STE WILLIAMS

Snoops ‘n’ snitches auditor IPCO gets up and running

The latest agency that audits state spying in the UK, the Investigatory Powers Commissioner’s Office (IPCO), formally started operating today.

IPCO is the latest incarnation of the public sector snooping regulator, the body previously having been called the Interception of Communications Commissioner’s Office (IOCCO).

In plain English, IPCO is supposed to ensure that UK state spying, covering everything from covert police operations to GCHQ’s bulk cable-tapping and decryption exercises, is carried out in accordance with the UK’s notably fast and loose laws on this sort of thing.

IPCO has not yet assumed its full range of duties. Staffed by around 70 people, including 15 judicial commissioners drawn from current and retired senior judges, it will go through records of public sector surveillance operations at scheduled intervals, as well as having the power to carry out immediate inspections.

The first Investigatory Powers Commissioner, the Right Honourable Lord Justice Fulford, PC, QC, was appointed in March this year, as we reported at the time.

The new and improved IPCO now audits the snooping activities of MI5, MI6, GCHQ, the National Crime Agency, police forces, HMRC, local councils, and other such popular public bodies. Its statutory duties are set out at section 229 of the Investigatory Powers Act 2016, the so-called Snoopers’ Charter. Notable in that section are sub-sections (6) and (7), which prohibit the judicial commissioners who do IPCO’s day-to-day work from acting in a way that Fulford, who is appointed by the Prime Minister, “considers to be contrary to the public interest”, or from “jeopardising the success of an intelligence or security or law enforcement operation”.

“From today, and for the first time, investigatory powers will be overseen by a single body applying a consistent, rigorous and independent inspection regime across public authorities. This is an important milestone as we start to implement the new oversight powers set out in the Investigatory Powers Act,” said Lord Justice Fulford in a canned quote.

In the future, IPCO will oversee the judicial “double lock” process on authorisations for spying. IPCO judicial commissioners will countersign warrants issued by politicians that permit spies to go about their business, though in theory they will have the power to refuse to do so. At present these warrants are signed by politicians alone.

As an oversight mechanism, IPCO’s remit is deliberately very narrow. Its powers are effectively limited to pointing out criminal behaviour by public sector snoopers long after the event, and even then it has little practical ability to stop law-breaking by snoopers and spies. Though the Commissioner can issue “monetary penalty notices” (fines, in plain English) of up to £50,000, it would be surprising to see this power ever being exercised, given that IPCO is bound by law not to “unduly impede the operational effectiveness” of public sector snoopers.

A non-exhaustive list of the types of public sector bodies audited by IPCO can be found here. In addition to the obvious ones, it includes fire and ambulance services, the Gambling Commission, Ofcom, the NHS Business Services Authority and the Food Standards Agency. ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/01/ipco_spies_auditor_starts_work/

‘Independent’ gov law reviewer wants users preemptively identified before they’re ‘allowed’ to use encryption

The UK’s “independent reviewer of terrorism legislation” appears to have gone rogue, saying that encryption should be withheld from people who don’t verify their identities on social media.

Max Hill QC is supposedly the reviewer of government laws designed to stop terrorists. His latest statement, carried in tonight’s London Evening Standard, appears to be strongly echoing the views of the very government he is supposed to be scrutinising and holding to account.

“A discussion I have had with some of the tech companies is whether it is possible to withhold encryption pending positive identification of the internet user,” Hill was reported as telling the paper’s home affairs correspondent, Martin Evans.

“If the technology would permit that sort of perusal, identification and verification, prior to posting that would form a very good solution… and would not involve wholesale infringement on free speech use of the internet,” added the lawyer.

Hill’s words are concerningly close to those of Home Secretary Amber Rudd, who recently argued that “real people” [sic] actively want State snoopers to peer into their private lives.

The Independent Reviewer of Terrorism Legislation (IRTL) is supposed to act as a check and balance on the government, reporting to Parliament on how anti-terror laws are used in practice and how they affect both their intended targets and the wider population. On the IRTL’s website it even states: “The uniqueness of the role lies in its complete independence from government”.

Hill’s interview with the Standard will raise serious and far-reaching questions about his claimed independence from government, particularly as it leans heavily on the tech sector to fall into line and do as British ministers want.

The Investigatory Powers Act, better known by the moniker “the Snoopers’ Charter”, allows the British government to demand that technology companies break their encryption by introducing a backdoor to permit snooping on users of services such as social media and chat apps.

While sensible people accept and understand that to introduce a crypto backdoor for one is to introduce a backdoor for all, the British government has consistently done the equivalent of shouting “LA LA LA I CAN’T HEAR YOU” every time this is pointed out.

Rohan Silva, a one-time advisor to former prime minister David Cameron, was torn a new one by information security experts when he suggested that end-to-end crypto could somehow be selectively broken for those who see themselves as the good guys.

Both former GCHQ director Robert Hannigan and former MI5 chief Lord Evans have spoken in favour of end-to-end encryption. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/01/max_hill_qc_deny_encryption_anonymous_users/

Instagram blames API ‘bug’ for spilling of nude Bieber photos

Instagram’s API sprung a leak, with attackers snatching email addresses and phone numbers of “high-profile” users.

We don’t know who those high-profile users are, but we do know, as Variety reports, that somebody posted nude photos of Justin Bieber on to Selena Gomez’s Instagram account on Monday.

Bare Bieber photos weren’t up for long: within minutes, the account was offline, photos from (former couple) Gomez and Bieber’s 2015 vacation in Bora Bora were deleted, the account was re-secured, and back up it went.

Was it due to hackers exploiting what Instagram said was “a bug” in its API? Or just a coincidence? We can’t say. The two could be completely unrelated: after all, much, if not all, of the nude-celebrity photo theft in Celebgate versions 1, 2 and 3 was enabled by attackers phishing login credentials for iCloud and Google email accounts.

Or then again, it could be that the Instagram attacker did in fact exploit the flaw in the social media app’s API to peek at users’ profile information. As The Register notes, the API lets developers see profile information. That’s why Instagram and Facebook both changed their terms of service in March: to turn off the data spigot for developers who were mining the platforms for surveillance purposes.

At any rate, Instagram wasn’t forthcoming with details. But here’s what it did say in a statement sent to the New York Daily News:

We recently discovered that one or more individuals obtained unlawful access to a number of high-profile Instagram users’ contact information – specifically email address and phone number – by exploiting a bug in an Instagram API.

A source told the Daily News that one person found the API bug and used it to steal information.

Instagram says that it’s warned all of its verified users about the hack. It declined to say how many accounts were affected.

Censored versions of Bieber’s photos initially appeared in the Daily News, but the Full Monty versions later made their way online, Variety reports. This isn’t the first time his nude photos have been stolen. When it happened in 2015, also while he was on vacation in Bora Bora, he told Access Hollywood that it was a violation:

My first thing was like…how can they do this? Like, I feel super violated.

I’m not a Belieber, but I do beliebe he’s right: it is a violation when thieves get their grubby mitts on our intimate photos. Here are some ways to keep it from happening:

  • Don’t click on links in email and thus get your login credentials phished away. If you really think your ISP, for example, might be trying to contact you, rather than clicking on the email link, get in touch by typing in the URL for its website and contacting the company via a phone number or email you find there.
  • Use strong passwords.
  • Lock down privacy settings on social media (here’s how to do it on Facebook, for example).
  • Don’t add people on social media you haven’t met in real life, and don’t share photos with people you don’t know and trust. For that matter, be careful of those who you consider your “friends”. This isn’t the first time that Instagram content has been grabbed: one example of creeps posing as friends can be found on the creepshot sharing site Anon-IB, where users have posted images they say they took from Instagram feeds of “a friend”.
  • Use multifactor authentication (MFA) whenever possible. MFA means you need a one-time login code, as well as your username and password, every time you log in. That’s one more thing attackers need to figure out every time they try to phish you.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/AWczZzcze3I/

Malware writer offers free trojan to hackers … with one small drawback

Those looking on the dark web for malware capable of hijacking computers might have thought they were getting a bargain when a free trojan appeared on various online souks over the past few months.

The malware generator, dubbed the Cobian remote access trojan (RAT) by researchers at security shop Zscaler, is a fairly elemental bit of code and is based around the njRAT that surfaced around four years ago. It comes with all the usual bells and whistles – a keylogger, webcam hijacker, screen capturing and the ability to run your own code on an infected system.

But the Cobian RAT also has a secondary payload built in, hidden in an encrypted library. Once activated, it allows the original author of the malware to take control of any computers infected by the attack code and, if necessary, cut off the criminal who caused the infection in the first place.

“It is ironic to see that the second level operators, who are using this kit to spread malware and steal from the end user, are getting duped themselves by the original author,” said Zscaler’s advisory on Thursday. “The original author is essentially using a crowdsourced model for building a mega Botnet that leverages the second level operators’ Botnet.”

The secondary payload communicates with a preset page on Pastebin to get the current address of the command and control servers run by the original writer. But the malware checks first to see if the second level operator is online, in which case it keeps quiet to avoid detection.

It’s likely the original author won’t automatically cut off the second level operator for fear of alerting that person. Instead it’s in the author’s interests to encourage as many infections as possible and to run a massive botnet without the bother of distributing the malware necessary to build a zombie army.

It’s a logical thing to do when you think about it, and the thought of all those lower-level malware operators doing the hard work for nothing won’t exactly bring salt tears to our eyes. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/31/free_trojan_for_hackers/

Connect at mine free Wi-Fi! I would knew what I is do! I is cafe boss!

Something for the Weekend, Sir? Stop the digital presses, hold the home page – I have breaking news for you! An organisation somewhere in the world has NOT been hacked into today!

Of course when I say “been hacked into”, I mean “allowed anyone with a computer and the slightest inclination to take an unauthorised copy of confidential customer records with the minimum of hindrance”.

Feel free to add, as appropriate, “because customer security is not our highest priority”. If you like, you might also wish to tag on “and is in fact a much lower priority than ensuring our IT directors receive their performance bonuses on time”.

Usually after my summer vacation from Register Towers, I return to a bevy of emails referring to security breaches. This year, the bevy had swelled into a full-blown seasonal migration of entire species. No wonder everyone is in a flap (eheh). In my absence, the world turned into a live 24-hour hackathon.

I would have known about all this sooner if I had bothered to check my email from time to time between energetic bouts of striding across broken sun-parched pavements from one exotic Athenian landmark to another. My mobile phone provider seemed terribly keen for me to do this, too, having finally acknowledged that its data roaming surcharges were unwarranted and trying to spin its admission of guilt into “added value”.

The hotel was equally keen for me to connect to its free Wi-Fi. So was the airport, the train stations and every cafe we stopped in for cake throughout our stay.

Mmm, cake.

“Great, they have Wi-Fi! I’m pretty sure the owner of this ramshackle corner cafe is fully competent in security basics and has implemented WPA2-PSK with AES encryption. What’s that? There’s no login required at all? Wow, he really must be an expert!”

Given so much opportunity for us to waggle our IT privates in public, it’s no wonder mischievous self-taught coders who still live with their mums find it so irresistible to tag along to see what they might find. But is anyone policing this?

A think tank called Reform recently published a paper after speaking to a few police officers and staff in the UK with IT responsibilities. The paper calls for the establishment of a digital academy to train cyber specialists – or what I prefer to call a Cyber Police Academy.

Already I can see Steve Guttenberg enrolling and causing no end of madcap mayhem. Then they’ll make him head of training, which will lead to even more hilarious antics. And seven more sequels. They could even call it the Guttenberg Project.


Also sitting in my mailbox on my return was an unreasonable quantity of promotional press releases for insane crowdfunding projects.

This is baffling, given that I only ever mention such crowdfunding projects here in order to ridicule them. Idiocy sells, I suppose, in all its hellish forms. Without wishing to help promote them any further than they deserve (i.e. not at all), two items did stand out from the bunch, if only for humour value.

One is for a “smart bulb” called Heelight, a lightbulb that can “hear the environment” and switch between 16 million colours “according to your preferences”.

It’s not just smart, this lightbulb, oh no: it’s apparently “the world’s most intelligent bulb”.

Hopefully it’s intelligent enough to take note that my preference for lightbulbs is that they should produce white light when switched on, and not produce light when switched off. As far as I’m concerned, the remaining 15,999,999 potential colours can be safely stored up the developer’s arse.

But wait! Even lightbulbs with PhDs pale into insignificance alongside my other pick of the summer crowdfunders…

The “smart doorbell”.

I only have to read those two words and already I hate it. Then I read that the startup that invented it is called Ding, and now I hate it even more.

When a visitor presses the smart doorbell on your front door, it immediately calls your smartphone. Why it should do this remains a bit of a mystery, despite repeated attempts at having it explained to me. I try to imagine what it would be like to be a smart bell end user – a “bellend” for short.

“Hello? Oh, you’ve rung my doorbell. Well, no-one’s at home at the moment because we’re abroad on holiday. Are you a delivery man? No? What’s that, you’re a burglar? Oh, thank you for ringing. You’ll find the jewellery on top of the wardrobe, a brand new lawn mower in the shed, and if you don’t mind, could you put down a few kitchen towels before you shit on the bed?”

Evidently the joke’s on me because Ding raised £269,664 on crowdfunding platform Seedrs while I was away.

It only goes to show how little I understand about the benefits to human advancement brought about by investing in disruptive technology. Here’s me thinking people might put their money into something to do with healthcare nanobots or deep thinking by massive AI entities.

No, it’s a quarter of a million quid for a fucking doorbell.

For any bellends reading this, please put your mind at rest. Or at least you can take your mind off the man currently ransacking your home 1,000 miles away by connecting to your hotel’s hokey free Wi-Fi and logging in to every system at work while every keystroke is recorded by the seasonal slave behind reception.

He also has photocopies of your passport and preferred credit card, by the way. All he needs is the name of your first pet and he’ll have a full house – which is ironic given that your own is now decidedly emptier than it was before someone rang your doorbell.

See? I bet you’d already forgotten about your smart bell woes!

See you next week! Ding dong!



Alistair Dabbs is a freelance technology tart, juggling tech journalism, training and digital publishing. He would like to make it clear right now that his birthday present wishlist will not include a smart bell, a smart bulb or a smart toilet roll. Actually, the last one could be a goer, if only to ensure that every swipe is logged (eheh) and ensures some megacorporation’s big data storage system becomes – almost literally – full of shit.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/01/connect_at_mine_free_wifi_i_would_knew_what_i_is_do_i_is_cafe_boss/

China’s cybersecurity law grants government ‘unprecedented’ control over foreign tech

China’s new cybersecurity law will enable its government to discover potential security vulnerabilities of any company doing business in the country, threat intelligence firm Recorded Future warns.

The law grants the China Information Technology Evaluation Center (CNITSEC), an office in the Ministry of State Security (MSS), the power to request source code and other intellectual property of tech suppliers operating in the country. Information gleaned might easily be exploited by CNITSEC in furtherance of its intelligence operations, Recorded Future claims.

Priscilla Moriuchi, director of strategic threat development at the firm, reckons the measures place companies between a rock and a hard place. Vendors either have to give up their proprietary technology and IP, or lose out on one of the world’s biggest and most important markets.

A white paper by Recorded Future, published Thursday, looks at the law’s impact as well as offering practical advice on how firms might navigate the rules while trading in China. Recorded Future’s cautionary take follows previous criticism that the law posed compliance difficulties to foreign companies because it imposed what’s been described as onerous, vague, and broad new legal requirements.

Bill Hagestad, a former US Marine Corps lieutenant colonel turned cyber conflict author and researcher, told El Reg that China’s tough new regulations come from a mindset moulded by “haunting memories” of when the Eight-Nation Alliance invaded and attempted to colonise China in the early 1900s.

“As a result of this foreign effrontery, China lives daily with the shame of having almost been ruled by foreign devils,” Hagestad explained. “This historical basis is the foundation for the People’s Republic of China’s New Internet Security Law.

“The digital geography of the Middle Kingdom is now sacrosanct and will not be violated as was China’s geography physically during the beginning of the 19th century.”

The impact on foreign businesses has been severalfold, according to Hagestad.

“IBM has acquiesced building servers for Larkspur to serve (no pun intended) the Chinese banking industry; Apple has removed nefarious VPN applications from its app store to appease the Communist boys and girls in Beijing… ALL foreign companies must submit to data inspections, and most importantly, if there is Chinese data it can never leave the Middle Kingdom.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/01/china_cybersecurity_law_analysis/

Robocall scumbags already target Hurricane Harvey victims

With much of Houston, Texas, still under water from flooding caused by Hurricane Harvey, scammers are running robocall operations aimed at residents of the storm-ravaged area.

US trade watchdog the FTC on Thursday issued an alert after receiving reports of a “flood insurance” scam targeting those in and around the American city.

“One thing we’ve learned at the Federal Trade Commission is that scams often follow the news – especially when there’s a natural disaster, like Hurricane Harvey, in the headlines,” the warning said.

The robocalls claim that the target’s flood insurance premiums are “past due,” and in order to have any coverage for damages caused by Hurricane Harvey they need to make an immediate payment.

The scam is a blatant attempt to capitalize on the panic of people in the area who have already lost much if not all of their possessions – and in some cases, pets and family members – to the flooding in parts of Texas and Louisiana.

The FTC said that anyone who receives such a call should (obviously) not give the scammer any payment information and should directly contact their insurance provider if they have questions about the status of their coverage.

The commission also urges people to report any scams they spot to both the FTC complaint site and the Federal Emergency Management Agency’s disaster fraud hotline at 1-866-720-5721.

Hurricane Harvey is expected to be one of the costliest natural disasters in US history, with many people planning to file insurance claims for the storm and flood damage.

Such schemes have, sadly, become very commonplace in the wake of high-profile disasters, particularly with social media reaching a wider audience and crowd-funding platforms allowing an easy way to set up and collect money for fake campaigns. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/31/robocallers_target_hurricane_victims/

AT&T customers with Arris modems at risk, claim infosec bods

Infosec consulting firm Nomotion has reported vulnerabilities in Arris broadband modems which it says are trivial to exploit and could affect nearly 140,000 devices.

The report claims the modems carry hard-coded credentials, which became serious when a firmware update turned on SSH by default: a remote attacker can log in to the modem’s cshell service and take a leisurely walk through most of the device’s configuration.

“The username for this access is remotessh and the password is 5SaP9I26”, Nomotion states.

The shell’s capabilities include “viewing/changing the WiFi SSID/password, modifying the network setup, re-flashing the firmware from a file served by any tftp server on the Internet” – and there’s also access to a kernel module “whose sole purpose seems to be to inject advertisements into the user’s unencrypted web traffic.”

That last isn’t in use in the modem, Nomotion’s Joseph Hutchins writes – but the code is present and vulnerable.

The modems in question are the Arris NVG589 and NVG599, which Nomotion notes are provided as standard customer premises equipment to AT&T U-verse customers.

The bugs could have been added by AT&T, the report says, since while “examining the firmware, it seems apparent that AT&T engineers have the authority and ability to add and customize code running on these devices, which they then provide to the consumer (as they should).”

The cshell runs as root, which means any other bug in it is trivially turned into full compromise of the device. For example, Hutchins provides a demonstration of a command injection through its ping functionality.

Other vulnerabilities Hutchins says he’s found in the modems include:

Arris told Kaspersky’s ThreatPost it’s now analysing the report and will act to protect users if necessary. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/01/att_customers_with_arris_modems_at_risk_claim_infosec_bods/

Asterisk bugs make a right mess of RTP

Admins of the popular IP telephony application Asterisk have a lovely end to the week ahead of them: there are two moderate vulnerabilities, and one critical mess, that need patching.

The worst of the three is a bug in the Real-time Transport Protocol (RTP) stack that exposes a system to information disclosure.

The problem stems from a change to the system’s strict RTP implementation, designed to handle network issues more smoothly.

When packets go missing and the recipient issues a re-INVITE, the stack has to accept media from a changed source and cope with packets arriving out of order. This depends on various components of the RTP stack:

The maintainers found a situation where media could be hijacked:

“If a flood of RTP traffic was received the strict RTP support would allow the new address to provide media and with symmetric RTP enabled outgoing traffic would be sent to this new address, allowing the media to be hijacked. Provided the attacker continued to send traffic they would continue to receive traffic as well”.

The bug is present in Asterisk Open Source 11.x, 13.x and 14.x, and in Certified Asterisk 11.6 and 13.3; patches are available for all affected versions.
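To make the hijack concrete, here is a constructed Python model of strict RTP source learning combined with symmetric RTP. It is an added example, not Asterisk’s code: the addresses, the four-packet learning threshold, and the “hardened” rules (learn a new source only inside a window opened by a re-INVITE, and only from packets with contiguous sequence numbers) are assumptions for illustration, not a description of the project’s actual patch.

```python
"""Constructed model of strict RTP source learning plus symmetric RTP: a
flood from a third party redirects outbound media (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class RtpPacket:
    src: Addr
    seq: int            # 16-bit RTP sequence number


@dataclass
class StrictRtpSession:
    """Receiver side of one stream. learn_threshold=4 is an assumption, not
    the project's constant. hardened=True applies an assumed mitigation:
    learn a new source only inside a window opened by a re-INVITE, and only
    from packets whose sequence numbers are contiguous."""
    expected_src: Addr                # address negotiated in SDP
    symmetric_rtp: bool = True        # send to whoever we accept media from
    learn_threshold: int = 4
    hardened: bool = False
    learning_open: bool = False
    current_src: Optional[Addr] = None
    send_target: Optional[Addr] = None
    _cand: Optional[Addr] = None
    _cand_count: int = 0
    _cand_last_seq: Optional[int] = None

    def __post_init__(self) -> None:
        self.current_src = self.send_target = self.expected_src

    def reinvite(self, new_src: Addr) -> None:
        """Signalling path: the legitimate way the media address changes and,
        in the hardened model, the only thing that opens learning."""
        self.expected_src, self.learning_open = new_src, True
        self._cand, self._cand_count, self._cand_last_seq = None, 0, None

    def receive(self, pkt: RtpPacket) -> bool:
        """Return True if the packet is accepted as media."""
        if pkt.src == self.current_src:
            return True
        if self.hardened and not self.learning_open:
            return False                                  # locked: ignore
        if pkt.src != self._cand:                         # new candidate
            self._cand, self._cand_count, self._cand_last_seq = pkt.src, 0, None
        if (self.hardened and self._cand_last_seq is not None
                and pkt.seq != (self._cand_last_seq + 1) & 0xFFFF):
            self._cand_count = 0                          # gap: not a stream
        self._cand_count += 1
        self._cand_last_seq = pkt.seq
        if self._cand_count < self.learn_threshold:
            return False
        self.current_src = self._cand                     # source learned...
        if self.symmetric_rtp:
            self.send_target = self._cand                 # ...media now goes there
        if self.hardened:
            self.learning_open = False
        return True


PEER: Addr = ("198.51.100.10", 20000)                     # constructed addresses
PEER_NATTED: Addr = ("198.51.100.10", 20002)
ATTACKER: Addr = ("203.0.113.7", 4444)


def _established(hardened: bool) -> StrictRtpSession:
    s = StrictRtpSession(expected_src=PEER, hardened=hardened)
    for seq in range(1000, 1010):
        s.receive(RtpPacket(PEER, seq))
    return s


def simulate_flood(hardened: bool, during_reinvite: bool = False) -> Addr:
    """An attacker sprays packets with unrelated sequence numbers; return
    where our outbound media ends up being sent."""
    s = _established(hardened)
    if during_reinvite:
        s.reinvite(PEER)
    for seq in (7, 9000, 13, 42000, 5, 777, 31, 65000):
        s.receive(RtpPacket(ATTACKER, seq))
    return s.send_target


def simulate_legit_readdress(hardened: bool) -> Addr:
    """After a re-INVITE the peer really moves (say, NAT rebinding) and keeps
    its sequence numbers contiguous; both models should follow it."""
    s = _established(hardened)
    s.reinvite(PEER_NATTED)
    for seq in range(1010, 1016):
        s.receive(RtpPacket(PEER_NATTED, seq))
    return s.send_target
```

In the unhardened model four attacker packets are enough: the attacker becomes the accepted source and, because symmetric RTP sends to whoever we accept from, our side of the call is redirected to the attacker as long as it keeps transmitting, which is the behaviour the advisory describes. The hardened model ignores unknown sources until signalling opens a window, and a spray of unrelated sequence numbers never counts as a stream even inside that window, while a genuine readdress after a re-INVITE still works.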

The same versions have a shell access vulnerability in the app_minivm “mini voicemail” module.

The module builds its notifications using the caller ID name and number. Those values can come from an untrusted source, and crafted values permit command injection.
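The Arris ping injection reported by Nomotion and the app_minivm bug share one shape: a value the remote party controls (a ping target, a caller ID name) is spliced into a shell command line. The following is an added Python example, not code from Nomotion, Arris or the Asterisk project; the command strings, the hostname rule and the argv-based fix are assumptions about how such a ping hook or notification might be built, and the payload is constructed.

```python
"""Command injection in a ping helper and in a caller-ID notification:
vulnerable string builders beside hardened argv builders (added example)."""
import ipaddress
import json
import re
import subprocess
import sys
from typing import List, Sequence

# RFC 1123 label: alphanumerics and '-', no leading/trailing '-', 1-63 chars.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


class InvalidTarget(ValueError):
    """Raised when a ping target is not a bare IP address or host name."""


def build_ping_vulnerable(host: str) -> str:
    """VULNERABLE (illustrative): the target is spliced into a shell string,
    so '127.0.0.1; cat /etc/passwd' runs a second command as the same user."""
    return f"ping -c 1 {host}"


def validate_ping_target(host: str) -> str:
    """Return the target only if it is a literal IP address or a host name."""
    host = host.strip()
    try:
        return str(ipaddress.ip_address(host))   # canonical IPv4/IPv6 form
    except ValueError:
        pass
    if len(host) > 253 or not HOSTNAME.fullmatch(host):
        raise InvalidTarget(f"refusing ping target {host!r}")
    return host                                   # cannot start with '-'


def is_safe_ping_target(host: str) -> bool:
    try:
        validate_ping_target(host)
        return True
    except InvalidTarget:
        return False


def build_ping_hardened(host: str) -> List[str]:
    """Allow-list the target and return argv: no shell parses it, so
    metacharacters cannot split it, and the no-leading-'-' rule stops
    option injection."""
    return ["ping", "-c", "1", validate_ping_target(host)]


def build_notify_vulnerable(mailcmd: str, cid_name: str, cid_num: str) -> str:
    """VULNERABLE (illustrative): caller ID fields interpolated into a shell
    line, the shape of the app_minivm bug; cid_name is attacker-controlled."""
    return f'{mailcmd} -s "Voicemail from {cid_name} <{cid_num}>"'


def build_notify_hardened(mailcmd: Sequence[str], cid_name: str,
                          cid_num: str) -> List[str]:
    """Caller ID stays data: one argv element however it is crafted. Control
    characters are stripped so the subject cannot smuggle mail header lines."""
    name, num = _CONTROL.sub("", cid_name), _CONTROL.sub("", cid_num)
    return [*mailcmd, "-s", f"Voicemail from {name} <{num}>"]


def argv_seen_by_child(args: Sequence[str]) -> List[str]:
    """Run a child process that reports its own argv, proving that the
    hardened builders deliver a crafted value as exactly one argument."""
    child = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))", *args]
    done = subprocess.run(child, capture_output=True, text=True, check=True)
    return json.loads(done.stdout)


if __name__ == "__main__":
    evil_name = 'Bob"; id > /tmp/pwned; echo "'     # constructed payload
    print("vulnerable:", build_notify_vulnerable("mail", evil_name, "100"))
    hardened = build_notify_hardened(["mail"], evil_name, "100")
    print("child saw :", argv_seen_by_child(hardened[1:]))
    print("ping      :", build_ping_hardened("192.0.2.1"))
```

The vulnerable builders produce a string that a shell would cut at the attacker’s quote and semicolon; the hardened ones never hand a string to a shell at all, and the child process confirms the crafted subject arrives as a single argument. Allow-listing the ping target is the second layer: even with argv, a target beginning with “-” could otherwise be read by ping as an option.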

Finally, the third vulnerability is in the res_pjsip module, which provides Asterisk’s Session Initiation Protocol (SIP) support.

A crafted Uniform Resource Identifier (URI) in the From, To or Contact header can crash Asterisk Open Source 13.15.0 or 14.4.0; it is patched in versions 13.17.1 and 14.6.1 respectively. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/01/asterisk_admin_patch/

When uploading comments to the FCC, you can now include malware

A laughably insecure comment system has left US comms watchdog the FCC open to malware attack, and the agency doesn’t seem to know what to do about it.

The security hole was spotted by a 20-year-old US university student, who found that when someone applies to put a comment onto the FCC website, the system allows almost any file type to be uploaded to its servers. Given the large number of file types that can harbor malware, the FCC is making itself a target. The flaw appears to be at least five months old.

“The bloke who found this is scared to death,” Guise Bule, the security blogger who wrote about the hole, told The Register. “He’s not a computer security whizz, just someone who spotted the issue.”

The problem is that the FCC’s public API is available to anyone with an email address and is publicly documented. It allows files of up to 25MB to be uploaded, more than enough space for a very nasty package of goodies indeed.
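As an added example (not the FCC’s code), here is the sort of server-side gate an upload endpoint like this one needs: a size cap at the article’s 25MB figure, an allow-list of document types, and content sniffing that must agree with the claimed extension. The allowed types, the signature table and the sample byte strings are constructed for the illustration.

```python
"""Server-side gate for a public document-upload endpoint: size cap,
extension allow-list, and content sniffing that must agree with the
extension (added example; types and sample bytes are constructed)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

MAX_BYTES = 25 * 1024 * 1024              # the 25MB limit the article cites

# Document types a comment system might reasonably accept, with the magic
# bytes their content must start with (empty means "checked as text").
ALLOWED: Dict[str, bytes] = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".txt": b"",
}
# Signatures that are rejected whatever the file is called.
DANGEROUS: Dict[bytes, str] = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
    b"PK\x03\x04": "ZIP container (Office macro documents, JARs, ...)",
    b"#!": "script with an interpreter line",
}
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None     # name to store under, if accepted


def sanitize_filename(name: str) -> str:
    """Keep only the last path component, restrict to a safe character set,
    and refuse leading dots so nothing becomes a hidden or config file."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = _UNSAFE_CHARS.sub("_", base).lstrip(".")
    return base[:128] or "upload"


def _is_plain_text(data: bytes) -> bool:
    # allow tab/LF/CR and anything printable or >= 0x80 (UTF-8 bytes)
    return not any((b < 32 and b not in (9, 10, 13)) or b == 127 for b in data)


def check_upload(filename: str, data: bytes,
                 max_bytes: int = MAX_BYTES) -> Verdict:
    if not data:
        return Verdict(False, "empty file")
    if len(data) > max_bytes:
        return Verdict(False, f"exceeds {max_bytes} bytes")
    safe = sanitize_filename(filename)
    ext = "." + safe.rsplit(".", 1)[-1].lower() if "." in safe else ""
    if ext not in ALLOWED:
        return Verdict(False, f"extension {ext or '(none)'} not allowed")
    for magic, what in DANGEROUS.items():
        if data.startswith(magic):
            return Verdict(False, f"content is a {what}, whatever the name")
    expected = ALLOWED[ext]
    if expected and not data.startswith(expected):
        return Verdict(False, f"content does not match the {ext} signature")
    if ext == ".txt" and not _is_plain_text(data):
        return Verdict(False, "text file contains binary or control bytes")
    return Verdict(True, "ok", safe)


if __name__ == "__main__":
    samples = {                            # constructed inputs
        "comment.pdf": b"%PDF-1.4\n% sample\n",
        "comment2.pdf": b"MZ\x90\x00" + b"\x00" * 16,
        "tool.exe": b"MZ" + b"\x00" * 8,
        "../../etc/cron.d/evil.txt": b"just a comment\n",
    }
    for name, blob in samples.items():
        print(f"{name!r:32} -> {check_upload(name, blob)}")
```

The order matters: the executable and archive signatures are checked before the per-type signature, so renaming a PE file to .pdf does not help, and the filename is reduced to a safe basename before it is used for anything. Whatever passes should still be served back with a fixed Content-Type and as an attachment, since a plain-text check cannot tell a comment from a script that is never meant to run.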

People have already started having fun with the site, posting up a document designed to look like an FCC comment from the agency’s staff. The comment reads: “Dear American citizenry, We’re sorry Ajit Pai is such a filthy spineless cuck. Sincerely, The FCC”

It now appears that the practice has been stopped, but with one important caveat, according to Bule. The demonstration key the FCC provides still appears to work.

“The FCC comment system is designed to maximize inclusiveness and part of that system allows anyone to upload a document as a public comment, which is what happened in this case,” the agency told The Register.

“The Commission has had procedures in place to prevent malware from being uploaded to the comment system. And the FCC is running additional scans and taking additional steps with its cloud partners to make sure no known malware has been uploaded to the comment system.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/08/31/malware_uploaded_w_comments_to_fcc/