be obtained from the mobile network operators, but that takes time and costs money, and the faster it is needed the more it costs.

UK mobile operators are obliged to keep location and calling information for a year, logging everywhere you’ve been and everyone with whom you speak, but they are allowed to charge the police (on a cost-recovery basis) for access to that data. The faster the police want the data, the more the operators charge, so real-time tracking is very expensive indeed.

2G networks only authenticate in one direction – the SIM proves its identity to the network – so creating a fake base station is relatively easy. The GSM standard also allows the base station to ask for an unencrypted connection, essential in countries where strong encryption isn’t allowed, so a man-in-the-middle attack is very feasible. Handsets are supposed to provide an on-screen notification when encryption has been disabled, but conformance to that detail is very rare indeed.

But that’s to listen in to calls. Tracking people is a good deal easier. Phones broadcast an identifying number (the TMSI, a temporary subscriber identity) which can’t immediately be linked to an individual but can be used to track movements in an entirely passive way. The lack of identity actually makes the process (legally) easier, as under the current legislation the privacy implications disappear when there’s no identity. Private companies such as Path Intelligence do exactly the same thing for shopping malls and suchlike, tracking footfall without knowing (or caring) whose feet are falling.

The police, however, are slightly different in that they can go back to the network operator later and link the TMSI to a real IMSI. That will generally link to a physical person, who might then have to explain what his/her phone was doing at the time in question.

The Guardian reckons the Met paid £143,455 to Datong in 2008/9, and Datong does sell kit for tracking mobile phones as described, so it seems likely that this is what the Met is doing. Hertfordshire Constabulary also shelled out £8,373 to Datong, presumably for similar capabilities.

We already know that the police can use our mobile-phone records to see where we were, and the technology to see where we are has been knocking around for years, so it shouldn’t be hugely surprising if the police are using that too. The UK is one of a decreasing number of countries in which one can still buy a mobile phone without proof of identity, which provides considerable protection against such tracking, so we should probably expect to see that freedom targeted any day now. ®

Bootnote

It should probably be noted that large and well-resourced parts of the Metropolitan Police are nothing to do with the city’s government or London as such. The Counter Terrorism Command, despite appearing on the Met table of organisation as SO15, is in fact a national organisation with offices and operations outside the capital. It frequently operates alongside the Security and Secret Intelligence services (MI5 and MI6). As such it has access to funds other than those supplied via the Metropolitan Police Authority.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/31/met_police_datong_mobile_tracking/

Don’t let Halloween malware haunt your PC

Halloween celebrations on Monday are likely to be haunted by rampant malware infections and an onslaught of internet scams, security watchers warn.

Wicked writers of devilish code are likely to take advantage of the festivities to spook surfers with search engine poisoning attacks that point browsers towards websites infected with malware or peddling scareware.

“The combination of things that people will search for online at this time of year presents multiple opportunities for scammers to try to compromise personal data and corrupt computers,” said Jovi Umawing, a research analyst at GFI Software. “It is paramount that people are vigilant and approach anything with a Halloween theme with caution.”

Halloween has repeatedly been exploited via various scams, the most noteworthy of which are listed below.

  • Shopping scams: bogus Halloween gift card offers have appeared via email in each of the last three years. Marks are offered free £250 Halloween gift cards, supposedly in return for signing up for a new credit card, often from a high-interest rate card issuer. “This is in fact a scam to harvest your personal and financial information for criminal use at a later date. The data doesn’t even go to the legitimate credit card issuer referenced,” Umawing intones.
  • The Dancing Skeleton: joke emails and comedy animations in the form of a desktop widget loaded with a scary hidden backdoor. Variants of the infamous Storm trojan used this trick.
  • The fake party invitation: emails with malicious attachments that pose as supposed Halloween party invitations. “Even if you receive an invite from a known individual, approach with caution and check all links before clicking on them,” GFI warns.

Links distributed via social networking sites, such as Facebook and Twitter, from compromised accounts also pose a risk. Scammers may disguise the true destination of a web address in these cases using URL shortening services.

GFI’s warning is repeated by Trend Micro, which has published an infographic on seasonal threats here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/31/halloween_themed_threats/