STE WILLIAMS

US breakthrough in Oz bomb hoax case

NSW Police are about to apply to extradite a 52-year-old Australian arrested in Louisville, Kentucky, over the Madeleine Pulver bomb hoax.

This morning, Sydney time, police announced the arrest, saying that the unnamed man collared by NSW police and FBI officers has “no known relationship” to the family. Police say he was under surveillance for several days before taking off for America.

Over the weekend, Australian media were reporting a breakthrough in the case, with police seizing a library computer in the coastal town of Kincumber, near Avoca where the Pulver family has a holiday home.

Earlier, the investigation was looking at a curious link with the James Clavell novel Tai-Pan, quoted in the extortion note left with the bomb.

Madeleine Pulver, daughter of software millionaire Bill Pulver, was targeted in an afternoon attack in which an object, which her assailant described as a bomb, was tied around her neck. She was told the device could be detonated remotely, and was also told not to call police.

It was ten hours before police determined that the supposed bomb was a hoax, after which they were able to release the schoolgirl from the device.

Police have said they believe the attack was an extortion attempt, but have kept information close to the chest. Presumably, as extradition hearings in America take place, more details are bound to emerge. ®

Update: NSW Police press conference

The police have expanded their description of the man they have arrested as being a businessman who commutes between Australia and America. NSW Police assistant commissioner David Hudson of the state crime command said there were “some links” to the family, but would not comment on whether those were “direct” links.

The assistant commissioner says the arrested man “was not a suspect at the time he left [Australia]”.

Hudson says the man has family both in Australia and the USA, and that he is primarily a Sydney resident. At the time of writing, the man was under arrest, but had not yet been charged. He is, at the moment, considered a suspect, and is being held under a “provisional warrant”. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/15/pulver_hoax_breakthrough/

Innocent passengers targeted to protest subway agency

Hacktivists protested recent controversial actions taken by a San Francisco regional subway authority by publishing sensitive information for more than 2,000 passengers who had nothing to do with the agency’s management.

Anonymous, the loose-knit hacking collective, breached the security of MyBart.org and published the names, street and email addresses, and site passwords for about 2,400 people who had set up accounts on the site. It’s operated by BART, short for the Bay Area Rapid Transit. Database dumps such as the one here also included phone numbers for many users.

It was accompanied by a scathing note that said Anonymous took the action to protest two fatal police shootings in the past few years and the temporary suspension of cellphone service BART imposed on Thursday. BART officials said they took the action at at least four stations to thwart demonstrations that were being organized using mobile devices.

“It’s just common sense that I shouldn’t be the target,” one of the victims whose details were included in the data dump told The Register. “I was just in the wrong place at the wrong time.” He asked that his name not be published in this article.

He said he received a “creepy” phone call on Sunday night from someone claiming to be a member of Anonymous who uttered “foul language, hushed tones and threats.” He said he has received no notification from BART representatives that his information was taken, contradicting claims officials made in a Sunday press release that “we notified those affected right away in case anyone tries to exploit the information.”

According to a note accompanying the published data, the user information was obtained after exploiting a SQL-injection vulnerability in the MyBart site. Such exploits typically allow attackers to enter database commands into a web form and get them executed by the site’s back-end database server.

“They set up this website called mybart.gov and they stored their members information with virtually no security,” the Anonymous screed stated, mislabeling the top-level domain of the compromised site as .gov instead of .org. “Any 8 year old with a internet connection could have done what we did to find it. On top of that none of the info, including the passwords, was encrypted. It is obvious that BART does no give a fuck about its customers, funders and tax payers,THE PEOPLE” [sic].
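The two failures described above, a query that executes form input as SQL and a member table that stores passwords as they were typed, are shown side by side in the added example below. It is illustrative code written for this page, not MyBart’s or BART’s, and the member records, the `members` table layout and the function names are constructed for the demonstration. The tautology string is the classic textbook input used to show why the concatenated query is wrong; the parameterised version treats the same string as plain data.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed member records standing in for a site's user table (not MyBart data).
MEMBERS = [
    ("alice", "hunter2", "alice@example.invalid"),
    ("bob", "letmein", "bob@example.invalid"),
]


def make_db():
    """In-memory table with plaintext passwords, the storage practice the dump exposed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query assembled by string concatenation: form input is parsed as SQL."""
    query = ("SELECT username, email FROM members WHERE username = '" + username
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchall()


def login_parameterised(conn, username, password):
    """Same query with bound parameters: input is treated as data only."""
    return conn.execute(
        "SELECT username, email FROM members WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256; the stored string contains no recoverable password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def dump_table(conn):
    """What a successful dump of the table yields: every column exactly as stored."""
    return conn.execute("SELECT * FROM members").fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"
    print("vulnerable:", login_vulnerable(db, tautology, tautology))        # every row
    print("parameterised:", login_parameterised(db, tautology, tautology))  # []
    print("as stored:", dump_table(db))                                     # passwords in clear
    stored = hash_password("hunter2")
    print(stored, verify_password(stored, "hunter2"))
```

The concatenated query turns the tautology into `WHERE username = 'x' OR '1'='1' AND ...`, which matches every row; the bound-parameter query returns nothing for the same input. Hashing with a per-user salt means a dump of the table, even a complete one, gives up no passwords that could be reused on other sites.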

BART spokesman Linton Johnson said on a conference call with reporters that he wouldn’t say whether the MyBart.org website had been tested by outside security auditors unless he received a public records request. He repeatedly characterized BART and its customers as “victims.”

“The bottom line is we did not violate our customer security and their privacy rights,” he said. “This group Anonymous did. This group Anonymous shares all the blame for violating not only the security but also for putting out people’s private information on the web, jeopardizing their security.”

He said BART officials have reported the breach to the FBI.

He didn’t address the claim challenged by one of the MyBart.org users that all people affected by the breach had been immediately contacted. MyBart.org wasn’t operational at time of writing.

The attack is the latest act of politically minded hacking to be attributed to Anonymous, which recently has taken credit for data dumps affecting thousands of US law-enforcement officers, an attack on a US government contractor, and a claimed breach of an Italian computer crime unit.

The weekend hack followed BART’s admission on Friday that it had suspended cellular service at San Francisco stations the night before to disrupt a planned demonstration protesting the fatal police shooting in July of a passenger accused of brandishing a knife and charging at BART police officers.

Officials admitted they disconnected nodes of cellular antennas used at several San Francisco stations. They said they took the action to prevent overcrowding and other unsafe conditions in the paid areas of its system and that service was restored a few hours later. Cellular service outside the stations was unaffected.

Civil libertarians, including the American Civil Liberties Union and the Electronic Frontier Foundation, have blasted the move and drawn comparisons to former Egyptian President Hosni Mubarak, who ordered the shutdown of cellular service in Cairo to quell recent protests against his rule. A California state senator has called on the Federal Communications Commission to investigate the blackout.

After this article was first published, FCC officials said they were looking into the move by BART.

“Any time communications services are interrupted, we seek to assess the situation,” FCC spokesman Neil Grace said in a statement. “We are continuing to collect information about BART’s actions and will be taking steps to hear from stakeholders about the important issues those actions raised, including protecting public safety and ensuring the availability of communications networks.”

What we’re left with here is a drama that seems replete with antagonists and no heroes.

BART’s Johnson repeatedly insisted that BART officials should shoulder no responsibility for the breach, even though it would appear they left the site open to some of the most rudimentary of attacks. We’ve written before about the unfounded trust people place in the websites they use and the wisdom of withholding, whenever possible, any personally identifiable information. Until BART is more forthcoming about how it secures its passengers’ data, add its websites to this long list.

Then you have the perpetrators of the attack pretending that they’ve done the world a favor by exposing the private information of thousands of people who did nothing more than rely on the transit agency to get around. ®

This story was updated to include information provided by BART spokesman Linton Johnson and the FCC.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/15/anonymous_breaches_bart_site/

Microsoft loses grip on slippery Mango

The next version of Microsoft’s Windows Phone operating system has arrived early for those willing to risk a slapdown by Redmond.

A version of the code built by Microsoft and delivered to smartphone-makers this summer has apparently slipped free of the Redmond-OEM loop and been leaked online.

The leaked code is build number 7720 of Windows Phone 7.5, which Microsoft signed off and released to phone-makers in July.

A link to the code, better known by its codename of Mango, appeared in the XDA Developers forums here, larded with plenty of warnings.

The post points out this is vanilla MS phone code, missing the tweaks that phone-makers will add to differentiate their phones from those of the competition.

What the post doesn’t say, but probably should, is that if you decide to install 7720 on your phone you run a strong chance of incurring Microsoft’s displeasure.

You might also miss out on future updates once Microsoft and the OEMs officially ship phones loaded with Windows Phone 7.5.

Earlier this year, many users keen to get their hands on the highly anticipated but delayed NoDo release of Windows Phone 7 downloaded the ChevronWP7 hack, created by Chris Walsh, which let them unlock Windows Phone devices and install an unfinished build of NoDo.

Microsoft initially warned against using such home-brew installations, saying it was not sure what would happen to people’s phones once the hack was used. As it turned out, people who installed the unofficial update were not able to move to the finished NoDo.

After NoDo was made available, Microsoft took great pleasure in crowing “I told you so” in an official company blog post here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/15/mango_rtm_leaked/

Credit card cabal collared

NSW Police have arrested five men responsible for what they describe as an international credit card fraud operation.

After investigations that began in 2009, the police executed three search warrants yesterday in metropolitan Sydney, retrieving EFTPOS terminals, computers, cash, mobile phones, skimming devices, and several Canadian credit cards.

Other seizures in the two-year investigation have included 18,000 blank and counterfeit credit cards, stolen EFTPOS terminals, and skimming devices.

The men arrested are Malaysian and Sri Lankan nationals, and are accused of coordinating the fraud operation in Australia, North America and Europe.

The charges include conspiracy to cheat and defraud, dealing with identification information, possessing equipment to create identification documents, possessing false or misleading documents, and participation in a criminal group.

The police statement says: “It is alleged that the syndicate was highly advanced technologically, and operated under a sophisticated international network.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/14/skimmer_arrests_in_nsw/

Attack on open-source web app keeps growing

An attack targeting sites running unpatched versions of the osCommerce web application kept growing virally this week, more than three weeks after a security firm warned it was being used to install malware on the computers of unsuspecting users.

When researchers from Armorize first spotted the exploit on July 24, they estimated it had injected malicious links into about 91,000 webpages. By early last week, The Reg reported it had taken hold of almost 5 million pages. At time of writing, Google searches here and here suggested that the number exceeded 8.3 million.

Armorize said attackers are exploiting three separate vulnerabilities in the open source store-management application, including one that was discovered last month. Harold Ponce de Leon, the lead developer of osCommerce, said there’s only one vulnerability that’s being exploited, but he admitted that no one on his team has spoken to anyone at Armorize to reconcile the difference of opinion.

“It is devastating not only to see the damage the attack has inflicted to online stores, but also to customers who are getting affected with old IE6 browser exploits,” he wrote in an email.

He said a fix has been available since November’s release of osCommerce Online Merchant v2.3. The steadily climbing number of infected webpages suggests that a large percentage of osCommerce websites can’t be bothered to install it. And that means people visiting those ecommerce websites are being unnecessarily exposed to attacks. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/13/oscommerce_infection_threatens_web/

IT admin cops to crippling ex-employer’s network

A Georgia IT administrator has pleaded guilty to crippling the computer system of a Japanese pharmaceutical company’s US subsidiary several months after his employment there ended.

Jason Cornish, 37, admitted using a public internet connection at a McDonald’s restaurant in Smyrna, Georgia, to access the network of the Shionogi subsidiary using an old account, according to federal prosecutors in New Jersey. He then deleted the contents of 15 VMware hosts used to run the equivalent of 88 servers that supported email, employee Blackberrys, order tracking and other essential services.

“The February 3 attack effectively froze Shionogi’s operations for a number of days, leaving company employees unable to ship product, to cut checks, or even to communications via email,” prosecutors wrote in a criminal complaint filed in June. In all, the attack cost the company $800,000.

FBI agents linked the attack to the McDonald’s by analyzing the IP addresses used during the attack. They later discovered Cornish had used his credit card at the restaurant a few minutes earlier.

Cornish faces a maximum of 10 years in prison and $250,000 in fines. Sentencing is scheduled for November 10. He joins a growing roster of disgruntled IT admins charged and convicted of sabotaging their former employers. For a sampling, see related stories below. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/17/it_admin_revenge/

Malware mints virtual currency using victim’s GPU

Security researchers have unearthed a piece of malware that mints a digital currency known as Bitcoins by harnessing the immense power of an infected machine’s graphics processing unit.

According to new research from antivirus provider Symantec, Trojan.Badminer uses GPUs to generate virtual coins through a practice known as minting, or mining. That’s the term for solving difficult cryptographic proof-of-work problems and being rewarded with 50 Bitcoins for each correct block.

General purpose GPUs far outstrip CPUs at performing math calculations and can do so in massively parallel software threads, making them a superior platform for trying the huge numbers of candidate hashes needed to solve the Bitcoin problems.

“This makes the idea of GPGPU extremely attractive for the purpose of bitcoin mining, brute force hash attacks against password databases, and folding (the processing of simulating protein folding, a project initiated by Stanford University known as Folding@home),” Symantec researcher Poul Jensen wrote in a post published Tuesday.

An infected computer that contains an AMD Radeon 6990 GPU could process about 758.82 million cryptographic hashes per second, he wrote. That’s a far cry from an Intel Atom N270 netbook CPU, which is capable of handling just 1.19 Mhash/s. Rob Graham, CEO of the firm Errata Security, recently published a thought-provoking post that analyzed the economics of password cracking and Bitcoin-mining using a variety of GPU hardware.
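To make concrete what “solving a proof-of-work problem” means and why the hash rates above matter so much, the added example below (written for this page; it is not Symantec’s analysis or any real miner’s code) mines a toy block: it hashes a header plus a nonce with double SHA-256 until the result falls below a target, then uses the article’s two hash-rate figures to compare how long the same search takes on each device. The header bytes, the 16-bit difficulty and the function names are constructed for the illustration; a real block header carries version, previous-hash, merkle-root, timestamp and target fields, and real difficulty is far higher than 16 bits.

```python
import hashlib
import struct

# Hash rates quoted in the article (hashes per second).
RADEON_6990_HASHES_PER_S = 758.82e6
ATOM_N270_HASHES_PER_S = 1.19e6

# Constructed stand-in for a block header; a real header has version, previous
# block hash, merkle root, timestamp and target fields ahead of the nonce.
TOY_HEADER = b"constructed-toy-block-header"


def double_sha256(data: bytes) -> bytes:
    """Bitcoin's proof-of-work hash: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """Valid when the hash, read as a big-endian integer, is below 2^(256 - bits),
    i.e. when it begins with at least `difficulty_bits` zero bits."""
    return int.from_bytes(digest, "big") < (1 << (256 - difficulty_bits))


def mine(header: bytes, difficulty_bits: int, max_nonce: int = 1 << 32):
    """Try nonces in order until the header hash meets the target.
    Returns (nonce, digest_hex, hashes_tried), or None if max_nonce is exhausted."""
    for nonce in range(max_nonce):
        digest = double_sha256(header + struct.pack("<I", nonce))
        if meets_target(digest, difficulty_bits):
            return nonce, digest.hex(), nonce + 1
    return None


def expected_seconds_per_block(difficulty_bits: int, hashes_per_second: float) -> float:
    """On average 2^difficulty_bits candidates must be hashed to find one valid block,
    so expected time is that count divided by the device's hash rate."""
    return float(2 ** difficulty_bits) / hashes_per_second


def gpu_speedup(gpu_rate: float = RADEON_6990_HASHES_PER_S,
                cpu_rate: float = ATOM_N270_HASHES_PER_S) -> float:
    """How many times faster the GPU clears the same search space than the netbook CPU."""
    return gpu_rate / cpu_rate


if __name__ == "__main__":
    nonce, digest, tried = mine(TOY_HEADER, 16)
    print(f"nonce={nonce} digest={digest} hashes_tried={tried}")
    for bits in (16, 32):
        print(f"{bits} bits: GPU {expected_seconds_per_block(bits, RADEON_6990_HASHES_PER_S):.6f}s, "
              f"Atom {expected_seconds_per_block(bits, ATOM_N270_HASHES_PER_S):.6f}s")
    print("speedup", round(gpu_speedup(), 1))
```

Because every nonce is an independent trial, the search is embarrassingly parallel, which is exactly the workload a GPU’s many simple cores handle well; the `gpu_speedup` figure (about 638x from the article’s numbers) is the whole reason a miner that can use the graphics card changes the botnet economics discussed further down.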

In the event an infected machine has no GPU card, Trojan.Badminer will make do with the CPU.

GPU use could go a long way to solving a problem that has vexed malware developers who want to use other people’s computers to mine Bitcoins. As fellow Symantec researcher Peter Coogan surmised in June, a botnet of 100,000 machines that worked on a problem continuously would earn just $97,000 a month. That’s a paltry amount compared to other botnet enterprises, such as stealing online banking credentials.

“With the advent of Trojan.Badminer and common usage of fast graphics cards, it may well begin to make economic sense to rent botnets in order to carry out distributed bitcoin mining and run the process on an industrial scale,” Jensen wrote.

Of course, crooks investing resources in Bitcoin theft still must grapple with another challenge: The price of the highly decentralized coin fluctuates wildly. It has reached exchange rates as high as $29, but has plummeted since then, with the current price a little more than $11. ®

This post was rewritten to correct inaccuracies about the way Trojan.Badminer worked.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/16/gpu_bitcoin_brute_forcing/

News International mail server password FAIL exposed

A letter from News International chairman James Murdoch to the Commons Culture Select Committee has let slip details of how to gain full access to the company’s MS Exchange email system – albeit the information is from four years ago.

MPs published a raft of letters this lunchtime including one from jailed News of the World royal editor Clive Goodman, who claimed senior figures at the now-defunct Sunday tabloid knew that phone hacking was going on at the publication.

James Murdoch has consistently denied any knowledge of widespread phone-tapping beyond the illegal methods employed by “one rogue reporter” at the newspaper.

Among the evidence submitted to the committee was an email between an individual named Simon Avery and Lawrence Abramson, co-founder of the company’s London law firm Harbottle Lewis.

The email offers a step-by-step guide on how to access News International’s web mail server.

It includes the URL required for accessing the company’s gateway Exchange server as well as the domain and username, and was provided to Harbottle Lewis in May 2007, a few months after Goodman was sacked in February that year.

The instructions reveal that a frankly piss-poor password (mailreview) was issued by the NI sysadmin to the lawyers.

Harbottle Lewis had been granted “independent” access to relevant emails relating to allegations made by Goodman, who appealed his dismissal from the sister firm of Rupert Murdoch’s News Corp on the grounds that other individuals were aware of – and supported – illegal phone-hacking methods used by the former NotW royal correspondent.

Goodman also claimed, according to then-NI director of legal affairs Jon Chapman, that “others were carrying out similar illegal procedures” at the firm.

It was Chapman who granted Harbottle Lewis access to emails inserted in five subfolders within NI’s Exchange public folders for review by the lawyers.

The culture committee, in contrast to its roughshod handling of the highly sensitive details of NI’s mail gateway, has redacted information about emails that were searched relating to six individual accounts.

Abramson concluded an email to Chapman on 25 May 2007 with the following statement:

“I can confirm that we did not find any evidence that proved that either [redacted], [redacted] or [redacted] knew that Clive Goodman, Glen Mulcaire or any other journalists at the News of the World were engaged in illegal activities prior to their arrest.”

Mulcaire had worked as a private investigator at the newspaper. He was jailed for six months in January 2007 after admitting to conspiring with Goodman to illegally access voicemail messages.

In a letter on 2 March 2007 to NI HR boss Daniel Cloke, Goodman rejected News International’s notice of termination of employment on the grounds of “gross misconduct”.

He claimed in the missive that phone hacking was “widely discussed” at the paper and alleged that News International had promised to re-hire him after he was convicted of intercepting voicemail messages on the provision that he didn’t implicate the newspaper in court.

Meanwhile, the paperwork submitted to the committee today also revealed exactly how much money Goodman was paid when he was sacked by News International in 2007.

The ex-royal editor was paid £90,502.08 and a further £140,000 in compensation. He was given another £13,000 from News International to pay for his lawyer’s bill.

Separately, Harbottle Lewis told Culture Committee chairman John Whittingdale that the firm had been given “remote electronic access to emails on News International’s server”.

The law firm added that the emails made available to it for review were contained in the aforementioned five sub-folders, which meant “access was not entirely straightforward”. Harbottle Lewis added that the firm had been “instructed only to look for evidence” in those folders in May 2007. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/16/news_international_letters_sysadmin_password_fail_clive_goodman/

Google gets UK OK on privacy in slurping probe

Google’s privacy policy has been gently applauded by Information Commissioner Christopher Graham, who came under sharp criticism for his initial “lily-livered” handling of the company’s Street View Wi-Fi data-slurping operation.

An audit by the Information Commissioner’s Office (ICO) took place last month at Google’s London office.

The watchdog carried out the probe after it reversed its decision about Google’s Street View technology in November 2010, when it concluded that Mountain View had breached the Data Protection Act.

The ICO said at the time it would require Google to sign a piece of paper promising not to break the law again. It also confirmed at that point that an audit of Google’s privacy practices would take place.

“I’m satisfied that Google has made good progress in improving its privacy procedures following the undertaking they signed with me last year,” said Graham today.

“All of the commitments they gave us have been progressed and the company have also accepted the findings of our audit report where we’ve asked them to go even further.”

But, despite its U-turn last November, the ICO declined to slap a monetary penalty on Google, instead threatening “further regulatory action” if the ad broker failed to fully comply with the agreement.

“The ICO’s Google audit is not a rubber stamp for the company’s data protection policies. The company needs to ensure its work in this area continues to evolve alongside new products and technologies. Google will not be filed and forgotten by the ICO,” said Graham this morning.

There has been much tougher action against Google’s fleet of Street View vehicles elsewhere in Europe, after the company admitted that its mass Wi-Fi snoop from the cars had slurped up passwords and entire emails and URLs. The company insisted the data had been collected accidentally.

But that didn’t stop Germany, for example, ordering Google to altogether withdraw its Street View fleet from the country.

The ICO listed areas where it reckoned Google had improved its privacy policy including a “Privacy Design Document” that involves each new project undergoing “in-depth assessment to ensure that privacy is built in from the start”.

Google has also subjected its engineers to “advance data protection training”.

The ICO said Google must still do better with how it handles data, before recommending what, in effect, were simple enhancements to action already undertaken by the firm:

  • All existing products to have a Privacy Story – an explanation of how data will be managed in a new product. This should be used to provide users proactively with information about the privacy features of products.
  • Google should ensure that all projects have a Privacy Design Document, and that processes to check them for accuracy and completeness continue to be enhanced.
  • The core training for engineers should be developed to include specific engineering disciplines, taking account of the outcomes of the Privacy Design Document.

Separately, the ICO has been looking at whether Google’s Profile product needs to comply with Regulation 18 of the Privacy and Electronic Communications Regulations to establish whether it constitutes a directory of subscribers.

The watchdog has been poking a cotton-wool wrapped stick at Google Profiles after The Register asked it to consider what rights an individual might have if it can be proved that the service constitutes such a directory.

At the end of July, the company killed all privately stored profiles created via its Gmail product as part of a drive to link real names with users’ Google accounts and its new social network effort Google+. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/16/ico_happy_with_google/

Rights Commish warns of creeping gov data menace

The government’s approach to the collection and use of personal data is “deeply flawed”, according to a report from the Equalities and Human Rights Commission (EHRC).

The EHRC has joined in long running complaints from privacy activists with the publication of a report, Protecting Information Privacy (105-page PDF/716KB), which says public authorities may be unaware they are breaking the law, as the complexity of the legal framework makes their obligations unclear.

It acknowledges that the demand for information is coming from the public and the private sectors, and says there is a risk of eroding the right to privacy.

The report finds that it is difficult for people to know what information is held about them, by which government agency or private sector body, or how it is being used. For example, as there is currently no law regulating the use of CCTV cameras it would be very difficult for someone to find which organisations hold footage of them.

It can be hard to check the accuracy of personal data held, to hold anyone to account for errors in the data or its misuse and to challenge decisions made about someone on the basis of that information. Calling any public or private organisation to account is made more difficult because people often may not know what their rights are or know when a breach of those rights has occurred.

The EHRC says that breaches of privacy are likely to get worse in the future as demand for personal information increases and as new technology is developed that is not covered by existing legislation or regulations. Piecemeal reform of relevant laws, such as the proposals in the Protection of Freedoms Bill, may not be sufficient to ensure people’s rights are protected.

In response, it makes a handful of recommendations:

  • Streamline the current legislation on information privacy so that it is easier for organisations to understand their responsibilities and simpler for citizens to know and use their rights.
  • Ensure that public bodies and others have to properly justify why they need someone’s personal data and for what purpose. Any requirement to use personal data for any purpose other than for which it was collected should go through a vetting process.
  • All public bodies should carefully consider the impact on information privacy of any new policy or practice and ensure that all requests for personal data are justified and proportionate.

Geraldine Van Bueren, a commissioner for the EHRC, said: “It’s important that the government and its agencies have the information they need about us to do their job, for example to fight crime, or protect our health. However, the state is holding increasing amounts of information about our lives without us knowing, being able to check that it’s accurate or being able to challenge this effectively.

“This needs to change so that any need for personal information has to be clearly justified by the organisation that wants it. The law and regulatory framework needs to be simplified and in the meantime public authorities need to check what data they have and that it complies with the existing laws.”

This article was originally published at Guardian Government Computing.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2011/08/16/ehrc_warns_of_data_threat/