STE WILLIAMS

Bank emails punters asking for their, er, email address

A number of Cahoot customers were left mildly confused this week when they received an email from the bank asking them to confirm their, er, email address.

The missive invited customers to “log in to your personal homepage at cahoot.com and select ‘change my details’ to check your information is correct”.

Apart from the obvious concern that most people would have – that the email was a phishing attempt – it also seems rather futile, as customers who had changed email address would not receive the message and it would be irrelevant to those still using the current address.

Cahoot, which is the internet division of Santander UK, told El Reg that the email aimed to check that people still wanted to use the same address in connection with their account. The bank added that it would have contacted those customers whose email bounced back through some other means.

“A legitimate communication was issued from Cahoot this week asking customers to confirm that their email address was correct. In order to do this, they would have needed to log into their account,” a Cahoot spokesperson said in a hastily drafted statement.

“Cahoot, like all other banks, would never send a customer an email asking them to enter, reconfirm or change their security details such as account numbers. We apologise for any confusion this may have caused. It is essential that internet banking customers remain vigilant at all times. Cahoot has robust security measures which it constantly reviews to ensure customers remain protected at all times,” the bank added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/30/unusual_verification_process_causes_confusion/

Qualys endorses alternative to crappy SSL system

San Francisco-based security firm Qualys is throwing its support behind an experimental project designed to improve the security and privacy of website authentication by reducing reliance on certificate authorities that issue secure sockets layer credentials.

The Convergence project was devised by Moxie Marlinspike, a security researcher who has exposed repeated flaws in the SSL system that serves as the internet’s foundation of trust. At the Qualys Security Conference in San Francisco on Thursday, the company said it was financing and running two new notary servers that Convergence users query to make sure the SSL certificate being offered by a given site is legitimate.

Most of the weaknesses Marlinspike has documented stem from the unwieldy number of organizations – about 650 by his count – authorized to cryptographically sign the certificates that PayPal, Gmail, and millions of other services use to prove their https-appended websites are authentic rather than easily forged counterfeits. With so many digital stamps, there are too many single points of trust. All it takes to subvert the system is for one of them to suffer a security breach like the one that hit Netherlands-based DigiNotar.

In stark contrast to the public key infrastructure at the heart of the SSL system, Convergence relies on a loose confederation of notaries that independently vouch for the authenticity of a given SSL certificate. Thursday’s announcement by Qualys that it will run two of the servers is an important endorsement of the alternative project.

“Qualys running the notaries is a huge help and a step in the right direction,” Marlinspike said.

The move comes three weeks after Google developer Adam Langley said his team had no plans to fortify their Chrome browser with the crowd-sourcing technology. He cited a variety of practical considerations, including the technical strain Convergence would put on notaries, and the risk of Chrome breaking if they failed to keep up with the demand.

Qualys Director of Engineering Ivan Ristic said Langley’s concerns were “perfectly valid,” but added that alternative approaches could easily break the potential bottlenecks the Google researcher envisioned. One possibility, he said, is to set up thousands of notaries that operate in a peer-to-peer fashion to balance the load.

“The challenge with Convergence is to get it into a state where you can use it without knowing it,” he said. “We need to figure out the mechanisms so it just works.”

A peer-to-peer design that distributes the load among huge numbers of notaries wasn’t the precise blueprint Marlinspike envisioned when he proposed Convergence in April. One of the key benefits of the system was a “trust agility” that allows users to query specific notaries they trust.

Another advantage of Convergence is its use of two separate notaries that, for privacy reasons, are intentionally kept in the dark when vouching for a certificate. One notary gets to see the IP address of the Convergence user but not the SSL certificate she wants validated. The other one sees the certificate but not the IP address.

The design is intended to remedy a fundamental weakness of the current system, which allows certificate authorities to track huge numbers of individual requests for SSL-protected websites. This shortcoming was brought home in the aftermath of the DigiNotar breach, when it was revealed the CA logged the time and IP address for more than 300,000 IP addresses exposed to a counterfeit Google.com certificate.

So far, Convergence is made up of about 50 notaries. It works only on the Firefox browser running an add-on. Ristic has more about the new notaries here. ®
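The design sketched above (independent notaries, the user's own choice of which to trust, and a threshold rather than a single point of trust) can be made concrete. The following is an added example and is not Convergence's own client or notary code: it simulates notaries that have each observed a fingerprint for a host, lets the user pick which notaries to consult, and applies a consensus/majority/minority policy while failing closed when too few notaries answer. The host name, the stand-in certificate bytes and the notary names are constructed for the example; the SHA-1 colon-hex fingerprint is the common format of the period, and the real notary wire protocol and the IP-hiding bounce through a second notary are not reproduced.

```python
"""Added example: a Convergence-style trust decision made client-side from notary votes."""
import hashlib
from typing import Dict, List, Set


def fingerprint(cert_der: bytes) -> str:
    """Colon-separated SHA-1 hex of a DER certificate, the fingerprint format browsers
    displayed at the time. Convergence's signed JSON notary responses are not modelled."""
    hexdigest = hashlib.sha1(cert_der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


class Notary:
    """Simulated notary. A real notary connects to the host itself and compares what it
    sees with the fingerprint the client sent; here `observed` stands in for what it saw.
    reachable=False models a notary that is down or overloaded (Langley's load concern)."""

    def __init__(self, name: str, observed: Dict[str, Set[str]], reachable: bool = True) -> None:
        self.name = name
        self.observed = observed
        self.reachable = reachable

    def vouch(self, host: str, fp: str) -> bool:
        if not self.reachable:
            raise ConnectionError(f"notary {self.name} unreachable")
        return fp in self.observed.get(host, set())


def convergence_check(host: str, cert_der: bytes, notaries: List[Notary],
                      mode: str = "majority", min_answers: int = 1) -> bool:
    """Decide whether the certificate `host` presented should be trusted.

    mode 'consensus': every notary that answered must have seen this fingerprint.
    mode 'majority' : more than half of the answering notaries must have seen it.
    mode 'minority' : at least one answering notary must have seen it.
    Unreachable notaries are ignored; with fewer than min_answers answers we fail closed.
    """
    fp = fingerprint(cert_der)
    yes = no = 0
    for notary in notaries:
        try:
            if notary.vouch(host, fp):
                yes += 1
            else:
                no += 1
        except ConnectionError:
            continue            # a dead notary neither vouches nor vetoes
    answered = yes + no
    if answered < min_answers:
        return False
    if mode == "consensus":
        return yes > 0 and no == 0
    if mode == "majority":
        return yes * 2 > answered
    if mode == "minority":
        return yes >= 1
    raise ValueError(f"unknown verification mode {mode!r}")


# Constructed sample data: these byte strings stand in for DER certificates and are not real.
HOST = "mail.example.com"
GENUINE_DER = b"constructed stand-in for the site's real certificate (not real DER)"
FORGED_DER = b"constructed stand-in for a certificate minted by a breached CA (not real DER)"


def demo_notaries() -> List[Notary]:
    genuine, forged = fingerprint(GENUINE_DER), fingerprint(FORGED_DER)
    return [
        Notary("notary-a", {HOST: {genuine}}),
        Notary("notary-b", {HOST: {genuine}}),
        Notary("rogue-c", {HOST: {forged}}),              # compromised or lying notary
        Notary("notary-d", {HOST: {genuine}}, reachable=False),
    ]


if __name__ == "__main__":
    ns = demo_notaries()
    print("genuine, majority :", convergence_check(HOST, GENUINE_DER, ns))
    print("forged,  majority :", convergence_check(HOST, FORGED_DER, ns))
    print("forged,  minority :", convergence_check(HOST, FORGED_DER, ns, mode="minority"))
    print("genuine, consensus:", convergence_check(HOST, GENUINE_DER, ns, mode="consensus"))
    print("user drops rogue-c:", convergence_check(HOST, GENUINE_DER, ns[:2], mode="consensus"))
```

The last two calls show the trust-agility point in miniature: one rogue notary is enough to break a consensus policy, but the user can simply stop consulting it, which is the recourse the CA system does not offer.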

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/30/qualys_endorses_convergence/

Chinese fuzz bust faux iPhone racket

Police in Shanghai have arrested five suspects in a phony iPhone case that is thought to have netted over three quarters of a million dollars.

According to the Shanghai Daily, police raided an underground workshop in July in the city’s Zhabei district, not far from the Shanghai Multimedia Valley technology zone, and found that the gang was assembling iPhones using some of the components used in authorized handsets. When shown the finished product, Apple engineers said that “it’s really hard for customers to distinguish the fake ones from the genuine ones.”

The raid netted 200 of the faux iPhones, together with around 5,000 components, which would either be assembled onsite or farmed out to freelance assemblers who worked from home. The finished products were sold online and via illegal market stalls by the gang, which was headed by a local man named Dong.

The phony iPhones actually worked properly, the report notes, albeit with a reduced battery life. Because they used proper components, they cost around 2,000 yuan to make, and they were sold for around 4,000 yuan, slightly less than the cost of a proper iPhone.

“The cell phones sell well with more than 30 … sold in one day,” officers said.

Demand for Apple products among China’s emerging middle class is huge, so much so that analysts have speculated that Cupertino will release a cut-down version for the Middle Kingdom. Earlier this year there was also concern that Chinese entrepreneurs were running entirely fake Apple stores, although it seems these may simply have been resellers. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/29/chinese_police_bust_faux_iphone/

Sony was a victim as well: Australian privacy watchdog

Victims of the Sony Playstation Network hack included Sony, according to Australian Privacy Commissioner Timothy Pilgrim.

His just-concluded investigation, launched in April, was designed to determine whether or not the hack compromised the personal information of Australian subscribers to the service, and the degree to which Sony was responsible for compromised information.

According to Pilgrim’s investigation, the PSN and Qriocity breaches did not breach National Privacy Principles. The two NPPs that applied in this case were NPP 2.1, which regulates the circumstances under which an organization is allowed to disclose the personal information of its customers; and NPP 4.1, which requires companies to take reasonable steps to protect personal information of their customers.

In the case of NPP 2.1, the issue of responsibility is relatively straightforward: the subscriber information gained when the network was breached wasn’t “disclosed” by Sony. “Rather, the information was accessed as a result of a sophisticated cyber-attack against the network platform,” the Commissioner’s report states.

As for NPP 4.1, Pilgrim found that just because a company like Sony has its security breached does not necessarily mean it did not take “reasonable” steps to protect information against being compromised.

Based on information provided by Sony, he has found that the company had reasonable measures in place, including “physical, network and communications security measures”, encryption of credit card information, and ISO/IEC 27001-compliant security standards.

The report does, however, underline Australia’s lack of data breach notification laws. Currently, all that exists is a set of notification guidelines, and even these do not stipulate a particular period within which breaches should be notified.

Nonetheless, Pilgrim said, “the affected individuals could have been notified earlier” than the seven days Sony Computer Entertainment Europe dithered after the attack occurred. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/30/sony_cleared_by_privacy_commissioner/

Defence firm Ultra goes cyber with AEP buy

UK-based defence conglomerate Ultra Electronics has acquired security appliance firm AEP Networks in a deal valued at up to $75m. Ultra Electronics agreed to pay $57.5m plus a further $17.5m, depending on sales figures, for the remote appliance firm.

AEP Networks specialises in SSL VPN appliances that allow workers to securely connect into corporate applications and databases without the need to install client software on every PC, thus saving money. The technology works in conjunction with remote access hardware encryption products. More recently AEP also began marketing a subscriber-based thin client virtualisation service called Cloud Protect.

Most of AEP’s 80 employees are based in Ascot, Berkshire and Hemel Hempstead, Hertfordshire. AEP also has a sales and engineering operation in New Jersey in the US. It claims 5,000 blue chip and government customers in over 60 countries.

Ultra Electronics’s main line of business is defence and aerospace, although it has a finger in many pies, including energy and transport. AEP will join Ultra’s Tactical Sonar Systems division.

The end game for most security firms is to be bought by the likes of Symantec, Cisco or Juniper. Less frequently start-ups grow to the point where an IPO is possible.

The AEP deal shows that a greater range of businesses – including those in the defence sector – are looking to expand their cyber-security capabilities, primarily because it might allow them to gain a slice of lucrative government net security contracts. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/29/ultra_buys_aep/

Firms are RUBBISH at payment security

Most retailers and other businesses are continuing to struggle with payment card industry standards, placing confidential customer data at a heightened risk of exposure as a result.

A Payment Card Industry (PCI) Compliance Report from Verizon found that just one in five (21 per cent) organisations achieved compliance during initial Payment Card Industry Data Security Standard (PCI DSS) audits. While the compliance situation has neither worsened nor improved compared to previous years, it is still “disappointing”, according to Verizon.

Compliance requirements that organisations most struggled with included protecting stored cardholder data, maintaining security policies, tracking and monitoring access, and regularly testing systems and processes, all factors directly linked to protecting cardholder data.

Failure to achieve compliance means fines and increased transaction fees from the credit card brands, but complacency, overconfidence and other factors mean that many organisations who take credit card payments are continuing to struggle to make a passing grade.

Verizon’s analysis comes from the results of more than 100 PCI Data Security Standard assessments alongside information gathered in researching Verizon’s annual studies into real-world payment card data breaches. The assessments include data from organisations based in the US, Europe and Asia.

Security researchers at Verizon argue there’s a direct correlation between data breaches and non-compliance. Breached organisations are significantly more likely not to be PCI compliant and are more likely to suffer from identity theft and fraud issues, the report concludes.

“We had hoped to see more organisations complying with the PCI standard, since we believe that compliance will ultimately improve the security posture of organisations and in all likelihood lead to fewer breaches,” said Wade Baker, director of risk intelligence, Verizon. “By reviewing this report, organisations can see where to focus their efforts and implement our recommendations for helping to accelerate PCI compliance. Our end goal is a safer credit-card environment for consumers and businesses,” he added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/29/pci_compliance_survey/

Does Gove’s webmail policy breach Data Protection Act too?

Does the use of Gmail or Hotmail by a Minister’s Private Office (in order to evade Freedom of Information (FOI) obligations) also lead to breaches in the Data Protection Act? Well, I can see how this could be the case.

The press has raised this issue only in the context of FOI. Yesterday’s Sunday Times, for example, noted that the allegations facing Michael Gove and his special adviser, Dominic Cummings, were that by using personal email accounts, they were assuming that any requested information could not be held by a public authority and therefore not subject to a FOI regime.

A spokesman for the Department for Education (DfE) has told the press that “The Cabinet Office is clear that private email accounts do not fall within the FOI Act and are not searchable by civil servants. Neither the Secretary of State nor special advisers have been asked to disclose emails sent from private accounts”.

The DfE spokesman then added: “The Permanent Secretary is satisfied that ministers and special advisers act within the law.” Despite this, the Information Commissioner has entered the fray and has said that private account emails discussing Government business could be subject to FOI requests.

Whether these emails are, or are not, subject to FOIA will no doubt be resolved in the near future. However, what I am certain about is that all these emails contain some personal data (even if the personal data is limited to email addresses) and these emails are regulated by the Data Protection Act.

Mr Gove, the Sunday Times reports, uses the username of “Mrs Blurt” in his emails. However, suppose the advisor (Dominic Cummings perhaps using the name of “Mr Blurt”) sends an email to “Mrs Blurt” or vice-versa. Now further suppose that email says the following: “Can we talk to the Whips to make sure that Joe Bloggs MP does not get on the Standing Committee that is scrutinising the Education Bill?”. (This kind of exclusion happens as MPs are usually selected for Committees by the Whips on the basis the less troublesome they are, the easier it is for Government business to get through).

Perhaps another email might go: “I have just had a meeting with Head Teacher X who publicly asked some very awkward questions about our education reforms. Just in case there are ‘future complications’, I recommend that this head teacher’s school should not be in the first wave of schools that get compulsory Academy status?”.

Could these be the sort of emails that a special advisor could send to a Minister – especially if they think the FOI regime does not apply? Well I think this is distinctly possible.

First data protection question: are these emails personal data? I think we can say: “obviously yes”. There are four data subjects: Mr Gove, Dominic Cummings (i.e. “Mr and Mrs Blurt”) and the MP or Head Teacher X. Who is the data controller? Well if it is not the Department for Education (remember, the claim is that the emails are exempt from FOIA) then it has to be Mr Gove and possibly Mr Cummings as well.

Does the personal data fall into the domestic purpose exemption in Section 36 of the DPA? Well, if there are emails that have the content described above, I suggest that this exemption is inapplicable. Do the emails impact on the MP and Head Teacher mentioned in them, so much so that they should be informed about the processing purpose via the fair processing rules? Well, I can’t see an exemption from this obligation.

Michael Gove, as an MP, has a register entry that describes his constituency casework for the purpose of “the carrying out of casework on behalf of individual constituents”. Any “personal emails” about an MP or head teacher as postulated above have nothing to do with this purpose as the data subjects are not constituents. Dominic Cummings, as of today, is not registered at all.

So we have one, possibly two, data controllers likely to be processing personal data in breach of the data protection principles: one for an unregistered purpose and the other just plain unregistered. Not only could we have FOI evasion but we are also likely to have DP evasion in addition. This means that Mr Gove has gone one better than Tony Blair: Mr Blair only disapproves of FOI.

So if the Information Commissioner finds resistance to his FOI enforcement powers, perhaps he should put his data protection hat on. After all, I think the data protection arguments are sound and failure to comply with the Commissioner’s data protection powers can be a criminal offence (unlike with FOIA).

This story originally appeared at HAWKTALK, the blog of Amberhawk Training Ltd.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/29/does_gove_email_policy_breach_data_protection_act/

Murdoch organ intrudes into readers’ private places

It’s been a few short months since Murdoch rag-for-suits the Wall Street Journal perplexed the world by releasing a flawed whistle-blower website for people wanting to leak tasty secrets to the newspaper.

Now the WSJ has tweaked its privacy policy and switched on creepy browser-tracking by default.

It brazenly confirmed yesterday: “The Wall Street Journal revised its website privacy policy on Tuesday [27 September] to allow the site to connect personally identifiable information with web-browsing data without user consent.”

Until this change, the paper had stated “it would obtain ‘express affirmative consent’ to combine personal data with ‘click stream information’ culled from the website.”

But that’s a thing of the past. It will now slurp up that information without prior consent from any visitor to the site.

Like other companies that don hard hats to mine such data online, the paper – which is owned by Rupert Murdoch’s News Corp – claimed that the rejig to its privacy policy would mean it could more readily “customise” its service for its readers.

“It is not being applied retrospectively and only applies going forward to new registered users and subscribers,” said the organ’s digital network boss Alisa Bowen.

The paper then appeared to swallow the kind of jargon adopted by various social networks and other web companies that trade in user data by claiming that the tweak “simplified” its privacy policies across its network that includes WSJ.com, Barrons.com and AllthingsD.com.

WSJ‘s own report on the changes cheerily noted that the new policy “contains expanded disclosures of online tracking techniques and contains links to opt-outs from third party tracking networks. It also adds a disclosure that it collects mobile device IDs.”

Apparently, the company plans to only share such mobile identifier data with outfits that make cash from the “internal analytics” market.

On top of that, the Journal will continue to sell its print subscriber list while keeping the online version private – at least for now.

Bowen added that the whole thing “allows us to be consistent with how we handle privacy across our network of sites, it makes our policy easier to understand and use, and it ensures our practices are consistent with the way we are evolving to better meet the needs of our users”.

So that’s alright, then! ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/29/wall_street_journal_tweaks_privacy_policy/

Anonymous hacktivists turn rapper on YouTube, iTunes

Hacktivist groups TeaMp0isoN and Anonymous have teamed up with an independent artist to release a rap song which they hope will storm the music charts.

Proceeds from the #OpCensorThis digital activism project, a collaboration between TeaMp0isoN and Lyricist Jinn, will go to the East Africa Crisis Appeal. A slick professionally produced video was released to accompany the tune, which enjoyed a delayed release via iTunes and YouTube on Wednesday.

The video features images from the London riots this summer along with satirical depictions of authority figures and corporations set alongside images of youth protest. The delivery of the rap by Lyricist Jinn is earnest and strident but more than a little on the flat side. He lacks the delivery of Eminem, the lyricism of Berkowski or the humorous edge of John Cooper Clarke that might have made the effort more interesting in its own right.

Overall it’s a credible effort, however, and certainly far superior to anything produced as a result of Symantec’s ill-starred HackisWack rap competition last year. “People need to understand that lyricist jinn is a fully independent artist with limited capabilities, listen to the lyrics and humble yourselves,” TeaMp0isoN said in comments on the YouTube video. Early reaction to the video – which has clocked up just over 4,000 views by Thursday morning – is mixed.

Although Anonymous is focusing on the ongoing Wall Street occupation protests, TeaMp0isoN is bigging up its effort to storm the chart.

“Remember to like favourite the video, so it can be featured in the music section on youtube,” TeaMp0isoN encouraged its Twitter followers.

The group previously said that any attempts by the music industry to thwart their plans will be accompanied by reprisal hack attacks. “Once this hits the charts, radio stations will by law have to play it,” the project’s manifesto stated. “If they censor the song we will attack the music industry and censor them instead.”

Some limited hacking around the release already appears to have happened. “A kashmiri hacktivist friend just defaced an indian government site in support of #OpCensorThis,” TeaMp0isoN said in apparent approval.

The hacktivists are turning to song to get their message across, something reflected in the dense lyrics of #OpCensorThis.

“I solemnly vow/To crack the wrists/Of any who wish to test the power of the hacktivists,” one section of the polemical tune states.

TeaMp0isoN is a hacktivist group and sometime rival to LulzSec, best known for its defacement of the BlackBerry Blog in the immediate aftermath of the London riots. The BlackBerry defacement threatened to reveal the addresses of RIM employees in the event that the Canadian smartphone manufacturer followed through on plans to turn over its BlackBerry Messenger logs to police investigating incidents of incitement related to the London looting. The group also hacked the far-right English Defence League website back in February. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/29/anon_rap/

Firefox devs mull dumping Java to stop BEAST attacks

Firefox developers searching for a way to protect users against a new attack that decrypts sensitive web traffic are seriously considering an update that stops the open-source browser from working with Oracle’s Java software framework.

The move, which would prevent Firefox from working with scores of popular websites and crucial enterprise tools, is one way to thwart a recently unveiled attack that decrypts traffic protected by SSL, the cryptographic protocol that millions of websites use to safeguard social security numbers and other sensitive data. In a demonstration last Friday, it took less than two minutes for researchers Thai Duong and Juliano Rizzo to wield the exploit to recover an encrypted authentication cookie used to access a PayPal user account.

Short for Browser Exploit Against SSL/TLS, BEAST combines attacker-controlled code running inside the victim’s browser with an eavesdropper on the encrypted connection. The code makes the browser send request after request in which the secret, typically a session cookie, sits at a predictable, attacker-chosen position in the data stream, while the eavesdropper exploits a long-known weakness of CBC mode in TLS 1.0 and SSL 3.0: the IV for each record is the last ciphertext block of the previous record, so anyone watching the wire knows the IV before the next record is encrypted and can confirm a guess at one plaintext byte at a time. TLS 1.1 removed the weakness with an explicit random IV per record, but that version was barely deployed. For Friday’s implementation of BEAST to work, Duong and Rizzo had to subvert a safety mechanism built into the web known as the same-origin policy, which dictates that data set by one origin can’t be read or modified by a different origin.

The researchers settled on a Java applet as their means to bypass SOP, leading Firefox developers to discuss blocking the framework in a future version of the browser.

“I recommend that we blocklist all versions of the Java Plugin,” Firefox developer Brian Smith wrote on Tuesday in a discussion on Mozilla’s online bug forum. “My understanding is that Oracle may or may not be aware of the details of the same-origin exploit. As of now, we have no ETA for a fix for the Java plugin.”

About four hours later, fellow developer Justin Scott updated the thread, writing:

“In the interest of keeping this bug updated with the latest status, this morning I asked Johnath for some help in understanding the balance between the horrible user experience this would cause and the severity/prevalence of the security issue and am waiting to hear back. We also discussed this in the Products team meeting today and definitely need better understanding of that before putting the block in place.”

On Wednesday morning, Johnath, the alias for Firefox Director of Engineering Johnathan Nightingale, weighed in: “Yeah – this is a hard call. Killing Java means disabling user functionality like facebook video chat, as well as various java-based corporate apps (I feel like Citrix uses Java, for instance?)”

He went on to say that Firefox already has a mechanism for “soft-blocking” Java that allows users to re-enable the plugin from the browser’s addons manager or in response to a dialogue box that appears in certain cases.

“Click to play or domain-specific whitelisting will provide some measure of benefit, but I suspect that enough users will whitelist, e.g., facebook that even with those mechanisms (which don’t currently exist!) in place, we’d have a lot of users potentially exposed to java weaknesses.”

The Draconian move under consideration is in stark contrast to the approach developers of Google’s Chrome browser have taken. Last week, they updated the developer and beta versions of Chrome to split each outgoing record so that its first byte travels in a record of its own. The ciphertext of that tiny record becomes the IV for the remaining data, and because the attacker cannot know it before the plaintext is chosen, BEAST’s guess-verification step no longer works. The change adds no new randomness to the protocol; it takes away the attacker’s advance knowledge of the IV that TLS 1.0’s chaining hands out.
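The two paragraphs above describe the mechanism and one of the fixes; the following is an added example that models both and is not code from the article, from Duong and Rizzo, or from any browser. It uses a hash-based stand-in for the block cipher (labelled as such in the code) so it runs with the standard library alone, omits the MAC and padding of real TLS records, and does not reproduce the Java-applet same-origin bypass: the attacker is simply given the ability to make the victim encrypt chosen bytes and to read the ciphertext. As the countermeasure it models the TLS 1.1 explicit per-record IV rather than Chrome’s record splitting; both deny the attacker advance knowledge of the IV, which is what makes the guess check below fail. The key and cookie values are constructed.

```python
"""Added example: byte-at-a-time recovery against chained CBC IVs (the BEAST core)."""
import hashlib
import os
from typing import Optional

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 block encryption: keyed and deterministic, which is all
    the attack relies on. It is NOT a real cipher and is never used to decrypt."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


class CbcChannel:
    """Victim side of a CBC record layer (MAC and padding omitted for clarity).

    explicit_iv=False models TLS 1.0: each record's IV is the last ciphertext block
    of the previous record, so anyone watching the wire knows the next IV in advance.
    explicit_iv=True models the TLS 1.1 fix: a fresh random IV for every record.
    """

    def __init__(self, key: bytes, secret: bytes, explicit_iv: bool) -> None:
        self.key = key
        self.secret = secret            # e.g. an auth cookie sent on every request
        self.explicit_iv = explicit_iv
        self.chain = os.urandom(BLOCK)

    def encrypt_record(self, plaintext: bytes) -> bytes:
        """Returns ciphertext blocks only. (TLS 1.1's explicit IV does travel on the
        wire, but it is useless to BEAST because it is unknown until after the
        plaintext has been chosen.)"""
        if len(plaintext) % BLOCK:
            raise ValueError("example keeps records block-aligned")
        prev = os.urandom(BLOCK) if self.explicit_iv else self.chain
        out = []
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, xor(plaintext[i:i + BLOCK], prev))
            out.append(prev)
        self.chain = prev
        return b"".join(out)

    def request(self, prefix: bytes) -> bytes:
        """The browser sends an attacker-chosen prefix (think URL path) followed by
        the secret; zero filler pads the record to whole blocks."""
        body = prefix + self.secret
        body += b"\x00" * (-len(body) % BLOCK)
        return self.encrypt_record(body)


def beast_recover(victim: CbcChannel, secret_len: int) -> Optional[bytes]:
    """Attacker: can make the victim send chosen plaintext and can read ciphertext
    off the wire, but has no key. Returns the secret, or None once a byte cannot
    be confirmed within 256 guesses (the attack has been defeated)."""
    wire_last = victim.encrypt_record(b"A" * BLOCK)[-BLOCK:]   # learn the current chain
    recovered = b""
    for idx in range(secret_len):
        # Chosen boundary: size the prefix so the target block holds 15 already
        # known bytes followed by exactly one unknown secret byte.
        pad = (BLOCK - 1 - idx) % BLOCK
        prefix = b"A" * pad
        t = (pad + idx) // BLOCK
        ct = victim.request(prefix)
        blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        c_prev = blocks[t - 1] if t > 0 else wire_last   # what was XORed into the target
        target = blocks[t]
        known15 = (prefix + recovered)[t * BLOCK:t * BLOCK + BLOCK - 1]
        wire_last = blocks[-1]
        found = None
        for g in range(256):
            guess = known15 + bytes([g])
            # The victim will compute E(p_prime XOR next_iv). If next_iv really is
            # wire_last, the cipher input equals guess XOR c_prev, exactly the input
            # that produced `target` when the guess is right.
            p_prime = xor(xor(guess, c_prev), wire_last)
            probe = victim.encrypt_record(p_prime)
            wire_last = probe[-BLOCK:]
            if probe[:BLOCK] == target:
                found = g
                break
        if found is None:
            return None
        recovered += bytes([found])
    return recovered


if __name__ == "__main__":
    key, cookie = os.urandom(16), b"auth=s3cr3t-token-xyz"      # constructed values
    print("TLS 1.0 chained IV :", beast_recover(CbcChannel(key, cookie, False), len(cookie)))
    print("TLS 1.1 explicit IV:", beast_recover(CbcChannel(key, cookie, True), len(cookie)))
```

Each recovered byte costs at most 256 victim requests, which is why the real attack needs a way to make the browser issue thousands of requests carrying the cookie; the two-minute PayPal demonstration is consistent with that budget. With the explicit IV the probe ciphertext never matches, so the first byte already fails and the function returns None.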

The update has created incompatibilities between Chrome and at least some websites, as this Chromium bug report shows. Google has yet to push out the update to the vast majority of Chrome users who rely on the stable version of the browser.

Microsoft, meanwhile, has recommended that users apply several workaround fixes while it develops a permanent patch. The company hasn’t outlined the approach it plans to take.

The prospect of Firefox no longer working with Java could cause a variety of serious problems for users, particularly those in large corporations and government organizations that rely on the framework to make their browsers work with virtual private networks, intranet tools, and web-conferencing applications such as Cisco Systems’ WebEx.

Presumably, Java would be killed by adding the plugin to Mozilla’s add-on blocklist under its Blocklisting Policy.

“Whatever decision we make here, I really hope Oracle gets an update of their own out,” Nightingale wrote. “It’s the only way to keep their users affirmatively safe.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/29/firefox_killing_java/