STE WILLIAMS

Galleon chief Rajaratnam gets 11 years in the slammer

Raj Rajaratnam, the former head of the Galleon hedge fund that was the epicenter of several insider trading rings that came to light two years ago, was sentenced in New York today to 11 years in prison for his kingpin role.

Rajaratnam was the founder and managing director of the $7bn Galleon Management hedge fund, and before the insider trading ring was busted up by wiretap-wielding US Attorneys and FBI agents, he had a net worth of $1.3bn.

Rajaratnam and his many co-conspirators engaged in insider trading in the stocks of Goldman Sachs, Intel, IBM, Akamai, Polycom, Clearwire, and AMD, and collectively the inside traders netted over $50m in ill-gotten gains or avoided losses.

Robert Moffat, formerly general manager of IBM’s Systems and Technology Group and one of the few heirs apparent at the company, was convicted and sent to prison for six months for supplying inside dope on IBM’s negotiations to acquire Sun Microsystems and on AMD’s chip foundry spinoff plans. Moffat never traded on any of this inside information or benefitted monetarily from it.

Rajaratnam was convicted of 14 felony counts in May of this year after an eight-week trial, and has been awaiting sentencing since that time. The US Attorney in charge of the case, Preet Bharara, had been pushing for more than two decades of jail time for Rajaratnam to make a statement about the evil that insider trading does – this being the largest ring that has been discovered and prosecuted to date.

US District Judge Richard Holwell received over 200 letters from people speaking on Rajaratnam’s behalf, attesting to the substantial charity work he does. Rajaratnam is also on dialysis and needs a kidney transplant. Even with these factors taken into account, however, Judge Holwell did not pull his punch much: at 11 years, he gave Rajaratnam the longest sentence anyone has ever received for insider trading in the United States, though well short of what the Feds wanted.

In his sentencing, Holwell said that insider trading “is an assault on our free markets,” and added that “the crimes and scope of the crimes reflect a virus in our business culture that needs to be eradicated.”

“It is a sad conclusion to what once seemed to be a glittering story,” Bharara said in a statement issued after the sentencing. “We can only hope that this case will be the wake-up call we said it should be when Mr. Rajaratnam was arrested. Privileged professionals do not get a free pass to pursue profit through corrupt means. The message is the same for everyone no matter who you are or how much money you have – obey the law or face the fate of those who don’t.”

In addition to the 11 years of jail time, Rajaratnam, who is 54, has to forfeit $53.8m in ill-gotten gains and pay a $10m fine. He is also going to be placed on two years of supervised release once his time is served. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/13/galleon_rajaratnam_sentencing/

Flashback trojan targeting OS X shuns virtual machines

Underscoring the growing sophistication of Mac-based malware, a trojan preying on OS X users has adopted several stealth techniques since it was discovered last month.

Updates to the Flashback trojan, which gets installed by disguising itself as an Adobe Flash update, now prevent the malware from running on Macs that use VMware Fusion. Such virtual machine software is routinely used by security researchers to test the behavior of a malware sample because it’s easier to delete a virtual instance when they’re finished than it is to wipe the hard drive clean and reinstall the operating system.

When users get tricked into clicking on the recently introduced Flashback.D installer, the program checks to see if the Mac is running Fusion. If it is, it doesn’t execute, researchers from antivirus provider Intego blogged on Thursday. Windows malware has done the same thing for years.

Flashback developers have also rejiggered their code so that it no longer installs itself in an easy-to-spot subfolder off the OS X ~/Library location. Instead, it plants a backdoor inside a more obscure folder associated with Safari. Deleting those files prevents the browser from working.

Such virtual-machine blocking and cloaking of malicious files have become standard fare in Windows malware. Their addition to Flashback suggests the same techniques are being adopted by criminals targeting Macs.

“These changes show that the malware authors are sophisticated, and that they’re altering their code to ensure that the malware is not detected,” Intego researchers wrote.

A separate post from researchers at competing antivirus firm F-Secure said the VM-awareness dates back to the release of the earlier Flashback.B version of the malware.

“It appears that Mac malware authors are anticipating that researchers will begin to use virtualized environments during analysis, and are taking steps to hamper such efforts,” the post stated.
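The reports above only say that Flashback.D refuses to run when it finds VMware Fusion; they do not say how. The following example, added here and not taken from the Flashback sample or from the Intego or F-Secure write-ups, shows the shape such a check usually takes on OS X, generalised to the common guest tell-tales: the `hw.model` string from `sysctl`, the MAC address OUI of the primary interface, and the presence of guest-tools directories. The indicator tables and the captured `sysctl`/`ifconfig` output are constructed for this example, so it runs offline; the function takes that output as strings rather than executing commands.

```python
import re

# Hypothetical indicator tables assembled for this example; extend them from
# real guest inventories before relying on them.
VM_MODEL_MARKERS = ("vmware", "virtualbox", "parallels")
VM_MAC_PREFIXES = {
    "00:50:56": "VMware",
    "00:0c:29": "VMware",
    "08:00:27": "VirtualBox",
    "00:1c:42": "Parallels",
}
VM_TOOLS_PATHS = (
    "/Library/Application Support/VMware Tools",
    "/Library/Parallels Guest Tools",
)


def vm_indicators(sysctl_output, ifconfig_output, present_paths):
    """Return the virtualisation indicators found in captured `sysctl hw`
    output, `ifconfig` output and a set of filesystem paths known to exist."""
    hits = []
    model = re.search(r"hw\.model:\s*(\S+)", sysctl_output)
    if model:
        name = model.group(1).lower()
        if any(marker in name for marker in VM_MODEL_MARKERS):
            hits.append(f"hw.model={model.group(1)}")
    for mac in re.findall(r"ether\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})",
                          ifconfig_output, re.I):
        vendor = VM_MAC_PREFIXES.get(mac[:8].lower())
        if vendor:
            hits.append(f"mac-oui={mac[:8]} ({vendor})")
    for path in VM_TOOLS_PATHS:
        if path in present_paths:
            hits.append(f"path={path}")
    return hits


def is_virtual(sysctl_output, ifconfig_output, present_paths):
    """The decision a VM-aware sample makes before deciding whether to run."""
    return bool(vm_indicators(sysctl_output, ifconfig_output, present_paths))


# Constructed samples: what a Fusion guest and a physical MacBook might report.
FUSION_SYSCTL = "hw.machine: x86_64\nhw.model: VMware7,1\nhw.ncpu: 2\n"
FUSION_IFCONFIG = ("en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
                   "\tether 00:0c:29:4f:12:ab\n")
FUSION_PATHS = {"/Library/Application Support/VMware Tools", "/Applications/Safari.app"}

PHYSICAL_SYSCTL = "hw.machine: x86_64\nhw.model: MacBookPro8,2\nhw.ncpu: 8\n"
PHYSICAL_IFCONFIG = ("en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500\n"
                     "\tether 3c:07:54:1a:2b:3c\n")
PHYSICAL_PATHS = {"/Applications/Safari.app"}

if __name__ == "__main__":
    print("fusion guest:", vm_indicators(FUSION_SYSCTL, FUSION_IFCONFIG, FUSION_PATHS))
    print("physical mac:", vm_indicators(PHYSICAL_SYSCTL, PHYSICAL_IFCONFIG, PHYSICAL_PATHS))
```

Every one of these indicators is under the analyst's control: the MAC OUI can be changed in the guest's configuration, the tools package can be left uninstalled, and the check itself can be patched out of the binary in a disassembler. The same table also works the other way round, as a cheap deterrent: planting VM tell-tales on a physical machine makes VM-aware samples of this kind refuse to run.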

Developers are bringing additional innovations to Mac malware. According to security reporter Brian Krebs, Trojan-Dropper: OSX/Revir.A, another recently discovered Mac trojan, “challenges a widely-held belief among Mac users that malicious software cannot install without explicit user permission.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/13/mac_trojan_innovates/

Busting net neutrality may amount to spying, says EU

New EU laws on net neutrality may be necessary to stop internet service providers (ISPs) from infringing individuals’ data protection and privacy rights, the European Data Protection Supervisor (EDPS) has said.

The traffic inspection required to operate systems that breach net neutrality principles and prioritise some content over other content could violate privacy and data protection rights, he said.

Peter Hustinx said that EU telecoms regulators should monitor whether ISPs are complying with EU data protection and privacy laws when managing communications across their networks. Net neutrality is the principle that an ISP will deliver all content requested by a customer equally, not allowing content producers which pay it to have preferential access to its subscribers.

Hustinx called on the European Commission to establish an expert group, comprised of regulators and privacy watchdogs, which would “develop guidance” on applying the principles of data protection and privacy to net neutrality “in order to ensure solid and harmonised approaches and the same playing field” across the EU.

He said the guidance was necessary because of “the relative novelty of the possibility of massive, real-time inspection of communications” by ISPs in delivering services. Findings of the group and regulators could determine whether further EU regulation of net neutrality is needed, Hustinx said.

ISPs sometimes block or slow down users’ access to some content during busy periods on their networks, but can also benefit from this kind of “traffic management” by charging content providers who are willing to pay for preferential access to their subscribers or by charging users more for fewer restrictions. To decide which content to “throttle” or block access to, ISPs sometimes inspect personal data contained in communications. Hustinx said that this activity can be legitimate providing it complies with EU law.

“The concept of net neutrality builds on the view that information on the internet should be transmitted impartially, without regard to content, destination or source,” Hustinx said in a statement. “By looking into users’ internet communications, ISPs may breach the existing rules on the confidentiality of communications, which is a fundamental right that must be carefully preserved. A serious policy debate on net neutrality must make sure that users’ confidentiality of communications is effectively protected.”

EU rules around net neutrality have not been explicitly written into EU-wide Directives, but recent changes to the Framework for Electronic Communications Directive set out certain requirements for national regulators to promote the concept.

Under the Directive, EU member states must ensure that national regulatory authorities “take all reasonable measures” proportionate to “promote the interests of the citizens of the European Union by … promoting the ability of end-users to access and distribute information or run applications and services of their choice”.

Other rules set out in the Universal Services Directive force ISPs to maintain a minimum quality of service and provide transparent information to customers about the services they provide. The Body of European Regulators of Electronic Communications, which is made up of representatives of telecoms regulators in the 27 EU countries, recently said that ISPs must provide consumers with accessible, understandable, meaningful, comparable and accurate information in order to allow them to make “informed choices” about services.

In a formal opinion (20-page/193KB PDF) Hustinx explained that some of the practices employed by ISPs to manage traffic on their networks may be contrary to EU data protection and privacy laws. He said that ISPs may breach the laws when accessing users’ personal data, such as account details, to determine how to manage their communications traffic.

“ISPs’ increasing reliance on monitoring and inspection techniques impinges upon the neutrality of the Internet and the confidentiality of communications,” Hustinx said. “This raises serious issues relating to the protection of users’ privacy and personal data.”

Under the EU’s Privacy and Electronic Communications Directive ISPs can process personal data “for the purpose of the transmission of a communication” subject to some conditions. The Directive states that providers are prohibited from “listening, taping, storage or other kinds of interception or surveillance of communications” without consent from the users concerned, other than when obliged to do so, such as for national security purposes.

Under the Directive providers also must “take appropriate technical and organisational measures to safeguard security of its services”.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/13/isps_traffic_managemnet_may_breach_european_net_neutrality_rules/

Social net sites do wonders for crooks, spooks and bosses

RSA Europe: Social networks make obtaining sensitive background information on people as a prelude to stealing their identities – and running attacks on corporations – easier than ever before.

Ira Winkler, president of ISAG (Internet Security Advisors Group), an ex-NSA officer and cybercrime guru, has called for increased security awareness training. “People don’t realise what they are putting out there,” he said. “Computers are making people easier to use every day.”

Speaking at the RSA Europe conference in London on Wednesday, Winkler outlined a range of attacks that social networking can enable. Information on LinkedIn, for example, has been used as a prelude to targeted attacks against corporates or government agencies as part of the expanding list of so-called Advanced Persistent Threat (APT) attacks commonly blamed on China. Lower-level criminals can use information on social networks such as Facebook to guess the answers to password reset questions. Worse still, Foursquare users give away their location every time they check in at a venue, revealing to potential burglars that they are away from home.

Much of this type of activity is wrongly described as social engineering, according to Winkler. The security guru said the term social engineering has been bastardised. Its original meaning referred to an interaction with people where they would be directly manipulated into performing actions or giving away confidential information. The bastardised term is now misapplied to “check this out” lures in mass-mailed computer viruses or even to the lifting of sensitive information consumers have unwittingly left on social networking sites, he says.

He also pointed out that few stop to think that current or potential employers might scan their Facebook profiles, which reveal details of drunken parties or time taken off work when they are supposedly sick.

Content-filtering tools for social networks don’t exist as yet. In the absence of such tools, Winkler favours security awareness training for users, which he argues is sorely needed.

“You can have no expectation of privacy for anything you put on the internet,” Winkler said. “The test has to be: do you want your worst possible enemy to see the information you are putting online?” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/13/social_networking_spy_risk/

Dutch ISP calls the cops after Spamhaus blacklists it

Dutch ISP A2B Internet has filed a complaint with the police after it claimed to have been “blackmailed” by London-based anti-spam outfit Spamhaus.

A2B managing director Erik Bais told Webwereld (report in Dutch) that Spamhaus “has gone too far”.

The Spamhaus Project is an international organisation, founded by Steve Linford in 1998, dedicated to tracking email spammers and spam-related activity. It is responsible for a number of widely used anti-spam DNS-based block lists (DNSBLs). Many ISPs use these services to reduce the amount of spam they take on.

Spamhaus asked A2B to block all traffic from German ISP Cyberbunker, aka CB3ROB, best known for helping out torrent site The Pirate Bay. Cyberbunker has several server racks with a partner of A2B. A2B, as the upstream provider, refused to block Cyberbunker’s full IP range and instead blocked only the one IP address that Spamhaus had identified as a source of spam.

According to Bais, Spamhaus then decided to include the full IP range of all of A2B’s customers in its block list. Several companies were practically offline as a result and couldn’t send or receive email.

Finally A2B gave in and withdrew its BGP (Border Gateway Protocol) route announcements for Cyberbunker, in effect cutting it off from the internet; BGP is the protocol networks use to exchange routing information with one another. Almost immediately, A2B could resume normal operations. “Spamhaus cannot be its own judge,” Bais told Webwereld.
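To make concrete what a DNSBL listing is mechanically, and why listing an upstream's whole range takes its unrelated customers offline, here is an added example (not Spamhaus's or A2B's code) that builds the query name an MTA resolves, interprets the 127.0.0.x answer, and simulates a zone before and after such an escalation. The return-code table reflects the Spamhaus ZEN/SBL documentation as the author of this note remembers it and should be checked against the current zone documentation; the zone contents and customer addresses are constructed from documentation prefixes and are not A2B's real address space.

```python
import ipaddress

# Spamhaus return codes (assumption: verify against the current zone docs).
SPAMHAUS_CODES = {
    "127.0.0.2": "SBL: Spamhaus Block List",
    "127.0.0.3": "SBL CSS: snowshoe / compromised sources",
    "127.0.0.4": "XBL: exploited or hijacked host (CBL)",
    "127.0.0.10": "PBL: ISP-declared end-user space",
    "127.0.0.11": "PBL: Spamhaus-maintained end-user space",
}


def dnsbl_query_name(ip, zone="sbl.spamhaus.org"):
    """Name an MTA resolves to test `ip` against `zone`: octets (nibbles for
    IPv6) reversed, then the zone appended. A 127.0.0.x A record means listed,
    NXDOMAIN means not listed."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        reversed_part = ".".join(reversed(addr.exploded.split(".")))
    else:
        reversed_part = ".".join(reversed(addr.exploded.replace(":", "")))
    return f"{reversed_part}.{zone}"


def lookup(ip, zone_data):
    """Simulate the zone. `zone_data` maps listed CIDR prefixes to the code
    returned; the most specific matching prefix wins, None means NXDOMAIN."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, code in zone_data.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, code)
    return best[1] if best else None


def describe(ip, zone_data):
    code = lookup(ip, zone_data)
    if code is None:
        return f"{dnsbl_query_name(ip)} -> NXDOMAIN (not listed)"
    return f"{dnsbl_query_name(ip)} -> {code} ({SPAMHAUS_CODES.get(code, 'unknown code')})"


def affected_customers(customer_ips, zone_data):
    """Which of an upstream's customers would have mail refused under this zone."""
    return [ip for ip in customer_ips if lookup(ip, zone_data) is not None]


# Constructed zone contents: one spam source, then the escalation where the
# upstream's whole customer range is listed (documentation prefixes only).
ZONE_BEFORE = {"203.0.113.7/32": "127.0.0.2"}
ZONE_AFTER = {"203.0.113.7/32": "127.0.0.2", "203.0.113.0/24": "127.0.0.2"}
CUSTOMERS = ["203.0.113.7", "203.0.113.25", "203.0.113.200", "198.51.100.5"]

if __name__ == "__main__":
    for ip in CUSTOMERS:
        print(describe(ip, ZONE_AFTER))
    print("refused before:", affected_customers(CUSTOMERS, ZONE_BEFORE))
    print("refused after:", affected_customers(CUSTOMERS, ZONE_AFTER))
```

The point for an operator is that the zone answers per address, so nothing distinguishes a customer caught inside a /24 listing from the spammer at the /32; every MTA that honours the list treats them alike, which is exactly the leverage the escalation relies on.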

Several years ago, Spamhaus used similar tactics when it put Austrian Registry Nic.at on its block list. Spamhaus demanded that the Austrian Registry delete 15 domains that the spam-blockers considered to be used by phishers, without providing enough evidence to satisfy Nic.at. Nic.at responded that — because of Austrian law — it could not simply delete domains without proof of bogus WHOIS addresses.

A2B director Erik Bais told Webwereld: “I will certainly raise this issue at the next RIPE [Réseaux IP Européens, or European IP Networks] meeting.”

Spamhaus’s Steve Linford said: “To say that an SBL listing amounts to extortion is the same as being refused entry to a restaurant because you’re not properly dressed, and then claiming that you are being blackmailed.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/13/dutch_isp_accuses_spamhaus/

Peer-to-peer update makes ZeuS botnets harder to take down

A new strain of the ZeuS crimeware toolkit comes with a peer-to-peer design that lets infected machines bypass centralized servers when receiving updates and marching orders from operators, a researcher said.

The update to a custom-built ZeuS variant known as Murofet could make it harder for white-hat hackers and law-enforcement agents to disrupt botnets by eliminating the centralized command and control servers they infiltrate or shut down, said the researcher behind ZeuS Tracker, which monitors botnet communications. The researcher, who asked that his name not be included in this article, recently counted machines from more than 100,000 unique IP addresses infected by the custom build.

Zombies under the control of Murofet come with an initial list of IP addresses to query. They send UDP packets to those destinations over high-numbered ports and wait for fellow bots to respond with additional addresses that are also a part of the p2p network.

If the remote node is running a more recent version of the bot software, it updates the other machine over a TCP connection. The p2p feature was added around the same time the malware scaled back its reliance on a domain generation algorithm (DGA), which let bots compute and connect to custom-registered domain names on specific dates.

The new capability gives the ZeuS offshoot p2p capabilities similar to those that Waledac, TDL-4, and other botnets have boasted for years. Given the many other advanced features ZeuS offers, it is surprising it didn’t add this years ago.

The new architecture means Murofet no longer uses a static URL to download binary updates and configuration files, and that is likely to make the job of some researchers harder. But despite the new design, the ZeuS malware remains vulnerable, because it still relies on a central domain and falls back on the domain generation algorithm if connections to both the main command server and the p2p drones are lost.
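The DGA fallback is the part a tracker can still get a grip on, and the reason is easier to see in code. The example below is added here and is not Murofet's algorithm (which the article does not describe); it is a generic date-seeded DGA of the kind the paragraph refers to, with a hypothetical seed, plus the two things done with it: the bot walking the day's list until a name resolves, and a tracker precomputing the lists so it can watch, register or sinkhole the names before the operator does. The resolver is injected as a dictionary of constructed registrations so the example runs offline.

```python
import datetime
import hashlib

TLDS = ("com", "net", "org", "info", "biz")


def daily_domains(day, count=20, seed=b"example-seed"):
    """Hypothetical date-seeded DGA: hash(seed, date, index) -> one candidate
    domain, so bot and operator derive the same list without talking."""
    domains = []
    for index in range(count):
        material = seed + day.strftime("%Y%m%d").encode() + bytes([index])
        digest = hashlib.md5(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def rendezvous(day, resolver, **kwargs):
    """Bot-side fallback: try the day's candidates in order and use the first
    one that resolves. `resolver(domain)` returns an address or None."""
    for domain in daily_domains(day, **kwargs):
        addr = resolver(domain)
        if addr:
            return domain, addr
    return None


def precompute(start, days, **kwargs):
    """Tracker-side: with the algorithm reversed, enumerate future rendezvous
    names so they can be monitored or registered ahead of the operator."""
    table = {}
    for n in range(days):
        day = start + datetime.timedelta(days=n)
        table[day.isoformat()] = daily_domains(day, **kwargs)
    return table


# Constructed registrations for the day of the article. The operator registers
# the third candidate; a tracker that precomputed the list registers the first,
# which every bot on that day tries before reaching the operator's name.
DAY = datetime.date(2011, 10, 13)
OPERATOR_ONLY = {daily_domains(DAY)[2]: "198.51.100.77"}
WITH_SINKHOLE = dict(OPERATOR_ONLY, **{daily_domains(DAY)[0]: "192.0.2.1"})

if __name__ == "__main__":
    print("bot reaches operator:", rendezvous(DAY, OPERATOR_ONLY.get))
    print("bot reaches sinkhole:", rendezvous(DAY, WITH_SINKHOLE.get))
    for date, names in precompute(DAY, 3).items():
        print(date, names[:3], "...")
```

The ordering matters: because a bot tries candidates in a fixed order, whoever holds the earliest resolvable name for a given day wins that day's bots, which is why a reversed DGA is such a strong position for a tracker and why a p2p layer that removes the dependency on it is a real loss.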

“Its not impossible to track it, but its more difficult than before,” the researcher told The Register over instant messenger. “I would say it makes tracking of ZeuS just more complicated but its not *the new super trojan*.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/13/zeus_botnet_p2p/

Man charged in nude celebrity hacking case

A Florida man hacked into the email accounts of actresses Scarlett Johansson and Mila Kunis, and as many as 50 other celebrities and made off with nude photos, movie scripts, and other personal information, federal prosecutors said.

Christopher Chaney, 35, of Jacksonville, Florida, obtained personal information about his victims and used it to breach the email accounts of more than 50 individuals, federal prosecutors alleged in a criminal indictment unsealed on Wednesday. After Chaney accessed the accounts hosted by Apple, Google and Yahoo, he activated their forwarding feature, allowing him to transfer new messages “instantaneously” to a separate account he controlled.

Other celebrities allegedly targeted by Chaney included pop singer Christina Aguilera, actress Renee Olstead, and fashion designer Simone Harouche.

The 26-count indictment comes four weeks after partially nude photos of Johansson appeared online. One of the pictures showed the actress, who starred in films including “Lost in Translation” and “Vicky Cristina Barcelona,” reflected in a mirror wearing only a towel. A separate image showed her topless. At a press conference on Wednesday, FBI officials said the leaked pictures were connected to the case involving Chaney.

Prosecutors didn’t say exactly how Chaney broke into the email accounts, but the use of victims’ personal information has long been a favorite technique to gain access to their sensitive data stored online.

In 2008, the son of a Democratic state representative from Tennessee used publicly available information to breach the Yahoo Mail account of then vice presidential candidate Sarah Palin, for which he was later jailed. It took David Kernell less than 45 minutes to search the web for Palin’s birth date, zip code, and the location where she met her spouse. That was all the information he needed to reset the password for Palin’s account.

There’s no evidence that Chaney worked on behalf of any of the websites that published any of the pictures or other information stolen from the celebrities accounts. That would appear to set the case apart from the cellphone hacking scandal that has rocked Rupert Murdoch’s News Corp.

The indictment explicitly names Johansson, Kunis, Aguilera, Olstead, and Harouche as victims and references six other victims only by their first and last initials. They are: B.P., J.A., L.B., L.S., D.F., and B.G. Over the past few years, reports have claimed that numerous celebrities have had online accounts compromised. It is unclear whether any of those hacks are related to Chaney.

If convicted, Chaney faces a maximum sentence of 121 years in federal prison. He was arrested without incident by FBI agents in Florida. The charges stem from an 11-month investigation dubbed “Operation Hackerazzi.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/12/scarlett_johansson_hacker_charged/

German states defend use of ‘Federal Trojan’

Five German states have admitted using a controversial backdoor Trojan to spy on criminal suspects.

Samples of the so-called R2D2 (AKA “0zapftis”) Trojan came into the possession of the Chaos Computer Club (CCC), which published an analysis of the code last weekend.

German federal law allows the use of malware to eavesdrop on Skype conversations. But the CCC analysis suggests that the specific Trojan it wrote about is capable of a far wider range of functions than this – including establishing a backdoor on compromised machines and keystroke logging. The backdoor creates a means for third parties to hijack compromised machines, while the lack of encryption creates a mechanism for miscreants to plant false evidence. The CCC slams the code as being both “amateurishly written” and illegal.

Although the Federal police denied using this specific Trojan, at least five German states – Baden-Württemberg, Brandenburg, Schleswig-Holstein, Bavaria and Lower Saxony – have admitted that local police have used the spyware, Deutsche Welle reports. The so-called “Bundestrojaner” (Federal Trojan) has been used in criminal cases, some involving drug investigations, for around two years.

Local government officials said the Trojan was used within the law, contrary to CCC’s claims. Bavarian Interior Minister Joachim Herrmann said local authorities had acted within the law but nonetheless offered to review the use of the technology.

Justice Minister Sabine Leutheusser-Schnarrenberger said that federal and state governments ought to mount a joint investigation into the technology. The sample of the Trojan obtained by the CCC was apparently placed on a suspect’s laptop when he passed through customs at Munich International Airport. German lawyer Patrick Schladt, the defence lawyer in the case, handed over the laptop to the CCC with the permission of his client.

Documents leaked via WikiLeaks suggest that the German Customs Investigation Bureau purchased surveillance services from German software developer DigiTask valued at more than €2m. The same set of documents suggests that DigiTask develops a commercial Trojan intended for law enforcement called Skype Capture Unit. This is significant because the installer file uses the filename scuinst.exe, short for Skype Capture Unit Installer.

Net security firm F-Secure has not seen the Trojan in the wild, but it has seen the installer file numerous times since December 2010, because the installer was submitted to VirusTotal multiple times. VirusTotal analyses suspicious files with multiple antivirus engines and shares uploaded files with participating security firms, so whoever uploaded the installer either cared little about keeping the technology secret, and therefore effective for longer, or was incompetent, as F-Secure notes.

Net security firm Sophos has put together a well-written and comprehensive FAQ on the R2D2 (AKA “0zapftis”) Trojan. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/12/bundestrojaner/

MS wipes out 23 flaws in October’s Patch Tuesday

As foreshadowed last week, this month’s round of Microsoft patches focuses on critical vulnerabilities in Internet Explorer, .NET and Silverlight.

The IE patch covers eight vulnerabilities that reach all the way up to remote code execution from malicious web pages, and has to be applied to all supported versions from IE6 to IE9. Microsoft’s Jerry Bryant says in the accompanying video that “we are not aware of any attempts to exploit these issues”.

Silverlight and the .NET framework are also vulnerable to remote code-execution from a malicious page – for client systems, via Silverlight or an XAML-capable browser. “Further the issue may allow for code execution on IIS Web servers, if an attacker can upload ASP.NET applications,” Bryant says in the video.

There are two “deployment priority two” patches. One, covering Windows XP and Windows Server 2003, addresses a privilege-escalation issue, the other plugs a remote code execution hole in kernel-mode drivers.

Lower down on the priority list are patches for three remote code execution vulnerabilities in Active Accessibility, Media Center and Forefront UAG respectively, and a patch for a denial-of-service vulnerability in Host Integration Server.

The Media Center and Active Accessibility vulnerabilities both require users to be persuaded to open legitimate files that reside in the same directory as a specially crafted DLL (the DLL-preloading, or binary-planting, pattern), while the Forefront UAG flaw would depend on persuading users to visit a crafted URL.
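Why opening a legitimate file next to a planted DLL is enough comes down to the loader's search order, which the example below models. It is added here and is not Microsoft's loader nor code from the bulletins: a simplified model of the documented order (application directory, then the system directories, then the current working directory, then PATH, with SafeDllSearchMode on; CWD moves up to second place with it off), applied to a constructed in-memory filesystem. Application and share paths, the DLL names and the viewer program are all hypothetical. KnownDLLs, manifests and redirection are deliberately left out.

```python
# Simplified model of the Windows DLL search order for a DLL referenced by name only.
# Illustrative code written for this note; the filesystem below is constructed.
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]


def search_order(app_dir, cwd, path_dirs, safe_search=True, cwd_removed=False):
    """Directories the loader consults, in order. `safe_search` models
    SafeDllSearchMode (default on since XP SP2); `cwd_removed` models an
    application calling SetDllDirectory("") or the CWDIllegalInDllSearch fix,
    both of which take the working directory out of the search entirely."""
    order = [app_dir]
    if not safe_search:
        order.append(cwd)
    order.extend(SYSTEM_DIRS)
    if safe_search:
        order.append(cwd)
    order.extend(path_dirs)
    if cwd_removed:
        order = [d for d in order if d != cwd]
    return order


def resolve_dll(name, fs, **kwargs):
    """First path in the search order that exists in `fs` (a set of lowercased
    full paths), or None if the DLL is not found anywhere."""
    for directory in search_order(**kwargs):
        candidate = f"{directory}\\{name}"
        if candidate.lower() in fs:
            return candidate
    return None


# Constructed scenario: a viewer opened from Explorer on a document in a network
# share, so the share becomes the process's working directory. The viewer
# references helper.dll, which ships nowhere on this machine (the classic
# vulnerable pattern), and dwmapi.dll, which does exist in System32. The
# attacker has planted both names next to the document.
APP_DIR = r"C:\Program Files\Viewer"
SHARE = r"\\fileserver\share"
PATH_DIRS = [r"C:\Windows\System32", r"C:\Windows"]
FS = {p.lower() for p in [
    r"C:\Program Files\Viewer\viewer.exe",
    r"C:\Windows\System32\dwmapi.dll",
    r"\\fileserver\share\report.mcl",
    r"\\fileserver\share\helper.dll",
    r"\\fileserver\share\dwmapi.dll",
]}

if __name__ == "__main__":
    common = dict(app_dir=APP_DIR, cwd=SHARE, path_dirs=PATH_DIRS)
    print("helper.dll, safe search:     ", resolve_dll("helper.dll", FS, **common))
    print("helper.dll, CWD removed:     ", resolve_dll("helper.dll", FS, cwd_removed=True, **common))
    print("dwmapi.dll, safe search:     ", resolve_dll("dwmapi.dll", FS, **common))
    print("dwmapi.dll, safe search off: ", resolve_dll("dwmapi.dll", FS, safe_search=False, **common))
```

The two outcomes worth noting: a DLL the application loads by name but does not ship is picked up from the document's directory even with safe search on, so the only fixes are loading by full path or removing CWD from the search; and with SafeDllSearchMode off, even a DLL that genuinely lives in System32 is shadowed by the planted copy, which is the reason that mode defaults to on.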

More details are in the Microsoft Security Bulletin summary for October 2011. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/12/patch_tuesday_october_2011/

Gulf scheme reveals BlackBerry SWP tap-cash support

MasterCard has announced it will be deploying PayPass in BlackBerrys in the United Arab Emirates, showing RIM’s support for the Single Wire Protocol in the process.

It isn’t clear which RIM handsets will be able to use the system, which will allow Etisalat customers within UAE to pay for goods with a tap of the phone. But given Oberthur Technologies’ statement that the secure element will go in the SIM, it is clear that RIM has acceded to the demands of network operators and decided to support the SWP in its handsets.

RIM has been very cagey about the Near Field Communication capabilities of its latest handsets, pushing the exchange of business cards and the hosting of corporate IDs rather than proximity payment systems. We’ve asked the question directly, several times, but received no useful reply from RIM. The company has, however, been under pressure from network operators to support secure elements in SIMs, and this announcement seems to confirm that the pressure has worked.

Proximity payments require two components: the radio connection between the handset/card and the reader, and a secure element hosting the application which authenticates the transaction. The NFC standard says a lot about the radio, but purposefully says nothing about where the secure element should go, or who has control over it.

Network operators would like the secure element to go into the SIM, but that requires handsets supporting the Single Wire Protocol (SWP). Operators have been badgering RIM to support the SWP after it seemed clear that the Canadian company would instead decide to place a secure element of its own in the handsets.

The solution, as pioneered by Google, is to support two secure elements: an embedded element under the control of the manufacturer, and an SWP connection to appease the network operator. In RIM’s case the embedded element can provide door-locking and P2P connections, as well as being available in case RIM ever decides to host proximity payment services.

But in the UAE the BlackBerry service will be hosted by Etisalat, using SIMs from Oberthur and running MasterCard’s PayPass application to connect to Network International’s payment processing service.

Sadly NFC Times puts the number of PayPass terminals in UAE at 700. Despite all that effort, it is hard to believe the service will be widely adopted. MasterCard prefers to quote the global figure of 341,000, and certainly deployments in Europe and the USA are forging ahead, so the fact that BlackBerry handsets support the SWP, and thus other SIM-hosted payment systems, is perhaps the more important story here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/10/12/rim_nfc_payments/