STE WILLIAMS

Royal rugby star bar snog CCTV upload

A man has appeared in court after allegedly uploading CCTV footage that apparently showed England rugby star Mike Tindall being kissed by a blonde woman.

Jonathan Dixon, 40, appeared at Queenstown District Court, New Zealand, according to a BBC report, accused of “accessing a computer system for a dishonest purpose”.

No plea was entered by the man, who is understood to be a bouncer at Queenstown’s Altitude bar.

It was claimed that Dixon uploaded to YouTube footage of Tindall being kissed on the head. He married the Queen’s granddaughter Zara Phillips just seven weeks ago.

The England rugby players were at the bar ahead of their World Cup game against Georgia yesterday, which the team won.

The match came after a week in which the England players had been criticised for their antics in New Zealand, including taking part in a bungee-jumping session and participating in a dwarf-throwing contest.

Dixon was told to return to court on 3 October.

He told the Dominion Post that he was disgusted with Tindall’s behaviour at the bar with the blonde woman, who is said to be an old friend of the rugby star.

“Mr Tindall, you did something really wrong, not just to your wife but to your nation,” said Dixon.

“I knew there was no chance of me ever standing in front of Tindall and giving him a piece of my mind about his conduct, so I decided to put it on YouTube so that everyone could see it and form their own opinion.”

A spokeswoman for Phillips said: “This girl in the video is an old friend of Mike and Zara and has known Mike since university days. She is English but lives in Australia and was on holiday in New Zealand. Zara is very relaxed about all this.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/19/mike_tindall_cctv_footage_blonde/

Ten years on from Nimda: Worm author still at large

Saturday marks the tenth anniversary of the infamous Nimda worm.

Nimda (admin spelled backwards) was a hybrid worm that spread via infected email attachments and across websites running vulnerable versions of Microsoft’s IIS web server software. Specifically the malware exploited a folder traversal vulnerability, which was patched by Microsoft a month after the initial outbreak on 18 September 2001.

The infuriating program infected numerous sites across the world, causing significant problems in the process largely as a result of its aggressive spreading techniques. The worm also exploited weak passwords to speed across different machines on local networks. Finally Nimda also spread using back doors left open in the wake of the Code Red II worm outbreak.

Nimda generated copious volumes of extra network traffic as it sought new machines to infect. In addition, the malware infected executables on stricken machines, further complicating the clean-up process.

Hi-tech firms including Microsoft, Dell and NTL were among the victims of Nimda. Michael Lane Thomas, a senior .NET developer evangelist, characterised the fiends behind Nimda as “industrial terrorists” in a hastily withdrawn blog post that appeared about a month after the attack.

Nimda’s network bothering came at the start of a Windows worms spate, which began with Code Red in September 2001 and rumbled on to include Slammer in January 2003, Blaster in August 2003 and Sasser in May 2004.

It’s still anybody’s guess who created Nimda or many of its viral cousins. The only malware in the group that actually resulted in an arrest was a Blaster variant, which led to the cuffing of Jeffrey Lee Parson (AKA t33kid), then 18, in late August 2003. He was eventually jailed for 18 months.

The era of high-profile noisy megaworms like Nimda has long gone. Nowadays we have to worry more about bot nets, targeted trojans and Stuxnet – the scarily devious and stealthy worm blamed for infecting industrial control systems and sabotaging machinery at an Iranian nuclear plant last year.

The lack of Nimda-style worms is in large part due to security lessons learned during the outbreaks. For instance, Microsoft turned on its firewall by default with Windows XP SP2 in August 2004. Almost all organisations block executable files attached to emails, another sensible precaution that has driven attackers to tricking victims into visiting infected websites or viewing booby-trapped PDF files.

More musings on the Nimda anniversary can be found in a blog post by Paul Ducklin of Sophos here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/17/nimda_anniversary/

Yahoo, Microsoft’s Bing display toxic ads

Search engines from Microsoft and Yahoo! have once again been caught displaying ads that direct users to malicious content, some of which infects them with malware that’s hard to detect and get rid of, researchers said.

Queries such as “FireFox Download,” “Download Skype,” and “Download Adobe Player” typed into the sites returned links promising to deliver the software requested but instead attempted to hijack people’s computers, GFI Labs researcher Christopher Boyd said in a blog post published Friday. Clicking on the links takes users to pages that look like the software maker’s official site, except for the URL.

Users who downloaded and installed the software are in for a nasty surprise.

“As an example, the fake Firefox file installs a rootkit, runs IE silently in the background attempting clickfraud and also performs Google redirects,” Boyd wrote. Microsoft and Yahoo were in the process of removing the malicious ads, he said.

It’s not the first time widely used search engines have been caught displaying ads intended to harm their millions of users. Ad services used by Google and Yahoo have repeatedly been duped into serving content that punts malware and other threats.

Criminals often go to elaborate lengths to pose as legitimate marketers in an attempt to get links to their toxic wares in front of as many eyeballs as possible.

The Reg has asked Microsoft and Yahoo to comment. This article will be updated if either responds. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/16/bing_yahoo_malware_ads/

PayPal’s ‘delightful’ intrusion into meatspace: You wish

Comment: PayPal reckons its mobile payment system will take us into a new way of managing our money, and PayPal into the real world of real things, but disrupting world banking ain’t that easy.

The plans, announced yesterday, made huge play of being superior to the nascent NFC-based payment systems, which require replacement phones and payment terminals. But a slightly closer look at PayPal’s offering shows that it does require replacing terminals in shops, as well as integrating the retailer’s back-end systems into PayPal’s servers, all to enable a shopping experience which is less convenient, and less secure, than we have today.

Demonstrating the system, PayPal ran through three scenarios to show just how superior PayPal’s system is. There’s a video too, for those who want to play at home.

The first scenario shows someone paying for goods without any card at all: all they do is enter a special phone number and their own PIN into a device which PayPal refers to as “the retailer’s existing payment terminal”.

Skipping over the security concerns of having a payment system that can be replicated by someone shoulder-surfing, rather than forcing them to pick your pocket too, there’s the question of when the “existing payment terminals” suddenly got support for dialling phone numbers and calling PayPal.

The vast majority of payment terminals are supplied by the banks, the model and make mandated even where not subsidised, and it’s hard to imagine the banks suddenly upgrading them all to accept PayPal.

The second scenario shows someone reading the barcode on a product to check if the garment is available in another size, and if so then where there is stock available. One might prefer to ask the staff, who’ll be needed anyway if there’s more stock out back, but PayPal reckons another branch nearby might have the stock needed and wants to let you know.

To do that the shop will, obviously, have to integrate its entire stock management system with PayPal’s service, presumably at some cost, and one has to wonder if those young things, who are needed to get the stock out anyway, couldn’t fulfil this role more cheaply.

The last example shows a chap being relieved of the burden of walking down the aisles searching for goods: he can see them on display around the entrance, scan the QR Code and his phone will show him where to find what he’s looking for. UK shoppers will recognise this as Argos in action, only with a physically-bigger catalogue and a smart phone rather than a stubby pencil. In Argos the poor chap wouldn’t even have to fetch his own barbecue, but with PayPal his phone guides him to the product just as his sat-nav guided him to the store.

He can also apply for credit, from PayPal rather than the store, but the store does get told he’s there so it can push him money-off vouchers and suchlike. Those vouchers are just about the only part of the demonstration which makes any sense – which is why such a service is already being offered by half a dozen companies.

Ultimately the success of PayPal’s venture into the real world depends on the deal it offers retailers. Online PayPal is cheaper than credit cards as it offers none of the benefits of credit-card payments, free insurance and suchlike: in the physical world the advantage of credit cards is far less clear and there is an opportunity for a cheaper alternative.

PayPal isn’t the first to suggest, or even launch, a system using mobile phones for payments. In the UK that title belongs to PayBox, who were processing restaurant bills by text message a decade ago, but that service never caught on even in its native Germany.

Contactless payment terminals are already popping up all over the place, with just about all new chip-and-PIN devices supporting NFC contactless payments these days, and the standard is gaining ground on both sides of the pond.

PayPal might have 100 million customers, but tens of millions of shoppers (in the UK alone) can already pay with a tap of the card, at a cost to the retailer of a penny (for transactions under £2, 4p for anything under a tenner). PayPal will have to undercut that to attract retailers, and get the customers to take their PayPal accounts on the road, both of which will be huge, quite possibly insurmountable, challenges. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/16/paypal_frogs/

App lets NFC BlackBerrys open electronic locks

HID Global, makers of electronic locks for everything from server keyboards to student halls, has created an app that allows NFC-equipped BlackBerrys to be used instead of ID cards.

The application will launch next year, but only runs on RIM’s Bold 9900/9930 and Curve 9350/9360 handsets, as they have the necessary NFC hardware. The app uses the same cryptography as the iClass cards already deployed, and works with the same locks. Given that quite a few of those locks are already deployed, that means many companies could very quickly replace their plastic key cards with remotely-manageable BlackBerry applications.

Being able to remotely manage a key is obviously useful where the locks themselves aren’t networked, but it should make the keys harder to lose and will also discourage employees lending keys to each other – for better or worse.

Electronic keys are one of the applications of NFC which really haven’t been much explored yet. Last week Yale announced it would be retailing an NFC-based lock for early adopters, but its ability to work with existing infrastructure makes the app from HID Global much more interesting, even if it does provide one more way for the BOFH to screw up your day. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/16/rim_nfc/

First Google Plus API released to developers

Coders can now get their hands on a single Google+ API (application programming interface).

Over time, Google will be opening up more of its platform to developers, presumably in a similar fashion to Facebook’s API – which allows third parties to build apps for the network.

“Google+ gives users full control over their information, supporting everything from intimate conversations with family to public showcases and debates,” said Google. “This initial API release is focused on public data only — it lets you read information that people have shared publicly on Google+.”

Eventually, coders will be able to squirrel their way into other parts of the Google+ estate.

By cracking open the first API for coders, Google will be hoping to extend the influence of Google+ beyond the walls of that network.

The Facebook developer platform is a model example of how to scatter a Web2.0 product across the interwebs, so it’s unsurprising to see Google+, which is still in a rather big test-field mode with around 30 million people said to be plugging in, going down the same route.

Google mentioned the ability for coders to include rich sharing, identity, and conversations in their apps, so presumably APIs for those methods will be added soon. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/16/google_plus_api/

Spanish feds mend website clobbered by Anonymous

Spanish national police have reactivated their website following attacks by hacking supergroup Anonymous.

The assault on policia.es on Thursday coincided with the publication of the names of 30 bodyguards working for Spanish prime minister Jose Rodriguez Zapatero. The hacktivists also threatened to reveal mobile phone numbers and other details of the Special Operations Group (Spain’s equivalent of Special Branch), ABC reports (en Español). It’s not immediately clear how the hacktivists got their paws on the sensitive data.

Anonymous called for the resignation of Alfredo Perez Rubalcaba, the Spanish interior minister and the Spanish socialists’ prime ministerial candidate for the November 2011 general election in Spain, over his alleged mistreatment of austerity demo suspects, Movement 15-M.

In June, Anonymous propelled a series of denial of service attacks against the policia.es website in a protest over the arrest of three alleged ringleaders of the activist group.

In other hacktivist news, Anonymous is planning to occupy Wall Street, starting on 17 September. The peaceful protest campaign was inspired by the Arab Spring uprisings, and protests in Spain and Greece against austerity measures.

Aside from expressing anger at the influence of major corporations on the government and demanding a “plurality of voices” in forming political policies, it’s unclear what the objectives of the protestors might be. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/16/spain_police_hacktivism_attack/

‘Leaked’ FBI Anonymous/LulzSec psych profile is bogus

Supposed psychological profiles of senior members of hacking horde Anonymous are almost certainly a work of fiction.

The bogus paperwork created a buzz last week when it showed up on Tugaleaks. Allegedly written by the FBI’s Behavioural Science Unit, the profiles suggested that LulzSec kingpin Sabu is a narcissistic nihilist who is married and works in the tech sector.

Fellow member Kayla, who poses as a young female online, was said to be a bloke in his early 20s who was possibly abused as a child and is likely to be a drug user.

The characterisation of arrested former Anonymous member Topiary as “cannon fodder for law enforcement” provides the strongest clue that the supposed documents are an elaborate wind-up or attempt at misinformation. In addition, the spelling and grammatical mistakes in the documents are out of place in an official dossier of this type.

Although convincing at first sight, the profiles appear to have been put together using snippets of publicly available information from news reports and other sources. Whistle-blowing site Cryptome.org is convinced the whole thing is an elaborate hoax.

“The FBI psychological profiles of Anonymous leadership is a joke. Pretty well done but not convincing if read carefully,” it concludes.

The FBI itself has denied producing the supposed document and suggested Anonymous itself cooked up the fake profiles as an elaborate joke, Kaspersky Labs news service Threatpost reports. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/16/anon_fbi_profile_fakery/

How gizmo maker’s hack outflanked copyright trolls

When the master encryption key locking down millions of Blu-ray players and set-top boxes was mysteriously leaked last year, Hollywood moguls worried their precious high-definition movies would face a new flurry of piracy.

Instead, it spawned the Chumby NeTV, a tiny, Wi-Fi-connected box that sits between a television and a set-top box or DVD player so email alerts, Tweets and other internet content are scrolled across the bottom of the screen – all without interrupting the flow of the video.

Making the NeTV break into the encrypted video stream passing through an HDMI cable required the elite hacking skills of Bunnie Huang, an engineer and co-founder of Chumby, the maker of net-connected alarm clocks that display weather forecasts, news headlines, and other internet content. Using the leaked master key at the heart of the HDCP, or high definition content protection encryption, scheme to modify the content was clever enough. Doing it without violating draconian copyright laws was nothing short of brilliant.

[Picture: The Chumby NeTV in all its glory]

That’s because HDCP was created by Intel for the express purpose of thwarting piracy by restricting access to video passing between set-top boxes and TVs. It establishes a secret key that’s unique to each pair of devices, creating a barrier for would-be pirates out to capture and copy the high-definition content. Tampering with this scheme runs the risk of violating the Digital Millennium Copyright Act, a law that carries stiff criminal and civil penalties for circumventing technology intended to prevent access to copyrighted material.

Ignorance is bliss

Faced with the challenge of crashing the party that only HDCP-compliant devices can join without running afoul of the DMCA, Huang employed the leaked master key in a way that allows the Chumby NeTV to use the shared secret key to inject Tweets and other content into the encrypted stream without decrypting the restricted video. His device intentionally remains oblivious to the protected work, a distinction he believes keeps it from violating the law’s anti-circumvention provisions.

“It’s important to note that nowhere in the pipelines is the video data decrypted,” Huang wrote in an email to The Register. “We don’t use the master key to break any locks, or circumvent any copyright protection. We use it to enable interoperability and we do so without ever decrypting the source data: encrypted pixels are just replaced with different encrypted pixels.”

Huang’s claims have been confirmed by two experts.

“What’s interesting here is that although the device does have the keys needed to do decryption, it isn’t actually doing that,” Keith Irwin, a professor of computer science at Winston-Salem State University in North Carolina, wrote in an email. “A conceptually simple means of modifying encrypted video would be to have the NeTV decrypt the video signal from the video device, modify it, then re-encrypt it. However, this isn’t what the NeTV does.”

Cryptographer Nate Lawson, who heads the Root Labs security consultancy, has analyzed the open-source code that runs the NeTV and provides an analysis here.
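The splice Huang and Irwin describe, where encrypted pixels are replaced with different encrypted pixels and nothing is decrypted, can be sketched as follows. This is an added example, not the NeTV's code: the keystream generator is a stand-in (SHA-256 in counter mode, not the HDCP cipher), and the key, frame and overlay values are constructed.

```python
import hashlib


def keystream(session_key: bytes, length: int) -> bytes:
    """Stand-in keystream (SHA-256 in counter mode); NOT the real HDCP cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(session_key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(d ^ k for d, k in zip(data, ks))


def source_encrypt(session_key: bytes, frame: bytes) -> bytes:
    """Video source: encrypt a frame with the keystream it shares with the sink."""
    return xor_bytes(frame, keystream(session_key, len(frame)))


def sink_decrypt(session_key: bytes, enc_frame: bytes) -> bytes:
    """Display: the only party that ever turns ciphertext back into pixels."""
    return xor_bytes(enc_frame, keystream(session_key, len(enc_frame)))


def inject_overlay(session_key: bytes, enc_frame: bytes,
                   offset: int, overlay: bytes) -> bytes:
    """Middlebox: encrypt only the overlay and splice it over the ciphertext.

    The incoming ciphertext is sliced and copied but never XORed with the
    keystream, so the protected video is never recovered here.
    """
    if offset < 0 or offset + len(overlay) > len(enc_frame):
        raise ValueError("overlay does not fit inside the frame")
    ks = keystream(session_key, len(enc_frame))
    enc_overlay = xor_bytes(overlay, ks[offset:offset + len(overlay)])
    return enc_frame[:offset] + enc_overlay + enc_frame[offset + len(overlay):]


def demo():
    session_key = b"constructed-session-key"   # constructed sample value
    frame = bytes(range(64))                   # constructed 64-"pixel" frame
    overlay = b"\xff" * 8                      # constructed overlay pixels
    enc = source_encrypt(session_key, frame)
    spliced = inject_overlay(session_key, enc, 48, overlay)
    shown = sink_decrypt(session_key, spliced)
    return frame, enc, spliced, shown


if __name__ == "__main__":
    frame, enc, spliced, shown = demo()
    print("untouched ciphertext preserved:", spliced[:48] == enc[:48])
    print("overlay visible at the sink:   ", shown[48:56].hex())
```

The sink decrypts the spliced frame without noticing the substitution, because a stream cipher on its own carries no integrity check on the ciphertext.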


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/16/chumby_nettv_hack/

Oz-US ANZUS treaty adds infowar co-operation

As their long-standing ANZUS treaty reaches its sixtieth birthday, Australia and America have decided to extend their co-operation into the virtual space.

According to Reuters, the decision was made in discussions between the two countries this week. The extension of the treaty would mean that a cyber-attack on either country would be considered an attack on both.

Exactly what this means in practice is less clear: practically every government with a connection to the Internet is subject to pretty much constant attack, and both Australia and America regularly accuse China and North Korea of playing host to many such attacks (China just as regularly denies any government involvement in Internet-borne attacks).

According to Reuters, it’s the first time any non-NATO defense pact has extended to the Internet. US Defence Secretary Leon Panetta is quoted as saying “cyber is the battlefield of the future.”

Australia is also in the process of beefing up legislation applying to Internet security, with its much-criticized Cybercrime Amendment Bill working its way through the Parliamentary process. Australia’s Green Party is still seeking changes to the data retention and data destruction parts of the bill.

It’s possible that further statements about the “cyber” impacts of the treaty could be made in November, when President Obama is planning to visit Australia. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/15/cyber_crime_anzus/