STE WILLIAMS

Inside ‘Operation Black Tulip’: DigiNotar hack analysed

The Google webmail of as many as 300,000 Iranians may have been intercepted using fraudulently issued security certificates made after a hack against Dutch certificate authority outfit DigiNotar, according to the preliminary findings of an official report into the megahack.

Fox-IT, the security consultancy hired to examine the breach, reveals that DigiNotar was hacked on or around 6 June, a month before the attackers began issuing rogue certificates. Between 10 July and 20 July the attackers used their access to DigiNotar’s systems to issue 531 rogue SSL certificates for Google and other domains, including Skype, Mozilla add-ons, Microsoft Update and others. DigiNotar only began revoking rogue certificates on 19 July and waited more than a month to go public about the problem. The fake *.google.com certificate, which was valid for code-signing, wasn’t revoked until 29 July.

The compromise was used, in part, to spy on Iranian internet users, using the forged Google SSL certificate to run man-in-the-middle attacks. Fox-IT found that the vast majority of queries against DigiNotar’s OCSP servers (which browsers check to see if a certificate has been revoked) came from Iran during the attack period, unlike periods before and after the attack when the volume of such queries from Iran was negligible. Many requests not originating from Iran appear to have originated via Tor exit nodes or other proxies used by Iranians in a bid to circumvent net censorship controls.
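The OCSP pattern Fox-IT describes is something a responder operator can check in their own access logs: count status lookups per day by origin country and look for a day on which one country suddenly dominates. The script below is an added example, not Fox-IT’s tooling or anything from the report. It assumes an Apache-style combined log, a responder served under a hypothetical `/ocsp` path, and a hypothetical prefix-to-country table built from RFC 5737 documentation ranges (a real run would use a GeoIP database); the log lines are constructed sample data. Requests from addresses the table does not cover, such as Tor exits or proxies, are counted under `??` rather than dropped, since Fox-IT noted that much of the non-Iranian traffic looked like Iranians arriving via such relays.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Hypothetical prefix-to-country table (assumption). These are RFC 5737
# documentation ranges, assigned here for illustration only.
PREFIX_COUNTRY = {
    ipaddress.ip_network("192.0.2.0/24"): "IR",
    ipaddress.ip_network("198.51.100.0/24"): "NL",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}

# Assumed responder path; the real DigiNotar responder URL is not given on the page.
OCSP_PATH_PREFIX = "/ocsp"

# Combined-log prefix: client IP, ident, user, [timestamp], "METHOD path ..."
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/[A-Za-z]{3}/\d{4}):[^\]]*\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)'
)


def country_of(ip_text):
    """Map a client IP to a country code; '??' for anything the table does not cover."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "??"
    for net, cc in PREFIX_COUNTRY.items():
        if ip in net:
            return cc
    return "??"


def ocsp_requests_by_day(lines):
    """Per-day, per-country counts of OCSP lookups (GET with encoded request or POST).
    Non-OCSP hits and unparseable lines are ignored."""
    per_day = defaultdict(Counter)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not m.group("path").startswith(OCSP_PATH_PREFIX):
            continue
        per_day[m.group("day")][country_of(m.group("ip"))] += 1
    return per_day


def share_from(per_day, cc):
    """Fraction of each day's OCSP lookups attributed to country cc."""
    return {day: counts[cc] / sum(counts.values()) for day, counts in per_day.items()}


def anomalous_days(lines, cc="IR", threshold=0.5):
    """Days on which cc accounts for more than `threshold` of all OCSP lookups."""
    shares = share_from(ocsp_requests_by_day(lines), cc)
    return sorted(day for day, s in shares.items() if s > threshold)


# Constructed sample log. 05/Jul is a quiet baseline day; 15/Jul shows the
# pattern described in the text, with most lookups arriving from the IR prefix.
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Jul/2011:09:12:01 +0200] "GET /ocsp/MEowSDBGMEQw HTTP/1.1" 200 1473',
    '198.51.100.9 - - [05/Jul/2011:09:40:22 +0200] "POST /ocsp HTTP/1.1" 200 1473',
    '203.0.113.4 - - [05/Jul/2011:10:02:48 +0200] "GET /ocsp/MEowSDBGMEQw HTTP/1.1" 200 1473',
    '198.51.100.21 - - [05/Jul/2011:11:15:03 +0200] "GET /ocsp/MEowSDBGMEQw HTTP/1.1" 200 1473',
    '203.0.113.88 - - [05/Jul/2011:13:30:10 +0200] "POST /ocsp HTTP/1.1" 200 1473',
    '192.0.2.40 - - [05/Jul/2011:16:01:59 +0200] "GET /ocsp/MEowSDBGMEQw HTTP/1.1" 200 1473',
    '192.0.2.11 - - [15/Jul/2011:08:00:14 +0200] "GET /ocsp/MEowSDBGMEQw HTTP/1.1" 200 1473',
    '192.0.2.12 - - [15/Jul/2011:08:00:19 +0200] "GET /ocsp/MEowSDBGMEQw HTTP/1.1" 200 1473',
    '192.0.2.13 - - [15/Jul/2011:08:01:02 +0200] "POST /ocsp HTTP/1.1" 200 1473',
    '192.0.2.14 - - [15/Jul/2011:08:01:33 +0200] "GET /ocsp/MEowSDBGMEQw HTTP/1.1" 200 1473',
    '192.0.2.15 - - [15/Jul/2011:08:02:07 +0200] "GET /ocsp/MEowSDBGMEQw HTTP/1.1" 200 1473',
    '192.0.2.16 - - [15/Jul/2011:08:02:41 +0200] "POST /ocsp HTTP/1.1" 200 1473',
    '192.0.2.17 - - [15/Jul/2011:08:03:15 +0200] "GET /ocsp/MEowSDBGMEQw HTTP/1.1" 200 1473',
    '192.0.2.18 - - [15/Jul/2011:08:03:50 +0200] "GET /ocsp/MEowSDBGMEQw HTTP/1.1" 200 1473',
    '198.51.100.7 - - [15/Jul/2011:09:10:00 +0200] "POST /ocsp HTTP/1.1" 200 1473',
    # unmapped source, e.g. a proxy or Tor exit: counted as "??", not dropped
    '10.0.0.5 - - [15/Jul/2011:09:12:44 +0200] "GET /ocsp/MEowSDBGMEQw HTTP/1.1" 200 1473',
    # not an OCSP lookup, so it must not be counted
    '192.0.2.11 - - [15/Jul/2011:09:13:02 +0200] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for day, counts in sorted(ocsp_requests_by_day(SAMPLE_LOG).items()):
        print(day, dict(counts))
    print("anomalous:", anomalous_days(SAMPLE_LOG))
```

The threshold is deliberately crude; in practice you would compare each day's per-country share against a trailing baseline rather than a fixed 50 per cent, but the shape of the check is the same.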

The audit reveals a catalogue of security shortcomings at the small and previously obscure Dutch certificate authority that allowed the hack to take place. DigiNotar’s servers were running out-of-date software. Its network was poorly segmented, so a compromise of one host could not be contained. Passwords in use at the time of the hack could easily have been brute-forced. In addition, there was no secure logging and no server-side anti-virus protection.

DigiNotar’s shocking ineptness in securing its systems, compounded by its failure to come clean about its problems in a timely fashion, has turned the firm into a security pariah.

Fox-IT said the attackers used off-the-shelf tools such as Cain & Abel alongside a variety of custom scripts. The consultancy suggests links between the DigiNotar hack and an earlier attack on Comodo, another certificate authority, back in March.

“We found that the hackers were active for a longer period of time,” the Fox-IT report concludes. “They used both known hacker tools as well as software and scripts developed specifically for this task. Some of the software gives an amateurish impression, while some scripts, on the other hand, are very advanced. In at least one script, fingerprints from the hacker are left on purpose, which were also found in the Comodo breach investigation of March 2011. Parts of the log files, which would reveal more about the creation of the signatures, have been deleted.

“The list of domains and the fact that 99 per cent of the users are in Iran suggest that the objective of the hackers is to intercept private communications in Iran,” it adds.

Fox-IT’s investigation into what it describes as the Operation Black Tulip attacks against DigiNotar continues. Trust in all certificates issued by DigiNotar has already been revoked by many browser and operating system developers (including Microsoft, Google and Mozilla but not Apple).

A DigiNotar-controlled intermediate, operationally separate from the SSL business directly hit by the breach, had been issuing certificates as part of the Dutch government’s public key infrastructure “PKIoverheid” scheme. DigiNotar was only one of the available CAs. The Dutch government initially said that the PKIoverheid certs issued by DigiNotar were OK but has since changed its stance over the weekend and ditched DigiNotar from the programme.

In a statement issued on Tuesday in the wake of the damning Fox-IT audit, Vasco (which acquired DigiNotar in January) said the problems with its CA subsidiary had no effect on its core Digipass authentication technology.

“The integration of DigiNotar technology into Vasco’s products was planned for 2012. This means that all Vasco products in the market today are 100 per cent DigiNotar-free. Your authentication project is safe with Vasco,” the company asserted.

“Vasco does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans,” it added. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/06/diginotar_audit_damning_fail/

Everyone knew NoTW ‘rogue reporter’ bit was untrue

James Murdoch was made aware in 2008 that alleged phone-hacking practices at the News of the World went beyond “one rogue reporter”, the former legal manager of News Group Newspapers claimed to MPs today.

Tom Crone said that an email with the subject line “For Neville” was “the first piece of evidence we’d seen that showed [illegal voicemail interception] went beyond Clive Goodman”.

Goodman was the News of the World‘s royal editor. He, alongside private investigator Glenn Mulcaire, was jailed for illegal phone hacking in early 2007.

Crone told the Culture, Media and Sport committee that he didn’t make a copy of the email, nor did he ever refer to it as the “For Neville” [understood to be NotW reporter Neville Thurlbeck] email. But he insisted that James Murdoch knew about the existence of the document.

Colin Myler, the NotW‘s final editor, was also present at a 15-minute-long meeting in which it was claimed the email was discussed.

Murdoch signed off a settlement payment of £425,000 – according to a letter (3-page/152KB PDF) to the committee’s chairman John Whittingdale from a law firm acting for News Group Newspapers – to Professional Footballers’ Association boss Gordon Taylor.

Farrer & Co said Taylor had filed a damages claim against the now-defunct Sunday tabloid. The PFA boss had been seeking up to £1m from NGN, which is a subsidiary of News International.

He eventually accepted the £425,000 offer after batting away smaller proposed settlement figures.

Crone said today that the “For Neville” email “was the reason we had to settle the [Taylor] case”.

He claimed that had News International not settled the claim, four other individuals could have then sued the company, bringing on potentially serious commercial damage.

Crone said he had to sign a written undertaking required by the Metropolitan police, who provided him with a copy of the “For Neville” document.

“If you can avoid litigation coming in then you do. If we have to pay way over the odds especially if there’s a confidentiality clause then that is a good course of action,” he told MPs on the committee.

But Crone denied trying to conceal alleged widespread criminality at NotW, despite his admission that he knew – courtesy of the “For Neville” evidence – that Goodman was not a “rogue reporter” as had previously been claimed by News International.

The document, a transcript made by a junior reporter at the tabloid, appeared to have originated from intercepted voicemail, and that was why the company ultimately settled with Taylor, Crone claimed.

“The priority at the time was to contain the situation… get on with our business,” he said in response to a question from Labour MP Tom Watson, who asked if Taylor’s silence had been bought.

But when Watson grilled Crone further over whether the settlement would also mean the “For Neville” email evidence would be concealed, the erstwhile NGN legal manager retorted:

“The provenance of this document was from the Met. How can we be accused of covering up something that has reached us from the police?”

Myler later claimed that James Murdoch understood what was being discussed when the meeting with Crone took place in 2008.

“There was no ambiguity about the significance of that [“For Neville”] document… There was no suggestion then or now that anyone tried to conceal anything,” said Myler.

“It was alleged wrongly that we were guilty of covering up or concealing events… that’s not factually correct,” he added, in reference to comments made by James and Rupert Murdoch who were questioned by MPs on 19 July.

James Murdoch claimed at that hearing that he was unaware of the email in 2008.

He added at the time that “there was every reason to settle the [Taylor] case, given the likelihood of losing the case and given the damages – we had received counsel – that would be levied”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/06/news_international_phone_hacking_media_committee/

Battered Sony hires cyber-security chief

Sony is beefing up its security staff after the devastating hacking attack in April that crippled the PlayStation Network for 23 days and led to the potential exposure of millions of users’ account information.

The company has picked former US Department of Homeland Security exec Philip R Reitinger to fill the role of senior VP and chief information security officer. Reitinger has also worked in cybersecurity at Microsoft as well as at the US Departments of Defense and Justice.

“He will oversee information security, privacy and internet safety across the company, coordinating closely with key headquarters groups and working in partnership with the information security community to bring the best ideas and approaches to Sony,” the firm said.

Sony has been battered on the markets since the massive hack in the spring followed by a series of smaller attacks, losing more than 50 per cent of its share value.

In total, the attacks exposed personally identifiable information for over 100 million Sony customers and cost the company at least $171m, apart from lawsuits resulting from the breaches and share losses.

The technology firm has since been struggling to answer criticism that its security was not up to scratch, with much “reviewing” and “updating” of its online security systems going on while it got its PlayStation Network back online.

The Japanese company has also suffered due to the lack of consumer appetite for big-ticket items such as TVs as well as the rise of the yen against the euro. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/06/ex_homeland_security_exec_becomes_chief_security_officer/

Toshiba in Rugby World Cup personal data compo cockup

Toshiba has made something of a ruck-up in a Rugby World Cup competition, exposing customer details in the process.

UK consumers purchasing new Toshiba laptops were offered a £1 rebate for every point England’s Toby Flood scores in the tournament, which kicks off next weekend. Customers were invited to apply by submitting their personal details to a website, receiving a link to a certificate of registration in return.

The suggested URLs came in the form:

toshibaregistrations.com/rugbyworldcup/Certificates/TOSH1500.pdf.

Henry Dillon, on receiving this certificate, realised certificates containing personal information had been uploaded to an open webserver with no attempt made to obfuscate the URL.

Sure enough, Dillon was able to see the personal details (name, home address, date of birth, telephone number, and model and serial number of the laptop bought) of other users simply by changing the number in the final part of the URL from TOSH1500.pdf to TOSH1501.pdf or other values. Toshiba plugged the security snafu in late August; Dillon estimates it might have affected 1,800 competition entrants.
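The flaw is a textbook insecure direct object reference: the certificate name is a counter, and the server checks nothing but the path. The code below is an added example, not Toshiba’s registration system, and models both schemes side by side: a sequential store that behaves as the article describes, a hardened store that names each file with a 256-bit random token and returns the record only to the entrant who registered it, and a `walk_neighbours` helper that does programmatically what Dillon did by hand. The entrant records and the use of an email address as the login identity are constructed assumptions.

```python
import re
import secrets
from dataclasses import dataclass


@dataclass
class Entrant:
    """One competition entry. The fields are those the article says the PDFs exposed;
    the email address is assumed here to be the entrant's login identity."""
    email: str
    name: str
    address: str
    serial: str


class SequentialCertificateStore:
    """Reproduces the flawed scheme: the certificate path is a counter, and the
    server hands the record to anyone who supplies a valid path."""

    def __init__(self, start=1500):
        self._next = start
        self._certs = {}

    def register(self, entrant):
        path = f"TOSH{self._next}.pdf"
        self._next += 1
        self._certs[path] = entrant
        return path

    def fetch(self, path, requester_email=None):
        # No ownership check: requester_email is ignored entirely.
        return self._certs.get(path)


class TokenCertificateStore:
    """Hardened scheme: an unguessable token names the file, and the record is
    returned only to the entrant who registered it."""

    def __init__(self):
        self._certs = {}

    def register(self, entrant):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness; not enumerable
        self._certs[token] = entrant
        return f"{token}.pdf"

    def fetch(self, path, requester_email=None):
        token = path[:-4] if path.endswith(".pdf") else path
        entrant = self._certs.get(token)
        if entrant is None or entrant.email != requester_email:
            return None  # unknown token, anonymous request, or someone else's certificate
        return entrant


def walk_neighbours(store, known_path, span=5):
    """Take one legitimate path, step its numeric part up and down by `span`, and
    report which other paths return a record. Returns [] when nothing leaks."""
    m = re.fullmatch(r"(?P<prefix>\D+)(?P<n>\d+)\.pdf", known_path)
    if not m:
        return []
    base = int(m.group("n"))
    hits = []
    for n in range(base - span, base + span + 1):
        candidate = f"{m.group('prefix')}{n}.pdf"
        if candidate != known_path and store.fetch(candidate) is not None:
            hits.append(candidate)
    return hits


# Constructed sample entrants (not real people).
ENTRANTS = [
    Entrant("alice@example.com", "Alice Example", "1 High St", "SN-0001"),
    Entrant("bob@example.com", "Bob Example", "2 High St", "SN-0002"),
    Entrant("carol@example.com", "Carol Example", "3 High St", "SN-0003"),
]


def demo():
    """Register the same entrants in both stores; Bob then tries to read other
    entrants' certificates. Returns (paths leaked by the weak store, Bob's own
    record from the hardened store, what Bob gets for Alice's hardened path)."""
    weak, strong = SequentialCertificateStore(), TokenCertificateStore()
    weak_paths = [weak.register(e) for e in ENTRANTS]
    strong_paths = [strong.register(e) for e in ENTRANTS]
    leaked = walk_neighbours(weak, weak_paths[1])
    own = strong.fetch(strong_paths[1], "bob@example.com")
    others = strong.fetch(strong_paths[0], "bob@example.com")
    return leaked, own, others


if __name__ == "__main__":
    leaked, own, others = demo()
    print("weak store leaks:", leaked)
    print("hardened store, own record:", own.name)
    print("hardened store, someone else's:", others)
```

The random token on its own only stops enumeration; the ownership check in `fetch` is what stops a link that was forwarded, logged or scraped from being used by a third party, which is why the hardened store needs both.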

Dillon, who waited until Toshiba had pulled the plug on the offending PDFs, has a write-up of the problem (containing an obfuscated grab of one of the offending PDFs) in a blog post here.

We asked Toshiba to comment on the lapse but had yet to hear back at the time of publication. Dillon told El Reg that he had not reported the matter to data privacy watchdogs at the ICO. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/06/toshiba_rugby_world_cup_data_spill/

Gov removes ‘general appeal’ rights for accused freetards

The government has asked Ofcom to avoid giving alleged copyright infringers a general right of appeal against warning letters they may receive about their online activity in new regulations due out shortly, the telecoms regulator has said.

Under the Digital Economy Act (DEA) Ofcom is tasked with writing new regulations to help stop online copyright infringement. Last year it published a draft code of practice in which it outlined procedures that would allow copyright owners to identify illegal file sharers and take legal action against them.

The code stated that before that can happen internet users should first receive three warning letters from their internet service provider (ISP) if they are suspected of copyright infringements online, and that subscribers will be able to appeal against them.

An Ofcom spokesperson said that the government had asked it to “remove” the right of internet service provider (ISP) subscribers to appeal against receiving the letters if they had “any other reasonable grounds” to do so.

The draft code (74-page/365KB PDF) listed grounds of appeal but did not include that general right. That right appears to have originated subsequently, though it has never been officially published and neither the regulator nor the Department for Culture, Media and Sport (DCMS) would confirm it.

However a leaked copy of an apparently unredacted version of an Ofcom document appears to suggest that Ofcom had previously included a right for an alleged infringer to appeal if there were “any other reasonable grounds” to do so under the draft code.

“The grounds set out in the Act are non-exhaustive and we reflected this in our drafted Code by including an option to appeal on ‘any other reasonable ground’,” the apparently unredacted version (39-page/419KB PDF) of Ofcom’s Digital Economy Act Online Copyright Infringement Appeals Process – Options for Reducing Costs report said. This version has not been confirmed as authentic by the government or Ofcom.

“This was intended to provide an efficient mechanism through which to avoid a lengthy revision of the code should subscribers find additional, but reasonable, grounds for appeal as technologies and consumer behaviours evolve. We understand that government believes we should not include this mechanism in the final code,” the document said.

“Nevertheless, we think it offers an opportunity to minimise Ofcom’s costs (which are passed through to copyright owners) and potentially avoid the need for a revised code to be renotified and resubmitted to Parliament,” it said.

Neither Ofcom nor the DCMS would confirm the legitimacy of the sections of the report, which originally contained redactions. The official Ofcom report (39-page/377KB PDF) was published earlier this month.

Details of illegal file-sharers who receive more than three letters in a year would be added to a blacklist, and copyright-holders would have access to the list to enable them to identify infringers and take legal action, Ofcom’s draft code said. The plans also said ISPs could have to suspend users’ internet access if they are found to be illegally downloading copyrighted material.

An independent appeals body has to be set up to hear appeals by individuals who receive the warning letters as part of Ofcom’s code, according to provisions of the DEA.

In the draft proposals, Ofcom said that an alleged infringer may have grounds to appeal if an apparent infringement is not in breach of copyright or if their IP address from the time of the alleged incident “does not relate” to the one listed in the notification letter they received.

Other grounds of appeal may arise if the alleged ISP subscriber was not responsible for and “took reasonable steps to prevent” others using their “internet access service” to infringe copyright, or if there was “an act or omission by a qualifying ISP or qualifying copyright owner amounts to a contravention of the code or of an obligation regulated by the code”, the draft code said.

Ofcom also said that ISP customers could bring an appeal if there was “any other ground on which a subscriber chooses to rely as to why the act or omission should not have occurred”.

Individuals will have to pay a fee of £20 to appeal, although that fee will be refunded if they are successful, the government said earlier this month.

The Department for Culture, Media and Sport (DCMS) said that the government would not comment on the code ahead of the announcement, but a spokesman did say that it would “not be too much longer” until it is finalised.

“It is entirely within the government’s remit to make changes to the code,” an Ofcom spokesperson said.

Copyright © 2011, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/06/gove_asks_ofcom_not_to_give_alleged_infringers_of_copyright_the_general_right_to_appeal/

Claimed DigiNotar hacker: I have access to four more CAs

The digital miscreant known as ComodoHacker has claimed responsibility for the high-profile hack of the DigiNotar digital certificate authority.

Soon after the Comodo forged-certificates hack, an Iranian using the handle ComodoHacker posted a series of messages via a Pastebin account providing evidence that he carried out the attack. The account, which had been dormant since March, sprang back to life on Tuesday with claims that the individual or individuals behind it hacked DigiNotar as well, net security firm F-Secure reports.

The hacker boasted he still has access to four other (unnamed) “high-profile” CAs and retains the ability to issue new rogue certificates, including code signing certificates. The hacker (active on Twitter under the username ichsunx2) claimed that the domain administrator password of the DigiNotar network was Pr0d@dm1n.
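Whether or not the claimed password is genuine, it is a useful illustration of why Fox-IT could say DigiNotar’s passwords were brute-forceable: a string like Pr0d@dm1n satisfies a typical complexity rule yet is just two dictionary words with leetspeak substitutions, and password crackers apply exactly those substitutions as mangling rules. The check below is an added example, not Fox-IT’s method or any tool named on the page: it reverses the common substitutions, tries every plain-letter reading, and reports whether one of them splits cleanly into words from a wordlist. The substitution table and the tiny wordlist are constructed assumptions; a real check would use a corpus of leaked passwords.

```python
import itertools

# Reverse leetspeak table (assumption): each symbol maps to the letters it commonly replaces.
DELEET = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
}

# Constructed mini wordlist; a real check would use a much larger corpus.
WORDLIST = {"prod", "admin", "password", "root", "test", "secret", "login", "user", "pass"}


def candidates(password):
    """Every plain-letter reading of the password after reversing the substitutions,
    e.g. Pr0d@dm1n -> {'prodadmin', 'prodadmln'}."""
    choices = [DELEET.get(c, c) for c in password.lower()]
    return {"".join(p) for p in itertools.product(*choices)}


def split_into_words(text, words=WORDLIST):
    """Split text into a sequence of dictionary words, or return None if no split exists.
    Dynamic programming over prefix lengths; best[k] is a valid split of text[:k]."""
    best = {0: []}
    for end in range(1, len(text) + 1):
        for start in range(end):
            if start in best and text[start:end] in words:
                best[end] = best[start] + [text[start:end]]
                break
    return best.get(len(text))


def dictionary_reading(password, words=WORDLIST):
    """Return the dictionary-word decomposition of the first de-leeted reading that has
    one, or None if every reading is non-dictionary. A non-None result means the
    password falls to a wordlist-plus-mangling-rules attack."""
    for cand in sorted(candidates(password)):
        split = split_into_words(cand, words)
        if split:
            return split
    return None


if __name__ == "__main__":
    for pw in ("Pr0d@dm1n", "P@$$w0rd", "xq7#Lm9v"):
        print(pw, "->", dictionary_reading(pw))
```

The point of the example is the asymmetry: the substitutions make the password look opaque to a human reviewer and to a naive complexity rule, while adding only a handful of candidates to the attacker's search.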

Compromises against both Comodo affiliates and DigiNotar allowed hackers to generate bogus SSL certificates. The certificates create a means to mount convincing man-in-the-middle or phishing attacks. Evidence suggests that a rogue certificate issued in July under the name of Google as the result of the DigiNotar hack was used to spy on Iranian internet users.

The still-unfolding DigiNotar saga further underlines the fragility in the net’s foundation of trust first highlighted by the Comodo hack. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/06/comodohacker_claims_diginotar_hack/

Children’s body busted for email, file cabinet blunders

The Information Commissioner’s Office (ICO) has found that the organisation which investigates the care of Scotland’s most vulnerable children had twice failed to protect sensitive child welfare information.

In January 2011 the Scottish Children’s Reporter Administration (SCRA) sent legal papers containing sensitive information about a child’s court hearing to the wrong email address, the watchdog said.

The electronic documents contained details relating to physical abuse, along with the identities of the child’s mother and of witnesses.

Four months earlier, in September 2010, the SCRA had left nine case files in a filing cabinet when it was removed as part of an office refurbishment.

The files contained names, dates of birth, social reports and referral decisions relating to children.

Although the cabinet was supposed to have been destroyed, it was sold on to a second-hand furniture shop with the files still inside.

The ICO said that both breaches were the result of the SCRA’s failure to make sure that its data protection and IT security guidance were being correctly followed by staff.

Ken Macdonald, assistant information commissioner for Scotland, said he was very concerned that sensitive information had been mishandled twice by the same organisation.

“On both occasions the personal data which was compromised related to young children and was caused by human errors that could easily have been avoided,” said Macdonald. He added that it was lucky that on both occasions, the information was not circulated widely.

Neil Hunter, chief executive of the SCRA, has now signed an undertaking to ensure that staff are made aware of the organisation’s policies about the storage and use of personal data, and that checks are made to ensure the policy is followed.

The ICO said it is working with the SCRA on a series of workshops aimed at raising awareness of data protection obligations among staff.

This article was originally published at Guardian Government Computing.

Guardian Government Computing is a business division of Guardian Professional, and covers the latest news and analysis of public sector technology. For updates on public sector IT, join the Government Computing Network here.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/06/ico_scolds_scottish_childrens_protection_body_over_data_breaches/

MPs to grill ex-NotW editor as Met cuffs another man

Scotland Yard made its 16th arrest last Friday in its ongoing investigation into phone hacking allegations at the now-defunct News of the World.

The Met cuffed a 30-year-old man on suspicion of conspiracy to intercept voicemail messages, contrary to the Criminal Law Act, and attempting to pervert the course of justice.

The unnamed man was held in custody at a north London police station and later bailed until mid-January next year.

His arrest followed the re-arrest of 71-year-old former NotW managing editor Stuart Kuttner.

Kuttner was initially quizzed by cops probing phone-hacking and police corruption claims at the start of August.

Meanwhile, James Murdoch temporarily sacrificed a $6m bonus that was expected to be paid to him by his father’s company News Corp, which owns News International.

Murdoch the younger is NI’s chairman, and so he has taken personal flak for the company’s recent, er, bad press over phone-tapping at its former flagship British Sunday tabloid.

“In light of the current controversy surrounding News of the World, I have declined the bonus that the company chose to award to me,” he said in News Corp’s annual proxy statement.

“While the financial and operating performance metrics on which the bonus decision was based are not associated with this matter, I feel that declining the bonus is the right thing to do.”

But it doesn’t mean that $6m sweetener is gone for good.

“I will consult with the Compensation Committee in the future about whether any bonus may be appropriate at a later date,” added Murdoch.

In the meantime, the younger Murdoch gets a base salary of $3m, a further $8.3m in stock awards and – among other things – personal use of the company aircraft for “security reasons”, which cost News Corp just shy of $225,000 for the fiscal year ended 30 June 2011.

A parliamentary hearing by the Culture, Media and Sport select committee takes place tomorrow morning, with the NotW‘s final editor Colin Myler and ex-NI legal manager Tom Crone appearing before MPs.

Those two men claimed in July that Murdoch junior had been privy to an email with the subject line “for Neville” that contained a transcript of illegally intercepted voicemail messages around the time he signed off a reported settlement payment of £700,000 in 2008.

That sum was paid by News International to Professional Footballers’ Association boss Gordon Taylor, who had filed a damages claim against NotW.

Murdoch the younger has disputed those comments, saying he stood by the testimony he made to the media committee in the company of his dad on 19 July. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/05/phone_hacking_parliamentary_hearing_james_murdoch_bonus/

Spamhaus victorious after 5-year fight with mass mailer

Spamhaus has finally prevailed in a long-running US court action against it by e360 Insight, a firm it blacklisted for spamming.

e360 Insight sued Spamhaus in the US over the blacklisting way back in 2006. Spamhaus, which is based in the UK, argued (on the advice of lawyers) that it was outside the jurisdiction of US courts. Judge Charles Kocoras allowed the case against Spamhaus to proceed despite this and awarded a default judgment in favour of e360 Insight for a whopping $11.7m.

The default judgement was used by e360 Insight in a failed attempt to pressure ICANN into removing Spamhaus’ domain records. Judge Kocoras ruled the sanction was too broad and rejected the bid.

The original judgment was appealed and sent back to the district court for a second hearing, where much reduced damages of $27,002 were awarded last week, two years after e360 Insight filed for bankruptcy, citing the legal costs of fighting the case as one of the reasons for the failure of the business. The defunct firm was characterised by Spamhaus as a Chicago-based one-man ‘bulk email marketing’ outfit. e360 Insight, which was owned by David Linhardt, allegedly spamvertised bargaindepot.net (prop. David Linhardt) via junk mail messages that violated the US CAN-SPAM Act.

Spamhaus’ lawyers appealed for a second time to argue that the damages awarded against the anti-spam organisation were still too high. The US Court of Appeals found in favour of Spamhaus on Friday, reducing damages to the token value of $3 and ordering e360 Insight to pay Spamhaus’ defence costs. The ruling criticises e360 Insight’s conduct throughout the case, singling out its failure to produce any evidence for the supposedly astronomical financial losses Spamhaus’s actions had caused it and its repeated failure to file legal papers on time (ie, to meet basic discovery obligations):

By failing to comply with its basic discovery obligations, a party can snatch defeat from the jaws of certain victory. After our earlier remand, all e360 needed to do was provide a reasonable estimate of the harm it suffered from Spamhaus’s conduct. Rather than do so, however, e360 engaged in a pattern of delay that ultimately cost it the testimony of all but one witness with any personal knowledge of its damages. That lone witness lost all credibility when he painted a wildly unrealistic picture of e360’s losses.

Having squandered its opportunity to present its case, e360 must content itself with nominal damages on each of its claims, and nothing more. We VACATE the judgment of the district court and REMAND this matter with instructions to enter judgment for the plaintiffs in the amount of three dollars.

A full history on the case, from Spamhaus’s perspective, can be found here. Independent comment can be found on Eric Goldman’s technology and marketing law blog here.

Goldman concludes that the Spamhaus case illustrates that courts are ultimately likely to favour filtering services and ISPs rather than bulk-mailing firms in cases involving spam blacklisting.

“Spamhaus ended up traveling the long road and ultimately defeating e360, but it’s nice to see it prevail. As the Holomaxx v. Yahoo and Microsoft cases indicate, lawsuits brought by emailers against ISPs or filtering services face a long and uphill road, which should lead to a dead end,” he writes. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/05/spamhaus_e360_insight_lawsuit/

Hurry up with webcams in courts, says Sky News boss

Streaming trials on the internet will help people have confidence in the British justice system, Sky News boss John Ryley claimed in an open letter to the Justice Secretary today.

Justice Secretary Ken Clarke promised to open up British courts to cameras eight months ago in a meeting with Sky, the BBC and ITN – but as yet only dealings in the Supreme Court are filmed and published online.

John Ryley, Head of Sky News, has decided to hustle Clarke along with an open letter where he states that:

“I believe that if television cameras were allowed to broadcast the remarks made by judges when they pass sentence, it would go a long way to making the process more transparent and would dramatically improve public confidence in the system.”

Ryley adds a claim that Sky News’s Supreme Court Live feed, which started in May 2011, gets 90,000 visitors a day. (Though obviously only when the court is in session – it’s currently off till October when the legal term starts again.)

The courts have complained about cost before in discussions of opening up trials to cameras, saying on their website that they cannot make recordings of previous cases available to members of the public because it takes them too much time to burn the broadcasts onto DVDs.

With the decline of court reporting in regional papers as budgets and journalists are cut, both judges and journalists have warned that courts will escape public scrutiny, so broadcasting their procedures online is one obvious way to make the system more transparent.

One early objection to televising trials seems to have been quashed by the experiment with the Supreme Court: judges don’t “act up” to the cameras.

The Press Gazette reports Sky News’ associate editor Simon Bucks saying that: “A few minutes watching the proceedings will dispel one of the arguments used by those who oppose televising all courts: that judges and lawyers will ‘act up’ to the camera. They don’t.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/09/05/put-cameras-in-courts-says-sky-news-boss/