STE WILLIAMS

Anonymous declares war after French firm trademarks its logo

A French company trying to trademark the Anonymous logo and slogan for commercial purposes has inspired an angry response from a team claiming to be affiliated with the hacking group.

The company Early Flicker, or E-Flicker, has registered the headless man logo and the slogan ‘We are Anonymous, We do not forgive, We do not forget. Expect us’ with the French National Institute of Industrial Property. This would allow the company to produce and sell merchandising bearing the logo, and potentially to take action against others who use it in France.

“Their arrogance and ignorance of what they have done will not go unpunished,” promised the group in a video on YouTube. “Anonymous will take down any business they have going on the internet and the ninety nine per cent will not stop until the registration has been revoked and a public apology has been made. The name of Anonymous will not be the whore of the world.”

In what it is calling Operation AnonTrademark the group has vowed to shut down any online activities conducted by the company and want the trademarking cancelled. Given the group’s prior conduct, the management at Early Flicker might want to rethink their strategy.

The last company to go up against Anonymous directly was security consultants at HBGary Federal, who claimed to have infiltrated Anonymous high command and were going to present a paper on the case at the BSides conference in San Francisco. Less than 24 hours after the company made the announcement, it was comprehensively pwned and had its email servers scraped and published.

The hacking attack revealed that HBGary Federal had been touting its services to combat WikiLeaks with a proposed plan to smear journalists who appeared sympathetic to the whistleblowing site and feeding false documents to the website to discredit it. The firm’s head Aaron Barr was forced to step down and the company was sold shortly afterwards.

Given the relative ease with which Anonymous were able to get into a security firm’s servers, an online retailer should cause few problems. El Reg would advise Early Flicker to batten down the hatches and prepare for boarders. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/31/anonymous_french_firm_trademark/

Pair collared after ‘mobe giant hacked, info on 8.7 million sold’

Police have arrested two South Koreans who allegedly leaked the personal information of 8.7 million mobile phone subscribers. The pair have been charged with hacking into the systems of KT Corp, the country’s second biggest mobile carrier, and selling on the data.

A further seven suspects have been questioned by police over allegations that they bought the illegally obtained data to target telemarketing sales calls, the Yonhap news agency reports.

Investigators reckon telemarketers used subscribers’ personal information, including details of the phones they were using and their monthly plans, to punt alternative mobile services just before their current contracts were about to expire.

The illegal marketing tactic brought in estimated sales of 1 billion South Korean won (£563,560; $877,000). Police only released partial details of one of the two main suspects in the case, a 40-year-old whose family name was Choi. The other suspects remain unnamed.

KT has reportedly acknowledged the data breach and promised to tighten up its security in a bid to prevent a repetition.

The privacy flap involving the details of millions of mobile phone subscribers follows the leak of personal information of 35 million South Korean users last August after a hacking attack against two popular portal websites run by SK Communications, the country’s biggest security breach to date. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/31/south_korea_mega_mobile_breach/

Brit cops manacle another journalist in computer hacking probe

‘Not trying to burn sources, it’s about blagged mobes’

A 37-year-old man has been arrested by Met police officers investigating alleged computer hacking.

It’s the second such cuffing to have taken place in the last 24 hours and brings the total number of arrests under Scotland Yard’s Operation Tuleta inquiry to nine suspects.

The Met confirmed that the unnamed man was a journalist who was manacled at an East London police station under suspicion of handling stolen goods.

The same allegations are currently being probed by the Yard against a 51-year-old male journalist, who was arrested on Monday.

To that end, police repeated their statement from yesterday about the latest suspect to be questioned based on those claims:

The arrest relates to a suspected conspiracy involving the gathering of data from stolen mobile phones and is not about seeking journalists to reveal confidential sources in relation to information that has been obtained legitimately.

The arrests follow charges for alleged phone-hacking offences being brought against erstwhile News International boss Rebekah Brooks and PM David Cameron’s top spinman Andy Coulson last week. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/31/operation_tuleta_ninth_arrest/

Tesco in unencrypted password email reminder rumble

Tesco’s admission that it still merrily emails passwords to punters in plain text has alarmed anyone with a grasp of computer security.

The UK’s supermarket behemoth reassured the world on Sunday that it stores passwords for online shopping accounts in an encrypted format, and only decrypts them when users forget their login credentials and request a reminder via email.

This cut little ice with many Reg readers, who contacted us in large numbers on Monday morning. They pointed out that the method is undesirable because it fails to meet the security industry’s best practices. It would be far better if Tesco switched to a secure password reset process.

One (unlikely) danger is that these unencrypted email password reminders could be intercepted and used by crooks. But the bigger issue is that the method implies that the grocer stores passwords in a way that could allow anyone who infiltrates the website to uncover the original plaintext credentials: if Tesco can decrypt stored passwords for reminder emails, hackers can too.

The password reminder issue was raised again at the weekend by developer Troy Hunt but the same issue was actually first reported five years ago, back in 2007.

It’s poor practice to send out password reminders in clear text, but Tesco is hardly alone in this, and it’s hardly the most wretched of security sins. The tone and severity of criticism against Tesco would be justified had its systems actually been hacked and the passwords exposed – as has happened to other, still more prominent organisations in recent times – but this doesn’t appear to be the case.

The password reminder issue is just the most obvious in a series of security mistakes by the grocer, according to Hunt, who lists the various flubs in a blog post here. Other problems include using unencrypted authentication cookies and mixing encrypted and unencrypted content on a secure page, behaviour that is likely to generate browser warnings that most users will find confusing. For good measure, Tesco’s website is insecurely configured and running IIS 6, a seven-year-old and twice-superseded version of Microsoft’s web server software.

We asked Tesco for a more substantive response covering these various concerns but at the time of posting we’re yet to hear back from the retailer. We’ll update this story as and when we hear more. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/31/tesco_website_insecurity/

The asymmetry implicit in Internet data retention

As we speak, apathetic Australians are failing to lodge submissions objecting to the government’s ill-defined data retention proposals.

But Anonymous thinks it represents us, and until it actually started showing the data, @Op_Australia on Twitter descended into the kind of “RSN” you can only deliver if you’re an archetypal self-abuser.

Forgive me if I say that the principal arguments about freedom and peoples’ right not to be snooped on have been aired in many forums in the context of Australia’s data retention debate, and I’d have no new insight to add on that score.

However, there are a couple of aspects to the Australian government’s call for comment regarding data retention that haven’t received much publicity.

Chief among these, in my mind, is this: in modeling data retention on what’s retained in phone records, governments and law enforcement either don’t realize or don’t care about the differences between the Internet and the telephone.

If the Australian government sticks to its previously-expressed enthusiasm for retention modeled on the European Data Directive, then the retained data would include the user ID, time of day, source IP address, and destination IP address for their Internet interactions.

As I said, it’s modeled on phone data records, in which carriers keep calling party, called party, and a timestamp for billing purposes (and law enforcement trawls if it’s given permission by a judge to see who someone called).

There are problems using the phone record as a model. For example, I’m not in control of every IP address my Web browser visits. No matter that I only intend to look at a story in (say) the Sydney Morning Herald, the site owner imposes all sorts of cruft for me to view the story: there’s the trackers (Google Analytics, IMR Worldwide and so on), the ad servers (Doubleclick, Google), the videos which might come from a different IP address to the story, and all the affiliate links which might also come from a different IP.

It only takes one visit to a compromised Web server, and a user can make contact with an IP address that ASIO or the AFP doesn’t like – without knowing they’ve done so.

It’s not a phone, it’s more like a series of … tubes

If we were talking about phone calls, there’s a reasonable chance that Joe Sixpack can at least talk sense to a policeman knocking at his door. A phone bill is human-readable. People can recognize telephone numbers; 02 9555 5555 makes sense. Even if Joe ends up needing a lawyer to help him, they can communicate on common ground.

“Honestly, I can swear on the witness stand that nobody in my house ever called 9555 5555!”

On the other hand, 144.140.108.23 is not meaningful to the ordinary user. I can tell El Reg readers that it’s the address to which Telstra.com resolves, but most people don’t know what that means.

So when the Chief Inspector leans across the table and utters dark threats because someone using your IP address accessed a sub-domain on a given IP address, and that sub-domain was host to an extremist Web page showing bomb-making instructions … what exactly do you say?

You get my point, I hope. You can’t challenge evidence you can’t understand.

By thinking of Internet transactions as some kind of analogue for telephone calls, law enforcement is creating a huge asymmetry that doesn’t exist when we discuss telephone call records.

“I have no idea what you’re talking about, officer”. “Tough luck, mate, you can’t argue with the logfiles.”

Surely we don’t want to create a country in which this conversation is feasible.

Anonymous, again

Mind you, I can think and discuss this without Anonymous’s assistance.

Its latest attacks, and release of a sample of data purloined from AAPT, via Melbourne IT, are as always completely unhelpful. They give aid and comfort to those who argue in favour of regulating the Internet, without doing a damn thing to prevent said regulation.

With the kind of geopolitical ignorance that screams “American” at me, Anonymous attacked Queensland government Websites to protest events in Canberra. That left the group taking out its anger with one jurisdiction – all of Australia – on a single state. Worse still, the respective governments of those jurisdictions share robust and ongoing enmity.

I’m actually in favour of having the issue debated, and submissions made to government: a strong “don’t snoop” response from the public is a good way to get the message across.

I don’t like the (mainly media-driven) oversimplification that takes every government request for comment as a fait accompli. It discourages people from taking part in the process – which is exactly the point of inviting submissions.

If we truly believe in the Internet as a medium for democratic interaction, then we need to encourage governments to put their proposals up for comment – as they now do, and but for the depressing apathy of the populace, with much greater debate.

Nearly every proposal will have its opponents, whether they’re right or wrong, informed or ignorant, leftist, centrist, right-wing or none of the above. People will support or oppose wind farms, marine parks, coal mines, gas loaders, logging, Medicare, government deficits, government surpluses, the carbon tax, income tax, private school subsidies and the rest.

Some may even grab the placard to protest over something if they feel strongly enough about it. More power to them: it’s a democratic right – as is even the loon stumping up his or her own money to take a government to the High Court.

Those things, however, take courage. You have to lend your name to the protest, have to be prepared, if necessary, to front the court and pay the fine.

“For your own good” is an expression of the will to power. I don’t care who you are, Anonymous: you don’t have permission to exercise power over me. Even for my own good. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/31/anonymous_go_bloody_home/

Marlinspike demos MS-CHAPv2 crack

Security researcher Moxie Marlinspike has turned his attention to VPNs based on Microsoft’s MS-CHAPv2 protocol, demonstrating software at Defcon that can capture and crack passwords.

Chapcrack parses the credential information out of MS-CHAPv2 handshakes, which are then sent to Cloudcracker. Cloudcracker will then return a packet that can be decrypted by Chapcrack to recover the password.

As noted by ThreatPost, MS-CHAPv2 is an old protocol that should have been replaced, but hasn’t: criticisms go back as far as 1999.

Marlinspike writes in this blog post, “It shows up most notably in PPTP VPNs, and is also used quite heavily in WPA2 Enterprise environments”.

There is, he writes, “only one unknown in the entire protocol – the MD4 hash of the user’s passphrase, which is used to construct three separate DES keys”. Since the MD4 hash of a user’s password “is enough to authenticate as them”, Marlinspike and collaborator David Hulton of Pico computing made this the focus of Chapcrack.

While El Reg doesn’t propose reproducing Marlinspike’s technical explanation in full, it’s worth a read, if only for the reasoning behind how the attack works: from what looks like a seriously difficult computational task, he and Hulton winnow the problem down to a complexity of 2^56: “the security of MS-CHAPv2 can be reduced to the strength of a single DES encryption” [original emphasis].

Pico Computing’s key contribution to the effort is in the form of an FPGA-based box that can “crack any MS-CHAPv2 handshake in less than a day”, Marlinspike writes.
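To make the reduction concrete, here is an added Python example (not Marlinspike’s Chapcrack, nor any code from the original article): it derives the NT password hash, the 8-byte challenge hash and the three DES keys exactly as RFC 2759 lays them out, then counts how many bits of each key are actually unknown, which is why the whole handshake collapses to a single 2^56 DES search. DES itself is not implemented here; the sample inputs are the RFC 2759 test vectors, and the MD4 routine is included because many current Python builds no longer ship it in hashlib.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def _rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320); hashlib often lacks it on OpenSSL 3 builds."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += (len(data) * 8).to_bytes(8, "little")
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for r in range(48):
            i = r % 16
            if r < 16:      # round 1: F, message words in order
                fn, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif r < 32:    # round 2: G, words column by column
                fn, k, s = (b & c) | (b & d) | (c & d), (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4]
                add = 0x5A827999
            else:           # round 3: H, bit-reversed word order
                fn, k, s = b ^ c ^ d, int(f"{i:04b}"[::-1], 2), (3, 9, 11, 15)[i % 4]
                add = 0x6ED9EBA1
            a, b, c, d = d, _rotl((a + fn + x[k] + add) & MASK, s), b, c
        a0, b0 = (a0 + a) & MASK, (b0 + b) & MASK
        c0, d0 = (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 of the UTF-16LE password (RFC 2759, 8.3)."""
    return md4(password.encode("utf-16-le"))


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash: first 8 bytes of SHA-1(PeerChallenge | AuthChallenge | UserName) (RFC 2759, 8.2)."""
    return hashlib.sha1(peer_challenge + auth_challenge + username.encode()).digest()[:8]


def des_keys_from_hash(nt_hash: bytes) -> list:
    """Zero-pad the 16-byte hash to 21 bytes and cut three 7-byte DES keys (RFC 2759, 8.5)."""
    padded = nt_hash + b"\x00" * 5
    return [padded[i:i + 7] for i in (0, 7, 14)]


def expand_des_key(key7: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, 7 bits each, odd parity in the low bit."""
    bits = int.from_bytes(key7, "big")
    out = bytearray()
    for i in range(8):
        chunk = (bits >> (49 - 7 * i)) & 0x7F
        parity = 0 if bin(chunk).count("1") % 2 else 1
        out.append((chunk << 1) | parity)
    return bytes(out)


def unknown_key_bits(hash_len: int = 16, key_len: int = 7) -> list:
    """Bits an attacker must guess per key: only bytes that came from the hash
    are secret, the zero padding is public. For a 16-byte hash: [56, 56, 16]."""
    return [8 * max(0, min(hash_len, start + key_len) - start)
            for start in range(0, 21, key_len)]


def effective_search_bits() -> int:
    """Keys 1 and 2 encrypt the same challenge hash, so one sweep of the DES
    keyspace tests both; key 3 costs 2^16 on top. Returns log2 of the total."""
    k1, k2, k3 = unknown_key_bits()
    return (2 ** max(k1, k2) + 2 ** k3).bit_length() - 1


if __name__ == "__main__":
    h = nt_password_hash("clientPass")   # RFC 2759 test vector password
    print(h.hex(), [k.hex() for k in des_keys_from_hash(h)], effective_search_bits())
```

The third key carries only two bytes of the hash, so it is found by a 2^16 search that also reveals the last two bytes of the hash; the remaining 2^56 sweep over keys 1 and 2 is the “single DES encryption” the article refers to.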

Marlinspike says that MS-CHAPv2 should be purged from the Internet, advising that PPTP traffic “should be considered unencrypted”, and that MS-CHAPv2 enterprise users should begin migrating – now. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/31/ms_chapv2_crack/

Flame worm’s makers fail to collect Epic 0wnage award

Black Hat Hackers and other delegates to Black Hat celebrated the best and worst of information security with the latest edition of the Pwnie Awards, the security geek equivalent of the Oscars.

The award in the top “Epic 0wnage” category went to whoever’s behind the Flame cyber-espionage spyware. It was their use of an MD5 collision attack to create counterfeit Microsoft certificates – and thereby push bogus updates via the Windows Update – that earned the respect of hackers. Recent reports by the Washington Post suggest that a team from the CIA, the National Security Agency and the Israeli Defence Force developed the attack.

The NSA’s director Keith Alexander gave a key-note at Defcon – the other hacking convention held in Vegas in July – but disappointingly decided not to pick up the award.

“Any attack that requires a breakthrough in cryptography to pull off is pretty cool in our book,” the citation for the award explains. “And being able to pwn any Windows machine through Windows Update is pretty mass 0wnage.”

The Pwnie for “Best Client-Side Bug” was a joint award to Pinkie Pie and Sergey Glazunov for separately hacking their way out of the Chrome sandbox. Both had already raked in $60,000 as winners of Google’s Pwnium hacker contest for their ingenious hacks.

The discovery that some MySQL server configurations will accept any login password after enough tries earned Sergei Golubchik the Pwnie for the “Best Server-Side Bug”. And the most innovative research Pwnie was bestowed on Travis Goodspeed for a paper on Wi-Fi hacking, entitled Packets in Packets: Orson Welles In-Band Signalling Attacks for Modern Radios.

Most of the awards celebrate excellence in the field of information security, but one award celebrates epic incompetence. The Golden Raspberry Pwnie for Most Epic FAIL went to F5 for using the same extractable SSH private key in the firmware of all its appliances.

A more complete list of winners for the Pwnies can be found on the award’s official page here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/30/flame_wins_pwnie/

Sophos dangles free Android antivirus to tempt BYOD-friendly biz

Sophos has crafted a freebie antivirus app dubbed Sophos Mobile Security for Android-powered devices.

The software tries to protect smartphones against malware, warns fandroids of privacy-invading programs and can lock down a gadget if it’s lost or stolen, ideally without taxing either performance or battery life. The software, released on Monday, can be downloaded from Google Play.

Several free-of-charge security scanners already exist for the Android platform, but the performance of some in recent tests has been mediocre. Paid-for products from the likes of Kaspersky and F-Secure tend to perform better. Sophos is positioning its product against the more capable freebie Android scanners from the likes of Lookout and AVG (Droid Security), but with the additional benefit of offering hardware loss and privacy dashboard features more associated with paid-for products.

Sophos Mobile Security is designed to automatically scan apps as users install them, thus blocking undesirable software. The technology also locates lost or stolen Android devices as well as shielding personal information from thieves.

Sophos has entered the mobile security zone a few years late, but rather than corner the freebie Android scanner market, its new software will be used to market a managed Enterprise version, due to be released this year.

The strategy makes sense because it dovetails neatly with the bring-your-own-device craze that’s allowing consumers’ technology choices to shape corporate IT, including the mobile security products that are used.

Android malware last year increased 155 percent from 2010, according to Juniper Networks.

“We’re seeing no slowdown in the number of malicious apps, as more smartphone owners use their devices to not only store personal data, but also access social networks and the internet,” said Matthias Pankert, vice president of product management, Sophos. “This usage, coupled with the increase in Bring Your Own Device (BYOD) activity, is making Android devices a compelling target for cybercriminals and malware.”

Sophos released a freebie security scanner for Macs two years ago. The plan in that case was more about improving home punters’ cyber-hygiene than pushing licences, but mobile security is much more integral to the corporate plans of the UK-based security software firm, so Sophos Mobile Security is not a philanthropic gesture. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/30/sophos_freebie_android_scanner/

Ubisoft assassinates Uplay flaw, denies DRM rootkit

A bit of holiday fun for Google security researcher Travis Ormandy left Ubisoft scrambling to fix a gaping flaw in its Uplay gaming application on Monday morning.

“While on vacation recently I bought a video game called ‘Assassin’s Creed Revelations,’” he posted on the Full Disclosure mailing list. “I noticed the installation procedure creates a browser plugin for its accompanying Uplay launcher, which grants unexpectedly (at least to me) wide access to websites.”

A demonstration page showed how a visitor’s browser with the Uplay plugin installed could be made to launch a calculator application as a test case. The problem was initially reported as being a form of rootkit used for monitoring the Ubisoft’s DRM system, but the company denied this in a statement to El Reg.

“The issue is not a rootkit. The Uplay application has never included a rootkit. The issue was from a browser plug-in that Uplay PC utilizes which suffered from a coding error that allowed systems usually used by Ubisoft PC game developers to make their games,” it said.

The company said that it got the news of the flaw early on Monday morning and had a patch out within 90 minutes, giving a few people a very sudden start to the working week. Around 20 of its most recent games are thought to be vulnerable and Ubisoft advised users to download the patch, shut down all browsers, and run the update to fix the issue.

The rootkit row, although misguided, demonstrates the continuing frustration among some users with Ubisoft’s latest DRM system, which requires some games to maintain a constant internet connection to function. While this is an effective form of DRM, it’s cold comfort if your connection goes down seconds before you level up. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/30/ubisoft_plugin_flaw_rootkit/

Skype hits back at angry wiretap reports: Rat finks? Not us

Analysis Skype has hit back against a wave of stories speculating that the internet telephony outfit has made chat, call record and other user data more available to the authorities. In truth such assistance to law enforcement has been going on for at least five years, as Skype itself acknowledges.

A series of stories in Slate, The Washington Post and elsewhere alleged that Skype changed its network’s architecture since its acquisition by Microsoft last year to enable “lawful interception” of calls.

To support the theory that Microsoft is cooperating further with authorities, the articles cite a patent for “legal intercept” technology, which was granted to Microsoft in June 2011, and the fact that Skype’s “supernodes” now route data through centralised servers controlled by the software giant.

These reports, in turn, provoked a hyperbolic response from some quarters, including a piece headed “It’s Terrifying and Sickening that Microsoft Can Now Listen In on All My Skype Calls”, by The Onion Forbes.

Skype returned fire with a blog post by Mark Gillett, the company’s chief operating officer. He said his engineers changed the VoIP service’s architecture to include “mega-supernodes” in the cloud back in 2010, a move to improve reliability rather than to set up a set of hubs where user data might be more easily collected and passed on to cops, spooks and g-men:

The move to supernodes was not intended to facilitate greater law enforcement access to our users’ communications. Skype has had a team of Skype employees to respond to legal demands and requests from law enforcement since 2005.

While we are focused on building the best possible products and experiences for our users, we also fundamentally believe that making a great product experience also means we must act responsibly and make it safe for everyone to use.

Our position has always been that when a law enforcement entity follows the appropriate procedures, we respond where legally required and technically feasible.

Gillett denied suggestions that “Skype now monitors and records audio and video calls of our users”:

Skype to Skype calls do not flow through our data centres and the “supernodes” are not involved in passing media (audio or video) between Skype clients.

These calls continue to be established directly between participating Skype nodes (clients). In some cases, Skype has added servers to assist in the establishment, management or maintenance of calls.

Gillett added that calls to regular landline or mobile networks do go through the networks of Skype’s public-switched telephone network (PSTN) partners. PSTN incorporates mobile, landline, fibre-optic, undersea and satellite comms.

The cloud-based architecture means that some instant messages are “stored temporarily on our [Skype/Microsoft] servers for immediate or later delivery to a user”, but again we’re told this isn’t to make it easier for spooks, but to improve the reliability of the network and make it easier to quickly introduce new services.

Skype acts in accordance with its privacy policy and only helps law enforcement when it is “legally required and technically feasible”, Gillett reiterated.

The 1,290-word blog post is Skype’s clearest position on its privacy policy and co-operation with law enforcement to date, and certainly since the time it was acquired by Microsoft last year.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2012/07/30/skype_wiretap_analysis/